Ridiculous ways of controlling a computer remotely part 1: Telegram

So, recently I heard about a virus that exfiltrates data via telegram, and it got me thinking. What if you could use telegram for a reverse shell? What other ways are there which you could do for this? And I feel like I've come up with pretty good answers to each of these questions.


Possibly the only kind of useful thing on this list, the fact that telegram is encrypted end-to end, meaning that is is very difficult to glean info on what is being send to received, the fact that it is a relatively innocuous and widely used messaging app, and the fact that it is relatively anonymous.
However, there are some things which make the jobs of blue teams everywhere a little bit easier. It's not completely anonymous, as you need a phone number to sign up, and the phone number needs to be verified. This fact alone would make this a rather silly idea for people in countries that care, because once that sim connects your government gets a decent idea of where you are. However, this would presumably not be an issue in countries that have more important things to worry about, like civil war and genocide, or countries who just don't give a damn about cybercrime.
Another issue with this kind of messaging based reverse shell control is that this is pretty useless for business use. Most businesses keep social media/ IM use blocked by firewalls, mainly to stop people from mucking about at work, but as shown in this image any business that blocks IM apps would have no problems with this control method, if it actually existed.
Telegram works with HTTP requests, so I started off with the HTTP request module in python. The way I envisioned this working is that the program checks for new messages every 60 seconds-ish, and then would send an http request for new messages, although I wasn't sure of how the API worked at the time.
After wondering why things weren't deleting for a day, I realised the reason why was in the documentation. Almost immediately I stumbled upon a problem. For some reaosn I couldn't get rid of old messages in the update. It took a day to fix, but I finally realised I was being a dimwit and that I hadn't read the documentation properly. However, I noticed that even though every other message disappeared from the function, the last one just sort of didn't. This is a bit annoying, as it could lead to the computer executing the same command once a minute. I felt like having stuff in sperate files was cheating, so I had the bright idea of having it always ignore the first thing you send it. This is a bit annoying the first time you use it, but is actively better than any other solution. Not only is there this issue, but Telegram won't let you delete messages after 48 hours, so if the bot doesn't notice the messages in that time, too bad: the bot no longer works.
Luckily, a lot of the features I added were to make the bot work well for its intended purpose, and I realised that having the bot work well for its intended purpose and having the bot work were two different things. Using a massively stripped down version of my code I got it printing everything I put almost instantly. From there, getting it to print the results of the commands was pretty easy.

Now all I had to do was to get this to be sent back.


And suddenly it works! If you want to use the code, you can find it here.
So it is possible. However, it's a bit of a pain, given that the API isn't really designed for it. For example after a certain number of characters the you won't get anything back, which I learnt from when I tried to see what was in my documents. You could get around this pretty easily by splitting up the messages in order.


Popular posts from this blog