
Let's say John lives near (200 miles away) the C&C server and that John's IP is 192.168.7.2. John is the decoy, so the malware sends requests to John's IP. John doesn't get the requests, due to his firewall blocking them, leaving these lingering open TCP connections. So the C&C server is free to finish the TCP handshake, spoofing their IP to be 192.168.7.2.

As far as anyone can tell they are John, but when you go to John's house to shut down the C&C server you end up at a dead end.



1) How does the satellite come into this?

2) How does the C&C server complete the request? Are the hanging ports on the victim's side?

3) If the C&C server completes the connection, how do they carry on talking? Just like spoofing IPs, you can't ever get a reply. Or do they do the John decoy thing for every packet?


1) The satellite system broadcasts to everyone (apparently poorly/not encrypted) in the area, so it isn't necessary to take over any upstream routing in order to get a hold of the incoming packets. They just arrive at your doorstep, and since you configured them to be rejected by normal clients you know you won't have to compete for the response.

2) The C&C just responds over regular land-line. (Since the satellite service is download-only, this isn't any different from the service's normal clients.)

3) The reply keeps coming back over satellite and they keep grabbing it?


I believe you are correct in your understanding. Mine was a little different. I thought this was a classic asymmetrical routing scenario on the Internet with a cool eavesdropper twist.

I'm assuming that because the sat system broadcasts unencrypted, you can sniff all the packets for all hosts on that network just like you can on a wifi network with the proper promiscuous mode receiver. An unencrypted shared broadcast medium.

So packet flow is routed inbound from the victim as such:

(victim SYN to decoy IP) to (internet) to (sat broadcast to geographic area decoy and attacker C&C)

But packet flow outbound from C&C to victim is handled differently, via landline:

(spoofed decoy IP) to (landline/internet) to (victim)

So packets come in via sat link but go out via spoofed source on a landline.
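The outbound leg described in this thread (replies leaving over a landline with a spoofed satellite-side source address) is exactly what BCP38-style source-address validation at the landline ISP's customer edge is meant to stop. The following is an added example, not code from the thread or from any product, showing such a filter over a handful of constructed packet records. The interface names, prefixes and the idea of a per-customer "registered satellite prefix" allow-list are assumptions for the illustration; 192.168.7.2 is reused only because the thread uses it as the decoy address.

```python
"""Egress source-address validation (BCP38-style) at a landline ISP edge.

Added example with constructed data. A packet may only leave a
customer-facing interface if its source address belongs to a prefix
registered for that interface. Legitimate download-only satellite
subscribers also reply over the landline with a satellite-side source,
so their satellite prefix must be registered too, otherwise the filter
would cut them off together with the spoofer.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP the packet claims
    dst: str    # destination IP
    flags: str  # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    iface: str  # customer-facing interface the packet arrived on


# Assumed allocation table (constructed): which source prefixes each
# customer interface is allowed to originate. cust-eth1 is a satellite
# subscriber, so the satellite downlink prefix is registered for it.
CUSTOMER_PREFIXES = {
    "cust-eth0": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-eth1": [
        ipaddress.ip_network("198.51.100.0/25"),    # landline allocation
        ipaddress.ip_network("198.51.100.128/25"),  # registered sat prefix
    ],
}


def is_valid_source(pkt, prefixes=CUSTOMER_PREFIXES):
    """True if pkt.src lies inside a prefix registered for pkt.iface."""
    allowed = prefixes.get(pkt.iface, [])  # unknown interface: nothing allowed
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) according to the rule above."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_source(pkt, prefixes) else dropped).append(pkt)
    return forwarded, dropped


def spoofed_sources(dropped):
    """Distinct source addresses that were rejected, for an operator report."""
    return sorted({pkt.src for pkt in dropped})


# Constructed sample traffic seen at the customer edge.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.55", "S", "cust-eth0"),    # genuine customer
    Packet("192.168.7.2", "192.0.2.55", "SA", "cust-eth0"),    # decoy address from the thread, not this customer's
    Packet("198.51.100.200", "192.0.2.7", "SA", "cust-eth1"),  # real sat subscriber replying over landline
    Packet("198.51.100.200", "192.0.2.7", "SA", "cust-eth0"),  # same sat address, wrong interface
    Packet("10.0.0.1", "192.0.2.9", "A", "cust-eth9"),         # interface with no registration at all
]


if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for src in spoofed_sources(drp):
        print("rejected source:", src)
```

The caveat the thread itself points at: because the satellite service's real clients also send their replies over the landline, the filter cannot tell spoofer from subscriber by prefix alone; it has to know which customer interface is entitled to which satellite addresses. Without that registration step an operator faces the choice of dropping legitimate satellite users or letting the spoofed replies through.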



