Cymothoa is a stealth backdooring tool, that inject backdoor’s shellcode into an existing process. The tool uses the ptrace library (available on nearly all * nix), to manipulate processes and infect them.
root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -S
0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (requires -i -c), creates a tmp file in the process dir you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
root@Dis9Team:/pentest/backdoors/cymothoa#
When penetration testing, and targeting Windows systems, writing some executable content to the file system is invariably required at some stage. Unfortunately today, the antivirus vendors have become quite adept with signatures that match assembly stub routines that are used to inject malware into a system. The A/V guys will also pick up on common service executable files such as being used with Metasploit’s bypassuac. Let’s face it, we still need to write stuff into temp directories from time to time.
Mark Baggett, and Tim Tomes recently presented some nice techniques on hiding malware within Windows volume shadow copies (http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows). Since it is unlikely for A/V products to be able to scan volume shadow copies, and the capability to create a process from a volume shadow copy using ‘wmic’ exists, then we would likely want to follow this sequence of tasks during a test:
a) Disable the A/V product of choice.
b) Upload our favorite/useful executable content. (perhaps a reverse TCP meterpreter shell or similar)
c) Upload Mark and Tim’s excellent vssown.vbs script
a. Enable service and create volume shadow copy.
b. Disable volume shadow copy service.
d) Delete our favorite/useful executable content and modified timestamps accordingly assuming we want to be somewhat stealthy.
e) Execute our content from the volume shadow copy using ‘wmic’ using the excellent vssown script, or just through ‘wmic process call create’.
The challenge presented is whether we can effectively disable the antivirus product of choice. Listed below are some possible techniques for three popular products which may get us what we need. None of these techniques are stealthy from a user interface perspective. Otherwise said, Windows security center and the A/V tray executable files themselves will try to inform the user that something is broken when we proceed with these recipes.
Today based on Astr0baby’s article on how can we create a fully undetectable metasploit payload, i modified his REVERSE_TCP Payload Generator in order to work with Backtrack 5 distro. Below you can find the modified version and a simple presentation on how it works:
#!/bin/bashecho"************************************************************"echo" Automatic shellcode generator - FOR METASPLOIT "echo" By Astr0baby 2011 "echo" With some Randomic gravy and sauce to bypass Antivirus "echo" For Automatic Teensy programming and deployment "echo"************************************************************"
OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
During Defcon 19, percX from foofus.net discussed a new attack method against printers. This attack method involved tricking the printer into passing LDAP or SMB credential back to attacker in plain text.
According percX, this type of attack has been found to work on a number of Ricoh or rebranded Ricoh systems (specifically manufactured by Sharp.).
This poll as based on two different stories. The first showed how the principle of endearment and how it may be used by a malicious social engineer.
The second story involved a social engineer employing the authority principle.
By simply carrying a clipboard and acting in charge could a social engineer manipulate people into giving up valuable data?
These two scenarios where presented with a third option that neither of them would work. How did the results turn out?
We allowed for a long period of time to collect as much data as possible. The only thing we asked for was Gender, Field Worked In and their choice. The statistics can give us some insight into not only which is more popular but also which is more popular based on the gender.
Our first data set is the most simplistic and sets a baseline for the poll, Gender.
Weevely create and manage PHP trojan designed to be hardly detectable. Is a proof of concept of an unobtrusive PHP backdoor that simulate a complete telnet-like connection, hidden datas in HTTP referers and using a dynamic probe of system-like functions to bypass PHP security restrictions.
With weevely you can generate PHP code to trojanize a web server, this backdoor acts like a telnet client to execute commands or inject addictional function on the backdoored server. Communication between backdoor server and client are done via normal HTTP requests, with a plausible fake HTTP_REFERER header field that contains coded commands to hide traffic from NIDS monitoring and HTTP log files review.
The program trying to bypass PHP configurations that disable sensible functions that execute external programs, enabled with the option disable functions located in php.ini. Weevely tries different system function (system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()) to find out and use functions enabled on remote server. Also the backdoor server code is small and easily hideable in other PHP files, the core is dynamically crypted in order to bypass pattern matching controls.
root@bt:/weevely# ./main.py -h
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
Usage: main.py [options]
Options:
-h, --help show this help message and exit
-g, --generate Generate backdoor crypted code, requires -o and -p .
-o OUTPUT, --output=OUTPUT
Output filename for generated backdoor .
-c COMMAND, --command=COMMAND
Execute a single command and exit, requires -u and -p
.
-t, --terminal Start a terminal-like session, requires -u and -p .
-C CLUSTER, --cluster=CLUSTER
Start in cluster mode reading items from the give
file, in the form 'label,url,password' where label is
optional.
-p PASSWORD, --password=PASSWORD
Password of the encrypted backdoor .
-u URL, --url=URL Remote backdoor URL .
The following presentation from Carlos Perez (darkoperator) will cover the techniques and methods used by penetration testers and hackers, how do they enumerate and perform their tasks once on a compromised system and how to detect the tell tales signs of their presence and actions.
root@bt:/sqlmap# ./sqlmap.py -u “http://www.foo.org/index.php?” –data “option=com_aardvertiser&cat_name=user&task=view” -p cat_name –dbs
[03:18:19] [WARNING] POST parameter ‘cat_name’ is not injectable
[03:18:19] [CRITICAL] all parameters appear to be not injectable. Try to increase –level/–risk values to perform more tests. Rerun by providing either a valid –string or a valid –regexp, refer to the user’s manual for details
[*] shutting down at: 03:18:19
