Untraceable connect back

Posted: December 27, 2008 in midnight thoughts

Wow, being ill really SUCKS. Happy NEW YEAR. That part is also done. Hmmm what’s left…oh yeah, the reason I didn’t write too much on my blog. It’s not because I was ill, it’s just because I was lazy as hell and my gf was staying over…so busy busy busy.

The only thing I could not switch off during these ‘holidays’ was my brain. It seems to have been twisted since my birth and, oh well, I learned to live with it. So I had a midnight thought the other day. Nothing too funky, but interesting nonetheless. It’s all about connect-back backdoors. If a connect-back backdoor is used you always have the question: where must it connect back to?

There are several options which are used nowadays:

  • Hacked webserver
  • Socks servers on a hacked machine
  • Own machine

All of the above options have a weakness in my opinion: they can easily be taken down and they can be traced. The owner of the hacked webserver can monitor the incoming connections and analyze logs to find the hacker or the proxy that was used. The same goes for the socks server, and, well, if you use your own machine you are just plain stupid. So I was thinking, why not use TOR?

Before I proceed I want to point out that TOR is a wonderful piece of software. Abusing TOR will only achieve that it will stop existing. So I want to ask everyone who uses TOR to be nice and play nice. Luckily there are also projects out there which promote the use of TOR and make life a little bit less of a hell for system administrators, for example nymble. So if I don’t want TOR to be abused, why do I still post this? Because this is a nice method (yet to be tested in the field) when you are performing a tiger team operation / penetration test and want to prevent system administrators from taking you down until you succeed or your time is up.

The backdoor will connect to a TOR Hidden Service. A TOR hidden service is a great way of hosting content without having to worry about being traceable (it all depends on who will trace you…just some curious person or the NSA). In case you missed it, the previous sentence which was in between “( )” was my disclaimer in case anyone uses this for illegal purposes and gets busted. So how would the backdoor connect to a TOR hidden service? I thought of three ways…there are probably a lot more.

  • Abuse currently installed TOR
  • Package TOR together with the backdoor
  • Use a relay website

The first option should be pretty clear…make sure your backdoor has proxy support and use the installed TOR to access the hidden service you set up.

The second option can be accomplished in a variety of ways…you can mod the TOR source code until it fits your needs or you could try out tibbar's neat trick. With tibbar's trick it might be possible to convert TOR into an injectable DLL, which of course would make TOR a lot stealthier than just installing it on the victim machine.

The third option is also fun…because it needs no extra components in your backdoor. You can use tor2web to access your TOR hidden service using normal HTTP methods.
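Seen from the monitoring side, each of the three options leaves something to look for: loopback connections to a Tor SOCKS port, leaked `.onion` names, and web requests whose hostname carries an onion-style label in front of a gateway domain. The sketch below is an added example, not code from the original post; the log format, the source addresses and the sample hostnames are constructed, 9050 and 9150 are the default SOCKS ports of the tor daemon and Tor Browser, and it assumes the gateway exposes the onion name as a hostname label, as tor2web-style gateways do.

```python
import re

# Onion names are base32 (a-z, 2-7): 16 chars for v2 services, 56 for v3.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
TOR_SOCKS_PORTS = {9050, 9150}  # defaults: tor daemon, Tor Browser
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def classify_host(host):
    """Flag hostnames that carry an onion-style label; None if clean."""
    labels = host.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if ONION_LABEL.match(label):
            rest = labels[i + 1:]
            if rest == ["onion"]:
                return "onion-hostname"         # leaked .onion lookup or request
            if rest:
                return "onion-via-web-gateway"  # <onion label>.<gateway domain>
    return None  # a bare 16-char label can be benign, so hits are triage leads

def classify_conn(dest):
    """Flag loopback connections to a default Tor SOCKS port."""
    addr, _, port = dest.rpartition(":")
    if addr.strip("[]") in LOOPBACK and port.isdigit() and int(port) in TOR_SOCKS_PORTS:
        return "local-tor-socks"
    return None

def scan(log_text):
    """Return (source, finding, destination) for every suspicious record."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, src, kind, dest = parts
        finding = classify_conn(dest) if kind == "conn" else classify_host(dest)
        if finding:
            findings.append((src, finding, dest))
    return findings

# Constructed sample records: "<timestamp> <source> <http|dns|conn> <destination>"
SAMPLE_LOG = """\
2008-12-27T00:01:02 10.0.0.5 http www.example.com
2008-12-27T00:01:09 10.0.0.7 http abcdefgh234567ij.gateway.example
2008-12-27T00:02:11 10.0.0.7 dns abcdefgh234567ij.onion
2008-12-27T00:03:30 10.0.0.9 conn 127.0.0.1:9050
2008-12-27T00:04:00 10.0.0.5 conn 192.0.2.10:443
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A custom SOCKS port or a bundled Tor that talks straight to the network will not trip the loopback check, so this complements rather than replaces egress monitoring for Tor relay traffic.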

When implementing this kind of connect-back connection and control mechanism for your backdoor, ALWAYS make sure the actual content is encrypted. You never know who is listening. Also make sure your encryption doesn’t stand out…if you are in a network with like zero encrypted connections, don’t use SSL; instead use some homemade crypto that can be represented in an alphanumeric way. I know it’s bad advice to say use homemade crypto since that kind of crypto is (always) broken. Sometimes though you have to make the trade-off between someone being able to read the data and getting past IDS undetected.

If I test this idea out in the wild I will let you know how it worked out, of course if anyone tests it out I would love to hear if it worked.
