In a Red Team assessment, obtaining our payload undetectable can sometimes be very time-consuming. Today I will show how you can develop a custom undetectable backdoor in Python and how to protect yourself against one.
I will discuss initializing our server, building our client, and testing it for detection. Testing any network environment or any individual PC without their permission is illegal.
Lab Setup Requirements
- Kali Linux (Our Server).
- MacOS up-to-date (Our Client).
- Network set to NAT or Bridge.
We are using http.server module to handle the client requests. First we will set the HOST_NAME and PORT_NUMBER to the right value after that. Initializing our server via the server class object, with three parameters, the HOST_NAME, PORT_NUMBER along with our server class handler, and finally, we serve forever with an exception handling.
In the do_GET function, we have an input field asking for the attacker’s command to be executed on the client. In the second line, after the client executes our backdoor, it will send a GET request to the server.
The server responds to the client with the 200 response code so, the client knows we have successfully received the response with the HTTP header content-type set to text/html. In the last line, we send the command to the client.
The do_POST function we expect the client to execute the command and send the results back to server. First, if the client sends data in POST, we send the client 200 success response code, the http-content length specifying how many bytes of data the HTTP POST contains.
It returns a string and we should convert it to integer before we pass this value as a parameter to the rfile.read function, which will read the actual payload. Then we store the command execution result in the PostData variable and print it out on the server.
We import four Python libraries, which will help us to send and receive HTTP requests promptly, with executing commands on the client and sending the output to our server. Let’s review the code line by line.
First, we import necessary modules. In the second line we run an infinity loop because we want the connection to be forever until the client shuts down their machine. In the loop, we define to make a GET request to our server and separate the text in a c2_command variable.
If the server sends a terminate command, in such case we break the loop and exit the session. Otherwise, for any other command in the response-text, we then process it under the CMD variable where we open the subprocess shell to execute our command and pipe them with the standard input, output, and error.
In the post_request variable, we define two post requests along with the post data. We have to understand one thing here, the CMD output can be our command execution result or any error, so we will send both to our server.
Suppose the server sends the command whoami and whooami to the client who will execute both and send the output and the error to the server so the server will know which is the correct command execution output and the errors.
Testing for Detection
I have compiled the client for the macOS executable and uploaded to virus total. The result will amaze you because none of the antivirus agents detected the backdoor just because we are using the HTTP protocol and there is nothing that looks suspicious to the anti-virus program. You can have a look at the executable file.
I will use macOS as a client and kali machine as a server and we will test for the backdoor to see if it works or not. We will execute the client code on macOS and the server will be our Kali machine.
Let’s test it.
As you can see, after executing the server on kali side we were listening for the incoming connection. On the macOS, we executed the client and we were communicating with the server.
Let’s execute some commands.
Whoami Standard Output
We have typed the command whoami which results in a valid command on the client side and sends us back the post request with the command standard output. Executing some non-existing commands will result in a standard error output.
After sending a terminate command to the client, the loop will break and the connection will be closed.
To prevent such backdoors we must understand the importance of network monitoring and anti-virus solutions. These both will help us prevent such backdoors.
We often make the mistake of downloading and executing software tools, etc., from other sources.
This is very dangerous. We should always use licensed tools and software for our organizations or as an individual and only download content from legit and official sources. Downloading it from other sources could be the modified version and a backdoor could be attached to it.
There are numerous backdoor delivery methods. Sometimes it can be bound to some other valid software or sometimes they will be serving as a web page. An example is HTA, so we should always be aware of what is being installed on the system and their sources.