Summary & Introduction
The goal and purpose for this project is to tie in many stealth software and backdoor concepts covered in the course to create a single, uniformed covert communication program. The designed and implemented solution should be a complete application that allows the user (attacker) open a port on a firewall including closed ones, and the backdoor should accept arbitrary commands for execution with the results being sent back to the remote client application.
Assumptions
- Can be based for a particular OS, in this case Linux
- Attack and compromise carried out on a local network
- Details such as the IPs of attack and victim are known
- Backdoor application already installed on victim’s machine
- Both machines have root access
Server Component (Backdoor)
Control & Covert Channel
This portion of the backdoor should accept packets regardless of the firewall rules that are in place when the interacting port is opened by the client application and be disguised as a typical system process like kworker.
Accepted packets that have been authenticated should have an encrypted password embedded within some part of the payload. Once authenticated, the command will be extracted (decrypted) from it and execute some sort of command. Outputs and results are sent back on a covert channel that are separate from the channel previously used to connect.
Packet Sniffing
As an alternative to port knocking or receiving special packet sequences to either authenticate or decode for access, packet capture at the card level will be implemented. This allows for listening of traffic coming from a particular IP, port, and/or even protocol.
Client Component
The client application used by the attacker needs to generate all the corresponding packet information intended to be received to connect to the backdoor. All sent data should be encrypted and he/she should be able to carry out command execution on the accessed server. An option is available to extract file contents to be sent back on a covert channel.
Diagrams
Backdoor (Server)
Attacker (Client)
As usual the code for the project can be found on GitHub.