I have a windows backdoor pet project - virtual-reality.
I recently added a new payload - grand-theft-socket.
Situation: you have a server you need to backdoor. Server runs a public service listening on some port. For the sake of argument lets pretend it is a webserver. All outgoing traffic is disallowed.
Grand-theft-socket:
- You inject
gts.dll(payload) into webserver process (injection is not covered by VR project)- Injected DLL hooks
WSAAccept()
- Injected DLL hooks
- You send a knock by executing
vr.py tcp_knock webserver_ip port. - You execute
meterpreter/bind_tcpwithRHOST=webserver_ipandLPORT=port. - You enjoy your meterpreter session.
All of this happens while not interrupting normal service operations. Webserver continues to serve webpages and what not.
How it is done:
-
tcp_knocksends a small packet requesting next connection to be treated as backdoor connection. This connection is terminated andINVALID_SOCKETis returned to the host process. (knock is not designed to be secure. It is designed to be improbable by chance) - When a connection from ip address that sent a knock is created:
In a sense we steal a socket from legit service and use it for incoming backdoor connection.
You may find some other interesting things in this project.
- icmp backdoor which executes meterpreter stager sent as ping packet data
- https backdoor which harvests steganographically encoded commands from images posted on imgur.com