Designing a Backdoor
As any good brogrammer knows, designing before you code is usually a good idea. So today I’ll be taking you through the design work for a covert application I will be creating in the coming months. The application has two parts: a server and a client. The server is the actual backdoor running on the compromised machine, and the client is the program we use to communicate with it. The backdoor, or server, will be designed to run on Linux, written in C, and tested on Fedora 17. The client will also be written in C and should run on any *nix-based system.
Requirements
Let’s start with the requirements we would like the backdoor to have:
- Disguised process name; obviously, seeing “backdoor.out” running in top is going to give us away
- Accept packets from behind the firewall (nothing should get in the way of a brogrammer’s backdoor)
- Only accept packets that have our embedded passphrase contained within the header
- Execute commands passed in the encrypted packet using the system() command
- Return the results of the executed commands to the client application
- Search for a file, retrieve its contents, and return them to the client
- Open a covert channel back to the client for transmitting data
Some additional features would be good to have if time permits:
- Key logging with offline and real time functionality
- Web camera control for taking pictures or video and uploading media back to the client
The requirements for the client application are fairly straightforward:
- Encrypt passphrase into the header along with a command or filename
- Listen for returning data
State Diagrams
State diagrams are really useful for visualizing the application’s flow and function design. The backdoor application is presented first.
Next up is the client state diagram. As the diagram shows, the client is designed as a single command per execution.
Pseudo Code
The pseudo code shown here is fairly high level: no real function calls are named, and the read and write loops are not shown. The pseudo code for the backdoor is up first.

main()
    mask process name
    change UID/GID to 0
    call stealthListen()

stealthListen()
    get the NICs on the machine
    find a suitable NIC from the device list
    open the capture session
    create and parse the filter for the capture
    set the filter on the listening device
    call pcap_loop with the receivedPacket callback function

receivedPacket()
    get the IP header and offset value
    memcpy the code out of the header
    ensure that it matches the passphrase by decoding with today’s date
    if the code does not match
        return
    extract command
    if key logger command
        call keyLogger()
    else if retrieve file command
        call retrieveFile()
    else if system command
        call systemCommand()
    else
        return

keyLogger()
    create local socket pair
    fork
    if parent process
        call sendKeys()
    else if child process
        call recordKeys()

sendKeys()
    create UDP client socket
    epoll listen on socket pair and client socket
    if local socket
        create UDP packet
        encode keypress in header
        send packet to client
    if client socket
        kill child process
        return

recordKeys()
    epoll listen on keyboard device
    if keypress
        send keypress over local socket

retrieveFile()
    locate file using the system() locate command
    if file found
        read contents into buffer
    else
        load “file not found” into buffer
    call sendResponse()

systemCommand()
    execute system() command
    buffer results
    call sendResponse()

sendResponse()
    create SSL connection back to client
    send buffer over connection
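Both stealth mechanisms in this design, the masked process name and the pcap listener that never opens a port, still leave traces in /proc: libpcap on Linux sniffs through an AF_PACKET socket, which appears in /proc/net/packet, and the kernel records the binary it actually loaded in /proc/<pid>/exe no matter what argv[0] or comm say. The script below is an added, defender-side example and not the author’s code; its function names are hypothetical, it assumes the standard Linux /proc layout, and the sample /proc/net/packet text used to exercise it is constructed.

```python
import os

def packet_socket_inodes(proc_net_packet_text):
    """Inodes of every AF_PACKET socket listed in /proc/net/packet (last column)."""
    inodes = set()
    for line in proc_net_packet_text.splitlines()[1:]:   # first line is the column header
        if line.strip():
            inodes.add(int(line.split()[-1]))
    return inodes

def owners_of_inodes(inodes, fd_links):
    """Map socket inode -> [pid, ...], given (pid, readlink target) pairs from /proc/<pid>/fd."""
    owners = {}
    for pid, target in fd_links:
        if target.startswith("socket:[") and target.endswith("]"):   # e.g. socket:[12345]
            ino = int(target[8:-1])
            if ino in inodes:
                owners.setdefault(ino, []).append(pid)
    return owners

def name_mismatch(comm, exe_path, argv0):
    """True when the name ps/top shows (comm, argv[0]) disagrees with the binary the kernel
    loaded (/proc/<pid>/exe). comm holds 15 chars; interpreters and symlinked exes also trip this."""
    exe_base = os.path.basename(exe_path)
    argv_base = os.path.basename(argv0) if argv0 else exe_base
    return comm != exe_base[:15] or argv_base != exe_base

def scan_live_proc():
    """Walk the real /proc (root needed to see other users' fds); report AF_PACKET holders."""
    with open("/proc/net/packet") as f:
        inodes = packet_socket_inodes(f.read())
    fd_links = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                fd_links.append((int(pid), os.readlink(f"/proc/{pid}/fd/{fd}")))
        except OSError:
            continue   # process exited, or fd directory not readable
    report = []
    for pids in owners_of_inodes(inodes, fd_links).values():
        for pid in pids:
            try:
                comm = open(f"/proc/{pid}/comm").read().strip()
                exe = os.readlink(f"/proc/{pid}/exe")
                argv0 = open(f"/proc/{pid}/cmdline", "rb").read().split(b"\0")[0].decode()
            except OSError:
                continue
            report.append((pid, comm, exe, name_mismatch(comm, exe, argv0)))
    return report
```

Legitimate sniffers (tcpdump, dhclient, some monitoring agents) will show up too, so the output is a short list to review rather than an alert by itself.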
Next up is the client pseudo code.
main()
    change UID/GID to 0
    process the command line argument
    call encodeCommand()
    call sendCommand()

encodeCommand()
    encode command using XOR

sendCommand()
    fill out sockaddr_in structs
    fill out IP header
    fill out TCP header
    calculate checksum
    create raw socket
    send command
    if key logger command
        call keyLogger()
    else
        call getResponse()

keyLogger()
    listen on UDP socket
    if packet received
        display key press
    else if user input
        send stop command
        exit

getResponse()
    listen on SSL socket
    if timeout occurs
        exit
    else
        receive data and save to file
        print data to screen
        exit
That concludes the design work I’ve done for the backdoor. All that’s left to do is some brogramming.