Saturday, October 2, 2010

Reverse HTTP evilness

Some months ago I heard people talking about using Tor to anonymously scan your target network by using the SOCKS interface and sockifying tools like NMAP, etc.

What amazed  me was the  Tor backdoor   that the guys of Carnal Ownage created. Unfortunately, it is only meant for Windows environments because it is the main platform that pentesters are working with.

I came up with the idea of making something (a crappy script in my case) that could be executed easily in a Unix environment. Basically, I borrowed some RSA and Blowfish code implemented in Python and I created a reverse http shell that encrypts all the traffic.


This script also permits to upload and download  small files. Unfortunately, Python is too ineficient in this case and it will use all the resources available in the computer. Forget about using this method to upload your toolkit :D

The most interesting part is that it can use a HTTP Tor proxy to connect to a hidden service, so you can run a reverse backdoor and the destination will not be identified. Of course, I coded this script for fun and it should only be used for educational puposes and to show how difficult is to defend a network (and easly to fly under the radar if you have some skills).


The code is not finished yet because I have been too busy since then, but it works :D

I think it is a good way to teach people that they do not have to relay on tools to defend their networks. They have to understand that they are going to be compromised soon or later and they have to desing their networks and strategies to identify the existing compromise and respond to the incident as quick as possible.

No comments:

Post a Comment