The redirector is based on the backdoor technology. The first packets of a connection are the same as in a backdoor connection, which means you use the same ports as for the backdoor. The following packets are special packets used only by the redirector. These packets are created by the redirector base, which runs on the user's computer. The first packet of a redirected connection defines the target server and port.
The redirector base saves its settings into an inifile whose name depends on the base exefile name (so the default is rdrbs100.ini). If this file does not exist when the base is run, it is created automatically. It is better not to modify this inifile externally; all settings can be changed from the base console.
If we want to use the redirector on a server where the rootkit is installed, we first have to run the redirector base on localhost. Then, in the base console, we have to create a mapped port routed to the server with hxdef. Finally we can connect to the base on localhost on the chosen port and transfer data. Redirected data are encoded with the rootkit password. In this version the connection speed is limited to about 256 kBps; the redirector is not intended for high-speed connections in this version. The redirector is also limited by the system on which the rootkit runs. The redirector works with the TCP protocol only.
In this version the base is controlled with 19 commands. These are not case sensitive. Their function is described by the HELP command. During base startup the commands in the startup-list are executed. Startup-list commands are edited with the commands that start with SU.
The redirector differentiates between two connection types (HTTP and other). If the connection is of the other type, packets are not changed. If it is of HTTP type, the Host parameter in the HTTP header is changed to the target server. The maximum number of redirectors on one base is 1000.
The redirector base fully works only on NT boxes. Only on NT does the program have a tray icon and can the console be hidden with the HIDE command. Only on NT can the base be run in silent mode, where it has no output and no icon and executes only the commands in the startup-list.
getting mapped port info
>MPINFO
No mapped ports in the list.
add command MPINFO to startup-list and get startup-list commands
>SUADD MPINFO
>sulist
0) MPINFO
using the HELP command
>HELP
Type HELP COMMAND for command details. Valid commands are:
HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL, DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
>HELP ADD
Create mapped port. You have to specify domain when using HTTP type.
usage: ADD <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET SERVER PORT> <PASSWORD> [TYPE] [DOMAIN]
>HELP EXIT
Kill this application. Use DIS flag to discard unsaved data.
usage: EXIT [DIS]
add mapped port
We want to listen on localhost on port 100; the rootkit is installed on server 188.8.131.52 on port 80; the target server is www.google.com on port 80; the rootkit password is bIgpWd; the connection type is HTTP; and the IP address of the target server (www.google.com), which we always have to know, is 184.108.40.206:
>ADD 100 220.127.116.11 80 18.104.22.168 80 bIgpWd HTTP www.google.com
The ADD command can also be run without parameters; in this case we are asked for each parameter separately.
check mapped ports again with MPINFO
>MPINFO
There are 1 mapped ports in the list. Currently 0 of them open.
enumeration of mapped port list
>LIST
000) :100:22.214.171.124:80:126.96.36.199:80:bIgpWd:HTTP
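For an incident responder who recovers the console output of a redirector base (for example from a seized operator machine or a captured session log), the LIST line format above is the quickest inventory of which hosts the operator was routing through. The following parser is an added example for this page, not part of the original tool or its documentation; it assumes the LIST line layout shown above (a three-digit index, then colon-separated fields ending in local port, mapping server, mapping server port, target server, target server port, password, type) and ignores any leading field. The sample lines and all IP addresses in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of LIST output in the layout shown on this page.
# The first record copies the page's example; the other two are invented
# to show that several mapped ports may route through the same mapping host.
SAMPLE_LIST_OUTPUT = """\
>LIST
000) :100:22.214.171.124:80:126.96.36.199:80:bIgpWd:HTTP
001) :101:22.214.171.124:80:203.0.113.5:80:bIgpWd:HTTP
002) :8080:192.0.2.10:443:198.51.100.7:80:otherPwd:HTTP
"""

@dataclass
class MappedPort:
    index: int
    local_port: int        # port the base listens on (localhost side)
    mapping_server: str    # host carrying hxdef, i.e. the compromised host
    mapping_port: int      # backdoor port on that host
    target_server: str     # final destination the traffic is relayed to
    target_port: int
    password: str          # rootkit password stored with the mapping
    port_type: str         # HTTP or other

# "NNN) <fields>" ; anything else (prompt echo, blanks) is skipped
LINE_RE = re.compile(r"^(\d{3})\)\s+(.*)$")

def parse_list_output(text: str) -> List[MappedPort]:
    entries: List[MappedPort] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        index = int(m.group(1))
        fields = m.group(2).split(":")
        # Assumption: the last seven fields follow the ADD command's argument
        # order; the leading field (empty in the page's sample) is ignored.
        if len(fields) < 7:
            raise ValueError(f"record {index}: expected at least 7 fields, got {len(fields)}")
        local_port, map_srv, map_port, tgt_srv, tgt_port, pwd, ptype = fields[-7:]
        entries.append(MappedPort(
            index=index,
            local_port=int(local_port),
            mapping_server=map_srv,
            mapping_port=int(map_port),
            target_server=tgt_srv,
            target_port=int(tgt_port),
            password=pwd,
            port_type=ptype.upper(),
        ))
    return entries

def mapping_servers(entries: List[MappedPort]) -> List[Tuple[str, int]]:
    """Unique (host, port) pairs the base connects to. Per the page, each
    mapping server is a host with hxdef installed, so this is the list of
    hosts to triage first."""
    return sorted({(e.mapping_server, e.mapping_port) for e in entries})

def targets_via(entries: List[MappedPort], host: str) -> List[str]:
    """Destinations that were relayed through one mapping host."""
    return sorted(e.target_server for e in entries if e.mapping_server == host)

if __name__ == "__main__":
    recs = parse_list_output(SAMPLE_LIST_OUTPUT)
    for host, port in mapping_servers(recs):
        print(f"hxdef host {host}:{port} relays to {targets_via(recs, host)}")
```

The parser is deliberately tolerant of the console prompt echo and blank lines, so the text can be pasted in as captured; a record with fewer than seven fields raises instead of being silently misread, because a misattributed mapping host would send a responder to the wrong machine.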
detailed description of one mapped port
>DETAIL 0
Listening on port: 100
Mapping server address: 188.8.131.52
Mapping server port: 80
Target server address: 184.108.40.206
Target server port: 80
Password: bIgpWd
Port type: HTTP
Domain name for HTTP Host: www.google.com
Current state: CLOSED
test whether rootkit is installed
We can test whether the rootkit is installed without password on mapping server 220.127.116.11 (but this is not needed if we are sure about it):
>TEST 0
Testing 0) 18.104.22.168:80:bIgpWd - OK
If the test fails, it returns:
Testing 0) 22.214.171.124:80:bIgpWd - FAILED
The port is still closed; before we can use it, we have to open it with the OPEN command. We can close the port with the CLOSE command when it is open. We can use the ALL flag when we want to apply these commands to all ports in the list. The current state after the requested action is printed after a while:
>OPEN 0
Port number 0 opened.
>CLOSE 0
Port number 0 closed.
>OPEN ALL
Port number 0 opened.
Save current settings
To save the current settings and lists we can use the SAVE command, which saves everything to the inifile (saving is also done by the EXIT command without the DIS flag):
>SAVE
Saved successfully.
An open port is all we need for data transfer. Now you can open your favourite browser and type http://localhost:100/ as the URL. If there are no problems, you will see the main page of www.google.com load.
The first packets of a connection can be delayed by up to 5 seconds, but the others are limited only by the speed of the server, the speed of your internet connection, and the redirector technology, which is about 256 kBps in this version.