
0xOmar

Hi all!

Today I would like to share with you a method of obtaining a starting point in the network of an enterprise. Let's get started!


What are we dealing with?

Have you ever heard of PyPI, NPM or NuGet?

I think that at least someone knows at least one of these. All of these are repositories of libraries or just packages (for example, utilities) written in one language or another. For example, PyPI (Python Package Index) is a repository of Python packages that are published directly by the community itself. Anyone can upload a package there, and they are not really checked in any way, which is what an attacker can actually use.

Today we will create a library for PyPI, which, when installed, will install a backdoor on the system. We will focus only on Linux systems in this example, because whoever needs it will make it multiplatform. Go!

How is the PyPI package organized?

A PyPI package is a regular tar.gz archive that stores the package metadata (a README, for example), the code itself (.py), additional data (for example, in the case of python-geoip, this is GeoIP.dat, the GeoIP database itself) and the setup script (setup.py). It is the installation script that will be of interest to us!

What do we do?

Before the setup() function, which is part of setuptools, is executed, we will add the code that will install the backdoor.

First, let's create the backdoor itself. I won't bother too much and will do it with Metasploit.
You must reply before you can see the hidden data contained here.
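For anyone vetting a dependency before it reaches a build host, the pattern described in this post (code placed in setup.py ahead of the setup() call inside a tar.gz sdist) can be checked for statically. The following is an added example, not part of the original post; the names `RISKY`, `audit_setup_source`, `audit_sdist` and the sample setup.py are constructed for illustration, and the file is only parsed, never executed.

```python
import ast, io, tarfile

# Calls that have no business running from an install script (non-exhaustive).
RISKY = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
         "subprocess.call", "subprocess.check_output", "urllib.request.urlopen",
         "socket.socket", "exec", "eval"}
# Constructed sample: a harmless stand-in for "code placed before setup()".
SAMPLE_SETUP = '''\
import subprocess as sp
from setuptools import setup
sp.run(["echo", "constructed-sample"])
setup(name="demo-pkg", version="0.0.1")
'''

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else ""

def audit_setup_source(source):
    """Parse (never execute) setup.py; return sorted [(line, call, before_setup)]."""
    tree = ast.parse(source)
    alias, calls = {}, []
    for n in ast.walk(tree):
        if isinstance(n, ast.Import):
            for a in n.names:
                alias[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(n, ast.ImportFrom) and n.module:
            for a in n.names:
                alias[a.asname or a.name] = n.module + "." + a.name
        elif isinstance(n, ast.Call) and dotted(n.func):
            calls.append((n.lineno, dotted(n.func)))
    resolved = []
    for line, name in calls:  # map import aliases back to the real module path
        head, _, rest = name.partition(".")
        resolved.append((line, alias.get(head, head) + ("." + rest if rest else "")))
    setup_line = min((l for l, c in resolved if c.split(".")[-1] == "setup"), default=None)
    return sorted((l, c, setup_line is None or l < setup_line) for l, c in resolved if c in RISKY)

def audit_sdist(data):
    """Audit each setup.py in a .tar.gz sdist (bytes) without unpacking or running it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return {m.name: audit_setup_source(tar.extractfile(m).read().decode("utf-8", "replace"))
                for m in tar.getmembers() if m.isfile() and m.name.endswith("/setup.py")}

if __name__ == "__main__":
    print(audit_setup_source(SAMPLE_SETUP))
```

This is a line-order heuristic over a fixed call list, so obfuscated or dynamically built calls will pass it; treat a clean result as one signal alongside hash-pinned requirements and installing from wheels, which do not run setup.py.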