Kitchen Knife (China Chopper): Windows remote-control (webshell) management software written in ASP; relatively old, the originator of this category of tool, once all the rage, and gradually replaced by the other three.
Link: https://pan.baidu.com/s/1Kg_U9fJJL5wrlmIN69H8_g
Extraction code: 23ss
Ice Scorpion (Behinder): written in Java, cross-platform, with dynamic traffic encryption (AES128 with a random key).
Link: https://pan.baidu.com/s/1tyrXUC1Os0XI15WSYsCcKg
Extraction code: 23ss
Godzilla: written in C#; its encrypted traffic gets past most static antivirus and WAF checks (the AV and WAF products are also being updated, so this may fail at any time), and its bundled plug-ins are extremely powerful.
Link: https://pan.baidu.com/s/1ZBQzLoNi6_6QJKwafPDK2A
Extraction code: 23ss
Ant Sword (AntSword): Java-based cross-platform remote-control management tool with modular development, simple and readable code, and strong extensibility.
Link: https://pan.baidu.com/s/18wCOWXddVm9nDFsFpRvhJQ
Extraction code: 23ss
Traffic characteristics of Ice Scorpion, Chopper, Ant Sword, and Godzilla
Kitchen Knife (Chopper):
The traffic characteristics show up mainly in the HTTP protocol: it communicates over HTTP, and control commands and data are transmitted through POST requests.
1. The request body contains characteristic strings such as assert, eval and base64.
2. The payload passed in the request body is base64 encoded and contains the fixed string QGluaV9zZXQo, which is the base64 encoding of @ini_set(
The one-line Trojan (webshell) is shown in the figure:
Connect to the Trojan
Check the muma.php file after a successful connection
Capture packets in Wireshark; because Chopper traffic is plain HTTP, filter on http and follow the stream
Decoding
Ant Sword:
The traffic characteristics are mainly reflected in the encryption method and the data types in the packets. Ant Sword uses the AES encryption algorithm to encrypt data and also uses a custom binary protocol; the obvious marker is eval.
1. It transmits various types of data during communication. The default User-Agent request header is antsword xxx, but this can be changed by editing the UA in the /modules/request.js file.
2. The most obvious traffic feature is @ini_set("display_errors", "0"); this code is present in basically every webshell client that connects to a PHP webshell.
3. After Ant Sword's obfuscation and encryption there is another obvious feature: most of the parameter names take the form _0x..., so parameters starting with _0x are also likely to be malicious traffic.
Ant Sword with a proxy configured
Use Burp to capture packets
URL decode (Ctrl+Shift+U)
Ice Scorpion:
The traffic characteristics are mainly manifested in special marks in the packets and in the transmitted data types. An Ice Scorpion packet contains a specific flag, such as "flag=0x52415631", used to identify the packet as an Ice Scorpion control command. In addition, Ice Scorpion uses a custom binary protocol to transmit various types of data during communication. Looking at the packet capture we find no obvious characteristics, but we can see that it is a POST request whose Accept header contains application/xhtml+xml, application/xml and application/signed-exchange.
Here I introduce version 4.0.
This is the default shell of Ice Scorpion
Connect to the shell
Capture traffic
Request packet
Response packet
The encrypted Ice Scorpion message is rather long, so I won't decrypt it here; just read through it.
1. Accept field
Accept: application/json, text/javascript, */*; q=0.01
2. User-Agent field
Ice Scorpion has 16 built-in User-Agents, and each time it connects to the shell it randomly selects one to use.
3. Content-Type
Content-type: application/x-www-form-urlencoded
4. Fixed request and response headers
Request byte header:
VUYWVkBNGgAUVAgRUFQRAAIBOl
Response header:
TxcWR1NNExZAD0ZaAWMIPAZjH1BFBFtHThcJSl
5. Long connection
Ice Scorpion communication uses a long-lived (persistent) connection by default, which avoids the resource overhead of frequent handshakes. By default, Connection is included in both the request and response headers.
Connection: Keep-Alive
Also:
Ice Scorpion 2 features: the default value of the Accept field is very special and is the same at every stage. Ice Scorpion has more than ten built-in User-Agents, and each time you connect to the shell one is randomly selected; they are relatively old and easy to detect, but the UA header can be modified in Burp. Content-Length: 16 is the characteristic of the Ice Scorpion 2 connection.
Ice Scorpion 3 features: Ice Scorpion 3 cancels dynamic key acquisition. Many WAFs and other devices have analyzed the traffic characteristics of Ice Scorpion 2, so dynamic key acquisition was removed in version 3.
PHP packet capture: no obvious characteristics in the packet, but it can be seen to be a POST request.
1. The Accept header application/xhtml+xml, application/xml, application/signed-exchange is a weak feature.
2. The UA header is a weak feature; it can be modified in Burp. The 16 default User-Agents built into Ice Scorpion 3.0 are relatively old and can serve as a WAF rule feature.
JSP packet capture analysis: Content-Type: application/octet-stream is a strong feature.
Tips: octet-stream means only binary can be submitted, and only one binary at a time; if a file is submitted, only one file can be submitted, the receiving parameter on the back end can only be one, and it can only be a stream (or byte array).
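Because the Ice Scorpion features above are a mix of weak header hints (Accept, User-Agent, Keep-Alive) and strong ones (application/octet-stream for JSP, the 16-byte Ice Scorpion 2 key exchange), a detector should score them rather than match any single one. The following is an added example written for this page, not code from Ice Scorpion or any WAF product: the weights and threshold are this example's own choices, the stale User-Agent set is a constructed placeholder (the page says 16 exist but does not list them), checking Content-Length: 16 on the response is an assumption, and the opaque-base64-body rule is an added heuristic that the page does not state.

```python
import re

# Default Accept value quoted in the Ice Scorpion 4.0 section
ACCEPT_BEHINDER4_DEFAULT = "application/json, text/javascript, */*; q=0.01"
# Constructed placeholder: a deployment would fill this from its own captures
STALE_UA_SAMPLE = {
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/35.0.1916.153 Safari/537.36",
}
# Added heuristic: an encrypted body arrives as one opaque base64 blob, no key=value pairs
OPAQUE_B64 = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def score_behinder(method, req_headers, body="", resp_headers=None):
    """Score one request/response pair; returns (score, reasons).
    Weak features add 1, strong features add 3 (this example's weights)."""
    h = {k.lower(): v for k, v in req_headers.items()}
    r = {k.lower(): v for k, v in (resp_headers or {}).items()}
    if method.upper() != "POST":
        return 0, ["not-a-post"]
    score, reasons = 0, []
    accept = h.get("accept", "")
    if accept == ACCEPT_BEHINDER4_DEFAULT:
        score += 1; reasons.append("accept-default-4.0(weak)")
    elif "application/xhtml+xml" in accept and "application/signed-exchange" in accept:
        score += 1; reasons.append("accept-xhtml-signed-exchange(weak)")
    if h.get("user-agent", "") in STALE_UA_SAMPLE:
        score += 1; reasons.append("stale-builtin-ua(weak)")
    if h.get("content-type", "").lower().startswith("application/octet-stream"):
        score += 3; reasons.append("octet-stream(strong)")
    if h.get("connection", "").lower() == "keep-alive":
        score += 1; reasons.append("keep-alive(weak)")
    # Assumption: the page's "Content-Length: 16" marks the Ice Scorpion 2 key
    # exchange; this example looks for it on the response
    if r.get("content-length") == "16":
        score += 3; reasons.append("16-byte-key-response(strong)")
    if OPAQUE_B64.match(body.strip()):
        score += 1; reasons.append("opaque-base64-body(added heuristic)")
    return score, reasons


def verdict(score):
    return "likely" if score >= 3 else "suspicious" if score == 2 else "benign"


# Constructed samples, not captures from the page
JSP_HEADERS = {"Accept": ACCEPT_BEHINDER4_DEFAULT,
               "User-Agent": next(iter(STALE_UA_SAMPLE)),
               "Content-Type": "application/octet-stream",
               "Connection": "Keep-Alive"}
PHP_HEADERS = {"Accept": ACCEPT_BEHINDER4_DEFAULT,
               "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
               "Content-Type": "application/x-www-form-urlencoded",
               "Connection": "Keep-Alive"}
PHP_BODY = "A" * 64  # stands in for an AES-encrypted, base64-encoded payload
KEYX_RESPONSE = {"Content-Length": "16"}
BROWSER_HEADERS = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                   "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                   "Content-Type": "application/x-www-form-urlencoded",
                   "Connection": "keep-alive"}
BROWSER_BODY = "user=alice&pw=x"

if __name__ == "__main__":
    for label, args in (("jsp", ("POST", JSP_HEADERS)),
                        ("php", ("POST", PHP_HEADERS, PHP_BODY)),
                        ("keyx", ("POST", {"Connection": "Keep-Alive"}, "", KEYX_RESPONSE)),
                        ("browser", ("POST", BROWSER_HEADERS, BROWSER_BODY))):
        s, why = score_behinder(*args)
        print(label, s, verdict(s), why)
```

Keep-Alive is kept at a weight of 1 on purpose: browsers send it too, so on its own it never reaches the threshold, while a browser that also happens to send application/signed-exchange lands at "suspicious" rather than "likely", which matches the page's point that these headers are only auxiliary features.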
Godzilla:
The traffic characteristics are mainly manifested in special markers in the packets and the data types. Godzilla's packets contain specific tags, such as "XORHEAD" and "XORBODY", which identify the packet as a Godzilla control command.
First generate a shell with Godzilla and connect
Execute a command
View the traffic
1. User-Agent field (weak feature): if the default is used, it exposes the JDK version in use. However, Godzilla supports custom HTTP headers, so this default feature is easily removed.
2. Accept field (weak feature): the default is text/html, application/xhtml+xml, application/xml;q=0.9, image/webp,*/*;q=0.8. As above, this can also be modified and can only serve as an auxiliary detection feature.
3. There is a very critical feature in the Cookie: a semicolon at the end. It is expected that subsequent versions will fix it.
4. The data in the response body has definite characteristics. Godzilla splits a 32-character MD5 string in half and places the halves before and after the base64-encoded data. The structure of the whole response packet is: first sixteen characters of the MD5 + base64 + last sixteen characters of the MD5.
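The two Godzilla features that survive header customisation, the trailing semicolon in the Cookie and the md5[0:16] + base64 + md5[16:32] response layout, can be checked structurally without knowing the shell password. The following is an added example written for this page, not Godzilla's own code; the sample response is constructed (a real one carries encrypted data in the base64 part, here plaintext is wrapped only to show the layout), and the password and key used to build the sample MD5 are placeholders.

```python
import base64
import hashlib
import re

# Layout from the Godzilla section: md5[0:16] + base64(data) + md5[16:32]
GODZILLA_RESPONSE = re.compile(r"^([0-9a-f]{16})([A-Za-z0-9+/]+={0,2})([0-9a-f]{16})$")


def check_godzilla_response(body: str) -> dict:
    """Split a response into md5 head, base64 middle and md5 tail if it fits the layout."""
    m = GODZILLA_RESPONSE.match(body.strip())
    if not m:
        return {"match": False}
    head, b64, tail = m.groups()
    try:
        payload = base64.b64decode(b64, validate=True)  # the middle must be real base64
    except ValueError:
        return {"match": False}
    return {"match": True, "md5": head + tail, "payload": payload}


def cookie_has_trailing_semicolon(cookie_header: str) -> bool:
    """Feature 3 above: the Godzilla client leaves a ';' at the end of the Cookie."""
    return cookie_header.rstrip().endswith(";")


def inspect_godzilla(req_headers: dict, resp_body: str) -> list:
    """Combine both checks for one request/response pair."""
    findings = []
    cookie = {k.lower(): v for k, v in req_headers.items()}.get("cookie", "")
    if cookie and cookie_has_trailing_semicolon(cookie):
        findings.append("cookie-trailing-semicolon")
    if check_godzilla_response(resp_body)["match"]:
        findings.append("md5-wrapped-base64-response")
    return findings


# Constructed sample; "pass" and "placeholderkey" are placeholders, not Godzilla defaults
SAMPLE_MD5 = hashlib.md5(b"pass" + b"placeholderkey").hexdigest()
SAMPLE_PAYLOAD = b"uid=33(www-data) gid=33(www-data)\n"
SAMPLE_RESPONSE = SAMPLE_MD5[:16] + base64.b64encode(SAMPLE_PAYLOAD).decode() + SAMPLE_MD5[16:]
SAMPLE_HEADERS = {"Cookie": "PHPSESSID=constructedsessionid;"}

if __name__ == "__main__":
    print(check_godzilla_response(SAMPLE_RESPONSE))
    print(inspect_godzilla(SAMPLE_HEADERS, SAMPLE_RESPONSE))
```

The regex relies on backtracking: hex digits are also base64 characters, so the greedy middle group first swallows the tail and then gives back exactly sixteen characters to satisfy the final group. A body of pure hex can therefore still match, which is why the base64 decode is kept as a second gate and why the page itself pairs this with the Cookie feature rather than using it alone.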