Ackcmd backdoor Analysis

By Sinbad
December 14, 2001
http://sinbad.dhs.org

Introduction
-=-=-=-=-=-=-=-=-=-=
AckCmd is a backdoor that provides a remote command shell on Windows 2000. It is carried over TCP, but instead of the normal three-way handshake it exchanges only TCP ACK packets, so it can often get through a firewall and evade IDS detection.

AckCmd has a client/server structure: the intruder runs ackcmds.exe on the target machine to plant the backdoor, then runs ackcmdc <target IP> on the client to obtain a remote shell.

Analysis
-=-=-=-=-=-=-=-=-=-=
We now use sniffit to observe how AckCmd transmits its data. The intruder at 192.168.0.29 connects to the target machine 192.168.0.2:

E:/tools> ackcmdc 192.168.0.2

AckCmd 1.1 - The ACK Command Prompt for Windows 2000
(C) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
For instructions see http://ntsecurity.nu/toolbox/ackcmd/

Type "quit" and press enter to quit

AckCmd> net name          <------ enter the command

Name
-------------
Server2000
Administrator
The command is successfully completed.

AckCmd> quit              <------ quit

Sniffit captures the following packets:

TCP Packet ID (from_IP.port-to_IP.port): 192.168.0.29.80-192.168.0.2.1054
SEQ (hex): 6060606 ACK (hex): 6060606
FLAGS: -A---- Window: 4000
Packet ID (from_IP.port-to_IP.port): 192.168.0.29.80-192.168.0.2.1054
45 00 00 38 00 00 00 00 80 06 B9 50 C0 A8 00 1D
C0 A8 00 02 00 50 04 1E 06 06 06 06 06 06 06 06
70 10 40 00 E6 C6 00 00 02 04 05 B4 01 01 04 02
6E 65 74 20 6E 61 6D 65

TCP Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
SEQ (hex): 6060606 FLAGS: ---R--
Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
45 00 00 28 04 A8 00 00 80 06 B4 B8 C0 A8 00 02
C0 A8 00 1D 04 1E 00 50 06 06 06 06 06 06 06 06
50 04 00 00 11 EB 00 00

TCP Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
SEQ (hex): 6060606 ACK (hex): 6060606
FLAGS: -A---- Window: 4000
Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
45 00 00 CD 04 A9 00 00 80 06 B4 12 C0 A8 00 02
C0 A8 00 1D 04 1E 00 50 06 06 06 06 06 06 06 06
70 10 40 00 1C C1 00 00 02 04 05 B4 01 01 04 02
0D 0A C3 FB B3 C6 20 20 20 20 20 20 20 20 20
20 20 20 20 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
2D 2D 2D 2D 2D 0D 0A 53 45 52 56 45 52 32 30 30
30 20 20 20 20 20 0D 0A 41 44 4D 49 4E 49 53
54 52 41 54 4F 52 20 20 20 0D 0A C3 FC C1 EE B3
C9 B9 A6 CD EA B3 C9 A1 A3 0D 0A 0D 0A

This operation transmitted three TCP packets in total. The client uses port 80 and the server uses port 1054, so the traffic looks like HTTP and is easily overlooked by a network administrator. The client command net name is placed in the TCP data segment in plaintext. The server immediately answers with a TCP RST packet, and once the command has executed it sends back a TCP ACK packet carrying the output. If the output is long, AckCmd returns only part of the data; the author did not take this into account in the design. You can verify this by running dir C:\winnt\system32: not all of the data comes back, and only part of the file listing is shown.

Detection
-=-=-=-=-=-=-=-=-=-=
First, the ports used (80 and 1054) are fixed. To capture the packets sent by the client (source port at TCP offset 0, destination port at offset 2), the tcpdump filter rule is:

tcp[0:2] = 80 and tcp[2:2] = 1054

After several experiments we find that the sequence number and acknowledgment number in the TCP ACK packets exchanged between them are both 0x06060606 (decimal 101058054), which is another important signature. The sequence number occupies bytes 4-7 of the TCP header and the acknowledgment number bytes 8-11, so the tcpdump filter rule is:

tcp[4:4] = 0x06060606 and tcp[8:4] = 0x06060606
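The following Python script is an added example, not part of the original article and not code from AckCmd itself. It shows what the two tcpdump rules above actually test by parsing raw IPv4/TCP packets and applying the same checks in code. The first two sample packets are the raw bytes of packets 1 and 2 from the sniffit dump in the Analysis section (hex copied from the page); the third is a constructed, ordinary HTTP response from a made-up host 10.0.0.1 that shares the 80/1054 port pair but not the fixed 0x06060606 sequence and acknowledgment numbers, which is why the port rule alone only earns a "review" verdict while the seq/ack rule is treated as conclusive.

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ACKCMD_MAGIC = 0x06060606  # fixed seq/ack value seen in the article's sniffit dump

# Packet 1 from the article: client 192.168.0.29:80 -> server 192.168.0.2:1054, ACK, "net name"
PKT_CLIENT_CMD = bytes.fromhex(
    "4500003800000000" "8006b950" "c0a8001d" "c0a80002"             # IPv4 header
    "0050041e" "06060606" "06060606" "70104000" "e6c60000"           # TCP header ...
    "020405b4" "01010402"                                            # ... with MSS/SACK options
    "6e6574206e616d65"                                               # payload "net name"
)
# Packet 2 from the article: server 192.168.0.2:1054 -> client 192.168.0.29:80, RST, no payload
PKT_SERVER_RST = bytes.fromhex(
    "4500002804a80000" "8006b4b8" "c0a80002" "c0a8001d"
    "041e0050" "06060606" "06060606" "50040000" "11eb0000"
)


def parse_ipv4_tcp(raw):
    """Return the IPv4/TCP fields a detector needs. Checksums are not verified."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        raise ValueError("not TCP")
    if total_len > len(raw) or ihl + 20 > total_len:
        raise ValueError("truncated packet")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4          # header length incl. options
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x3F,
            "window": window, "payload": tcp[data_off:]}


def flag_str(flags):
    """sniffit-style flag column, in U A P R S F order."""
    names = [(0x20, "U"), (TCP_ACK, "A"), (TCP_PSH, "P"),
             (TCP_RST, "R"), (TCP_SYN, "S"), (TCP_FIN, "F")]
    return "".join(ch if flags & bit else "-" for bit, ch in names)


def ackcmd_indicators(pkt):
    """The article's two tcpdump rules, plus the RST-echo behaviour it describes."""
    hits = []
    # Rule 1: tcp[0:2] = 80 and tcp[2:2] = 1054 (either direction of the pair)
    if {pkt["sport"], pkt["dport"]} == {80, 1054}:
        hits.append("port-pair-80-1054")
    # Rule 2: tcp[4:4] = 0x06060606 and tcp[8:4] = 0x06060606
    if pkt["seq"] == ACKCMD_MAGIC and pkt["ack"] == ACKCMD_MAGIC:
        hits.append("seq-ack-06060606")
    # The server's empty RST reply still carries the fixed sequence number
    if pkt["flags"] & TCP_RST and pkt["seq"] == ACKCMD_MAGIC and not pkt["payload"]:
        hits.append("rst-with-magic-seq")
    return hits


def verdict(hits):
    if "seq-ack-06060606" in hits or "rst-with-magic-seq" in hits:
        return "ackcmd"   # the constant seq/ack pair is specific enough on its own
    return "review" if hits else "clean"   # the port pair alone also matches real HTTP


def scan(packets):
    """One (summary line, verdict) per packet, summarised like the sniffit output."""
    report = []
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        line = "%s.%d-%s.%d %s seq=%08x ack=%08x payload=%r" % (
            p["src"], p["sport"], p["dst"], p["dport"], flag_str(p["flags"]),
            p["seq"], p["ack"], p["payload"])
        report.append((line, verdict(ackcmd_indicators(p))))
    return report


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload):
    """Build a minimal IPv4/TCP packet with zeroed checksums (constructed test input only)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


# Constructed negative control: normal HTTP on the same port pair, random-looking seq/ack.
PKT_BENIGN_HTTP = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 80, 1054, 0x12345678, 0x9ABCDEF0,
                                 TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\n")

if __name__ == "__main__":
    for line, v in scan([PKT_CLIENT_CMD, PKT_SERVER_RST, PKT_BENIGN_HTTP]):
        print(v.ljust(7), line)
```

In a real deployment the same checks belong in the capture filter or an IDS rule rather than in Python, but the point of the script is the reasoning: the port pair is a cheap first-pass filter with an obvious false-positive source, whereas a constant sequence and acknowledgment number that never advances across a whole "connection" does not occur in legitimate TCP and can be alerted on directly.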

Defects
-=-=-=-=-=-=-=-=-=-=
As the author says, this is a proof of concept for traversing a firewall with TCP ACK packets, so it is not polished. Data is transmitted in clear text, and ackcmds.exe is visible in the Win2000 Task Manager process list, so it is not hard to find afterwards.
