cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was originally released in 2000. The cd00r source code is primarily based on a packet-capturing program: it uses a sniffer to listen for a specific sequence of network traffic, a "secret knock", before executing the attacker's code.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1040 | Network Sniffing | cd00r can use the libpcap library to monitor captured packets for specific sequences.[1]
Enterprise | T1095 | Non-Application Layer Protocol | cd00r can monitor incoming C2 communications sent over TCP to the compromised host.[1][2]
Enterprise | T1016 | System Network Configuration Discovery | cd00r can discover the IP for the network interface on the compromised device.[1]
Enterprise | T1205.001 | Traffic Signaling: Port Knocking | cd00r can monitor for single TCP SYN packets sent in sequence to a configurable set of ports (200, 80, 22, 53 and 3 in the original code) before opening a port for communication.[1][2]
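The knock described above (a bare SYN to each port of the sequence, in order) is visible in ordinary connection or flow logs, so a defender can hunt for it. The following is an added detection example, not cd00r's own code; the port list is the one quoted on this page, the 60-second window and the constructed log records are assumptions.

```python
# Added example (not from cd00r): flag a source that completes a port-knock
# sequence such as the one cd00r's original code listens for (200, 80, 22, 53, 3).
from collections import defaultdict

KNOCK_SEQUENCE = (200, 80, 22, 53, 3)  # default ports from the page; configurable in cd00r
WINDOW_SECONDS = 60.0                  # assumption: a real knock completes within a minute


def detect_knocks(events, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """events: iterable of (timestamp, src_ip, dst_ip, dst_port, tcp_flags) records,
    e.g. from a firewall or flow log. Returns [(src_ip, dst_ip, completion_ts), ...]
    for every (src, dst) pair that hit the whole sequence in order within `window`."""
    # per (src, dst): (next index expected in `sequence`, timestamp of first knock)
    progress = defaultdict(lambda: (0, None))
    alerts = []
    for ts, src, dst, port, flags in sorted(events, key=lambda e: e[0]):
        if flags != "S":                  # only bare SYNs count as knocks
            continue
        key = (src, dst)
        idx, start = progress[key]
        if start is not None and ts - start > window:
            idx, start = 0, None          # too slow: discard the partial sequence
        if port == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):      # full knock seen: raise an alert
                alerts.append((src, dst, ts))
                idx, start = 0, None
        elif port == sequence[0]:
            idx, start = 1, ts            # the source started the sequence over
        else:
            idx, start = 0, None          # assumption: any out-of-order SYN resets
        progress[key] = (idx, start)
    return alerts


# Constructed sample log: one host completes the knock, another only hits
# unrelated ports and a partial, out-of-order sequence.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", 200, "S"),
    (1.0, "10.0.0.5", "192.0.2.10", 80, "S"),
    (2.0, "10.0.0.5", "192.0.2.10", 22, "S"),
    (3.0, "10.0.0.5", "192.0.2.10", 53, "S"),
    (4.0, "10.0.0.5", "192.0.2.10", 3, "S"),
    (5.0, "10.0.0.9", "192.0.2.10", 80, "S"),    # ordinary web traffic
    (6.0, "10.0.0.9", "192.0.2.10", 200, "S"),
    (7.0, "10.0.0.9", "192.0.2.10", 22, "S"),    # wrong order: 80 was expected
]

if __name__ == "__main__":
    for src, dst, ts in detect_knocks(SAMPLE_EVENTS):
        print(f"knock sequence completed: {src} -> {dst} at t={ts}")
```

Because the knock ports (such as 22, 53 and 80) carry legitimate traffic individually, the signal is the ordered sequence from one source, not any single SYN.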