Frequently Asked Questions
How exactly does this exploit work?
This is not an exploit. You cannot own any machine using it. You cannot backdoor anything without the keys to its front door. It is just a tool to maintain remote access to a machine in certain restricted scenarios.
Is it safe?
You are the only one who can answer that question. If you are concerned about security issues you should always enable the -e flag. However, you must be aware that although matahari is developed with some security in mind, she probably contains bugs that have yet to be discovered. Her very nature is stealthy enough to live undetected on most networks, and even after being discovered by some wicked mind she should be able to stand against typical and easy attacks (namely MITM, IP spoofing and retransmission/replay attacks).
Encryption uses the ARC4 algorithm from the python-crypto package. Each HTTP interaction is encrypted with a fresh key obtained by SHA hashing a pre-shared key together with a nonce. You should read this, this and this if you are concerned about security issues. If you desperately need to use matahari in a very hostile environment you should change your encryption password regularly, and always after intense traffic sessions. This way you reduce the chance of success for an eavesdropper performing cryptanalysis on your traffic.
Security is a trade-off. You must weigh the risk and decide for yourself whether you can afford it when running matahari.
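The per-interaction key scheme above is the reason the nonce must never repeat: a stream cipher such as ARC4 reuses its whole keystream when the key repeats, so two ciphertexts under one key XOR to the XOR of the plaintexts. The following is an added illustration, not matahari's own code; it assumes SHA-256 over psk||nonce (the FAQ only says "SHA hashing a pre-shared key with a nonce") and carries its own small RC4 so it runs without python-crypto.

```python
import hashlib
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (ARC4) keystream, included so the demo is self-contained."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(psk: bytes, nonce: bytes) -> bytes:
    # Assumed construction (hash and ordering are not specified by the FAQ).
    return hashlib.sha256(psk + nonce).digest()


def fresh_nonce() -> bytes:
    """A fresh random nonce for each HTTP interaction (what makes the key 'fresh')."""
    return os.urandom(16)


def encrypt(psk: bytes, nonce: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: calling this twice with the same key decrypts."""
    ks = rc4_keystream(derive_key(psk, nonce), len(data))
    return bytes(p ^ k for p, k in zip(data, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reused(psk: bytes, n1: bytes, m1: bytes, n2: bytes, m2: bytes) -> bool:
    """True when c1 XOR c2 == m1 XOR m2, i.e. the keystream was shared between the
    two interactions. With this derivation that happens exactly when n1 == n2."""
    c1, c2 = encrypt(psk, n1, m1), encrypt(psk, n2, m2)
    k = min(len(c1), len(c2))
    return xor_bytes(c1[:k], c2[:k]) == xor_bytes(m1[:k], m2[:k])
```

Rotating the pre-shared key, as the FAQ recommends, bounds how much traffic any one psk protects; generating nonces with fresh_nonce() keeps keystream_reused() false within that window.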
Can you add feature X?
Suggestions are very welcome. Just contact me and I will see what I can do.
What are polling types?
matahari does not wait to receive commands to execute; she requests them. Remember she is supposed to be operating behind a firewall, so no inbound connection can be made. She will periodically send HTTP requests to try to get another command to execute, and it is precisely the time between requests that you configure with the -T option. Current polling types are:
- insane: 10 seconds between requests
- agressive: 25 seconds between requests
- normal: 60 seconds between requests
- polite: 5 mins between requests
- paranoid: 30 mins between requests
- stealth: 60 mins between requests
- adaptative: dynamically increases the polling period when no commands are received, until reaching the stealth period.
Polling type can be changed at runtime by sending a specially crafted command to the client. The syntax is "%polling-type", for example %agressive.