Full Version: Getting Back In...
Eyeless
When I break into a Windows box the first thing I do is share C:, create an admin user and then they are owned... Or sometimes for shits and giggles I use a backdoor...(well only recently as I just figured out how...) This works fine, however they are easily discovered and when I get a good server I want to keep it longer than the next check by the admin... What other ways of securing a way back in are there? Preferably something not so obvious... I'm wondering what other people's standard practice is also.. Thanks for the replies..
enemc
Hi, I use

remote administrator,
winvnc,
servu5.0.0.4,
optix 1.32,(not often)
icmd (starting telnet with pass),

and a rootkit with hxdef...

I try to get the SAM file to crack it.. they're often sharing c:\ but you don't know the login..

Eyeless
lol, here

net share c=c:\

net user username password /add

net localgroup administrators username /add

then go to a command prompt on YOUR puter and type this

net use j: \\server\c password /user:server\username

now go to MY COMPUTER, there should be a network drive j:, open it and you're in...

But sometimes the service is stopped and sometimes I can't start it with a net start.. but I'm sure there's probably a way..
Niekos
Some possible ways...

1. An undetected backdoor that runs only an hour a day. So you can connect to the PC only 1 hour a day. So it's very hard for the Administrator to see. It's not that hard to make something like that. I made it myself too. So you connect in that hour and do what you want with it when you need the server.

2. Make a 2nd account with admin rights.

I'm too tired to think of something else. I just use a backdoor combined with an IRC bot. So it listens all the time but I don't lose many servers with this method.
Eyeless
Really, mine get dumped after the first check by the admin... Funny that your admins don't use netstat... Maybe you don't have important servers either, or REALLY lazy admins.. And don't tell me to use a netstat fake now... Has anyone tried to create a new user and had the system tell you "The remote procedure call failed"?? In this case, WTF can I do?
-Arthy-
Actually I don't use a backdoor.
That's because I'm too lazy to code one, and I'm too lazy to search for one.
At least till now

Anyways, I use quite a good rootkit; if an admin discovers my rootkit he'll definitely find my backdoor too, but that's only if it's running of course.
And that's why I really like the idea of a 1 hour active backdoor!
w0bbes
I do prefer a backdoor such as winshell, it provides good options and has an easy to use cmd..

you can get it here I think

hxxp://www.winshell.de/
cagontoo
some AVs detect winshell ...
Niekos
QUOTE (cagontoo @ Apr 27 2004, 04:29 PM)
some AVs detect winshell ...

Make it undetected. Not that big of a problem.
Forge
OK OK, I use a modified version of Net Cat....it has a service adder and a password so not just anyone can get it...it installs itself into an NTFS filesystem stream so the file can't be found....then it changes modification dates so no one knows what's going on...then I got a patcher for netcat so there ya go....never gets detected cause it just sits there, I still have active boxes from the old DCOM days. That's probably the best way to go...just write your own or modify someone else's.
st3@1th
QUOTE
When I break into a windows box first thing I do is share C:


Uhhh, that doesn't ring any bells?? Even a user would probably notice that. Besides, if the sharing/server service is enabled, C$ is enabled by default, so all you need is an admin account and you have access to the whole drive.

Adding an account is the second most obvious problem. An admin will notice even if they never touch the command line.

Anyway your best bet is to use a backdoor/rootkit and don't make any other modifications; that way, unless they're checking their ports, they won't notice. If they do then you're dealing with a cautious, halfway decent admin at least, and you need to get creative. Like scheduled backdoors etc.
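A defender-side check for the traces that the share / add-user / add-to-Administrators sequence Eyeless posted (and the default C$ share and "an admin will notice a new account" points st3@1th makes) leaves on a host, added here as an example and not code from the thread. It assumes a current Windows host with the SmbShare and LocalAccounts modules, an elevated session, and an allow list ($ExpectedAdmins, a name I chose) that you tailor to the machine.

```powershell
# Added audit example (not from the thread): hunts for the artifacts left by
# "net share c=c:\", "net user x y /add" and "net localgroup administrators x /add".
# Assumes Get-SmbShare, Get-LocalGroupMember and Get-WinEvent are available and
# that the script runs elevated. $ExpectedAdmins is a hypothetical allow list.
param(
    [int]$Days = 7,
    [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")
)

function Get-SuspiciousShares {
    # Administrative shares (C$, ADMIN$, IPC$) have Special = $true and exist by
    # default; a hand-added share that exposes a drive root is the thing to look for.
    Get-SmbShare | Where-Object { -not $_.Special } |
        Select-Object Name, Path,
            @{ n = 'DriveRoot'; e = { $_.Path -match '^[A-Za-z]:\\?$' } }
}

function Get-UnexpectedAdmins {
    # Any member of the local Administrators group that is not on the allow list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ExpectedAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-PersistenceEvents {
    # Security log: 4720 = user account created, 4732 = member added to a
    # security-enabled local group, 5142 = network share object added.
    # 4720/4732 are logged under the default server audit policy; 5142 requires
    # the "Audit File Share" subcategory to be enabled.
    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4732, 5142
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]
            }
        } | Sort-Object Time
}

"== Non-default SMB shares =="
Get-SuspiciousShares | Format-Table -AutoSize
"== Administrators group members not on the allow list =="
Get-UnexpectedAdmins | Format-Table -AutoSize
"== Account / group / share changes in the last $Days days =="
Get-PersistenceEvents | Format-Table -AutoSize
```

Run it periodically and diff the output against a known-good baseline; a share rooted at C:\ or an Administrators member you did not add is worth an incident ticket even if the account has since been deleted, because the 4720/4732 events survive the cleanup.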
rpm
Yoda crypt it
Eyeless
LOL @st3@1th - That is only to further compromise the system, the account and share are removed afterwards.
st3@1th
Sharing C drive on most windows setups is still, as I said, redundant.
SlippyG
QUOTE (st3@1th @ Apr 28 2004, 08:28 PM)
Sharing C drive on most windows setups is still, as I said, redundant.

Absolutely.


Personally I just backdoor at the NDIS so that I can get access without appearing on netstat, without an open socket, and using any routed protocol (or even unroutable if I'm on the same LAN).

The good thing about this is that because you are already at the kernel you're below any local firewall or AV and so nothing running on the target machine will be able to trip or filter the packets. Especially true since you're not propagating those packets up the TCP/IP stack chains and even the miniport drivers don't get a look in.

Of course, there's still hardware/enterprise firewalls to get past, but it is so much easier when you're protocol independent. NAT/PAT notwithstanding.

Top this off with a tiny VxD to misreport the backdoored file on disk reads and the backdoored file is apparently unchanged - and, just to paint over the cracks, it also misreports itself once loaded. Filesystem looks intact!

Of course, nothing lasts forever - even all this won't protect you from an admin who remotely deploys snapshots throughout the entire organisation every weekend, but hey, every problem has its solution <G>


Sharing folders/drives is a great way to get spotted and anything that opens a socket is easy prey for everything from netstat to firewalls. Sure, you could kill the firewall but that's even louder than sharing folders.


SG
Invision Power Board © 2001-2005 Invision Power Services, Inc.