Planting a Backdoor: There are many ways to plant a backdoor on a system, but let’s look at one provided via the PsTools suite.
This suite includes a mixed bag of utilities designed to ease system administration. Among these tools is PsExec, which is designed to run commands interactively or noninteractively on a remote system.
Initially, PsExec may seem similar to Telnet or Remote Desktop, but it does not require installation on the local or remote system in order to work. PsExec need only be copied to a folder on the local system and run with the appropriate switches.
Let’s look at some of the commands you can use with PsExec:
- The following command launches an interactive command prompt on a system named \\zelda: psexec \\zelda
- This command executes ipconfig on the remote system with the /all switch and displays the resulting output locally: psexec \\zelda ipconfig /all.
- This command copies the program rootkit.exe to the remote system and executes it interactively: psexec \\zelda -c rootkit.exe.
- This command copies the program rootkit.exe to the remote system and executes it interactively using the administrator account on the remote system: psexec \\zelda -u administrator -c rootkit.exe.
As these commands illustrate, it is possible for an attacker to run an application on a remote system quite easily. The next step is for the attacker to decide what to do or what to run on the remote system. Some of the common choices are Trojans, rootkits, and backdoors.
Other utilities that may prove helpful in attaching to a system remotely are the following:
PDQ Deploy This utility is designed to assist with the deployment of software to a single system or to multiple systems across a network. This utility is designed to integrate with Active Directory as well as other software packages.
RemoteExec This utility is designed to work much like PsExec, but it also makes it easy to restart, reboot, and manipulate folders on the system.
DameWare This is a set of utilities used to remotely administer and control a system. Much like the other utilities on this list, it is readily available and may not be detected by antivirus utilities. DameWare also has the benefit of working across platforms such as Windows, OS X, and Linux.
Netcat This utility is a simple yet effective application that can be used to open a backdoor on a system once it has been planted there.
In this exercise you will see how to use Netcat to establish a connection to a remote host. To perform this activity you will need to be running a Kali Linux client and have a target system running Windows or Kali.
- On the target system, start up Netcat by running the following command: nc -l -p 1313
This command tells Netcat to listen (-l) on a specific port (-p), here set to 1313 (it could be any available port number).
- On the Kali client, initiate a connection to the target by issuing the following command: nc <target ip address> 1313
This command tells the client to locate the target and connect to port 1313.
- In the console window that appears, you can now enter commands that will be executed on the remote system.
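From the defender's side, the PsExec and Netcat invocations shown above leave recognisable process-creation records. The following is an added example, not code from the book or from the PsTools or Netcat projects: a small Python detector that scans constructed log lines for the psexec -c / -u pattern and for Netcat listeners (nc -l -p). The key=value log format, host names, and severity labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation records (sample data, not from any real host).
SAMPLE_LOGS = [
    r'host=ws01 user=alice cmd="psexec \\zelda ipconfig /all"',
    r'host=ws01 user=alice cmd="psexec \\zelda -c rootkit.exe"',
    r'host=ws01 user=alice cmd="psexec \\zelda -u administrator -c rootkit.exe"',
    r'host=zelda user=bob cmd="nc -l -p 1313"',
    r'host=ws02 user=carol cmd="nc 10.0.0.5 1313"',
    r'host=ws02 user=carol cmd="notepad.exe report.txt"',
]

CMD_RE = re.compile(r'cmd="([^"]*)"')  # assumed log format: cmd="<command line>"

@dataclass
class Finding:
    line: str
    rule: str       # which pattern matched
    severity: str   # "low", "medium" or "high" (labels are assumptions)
    detail: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for remote-execution or listener activity, else None."""
    m = CMD_RE.search(line)
    if not m or not m.group(1).split():
        return None
    argv = m.group(1).split()
    exe = argv[0].lower().rsplit("\\", 1)[-1]   # strip any directory prefix
    args = [a.lower() for a in argv[1:]]
    if exe in ("psexec", "psexec.exe"):
        target = next((a for a in args if a.startswith("\\\\")), "?")
        if "-c" in args:
            # -c copies a local binary to the target and runs it; -u adds explicit credentials
            sev = "high" if "-u" in args else "medium"
            return Finding(line, "psexec_copy_and_run", sev, f"target={target}")
        return Finding(line, "psexec_remote_command", "low", f"target={target}")
    if exe in ("nc", "nc.exe", "ncat", "netcat"):
        if "-l" in args:   # listener: the backdoor side of the exercise above
            i = args.index("-p") + 1 if "-p" in args else len(args)
            port = args[i] if i < len(args) else "?"
            return Finding(line, "netcat_listener", "high", f"port={port}")
        return Finding(line, "netcat_outbound", "medium", "dest=" + " ".join(args))
    return None

def scan(lines) -> List[Finding]:
    return [f for f in (classify(l) for l in lines) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity:6}] {f.rule:24} {f.detail}")
```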