
Thread: Hypothetical backdoor detection

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Posts
    37

    Default Hypothetical backdoor detection

    Ok, here's a hypothetical bit of espionage that I have a few questions about. Please feel free to simply respond with search terms that aren't "detecting backdoor" or "backdoor" in addition to answers to the questions. Also, assume a Windows Active Directory environment with Linux back-office systems.

    If you were going to put in a back door that was as undetectable as possible, what mechanisms would you use to stealth it, and what additional techniques could be used to pick up the back door?

    If someone only had access to the compromised network and a limited time budget (meaning network scanning tools would be most efficient), what scans besides nmap and nessus would you run?

    What behavior should be scanned for? VNC Servers where none should be? How can one find rogue vpn sessions?

    How would someone get past a generic corporate class firewall and access the internal network once a machine has been compromised? Or would one simply try to compromise a system in the dmz?

    Based on the type of resource, what backdoors might be optimal? Like what would be best for snooping email? File servers? Databases? How can one scan for these?

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Please refer to :
    http://forums.remote-exploit.org/showthread.php?t=8808

    Bullets #1 and #7.

    If someone only had access to the compromised network and a limited time budget (meaning network scanning tools would be most efficient), what scans besides nmap and nessus would you run?
    This is dependent on multiple variables, including (but not limited to): time, interest, potential return, information needed, target type/config, etc...

    What behavior should be scanned for?
    Any and all anomylous behavior (which assume a baseline against which to compare or intimate knowledge of the environment).
    VNC Servers where none should be?
    That's always a good move
    How can one find rogue vpn sessions?
    Traffic analysis.

    How would someone get past a generic corporate class firewall and access the internal network once a machine has been compromised?
    If you compromised a machine, aren't you past the FW?
    Or would one simply try to compromise a system in the dmz?
    You could.

    Based on the type of resource, what backdoors might be optimal?
    Again, this answer depends on too many variables. How attentive are the sysadmins? What type of systems? What type of services are offered? How much legitimate traffic is there?
    Like what would be best for snooping email? File servers? Databases?
    Tools designed to "snoop" those services
    How can one scan for these?
    This is a PenTesting 101 type question, if you don't know the answer you're in way over your head.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Posts
    37

    Default

    Ok, let's try this again.

    Play along and assume that I'm not trying to break into a corporate network; let's assume that an outsider has already done so.

    In that case, the baseline includes the "anomylous" behavior because the network has already been compromised. What would be the best way to get a baseline of the network? Or would baseline tools be suspect and we'd just have to rely on the intimate knowledge already installed?

    Do you have any additional examples to look for in terms of ways of retaining a back door? (in addition to vpn or vnc).

    If you compromised a machine, aren't you past the FW?
    It's possible to send a payload via a specifically targeted email, via walking in (as an employee that left, or a "visitor"), or another method that involves physically or socially bypassing the firewall and that might not be optimal for reuse. The answer to the quoted question might be "no". So now that you've compromised a machine by skipping the firewall, how might one get back into that machine through the firewall?

    Tools designed to "snoop" those services
    Care to share any examples of scanners that can detect those tools?

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    So if I understand you correctly, you have knowledge of a compromised network in which you are trying to detect and gain access to a back door already in place? The problem here is you are trying to run (no, fly) before you even crawl. You have asked enough questions to compose a small pentesting book. I can help you out, but you have to provide some details. Pentesting is, like thorin said, DEPENDENT on MANY variables, and what makes a good tester is the ability to evaluate a situation and choose the most effective course of action. So basic info is needed. I could tell you how to create a backdoor bound to a legit .exe and even help inject it, but it does little good until the attack is tailor-made for the network. If you're looking for a back door, try a port scan and then match the ports up with their protocols. There's only about 6335 or so to check. Anyway, a good back door will mask itself as a legitimized service.
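    The "match the ports up with their protocols" step from a defender's side, as an added example that is not code from this thread or from anyone posting in it: it assumes you recorded a per-host baseline of (protocol, port) -> owning process while the host was known-good, and it reads a simplified listener listing (in the spirit of `netstat -anob` output, reduced to five columns). It reports three things a masquerading backdoor tends to produce: a listener on a port the baseline never had, a known port now owned by a process with a lookalike name, and a baseline service that has silently disappeared. Host names, process names and the baseline itself are constructed for the example.

```python
"""Diff a host's listening sockets against a known-good baseline (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int
    process: str


# Constructed baseline for one Windows host: what "normal" looked like when it
# was built. Key is (protocol, port), value is the expected owning process.
BASELINE = {
    ("tcp", 80): "System",        # IIS listens via http.sys under PID 4
    ("tcp", 135): "svchost.exe",  # RPC endpoint mapper
    ("tcp", 445): "System",       # SMB
    ("tcp", 3389): "svchost.exe", # Remote Desktop
}

# Constructed current listing: proto local_address state pid process
CURRENT = """\
tcp 0.0.0.0:80 LISTENING 4412 svc_host.exe
tcp 0.0.0.0:135 LISTENING 880 svchost.exe
tcp 0.0.0.0:445 LISTENING 4 System
tcp 0.0.0.0:5900 LISTENING 3320 winvnc.exe
"""


def parse_listeners(text):
    """Parse the five-column listing into Listener records, skipping non-LISTENING rows."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "LISTENING":
            continue
        proto, local, _state, pid, process = parts
        port = int(local.rsplit(":", 1)[1])   # works for 0.0.0.0:80 and [::]:80 alike
        out.append(Listener(proto, port, int(pid), process))
    return out


def diff_against_baseline(listeners, baseline):
    """Return (kind, proto, port, detail) findings sorted by port.

    kinds: unexpected_listener  - port not in the baseline at all
           process_mismatch     - baseline port, but a different owning process
           missing_service      - baseline entry with no listener any more
    """
    findings = []
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        expected = baseline.get(key)
        if expected is None:
            findings.append(("unexpected_listener", l.proto, l.port,
                             f"{l.process} (pid {l.pid})"))
        elif l.process != expected:
            findings.append(("process_mismatch", l.proto, l.port,
                             f"expected {expected}, got {l.process} (pid {l.pid})"))
    for (proto, port), expected in baseline.items():
        if (proto, port) not in seen:
            findings.append(("missing_service", proto, port,
                             f"{expected} no longer listening"))
    return sorted(findings, key=lambda f: (f[2], f[0]))


if __name__ == "__main__":
    for kind, proto, port, detail in diff_against_baseline(parse_listeners(CURRENT), BASELINE):
        print(f"{kind:20s} {proto}/{port:<5d} {detail}")
```

    The point of the baseline is that a listener on 80 owned by "svc_host.exe" looks perfectly normal to a port scan alone; only the recorded owner makes the mismatch visible. A missing service is reported too, because an attacker who replaces a service with their own listener removes the original, and that absence is as much a signal as the new listener.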

  5. #5
    Developer balding_parrot's Avatar
    Join Date
    May 2007
    Posts
    3,399

    Default

    Quote Originally Posted by purehate View Post
    Theres only about 6335 or so to check.
    65536 ports

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by balding_parrot View Post
    65536 ports
    65535, port 0 doesn't count.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  7. #7
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    I knew I missed a number. thanks for the correction

  8. #8
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    Quote Originally Posted by streaker69 View Post
    65535, port 0 doesn't count.
    no wonder this doesn't work

    bt~# exploit.py www.hackmybox.com -p 0

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by fds42 View Post
    Ok, let's try this again.

    Play along and assume that I'm not trying to break into a corporate network; let's assume that an outsider has already done so.

    In that case, the baseline includes the "anomylous" behavior because the network has already been compromised. What would be the best way to get a baseline of the network? Or would baseline tools be suspect and we'd just have to rely on the intimate knowledge already installed?
    /me hangs his head in shame, I made a spelling error, it should be "anomalous". If you're doing some type of incident response then you'd either have to have good knowledge of the system/network or have other baselines (i.e. a company in the health sector with 50 employees' traffic usually looks like xyz).

    Do you have any additional examples to look for in terms of ways of retaining a back door? (in addition to vpn or vnc).
    RAdmin, Remote Desktop, IRC, http, https, ftp, tftp, dns, email, etc. etc. Basically any communication protocol could be hijacked to use an existing backdoor.

    It's possible to send a payload via a specifically targeted email, via walking in (as an employee that left, or a "visitor"), or another method that involves physically or socially bypassing the firewall and that might not be optimal for reuse. The answer to the quoted question might be "no". So now that you've compromised a machine by skipping the firewall, how might one get back into that machine through the firewall?
    See previous answer

    Care to share any examples of scanners that can detect those tools?
    Again, this can be any number of generalized tools (nmap, amap, etc...) or specialized tools (SCUBA, ike-scan, nbtstat, ettercap, etc...)
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
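    The "traffic analysis" answer from earlier in the thread and the point above that any protocol can carry an existing backdoor both come down to the same defender's question: which outbound sessions does the baseline not explain? As an added example that is not code from this thread or its posters, the block below works on constructed flow records (start time, duration, source host, destination, port, protocol) and flags two patterns: connections to the same destination that recur at a near-constant interval, which is how a backdoor that calls home over http/https/dns tends to look, and long-lived sessions to destinations outside an allowlist, which is the shape of a rogue VPN tunnel. The hosts, addresses, allowlist and thresholds are all assumptions for the example.

```python
"""Flag outbound sessions a baseline does not explain (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_epoch, duration_s, src, dst, dport, proto)
FLOWS = [
    # ws1: one connection to the same external host every 300 s (beacon-like)
    *[(1000 + 300 * i, 2, "ws1", "203.0.113.7", 443, "tcp") for i in range(8)],
    # ws2: ordinary bursty browsing to a known SaaS host
    (1000, 3, "ws2", "198.51.100.20", 443, "tcp"),
    (1005, 1, "ws2", "198.51.100.20", 443, "tcp"),
    (1125, 4, "ws2", "198.51.100.20", 443, "tcp"),
    (1128, 1, "ws2", "198.51.100.20", 443, "tcp"),
    (1528, 2, "ws2", "198.51.100.20", 443, "tcp"),
    (1540, 5, "ws2", "198.51.100.20", 443, "tcp"),
    # ws3: a single two-hour UDP session to an unknown host on the OpenVPN port
    (1000, 7200, "ws3", "203.0.113.9", 1194, "udp"),
]

# Constructed allowlist: destinations the baseline already explains.
ALLOWLIST = {"198.51.100.20"}


def find_beacons(flows, min_count=5, max_cv=0.1):
    """Return (src, dst, dport, period_s) for destination pairs contacted at a
    near-constant interval: at least min_count flows whose inter-arrival
    coefficient of variation (pstdev / mean) is at most max_cv."""
    starts = defaultdict(list)
    for start, _dur, src, dst, dport, _proto in flows:
        starts[(src, dst, dport)].append(start)
    hits = []
    for (src, dst, dport), times in sorted(starts.items()):
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, dport, float(avg)))
    return hits


def find_long_sessions(flows, allowlist, min_duration=3600):
    """Return (src, dst, dport, duration_s) for sessions at least min_duration
    long whose destination is not on the allowlist."""
    return [(src, dst, dport, dur)
            for _start, dur, src, dst, dport, _proto in flows
            if dur >= min_duration and dst not in allowlist]


if __name__ == "__main__":
    for src, dst, dport, period in find_beacons(FLOWS):
        print(f"beacon-like: {src} -> {dst}:{dport} every {period:.0f}s")
    for src, dst, dport, dur in find_long_sessions(FLOWS, ALLOWLIST):
        print(f"long session: {src} -> {dst}:{dport} for {dur}s, not allowlisted")
```

    The coefficient of variation is what separates a beacon from ordinary use: ws2's gaps (5, 120, 3, 400, 12 seconds) have a CV above 1, while ws1's are identical and score 0. A real implant adds jitter, so in practice the threshold is tuned against the baseline rather than fixed; raising `max_cv` trades more false positives for catching jittered callbacks, and the long-session check catches the tunnel case where there is only one flow and no interval to measure at all.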

  10. #10
    Junior Member
    Join Date
    Sep 2007
    Posts
    37

    Default

    Quote Originally Posted by purehate View Post
    So if I understand you correctly, you have knowledge of a compromised network in which you are trying to detect and gain access to a back door already in place?
    Almost, I don't want to gain access to it. Reverse engineering and forensic analysis would be a better goal.
