Hypothetical backdoor detection

[fds42]

Ok, here's a hypothetical bit of espionage that i have a few questions about. Please feel free to simply respond with search terms that aren't "detecting backdoor" or "backdoor" in addition to answers to questions. Also, assume a windows active directory environment with linux back office systems.

If you were going to put in a back door that was as undetectable as possible, what mechanisms would you use to stealth it, and what additional techniques could be used to pick up the back door?

If someone only had access to the compromised network and a limited time budget (meaning network scanning tools would be most efficient), what scans besides nmap and nessus would you run?

What behavior should be scanned for? VNC Servers where none should be? How can one find rogue vpn sessions?

How would someone get past a generic corporate class firewall and access the internal network once a machine has been compromised? Or would one simply try to compromise a system in the dmz?

Based on the type of resource, what backdoors might be optimal? Like what would be best for snooping email? File servers? Databases? How can one scan for these?

[thorin]

Please refer to :
http://forums.remote-exploit.org/showthread.php?t=8808

Bullets #1 and #7.

If someone only had access to the compromised network and a limited time budget (meaning network scanning tools would be most efficient), what scans besides nmap and nessus would you run?

This is dependant on multiple varables, including (but not limited to): time, interest, potential return, information needed, target type/config, etc...

What behavior should be scanned for?

Any and all anomylous behavior (which assume a baseline against which to compare or intimate knowledge of the environment).

VNC Servers where none should be?

That's always a good move

How can one find rogue vpn sessions?

Traffic analysis.

How would someone get past a generic corporate class firewall and access the internal network once a machine has been compromised?

If you compromised a machine aren't you passed the FW?

Or would one simply try to compromise a system in the dmz?

You could.

Based on the type of resource, what backdoors might be optimal?

Again this answer depends on too many variables. How attendtive are the sysadmins? What type of systems? What type of services are offered? How much legitimate taffic is there?

Like what would be best for snooping email? File servers? Databases?

Tools designed to "snoop" those services

How can one scan for these?

This is a PenTesting 101 type question, if you don't know the answer you're in way over your head.

[fds42]

Ok, lets try this again.

Play along and assume that i'm not trying to break into a corporate network, lets assume that an outsider has already done so.

In that case, the baseline includes the "anomylous" behavior because the network has already been compromised. What would be the best way to get a baseline of the network? Or would baseline tools be suspect and we'd just have to rely on the intimate knowledge already installed?

Do you have any additional examples to look for in terms of ways of retaining a back door? (in addition to vpn or vnc).

If you compromised a machine aren't you passed the FW?

Its possible to send a payload via a specifically targeted email, via walking in (as an employee that left, or a "visitor"), or other method that involves physically or socially bypassing the firewall that might not be optimal for reuse. The answer to the quoted question might be "no". So now that you've compromised a machine by skipping the firewall, how might one get back into that machine through the firewall?

Tools designed to "snoop" those services

Care to share any examples of scanners that can detect those tools?

[purehate]

So if i understand you correctly you have knowledge of a comprimized network which you are trying to detect and gain access to a back door already in place? The problem here is you are trying to run (no fly) before you even crawl. You have asked enough questions to compose a small pentesting book. I can help you out but you have to provide some details. Pentesting is like thorin said DEPENDENT on MANY variables and what makes a good tester is the ability to evaluate a situation and choose the most effective course of action. So basic info is needed. I could tell you how to create a backdoor binded with a legit .exe and even help inject it but it does little good until the attack is taylormade for the network. If your looking for a back door try a port scan and then match the ports up with their protocols. Theres only about 6335 or so to check. Anyway a good back door will mask it self as a legitimized service

[balding_parrot]

Theres only about 6335 or so to check.

65536 ports

[streaker69]

65536 ports

65535, port 0 don't count.

[purehate]

I knew I missed a number. thanks for the correction

[purehate]

65535, port 0 don't count.

no wonder this doesn't work

bt~# exploit.py www.hackmybox.com -p 0

[thorin]

Ok, lets try this again.

Play along and assume that i'm not trying to break into a corporate network, lets assume that an outsider has already done so.

In that case, the baseline includes the "anomylous" behavior because the network has already been compromised. What would be the best way to get a baseline of the network? Or would baseline tools be suspect and we'd just have to rely on the intimate knowledge already installed?

/me hangs his head in shame, I made a spelling error, it should be "anomalous". If you're doing some type of incident response then you'd either have to have good knowledge of the system/network or have other baselines (ie: a company in the health sector with 50 employees traffic usually looks like xyz).

Do you have any additional examples to look for in terms of ways of retaining a back door? (in addition to vpn or vnc).

RAAdmin, RemoteDesktop, IRC, http, https, ftp, tftp, dns, email, etc etc basically any communication protocol could be hi-jacked to use an existing backdoor.

Its possible to send a payload via a specifically targeted email, via walking in (as an employee that left, or a "visitor"), or other method that involves physically or socially bypassing the firewall that might not be optimal for reuse. The answer to the quoted question might be "no". So now that you've compromised a machine by skipping the firewall, how might one get back into that machine through the firewall?

See previous answer

Care to share any examples of scanners that can detect those tools?

Again this can be any number of generalized tools (nmap, amap, etc...) or specialized tools (SCUBA, ikescan, nbtstat, ettercap, etc...)

[fds42]

So if i understand you correctly you have knowledge of a comprimized network which you are trying to detect and gain access to a back door already in place?

Almost, I don't want to gain access to it. Reverse engineering and forensic analysis would be a better goal.