A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. Nowadays, large organizations deploy Intrusion Detection Systems (IDS) to detect attacks directed at their online resources. This reduces the chances of a successful attack; however, attackers can still use client-side attacks to compromise and gain control of remote systems.
In this post, we shall see in practice one of the commonly used methods, backdooring an executable, that leads to a successful attack. It might look intimidating if you are seeing this for the first time, but don't be put off: as you continue to follow these posts, everything will become clear and start making sense. Hopefully you will enjoy this just as I did while preparing it.
To begin, we need an executable to carry our backdoor. And when I say any executable, I mean ANY: Adobe Reader, VLC media player, a web browser, and so on. Since most of us like movies, I will download the latest version of VLC media player for 32-bit Windows.
Great!
We have two options for creating the backdoor: manually appending our malicious shellcode and then modifying the program's execution flow, or using the Metasploit Framework. In this post we shall use the second method, which is easier to understand for the time being; however, it is important to know both, as we shall see in later posts.
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive and related research. The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework. You can download it from their website www.metasploit.com; in my case I am using Kali Linux, which comes pre-loaded with the Metasploit Framework. You can also download and install Kali Linux from www.kali.org.
So far so good! On the console, I used the Metasploit payload called reverse https, followed by the local IP address and port that I will use to receive the connection from the remote machine. I encoded this payload with three iterations to avoid antivirus and IDS detection. Finally, the downloaded VLC installer is passed as input, along with the name of the output malicious VLC backdoor.
Perfect!
Now that we have our backdoor, we need to send it to our victim's machine for execution, while on our attacking machine we set up a listener waiting for a remote connection. This is where social engineering comes into play. Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
After spending time and money, we can successfully convince our user to install our malicious VLC backdoor. For demonstration, I will copy the backdoor to the /var/www directory and start an Apache server. Then I will start the PostgreSQL server and Metasploit. Finally, the Metasploit console will be launched.
Bravo!
I selected a multi-handler to handle the remote connection from our victim machine. It requires the payload, local port and IP address of the attacking machine to be set. Remember, these have to be the same as the ones used when creating the backdoor; I hope you can still remember that.
Now, our victim downloads the malicious VLC backdoor from our Apache server. After downloading, he proceeds to install the VLC media player. However, the moment he starts the installation, our attacking machine receives a remote connection and we gain control of his machine.
Fantastic!
Now that our Meterpreter session is open, we can type help to see some interesting activities we can perform on this remote computer. We can get the user ID, and if the user is not an administrator, we can escalate our privileges and become the system's admin.
Great!
We can also dump the password hashes for all users on this machine and later crack them to obtain their passwords.
At this point, we can download files from the remote machine, take screenshots, record video and audio using the webcam, and so on. Our victim is running a 32-bit Windows 7 operating system.
Pause a bit and think: how many times have you installed programs given to you by a third party? If so, as we saw, how many people might be able to access and control your computer each time you are connected to the internet? Later on, we shall see how to inspect an executable before installing it on our machines.
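As a first step towards that inspection, here is an added example (not code from the original post) in Python: it parses a Windows executable's PE section table and flags an entry point that sits in a section marked both writable and executable, or outside the first code section, two layouts a tampered installer may show and a vendor build normally does not. The sample PE image, its section names and its flag values are constructed for the demo, and the heuristic is an assumption: an empty result does not prove a file is clean, so also compare the vendor's published hash.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristics flags (PE spec)
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [(name, rva, virtual_size, characteristics), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    secs = []
    for i in range(nsec):                                # 40-byte section headers
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, rva = struct.unpack_from("<II", data, off + 8)
        secs.append((name, rva, vsize, struct.unpack_from("<I", data, off + 36)[0]))
    return entry, secs


def suspicious_findings(data):
    """Heuristics only: an empty list means nothing odd, not that the file is safe."""
    entry, secs = parse_pe(data)
    exec_secs = [s for s in secs if s[3] & IMAGE_SCN_MEM_EXECUTE]
    home = next((s for s in secs if s[1] <= entry < s[1] + s[2]), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    if home[3] & IMAGE_SCN_MEM_WRITE and home[3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is both writable and executable" % home[0])
    if exec_secs and home != exec_secs[0]:
        findings.append("entry point in %r, not in first code section %r" % (home[0], exec_secs[0][0]))
    return findings


def build_sample_pe(entry_rva, sections):
    """Constructed minimal PE32 image (headers only) so the demo runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, rva, 0, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return dos + coff + bytes(opt) + table


if __name__ == "__main__":
    print(suspicious_findings(build_sample_pe(0x1000, [(".text", 0x1000, 0x2000, 0x60000020)])))
```

To check a real download, call `suspicious_findings(open(path, "rb").read())` on the installer.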