This is Lance, a first-time speaker. He's doing an intro to backdooring operating systems. [ Applause ]

>> Thank you, my name is Lance. I'm with DC801, we run a hackerspace in Salt Lake City. I wrote this presentation kind of as training material for new members of our hackerspace, and kind of to provide a basic introduction to doing something kind of interesting with computer security, and just kind of seeing, you know, what you can do with just basic tools. Not using anything complicated like Metasploit, or, you know, any complicated coding or anything like this. So this is super introductory, I hope that you enjoy it. I'd like to give special thanks to Netedmac, metacortex, grifter, D3c4f and everyone at DC801 here, and everyone here for helping me out with this presentation. You guys have been great. Just a little bit of a disclaimer: I'm not responsible for anything dumb that you do with this information. So if you do something dumb, I learned this from Nemus, here is his phone number. No. I'm not responsible.

So what this presentation does not cover: I'm not going to tell you how to hide your backdoor from skilled forensic investigators. Most of the stuff you see here will probably be undetectable by regular users, but anyone who knows what they are doing will see this stuff immediately. So just be warned that you can get in trouble, and you're not hiding your tracks very well. Then I thought it would be good to just kind of give you what I'm assuming your background is. So I'm assuming you have a familiarity with Linux, and networking, and Windows command line administration.

So the goal of this talk is to take advantage of a user who has left their computer unlocked. Right? How many people here leave their computer unlocked to go to the bathroom? Everyone raise your hand, you have done it. I do it, too. Right? So guess what happens. What happens when you do that and your coworker sees it? You get David Hasselhoff, right?
Sometimes you get this awesome picture of David Hasselhoff, right? And a great reminder of why you need to lock your computer, right? So I was thinking, we can get the David Hasselhoff in there by the time someone goes to the bathroom and comes back. So what else can we do, right? What other things can we do to the person who left their computer unlocked? Let's see how fast we can install a backdoor. Right? We have five minutes, we want to get the backdoor installed, everything set up, and walk away, let them sit down and start messing with them.

So we're going to start using Windows 7, setting up a Netcat backdoor. Netcat is really good, like the hello world of backdoors. Now, for this, what we're using, we're using very basic tools, and we need a prebuilt set. You have to do a setup of all of your tools and everything beforehand so you are ready for when the user walks away from their computer. So you want to make sure that you have the files on a USB drive, or on the Internet so you can quickly download them and put them on the computer. Another thing you want to look for is portable applications. Portable applications are applications that don't require DLLs or a setup process; basically you put them on the computer and you can run them.

So this is kind of my basic toolkit for Windows 7. I'm using gVim. Windows used to have edit, an awesome command line editor, at 16-bit. The new 64-bit operating system doesn't have it. I found gVim, a portable binary; you connect to your Netcat backdoor, and you can use gVim to edit files. And Wget. Once you get on there you probably want more things, so you need a way of downloading them from the command line. This is a great tool I found that is compiled for Windows 64-bit. There are 32-bit ones out there. And the next place to get Netcat is from the Kali Linux image. This is that. So we want to set up Netcat. So we got Netcat, we're going to grab it from there and set up a backdoor. Right?
Here in this command we're running Netcat with the listener on port 449 and executing the command line, CMD. As soon as I connect to that port through Netcat as a client, I'm going to get a command prompt. So before I can connect to it, I have to make the operating system allow me to connect to it. So I have to put Netcat somewhere, right? In the path. I have to do registry settings, and I have to disable that firewall, or add a rule to the firewall to allow me to get to that Netcat instance. And also, I'm assuming at this point that the user login has admin privileges. You need that to modify the firewall. This is an example I got, expanded from the Offensive Security stuff. They have a great tutorial on setting up a Netcat backdoor. I provided a link here, and the slides are on their website, too.

These are the basic Windows commands, if you're just not familiar with them. I thought I would put them in here just so you have something to reference on what their correlation to Linux commands is. The key here, mainly, is you're going to add new directories and items to the path, so you're not constantly typing the full path name in there for the Netcat session. This is just kind of an example of what it looks like.

So now that we have the firewall disabled and Netcat running, we now have a persistent... we want to find the registry settings to allow Netcat to start when the computer reboots, but we want to get to it right now, we have the five minute window. Here is the VBS script, a VBScript that allows us to start Netcat and walk away. This puts Netcat in the background and starts it listening, and we don't wait for the user to restart the computer. We connect to the computer through Netcat here, you look at... this is probably, it looks a little faded, I can't see. Basically it is just Netcat, we do the mode, the IP address and the port number. And we get connected and we have the CMD command prompt and access to the remote computer. This works great.
On local LANs... we will show you how to get through the firewall and connect that way. At this point, working in the same office or same place as the target, you can now connect to that computer from your computer and start messing with them. So if you're interested you can take care just to verify... did it disconnect? All right.

This is Process Explorer, if you're not familiar with it. Process Explorer lets us look at all of the processes on the operating system. So you're going through this process and looking at how Netcat works and how the processes work. You can use Process Explorer to see that Netcat is running in the background there, that is what is highlighted at the bottom. You can download Process Explorer and take a look at it. If you want to view connections to it, once you are connected to the backdoor, you can look at the Netcat executable and see it has a connection coming in from another IP address. And a good tool for Windows for that is TCPView, to view that.

Now, so now we have connectivity to the box. So the next question is, okay, what can I do with the connectivity and the backdoor? What fun things can I do to the person who has just left their computer unlocked and now they have come back? Right? So I have a list of pranks here. One cool thing we can do, we can have their keyboard type hello to them. Right? Every 100 seconds their keyboard is typing hello. They are working on code, and it types hello, and it goes on forever. We can continuously cycle the caps lock button. Every one hundred seconds, caps lock on and off. We can write a batch script to spread all over the place on their file system. Start Notepad continuously. It starts Notepad up, closes it, there it is again. Or you can have it start, this is really cool, you can have it start a website up, close it, there it is again. Start it up, close it, there it is again.
You can make, this is kind of cool, their keyboard... this makes a disco on the keyboard, it cycles the caps lock, scroll lock, it repeats the lights on the keyboard. It is really annoying. Because I was testing these and trying to disable this one and it kept changing everything when I was trying to turn it off. You know, and this is one of my favorites. You can continuously play the startup song, right? The best part about it is your coworker is like, why are you restarting your computer? I'm not. It just keeps doing that. You know, this is the classic, popping the CD-ROM drive in and out, right? Something weird is going on when your CD-ROM just keeps going in and out, in the old days. You get control of your computer, what do you do? Pop the CD-ROM drive.

So this is what is called a fork bomb. So basically what this does is, it is a piece of code or instructions that continuously eats up resources of the operating system. This is a fun thing. You know, they are typing along doing their stuff. You can start a fork bomb, and it will stop and halt, and they have to reboot. Sure. They are just in my control panel. [ Laughter ] [ Applause ] [ Laughter ] Now, just a drunk hazard. [ Laughter ]

This is another cool little thing. This is easy to get past if you know how to close a file, you know, Control, kill a task. If you don't know how to do this, this is super frustrating. Because it makes, like, you hit the X, you minimize it, it just sits there on the desktop, completely unable to do anything. This one is my favorite. So if you remoted into their computer through Netcat you can start talking to them with Windows 7, because it has a text-to-speech engine. So you can start messing with them, start talking with them, saying hello. Hi, what's going on? You seem to be having trouble with your computer. So we had our fun, we've done everything.
You know, and so we might run into issues and might need to reboot their computer, because we feel like it, or have it happen after 30 seconds and walk out of the room saying it was not me, I'm not doing this, right? These are the shutdown commands for Windows from the command line.

This is another thing you can do to try to hide your code. So if someone sees what you're doing and you want to just kind of hide it so they don't know what the script is, and can't use it again, right, later in the office, you can use Bat to Exe and other ones here. These are sketchy backdoors that work really well. The VBS ones worked pretty well. I tried the PowerShell one, didn't have much luck with it. You can take your script and turn it into binary code; at that point they have to look at the binary and do things with it. Makes it a little bit more difficult to figure out how it works.

It's also kind of useful to be able to control the firewall on Windows 7. These are all of the commands I thought were useful. You know, you can turn off all of the traffic. You can do all kinds of cool stuff with that. If you write a rule, you can delete it. You can control the Windows firewall from the command line.

So we set our scripts up and did a bunch of stuff, it is real time. A great tool, you can use the "at" command to have stuff run later. You can set up your prank, do a bunch of stuff, walk away from your terminal, get a glass of water and watch the guy who is frustrated with the things that are happening to him. And this is a good command later on if you want your backdoor to dial out: you can set it up with an at command and have it run at a certain time, or schedule it with the scheduler. That creates a process with the operating system that they can look at later. What is this program running every day at 3:00? But with at it is kind of invisible. You have to look at the at command and see all of the tasks set. Another good tool is SDelete.
This goes through and wipes all of the code, or basically whatever you tell it to. It does a deep delete, better than a normal delete; it doesn't leave as much fragmentation and remnants of the file.

So we have gone over Windows. Let's go to Linux. So a Linux admin, he's typing away and goes to the bathroom and leaves the shell open. He has the VPN, the SSH, he is not going to close the session. So what can we do to mess with the Linux user, or just the Linux console that is open? At this point we're going to need a Linux toolkit, too. So another crucial tool is autossh. In this case, I went out and compiled a new Netcat. I had a little bit of trouble with it; shred and screen are useful tools. The great thing about autossh is it is a persistent backdoor. I took it from one machine to another and it worked just fine with that compiled version, and it's just one file.

So the new Netcat doesn't have a persistent listener, like the Windows Netcat did. In this version I had to do a while loop on the Netcat listener. The reason I did this is because the listener would listen for one inbound connection. So if you had a connection to it, it would do everything. If you dropped the connection it would stop the process and exit. So I set it in a do-while loop so I could continue to connect to it. Here we can see that Netcat listens on port 445, and any time you want to connect it executes bash. Then again, here is the Netcat backdoor on Linux. You can use Wget and copy it, copy it into /usr/bin so it's in the path, set up the iptables first. The critical thing you want to know about the listener: we want to disconnect the command line user from the process. So when they exit their terminal and go and do something else, and log into a different machine, we still get to that process, and that process is not owned by that user. So I was trying to think of a good way to hide the Netcat to start on boot. I think the best place I could find was init.d.
There is a bunch of scripts in there, the startup scripts. I looked at my rc files. If you put it in there it is more than likely to be discovered. Yet again, use Netcat, the version, IP address, port, and you connect to it. With the Linux version it is a little different than the Windows version. You're not going to get the actual command prompt that you're used to. You're going to get a blank screen that will have a cursor in it. You do have a connection to the bash shell; if you type ls or something like that, you will see the command output, but not the standard Linux terminal. This is critical, because you connect to it and think that something is wrong with it because I'm not seeing the bash prompt. In this version of Netcat, when I was connected to it, I did not see a bash prompt, so that's something to look out for.

So now that we have everything installed and set up, we kind of want to verify it is working. We have everything that we need. So I use netstat -lptun. That matches processes to listening ports. So here I can see that Netcat is listening on 445 and accepting connections from any IP address, or it is listening on all available IP addresses. So now we've got connectivity, same thing as with the Windows box.

Now our Linux pranks, right. This is the cool proxy script that I found. If they are using Linux as their main desktop and they browse, you can put this inline, and basically it takes every image that they browse to and turns it upside down. Pretty awesome. We have a Linux fork bomb. We can take the system to a crawl. We can write to the user terminal, if the system is local. This is annoying: you can cat random data to the computer bell sound. Right? So they are connected, everything is going fine, and just a bunch of garbage and noise comes out of their computer. Pretty funny. Then, so this is a cool little prank. This turns everything in the terminal to bork bork.
It is all formatted the way it is supposed to be, but everything is just bork, bork, bork, bork, bork. So okay. This has been a classic prank at my work. My boss did this to me on my first day. So you send Star Wars to their terminal. They are typing along and configuring the system. You log in and telnet towel.blinkenlights.nl and find the process, their pts instance that they're connected to, and they cannot do anything with that terminal except watch "Star Wars." It is really annoying. Because you don't own the process either. It is constantly sending stuff to your terminal. Pretty funny. Another cool thing you can do, you can send fortunes to the user terminal and use cmatrix, which is a Matrix screen, on their Linux terminal. They are supposed to be able to type and do stuff, and you can still see the output, but it just clears and refreshes everything. It is pretty funny. This is kind of cool. You can play with the bell, you know, that annoying bell that goes off all of the time when you make a mistake or try to tab-complete something that is not there. Put that in a loop and have it go off randomly. That is pretty bad.

This, again, going over nohup, so it is kind of what you want to do. If you forget the nohup, this is easy: you start the command and, like, crap, I didn't know it is still used, the process is still being run by the user. You can then do a Control-Z, background the process, and disown %1 is kind of the equivalent of nohup, but nohup will work better. I stop the process and it will run in the background and my terminal session can die. These are PHP compilers. If you write great pranks in PHP you can compile it, hide the code from users and the other stuff.

Now, Netcat. So at this point we built a backdoor into both Windows and Linux. We've got ways to get into it, but this is kind of rough, right? We can only connect to it if we're on a local area network, and it is not encrypted.
It is kind of dangerous to leave it open to everyone. I don't want to open a firewall port on my firewall and access it remotely. That would be bad. It is not encrypted. So what else can we do with this? Get past the firewall easily and get back to this Netcat? So what we're going to do, we're going to set up a persistent SSH tunnel. So what we're going to do with the SSH tunnel, we're going to have the target system go out and connect back to a server that we have somewhere out there, a virtual private server or whatever, and then map a port locally. This is just kind of a picture of how it works. It will map a port locally on that machine to a port locally on a remote machine. If they allow SSH out, or a port out, it will maintain the session connection outside the firewall, or past their firewall, to your server, and then you can log into your server and connect to that port on your server and it tunnels through the SSH connection and back to that user's machine. This is reverse SSH tunneling.

Here we use ssh -f -N -R. The -R is the remote port. And then we're saying, hey, we want loopback on his machine, 22, and so what that is going to do on my remote Linux server, my VPS somewhere out on the Internet, is it will put port 10,000 up as a listening port and then come back and map to SSH on this local machine here. Here is a more detailed example. I don't have to use 22. So I have my Netcat port listening, right? So I can just take this SSH instance and map it to my Netcat backdoor. So at this point it is now bypassing their firewall, and I can connect to a Linux remote machine. If I'm at my friend's house I can go home and mess with them. Right? I go home and log into my Linux VPS. I connect to the port, come back and have access to the SSH instances. You're probably wondering about passwords. They have to enter the password and everything.
If you generate SSH keys, you can take the SSH key and put it on your remote server and allow that remote connection to just automatically authenticate itself. So you can use ssh-keygen and then do the ssh-copy-id back to your remote server. So now we can set up, like, a job, a scheduled task, and have this SSH remote instance run automatically while we're not there. So on Linux you can use autossh to make it persistent. After they disconnect, the Internet is kind of buggy at times, it disconnects and autossh reauthenticates the connection back to your server. That's great in Linux.

You can do the same thing in Windows. There is a command line utility called plink, part of the PuTTY library, that you can use to do remote reverse shells back to Linux systems. You can use this to set up an SSH reverse shell to your Linux instances, to your Netcat persistent instance. I was trying to find the equivalent of autossh for Windows 7. MyEnTunnel came close, but it has a setup, and a GUI, and a system tray icon; it is obvious it is installed. You can make it portable, but you go through a bunch of stuff. That's on my list to do, to expand my presentation.

At that point we set up a backdoor using basic tools. We have not done binary manipulation, we just have remote access to the system through just basic admin tools. Right? So now I'm going to talk a little bit about Metasploit. So it takes all of this, where we had to do the prep work and get the tools in place. It takes less of that and makes it a little bit more easy to manage. So one of the keys to Metasploit, you need to understand vulnerabilities, exploits and payloads. Vulnerabilities are places in which you can take advantage of something. There is something wrong with something, or something not right. So in this case, the kind of vulnerability is they left their computer unlocked. The exploit is what you do. The exploiting is you installing stuff on their computer because you have access to it.
The payload in this case would be Netcat, which is on the system to gain access to it later. So using it we're going to do the same thing, and set up a reverse shell. So we start up the Metasploit console. A great way to get Metasploit training is through Offensive Security's Metasploit Unleashed; unfortunately I don't have time to go over that. Basically just getting the msfconsole and then running msfupdate and getting all of the updates and stuff.

So now let's generate a binary payload instead of using Netcat. So basically what we're going to do is create a binary that we can e-mail and send to somebody, and when they execute it, it will start a reverse shell that we can connect to, like Netcat. Here we're using msfpayload with the Windows reverse shell. So that is the payload. We're basically just going to use the Metasploit payload library to generate our binary. Here are the commands to do that. The L option just shows all of the options available here. In this case, I need to set up a listening port and a listening host. So the IP address it will listen to, listen on, on our target machine, and the port I want to connect to. Here, you can use msfpayload, it is pretty cool. You can use it to create raw payloads and payloads in C. So you can kind of see how it works. So here is the command that we're going to run: msfpayload, we use the Windows shell reverse TCP payload, we set the LHOST, we set the remote port. So we created our David Hasselhoff EXE and e-mail it to our victim, have it available, or put it on their system. I have this great Hasselhoff program you need to check out. A cool command is file; file lets you verify what type of file it is on a Linux system. So I run file to verify, yes, this is a Windows executable. So we're going to get this reverse shell to connect, we're going to give it to the user, we're going to have it come back and listen to our instance, right? So at this point we need to set up a listener on Metasploit to listen for this instance.
We are going to start the msfconsole and use exploit/multi/handler, and set the LHOST and the LPORT. At this point you're ready to listen for the connection, you send the binary to the user. They execute it. Here is the PS example: they execute the binary, and then here in Metasploit you sit here and listen for it to come in, and now you have a CMD command shell on their system. Pretty cool. This is a great way, if you want to get into this stuff; this is kind of like the best way to get the most out of your time and energy. You can learn something cool really quickly and then move on to more advanced things.

So I want to thank everybody for coming to my talk. This is our code library that I'm building. It has all of the code that I have in the presentation, minus some stuff that I need to put in there. Any time you have a great prank or something you want to, you know, share with the world, we're going to keep track of a bunch of Linux and Windows pranks to send out to people. If you build something or expand on it, I would love to have you contribute. And then I also have introtobackdoors.com, which has the slide presentation, code library, and we'll do some other cool stuff with that. This is another cool thing you can get to: these are one-line reverse shells. If you set up your Metasploit listener, you can run the command and have a connection come back to your listener. If you are interested in VPSs and remote systems, there are great places you can look for a VPS. The problem is, there is no one good VPS provider. They are good for three or four months and then peter out, and then you move on to another one. So I kind of keep up on which ones are new, and what they allow me to do and what they don't. Some interesting projects with the Raspberry Pi are based on the remote SSH reverse tunnel and using Python to create a backdoor. All right. Any questions? Thank you. [ Applause ]

"This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings."
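The talk checks the Linux listener with netstat -lptun, which is also exactly the view a defender would use to spot one: a socket bound to every interface and owned by nc or a shell is what the speaker says "anyone who knows what they are doing will see immediately". As an added, defender-side example that is not part of the talk or of the DC801 code library, here is a small Python script that parses that kind of netstat output and flags such listeners. The sample netstat text is constructed for the example, and the expected-port baseline and the list of shell-like program names are assumptions for a hypothetical host.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the layout of `netstat -lptun` (NOT captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      540/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2311/nc
tcp6       0      0 :::80                   :::*                    LISTEN      700/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           498/dhclient
"""

# Assumed baseline for the hypothetical host: the ports it is expected to expose.
EXPECTED_PORTS: Set[int] = {22, 68, 80}

# Assumed list of programs that almost never have a legitimate reason to own a listening socket.
SHELL_LIKE = {"nc", "netcat", "ncat", "socat", "sh", "bash", "dash", "zsh"}

# Local-address hosts that mean "bound to every interface" in netstat output.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}

# One netstat data row: proto, two queue counters, local, foreign, optional state, PID/program.
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)


def parse_netstat(output: str) -> List[Dict[str, object]]:
    """Turn `netstat -lptun` text into a list of socket records."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner or column-header line
        host, port = m.group("local").rsplit(":", 1)  # ":::80" -> ("::", "80")
        rows.append({
            "proto": m.group("proto"),
            "host": host,
            "port": int(port),
            "state": m.group("state") or "",   # UDP rows have no state column
            "pid": m.group("pid"),             # "-" when netstat lacks permission
            "prog": (m.group("prog") or "").lower(),
        })
    return rows


def find_suspicious_listeners(rows, expected_ports=EXPECTED_PORTS):
    """Flag sockets bound to every interface that a shell-like program owns
    or that sit on a port outside the expected baseline."""
    findings = []
    for r in rows:
        if r["host"] not in WILDCARD_HOSTS:
            continue  # loopback-only services are not reachable from the LAN
        reasons = []
        if r["prog"] in SHELL_LIKE:
            reasons.append("shell-like program")
        if r["port"] not in expected_ports:
            reasons.append("port not in baseline")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f['proto']} :{f['port']} pid={f['pid']} prog={f['prog']} "
              f"-> {', '.join(f['reasons'])}")
```

Run against the constructed sample, only the nc listener on 445 is reported: sshd and apache2 are in the baseline, and cupsd is bound to loopback only. On a real host you would feed the script the actual netstat output (run as root so the PID/Program column is populated) and keep the baseline set per machine.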