Archive for February, 2012

So I just setup a mini enterprise environment with a domain controller (tip: win2k8r2 can be used free for 180 days)and a client. I decided to run wireshark while I added the client to the new domain, which resulted in the following screenshot:

Now that looks rather interesting when you want to locate domain controllers doesn’t it? Let’s give it a go with nslookup

C:\>nslookup -type=SRV _ldap._tcp.dc._msdcs.pen.test
Server: UnKnown
Address: 192.168.164.128

_ldap._tcp.dc._msdcs.pen.test SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = win-62u3ql0g1ia.pen.test
win-62u3ql0g1ia.pen.test internet address = 192.168.164.128
win-62u3ql0g1ia.pen.test internet address = 192.168.126.133

Now isn’t that neat? It’s like a quick and easy way to find the available domain controllers in a network, if you know the domain name. Additionally it seems that the client communicates with the domain controller using CLDAP. I didn’t find a  suitable Linux client, but in the links below you’ll find a perl script capable of performing the so called “LDAP Ping“, the other option is of course using a windows client. The output of the script is similar to the one shown in Wireshark which looks as follow:

Now I can’t be the only one doing this, so I googled around a bit and found some nice additional material worth the read, they are summed up below:

Advertisements

Or for that matter any other kind of direct connection. So basically yeah it’s a backdoor over which you have no realtime control. Realtime is overrated anyways and people are way to attached to direct control of their backdoors. Let’s think about the following scenario for a minute:

You want to steal information, have as much  (and long term) control as possible and avoid anomaly detection on the wire. Preferably avoid locally installed firewalls, possibly without administrator/root privileges.

How would you go about that? I assume most responses to that question will be along the lines of:

  • behave like normal traffic
  • don’t have a direct connection, spawn one when needed
  • use connectionless protocols
  • sniffing the wire

All good and well, but they would still require the backdoor to initiate a connection to the attacker or vice versa. So let’s just choose the most obvious answer to the question: avoid any kind of direct connection to and from the backdoor. So ehhh how would you communicate with your backdoor then? Let’s again choose the obvious and easy answer: have others do the dirty work for you. Just concern yourself(the backdoor) with the really important stuff which is data. So let’s define how our connectionless backdoor should work:

Monitor any file or stream which contains data that the attacker would be able to indirectly manipulate and for which the rights of the backdoor are high enough to read or manipulate.

So practically what does this mean? That as an attacker you must know your target and be able to control his environment somewhat. Here are a few examples for sending data to the backdoor:

  • Create an account on the same forum as your target and  have a dynamic signature which sets and receives cookies.
  • Email him asking a normal question and embed the command in your signature or email text
  • Upload a game to a website the target usually plays games on and have it create

Here are a few example for sending data from the backdoor to the attacker:

  • Edit the cookies to send information back, the browser will handle the connection and firewall for you
  • Embed the data in all pictures on the computer eventually they will get uploaded somewhere
  • Adjust attachments of email in the draft folder
  • Adjust his bookmarks

Well you get the drift, it depends a lot on the privileges the backdoor has and the files it can access. Creativity will be your best buddy when implementing/using this backdoor. Just make sure your continuous file monitoring or wire sniffing doesn’t slow down the whole computer, cause that will surely alert the target.

Of course you can loosen up a bit and only use the connectionless technique to send commands which include a postback url and have the backdoor post it’s results to the given url. This of course brings the firewall problem back into the equation. It would also make the backdoor a lot less stealthy just like the traditional sniffing the wire based backdoors (ex: SniffDoorSilent Backdoortrixd00r).

Like you have probably concluded by now, it isn’t the most efficient backdoor, but it sure would be very stealthy. It makes an excellent candidate to have long term access to a compromised target. Yes the initial planting of this backdoor is it’s weakest point. The detection of the backdoor based on traffic however would be pretty difficult, since it generates none.