
Intranet learning notes (8)

2022-06-27 13:00:00 seven six nine


A backdoor is a piece of software that stays on the target host and lets an attacker connect to it at any time. In most cases a backdoor is a hidden process running on the target host. Because a backdoor can allow an ordinary, authorised user to control a computer, attackers often use backdoors to control servers. After escalating privileges, an attacker usually plants a backdoor to keep control of the target host. This means that even after the vulnerability the attacker exploited has been patched, the attacker can still control the target system through the backdoor. Understanding how attackers establish backdoors in a system therefore helps defenders find and remove the backdoor quickly once an intrusion has been discovered.

1. Operating system backdoor analysis and prevention

An operating-system backdoor generally refers to a method of bypassing the normal user-authentication process of the target system's security controls in order to keep control of the target system and hide that control. System administrators can remove the backdoor from the operating system to restore the normal authentication process.

1.1 Sticky key back door

The sticky-key backdoor is a common method of maintaining control. On a Windows host, pressing the Shift key five times in a row brings up Sticky Keys. Sticky Keys is designed mainly for users who cannot press several keys at once: for example, the key combination Ctrl+P requires the user to hold Ctrl and P together, whereas with Sticky Keys the same combination can be entered one key at a time.

The following precautions can be taken against a sticky-key backdoor.

  • When logging in to the server remotely, press Shift five times in a row to determine whether the server has been compromised.
  • Disable sethc.exe, or turn off the "Enable Sticky Keys" option in the Control Panel.
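Beyond pressing Shift five times, a defender can check the host directly. The following PowerShell function is an added example, not code from the original notes: it audits the accessibility helper binaries that a sticky-key style backdoor abuses, looking for an Image File Execution Options "Debugger" redirection and for a binary on disk that is no longer the signed Microsoft file (a replaced sethc.exe is typically a copy of cmd.exe, so the hash is compared with cmd.exe). The list of binaries in $Targets is an assumption covering the usual accessibility helpers; run it in an elevated session on the host being checked.

```powershell
# Added example, not part of the original notes: audit the accessibility helper binaries
# that a sticky-key style backdoor abuses. Two indicators are checked for each binary:
#  - an Image File Execution Options "Debugger" value that redirects it to another program
#  - a file on disk that is no longer the signed Microsoft binary (a replaced sethc.exe is
#    typically a copy of cmd.exe, so its hash is compared with cmd.exe as well)
# The $Targets list is an assumption covering the usual accessibility binaries.
function Get-AccessibilityBackdoorIndicator {
    param(
        [string[]] $Targets = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                                'magnify.exe', 'displayswitch.exe')
    )
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash

    foreach ($name in $Targets) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }

        # IFEO redirection: a Debugger value makes Windows start that program instead of $name
        $ifeo = Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue
        $debugger = if ($ifeo) { $ifeo.Debugger } else { $null }

        # File replacement: signature status and hash comparison against cmd.exe
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $hash      = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        $sameAsCmd = ($hash -eq $cmdHash)

        [pscustomobject]@{
            Binary          = $name
            IfeoDebugger    = $debugger
            SignatureStatus = $sig.Status
            SameHashAsCmd   = $sameAsCmd
            Suspicious      = ($null -ne $debugger) -or $sameAsCmd -or ($sig.Status -ne 'Valid')
        }
    }
}

Get-AccessibilityBackdoorIndicator | Format-Table -AutoSize
```

A non-empty IfeoDebugger on any of these binaries, or a sethc.exe whose hash equals cmd.exe, is the backdoor the section describes; remediation is to delete the Debugger value and restore the system file (sfc /verifyonly reports modified protected files). On older systems where system files are only catalog-signed, SignatureStatus may read NotSigned for a legitimate file, so rely on the hash comparison there.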

1.2 Registry injection backdoor

With ordinary user rights, an attacker writes the path of the backdoor program or script to be executed into the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run (the value name can be chosen freely).
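Because the value name is arbitrary, a defender has to look at the command each Run value launches rather than at its name. The following PowerShell function is an added example, not code from the original notes: it lists every value in the per-user and per-machine Run and RunOnce keys and flags entries whose command matches indicator patterns (script hosts, encoded or download arguments, executables in user-writable directories). The patterns are assumptions chosen for illustration, and a hit is a reason to inspect the entry, not proof of compromise.

```powershell
# Added example, not part of the original notes: enumerate Run / RunOnce values and flag
# the ones that look like a script backdoor. The indicator patterns are assumptions.
function Get-RunKeyEntry {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Script hosts and LOLBins, PowerShell switches (-enc, -ep, -exec ...), download and
    # evaluation keywords, and paths an ordinary user can write to
    $patterns = @(
        'powershell', 'pwsh', 'cmd\.exe', 'wscript', 'cscript', 'mshta', 'regsvr32', 'rundll32',
        '\s-e[a-z]*\s', 'encodedcommand', 'downloadstring', '\biex\b', 'invoke-expression', 'http',
        '\\temp\\', '\\appdata\\', '\\public\\', '\\programdata\\'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $hits = @($patterns | Where-Object { $command -imatch $_ })
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Indicators = ($hits -join ', ')
                Suspicious = ($hits.Count -gt 0)
            }
        }
    }
}

Get-RunKeyEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it as the user whose HKCU hive is of interest (other users' hives are under HKU: once loaded); the Wow6432Node variants of the Run keys are worth adding on 64-bit hosts. A flagged entry is removed with Remove-ItemProperty after the referenced file has been preserved for analysis.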

1.3 Planning task back door

Scheduled tasks are created with the at command on Windows 7 and earlier, and with the schtasks command from Windows 8 onward. A scheduled-task backdoor can be created with administrator rights or with ordinary user rights; with administrator rights more task settings are available, for example running the task after a reboot.
The basic command for a scheduled-task backdoor is as follows; it runs notepad.exe every hour.

1. Simulating a scheduled-task backdoor in Metasploit
Using the PowerShell payload web delivery module, the behaviour of an attacker quickly establishing a session on the target system can be simulated. Because nothing is written to disk, security software does not detect this behaviour.

2. Simulating a scheduled-task backdoor in PowerSploit

3. Simulating a scheduled-task backdoor in Empire
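Whichever framework created the task, what it leaves behind is a registered task whose action launches a script host. The following PowerShell function is an added example, not code from the original notes or from any of the frameworks above: it walks every registered task and reports those whose action runs a script host or carries download or encoded arguments. The indicator patterns are assumptions. It requires the ScheduledTasks module (Windows 8 / Server 2012 and later, the schtasks era described above) and should be run elevated so that every user's tasks are visible.

```powershell
# Added example, not part of the original notes: report scheduled tasks whose action looks
# like a script backdoor. The indicator patterns are assumptions; expect some benign hits.
function Get-SuspiciousScheduledTask {
    $patterns = @(
        'powershell', 'pwsh', 'cmd\.exe', 'mshta', 'wscript', 'cscript', 'regsvr32', 'rundll32',
        'certutil', 'bitsadmin', '\s-e[a-z]*\s', 'downloadstring', '\biex\b', 'http',
        '\\temp\\', '\\appdata\\', '\\public\\'
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "exec" actions have Execute/Arguments; COM handler actions format to ''
            $command = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            $hits = @($patterns | Where-Object { $command -imatch $_ })
            if ($hits.Count -eq 0) { continue }

            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Author     = $task.Author
                RunAs      = $task.Principal.UserId
                State      = $task.State
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
                Command    = $command
                Indicators = ($hits -join ', ')
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

Tasks created by Windows itself also run PowerShell, so the Author and RunAs columns are what separate a vendor task from one registered by an attacker. For ongoing detection, enabling the "Audit Other Object Access Events" subcategory makes the Security log record task creation (event 4698) and modification (event 4702), which catches tasks created with schtasks or at at the moment they appear. A confirmed backdoor task is removed with Unregister-ScheduledTask.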

1.5 WMI backdoor

A WMI backdoor can only be run by a user with administrator privileges. WMI backdoors are usually written in PowerShell and can read and execute backdoor code directly from a newly created WMI property; the code is also encrypted. In this way an attacker can install a persistent backdoor without leaving any file on the system disk. A WMI backdoor relies on two properties of WMI: no file and no process. The basic idea is as follows. The code is stored, encrypted, in WMI, which achieves "no file"; when the configured conditions are met, the system automatically starts a PowerShell process to execute the backdoor, and after execution the process disappears (how long it lives depends on what the backdoor does, usually a few seconds), which achieves "no process".

In Empire, the Invoke-WMI module is used.
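The "when the configured conditions are met" part of a WMI backdoor is a permanent event subscription: an __EventFilter (the trigger query), an __EventConsumer (the payload) and a __FilterToConsumerBinding joining them. The following PowerShell function is an added example, not code from the original notes or from Empire: it enumerates the bindings in root\subscription and resolves each one to its filter query and consumer payload so the operator can see what would run and when. The known-good consumer names and indicator patterns are assumptions; run it elevated.

```powershell
# Added example, not part of the original notes: list permanent WMI event subscriptions,
# the mechanism a "no file, no process" WMI backdoor is built on.
function Get-WmiEventSubscription {
    $ns        = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)
    # Consumers shipped by Windows on many builds (assumed known-good); anything else deserves a look
    $knownGood = @('SCM Event Log Consumer', 'BVTConsumer')
    $patterns  = @('powershell', 'cmd\.exe', 'mshta', 'wscript', '\s-e[a-z]*\s', 'downloadstring',
                   '\biex\b', 'http', 'frombase64string')

    foreach ($b in $bindings) {
        # Filter / Consumer are object paths such as __EventFilter.Name="X"; take the quoted Name
        $filterName   = ($b.Filter   -split '"')[1]
        $consumerName = ($b.Consumer -split '"')[1]
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # CommandLineEventConsumer carries a command line, ActiveScriptEventConsumer a script body
        $payload = ''
        if ($consumer) {
            if ($consumer.CommandLineTemplate) { $payload = $consumer.CommandLineTemplate }
            elseif ($consumer.ScriptText)      { $payload = $consumer.ScriptText }
        }
        $hits = @($patterns | Where-Object { $payload -imatch $_ })

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $filter.Query
            Consumer     = $consumerName
            ConsumerType = $consumer.__CLASS
            Payload      = $payload
            Suspicious   = ($knownGood -notcontains $consumerName) -or ($hits.Count -gt 0)
        }
    }
}

Get-WmiEventSubscription | Format-List
```

The Query column shows the trigger (typically a timer or a Win32_ProcessStartTrace or logon event) and Payload shows the PowerShell that would be launched, usually encoded, which is the "no file" code the section describes. Removal means deleting the binding first and then the filter and consumer with Remove-WmiObject. On Windows 10 and Server 2016 and later, the Microsoft-Windows-WMI-Activity/Operational log records event 5861 when a new permanent consumer binding is created, which is the simplest alert for this technique.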

2. Web backdoor analysis and prevention

A Web backdoor, commonly known as a WebShell, is a piece of web code written in ASP, ASP.NET, PHP or JSP that runs on the server. Through a carefully crafted piece of code the attacker performs dangerous operations on the server, obtains sensitive technical information, or gains control of the server through further penetration and privilege escalation. IDS, anti-virus software and security tools can generally detect an attacker's Web backdoor, but some attackers write custom Web backdoors to hide their activity.

2.1 WebShell in Nishang

Nishang is a penetration-testing tool built specifically around PowerShell. It includes a full-featured ASPX WebShell (Antak), located in the \nishang\Antak-Webshell directory.

2.2 weevely backdoor

weevely is a WebShell for the PHP platform written in Python. Its main functions are as follows.

  • Execute commands and browse remote files.
  • Detect common server configuration problems.
  • Create TCP shells and reverse shells.
  • Scan for open ports.
  • Install an HTTP proxy.

2.3 webacoo backdoor

webacoo is a tool for the PHP platform.

2.4 ASPX meterpreter backdoor

The shell_reverse_tcp payload in MSF can create shellcode with meterpreter functionality.

2.5 PHP meterpreter backdoor

The PHP meterpreter payload in MSF can create shellcode with meterpreter functionality.
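The WebShells in this section (Antak for ASPX, weevely and webacoo for PHP, the MSF ASPX and PHP payloads) all share one trait: a server-side page that evaluates attacker-supplied input or spawns a process, which an ordinary application page rarely does. The following PowerShell function is an added example, not code from the original notes or from any of those tools: it scans a web root for script files containing such primitives and reports recently modified files first. The indicator patterns and the C:\inetpub\wwwroot path in the usage line are assumptions; adjust them to the application being reviewed.

```powershell
# Added example, not part of the original notes: hunt a web root for WebShell candidates.
# The patterns are assumptions covering dynamic code evaluation and command execution in
# PHP, ASP.NET and JSP, plus direct use of request parameters.
function Find-WebShellCandidate {
    param(
        [Parameter(Mandatory)] [string] $WebRoot,
        [int] $ModifiedWithinDays = 30
    )
    $patterns = @(
        'eval\s*\(', 'assert\s*\(', 'base64_decode\s*\(', 'gzinflate\s*\(', 'str_rot13\s*\(',
        'create_function\s*\(', 'preg_replace\s*\(.*/e',
        'system\s*\(', 'shell_exec\s*\(', 'passthru\s*\(', 'popen\s*\(', 'proc_open\s*\(',
        'Process\.Start', 'ProcessStartInfo', 'cmd\.exe', 'Runtime\.getRuntime\(\)\.exec',
        '\$_(GET|POST|REQUEST|COOKIE)\s*\['
    )
    $since = (Get-Date).AddDays(-$ModifiedWithinDays)

    Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue `
        -Include *.php, *.phtml, *.asp, *.aspx, *.ashx, *.jsp, *.jspx |
        ForEach-Object {
            $file = $_
            $hits = @(Select-String -Path $file.FullName -Pattern $patterns -AllMatches -ErrorAction SilentlyContinue)
            if ($hits.Count -eq 0) { return }
            $matched = $hits | ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
            [pscustomobject]@{
                Path            = $file.FullName
                LastWrite       = $file.LastWriteTime
                RecentlyWritten = ($file.LastWriteTime -ge $since)
                MatchCount      = $hits.Count
                Matches         = ($matched -join ', ')
            }
        } |
        Sort-Object RecentlyWritten, MatchCount -Descending
}

Find-WebShellCandidate -WebRoot 'C:\inetpub\wwwroot' | Format-Table -AutoSize -Wrap
```

Frameworks legitimately use some of these functions, so the useful signal is a file that combines them with request parameters, sits outside the application's normal directories, or was written after the last deployment. Comparing the scan result against a hash list taken from the deployment package is the more reliable check where one exists, since a custom WebShell written to evade signatures still shows up as a file that should not be there.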

3. Analysis and prevention of domain controller privilege persistence

After obtaining domain controller privileges, attackers usually try to make those privileges persistent.

3.1 DSRM backdoor

DSRM (Directory Services Restore Mode) is a safe-mode boot option for domain controllers in a domain environment. Every domain controller has a local administrator account (the DSRM account). The purpose of DSRM is to let administrators restore, repair or rebuild the Active Directory database when the domain environment fails or crashes, returning the domain to normal operation. The DSRM password is set when the DC is installed, at the beginning of domain creation, and is rarely reset. The most basic way to change the DSRM password is to run the ntdsutil command-line tool on the DC. In a penetration test, the DSRM account can be used to persist access to the domain environment. If the domain controller runs Windows Server 2008, KB961320 must be installed before the DSRM password can be synchronised with the password of a specified domain account; on versions after Windows Server 2008 this patch is not needed. If the domain controller runs Windows Server 2003, this method cannot be used for persistence.
As noted, each domain controller has a local administrator account and password (different from the domain administrator's account and password). The DSRM account can be used as a local administrator of the domain controller to connect to the domain controller over the network and thereby control it.
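Whether the DSRM account can be used "over the network" on a running DC is governed by the DsrmAdminLogonBehavior value under the Lsa registry key, so that value is what a defender checks. The following PowerShell function is an added example, not code from the original notes: it reads the value on the local DC and explains what it allows. The value meanings are the documented ones; run it elevated on each domain controller.

```powershell
# Added example, not part of the original notes: read the DSRM logon policy of this DC.
# DsrmAdminLogonBehavior controls when the DSRM account may log on; 2 lets it authenticate
# to a running DC over the network, which is what a DSRM backdoor relies on.
function Get-DsrmLogonBehavior {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior

    if ($null -eq $value -or $value -eq 0) {
        $meaning = 'DSRM account can log on only when the DC is booted into DSRM (default)'
    } elseif ($value -eq 1) {
        $meaning = 'DSRM account can log on while the AD DS service is stopped'
    } elseif ($value -eq 2) {
        $meaning = 'DSRM account can log on at any time, including over the network'
    } else {
        $meaning = "unexpected value $value"
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        DsrmAdminLogonBehavior = $value
        Meaning                = $meaning
        Suspicious             = ($value -eq 2)
    }
}

Get-DsrmLogonBehavior
```

There is rarely an operational reason for the value to be 2 on a healthy DC. If it is, delete the value with Remove-ItemProperty, reset the DSRM password with ntdsutil as the section describes, and review Security event 4794 (an attempt was made to set the DSRM administrator password) on every DC, since a password that is "rarely reset" should produce almost no such events.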

3.2 Maintaining domain control privileges with an SSP

An SSP (Security Support Provider) is a provider of Windows operating-system security mechanisms. Put simply, an SSP is a DLL that implements the authentication functions of the Windows operating system, for example NTLM, Kerberos, Negotiate, Secure Channel (Schannel), Digest and Credential (CredSSP).
SSPI (Security Support Provider Interface) is the API used by the Windows operating system when performing authentication operations. In other words, SSPI is the API of the SSPs.
If System privileges have been obtained on the target machine in the network, this method can be used for persistence. Its principle is as follows: the LSA (Local Security Authority) is used for authentication; lsass.exe is the Windows system process that handles local security and logon policy; at system startup, the SSPs are loaded into the lsass.exe process. If an attacker extends the LSA with a custom malicious DLL and has it loaded into lsass.exe at system startup, the attacker can obtain plaintext passwords from the lsass.exe process. Thus, even if the user changes the password and logs in again, the attacker can still obtain the account's new password.

3.3 SID History domain backdoor

Every user has its own SID. The main function of the SID is to track the security principal and control the user's access rights when connecting to resources. SID History is an attribute that is needed during domain migration. If a user in domain A is migrated to domain B, the user's SID changes in domain B, which affects the user's permissions after migration: the migrated user can no longer access the resources it could access before. SID History is used to keep the access rights of domain users during domain migration: if a user's SID changes, the system adds the original SID to the SID History attribute of the migrated user, so that the migrated user keeps its original permissions and can still access the resources it could access before. With mimikatz, a SID can be added to the SID History attribute of any user in the domain. In a penetration test, if domain administrator rights (or equivalent) have been obtained, SID History can be used as a means of persistence.
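A legitimate SID History entry comes from a migration, so it carries a SID from the old (foreign) domain. A SID History entry that belongs to the current domain, or that ends in the RID of a built-in privileged principal, has no migration explanation and is the backdoor this section describes. The following PowerShell function is an added example, not code from the original notes: it queries every object with a populated sIDHistory and flags both conditions. It assumes the ActiveDirectory module and read access to the domain; the watched RID list is an assumption.

```powershell
# Added example, not part of the original notes: find sIDHistory values that cannot be
# explained by a domain migration. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SidHistoryAnomaly {
    $domainSid = [string](Get-ADDomain).DomainSID
    # RIDs that should never appear as a "migrated" identity (assumed watch-list):
    # Administrator (500), Domain Admins (512), Schema Admins (518), Enterprise Admins (519)
    $privilegedRids = @('500', '512', '518', '519')

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectSid, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($hist in $obj.sIDHistory) {
                $sid        = [string]$hist
                $rid        = $sid.Split('-')[-1]
                $sameDomain = $sid.StartsWith($domainSid + '-')
                $privileged = ($privilegedRids -contains $rid)
                [pscustomobject]@{
                    Account       = $obj.sAMAccountName
                    ObjectClass   = $obj.ObjectClass
                    ObjectSid     = [string]$obj.objectSid
                    HistorySid    = $sid
                    SameDomainSid = $sameDomain
                    PrivilegedRid = $privileged
                    Suspicious    = ($sameDomain -or $privileged)
                }
            }
        }
}

Get-SidHistoryAnomaly | Format-Table -AutoSize
```

In a domain that has never absorbed another domain, the query should return nothing at all, which makes this an easy recurring check. Security event 4765 (SID History was added to an account) and 4766 (an attempt to add SID History to an account failed) on the domain controllers record the moment the attribute is written, and clearing it is done with Set-ADObject -Clear sIDHistory on the affected object.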

3.4 Golden Ticket

A Golden Ticket is a forged Ticket Granting Ticket (TGT), where TGT = krbtgt hash(session key, client info, end time). The TGT is returned by the AS to the client, and the client then uses the TGT to prove its identity to the TGS. The client does not know the krbtgt hash; only the AS and the TGS know it, so forging a TGT requires knowing the krbtgt hash. The precondition for an attacker forging a Golden Ticket (TGT) is therefore administrator access to the domain controller and the ability to dump the krbtgt hash.

The session key is generated randomly by the AS, and the TGS does not know it until it receives the TGT, so it can be forged; the client info and end time can also be chosen freely. A forged TGT can therefore be used to issue a TGS_REQ from the client to the TGS and obtain a server ticket.

3.5 Silver Ticket

A Silver Ticket is different from a Golden Ticket: the Silver Ticket attack forges the TGS step, using the known password of a service account to generate a ticket that can access that service. Because the KDC is not involved in generating the ticket, the domain controller is bypassed and few logs are left. The Golden Ticket attack, by contrast, relies on the TGT that the KDC issues, and within 20 minutes of generating a forged TGT the TGS does not verify the authenticity of the TGT.
The password hash a Silver Ticket depends on is that of the service account, unlike the Golden Ticket, which uses the krbtgt account's password hash, so it is more covert.
A Golden Ticket uses the password hash of the krbtgt account and forges a high-privilege ticket for any service, obtaining a privileged ticket and thereby domain controller privileges. A Silver Ticket forges the TGS for a specific service account, for example LDAP, MSSQL, WinRM, DNS or CIFS; its scope is limited and it grants only limited access.
A Golden Ticket is encrypted with the krbtgt account's key, whereas a Silver Ticket is encrypted with a specific service account's key.
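The two facts above, that a Silver Ticket never touches the KDC and that a Golden Ticket is accepted without a real AS exchange, give the detection angle: on the domain controllers, a service-ticket request (event 4769) for an account that never requested a TGT (event 4768) has no legitimate Kerberos flow behind it. The following PowerShell function is an added example, not code from the original notes: it runs that correlation over a small set of constructed sample events (not real logs) and also flags RC4 tickets, on the assumption that the domain has been configured for AES so that a forged ticket falling back to RC4 stands out. The field names mirror the TargetUserName, IpAddress, ServiceName and TicketEncryptionType fields of the real events.

```powershell
# Added example, not part of the original notes: correlate TGT requests (4768) with
# service-ticket requests (4769) to spot tickets the KDC never issued. The sample events
# below are constructed for illustration; the RC4 rule assumes an AES-only domain.
$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2022-06-27 09:00:00'; Id = 4768; User = 'alice';     Host = '10.0.0.5';  Service = 'krbtgt';    EncType = '0x12' }
    [pscustomobject]@{ Time = [datetime]'2022-06-27 09:00:05'; Id = 4769; User = 'alice';     Host = '10.0.0.5';  Service = 'cifs/FS01'; EncType = '0x12' }
    [pscustomobject]@{ Time = [datetime]'2022-06-27 11:30:00'; Id = 4769; User = 'svc-admin'; Host = '10.0.0.77'; Service = 'cifs/DC01'; EncType = '0x17' }
)

function Find-TicketAnomaly {
    param(
        [object[]] $Events,
        [int] $LookbackHours = 10   # default maximum TGT lifetime in a domain
    )
    $lastTgtByUser = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Id -eq 4768) { $lastTgtByUser[$e.User] = $e.Time; continue }
        if ($e.Id -ne 4769) { continue }

        $reasons = @()
        $lastTgt = $lastTgtByUser[$e.User]
        if ($null -eq $lastTgt -or ($e.Time - $lastTgt).TotalHours -gt $LookbackHours) {
            $reasons += 'service ticket with no TGT request seen for this account (forged TGT or TGS)'
        }
        if ($e.EncType -eq '0x17') {
            $reasons += 'RC4 ticket in a domain assumed to use AES (forged tickets commonly default to RC4)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $e.Time; User = $e.User; Host = $e.Host; Service = $e.Service
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Find-TicketAnomaly -Events $sampleEvents | Format-Table -AutoSize -Wrap
```

Against the constructed sample, alice is not reported (her 4769 follows a 4768 five seconds earlier) while svc-admin is reported for both reasons. On real data, feed the function events from every DC at once: a user's 4768 may have been logged by a different DC than the 4769, and a TGT renewed within its lifetime also produces 4769 events without a fresh 4768, so the lookback window must be at least the domain's maximum TGT lifetime. Events are collected with Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } and the fields read from the event XML.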

3.6 Skeleton Key

1. Skeleton Key can be used in mimikatz.
2. Skeleton Key can also be used in Empire.

3.7 Hook PasswordChangeNotify

The PasswordChangeNotify function is used for synchronisation within the system after a user changes a password. An attacker can hook this function to obtain the plaintext of the new password entered when the user changes it.
When a password is changed, after the user enters the new password the LSA calls PasswordFilter to check whether the password meets the complexity requirements. If it does, the LSA calls PasswordChangeNotify to synchronise the password within the system.
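Both the SSP technique of section 3.2 and the PasswordChangeNotify hook of this section rely on a DLL that lsass.exe loads at boot, and the DLLs lsass loads are named in two MULTI_SZ registry values under the Lsa key: "Security Packages" (SSPs, also present under Lsa\OSConfig on newer Windows) and "Notification Packages" (password filter and notification DLLs). The following PowerShell function is an added example, not code from the original notes: it lists every package registered in those values, checks that the DLL exists in System32 and is signed, and marks names outside an assumed baseline of the packages Windows ships. The baselines are assumptions and should be adjusted for third-party password filters that are deliberately installed.

```powershell
# Added example, not part of the original notes: audit the DLLs lsass.exe is told to load
# as Security Support Providers and password notification packages. Baselines are assumed.
function Get-LsaPackageAudit {
    param(
        [string[]] $KnownSecurityPackages     = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap'),
        [string[]] $KnownNotificationPackages = @('scecli', 'rassfm')
    )
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $osc = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    $checks = @(
        @{ Key = $lsa; Name = 'Security Packages';     Known = $KnownSecurityPackages }
        @{ Key = $osc; Name = 'Security Packages';     Known = $KnownSecurityPackages }
        @{ Key = $lsa; Name = 'Notification Packages'; Known = $KnownNotificationPackages }
    )

    foreach ($chk in $checks) {
        $values = (Get-ItemProperty -Path $chk.Key -Name $chk.Name -ErrorAction SilentlyContinue).($chk.Name)
        foreach ($entry in @($values)) {
            $name = ([string]$entry).Trim()
            if ($name -eq '') { continue }   # newer builds leave Lsa\Security Packages as an empty string

            # Packages are named without extension and resolved from System32
            $dll = Join-Path (Join-Path $env:SystemRoot 'System32') ($name + '.dll')
            $exists = Test-Path $dll
            $signature = 'n/a'
            if ($exists) { $signature = (Get-AuthenticodeSignature -FilePath $dll).Status }

            [pscustomobject]@{
                Key        = $chk.Key
                Value      = $chk.Name
                Package    = $name
                KnownGood  = ($chk.Known -contains $name.ToLower())
                DllPresent = $exists
                Signature  = $signature
            }
        }
    }
}

Get-LsaPackageAudit | Format-Table -AutoSize
```

A package that is not in the baseline, whose DLL is unsigned, or whose DLL is missing from System32 (it may be loaded from elsewhere by a full path) is what both sections describe. The registry check only catches the persistent variant; an SSP injected into the running lsass.exe without touching the registry does not survive a reboot and is found by reviewing the modules loaded in lsass.exe instead. Enabling LSA protection (RunAsPPL) prevents unsigned DLLs from being loaded into lsass.exe at all, which blocks both techniques at the source.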

4. Nishang Script backdoor analysis and prevention under

Nishang is a PowerShell-based penetration-testing tool that integrates many frameworks, scripts and payloads. Several of its script backdoors are analysed in the Nishang environment below.

  1. HTTP-Backdoor script
    This script helps an attacker download and execute PowerShell scripts on the target host: it receives instructions from a third-party website and executes PowerShell scripts in memory. The syntax is as follows.

  2. Add-ScrnSaveBackdoor
    The Add-ScrnSaveBackdoor script helps an attacker use the Windows screen saver to install a hidden backdoor.

  3. Execute-OnTime
    The Execute-OnTime script specifies the time at which a PowerShell script is executed on the target host. Its use is similar to the HTTP-Backdoor script, with the addition of a timing function.

  4. Invoke-ADSBackdoor
    The Invoke-ADSBackdoor script can leave a permanent backdoor in an NTFS alternate data stream. This method is a serious threat because the backdoor is permanent and hard to find.
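Two of the four Nishang backdoors above leave something on disk or in the registry that a defender can enumerate: the screen-saver backdoor changes which program runs as the screen saver, and the ADS backdoor hides its payload in an NTFS alternate data stream, which ordinary directory listings do not show. The following PowerShell functions are an added example, not code from the original notes or from Nishang: the first lists alternate data streams under a path (ignoring the default data stream and the Zone.Identifier mark-of-the-web), the second reports the configured screen saver and flags one that does not live in System32. The default path and the System32 expectation are assumptions.

```powershell
# Added example, not part of the original notes: surface the artefacts of the ADS and
# screen-saver backdoors. Paths and the "screen savers live in System32" rule are assumptions.
function Get-AlternateDataStream {
    param([string] $Path = $env:USERPROFILE)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ':$DATA' is the file's normal content; Zone.Identifier is the download mark
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Length = $_.Length }
                }
        }
}

function Get-ScreenSaverSetting {
    $desktop    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $scr        = [string]$desktop.'SCRNSAVE.EXE'
    $system32   = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')
    $inSystem32 = $false
    if ($scr -ne '') {
        $inSystem32 = ((Split-Path -Path $scr -Parent).TrimEnd('\') -ieq $system32)
    }
    [pscustomobject]@{
        ScreenSaver = $scr
        Timeout     = $desktop.ScreenSaveTimeOut
        Active      = $desktop.ScreenSaveActive
        Suspicious  = ($scr -ne '') -and (-not $inSystem32)
    }
}

Get-ScreenSaverSetting
Get-AlternateDataStream -Path 'C:\Users' | Format-Table -AutoSize
```

A stream whose content is a script, attached to an otherwise ordinary file or directory, is the "permanent and hard to find" backdoor of item 4; the stream is read with Get-Content -Stream and removed with Remove-Item -Stream. A screen saver pointing outside System32 (or a .scr whose signature does not verify) is item 2. The HTTP-Backdoor and Execute-OnTime scripts run entirely in memory, so for those the useful record is PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104), which captures the downloaded script text when it is executed.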

Original site: https://yzsam.com/2022/178/202206271240349283.html

Copyright notice
This article was written by [seven six nine]. Please include a link to the original when reposting. Thank you.