Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on creating a new user for a backdoor. There are both advantages and disadvantages to creating a new user account. Participants learn the following tools in creating the user account:

  • Net user
  • Net local group

Video Transcription

00:04
Hello, ladies and gentlemen, welcome to this latest video. We're going to discussing back, adoring again in the post exploitation world. Specifically, this back door is going to be sort of ah,
00:14
twist on the idea of a backdoor Most of the time when you hear of a back door, we hear about a back story here, you know, someone who is using some crazy epic hack in some nifty trick to, ah,
00:26
hide behind to get past all these layers of firewalls behind which is normally hidden. And I let someone connected.
00:33
What we're going to do instead is slightly different. It's sort of easier, but at the same time, um, more effective, which is always a great combo.
00:43
Rather than working harder, we're going to do some working smarter.
00:47
What we're going to do is we're going to create a new user.
00:51
So they're they're kind of things to consider when it comes to creating a new user. The pros in the columns of situation,
00:58
the pro is pretty simple. A new user, especially one whose name and everything looks like it belongs fits in,
01:04
is going to attract practically no attention. Most of the time.
01:07
If it seems valid.
01:11
User seems to fit into the network without any issue. You're probably gonna be fine. Ah, Valid seeming user with admin power. It can install software change rules. Really do a lot of stuff.
01:23
You can really wreak havoc without anyone paying too much attention.
01:27
Especially if add mons have different account
01:30
style and you follow that admit account style.
01:34
The only people who are going to see it. The first thing you're gonna look for is whatever that
01:38
special, you know, ticket. They put on it for admin. They see it. They're almost never gonna pay attention. What you're actually doing until things start to break, Of course,
01:46
at which point everyone's looking for someone to blame. So you'll have to be a little bit. We're careful.
01:53
The con is if someone actually has something in place. If events are being rug when new users were created,
02:00
anything like that, or even if they just, you know, you've got one of those crazy sys admin who knows exactly how many users have exactly what privileges?
02:08
Um, and they definitely do exist in the world. They're scary people.
02:13
So someone is monitoring it that monitoring the user's list to that extent,
02:19
you're going to warn them. At that point, they'll know. But you won't necessarily know that they know. Which means they're going to have an extremely easy time keeping track of you, you know, outdoing you, controlling everything you're trying to do on their system because everything you're doing is going to be done by a single user,
02:38
and it's all going to be done. Generally speaking,
02:40
um,
02:42
since you're acting a single user, you're gonna be doing it during the day when normal user activity is going on. So they're going to have a much easier time stopping you.
02:52
So there is a serious pro and con to it.
02:53
I generally, if I have the opportunity to create a new user, I'll do so,
02:59
um,
03:00
but that I won't
03:02
on Lee used that. I'll use it, you know, see if it's getting tagged or if it seems like they're paying more attention to what it's doing.
03:09
Um, but
03:12
in general, it's fairly safe to create a new user,
03:15
and it is very, very effective. It's a constant back door to which you know the actual password. The actual process for it is sort of two step like the last one was. Although the first step for this one is actually an analysis step more than it is a command step.
03:31
The first thing we're gonna do is we're gonna just type in that user. We saw that command of the information gathering
03:38
and, you know, it kind of pipe that door file and moved on with their lives
03:42
here. We're doing it for a specific reason. And the specific reason is elucidated
03:46
by these names. We see its account one
03:52
pilot on the account
03:53
account, too,
03:55
and account three for those. You actually watch that video? You'll know that there were a bunch of war accounts. I deleted those because,
04:02
well, kind of proving a point here. So by using that user by actually entering this command, we see that there's this prison naming scheme.
04:10
Um, and this particular name of team is sort of
04:13
odd and that it doesn't indicate anything about the user. Doesn't name ready
04:16
really identifiable feature Other than an I. D or a number,
04:20
it isn't uncommon to see I d numbers as part of the path or
04:26
either part or all of
04:28
the user name,
04:30
So it is possible that That's just the system they use at whatever company you're testing against.
04:36
So it may be that it's account followed by a serial number.
04:41
It could be really any number of things. What matters is that this is what an account looks like.
04:46
So that makes sense that when we do our next command
04:49
that use red,
04:51
we're just gonna do the logical next step.
04:55
I count four.
04:56
I'm here. You see, if a week password, but one that follows
05:00
general requirements for a lot of networks, it's good enough that it looks like a normal and user did it. And not someone just, you know,
05:09
generating uneasily working password for the bad guys to use. Because again, when you put in a back door in a target system, you don't actually want that target system to be vulnerable to everyone on the Internet. That's gonna get you in trouble with your customer. If
05:24
during the course of your pen testing someone uses your backdoor to swipe millions of dollars of credit card data or what have you,
05:30
you're gonna get in trouble?
05:31
So you do Annette user ad and then assuming that you know with your original exploit, you broke your way in with some degree of permission. You're going to add that user account to the administrators group so that your permission is consistent and not reliant on some sort of error or vulnerability. Or however you got it now,
05:49
which is sort of one of the big benefits of creating a user.
05:53
Ah, lot of people don't see the point because they're like, Well, if I've exploited my way into the system that I've explained my twin sister, we don't have to worry about creating a proper account.
06:00
The thing about vulnerabilities and the thing about breaking your way into a system is that to get in, you have to break something.
06:08
And well, in some cases, most cases even.
06:12
Ah, what you're doing is done in such a way as to not destabilize the target. And you can usually consistently use the access.
06:19
But not always. Some vulnerabilities can actually, you know, there might be a one in vai ver one in 10 chance, but they can't actually just completely bushwhack the target system, which isn't what you want.
06:30
So by breaking in the first time in whatever terrifyingly dangerous way you've got available and then creating a stable, simple means of re accessing it with a normal admin account or with just a normal account, even, and then increasing your privileges through a different kind of exploit,
06:46
you're reducing the chance that you're going to make a big screw up or in some way make a mistake, which could lead to being noticed.
06:55
So
06:57
again, when you have the option, creating a user account is option, often a very good choice.
07:01
Um, as you can see, it's two commands. Three commands of you count our information gathering with earlier
07:09
takes practically no time to do. And if you do it right, you almost never get caught.
07:14
So that's all I've got for this video. That's pretty much the last of
07:18
the back door ing,
07:21
um,
07:23
but that we're going to go ahead and
07:26
move on to our next subject, which after after this is going to be password cracking
07:30
and covering tracks.
07:31
So until next time, I am your speed Joseph, Mary and you've been watching this on cyber very dot i t

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor