NetBus is a classic piece of software that has been around since 1998. We will briefly review it here as a gentle introduction to backdoors and remote control software. NetBus was originally written by Carl-Fredrik Neikter. The program consists of two parts: a client and a server. The server software is installed on the target PC, that is, the machine that you want to remotely control. The client software is used to connect to and control the target.
Once the NetBus server software is installed on the target machine, the client software can perform a number of different actions on the target. Remember, even though the attacker is not physically sitting at the local machine, the client software allows the attacker to execute commands on the remote target as if he were. Some of the more popular options include the following:
- Opening the CD-ROM drive
- Starting a program
- Taking a screenshot of the target's current screen
- Uploading and downloading files
- Sending messages

FIGURE 6.5
To use NetBus, simply install the server on the target machine and run the client software on the attacker machine.
NetBus comes as a compressed file that contains several different pieces. You need to first unzip the NetBus archive. To install the server software, you execute the Patch.exe file on the target. This installs and starts NetBus. The program will run as a process called "Patch.exe" and, when installed, will automatically create a registry entry so that it starts every time Windows is started. Those two artifacts, a running Patch.exe and an autostart registry value, are also the first things a defender looks for. To access the client panel, you run NetBus.exe. Enter the target IP address in the "Host name/IP:" field and click the Connect button. Figure 6.6 shows an example of the client interface that is used to interact with the target.
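The install steps above leave three things behind on the target: the Patch.exe process, the autostart registry value, and a TCP listener for the client to connect to. The following Python is an added example written for this page, not NetBus code and not code from the book; it parses constructed copies of `netstat -ano`, `reg query ...\Run` and `tasklist` output (the samples are made up, not captured from a real host) and flags those indicators. Two details are assumptions the page does not state: that NetBus's historic default listener is TCP 12345 (with 12346 as a secondary port), and that the autostart value lives under the HKLM CurrentVersion\Run key.

```python
"""Triage for a NetBus-style backdoor (added example, not from the book).

Assumptions, not stated on the page: the server listens on TCP 12345
(NetBus's historic default, 12346 secondary) and persists through a value
under the HKLM CurrentVersion Run key. All three inputs are constructed
samples of Windows command output; on a live host feed the real output of
`netstat -ano`, `reg query <Run key>` and `tasklist` instead.
"""
import re

NETBUS_PORTS = {12345, 12346}      # assumed historic defaults
SUSPECT_BINARY = "patch.exe"       # server image name given in the text

# Constructed `netstat -ano` sample (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1608
  TCP    192.168.1.20:12345     192.168.1.77:50412     ESTABLISHED     1608
  UDP    0.0.0.0:500            *:*                                    1092
"""

# Constructed `reg query HKLM\...\Run` sample.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Patch             REG_SZ           C:\WINDOWS\Patch.exe
"""

# Constructed `tasklist` sample.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    748 Services                   0      9,120 K
Patch.exe                     1608 Console                    1      2,304 K
"""

# UDP rows carry no State column, hence the optional group.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+):(?P<port>\d+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
RUN_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_\w+\s+(?P<data>.+?)\s*$")
TASKLIST_RE = re.compile(r"^(?P<image>\S+\.exe)\s+(?P<pid>\d+)\s", re.IGNORECASE)


def parse_netstat(text):
    """Rows of `netstat -ano` as dicts with int port and pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"], row["pid"] = int(row["port"]), int(row["pid"])
            rows.append(row)
    return rows


def parse_run_key(text):
    """Value name -> command for each value printed under the Run key."""
    return {m["name"]: m["data"]
            for m in map(RUN_VALUE_RE.match, text.splitlines()) if m}


def parse_tasklist(text):
    """pid -> lower-cased image name from `tasklist` output."""
    return {int(m["pid"]): m["image"].lower()
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}


def find_indicators(netstat_text, run_key_text, tasklist_text):
    """Return human-readable indicators; an empty list means nothing matched."""
    sockets = parse_netstat(netstat_text)
    autoruns = parse_run_key(run_key_text)
    procs = parse_tasklist(tasklist_text)
    findings = []
    # 1. Anything bound to the assumed NetBus ports, with the owning image.
    for s in sockets:
        if s["proto"] == "TCP" and s["port"] in NETBUS_PORTS:
            image = procs.get(s["pid"], "unknown image")
            findings.append(
                f"tcp/{s['port']} {s['state']} by pid {s['pid']} ({image})")
    # 2. An autostart value that launches the server, whatever it is named.
    for name, command in autoruns.items():
        if SUSPECT_BINARY in command.lower():
            findings.append(f"Run value '{name}' launches {command}")
    # 3. The server process itself.
    for pid, image in procs.items():
        if image == SUSPECT_BINARY:
            findings.append(f"process {image} running as pid {pid}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NETSTAT, SAMPLE_RUN_KEY, SAMPLE_TASKLIST):
        print("[!]", finding)
```

The port check is the weakest of the three signals, since any service can be bound to 12345; tying the socket to its owning PID and image name, and corroborating with the autostart value, is what turns it into a finding rather than a guess.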
There is little doubt that NetBus is an old piece of software, but it makes for a great tool when discovering and exploring backdoor command and control of a remote target.
ROOTKITS
Just like Metasploit, when people are first exposed to the power and cunning of rootkits, they are usually amazed. To the uninitiated, rootkits appear to have an almost black-magic-like quality. They are usually simple to install and can produce amazing results. Running a rootkit gives you the ability to hide files, processes, and programs as if they were never installed on the computer. Rootkits can be used to hide files from users and even from the tools built into the operating system itself.
Because rootkits are so effective at hiding files, they will often be successful at evading even the most finely tuned antivirus software. The name rootkit is typically said to be a derivative of the words "root," as in root-level or administrative access, and "kit," the collection of tools provided by the software package.
FIGURE 6.6
As we already mentioned, rootkits are extremely stealthy. They can be used for a variety of purposes including escalating privileges, recording keystrokes, installing backdoors, and other nefarious tasks. Many rootkits are able to avoid detection because they operate at a much lower level of the system, inside the operating system kernel. The software that users typically interact with functions at a higher level of the system. When a piece of software like antivirus needs to perform a particular task, it will often pass the request off to the lower levels of the operating system to complete the task. Remember, some rootkits live deep inside the operating system. They work by "hooking," or intercepting, the various calls between the software and the operating system. By hooking the request from a piece of software, the rootkit is able to modify the normal response. Consider the following example: assume that you want to see what processes are running on a Windows machine. To accomplish this, most users press the key combination Ctrl+Alt+Del. This allows the user to start Task Manager and view running processes and services. Most people perform this task without thinking about it. They examine the process list presented and move on.
While the following is a gross oversimplification, it should serve as an example to help you understand the basics. In this case the software is making a call to the operating system and asking what processes or services are running. The operating system queries all the running programs it is aware of and returns the list. However, if we add a rootkit to the mix, things get a little more complicated. Because rootkits have the ability to intercept and modify the responses returned by the operating system, when a user attempts to view the process list, the rootkit can simply remove selected programs, services, and processes from the list. This happens instantaneously and the user is not aware of any difference. The program itself is actually functioning perfectly; it is reporting exactly what it was told by the operating system. In many senses of the word, the rootkit is causing the operating system to lie. This is also the weakness detection tools exploit: a hook only covers the calls it was written for, so a process that answers when probed directly by PID but is missing from the enumerated list has been hidden.
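To make the hooking mechanism concrete, here is an added Python simulation written for this page; it is not code from the book or from any real rootkit, and nothing in it runs in a kernel. A toy kernel holds the real process table, a Rootkit class installs a hook on the enumeration call and strips its own entries from the answer, as described above, and a cross-view check compares that hooked answer against a second path the hook does not cover (probing each PID directly), which is how rootkit detectors surface hidden processes. The class names, the process list and the PID-probe path are all constructed for the example; on Windows the real call Task Manager ultimately depends on, NtQuerySystemInformation, was the textbook hook target, a detail not stated on the page.

```python
"""Simulated process-list hook and cross-view detection (added example).

Nothing here is real rootkit or kernel code. ToyKernel stands in for the
operating system, Rootkit stands in for a kernel-mode hook on the process
enumeration call, and cross_view_detect does what rootkit detectors do:
compare the hooked answer with an independent path the hook does not cover.
The process table is a constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


class ToyKernel:
    """Ground truth: the process table as the kernel really holds it."""

    def __init__(self, procs):
        self._table = {p.pid: p for p in procs}

    def query_processes(self):
        """The enumeration call Task Manager would use (the hook target)."""
        return sorted(self._table.values(), key=lambda p: p.pid)

    def pid_exists(self, pid):
        """A second, independent path to the same facts, like opening a
        handle to a specific PID; this toy rootkit does not hook it."""
        return pid in self._table


class Rootkit:
    """Installs a hook on query_processes and filters its own entries out."""

    def __init__(self, kernel, hide_names):
        self._hidden = {n.lower() for n in hide_names}
        self._original = kernel.query_processes       # keep the real call
        kernel.query_processes = self._hooked          # swap in the hook

    def _hooked(self):
        real = self._original()                        # ask the real kernel
        # Drop the hidden entries; the caller still gets a well-formed list
        # and has no way to tell anything was removed.
        return [p for p in real if p.name.lower() not in self._hidden]


def task_manager_view(kernel):
    """What a user sees: names from the (possibly hooked) enumeration call."""
    return [p.name for p in kernel.query_processes()]


def cross_view_detect(kernel, max_pid):
    """PIDs that answer a direct probe but are missing from the enumerated
    list. Any difference between the two views means something is hiding."""
    listed = {p.pid for p in kernel.query_processes()}
    alive = {pid for pid in range(max_pid + 1) if kernel.pid_exists(pid)}
    return sorted(alive - listed)


def demo():
    """Returns (view before hook, view after hook, hidden PIDs detected)."""
    kernel = ToyKernel([Proc(4, "System"), Proc(748, "svchost.exe"),
                        Proc(1608, "patch.exe"), Proc(2210, "explorer.exe")])
    before = task_manager_view(kernel)
    assert cross_view_detect(kernel, max_pid=4096) == []  # clean baseline
    Rootkit(kernel, hide_names=["patch.exe"])
    after = task_manager_view(kernel)
    hidden = cross_view_detect(kernel, max_pid=4096)
    return before, after, hidden


if __name__ == "__main__":
    before, after, hidden = demo()
    print("Task Manager before hook:", before)
    print("Task Manager after hook: ", after)
    print("Hidden PIDs by cross-view:", hidden)
```

The point of the design is that the hook is only as good as its coverage: a more thorough rootkit would also hook the direct-probe path, and a more thorough detector would add a third view (for example walking kernel memory structures) that is harder still to hook, which is the arms race rootkit detection has always been.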
It is important to point out that a rootkit is not an exploit. Rootkits are something that is uploaded to a system after the system has been exploited. Rootkits are usually used to hide files or programs and to maintain stealthy backdoor access.
ALERT!
As with everything else and even more so in this case, you must be 100 percent sure that your client authorizes the use of rootkits before you deploy them in a penetration test. Utilizing a rootkit without authorization will be a sure way to quickly end your career and put you behind bars. Even if you have been fully authorized to conduct a penetration test, double and triple check that you are specifically authorized to utilize a rootkit.