OK, maybe I should post something useful and perhaps exercise our brains a lil bit. It seems that most of the time lately I just keep posting more about me and my family and less on IT thingies. So for this post, let me give you one example of how we can create a simple backdoor for Windows based machines which I believe MAYBE will be ignored by your ordinary administrator (you’ll discover why later on). And even if he manages to notice the existence of the backdoor, he might have some difficulty deleting it as well ;). So let’s begin…

First of all, in this example, I’m just using the Swiss army knife for us, the so-called security guys.. netcat or nc. Yeap, there are many things that you can do with netcat, starting from transferring files, shoveling shells, up to becoming a relay for remote communication.. Cool eh? For this post, let us use the simpler side of netcat.. We will use the shell-shoveling capability of this nifty application and of course, we are going to rename it so hopefully nobody can notice its existence in your system ;)

So.. we are going to rename our netcat with the name of one of the Windows processes, smss.exe. So what is smss.exe?

smss.exe is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens “normally,” the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

smss.exe is NOT an application that enables you to send SMS (short message service) from your PC, ok? Usually only one smss.exe process will be running on your machine and it is highly unusual for a second process with the same name to exist. This process is not the same as svchost.exe.

So let’s rename our “backdoor” to smss.exe ;)

Then, we will execute our newly renamed “backdoor” with this command line:

C:\>start smss.exe -L -p 1337 -e cmd.exe

where -L = listening mode (persistent, i.e. it keeps listening after a client disconnects; Windows only)

-p = local port

-e = execute

meaning we instructed our “backdoor” to open and listen on local port 1337, and whoever connects to that port will be given an MS-DOS prompt..

Oh yes, by issuing the start command, the executed application will be given another prompt window of its own.

OK, now that we’ve executed our “backdoor”, what’s next? Run netstat and see whether our backdoor has opened port 1337 in listening mode..

Our “backdoor” is running alright. Now let’s call up the task manager and see what we can see from there..

There it is. OK, let us answer this question.. Most of the time, how many system administrators will notice the existence of an extra process in their systems? If you are a system administrator, perhaps you can answer that, as I do not have the answer. Even if you managed to detect this extra process and tried to kill it via task manager, sorry to disappoint you, but you will not be able to kill that process using the Windows task manager. Because, based solely on its name, Windows considers it one of its critical processes and will never allow you to kill it.

Now that’s a bummer, right? You’ve detected the extra process, you know that it opens TCP port 1337 in listening mode. You know whoever connects to that port will be given a DOS prompt, but heck, you just can’t remove that bugger process. OK, now enough scratching your head, as actually Microsoft did give you another set of commands and applications to remove that bugger or any unwanted process. Only one minor problem: you need to put your mouse aside and start typing some command lines. ;) (WMIC stands for Windows Management Instrumentation Command-Line. Read about it here and here.)

OK, I’ve learned this wmic kung-fu from Ed Skoudis’ postings at the Handlers Diary. I recommend that you read those articles. They are very very very useful.

So let’s start by listing the smss.exe processes. OK, first of all you might ask me how on earth I know it is smss.exe that opened port 1337? Alright, first of all I need to know which process/application uses that port, so a simple netstat -naob will give me some information on this, where

-n = display ports and addresses in numerical form

-a = display all connections and listening ports

-o = display the owning process ID associated with each connection

-b = display the executable involved in creating each connection or listening port

Neat eh?

So by executing netstat with those options, you will be presented with something like this.

Now you know that one of the smss.exe processes running on your machine is listening on port 1337. Now let’s use wmic to see the details of this process..

C:\>wmic process where name="smss.exe" list full

The first smss.exe process appears to be normal. Take a look at the CommandLine and ExecutablePath fields. It appears normal to me anyway ;)

Now let’s examine the second smss.exe process. Hmm, now that looks suspicious. First look at the CommandLine field. So this is the smss.exe process that is listening on port 1337. In fact, whoever connects to this machine on that port will be given a DOS prompt. The ExecutablePath appears suspicious as well. So this is our backdoor.

OK, now we’ve identified the culprit, but how do we remove it? We know that the Windows task manager refuses to stop/kill any process that it deems “critical” to Windows operation (even the ones that open and listen on a port and give a DOS prompt to whoever connects to that port ;) )

Aha, I guess a simple C:\>wmic process where name="smss.exe" delete would do, but what if it also kills the other, legitimate smss.exe? That would create some problems for us as well. So instead of using the process name, we are better off using the process ID. True? ;)

C:\>wmic process where name="smss.exe" get executablepath, processid will do the trick

C:\>wmic process where processid="process id number" delete

and voila. The rogue process is removed. A quick check with netstat shows that TCP port 1337 is no longer in listening mode.
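Putting the netstat -naob and wmic steps above together, here is an added example (my own code, not from the original post) that parses constructed netstat -naob and wmic process ... list full output, picks out the smss.exe that does not belong, and prints the wmic delete command targeted by PID rather than by name, so the legitimate smss.exe is left alone. The sample output, the System32 path prefixes and the list of core process names are assumptions made for the example.

```python
from collections import Counter

# Constructed sample of `netstat -naob` output (not captured from a real host).
# With -b, netstat prints the owning image in [brackets] on the line(s) after
# each connection, sometimes preceded by a service/component name.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       2468
 [smss.exe]
  TCP    192.168.1.10:1025      192.168.1.20:445       ESTABLISHED     4
 [System]
"""

# Constructed subset of `wmic process where name="smss.exe" list full` output.
# Real output has many more Key=Value fields; records are separated by blank lines.
WMIC_SAMPLE = r"""
Caption=smss.exe
CommandLine=\SystemRoot\System32\smss.exe
ExecutablePath=\SystemRoot\System32\smss.exe
Name=smss.exe
ParentProcessId=4
ProcessId=420


Caption=smss.exe
CommandLine=smss.exe -L -p 1337 -e cmd.exe
ExecutablePath=C:\Documents and Settings\user\smss.exe
Name=smss.exe
ParentProcessId=1580
ProcessId=2468
"""

# Assumptions: where the real core binaries live, and which process names Windows
# treats as core session processes (the post names smss.exe, csrss.exe and winlogon.exe).
SYSTEM32_PREFIXES = ("\\systemroot\\system32\\", "c:\\windows\\system32\\")
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe"}


def parse_netstat(text):
    """Turn `netstat -naob` text into connection dicts: proto, local, foreign, state, pid, image."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if tokens and tokens[0] in ("TCP", "UDP") and tokens[-1].isdigit():
            conns.append({
                "proto": tokens[0],
                "local": tokens[1],
                "foreign": tokens[2],
                "state": tokens[3] if tokens[0] == "TCP" else "",  # UDP rows have no State column
                "pid": int(tokens[-1]),
                "image": None,
            })
        elif line.startswith("[") and line.endswith("]") and conns:
            conns[-1]["image"] = line[1:-1]  # "[smss.exe]" belongs to the connection row above
    return conns


def parse_wmic_list_full(text):
    """Turn `wmic ... list full` Key=Value output into one dict per process."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")  # CommandLine may itself contain '='
        current[key] = value
    if current:
        records.append(current)
    return records


def find_rogue_processes(conns, procs):
    """Flag processes whose binary is outside System32 or whose core-process name owns a listening TCP socket."""
    listening = {c["pid"]: c for c in conns if c["proto"] == "TCP" and c["state"] == "LISTENING"}
    name_counts = Counter(p["Name"].lower() for p in procs)
    findings = []
    for p in procs:
        name, pid = p["Name"].lower(), int(p["ProcessId"])
        path = p.get("ExecutablePath", "")
        reasons = []
        if not path.lower().startswith(SYSTEM32_PREFIXES):
            reasons.append("executable lives outside System32: " + path)
        if name in CORE_PROCESS_NAMES and pid in listening:
            reasons.append("core process name is listening on " + listening[pid]["local"])
        if reasons and name_counts[name] > 1:
            reasons.append("%d processes share the name %s; normally there is one" % (name_counts[name], name))
        if reasons:
            findings.append({"pid": pid, "name": p["Name"], "reasons": reasons})
    return findings


def delete_command(pid):
    """The wmic one-liner from the post, targeted by PID so the legitimate process survives."""
    return 'wmic process where processid="%d" delete' % pid


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_wmic_list_full(WMIC_SAMPLE)
    for f in find_rogue_processes(conns, procs):
        print("PID %d (%s):" % (f["pid"], f["name"]))
        for r in f["reasons"]:
            print("  - " + r)
        print("  remove with: " + delete_command(f["pid"]))
```

On a live box you would feed the two parsers the real output of netstat -naob and wmic process list full; the script never runs the delete itself, it only tells you which PID the post’s last wmic command should be pointed at.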

Cool eh? So is there no hope for you guys who are WIMP (Windows Icon Mouse Pointer) dependent? Unfortunately there is.. And I have to admit it saves a lot of time as well. Applications like tcpview and ActivePorts will give you the ability to remove unwanted processes easily.

Be warned: easily also means that you can easily kill a legitimate process without knowing it, whatever your excuse, and bring down your machine as well. Anyway, I do believe it is important to at least know a lil bit about the additional functions/applications and tools that Microsoft “secretly” provided in their operating systems. “Secretly” as I don’t think we were taught about these kinds of tools before? ;)

Ok now I need to take my bath and shut down my WIMP operating system ;)

4 Responses to “Netcat and WMIC”

  1. on 28 Oct 2008 at 1:47 am b4n

    great tutor bro

  2. on 29 Oct 2008 at 9:33 am anton

nice bos. another tool that can be used to see the processes and to kill it is process explorer. it shows you many things like the company name a process belongs to and also the dll files associated to a process.

  3. on 31 Oct 2008 at 9:51 am Dekan

Oh.. so that’s how it is..

  4. on 23 Dec 2008 at 7:59 pm Datta

    Nice article..how to retrieve CPU usage% of a particular ProcessId using wmic or netstat?
