Chapter 11. Backdoors

You have spent hours, perhaps days, probing a network’s defenses, finding weaknesses and taking advantage of them to reveal more specific target hosts. After discovering a host that appears interesting enough to warrant further investigation, you focus and begin to dig even deeper. After some more time spent chipping away at the host, investigating each service, looking for public and private exploits, or maybe even buckling down and writing your own—a breakthrough:

C:\WINDOWS\system32>_

Great! Now what?

This is a question that regularly snakes its way into my head, but in this particular situation, there is already an answer. You have gained access to the host; now you need to make sure that you can continue to do so. Since it is unlikely that the administrator of this machine intended for you to gain entry like this (or for that matter, even at all), you will need some sort of backdoor into the system. Depending on the circumstances, this might be something as simple as adding an additional account to the system, or as comprehensive as a fully featured suite of tools that hides itself in memory, offering stealthy remote access and many other things. I will do my best to offer an example of each as well as a few more that fall somewhere in between.

With backdoors, emphasis is often placed on uses and functionality for the attacker or penetration tester, but often there are legitimate uses for administrators as well. It may be something as simple as having an easy ...
