Monday, August 31, 2020

CEH Practical: Information-Gathering Methodology

 

Information gathering can be broken into seven logical steps. Footprinting covers the first two of these steps: unearthing initial information and locating the network range.


Footprinting

Footprinting is defined as the process of establishing a scenario or creating a map of an organization's network and systems; information gathering is also known as footprinting an organization. Footprinting is an important part of the reconnaissance process and is used to collect as much information as possible about a targeted computer system or network. Footprinting can be either passive or active: assessing a company's public website is passive footprinting, whereas attempting to obtain sensitive information through social engineering is active information gathering. Footprinting is the first step of an attack, because knowledge of the targeted system is the foundation of everything that follows: the more an attacker knows about a target, the easier it is to compromise. The basic purpose of information gathering is, at a minimum, to decide which types of attack are most suitable for the target. Here are some of the pieces of information to be gathered about a target during footprinting:
  • Domain name
  • Network blocks
  • Network services and applications
  • System architecture
  • Intrusion detection system
  • Authentication mechanisms
  • Specific IP addresses
  • Access control mechanisms
  • Phone numbers
  • Contact addresses
Once this information is assembled, it gives the attacker a better picture of the organization, where important information is stored, and how it can be accessed.

Footprinting Tools 

Footprinting can be done using hacking tools, either applications or websites, which allow the hacker to locate information passively. By using these footprinting tools, a hacker can gain some basic information on, or "footprint," the target. By first footprinting the target, a hacker can eliminate tools that will not work against the target systems or network. For example, if a graphics design firm uses all Macintosh computers, then all hacking software that targets Windows systems can be eliminated. Footprinting not only speeds up the hacking process by eliminating certain tool sets but also minimizes the chance of detection as fewer hacking attempts can be made by using the right tool for the job. Some of the common tools used for footprinting and information gathering are as follows:
  • Domain name lookup
  • Whois
  • NSlookup
  • Sam Spade
Before we discuss these tools, keep in mind that open source information can also yield a wealth of information about a target, such as phone numbers and addresses. Performing Whois requests, searching domain name system (DNS) tables, and using other lookup web tools are forms of open source footprinting. Most of this information is fairly easy to get and legal to obtain.

Footprinting a Target 

Footprinting is part of the preparatory pre-attack phase and involves accumulating data regarding a target's environment and architecture, usually for the purpose of finding ways to intrude into that environment. Footprinting can reveal system vulnerabilities and identify the ease with which they can be exploited. This is the easiest way for hackers to gather information about computer systems and the companies they belong to. The purpose of this preparatory phase is to learn as much as you can about a system, its remote access capabilities, its ports and services, and any specific aspects of its security.

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.

NSlookup and DNSstuff

One powerful tool you should be familiar with is NSlookup (see Figure 2.2). This tool queries DNS servers for record information. It's included in Unix, Linux, and Windows operating systems. Hacking tools such as Sam Spade also include NSlookup tools. Building on the information gathered from Whois, you can use NSlookup to find additional IP addresses for servers and other hosts. Using the authoritative name server information from Whois (AUTH1.NS.NYI.NET), you can discover the IP address of the mail server.

Syntax

nslookup www.sitename.com
nslookup www.usociety4.com
Performing DNS Lookup
This search reveals all the alias records for www.google.com and the IP address of the web server. You can even discover all the name servers and associated IP addresses.
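To show what nslookup actually does when it "reveals all the alias records" for a host, the following added example (not part of the original post) builds a DNS query in wire format and decodes a reply the way nslookup prints it: the CNAME chain first, then the A record. The reply bytes are a constructed, hand-assembled answer for the hypothetical name www.example.test (including RFC 1035 name compression), so the module runs without network access; the query builder is the part you would send to a real resolver on UDP port 53.

```python
"""Build a DNS query and decode a response the way nslookup displays it."""
import struct

A, NS, CNAME = 1, 2, 5
TYPE_NAMES = {A: "A", NS: "NS", CNAME: "CNAME"}


def encode_name(name):
    """'www.example.test' -> b'\\x03www\\x07example\\x04test\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=A, txid=0x1234):
    """12-byte header (RD=1, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return [(owner, type, rdata)] for every record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (CNAME, NS):
            rdata, _ = decode_name(msg, off)
        else:
            rdata = msg[off:off + rdlen].hex()
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), rdata))
        off += rdlen
    return answers


def sample_response(txid=0x1234):
    """Constructed reply to build_query('www.example.test'): a CNAME to
    web.example.test plus that host's A record, using name compression."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    msg += encode_name("www.example.test") + struct.pack("!HH", A, 1)
    # answer 1: owner -> offset 12 (question name); rdata 'web' + pointer to
    # 'example.test', which starts at offset 16 inside the question name
    rdata = b"\x03web" + b"\xC0\x10"
    msg += b"\xC0\x0C" + struct.pack("!HHIH", CNAME, 1, 300, len(rdata)) + rdata
    # answer 2: owner -> offset 46 ('web.example.test' inside answer 1), A record
    msg += b"\xC0\x2E" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 10])
    return msg


if __name__ == "__main__":
    print("query bytes:", build_query("www.example.test").hex())
    for owner, rtype, rdata in parse_response(sample_response()):
        print(f"{owner:<24} {rtype:<6} {rdata}")
```

The decoded answer section is exactly what nslookup summarises as "aliases" (the CNAME owner names) and "address" (the final A record); a real resolver may return several CNAMEs before the address, and the loop handles any number of them.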

Understanding Whois and ARIN Lookups

Whois evolved from the Unix operating system, but it can now be found in many operating systems as well as in hacking toolkits and on the Internet. This tool identifies who has registered domain names used for email or websites. A uniform resource locator (URL), such as www.Microsoft.com, contains the domain name (Microsoft.com) and a hostname or alias (www).
The Internet Corporation for Assigned Names and Numbers (ICANN) requires registration of domain names to ensure that only a single company uses a specific domain name. The Whois tool queries the registration database to retrieve contact information about the individual or organization that holds a domain registration.

Using Whois

  • Go to the DNSStuff.com website and scroll down to the free tools at the bottom of the page.
  • Enter your target company URL in the WHOIS Lookup field and click the WHOIS button.
  • Examine the results and determine the following:
    • Registered address
    • Technical and DNS contacts
    • Contact email
    • Contact phone number
    • Expiration date
  • Visit the company website and see if the contact information from WHOIS matches up to any contact names, addresses, and email addresses listed on the website.
  • If so, use Google to search on the employee names or email addresses. You can learn the email naming convention used by the organization, and whether there is any information that should not be publicly available.

Syntax

whois sitename.com
whois usociety4.com
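The checklist above asks you to pull the registered address, the contacts, the expiration date and the organisation's e-mail naming convention out of raw WHOIS output. The following added example (not from the original post) does that mechanically: it parses the key/value layout that registries print into the listed fields, computes how many days remain until expiry (a lapsed registration is a takeover risk for the domain owner), and infers the naming convention from known name/address pairs. The WHOIS text, the domain example.test, the employee list and the reference date are constructed, not real registry data.

```python
"""Extract the footprinting checklist fields from WHOIS output."""
import re
from datetime import datetime, timezone

# Constructed sample in the "Key: value" layout most registries print.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2021-03-15T04:00:00Z
Name Server: AUTH1.NS.EXAMPLE.TEST
Name Server: AUTH2.NS.EXAMPLE.TEST
Registrant Organization: Example Corp
Registrant Street: 1 Main Street
Registrant City: Springfield
Registrant Email: hostmaster@example.test
Tech Name: Jane Doe
Tech Email: jane.doe@example.test
Tech Phone: +1.5555550100
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Group repeated keys (e.g. several 'Name Server' lines) into lists."""
    records = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            records.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return records


def summarize(text, now):
    """Return the checklist fields; `now` is passed in so results are reproducible."""
    r = parse_whois(text)

    def first(key):
        return (r.get(key) or [None])[0]

    expiry_raw = first("registry expiry date") or first("expiration date")
    expiry = None
    if expiry_raw:
        expiry = datetime.strptime(expiry_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "registrar": first("registrar"),
        "name_servers": [ns.lower() for ns in r.get("name server", [])],
        "registered_address": ", ".join(
            v for v in (first("registrant street"), first("registrant city")) if v),
        "contact_emails": sorted({v.lower() for k, vals in r.items()
                                  if k.endswith("email") for v in vals}),
        "contact_phones": [v for k, vals in r.items() if k.endswith("phone") for v in vals],
        "expires": expiry_raw,
        "days_until_expiry": (expiry - now).days if expiry else None,
    }


# Candidate conventions, each a function of (first name, last name).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}


def infer_email_convention(pairs):
    """pairs: [(full name, e-mail)] -> (best matching pattern, number of matches),
    or None when no known pattern explains any of the addresses."""
    scores = {}
    for name, email in pairs:
        words = name.lower().split()
        first, last = words[0], words[-1]
        local = email.split("@")[0].lower()
        for label, fn in PATTERNS.items():
            if fn(first, last) == local:
                scores[label] = scores.get(label, 0) + 1
    if not scores:
        return None
    best = max(scores, key=scores.get)
    return best, scores[best]


if __name__ == "__main__":
    reference_date = datetime(2021, 2, 14, tzinfo=timezone.utc)  # constructed
    for key, value in summarize(SAMPLE_WHOIS, reference_date).items():
        print(f"{key:<20} {value}")
    # constructed employee list, the kind you would assemble from the website
    staff = [("Jane Doe", "jane.doe@example.test"),
             ("John Smith", "john.smith@example.test"),
             ("Ann Lee", "alee@example.test")]
    print("naming convention:", infer_email_convention(staff))
```

Registries differ in their key names ("Expiration Date" versus "Registry Expiry Date", "Admin Email" versus "Registrant Email"); the parser keys on suffixes rather than exact labels for that reason, and a real run would feed it the output of `whois sitename.com` instead of the constructed text.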

Sunday, August 30, 2020

Takeover - SubDomain TakeOver Vulnerability Scanner


A sub-domain takeover vulnerability occurs when a sub-domain (subdomain.example.com) points to a service (e.g. GitHub, AWS/S3, ...) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that sub-domain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com. For more information: here



Installation:
# git clone https://github.com/m4ll0k/takeover.git
# cd takeover
# python takeover.py
or:
wget -q https://raw.githubusercontent.com/m4ll0k/takeover/master/takeover.py && python takeover.py
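The condition the scanner looks for can be audited from the owner's side before anyone else finds it: every CNAME in your zone that points outside the zone is a dependency on a third party, and one whose target no longer exists is exactly the dangling record described above. The following added example (not part of the takeover project) parses a BIND-style zone file, keeps the out-of-zone CNAMEs, and reports those whose target does not resolve. The zone, the names under example.test and the resolver answers are constructed; in practice `resolve` would be a real lookup.

```python
"""Find dangling out-of-zone CNAME records in a zone file."""

# Constructed BIND-style zone for a hypothetical domain.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN  SOA    ns1.example.test. hostmaster.example.test. (2020083101 3600 900 604800 300)
@        IN  NS     ns1.example.test.
www      IN  A      192.0.2.10
blog     IN  CNAME  example-pages.github.io.      ; still published
assets   IN  CNAME  example-assets.s3.amazonaws.com.  ; bucket deleted last year
intranet IN  CNAME  www
"""

# Constructed resolver view: the only names that currently answer.
KNOWN_NAMES = {
    "example-pages.github.io.": "192.0.2.20",
    "www.example.test.": "192.0.2.10",
}


def resolve(name):
    """Stand-in for a real resolver: an address, or None for NXDOMAIN."""
    return KNOWN_NAMES.get(name)


def qualify(name, origin):
    """Turn a relative owner/target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(zone_text):
    """Return (origin, [(owner FQDN, target FQDN)]) for every CNAME record."""
    origin, cnames = ".", []
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        owner, target = fields[0], fields[fields.index("CNAME") + 1]
        cnames.append((qualify(owner, origin), qualify(target, origin)))
    return origin, cnames


def audit_zone(zone_text, resolver=resolve):
    """List out-of-zone CNAMEs whose target no longer resolves."""
    origin, cnames = parse_zone(zone_text)
    findings = []
    for owner, target in cnames:
        if target == origin or target.endswith("." + origin):
            continue  # in-zone alias, not a third-party dependency
        if resolver(target) is None:
            findings.append({"owner": owner, "target": target,
                             "action": "remove or re-point this CNAME"})
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"DANGLING {f['owner']} -> {f['target']}: {f['action']}")
```

NXDOMAIN is only one of the signals: for several hosting services the provider hostname keeps resolving after the customer resource is deleted and the service answers with its own "not found" page instead, which is why scanners such as the one above also fetch the target over HTTP and compare the response with per-service fingerprints. Either way, the fix is the same and sits with the zone owner: delete the CNAME when the service is decommissioned, not afterwards.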


Iranian Hackers Pose As Journalists To Trick Victims Into Installing Malware

An Iranian cyberespionage group known for targeting government, defense technology, military, and diplomacy sectors is now impersonating journalists to approach targets via LinkedIn and WhatsApp and infect their devices with malware. Detailing the new tactics of the "Charming Kitten" APT group, Israeli firm Clearsky said, "starting July 2020, we have identified a new TTP of the group,

via The Hacker News


Exploit-Me


"Exploit-Me is a suite of Firefox web application security testing tools designed to be lightweight and easy to use. The Exploit-Me series was originally introduced at the SecTor conference in Toronto. The slides for the presentation are available for download. Along with this SecTor is making the audio of the talk available." read more...



Website: http://securitycompass.com/exploitme.shtml


Saturday, August 29, 2020

Many Ways Of Malware Persistence (That You Were Always Afraid To Ask)

TL;DR: Are you into red teaming? Need persistence? This post is not that long, read it ;)
Are you into blue teaming? Have to find those pesky backdoors? This post is not that long, read it ;)

In the previous post, I listed different ways how a Windows domain/forest can be backdoored. In this new post, I am digging a bit deeper, and list the most common/known ways malware can survive a reboot, just using local resources of the infected Windows system. The list is far from complete, and I would like to encourage everyone to comment on new methods, not yet listed here.

From an incident response point of view, one of the best strategies to find malware on a suspicious system is to search for suspicious entries that start with the system. In the good old days, you had to check for 2-3 locations to cover 99% of the infections. Nowadays, there are a thousand ways malware can start. The common ones automatically start whenever Windows starts (or the user logs in), but some tricky ones are triggered by other events.

Autoruns

My favorite choice when it comes to malware persistence is the Sysinternals tool Autoruns. In this paragraph, I mainly quote the official built-in help, but bear with me, it is still interesting.

On a side note, there are some problems with the Autoruns tool: it can only run on a live system. (EDIT: This is not true, Autoruns can analyze offline systems as well! Thanks to a comment from Justin.) And usually, this is not the case - I usually have dd images. And although VBoxManage can convert the dd images to VirtualBox disk image format, usually I don't have the time and storage to do that. This is where xmount awesomeness is here to rescue the day. It can convert dd and EnCase images on the fly, in memory, to VirtualBox format. Just attach the disk image to a new VirtualBox machine as the main boot HDD, modify the CPU/disk/controller settings until Windows starts instead of crashing, and voila, you can boot your forensic image - without modifying a single bit on the original evidence dd file. Another problem with malware analysis on a live system is that a good rootkit can fool the analyst easily.

For quick wins, I usually filter out Microsoft entries, look for per-user locations only and check for unverified (missing or invalid Authenticode) executables. This usually helps to find 90% of malware easily. Especially if it has a color like purple or pink, it is highly suspicious. To find the rest, well, one has to dig deeper.
Zeus "hiding" in the usual random directory - check the faked timestamp
To implement "poor-mans monitoring", regularly save the output of Autoruns, and during incident response, it will be highly valuable. Howto guide here.
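The two ideas above, the quick-win filter (hide verified Microsoft entries, look at per-user locations, look at unverified binaries) and the "poor man's monitoring" of saving Autoruns output regularly, can be automated over the CSV that the command-line version writes. The following added example (not the post's code and not a Sysinternals tool) loads two constructed snapshots, reports the entries that appeared since the baseline, and ranks every entry by the post's heuristics; an Image File Execution Options debugger entry, the sticky-keys trick discussed further down, is scored on its own because a verified signer says nothing about whether the hijack is legitimate. The column headers follow what `autorunsc -c` prints, so check them against your version, and open the real file with encoding="utf-16", since autorunsc writes Unicode output. Both CSV snippets, the host name and the paths are constructed.

```python
"""Diff and triage autorunsc CSV snapshots."""
import csv
import io

HEADER = ("Time,Entry Location,Entry,Enabled,Category,Profile,Description,"
          "Signer,Company,Image Path,Version,Launch String\n")

# Constructed: a snapshot of the clean machine, saved the day before.
BASELINE_CSV = HEADER + r"""20200828-0900,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
20200828-0900,HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,10.0.19041.1,C:\Windows\System32\spoolsv.exe
"""

# Constructed: today's snapshot of the same machine after an infection. The first
# new row carries a self-signed certificate whose CA is named "Microsoft Windows";
# Autoruns still marks it "(Not verified)", which is why the filter keys on the
# verification state and not on the company name.
CURRENT_CSV = BASELINE_CSV + r"""20200829-0900,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,wnupdate,enabled,Logon,DESKTOP\alice,,(Not verified) Microsoft Windows,Microsoft,c:\users\alice\appdata\roaming\fkq3x\wnupdate.exe,1.0.0.0,"C:\Users\alice\AppData\Roaming\fkq3x\wnupdate.exe"
20200829-0900,HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe,Debugger,enabled,Image Hijacks,System-wide,Windows Command Processor,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\cmd.exe,10.0.19041.1,cmd.exe
"""


def load_entries(csv_text):
    """Parse autorunsc CSV text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def entry_key(row):
    """Identity of an autostart entry across snapshots (Time is ignored)."""
    return (row["Entry Location"].lower(), row["Entry"].lower(), row["Image Path"].lower())


def new_entries(baseline_text, current_text):
    """Entries present in the current snapshot that were not in the baseline."""
    seen = {entry_key(r) for r in load_entries(baseline_text)}
    return [r for r in load_entries(current_text) if entry_key(r) not in seen]


def triage(rows):
    """Score rows with the post's quick-win heuristics; higher means look first.
    Verified Microsoft entries with nothing else against them are hidden."""
    results = []
    for r in rows:
        reasons, score = [], 0
        signer = r["Signer"].lower()
        location = r["Entry Location"].lower()
        image = r["Image Path"].lower()
        if not signer.startswith("(verified)"):
            score += 2
            reasons.append("unverified or missing Authenticode signature")
        if location.startswith("hkcu\\") or "\\users\\" in location:
            score += 1
            reasons.append("per-user autostart location")
        if "\\appdata\\" in image or "\\users\\" in image:
            score += 1
            reasons.append("image runs from a user profile directory")
        if r["Category"] == "Image Hijacks":
            score += 3
            reasons.append("Image File Execution Options debugger set")
        if signer.startswith("(verified) microsoft") and not reasons:
            continue  # the "Hide Microsoft entries" filter
        results.append({"score": score, "entry": r["Entry"],
                        "location": r["Entry Location"],
                        "image": r["Image Path"], "reasons": reasons})
    return sorted(results, key=lambda x: x["score"], reverse=True)


if __name__ == "__main__":
    print("new since baseline:")
    for r in new_entries(BASELINE_CSV, CURRENT_CSV):
        print("  ", r["Entry Location"], r["Entry"], "->", r["Image Path"])
    print("triage of current snapshot:")
    for t in triage(load_entries(CURRENT_CSV)):
        print(f"  [{t['score']}] {t['entry']} ({t['image']}): {'; '.join(t['reasons'])}")
```

Scoring is deliberately crude: it reproduces the post's manual filter so that, during an incident, the diff against yesterday's snapshot and the top of the ranked list are the first two things to read, before the remaining hundreds of verified entries.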

Logon

"This entry results in scans of standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations." 
There are 42 registry keys/folders at the moment in Autoruns which can be used to autostart malware. The most common ones are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.
One of my favorites regarding this topic is the file-less Poweliks malware, 100% pure awesomeness. Typical ring 3 code execution.

Explorer

"Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks". 71 registry keys, OMG. Usually, this is not about auto-malware execution, but some of them might be a good place to hide malware.

Internet explorer

"This entry shows Browser Helper Objects (BHO's), Internet Explorer toolbars and extensions". 13 registry keys here. If a malicious BHO is installed into your browser, you are pretty much screwed.

Scheduled tasks

"Task scheduler tasks configured to start at boot or logon." Not commonly used, but it is important to look at this.
I always thought this part of the autostart entries is quite boring, but nowadays, I think it is one of the best ways to hide your malware. There are so many entries here by default, and some of them can use quite good tricks to trigger the start.
Did you know that you can create custom events that trigger on Windows event logs?
Did you know you can create malware persistence just by using Windows tools like bitsadmin and Scheduled tasks?
Scheduler in the old days
Scheduler in the new days

Services

HKLM\System\CurrentControlSet\Services is a very common place to hide malware, especially rootkits. Check all entries with special care.

Drivers

Same as services, and a very common place for rootkits. Unfortunately, signing a driver for 64-bit systems is not fun anymore, as it has to be signed with a certificate that chains back to a "Software Publisher Certificate". Typical startup place for Ring 0 rootkits.
Starting from Windows 10, even this will change and all drivers have to be signed by "Windows Hardware Developer Center Dashboard portal" and EV certificates.

Codecs

22 registry keys. Not very common, but possible code execution.

Boot execute

"Native images (as opposed to Windows images) that run early during the boot process."
5 registry keys here. Good place to hide a rootkit here.

Image hijacks

"Image file execution options and command prompt autostarts." 13 registry keys here. I believe this was originally intended for debugging purposes.
This is where the good old sticky keys trick is hiding. It is a bit different from the others, as it provides backdoor access, but (usually) only from the local network. The trick is to execute your code whenever someone presses the SHIFT key several times at the RDP login screen, before logging in. The old way was to replace sethc.exe; the new fun is to set a debugger program on sethc.
If you see this, you are in trouble

AppInit

"This has Autoruns show DLLs registered as application initialization DLLs." Only 3 registry keys here. This is the good old way to inject a malicious DLL into Explorer, browsers, etc. Luckily, it is going to be deprecated soon.

Known DLLs

"This reports the location of DLLs that Windows loads into applications that reference them." Only 1 registry key. This might be used to hijack some system DLLs.

Winlogon

"Shows DLLs that register for Winlogon notification of logon events." 7 registry keys. Sometimes used by malware.

Winsock providers

"Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can disable them, but cannot delete them." 4 registry keys. AFAIK this was trendy a while ago. But still, a good place to hide malware.

Print monitors

"Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself." 1 registry key. Some malware writers are quite creative when it comes to hiding their persistence module.

LSA providers

"Shows registered Local Security Authority (LSA) authentication, notification and security packages." 5 registry keys. A good place to hide your password stealer.

Network providers

"Missing documentation". If you have a good 1 sentence documentation, please comment.

WMI filters

"Missing documentation". Check Mandiant for details.

Sidebar gadgets

Thank god MS disabled this a while ago :)
We all miss you, you crappy resource gobble nightmares

Common ways - not in autoruns

Now, let's see other possibilities to start your malware, which won't be listed in Sysinternals Autoruns.

Backdoor an executable/DLL

Just change the code of an executable which is either auto-starting or commonly started by the user. To avoid lame mistakes, disable the update of the file ... The backdoor factory is a good source for this task. But if you backdoor an executable/DLL which is already listed in Autoruns, you will break the digital signature on the file. It is recommended to sign your executable, and if you can't afford to steal a trusted certificate, you can still import your own CA into the user's trusted certificate store (with user privileges), and it will look like a trusted one. Protip: Use "Microsoft Windows" as the codesigner CA, and your executable will blend in.
See, rootkit.exe totally looks legit, and it is filtered out when someone filters for "Hide Windows entries".


Hijack DLL load order

Just place your DLL into a directory which is searched before the original DLL is found, and PROFIT! But again, to avoid lame detection, be sure to proxy the legitimate function calls to the original DLL. A good source on this topic from Mandiant and DLL hijack detector.


Here you can see how PlugX works in action, by dropping a legitimate Kaspersky executable, and hijacking the DLL calls with their DLL. 

Hijack a shortcut from the desktop/start menu

Never underestimate the power of lame tricks. Just create an executable which calls the original executable, and meanwhile starts your backdoor. Replace the link, PROFIT! And don't be a skiddie, check the icon ;) I have seen this trick in adware hijacking browsers a lot of times.

IE hijacked to start with http://tinyurl.com/2fcpre6

File association hijack

Choose the user's favorite file type, replace the program which handles the opening with a similar one described in the previous section, and voila!

COM object hijack

The main idea is that some COM objects are scanned for whether they are on the system or not, and when it is registered, it is automatically loaded. See COMpfun for details.

Windows Application Compatibility - SHIM

Not many people are familiar with Windows Application Compatibility and how it works. Think about it as an added layer between applications and the OS. If the application matches a certain condition (e.g. filename), certain actions will take place. E.g. emulation of directories, registry entries, DLL injection, etc. In my installation, there are 367 different compatibility fixes (type of compatibility "simulation"), and some of those can be customized.
Every time IE starts, inject a DLL into IE

Bootkits 

Although bootkits shown here can end up in Autoruns in the drivers section (as they might need a driver at the end of the day), I still think it deserves a different section.

MBR - Master boot record

Malware can overwrite the Master Boot Record, start the boot process with its own code, and then continue the boot process with the original one. It is common for rootkits to fake the content of the MBR and show the original contents. This means one has to attach the infected HDD to a clean system and compare the first 512 bytes (or more in some cases) with a known clean state, or with the contents shown from the infected OS. SecureBoot can be used to prevent malware infections like this.
There is a slight difference when MBR is viewed from infected OS vs clean OS
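The comparison described above, reading the first sector from the attached disk (or the dd image) and checking it against a known clean state, is the following added example, which is not part of the original post. It hashes the 440 bytes of boot code separately from the partition table, so that a legitimate repartitioning is not mistaken for an infection while a patched bootloader with an untouched partition table still stands out. Both sectors are constructed (the "boot code" is a few filler bytes, not a real bootloader), and the partition layout is invented.

```python
"""Parse and compare classic MBR sectors for forensic triage."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440  # boot code; then 4-byte disk signature, 2 reserved bytes,
                     # four 16-byte partition entries at 446, and 0x55AA at 510


def read_first_sector(path):
    """Read the MBR from a raw device or a dd image (for real use)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(sector):
    """Return the boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue  # unused slot
        start, count = struct.unpack("<II", entry[8:16])
        partitions.append({"bootable": entry[0] == 0x80, "type": ptype,
                           "start_lba": start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def compare_mbr(known_good, suspect):
    """List what differs between a clean reference sector and a suspect one."""
    a, b = parse_mbr(known_good), parse_mbr(suspect)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code differs")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature differs")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs")
    return findings


def build_sample_sector(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble a constructed MBR (test data, not a working bootloader)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        off = 446 + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed clean reference: filler boot code, one bootable NTFS-type partition.
CLEAN_MBR = build_sample_sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" * 4,
                                [(True, 0x07, 2048, 1_000_000)])


def patch_boot_code(sector):
    """Constructed 'infected' copy: boot code changed, partition table untouched."""
    patched = bytearray(sector)
    patched[0x20:0x28] = b"\xE9\x00\x01\x90\x90\x90\x90\x90"
    return bytes(patched)


INFECTED_MBR = patch_boot_code(CLEAN_MBR)

if __name__ == "__main__":
    print("clean vs clean:   ", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs infected:", compare_mbr(CLEAN_MBR, INFECTED_MBR))
    print("partitions:", parse_mbr(CLEAN_MBR)["partitions"])
```

For the second comparison in the text, the bytes shown from inside the infected OS versus the bytes on the attached disk, feed both sectors to `compare_mbr`: a rootkit that filters sector reads will make the two copies disagree even though the on-disk copy alone would look plausible.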

VBR - Volume boot record

This is the next logical step where malware can start its process, and some malware/rootkits prefer to hide their startup code here. Check GrayFish for details. SecureBoot can be used to prevent malware infections like this.

BIOS/UEFI malware

Both the old BIOS and the new UEFI can be modified in a way that malware starts even before the OS has had a chance to run. Although UEFI was meant to be more secure than BIOS, implementation and design errors happen. Check the Computrace anti-theft rootkit for details.

Hypervisor - Ring -1 rootkit

This is somewhat special, because I believe that although a rootkit can run in this layer, it can't persist only in this layer on an average physical machine, because it won't survive a reboot (see Rutkowska's presentation from 2006). But because the hypervisor can intercept the restart event, it can write itself into one of the other layers (e.g. install a common kernel driver), and simply delete that again once it is fully functional after the reboot. Update: There is a good paper from Igor Korkin about hypervisor detection here.

SMM (System Management Mode) malware - Ring -2 rootkit

Somewhat related to the previous type of attack, but not many people know that System Management Mode can be used to inject code into the OS. Check the DEITYBOUNCE malware for more details ;) Also, abusing Intel Dual Monitor Mode (DMM), which basically monitors SMM, can lead to untrusted code execution.

Intel® Active Management Technology - Ring -3 rootkit

According to Wikipedia, "Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them". You can ask, what could possibly go wrong? See Alexander Tereshkin's and Rafal Wojtczuk's great research on this, or Vassilios Ververis's thesis about AMT.
As not many people click on links, let me quote the scary stuff about AMT:
  • Independent of the main CPU
  • Can access host memory via DMA (with restrictions)
  • Dedicated link to NIC, and its filtering capabilities
  • Can force host OS to reboot at any time (and boot the system from the emulated CDROM)
  • Active even in S3 sleep!

Other stuff

Create new user, update existing user, hidden admins

Sometimes one does not even have to add malicious code to the system, as valid user credentials are more than enough. Either existing users can be used for this purpose, or new ones can be created. E.g. a good trick is to use the Support account with a 500 RID - see here, Metasploit tool here.

Esoteric firmware malware

Almost any component in the computer runs with firmware, and by replacing the firmware with a malicious one, it is possible to start the malware. E.g. HDD firmware (see GrayFish again), graphic card, etc.

Hidden boot device

Malware can hide in one of the boot devices which are checked before the average OS is loaded, and after the malware is loaded, it can load the victim OS.

Network-level backdoor

Think about the following scenario: every time the OS boots, it loads additional data from the network. It can check for new software updates, configuration updates, etc. Whenever such a software or configuration update is fetched in a vulnerable way, the malware injects itself into the response and gets executed. I know this level of persistence is not foolproof, but it is still possible. Think about the recently discovered GPO MiTM attack, the Evilgrade tool, or even the Xensploit tool when we are talking about VM migration.

Software vulnerability

Almost any kind of software vulnerability can be used as a persistent backdoor. Especially, if the vulnerability can be accessed remotely via the network, without any user interaction. Good old MS08-067...

Hardware malware, built into the chipset

I am not sure what to write here. Ask your local spy agency for further information. Good luck finding those!

More links

Tools I highly recommend:
For more information, check this blog post, part 1, part 2

Update 2017-04-29: A very nice list of Office persistence: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/

Update 2017-10-23: Persistence via Security Descriptors and ACLs: https://www.youtube.com/watch?v=SeR4QJbaNRg

Update 2018-07-25: Backdooring LAPS https://rastamouse.me/2018/03/laps---part-1/
https://rastamouse.me/2018/03/laps---part-2/ 

I would like to thank Gabor Pek from CrySyS Lab for reviewing and completing this post.