Executing Applications

Once you gain access to a system and obtain sufficient privileges, it's time to compromise the system and carry out the attack. Which applications are executed at this point is up to the attacker; they may be custom-built applications or off-the-shelf software.

An attacker executes different applications on a system with specific goals in mind:

Backdoors: Applications of this type are designed to compromise the system in such a way as to allow later access to take place. An attacker can use these backdoors later to attack the system. Backdoors can come in the form of rootkits, Trojans, and similar types. They can even include software in the form of remote access Trojans (RATs).
Crackers: Any software that fits into this category is characterized by the ability to crack code or obtain passwords.
Keyloggers: Keyloggers are hardware or software devices used to gain information entered via the keyboard.
Malware: This is any type of software designed to capture information, or to alter or compromise the system.

Planting a Backdoor

There are many ways to plant a backdoor on a system, but let’s look at one provided via the PsTools suite. This suite includes a mixed bag of utilities designed to ease system administration. Among these tools is PsExec, which is designed to run commands interactively or noninteractively on a remote system. Initially, the tool may seem similar to Telnet or remote desktop, but it does not require installation on the local or remote system in order to work. To work, PsExec need only be copied to a folder on the local system and run with the appropriate switches.

Let’s take a look at some of the commands you can use with PsExec:

  • The following command launches an interactive command prompt on a system named \\zelda: psexec \\zelda cmd.
  • This command executes ipconfig on the remote system with the /all switch, and displays the resulting output locally: psexec \\zelda ipconfig /all.
  • This command copies the program rootkit.exe to the remote system and executes it interactively: psexec \\zelda -c rootkit.exe.
  • This command copies the program rootkit.exe to the remote system and executes it interactively using the administrator account on the remote system: psexec \\zelda -u administrator -c rootkit.exe.

As these commands illustrate, it is possible for an attacker to run an application on a remote system quite easily. The next step is for the attacker to decide what to do or what to run on the remote system. Some of the common choices are Trojans, rootkits, and backdoors.
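The commands above leave a footprint on the remote host: PsExec copies its service binary into the Windows directory via the ADMIN$ share and registers a service (by default named PSEXESVC), and Windows records that registration in the System log as Event ID 7045 ("A service was installed in the system"). The following Python script is an added example for this chapter, not text or code from the book or from the PsTools suite. It scans a constructed set of 7045 records flattened to key=value lines (the hostnames, timestamps, field names and service names are invented) and flags PsExec-style service installations, so a defender can see what the activity described above looks like from the target's side.

```python
import re

# Constructed sample of Windows System log records (Event ID 7045 and one
# unrelated 7036), flattened to one key=value line each. These are NOT real
# captures; field names loosely follow the 7045 event's "Service Name" and
# "Service File Name" fields.
SAMPLE_EVENTS = """\
time=2024-03-01T10:02:11Z host=FILESRV01 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\\PSEXESVC.exe account=LocalSystem
time=2024-03-01T10:05:43Z host=FILESRV01 event_id=7036 service_name=Spooler state=running
time=2024-03-01T11:17:05Z host=WKS-042 event_id=7045 service_name=CrowdRpt image_path=C:\\Windows\\CrowdRpt.exe account=LocalSystem
time=2024-03-01T11:20:00Z host=WKS-042 event_id=7045 service_name=MyBackupAgent image_path="C:\\Program Files\\Backup\\agent.exe" account=LocalSystem
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# A service binary dropped directly into the Windows directory root is how a
# copy through ADMIN$ lands on disk; legitimate services normally live deeper.
WINDIR_ROOT_EXE_RE = re.compile(
    r'^(?:%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$', re.IGNORECASE
)


def parse_event(line):
    """Turn one flattened record into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify(event):
    """Return a verdict string for a suspicious 7045 event, else None."""
    if event.get("event_id") != "7045":
        return None
    name = event.get("service_name", "")
    path = event.get("image_path", "")
    # Strong signal: PsExec's default service name or service binary name.
    if name.upper() == "PSEXESVC" or path.upper().endswith("\\PSEXESVC.EXE"):
        return "high: default PsExec service (PSEXESVC) installed"
    # Weaker signal: any new service whose binary sits in the Windows
    # directory root, the location an ADMIN$ copy produces.
    if WINDIR_ROOT_EXE_RE.match(path):
        return "medium: new service binary in Windows directory root (ADMIN$-style drop)"
    return None


def scan(text):
    """Scan flattened log text; return (host, time, service_name, verdict) tuples."""
    findings = []
    for line in text.splitlines():
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append(
                (event["host"], event["time"], event["service_name"], verdict)
            )
    return findings


if __name__ == "__main__":
    for host, when, service, verdict in scan(SAMPLE_EVENTS):
        print(f"{when} {host} service={service} -> {verdict}")
```

On the sample data the script reports two hits: the PSEXESVC installation on FILESRV01 as high confidence, and the CrowdRpt service on WKS-042 as medium, while the Spooler state change and the agent installed under Program Files are ignored. The medium rule is deliberately broad and needs an allowlist of known installers in a real environment; the point of keeping it is that a rule matching only the default service name misses any copy of the same technique that uses a different name.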