Utilizing winexe to create a backdoor

Posted on February 15, 2008. Filed under: Computer Forensics

On Thursday of this week I was fortunate enough to work alongside a colleague of mine on a forensic investigation. We had retrieved an active laptop and wanted to take a live memory dump of the system. Unfortunately the screen saver was password-protected and we didn't want to compromise the data in any way. His solution was to use a program called winexe from a *nix system.

Winexe lets you connect to the IPC$ share of an active host. Now you might say "what's the point?" Take a moment and look at it from a corporate investigative standpoint. If you have a system for which you possess a local admin account (perhaps a standard one used by the company help desk), you can use it to access that IPC$ share.

Winexe opens the winexesvc control named pipe, "ahexec". After a successful connection it passes optional parameters (e.g. --runas, --system) and the command itself to the winexesvc process via that pipe.

winexesvc then creates two more pipes, ahexec_stdio%08X and ahexec_stderr%08X (where %08X is replaced by a unique number), and runs the command with its I/O redirected to those pipes.
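The three pipe names above give a defender something concrete to look for on the Windows side: endpoint telemetry that records named-pipe creation (Sysmon's pipe events, for instance) will show the `ahexec` control pipe followed by a `stdio`/`stderr` pair sharing one eight-digit hex id. The following is an added example, not code from the original post or from the winexe project, that parses a constructed, simplified pipe-event log (the `host=... event=... pipe=... image=...` format and the `winexesvc.exe` path are assumptions, not a real product's schema) and flags hosts where that pattern appears:

```python
import re
from dataclasses import dataclass

# The three pipe names described in the post. The %08X suffix is eight
# zero-padded hex digits; winexe emits them uppercase, but the pattern
# accepts either case so a lower-casing log normaliser does not hide them.
WINEXE_PIPE_RE = re.compile(
    r"^\\ahexec(?:_(?P<kind>stdio|stderr)(?P<id>[0-9A-Fa-f]{8}))?$"
)

# Constructed sample telemetry (not real Sysmon output): one pipe event per
# line as space-separated key=value pairs. ws01 shows a full winexe session,
# ws02 an unrelated pipe, ws03 a lone stdio pipe with no stderr partner.
SAMPLE_LOG = [
    r"host=ws01 event=PipeCreated pipe=\ahexec image=C:\Windows\winexesvc.exe",
    r"host=ws01 event=PipeConnected pipe=\ahexec image=C:\Windows\winexesvc.exe",
    r"host=ws01 event=PipeCreated pipe=\ahexec_stdio0000001A image=C:\Windows\winexesvc.exe",
    r"host=ws01 event=PipeCreated pipe=\ahexec_stderr0000001A image=C:\Windows\winexesvc.exe",
    r"host=ws02 event=PipeCreated pipe=\PSHost.12345 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"host=ws03 event=PipeCreated pipe=\ahexec_stdio000000FF image=C:\Windows\winexesvc.exe",
]


@dataclass
class PipeEvent:
    host: str
    event: str   # "PipeCreated" or "PipeConnected" in the constructed format
    pipe: str
    image: str


def parse_line(line: str) -> PipeEvent:
    """Parse one constructed 'key=value key=value ...' log line."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return PipeEvent(fields["host"], fields["event"], fields["pipe"], fields["image"])


def classify_pipe(pipe: str):
    """Return ('control', None), ('stdio', id), ('stderr', id), or None if
    the pipe name is not one of the winexe pipes."""
    m = WINEXE_PIPE_RE.match(pipe)
    if m is None:
        return None
    return (m.group("kind") or "control"), m.group("id")


def expected_io_pipes(command_id: int):
    """The stdio/stderr pipe names winexesvc would use for a given id,
    mirroring the %08X format the post describes."""
    return (f"\\ahexec_stdio{command_id:08X}", f"\\ahexec_stderr{command_id:08X}")


def detect(lines):
    """Group winexe pipe events per host. A command is 'complete' when both
    its stdio and stderr pipes were seen; a lone pipe is reported as partial
    so a truncated capture still raises an alert."""
    per_host = {}
    for line in lines:
        ev = parse_line(line)
        hit = classify_pipe(ev.pipe)
        if hit is None:
            continue
        kind, cmd_id = hit
        state = per_host.setdefault(ev.host, {"control": False, "io": {}})
        if kind == "control":
            state["control"] = True
        else:
            state["io"].setdefault(cmd_id, set()).add(kind)

    alerts = []
    for host, state in sorted(per_host.items()):
        full = {"stdio", "stderr"}
        complete = sorted(i for i, kinds in state["io"].items() if kinds == full)
        partial = sorted(i for i, kinds in state["io"].items() if kinds != full)
        alerts.append({"host": host, "control_pipe": state["control"],
                       "commands": complete, "partial": partial})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The detector keys on the pipe names alone, so it also catches a session whose service binary was renamed; correlating on the `image` field would be a second, independent signal rather than a replacement for the name match.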

Now we create a Netcat reverse shell and we are into the system from the Linux console, where we complete a nifty little memory dump. Voilà: active memory secured on a password-protected system.

I will have future posts on utilizing Netcat and tools and tricks for capturing the active memory.

You can find this great tool at http://eol.ovh.org/winexe/


6 Responses to “Utilizing winexe to create a backdoor”


It makes everything easy.

Winexe is a handy tool but this is nothing truly groundbreaking. Psexec \\computername cmd.exe will do the same.

Shme,

You hit it on the head: not groundbreaking, but very handy.

The groundbreaking part is that psexec doesn’t run on linux. Winexe is just a psexec port to linux.

Has anyone tried connecting to a machine on the internet with this tool? So far I can only get it to connect locally (doesn't help with remote servers). Are there ports that need to be open to use this across the internet? What protocol does it use?

Port 123424. Ultimately though, you are accessing the IPC$ share, so access across the Internet is not an option. This is more valuable for Incident Handling or Forensics.

