Using sethc as a backdoor after penetration

"To face a new beginning, a person must have a dream, a hope, something to look forward to. Without these it would not be called a new beginning; it would be called running away."
---- María Dueñas

Preface

Anyone who uses a computer for everyday office work has accidentally hit a key and had a box pop up saying that Sticky Keys is turned on, which gets in the way of what we are doing. But this small feature hides a huge loophole.

What is sethc, and how is it used?

sethc is the Sticky Keys program in Windows. It is triggered by pressing Shift five times: Windows then looks for sethc.exe under c:\windows\system32\ and runs it. If you look carefully, you will notice that cmd.exe lives in the same directory. The system finds the program to launch by the name sethc, so if we turn cmd into sethc, then every time sethc is called, cmd is "wrongly" called instead. That is the loophole. As long as the shortcut is not disabled, it can even be triggered at the logon screen, before anyone has entered the system. Because it is so inconspicuous, many people overlook it, and that is exactly what makes it harmful.
"This can be left as a backdoor. Backdoor Trojans are usually easy to find, or hard to escalate privileges with, so replacing sethc as a backdoor is a good choice."

About the permissions on sethc

Open the properties of the sethc.exe file: by default it is owned by TrustedInstaller, and neither ordinary users nor administrators have permission to edit it. TrustedInstaller is a security mechanism whose rights sit above administrator but below SYSTEM. Under Security, open Advanced and untick inheritance from the parent. The screenshot shows the change I made.

Leaving a backdoor with sethc

Old method (replacing the program)

Next I will show how to leave a backdoor in the system with sethc. First connect to the target host and change into the c:\windows\system32\ directory:

cd c:\windows\system32     

Rename the original sethc to sethc1:

move sethc.exe sethc1.exe 

Next, copy cmd and name the copy sethc:

copy cmd.exe sethc.exe 

Double-click on the target machine and press Shift five times to test: the Sticky Keys pop-up has been replaced by cmd, and it runs with administrator privileges.
Even when we do not know the account password, we can still enter the system through this loophole. As shown, before logging into the system we triggered sethc and got a cmd prompt with the highest privileges on the system.

New method (image hijacking)

The idea of the new method is to achieve the same effect by modifying the registry for image hijacking (Image File Execution Options) and enabling Remote Desktop.
Image hijacking, as the name suggests, means that when we open program A, program B is actually opened. In this case, we want to open sethc and cmd opens instead.
To set up image hijacking, add the program to be hijacked under the registry location HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and make a few simple settings. We run the following command from the command line:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Command explanation: reg add adds an entry to the registry and is followed by the registry location; note that HKLM is short for HKEY_LOCAL_MACHINE. The Image File Execution Options key is used to set up image hijacking, and the program being hijacked is the sethc Sticky Keys program named in the command. /v then specifies the value name, which is fixed as Debugger; /t specifies the type, REG_SZ (a string); and /d specifies the data, i.e. the program maliciously substituted for it, which is our cmd.
Correspondingly, to remove the image hijack, change add to delete.

Enabling Remote Desktop

Once image hijacking is set up the effect is already achieved, but to make it convenient to use we can enable Remote Desktop on the target machine by modifying the registry.
The first setting is the user authentication option for Remote Desktop connections, which has two states, "0" and "1".
0 means no user authentication is required before the Remote Desktop session: entering a user name without a password and clicking Connect goes straight to the remote machine's lock screen, so with 0 we reach the target's lock screen directly and can then invoke cmd.

1 means user authentication is required: entering a user name without a password and clicking Connect gives an authentication error.
Here we set it to "0" by running the following command:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0

The second setting is the security layer for Remote Desktop connections, which has three values: "0", "1" and "2".
0 uses the RDP protocol for authentication before connecting (RDP being Remote Desktop itself), which can be understood simply as turning verification off.
1 means the two ends negotiate the authentication method before connecting.
2 uses TLS.
Here we set it to 0 by running the following command:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0

Now we can connect via Remote Desktop and, before logging in, use the sethc loophole to enter the target system with the highest privileges.
When doing penetration testing, a host we have taken may already have been hacked by someone else who left a backdoor; try pressing Shift and see whether cmd pops up.

Defensive approach

  1. Delete sethc from system32 directly.
  2. Deny Everyone access to sethc.
  3. In Control Panel - Accessibility Options - Sticky Keys, untick the option to use the shortcut key.
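As an added defensive check (not code from the original post), the following Python runs detection over `reg query` output for the IFEO Debugger entry and the two RDP-Tcp values changed above, and it generalizes from sethc.exe to the other accessibility binaries Windows launches from the logon screen. The sample `reg query` text is constructed; on a real host, feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and of the RDP-Tcp key.

```python
import re

# Accessibility binaries launched from the logon screen; an IFEO Debugger on any of
# them is a sign of tampering (the page covers sethc.exe; the others generalize).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe"}
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

# Constructed sample `reg query` output (not captured from a real host).
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\tools\vsjitdebugger.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
    SecurityLayer    REG_DWORD    0x0
"""

def parse_reg_query(text):
    """Parse `reg query` text into {key_path: {value_name: data}}."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            result[current][m.group(1)] = m.group(3)
    return result

def find_ifeo_hijacks(text):
    """New method: (binary, debugger) pairs for accessibility binaries with a Debugger set."""
    hits = []
    for key, values in parse_reg_query(text).items():
        binary = key.rsplit("\\", 1)[-1].lower()
        if ("Image File Execution Options" in key and binary in ACCESSIBILITY_BINARIES
                and "Debugger" in values):
            hits.append((binary, values["Debugger"]))
    return hits

def rdp_weaknesses(text):
    """Flag the two RDP-Tcp values the page sets to 0 (reg query prints DWORDs in hex)."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.endswith("\\WinStations\\RDP-Tcp"):
            if values.get("UserAuthentication") == "0x0":
                findings.append("UserAuthentication=0: no authentication before the session")
            if values.get("SecurityLayer") == "0x0":
                findings.append("SecurityLayer=0: legacy RDP security layer, not TLS")
    return findings
```

The older copy-over method leaves no registry trace; for that, compare the hash or Authenticode signature of system32\sethc.exe against cmd.exe, since a swapped copy hashes identically to cmd.exe.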


Source: blog.csdn.net/whoim_i/article/details/103739738