backdoor – Phocean.net / Computer Security Blog Fri, 24 Feb 2017 21:17:51 +0000 en-US hourly 1 https://wordpress.org/?v=4.9.10 Password stealing using a password filter /2013/10/02/password-stealing-using-a-password-filter.html /2013/10/02/password-stealing-using-a-password-filter.html#comments Wed, 02 Oct 2013 09:12:31 +0000 http://www.phocean.net/?p=1736 http://www.phocean.net/?p=1736 Continue Reading]]> Nice stuff from @mubix: the technic consists in injecting a DLL to lsass.exe, using the password filter feature of Windows.

The password filter architecture is useful to check that a password is compliant with the system security policy. It will typically check that when a user changes his password, it follows the required complexity.

Microsoft opened the API so that users can extend the functionality with their own filters.

Mubix diverted this API by developing a password logger: the DLL just logs the password both on the disk and a remote server,  and does nothing else.

A perfect way to maintain a persistent access… I tested it:

Evilpassfilter exploitation process

Evilpassfilter exploitation process

  1. Evilpassfilter.dll is loaded into lsass.exe
  2. A user updates his password
  3. The password goes through the Evilpassfilter password filter, which notifies the attacker through HTTP and also logs it locally.

Here is what I did to get it work (Windows 7 x64):

  • Make sure the local password security policy is enabled on the target
  • Create a new Win32 project in Visual Studio (2012)
  • Eventually delete unnecessary files, to start with an empty project (stadfx.h and cie)
  • Import the source code
  • Create a Evilpassfilter.def file, which defines the exports: 
    LIBRARY Evilpassfilter
EXPORTS
   InitializeChangeNotify
   PasswordFilter
   PasswordChangeNotify
  • In the project properties, make sure to select the appropriate architecture, matching with the one of your target.

    Selecting the compilation target architecture (win32/x64)

    Selecting the compilation target architecture (win32/x64)

  • In the input settings of the link editor, add wininet.lib as additional dependancy.
  • Also add Evilpassfilter.def as module definition file.

    Evilpassfilter Visual Studio settings

    Evilpassfilter Visual Studio settings

  • In the source code, fix line 72: return; –> return 1;
  • Now you should be able to compile the library. You may want to make sure that the DLL is valid and integrated the exports (open it with IDA or a PE tool):

    Evilpassfilter.dll exports seen in IDA

    Evilpassfilter.dll exports seen in IDA

  • Copy the resulting DLL to the system32 folder.
  • Open regedit HKLM\System\CurrentControlSet\Control\Lsa
    and add Evilpassfilter to the Notification Packages

Reboot and… now you should know what to do next :-)

]]> /2013/10/02/password-stealing-using-a-password-filter.html/feed 18 A link between Stuxnet and the OpenBSD IPSEC backdoor rumor ? /2011/01/16/a-link-between-stuxnet-and-the-openbsd-ipsec-backdoor-rumor.html Sun, 16 Jan 2011 22:12:53 +0000 http://www.phocean.net/?p=967 http://www.phocean.net/?p=967 Found on Full Disclosure, a weired but troubling connection of two security affairs : the OpenBSD backdoor rumor and the stuxnet worm.

]]>