Windows Backdoor: System Level Access via Hot Keys


You hear it all the time in the support forums, “I lost my administrator password, what do I do?” Honestly, it makes you wonder how many times the request is really legit.

But, what if you were having a really bad day and you forgot your password. I mean the world ran out of coffee and your car radio got stuck on a country station on the way in to work. Yes, that kind of bad day. You arrive late to your office; well you did stop at every coffee place on the way in to make sure they were out, what did you expect? You rush to your desk, sit down at your keyboard to login and… nothing. It’s gone, you can’t remember it. You wrote your password on a sticky note on your monitor (of course), but wouldn’t you know, this was the day the cleaning crew actually visited your office, and threw it away. You could call IT support, but that would be you. What do you do? Better yet, how much time would you need? 

60 Seconds. This is how long it takes (minus boot times) to get a command prompt in the latest version of Windows, from the main login screen, with all of the security patches updated and an anti-virus program installed. That is, if you have physical access to the system and can reboot it. And this is not any old command prompt; this is a command prompt as the user “System”. If you know windows security, then you know that the “System” user is the highest level of authority that you can have. The operating system thinks you are the internal “system”. 

This hack requires physical access to the system and access to a DVD or USB drive. It is obtained by the manipulation of the Windows Hot-Keys “utilman.exe” file. This hack has been around (and known) since Windows XP and still works in the latest release of Windows 7. Because it is a manipulation of a windows service, it has never been patched. And actually, it is used as a solution, with instructions, on Microsoft’s Technet forum. 

After manipulation, once the hotkey is pressed, it instantly opens a command prompt window as the user “System” at the login screen. Typing “explorer.exe” in the command prompt gives you a desktop with the password prompt still visible in the background (See picture). From here, many of the features of windows are functional. In the following picture you can see the open “Start Bar” & “Internet Explorer” window, along with the login prompt in the background:


Amazingly, this works in Windows Server products as well. If someone had access to your computer and manipulated the hot-keys, they could get system level access to your server at a later date via the hot-key without rebooting your system. Therefore, it is imperative to keep physical security as a top concern in your business. Make sure that your server is in an area that is not available to public traffic and preferably in a locked room. Take extra care with your laptops. Do not leave them in areas that are unattended. 

It is always a good idea to disable services that are not needed. Also, disable booting to external devices and using boot passwords helps. Unfortunately, disabling the Windows hot-keys is not well documented. With Windows 7, Microsoft recommends a third-party program to tweak these settings. Supposedly you can also do this with a Windows policy edit, but I have not seen this documented either. I have also seen some sites recommend renaming the “utilman.exe” file to something else if not needed. But the best defense is strong physical security.

Security Issues: Compatibility, Convenience and Toys

Looking back over my 20 years of doing IT support, some of the top security issues that I have encountered have been compatibility, convenience and yes, you guessed it, toys.

Sometimes It can be hard to get employees with all their differences, likes and dislikes, to get along. Sometimes It can be downright impossible to get software to get along with the server. On more than one occasion I have seen where software wouldn’t play nice with the server unless the directory it used was given the security settings of “Everyone” and “Full Control”. Everyone means every authenticated user (It used to include even unauthenticated users!) and Full Control means, well, you get the picture.

For example, the application team of a company was trying to get a new web application installed for some executives. The data in the directory was not updating properly. The team had tried everything and the only thing that worked was allowing “everyone – full control” security rights to the directory. Of course this was against corporate policy for a web app, and the server team would not allow it. The software had to be up and running by a certain date. A mini power struggle ensued. The server team called in their people, the application team called in, well, the executives. Guess who won that battle?

Companies will run old versions of software because it is too costly, time-consuming or difficult to upgrade. These programs can be full of security issues. Especially software 10 or even 15 years old when security was not a top concern.

It seems that the more authority an employee has, the more toys they have. When dealing with top executives and company decision makers, many times you run into the magical four word phrase, “But, I want it”. This means, “I understand that this peer-to-peer software sharing service is an open door for malware and hackers, and even though we jumped through hoops to secure our system, I want it.” Of course that attitude lasts until their network is compromised, and their toy costs them.

It is amazing what I have been asked to do for executives and business owners over the years. One of the funniest by far was for a utility company CEO. He was one of the most technically competent executives that I had even met. He was an engineer before he became an executive and was probably the top engineer in the company. I had installed a new workstation for him. It was a two-day process.

Many of the utilities that he used were no longer being made and where not network aware. They were going to be replaced “someday”, but processes still relied on them. It was a minor miracle to get them to work with the newer OS. He only wanted certain data copied over from his old computer. It was checked and double checked. When I left we had verified that everything had worked at least twice, sometimes more. When I went in to work the next morning I received a call from a very angry CEO. As I was taking the call, I couldn’t fathom what I had missed or what ancient program decided to crash on his new system. Or what company process was being held up because his software wasn’t working. When I picked up the phone all I heard him say was, “WHERE ARE MY BIKINI BABE PICTURES???”

Backtrack 4: Penetration Testing with Social Engineering Toolkit

*** Update – Looking for a Backtrack 5 based tutorial? I have created an updated tutorial to cover the newer Backtrack 5 SET.

People do not understand how dangerous it is to click on unknown links in an e-mail or even on a website. Hackers will disguise their malware shell and make it look very appealing. Be it a video codex that you must install to watch a video that you really want to watch or even a webpage that tells you that you have a virus and you must install and run the latest online anti-virus scanner to remove it.

Doing either of these could place the control of your machine into a hacker’s hand. But I have Windows 7 with the latest security updates and my anti-virus is up to date. This may not make any difference at all if you allow the program to run. But it is really complicated and I need to make several bad choices in a row right? No, one wrong mouse click could be all that is needed. You don’t believe me? I was once told by a security instructor that instead of trying to convince people that their systems could be at risk, you need to show them.

Backtrack 4 has included a program that you do not hear much about in the main stream security media. But, it is a penetration testers dream. Under the penetration menu is a program called the Social Engineering Toolkit (SET). If social engineering attacks for penetration testers could be made any simpler, I do not know how.

Okay, timeout for a disclaimer: This is for security experts only, and should only be done in a testing environment (VMWare images on a PC works great) and not on a live network. Or on any machine that will be connected to a live network. Never attempt to use any security checks or tools on a network that you do not have the authorization and written permission to do so. Doing so could cost you your job and you could end up in jail. The following is for informational purposes only, if you chose to try this, you do so at your own risk.

All right, follow along, this is really technical and there are a lot of steps. Okay, I am kidding, it is a really simple, menu driven process. And remember that this is a tool for the good guys, who knows what the bad guys are using. One last note, turn off Apache or the SET won’t run.

  1. Obtain Backtrack 4, the VMWare image works great.
  2. First click on the menu button, Start the networking service. Then click on Backtrack, and then the Penetration Menu and finally Social Engineering Toolkit.
  3. This will bring up a program menu; you need to update both the Social Engineering Toolkit and the Metasploit Framework.
  4. Next, I had to reboot my machine to get it to work right after the updates.
  5. Now, click on main option 2 – Website Attack Vectors (Notice step 3 – Infections USB/CD/DVD Generator…)
  6. Next, chose Option 1, Web Templates, Let SET create a website for you. (Notice options to clone websites to match the company that you are doing the penetration test for…)
  7. Next is your choice for attack methods, the Java attack works well, chose 1 – Java Applet Attack Method
  8. Next select 1- Java Required (Notice other options…)
  9. Next select the type of payload for the attack, I like option 2 – Windows Reverse_TCP Meterpreter.
  10. Next chose the encoder to bypass anti-virus. I have never had anything detect number 2 – Shikata_Ga_Nai with 3 encryption passes (encryption passes is next option).
  11. Next chose port for the Metasploit Listener, 80 is default, I just hit enter
  12. Next option is “Do you want to create a Linux/OSX payload too?” I hit no, my target is a Windows PC.

And that is it. The SET webserver will launch, and it will start up Metasploit to listen for incoming connections. On the Victim’s PC, just surf to the attacker PC’s IP Address through a browser and you will see a generic , kinda plain test website that SET creates. It says something like the CEO is giving a presentation and you need Java installed and need to run the Java applet that pops up to view the broadcast. Then a Java certificate warning pops up, and like any user, they trustingly follow the directions. Once they click “yes” or “accept” you now have a meterpreter shell to their PC.

  1. Back on the attacking PC, it will list the session that the user opened to you.
  2. Type Sessions –L, Once and you get a screen that looks like this:

You now have access to the victims PC. Use “Sessions -i” and the Session number to connect to the session. Once connected, you can use linux commands to browse the remote pc, or running “Execute –f cmd.exe –c –H –i” will give you a remote windows command shell.

That’s it, one bad choice on the victim’s side and security updates and Anti-virus means nothing. They can even surf away or close the webpage, because once the shell has connected the web browser is no longer needed. Most attackers will then solidify their hold on the PC and merge the session into another process effectively making the shell disappear.

This is why informing your users about the dangers of clicking on unknown links in e-mails, suspicious web links, online anti-virus messages and video codec updates is critical. It can be very hazardous to your network. Also, this type of attack, like advance persistent threat attacks most likely will not be detected with IDS systems. This makes capturing and monitoring your network traffic critical. There are several ways to analyse traffic captures. The Kneber botnet (Zeus variant) was discovered by traffic analysis with Netwitness software. Try out the Investigator version, it is free and works very well.

Check out the complete How to use Metasploit Training Class videos from the Louisville Metasploit class. And also the the Backtrack 4: Social Engineering Toolkit (SET) – Introduction video by SET creator David Kennedy.