Lab N 1 2025

This document outlines a lab exercise for CIT3311 on Windows back-door exploitation and network confidentiality, emphasizing ethical training for security professionals. It includes detailed tasks for manipulating Windows system files to create backdoor access, using Wireshark for network traffic analysis, and capturing passwords via HTTP. Students are required to submit a comprehensive report with screenshots and suggested security measures against the discussed vulnerabilities by the due date of March 10, 2025.

Uploaded by

ruduwojunior
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
30 views9 pages

Lab N 1 2025

This document outlines a lab exercise for CIT3311 on Windows back-door exploitation and network confidentiality, emphasizing ethical training for security professionals. It includes detailed tasks for manipulating Windows system files to create backdoor access, using Wireshark for network traffic analysis, and capturing passwords via HTTP. Students are required to submit a comprehensive report with screenshots and suggested security measures against the discussed vulnerabilities by the due date of March 10, 2025.

Uploaded by

ruduwojunior
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

SCHOOL OF COMPUTING, TECHNOLOGY &

APPLIED SCIENCES

CIT3311-COMPUTER & NETWORK SECURITY

LAB N1: Windows Back-door Exploitation, & Network Confidentiality

Due Date: 10th March, 2025


Names:

Student Number:

Programme:

Lecturer: Prof. Zimba A.

Prof. Zimba A.
These Labs are meant to be ethical training sessions designed to equip you as security
professionals against potential security risks in various systems.
The skills and techniques taught, along with the tools used herein are intended for educational
purposes only and should never be used against any other system.

The backdoor in Windows (Access Control) | Command prompt on logon screen

The success of this mechanism depends on first having access to the Windows operating system (logged in, regardless of the method), but there is another way of gaining direct access, using a Windows installation disc or bootable flash disk. This is not cracking the password. Knowledgeable people might set this backdoor in order to access the victim's computer, either physically or via the network, in the victim's absence. It is very tempting to deliberately set such a backdoor just in case you are unable to access your own machine, but doing so may carry serious consequences.
The screenshots shown here are for Windows 7, but the steps for Windows XP are the same, and Windows XP is even more vulnerable in this regard.

Please install your victim hosts on either VMware or VirtualBox in Windows, or VirtualBox in Linux or UNIX. Never target a production computer directly.

TASK 1:
Step 1
Open your command prompt (run as administrator in Windows 7/Vista).
Type the following command:
Syntax: net user accountname *
Example: net user administrator *
and hit Enter. Set any password for that account.
Note the space between the account name and the asterisk.

Your screen should look like this.

In this way, you are changing the Administrator's password without having to know it. This means that if you were able to access cmd at the login screen, you would be able to clear or change the Administrator's password without knowing it and thus log in. Hence our current task: bring up cmd at the login screen, thereby creating a backdoor.

Step 2:
Now press the Shift key five times; a "Sticky Keys" dialog box should appear on screen.

Sticky Keys is a feature that makes it easy for users with physical disabilities to press multiple keys at a time. It is one of the features that can be used before logging in, at the logon screen, by pressing the Shift key five times.
Whenever we start an application such as Paint, we are actually calling the program mspaint.exe placed in the C:\windows\system32 directory. Similarly, when we press Shift five times or use the Sticky Keys feature, the system actually starts the executable file sethc.exe placed in the system32 directory. This means that if we rename cmd.exe to sethc.exe and press Shift five times, the system would again start sethc.exe, but instead of Sticky Keys the command prompt would open. However, you cannot simply rename it or change system32 files. Remember, system32 is a system directory.

Step 3:
To manipulate the system files, do the following:
* Go to C:\windows\system32
* Copy cmd.exe to your desktop and rename it to sethc.exe
* Now copy that file and paste it again in the system32 directory. (Remember to back up the original sethc.exe file.)

WINDOWS XP
Log out, and at the login screen press Shift five times; you should see the command prompt on screen if the files were correctly manipulated. In this way, you can now access the command prompt at the Windows logon screen and change or clear the password easily using the "net user" command. You can delete some users and even create new ones.
Note: If you can also make these changes while using the Windows Guest account, then you can change or clear the password even of the Administrator's account. This is exactly how one would "hack" into the Administrator's account through the Guest account.
WINDOWS Vista/7/11
You will have been greeted by a pop-up box saying "Access Denied".

This means that you cannot change files in the system32 directory until you have the right permissions, and you cannot have the permissions until you have ownership. To accomplish this, we need to do the following.
Step 4:
* Right-click on sethc.exe and run as administrator. Again right-click on sethc.exe and open Properties.
* Click on the Advanced tab, then on Owner, and click Edit; change the owner from "TrustedInstaller" to "Administrator" or the username under which you are currently logged in, and click Apply.

Step 5:
Then click on 'Edit' in security tab to edit permissions. Click on ‘Administrators’, give it full
control and apply changes.

Now that you have changed the permissions, replace the original sethc.exe with the new sethc.exe (the one obtained by renaming cmd.exe).

Logout and whilst at the logon screen, press the shift key five times and it should get you the
command prompt on the screen instead of sticky keys.
Write a full analysis report on the lab just covered stating the advantages and disadvantages of
the Windows pre-login features and your overall conclusion. Your report should include
screenshots.
Suggest practical security measures against this attack.

TASK 2:
Knowing exactly which keyboard key invokes cmd, it is easy to implement the same backdoor access mechanism without having to log in to the computer at all.
Step 1
Boot the computer with a Windows installation disc or bootable USB flash disk.
Step 2
Choose “Repair” instead of the “Install” option.
Step 3
Follow the steps that follow on the screen and make sure you access the command prompt whilst
in the “Repair” mode.
Step 4
Use the command prompt to manipulate the cmd.exe file until you obtain access as you did in the
previous task.
Suggest practical security measures against this attack.
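A defender's check for the manipulation described in Tasks 1 and 2, added here as an example (it is not part of the handout and not the lecturer's code): whichever way the swap is done, from a logged-in session or from the repair console, it leaves sethc.exe byte-identical to cmd.exe, so hashing both files and comparing them detects it. The script is written in Python so it runs on any host; the directory it audits in the demo is a constructed stand-in for System32 containing fake files, and the real path C:\Windows\System32 is only assumed in the usage note.

```python
"""Detect a sethc.exe that has been replaced by a copy of cmd.exe.

Added example for the lab; not the handout's own material. The demo builds a
constructed stand-in for System32 with fake files so it runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_sethc(system32: Path) -> list[str]:
    """Return findings about the Sticky Keys binary; an empty list means no sign of a swap."""
    findings = []
    cmd = system32 / "cmd.exe"
    sethc = system32 / "sethc.exe"
    if not cmd.is_file() or not sethc.is_file():
        return [f"cmd.exe or sethc.exe missing from {system32}"]

    cmd_hash = sha256_of(cmd)
    # The swap in the lab copies cmd.exe over sethc.exe, so the two files become identical.
    if sha256_of(sethc) == cmd_hash:
        findings.append("sethc.exe is byte-identical to cmd.exe (Sticky Keys backdoor)")

    # Generalisation: any other file in the directory that is a copy of cmd.exe under a new name.
    for entry in sorted(system32.iterdir()):
        if entry.is_file() and entry.name.lower() not in ("cmd.exe", "sethc.exe"):
            if sha256_of(entry) == cmd_hash:
                findings.append(f"{entry.name} is a renamed copy of cmd.exe")
    return findings


def build_sample_system32(root: Path, swapped: bool) -> Path:
    """Constructed stand-in for System32 (fake bytes, not real Windows binaries)."""
    root.mkdir(parents=True, exist_ok=True)
    cmd_bytes = b"MZ-fake-cmd-" + b"\x00" * 64
    sethc_bytes = b"MZ-fake-sethc-" + b"\x00" * 64
    (root / "cmd.exe").write_bytes(cmd_bytes)
    (root / "sethc.exe").write_bytes(cmd_bytes if swapped else sethc_bytes)
    if swapped:
        # The "backup" the handout tells you to keep, plus a stray renamed copy of cmd.exe.
        (root / "sethc.exe.bak").write_bytes(sethc_bytes)
        (root / "cmdcopy.exe").write_bytes(cmd_bytes)
    return root


def demo() -> tuple[list[str], list[str]]:
    """Audit a clean and a tampered sample directory; returns (clean_findings, swapped_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = audit_sethc(build_sample_system32(Path(tmp) / "clean", swapped=False))
        swapped = audit_sethc(build_sample_system32(Path(tmp) / "swapped", swapped=True))
    return clean, swapped


if __name__ == "__main__":
    clean_findings, swapped_findings = demo()
    print("clean:", clean_findings or "no findings")
    print("swapped:", swapped_findings)
```

On a real host you would call audit_sethc(Path(r"C:\Windows\System32")) from an elevated prompt. Because the handout's Step 4 takes ownership away from TrustedInstaller, an ownership check (for example with Get-Acl in PowerShell, where a clean system32 binary is normally owned by NT SERVICE\TrustedInstaller) is a useful second signal, as is verifying the Authenticode signature of sethc.exe.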

TASK 3:
WIRESHARK
Wireshark is a powerful protocol analyzer (and sniffer) that can be used by network
professionals to troubleshoot and analyze network traffic under great scrutiny. Since the
information revealed by Wireshark can be used to either attack or defend a network,
administrators should learn how to use it so that they are aware of what potential attackers can
see. Wireshark is a utility that will help you to look at how various protocols work.

Objectives
After completing this lab, you should be able to
• Use Wireshark to capture a communication session between two devices.
• Given a screenshot of a session captured using Wireshark, identify the three main sections of the Wireshark display.
• Use Wireshark's filter option to view desired protocols.
• Use Wireshark to capture and identify UDP traffic.
• Use Wireshark to capture and identify TCP traffic, including the three-way handshake and the packets used to determine that a TCP session has ended.

Materials and Setup
You will need the following:

• Unix/Linux or Windows OS
• Metasploitable
• Wireshark

Instructions (take screenshots to include in your work):

1. Run Wireshark and capture some packets on the network as you try to access your email
account.
2. Observe the packets/frames and take note of (for not less than four different connections):
• The type and name of the protocol being used
• Source and destination IP or MAC address
• The time and information of the packet/frame
• The source and destination port numbers

Suggest practical security measures against this attack.
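An added example for the Task 3 objectives (not from the handout and not the lecturer's code): the packet list below is a constructed capture shaped like Wireshark's No./Time/Source/Destination/Protocol/Info columns, using documentation addresses in 192.0.2.0/24. The functions count traffic by protocol, then walk each TCP conversation to identify the three-way handshake (SYN, SYN/ACK, ACK) and the packets that end the session. It goes slightly beyond the single session the lab has you capture by also recognising an abortive close with RST next to the orderly FIN exchange.

```python
"""Identify UDP traffic, TCP three-way handshakes and TCP session teardown in a
packet list shaped like Wireshark's summary columns.

Added example for the lab; the packets are constructed, not a real capture.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    no: int
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: frozenset
    info: str


def pkt(no, time, src, dst, proto, flags="", info=""):
    """Build a Packet from 'ip:port' endpoints and a 'SYN,ACK'-style flag string."""
    sip, sp = src.rsplit(":", 1)
    dip, dp = dst.rsplit(":", 1)
    return Packet(no, time, sip, int(sp), dip, int(dp), proto,
                  frozenset(f for f in flags.split(",") if f), info)


# Constructed capture: a DNS lookup over UDP, one HTTP session closed with FINs,
# and a connection attempt to port 23 answered with RST.
SAMPLE_PACKETS = [
    pkt(1, 0.000, "192.0.2.5:53412", "192.0.2.9:53", "UDP", info="Standard query A mail.example"),
    pkt(2, 0.002, "192.0.2.9:53", "192.0.2.5:53412", "UDP", info="Standard query response A"),
    pkt(3, 0.010, "192.0.2.5:49152", "192.0.2.9:80", "TCP", "SYN"),
    pkt(4, 0.011, "192.0.2.9:80", "192.0.2.5:49152", "TCP", "SYN,ACK"),
    pkt(5, 0.012, "192.0.2.5:49152", "192.0.2.9:80", "TCP", "ACK"),
    pkt(6, 0.013, "192.0.2.5:49152", "192.0.2.9:80", "TCP", "PSH,ACK", "GET / HTTP/1.1"),
    pkt(7, 0.020, "192.0.2.9:80", "192.0.2.5:49152", "TCP", "PSH,ACK", "HTTP/1.1 200 OK"),
    pkt(8, 0.030, "192.0.2.5:49152", "192.0.2.9:80", "TCP", "FIN,ACK"),
    pkt(9, 0.031, "192.0.2.9:80", "192.0.2.5:49152", "TCP", "FIN,ACK"),
    pkt(10, 0.032, "192.0.2.5:49152", "192.0.2.9:80", "TCP", "ACK"),
    pkt(11, 0.040, "192.0.2.5:49153", "192.0.2.9:23", "TCP", "SYN"),
    pkt(12, 0.041, "192.0.2.9:23", "192.0.2.5:49153", "TCP", "RST,ACK"),
]


def count_by_protocol(packets):
    """Protocol column tally, e.g. {'UDP': 2, 'TCP': 10}."""
    return dict(Counter(p.proto for p in packets))


def session_key(p):
    """Direction-independent key so both halves of a conversation land in one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def tcp_session_report(packets):
    """One summary dict per TCP conversation, ordered by its first packet number."""
    sessions = {}
    for p in sorted(packets, key=lambda q: q.no):
        if p.proto != "TCP":
            continue
        s = sessions.setdefault(session_key(p), {
            "first_packet": p.no, "client": None, "server": None,
            "handshake_packets": [], "data_packets": 0, "fins": set(), "closed_by": None})
        f = p.flags
        if "SYN" in f and "ACK" not in f and not s["handshake_packets"]:
            s["client"], s["server"] = f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"
            s["handshake_packets"] = [p.no]            # step 1: SYN from the initiator
        elif "SYN" in f and "ACK" in f and len(s["handshake_packets"]) == 1:
            s["handshake_packets"].append(p.no)        # step 2: SYN/ACK from the server
        elif "ACK" in f and "SYN" not in f and len(s["handshake_packets"]) == 2:
            s["handshake_packets"].append(p.no)        # step 3: ACK completes the handshake
        elif "RST" in f:
            s["closed_by"] = "RST"                     # abortive close, no FIN exchange
        elif "FIN" in f:
            s["fins"].add((p.src, p.sport))
            if len(s["fins"]) == 2:
                s["closed_by"] = "FIN"                 # both sides sent FIN: orderly close
        elif "PSH" in f:
            s["data_packets"] += 1                     # application data after the handshake
    report = []
    for s in sorted(sessions.values(), key=lambda s: s["first_packet"]):
        s["handshake_complete"] = len(s["handshake_packets"]) == 3
        s["fins"] = len(s["fins"])
        report.append(s)
    return report


if __name__ == "__main__":
    print(count_by_protocol(SAMPLE_PACKETS))
    for session in tcp_session_report(SAMPLE_PACKETS):
        print(session)
```

The same walk is what you do by hand with the display filter tcp.flags.syn == 1 (or tcp.flags.fin == 1) in Wireshark; the script just makes the state transitions explicit so a screenshot can be annotated with which packet is which step.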

TASK 4 (A): PASSWORD CAPTURE VIA HTTP

a) Run Metasploitable and use the ifconfig command to retrieve its IP address.
b) Open Wireshark and start capturing packets on the eth0 interface in promiscuous mode.
c) Access the web server on Metasploitable via the browser using the IP address from (a).
d) Navigate to phpMyAdmin, where you will be required to log in. Use admin as the username and your surname as the password.
e) Stop the Wireshark capture and use the http filter to view only HTTP traffic.
f) Find the login credentials in the capture in Wireshark. For this, look for a row with the item POST, right-click on the row and select Follow TCP Stream. You should be able to locate the login credentials in the pop-up window.
g) Try the same capture with other TCP-based applications such as Telnet, FTP, or SMTP and take note of the difference, if any. These TCP-based protocols can be found on Metasploitable.

TASK 4 (b): Secure http (https)

a) Start a Wireshark capture. Log in to your e-mail account or other online account that uses
https.

b) Repeat the steps in TASK 4(a). Take note of and list the kind of data that is captured. Check whether anything can be exploited.
c) Compare the data captured in TASK 4(a) and TASK 4(b).
Suggest practical security measures against this attack.
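An added example for Tasks 4(a) and 4(b) (not the handout's code): it takes the bytes of a reassembled TCP stream, the same content Follow TCP Stream shows, classifies it as cleartext HTTP or TLS, and for HTTP reports which form fields carried an account name or a secret while redacting the secret itself, which is how a defender audits a capture for exposed logins without collecting passwords. The POST request, its field names pma_username and pma_password, and the address 192.0.2.10 are constructed sample data, and the TLS stream is a constructed record header rather than a full ClientHello.

```python
"""Classify a reassembled TCP stream and flag credentials sent over cleartext HTTP.

Added example for the lab; the streams below are constructed, not captured.
"""
import re
from urllib.parse import parse_qs

# Field-name patterns that usually carry a secret or an account name (assumption).
SECRET_FIELD = re.compile(r"pass|pwd|secret|token", re.I)
ACCOUNT_FIELD = re.compile(r"user|login|email|name", re.I)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

# Constructed cleartext login, shaped like what Follow TCP Stream shows in Task 4(a).
HTTP_STREAM = (
    b"POST /phpmyadmin/index.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"pma_username=admin&pma_password=Surname1"
)

# Constructed start of a TLS stream (Task 4(b)): record type 0x16 = handshake, version 3.1.
TLS_STREAM = bytes.fromhex("160301") + b"\x00\x05" + b"\x01\x00\x00\x01\x00"


def classify_stream(data: bytes) -> str:
    """'http' for a cleartext request, 'tls' for a TLS record, else 'unknown'."""
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown"


def split_request(data: bytes):
    """Split an HTTP request into (request line, lower-cased header dict, body bytes)."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(data: bytes) -> list[dict]:
    """One finding per secret-bearing form field; secret values are never returned."""
    findings = []
    if classify_stream(data) != "http":
        return findings  # TLS or unknown payloads expose no readable fields
    request_line, headers, body = split_request(data)
    method = request_line.split(" ", 1)[0]
    if method != "POST" or not headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        return findings
    form = parse_qs(body.decode("latin-1"))
    secrets = [k for k in form if SECRET_FIELD.search(k)]
    accounts = [k for k in form if ACCOUNT_FIELD.search(k) and not SECRET_FIELD.search(k)]
    for key in secrets:
        findings.append({
            "where": "form body",
            "field": key,
            "account": form[accounts[0]][0] if accounts else None,
            "secret_length": len(form[key][0]),   # length only, the value stays redacted
        })
    return findings


def analyse_stream(data: bytes) -> dict:
    """Combine classification and credential findings for a report table."""
    return {"kind": classify_stream(data), "credentials": find_cleartext_credentials(data)}


if __name__ == "__main__":
    print("Task 4(a):", analyse_stream(HTTP_STREAM))
    print("Task 4(b):", analyse_stream(TLS_STREAM))
```

For the comparison in step (c), the point the output makes is that the HTTP stream yields the field names, the account name and the length of the secret, whereas the TLS stream yields only a record type and version; the Telnet, FTP and SMTP sessions from step (g) are line-based rather than form-based, so they need their own parsers and are not handled here.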

Prepare a standard lab report in PDF format which should be submitted in Moodle (student
portal) no later than the due date.

Your report should include screenshots taken at every necessary stage, and every screenshot taken should be followed by an explanation. Number the steps of your work properly and name your screenshots accordingly. Apart from giving a full analysis of each of the four tasks, you should suggest countermeasures for the weaknesses found in the issue tackled, or other implementations/applications of the concepts covered if "no" weaknesses are found. Your last page should constitute the overall conclusion pertaining to the work done.
Please take note of the following:

• Your lab report should start with a standard title page (a sample is provided at the end of this document). Then the Table of Contents should follow, then the Introduction (Chapter 1), then the main body where you solve Tasks 1 to 4 should be Chapter 2. After that, you should have your Conclusion (Chapter 3) (your conclusion should be about your lab tasks, NOT generally about hacking), then end your document with the references used, in IEEE format.
• Your lab report should include screenshots taken at every necessary stage, and every screenshot taken should be followed by an explanation.
Number the steps of your work properly and name your screenshots and diagrams accordingly.
Submit the work no later than the due date.

Sample Title Page

SCHOOL OF COMPUTING, TECHNOLOGY &


APPLIED SCIENCES

CIT3342-HACKING THEORY AND PRACTICE

LAB N1: Windows Back-door Exploitation, & Network Confidentiality

Due date:

Names:

Student Number:

Programme:

Lecturer: Dr. Aaron Zimba
