[RC5] Hiding the NT service client

C Lamothe clamothe at ameritech.net
Wed May 6 12:20:58 EDT 1998


----------
> From: John Vozza <john at netrom.com>
> 
> Yes, GET PERMISSION FIRST!!!
> 
> John
----------

From your e-mail I gather that you are an administrator of some type, so I
suppose I understand your view.  However,

1) If you worked in a large corp. you would know that asking the MIS dept
for permission to do anything legit is a major pain in the ass, let alone
asking permission to install something working to crack encryption.  I can
see the questions now... viruses?, trojans?, mailing "secrets"?...
2) I normally follow "official procedures" even though I am a hacker in an
Elec. Engineer's body.
3) I have learned that asking forgiveness is easier than asking permission.
4) The machines are running NT Workstation and are sitting on my/engineers'
desks - idle 90% of the time, not doing critical work.
5) I just can't resist all those Pentium II's.

So continuing on my quest I have discovered a few interesting things:

On these machines I do not have adm rights, so I can't install the NT
service client.  However, I can run regedit. (Isn't NT a wonderful OS? A
"secure" OS that will take over all UNIX machines...  now if only someone
can configure it right.)

On my home system - I found in the registry that the service client installs
the key

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bovrc5nt]

that contains the settings for the service, such as automatic/manual, path,
name, type, etc.

You can modify "DisplayName" to change the name of the client in the
services list - no need to change the name in the .exe as I originally did.

I have yet to try this, but I should be able to export a running client's
key to a REG file, copy the client, and import the REG file to the target
system.  Since I can't start the client from the services applet - restart
the machine.

Tracks will be left behind in the registry logs - in this case
\winnt\system32\config\system.log - can I remove these? If not, no big deal.

All that is left is to hide the process listing - or disguise it if this is
not possible.


A CPU is a terrible thing to waste!
--
To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest
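The post above describes registering a service by writing its key under
SYSTEM\ControlSet00N\Services (Start, Type, ImagePath, DisplayName) and
rebooting, with DisplayName edited so the entry blends into the services
list. The following is an added example, not code from the original post or
from distributed.net: a PowerShell audit for the administrator's side of that
picture. It reads the live Services key (CurrentControlSet, which Windows
aliases to the active ControlSet00N that the post calls ControlSet001),
keeps only Win32 services (Type 0x10 own-process or 0x20 shared-process,
i.e. not drivers), and flags two things: keys the Service Control Manager
has not loaded (a key written directly to the registry is invisible to the
services applet until the next boot, which is exactly why the post says to
reboot), and automatically started services whose binary lives outside the
Windows and Program Files directories. The directory heuristic and the
function name Get-ServiceBinary are this example's own choices and are not
from the post. It assumes a modern Windows host and needs no admin rights
for the read-only registry walk, though some keys may be denied and are
skipped.

```powershell
# Added example (not from the original post): audit Win32 services registered
# under the live Services key and flag registry-only registrations and
# auto-start services with binaries in unexpected places.
# Assumes modern Windows; value names (Start, Type, ImagePath, DisplayName)
# are the same ones the post lists under ControlSet001.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Everything the Service Control Manager has actually loaded. A key written
# straight into the registry will not appear here until the next boot.
$scmKnown = @{}
Get-Service | ForEach-Object { $scmKnown[$_.Name.ToLower()] = $true }

function Get-ServiceBinary {
    # Hypothetical helper name (this example's own). ImagePath may be quoted,
    # may carry arguments, and may use %SystemRoot%-style variables.
    param([string]$ImagePath)
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }       # "C:\x y\svc.exe" -k arg
    if ($expanded -match '^(.*?\.exe)') { return $Matches[1] }      # C:\x\svc.exe -k arg
    return $expanded.Split(' ')[0]                                  # bare path, no extension
}

# Directories where a service binary is normally expected.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if (-not $p) { continue }

    # Type 0x10 = own process, 0x20 = shared process; anything else is a driver
    # or a non-service key and is skipped.
    if (([int]$p.Type -band 0x30) -eq 0) { continue }

    $name = $key.PSChildName
    $bin  = if ($p.ImagePath) { Get-ServiceBinary $p.ImagePath } else { '' }
    $reasons = @()

    if (-not $scmKnown.ContainsKey($name.ToLower())) {
        $reasons += 'registry-only: SCM has not loaded it (takes effect at next boot)'
    }
    # Start 2 = automatic. An auto-start service outside Windows/Program Files
    # is worth a look; legitimate third-party software can trip this too.
    if ([int]$p.Start -eq 2 -and $bin -and -not (Test-UnderTrustedRoot $bin)) {
        $reasons += 'auto-start binary outside Windows/Program Files'
    }

    if ($reasons) {
        [pscustomobject]@{
            Service     = $name
            DisplayName = $p.DisplayName
            Start       = $p.Start
            Binary      = $bin
            Why         = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

The DisplayName column is printed next to the key name and the resolved
binary on purpose: a renamed DisplayName cannot be caught reliably by a
rule, because many legitimate services (anything hosted in svchost.exe, for
instance) have display names unrelated to their binary, so the comparison is
left to the reader. The registry-only check is the precise one for the
technique in the post; the directory check is a noisier triage aid.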