A backdoor is a hidden mechanism that provides you with access to a system through some alternative means. A backdoor can exist in many forms, but it is always meant to escape the notice of the system's typical users while still enabling unauthorized users to access that system. For example, a new, unauthorized user account can be used as part of a backdoor so that you don't rely on an active and closely monitored account to gain access.

Another example of a backdoor is a remote access tool (RAT), also known as a remote access Trojan. As the latter name implies, a RAT is primarily downloaded to a victim computer through Trojan horse malware; that is, it either comes bundled with what appears to be legitimate software, or it is itself disguised to look like legitimate software. A RAT functions much like standard remote access technology: it may offer only an interactive shell, or it may offer full GUI services. The primary difference between a RAT and something like RDP, other than the delivery mechanism, is that RATs are specifically designed to remain hidden from view on the infected system. Some examples of popular RATs include NetBus, Sub7, Back Orifice, Blackshades, and DarkComet.

While a RAT can escape human notice, the more common ones will be instantly picked up by an anti-malware scanner or intrusion detection system. Advanced RATs, however, can leverage rootkit technology to infect a system at a low level. The power of rootkits is that they can alter an operating system's kernel or a device's firmware to mask the malicious code's activity. Therefore, a rootkit-empowered RAT can more effectively evade security solutions. It's important to note that even if a RAT can evade security solutions and initially escape human notice, it can still exhibit behavior that might tip off a user, like excessive or unexplained network traffic that traverses the interface.

Note: Hardware backdoors also exist and can be substantially stealthier and provide greater levels of access, but they are not commonly used in pen testing. Most such backdoors are incorporated into hardware during the manufacturing process.

Remote Access Services

Remote access services such as Telnet, SSH, RDP, and VNC can also enable persistence. You can even leverage backdoor accounts with these services to remotely control the target system. However, remaining stealthy while using these services is especially difficult because of how well known, closely monitored, and transparent to the system they tend to be.
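Because backdoor accounts used with these services leave a visible trace in the account database, a defender can surface them by comparing that database against an approved baseline. The following is an added example, not part of the original text; the passwd-format sample data, the baseline, and the function names are all constructed for illustration.

```python
# Added example: audit a passwd-format account list against an approved baseline.
# SAMPLE_PASSWD and BASELINE are constructed data, not taken from a real system.

# Shells that do not grant an interactive login. An empty shell field is NOT
# listed here because the system falls back to /bin/sh in that case.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0::/var/tmp:/bin/sh
support:x:1001:1001::/home/support:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
"""

# Approved accounts (assumed baseline): account name -> expected login shell.
BASELINE = {
    "root": "/bin/bash",
    "daemon": "/usr/sbin/nologin",
    "sshd": "/usr/sbin/nologin",
    "alice": "/bin/bash",
    "www-data": "/usr/sbin/nologin",
}

def parse_passwd(text):
    """Yield (name, uid, shell) from passwd-format lines, skipping malformed ones."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), fields[6]

def audit_accounts(passwd_text, baseline):
    """Return sorted (account, reason) findings for accounts that deviate from baseline."""
    findings = []
    for name, uid, shell in parse_passwd(passwd_text):
        interactive = shell not in NOLOGIN_SHELLS
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 on non-root account"))
        if name not in baseline:
            if interactive:
                findings.append((name, "not in baseline, has login shell"))
        elif interactive and baseline[name] in NOLOGIN_SHELLS:
            findings.append((name, "service account gained login shell"))
    return sorted(findings)

if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_PASSWD, BASELINE):
        print(f"{account}: {reason}")
```

Any account flagged here that can also authenticate over SSH, RDP, or a similar service deserves immediate review, since it matches the backdoor-account pattern described above.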