Lab Manual -- Module 06: Trojans and Backdoors (2013/04/15)
TRANSCRIPT
Module 06: Trojans and Backdoors
Objective
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
Creating a server and testing a network for attack
Detecting Trojans and backdoors
Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.
Virtual Machines
The following virtual machines are required for completion of this lab:
1. Windows Server 2008 (10.10.10.1)
2. Windows Server 2003 (10.10.10.61)
3. NAT
Exercise I: Creating a Trojan Server Using ProRat Tool
Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, data and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
Creating a server and testing the network for attack
Detecting Trojans and backdoors
Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
1. Logon to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the lab environment.
2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd
Lab Manual -- Module 06: Trojans and Backdoors https://labondemand.com/labprofile/manual/12670
1 of 15 3/29/2013 8:42 PM
3. Extract ProRatv19.zip
Navigate to the E:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat folder.
Right-click on the ProRatv19.zip file and select the Extract Here option from the context menu.
4. Extracted File
You can see the extracted ProRat_v1.9 folder as shown in the figure below.
5. Launch ProRat
Double-click on the ProRat.exe file in the E:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat\ProRat_v1.9 folder to launch ProRat.
6. Create a Trojan Server
Now click on the Create button at the bottom of the ProRat main window, and from the context menu select the Create ProRat Server (342 Kbayt) option.
7. Create Server Wizard
The Create Server wizard will open. Click on General Settings to set the Server Port, Server Password and Victim Name; the server port is the port you will later connect to on the victim, and the password is what the client must present before the server accepts commands. Note both values, as you need them in steps 19 and 20.
Uncheck all the options above the Invisibility section as shown in the figure below.
8. Bind Server
Bind the server with a file of your choice, such as a .jpg or .txt, so that the server hides behind an innocuous-looking file. You can also change the icon to make the file look more legitimate to the victim.
Click the Bind with File button in the Create Server wizard. Check the Bind server with a file option and click the Select File button to choose a file.
9. Choosing a File
Bind the Trojan server with an image or document that you want to appear on the victim's machine when he/she opens the file you have created.
Choose any file from your desired location and click the Open button.
10. Confirm the Binding Prompt
As soon as you click Open, the prompt Server will bind with Readme.txt (the name of the file you selected) appears; click OK.
11. Server Binding Confirmation
The server is now bound with the file you selected in the previous step.
12. Select an Icon for the Trojan Server
Click on the Server Icon option and select the icon that you want the victim to see.
13. Create ProRat Server
Click on the Create Server button at the bottom of the window after choosing an icon.
Click the OK button on the confirmation pop-up.
14. Location of the Bound Server
The bound server (binded_server.exe) is created in the same directory as ProRat.
15. Switch to Windows Server 2003 Machine
Switch to the Windows Server 2003 machine from the Machines tab in the right pane of the lab environment.
16. Logon to Windows Server 2003
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd
17. Launch the Bound Server
On the Windows Server 2003 machine (10.10.10.61), navigate to Z:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat\ProRat_v1.9.
Double-click on binded_server.exe to run the Trojan server. As soon as you double-click the file, a Notepad window showing the bound text file opens while the server starts in the background.
18. Switch to Windows Server 2008
Switch back to the Windows Server 2008 machine from the Machines tab.
19. Enter the IP Address
Enter the IP address of the victim's machine (Windows Server 2003: 10.10.10.61) and the port you provided in step 7, then click the Connect button.
20. Password Prompt
ProRat prompts for a password. Enter the same password that you provided at the time of server creation.
After typing the password, click the OK button to connect to the victim's machine.
21. Connected to Victim's Machine
You are now connected to the victim's machine (Windows Server 2003) and can access it remotely.
22. Collect Victim's Computer Info
Click the PC Info button in the left pane of the ProRat window.
It shows the complete System Information, Mail Address in Registry and Last Visited Websites of the Windows Server 2003 machine.
23. KeyLogger Button
The keylogger records all the keystrokes typed on the victim's machine.
To check the keylogger feature, switch to the Windows Server 2003 machine, open Notepad and type any text.
24. Switch to Windows Server 2008
Switch back to the Windows Server 2008 machine and click on the KeyLogger button to view the keystrokes typed on the victim machine (Windows Server 2003).
25. Keylogger Window
The Keylogger window appears; click on the Read Log button to view the captured keystrokes.
Lab Analysis
In this lab you created a Trojan server using the ProRat tool.
You have now:
Created a Trojan server and tested a target machine for malware vulnerability
Collected the PC information of the target machine
Captured the keystrokes of the target machine
Exercise II: ICMP Backdoor
Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
Starting the ICMP service on Windows Server 2003 (IP address: 10.10.10.61)
Accessing the Windows Server 2003 (IP address: 10.10.10.61) machine using the ICMP client
Accessing and analysing the list of processes running on Windows Server 2003 (IP address: 10.10.10.61)
1. Logon to Windows Server 2003
Switch to the Windows Server 2003 machine from the Machines tab in the right pane of the lab environment.
2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd
3. Launch ICMP Backdoor
Navigate to the Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types directory.
Right-click on the ICMP Backdoor folder and select CMD Prompt Here to open a command prompt in the ICMP Backdoor folder.
4. View Directory and File List
To view the directories and files, type the dir command in the command prompt and press Enter.
5. Creating the ICMP Service
Type the command icmpsrv -install and press Enter to create the ICMP service.
6. Service Started Successfully
The service should have started successfully as shown in the figure below. From now on the backdoor takes its commands from data carried inside ICMP packets, which is why an ICMP backdoor has no listening TCP or UDP port of its own.
7. Logon to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the lab environment.
8. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd
9. Access the Server Running on Windows Server 2003
On Windows Server 2008 (10.10.10.1), navigate to the E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types directory.
Right-click on the ICMP Backdoor folder and select CMD Prompt Here.
10. Run the icmpsend Command
Run the command icmpsend 10.10.10.61 to access the server running on the Windows Server 2003 victim machine.
11. Help Command
Type the command h for help in the Windows Server 2008 (IP address: 10.10.10.1) command prompt.
12. Process List
To view the process list of the Windows Server 2003 (10.10.10.61) machine from the Windows Server 2008 (10.10.10.1) machine, type the pslist command and press Enter.
It lists all the processes running on Windows Server 2003 (the victim machine).
Lab Analysis
In this lab you have learnt how ICMP backdoors work, which will help you detect Trojans and backdoors.
You have now:
Started the ICMP service on Windows Server 2003 (IP address: 10.10.10.61)
Accessed the Windows Server 2003 (IP address: 10.10.10.61) machine using the ICMP client
Accessed and analysed the list of processes running on Windows Server 2003 (IP address: 10.10.10.61)
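The backdoor you just used hides its command channel inside ICMP echo traffic, so the port-based checks that catch a ProRat server or a proxy Trojan never see it; what a defender can inspect is the echo payload, which a normal ping fills with a fixed pattern. The following is an added example written for this edit, not code from the lab or from the ICMP Backdoor tool: it parses raw IPv4/ICMP packets and flags echo requests or replies whose payload is not a standard ping pattern. The packets are constructed inline (the lab hosts' addresses are reused, and the pslist exchange is an assumed shape of the backdoor's traffic, not a capture of it); the Windows and Linux ping payload patterns are the defaults of those two ping implementations.

```python
import struct
from typing import List, Optional, Tuple

# Default echo payloads of the two common ping implementations. Anything else inside an
# echo request/reply deserves a look, because an ICMP backdoor has nowhere else to put its data.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes, Windows ping.exe
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def is_linux_ping_payload(payload: bytes) -> bool:
    """iputils ping sends 56 bytes: a timestamp, then every byte equal to its own offset."""
    return len(payload) == 56 and all(payload[i] == i for i in range(16, 56))

def parse_ipv4_icmp(frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src, dst, icmp_type, payload) for a raw IPv4 packet carrying ICMP, else None."""
    if len(frame) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _chk, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(frame) < ihl + 8:
        return None
    icmp_type = frame[ihl]
    payload = frame[ihl + 8:total_len]     # ICMP header is 8 bytes: type, code, checksum, id, seq
    return (".".join(map(str, src)), ".".join(map(str, dst)), icmp_type, payload)

def classify_payload(payload: bytes) -> Optional[str]:
    """Return a reason if an echo payload looks like tunnelled data, None if it is a normal ping."""
    if payload == WINDOWS_PING_PAYLOAD or not payload or is_linux_ping_payload(payload):
        return None
    text_bytes = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if len(payload) >= 4 and text_bytes == len(payload):
        return "ASCII text in echo payload: %r" % payload[:40]
    if len(payload) > 64:
        return "oversized echo payload (%d bytes)" % len(payload)
    return "non-standard echo payload pattern"

def find_icmp_tunnels(frames: List[bytes]) -> List[Tuple[str, str, int, str]]:
    """Scan raw frames and report (src, dst, icmp_type, reason) for suspicious echo traffic."""
    alerts = []
    for frame in frames:
        parsed = parse_ipv4_icmp(frame)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            reason = classify_payload(payload)
            if reason:
                alerts.append((src, dst, icmp_type, reason))
    return alerts

def build_frame(src: str, dst: str, icmp_type: int, payload: bytes) -> bytes:
    """Assemble a raw IPv4+ICMP packet for the constructed sample (checksums left at zero)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0, 128, 1, 0, src_b, dst_b)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + payload

# Constructed traffic, not a real capture: normal Windows and Linux pings between the lab hosts,
# then a 'pslist' command and its answer carried in echo packets the way an ICMP backdoor does it.
LINUX_PING_SAMPLE = b"\x00" * 16 + bytes(range(16, 56))
SAMPLE_FRAMES = [
    build_frame("10.10.10.1", "10.10.10.61", ICMP_ECHO_REQUEST, WINDOWS_PING_PAYLOAD),
    build_frame("10.10.10.61", "10.10.10.1", ICMP_ECHO_REPLY, WINDOWS_PING_PAYLOAD),
    build_frame("10.10.10.1", "10.10.10.61", ICMP_ECHO_REQUEST, LINUX_PING_SAMPLE),
    build_frame("10.10.10.1", "10.10.10.61", ICMP_ECHO_REQUEST, b"pslist\r\n"),
    build_frame("10.10.10.61", "10.10.10.1", ICMP_ECHO_REPLY,
                b"Name            Pid\r\nSystem            4\r\nsvchost.exe     812\r\n"),
]

if __name__ == "__main__":
    for src, dst, icmp_type, reason in find_icmp_tunnels(SAMPLE_FRAMES):
        print("%s -> %s type %d: %s" % (src, dst, icmp_type, reason))
```

Feed it packets from a raw socket or a pcap reader instead of SAMPLE_FRAMES to run it on live traffic. A backdoor that encrypts its payload will only trip the size or pattern rules, so treat any non-standard echo payload between internal hosts as worth a look rather than relying on the text check alone; the host-side counterpart is that the service installed in step 5 exists at all.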
Exercise III: Wrapping a Trojan using One File EXE Maker
Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
Wrapping a Trojan with a game on Windows Server 2003 (IP address: 10.10.10.61)
Running the wrapped file to show the game in the foreground
Analysing the Trojan running in the background
1. Logon to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the lab environment.
2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd
3. Install OneFileEXEMaker
Navigate to the Z:\CEHv7 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileEXEMaker directory.
Double-click "setup.exe" and follow the wizard-driven installation steps to install OneFileEXEMaker.
When setup asks whether to install SennaSpy, click the Yes button.
4. Launch One EXE Maker 2002 2.0a
To launch One EXE Maker 2002 2.0a, navigate to Start -> All Programs -> Senna Spy Tools -> One EXE Maker 2002 2.0a.
5. Add the Game File
Click on the Add File button and browse to the Z:\CEHv7 Module 06 Trojans and Backdoors\Games\Tetris folder and select the Lazaris.exe file. Click the Open button to add the file.
6. Add the Trojan
Click on the Add File button and browse to the Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans folder and select the mcafee.exe file (the same proxy server Trojan used in Exercise IV; its name mimics a McAfee antivirus binary).
Click the Open button to add the file.
7. Command Line Parameters
Select MCAFEE.EXE and type 8080 in the Command Line Parameters field; this is the port the proxy Trojan will listen on when the wrapper starts it.
8. Normal Option for Lazaris.exe
Now select LAZARIS.EXE and choose the Normal option from the Open Mode.
Click the Save button.
9. Saving the File
The Save As window appears; rename the file to Tetris.exe and click the Save button to save the file on the Desktop.
10. Run Tetris.exe
Now double-click on the Tetris.exe file on the desktop. This launches the Lazaris game in the foreground.
11. Launch Task Manager
Right-click on the Taskbar and select Task Manager to launch Task Manager. In the Task Manager window select the Processes tab and check that the MCAFEE.EXE process is running even though you only launched a game.
Lab Analysis
In this lab you have wrapped a Trojan in a harmless game file using One File EXE Maker.
You have now:
Wrapped a Trojan with a game on Windows Server 2003 (IP address 10.10.10.61)
Run the wrapped file to show the game in the foreground
Analysed the Trojan running in the background
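Both ProRat's Bind with File (Exercise I, steps 8 to 14) and One File EXE Maker work the same way: the file the victim runs is a small stub that carries the original program and the Trojan as complete executables inside it, drops them and runs both, which is why Tetris.exe plays the game and starts MCAFEE.EXE at the same time. A static check that catches this shape of file is to count PE headers: a normal executable has one, a binder's output has one per embedded program. The code below is an added example for this edit, not part of the lab or of either tool; the "executables" it scans are constructed minimal PE images (DOS header, PE signature and COFF header only, not runnable), and only the file names in its output are the lab's.

```python
import struct
from typing import List, Tuple

MZ, PE_SIG = b"MZ", b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C

def pe_headers_in(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, machine, number_of_sections) for every plausible PE image found in data.
    A candidate is an 'MZ' whose e_lfanew (DOS header offset 0x3C) points at a 'PE\\0\\0'
    signature inside the buffer; the COFF file header follows the signature."""
    found = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data) and data[pe:pe + 4] == PE_SIG:
                machine, nsections = struct.unpack_from("<HH", data, pe + 4)
                found.append((pos, machine, nsections))
        pos = data.find(MZ, pos + 1)
    return found

def looks_wrapped(data: bytes) -> bool:
    """One PE header is a normal executable; two or more means the file is carrying payloads."""
    return len(pe_headers_in(data)) > 1

def fake_pe(machine: int, nsections: int, body: bytes) -> bytes:
    """Build a minimal, non-runnable PE image for the constructed sample: a DOS header whose
    e_lfanew is 0x80, then 'PE\\0\\0' and a 20-byte COFF file header, then arbitrary bytes."""
    dos = bytearray(0x80)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)
    # Characteristics 0x0102 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIG + coff + body

# Constructed sample, not real binaries: a small stub carrying a game and a Trojan back to back,
# which is the shape a binder's output takes, next to the game on its own.
GAME = fake_pe(IMAGE_FILE_MACHINE_I386, 3, b"Lazaris game code ...")
TROJAN = fake_pe(IMAGE_FILE_MACHINE_I386, 2, b"proxy server code ...")
STUB = fake_pe(IMAGE_FILE_MACHINE_I386, 1, b"extract-and-run stub")
WRAPPED = STUB + b"\x00" * 16 + GAME + b"\x00" * 16 + TROJAN

if __name__ == "__main__":
    for name, blob in (("Tetris.exe (wrapped)", WRAPPED), ("Lazaris.exe (original)", GAME)):
        headers = pe_headers_in(blob)
        verdict = "WRAPPED" if looks_wrapped(blob) else "clean"
        print("%-24s %d PE header(s) -> %s" % (name, len(headers), verdict))
        for offset, machine, nsections in headers:
            print("    offset 0x%06x  machine 0x%x  sections %d" % (offset, machine, nsections))
```

Run pe_headers_in over the bytes of the real Tetris.exe from step 9 to see the stub's header followed by those of Lazaris.exe and mcafee.exe. Self-extracting archives and installers also carry embedded executables, so an extra header is a reason to inspect, not a verdict; and a binder that compresses or encrypts its payloads defeats this signature check and has to be caught at run time, for example by the extra process you saw in Task Manager.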
Exercise IV: Proxy Server Trojan
Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.
Lab Objectives
The objective of this lab is to help students learn how proxy Trojans work.
The objectives of this lab include:
Starting the Mcafee proxy
Accessing the Internet using the Mcafee proxy
1. Logon to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the lab environment.
2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd
3. Launch the Proxy Server Trojan in the Command Prompt
Navigate to Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types, right-click on the Proxy Server Trojans folder and select Command Prompt Here from the context menu.
4. View Directories and Files
Type the dir command and press Enter in the command prompt to view the files and directories.
5. Run the mcafee 8080 Command
Type the command mcafee 8080 and press Enter to start the proxy Trojan listening on TCP port 8080 on Windows Server 2003 (IP address: 10.10.10.61). Leave this command prompt open; you will return to it in step 14.
6. Switch to Windows Server 2008 Machine
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.
7. Logon to Windows Server 2008
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd
8. Launch Firefox
To launch Firefox, double-click on the Firefox icon on the desktop or navigate to Start --> All Programs --> Mozilla Firefox --> Mozilla Firefox.
9. Configure Proxy Settings from Firefox Options
Go to Tools in the menu bar and select Options.
10. Advanced Options of Firefox
In the Options window, click on the Advanced option and go to the Network tab.
11. Connection Settings
In the Network tab, click on Settings to open the Connection Settings dialog.
12. Configure Proxy Settings
Select the Manual proxy configuration option.
Set the HTTP Proxy to 10.10.10.61 (the Windows Server 2003 machine's IP) and Port to 8080.
Select the options as shown in the screenshot below.
Click OK to apply the changes.
Click the OK button on the Options window.
13. Access Website
Now, in the address bar of Firefox, type http://localhost/cars and press Enter. Because Firefox is configured to use the proxy, the request goes to 10.10.10.61:8080 and the proxy Trojan fetches the page on your behalf, so the "localhost" you see is the web server on the Windows Server 2003 machine, not your own. Note that Firefox's default No Proxy for list exempts localhost and 127.0.0.1; if those entries are still present the request bypasses the proxy, so clear them when matching the screenshot.
14. Switch Back to Windows Server 2003
Now switch back to the Windows Server 2003 (10.10.10.61) machine and check the command prompt in which you launched the Proxy Server Trojan for evidence of the relayed request.
Lab Analysis
In this lab you learnt how a proxy Trojan works.
You have now:
Started the Mcafee proxy
Accessed the Internet (here a local site) using the Mcafee proxy
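The ProRat server from Exercise I and the proxy Trojan you just ran both have to hold a listening TCP port on the victim (the port chosen in Exercise I step 7, and 8080 here). On Windows, netstat -ano shows every listener with its owning process id and tasklist /FO CSV /NH maps process ids to image names, so correlating the two against a baseline is the basic host check for this class of backdoor. The example below is added for this edit and is not from the lab or from either tool: it parses the output of those two commands and reports every listener that is not on a baseline of expected port/process pairs. The command output is constructed to match the real commands' format; port 5110 is an assumed value for the ProRat server port, the baseline is a constructed one for the lab's Windows Server 2003 host, and the process ids and memory figures are invented.

```python
import csv
import io
from typing import Dict, List, Tuple

# Listeners expected on the lab's Windows Server 2003 host as (port, image name). This baseline
# is constructed for the example; on a real host it comes from a known-clean snapshot of the
# same two commands, not from memory.
EXPECTED_LISTENERS = {
    (80, "System"),        # IIS 6: http.sys listens from kernel mode, shown under PID 4
    (135, "svchost.exe"),  # RPC endpoint mapper
    (139, "System"),       # NetBIOS session service
    (445, "System"),       # SMB
}

def parse_netstat_ano(text: str) -> List[Tuple[int, int]]:
    """Parse `netstat -ano` output into (local_port, pid) for TCP sockets in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])     # rsplit copes with [::]:80 as well
            listeners.append((port, int(parts[4])))
    return listeners

def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Parse `tasklist /FO CSV /NH` output into {pid: image name}."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}

def unexpected_listeners(netstat_text: str, tasklist_text: str,
                         expected=EXPECTED_LISTENERS) -> List[Tuple[int, int, str]]:
    """Return (port, pid, image) for every listening TCP port not on the baseline."""
    image_of = parse_tasklist_csv(tasklist_text)
    findings = []
    for port, pid in parse_netstat_ano(netstat_text):
        image = image_of.get(pid, "<no such pid>")
        if (port, image) not in expected:
            findings.append((port, pid, image))
    return findings

# Constructed command output in the format of the two Windows commands. Port 5110 is an assumed
# value for the ProRat server port chosen in Exercise I step 7; 8080 is the proxy Trojan's port
# from Exercise IV. PIDs and memory figures are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1612
  TCP    10.10.10.61:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.61:5110       10.10.10.1:1087        ESTABLISHED     1532
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """\
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","688","Console","0","4,560 K"
"binded_server.exe","1532","Console","0","3,120 K"
"mcafee.exe","1612","Console","0","1,804 K"
"""

if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("unexpected listener: TCP %d  pid %d  %s" % (port, pid, image))
```

On the Windows Server 2003 machine, redirect netstat -ano and tasklist /FO CSV /NH to files and pass their contents to unexpected_listeners. The check keys on port and image name together because a name alone proves nothing: the lab's proxy Trojan is called mcafee.exe precisely so that it survives a glance at Task Manager. It also only sees what the operating system re­ports: a backdoor with a kernel-mode component can hide its socket from netstat, and the ICMP backdoor in Exercise II has no listening port at all.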
Exercise V: HTTP Trojan
Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.
Lab Objectives
The objective of this lab is to help students learn how HTTP Trojans work.
The objectives of the lab include:
Running the HTTP Trojan on Windows Server 2003 (IP address: 10.10.10.61)
Accessing the Windows Server 2003 (IP address: 10.10.10.61) machine's process list through the HTTP RAT's web interface
Killing a running process on the Windows Server 2003 (IP address: 10.10.10.61) machine
1. Logon to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.
2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd
3. Launch HTTP RAT
Navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
Double-click on the httprat.exe file to launch the HTTP RAT builder.
4. Uncheck the Send Notification Option
Uncheck the Send Notification with IP address to mail option in the main window of HTTP RAT.
5. Create Server
Click the Create button to create the httpserver.exe file. Click OK on the done! pop-up.
6. Note the Location of httpserver.exe
The httpserver.exe file is created in the folder E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
7. Switch to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the window.
8. Logon to Windows Server 2003
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd
9. Launch Services
To launch Services, navigate to Start -> Administrative Tools -> Services.
10. Disable/Stop World Wide Web Publishing
Disable and stop the World Wide Web Publishing Service so that TCP port 80, which IIS holds, is free for httpserver.exe: right-click on World Wide Web Publishing Service --> Properties.
11. WWW Publishing Service Properties
In the World Wide Web Publishing Service Properties dialog select Disabled from the Startup type dropdown list and click on the Stop button to stop the service.
Click Apply and then OK to apply the settings.
12. WWW Publishing Service
You can now see in the Services window that the World Wide Web Publishing Service has been disabled.
13. Run httpserver.exe
Navigate to the folder Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
Double-click on the httpserver.exe file and then click the Run button on the Open File - Security Warning dialog to run httpserver.exe.
14. Launch Task Manager
Launch Task Manager and check in the Processes tab that httpserver.exe is running.
15. Switch back to Windows Server 2008
Switch back to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.
16. Launch Firefox
To launch Firefox, double-click the Mozilla Firefox icon on the Desktop or navigate to Start -> All Programs -> Mozilla Firefox -> Mozilla Firefox. If Firefox still has the manual proxy from Exercise IV configured, set the connection settings back to No proxy so the browser connects directly.
17. Access Windows Server 2003
In the address bar of the browser, type http://10.10.10.61 (the IP address of the Windows Server 2003 machine) and press Enter. The page you get is served by httpserver.exe on port 80, not by IIS.
18. Running Processes
Click on running processes to list the processes running on the Windows Server 2003 (IP address: 10.10.10.61) machine.
19. Computer Info
Click on computer info to see the Windows Server 2003 (IP address: 10.10.10.61) machine information.
Lab Analysis
In this lab you learnt how HTTP Trojans work.
You have now:
Run the HTTP Trojan on Windows Server 2003 (IP address: 10.10.10.61)
Accessed the Windows Server 2003 (IP address: 10.10.10.61) machine's process list through the HTTP RAT's web interface
Killed a running process on the Windows Server 2003 (IP address: 10.10.10.61) machine
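The HTTP RAT needs TCP port 80, which is why steps 10 to 12 had you disable and stop the World Wide Web Publishing Service before running httpserver.exe. That change leaves a trail: the Service Control Manager writes event 7040 to the System log when a service's start type changes and 7036 when it enters the stopped state, with the service's display name in the message text. The following is an added example for this edit, not code from the lab or from HTTP RAT: it parses those messages and alerts when a service on a protected list is both set to disabled and stopped within a short window. The event records are constructed (the timestamps and the second protected service are assumptions); the message wording is the Service Control Manager's own.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Services whose stop or disable should never happen unannounced on this host. Constructed for
# the lab's Windows Server 2003 machine; the second entry is the firewall's display name there.
PROTECTED_SERVICES = {
    "World Wide Web Publishing Service",
    "Windows Firewall/Internet Connection Sharing (ICS)",
}

# Message formats written by the Service Control Manager (event source) to the System log.
STOPPED_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")        # id 7036
START_TYPE_RE = re.compile(r"^The start type of the (?P<svc>.+?) service was changed "
                           r"from (?P<old>.+?) to (?P<new>.+?)\.$")                        # id 7040

def parse_scm_event(event_id: int, message: str) -> Optional[Tuple[str, str]]:
    """Map one SCM record to (service display name, change) or None if it is not a stop/disable."""
    if event_id == 7036:
        m = STOPPED_RE.match(message)
        return (m.group("svc"), "stopped") if m else None
    if event_id == 7040:
        m = START_TYPE_RE.match(message)
        return (m.group("svc"), "start type %s -> %s" % (m.group("old"), m.group("new"))) if m else None
    return None

def find_disabled_protected_services(events: Iterable[Tuple[datetime, str, int, str]],
                                     window: timedelta = timedelta(minutes=10)):
    """events: (timestamp, source, event id, message) records from the System log.
    Returns (service, time disabled, list of changes) for each protected service that was set to
    disabled and stopped within `window` of each other."""
    changes: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts, source, event_id, message in events:
        if source != "Service Control Manager":
            continue
        parsed = parse_scm_event(event_id, message)
        if parsed and parsed[0] in PROTECTED_SERVICES:
            changes.setdefault(parsed[0], []).append((ts, parsed[1]))
    alerts = []
    for svc, items in changes.items():
        items.sort()
        disabled_at = [ts for ts, what in items if what.endswith("-> disabled")]
        stopped_at = [ts for ts, what in items if what == "stopped"]
        for d in disabled_at:
            if any(abs(s - d) <= window for s in stopped_at):
                alerts.append((svc, d, [what for _, what in items]))
                break
    return alerts

# Constructed System-log extract (timestamps invented) with the records that steps 10 to 12
# produce when the web service is set to Disabled and stopped from the Services console.
SAMPLE_EVENTS = [
    (datetime(2013, 3, 29, 20, 30, 5), "Service Control Manager", 7036,
     "The Print Spooler service entered the running state."),
    (datetime(2013, 3, 29, 20, 41, 12), "Service Control Manager", 7040,
     "The start type of the World Wide Web Publishing Service service was changed from auto start to disabled."),
    (datetime(2013, 3, 29, 20, 41, 13), "Service Control Manager", 7035,
     "The World Wide Web Publishing Service service was successfully sent a stop control."),
    (datetime(2013, 3, 29, 20, 41, 14), "Service Control Manager", 7036,
     "The World Wide Web Publishing Service service entered the stopped state."),
    (datetime(2013, 3, 29, 20, 55, 0), "Service Control Manager", 7036,
     "The Task Scheduler service entered the stopped state."),
]

if __name__ == "__main__":
    for svc, when, history in find_disabled_protected_services(SAMPLE_EVENTS):
        print("%s  %s: %s" % (when.strftime("%Y-%m-%d %H:%M:%S"), svc, ", ".join(history)))
```

Export the System log from Event Viewer (or with wevtutil on Windows Server 2008) and map each record to the (time, source, id, message) tuple the function expects. Event 7035, the "stop control sent" record in the sample, is left unparsed on purpose: it fires for every orderly stop, whereas 7040 to disabled plus 7036 is a combination an administrator rarely applies to the web server by accident. The other half of this detection is that a process other than the System process now owns port 80, which netstat -ano on the 2003 machine shows directly.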
Exercise VI: Remote Access Trojans Using Atelier Web Remote Commander
Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.
Lab Objectives
The objective of this lab is to help students learn how Remote Access Trojans work.
The objectives of this lab include:
Gaining access to a remote computer
Acquiring sensitive information from the remote computer
1. Switch to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the window.
2. Logon to Windows Server 2003
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd
3. Create a User
To create a user, navigate to Start -> Administrative Tools -> Computer Management.
4. Local Users and Groups
In Computer Management, expand Local Users and Groups and select Users.
5. Create User
Right-click in the Users list pane on the right side of the window and select the New User option.
6. New User
In the New User dialog enter ceh as both the User name and the Password, select Password never expires and click the Create button to create the new user account.
7. New User Created
Check the Computer Management window for the newly created user.
8. Assign Administrator Privilege to the ceh User - 1
Right-click on the ceh user and select Properties from the context menu.
9. Assign Administrator Privilege to the ceh User - 2
In the ceh Properties dialog select the Member Of tab and click the Add button to make this account a member of the Administrators group.
10. Assign Administrator Privilege to the ceh User - 3
In the Select Groups dialog type Administrators in the Enter the object names to select field and click the OK button.
11. Assign Administrator Privilege to the ceh User - 4
Click Apply and then OK to apply the settings to the user account. This local administrator account with a trivial, non-expiring password is the credential Atelier Web Remote Commander will use in step 16; on a real network it would itself be the backdoor.
12. Switch to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.
13. Logon to Windows Server 2008
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and
press Enter.
User Name: Administrator
Password: Pa$$w0rd
14. Install Atelier Web Remote Commander
To install Atelier Web Remote Commander, navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander.
Double-click setup.exe and follow the wizard-driven installation steps to install Atelier Web Remote Commander.
15. Launch Atelier Web Remote Commander
To launch Atelier Web Remote Commander, navigate to Start -> All Programs -> Atelier Web -> AW Remote Commander 7.51 -> Atelier Web Remote Commander.
16. Accessing Remotely
Enter the IP address of Windows Server 2003 (10.10.10.61) in the Remote Host field and ceh as both the Username and the Password. Click the Connect button. Note that nothing was installed on the Windows Server 2003 machine beforehand; the tool gains access purely with the administrator credential created in steps 6 to 11.
17. Windows Server 2003 Machine in AW Remote Commander
You can now view the Windows Server 2003 machine (10.10.10.61) in Atelier Web Remote Commander.
18. Sys Info Tab
Click on the Sys Info tab to view system information of the Windows Server 2003 machine.
19. NetworkInfo Tab
Go to the NetworkInfo tab to see the shared folder information.
20. File System Tab
Go to the File System tab, select C:\ from the dropdown and click the Get button to list the directories on the C: drive of the Windows Server 2003 machine.
21. Users and Groups
Go to the Users and Groups tab, select Users to view the list of users, and click Groups to view the groups on the Windows Server 2003 machine.
22. Groups Tab
The Groups tab displays the complete group details of Windows Server 2003.
Lab Analysis
In this lab you learnt how to access a remote machine using Atelier Web Remote Commander.
You have now:
Gained access to a remote computer
Acquired sensitive information from a remote computer
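Nothing was planted on the Windows Server 2003 machine in this exercise; Atelier Web Remote Commander got in because steps 6 to 11 created a local administrator named ceh with the password ceh that never expires, which is exactly what a real intruder leaves behind as a backdoor. Account management auditing records that sequence: on Windows Server 2003 event 624 (user account created) followed by 636 (member added to a security-enabled local group), on Windows Server 2008 the same pair as 4720 and 4732. The code below is an added example for this edit, not part of the lab or of the tool: it correlates account creation and privileged-group membership per account and reports accounts that were created and elevated within a short window. The event records are constructed (the svc_backup account is invented as a negative case) and assume the Audit account management policy is logging successes.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Security-log event ids for the two host generations in this lab: Windows Server 2003 uses
# the pre-Vista ids, Windows Server 2008 the 4xxx ids.
ACCOUNT_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Desktop Users"}

def find_new_privileged_accounts(events: Iterable[Dict],
                                 window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """events: records with keys time, id, subject (the account that performed the action),
    target (the account created, or the member added) and group (for membership events).
    Returns one finding per account that was created and then added to a privileged local
    group within `window` of its creation."""
    created: Dict[str, Dict] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in ACCOUNT_CREATED:
            created[ev["target"].lower()] = ev
        elif ev["id"] in LOCAL_GROUP_MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            origin = created.get(ev["target"].lower())
            if origin is not None and ev["time"] - origin["time"] <= window:
                findings.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": origin["subject"],
                    "created_at": origin["time"],
                    "elevated_at": ev["time"],
                })
    return findings

# Constructed Security-log extract for the lab's Windows Server 2003 host (times invented):
# Administrator creates 'ceh' (624) and adds it to Administrators (636) as in steps 6 to 11.
# 'svc_backup' is an invented account that is created but only ever added to Users.
SAMPLE_SECURITY_EVENTS = [
    {"time": datetime(2013, 3, 29, 21, 2, 10), "id": 624, "subject": "Administrator", "target": "ceh"},
    {"time": datetime(2013, 3, 29, 21, 3, 45), "id": 636, "subject": "Administrator", "target": "ceh",
     "group": "Administrators"},
    {"time": datetime(2013, 3, 29, 21, 10, 0), "id": 624, "subject": "Administrator", "target": "svc_backup"},
    {"time": datetime(2013, 3, 29, 21, 12, 0), "id": 636, "subject": "Administrator", "target": "svc_backup",
     "group": "Users"},
]

if __name__ == "__main__":
    for f in find_new_privileged_accounts(SAMPLE_SECURITY_EVENTS):
        print("%s created by %s at %s, added to %s at %s" % (
            f["account"], f["created_by"], f["created_at"].strftime("%H:%M:%S"),
            f["group"], f["elevated_at"].strftime("%H:%M:%S")))
```

Once this rule fires, the record to pivot to is the network logon for ceh from 10.10.10.1 that Remote Commander's connection in step 16 produces (event 540 on Windows Server 2003, 4624 with logon type 3 on 2008); and the Password never expires flag set in step 6 is visible at any time with net user ceh on the 2003 machine.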