SECUGENIUS SECURITY SOLUTIONS
(A UNIT OF HARKSH TECHNOLOGIES PVT. LTD)
Company Profile: Secugenius Security Solutions is a student entrepreneurial company started by two social student entrepreneurs in 2010 with the aim of making our country cyber-crime free. We at SECUGENIUS are headquartered at Ludhiana, the Manchester of Punjab. The main activities of Secugenius Security Solutions are providing training in Information Security and various professional courses. Secugenius Security Solutions is an organization which believes in inventing and implementing new ideas to influence the technological minds of the youngsters. Looking at the number of cyber crimes over the last many years, we at Secugenius Security Solutions provide training on Ethical Hacking & Cyber Security to students, IT professionals, bank employees and police officials. Secugenius conducts workshops in all parts of the country in various colleges/institutions for the benefit of the students, making them aware of the latest trends in the technological era of the computer age. We believe in spreading knowledge to all the youngsters & growing minds of the nation so that they can serve the nation with perfect skill-sets in the field of Cyber Crime Investigation & Forensic Sciences.

Secugenius provides various security solutions to its clients by securing their websites from cyber attacks. We provide training to college students, graduates and professionals in various fields. Education is delivered to students through two modes, i.e. regular mode and distance mode, which are available as short-term and long-term courses. In the workshops conducted by Secugenius, participants are trained by highly experienced & skilled corporate trainers from different parts of the nation. We believe in making the base of students as strong as possible. All the modules have been designed to provide students with specialized knowledge from specialized trainers.

This library was furnished, managed and funded by the Founders and Directors of Secugenius, Er. Harpreet Khattar & Er. Kshitij Adhlakha. The overall resource person for the content of the series of this Digital Library is Er. Chetan Soni, Sr. Security Specialist, Secugenius Security Solutions.
This Online Digital Library has been initiated as a free & permanent resource, on a specialization basis, for every student of Team Secugenius.
RAT - Remote Administration Tool with Port Forwarding – Advanced
Product ID No: SG/ODL/13039
Founder & Director: Harpreet Khattar & Kshitij Adhlakha
Resource Person: Chetan Soni & Kailash D Agarwal
Secugenius Security Solutions, SCO-13A, Model Town Extn, Near Krishna Mandir, Ludhiana-141002, Punjab – India
[email protected],
[email protected] www.secugenius.com , www.seculabs.in
RAT – Remote Administration Tool

A remote access tool (a RAT) is a piece of software that allows a remote "operator" to control a system as if they had physical access to it. While desktop sharing and remote administration have many legal uses, "RAT" software is usually associated with criminal or malicious activity. Malicious RAT software is typically installed without the victim's knowledge, often as the payload of a Trojan horse, and will try to hide its operation from the victim and from security software.
Its primary function is for one computer operator to gain access to remote PCs. One computer will run the "client" software application, while the other computer(s) operate as the "host(s)". The RAT Trojans can generally do the following:
- Block mouse and keyboard
- Change your desktop wallpaper
- Download, upload, delete, and rename files
- Drop viruses and worms
- Edit Registry
- Use your internet to perform distributed denial of service attacks (DDoS)
- Format drives
- Grab passwords, credit card numbers
- Hijack homepage
- Hide desktop icons, taskbar and files
- Log keystrokes (keystroke capture software)
- Open CD-ROM tray
- Print text
- Play sounds
- Control mouse or keyboard
- Record sound with a connected microphone
- Record video with a connected webcam
- Shutdown, restart, log-off, shut down monitor
- Steal passwords
- View screen
- View, kill, and start tasks in task manager

A well-designed RAT will allow the operator to do anything that they could do with physical access to the machine.
The different types of RAT software are:

- DarkComet RAT
- Blackshades RAT
- Xtreme RAT
- Cybergate RAT
- Sub Seven
- Pain RAT
- JRAT
- Net Devil
- Apocalypse RAT
- Shark RAT
- Back Orifice
- Bandook RAT
- Bifrost
- LANfiltrator
- Optix Pro
- ProRat
Step 1 – Setting Up Your DNS

Questions to ponder: slaves or victims stay connected as long as we are online, but what happens if we go offline, accidentally or on purpose? Will they connect to us again when we are online again? The answer to all this is that the victims we have caught will disappear if the connection between them and us is disturbed or terminated even once. So, in order to keep the connection between them and us alive, we use a domain service which acts as a temporary host in our place: when we are offline it takes our place and keeps the connection alive, and when we are back it gives the session back to us. For all this you need to register on an active domain/website, so you will need a DNS name that the slaves can use to connect back to you. You will need to go to No-ip.com, a free domain-registration website that allows us to register a domain and link it to our account. After you go to No-IP you will need to register an account; after you do this you should be able to log in.
After you see this page, click on "Add a Host".
This is going to be your host name; it can be any name, and there are some sample host names given that you have to choose from. For the hostname input any name you want, e.g. chetanhacker.zapto.org. Then scroll down and click on "Update Host".
Congrats, you now have a DNS name for your RAT!
Now that we have created a domain, we need some intermediate connectivity with it, so we use special software which acts as an interface between our machine and the registered domain. In this case we are going to use the software named DUC Client.
This client is available free on the same website; just go to the Download options and download the software.
Now install this DUC (Dynamic Update Client) tool and log in with your No-IP details. The details will be the same ones you filled in at domain-registration time.
After logging in successfully, click on Select Hosts and select all your hosts.
After selecting your hosts, click on the Refresh Now button.
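From the defender's side, the dynamic-DNS hostname created above is what a RAT resolves to reach its operator, so DNS query logs are a natural place to spot such lookups. The following Python script is an added example, not part of the original tutorial: it parses a constructed log in a simple "timestamp client queried-name" format and flags names under dynamic-DNS zones (zapto.org from the walkthrough, plus a few common free No-IP zones assumed here).

```python
"""Flag lookups of dynamic-DNS hostnames in a DNS query log. Added defender example."""
import re
from collections import defaultdict

# Dynamic-DNS parent zones to watch. zapto.org is the one used in the walkthrough;
# the rest are an assumption about common free No-IP zones. Curate your own list.
DDNS_SUFFIXES = ("zapto.org", "hopto.org", "no-ip.org", "no-ip.biz", "ddns.net")

# Constructed sample log ("timestamp client queried-name"), not real data.
SAMPLE_LOG = """\
2024-01-10T09:12:01 10.0.0.15 www.example.com
2024-01-10T09:12:07 10.0.0.15 chetanhacker.zapto.org
2024-01-10T09:13:44 10.0.0.21 updates.example.org
2024-01-10T09:14:02 10.0.0.15 chetanhacker.zapto.org.
2024-01-10T09:15:30 10.0.0.33 lab-host.hopto.org
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def is_ddns(hostname):
    """True if hostname is, or sits under, one of the watched zones (case-insensitive)."""
    host = hostname.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    return any(host == z or host.endswith("." + z) for z in DDNS_SUFFIXES)

def find_ddns_queries(log_text):
    """Return {client_ip: {hostname: count}} for every dynamic-DNS lookup seen."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = m.groups()
        if is_ddns(qname):
            hits[client][qname.lower().rstrip(".")] += 1
    return {c: dict(h) for c, h in hits.items()}

if __name__ == "__main__":
    for client, hosts in find_ddns_queries(SAMPLE_LOG).items():
        for host, n in hosts.items():
            print(f"{client} looked up {host} {n} time(s)")
```

A repeated lookup of one dynamic-DNS name from a single client is the pattern worth pivoting on, since the beacon re-resolves the name whenever the operator's address changes.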
Step 2 – Port Forwarding

Port forwarding is the process that your router or firewall uses to direct the right kind of network data to the right port. Computers and routers use ports as a way to organize network data. Different types of data, such as web sites, file downloads, and online games, are each assigned a port number. Basically, port forwarding is the process of assigning a dedicated logical port to our newly made virus. By using port forwarding, the router or firewall sends the correct data to the correct place.

How do routers, modems, firewalls, and ports relate to one another?

Router users: Your Computer -> Software -> Personal firewall -> Router -> Router firewall -> Modem -> Modem firewall -> Internet
Modem users: Your Computer -> Software -> Personal firewall -> Modem -> Modem firewall -> Internet
or: Your Computer -> Software -> Personal firewall -> Modem -> Internet
PORT FORWARDING WAY 1: To open or forward the port, you need to go to the router settings page. First of all you need to know your IP address; it may or may not be asked for by the router. To check your IP, open your command prompt (cmd) through the Run dialog and type "ipconfig".
Note down your IPv4 address and default gateway, and open your default gateway address in your browser by typing a link such as http://192.168.1.1/. On the router settings page, follow these steps to locate the appropriate settings section. Generally the port field is found under NAT settings, Virtual Servers, or Firewall settings.
The entries made should be for both the TCP and UDP protocols; make sure the settings are saved before exiting.
WAY 2: Go to your system Control Panel, open Windows Firewall, and on the right-hand side click Advanced settings.
Now on the right-hand side click Inbound Rules, and then on the left-hand side click New Rule.
Now you should see a window like this; click and select Port. After this we are going to select the type of protocol on which this port will work and assign a port number to it. Remember that we have to choose both types of protocol, TCP and UDP, because the connection can work on either or both of these protocols. After that simply click on Next and follow the screenshots.
For the next steps follow the screenshots; all you need to do now is click on Next and wait.
Now provide a name for your new rule; this can be any name, it is just an entry with a name to look up in future.
After successfully adding the entries for the ports and their protocols in the Windows Firewall settings, click on Finish; after that you will see the newly added settings in the inbound active rules column.
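The inbound rule created in Way 2 (a specific port allowed for any program, usually once for TCP and once for UDP) is exactly what a defender should be able to find again on a host. The following Python script is an added example, not from the original tutorial: it parses a constructed text dump in the style of "netsh advfirewall firewall show rule name=all verbose" (the rule name and port 54321 are placeholders) and reports enabled inbound Allow rules that open a specific port to any program, grouping the TCP and UDP rules on the same port.

```python
"""Audit a Windows Firewall rule dump for inbound Allow rules open to any program."""
import re

# Constructed sample mimicking "netsh advfirewall firewall show rule name=all verbose"
# output; the rule name and port 54321 are placeholders, not values from the page.
SAMPLE_RULES = """\
Rule Name:                            myrule (constructed)
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            54321
Program:                              Any
Action:                               Allow

Rule Name:                            myrule (constructed)
Enabled:                              Yes
Direction:                            In
Protocol:                             UDP
LocalPort:                            54321
Program:                              Any
Action:                               Allow
"""

KV_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_rules(text):
    """Turn the 'key: value' dump into one dict per 'Rule Name:' block."""
    rules, current = [], None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue  # separator lines ("-----") and blanks carry no fields
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules

def open_port_rules(rules):
    """Map local port -> protocols for enabled inbound Allow rules with no program bound."""
    found = {}
    for r in rules:
        if (r.get("Direction") == "In" and r.get("Action") == "Allow"
                and r.get("Enabled") == "Yes" and r.get("LocalPort", "Any") != "Any"
                and r.get("Program", "Any") == "Any"):
            found.setdefault(r["LocalPort"], set()).add(r.get("Protocol"))
    return found
```

A port that shows up with both TCP and UDP and no program restriction, and that no installed service is known to use, is worth comparing against the host's current listeners.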
WAY 3: You can also open/port forward your port by adding the entry into your torrent client (torrent clients like BitComet, BitTorrent, uTorrent etc.). All you have to do is start any torrent client and begin downloading any torrent file; after it begins downloading, open the properties of the torrent file, where you will notice a port number, generally with a value in the thousands. Change that value to the port number you want and click on update/save, and the torrent client will activate that specific port for downloading the requisite torrent file.
TO CHECK IF THE PORT IS OPEN/IN FORWARD MODE OR NOT: To check whether the port is in open/forward mode, we first add the entry into our DarkComet client, that is, we set our remote access tool to start listening for activity on the specific ports. This is done by opening your DarkComet client, clicking on Socket/Net from the tabs given, right-clicking in the list there and clicking on Add port/Listen to new port, and entering your port number; if there is more than one port, repeat the process and add all your port numbers one by one.
Now that the client is in listening mode, open your web browser and open the URL canyouseeme.org. Here enter the port number which you want to confirm is open or not. If it is a success, it will look like this:
If not then it will look like this:
Step 3 – Make a Payload Virus/Trojan

Open your DarkComet client and click on DarkComet RAT Editor (Expert mode).
Server Module
Now we begin the making of the virus with different qualities and settings.
S1) First of all, in the Main Settings window, in the Process Mutex column click 2-3 times on Random to generate a random value. Then in the Server ID column you can give a name; if not, leave it as it is. Then in Profile Name you can give a profile name for the settings we will use, so that in future you don't have to tune all the settings again, just load the previous profile. You can also use the Active FWB option to bypass the firewall security, so that it can easily run with the firewall on in the victim's system.
S2) Now in the next step, i.e. in the Network Settings window, in the IP/DNS column enter the domain name which was created on your No-IP account, and in the Port column add the unique port number which you have set in port-forward mode.
S3) Moving on to the next window, Module Startup, there are many great options to use. The first option is to start the stub with Windows, that is, to start your virus file as a Windows operating file; here you can define the name of the process under which it will run and be shown in the process manager. In the next option you can choose to melt the file, that is, after the very first execution the file will melt itself and disappear, but the process will continue to run. You can also change the creation date, along with the attributes of the virus: you can make it hidden, a system file, read-only etc.
S4) Moving on to the next option, Install Message, here you can create a message that you want to display when anybody runs your virus file.
S5) The next option is Module Shield, where a variety of options are given to safeguard your virus file. You can choose all the options or whichever pleases you the most.
S6) The next option is the Keylogger; use it if you have an active FTP account, fill in the columns and enjoy every keystroke pressed by the victim on his/her system.
S7) The next two options are generally of no big use, so we skip them. Coming to the next option, File Binder, here you can bind your virus file onto some existing file so that your virus is not visible, as it will be masked inside an existing file; after choosing the file, click on Add file/Bind file to generate a newly bound file.
S8) Next, choose an icon for the file.
S9) The last option is Stub Finalization; here you can choose to compress your virus. When done, click on Generate/Build the stub and provide a specific path for the file to be generated; after that your file will be saved for distributing to others.
Here is a list of the victims caught by this activity.
Happy hacking