CEH Lab Manual

Trojans and Backdoors

Module 06
Module 06 - Trojans and Backdoors

Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review

Lab Scenario

According to Bank Info Security News (http://www.bankinfosecurity.com), information security experts say Trojans pose serious risks in the Android environment. Any compromised device is potentially open to the malicious apps that are around, the FBI warns, because the personal and sensitive information stored on mobile devices is at risk. But the real problem, experts say, is the potential for malicious applications to take control of the financial information and financial applications stored on the device, and so to commit fraud from anywhere.

According to security experts, an advanced banking Trojan known as Citadel, a variant of Zeus, is specifically designed for financial fraud and is sold on the cyber black market. The Trojan steals online-banking login IDs and passwords by capturing keystrokes; hackers then use the stolen credentials to take over accounts and schedule fraudulent transactions.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:

■ Creating a server and testing a network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

To carry out this, you need:

■ A computer running Windows Server 2008 as Guest-1 in a virtual machine
■ Windows 7 running as Guest-2 in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools
E th ic a l H ack in g and Countem ieasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

Lab Duration

Time: 40 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker gets access to the stored passwords in a computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you with Trojans and backdoors:

■ Creating a Server Using the ProRat Tool
■ Wrapping a Trojan Using One File EXE Maker
■ Proxy Server Trojan
■ HTTP Trojan
■ Remote Access Trojans Using Atelier Web Remote Commander
■ Detecting Trojans
■ Creating a Server Using the Theef
■ Creating a Server Using the Biodox
■ Creating a Server Using the MoSucker
■ Hack Windows 7 using Metasploit

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Lab 1

Creating a Server Using the ProRat Tool

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review
Lab Scenario

As more and more people regularly use the Internet, cyber security is becoming more important. Many people are not yet aware that hackers can compromise their systems not only with viruses, worms, Trojan horses, and other malware, but can also sniff your communications, steal your personal and financial information, and use your machine to infect another machine. Some hackers may listen to your communications; others may take control of your machine. Hacker attacks include spoofing, hijacking, mapping, and denial-of-service attacks, which make a computer unavailable for normal business. Targets include high-profile web servers such as banks and credit card gateways.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data, and identity theft.

Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:

■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors

■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment

To carry this out, you need:

■ The ProRat tool, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
■ A computer running Windows Server 2012 as the host machine
■ A computer running Windows 8 in a virtual machine
■ Windows Server 2008 running in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The actual appearance of the website, and the versions of the client or server created in this lab on the host, may differ from what is shown, but the process of creating the server and the client is the same as shown in this lab.

Lab Tasks

TASK 1: Create Server with ProRat

1. Launch the Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
2. Double-click ProRat.exe in the Windows 8 Virtual Machine.
3. Click Create, then Create ProRat Server, to start preparing to create a server.


[Figure 1.1 shows the ProRat main window: Connect/Disconnect, IP (DNS) Address and Port fields, the feature buttons PC Info, Message, Applications, Windows, Admin-FTP, Funny Stuff, File Manager, Explorer, Search Files, Registry, Control Panel, Shut Down PC, Clipboard, KeyLogger, Give Damage, Passwords, R. Downloader, Printer, Online Editor, Pro Connective, and the Create menu offering Create ProRat Server, Create Downloader Server (2 Kbyte), and Create CGI Victim List (16 Kbyte).]

FIGURE 1.1: ProRat main window

4. The Create Server window appears.

[Figure 1.2 shows the ProRat Create Server window. The left pane lists Notifications, General Settings, Bind with File, Server Extensions, and Server Icon. The Notifications page offers ProConnective Notification (Network and Router; supports reverse connection) with an IP (DNS) Address field, Mail Notification with an E-Mail field, ICQ Pager Notification with an ICQ UIN field, and CGI Notification with a CGI URL field; the last three do not support reverse connection. Each has a Test button. Server Size is 342 Kbyte.]

Password button: Retrieve passwords from many services, such as POP3 accounts, messenger, IE, mail, etc.

FIGURE 1.2: ProRat Create Server Window

5. Click General Settings to change features such as Server Port, Server Password, Victim Name, and the port number over which the victim connects, or leave the default settings.
6. Check or uncheck the options as you wish; the options highlighted in the following screenshot are the ones used in this lab.


[Figure 1.3 shows the General Settings page: Server Port, Server Password, Victim Name, and the check boxes Give a fake error message; Melt server on install; Kill AV-FW on start; Disable Windows XP SP2 Security Center; Disable Windows XP Firewall; Clear Windows XP Restore Points; Don't send LAN notifications from (192.168.*.*) or (10.*.*.*); Protection for removing Local Server; and, under Invisibility, Hide Processes from All Task Managers (9x/2k/XP), Hide Values From All kind of Registry Editors (9x/2k/XP), Hide Names From Msconfig (9x/2k/XP), and UnTerminate Process (2k/XP). Server Size is 342 Kbyte.]

Note: you can use Dynamic DNS to connect over the Internet by using no-ip account registration.

FIGURE 1.3: ProRat Create Server - General Settings

7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server.
8. Check Bind server with a file. Click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.
9. Select the Girl.jpg file to bind with the server.

Clipboard: To read data from random access memory.

[Figure 1.4 shows the Bind with File page, with the Bind server with a file check box, the "This File will be Binded:" field, and the Select File button. Server Size is 342 Kbyte.]

FIGURE 1.4: ProRat Binding with a file


10. Select Girl.jpg in the Look in: window and then click Open to bind the file.

VNC Trojan: A VNC Trojan starts a VNC server daemon in the infected system.

[Figure 1.5 shows the file selection dialog with Look in: Images, File name: Girl, Files of type, and the Open and Cancel buttons.]

FIGURE 1.5: ProRat binding an image

11. Click OK after selecting the image for binding with a server.

File manager: To manage the victim directory for add, delete, and modify.

12. In the Server Extensions settings, select EXE (Has icon support) in the Select Server Extension options.


[Figure 1.7 shows the Server Extensions page. Select Server Extension offers EXE (Has icon support), SCR (Has icon support), PIF (Has no icon support), COM (Has no icon support), and BAT (Has no icon support). Server Size is 479 Kbyte.]

Give Damage: To format the entire system files.

FIGURE 1.7: ProRat Server Extensions Settings

13. In Server Icon, select any of the icons, and click the Create Server button at the bottom right of the ProRat Create Server window.

[Figure 1.8 shows the Server Icon page with the Choose new Icon button, the Server Icon preview, and the Create Server button. Server Size is 479 Kbyte.]

It connects to the victim using any VNC viewer with the password "secret."

FIGURE 1.8: ProRat creating a server

14. Click OK after the server has been prepared, as shown in the following screenshot.


FIGURE 1.9: ProRat Server has created

15. The server file (binded_server) is created in the same current directory. Now you can send the server file to the victim's machine as, for example, a celebration file by mail or any other communication media, to be run.

SHTTPD Trojan: SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.

[Figure 1.10 shows Windows Explorer in the ProRat folder (Trojans Types > Remote Access Trojans (RAT) > ProRat) with 9 items, including Images, Language, binded_server, English, ProRat, Readme, Turkish, and Version.Renewals; binded_server is selected.]

FIGURE 1.10: ProRat Create Server

16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
17. Double-click binder_server.exe as shown in the following screenshot.
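The bound file produced in steps 7 to 15 is an executable with an image appended to it, sent to the victim under an innocuous name. The following Python script is an added example, not part of the original lab manual and not ProRat's code, showing the two checks a defender would run on such a file: does the extension match the file's magic bytes, and does the PE carry an overlay after its last section that contains a JPEG signature. The header offsets are the standard ones from the PE/COFF format; the file returned by build_sample() is a constructed minimal stand-in for the bound server, not the real binder output.

```python
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
JPEG_MAGIC = b"\xff\xd8\xff"


def pe_data_end(data: bytes):
    """Offset where the last PE section's raw data ends, or None if not a PE.

    Anything past this offset is an overlay: bytes the loader never maps,
    which is where file binders typically stash the decoy or the payload.
    """
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 (both little-endian u16).
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_opt
    end = section_table + 40 * num_sections
    for i in range(num_sections):
        hdr = section_table + 40 * i
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20.
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def analyze(filename: str, data: bytes):
    """Return a list of human-readable findings for a suspicious file."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in ("jpg", "jpeg", "png", "gif") and data[:2] == MZ_MAGIC:
        findings.append("extension says image but file starts with MZ (executable)")
    end = pe_data_end(data)
    if end is not None and len(data) > end:
        overlay = data[end:]
        findings.append(f"{len(overlay)} bytes of overlay after the last PE section")
        if JPEG_MAGIC in overlay:
            findings.append("JPEG signature inside the overlay (bound decoy image)")
    return findings


def build_sample() -> bytes:
    """Constructed minimal PE with a JPEG appended, standing in for a bound server."""
    buf = bytearray(0x200)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, 0x3C, 0x40)               # e_lfanew
    buf[0x40:0x44] = PE_SIGNATURE
    struct.pack_into("<H", buf, 0x46, 1)                  # NumberOfSections
    struct.pack_into("<H", buf, 0x54, 0)                  # SizeOfOptionalHeader (omitted)
    sec = 0x58                                            # first section header
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", buf, sec + 16, 0x100, 0x200)  # SizeOfRawData, PointerToRawData
    code = b"\x90" * 0x100
    decoy = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 64  # JPEG header + padding
    return bytes(buf) + code + decoy


if __name__ == "__main__":
    for line in analyze("Girl.jpg", build_sample()):
        print("-", line)
```

Run it against a real sample by reading the file with open(path, "rb").read(); a clean, unwrapped executable reports no overlay, while a bound server reports both the overlay and the image signature inside it.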


[Figure 1.11 shows Windows Explorer on Windows Server 2008 open at Trojans Types > Remote Access Trojans (RAT) > ProRat, with the sibling Trojan Types folders (Botnet Trojans, Command Shell Trojans, Defacement Trojans, Destructive Trojans, E-banking Trojans, E-Mail Trojans, FTP Trojan, GUI Trojans, HTTP HTTPS Trojans, ICMP Backdoor, MAC OS X Trojans, Proxy Server Trojans, Remote Access Trojans, VNC Trojans) and, under Remote Access Trojans, Apocalypse, Atelier Web Remote Commander, DarkComet RAT, and ProRat.]

FIGURE 1.11: ProRat Windows Server 2008

18. Now switch to the Windows 8 Virtual Machine and, in the ProRat main window, enter the IP address of Windows Server 2008, leave the port number as the default, and click Connect.
19. In this lab, the IP address of Windows Server 2008 is 10.0.0.13.

Note: IP addresses might differ in classroom labs.

ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol that is undetectable.

[Figure 1.12 shows the ProRat V1.9 main window with the IP and Port fields, the Connect button, and the feature buttons.]
FIGURE 1.12: ProRat Connecting Infected Server

20. Enter the password you provided at the time of creating the server and click OK.
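Steps 18 to 20 connect the ProRat client to the port the server opened on the victim. On the victim side that port shows up as a listening socket owned by the server process, which is what a defender looks for. The following Python script is an added example, not part of the original lab manual, that parses the text of `netstat -ano` (the Windows layout with a PID column) and flags listening sockets and inbound connections on ports that are not in an allowlist of expected services, attributing each to its process. The netstat lines and the PID-to-image map are constructed sample data; the port 5110 used for the RAT listener and the process name binder_server.exe are assumptions made for the example, not values taken from the lab text.

```python
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state pid")

# Ports a Windows server in this lab is expected to serve; anything else listening is worth a look.
EXPECTED_PORTS = {135, 139, 445, 3389}

_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+"
    r"(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_RECEIVED)?\s*(\d+)\s*$"
)


def parse_netstat(text: str):
    """Parse `netstat -ano` output (Windows layout: Proto, Local, Foreign, State, PID)."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header lines and blanks
        proto, lip, lport, rip, rport, state, pid = m.groups()
        sockets.append(Socket(proto, lip, int(lport), rip,
                              None if rport == "*" else int(rport),
                              state or "", int(pid)))
    return sockets


def audit(sockets, processes, expected_ports=EXPECTED_PORTS):
    """Flag listeners and inbound connections on unexpected ports.

    processes: {pid: image name} as reported by `tasklist`.
    Returns a list of (reason, port, pid, image) tuples.
    """
    findings = []
    for s in sockets:
        if s.proto != "TCP" or s.local_port in expected_ports:
            continue
        image = processes.get(s.pid, "<unknown>")
        if s.state == "LISTENING":
            findings.append(("unexpected listener", s.local_port, s.pid, image))
        elif s.state == "ESTABLISHED" and s.local_port < 49152:
            # Ephemeral client ports start at 49152 on modern Windows; a low
            # local port with a peer attached means someone connected *in*.
            findings.append(("inbound connection on unexpected port", s.local_port, s.pid, image))
    return findings


# Constructed sample output, modelled on the Windows `netstat -ano` layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1340
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       2132
  TCP    10.0.0.13:5110         10.0.0.20:49712        ESTABLISHED     2132
  TCP    10.0.0.13:49800        10.0.0.1:445           ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Constructed {PID: image} map as `tasklist` would give it; the names are assumptions.
SAMPLE_PROCESSES = {876: "svchost.exe", 4: "System", 1340: "svchost.exe",
                    2132: "binder_server.exe", 1104: "svchost.exe"}


if __name__ == "__main__":
    for reason, port, pid, image in audit(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"{reason}: port {port} owned by PID {pid} ({image})")
```

On a live host, feed the script the output of `netstat -ano` and build the PID map from `tasklist /FO CSV`; the allowlist should be the ports the machine's role actually requires, so that a RAT listener stands out even when it is hidden from Task Manager.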


[Figure 1.13 shows the ProRat password prompt with a Password field and OK and Cancel buttons.]

FIGURE 1.13: ProRat connection window

21. Now you are connected to the victim machine. To test the connection, click PC Info and choose System Information; the victim system information appears as in the following figure.

[Figure 1.14 shows ProRat V1.9 connected to 10.0.0.13, with the PC Information pane listing Computer Name, User Name, Windows Ver, Windows Language, Windows Path, System Path, Temp Path, ProductId, Workgroup, and Data, and the PC Info sub-options System Information, Mail Addresses in Registry, and Last visited 25 websites.]

Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.
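The ICMP Trojan sidebar describes tunneling: carrying data of one protocol inside another so that it passes unnoticed. The following Python code is an added example, not part of the original lab manual, that makes the idea concrete from both sides: covert_send() builds ICMP echo requests whose payloads carry attacker data instead of the usual ping filler, and inspect() is the detector's check, which parses a raw ICMP message, verifies its RFC 1071 checksum, and flags echo payloads that deviate from the 32-byte pattern Windows ping sends by default. Everything operates on in-memory byte strings, so nothing touches the network; the hidden message is constructed for the example.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# Default 32-byte filler that Windows ping puts in an echo request.
WINDOWS_PING_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Build an ICMP echo message; the payload is whatever the sender wants carried."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    chk = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, chk, ident, seq) + payload


def parse_icmp(msg: bytes):
    """Return (type, code, ident, seq, payload, checksum_ok) for a raw ICMP message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, chk, ident, seq = struct.unpack("!BBHHH", msg[:8])
    ok = inet_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == chk
    return icmp_type, code, ident, seq, msg[8:], ok


def inspect(msg: bytes):
    """Detector-side check: list the reasons an echo message looks like a covert channel."""
    icmp_type, code, ident, seq, payload, ok = parse_icmp(msg)
    reasons = []
    if not ok:
        reasons.append("bad checksum")
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return reasons  # only echo traffic is judged here
    if len(payload) != len(WINDOWS_PING_FILLER):
        reasons.append(f"payload length {len(payload)}, ping default is {len(WINDOWS_PING_FILLER)}")
    if payload[:len(WINDOWS_PING_FILLER)] != WINDOWS_PING_FILLER[:len(payload)]:
        reasons.append("payload is not the default ping filler")
    return reasons


def covert_send(ident: int, message: bytes, chunk: int = 32):
    """Split a message into ping-sized chunks, one echo request per chunk (attacker side)."""
    return [build_echo(ident, seq, message[i:i + chunk])
            for seq, i in enumerate(range(0, len(message), chunk), start=1)]


def covert_receive(packets):
    """Reassemble the hidden message from echo requests, ordering by sequence number."""
    pieces = sorted((parse_icmp(p)[3], parse_icmp(p)[4]) for p in packets)
    return b"".join(payload for _, payload in pieces)


if __name__ == "__main__":
    normal = build_echo(0x1234, 1, WINDOWS_PING_FILLER)
    tunnel = covert_send(0x1234, b"host=10.0.0.13;user=Administrator")  # constructed secret
    print("normal ping:", inspect(normal) or "nothing unusual")
    for pkt in tunnel:
        print("tunnel packet:", inspect(pkt))
    print("recovered:", covert_receive(tunnel))
```

A real detector would compare against the filler of every ping implementation seen on the network (Linux ping uses a timestamp followed by a byte ramp, not the Windows letters), and would also watch echo volume and payload entropy, since an attacker who copies the filler exactly can still signal with packet timing or size.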

FIGURE 1.14: ProRat connected computer window

TASK 2: Attack System Using Keylogger

22. Now click KeyLogger to steal the user's passwords for the online system.

[Figure 1.15 shows the connected ProRat window with the KeyLogger button highlighted and the PC Information received: Computer Name WIN-EGBHISG14L0, User Name Administrator, Windows Language English (United States), Windows Path C:\Windows, System Path C:\Windows\system32, Temp Path C:\Users\ADMINI~1\..., Workgroup NO, Data 9/23/2012.]

FIGURE 1.15: ProRat KeyLogger button


23. The Key Logger window will appear.

Reverse Connecting Trojan: This Trojan works like remote desktop access. The hacker gains complete GUI access to the remote system:
■ Infect the victim's computer with server.exe and plant the Reverse Connecting Trojan.
■ The Trojan connects from the victim's port out to the attacker, establishing a reverse connection.
■ The attacker then has complete control over the victim's machine.

FIGURE 1.16: ProRat KeyLogger window

24. Now switch to the Windows Server 2008 machine, open a browser or Notepad, and type any text.

[Figure 1.17 shows Notepad (Text Document - Notepad) on Windows Server 2008 with the typed text:
Hi there
This is my username: xyz@yahoo.com
password: test<3@#S!@l|]

Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.

FIGURE 1.17: Test typed in Windows Server 2008 Notepad

25. While the victim is writing a message or entering a user name and password, you can capture the log data.
26. Now switch to the Windows 8 Virtual Machine and click Read Log from time to time to check for updates from the victim machine.


[Figure 1.18 shows the ProRat Key Logger window with the captured log (a 9/23/2012 11:55:28 PM timestamp followed by the text typed in Notepad, with shift key presses recorded as "shift button" entries), the Read Log, Delete Log, Save as, Help, and Clear Screen buttons, and the status "Key Log Received."]

FIGURE 1.18: ProRat KeyLogger window

Note: The ProRat Keylogger will not read special characters.

Now you can use a lot of features from ProRat on the victim's machine.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Create a server with advanced options such as Kill AV-FW on start, Disable Windows XP Firewall, etc., send it to the victim machine, and verify whether you can connect to the victim machine.
2. Evaluate and examine various methods to communicate with the victims if they are in other cities or countries.


Tool/Utility: ProRat

Information Collected/Objectives Achieved:

Successful Connection: Yes

Output: Binded server.exe creation

PC Information:
  Computer Name: WIN-EGBHISG14L0
  User Name: Administrator
  Windows Ver:
  Windows Language: English (United States)
  Windows Path: c:\windows
  System Path: c:\windows\system32
  Temp Path: c:\Users\ADMINI~1\
  Product ID:
  Workgroup: NO
  Data: 9/23/2012

Internet Connection Required: [ ] Yes  [x] No

Platform Supported: [x] Classroom  [x] iLabs


Lab 2

Wrapping a Trojan Using One File EXE Maker

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review
Lab Scenario

Sometimes an attacker makes a backdoor even more secure than the normal way of getting into a system, for example with a password safer than the normal system password, in order to keep the backdoor for his or her own use and protect it from other attackers. A backdoor is the attacker's way of getting into the victim system again in the future. ActiveX is the most common way of creating a backdoor: the attacker installs the backdoor on the victim machine by using ActiveX, and whenever the user visits websites, downloads applications, chats, or uses voice communication, the embedded ActiveX backdoor is installed and run on the victim system without the user's knowledge. After getting in, it is easy for an attacker to show a message on a website or run SSH on the system. Another way attackers use is Trojans; running a Trojan may need many layers of authentication, verification, or logging, which is harder compared with a backdoor. Usually a backdoor installed on the victim system lets the attacker get access to and control the system with extensive knowledge about the user, which is why you need to protect your system from Trojans and backdoors.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Wrapping a Trojan with a game in Windows Server 2008
■ Running the Trojan to access the game on the front end
■ Analyzing the Trojan running in the back end

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

CEH Lab Manual Page 439
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 06 - Trojans and Backdoors

Lab Environment
To carry out this, you need:
■ OneFileEXEMaker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
■ A computer running Window Server 2012 (host)
■ Windows Server 2008 running in virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

TASK 1: OneFile EXE Maker

Lab Tasks
1. Install OneFileEXEMaker (SennaSpy One EXE Maker 2000 - 2.0a) on Windows Server 2008 Virtual Machine.

FIGURE 3.1: One File EXE Maker Home screen (the tool joins many files into one EXE; for each file it records Short File Name, Parameters, Open Mode, Copy To and Action)

2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.
Note: You can set various tool options such as Open mode, Copy to, and Action.

FIGURE 3.2: Adding Lazaris game

3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.

FIGURE 3.3: Adding MCAFEE.EXE proxy server

4. Select Mcafee and type 8080 in the Command Line Parameters field.

FIGURE 3.4: Assigning port 8080 to MCAFEE

5. Select Lazaris and check the Normal option in Open Mode.

FIGURE 3.5: Setting Lazaris open mode

6. Click Save and browse to save the file on the desktop, and name the file Tetris.exe.

FIGURE 3.6: Trojan created

7. Now double-click the Tetris.exe file to open the game. This will launch the Lazaris game on the front end; MCAFEE.EXE will run in the background.

FIGURE 3.7: Lazaris game running

8. Now open Task Manager and click the Processes tab to check that the MCAFEE.EXE process is running.

FIGURE 3.8: MCAFEE in Task manager (the Processes tab lists LAZARIS.EXE and MCAFEE.EXE running under the Administrator account alongside the usual system processes)
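Task Manager shows MCAFEE.EXE only as one more Administrator process; what gives the wrapped payload away is that it listens on a TCP port while having been launched from a game the user double-clicked. The Python below is an added example, not part of the lab manual or of OneFileEXEMaker: it correlates a process tree with the host's listening sockets and flags listeners whose ancestry runs through explorer.exe rather than services.exe. Both snapshots are constructed to mirror the lab; live input would come from `wmic process get ProcessId,ParentProcessId,Name,ExecutablePath` and `netstat -ano`.

```python
"""Spot a wrapped payload from two command snapshots.

Added example for this lab; not from the CEH lab manual or OneFileEXEMaker.
A Windows service is started by services.exe, so a process that listens on a
TCP port while sitting under the interactive explorer.exe tree (here: a game
the user double-clicked) deserves a closer look.  Both snapshots are
constructed to mirror the lab (LAZARIS.EXE in front, MCAFEE.EXE on 8080
behind it); live data comes from
    wmic process get ProcessId,ParentProcessId,Name,ExecutablePath
    netstat -ano
"""
import re

# Constructed wmic-style output (fixed-width columns); paths are illustrative.
PROCESS_SNAPSHOT = r"""
ProcessId  ParentProcessId  Name           ExecutablePath
4          0                System
900        4                services.exe   C:\Windows\System32\services.exe
1980       900              svchost.exe    C:\Windows\System32\svchost.exe
1320       1296             explorer.exe   C:\Windows\explorer.exe
2204       1320             Tetris.exe     C:\Users\Administrator\Desktop\Tetris.exe
2260       2204             LAZARIS.EXE    C:\Windows\System32\LAZARIS.EXE
2288       2204             MCAFEE.EXE     C:\Windows\System32\MCAFEE.EXE
"""

# Constructed netstat -ano output; 10.0.0.13 is the Windows Server 2008 VM
# from the lab, the client address 10.0.0.12 is made up.
NETSTAT_SNAPSHOT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1980
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2288
  TCP    10.0.0.13:8080         10.0.0.12:51422        ESTABLISHED     2288
  TCP    [::]:135               [::]:0                 LISTENING       1980
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_columns(text):
    """Parse fixed-width output by slicing rows at the header's column offsets.
    (Whitespace splitting would break on paths that contain spaces.)"""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, names = lines[0], lines[0].split()
    starts, pos = [], 0
    for name in names:
        pos = header.index(name, pos)
        starts.append(pos)
        pos += len(name)
    rows = []
    for line in lines[1:]:
        row = {}
        for i, name in enumerate(names):
            end = starts[i + 1] if i + 1 < len(names) else None
            row[name] = line[starts[i]:end].strip()
        rows.append(row)
    return rows


def parse_listeners(netstat_text):
    """Map PID -> set of TCP ports in LISTENING state (IPv4 and [::] forms)."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m.group(3)), set()).add(int(m.group(2)))
    return listeners


def ancestry(pid, procs):
    """Image names from the highest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["Name"])
        pid = int(procs[pid]["ParentProcessId"])
    return list(reversed(chain))


def find_wrapped_listeners(proc_text, netstat_text, interactive_roots=("explorer.exe",)):
    """Flag listening processes whose ancestry passes through an interactive shell."""
    procs = {int(r["ProcessId"]): r for r in parse_columns(proc_text)}
    findings = []
    for pid, ports in sorted(parse_listeners(netstat_text).items()):
        if pid not in procs:
            continue
        chain = ancestry(pid, procs)
        if any(name.lower() in interactive_roots for name in chain[:-1]):
            findings.append({
                "pid": pid,
                "name": procs[pid]["Name"],
                "path": procs[pid]["ExecutablePath"],
                "ports": sorted(ports),
                "chain": " > ".join(chain),
            })
    return findings


if __name__ == "__main__":
    for f in find_wrapped_listeners(PROCESS_SNAPSHOT, NETSTAT_SNAPSHOT):
        print(f"PID {f['pid']} {f['name']} listens on {f['ports']}: {f['chain']}")
```

On the sample data the only finding is MCAFEE.EXE (PID 2288) on port 8080 with the chain explorer.exe > Tetris.exe > MCAFEE.EXE; the svchost.exe listener under services.exe is not reported.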

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OneFileEXEMaker
Information Collected/Objectives Achieved: Output: Using a backdoor execute Tetris.exe

Questions
1. Use various other options for the Open mode, Copy to, and Action sections of OneFileEXEMaker and analyze your results.
2. How will you secure your computer from OneFileEXEMaker attacks?

Internet Connection Required
□ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs

Proxy Server Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
• Starting McAfee Proxy
• Accessing the Internet using McAfee Proxy
Lab Environment
To carry out this, you need:
■ McAfee Trojan located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Window Server 2012 (host)
■ Windows Server 2008 running in virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access Internet
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

TASK 1: Proxy server

Lab Tasks
1. In Windows Server 2008 Virtual Machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and select CmdHere from the right-click context menu.

FIGURE 4.1: Windows Server 2008: CmdHere

2. Now type the command dir to check for folder contents.

FIGURE 4.2: Directory listing of Proxy Server folder

3. The following image lists the directories and files in the folder; mcafee.exe is the only file in it.

FIGURE 4.3: Contents in Proxy Server folder
4. Type the command mcafee 8080 to run the service in Windows Server 2008.

FIGURE 4.4: Starting mcafee tool on port 8080

5. The service has started on port 8080.
6. Now go to Windows Server 2012 host machine and configure the web browser to access the Internet on port 8080.
7. In this lab launch Chrome, and select Settings as shown in the following figure.
Note: This process can be attained in any browser after setting the LAN settings for the respective browser.

FIGURE 4.5: Internet option of a browser in Windows Server 2012

8. Click the Show advanced settings link to view the Internet settings.

FIGURE 4.6: Advanced Settings of Chrome Browser

9. In Network Settings, click Change proxy settings.

FIGURE 4.7: Changing proxy settings of Chrome Browser

10. In the Internet Properties window click LAN settings to configure proxy settings.

FIGURE 4.8: LAN Settings of a Chrome Browser (Internet Properties window, Connections tab, with the LAN settings button)

11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.
12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.

FIGURE 4.9: Proxy settings of LAN in Chrome Browser (Address 10.0.0.13, Port 8080 in the lab setup)

13. Now access any web page in the browser (example: www.bbc.co.uk).

FIGURE 4.10: Accessing web page using proxy server

14. The web page will open.
15. Now go back to Windows Server 2008 and check the command prompt.

FIGURE 4.11: Background information on Proxy server (the mcafee 8080 console prints "Accepting New Requests!" and one line per relayed request in the form host: path :status, here for www.google.com, bbc.co.uk, www.bbc.co.uk and static.bbci.co.uk)

16. You can see that we had accessed the Internet using the proxy server Trojan.
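The console in Figure 4.11 is the only record the proxy Trojan leaves on the victim, and the LAN Settings dialog in steps 11 and 12 is what turns a client into its user. The Python below is an added example, not from the lab manual or the mcafee tool: it parses such console lines to list the sites relayed through the victim, and checks a client's WinINET proxy setting (the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which that dialog writes) against an allowlist. Both inputs are constructed; proxy.corp.example:3128 is a placeholder allowlist entry.

```python
r"""Reconstruct what a proxy server Trojan relayed and audit a client's proxy.

Added example for this lab; not from the CEH lab manual or the mcafee tool.
The console lines are constructed in the format of Figure 4.11
("host: path :status" between "Accepting New Requests!" markers).  The
registry text is constructed in the layout printed by
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
whose ProxyEnable / ProxyServer values the LAN Settings dialog writes.
"""
import re
from collections import Counter

# Constructed console output of "mcafee 8080" on the victim.
PROXY_CONSOLE = """\
Accepting New Requests!
www.google.com: /complete/search?sugexp=chrome,mod=18&client=chrome&hl=en-US&q=bbc.co.u :200
Accepting New Requests!
bbc.co.uk: / :301
Accepting New Requests!
www.bbc.co.uk: / :200
static.bbci.co.uk: /frameworks/barlesque/2.10.0/desktop/3.5/style/main.css :200
static.bbci.co.uk: /bbcdotcom/0.3.136/style/3pt_ads.css :200
Accepting New Requests!
"""

# Constructed "reg query" output from the client; 10.0.0.13:8080 is the lab's
# Windows Server 2008 VM as entered in the LAN Settings dialog.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    10.0.0.13:8080
    ProxyOverride    REG_SZ    <local>
"""

REQUEST_RE = re.compile(r"^(?P<host>[^\s:]+):\s+(?P<path>\S+)\s+:(?P<status>\d{3})\s*$")


def parse_proxy_log(text):
    """Turn the proxy console into request records; idle markers are dropped."""
    records = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            records.append({"host": m.group("host"), "path": m.group("path"),
                            "status": int(m.group("status"))})
    return records


def hosts_by_request_count(records):
    """Sites the victim relayed traffic to, most-used first."""
    return Counter(r["host"] for r in records).most_common()


def parse_proxy_server_value(value):
    """ProxyServer is either 'host:port' or 'http=h:p;https=h:p;...'."""
    servers = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        servers.append(part.split("=", 1)[1] if "=" in part else part)
    return servers


def check_wininet_proxy(reg_text, approved):
    """Flag an enabled proxy that is not on the approved list."""
    values = {}
    for line in reg_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            values[parts[0]] = " ".join(parts[2:])
    enabled = int(values.get("ProxyEnable", "0"), 0) != 0   # REG_DWORD prints as 0x1
    servers = parse_proxy_server_value(values.get("ProxyServer", ""))
    return {"enabled": enabled, "servers": servers,
            "unapproved": [s for s in servers if s not in approved] if enabled else []}


if __name__ == "__main__":
    recs = parse_proxy_log(PROXY_CONSOLE)
    for host, n in hosts_by_request_count(recs):
        print(f"{n:3d}  {host}")
    # proxy.corp.example:3128 is a placeholder for the organisation's real proxy.
    print(check_wininet_proxy(REG_QUERY_OUTPUT, approved={"proxy.corp.example:3128"}))
```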

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan
Information Collected/Objectives Achieved: Output: Use the proxy server Trojan to access the Internet. Accessed webpage: www.bbc.co.uk

Questions
1. Determine whether McAfee HTTP Proxy Server Trojan supports other ports apart from 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required
☑ Yes □ No

Platform Supported
☑ Classroom □ iLabs

HTTP Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system to continuously steal various types of information from it, for example, strategic company designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's log. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
• To run HTTP Trojan on Windows Server 2008
• Access the Windows Server 2008 machine process list using the HTTP Proxy
• Kill running processes on Windows Server 2008 Virtual Machine

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this, you need:
■ HTTP RAT located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Window Server 2008 (host)
■ Windows 8 running in Virtual Machine
■ Windows Server 2008 in Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK: HTTP RAT
1. Log in to Windows 8 Virtual Machine, and select the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.1: Windows 8 Start menu

2. Click Services in the Start menu to launch Services.

Note: Stopping the World Wide Web Publishing service is mandatory, as HTTP RAT runs on port 80.

FIGURE 5.2: Windows 8 Start menu Apps
3. Disable/Stop World Wide Web Publishing Services.
FIGURE 5.3: Administrative tools - Services Window (World Wide Web Publishing Service selected; its description reads: Provides Web connectivity and administration through the Internet Information Services Manager)
4. Right-click the World Wide Web Publishing service and select Properties to disable the service.

FIGURE 5.4: Disable/Stop World Wide Web publishing services (Properties dialog: Service name W3SVC, Path to executable C:\Windows\system32\svchost.exe -k iissvcs, Startup type Disabled, Service status Stopped)
5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

Note: The send notification option can be used to send the details to your Mail ID.

FIGURE 5.5: HTTP RAT main window (HTTP RAT 0.31 backdoor Webserver by zOmbie; settings: send notification with ip address to mail, SMTP server for sending mail, your email address, close FireWalls, server port 80, and the Create and Exit buttons)

6. Disable the Send notification with ip address to mail option.

7. Click Create to create an httpserver.exe file.

[Screenshot: HTTP RAT 0.31 window with the "send notification with ip address to mail" option unchecked and server port set to 80, ready for Create]

FIGURE 5.6: Create backdoor

[Screenshot: HTTP RAT 0.31 message box "done! send httpserver.exe 2 victim" with an OK button]

Note: The created httpserver.exe will be placed in the tool directory.

FIGURE 5.7: Backdoor server created successfully

8. The httpserver.exe file should be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

9. Double-click the file and click Run.

[Screenshot: File Explorer showing the HTTP RAT TROJAN folder (httpserver, readme) and the "Open File - Security Warning" dialog: "The publisher could not be verified. Are you sure you want to run this software?" Name: ...HTTP HTTPS Trojans\HTTP RAT TROJAN\httpserver.exe; Publisher: Unknown Publisher; Type: Application; From: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans T... "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust." Buttons: Run, Cancel]

FIGURE 5.8: Running the Backdoor
10. Go to Task Manager and check if the process is running.

[Screenshot: Task Manager, Processes tab, with CPU, Memory, Disk and Network columns. Apps (2): Task Manager, Windows Explorer. Background processes (9): Device Association Framework, Microsoft Windows Search Indexer, Print driver host for applications, Httpserver (32 bit), Snagit RPC Helper (32 bit), Snagit Editor (32 bit), Snagit (32 bit), Spooler SubSystem App, TechSmith HTML Help Helper. Httpserver (32 bit) appears as a background process]

FIGURE 5.9: Backdoor running in Task Manager
11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 machine).

[Screenshot: Browser on the Windows Server 2008 machine showing the "zOmbie's HTTP_RAT" page served by the victim: "welcome 2 HTTP_RAT infected computer }:]" with the links [running processes] [browse] [computer info] [stop httprat] [have suggestions?] [homepage]]

FIGURE 5.10: Access the backdoor in Host web browser
12. Click running processes to list the processes running on the Windows 8 machine.
[Screenshot: "running processes" page of zOmbie's HTTP_RAT, each process followed by a [kill] link: System Process, System, smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe, several svchost.exe instances, dwm.exe, spoolsv.exe, MsMpEng.exe, taskhost.exe, SearchIndexer.exe, Snagit32.exe, TscHelp.exe, SnagPriv.exe, SnagitEditor.exe, splwow64.exe, httpserver.exe, Taskmgr.exe, firefox.exe]

FIGURE 5.11: Process list of the victim computer
13. You can kill any running process from here. Note that terminating critical system processes such as csrss.exe, wininit.exe or lsass.exe will crash the victim machine, so in the lab pick a user-mode application such as firefox.exe.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTP Trojan

Information Collected/Objectives Achieved:
• Successfully sent httpserver.exe to the victim machine
• Output: process list exposed through the RAT web page, each entry with a kill option:
  System
  smss.exe
  csrss.exe
  winlogon.exe
  services.exe
  lsass.exe
  svchost.exe
  dwm.exe
  splwow64.exe
  httpserver.exe
  firefox.exe

Questions
1. Determine the ports that the HTTP proxy server Trojan uses to communicate.

Internet Connection Required
□ Yes    ☑ No

Platform Supported
☑ Classroom    ☑ iLabs

Remote Access Trojans Using Atelier Web Remote Commander

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer while bypassing its security mechanisms. Trojans and backdoors are types of malware whose main purpose is to send and receive data, and especially commands, through a port to another system. This port can be a well-known port such as 80 or an unusual port such as 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
• Gain access to a remote computer
• Acquire sensitive information of the remote computer

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this, you need:
■ Atelier Web Remote Commander located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander

■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

TASK 1: Atelier Web Remote Commander

Lab Tasks
1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.

2. To launch Atelier Web Remote Commander (AWRC), open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

[Screenshot: Windows Server 2012 desktop with the Start tile shown at the lower-left corner]

FIGURE 6.1: Windows Server 2012 Start-Desktop
3. Click AW Remote Commander Professional in the Start menu apps.


[Screenshot: Windows Server 2012 Start screen (Administrator) showing the Tools group with the AW Remote Commander tile]

FIGURE 6.2: Windows Server 2012 Start Menu Apps
4. The main window of AWRC will appear as shown in the following screenshot.

[Screenshot: AWRC PRO 9.3.9 main window. Menus: File, Tools, Desktop, Help. Tabs: SysInfo, NetworkInfo, File System, Users and Groups, Chat. Remote Host, User Name and Password fields; Connect and Disconnect buttons; "Request authorization" and "Clear on disconnect" checkboxes; Progress Report pane; kBytesIn, kBpsIn and Connection Duration counters]

Note: This tool is used to gain access to all the information of the remote system.

FIGURE 6.3: Atelier Web Remote Commander main window
5. Input the IP address, User name and Password of the remote computer. AWRC authenticates with these Windows credentials; in this lab no server component is installed on the target, which is why a stolen administrator password alone is enough for this kind of remote access.

6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123
Note: The IP addresses and credentials might differ in your labs.

7. Click Connect to access the machine remotely.

FIGURE 6.4: Providing remote computer details

8. The following screenshots show that you will be accessing Windows Server 2008 remotely.
[Screenshot: "10.0.0.13: AWRC PRO 9.3.9" window after connecting. The Desktop tab shows the remote Windows Server 2008 desktop (Internet Explorer, Windows Update and Notepad icons; quality setting "Fastest"; Monitors). Remote Host 10.0.0.13, User Name administrator. Progress Report: "#16:28:24 Initializing, please wait..." and "#16:28:25 Connected to 10.0.0.13". kBytesIn: 201.94; Connection Duration: 1 Minute, 42 Seconds]

FIGURE 6.5: Remote computer accessed
9. The Commander is connected to the remote system. Click the SysInfo tab to view complete details of the virtual machine.

FIGURE 6.6: Information of the remote computer
10. Select the NetworkInfo tab, where you can view network information such as the remote shares.
[Screenshot: "10.0.0.13: AWRC PRO 9.3.9", NetworkInfo tab, Shares view with columns Name, Type, Remark, Path, Permissions, Max Uses, Current Uses, Password. Entries: ADMIN$ (Special, Remote Admin), C$ (Special, Default share) and IPC$ (Special, Remote IPC), each with Max Uses unlimited and Password not valid. Progress Report: "#16:28:24 Initializing, please wait", "#16:28:25 Connected to 10.0.0.13". kBytesIn: 250.93; Connection Duration: 5 Minutes, 32 Seconds]

FIGURE 6.7: Information of the remote computer
11. Select the File System tab. Select c: from the drop-down list and click Get.

12. This tab lists the complete files of the C: drive of Windows Server 2008.


[Screenshot: "10.0.0.13: AWRC PRO 9.3.9", File System tab, contents of 'c:': $Recycle.Bin, Boot, Documents and Settings, PerfLogs, Program Files (x86), Program Files, ProgramData, System Volume Information, Users, Windows. File System: NTFS; Type: Fixed; Serial Number: 6C27-CD39; Label: (blank); Capacity: 17,177,767,936 bytes; Free space: 6,505,771,008 bytes. kBytesIn: 251.64; Connection Duration: 6 Minutes, 18 Seconds]

FIGURE 6.8: Information of the remote computer
13. Select Users and Groups, which will display the complete user details.
[Screenshot: "10.0.0.13: AWRC PRO 9.3.9", Users and Groups tab (sub-tabs Users, Groups, Password Hashes). User Information for Administrator: User Account: Administrator; Password Age: 7 days 21 hours 21 minutes 33 seconds; Privilege Level: Administrator; Comment: Built-in account for administering the computer/domain; Flags: Logon script executed. Normal Account.; Full Name: (blank); Workstations can log on from: no restrictions; Last Logon: 9/20/2012 3:58:24 AM; Last Logoff: Unknown; Account expires: Never expires; User ID (RID): 500; Primary Global Group (RID): 513; SID: S-1-5-21-1858180243-3007315151-1600596200-500; Domain: WIN-EGBHISG14L0; No. of Sub Authorities: 5. kBytesIn: 256.00; Connection Duration: 6 Minutes, 26 Seconds]

FIGURE 6.9: Information of the remote computer


[Screenshot: "10.0.0.13: AWRC PRO 9.3.9", Users and Groups tab, Groups view with columns Name, SID, Comment. Administrators, S-1-5-32-544 (Type Alias/Domain Local), "Administrators have complete and unrestricted ..."; Backup Operators, S-1-5-32-551, "Backup Operators can override security restrict..."; Certificate Service DCOM Access, S-1-5-32-574, "Members of this group are allowed to connect t..."; Cryptographic Operators, S-1-5-32-569, "Members are authorized to perform cryptograph..."; Distributed COM Users, S-1-5-32-562, "Members are allowed to launch, activate and us..."; Event Log Readers, S-1-5-32-573, "Members of this group can read event logs from..."; Guests, S-1-5-32-546, "Guests have the same access as members of t...". Global Groups: S-1-5-21-1858180243-3007315..., "Ordinary users". kBytesIn: 257.54; Connection Duration: 7 Minutes, 34 Seconds]

FIGURE 6.10: Information of the remote computer

FIGURE 6.11: Information of the remote computer
14. This tool will display all the details of the remote system.

15. Analyze the results of the remote computer.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Atelier Web Remote Commander

Information Collected/Objectives Achieved:
• Remotely accessing Windows Server 2008
• Result: System information of remote Windows Server 2008
• Network information (shares) of remote Windows Server 2008
• Viewing complete files of c: of remote Windows Server 2008
• User and Groups details of remote Windows Server 2008
• Password hashes

Questions
1. Evaluate the ports that AWRC uses to perform operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required
□ Yes    ☑ No

Platform Supported
☑ Classroom

Detecting Trojans
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan from a specific system. One must realize that the World Wide Web is one of the channels that transmits information as well as malicious and harmful software. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of malware is to create a backdoor in order to access a specific system. In a backdoor Trojan attack, the affected user is unaware of the possible effects until sensitive and important information is found missing from the system. Through the backdoor, an attacker can also perform other types of malicious attacks. Backdoor Trojans are also known as remote access Trojans. The main reason they are so dangerous is that they give the attacker the ability to access a particular machine remotely (source: http://www.combofix.org).
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
• Analyze using Port Monitor
• Analyze using Process Monitor
• Analyze using Registry Monitor
• Analyze using Startup Program Monitor
• Create MD5 hash files for Windows directory files

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
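The last objective, hashing the Windows directory so that later changes can be detected, is the part of this lab a defender automates. The following is an added example (not code from the lab or from Fsum Frontend) that builds a hash baseline of a directory tree, re-scans it and reports added, removed and modified files. The lab speaks of MD5; SHA-256 is used here because MD5 collisions are practical, so a tampered file can be crafted to keep its old MD5. The directory tree is constructed in a temporary folder (file names mirror the lab: svchost.exe, dns.exe, httpserver.exe) so the example runs offline.

```python
"""Added example: hash baseline of a directory tree and a change report.
Not code from the CEH lab or from Fsum Frontend; the sample tree below is
constructed in a temporary directory, not taken from a real Windows host."""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk_size=1 << 16):
    """Stream a file through hashlib so large binaries need not fit in RAM."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root, algo="sha256"):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algo)
    return baseline


def diff_snapshots(old, new):
    """Compare two snapshots: a dropped Trojan shows up as 'added', a patched
    system binary as 'modified', a deleted file as 'removed'."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a fake Windows tree, then plant a backdoor,
    tamper with dns.exe and delete notepad.exe. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "System32")
        os.makedirs(sys32)
        _write(os.path.join(sys32, "svchost.exe"), b"constructed: legitimate svchost")
        _write(os.path.join(sys32, "dns.exe"), b"constructed: legitimate dns")
        _write(os.path.join(root, "notepad.exe"), b"constructed: legitimate notepad")
        before = snapshot(root)

        _write(os.path.join(sys32, "httpserver.exe"), b"constructed: backdoor webserver")
        _write(os.path.join(sys32, "dns.exe"), b"constructed: trojanized dns")
        os.remove(os.path.join(root, "notepad.exe"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Store the baseline off the monitored host (or at least on read-only media): a Trojan running with administrative rights can rewrite a baseline kept beside the files it modified, and the comparison would then report nothing.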


Lab Environment
To carry out this, you need:
■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\PrcView
■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ Fsum Frontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Note (Autoruns: Disabling and Deleting Entries): If you don't want an entry to activate the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns will store the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named "Autoruns disabled". Check a disabled item to re-enable it.

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK 1: TCPView
1. Go to the Windows Server 2012 Virtual Machine.
2. Install TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.


[Screenshot: TCPView - Sysinternals: www.sysinternals.com. Menus: File, Options, Process, View, Help. Columns: Process, PID, Protocol, Local Address, Local Port, Remote Address, Remote Port. Entries: dns.exe (PID 1572) bound to TCP port "domain", UDP port "domain" and a run of ephemeral UDP ports in the 49xxx range, all on host WIN-2N9STOSGIEN]

Note (Autoruns): You should delete items that you do not wish to ever execute. Do so by choosing Delete in the Entry menu. Only the currently selected item will be deleted.

FIGURE 8.1: TCPView main window

4. The tool performs port monitoring.
[Screenshot: TCPView main window, scrolled further: svchost.exe instances (various PIDs) on several TCP ports and on UDP ports bootps, bootpc, isakmp, llmnr, teredo and ipsec-msft; System (PID 4) on TCP netbios-ssn, microsoft-ds, http and https, all on WIN-2N9STOSGIEN]

Note (Autoruns): If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.

FIGURE 8.2: TCPView main window

5. It now analyzes SMTP and other ports.

[Screenshot: TCPView showing the full table including the Remote Address, Remote Port and State columns. The svchost.exe and System entries on WIN-2N9STOSGIEN are in state LISTENING with remote port 0; two TCP connections to other hosts (win-egbhisg... and windows8) are ESTABLISHED; UDP rows carry no state]

Note (Autoruns): Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.

Note (Autoruns): There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click the entry or location's line in the display.

FIGURE 8.3: TCPView analyzing ports
You can also kill a process by double-clicking that process and then clicking the End Process button.

[Screenshot: "Properties for dns.exe: 1572" dialog. Domain Name System (DNS) Server, Microsoft Corporation. Version: 6.02.8400.0000. Path: C:\Windows\System32\dns.exe. Buttons: End Process, OK]

FIGURE 8.4: Killing Processes
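TCPView shows the listener table, but the judgement about which process should own which port is still made by eye. The following is an added example (not code from the lab, from TCPView or from Sysinternals) of that judgement as a script: it parses `netstat -ano`-style output, keeps only listening sockets, and flags any (protocol, port) pair that is missing from a baseline or owned by an unexpected image. Run against the HTTP RAT lab, it would flag httpserver.exe holding TCP 80 after W3SVC (svchost.exe -k iissvcs) was disabled, and a RAT listening on an unusual port such as 7777. The netstat text, the PID-to-image map and the baseline below are constructed for the example; on a live host resolve PIDs with `tasklist` or Get-Process and build the baseline from a known-clean machine.

```python
"""Added example: flag unexpected listening ports from netstat -ano output.
Not code from the CEH lab or from TCPView. All sample data is constructed."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on `netstat -ano` on Windows (not captured).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2984
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3316
  TCP    10.0.0.12:49158        10.0.0.13:445          ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed PID -> image map (what `tasklist /fi "pid eq <n>"` would show).
PID_TO_IMAGE = {2984: "httpserver.exe", 748: "svchost.exe", 4: "System",
                1204: "svchost.exe", 3316: "updater.exe", 1100: "svchost.exe"}

# Baseline (assumed): which images may own each listening port. TCP 80 is
# expected to belong to IIS, which runs as svchost.exe -k iissvcs in the lab.
EXPECTED_LISTENERS = {
    ("TCP", 80): {"svchost.exe"},
    ("TCP", 135): {"svchost.exe"},
    ("TCP", 445): {"System"},
    ("TCP", 3389): {"svchost.exe"},
    ("UDP", 5355): {"svchost.exe"},
}

# proto, local addr, local port, foreign addr, optional state (UDP rows have
# none), PID. Local addr may be IPv4 or bracketed IPv6.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    local_addr: str
    port: int
    pid: int
    image: str


def parse_listeners(netstat_text, pid_to_image):
    """Return TCP sockets in LISTENING state plus every UDP binding."""
    listeners = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, blank line or a row in a shape we do not parse
        proto, addr, port, _foreign, state, pid = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        pid = int(pid)
        listeners.append(Listener(proto, addr, int(port), pid,
                                  pid_to_image.get(pid, "<unknown>")))
    return listeners


def find_unexpected(listeners, expected):
    """Return (listener, reason) for every socket that violates the baseline."""
    findings = []
    for lst in listeners:
        allowed = expected.get((lst.proto, lst.port))
        if allowed is None:
            findings.append((lst, "port not in baseline"))
        elif lst.image not in allowed:
            findings.append((lst, f"owned by {lst.image}, expected {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    found = parse_listeners(NETSTAT_SAMPLE, PID_TO_IMAGE)
    for lst, reason in find_unexpected(found, EXPECTED_LISTENERS):
        print(f"{lst.proto} {lst.local_addr}:{lst.port} pid={lst.pid} {lst.image}: {reason}")
```

The allow-list is keyed on the owning image as well as the port, because a backdoor that takes over a well-known port (80 in the lab) is invisible to a port-only check; the second finding, the unknown port 7777, is the case a port-only check does catch.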
TASK 2: Autoruns
1. Go to the Windows Server 2012 Virtual Machine.
2. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns.
3. It lists all processes, DLLs, and services configured to start automatically.
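Autoruns presents hundreds of entries, so the reviewer needs a consistent way to decide which ones deserve a look. The following is an added example (not code from the lab or from Sysinternals) that applies three of the heuristics an analyst uses in the Autoruns window to a CSV export: the signer is not verified, the image lives in a user-writable directory such as Temp, AppData or ProgramData, and a file named like a system binary (svchost.exe, lsass.exe, ...) sits outside System32/SysWOW64. The CSV below is constructed; its column names are modelled on the `autorunsc -a * -c` export (an assumption, since column sets differ between versions, so check the header of your own export). Two rows mirror the lab: W3SVC running as svchost.exe -k iissvcs, and the RAT's httpserver.exe.

```python
"""Added example: triage autostart entries from an Autoruns CSV export.
Not code from the CEH lab or from Sysinternals; the CSV is constructed."""
import csv
import io
import re

# Constructed export; header modelled on autorunsc -c output (assumption).
AUTORUNS_CSV = """\
Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\\windows\\system32\\securityhealthsystray.exe,%windir%\\system32\\SecurityHealthSystray.exe
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,httpserver,enabled,Logon,(Not verified),c:\\users\\admin\\appdata\\local\\temp\\httpserver.exe,C:\\Users\\admin\\AppData\\Local\\Temp\\httpserver.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,W3SVC,disabled,Services,(Verified) Microsoft Windows,c:\\windows\\system32\\svchost.exe,%windir%\\system32\\svchost.exe -k iissvcs
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Snagit,enabled,Logon,(Verified) TechSmith Corporation,c:\\program files (x86)\\techsmith\\snagit 11\\snagit32.exe,C:\\Program Files (x86)\\TechSmith\\Snagit 11\\Snagit32.exe /i
HKLM\\SYSTEM\\CurrentControlSet\\Services,svcupd,enabled,Services,(Not verified) Microsoft Corporation,c:\\programdata\\svcupd\\svchost.exe,C:\\ProgramData\\svcupd\\svchost.exe
"""

# Directories an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|downloads|public)\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Names malware borrows so that it blends into Task Manager and TCPView.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                      "winlogon.exe", "services.exe", "explorer.exe"}


def load_entries(csv_text):
    """Parse the export into dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(entries):
    """Return [(entry name, location, [reasons])] for enabled entries that trip
    at least one heuristic, in file order. Disabled entries are skipped because
    they cannot start (Autoruns keeps them only so they can be re-enabled)."""
    findings = []
    for row in entries:
        if row["Enabled"].strip().lower() != "enabled":
            continue
        image = row["Image Path"].strip().lower()
        reasons = []
        if not row["Signer"].strip().startswith("(Verified)"):
            reasons.append("signer not verified")
        if USER_WRITABLE.search(image):
            reasons.append("image in user-writable directory")
        name = image.rsplit("\\", 1)[-1]
        if name in SYSTEM_IMAGE_NAMES and not SYSTEM_DIRS.match(image):
            reasons.append(f"{name} outside System32/SysWOW64 (possible masquerade)")
        if reasons:
            findings.append((row["Entry"], row["Entry Location"], reasons))
    return findings


if __name__ == "__main__":
    for entry, location, reasons in triage(load_entries(AUTORUNS_CSV)):
        print(f"{entry} @ {location}\n  - " + "\n  - ".join(reasons))
```

The W3SVC row is skipped because it is disabled, exactly as the HTTP RAT lab left it; the svcupd row collects all three reasons, which is the profile of a service installed to survive reboots while pretending to be svchost.exe. A "(Verified)" signer on its own clears nothing: signed binaries are abused too, so treat it as one signal among several rather than an exemption.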

C E H La b M anual Page 472

E th ic a l H ack in g and Counterm easures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

More Related Content

What's hot

Aisha_Isaacs_updated_cv
Aisha_Isaacs_updated_cvAisha_Isaacs_updated_cv
Aisha_Isaacs_updated_cvAisha Isaacs
 
Elements of mechanical engineering (notes)
Elements of mechanical engineering (notes)Elements of mechanical engineering (notes)
Elements of mechanical engineering (notes)Ahmad Sakib
 
Lap machine manual
Lap machine manualLap machine manual
Lap machine manualMuqthiar Ali
 
Francis cv 27 05-2013
Francis cv 27 05-2013Francis cv 27 05-2013
Francis cv 27 05-2013Francis Bell
 
Catchy web pages via Wordpress
Catchy web pages via WordpressCatchy web pages via Wordpress
Catchy web pages via WordpressBUDNET
 
Breezeway rivulet park
Breezeway   rivulet parkBreezeway   rivulet park
Breezeway rivulet parkJohn Latham
 
PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%
PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%
PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%GoLeanSixSigma.com
 
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...ÉTAMINE STUDIOS
 
Building the Organization of the Future: Leveraging Machine Learning
Building the Organization of the Future: Leveraging Machine LearningBuilding the Organization of the Future: Leveraging Machine Learning
Building the Organization of the Future: Leveraging Machine LearningAmazon Web Services
 

What's hot (19)

Aisha_Isaacs_updated_cv
Aisha_Isaacs_updated_cvAisha_Isaacs_updated_cv
Aisha_Isaacs_updated_cv
 
Elements of mechanical engineering (notes)
Elements of mechanical engineering (notes)Elements of mechanical engineering (notes)
Elements of mechanical engineering (notes)
 
Lap machine manual
Lap machine manualLap machine manual
Lap machine manual
 
Francis cv 27 05-2013
Francis cv 27 05-2013Francis cv 27 05-2013
Francis cv 27 05-2013
 
H3LP DTR V.2.0.
H3LP DTR V.2.0.H3LP DTR V.2.0.
H3LP DTR V.2.0.
 
Catchy web pages via Wordpress
Catchy web pages via WordpressCatchy web pages via Wordpress
Catchy web pages via Wordpress
 
Metodo de einsten capacidad de transporte
Metodo de einsten   capacidad de transporteMetodo de einsten   capacidad de transporte
Metodo de einsten capacidad de transporte
 
Asia Offer Latter
Asia Offer LatterAsia Offer Latter
Asia Offer Latter
 
diploma1
diploma1diploma1
diploma1
 
portfolio2014_StK-s
portfolio2014_StK-sportfolio2014_StK-s
portfolio2014_StK-s
 
Evaluation question 4
Evaluation question 4Evaluation question 4
Evaluation question 4
 
Breezeway rivulet park
Breezeway   rivulet parkBreezeway   rivulet park
Breezeway rivulet park
 
Transcripts and PC
Transcripts and PCTranscripts and PC
Transcripts and PC
 
PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%
PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%
PROJECT STORYBOARD: Increasing First Run Parts From 60% to 90%
 
L4G_2015_BROCHURE
L4G_2015_BROCHUREL4G_2015_BROCHURE
L4G_2015_BROCHURE
 
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...
Understanding Online Consumer Behavior in Fashion E-commerce by the applicati...
 
Html + wordpress ppt.
Html + wordpress ppt.Html + wordpress ppt.
Html + wordpress ppt.
 
Building the Organization of the Future: Leveraging Machine Learning
Building the Organization of the Future: Leveraging Machine LearningBuilding the Organization of the Future: Leveraging Machine Learning
Building the Organization of the Future: Leveraging Machine Learning
 
YIEF-2011
YIEF-2011YIEF-2011
YIEF-2011
 

Viewers also liked

Ceh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsCeh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsMehrdad Jingoism
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationMehrdad Jingoism
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingMehrdad Jingoism
 
Ce hv8 module 14 sql injection
Ce hv8 module 14 sql injectionCe hv8 module 14 sql injection
Ce hv8 module 14 sql injectionMehrdad Jingoism
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsMehrdad Jingoism
 
Who the hell is going to use this thing?
Who the hell is going to use this thing?Who the hell is going to use this thing?
Who the hell is going to use this thing?Faran Jessani
 
Ceh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionCeh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionMehrdad Jingoism
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsMehrdad Jingoism
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceMehrdad Jingoism
 
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...Jon Ernstberger
 
Tarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticosTarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticos19943812
 
Ceh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networksCeh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networksMehrdad Jingoism
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersMehrdad Jingoism
 

Viewers also liked (18)

Ceh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypotsCeh v8 labs module 17 evading ids, firewalls and honeypots
Ceh v8 labs module 17 evading ids, firewalls and honeypots
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumeration
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hacking
 
Ce hv8 module 14 sql injection
Ce hv8 module 14 sql injectionCe hv8 module 14 sql injection
Ce hv8 module 14 sql injection
 
Ce hv8 module 00
Ce hv8 module 00Ce hv8 module 00
Ce hv8 module 00
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
case brief
case briefcase brief
case brief
 
VAN HALEN IIenfatizzato
VAN HALEN IIenfatizzatoVAN HALEN IIenfatizzato
VAN HALEN IIenfatizzato
 
Who the hell is going to use this thing?
Who the hell is going to use this thing?Who the hell is going to use this thing?
Who the hell is going to use this thing?
 
Ceh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionCeh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injection
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applications
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissance
 
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
High Speed Parameter Estimation for a Homogenized Energy Model- Doctoral Defe...
 
Tarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticosTarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticos
 
Legacy Project
Legacy ProjectLegacy Project
Legacy Project
 
Ceh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networksCeh v8 labs module 15 hacking wireless networks
Ceh v8 labs module 15 hacking wireless networks
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
Ceh v8 labs module 00
Ceh v8 labs module 00Ceh v8 labs module 00
Ceh v8 labs module 00
 

Similar to Ceh v8 labs module 06 trojans and backdoors

Classroom Structuring and Management.ppt
Classroom Structuring and Management.pptClassroom Structuring and Management.ppt
Classroom Structuring and Management.pptBelceZeusAsuncion1
 
Cisa domain 2 part 3 governance and management of it
Cisa domain 2 part 3 governance and management of itCisa domain 2 part 3 governance and management of it
Cisa domain 2 part 3 governance and management of itShivamSharma909
 
From Data to Knowledge
From Data to KnowledgeFrom Data to Knowledge
From Data to KnowledgeFabien Richard
 
TELEPHONE BILLING SYSTEM
TELEPHONE BILLING SYSTEMTELEPHONE BILLING SYSTEM
TELEPHONE BILLING SYSTEMShailesh kumar
 
Hacking web applications CEHv8 module 13
Hacking web applications CEHv8 module 13Hacking web applications CEHv8 module 13
Hacking web applications CEHv8 module 13Wise Person
 
The evolution of the internet
The evolution of the internetThe evolution of the internet
The evolution of the internetRachelQuince
 
CYBER DEFENCE SCENARIOS - Part 2: Building The Blue Team
CYBER DEFENCE SCENARIOS - Part 2: Building The Blue TeamCYBER DEFENCE SCENARIOS - Part 2: Building The Blue Team
CYBER DEFENCE SCENARIOS - Part 2: Building The Blue TeamUniversity of Hertfordshire
 
Diapositivas seminario biologia molecular .pdf
Diapositivas seminario biologia molecular .pdfDiapositivas seminario biologia molecular .pdf
Diapositivas seminario biologia molecular .pdfNataliaFlrezSalazar
 
Scanned by CamScannerO n e o f S w ia liz e ď s e x .docx
Scanned by CamScannerO n e  o f  S w ia liz e ď  s  e x .docxScanned by CamScannerO n e  o f  S w ia liz e ď  s  e x .docx
Scanned by CamScannerO n e o f S w ia liz e ď s e x .docxanhlodge
 
1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptx
1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptx1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptx
1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptxJohnLagman3
 
InstructionsDo the following and submit the completed assignment.docx
InstructionsDo the following and submit the completed assignment.docxInstructionsDo the following and submit the completed assignment.docx
InstructionsDo the following and submit the completed assignment.docxdirkrplav
 
Presentation For Minnor Project MCET
Presentation For Minnor Project MCETPresentation For Minnor Project MCET
Presentation For Minnor Project MCETShhuvradipChakrabort
 
Experience Certificate - Innovative Homes and Developers_1
Experience Certificate - Innovative Homes and Developers_1Experience Certificate - Innovative Homes and Developers_1
Experience Certificate - Innovative Homes and Developers_1Soorya Prakash
 
Error Handling and Alerting for Node JS Applications
Error Handling and Alerting for Node JS ApplicationsError Handling and Alerting for Node JS Applications
Error Handling and Alerting for Node JS ApplicationsAbraar Syed
 
Presentation_NVL_Island7juni2022.pptx
Presentation_NVL_Island7juni2022.pptxPresentation_NVL_Island7juni2022.pptx
Presentation_NVL_Island7juni2022.pptxEbba Ossiannilsson
 

Similar to Ceh v8 labs module 06 trojans and backdoors (20)

Classroom Structuring and Management.ppt
Classroom Structuring and Management.pptClassroom Structuring and Management.ppt
Classroom Structuring and Management.ppt
 
Cisa domain 2 part 3 governance and management of it
Cisa domain 2 part 3 governance and management of itCisa domain 2 part 3 governance and management of it
Cisa domain 2 part 3 governance and management of it
 
From Data to Knowledge
From Data to KnowledgeFrom Data to Knowledge
From Data to Knowledge
 
Its My Data Not Yours!
Its My Data Not Yours!Its My Data Not Yours!
Its My Data Not Yours!
 
TELEPHONE BILLING SYSTEM
TELEPHONE BILLING SYSTEMTELEPHONE BILLING SYSTEM
TELEPHONE BILLING SYSTEM
 
Hacking web applications CEHv8 module 13
Hacking web applications CEHv8 module 13Hacking web applications CEHv8 module 13
Hacking web applications CEHv8 module 13
 
The evolution of the internet
The evolution of the internetThe evolution of the internet
The evolution of the internet
 
CYBER DEFENCE SCENARIOS - Part 2: Building The Blue Team
CYBER DEFENCE SCENARIOS - Part 2: Building The Blue TeamCYBER DEFENCE SCENARIOS - Part 2: Building The Blue Team
CYBER DEFENCE SCENARIOS - Part 2: Building The Blue Team
 
Diapositivas seminario biologia molecular .pdf
Diapositivas seminario biologia molecular .pdfDiapositivas seminario biologia molecular .pdf
Diapositivas seminario biologia molecular .pdf
 
Engineer Internship
Engineer InternshipEngineer Internship
Engineer Internship
 
Scanned by CamScannerO n e o f S w ia liz e ď s e x .docx
Scanned by CamScannerO n e  o f  S w ia liz e ď  s  e x .docxScanned by CamScannerO n e  o f  S w ia liz e ď  s  e x .docx
Scanned by CamScannerO n e o f S w ia liz e ď s e x .docx
 
1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptx
1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptx1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptx
1-SYSTEM-ANALYSIS-AND-DESIGN-INTRODUCTION.pptx
 
InstructionsDo the following and submit the completed assignment.docx
InstructionsDo the following and submit the completed assignment.docxInstructionsDo the following and submit the completed assignment.docx
InstructionsDo the following and submit the completed assignment.docx
 
Presentation For Minnor Project MCET
Presentation For Minnor Project MCETPresentation For Minnor Project MCET
Presentation For Minnor Project MCET
 
Endorsements
EndorsementsEndorsements
Endorsements
 
TRUTH, SITUATION, & CONTEXT AWARENESS
TRUTH, SITUATION, & CONTEXT AWARENESSTRUTH, SITUATION, & CONTEXT AWARENESS
TRUTH, SITUATION, & CONTEXT AWARENESS
 
Manejo del dolor con medicamentos Guna
Manejo del dolor con medicamentos GunaManejo del dolor con medicamentos Guna
Manejo del dolor con medicamentos Guna
 
Experience Certificate - Innovative Homes and Developers_1
Experience Certificate - Innovative Homes and Developers_1Experience Certificate - Innovative Homes and Developers_1
Experience Certificate - Innovative Homes and Developers_1
 
Error Handling and Alerting for Node JS Applications
Error Handling and Alerting for Node JS ApplicationsError Handling and Alerting for Node JS Applications
Error Handling and Alerting for Node JS Applications
 
Presentation_NVL_Island7juni2022.pptx
Presentation_NVL_Island7juni2022.pptxPresentation_NVL_Island7juni2022.pptx
Presentation_NVL_Island7juni2022.pptx
 

Ceh v8 labs module 06 trojans and backdoors

  • 1. CEH Lab Manual T ro ja n s a n d B a c k d o o rs M o d u le 06
  • 2. M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s T ro ja n s a n d B a c k d o o r s A Trojan is a program th a t contains a m alicious or harm ful code inside apparently harm less program m ing or data in such a iray th a t i t can g et control and cause damage, such as m ining the file allocation table on a hard drive. I CON KEY ^~! V a l u a b l e 1 L a b S c e n a rio A c c o r d in g to B a n k In t o s e r io u s r is k s S e c u r it y N e w s (h t t p :/ / w w w .b a n k in f o s e c u r it y .c o m ), in f o r m a tio n T r o ja n s T est tout k n o w l e d g e ____________ m W e b e x e r c is e c o m p o s e p r o m is e d d e v ic e is w h ic h 111 m A n d r o id p o t e n t ia lly a n a lic io u s a p p s a re a n y d e v ic e s , a t o p e n t o r r is k th e F B b e c a u s e e n v ir o n m a r o u n d , p e r s o n a l e n t s o is I th e a re th e a n d s e n s itiv e w a r n s . r e a l im B u t p r o b le m p o s s ib le p o t e n tia l f o r in f o r m e x p e r ts is to a t io n s a y a n y m a lic io u s c o n t r o l. fin a n c ia l s to r e d m 0 11 o b ile a p p lic a tio n s , A n d a n y w h e r e fr a u d . W o r k b o o k r e v ie w A c c o r d in g a d v a n c e d to c a p t u r in g a c c e s s s o ld Y o u a re t h e f t b la c k a s e c u r ity e x p e r ts , a ta k e t h e n t h e m T r o ja n th e k e y lo g g e r th a t b a n k in g th a t u s e s t o le n o v e r , is T r o ja n s t e a ls a n d lo g in I D s c h e d u le s p e c ific a lly k n o w n s a s a n b y p a s s w o r d s a n d c it a d e l, c r e d e n tia ls o n lin e - b a n k in g to fr a u d u le n t d e s ig n e d f o r tr a n s a c tio n s . f in a n c ia l fr a u d a n d m a r k e t. a d m p r o t e c t in g o f v a lu a b le is H a c k e r s t in s th e in c lu d e z e u s , a c c o u n t s , c r e a te d 0 1 1 s e c u r ity o f k e y s tr o k e s . 
o n lin e H a c k e r s c y b e r v a r ia n t th e d a ta in is t r a t o r n e t w o r k f r o m o f y o u r f r o m th e c o m T r o ja n s n e t w o r k , a n d p a n y , a n d a n d y o u r b a c k d o o r s , id e n t it y jo b r e s p o n s ib ilit ie s T r o ja n a tta c k s , th e th e ft. L a b O b je c tiv e s T h e o b je c t iv e o f tin s o f th e la b is to h e lp s tu d e n ts le a r n to d e te c t Trojan a n d backdoor a tta c k s . T h e o b je c t iv e a la b in c lu d e : ■ C r e a t in g s e r v e r ■ D e t e c t in g T r o ja n s ■ A t t a c k in g a a n d t e s tin g a n d n e t w o r k v u ln e r a b ilitie s & Tools a n d a n e t w o r k f o r a tta c k b a c k d o o r s u s in g fla w s s a m p le T r o ja n s a n d d o c u m e n t in g a ll d e te c te d L a b E n v iro n m e n t demonstrated in this lab are available in T o c a r r y ‫י‬ o u t A t in s , y o u n e e d : Window Server 2008 c o m p u t e r r u n n in g a s G u e s t- 1 in v ir t u a l m a c h in e D EH :C ToolsCEHv8 ‫י‬ Window 7 r u n n in g a s G u e s t- 2 in v ir t u a l m a c h in e Module 06 Trojans C E H La b M anual Page 425 ‫י‬ A ■ and Backdoors w e b b r o w s e r w it h A d m in is tr a tiv e In te r n e t p r iv ile g e s to a c c e s s r u n t o o ls E th ic a l H ack in g and Countem ieasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
  • 3. M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s L a b D u r a t io n T im e : 4 0 M in u t e s O v e r v ie w A T r o ja n is a d a m a g e , s u c h it h p r o g r a m th a t programming h a r m le s s W o f T r o ja n s a n d B a c k d o o r s th e a s h e lp c o m p u te r o f a n d pictures, 0 1‫־‬ r u in in g d a ta a n d / 0 1‫ ־‬s h o w b e s u c h 111 a a n a b le m e s s a g e s re a d w a y th a t 0 11 a a c c e s s p e r s o n a l th e 0 11 h a r m g e ts a tta c k e r to o r t a b le file allocation d ie Trojan, a w o u ld malicious c o n t a in s it t ill c o d e get control c a n h a r d in s id e a p p a r e n tly a n d c a u s e d is k . stored passwords to 111 a delete files, display d o c u m e n ts , s c re e n . La b T ask s TASK 1 P ic k Overview a n o r g a n iz a t io n d ia t y o u e d u c a t io n a l in s tit u t io n , a R e c o m m e n d e d la b s ■ C r e a t in g ■ W ■ P r o x y ■ H a r a p p in g T T P to a s s is t y o u S e r v e r a f e e l is w o r t h y o f y o u r c o m m e r c ia l c o m p a n y , w id i T r o ja n s U s in g T r o ja n th e U s in g P r o R a t O n e F ile a tte n tio n . 0 1‫ ־‬p e r h a p s a n d a T in s c o u ld b e a n n o n p r o t it c h a r ity . b a c k d o o rs : to o l E X E M a k e r S e r v e r T r o ja n T r o ja n ■ R e m o t e A c c e s s ‫י‬ D e te c t in g T r o ja n s U s in g A t e lie r W e b R e m o t e la b C o m e x e r c is e . 
m a n d e r T r o ja n s ‫י‬ C r e a t in g a S e r v e r U s in g th e T h e e t ■ C r e a t in g a S e r v e r U s in g th e B io d o x ■ C r e a t in g a S e r v e r U s in g th e M ‫י‬ H a c k W in d o w s 7 u s in g o S u c k e r M e ta s p lo it L a b A n a ly s is A n a ly z e y o u r a n d t a r g e t ’s P L E A S E d o c u m e n t s e c u n ty T A L K th e r e s u lts p o s tu r e T O Y O U R C E H La b M anual Page 426 a n d R r e la te d I N E L A to e x p o s u r e S T T E D R U C T O th e d ir o u g h T O T H R I F I S G iv e p u b lic a n d Y O H U y o u r tre e A V E o p in io n 0 11 in f o r m a tio n . Q U E S T I O N S L A B . E th ic a l H ack in g and Countem ieasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
  • 4. M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s Lab C r e a tin g a S e r v e r U s in g t h e P r o R a t T ool A Trojan is a program th a t contains m alicious or harm ful code inside apparent/)‫׳‬ harm less program m ing or data in such a way th a t i t can g et control and cause damage, such as m ining the file allocation table on a hard drive. I CON KEY 1 ^ 7 V a lu a b le L a b S c e n a r io A s m o r e a n d m o r e p e o p le r e g u la r ly u s e th e In t e r n e t , c y b e r s e c u r ity is b e c o m in g in f o r m a tio n m T est you r k n o w le d g e = W e b e x e r c is e o r e a re im u s in g in f o r m W o r k b o o k r e v ie w m a t io n In t e r n e t h a c k e r s m p o r t a n t c o m m e a lw a r e b y c a n a ls o h a c k e r s h a c k n o t w it h a n d y e t p e r s o n a l s y s te m s o n ly s n if f y o u r p e o p le a t io n , v ir u s e s , m e a n s a c h in e . a re s , y o u r t h a t n o t fin a n c ia l w o r m p r o t e c t in g d a ta , w h ic h m a n y in f o r m w it h a b o u t a n o t h e r m th e O t h e r a n d m a w a r e d a ta , h a c k e r s it . a n d T r o ja n a c h in e a tta c k s o f b u s in e s s h o r s e s . f r o m c a n H a c k e r m lis t e n in c lu d e B u t a lw a r e ; to y o u r s p o o fin g , h ija c k in g . m a y d e n ia l- o f - s e r v ic e b u s in e s s . to is u n ic a t io n a n d e v e r y o n e , in f e c t in g s e c u r ity m a p p in g , S o m f o r ta k e c o n t r o l a tta c k , A g a in s t w h ic h o f y o u r m a k e s h ig h - p r o file w e b a n d m ta r g e t a n y c o m s e r v e rs o t h e r p u t e r s s u c h a s m a c h in e s to u n a v a ila b le b a n k s a n d c o n d u c t f o r n o r m c r e d it a a l c a r d g a te w a y s . 
Y o u a re in c lu d e t h e ft a s e c u r ity a d m in is t r a t o r p r o t e c t in g th e n e t w o r k o f v a lu a b le d a ta f r o m th e o f y o u r f r o m c o m p a n y , T r o ja n s n e t w o r k , a n d a n d a n d id e n t it y y o u r jo b b a c k d o o r s , r e s p o n s ib ilit ie s T r o ja n a tta c k s , th e ft. L a b O b je c t iv e s T h e o b je c t iv e o f tin s la b is to h e lp s tu d e n ts le a r n to d e te c t T r o ja n a n d b a c k d o o r & Tools demonstrated in this lab are a tta c k s . T h e o b je c tiv e s o f th e la b in c lu d e : available in D EH :C ToolsCEHv8 ■ C r e a t in g ■ D e t e c t in g a s e r v e r T r o ja n s a n d a n d te s tin g th e n e t w o r k f o r a tta c k b a c k d o o r s Module 06 Trojans and Backdoors C E H La b M anual Page 427 E th ic a l H ack in g and Counterm easures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
  • 5. M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s ‫י‬ A t t a c k in g a n e t w o r k v u ln e r a b ilitie s a n d u s in g fla w s s a m p le T r o ja n s a n c l d o c u m e n t in g a ll d e te c te d L a b E n v ir o n m e n t T o e a r n ‫ ״‬t in s ■ o u t, y o u Prorat T h e n e e d : t o o l lo c a t e d D:CEH-ToolsCEHv8 Module 06 Trojans a t and BackdoorsTrojans TypesRemote Access Trojans (RAT)ProRat ■ A c o m p u t e r r u n n in g W in d o w s ■ A c o m p u t e r r u n n in g Window 8 (Virtual Machine) ■ Windows Server 2008 ‫י‬ A ‫י‬ w e b b r o w s e r A d m in is tr a tiv e S e r v e r r u n n in g p r iv ile g e s to as H o s t M a c h in e 111 V ir t u a l M a c h in e Internet w it h 2 0 1 2 a c c e s s t o o ls 11111 L a b D u r a t io n T u n e : 2 0 M in u t e s O v e r v ie w o f T r o ja n s a n d B a c k d o o r s A T r o ja n h a r m le s s is a d a m a g e , s u c h Note: T h e d iffe r fr o m c lie n t is p r o g r a m th a t p r o g r a m m in g th e a s r u in in g v e r s io n s d a ta d ie file o f th e w h a t is in s a m e a s s h o w n d ie malicious c o n t a in s o r in a a llo c a tio n c r e a te d la b , s u c h t a b le C lie n t o r b u t 111 d iis th e w a y o n H o s t a c u ia l o r h a r m fu l th a t a it c a n h a r d a n d p ro c e s s c o d e a p p a r e n tly a n d c a u s e d r iv e . a p p e a r a n c e o f in s id e get control c r e a tin g o f th e th e w e b s it e s e r v e r a n d m a y d ie la b . La b T ask s L a u n c h W in d o w s Create Server V ir t u a l M a c h in e a n d n a v ig a t e to Z:CEHv8 Module (RAT)ProRat. with ProRat 2. D o u b le - c lic k 3 . C E H La b M anual Page 428 8 06 Trojans and BackdoorsTrojans TypesRemote Access Trojans C lic k ProRat.exe 111 W Create Pro Rat Server in d o w s t o 8 V ir t u a l M s ta r t p r e p a r in g to a c h in e . c r e a te a s e r v e r. E th ic a l H ack in g and Counterm easures Copyright © by EC-Council A ll Rights Reserved. 
Reproduction is Stricdy Prohibited.
  • 6. M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s PflD H R C H .n ET Pf?D FE55 ID r> H L HTTEHnET !!! Cne o n ct English PCIn fo M ssag e e Ap a n p lic tio s W dw in o s A m -T d in F P F n yS ff F M n g r u n tu ile a a e !E p re x lo r SearchF s ile Rg e istry C n l Pan o tro el S u D w PC ht o n C ba lip o rd K yL g e e o gr G D mg P ssw rd ive a a e a o s R D w lo e . o n dr P te rin r O lin E ito P C n ective n e d r ro o n Ca re te ‫ י‬C e t Downloader S r e ( K a t ► rae evr 2 by) C e t C I V c i Ls ( 6K a t r a e G i t m it 1 b y ) ^Help F IG U R E 4 . T h e Create Server w in d o w 1 .1 : P r o R a t m a i n w i n d o w a p p e a r s . Create Server Pro on ective N tifica n(N o an R u C n o tio etw rk d o ter) Supports Reverse Connection ‫ ט‬U Pro onn se C ective N tifica n o tio » un *p o o. o1 .c m IP (D S) A d ss: N d re N tifica n o tio s 1 y= J P a s s w o r d b u tto n : R e t r ie v e p a s s w o rd s fr o m G eral Settin s en g m a n y s e r v i c e s , s u c h as T est M il N tifica n a o tio p o p 3 a c c o u n ts , m e sse n g e r, I E , m a il, e tc. D oesn't support R everse Connection B dw File in ith T est Q U M il N tifica n se a o tio o b rmn y h o o E-M AIL: b m e a @ a o .c m Server Ex n n te sio s IC Pager N tifica n Q o tio D oesn't support R everse Connection Q U IC Pager N tifica n se Q o tio Server Icon icquin: T est [r] C I N tifica n G o tio D oesn't support R everse Connection W) H lp e Server Siz e: r T est Q U C I N tifica n se G o tio ttp w .y u . o / i- in p ra g C I URL: h ://w w o rsite c rn cg b / ro tc i G C reate Server 3 2K ayt 4 b F IG U R E 5 . C lic k General Settings Password, Victim Name, o v e r 6 . C E H La b M anual Page 429 th e U n c h e c k c o n n e c t io n th e y o u h ig h lig h t e d to 1 .2 : P r o R a t C r e a t e S e r v e r W i n d o w c h a n g e a n d h a v e th e to options fe a tu r e s , s u c h Port Number th e v ic t im o r a s s h o w n 111 Server Port. 
Server a s y o u liv e th e w is h th e to c o n n e c t s e t tin g s f o llo w in g d e fa u lt . s c r e e n s h o t. E th ic a l H ack in g and Counterm easures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
  • 7. M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s Server P rt: o Server Passw rd o : V N m: ictim a e Q 3 ea fake e r mssa e iv rro e g . Q •1l server o inta •e t n s ll. Q C A -FWo s rt. ill V n ta Q d a leW is b indow XP SP2 Secu C n r s rity e te I... Q D leW isab indow XP F w ll. s ire a Q Ha W e r indow XP R s estore P in o ts. Q )on't sen LA n tifica n fro (i9 .i6 .”.“j o (1 .*.x j d N o tio s m 2 8 r 0 .x I IPro tectio fo re o in Local Server n r mv g In isib v ility Q H e Processes fro A T M ag (9 /2 /X id m ll ask an ers x k P) Q H eV id alues F mA k do R istry Ed rs(9 /2 P) ro ll in f eg ito x k/X Q H e N es F mM n (9 /2 /K id am ro sco fig x k P) Q U Te in teProcess (2k/XP) n rm a G eral Settin s en g B dw File in ith Server Ex n n te sio s Server Icon Ity ! N o te : y o u can use D y n a m ic D N S to c o n n e c t o v e r th e In t e r n e t b y u s in g n o - i p a c c o u n t r e g is t r a t io n . Server Siz e: r C reate Server 3 2K ayt 4 b F IG U R E 7 . 8 . Bind with File C lic k u s in g .jpg th e C h e c k file to to 1 .3 : P r o R a t C r e a t e S e r v e r - G e n e r a l S e t t i n g s b in d b in d th e th e s e r v e r w it h a file ; 111 t in s la b w e a re s e r v e r. Bind server with a file. C lic k Select File, a n d n a v ig a t e to Z:CEHv8 Module 06 Trojans and BackdoorsTrojans TypesRemote Access Trojans (RAT)ProRatlmages. 9 . m S e le c t th e Girl.jpg file to b in d w it h th e s e r v e r. C lip b o a rd : T o re a d d ata fro m ra n d o m access T is File w b B d d h ill e in e : m e m o ry. B dw File in ith Server Ex n n te sio s Server Icon Server Siz e: C reate Server 3 2K ayt 4 b I-------------F IG U R E C E H La b M anual Page 430 1 .4 : P r o R a t B i n d i n g w i t h a f ile E th ic a l H ack in g and Counterm easures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
10. Select Girl.jpg in the window and then click Open to bind the file.

VNC Trojan: starts a server daemon in the infected system.

FIGURE 1.5: ProRat binding an image

11. Click OK after selecting the image for binding with the server.

File manager: To manage the victim directory (add, delete, and modify).

12. In the Server Extensions settings, select EXE (Has icon support) in the Select Server Extension options.
Give Damage: To format the entire system files.

FIGURE 1.7: ProRat Server Extensions Settings

13. In the Server Icon settings, select any of the icons, and click the Create Server button at the bottom right of the ProRat window.

It connects to the victim using any VNC viewer with the password "secret."

FIGURE 1.8: ProRat creating a server

14. Click OK after the server has been prepared, as shown in the following screenshot.
FIGURE 1.9: ProRat Server has created

15. Now you can send the created server file to the victim's machine by mail or any other communication media, for example, as a celebration file to run.

SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.

FIGURE 1.10: ProRat Create Server

16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.

17. Double-click binder_server.exe as shown in the following screenshot.
FIGURE 1.11: ProRat in Windows Server 2008

18. Now switch to the Windows 8 Virtual Machine, enter the IP address of Windows Server 2008 in the ProRat main window, leave the port number as the default, and click Connect.

ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol that is undetectable.

19. In this lab, the IP address of Windows Server 2008 is 10.0.0.13. Note: IP addresses might differ in classroom labs.

FIGURE 1.12: ProRat Connecting Infected Server

20. Enter the password you provided at the time of creating the server and click OK.
FIGURE 1.13: ProRat connection window

21. Now you are connected to the victim's machine. To test the connection, click PC Info and choose the victim machine's information, as shown in the following figure.

Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.

FIGURE 1.14: ProRat connected computer window

TASK 2: Attack System Using Keylogger

22. Now click KeyLogger to steal user passwords for the online system.

FIGURE 1.15: ProRat KeyLogger button
23. The Key Logger window will appear.

This Trojan works like remote desktop access. The hacker gains complete GUI access to the remote system:
■ Infect the victim's computer with server.exe and plant a Reverse Connecting Trojan.
■ The Trojan connects from the victim's port to the attacker, establishing a reverse connection.
■ The attacker then has complete control over the victim's machine.

FIGURE 1.16: ProRat KeyLogger window

24. Now switch to the Windows Server 2008 machine, open a browser or Notepad, and type any text (in this lab a test message is typed in Notepad: "Hi there, this is my username: xyz@yahoo.com password: ...").

Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.

FIGURE 1.17: Test message typed in Windows Server 2008 Notepad

25. While the victim is writing a message or entering a user name and password, you can capture the log data for that entity.

26. Now switch to the Windows 8 Virtual Machine and click Read Log to check for log updates from the victim machine.
FIGURE 1.18: ProRat KeyLogger window

27. Now you can use a lot of ProRat's features on the victim's machine.

Note: The ProRat Keylogger will not read special characters.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Create a server with advanced options such as Kill AV-FW on victim start, disable Windows XP Firewall, etc., send it to the victim machine, and verify whether you can connect to the victim machine.

2. Evaluate and examine various methods to communicate with the victims if they are in other cities or countries.
Tool/Utility: ProRat

Information Collected/Objectives Achieved:
  Successful Output: Binded server.exe creation
  PC Information:
    Computer Name: WIN-EGBHISG14LO
    User Name: Administrator
    Windows Ver:
    Windows Language: English (United States)
    Windows Path: c:\windows
    System Path: c:\windows\system32
    Temp Path: c:\Users\ADMINI~1
    Product ID:
    Workgroup: NO
    Data: 9/23/2012

Internet Connection Required: ☐ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs
Lab
Wrapping a Trojan Using One File EXE Maker

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Icon key: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

Sometimes an attacker makes a very secure backdoor, even more secure than the normal way of getting into the system (for example, a password), in order to keep getting into the victim's system in the future. Compared with the normal way in, a backdoor makes it a lot easier for the attacker to get into the victim's system, and it is usually installed without the knowledge of the user. Attackers install backdoors in many ways: one way is to embed a message or an ActiveX control on a website, so that when the user visits the website and runs the ActiveX, the backdoor is installed on his or her machine; another way is to have the user download and run an application from chat, e-mail, or a website. A backdoor running as an SSH service with its own authentication makes it harder for anyone else to access the system, while the attacker can log in at will and control the victim's system. Protecting systems from such backdoors requires extensive knowledge of Trojans and backdoors.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of the lab include:
■ Wrapping a Trojan with a game in Windows Server 2008
■ Running the Trojan to access the game on the front end
■ Analyzing the Trojan running in the back end

Lab Environment

To carry out this lab, you need:
■ The OneFileEXEMaker tool, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: OneFile EXE Maker

1. Install OneFileEXEMaker on the Windows Server 2008 Virtual Machine.

The tool's home screen identifies itself as Senna Spy One EXE Maker 2000 - 2.0a (Official Website: http://sennaspy.tsx.org, e-mail: senna_spy@hotmail.com): "Join many files and make a unique EXE file. This program allow join all kind of files: exe, dll, ocx, txt, jpg, bmp... Automatic OCX file register and Pack files support. Windows 9x, NT and 2000 compatible!"

FIGURE 3.1: OneFile EXE Maker Home screen
2. Click the Add File button, browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris, and add the Lazaris.exe file.

You can set various tool options such as Open mode, Copy to, and Action.

FIGURE 3.2: Adding Lazaris game

3. Click Add File, browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans, and add the mcafee.exe file.

FIGURE 3.3: Adding MCAFEE.EXE proxy server

4. Select Mcafee and type 8080 in the Command Line Parameters field.
FIGURE 3.4: Assigning port 8080 to MCAFEE

5. Select Lazaris and check the Normal option in Open Mode.

FIGURE 3.5: Setting Lazaris open mode

6. Click Save, browse to the desktop, and save the file there with the name Tetris.exe.
FIGURE 3.6: Trojan created

7. Now double-click the Tetris.exe file. This will launch the Lazaris game on the front end, while MCAFEE.EXE runs in the background.

FIGURE 3.7: Lazaris game running

8. Now open Task Manager and click the Processes tab to check that the Lazaris game is running.
The Processes tab shows both LAZARIS.EXE and MCAFEE.EXE running under the Administrator account.

FIGURE 3.8: MCAFEE in Task manager

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OneFile EXE Maker

Information Collected/Objectives Achieved:
  Output: Using a backdoor, execute Tetris.exe

Questions

1. Use the various other options in the Open mode, Copy to, and Action sections of OneFile EXE Maker and analyze your results.

2. How will you secure your computer from OneFile EXE Maker attacks?
Internet Connection Required: ☐ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs
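From the defender's side, the wrapper lab leaves a structural trace worth checking for: a binder joins several executables into one carrier file, so the resulting Tetris.exe carries data past the end of the outer program's last PE section. The Python below, an added example that is not part of this manual or the One File EXE Maker tool, walks the PE section table to find where the carrier image ends and reports any further PE images found in that overlay; the sample bytes it analyzes are constructed in the script and are not real or loadable programs.

```python
"""Overlay / embedded-PE check for binder-wrapped executables.

Added example (not part of the CEH manual or the One File EXE Maker tool).
A binder joins several executables into one carrier file; the joined data
usually sits past the end of the carrier's last PE section (the "overlay").
This script walks the PE section table to find where the carrier image ends
and reports any further PE images found in the overlay. The sample bytes are
constructed here for the demo and are not loadable programs.
"""
import struct


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def pe_image_end(data, base=0):
    """Return the file offset just past the last section's raw data of the PE
    image starting at `base`, or None if there is no valid PE header there."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    pe = base + _u32(data, base + 0x3C)          # e_lfanew -> "PE\0\0"
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = _u16(data, pe + 6)
    opt_size = _u16(data, pe + 20)               # SizeOfOptionalHeader
    sec_table = pe + 24 + opt_size
    end = sec_table + num_sections * 40          # at least the headers
    for i in range(num_sections):
        hdr = sec_table + i * 40
        if hdr + 40 > len(data):
            return None
        raw_size = _u32(data, hdr + 16)          # SizeOfRawData
        raw_ptr = _u32(data, hdr + 20)           # PointerToRawData
        end = max(end, base + raw_ptr + raw_size)
    return end


def find_embedded_pes(data, start):
    """Offsets of valid PE images found at or after `start` (the overlay)."""
    found = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pe_image_end(data, pos) is not None:
            found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def analyze(data):
    """Summarize overlay size and embedded PE images for one file's bytes."""
    outer_end = pe_image_end(data)
    if outer_end is None:
        return {"valid_pe": False}
    return {
        "valid_pe": True,
        "overlay_bytes": max(0, len(data) - outer_end),
        "embedded_pes": find_embedded_pes(data, outer_end),
    }


def make_minimal_pe(section_bodies):
    """Constructed test input: a header-consistent (not runnable) PE image
    whose section raw data follows the headers, so it has no overlay."""
    e_lfanew, opt_size, n = 0x40, 0xE0, len(section_bodies)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    headers, bodies = b"", b""
    raw_ptr = e_lfanew + 24 + opt_size + 40 * n
    for i, body in enumerate(section_bodies):
        name = f".sec{i}".encode().ljust(8, b"\0")
        headers += name + struct.pack("<IIII", len(body), 0x1000 * (i + 1),
                                      len(body), raw_ptr) + b"\0" * 16
        bodies += body
        raw_ptr += len(body)
    return dos + coff + b"\0" * opt_size + headers + bodies


# Constructed samples: a plain carrier, and the same carrier with two more PE
# images and a trailing config blob appended, the way a binder lays them out.
CLEAN_SAMPLE = make_minimal_pe([b"stub" * 16])
WRAPPED_SAMPLE = (CLEAN_SAMPLE + b"\0" * 8 + make_minimal_pe([b"A" * 32])
                  + make_minimal_pe([b"B" * 16]) + b"CONFIG")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("wrapped", WRAPPED_SAMPLE)):
        print(label, analyze(blob))
```

For a real file, pass `open(path, "rb").read()` to `analyze()`; installers and self-extracting archives also carry large overlays, so treat a hit as a lead for closer inspection (such as the Task Manager check in step 8), not as proof of a Trojan.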
Proxy Server Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Icon key: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

The objectives of this lab include:
• Starting McAfee Proxy
• Accessing the Internet using McAfee Proxy

Lab Environment

To carry out this lab, you need:
■ The McAfee Trojan, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes
Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: Proxy server - Mcafee

1. In the Windows Server 2008 Virtual Machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types, right-click Proxy Server Trojans, and select CmdHere from the context menu.

FIGURE 4.1: Windows Server 2008: CmdHere

2. Now type the command dir to check the folder contents.

FIGURE 4.2: Directory listing of Proxy Server folder

3. The following image lists the directories and files in the folder.
The dir output for Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans shows one file, mcafee.exe (58,328 bytes), and a subfolder named W3bPr0xy Tr0j4nCr34t0r (1 File(s), 3 Dir(s)).

FIGURE 4.3: Contents in Proxy Server folder

4. Type the command mcafee 8080 to run the service in Windows Server 2008.

FIGURE 4.4: Starting mcafee tool on port 8080

5. The service has started on port 8080. The argument is the TCP port the Trojan listens on; it now accepts HTTP requests from any host that can reach Windows Server 2008 on that port.

6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet through port 8080.

7. In this lab, launch Chrome and select Settings as shown in the following figure.

This process can be repeated in any browser after setting the LAN (proxy) settings for the respective browser.

FIGURE 4.5: Internet option of a browser in Windows Server 2012
8. Click the Show advanced settings link to view the Internet settings.

FIGURE 4.6: Advanced Settings of Chrome Browser

9. In Network settings, click Change proxy settings.

FIGURE 4.7: Changing proxy settings of Chrome Browser

10. In the Internet Properties window, click LAN settings to configure the proxy settings.
FIGURE 4.8: LAN settings of a Chrome browser (Internet Properties, Connections tab, Local Area Network (LAN) settings)

11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.

12. Enter the IP address of Windows Server 2008 (10.0.0.13 in this lab), set the port number to 8080, and click OK.

Chrome does not keep its own proxy configuration; this dialog edits the system (WinINET) proxy settings, so every application that honours them, not only Chrome, is now relayed through 10.0.0.13. The setting lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (values ProxyEnable and ProxyServer), which is where a Trojan dropper would write it silently and where a defender should check for an unexpected proxy.

FIGURE 4.9: Proxy settings of LAN in Chrome browser (Address: 10.0.0.13, Port: 8080)

13. Now access any web page in the browser (example: www.bbc.co.uk).
FIGURE 4.10: Accessing web page using proxy server

14. The web page will open.

15. Now go back to Windows Server 2008 and check the command prompt (Administrator: C:\Windows\system32\cmd.exe - mcafee 8080). The proxy logs every request it relays, in the form host:port path :status, for example:

www.google.com:80 /complete/search?sugexp=chrome,mod=18&client=chrome&hl=en-US&q=bbc.co.u :200
Accepting New Requests!
bbc.co.uk:80 / :301
www.bbc.co.uk:80 / :200
static.bbci.co.uk:80 /frameworks/barlesque/2.10.0/desktop/3.5/style/main.css :200
static.bbci.co.uk:80 /bbcdotcom/0.3.136/style/3pt_ads.css :200
Accepting New Requests!

FIGURE 4.11: Background information on Proxy server

16. You can see that we have accessed the Internet using the proxy server Trojan. Note what the console shows: the operator of the proxy sees the host, path and response code of every plaintext request the victim's browser makes (including the search-suggestion queries Chrome sends as you type), and the destination sites see the proxy machine's address as the client. That is the value of a proxy Trojan to an attacker: traffic interception on one side and anonymization through the victim's machine on the other.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan
Information Collected/Objectives Achieved: Output: used the proxy server Trojan to access the Internet. Accessed webpage: www.bbc.co.uk

Questions

1. Determine whether the McAfee HTTP Proxy Server Trojan supports ports other than 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
HTTP Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system and to continuously steal various types of information from it, for example, a company's strategic designs or credit card numbers. A backdoor is a program, or a set of related programs, that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's logs. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

The objectives of the lab include:
• Running the HTTP RAT backdoor on the Windows 8 virtual machine
• Accessing the Windows 8 machine's process list from Windows Server 2008 through the backdoor's web interface
• Killing running processes on the Windows 8 virtual machine

Lab Environment

To carry out this lab, you need:
■ HTTP RAT, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Windows Server 2008 (host)
■ Windows 8 running in a virtual machine
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser to reach the backdoor
■ Administrative privileges to run the tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: HTTP RAT

1. Log in to the Windows 8 virtual machine and open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 5.1: Windows 8 Start menu

2. Click Services in the Start menu to launch Services.
FIGURE 5.2: Windows 8 Start menu Apps

Disabling the World Wide Web Publishing Service is mandatory, as HTTP RAT binds to port 80 and cannot start while IIS (service name W3SVC) already owns that port. This is a useful detail for defenders: a backdoor that needs a port already held by a legitimate service has to stop that service first, and the stop is itself logged (Service Control Manager event 7036, "entered the stopped state").

3. Disable/stop the World Wide Web Publishing Service.

FIGURE 5.3: Administrative tools - Services window

4. Right-click the World Wide Web Publishing service and select Properties to disable the service.
FIGURE 5.4: Disable/Stop World Wide Web Publishing Service (Service name: W3SVC; Path to executable: C:\Windows\system32\svchost.exe -k iissvcs; Startup type: Disabled; Service status: Stopped)

5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

The HTTP RAT 0.31 window ("backdoor Webserver by zOmbie") offers the following settings: send notification with ip address to mail (with a list of SMTP servers, delimited with ";", and your email address), close FireWalls, server port (default 80) and a Create button. The send notification option can be used to have the victim's IP address mailed to you.

FIGURE 5.5: HTTP RAT main window

6. Disable the Send notification with ip address to mail option.

7. Click Create to create a httpserver.exe file.
FIGURE 5.6: Create backdoor

The created httpserver.exe is placed in the tool directory; the tool confirms with "done! send httpserver.exe 2 victim".

FIGURE 5.7: Backdoor server created successfully

8. The httpserver.exe file should now exist in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

9. Double-click the file and click Run.
When the file is run, Windows shows an Open File - Security Warning: "The publisher could not be verified. Are you sure you want to run this software?" (Publisher: Unknown Publisher; "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust."). This unsigned-binary prompt is the one warning the user gets, and it is exactly the prompt a Trojan relies on the victim clicking through.

FIGURE 5.8: Running the Backdoor

10. Go to Task Manager and check whether the process is running; it appears as Httpserver (32 bit) under Background processes.

FIGURE 5.9: Backdoor running in Task Manager

11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here 10.0.0.12 is the IP address of the Windows 8 machine).
The backdoor answers with its own web page, "Zombie's HTTP_RAT - welcome 2 HTTP_RAT infected computer", offering the links [running processes], [browse], [computer info], [stop httprat], [have suggestions?] and [homepage]. In this lab the page is reached without any authentication, so anyone who can reach port 80 on the victim can drive the backdoor, and because it is plaintext HTTP a network sensor sees every command in the clear.

FIGURE 5.10: Access the backdoor in Host web browser

12. Click running processes to list the processes running on the Windows 8 machine. Each entry (System, smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, spoolsv.exe, MsMpEng.exe, taskhost.exe, explorer.exe, SearchIndexer.exe, splwow64.exe, httpserver.exe, Taskmgr.exe, firefox.exe, and so on) carries a [kill] link.

FIGURE 5.11: Process list of the victim computer

13. You can kill any running process from here. The backdoor does not distinguish critical processes: terminating csrss.exe, wininit.exe or lsass.exe will crash or force a reboot of the victim, while killing MsMpEng.exe stops Windows Defender's real-time protection, which is the more likely use an attacker would make of this feature.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTP Trojan
Information Collected/Objectives Achieved: httpserver.exe successfully sent to and run on the victim machine. Output: processes listed with a kill option: System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe, firefox.exe

Questions

1. Determine the ports that the HTTP RAT Trojan uses to communicate.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
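Both labs so far end with a Trojan listening on a web port (mcafee.exe on 8080, httpserver.exe on 80), and the quickest way a responder confirms that on a Windows host is to join the output of netstat -ano with tasklist and look at who owns each listening socket. The script below is an added example written for this edit; it is not part of the CEH tool kit and not code from either Trojan. The netstat and tasklist samples inside it are constructed (both lab listeners placed on one host so the script runs offline), and the per-port allow list of image names is an assumption about what a sanctioned web server looks like on the host being examined.

```python
"""Listening-port audit: which process owns each open TCP port?

Added example for the proxy Trojan and HTTP RAT labs; not part of the CEH
tool kit.  `netstat -ano` gives each listening socket and its PID,
`tasklist /fo csv /nh` maps the PID to an image name, and a web port owned
by anything other than the expected web server is flagged.  Both samples
below are constructed; on a live Windows host replace them with the
commands' real output (see __main__).
"""
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid image")

# Constructed `netstat -ano` output modelled on the lab victims.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2468
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       752
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.12:80           10.0.0.13:49210        ESTABLISHED     2468
  TCP    [::]:135               [::]:0                 LISTENING       752
  UDP    0.0.0.0:5355           *:*                                    1044
"""

# Constructed `tasklist /fo csv /nh` output for the same host.
TASKLIST_SAMPLE = """
"System","4","Services","0","144 K"
"svchost.exe","752","Services","0","8,912 K"
"svchost.exe","1044","Services","0","5,120 K"
"httpserver.exe","2468","Console","1","1,228 K"
"mcafee.exe","3120","Console","1","2,044 K"
"explorer.exe","1880","Console","1","44,100 K"
"""

# Assumption: IIS is the only sanctioned web server on this host.  It runs
# inside svchost.exe (-k iissvcs) and w3wp.exe; nothing is expected on 8080.
EXPECTED = {
    80:   {"svchost.exe", "w3wp.exe"},
    443:  {"svchost.exe", "w3wp.exe"},
    8080: set(),
}
SYSTEM_PIDS = {0, 4}  # Idle and System; 445 on PID 4 is the kernel SMB driver


def parse_netstat(text):
    """Yield (proto, addr, port, state, pid) per socket line.

    TCP lines have five columns; UDP lines lack the State column and come
    out as four, so they are tagged with state "UDP".
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, _remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, _remote, pid = parts
            state = "UDP"
        else:
            continue  # banner, header, blank lines
        addr, _, port = local.rpartition(":")  # "[::]:135" keeps its brackets
        yield proto, addr, int(port), state, int(pid)


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output (no header row)."""
    images = {}
    for line in text.splitlines():
        if line.startswith('"'):
            fields = [f.strip('"') for f in line.split('","')]
            images[int(fields[1])] = fields[0]
    return images


def listening_ports(netstat_text, tasklist_text):
    """All LISTENING TCP sockets joined with their owning image name."""
    images = parse_tasklist(tasklist_text)
    found = [Listener(proto, addr, port, pid, images.get(pid, "<no image>"))
             for proto, addr, port, state, pid in parse_netstat(netstat_text)
             if state == "LISTENING"]
    return sorted(found, key=lambda s: (s.port, s.addr))


def suspicious_listeners(listeners, expected=EXPECTED):
    """Return [(listener, reason)] for sockets a responder should examine.

    A watched port owned by an image outside the allow list is the proxy
    Trojan / HTTP RAT case.  A PID with no tasklist entry is flagged on any
    port: a socket without a visible process suggests something hiding.
    """
    flagged = []
    for s in listeners:
        if s.pid in SYSTEM_PIDS:
            continue
        if s.image == "<no image>":
            flagged.append((s, "no process visible for PID"))
        elif s.port in expected and s.image.lower() not in expected[s.port]:
            flagged.append((s, "unexpected image on web port"))
    return flagged


if __name__ == "__main__":
    # Live host: netstat_text = subprocess.check_output(["netstat", "-ano"], text=True)
    #            tasklist_text = subprocess.check_output(["tasklist", "/fo", "csv", "/nh"], text=True)
    for s, why in suspicious_listeners(listening_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print(f"{s.proto} {s.addr}:{s.port} pid={s.pid} {s.image}: {why}")
```

On the constructed sample this reports port 80 owned by httpserver.exe and port 8080 owned by mcafee.exe, which answers the "which ports" questions of both labs from the defender's side. The allow list is deliberately per host: on a machine that legitimately runs Tomcat, 8080 would carry java.exe, so tune EXPECTED to the build standard rather than copying it blindly.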
Remote Access Trojans Using Atelier Web Remote Commander

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer in a way that bypasses security mechanisms. Trojans and backdoors are types of bad-ware; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can be a well-known port such as 80 or an out-of-the-ordinary port such as 7777. Trojans are most of the time disguised and presented as legitimate, harmless applications to encourage the user to execute them.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
• Gain access to a remote computer
• Acquire sensitive information from the remote computer

Lab Environment

To carry out this lab, you need:
1. Atelier Web Remote Commander, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser to access the Internet
■ Administrative privileges to run the tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Unlike the two previous labs, nothing is planted on the target here: AWRC is a remote administration tool that connects with a valid administrator user name and password (steps 5 and 6). What it demonstrates is how much an attacker who has guessed, stolen or reused administrator credentials can pull from a Windows machine without installing a backdoor on it.

Lab Tasks

TASK 1: Atelier Web Remote Commander

1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.

2. To launch AWRC, open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 6.1: Windows Server 2012 Start-Desktop

3. Click AW Remote Commander Professional in the Start menu apps.
FIGURE 6.2: Windows Server 2012 Start Menu Apps

4. The main window of AWRC (AWRC PRO 9.3.9) appears as shown in the following screenshot, with the tabs SysInfo, NetworkInfo, File System, Users and Groups and Chat, and a connection panel for Remote Host, User Name and Password.

This tool is used to gain access to all the information of the remote system.

FIGURE 6.3: Atelier Web Remote Commander main window

5. Input the IP address and the user name and password of the remote computer.

6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123

Note: The IP addresses and credentials might differ in your lab.

7. Click Connect to access the machine remotely.
FIGURE 6.4: Providing remote computer details

8. The following screenshots show that you are accessing Windows Server 2008 remotely. The Progress Report panel logs the connection ("Initializing, please wait..." followed by "Connected to 10.0.0.13") and the kBytes In counter shows data flowing from the target.

FIGURE 6.5: Remote computer accessed

9. The Commander is connected to the remote system. Click the SysInfo tab to view the complete details of the virtual machine.
FIGURE 6.6: Information of the remote computer

10. Select the NetworkInfo tab to view network information. The Shares view lists the administrative shares of the target: ADMIN$ (Remote Admin), C$ (Default share) and IPC$ (Remote IPC), each with unlimited maximum uses. These hidden shares exist on every Windows machine and are what remote administration over SMB relies on; they are also the first thing an attacker with administrator credentials reaches for.

FIGURE 6.7: Information of the remote computer

11. Select the File System tab. Select c: from the drop-down list and click Get.

12. This tab lists the complete files of the C: drive of Windows Server 2008.
The File System tab shows the contents of c:\ ($Recycle.Bin, Boot, Documents and Settings, PerfLogs, Program Files (x86), Program Files, ProgramData, System Volume Information, Users, Windows) together with the volume details: file system NTFS, capacity 17,177,767,936 bytes, free space 6,505,771,008 bytes.

FIGURE 6.8: Information of the remote computer

13. Select Users and Groups, which displays the complete user details. For the Administrator account the tab reports, among other things: Password Age (7 days 21 hours 21 minutes 33 seconds), Privilege Level (Administrator), Comment (Built-in account for administering the computer/domain), Flags (Logon script executed, Normal Account), Last Logon (9/20/2012 3:58:24 AM), Account expires (Never), User ID (RID) 500, Primary Global Group (RID) 513, SID S-1-5-21-1858180243-3007315151-1600596200-500 and Domain WIN-EGBHISG14L0.

FIGURE 6.9: Information of the remote computer
The Groups view lists the local groups with their SIDs and comments: Administrators (S-1-5-32-544), Backup Operators (S-1-5-32-551), Certificate Service DCOM Access (S-1-5-32-574), Cryptographic Operators (S-1-5-32-569), Distributed COM Users (S-1-5-32-562), Event Log Readers (S-1-5-32-573), Guests (S-1-5-32-546), and a global group (S-1-5-21-1858180243-3007315151-...) described as "Ordinary users". A Password Hashes view is available on the same tab.

FIGURE 6.10: Information of the remote computer

FIGURE 6.11: Information of the remote computer

14. This tool will display all the details of the remote system.

15. Analyze the results from the remote computer. The RID 500 account, its password age, the administrative shares and the password hashes are exactly what an attacker needs for lateral movement, so the exposure this lab really demonstrates is a local Administrator password that can be used over the network.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Atelier Web Remote Commander
Information Collected/Objectives Achieved:
  - Remotely accessing Windows Server 2008
  - Result: System information of remote Windows Server 2008
  - Network information / path of remote Windows Server 2008
  - Viewing complete files of C: of remote Windows Server 2008
  - User and Groups details of remote Windows Server 2008
  - Password hashes

Questions

1. Evaluate the ports that AWRC uses to perform operations.

2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom
Detecting Trojans

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Most individuals are confused about the possible ways to remove a Trojan from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful programs. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of malware is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, the affected user is unaware of the possible effects until sensitive and important information is found missing from the system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks as well. The other name for backdoor Trojans is remote access Trojans (RATs). The main reason that backdoor Trojans are so dangerous is that they give an attacker the ability to access a particular machine remotely (source: http://www.combofix.org).

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:

  • Analyze using Port Monitor
  • Analyze using Process Monitor
  • Analyze using Registry Monitor
  • Analyze using Startup Program Monitor
  • Create MD5 hash files for Windows directory files

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
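The last objective, a hash baseline of the Windows directory files, is the one the lab performs with Fsum Frontend; the detection value comes from comparing a baseline taken on a known-clean system against the live system later. The following PowerShell is an added example, not code from the CEH lab manual or from Fsum Frontend. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt so that protected files under C:\Windows can be read; the function and parameter names are mine.

```powershell
# Added example (not from the CEH lab manual or from Fsum Frontend): build a hash
# baseline of a directory tree and later diff the live tree against it.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt for C:\Windows.
# MD5 matches the lab; use -Algorithm SHA256 for anything you rely on, because MD5
# collisions are practical and a dropper could ship a colliding replacement file.

function New-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Root,          # e.g. C:\Windows\System32
        [Parameter(Mandatory)] [string] $BaselinePath,  # CSV; copy it off the host afterwards
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string] $Algorithm = 'MD5'
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Locked files (pagefile, registry hives) cannot be opened; skip them rather than abort.
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if ($h) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    Hash             = $h.Hash
                    Length           = $_.Length
                    LastWriteTimeUtc = $_.LastWriteTimeUtc.ToString('o')
                }
            }
        } | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation -Encoding UTF8
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $BaselinePath,
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string] $Algorithm = 'MD5'
    )
    $baseline = @{}
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    $seen = @{}

    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if (-not $h) { return }                      # 'return' inside ForEach-Object skips this item
            $seen[$_.FullName] = $true
            if (-not $baseline.ContainsKey($_.FullName)) {
                # A new binary in a system directory is the classic dropper footprint.
                [pscustomobject]@{ Status = 'ADDED';    Path = $_.FullName; Hash = $h.Hash }
            } elseif ($baseline[$_.FullName] -ne $h.Hash) {
                # Same name, different content: a patched or replaced system file.
                [pscustomobject]@{ Status = 'MODIFIED'; Path = $_.FullName; Hash = $h.Hash }
            }
        }

    foreach ($p in $baseline.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'REMOVED'; Path = $p; Hash = $baseline[$p] }
        }
    }
}

# Usage: take the baseline on a known-clean system, copy the CSV off the host,
# then re-run the comparison whenever a Trojan infection is suspected.
# New-HashBaseline     -Root 'C:\Windows\System32' -BaselinePath 'D:\baseline-system32.csv'
# Compare-HashBaseline -Root 'C:\Windows\System32' -BaselinePath 'D:\baseline-system32.csv' |
#     Sort-Object Status, Path | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the baseline CSV is only as trustworthy as the place it is stored, so keep it off the monitored host (an attacker with write access to the box can re-baseline for you), and Windows Update legitimately rewrites files under C:\Windows, so MODIFIED entries after patching are expected and must be re-baselined rather than treated as infections.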
Lab Environment

To carry out this lab, you need:

  ■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
  ■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
  ■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\PrcView
  ■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
  ■ Fsum Frontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
  ■ A computer running Windows Server 2008 (host)
  ■ Windows Server 2003 running in a virtual machine
  ■ If you decide to download the latest version, then the screenshots shown in the lab might differ
  ■ You need a web browser to access the Internet
  ■ Administrative privileges to run the tools

Disabling and Deleting Entries: If you don't want an entry to activate the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns will store the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named "Autoruns disabled". Check a disabled item to re-enable it.

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: TCPView

1. Go to the Windows Server 2012 virtual machine.

2. Install TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.

3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.
[Screenshot: TCPView main window (Sysinternals, www.sysinternals.com). Rows for dns.exe (PID 1572) show one TCP endpoint on local port "domain" and a long run of UDP endpoints on ephemeral local ports (49512 and up), all bound on the local host WIN-2N9STOSGIEN.]

FIGURE 8.1: TCPView main window

4. This tool performs port monitoring.

You should delete items that you do not wish to ever execute. Do so by choosing Delete in the Entry menu. Only the currently selected item will be deleted.

[Screenshot: TCPView main window showing svchost.exe, System and lsass.exe endpoints on WIN-2N9STOSGIEN: TCP listeners on ephemeral ports, UDP endpoints for bootps, bootpc, isakmp, teredo, ipsec-msft and llmnr, and System entries for netbios-ssn, microsoft-ds, http and https.]

FIGURE 8.2: TCPView main window

5. Now it is analyzing the SMTP and other ports.

If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.
Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.

There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click on the entry's or location's line in the display.

[Screenshot: TCPView with the Remote Address, Remote Port and State columns visible. Listeners on WIN-2N9STOSGIEN show a remote port of 0 and state LISTENING; two TCP endpoints show state ESTABLISHED with a remote host and port; UDP endpoints (bootps, bootpc, isakmp, teredo, ipsec-msft, llmnr) show "*" for remote address and port.]

FIGURE 8.3: TCPView analyzing ports

You can also kill the process by double-clicking that respective process, and then clicking the End Process button. Ending the process removes only the running instance; a Trojan that has registered a startup entry will return at the next boot, which is why the next task cross-checks the startup locations with Autoruns.

[Screenshot: Properties for dns.exe: 1572. Domain Name System (DNS) Server, Microsoft Corporation, Version: 6.02.8400.0000, Path: C:\Windows\System32\dns.exe, with End Process and OK buttons.]

FIGURE 8.4: Killing processes

TASK 2: Autoruns

Go to the Windows Server 2012 virtual machine. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns. It lists all processes, DLLs, and services.
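The TCPView task above (endpoint listing, then End Process) and the Autoruns task it hands over to are two halves of one check: which image owns a listening or outbound socket, and whether that image has a way to come back after a reboot. The following PowerShell is an added example that does both in one pass; it is not code from the CEH lab manual, TCPView or Autoruns. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt, which is needed to read the image path of processes running as other users; the function names, the trusted-root heuristic and the Suspicious flag are mine.

```powershell
# Added example (not from the CEH lab manual, TCPView or Autoruns): reproduce the two
# views the lab inspects by hand, join them, and flag what a Trojan typically leaves behind.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an elevated prompt.

# Images outside these roots that listen or talk out deserve a closer look (heuristic, not proof).
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # on 32-bit hosts ProgramFiles(x86) is empty; drop it

function Get-EndpointReport {
    # What TCPView shows: every TCP endpoint with its owning process, plus path and signer.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-NetTCPConnection | ForEach-Object {
        $proc = $byPid[[int]$_.OwningProcess]          # OwningProcess is UInt32; hashtable keys are Int32
        $path = if ($proc) { $proc.Path } else { $null } # null for System/Idle or when access is denied
        $signed  = $null
        $trusted = $false
        if ($path) {
            $signed  = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
            $trusted = [bool]($trustedRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
        }
        [pscustomobject]@{
            Process       = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            PID           = $_.OwningProcess
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            Path          = $path
            Signed        = $signed
            # A listener or established session owned by an unsigned image outside the trusted
            # roots is the shape of a backdoor/RAT; a path under C:\Windows is not a clean bill by itself.
            Suspicious    = ($path -and -not $signed -and -not $trusted -and
                             $_.State -in 'Listen', 'Established')
        }
    }
}

function Get-StartupReport {
    # The subset of what Autoruns shows that matters most: Run/RunOnce keys, startup folders, services.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath/PSParentPath/... metadata
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName } }
    }
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
}

# Usage: what the lab does with two GUIs, in one pass.
# Get-EndpointReport | Where-Object Suspicious | Format-Table Process, PID, LocalPort, RemoteAddress, Path
# Get-StartupReport  | Where-Object { $_.Command -and $_.Command -notmatch '^"?[A-Z]:\\(Windows|Program Files)' } |
#     Format-Table -AutoSize
# Stop-Process -Id <PID> is what TCPView's End Process does; the startup entry must be removed separately.
```

Two things the GUIs make easy to forget: Get-NetTCPConnection, like TCPView, is a snapshot, so a Trojan that beacons out once every few minutes will usually not have a socket open when you look and has to be caught by a startup entry or by repeated sampling; and a process whose image sits in a trusted root can still be a renamed copy of the Trojan, which is why the Signed column is computed as well and why the MD5 baseline objective of this lab exists.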