Ceh v8 labs module 06 trojans and backdoors
Module 06 - Trojans and Backdoors

Trojans and Backdoors

A Trojan is a program that contains a malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans pose serious risks to any device which is compromised. Android devices are potentially at risk because malicious apps are open in the environment around them, the FBI warns. But the real problem, experts say, is the potential for any malicious application to take control, so that the personal and sensitive information stored on mobile devices, financial information included, is open to fraud from anywhere.

According to advanced security experts, a Trojan known as Citadel, a variant of Zeus, is specifically designed for financial fraud and is sold on the cyber black market. Created by hackers, it includes a keylogger that steals online-banking credentials by capturing keystrokes; the hackers then use the stolen login IDs and passwords to take over online banking accounts and schedule fraudulent transactions.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:

■ Creating a server and testing a network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all detected vulnerabilities and flaws

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment

To carry out this, you need:

■ A computer running Windows Server 2008 as Guest-1 in virtual machine
■ Windows 7 running as Guest-2 in virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

CEH Lab Manual Page 425
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Duration

Time: 40 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker gets access to the stored passwords in the Trojaned computer and would be able to read personal documents, delete files and display pictures, and/or show messages on the screen.

Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you with Trojans and backdoors:

■ Creating a Server Using the ProRat Tool
■ Wrapping a Trojan Using One File EXE Maker
■ Proxy Server Trojan
■ HTTP Trojan
■ Remote Access Trojans Using Atelier Web Remote Commander
■ Detecting Trojans
■ Creating a Server Using the Theef
■ Creating a Server Using the Biodox
■ Creating a Server Using the MoSucker
■ Hack Windows 7 using Metasploit

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Lab 1

Creating a Server Using the ProRat Tool

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

As more and more people regularly use the Internet, cyber security is becoming more and more important. Internet hackers using malware can not only hack your personal systems with viruses, worms, and Trojan horses, but can also sniff your information, which means that your financial data and any information about another machine are not yet protected from hackers. Protecting data from malware is not the only business: Trojan attacks can also infect a machine so that a hacker may listen to your communication. Other security attacks include spoofing, hijacking, mapping, and denial-of-service attacks against high-profile web servers, which can take control of your machine and target any other computers, such as those of banks and credit card gateways, making them unavailable to conduct normal business. Being aware of this is for everyone.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:

■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
■ Attacking a network using sample Trojans and documenting all detected vulnerabilities and flaws

Lab Environment

To carry out this, you need:

■ The ProRat tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
■ A computer running Windows Server 2012 as Host Machine
■ A computer running Windows 8 (Virtual Machine)
■ Windows Server 2008 running in Virtual Machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the Client or Host shown in this lab may differ from the actual ones, and the appearance of the website may differ from what is shown, but the process of creating the server is the same as in this lab.

Lab Tasks

TASK 1: Create Server with ProRat

1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
2. Double-click ProRat.exe in Windows 8 Virtual Machine.
3. Click Create ProRat Server to start preparing to create a server.
FIGURE 1.1: ProRat main window

4. The Create Server window appears.

Password button: Retrieve passwords from many services, such as pop3 accounts, messenger, IE, mail, etc.

FIGURE 1.2: ProRat Create Server Window

5. Click General Settings to change the features, such as Server Port, Server Password, Victim Name, or Port Number, as shown in the following screenshot.
6. Uncheck the highlighted options and set the connection settings as you wish the victim to connect; the live connection settings are the default.
Note: you can use Dynamic DNS to connect over the Internet by using no-ip account registration.

FIGURE 1.3: ProRat Create Server - General Settings

7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server.
8. Check Bind server with a file. Click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.
9. Select the Girl.jpg file to bind with the server.

Clipboard: To read data from random access memory.

FIGURE 1.4: ProRat Binding with a file
10. Select Girl.jpg in the Look in: window and then click Open to bind the file.

VNC Trojan: starts a VNC server daemon in the infected system.

FIGURE 1.5: ProRat binding an image

11. Click OK after selecting the image for binding with a server.

File manager: To manage the victim directory for add, delete, and modify.

12. In Server Extensions settings, select EXE (Has icon support) in Select Server Extension options.
Give Damage: To format the entire system files.

FIGURE 1.7: ProRat Server Extensions Settings

13. In Server Icon settings, select any of the icons, and click the Create Server button at the right side bottom of the ProRat Create Server window.

VNC Trojan: It connects to the victim using any VNC viewer with the password "secret."

FIGURE 1.8: ProRat creating a server

14. Click OK after the server has been prepared, as shown in the following screenshot.
FIGURE 1.9: ProRat Server has created

15. Now you can send the server file, which is created in the same current directory, to the victim's machine by mail or any communication media to run, for example as a celebration file.

HTTP Trojan: GSHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.

FIGURE 1.10: ProRat Create Server

16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
17. Double-click binder_server.exe as shown in the following screenshot.
FIGURE 1.11: ProRat Windows Server 2008

ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol that is undetectable.

18. Now switch to Windows 8 Virtual Machine and enter the IP address of Windows Server 2008 in the ProRat main window; the port number is the default. Click Connect.
19. In this lab, the IP address of Windows Server 2008 is (10.0.0.13). Note: IP addresses might differ in classroom labs.

FIGURE 1.12: ProRat Connecting Infected Server

20. Enter the password you provided at the time of creating the server and click OK.
FIGURE 1.13: ProRat connection window

21. Now you are connected to the victim machine. To test the connection, click PC Info and choose the victim system information, as shown in the following figure.

Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.

FIGURE 1.14: ProRat connected computer window

TASK 2: Attack System Using Keylogger

22. Now click KeyLogger to steal user passwords for the online system.

FIGURE 1.15: ProRat KeyLogger button
23. The Key Logger window will appear.

Reverse Connecting Trojan: This Trojan works like a remote desktop access. The hacker gains complete GUI access of the remote system:
■ Infect victim's computer with server.exe and plant Reverse Connecting Trojan.
■ The Trojan connects from the victim's port to the attacker and establishes a reverse connection.
■ Attacker then has complete control over victim's machine.

FIGURE 1.16: ProRat KeyLogger window

24. Now switch to Windows Server 2008 machine and open a browser or Notepad and type any text.

Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.

FIGURE 1.17: Test typed in Windows Server 2008 Notepad

25. While the victim is writing a message or entering a user name and password, you can capture the log data and updates from the victim machine from time to time.
26. Now switch to Windows 8 Virtual Machine and click Read Log to check for the entry from the victim machine.
FIGURE 1.18: ProRat KeyLogger window

Note: ProRat Keylogger will not read special characters.

Now you can use a lot of features from ProRat on the victim's machine.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Create a server with advanced options such as Kill AV-FW on start, disable Windows XP Firewall, etc., send it to the victim machine, and verify whether you can connect to the victim machine.
2. Evaluate and examine various methods to communicate with victims if they are in other cities or countries.
Tool/Utility: ProRat

Information Collected/Objectives Achieved:
  Server creation: Binded server.exe
  Successful Connection: Yes
  Output: PC Information
    Computer Name: WIN-EGBHISG14L0
    User Name: Administrator
    Windows Ver:
    Windows Language: English (United States)
    Windows Path: c:\windows
    System Path: c:\windows\system32
    Temp Path: c:\Users\ADMINI~1
    Product ID:
    Workgroup: NO
    Data: 9/23/2012

Internet Connection Required: No

Platform Supported: Classroom, iLabs
Lab 2

Wrapping a Trojan Using One File EXE Maker

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Sometimes an attacker makes a very secure backdoor, even safer than the normal password, for attackers to get into a system. A backdoor is a way to let attackers into the victim's system in order to keep their access, only for themselves, in the future. It is normally embedded in the system so that the victim need not know about it: after getting in, an attacker installs a backdoor as an easy way to get into the system whenever he or she needs to. A backdoor may show a message, password-protecting or verifying the user, or may be as simple as an attacker running and installing Trojans and backdoors from a website the victim visits, by ActiveX, or through SSH, mail, voice chat, logging, downloading, or many other applications. Another way attackers use is layers of authentication, which make normal access harder for the user but not for the attacker. Usually the victim could be running a backdoor prepared by the attacker using ActiveX on his or her machine, and the attacker, with extensive knowledge about the system, uses the installed backdoor to control it. Protecting the system from such attacks by attackers is a must.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:

■ Wrapping the Trojan with a game in Windows Server 2008
■ Running the Trojan to access the game on the front end

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors
- 17. M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s
■
A n a ly z in g
th e
T r o ja n
r u n n in g
in
b a c k e n d
L a b E n v ir o n m e n t
T o
c a r r y
י
o u t
d iis , y o u
n e e d :
OneFileEXEMaker
t o o l lo c a t e d
D:CEH-ToolsCEHv8 Module 06
a t
Trojans and BackdoorsWrapper Covert ProgramsOneFileExeMaker
■
A
Window Server 2012
c o m p u t e r r u n n in g
■ Windows Server 2008
■
I t
y o u
th e
111
■
d e c id e
la b
m
t o
d o w n lo a d
ig h t
A d m in is tr a tiv e
r u n n in g
th e
(h o s t)
111 v ir t u a l m a c h in e
latest version,
t h e n
s c r e e n s h o ts
s h o w n
d if f e r
p r iv ile g e s
to
m
n
t o o ls
L a b D u r a t io n
T u n e :
2 0
M in u t e s
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is same as shown in this lab.

TASK 1: OneFile EXE Maker
Lab Tasks
1. Install OneFileEXEMaker on Windows Server 2008 Virtual Machine.

FIGURE 3.1: OneFile EXE Maker Home screen (screenshot: the tool identifies itself as SennaSpy One EXE Maker 2000 - 2.0a, official website http://sennaspy.tsx.org; it joins many files (exe, dll, ocx, txt, jpg, bmp) into a single EXE and shows Short File Name, Parameters, Open Mode, Copy To and Action columns, with Command Line Parameters, Open Mode, Copy To and Action option groups and a Pack Files? checkbox)
2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.
FIGURE 3.2: Adding Lazaris game (screenshot: LAZARIS.EXE listed with Open Mode Hide, Copy To System, Action Open/Execute)

Note: You can set various tool options such as Open mode, Copy to, and Action.

3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.
FIGURE 3.3: Adding MCAFEE.EXE proxy server (screenshot: both files listed with Copy To System and Action Open/Execute)

4. Select Mcafee and type 8080 in the Command Line Parameters field.
FIGURE 3.4: Assigning port 8080 to MCAFEE (screenshot: Command Line Parameters field set for MCAFEE.EXE)

5. Select Lazaris and check the Normal option in Open Mode.
FIGURE 3.5: Setting Lazaris open mode (screenshot: LAZARIS.EXE with Open Mode Normal, Copy To System, Action Open/Execute; MCAFEE.EXE with parameter 8080, Open Mode Hide, Copy To System, Action Open/Execute)

6. Click Save and browse to save the file on the desktop, and name the file Tetris.exe.
FIGURE 3.6: Trojan created (screenshot: Save dialog on the desktop, file type Executables (*.exe))

7. Now double-click to open the Tetris.exe file. This will launch the Lazaris game on the front end; MCAFEE.EXE will run in the background.

FIGURE 3.7: Lazaris game running

8. Now open Task Manager and click the Processes tab to check if it is running.
FIGURE 3.8: MCAFEE in Task manager (screenshot: Windows Task Manager, Processes tab; both LAZARIS.EXE and MCAFEE.EXE are listed running under the Administrator account alongside the usual system processes such as csrss.exe, lsass.exe, services.exe and svchost.exe)
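Added example, not the lab's own code and not the wrapper's documented format: a defender-side triage check for a "joined" executable like the Tetris.exe built above. It assumes the wrapper appends the joined files after the last PE section (an overlay); the stub PE images it builds are constructed in-memory test input only, and `build_stub_pe`, `overlay_info`, `embedded_pe_offsets` and `assess` are names chosen here.

```python
"""Flag a PE file whose overlay (bytes past the last section) carries further
PE images, the shape a file-joining wrapper would leave behind.  The overlay
assumption is ours; constructed stub PEs stand in for real samples."""
import struct

PE_SIG = b"PE\0\0"


def build_stub_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one .text section (demo input only;
    it carries the headers the detector reads and is not a runnable program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40   # one 40-byte section header
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF          # 512-byte file alignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + PE_SIG + coff + opt + sect
    return hdr + b"\0" * (raw_ptr - len(hdr)) + section_data + overlay


def overlay_info(data: bytes) -> dict:
    """Locate the overlay: everything after max(PointerToRawData + SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt                  # first section header
    end = table + 40 * num_sections                   # headers count as mapped
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))                         # tolerate truncated files
    return {"overlay_offset": end, "overlay_size": len(data) - end}


def embedded_pe_offsets(blob: bytes) -> list:
    """Offsets in blob where a plausible PE image starts: 'MZ' whose e_lfanew
    points at a PE signature inside the blob.  Tells us if the overlay holds EXEs."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if 0x40 <= lfanew < 0x400 and blob[pos + lfanew:pos + lfanew + 4] == PE_SIG:
                found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def assess(data: bytes, min_overlay: int = 1024) -> dict:
    """Triage verdict: a large overlay, or any embedded PE image in it, marks the
    file as a joined/wrapped binary that deserves sandboxing before it is run."""
    info = overlay_info(data)
    inner = embedded_pe_offsets(data[info["overlay_offset"]:])
    info["embedded_pe"] = len(inner)
    info["suspicious"] = info["overlay_size"] >= min_overlay or bool(inner)
    return info


if __name__ == "__main__":
    clean = build_stub_pe(b"\x90" * 100)
    # Constructed 'wrapped' file: a game stub with two more executables appended.
    wrapped = build_stub_pe(b"\x90" * 100,
                            overlay=build_stub_pe(b"\xcc" * 50) + build_stub_pe(b"\xc3" * 30))
    print(assess(clean))    # suspicious: False
    print(assess(wrapped))  # suspicious: True, embedded_pe: 2
```

The same check runs on a real file by passing `open(path, "rb").read()` to `assess`; legitimate installers also carry overlays, so treat the verdict as a triage signal, not a conviction.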
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: OneFileEXEMaker
Information Collected/Objectives Achieved: Output: Using Tetris.exe, execute a backdoor

Questions
1. Use various other options for the Open mode, Copy to, Action sections of OneFileEXEMaker and analyze your results.
2. How will you secure your computer from OneFileEXEMaker attacks?

Internet Connection Required
□ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
Proxy Server Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
• Starting McAfee Proxy
• Accessing the Internet using McAfee Proxy
Lab Environment
To carry out this, you need:
■ McAfee Trojan located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access Internet
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is same as shown in this lab.

Lab Tasks
TASK 1: Proxy server - Mcafee
1. In Windows Server 2008 Virtual Machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and select CmdHere from the right-click context menu.

FIGURE 4.1: Windows Server 2008: CmdHere (screenshot: Explorer view of the Trojans Types folder with the Proxy Server Trojans subfolder right-clicked)
2. Now type the command dir to check for folder contents.

FIGURE 4.2: Directory listing of Proxy Server folder

3. The following image lists the directories and files in the folder.
FIGURE 4.3: Contents in Proxy Server folder (screenshot: the dir listing of Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans shows mcafee.exe and one subdirectory)

4. Type the command mcafee 8080 to run the service in Windows Server 2008.

FIGURE 4.4: Starting mcafee tool on port 8080
5. The service has started on port 8080.
6. Now go to Windows Server 2012 host machine and configure the web browser to access the Internet on port 8080.
7. In this lab launch Chrome, and select Settings as shown in the following figure.

Note: This process can be attained in any browser after setting the LAN settings for the respective browser.

FIGURE 4.5: Internet option of a browser in Windows Server 2012 (screenshot: Chrome menu with Settings)
8. Click the Show advanced settings link to view the Internet settings.

FIGURE 4.6: Advanced Settings of Chrome Browser

9. In Network Settings, click Change proxy settings.

FIGURE 4.7: Changing proxy settings of Chrome Browser

10. In the Internet Properties window click LAN settings to configure proxy settings.
FIGURE 4.8: LAN Settings of a Chrome Browser (screenshot: Internet Properties, Connections tab, Never dial a connection selected, with the LAN settings button in the Local Area Network (LAN) settings group)
11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.
12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.
FIGURE 4.9: Proxy settings of LAN in Chrome Browser (screenshot: Local Area Network (LAN) Settings with Automatically detect settings checked, Use a proxy server for your LAN checked, Address 10.0.0.13, Port 8080)
13. Now access any web page in the browser (example: www.bbc.co.uk).

FIGURE 4.10: Accessing web page using proxy server

14. The web page will open.
15. Now go back to Windows Server 2008 and check the command prompt.
FIGURE 4.11: Background information on Proxy server (screenshot: the mcafee 8080 console window lists each proxied request, for example to www.google.com, bbc.co.uk, www.bbc.co.uk and static.bbci.co.uk, each followed by "Accepting New Requests")
16. You can see that we had accessed the Internet using the proxy server Trojan.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Proxy Server Trojan
Information Collected/Objectives Achieved: Output: Use the proxy server Trojan to access the Internet. Accessed webpage: www.bbc.co.uk

Questions
1. Determine whether McAfee HTTP Proxy Server Trojan supports other ports apart from 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required
☑ Yes □ No

Platform Supported
☑ Classroom □ iLabs
HTTP Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Lab Scenario
Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system to continuously steal various types of information from it, for example, a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's log. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.

You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

The objectives of the lab include:
• To run HTTP Trojan on Windows Server 2008
• Access the Windows Server 2008 machine process list using the HTTP Proxy
• Kill running processes on Windows Server 2008 Virtual Machine

Lab Environment
To carry out this, you need:
■ HTTP RAT located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Windows Server 2008 (host)
■ Windows 8 running in Virtual Machine
■ Windows Server 2008 in Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is same as shown in this lab.
Lab Tasks
TASK 1: HTTP RAT
1. Log in to Windows 8 Virtual Machine, and select the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.1: Windows 8 Start menu (screenshot: Windows 8 Release Preview desktop)

2. Click Services in the Start menu to launch Services.
Note: Stopping World Wide Web Publisher is mandatory as HTTP RAT runs on port 80.

FIGURE 5.2: Windows 8 Start menu Apps (screenshot: Start screen tiles including Services)
3. Disable/Stop World Wide Web Publishing Services.

FIGURE 5.3: Administrative tools - Services Window (screenshot: the Services console with World Wide Web Publishing Service selected; its description reads "Provides Web connectivity and administration through the Internet Information Services Manager")

4. Right-click the World Wide Web Publishing service and select Properties to disable the service.
FIGURE 5.4: Disable/Stop World Wide Web publishing services (screenshot: the service Properties dialog, General tab: Service name W3SVC, Path to executable C:\Windows\system32\svchost.exe -k iissvcs, Startup type Disabled, Service status Stopped)
5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
Note: The send notification option can be used to send the details to your Mail ID.

FIGURE 5.5: HTTP RAT main window (screenshot: HTTP RAT 0.31 "backdoor Webserver" by zOmbie, with the settings send notification with ip address to mail, SMTP server for sending mail, your email address, close FireWalls, server port 80, and the Create and Exit buttons)
6. Disable the Send notification with ip address to mail option.
7. Click Create to create a httpserver.exe file.
FIGURE 5.6: Create backdoor (screenshot: HTTP RAT 0.31 with the notification option unchecked and server port 80)

Note: The created httpserver will be placed in the tool directory.

FIGURE 5.7: Backdoor server created successfully (screenshot: the tool reports "done!")
8. The httpserver.exe file should be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
9. Double-click the file and click Run.
FIGURE 5.8: Running the Backdoor (screenshot: Explorer view of the HTTP RAT TROJAN folder with httpserver.exe and readme, and the Open File - Security Warning dialog: Publisher Unknown Publisher, "The publisher could not be verified", "This file does not have a valid digital signature that verifies its publisher", Run / Cancel)
10. Go to Task Manager and check if the process is running.
FIGURE 5.9: Backdoor running in task manager (screenshot: Task Manager, Processes tab; Httpserver (32 bit) is listed under Background processes)
11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 machine).
[Screenshot: browser page served by HTTP_RAT reading "welcome 2 HTTP_RAT infected computer }:]" with links: running processes, browse, computer info, stop httprat, have suggestions?, homepage.]
FIGURE 5.10: Access the backdoor in host web browser
12. Click running processes to list the processes running on the Windows 8 machine.
[Screenshot: HTTP_RAT "running processes" page listing the victim's processes, each with a [kill] link: System, smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe, several svchost.exe instances, dwm.exe, spoolsv.exe, MsMpEng.exe, taskhost.exe, SearchIndexer.exe, Snagit32.exe, TscHelp.exe, SnagPriv.exe, SnagitEditor.exe, splwow64.exe, httpserver.exe, Taskmgr.exe, firefox.exe.]
FIGURE 5.11: Process list of the victim computer
13. You can kill any running process from here.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: HTTP Trojan
Information Collected / Objectives Achieved:
  Successfully sent httpserver.exe to the victim machine
  Output: Killed Processes
    System
    smss.exe
    csrss.exe
    winlogon.exe
    services.exe
    lsass.exe
    svchost.exe
    dwm.exe
    splwow64.exe
    httpserver.exe
    firefox.exe
Questions
1. Determine the ports that the HTTP proxy server Trojan uses to communicate.
Internet Connection Required
□ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Remote Access Trojans Using Atelier Web Remote Commander
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review
Lab Scenario
A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer while bypassing its security mechanisms. Trojans and backdoors are types of malware; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can be a well-known port such as 80 or a non-standard port such as 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
[Sidebar: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors]
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
• Gain access to a remote computer
• Acquire sensitive information of the remote computer
Lab Environment
To carry out this lab, you need:
■ Atelier Web Remote Commander, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a Virtual Machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
TASK 1: Atelier Web Remote Commander
Lab Tasks
1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.
2. To launch Atelier Web Remote Commander (AWRC), open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
[Screenshot: Windows Server 2012 desktop with the Start tile shown in the lower-left corner.]
FIGURE 6.1: Windows Server 2012 Start-Desktop
3. Click AW Remote Commander Professional in the Start menu apps.
[Screenshot: Windows Server 2012 Start screen with the AW Remote Commander tile under Tools.]
FIGURE 6.2: Windows Server 2012 Start Menu Apps
4. The main window of AWRC will appear as shown in the following screenshot.
[Screenshot: AWRC PRO 9.3.9 main window with the SysInfo, NetworkInfo, File System, Users and Groups and Chat tabs, the Remote Host fields, Connect and Disconnect buttons, and the Progress Report pane.]
[Sidebar: This tool is used to gain access to all the information of the remote system.]
FIGURE 6.3: Atelier Web Remote Commander main window
5. Input the IP address and the Username / Password of the remote computer.
6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123
Note: The IP addresses and credentials might differ in your lab.
7. Click Connect to access the machine remotely.
[Screenshot: AWRC Remote Host pane with the IP address, user name and password filled in.]
FIGURE 6.4: Providing remote computer details
8. The following screenshots show that you will be accessing the Windows Server 2008 remotely.
[Screenshot: AWRC PRO 9.3.9 connected to 10.0.0.13 as administrator. Progress Report: "#16:28:24 Initializing, please wait..." and "#16:28:25 Connected to 10.0.0.13"; Connection Duration: 1 Minute, 42 Seconds.]
FIGURE 6.5: Remote computer accessed
9. The Commander is connected to the Remote System. Click the SysInfo tab to view complete details of the Virtual Machine.
FIGURE 6.6: Information of the remote computer
10. Select the NetworkInfo tab to view network information.
[Screenshot: AWRC NetworkInfo tab for 10.0.0.13 listing the shares ADMIN$ (Remote Admin), C$ (Default share) and IPC$ (Remote IPC) with Max Uses "unlimited"; Connection Duration: 5 Minutes, 32 Seconds.]
FIGURE 6.7: Information of the remote computer
11. Select the File System tab. Select c: from the drop-down list and click Get.
12. This tab lists the complete files of the C: drive of Windows Server 2008.
[Screenshot: AWRC File System tab, contents of 'c:' on 10.0.0.13: $Recycle.Bin, Boot, Documents and Settings, PerfLogs, Program Files (x86), Program Files, ProgramData, System Volume Information, Users, Windows. File System: NTFS; Type: Fixed; Serial Number: 6C27-CD39; Capacity: 17,177,767,936 bytes; Free space: 6,505,771,008 bytes. Connection Duration: 6 Minutes, 18 Seconds.]
FIGURE 6.8: Information of the remote computer
13. Select Users and Groups, which will display the complete user details.
[Screenshot: AWRC Users and Groups tab, Users view. User Information for Administrator: User Account: Administrator; Password Age: 7 days 21 hours 21 minutes 33 seconds; Privilege Level: Administrator; Comment: Built-in account for administering the computer/domain; Flags: Logon script executed. Normal Account.; Workstations can log from: no restrictions; Last Logon: 9/20/2012 3:58:24 AM; Last Logoff: Unknown; Account expires: Never expires; User ID (RID): 500; Primary Global Group (RID): 513; No. Sub Authorities: 5.]
FIGURE 6.9: Information of the remote computer
[Screenshot: AWRC Users and Groups tab, Groups view, listing local groups with SIDs and comments: Administrators (S-1-5-32-544), Backup Operators (S-1-5-32-551), Certificate Service DCOM Access (S-1-5-32-574), Cryptographic Operators (S-1-5-32-569), Distributed COM Users (S-1-5-32-562), Event Log Readers (S-1-5-32-573), Guests (S-1-5-32-546); Global Groups: Ordinary users. Connection Duration: 7 Minutes, 34 Seconds.]
FIGURE 6.10: Information of the remote computer
FIGURE 6.11: Information of the remote computer
14. This tool will display all the details of the remote system.
15. Analyze the results of the remote computer.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Atelier Web Remote Commander
Information Collected / Objectives Achieved:
  Remotely accessing Windows Server 2008
  Result: System information of remote Windows Server 2008
    Network information of remote Windows Server 2008
    Viewing complete files of c: of remote Windows Server 2008
    Users and Groups details of remote Windows Server 2008
    Password hashes
Questions
1. Evaluate the ports that AWRC uses to perform operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.
Internet Connection Required
□ Yes
☑ No
Platform Supported
☑ Classroom
Detecting Trojans
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review
Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan virus from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful viruses. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of virus is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, the affected user is unaware of the possible effects until sensitive and important information is found missing from the system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks as well. The other name for backdoor Trojans is remote access Trojans. The main reason that backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org).
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
Lab Objectives
[Sidebar: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors]
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
• Analyze using Port Monitor
• Analyze using Process Monitor
• Analyze using Registry Monitor
• Analyze using Startup Program Monitor
• Create MD5 hash files for Windows directory files
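The last objective, creating MD5 hashes for Windows directory files, is the file-integrity check that the Fsum Frontend tool listed in the lab environment performs: hash every file once on a known-clean system, then re-hash later and compare. As an added example that is not part of the lab manual or of Fsum Frontend, the Python script below baselines a directory tree, stores the digests as JSON, and on a later run reports files that were added, removed or modified. The directory it hashes is constructed in a temporary folder standing in for a Windows directory, so it runs without touching the system; the file names and contents are invented for the example.

```python
"""Baseline and re-check file hashes for a directory tree (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path, algorithm: str = "md5", chunk_size: int = 1 << 16) -> str:
    """Hex digest of one file, read in chunks so large binaries never sit in memory.
    MD5 matches the lab objective; pass algorithm="sha256" for a digest that an
    adversary cannot collide deliberately."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path, algorithm: str = "md5") -> dict[str, str]:
    """Map every regular file under root (relative path, POSIX separators) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(digests: dict[str, str], out_file: Path) -> None:
    """Persist the baseline; keep this file where the monitored host cannot rewrite it."""
    Path(out_file).write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict[str, str]:
    return json.loads(Path(in_file).read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference: files that appeared, disappeared, or changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake Windows folder, then simulate a dropped
    backdoor binary and a tampered system binary, and return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"                     # constructed stand-in for C:\Windows
        (root / "System32").mkdir(parents=True)
        (root / "System32" / "dns.exe").write_bytes(b"constructed dns.exe contents")
        (root / "notepad.exe").write_bytes(b"constructed notepad.exe contents")
        baseline_file = Path(tmp) / "baseline.json"      # outside the hashed tree
        save_baseline(hash_tree(root), baseline_file)

        # Later run: an unknown binary has appeared and a known one was altered.
        (root / "System32" / "httpserver.exe").write_bytes(b"constructed backdoor contents")
        (root / "notepad.exe").write_bytes(b"constructed notepad.exe contents, altered")
        return compare(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison keys on relative paths, so a binary replaced in place shows up under "modified" while a new file such as the dropped backdoor shows up under "added"; both are what a Trojan infection of a system directory looks like to an integrity checker. Store the baseline off the monitored machine, otherwise an attacker who can alter the files can also re-baseline them.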
Lab Environment
To carry out this lab, you need:
■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\PrcView
■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ Fsum Frontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a Virtual Machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools
[Sidebar: Disabling and Deleting Entries. If you don't want an entry to activate the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns will store the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named "Autoruns disabled". Check a disabled item to re-enable it.]
Lab Duration
Time: 20 Minutes
Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
Lab Tasks
TASK 1: TCPView
1. Go to the Windows Server 2012 Virtual Machine.
2. Install TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.
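The columns listed in step 3 are exactly what a defender compares against a known-good baseline for the host. As an added example that is not part of the lab manual or of TCPView, the Python script below parses a constructed TCPView-style listing and flags every listener whose process, protocol and port triple is not in the baseline. It also illustrates the question posed at the end of the HTTP Trojan lab above: the backdoor there appeared on the victim as an unfamiliar process (httpserver.exe) serving the HTTP port, which is precisely the kind of row this check reports. The host name, PIDs, ports, the tab-separated layout and the baseline contents are assumptions made for the example.

```python
"""Compare a TCPView-style socket listing with a per-host baseline (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """One row of the listing, in the column order TCPView shows."""
    process: str
    pid: int
    protocol: str
    local_address: str
    local_port: str      # kept as text: TCPView renders well-known ports by service name
    remote_address: str
    remote_port: str
    state: str


# Constructed listing (tab-separated, header row first). The host name, PIDs and
# ports are illustrative. The last row mirrors what the HTTP RAT lab produced on
# the victim: an unfamiliar binary listening on the HTTP port.
SAMPLE_LISTING = """\
Process\tPID\tProtocol\tLocal Address\tLocal Port\tRemote Address\tRemote Port\tState
dns.exe\t1572\tTCP\tWIN-LAB\tdomain\tWIN-LAB\t0\tLISTENING
dns.exe\t1572\tUDP\tWIN-LAB\tdomain\t*\t*\t
svchost.exe\t892\tTCP\tWIN-LAB\tepmap\tWIN-LAB\t0\tLISTENING
System\t4\tTCP\tWIN-LAB\tmicrosoft-ds\tWIN-LAB\t0\tLISTENING
System\t4\tTCP\tWIN-LAB\tnetbios-ssn\tWIN-LAB\t0\tLISTENING
firefox.exe\t2210\tTCP\t10.0.0.12\t49231\t10.0.0.13\thttps\tESTABLISHED
httpserver.exe\t3120\tTCP\tWIN-LAB\thttp\tWIN-LAB\t0\tLISTENING
"""

# Constructed baseline of (process, protocol, local port) triples this host is
# expected to expose. In practice it comes from a snapshot of a known-clean build.
BASELINE = {
    ("dns.exe", "TCP", "domain"),
    ("dns.exe", "UDP", "domain"),
    ("svchost.exe", "TCP", "epmap"),
    ("System", "TCP", "microsoft-ds"),
    ("System", "TCP", "netbios-ssn"),
}


def parse_listing(text: str) -> list[Endpoint]:
    """Turn the tab-separated listing into Endpoint records, skipping the header row."""
    endpoints = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
        proc, pid, proto, laddr, lport, raddr, rport, state = fields
        endpoints.append(Endpoint(proc, int(pid), proto, laddr, lport, raddr, rport, state))
    return endpoints


def is_listener(ep: Endpoint) -> bool:
    """TCP sockets waiting for clients report LISTENING. UDP has no connection
    state, so an unbound remote side ('*') is what marks a socket that accepts datagrams."""
    return ep.state == "LISTENING" or (ep.protocol == "UDP" and ep.remote_address == "*")


def unexpected_listeners(endpoints: list[Endpoint], baseline: set) -> list[Endpoint]:
    """Listeners whose (process, protocol, port) triple is absent from the baseline.
    A familiar port served by an unfamiliar process is caught as well, because the
    whole triple has to match."""
    return [ep for ep in endpoints
            if is_listener(ep) and (ep.process, ep.protocol, ep.local_port) not in baseline]


def report(text: str, baseline: set) -> list[str]:
    """One finding line per unexpected listener in the listing."""
    return [f"{ep.process} (PID {ep.pid}) listening on {ep.protocol}/{ep.local_port} is not in the baseline"
            for ep in unexpected_listeners(parse_listing(text), baseline)]


if __name__ == "__main__":
    for finding in report(SAMPLE_LISTING, BASELINE):
        print(finding)
```

Established outbound connections such as the browser session are deliberately not flagged; the check is about what the host offers to the network, which is where a backdoor has to show itself to be reachable. Because the baseline keys on the process name too, a Trojan that squats on a familiar port under a different binary name is still reported.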
[Screenshot: TCPView - Sysinternals: www.sysinternals.com, main window. Columns: Process, PID, Protocol, Local Address, Local Port, Remote Address, Remote Port. dns.exe (PID 1572) holds one TCP listener on the "domain" port and many UDP sockets on ephemeral ports (49512 and up), all bound to the local host name.]
[Sidebar: You should delete items that you do not wish to ever execute. Do so by choosing Delete in the Entry menu. Only the currently selected item will be deleted.]
FIGURE 8.1: TCPView main window
4. The TCPView tool performs port monitoring.
[Screenshot: TCPView main window listing several svchost.exe instances (TCP listeners on a range of ports; UDP sockets on bootps, bootpc, isakmp, teredo, ipsec-msft and llmnr) and the System process with TCP listeners on netbios-ssn, microsoft-ds, http and https.]
[Sidebar: If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.]
FIGURE 8.2: TCPView main window
5. Now it is analyzing the SMTP and other ports.
[Screenshot: TCPView - Sysinternals: www.sysinternals.com, analyzing ports, now showing the Remote Address, Remote Port and State columns. TCP listeners show remote port 0 and state LISTENING, UDP sockets show "*", and two TCP connections to remote hosts are in state ESTABLISHED.]
[Sidebar: Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.]
[Sidebar: There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click on the entry or location's line in the display.]
FIGURE 8.3: TCPView analyzing ports
You can also kill a process by double-clicking that process, and then clicking the End Process button.
[Screenshot: "Properties for dns.exe: 1572" dialog. Domain Name System (DNS) Server, Microsoft Corporation; Version: 6.02.8400.0000; Path: C:\Windows\System32\dns.exe; buttons End Process and OK.]
FIGURE 8.4: Killing Processes
TASK 2: Autoruns
Go to the Windows Server 2012 Virtual Machine.
Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns. It lists all processes, DLLs, and services.