Ceh v8 labs module 06 trojans and backdoors

  1. CEH Lab Manual: Trojans and Backdoors, Module 06
  2. Module 06 - Trojans and Backdoors
     Trojans and Backdoors
     A Trojan is a program that contains a malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review.
     Lab Scenario
     According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans are serious risks to any mobile device. Malicious Android apps are a real problem, the FBI warns, because the mobile environment is open and personal and sensitive information is stored on the devices. But experts say the real problem is that any compromised device is potentially open to malicious control, and to financial fraud from anywhere.
     According to security experts, Citadel, an advanced variant of the Zeus Trojan that is sold on the black market, is a keylogger specifically designed for financial fraud: it steals online-banking credentials by capturing keystrokes, and hackers then use the stolen login IDs and passwords to access online-banking accounts, take them over, and schedule fraudulent transactions.
     You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
     Lab Objectives
     The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
     ■ Creating a server and testing a network for attack
     ■ Detecting Trojans and backdoors
     ■ Attacking a network using sample Trojans and documenting all detected vulnerabilities and flaws
     Lab Environment
     To carry out this, you need:
     ■ Windows Server 2008 computer running as Guest-1 in virtual machine
     ■ Windows 7 running as Guest-2 in virtual machine
     ■ A web browser with Internet access
     ■ Administrative privileges to run tools
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
     CEH Lab Manual Page 425
     Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Lab Duration
     Time: 40 Minutes
     Overview of Trojans and Backdoors
     A Trojan is a program that contains malicious code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker gets access to the stored passwords in the computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.
     Lab Tasks
     TASK 1: Overview
     Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
     Recommended labs to assist you with Trojans and backdoors:
     ■ Creating a Server Using the ProRat Tool
     ■ Wrapping a Trojan Using One File EXE Maker
     ■ Proxy Server Trojan
     ■ HTTP Trojan
     ■ Remote Access Trojans Using Atelier Web Remote Commander
     ■ Detecting Trojans
     ■ Creating a Server Using the Theef
     ■ Creating a Server Using the Biodox
     ■ Creating a Server Using the MoSucker
     ■ Hack Windows 7 using Metasploit
     Lab Analysis
     Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
     CEH Lab Manual Page 426
  4. Lab: Creating a Server Using the ProRat Tool
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review.
     Lab Scenario
     As more and more people regularly use the Internet, cyber security is becoming important for everyone, yet not many people are protecting their information with security. Hackers can hack your machine by infecting it with malware; viruses, worms, and Trojan horses are malware. But hackers can also sniff your personal information, financial data, and business data, which means that another machine may be listening to your communication. Other hacker attacks include spoofing, hijacking, mapping, and denial-of-service attacks, which make target computers unavailable for normal business. Some hackers take control of high-profile web servers such as those of banks and credit card gateways.
     You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
     Lab Objectives
     The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
     ■ Creating a server and testing the network for attack
     ■ Detecting Trojans and backdoors
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
     CEH Lab Manual Page 427
  5. ■ Attacking a network using sample Trojans and documenting all detected vulnerabilities and flaws
     Lab Environment
     To carry out this, you need:
     ■ ProRat tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
     ■ A computer running Windows Server 2012 as Host Machine
     ■ A computer running Windows 8 (Virtual Machine)
     ■ Windows Server 2008 running in Virtual Machine
     ■ A web browser with Internet access
     ■ Administrative privileges to run tools
     Lab Duration
     Time: 20 Minutes
     Overview of Trojans and Backdoors
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Note: The versions of the created client or host and their appearance may differ from what is shown in this lab, but the actual process of creating the server and accessing the website is the same as shown in this lab.
     Lab Tasks
     TASK 1: Create Server with ProRat
     1. Launch the Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
     2. Double-click ProRat.exe in the Windows 8 Virtual Machine.
     3. Click Create Pro Rat Server to start preparing to create a server.
     CEH Lab Manual Page 428
  6. FIGURE 1.1: ProRat main window
     4. The Create Server window appears.
     FIGURE 1.2: ProRat Create Server window (Notifications panel: Pro Connective Notification supports reverse connection; Mail, ICQ Pager, and CGI notifications do not support reverse connection)
     5. Click General Settings to change features such as Server Port, Server Password, Victim Name, and Port Number, as shown in the following screenshot.
     6. Uncheck the highlighted options to have the victim connect to you as you wish, or leave the connection settings default.
     Note: Password button: retrieves passwords from many services, such as POP3 accounts, messenger, IE, mail, etc.
     CEH Lab Manual Page 429
  7. FIGURE 1.3: ProRat Create Server - General Settings (Server Port, Server Password, Victim Name, and the server protection and invisibility options)
     Note: You can use Dynamic DNS to connect over the Internet by using a no-ip account registration.
     7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server.
     8. Check Bind server with a file, click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.
     9. Select the Girl.jpg file to bind with the server.
     Note: Clipboard: reads data from random access memory.
     FIGURE 1.4: ProRat binding with a file
     CEH Lab Manual Page 430
  8. 10. Select Girl.jpg in the Look in: window and then click Open to bind the file.
     Note: VNC Trojan starts a server daemon in the infected system.
     FIGURE 1.5: ProRat binding an image
     11. Click OK after selecting the image for binding with a server.
     Note: File manager: manages the victim directory for add, delete, and modify.
     12. In Server Extensions settings, select EXE (Has icon support) in the Select Server Extension options.
     CEH Lab Manual Page 431
  9. FIGURE 1.7: ProRat Server Extensions settings (Select Server Extension: EXE, SCR, PIF, COM, BAT)
     Note: Give Damage: formats the entire system files.
     13. In Server Icon settings, select any of the icons, and click the Create Server button at the bottom right of the ProRat Create Server window.
     Note: It connects to the victim using any VNC viewer with the password "secret."
     FIGURE 1.8: ProRat creating a server
     14. Click OK after the server has been prepared, as shown in the following screenshot.
     CEH Lab Manual Page 432
  10. FIGURE 1.9: ProRat server has been created
     15. Now you can send the server file, created in the same current directory, to the victim's machine by mail or any communication media (for example, as a celebration file) to run.
     Note: HTTP/HTTPS Trojan: an HTTP Trojan is a small server that can be embedded inside any program. It can be wrapped with a genuine program (game, chess.exe). When executed, it turns a computer into an invisible web server.
     FIGURE 1.10: ProRat Create Server (Explorer view of the ProRat folder showing binded_server)
     16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
     17. Double-click binder_server.exe as shown in the following screenshot.
     CEH Lab Manual Page 433
  11. FIGURE 1.11: ProRat folder in Windows Server 2008
     18. Now switch to the Windows 8 Virtual Machine, enter the IP address of the Windows Server 2008 and the port number (leave the default) in the ProRat main window, and click Connect.
     Note: ICMP Trojan: covert channels are methods in which an attacker can hide data in a protocol that is undetectable.
     19. In this lab, the IP address of Windows Server 2008 is 10.0.0.13.
     Note: IP addresses might differ in classroom labs.
     FIGURE 1.12: ProRat connecting to the infected server
     20. Enter the password you provided at the time of creating the server and click OK.
     CEH Lab Manual Page 434
  12. FIGURE 1.13: ProRat connection window (Password prompt)
     21. Now you are connected to the victim machine. To test the connection, click PC Info and choose the victim system information, as in the following figure.
     Note: Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.
     FIGURE 1.14: ProRat connected computer window (PC Information: Computer Name, User Name, Windows Ver, Windows Language, Windows Path, System Path, Temp Path, Product Id, Workgroup, Data)
     TASK 2: Attack System Using Keylogger
     22. Now click KeyLogger to steal user passwords for the online system.
     FIGURE 1.15: ProRat KeyLogger button
     CEH Lab Manual Page 435
  13. 23. The Key Logger window will appear.
     Note: This Trojan works like a remote desktop access. The hacker gains complete GUI access to the remote system:
     ■ Infect the victim's computer with server.exe and plant a Reverse Connecting Trojan.
     ■ The Trojan connects from the victim's port to the attacker, establishing a reverse connection.
     ■ The attacker then has complete control over the victim's machine.
     FIGURE 1.16: ProRat KeyLogger window
     24. Now switch to the Windows Server 2008 machine, open a browser or Notepad, and type any text.
     Note: Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.
     FIGURE 1.17: Test message typed in Windows Server 2008 Notepad
     25. While the victim is writing a user name and password, you can capture the data or entity.
     26. Now switch to the Windows 8 Virtual Machine and click Read Log to check for log updates from the victim machine.
     CEH Lab Manual Page 436
  14. FIGURE 1.18: ProRat KeyLogger window (Key Log Received)
     Note: ProRat Keylogger will not read special characters.
     Note: Now you can use a lot of features from ProRat on the victim's machine.
     Lab Analysis
     Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
     Questions
     1. Create a server with advanced options, such as Kill AV-FW on victim start, disable Windows XP Firewall, etc., send it to the victim machine, and examine whether you can connect to it and communicate with the victim machine.
     2. Evaluate and verify various methods to connect to victims if they are in other cities or countries.
     CEH Lab Manual Page 437
  15. Tool/Utility: ProRat
     Information Collected / Objectives Achieved:
     Successful Output:
       Blinded server.exe creation: Yes
       Connection: Yes
       PC Information:
         Computer Name: WIN-EGBHISG14L0
         User Name: Administrator
         Windows Ver:
         Windows Language: English (United States)
         Windows Path: c:\windows
         System Path: c:\windows\system32
         Temp Path: c:\Users\ADMINI~1
         Product ID:
         Workgroup: NO
         Data: 9/23/2012
     Internet Connection Required: [ ] Yes  [x] No
     Platform Supported: [x] Classroom  [ ] iLabs
     CEH Lab Manual Page 438
  16. Lab: Wrapping a Trojan Using One File EXE Maker
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review.
     Lab Scenario
     Sometimes an attacker makes a very secure backdoor, even safer than the normal way to get into the system, and sets a password for the backdoor in order to keep other attackers from getting into the victim's system. Many attackers use a backdoor to get into the victim system easily in the future; it is installed as a layer in the system. After getting a backdoor installed, the attacker could run it and use it to control the victim system. Usually a normal user never verifies a website, chat, or SSH authentication before downloading and running applications. One way an attacker gets a backdoor installed is using ActiveX: the website shows an embedded message and the user runs the ActiveX on his or her machine without knowledge about it. Another way is using Trojans and backdoors. Compared with this, protecting your system from attackers needs harder access, authentication, and extensive logging.
     You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
     Lab Objectives
     The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
     ■ Wrapping a Trojan with a game in Windows Server 2008
     ■ Running the Trojan to access the game on the front end
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
     CEH Lab Manual Page 439
  17. ■ Analyzing the Trojan running in the back end
     Lab Environment
     To carry out this, you need:
     ■ OneFileEXEMaker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
     ■ A computer running Windows Server 2012 (host)
     ■ Windows Server 2008 running in a virtual machine
     ■ If you decide to download the latest version, then the screenshots shown in the lab might differ
     ■ Administrative privileges to run tools
     Lab Duration
     Time: 20 Minutes
     Overview of Trojans and Backdoors
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Note: The versions of the created client or host and their appearance may differ from what is shown in this lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
     Lab Tasks
     TASK 1: OneFile EXE Maker
     1. Install OneFileEXEMaker on the Windows Server 2008 Virtual Machine.
     FIGURE 3.1: One File EXE Maker home screen (Senna Spy One EXE Maker 2000 - 2.0a; Official Website: http://sennaspy.tsx.org; e-mail: senna_spy@hotmail.com; ICQ UIN 3973927. "Join many files and make a unique EXE file. This program allow join all kind of files: exe, dll, ocx, txt, jpg, bmp. Automatic OCX file register and Pack files support. Windows 9x, NT and 2000 compatible!" Copyright (C) 1998-2000 By Senna Spy. Options: Short File Name, Parameters, Open Mode, Copy To, Action; Open Mode: Normal, Maximized, Minimized, Hide; Copy To: Windows, System, Temp, Root; Action: Open/Execute, Copy Only; Pack Files?)
     CEH Lab Manual Page 440
2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.

Note: You can set various tool options such as Open mode, Copy to, and Action.

FIGURE 3.2: Adding Lazaris game

3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.

FIGURE 3.3: Adding MCAFEE.EXE proxy server

4. Select Mcafee and type 8080 in the Command Line Parameters field.
FIGURE 3.4: Assigning port 8080 to MCAFEE

5. Select Lazaris and check the Normal option in Open Mode.

FIGURE 3.5: Setting Lazaris open mode

6. Click Save, browse to the desktop, save the file there, and name the file Tetris.exe.
FIGURE 3.6: Trojan created

7. Now double-click to open the Tetris.exe file. This will launch the Lazaris game on the front end; McAfee will run in the background.

FIGURE 3.7: Lazaris game running

8. Now open Task Manager and click the Processes tab to check that it is running.
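A wrapped file like the Tetris.exe built above carries more than one executable image inside it, and a triage script can notice that without running anything. The following Python example is added here and is not part of the lab manual or of the One EXE Maker tool: it walks a file's bytes and reports every DOS header whose e_lfanew field points at a valid PE signature, so a second hit marks the file as a container. The sample blobs are constructed in the script (they are not real binaries), and the e_lfanew bound of 0x1000 is an assumption chosen to discard stray "MZ" byte pairs in data sections.

```python
"""Triage check for wrapped ("joined") executables.

A wrapper such as the One EXE Maker used above bundles several files into a single
.exe, so the resulting file carries more than one PE image. This script walks a
file's bytes and reports every offset where a DOS header points at a valid PE
signature; more than one hit is a strong hint that the file is a container.
"""
import struct

PE_SIGNATURE = b"PE\0\0"


def find_pe_headers(data: bytes) -> list[int]:
    """Return the offsets of all DOS headers whose e_lfanew points at a PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # The DOS header is 0x40 bytes; e_lfanew lives at offset 0x3C of it.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Real images keep the PE header close to the DOS header; the upper
            # bound (an assumption) weeds out random "MZ" byte pairs in data sections.
            if 0x40 <= e_lfanew <= 0x1000 and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def is_wrapped(data: bytes) -> bool:
    """True when the blob contains at least one PE image beyond the outer one."""
    return len(find_pe_headers(data)) > 1


def build_fake_pe(tag: bytes) -> bytes:
    """Constructed sample: a 0x40-byte DOS header plus a PE signature (not a real binary)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(dos) + PE_SIGNATURE + tag


# Constructed inputs standing in for Tetris.exe (wrapper stub + game + proxy) and a plain game.
SAMPLE_WRAPPED = build_fake_pe(b"stub") + b"\0" * 64 + build_fake_pe(b"game") + build_fake_pe(b"proxy")
SAMPLE_CLEAN = build_fake_pe(b"game")


def scan_file(path: str) -> list[int]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return find_pe_headers(fh.read())


if __name__ == "__main__":
    for name, blob in (("wrapped", SAMPLE_WRAPPED), ("clean", SAMPLE_CLEAN)):
        print(name, find_pe_headers(blob), "wrapped" if is_wrapped(blob) else "single image")
```

Self-extracting installers and programs that keep helper executables in their resource section also produce multiple hits, so treat the result as a reason to look closer (what the extra images are, whether the file is signed, what it spawns at run time) rather than as a verdict on its own.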
FIGURE 3.8: MCAFEE in Task Manager (the Processes tab shows both LAZARIS.EXE and MCAFEE.EXE running under the Administrator account)

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OneFile EXE Maker
Information Collected / Objectives Achieved: Output: Using a backdoor, execute Tetris.exe

Questions

1. Use various other options of OneFileEXEMaker, such as the Open mode, Copy to, and Action sections, and analyze your results.
2. How will you secure your computer from OneFileEXEMaker attacks?

Internet Connection Required: □ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs
Proxy Server Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:

• Starting McAfee Proxy
• Accessing the Internet using McAfee Proxy

Lab Environment

To carry out this, you need:

■ McAfee Trojan located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Duration

Time: 20 Minutes
Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: Proxy server - Mcafee

1. In the Windows Server 2008 Virtual Machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types, right-click Proxy Server Trojans, and select CmdHere from the context menu.

FIGURE 4.1: Windows Server 2008: CmdHere

2. Now type the command dir to check the folder contents.

FIGURE 4.2: Directory listing of Proxy Server folder

3. The following image lists the directories and files in the folder.
FIGURE 4.3: Contents of the Proxy Server folder (the dir output lists one file, mcafee.exe, and a subdirectory named W3bPr0xy Tr0j4nCr34t0r)

4. Type the command mcafee 8080 to run the service in Windows Server 2008.

FIGURE 4.4: Starting mcafee tool on port 8080

5. The service has started on port 8080.

6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet on port 8080.

7. In this lab, launch Chrome and select Settings as shown in the following figure.

Note: This process can be performed in any browser after setting the LAN settings for the respective browser.

FIGURE 4.5: Internet option of a browser in Windows Server 2012
8. Click the Show advanced settings link to view the Internet settings.

FIGURE 4.6: Advanced Settings of Chrome Browser

9. In Network Settings, click Change proxy settings.

FIGURE 4.7: Changing proxy settings of Chrome Browser

10. In the Internet Properties window, click LAN settings to configure proxy settings.
FIGURE 4.8: LAN Settings of a Chrome Browser (Internet Properties, Connections tab, with the LAN settings button)

11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.

12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.

FIGURE 4.9: Proxy settings of LAN in Chrome Browser (Address: 10.0.0.13, Port: 8080)

13. Now access any web page in the browser (example: www.bbc.co.uk).
FIGURE 4.10: Accessing web page using proxy server

14. The web page will open.

15. Now go back to Windows Server 2008 and check the command prompt.

FIGURE 4.11: Background information on Proxy server (the mcafee 8080 console logs each proxied request, such as www.bbc.co.uk:80 / and static.bbci.co.uk /frameworks/barlesque/2.10.0/desktop/3.5/style/main.css, each followed by "Accepting New Requests!")

16. You can see that we have accessed the Internet using the proxy server Trojan.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
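On the Windows Server 2008 side, the proxy Trojan is visible as a new process owning TCP port 8080 and holding a connection from the host that browses through it. The Python example below is added here and is not part of the lab manual or of the tool: it joins `netstat -ano` rows with `tasklist` rows, compares every listening port against a known-good baseline of port-to-image pairs, and lists the peers connected to anything outside that baseline. The two command outputs and the baseline are constructed samples modelled on the lab (the 10.0.0.13 server, the 10.0.0.12 host, and the mcafee.exe image name), not captures from the lab machines.

```python
"""Spot an unexpected listener on a Windows host from netstat/tasklist output.

The proxy Trojan above shows up as a new process owning TCP port 8080 and holding
a connection from the host that browses through it. The check below joins
`netstat -ano` rows with `tasklist` rows and reports listeners that are not in a
known-good baseline, together with any peers currently connected to them.
"""
import re

# Constructed sample output modelled on the lab (not captured from the lab machine).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1152
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2816
  TCP    10.0.0.13:8080         10.0.0.12:51234        ESTABLISHED     2816
  TCP    10.0.0.13:3389         10.0.0.12:50010        ESTABLISHED     1152
"""

TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        304 K
svchost.exe                    700 Services                   0      3,648 K
svchost.exe                   1152 Services                   0     13,508 K
mcafee.exe                    2816 Console                    1        580 K
"""

# Baseline of ports this server is supposed to expose, keyed to the owning image (assumed).
BASELINE = {135: "svchost.exe", 445: "System", 3389: "svchost.exe"}

_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(Services|Console)\s")


def parse_netstat(text):
    """Return (local_port, remote, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            rows.append((int(m.group(2)), f"{m.group(3)}:{m.group(4)}", m.group(5), int(m.group(6))))
    return rows


def parse_tasklist(text):
    """Map PID -> image name."""
    images = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def find_unexpected_listeners(netstat_text, tasklist_text, baseline=BASELINE):
    """Return [(port, pid, image, [connected peers])] for listeners outside the baseline."""
    rows = parse_netstat(netstat_text)
    images = parse_tasklist(tasklist_text)
    findings = []
    for port, _remote, state, pid in rows:
        if state != "LISTENING":
            continue
        image = images.get(pid, "<unknown>")
        # Flag when the port is not baselined, or a different image than expected owns it.
        if baseline.get(port) != image:
            peers = sorted(r for p, r, s, q in rows if q == pid and s == "ESTABLISHED" and p == port)
            findings.append((port, pid, image, peers))
    return findings


if __name__ == "__main__":
    for port, pid, image, peers in find_unexpected_listeners(NETSTAT_ANO, TASKLIST):
        print(f"port {port} owned by {image} (PID {pid}); connected peers: {peers or 'none'}")
```

The image name is deliberately not trusted on its own: the lab's Trojan is literally named mcafee.exe, so the check keys on the port and owning process pair against a baseline you recorded when the server was known clean, and it treats an 8080 listener with an outside peer as the finding regardless of what the binary calls itself.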
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan
Information Collected / Objectives Achieved: Output: Use the proxy server Trojan to access the Internet. Accessed webpage: www.bbc.co.uk

Questions

1. Determine whether the McAfee HTTP Proxy Server Trojan supports other ports apart from 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required: ☑ Yes  □ No
Platform Supported: ☑ Classroom  □ iLabs
HTTP Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system to continuously steal various types of information from it, for example, a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's log. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.

You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

The objectives of the lab include:

• To run HTTP Trojan on Windows Server 2008
• Access the Windows Server 2008 machine process list using the HTTP Proxy
• Kill running processes on the Windows Server 2008 Virtual Machine

Lab Environment

To carry out this, you need:
■ HTTP RAT located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Windows Server 2008 (host)
■ Windows 8 running in a Virtual Machine
■ Windows Server 2008 in a Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: HTTP RAT

1. Log in to the Windows 8 Virtual Machine, and open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 5.1: Windows 8 Start menu

2. Click Services in the Start menu to launch Services.
FIGURE 5.2: Windows 8 Start menu Apps

Note: Disabling the World Wide Web Publishing service is mandatory, as HTTP RAT runs on port 80.

3. Disable/Stop the World Wide Web Publishing Service.

FIGURE 5.3: Administrative tools - Services Window

4. Right-click the World Wide Web Publishing service and select Properties to disable the service.
FIGURE 5.4: Disable/Stop World Wide Web Publishing Service (Service name: W3SVC; Path to executable: C:\Windows\system32\svchost.exe -k iissvcs; Startup type: Disabled; Service status: Stopped)

5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

Note: The send notification option can be used to send the details to your Mail ID.

FIGURE 5.5: HTTP RAT main window (HTTP RAT 0.31, backdoor webserver, server port 80)

6. Disable the Send notification with ip address to mail option.

7. Click Create to create a httpserver.exe file.
FIGURE 5.6: Create backdoor

Note: The created httpserver will be placed in the tool directory.

FIGURE 5.7: Backdoor server created successfully

8. The httpserver.exe file should be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

9. Double-click the file and click Run.
FIGURE 5.8: Running the Backdoor (the Open File - Security Warning dialog reports "Publisher: Unknown Publisher" and that the file does not have a valid digital signature that verifies its publisher)

10. Go to Task Manager and check if the process is running.

FIGURE 5.9: Backdoor running in Task Manager (Httpserver (32 bit) appears under Background processes)

11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 machine).
FIGURE 5.10: Accessing the backdoor in the host web browser

12. Click running processes to list the processes running on the Windows 8 machine. The page served by HTTP_RAT shows a kill link next to each process, and menu entries for running processes, browse, computer info, stop httprat and homepage.

FIGURE 5.11: Process list of the victim computer

13. You can kill any running process from here.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTP Trojan

Information Collected/Objectives Achieved: Successfully sent httpserver.exe to the victim machine.
Output: killed processes System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe and firefox.exe.

Note: System cannot be terminated, and killing csrss.exe, winlogon.exe or lsass.exe crashes or forces a reboot of the victim, so an operator who wants to keep the backdoor alive would not touch those entries.

Questions

1. Determine the ports that the HTTP proxy server Trojan uses to communicate.

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Remote Access Trojans Using Atelier Web Remote Commander

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer while bypassing its security mechanisms. Trojans and backdoors are types of bad-ware; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can be a well-known port such as 80 or an out-of-the-norm port such as 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:

• Gain access to a remote computer
• Acquire sensitive information from the remote computer

Lab Environment

To carry out this lab, you need:

1.
Atelier Web Remote Commander, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser to access the Internet
■ Administrative privileges to run the tools

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The version and appearance of the client or host may differ from what is shown in the lab (the screenshots below were taken on Windows Server 2012), but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

TASK 1: Atelier Web Remote Commander

Lab Tasks

1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.

2. To launch AWRC, open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 6.1: Windows Server 2012 Start-Desktop

3. Click AW Remote Commander Professional in the Start menu apps.
FIGURE 6.2: Windows Server 2012 Start Menu Apps

4. The main window of AWRC (AWRC PRO 9.3.9 in the screenshot) appears as shown in the following screenshot.

FIGURE 6.3: Atelier Web Remote Commander main window

This tool is used to gain access to all the information of the remote system.

5. Input the IP address and username/password of the remote computer.

6. In this lab we have used Windows Server 2008 (10.0.0.13):
   ■ User name: Administrator
   ■ Password: qwerty@123

Note: The IP addresses and credentials might differ in your lab. The lab supplies the remote machine's own Administrator credentials; everything the tool shows from here on is what any attacker holding those credentials could obtain.

7. Click Connect to access the machine remotely.
FIGURE 6.4: Providing remote computer details

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

8. The following screenshot shows that you are now accessing Windows Server 2008 remotely (the Progress Report pane logs "Connected to 10.0.0.13").

FIGURE 6.5: Remote computer accessed

9. The Commander is connected to the remote system. Click the SysInfo tab to view complete details of the virtual machine.
FIGURE 6.6: Information of the remote computer

10. Select the NetworkInfo tab, where you can view network information. The Shares view lists each share with its path, remark, permissions and current uses; on the lab target these are ADMIN$ (Remote Admin), C$ (Default share) and IPC$ (Remote IPC).

FIGURE 6.7: Information of the remote computer

11. Select the File System tab. Select c: from the drop-down list and click Get.

12. This tab lists the complete files of the C: drive of Windows Server 2008, together with the file system type (NTFS), serial number, capacity and free space.
FIGURE 6.8: Information of the remote computer

13. Select Users and Groups, which displays the complete user details: for each account the privilege level, password age, last logon, RID and SID, plus separate Groups and Password Hashes views.
FIGURE 6.9: Information of the remote computer
The Groups view lists the built-in local groups with their SIDs and descriptions (Administrators S-1-5-32-544, Backup Operators S-1-5-32-551, Event Log Readers S-1-5-32-573, Guests S-1-5-32-546, and so on).

FIGURE 6.10: Information of the remote computer

FIGURE 6.11: Information of the remote computer

14. This tool displays all the details of the remote system.

15. Analyze the results from the remote computer.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Atelier Web Remote Commander

Information Collected/Objectives Achieved: Remotely accessing Windows Server 2008
Result:
■ System information of the remote Windows Server 2008
■ Network information and share paths of the remote Windows Server 2008
■ Complete file listing of C: on the remote Windows Server 2008
■ User and group details of the remote Windows Server 2008
■ Password hashes

Questions

1. Evaluate the ports that AWRC uses to perform operations.

2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required: No
Platform Supported: Classroom
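From the target's side, the session this lab just performed is a network logon by the Administrator account followed by use of the administrative shares that the NetworkInfo tab listed (ADMIN$, C$, IPC$). The following Python script is an added example for this lab, not part of the CEH manual or of Atelier Web Remote Commander: it triages constructed Windows Security log records (Event 4624 logons and Event 5140 share accesses) and reports privileged network logons from hosts that are not on an allow list, together with the admin shares they touched. Which ports AWRC itself uses is the lab's first question and is not assumed here; the allow list and the privileged-account list are invented for illustration, and every record is constructed rather than captured.

```python
"""Detecting remote administrative access of the kind this lab performs.

Added example; not part of the CEH manual or of Atelier Web Remote Commander.
Assumptions (this example's own): events are dicts carrying the Security log
field names (EventID, LogonType, TargetUserName, IpAddress, ShareName); the
privileged-account and allowed-host lists are site-specific and invented; all
records below are constructed, not captured from a real host.
"""

PRIVILEGED = {"administrator"}      # accounts that should not roam (assumed)
ALLOWED_ADMIN_HOSTS = {"10.0.0.2"}  # jump hosts allowed to administer (assumed)
# Share names exactly as Event 5140 records them (\\*\ADMIN$ and friends).
ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$", "\\\\*\\IPC$"}
HIGH_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$"}  # code or data can move through these

# Constructed records as 10.0.0.13 (the lab's Windows Server 2008) would log them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "Administrator",
     "IpAddress": "127.0.0.1"},                                  # console logon
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "IpAddress": "10.0.0.11"},                                  # network logon
    {"EventID": 5140, "SubjectUserName": "Administrator",
     "IpAddress": "10.0.0.11", "ShareName": "\\\\*\\IPC$"},
    {"EventID": 5140, "SubjectUserName": "Administrator",
     "IpAddress": "10.0.0.11", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "SubjectUserName": "Administrator",
     "IpAddress": "10.0.0.11", "ShareName": "\\\\*\\C$"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "IpAddress": "10.0.0.2"},                                   # allowed jump host
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "bob",
     "IpAddress": "10.0.0.11"},                                  # unprivileged
]


def remote_admin_sessions(events, privileged=PRIVILEGED, allowed=ALLOWED_ADMIN_HOSTS):
    """Map source IP -> admin shares touched, for network logons (type 3) by a
    privileged account from a host that is not on the allow list.

    Console logons (type 2), allowed hosts and unprivileged accounts are
    ignored, so the result is empty on a quiet host."""
    sessions = {}
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 3
                and str(e.get("TargetUserName", "")).lower() in privileged
                and e.get("IpAddress") not in allowed):
            sessions.setdefault(e["IpAddress"], [])
    for e in events:  # second pass: attach share use to the flagged sources
        if (e.get("EventID") == 5140 and e.get("IpAddress") in sessions
                and e.get("ShareName") in ADMIN_SHARES):
            sessions[e["IpAddress"]].append(e["ShareName"])
    return sessions


def severity(shares):
    """ADMIN$ or C$ access means files could have been read or dropped;
    IPC$ alone is enumeration; a bare logon is the lowest tier."""
    if set(shares) & HIGH_SHARES:
        return "high"
    return "medium" if shares else "low"


if __name__ == "__main__":
    for ip, shares in sorted(remote_admin_sessions(SAMPLE_EVENTS).items()):
        print("%s  privileged network logon  %-6s  shares: %s"
              % (ip, severity(shares), ", ".join(shares) or "none"))
```

Event 5140 is only written when the File Share subcategory of Object Access auditing is enabled on the target, so the share-level detail depends on that policy; the 4624 logon is recorded by default. The same check applies to any remote administration tool or RAT that authenticates with stolen administrator credentials, which is why the allow list of administration hosts, not the tool name, is what the rule keys on.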
Detecting Trojans

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Most individuals are confused about the possible ways to remove a Trojan from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful software. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of malware is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, a concerned user is unaware of the possible effects until sensitive and important information is found missing from a system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks as well. The other name for backdoor Trojans is remote access Trojans. The main reason that backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org).

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

The objectives of the lab include:

• Analyze using Port Monitor
• Analyze using Process Monitor
• Analyze using Registry Monitor
• Analyze using Startup Program Monitor
• Create MD5 hash files for Windows directory files
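The last objective above, creating hash files for the Windows directory, is only useful if the hashes are kept and compared later, because a Trojan that replaces or adds a file is found by the difference, not by the digest itself. The following Python script is an added example for this lab, not part of the CEH manual or of Fsum Frontend: it hashes every regular file under a directory, saves the digests as a baseline, and on a later run reports added, removed and modified files. It uses SHA-256 rather than the lab's MD5 because MD5 collisions are practical and a Trojaned file can be given a chosen MD5; that choice, the JSON baseline format and the command-line usage are this example's own assumptions.

```python
"""File-integrity baseline for a directory tree.

Added example for this lab; not part of the CEH manual or of Fsum Frontend.
Assumptions (this example's own): SHA-256 instead of the lab's MD5, because
MD5 collisions are practical; the baseline is a JSON file mapping relative
path -> hex digest; usage is  integrity.py baseline|check <dir> <baseline.json>.
"""
import hashlib
import json
import os
import sys


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Digest one file in fixed-size chunks so large binaries are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, algo="sha256"):
    """Map every regular file under root (relative, forward-slash path) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps baselines diffable as text
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not content
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                baseline[rel] = hash_file(full, algo)
            except OSError as exc:  # locked system files: record, do not abort
                baseline[rel] = "UNREADABLE:%s" % exc.__class__.__name__
    return baseline


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def diff_baseline(old, new):
    """Return added, removed and modified relative paths between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def main(argv):
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print("usage: %s baseline|check <dir> <baseline.json>" % argv[0])
        return 2
    mode, root, store = argv[1:]
    if mode == "baseline":
        save_baseline(hash_tree(root), store)
        return 0
    report = diff_baseline(load_baseline(store), hash_tree(root))
    for kind in ("added", "removed", "modified"):
        for rel in report[kind]:
            print("%-8s %s" % (kind.upper(), rel))
    return 1 if any(report.values()) else 0  # non-zero exit flags a change


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the baseline file off the monitored host (or at least outside the hashed tree), since a Trojan with write access to the directory can just as easily rewrite a baseline stored next to it; and take the baseline from a known-clean image, because hashing an already-infected Windows directory only certifies the infection.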
Lab Environment

To carry out this lab, you need:

■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\Prc View
■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ Fsum Frontend, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A web browser to access the Internet
■ Administrative privileges to run the tools

Note (Autoruns, disabling and deleting entries): If you don't want an entry to be active the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns stores the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named AutorunsDisabled. Check a disabled item to re-enable it.

Lab Duration

Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The version and appearance of the client or host may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

1.
Go to the Windows Server 2012 virtual machine.

TASK 1: TCPView

2. Install TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.

3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address and Remote Port.
FIGURE 8.1: TCPView main window (the listing shows dns.exe, PID 1572, with its TCP listener on the domain port and a run of UDP sockets on the local host)

Note (Autoruns): Delete items that you do not wish to ever execute by choosing Delete in the Entry menu. Only the currently selected item will be deleted.

4. This tool performs port monitoring.
Note (Autoruns): If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.

FIGURE 8.2: TCPView main window (svchost.exe and System entries listening on ports such as epmap, microsoft-ds, netbios-ssn, http and https, and UDP sockets such as bootps, bootpc, isakmp, teredo, ipsec-msft and llmnr)

5. TCPView now shows the SMTP and other ports in use, together with the process that owns each socket.
Note (Autoruns): Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights.

Note (Autoruns): There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click on the entry or location's line in the display.

The State column distinguishes LISTENING sockets (no peer yet) from ESTABLISHED ones, whose Remote Address and Remote Port identify the other end of the connection; for a backdoor that is the operator's machine.
FIGURE 8.3: TCPView analyzing ports

You can also kill a process by double-clicking it and then clicking the End Process button in its Properties dialog. The figure shows the dialog for dns.exe, PID 1572 (Domain Name System (DNS) Server, Microsoft Corporation, path C:\Windows\System32\dns.exe). Ending the process closes its sockets for this session only; a Trojan with a startup entry returns at the next boot, which is what the Autoruns task that follows is for.

FIGURE 8.4: Killing Processes

TASK 2: Autoruns

Go to the Windows Server 2012 virtual machine. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns. It lists all processes, DLLs and services.
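The TCPView steps above, and the question at the end of the HTTP RAT lab about which ports that Trojan communicates on, come down to one check: which image owns each listening socket, and is it supposed to. The following Python script is an added example for this lab, not part of TCPView, Sysinternals, the HTTP RAT tool or the CEH manual. It parses the text that `netstat -ano -p tcp` prints on Windows (the command-line equivalent of the TCPView listing) plus a PID-to-image map of the kind `tasklist` gives, and flags any TCP listener whose owning image is not on the allow list for that port; it then lists the established peers of each flagged process. The allow-list policy is invented and must be tuned per host; the netstat text and PID map are constructed, not captured, and include a hypothetical httpserver.exe on port 80 and an svchost.exe on 7777, the out-of-the-norm port the earlier lab scenario mentions.

```python
"""Listening-port check in the spirit of the TCPView task.

Added example; not part of TCPView, Sysinternals, the HTTP RAT tool or the
CEH manual. Assumptions (this example's own): the EXPECTED_LISTENERS policy
is invented for illustration; SAMPLE_NETSTAT and SAMPLE_PIDS are constructed
in the layout of `netstat -ano -p tcp` and `tasklist` output.
"""
import re

# Proto  Local Address  Foreign Address  State  PID   (netstat -ano -p tcp layout)
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

# Port -> lower-case image names allowed to listen on it (assumed policy).
# HTTP.sys listeners belong to the System process (PID 4) on Windows.
EXPECTED_LISTENERS = {
    135: {"svchost.exe"},
    445: {"system"},
    80: {"system", "w3wp.exe"},
    3389: {"svchost.exe"},
}

# Constructed: the victim 10.0.0.12 from the HTTP RAT lab, with the operator
# host 10.0.0.13 connected to the backdoor's web interface on port 80.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2644
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.12:80           10.0.0.13:49771        ESTABLISHED     2644
  TCP    [::]:3389              [::]:0                 LISTENING       1016
"""
# Constructed tasklist-style map; PID 4 is always System on Windows.
SAMPLE_PIDS = {4: "System", 740: "svchost.exe", 2644: "httpserver.exe",
               3120: "svchost.exe", 1016: "svchost.exe"}


def parse_netstat(text):
    """Return one dict per TCP row; header lines and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            d = m.groupdict()
            d["lport"], d["pid"] = int(d["lport"]), int(d["pid"])
            rows.append(d)
    return rows


def unexpected_listeners(rows, pid_map, policy=EXPECTED_LISTENERS):
    """Listeners whose owning image is not allowed on that port.

    Returns (port, pid, image, reason) tuples sorted by port. A port that is
    absent from the policy is treated as "nothing should listen here", which
    is what catches a familiar image name such as svchost.exe on an odd port."""
    findings = []
    for r in rows:
        if r["state"].upper() != "LISTENING":
            continue
        image = pid_map.get(r["pid"], "<unknown>")
        allowed = policy.get(r["lport"])
        if allowed is None:
            reason = "no listener expected on this port"
        elif image.lower() not in allowed:
            reason = "expected %s" % ", ".join(sorted(allowed))
        else:
            continue
        findings.append((r["lport"], r["pid"], image, reason))
    return sorted(findings)


def peers_of(rows, pid):
    """Foreign endpoints a PID is connected to; for a backdoor, the operator."""
    return sorted({"%s:%s" % (r["faddr"], r["fport"]) for r in rows
                   if r["pid"] == pid and r["state"].upper() == "ESTABLISHED"})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for port, pid, image, reason in unexpected_listeners(rows, SAMPLE_PIDS):
        print("port %-5d pid %-5d %-16s %s" % (port, pid, image, reason))
        for peer in peers_of(rows, pid):
            print("      established with %s" % peer)
```

On a real host feed the script the saved output of `netstat -ano -p tcp` and `tasklist`, and build the policy from a clean machine of the same role first; an image name alone is not proof (a Trojan can be named svchost.exe), so confirm a hit with the full path and signature the way the TCPView Properties dialog shows them.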
