
Cehv8 Labs - Module06: Trojans and Backdoors.


Cehv8 labs
Module06: Trojans and Backdoors

Download here:
CCNAv5: ccna5vn.wordpress.com
CEHv8: cehv8vn.blogspot.com



  1. CEH Lab Manual: Trojans and Backdoors, Module 06
  2. Trojans and Backdoors
     Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review. Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Lab Scenario: According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications, which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud. According to cyber security experts, the banking Trojan known as Citadel, an advanced variant of Zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Hackers then use the stolen login IDs and passwords to access online accounts, take them over, and schedule fraudulent transactions. This Trojan was created specifically for financial fraud and is sold on the black market.
     You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.
     Lab Objectives: The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
       - Creating a server and testing a network for attack
       - Detecting Trojans and backdoors
       - Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
     Lab Environment: To carry out this lab, you need:
       - A computer running Windows Server 2008 as Guest-1 in a virtual machine
       - Windows 7 running as Guest-2 in a virtual machine
       - A web browser with Internet access
       - Administrative privileges to run tools
     CEH Lab Manual Page 425. Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Lab Duration: 40 Minutes
     Overview of Trojans and Backdoors: A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker gets access to the passwords stored on a computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.
     Task 1: Overview. Margin note: Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
     Recommended labs to assist you with Trojans and backdoors:
       - Creating a Server Using the ProRat Tool
       - Wrapping a Trojan Using One File EXE Maker
       - Proxy Server Trojan
       - HTTP Trojan
       - Remote Access Trojans Using Atelier Web Remote Commander
       - Detecting Trojans
       - Creating a Server Using Theef
       - Creating a Server Using Biodox
       - Creating a Server Using Mosucker
       - Hack Windows 7 Using Metasploit
     Lab Analysis: Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  4. Lab 1: Creating a Server Using the ProRat Tool
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Lab Scenario: As more and more people regularly use the Internet, cyber security is becoming more important for everyone, and yet many people are not aware of it. Hackers are using malware to steal personal information, financial data, and business information by infecting systems with viruses, worms, and Trojan horses. But Internet security is not only about protecting your machine from malware; hackers can also sniff your data, which means that they can listen to your communication with another machine. Other attacks include spoofing, mapping, and hijacking. Some hackers may take control of your machine and many others to conduct a denial-of-service attack against high-profile web servers such as banks and credit card gateways, which makes the target computers unavailable for normal business.
     You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
     Lab Objectives: The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
       - Creating a server and testing the network for attack
       - Detecting Trojans and backdoors
  5. Task 1: Create Server with ProRat
       - Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected (objectives, continued)
     Lab Environment: To carry this out, you need:
       - The ProRat tool, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
       - A computer running Windows Server 2012 as the host machine
       - A computer running Windows 8 (virtual machine)
       - Windows Server 2008 running in a virtual machine
       - A web browser with Internet access
       - Administrative privileges to run tools
     Lab Duration: 20 Minutes
     Overview of Trojans and Backdoors: A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.
     Lab Tasks:
       1. Launch the Windows 8 virtual machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
       2. Double-click ProRat.exe in the Windows 8 virtual machine.
       3. Click Create ProRat Server to start preparing to create a server.
  6. FIGURE 1.1: ProRat main window (buttons include File Manager, ShutDown PC, Create Downloader Server (2 Kbyte), Create CGI Victim List (16 Kbyte), and Help).
       4. The Create Server window appears.
     FIGURE 1.2: ProRat Create Server window. Notifications tab: ProConnective Notification (supports reverse connection; IP/DNS address), Mail Notification (doesn't support reverse connection; e-mail address), ICQ Pager Notification (doesn't support reverse connection; ICQ UIN), CGI Notification (doesn't support reverse connection; CGI URL).
     Margin note: Passwords button: retrieve passwords from many services, such as POP3 accounts, messengers, and so on.
       5. Click General Settings to change features such as Server Port, Server Password, Victim Name, and the port number you wish to connect over to the victim, or leave the settings at their defaults.
       6. Uncheck the highlighted options as shown in the following screenshot.
  7. FIGURE 1.3: ProRat Create Server, General Settings. Options shown: Disable Windows XP SP2 Security Center; Disable Windows XP Firewall; Clear Windows XP Restore Points; Send LAN notifications from a given address range; Hide Processes from All Task Managers [9x/2k/XP]; Hide Values from All Kinds of Registry Editors [9x/2k/XP]; Hide Names from Msconfig [9x/2k/XP]; UnTerminate Process [2k/XP].
     Margin note: Invisibility: now you can use Dynamic DNS to connect over DNS instead of IP, using a no-ip account registration.
       7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server.
       8. Check Bind server with a file, click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.
       9. Select the Girl.jpg file to bind with the server.
     Margin note: Clipboard: to read data from random access memory.
     FIGURE 1.4: ProRat binding with a file.
  8.  10. Select Girl.jpg in the window and then click Open to bind the file.
     Margin note: VNC Trojan: starts a VNC server daemon in the infected system.
     FIGURE 1.5: ProRat binding an image.
      11. Click OK after selecting the image for binding with the server. The pop-up reads "Server will bind with Girl.jpg".
     Margin note: File manager: to manage the victim's directories (add, delete, and so on).
     FIGURE 1.6: ProRat pop-up.
      12. In the Server Extensions settings, select EXE (has icon support) in the Select Server Extension options.
  9. Margin note: Give Damage: to format the entire system's files.
     Margin note: It connects to the victim using any VNC viewer with the password "secret."
     FIGURE 1.7: ProRat Server Extensions settings. Choices include EXE (has icon support) as well as COM and BAT (no icon support).
      13. In Server Icon, select any of the icons, and click the Create Server button at the bottom right of the ProRat window.
     FIGURE 1.8: ProRat creating a server.
      14. Click OK after the server has been prepared, as shown in the following screenshot.
 10. FIGURE 1.9: ProRat v1.9 message: "The binded server has been created with your settings in the current directory." Server size shown: 497 Kbyte.
      15. Now you can send the server file by mail or any other communication medium to the victim's machine as, for example, a celebration file to run.
     Margin note: SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (e.g. the game chess.exe). When executed, it turns a computer into an invisible web server.
     FIGURE 1.10: The created ProRat server (binder_server.exe) shown in Explorer.
      16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
      17. Double-click binder_server.exe as shown in the following screenshot.
 11. Margin note: ICMP Trojan: covert channels are methods in which an attacker can hide data in a protocol that is undetectable.
     FIGURE 1.11: ProRat folder on Windows Server 2008.
      18. Now switch to the Windows 8 virtual machine, enter the IP address of Windows Server 2008 and the port number (leave the default) in the ProRat main window, and click Connect.
      19. In this lab, the IP address of Windows Server 2008 is 10.0.0.13. Note: IP addresses might differ in classroom labs.
     FIGURE 1.12: ProRat connecting to the infected server.
      20. Enter the password you provided at the time of creating the server and click OK.
 12. FIGURE 1.13: ProRat connection window.
      21. Now you are connected to the victim machine. To test the connection, click PC Info and choose System Information as in the following figure.
     Margin note: Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.
     FIGURE 1.14: ProRat v1.9 connected [10.0.0.13]. Functions available: PC Info, Message, Chat, Funny Stuff, Applications, Windows, Admin-FTP, File Manager, Explorer, Search Files, Control Panel, Registry, Screen Shot, KeyLogger, Passwords, Run, Services, Online Editor, ProConnective. PC Info options: System Information, Mail Address in Registry, Last visited 25 web sites. Status line: "PC Information Received."
     Task 2: KeyLogger
      22. Now click KeyLogger to steal user passwords for the online system.
     FIGURE 1.15: ProRat KeyLogger launch.
 13. Margin note: This Trojan works like remote desktop access. The hacker gains complete GUI access to the remote system: infect the victim's computer with server.exe and plant a reverse-connecting Trojan; the Trojan connects from the victim's port out to the attacker, establishing a reverse connection; the attacker then has complete control over the victim's machine.
     Margin note: Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.
      23. The KeyLogger window will appear (buttons: Read Log, Delete Log, Save as, Clear Screen, Help; CharSet: DEFAULT_CHARSET).
     FIGURE 1.16: ProRat KeyLogger window.
      24. Now switch to the Windows Server 2008 machine, open a browser or Notepad, and type any text.
     FIGURE 1.17: Text typed in Windows Server 2008 Notepad (a greeting followed by a sample user name and password).
      25. While the victim is writing a message or entering a user name and password, you can capture the log entries.
      26. Now switch to the Windows 8 virtual machine and click Read Log from time to time to check for data updates from the victim machine.
 14. FIGURE 1.18: ProRat KeyLogger window ("KeyLog Received").
      27. Now you can use many of ProRat's features on the victim's machine.
     Note: ProRat KeyLogger will not read special characters.
     Lab Analysis: Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
     Questions:
       1. Create a server with advanced options such as Kill AV-FW on start, Disable Windows XP Firewall, etc., send it to the victim machine, connect to it, and verify whether you can communicate with the victim machine.
       2. Evaluate and examine various methods to connect to victims if they are in other cities or countries.
 15. Tool/Utility: ProRat. Information Collected / Objectives Achieved: Successful creation of the binded server.exe.
     Output, PC Information:
       Computer Name: WIN-EGBHISG14LO
       User Name: Administrator
       Windows Ver: Windows
       Language: English (United States)
       Windows Path: C:\Windows
       System Path: C:\Windows\system32
       Temp Path: C:\Users\ADMINI~1
       Product ID: (blank)
       Workgroup: NO
       Date: 9/23/2012
     Internet Connection Required: Yes
     Platform Supported: Classroom
 16. Lab 2: Wrapping a Trojan Using One File EXE Maker
     Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review. Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Lab Scenario: Sometimes an attacker makes a very secure backdoor, even safer than the normal way to get into a system. A normal user may use only one password to use the system, but a backdoor may need many authentications or SSH layers to let the attacker use the system. Usually it is harder to get into the victim system from installed backdoors compared with normal logging in. After getting control of the victim system, the attacker installs a backdoor on it to keep his or her access in the future. It is as easy as running a command on the victim machine. Another way the attacker can install a backdoor is by using ActiveX. Whenever a user visits a website, embedded ActiveX could run on the system. Most websites show a message about running ActiveX for voice chat, downloading applications, or verifying the user. In order to protect your system from attacks by Trojans, you need extensive knowledge of creating Trojans and backdoors and of protecting the system from attackers.
     You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
     Lab Objectives: The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
       - Wrapping a Trojan with a game in Windows Server 2008
       - Running the Trojan to access the game on the front end
 17. Task 1: OneFile EXE Maker
       - Analyzing the Trojan running in the back end (objectives, continued)
     Lab Environment: To carry out this lab, you need:
       - The OneFileEXEMaker tool, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
       - A computer running Windows Server 2012 (host)
       - Windows Server 2008 running in a virtual machine
       - If you decide to download the latest version, the screenshots shown in the lab might differ
       - Administrative privileges to run tools
     Lab Duration: 20 Minutes
     Overview of Trojans and Backdoors: A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Note: The versions of the created client or host and their appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
     Lab Tasks:
       1. Install OneFileEXEMaker on the Windows Server 2008 virtual machine.
     FIGURE 3.1: OneFile EXE Maker home screen. Title bar: Senna Spy One EXE Maker 2000 - 2.0a. Official website: http://sennaspy.tsx.org. Description: "Join many files and make a unique EXE file. This program allows joining all kinds of files: exe, dll, ocx, txt, jpg, bmp. Automatic OCX file register and Pack files support. Windows 9x, NT and 2000 compatible!" Columns: Short File Name, Parameters, Open Mode, Copy To, Action. Buttons: Add File, Delete, Save, Exit. Options: Command Line Parameters; Open Mode (Normal, Maximized, Minimized, Hide); Copy To (Windows, System, Temp, Root); Action (Open/Execute, Copy Only); Pack Files. Copyright (c) 1998-2000 by Senna Spy.
 18. Margin note: You can set various tool options, such as Open Mode, Copy To, and Action.
      2. Click the Add File button, browse to the CEH-Tools folder at Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris, and add the Lazaris.exe file.
     FIGURE 3.2: Adding the Lazaris game.
      3. Click Add File, browse to the CEH-Tools folder at Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans, and add the mcafee.exe file.
     FIGURE 3.3: Adding MCAFEE.EXE (proxy server).
      4. Select Mcafee and type 8080 in the Command Line Parameters field.
 19. FIGURE 3.4: Assigning port 8080 to MCAFEE (the entry reads MCAFEE.EXE, parameters 8080, Open Mode Hide, Copy To System, Action Open/Execute).
      5. Select Lazaris and check the Normal option in Open Mode.
     FIGURE 3.5: Setting the Lazaris open mode.
      6. Click Save, browse to the desktop, and save the file as Tetris.exe.
 20. FIGURE 3.6: Trojan created.
      7. Now double-click the Tetris.exe file to open it. This launches the Lazaris game on the front end; MCAFEE.EXE runs in the background.
     FIGURE 3.7: Lazaris game.
      8. Now open Task Manager and click the Processes tab to check whether McAfee is running.
 21. FIGURE 3.8: MCAFEE in Task Manager.
     Lab Analysis: Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
     Tool/Utility: EXE Maker. Information Collected / Objectives Achieved. Output: Using a backdoor, execute Tetris.exe.
     Questions:
       1. Use various other options in the Open Mode, Copy To, and Action sections of OneFileEXEMaker and analyze the results.
       2. How will you secure your computer from OneFileEXEMaker attacks?
 22. Internet Connection Required: No
     Platform Supported: Classroom, iLabs
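The icon and extension tricks in Lab 1 (ProRat's Bind with File, Server Extensions and Server Icon settings) and the wrapping in Lab 2 (OneFileEXEMaker joining Lazaris.exe and mcafee.exe into Tetris.exe) share one property a defender can check without running anything: the delivered file is a PE executable whatever it looks like, and a wrapper keeps the joined programs inside the outer file as additional PE images. The following Python script is an added example for this page, not code from the lab manual or from either tool. It constructs minimal stand-in byte strings (the `fake_pe` helper and the `SAMPLE_*` constants) in place of the real binaries, and the extension sets are assumptions chosen to match the lures used in the lab.

```python
"""Triage for disguised and wrapped Windows executables (added example).

Both ProRat's "Bind with File" option and OneFileEXEMaker deliver a PE
executable whatever name or icon it carries, and a binder keeps the joined
programs inside the outer file as extra PE images. This script recovers both
facts from the bytes alone: it walks every "MZ" occurrence and keeps those
whose e_lfanew field really points at a PE signature. The sample inputs
below are constructed stand-ins, not the lab's binaries.
"""
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
# Server extensions ProRat offers; Windows executes every one of them.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat"}
# Extensions a lure file pretends to be (Girl.jpg, a "celebration file", ...).
LURE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "pdf", "doc"}


def pe_signature_offset(data, mz_off):
    """Offset of the PE signature reached from the MZ header at mz_off, or None."""
    if data[mz_off:mz_off + 2] != MZ_MAGIC or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    # The DOS header is 0x40 bytes, so a real e_lfanew never points inside it.
    if e_lfanew < 0x40 or pe_off + len(PE_MAGIC) > len(data):
        return None
    return pe_off if data[pe_off:pe_off + len(PE_MAGIC)] == PE_MAGIC else None


def find_pe_images(data):
    """Offsets of every MZ header in data that leads to a valid PE signature."""
    offsets = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pe_signature_offset(data, pos) is not None:
            offsets.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return offsets


def classify(filename, data):
    """Verdict from content plus name: not-pe, carrier, wrapped, disguised or pe."""
    parts = filename.lower().split(".")
    last = parts[-1] if len(parts) > 1 else ""
    inner = set(parts[1:-1])              # extensions before the final one
    images = find_pe_images(data)
    if not images:
        return "not-pe"
    if images[0] != 0:
        return "carrier"                  # non-PE data with an executable inside it
    if len(images) > 1:
        return "wrapped"                  # binder/wrapper: more PE images after the stub
    if last not in EXEC_EXTS or inner & LURE_EXTS:
        return "disguised"                # PE content behind a lure or double extension
    return "pe"


def fake_pe(tag):
    """Constructed MZ/PE stand-in (headers only, not runnable), tagged so images differ."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    return bytes(hdr) + PE_MAGIC + tag.ljust(32, b"\0")


# Constructed samples mirroring the lab: a plain JPEG, a RAT server handed out
# as an image, and a wrapper stub carrying a game plus a proxy server.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\0" * 64
SAMPLE_RAT = fake_pe(b"rat-server")
SAMPLE_WRAPPED = fake_pe(b"wrapper-stub") + fake_pe(b"game") + fake_pe(b"proxy")

if __name__ == "__main__":
    for name, blob in [("Girl.jpg", SAMPLE_JPEG), ("Girl.jpg", SAMPLE_RAT),
                       ("binder_server.exe", SAMPLE_RAT), ("Tetris.exe", SAMPLE_WRAPPED)]:
        print(f"{name:20s} pe-images={find_pe_images(blob)} verdict={classify(name, blob)}")
```

Run it against real files with `classify(path.name, open(path, "rb").read())`. Installers and self-extracting archives also carry embedded PE images, so treat `wrapped` as a reason to look closer rather than a verdict on its own; `find_pe_images` gives the offsets at which to carve each image out for separate inspection.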
 23. Lab 3: Proxy Server Trojan
     Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review. Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.
     A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Lab Scenario: You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.
     Lab Objectives: The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
       - Starting the McAfee proxy
       - Accessing the Internet using the McAfee proxy
     Lab Environment: To carry out this lab, you need:
       - The McAfee Trojan, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
       - A computer running Windows Server 2012 (host)
       - Windows Server 2008 running in a virtual machine
       - If you decide to download the latest version, the screenshots shown in the lab might differ
       - A web browser to access the Internet
       - Administrative privileges to run tools
     Lab Duration: 20 Minutes
 24. Task 1: Proxy Server (McAfee)
     Overview of Trojans and Backdoors: A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
     Note: The versions of the created client or host and their appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
     Lab Tasks:
       1. In the Windows Server 2008 virtual machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types, right-click Proxy Server Trojans, and select CmdHere from the context menu.
     FIGURE 4.1: Windows Server 2008: CmdHere.
       2. Now type the command dir to check the folder contents.
     FIGURE 4.2: Directory listing of the Proxy Server folder.
       3. The following image lists the directories and files in the folder.
This process can be attained in any browser after setting the LAN settings for the respective browser.
FIGURE 4.3: Contents in Proxy Server folder
4. Type the command mcafee 8080 to run the service in Windows Server 2008.
FIGURE 4.4: Starting mcafee tool on port 8080
5. The service has started on port 8080.
6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet on port 8080.
7. In this lab, launch Chrome and select Settings as shown in the following figure.
FIGURE 4.5: Internet option of a browser in Windows Server 2012
8. Click the Show advanced settings link to view the Internet settings.
FIGURE 4.6: Advanced Settings of Chrome Browser
9. In Network Settings, click Change proxy settings.
FIGURE 4.7: Changing proxy settings of Chrome Browser
10. In the Internet Properties window, click LAN settings to configure proxy settings.
FIGURE 4.8: LAN Settings of a Chrome Browser
11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.
12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.
FIGURE 4.9: Proxy settings of LAN in Chrome Browser
13. Now access any web page in the browser (example: www.bbc.co.uk).
FIGURE 4.10: Accessing web page using proxy server
14. The web page will open.
15. Now go back to Windows Server 2008 and check the command prompt.
FIGURE 4.11: Background information on Proxy server
16. You can see that we have accessed the Internet using the proxy server Trojan.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan
Information Collected/Objectives Achieved:
  Output: Use the proxy server Trojan to access the Internet
  Accessed Webpage: www.bbc.co.uk

Questions
1. Determine whether the McAfee HTTP Proxy Server Trojan supports other ports apart from 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required: ☑ Yes
Platform Supported: ☑ Classroom
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

HTTP Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system to continuously steal various types of information from it, for example, a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's log. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
• Run HTTP Trojan on Windows Server 2008
• Access the Windows Server 2008 machine process list using the HTTP Proxy
• Kill running processes on the Windows Server 2008 Virtual Machine

Lab Environment
To carry out this, you need:
• HTTP RAT, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
• A computer running Windows Server 2008 (host)
• Windows 8 running in a Virtual Machine
• Windows Server 2008 in a Virtual Machine
• If you decide to download the latest version, then screenshots shown in the lab might differ
• You need a web browser to access the Internet
• Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK 1: HTTP RAT
1. Log in to the Windows 8 Virtual Machine, and open the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 5.1: Windows 8 Start menu
2. Click Services in the Start menu to launch Services.
Stopping the World Wide Web Publishing service is mandatory, as HTTP RAT runs on port 80.
FIGURE 5.2: Windows 8 Start menu Apps
3. Disable/Stop the World Wide Web Publishing Service.
FIGURE 5.3: Administrative Tools -> Services window
4. Right-click the World Wide Web Publishing service and select Properties to disable the service.
FIGURE 5.4: Disable/Stop World Wide Web Publishing Service (service name W3SVC, startup type Disabled, service status Stopped)
5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
The send notification option can be used to send the details to your mail ID.
FIGURE 5.5: HTTP RAT main window (server port: 80)
6. Disable the Send notification with ip address to mail option.
7. Click Create to create a httpserver.exe file.
FIGURE 5.6: Create backdoor
The created httpserver will be placed in the tool directory.
FIGURE 5.7: Backdoor server created successfully
8. The httpserver.exe file should be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
9. Double-click the file and click Run.
FIGURE 5.8: Running the Backdoor
10. Go to Task Manager and check if the process is running.
FIGURE 5.9: Backdoor running in task manager
11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 Machine).
FIGURE 5.10: Access the backdoor in Host web browser
12. Click running processes to list the processes running on the Windows 8 machine.
FIGURE 5.11: Process list of the victim computer
13. You can kill any running processes from here.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTP Trojan
Information Collected/Objectives Achieved:
  Successfully sent httpserver.exe to the victim machine
  Output: Killed Process
  System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe, firefox.exe

Questions
1. Determine the ports that the HTTP proxy server Trojan uses to communicate.

Internet Connection Required: ☐ Yes
Platform Supported: ☑ Classroom
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Remote Access Trojans Using Atelier Web Remote Commander

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of the users. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. Trojans and backdoors are types of bad-wares; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can even be a well-known port such as 80 or an out-of-the-norm port like 7777. Trojans are most of the time defaced and shown as legitimate and harmless applications to encourage the user to execute them.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
• Gain access to a remote computer
• Acquire sensitive information of the remote computer

Lab Environment
To carry out this, you need:
• Atelier Web Remote Commander, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander
TASK 1: Atelier Web Remote Commander
• A computer running Windows Server 2008 (host)
• Windows Server 2003 running in a Virtual Machine
• If you decide to download the latest version, then screenshots shown in the lab might differ
• You need a web browser to access the Internet
• Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.
2. To launch Atelier Web Remote Commander (AWRC), open the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 6.1: Windows Server 2012 Start-Desktop
3. Click AW Remote Commander Professional in the Start menu apps.
This tool is used to gain access to all the information of the remote system.
FIGURE 6.2: Windows Server 2012 Start Menu Apps
4. The main window of AWRC will appear as shown in the following screenshot.
FIGURE 6.3: Atelier Web Remote Commander main window
5. Input the IP address and Username/Password of the remote computer.
6. In this lab we have used Windows Server 2008 (10.0.0.13):
• User name: Administrator
• Password: qwerty@123
Note: The IP addresses and credentials might differ in your labs.
7. Click Connect to access the machine remotely.
FIGURE 6.4: Providing remote computer details
8. The following screenshots show that you will be accessing Windows Server 2008 remotely.
FIGURE 6.5: Remote computer accessed
9. The Commander is connected to the remote system. Click the Sys Info tab to view complete details of the Virtual Machine.
FIGURE 6.6: Information of the remote computer
10. Select the NetworkInfo tab, where you can view network information.
FIGURE 6.7: Information of the remote computer
11. Select the File System tab. Select c: from the drop-down list and click Get.
12. This tab lists the complete files of the C: drive of Windows Server 2008.
FIGURE 6.8: Information of the remote computer
13. Select Users and Groups, which will display the complete user details.
FIGURE 6.9: Information of the remote computer
FIGURE 6.10: Information of the remote computer
FIGURE 6.11: Information of the remote computer
14. This tool will display all the details of the remote system.
15. Analyze the results of the remote computer.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Atelier Web Remote Commander
Information Collected/Objectives Achieved:
  Remotely accessing Windows Server 2008
  Result:
  System information of remote Windows Server 2008
  Network Information of remote Windows Server 2008
  Viewing complete files of C: of remote Windows Server 2008
  User and Groups details of remote Windows Server 2008
  Password hashes

Questions
1. Evaluate the ports that AWRC uses to perform operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required: ☐ Yes
Platform Supported: ☑ Classroom
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Detecting Trojans

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan virus from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful viruses. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of virus is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, a concerned user is unaware of the possible effects until sensitive and important information is found missing from a system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks as well. The other name for backdoor Trojans is remote access Trojans. The main reason that backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org).
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
• Analyze using Port Monitor
• Analyze using Process Monitor
• Analyze using Registry Monitor
• Analyze using Startup Program Monitor
• Create MD5 hash files for Windows directory files
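The last objective, hashing the Windows directory so that later changes stand out, is what a file and folder integrity checker does. The script below is an added example, not the lab's Fsum Frontend tool: it builds a baseline of digests, writes them in the "digest *relative/path" layout that md5sum-style tools use, and on a rescan reports added, modified and removed files. The directory tree, file contents and the dropped httpserver.exe in demo() are constructed for the example; MD5 is used to match the lab, and the algorithm parameter lets you switch to SHA-256.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not the lab's own tool): a minimal file and folder integrity
# checker. Assumption: relative paths are stored POSIX-style ("system32/svchost.exe").

def hash_bytes(data, algorithm="md5"):
    """Digest of an in-memory byte string. MD5 matches the lab objective, but
    SHA-256 is the better choice for a real baseline because MD5 collisions are cheap."""
    return hashlib.new(algorithm, data).hexdigest()

def hash_file(path, algorithm="md5", chunk_size=1 << 16):
    """Stream a file through the digest so large binaries are not loaded into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algorithm="md5"):
    """Return {relative_path: digest} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def write_hash_file(baseline, out_path):
    """One 'digest *relative/path' line per file (md5sum/fsum binary-mode layout)."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel, digest in sorted(baseline.items()):
            f.write(f"{digest} *{rel}\n")

def read_hash_file(path):
    """Parse a hash file back into {relative_path: digest}; blank and # lines are skipped."""
    baseline = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\r\n")
            if not line or line.startswith("#"):
                continue
            digest, rel = line.split(" *", 1)
            baseline[rel] = digest.lower()
    return baseline

def compare(baseline, current):
    """Classify differences between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny fake Windows tree, then simulate a
    Trojan drop (new httpserver.exe), a patched binary, and a deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"
        (root / "system32").mkdir(parents=True)
        (root / "system32" / "svchost.exe").write_bytes(b"legit svchost")
        (root / "system32" / "drivers.cfg").write_bytes(b"cfg v1")
        (root / "notepad.exe").write_bytes(b"legit notepad")

        hash_path = Path(tmp) / "windows.md5"  # keep the hash file outside the tree
        write_hash_file(build_baseline(root), hash_path)

        # Later, the tree changes in the three ways a defender wants to see.
        (root / "system32" / "httpserver.exe").write_bytes(b"dropped backdoor")
        (root / "notepad.exe").write_bytes(b"legit notepad + injected code")
        (root / "system32" / "drivers.cfg").unlink()

        return compare(read_hash_file(hash_path), build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Store the hash file off the scanned volume (or sign it); a baseline that lives where the Trojan can write is no baseline at all.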
  47. 47. 3 Disabling and Deleting Entries If you don't want an entry to active the next time you boot or login you can either disable or delete it. To disable an entry unclicck it. Autoruns will store the startup infomiation in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders Autorniis creates a snbfoldet named Autoruns disabled. Check a disabled item to re-enable it Tl _ TASK 1 Tcpview Modu| e06—TrojansandBackdoors Lab Environment To carry out this, you need: Tcpview, located at D: CEH-TooIsCEHv8 Module 08 Trojans and BackdoorsPort Monitoring ToolsTCPView Autoruns. located at D: cEH-TooIsCEHv8 Module 06 Trojans and BackdoorsProcess Monitoring TooIsAutoruns PrcView, located at C: CEH-TooIsCEHv7 Module 06 Trojans and BackdoorsProcess Monitor ToolPrc View Jv16 power tool, located at D: cEH-TooIscEHv8 Module 06 Trojans and BackdoorsRegistry Monitoring TooIsjv16 Power Tools 2012 FsumFrontEnd. located at D: CEH-Tools¢El-lv8 Module 06 Trojans and BackdoorsFiIes and Folder Integrity CheclterFsum Frontend A computer running Window Server 2008 (host) Windows Server 2003 running in Virtual Machine If you decide to download the latest version, then screenshots shown in the lab might differ You need a web browser to access Internet Administrative privileges to run tools Lab Duration Time: 20 Minutes Overview of Trojans and Backdoors A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive. Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is same as shown in this lab. Lab Tasks 1. [Q L» Go to Windows Sewer 2012 Virtual iIachine. 
2. Install Tcpview from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.
Note: You should delete items that you do not wish to execute. Do so by choosing Delete in the Entry menu. Only the currently selected item is deleted.
FIGURE 8.1: Tcpview Main window
4. The tool performs port monitoring.
Note: If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.
FIGURE 8.2: Tcpview Main window
5. Now it is analyzing the SMTP and other ports.
Note: Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights.
Note: There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click on the entry or location's line in the display.

TASK 2: Autoruns

FIGURE 8.3: Tcpview analyzing ports
6. You can also kill the process by double-clicking that respective process, and then clicking the End Process button.
FIGURE 8.4: Processes
7. Go to Windows Server 2012 Virtual Machine.
8. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns.
9. It lists all processes, DLLs, and services.
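The port-monitoring task above (TASK 1) is done by eye in TCPView; the following added example, which is not part of the lab manual, shows the same check as code: it parses the text form of the same data (the column layout of 'netstat -ano'), keeps only listening sockets, and audits them against a baseline of which image should own each port. The netstat output, the PID-to-image map and the baseline are all constructed for the example.

```python
"""Port-monitor check in the spirit of TASK 1 (added example, not the lab's code).

TCPView shows process, protocol, local/remote address and port; 'netstat -ano'
prints the same data as text, which is easier to baseline. This parses such
output, keeps only listening sockets, and audits them against an expected
(protocol, port) -> image-name baseline. All sample data below is constructed.
"""
from typing import Dict, List, NamedTuple, Tuple


class Listener(NamedTuple):
    proto: str        # "TCP" or "UDP"
    local_port: int
    pid: int


# Constructed 'netstat -ano' output (Windows column layout, not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1084
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2184
  TCP    0.0.0.0:60123          0.0.0.0:0              LISTENING       3856
  TCP    10.0.0.5:49157         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:53             *:*                                    1084
  UDP    0.0.0.0:500            *:*                                    960
"""

# Constructed PID -> image name map, as 'tasklist' would give it (hypothetical).
SAMPLE_TASKLIST: Dict[int, str] = {
    1084: "dns.exe", 892: "svchost.exe", 4: "System",
    2184: "updater.exe", 3856: "updater.exe", 960: "svchost.exe",
}

# Baseline recorded on a known-clean host: which image should own each port.
EXPECTED_LISTENERS: Dict[Tuple[str, int], str] = {
    ("TCP", 53): "dns.exe", ("UDP", 53): "dns.exe",
    ("TCP", 135): "svchost.exe", ("TCP", 445): "System",
    ("TCP", 3389): "svchost.exe", ("UDP", 500): "svchost.exe",
}


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return listening sockets from 'netstat -ano' text (TCP LISTENING, all UDP)."""
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                      # banner, blank line or column header
        proto, local = fields[0], fields[1]
        if proto == "TCP":
            if len(fields) < 5 or fields[3] != "LISTENING":
                continue                  # established/wait sockets are not listeners
            pid = int(fields[4])
        else:
            if len(fields) < 4:
                continue                  # UDP rows have no State column
            pid = int(fields[3])
        # rsplit copes with IPv6 forms such as [::]:135
        port = int(local.rsplit(":", 1)[1])
        listeners.append(Listener(proto, port, pid))
    return listeners


def audit_listeners(listeners: List[Listener],
                    expected: Dict[Tuple[str, int], str],
                    pid_to_image: Dict[int, str]) -> List[Tuple[Listener, str, str]]:
    """Flag listeners that are not in the baseline or are owned by the wrong image."""
    findings = []
    for lst in listeners:
        image = pid_to_image.get(lst.pid, "<unknown>")
        key = (lst.proto, lst.local_port)
        if key not in expected:
            findings.append((lst, image, "port not in baseline"))
        elif expected[key] != image:
            findings.append((lst, image, f"expected owner {expected[key]}"))
    return findings


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for lst, image, reason in audit_listeners(found, EXPECTED_LISTENERS, SAMPLE_TASKLIST):
        print(f"{lst.proto} port {lst.local_port} pid {lst.pid} ({image}): {reason}")
```

The second kind of finding (a baseline port owned by an unexpected image) is the one a Trojan that replaces or hijacks a service produces, and it is invisible if you only compare port numbers.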
Note: You can view Explorer's Properties dialog for an entry's file by choosing Properties in the Entry menu. You can also have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.
FIGURE 8.5: Autoruns Main Window
10. The following is the detailed list on the Logon tab.
Note: Simply run Autoruns and it shows you the currently configured auto-start applications in the locations that most directly execute applications. Perform a new scan that reflects changes to options by refreshing the display.
Note: Internet Explorer: This entry shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.
FIGURE 8.9: Autoruns Logon list
11. The following are the Explorer list details.
Note: Services: All Windows services configured to start automatically when the system boots.
Note: Drivers: This displays all kernel-mode drivers registered on the system except those that are disabled.
FIGURE 8.10: Autoruns Explorer list
12. The following are the Services list details.
FIGURE 8.11: Autoruns Services list
13. The following are the Drivers list details.
Note: Scheduled Tasks: Task scheduler tasks configured to start at boot or logon.

TASK 4: jv16 Power Tool

FIGURE 8.12: Autoruns Drivers list
14. The following is the KnownDLLs list in Autoruns.
FIGURE 8.13: Autoruns KnownDLLs list
15. Install and launch jv16 PowerTools in Windows Server 2012 (host machine).
16. jv16 Power Tool is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.
17. To launch jv16 PowerTools, select the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 7.1: Windows Server 2012 Start-Desktop
18. Click jv16 PowerTools 2012 in Start menu apps.
Note: Winlogon Notifications: Shows DLLs that register for Winlogon notification of logon events.
FIGURE 7.2: Windows Server 2012 Start Menu Apps
19. Click the Clean and fix my computer icon.
Note: Winsock Providers: Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.
FIGURE 8.20: jv16 Home page.
20. The Clean and fix my computer dialog box appears. Click the Settings tab and then click the Start button.
Note: LSA Providers: Shows registered Local Security Authority (LSA) authentication, notification and security packages.
FIGURE 8.21: jv16 Clean and fix my computer dialogue.
21. It will analyze your system for files; this will take a few minutes.
Note: Printer Monitor Drivers: Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself.
FIGURE 8.22: jv16 Clean and fix my computer Analyzing.
22. Computer items will be listed after the complete analysis.
Note: You can save the results of a scan with File->Save and load a saved scan with File->Load. These commands work with native Autoruns file formats, but you can use File->Export to save a text-only version of the scan results. You can also automate the generation of native Autoruns export files with command line options.
FIGURE 8.24: jv16 Clean and fix my computer Items details
23. Selected item details are as follows.
Note: Sidebar: Displays Windows sidebar gadgets.
Note: Compare the current Autoruns display with previous results that you've saved. Select File | Compare and browse to the saved file. Autoruns will display in green any new items, which correspond to entries that are not present in the saved file. Note that it does not show deleted items.
FIGURE 8.13: jv16 Clean and fix my computer Items.
24. The Registry junk section provides details for selected items.
Note: If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access. Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights.
FIGURE 8.25: jv16 Clean and fix my computer Item registry junk
25. Select all check boxes in the item list and click Delete. A dialog box appears. Click Yes.
Note: If the Hide Empty Locations selection in the Options menu is checked, Autoruns doesn't show locations with no entries.
The dialog warns: "You are about to delete a lot of erroneous registry data. Using the Fix option is always the better option. Are you sure you know what you are doing and want to proceed?"
FIGURE 8.26: jv16 Clean and fix my computer Item check box.
26. Go to the Home tab, and click the Control which programs start automatically icon.
Note: The Verify Signatures option appears in the Options menu on systems that support image signature verification and causes Autoruns to query certificate revocation list (CRL) web sites to determine if image signatures are valid.
FIGURE 8.28: jv16 Control which programs start automatically.
27. Check programs in Startup manager, and then you can select the appropriate action.
Note: The Hide Microsoft Entries selection omits images that have been signed by Microsoft if Verify Signatures is selected, and omits images that have Microsoft in their resource's company name field if Verify Signatures is not selected.
FIGURE 8.29: jv16 Startup Manager Dialogue.
28. Click the Registry Tools menu to view registry icons.
Note: Use the Hide Microsoft Entries or Hide Windows Entries in the Options menu to help you identify items that have been added to a system since installation. Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that's trusted by the system.
FIGURE 8.30: jv16 Registry tools.
29. Click File Tools to view file icons.
Note: The Hide Windows Entries omits images signed by Windows if Verify Signatures is selected. If Verify Signatures is not selected, Hide Windows Entries omits images that have Microsoft in their resource's company name field and the image resides beneath the %SystemRoot% directory.
FIGURE 8.31: jv16 File tools.
30. Click System Tools to view system icons.
FIGURE 8.32: jv16 System tools.
31. Click Privacy tools to view privacy icons.
FIGURE 8.33: jv16 Privacy tools.
32. Click Backups in the menu to display the Backup Tool dialog box.
FIGURE 8.34: jv16 Backup tools
TASK 5: FsumFrontEnd

Note: CEH-Tools are also located on the mapped Network Drive (Z:) of the Virtual Machines.
33. Go to Windows Server 2012 Virtual Machine.
34. Double-click FsumFrontEnd.exe, the executable file located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend.
35. The Fsum Frontend main window is shown in the following screenshot.
FIGURE 8.35: FsumFrontEnd main window.
36. Select the type of hash that you want; let's say md5. Check the md5 check box.
FIGURE 8.36: FsumFrontEnd checking md5.
37. Select a file by clicking the File browse button from the desktop. That is Test.txt.
FIGURE 8.37: FsumFrontEnd file browse.
Note: Autoruns displays the text "(Not verified)" next to the company name of an image that either does not have a signature or has a signature that is not signed by a certificate root authority on the list of root authorities trusted by the system.
FIGURE 8.38: Fsum Front End file open.
38. Click Add Folder to select a folder to be added to the hash, for example, D:\CEH-Tools.
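TASK 5 uses FsumFrontEnd to create MD5 hash files for a directory (the last lab objective); the point of such a file is the later comparison. The following added example, not part of the lab or of FsumFrontEnd, does the whole cycle in Python: it records one MD5 per file in the 'hash *relative-path' line format that md5sum-style tools use, then re-hashes the tree and reports modified, missing and new files. The directory tree and its files are constructed in a temporary folder so the example runs anywhere.

```python
"""Directory integrity baseline in the spirit of TASK 5 (added example, not the
lab's or FsumFrontEnd's code). MD5 is used to match the lab; swapping hashlib.md5
for hashlib.sha256 is a one-line change when collision resistance matters.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 16  # hash files in 64 KiB pieces so large files need no memory


def md5_of_file(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative, POSIX-style path) to its MD5."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # hash real content only; a link can be pointed elsewhere
            result[p.relative_to(root).as_posix()] = md5_of_file(p)
    return result


def write_baseline(root: Path, baseline_file: Path) -> int:
    """Write 'hash *path' lines (md5sum binary-mode format); return the file count."""
    hashes = hash_tree(root)
    lines = [f"{digest} *{rel}" for rel, digest in sorted(hashes.items())]
    baseline_file.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return len(lines)


def read_baseline(baseline_file: Path) -> Dict[str, str]:
    hashes: Dict[str, str] = {}
    for line in baseline_file.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(" *", 1)
        hashes[rel] = digest.lower()
    return hashes


def verify_baseline(root: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """Compare the tree with the baseline: changed content, deleted and added files."""
    expected = read_baseline(baseline_file)
    actual = hash_tree(root)
    return {
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "missing": sorted(r for r in expected if r not in actual),
        "new": sorted(r for r in actual if r not in expected),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, make the three kinds of change, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "service.exe").write_bytes(b"original service binary")
        (root / "readme.txt").write_text("nothing to see here\n")
        baseline = Path(tmp) / "baseline.md5"
        write_baseline(root, baseline)
        # Changes an integrity check must catch: a replaced binary, an added
        # file, and a removed file (constructed, not real malware behaviour).
        (root / "bin" / "service.exe").write_bytes(b"patched service binary")
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new dll")
        (root / "readme.txt").unlink()
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline file somewhere the monitored host cannot write to; a baseline stored beside the files it covers can be regenerated by whatever modified them.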
