While the victim is writing a message or entering a user name and password, you can capture the log entry.

Module 06 - Trojans and Backdoors

[Figure: ProRat KeyLogger window. The log pane shows a captured entry timestamped 9/23/2012 11:55:28 PM containing the text the victim typed (a chat message, a username, an e-mail address and a password); buttons: Read Log, Delete Log, Save as, Clear Screen, Help; status line "KeyLog Received."]

FIGURE 1.18: ProRat KeyLogger window

27. Now you can use a lot of features from ProRat on the victim's machine.

Note: ProRat Keylogger will not read special characters.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Create a server with advanced options such as Kill AV-FW on start, disable Windows XP Firewall, etc., send it and connect it to the victim machine, and verify whether you can communicate with the victim machine.
2. Evaluate and examine various methods to connect to victims if they are in other cities or countries.

CEH Lab Manual Page 437

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Tool/Utility: ProRat Tool
Information Collected/Objectives Achieved: Successful creation of Blinded server.exe
Output: PC Information
  Computer Name: WIN-EGBHISG14LO
  User Name: Administrator
  Windows Ver:
  Windows Language: English (United States)
  Windows Path: c:\windows
  System Path: c:\windows\system32
  Temp Path: c:\Users\ADMINI~1\
  Product ID:
  Workgroup: NO
  Date: 9/23/2012

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Lab

Wrapping a Trojan Using One File EXE Maker
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review

Lab Scenario
Sometimes an attacker makes a very secure backdoor, even safer than the normal way to get into a system. A normal user may use only one password for using the system, but a backdoor may need many authentications or SSH layers to let attackers use the system. Usually it is harder to get into the victim system from installed backdoors compared with normal logging in. After getting control of the victim system, the attacker installs a backdoor on the victim system to keep his or her access in the future. It is as easy as running a command on the victim machine. Another way the attacker can install a backdoor is using ActiveX. Whenever a user visits a website, embedded ActiveX could run on the system. Most websites show a message about running ActiveX for voice chat, downloading applications, or verifying the user. In order to protect your system from attacks by Trojans, you need extensive knowledge on creating Trojans and backdoors and protecting the system from attackers.
You are a security administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, theft of valuable data from the network, and identity theft.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
■ Wrapping a Trojan with a game in Windows Server 2008
■ Running the Trojan to access the game on the front end
■ Analyzing the Trojan running in backend

Lab Environment
To carry out this lab, you need:
■ OneFileEXEMaker tool located at D:\CEH-Tools\CEHv8 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileExeMaker
■ A computer running Windows Server 2012 (host)
■ Windows Server 2008 running in virtual machine
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.
Note: The versions of the created client or host and appearance may differ from what is in the lab, but the actual process of connecting to the server and accessing the processes is the same as shown in this lab.
TASK 1: OneFile EXE Maker

Lab Tasks
1. Install OneFileEXEMaker on Windows Server 2008 Virtual Machine.

[Figure: Senna Spy One EXE Maker 2000 - 2.0a home screen. The banner describes the tool as joining many files (exe, dll, ocx, txt, jpg, bmp) into a unique EXE file, with automatic OCX file registration and packing support, Windows 9x, NT and 2000 compatible. The file list has columns Short File Name, Parameters, Open Mode, Copy To and Action; option groups are Open Mode (Normal, Maximized, Minimized, Hide), Copy To (Windows, System, Temp, Root), Action (Open/Execute, Copy Only), a "Pack Files?" checkbox and a Command Line Parameters field.]

FIGURE 3.1: OneFile EXE Maker Home screen


2. Click the Add File button and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Games\Tetris and add the Lazaris.exe file.

Note: You can set various tool options such as Open mode, Copy to, and Action.

[Figure: One EXE Maker window with LAZARIS.EXE added to the file list; Open Mode set to Hide, Copy To set to System, Action set to Open/Execute.]

FIGURE 3.2: Adding Lazaris game

3. Click Add File and browse to the CEH-Tools folder at the location Z:\CEHv8 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans and add the mcafee.exe file.
[Figure: One EXE Maker window with both LAZARIS.EXE and MCAFEE.EXE in the file list, each with Copy To set to System and Action set to Open/Execute; the selected entry has Open Mode set to Hide.]

FIGURE 3.3: Adding MCAFEE.EXE proxy server

4. Select Mcafee and type 8080 in the Command Line Parameters field.

[Figure: One EXE Maker window with MCAFEE.EXE selected and 8080 entered in the Command Line Parameters field; Open Mode Hide, Copy To System, Action Open/Execute.]

FIGURE 3.4: Assigning port 8080 to MCAFEE

5. Select Lazaris and check the Normal option in Open Mode.
[Figure: One EXE Maker file list showing LAZARIS.EXE with Open Mode Normal and MCAFEE.EXE with parameter 8080 and Open Mode Hide; both entries use Copy To System and Action Open/Execute.]

FIGURE 3.5: Setting Lazaris open mode

6. Click Save and browse to save the file on the desktop, and name the file Tetris.exe.

[Figure: Save As dialog over the One EXE Maker window, file type Executables (*.exe), saving the joined file to the desktop.]

FIGURE 3.6: Trojan created

Note: MCAFEE.EXE will run in background.

7. Now double-click to open the Tetris.exe file. This will launch the Lazaris game on the front end.

[Figure: Lazaris game window.]

FIGURE 3.7: Lazaris game

8. Now open Task Manager and click the Processes tab to check if McAfee is running.

[Figure: Windows Task Manager, Processes tab, with "Show processes from all users" enabled. The list includes LAZARIS.EXE and MCAFEE.EXE running under the Administrator account alongside the usual system processes (csrss.exe, dwm.exe, explorer.exe, lsass.exe, lsm.exe, msdtc.exe, services.exe, SLsvc.exe, smss.exe, spoolsv.exe, svchost.exe); status bar: Processes: 40, CPU Usage: 2%, Physical Memory: 43%.]

FIGURE 3.8: MCAFEE in Task manager
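As an added example (not part of the lab manual and not code from the One EXE Maker tool), the following Python script shows one way a defender can examine a file built by a binder like the one above: it parses the PE section table to find where the legitimate image ends, measures the overlay appended after it, and scans that overlay for additional MZ/PE headers. The build_pe helper is a constructed one-section PE stub used only so the sample runs offline; the assumption is that the binder appended the second program unpacked (with the tool's "Pack Files?" option the signature scan would miss it, but the oversized overlay would still stand out).

```python
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def pe_sig_offset(data):
    """Offset of the PE signature, or None when data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = _u32(data, 0x3C)
    return e_lfanew if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else None

def overlay_offset(data):
    """End of the last section's raw data; anything past it is the overlay."""
    pe = pe_sig_offset(data)
    if pe is None:
        return None
    nsect, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    table = pe + 24 + opt_size               # first section header
    end = table + 40 * nsect
    for hdr in range(table, table + 40 * nsect, 40):
        if hdr + 40 > len(data):
            break                            # truncated section table
        end = max(end, _u32(data, hdr + 20) + _u32(data, hdr + 16))
    return min(end, len(data))

def embedded_pe_offsets(data, start):
    """Positions at or after start that carry a well-formed MZ/PE header."""
    hits, pos = [], data.find(b"MZ", start)
    while pos != -1:
        if pe_sig_offset(data[pos:]) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def analyze(data):
    """Binder indicators: size of the overlay and extra PE headers inside it."""
    ov = overlay_offset(data)
    if ov is None:
        return {"is_pe": False}
    return {"is_pe": True, "overlay_size": len(data) - ov,
            "embedded_pe": embedded_pe_offsets(data, ov)}

def build_pe(payload):
    """Constructed one-section PE stub (not a runnable program) for the demo."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                        len(payload), 0x40 + 24 + 40, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + payload   # SizeOfOptionalHeader is 0 here
```

Running analyze(build_pe(b"GAME" * 8) + build_pe(b"PAYLOAD")) reports a 135-byte overlay with an embedded PE header at offset 160, while the unwrapped stub reports no overlay; on a real file pass open(path, "rb").read() to analyze.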

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: EXE Maker
Information Collected/Objectives Achieved: Output: Using a backdoor, execute Tetris.exe

Questions
1. Use various other options for the Open mode, Copy to, Action sections of OneFileEXEMaker and analyze the results.
2. How will you secure your computer from OneFileEXEMaker attacks?


Internet Connection Required: No
Platform Supported: Classroom, iLabs