Lab Manual -- Module 06: Trojans and Backdoors...2013/04/15  · Module 06: Trojans and Backdoors...


  • Module 06: Trojans and Backdoors

    Objective

    The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

    The objectives of the lab include:

    Creating a server and testing a network for attack

    Detecting Trojans and backdoors

    Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

    Scenario

    You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.

    Virtual Machines

    The following virtual machines are required for completion of this lab:

    1. 2008 Server (10.10.10.1)

    2. 2003 Server (10.10.10.61)

    3. NAT

    Exercise I: Creating a Trojan Server Using ProRat Tool

    Lab Scenario

    You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, data and identity theft.

    Lab Objectives

    The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

    The objectives of the lab include:

    Creating a server and testing the network for attack

    Detecting Trojans and backdoors

    Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

    1. Logon to Windows Server 2008

    Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right pane of the lab environment.

    2. Enter Credentials

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter:

    User Name: Administrator

    Password: Pa$$w0rd

    Lab Manual -- Module 06: Trojans and Backdoors https://labondemand.com/labprofile/manual/12670

    1 of 15 3/29/2013 8:42 PM

    3. Extract ProRatv19.zip

    Navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat folder.

    Right-click on the ProRatv19.zip file and select Extract Here option from the context menu.

    4. Extracted File

    You can see the extracted ProRat_v1.9 folder as shown in the figure below.

    5. Launch ProRat

    Double-click on ProRat.exe file in the E:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat\ProRat_v1.9 folder to launch ProRat Server.

    6. Create a Trojan Server

    Now, click on Create button at the bottom of the ProRat main window, and from the context menu select Create ProRat Server (342 Kbayt) option.

    7. Create Server Wizard

    Create Server wizard will open. Click on General Settings to change features such as Server Port, Server Password, Victim Name and the port number you wish to connect over to the victim.

    Uncheck all the options above the Invisiblity section as shown in the figure below.

    8. Bind Server

    Bind server with a file extension of your choice, such as .jpg, .txt etc., to make a hideout for the server file. Also, you can change icons to make the file more user friendly for the victim.

    Click Bind with File button in the Create Server wizard. Check the Bind server with a file option and click on Select File button to choose a file.

    9. Choosing a File

    Bind the Trojan server with a file by selecting an image or a file that you wish to appear on the victim's machine, once he/she clicks on the Trojan you have created.

    Choose any file from your desired location and click Open button.

    10. Confirm the Binding Prompt

    As soon as you click Open button, the Server will bind with Readme.txt (Binded File Name) prompt will appear; click OK.

    11. Server Binding Confirmation

    The server will be bound with the file you have selected in the last step.

    12. Select an Icon for Trojan Server

    Click on Server Icon option and select an icon that you want the victim to see.

    13. Create ProRat Server

    Click on Create Server button at the bottom of the window after choosing an Icon.

    Click OK button on the confirmation pop-up.

    14. Location of Binded Server

    The Binded Server is located in the same directory of ProRat.

    15. Switch to Windows Server 2003 Machine

    Switch to Windows Server 2003 machine from the Machines tab in the right pane of the lab environment.

    16. Logon to Windows Server 2003

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter:

    User Name: Administrator

    Password: Pa$$w0rd

    17. Launch Binded Server

    In Windows Server 2003 machine (10.10.10.61), navigate to Z:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat\ProRat_v1.9.

    Double click on binded_server.exe to run the Trojan server. As soon as you double-click on the file a Notepad file (the binded file) will open.

    18. Switch to Windows Server 2008

    Switch back to the Windows Server 2008 machine from the Machines tab.

    19. Enter the IP Address

    Enter the IP address for the victim's machine (Windows Server 2003 machine: 10.10.10.61) with the port you have provided in the Step 7 and click Connect button.

    20. Password Prompt

    It will prompt you with the password window. Enter the same password that you have provided at the time of server creation.

    After typing the password click OK button to connect with the victim's machine.

    21. Connected to Victim's Machine

    Now you are connected to the victim's machine (Windows Server 2003) and can access the victim machine remotely.

    22. Collect Victim's Computer Info

    Click PC Info button in the left pane of the ProRat window.

    It will show the complete System Information, Mail Address in Registry, Last Visited Websites of the Windows Server 2003 machine.

    23. KeyLogger Button

    Keylogger records all the keystrokes of the victim's machine.

    To check the keylogger feature, switch to the Windows Server 2003 machine, open a notepad and type any text.

    24. Switch to Windows Server 2008

    Switch back to the Windows Server 2008 machine and click on KeyLogger button to view the keystrokes typed on the victim machine (Windows Server 2003).

    25. Keylogger Window

    Keylogger Window appears, click on Read Log button to view key strokes.

    Lab Analysis

    In this lab you created a Trojan server using the ProRat tool.

    You have now:

    Created a Trojan server and tested a target machine for malware vulnerability

    Collected the PC information of the target machine

    Captured the key strokes of the target machine

    Exercise II: ICMP Backdoor

    Lab Scenario

    You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

    Lab Objectives

    The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

    The objectives of this lab include:

    Starting ICMP service in Windows Server 2003 (IP address: 10.10.10.61)

    Accessing the Windows Server 2003 (IP address: 10.10.10.61) machine using the ICMP Client

    Accessing and analysing the list of processes running on Windows Server 2003 (IP address: 10.10.10.61).

    1. Logon to Windows Server 2003

    Switch to Windows Server 2003 machine from Machines tab in the right pane of the lab environment.

    2. Enter Credentials

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter:

    User Name: Administrator

    Password: Pa$$w0rd

    3. Launch ICMP Backdoor

    Navigate to the Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types directory.

    Right-click on the ICMP Backdoor folder and select CMD Prompt Here to launch ICMP Backdoor in the command prompt.

    4. View Directory and File list

    To view directories and file list, type dir command in the command prompt and press Enter.

    5. Creating ICMP Service

    Type the command icmpsrv -install and press Enter to create the ICMP service.

    6. Service Started Successfully

    The service should have started successfully as shown in the figure below.

    7. Logon to Windows Server 2008

    Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right pane of the lab environment.

    8. Enter Credentials

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter:

    User Name: Administrator

    Password: Pa$$w0rd

    9. Access the server running on Windows Server 2003

    In Windows Server 2008 (10.10.10.1), navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types directory.

    Right-click on ICMP Backdoor folder and select CMD Prompt Here.

    10. Run Command icmpsend

    Run command icmpsend 10.10.10.61 to access the server running on Windows Server 2003 victim machine.

    11. Help Command

    Type command h for help in Windows Server 2008 (IP address: 10.10.10.1) command prompt.

    12. Process List

    To view the process list of Windows Server 2003 (10.10.10.61) machine from Windows Server 2008 (10.10.10.1) machine, type pslist command and press Enter.

    It will list out all the processes running in Windows Server 2003 (Victim Machine).

    Lab Analysis

    In this lab you have learnt how ICMP backdoors work, which will help you to detect Trojans and backdoors.

    You have now:

    Started ICMP service in Windows Server 2003 (IP address: 10.10.10.61)

    Accessed the Windows Server 2003 (IP address: 10.10.10.61) machine using the ICMP Client

    Accessed and analyzed the list of processes running on Windows Server 2003 (IP address: 10.10.10.61)
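On the detection side, ordinary ping traffic carries small, predictable payloads, so echo messages that carry anything else stand out on the wire. The following is an added example, not part of the lab manual or of the ICMP Backdoor tool: it parses ICMP messages and reports echo traffic whose payload does not look like a stock ping. The packets are constructed samples, and because the manual does not describe the tool's wire format, the text-carrying packets are an assumption about what such a channel looks like.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
MAX_BENIGN_LEN = 64   # assumption: larger echo payloads deserve a closer look


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo message; used only to construct the samples below."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def is_windows_ping(payload: bytes) -> bool:
    """Windows ping.exe fills the payload with 'a'..'w' repeated."""
    return all(b == 0x61 + i % 23 for i, b in enumerate(payload))


def is_unix_ping(payload: bytes) -> bool:
    """iputils ping: an 8- or 16-byte timestamp, then incrementing bytes."""
    for skip in (8, 16):
        tail = payload[skip:]
        if len(tail) >= 8 and all(b == (tail[0] + i) & 0xFF for i, b in enumerate(tail)):
            return True
    return False


def classify(message: bytes) -> list:
    """Return the reasons an ICMP message looks unlike ordinary ping traffic."""
    if len(message) < 8:
        return ["truncated ICMP header"]
    reasons = []
    if inet_checksum(message) != 0:          # a valid message sums to zero
        reasons.append("bad checksum")
    if message[0] not in (ECHO_REQUEST, ECHO_REPLY):
        return reasons                       # only echo traffic is examined
    payload = message[8:]
    if len(payload) > MAX_BENIGN_LEN:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    if payload and not (is_windows_ping(payload) or is_unix_ping(payload)):
        texty = sum(b in (9, 10, 13) or 32 <= b < 127 for b in payload)
        if texty / len(payload) > 0.9:
            reasons.append("payload is readable text")
        else:
            reasons.append("payload matches no known ping pattern")
    return reasons


# Constructed sample traffic (not captured from the lab machines).
SAMPLES = {
    "windows ping": build_echo(ECHO_REQUEST, 1, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    "linux ping": build_echo(ECHO_REQUEST, 2, 1, bytes(16) + bytes(range(16, 56))),
    "text in payload": build_echo(ECHO_REQUEST, 3, 1, b"pslist"),
    "text in reply": build_echo(
        ECHO_REPLY, 3, 1, b"System Idle Process\r\nSystem\r\nsmss.exe\r\n" * 3),
}


def scan(samples: dict) -> dict:
    """Classify every named sample message."""
    return {name: classify(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "ok")
```
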

    Exercise III: Wrapping a Trojan using One File EXE Maker

    Lab Scenario

    You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

    Lab Objectives

    The objective of this lab is to help students learn to detect Trojan and backdoor attacks.

    The objectives of the lab include:

    Wrapping a Trojan with a game in Windows Server 2003 (IP address: 10.10.10.61)

    Running the Trojan to access a game on the frontend

    Analysing the Trojan running in the backend

    1. Logon to Windows Server 2003

    Switch to Windows Server 2003 (10.10.10.61) machine from Machines tab in the right pane of the lab environment.

    2. Enter Credentials

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter.

    User Name: Administrator

    Password: Pa$$w0rd

    3. Install OneFileEXEMaker

    Navigate to Z:\CEHv7 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileEXEMaker directory.

    Double-click "setup.exe" and follow the wizard-driven installation steps to install the OneFileEXEMaker.

    Setup will ask you to install SennaSpy; click Yes button.

    4. Launch One EXE Maker 2002 2.0a

    To launch One EXE Maker 2002 2.0a, navigate to Start -> All Programs -> Senna Spy Tools -> One EXE Maker 2002 2.0a

    5. Add the Game File

    Click on Add File button and browse to Z:\CEHv7 Module 06 Trojans and Backdoors\Games\Tetris folder and select Lazaris.exe file. Click Open button to add the file.

    6. Add Trojan

    Click on Add File button and browse to the Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans folder and select mcafee.exe file.

    Click Open button to add the file.

    7. Command Line Parameters

    Select MCAFEE.EXE and type 8080 in the Command Line Parameters field.

    8. Normal Option for Lazaris.exe

    Now Select LAZARIS.EXE and choose Normal Option from the Open Mode.

    Click Save button.

    9. Saving the File

    Save as window appears, rename the file to Tetris.exe and click Save button to save the file on the Desktop.

    10. Run Tetris.exe

    Now double-click on Tetris.exe file on the desktop. This will launch the Lazaris game on the front end.

    11. Launch Task Manager

    Right-click on Task bar and select Task Manager to launch Task Manager. In the Task Manager window select Processes tab to check whether MCAFEE.EXE process is running.

    Lab Analysis

    In this lab you have wrapped a Trojan in a harmless game file using One File EXE Maker.

    You have now:

    Wrapped a Trojan with a game in Windows Server 2003 (IP address 10.10.10.61)

    Run the Trojan to access the game on Front end

    Analyzed the Trojan running in the backend

    Exercise IV: Proxy Server Trojan

    Lab Scenario

    You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

    Lab Objectives

    The objective of this lab is to help students learn how the Proxy Trojans work.

    The objectives of this lab include:

    Starting Mcafee Proxy

    Accessing Internet using Mcafee Proxy

    1. Logon to Windows Server 2003

    Switch to Windows Server 2003 (10.10.10.61) machine from Machines tab in the right pane of the lab environment.

    2. Enter Credentials

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter.

    User Name: Administrator

    Password: Pa$$w0rd

    3. Launch Proxy Server Trojan in the Command Prompt

    Navigate to Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types and right-click on Proxy Server Trojans folder and select Command Prompt Here from the context menu.

    4. View Directories and Files

    Type dir command and press Enter in command prompt to view the files and directories.

    5. Run mcafee 8080 command

    Type mcafee 8080 command and press Enter to run the mcafee service on the Windows Server 2003 (IP address: 10.10.10.61).

    6. Switch to Windows Server 2008 Machine

    Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right pane of the window.

    7. Logon to Windows Server 2008

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter.

    User Name: Administrator

    Password: Pa$$w0rd

    8. Launch Firefox

    To launch Firefox double-click on Firefox icon on the desktop or navigate to Start --> All Programs --> Mozilla Firefox --> Mozilla Firefox.

    9. Configure Proxy Settings from Firefox Options

    Go to Tools from the menu bar and select Options.

    10. Advanced Options of Firefox

    In Options window, click on Advanced option and go to the Network tab.

    11. Connection Settings

    In the Network tab, click on Settings to view Connection Settings wizard.

    12. Configure Proxy Settings

    Select Manual proxy configuration option

    Set the HTTP Proxy IP to 10.10.10.61 (Windows Server 2003 machine's IP) and Port: to 8080.

    Select the options as shown in the screenshot below.

    Click OK to Apply the changes.

    Click OK button on the Options window.

    13. Access Website

    Now in the address bar of the Firefox, type http://locahost/cars and press Enter.

    14. Switch Back to Windows Server 2003

    Now Switch back to Windows Server 2003 (10.10.10.61) machine and check in the command prompt where you have launched Proxy Server Trojan.

    Lab Analysis

    In this lab you learnt how a proxy Trojan works.

    You have now:

    Started Mcafee Proxy

    Accessed Internet (here a local site) using Mcafee Proxy

    Exercise V: HTTP Trojan

    Lab Scenario

    You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

    Lab Objectives

    The objective of this lab is to help students learn how HTTP Trojans work.

    The objectives of the lab include:

    To run HTTP Trojan on Windows Server 2003 (IP address: 10.10.10.61)

    Access the Windows Server 2003 (IP address: 10.10.10.61) machine process list using the HTTP Proxy

    Kill Running process on Windows Server 2003 (IP address: 10.10.10.61) machine

    1. Logon to Windows Server 2008

    Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right pane of the window.

    2. Enter Credentials

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter.

    User Name: Administrator

    Password: Pa$$w0rd

    3. Launch HTTP RAT

    Navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

    Double-click on httprat.exe file to launch HTTP RAT trojan.

    4. Uncheck Send Notification Option

    Uncheck Send Notification with IP address to mail option from the main window of HTTP RAT.

    5. Create Server

    Click Create button to create a httpserver.exe file. Click OK on done! pop-up.

    6. Note the Location of httpserver.exe

    The httpserver.exe file should be created in the folder E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

    7. Switch to Windows Server 2003

    Switch to Windows Server 2003 (10.10.10.61) machine from Machines tab in the right pane of the window.

    8. Logon to Windows Server 2003

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter.

    User Name: Administrator

    Password: Pa$$w0rd

    9. Launch Services

    To launch Services, navigate to Start -> Administrative Tools -> Services.

    10. Disable/Stop World Wide Web Publishing

    Disable/Stop World Wide Web Publishing Services, Right click on WWW Publishing Service --> Properties.

    11. WWW Publishing Service Properties

    In WWW Publishing Service Properties wizard select Disabled from Startup Type dropdown list and click on Stop button to stop the service.

    Click Apply and OK button to apply the settings.

    12. WWW Publishing Service

    Now you can see in the Services window that the WWW Publishing Service has been Disabled.

    13. Run httpserver.exe

    Navigate to the folder Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

    Double-click on httpserver.exe file and then click Run button on Open File - Security Warning to run httpserver.exe.

    14. Launch Task Manager

    Launch Task Manager and check in the Processes tab that the httpserver.exe is running.

    15. Switch back to Windows Server 2008

    Switch back to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right pane of the window.

    16. Launch Firefox

    To launch Firefox, double-click the Mozilla Firefox icon on the Desktop or navigate to Start -> All Programs -> Mozilla Firefox -> Mozilla Firefox.

    17. Access Windows Server 2003

    In the address bar of the browser, type 10.10.10.61 (IP address of the Windows Server 2003 machine) and press Enter to access the Windows Server 2003 (10.10.10.61) machine.

    18. Running Processes

    Click on running processes to list down the processes running on Windows Server 2003 (IP address: 10.10.10.61) machine.

    19. Computer Info

    Click on computer info to see the Windows Server 2003 (IP address: 10.10.10.61) machine information.

    Lab Analysis

    In this lab you learnt how the HTTP Trojans work.

    You have now:

    Run HTTP Trojan on Windows Server 2003 (IP address: 10.10.10.61)

    Accessed the Windows Server 2003 (IP address: 10.10.10.61) machine process list using the HTTP Proxy

    Killed Running process on Windows Server 2003 (IP address: 10.10.10.61) machine
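Exercises III to V check for the Trojan by looking for its name in Task Manager, but a name such as mcafee.exe is chosen to look trustworthy, and httpserver.exe takes over a port (80) that is normally open on a web server. The following added example (not part of the lab manual) joins `netstat -ano` and `tasklist /fo csv` output on PID and compares each listening port's owner with a baseline. The command output and the baseline are constructed for illustration, and the baseline owners are assumptions about a clean Windows Server 2003 host.

```python
import csv
import io

# Constructed `netstat -ano` output for the Windows Server 2003 lab machine.
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2784
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    10.10.10.61:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.61:3389       10.10.10.1:49213       ESTABLISHED     1532
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv` output taken at the same moment.
TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","708","Console","0","3,456 K"
"svchost.exe","1532","Console","0","4,812 K"
"httpserver.exe","2784","Console","0","1,920 K"
"mcafee.exe","3120","Console","0","1,104 K"
'''

# Assumed baseline for this host: listening port -> image expected to own it.
BASELINE = {80: "system", 135: "svchost.exe", 139: "system",
            445: "system", 3389: "svchost.exe"}


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def parse_listeners(text):
    """Yield (port, pid) for every TCP socket in the LISTENING state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield int(f[1].rsplit(":", 1)[1]), int(f[4])


def audit(netstat, tasklist, baseline):
    """Return (port, image, reason) for every listener that breaks the baseline."""
    images = parse_tasklist(tasklist)
    findings = []
    for port, pid in sorted(set(parse_listeners(netstat))):
        # A listener whose PID is absent from tasklist is itself a finding.
        image = images.get(pid, "<no process for PID %d>" % pid)
        expected = baseline.get(port)
        if expected is None:
            findings.append((port, image, "port not in baseline"))
        elif image.lower() != expected:
            findings.append((port, image, "expected %s" % expected))
    return findings


if __name__ == "__main__":
    for finding in audit(NETSTAT, TASKLIST, BASELINE):
        print("%5d  %-28s %s" % finding)
```

A port-only scan would treat port 80 as normal here; the finding comes from the owning process differing from the baseline.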

    Exercise VI: Remote Access Trojans Using Atelier Web Remote Commander

    Lab Scenario

    You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

    Lab Objectives

    The objective of this lab is to help students learn how Remote Access Trojans work.

    The objectives of this lab include:

    Gaining access to a Remote Computer

    Acquiring sensitive information from the Remote Computer

    1. Switch to Windows Server 2003

    Switch to Windows Server 2003 (10.10.10.61) machine from Machines tab in the right pane of the window.

    2. Logon to Windows Server 2003

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter.

    User Name: Administrator

    Password: Pa$$w0rd

    3. Create a User

    To create a user, navigate to Start -> Administrative Tools -> Computer Management.

    4. Local Users and Groups

    In Computer Management, expand Local Users and Groups and select Users option.

    5. Create User

    Right-click in the Users list pane at the right-side of the window and select New User option.

    6. New User

    In New User wizard enter Username and Password as ceh, select Password Never Expires and click Create button to create a new user account.

    7. New User Created

    Now check with the Computer Management window for the newly created user.

    8. Assign Administrator Privilege to the ceh User - 1

    Right-click on the ceh user and select Properties from the context menu.

    9. Assign Administrator Privilege to the ceh User - 2

    In ceh Properties wizard select Member Of tab and click Add button to make this account member of Administrators group.

    10. Assign Administrator Privilege to the ceh User - 3

    In the Select Groups wizard type Administrators in Enter the object names to select field and click OK button.

    11. Assign Administrator Privilege to the ceh User - 4

    Click Apply and then OK button to apply the settings to the user account.

    12. Switch to Windows Server 2008

    Switch to Windows Server 2008 (10.10.10.1) machine from Machines tab in the right pane of the window.

    13. Logon to Windows Server 2008

    Go to Machine Commands and click Ctrl+Alt+Del.

    In the log on box enter the following credentials and press Enter.

    User Name: Administrator

    Password: Pa$$w0rd

    14. Install Atelier Web Remote Commander

    To install Atelier Web Remote Commander, navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander.

    Double-click setup.exe and follow the wizard-driven installation steps to install the Atelier Web Remote Commander.

    15. Launch Atelier Web Remote Commander

    To launch Atelier Web Remote Commander, navigate to Start -> All Programs -> Atelier Web -> AW Remote Commander 7.51 -> Atelier Web Remote Commander.

    16. Accessing Remotely

    Enter the IP address of Windows Server 2003 (10.10.10.61) in the Remote Host field and Username and Password as ceh in the respective fields. Click Connect button.

    17. Windows Server 2003 Machine in AW Remote Commander

    Now you can view the Windows Server 2003 machine (10.10.10.61) in Atelier Web Remote Commander.

    18. Sys Info Tab

    Click on Sys Info tab to view system information of Windows Server 2003 machine.

    19. NetworkInfo Path

    Go to NetworkInfo tab to see the shared folders information.

    20. File System tab

    Go to the File System tab, select c:\ from dropdown and click Get button to extract directories in the C: drive of the Windows Server 2003 machine.

    21. Users and Groups

    Go to Users and Groups tab, select Users to view the list of Users, and click Groups to view Groups in Windows Server 2003 machine.

    22. Groups tab

    Groups Tab displays complete group details of Windows Server 2003.

    Lab Analysis

    In this lab you learnt how to access a remote machine using Atelier Web Remote Commander.

    You have now:

    Gained access to a Remote Computer

    Acquired sensitive information of a Remote Computer
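The remote access in this exercise depends on a freshly created local account (ceh) being placed in the Administrators group, and that sequence is visible in the Security event log when account-management auditing is enabled. The following added example (not part of the lab manual) correlates account-creation events (ID 624 on Windows Server 2003, 4720 on Windows Server 2008 and later) with local group membership additions (636 / 4732) by SID. The records are constructed in a simplified pipe-separated layout, not a real export format, and the 30-minute window is an assumption.

```python
from datetime import datetime, timedelta

# Account-management event IDs: Windows Server 2003 / Windows Server 2008+.
USER_CREATED = {624, 4720}
ADDED_TO_LOCAL_GROUP = {636, 4732}
PRIVILEGED_GROUPS = {"administrators"}
WINDOW = timedelta(minutes=30)   # assumption: tune to local provisioning practice

# Constructed, simplified records (not a real event-log export format):
# time | event id | actor | target SID | target name | group
EVENTS = """\
2013-03-29 20:10:02|624|Administrator|S-1-5-21-1111-2222-3333-1013|ceh|
2013-03-29 20:11:40|636|Administrator|S-1-5-21-1111-2222-3333-1013|-|Administrators
2013-03-29 20:30:00|636|Administrator|S-1-5-21-1111-2222-3333-1009|-|Remote Desktop Users
2013-03-29 21:05:00|636|Administrator|S-1-5-21-1111-2222-3333-1004|-|Administrators
"""


def parse(text):
    """Yield one dict per record in the simplified layout above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        when, eid, actor, sid, name, group = line.split("|")
        yield {"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
               "id": int(eid), "actor": actor, "sid": sid,
               "name": name, "group": group}


def find_new_admins(events):
    """Return (severity, account, seconds_since_creation, actor) tuples.

    HIGH:   account created and added to a privileged group within WINDOW.
    MEDIUM: any other addition to a privileged group.
    Group-add events usually carry only the member SID, so the account name
    is taken from the matching creation event when there is one.
    """
    created = {}          # SID -> creation event
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in USER_CREATED:
            created[ev["sid"]] = ev
        elif (ev["id"] in ADDED_TO_LOCAL_GROUP
              and ev["group"].lower() in PRIVILEGED_GROUPS):
            born = created.get(ev["sid"])
            if born and ev["time"] - born["time"] <= WINDOW:
                age = int((ev["time"] - born["time"]).total_seconds())
                findings.append(("HIGH", born["name"], age, ev["actor"]))
            else:
                findings.append(("MEDIUM", ev["sid"], None, ev["actor"]))
    return findings


if __name__ == "__main__":
    for finding in find_new_admins(parse(EVENTS)):
        print(finding)
```
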
