Module 06: Trojans and Backdoors

Objective
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
Creating a server and testing a network for attack
Detecting Trojans and backdoors
Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, the theft of valuable data from the network, and identity theft.

Virtual Machines
The following virtual machines are required for completion of this lab:
1. 2008 Server (10.10.10.1)
2. 2003 Server (10.10.10.61)
3. NAT

Exercise I: Creating a Trojan Server Using ProRat Tool

Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, data and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
Creating a server and testing the network for attack
Detecting Trojans and backdoors
Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected

1. Logon to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the lab environment.

2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd
Lab Manual -- Module 06: Trojans and Backdoors
https://labondemand.com/labprofile/manual/12670
1 of 15 3/29/2013 8:42 PM
3. Extract ProRatv19.zip
Navigate to the E:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat folder.
Right-click on the ProRatv19.zip file and select the Extract Here option from the context menu.

4. Extracted File
You can see the extracted ProRat_v1.9 folder as shown in the figure below.

5. Launch ProRat
Double-click on the ProRat.exe file in the E:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat\ProRat_v1.9 folder to launch ProRat.

6. Create a Trojan Server
Now, click on the Create button at the bottom of the ProRat main window, and from the context menu select the Create ProRat Server (342 Kbayt) option.

7. Create Server Wizard
The Create Server wizard will open. Click on General Settings to set features such as the Server Port (the port the server will listen on and that you will connect to), the Server Password and the Victim Name.
Uncheck all the options above the Invisibility section as shown in the figure below.

8. Bind Server
Bind the server with a file of your choice, such as a .jpg or .txt, to disguise the server file. You can also change the icon to make the file look more innocuous to the victim.
Click the Bind with File button in the Create Server wizard. Check the Bind server with a file option and click the Select File button to choose a file.

9. Choosing a File
Bind the Trojan server with an image or other file that you want to appear on the victim's machine once he/she opens the Trojan you have created.
Choose any file from your desired location and click the Open button.

10. Confirm the Binding Prompt
As soon as you click the Open button, a "Server will bind with Readme.txt (Binded File Name)" prompt will appear. Click OK.

11. Server Binding Confirmation
The server is now bound with the file you selected in the previous step.

12. Select an Icon for the Trojan Server
Click on the Server Icon option and select the icon that you want the victim to see.

13. Create ProRat Server
Click on the Create Server button at the bottom of the window after choosing an icon.
Click the OK button on the confirmation pop-up.
14. Location of the Bound Server
The bound server (binded_server.exe) is located in the same directory as ProRat.

15. Switch to Windows Server 2003 Machine
Switch to the Windows Server 2003 machine from the Machines tab in the right pane of the lab environment.

16. Logon to Windows Server 2003
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd

17. Launch the Bound Server
In the Windows Server 2003 machine (10.10.10.61), navigate to Z:\CEHv7 Module 06 Trojans and Backdoors\Miscellaneous Trojans\ProRat\ProRat_v1.9.
Double-click on binded_server.exe to run the Trojan server. As soon as you double-click on the file, a Notepad window (the bound file) will open while the server starts in the background.

18. Switch to Windows Server 2008
Switch back to the Windows Server 2008 machine from the Machines tab.

19. Enter the IP Address
In ProRat, enter the IP address of the victim's machine (Windows Server 2003 machine: 10.10.10.61) and the port you set in Step 7, and click the Connect button.

20. Password Prompt
It will prompt you with the password window. Enter the same password that you provided at the time of server creation.
After typing the password, click the OK button to connect to the victim's machine.

21. Connected to Victim's Machine
Now you are connected to the victim's machine (Windows Server 2003) and can access it remotely.

22. Collect Victim's Computer Info
Click the PC Info button in the left pane of the ProRat window.
It will show the complete System Information, Mail Address in Registry and Last Visited Websites of the Windows Server 2003 machine.

23. KeyLogger Button
The keylogger records all the keystrokes typed on the victim's machine.
To check the keylogger feature, switch to the Windows Server 2003 machine, open Notepad and type any text.

24. Switch to Windows Server 2008
Switch back to the Windows Server 2008 machine and click on the KeyLogger button to view the keystrokes typed on the victim machine (Windows Server 2003).

25. Keylogger Window
The Keylogger window appears; click on the Read Log button to view the keystrokes.

Lab Analysis
In this lab you created a Trojan server using the ProRat tool. Because ProRat is a direct-connect RAT, the server listens on the port chosen in Step 7 and shows up as a LISTENING TCP socket in netstat -ano on the victim; that listener, not the decoy Notepad file, is what to look for when detecting it.
You have now:
Created a Trojan server and tested a target machine for malware vulnerability
Collected the PC information of the target machine
Captured the keystrokes of the target machine
Exercise II: ICMP Backdoor

Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of this lab include:
Starting the ICMP service on Windows Server 2003 (IP address: 10.10.10.61)
Accessing the Windows Server 2003 (IP address: 10.10.10.61) machine using the ICMP client
Accessing and analysing the list of processes running on Windows Server 2003 (IP address: 10.10.10.61)

1. Logon to Windows Server 2003
Switch to the Windows Server 2003 machine from the Machines tab in the right pane of the lab environment.

2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd

3. Launch ICMP Backdoor
Navigate to the Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types directory.
Right-click on the ICMP Backdoor folder and select CMD Prompt Here to open a command prompt in the ICMP Backdoor folder.

4. View Directory and File List
To view the directories and files, type the dir command in the command prompt and press Enter.

5. Creating the ICMP Service
Type the command icmpsrv -install and press Enter to create the ICMP service.

6. Service Started Successfully
The service should have started successfully as shown in the figure below.

7. Logon to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the lab environment.

8. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd

9. Access the Server Running on Windows Server 2003
In Windows Server 2008 (10.10.10.1), navigate to the E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types directory.
Right-click on the ICMP Backdoor folder and select CMD Prompt Here.

10. Run the icmpsend Command
Run the command icmpsend 10.10.10.61 to access the server running on the Windows Server 2003 victim machine.

11. Help Command
Type the command h for help in the Windows Server 2008 (IP address: 10.10.10.1) command prompt.

12. Process List
To view the process list of the Windows Server 2003 (10.10.10.61) machine from the Windows Server 2008 (10.10.10.1) machine, type the pslist command and press Enter.
It will list all the processes running on Windows Server 2003 (the victim machine).

Lab Analysis
In this lab you have learnt how ICMP backdoors work; this will help you to detect Trojans and backdoors. Note that the backdoor carries its commands and results inside ICMP echo packets, so it opens no TCP or UDP listening port, does not appear in netstat output, and passes any host firewall that allows ping. Detection therefore has to look at the ICMP traffic itself, or at the icmpsrv service that step 5 installed.
You have now:
Started the ICMP service on Windows Server 2003 (IP address: 10.10.10.61)
Accessed the Windows Server 2003 (IP address: 10.10.10.61) machine using the ICMP client
Accessed and analysed the list of processes running on Windows Server 2003 (IP address: 10.10.10.61)
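The ICMP channel used by icmpsrv/icmpsend has no listening port, so the only network-side trace is the content of the echo packets. The following is an added example, not part of the lab manual or of the ICMP Backdoor tool: it parses raw ICMP messages, verifies the RFC 1071 checksum, and flags echo request/reply payloads that differ from the fixed 32-byte pattern Windows ping sends. The packets are constructed inline; the "pslist" request and the process-list reply are an assumed stand-in for the backdoor's traffic, not its real wire format.

```python
"""Flag ICMP echo traffic that carries something other than a normal ping payload.

Added example, not part of the CEH lab manual. The sample packets are constructed
here; the "pslist" payload is an assumed stand-in for the backdoor's real format.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Payload that Windows ping.exe sends by default (32 bytes, repeating alphabet).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message with a correct checksum (used for the sample packets)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into header fields and payload; verify the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload": msg[8:],
        # Summing the whole message including its checksum field yields 0 when intact.
        "checksum_ok": icmp_checksum(msg) == 0,
    }


def classify_echo(pkt: dict) -> str:
    """Return a short verdict for one parsed ICMP packet."""
    if pkt["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "ignore"              # not echo traffic; out of scope here
    if not pkt["checksum_ok"]:
        return "bad-checksum"
    payload = pkt["payload"]
    if payload == WINDOWS_PING_PAYLOAD:
        return "normal-ping"
    # Anything else is unusual. Mostly-printable text (commands, command output)
    # inside an echo payload is a strong hint of a tunnelled command channel.
    textlike = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and textlike / len(payload) > 0.9:
        return "suspicious-text-payload"
    return "suspicious-payload"


def scan(messages) -> list:
    """Classify every message; returns [(index, verdict), ...] for non-normal echo traffic."""
    findings = []
    for i, msg in enumerate(messages):
        verdict = classify_echo(parse_icmp(msg))
        if verdict not in ("normal-ping", "ignore"):
            findings.append((i, verdict))
    return findings


# Constructed sample traffic: a normal ping pair, an assumed backdoor exchange,
# and a corrupted copy of the normal ping (last payload byte changed, old checksum kept).
SAMPLE_MESSAGES = [
    build_icmp(ICMP_ECHO_REQUEST, 0x0001, 1, WINDOWS_PING_PAYLOAD),
    build_icmp(ICMP_ECHO_REPLY, 0x0001, 1, WINDOWS_PING_PAYLOAD),
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 7, b"pslist\r\n"),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 7,
               b"Name                Pid\r\nSystem                4\r\nlsass.exe          580\r\n"),
    build_icmp(ICMP_ECHO_REQUEST, 0x0001, 2, WINDOWS_PING_PAYLOAD)[:-1] + b"X",
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_MESSAGES):
        print(f"packet {idx}: {verdict}")
```

Run as a script it prints the three flagged packets. To apply it to a real capture, feed it the ICMP layer of each IP packet (the bytes after the IP header); the exact-match test against the Windows ping payload is deliberately strict, so pings from other operating systems need their own patterns added before the text heuristic is trusted.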
Exercise III: Wrapping a Trojan using One File EXE Maker

Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks.
The objectives of the lab include:
Wrapping a Trojan with a game on Windows Server 2003 (IP address: 10.10.10.61)
Running the Trojan to access a game on the front end
Analysing the Trojan running in the back end

1. Logon to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the lab environment.

2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd

3. Install OneFileEXEMaker
Navigate to the Z:\CEHv7 Module 06 Trojans and Backdoors\Wrapper Covert Programs\OneFileEXEMaker directory.
Double-click "setup.exe" and follow the wizard-driven installation steps to install OneFileEXEMaker.
Setup will ask you to install SennaSpy; click the Yes button.

4. Launch One EXE Maker 2002 2.0a
To launch One EXE Maker 2002 2.0a, navigate to Start -> All Programs -> Senna Spy Tools -> One EXE Maker 2002 2.0a.

5. Add the Game File
Click on the Add File button, browse to the Z:\CEHv7 Module 06 Trojans and Backdoors\Games\Tetris folder and select the Lazaris.exe file. Click the Open button to add the file.

6. Add the Trojan
Click on the Add File button, browse to the Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\Proxy Server Trojans folder and select the mcafee.exe file.
Click the Open button to add the file.

7. Command Line Parameters
Select MCAFEE.EXE and type 8080 in the Command Line Parameters field. This is the port the proxy Trojan listens on; Exercise IV starts it the same way from the command line.

8. Normal Option for Lazaris.exe
Now select LAZARIS.EXE and choose the Normal option from the Open Mode.
Click the Save button.

9. Saving the File
The Save As window appears; rename the file to Tetris.exe and click the Save button to save the file on the Desktop.

10. Run Tetris.exe
Now double-click on the Tetris.exe file on the desktop. This will launch the Lazaris game on the front end.

11. Launch Task Manager
Right-click on the Task bar and select Task Manager to launch Task Manager. In the Task Manager window select the Processes tab to check whether the MCAFEE.EXE process is running.

Lab Analysis
In this lab you have wrapped a Trojan in a harmless game file using One File EXE Maker. The wrapper runs both embedded programs, so the victim sees only the game while the Trojan appears as a separate process (MCAFEE.EXE) in Task Manager; the wrapped file itself still contains both executables.
You have now:
Wrapped a Trojan with a game on Windows Server 2003 (IP address 10.10.10.61)
Run the Trojan to access the game on the front end
Analysed the Trojan running in the back end
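Both ProRat's "Bind with File" (Exercise I) and One File EXE Maker (this exercise) produce one file that carries more than one executable. An added example, not part of the lab manual or of either tool: a scanner that walks every "MZ" occurrence in a file, follows the e_lfanew pointer at offset 0x3C and accepts it only when it lands on a "PE\0\0" signature inside the file, so a second valid PE header after the first marks an embedded or appended payload. The "executables" below are constructed minimal stubs (a DOS header plus a PE signature), not real programs, and the carrier/payload names are assumed.

```python
"""Find executables glued together by a binder or wrapper.

Added example, not part of the CEH lab manual. The sample files are constructed
stubs that only look like PE files; the names Lazaris.exe/mcafee.exe are assumed.
"""
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C


def make_stub_pe(name: bytes, body_size: int = 0x200) -> bytes:
    """Constructed minimal PE-looking file: DOS header -> PE signature -> zero padding."""
    e_lfanew = 0x80                                # NT headers start at 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = DOS_MAGIC
    dos[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = struct.pack("<I", e_lfanew)
    # Real files have a DOS stub program here; a name string stands in for it.
    dos[0x40:0x40 + len(name)] = name
    nt = PE_MAGIC + b"\x4c\x01"                    # Machine = 0x014c (i386) as in IMAGE_FILE_HEADER
    body = bytes(dos) + nt
    return body + b"\x00" * (body_size - len(body))


def find_pe_headers(data: bytes) -> list:
    """Return offsets of every MZ header whose e_lfanew points at a PE signature."""
    hits = []
    pos = data.find(DOS_MAGIC)
    while pos != -1:
        if pos + E_LFANEW_OFFSET + 4 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)
            pe_off = pos + e_lfanew
            # e_lfanew is relative to the MZ header. Bound it so a random "MZ" in
            # data with a huge value cannot be mistaken for a header, and require
            # the PE signature at the target.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_MAGIC:
                hits.append(pos)
        pos = data.find(DOS_MAGIC, pos + 1)
    return hits


def bound_payloads(data: bytes) -> list:
    """Offsets of PE headers other than the first, i.e. the embedded/appended files."""
    return find_pe_headers(data)[1:]


# Constructed samples: a clean carrier, and a binder output (carrier + appended payload).
CLEAN_GAME = make_stub_pe(b"Lazaris.exe (assumed carrier)")
PAYLOAD = make_stub_pe(b"mcafee.exe (assumed payload)")
BINDER_OUTPUT = CLEAN_GAME + b"\x00" * 16 + PAYLOAD   # 16 bytes stand in for the wrapper's own data

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GAME), ("bound", BINDER_OUTPUT)):
        print(label, "embedded PE headers at:", [hex(o) for o in bound_payloads(blob)])
```

This catches the plain concatenation that simple binders use. A wrapper that compresses or encrypts its payload hides the second header; for those, compare the file's size against the end of its last section (the overlay) and look at the runtime behaviour, which is what step 11's Task Manager check does.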
Exercise IV: Proxy Server Trojan

Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

Lab Objectives
The objective of this lab is to help students learn how proxy Trojans work.
The objectives of this lab include:
Starting the Mcafee proxy
Accessing the Internet using the Mcafee proxy

1. Logon to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the lab environment.

2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd

3. Launch the Proxy Server Trojan in the Command Prompt
Navigate to Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types, right-click on the Proxy Server Trojans folder and select Command Prompt Here from the context menu.

4. View Directories and Files
Type the dir command and press Enter in the command prompt to view the files and directories.

5. Run the mcafee 8080 Command
Type the mcafee 8080 command and press Enter to run the mcafee proxy on Windows Server 2003 (IP address: 10.10.10.61), listening on port 8080.

6. Switch to Windows Server 2008 Machine
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.

7. Logon to Windows Server 2008
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd

8. Launch Firefox
To launch Firefox, double-click on the Firefox icon on the desktop or navigate to Start --> All Programs --> Mozilla Firefox --> Mozilla Firefox.

9. Configure Proxy Settings from Firefox Options
Go to Tools from the menu bar and select Options.

10. Advanced Options of Firefox
In the Options window, click on the Advanced option and go to the Network tab.

11. Connection Settings
In the Network tab, click on Settings to view the Connection Settings dialog.

12. Configure Proxy Settings
Select the Manual proxy configuration option.
Set the HTTP Proxy IP to 10.10.10.61 (the Windows Server 2003 machine's IP) and Port: to 8080.
Select the options as shown in the screenshot below. Make sure localhost is not listed in the No Proxy for field (Firefox adds localhost and 127.0.0.1 there by default); if it is, the request in the next step goes directly to the local machine and never reaches the proxy.
Click OK to apply the changes.
Click the OK button on the Options window.

13. Access Website
Now in the address bar of Firefox, type http://localhost/cars and press Enter. Because the browser hands the full URL to the proxy, the name localhost is resolved by the proxy host (10.10.10.61), not by Windows Server 2008.

14. Switch Back to Windows Server 2003
Now switch back to the Windows Server 2003 (10.10.10.61) machine and check the command prompt where you launched the Proxy Server Trojan to see the request that was relayed through it.

Lab Analysis
In this lab you learnt how a proxy Trojan works: once running, it lets anyone who can reach port 8080 make HTTP requests that appear to originate from the victim.
You have now:
Started the Mcafee proxy
Accessed the Internet (here a local site) using the Mcafee proxy
Exercise V: HTTP Trojan

Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

Lab Objectives
The objective of this lab is to help students learn how HTTP Trojans work.
The objectives of the lab include:
Running the HTTP Trojan on Windows Server 2003 (IP address: 10.10.10.61)
Accessing the Windows Server 2003 (IP address: 10.10.10.61) machine's process list through the HTTP RAT's web interface
Killing a running process on the Windows Server 2003 (IP address: 10.10.10.61) machine

1. Logon to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.

2. Enter Credentials
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd

3. Launch HTTP RAT
Navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
Double-click on the httprat.exe file to launch the HTTP RAT Trojan.

4. Uncheck the Send Notification Option
Uncheck the Send Notification with IP address to mail option in the main window of HTTP RAT.

5. Create Server
Click the Create button to create the httpserver.exe file. Click OK on the done! pop-up.

6. Note the Location of httpserver.exe
The httpserver.exe file is created in the folder E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.

7. Switch to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the window.

8. Logon to Windows Server 2003
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd

9. Launch Services
To launch Services, navigate to Start -> Administrative Tools -> Services.

10. Disable/Stop World Wide Web Publishing
Disable and stop the World Wide Web Publishing Service so that TCP port 80 is free for the HTTP RAT's built-in web server: right-click on World Wide Web Publishing Service --> Properties.

11. WWW Publishing Service Properties
In the World Wide Web Publishing Service Properties dialog, select Disabled from the Startup type drop-down list and click on the Stop button to stop the service.
Click Apply and then OK to apply the settings.

12. WWW Publishing Service
Now you can see in the Services window that the World Wide Web Publishing Service has been disabled.

13. Run httpserver.exe
Navigate to the folder Z:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\HTTP HTTPS Trojans\HTTP RAT TROJAN.
Double-click on the httpserver.exe file and then click the Run button on the Open File - Security Warning dialog to run httpserver.exe.

14. Launch Task Manager
Launch Task Manager and check in the Processes tab that httpserver.exe is running.

15. Switch back to Windows Server 2008
Switch back to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.

16. Launch Firefox
To launch Firefox, double-click the Mozilla Firefox icon on the Desktop or navigate to Start -> All Programs -> Mozilla Firefox -> Mozilla Firefox.

17. Access Windows Server 2003
In the address bar of the browser, type 10.10.10.61 (the IP address of the Windows Server 2003 machine) and press Enter to reach the HTTP RAT running on the Windows Server 2003 (10.10.10.61) machine.

18. Running Processes
Click on running processes to list the processes running on the Windows Server 2003 (IP address: 10.10.10.61) machine.

19. Computer Info
Click on computer info to see the Windows Server 2003 (IP address: 10.10.10.61) machine's information.

Lab Analysis
In this lab you learnt how HTTP Trojans work: the RAT is an unauthenticated web server on port 80, so its traffic looks like ordinary HTTP, and the tell-tale sign on the host is that port 80 is owned by httpserver.exe instead of IIS.
You have now:
Run the HTTP Trojan on Windows Server 2003 (IP address: 10.10.10.61)
Accessed the Windows Server 2003 (IP address: 10.10.10.61) machine's process list through the HTTP RAT's web interface
Killed a running process on the Windows Server 2003 (IP address: 10.10.10.61) machine
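Each of the Trojans in Exercises I, IV and V opens a TCP listener on the victim (ProRat on the port set in its General Settings, mcafee.exe on 8080, httpserver.exe on 80 once IIS is stopped). An added example, not part of the lab manual or of any of these tools: a script that parses the output of "netstat -ano" and "tasklist /fo csv" captured on the victim, joins them on PID, and reports listeners that are not in a baseline as well as baseline ports owned by the wrong image (on Windows Server 2003 IIS serves port 80 from http.sys inside the System process, PID 4, so port 80 owned by httpserver.exe is a finding even though the port itself is expected). The two captures are constructed samples, and the ProRat port 5110 is an assumed value.

```python
"""Diff Windows listening sockets against a baseline of (port, owning image).

Added example, not part of the CEH lab manual. NETSTAT_SAMPLE and TASKLIST_SAMPLE
are constructed captures; port 5110 for ProRat is an assumed value.
"""
import csv
import io
import re

# Expected listeners on the Windows Server 2003 victim: port -> allowed image names.
BASELINE = {
    80: {"System"},        # IIS on 2003 serves HTTP from http.sys in the System process
    135: {"svchost.exe"},
    445: {"System"},
    3389: {"svchost.exe"},
}

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2212
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       1880
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2048
  TCP    10.10.10.61:8080       10.10.10.1:1217        ESTABLISHED     2048
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","744","Console","0","4,912 K"
"svchost.exe","1032","Console","0","3,120 K"
"binded_server.exe","1880","Console","0","2,044 K"
"mcafee.exe","2048","Console","0","1,772 K"
"httpserver.exe","2212","Console","0","1,560 K"
"""

# One TCP LISTENING row of "netstat -ano": proto, local addr:port, foreign, state, pid.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")


def parse_tasklist(text: str) -> dict:
    """PID -> image name from 'tasklist /fo csv' output."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in rows}


def parse_listeners(text: str) -> list:
    """(port, pid) for every TCP LISTENING line of 'netstat -ano' output."""
    out = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            out.append((int(m.group("port")), int(m.group("pid"))))
    return out


def audit(netstat_text: str, tasklist_text: str, baseline: dict = BASELINE) -> list:
    """Return (port, image, reason) for every listener that violates the baseline."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in sorted(parse_listeners(netstat_text)):
        image = images.get(pid, f"<pid {pid} not in tasklist>")
        if port not in baseline:
            findings.append((port, image, "unexpected listening port"))
        elif image not in baseline[port]:
            findings.append((port, image, "expected port owned by unexpected image"))
    return findings


if __name__ == "__main__":
    for port, image, reason in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"TCP {port:<5} {image:<20} {reason}")
```

Capture the two inputs on the suspect host with "netstat -ano > netstat.txt" and "tasklist /fo csv > tasklist.csv" and read them into audit(). The baseline here is deliberately small; build the real one from a known-clean image of the same role. Note that this check would not see the ICMP backdoor of Exercise II at all, since it never listens on a port.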
Exercise VI: Remote Access Trojans Using Atelier Web Remote Commander

Lab Scenario
You are a Security Administrator of your company, and your job responsibilities include protecting the network from Trojans, backdoors, Trojan attacks, data and identity theft.

Lab Objectives
The objective of this lab is to help students learn how Remote Access Trojans work.
The objectives of this lab include:
Gaining access to a remote computer
Acquiring sensitive information from the remote computer

1. Switch to Windows Server 2003
Switch to the Windows Server 2003 (10.10.10.61) machine from the Machines tab in the right pane of the window.

2. Logon to Windows Server 2003
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd

3. Create a User
To create a user, navigate to Start -> Administrative Tools -> Computer Management.

4. Local Users and Groups
In Computer Management, expand Local Users and Groups and select the Users option.

5. Create User
Right-click in the Users list pane on the right side of the window and select the New User option.

6. New User
In the New User dialog enter ceh as both the User name and the Password, select Password never expires and click the Create button to create the new user account.

7. New User Created
Now check the Computer Management window for the newly created user.

8. Assign Administrator Privilege to the ceh User - 1
Right-click on the ceh user and select Properties from the context menu.

9. Assign Administrator Privilege to the ceh User - 2
In the ceh Properties dialog select the Member Of tab and click the Add button to make this account a member of the Administrators group.

10. Assign Administrator Privilege to the ceh User - 3
In the Select Groups dialog type Administrators in the Enter the object names to select field and click the OK button.

11. Assign Administrator Privilege to the ceh User - 4
Click Apply and then OK to apply the settings to the user account.

12. Switch to Windows Server 2008
Switch to the Windows Server 2008 (10.10.10.1) machine from the Machines tab in the right pane of the window.

13. Logon to Windows Server 2008
Go to Machine Commands and click Ctrl+Alt+Del.
In the log on box enter the following credentials and press Enter.
User Name: Administrator
Password: Pa$$w0rd

14. Install Atelier Web Remote Commander
To install Atelier Web Remote Commander, navigate to E:\CEHv7 Module 06 Trojans and Backdoors\Trojans Types\Remote Access Trojans (RAT)\Atelier Web Remote Commander.
Double-click setup.exe and follow the wizard-driven installation steps to install Atelier Web Remote Commander.

15. Launch Atelier Web Remote Commander
To launch Atelier Web Remote Commander, navigate to Start -> All Programs -> Atelier Web -> AW Remote Commander 7.51 -> Atelier Web Remote Commander.

16. Accessing Remotely
Enter the IP address of Windows Server 2003 (10.10.10.61) in the Remote Host field and ceh as both the Username and the Password in the respective fields. Click the Connect button.

17. Windows Server 2003 Machine in AW Remote Commander
Now you can view the Windows Server 2003 machine (10.10.10.61) in Atelier Web Remote Commander.

18. Sys Info Tab
Click on the Sys Info tab to view the system information of the Windows Server 2003 machine.

19. NetworkInfo Tab
Go to the NetworkInfo tab to see the shared folder information.

20. File System Tab
Go to the File System tab, select c:\ from the drop-down and click the Get button to list the directories on the C: drive of the Windows Server 2003 machine.

21. Users and Groups
Go to the Users and Groups tab, select Users to view the list of users, and click Groups to view the groups on the Windows Server 2003 machine.

22. Groups Tab
The Groups tab displays the complete group details of Windows Server 2003.

Lab Analysis
In this lab you learnt how to access a remote machine using Atelier Web Remote Commander. Unlike the servers in the earlier exercises, nothing was installed on the target: the tool logs on with the administrative account created in steps 3 to 11, so the thing to detect is the new local administrator (and the remote logon with it), not a listening implant.
You have now:
Gained access to a remote computer
Acquired sensitive information from a remote computer
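The durable trace of steps 3 to 11 is in the target's Security event log: on Windows Server 2008 an account creation is event 4720 and a member added to a security-enabled local group is 4732; Windows Server 2003 records the same two actions as events 624 and 636. An added example, not part of the lab manual or of Atelier Web Remote Commander: a correlation that pairs each "account created" event with a later "added to a privileged local group" event for the same account inside a time window, which is exactly the ceh preparation above. The input is a constructed, normalised CSV export (time, event id, subject, target account, group); real exports from Event Viewer or wevtutil need their own parser to produce those five columns.

```python
"""Correlate 'account created' with 'added to a privileged local group'.

Added example, not part of the CEH lab manual. SAMPLE_EXPORT is a constructed,
normalised export; the host name WIN2003 and the other account names are assumed.
"""
import csv
import io
from datetime import datetime, timedelta

USER_CREATED = {4720, 624}               # 2008+: 4720, Windows Server 2003: 624
LOCAL_GROUP_MEMBER_ADDED = {4732, 636}   # 2008+: 4732, Windows Server 2003: 636
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}

SAMPLE_EXPORT = """\
time,event_id,subject,target,group
2013-03-29 20:30:11,4624,WIN2003\\Administrator,,
2013-03-29 20:31:02,4720,WIN2003\\Administrator,WIN2003\\ceh,
2013-03-29 20:31:40,4732,WIN2003\\Administrator,WIN2003\\ceh,Administrators
2013-03-29 20:35:05,4732,WIN2003\\Administrator,WIN2003\\backupsvc,Backup Operators
2013-03-29 20:40:00,4720,WIN2003\\Administrator,WIN2003\\intern,
2013-03-30 09:12:13,4732,WIN2003\\Administrator,WIN2003\\intern,Administrators
"""


def parse_export(text: str) -> list:
    """Rows of the normalised export as dicts with a datetime and an int event id."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(r["event_id"]),
            "subject": r["subject"],
            "target": r["target"],
            "group": r["group"],
        })
    return rows


def find_new_privileged_accounts(rows: list, window: timedelta = timedelta(hours=1)) -> list:
    """(account, group, created_at, elevated_at) for accounts created and elevated within 'window'.

    Events are processed in time order and only the most recent creation of a name is
    remembered, so an old group-add event cannot pair with a later re-creation."""
    created = {}   # account -> time of its latest creation event seen so far
    hits = []
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["event_id"] in USER_CREATED:
            created[r["target"]] = r["time"]
        elif r["event_id"] in LOCAL_GROUP_MEMBER_ADDED and r["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(r["target"])
            if t0 is not None and timedelta(0) <= r["time"] - t0 <= window:
                hits.append((r["target"], r["group"], t0, r["time"]))
    return hits


if __name__ == "__main__":
    for acct, grp, t0, t1 in find_new_privileged_accounts(parse_export(SAMPLE_EXPORT)):
        print(f"{acct}: created {t0:%H:%M:%S}, added to {grp} at {t1:%H:%M:%S} "
              f"({int((t1 - t0).total_seconds())} s later)")
```

With the default one-hour window only ceh is reported; backupsvc was never created in the log and intern was elevated the next morning. Widening the window trades noise for coverage, so pair it with the Password never expires flag from step 6 (visible in the account's properties or the 4720/624 event's attribute list) when triaging. The "logon with that account from another host" that follows in step 16 is event 4624 (2003: 528/540) with logon type 3; adding it as a third stage is a natural extension.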