Remote Control and Advanced Techniques
Remote Control Software
• What do they do?
  • Connect through dial-in and/or TCP/IP.
  • Replicate the remote screen on the local machine (graphical).
  • Allow running graphical or text-based applications on the remote machine, displaying the results on the local machine.
• A variety of applications, most with a free demo download.
• pcAnywhere is one of the pioneers and very popular.
• VNC is also very popular because it is cross-platform and free.
• Discovering and connecting to remote control software
  • Use Nmap or SuperScan to search for ports 22, 799, 800, 1494, 2000, 2001, 5631, 5632, 5800, 5801, 5900, 5901, 43188, 65301.
  • Once the software is identified, download the free demo and try brute force.
• Major weakness: only the password is encrypted; the session traffic itself is merely compressed.
• Countermeasures: strong passwords (again), encrypt the traffic (SSL, SSH, etc.), limit and log login attempts, change the default listening port. For dial-in: log the user off when the call completes.
Advanced Techniques
• Adding to what we have seen before:
• Trojans: we have seen that BO, NetBus and SubSeven are the most common Trojan/backdoor hacker tools.
• TCP/IP ports: official assignments for Internet services. Different from protocol ports.
• Trojan ports: list, more details, and resources.
• Port listening software: netstat, Active Ports, BackOfficer Friendly.
• Checking and removing Trojans: Symantec on-line check, Moosoft Cleaner shareware.
• Weeding out rogue processes: Windows Task Manager, Linux ps -aux.
• Be aware of traps: Whack-A-Mole (pseudo game), BoSniffer (BO in disguise), eLiTeWrap (packs Trojans into an exe). Generic rule: download, scan for viruses, then execute; do not run directly from the Internet.
• Rootkits: difficult to detect
  • keep a record of your files using Tripwire,
  • create an image of your hard drive: hardware and software solutions (Norton Ghost, Drive Image).
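A defender's version of the port check described on the two slides above (the remote-control port list and netstat as port-listening software), as an added example that is not from the deck: it parses netstat -an output in either the Windows or the Linux layout and reports sockets bound to the listed ports, ignoring outbound sessions whose peer port happens to be on the list. The sample netstat text is constructed, and the product labels attached to the ports are my own annotations, not from the slides.

```python
# Ports the slide lists for locating remote-control software.
REMOTE_CONTROL_PORTS = {22, 799, 800, 1494, 2000, 2001, 5631, 5632,
                        5800, 5801, 5900, 5901, 43188, 65301}

# My labels for the ports whose product I am sure of; the rest are
# reported only as "slide list".
PORT_LABELS = {22: "SSH", 1494: "Citrix ICA", 5631: "pcAnywhere data",
               5632: "pcAnywhere status", 5800: "VNC web viewer",
               5801: "VNC web viewer", 5900: "VNC", 5901: "VNC"}

def local_port(field):
    """Port from a netstat address column (0.0.0.0:5900, :::22); None otherwise."""
    _, sep, port = field.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def find_remote_control_listeners(netstat_text):
    """Return (proto, port, label) for each listed-port socket in netstat -an text."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].upper().rstrip("6")   # tcp6/udp6 -> TCP/UDP
        if proto not in ("TCP", "UDP"):
            continue                            # titles, column headers
        # The first address-like column is the local address in both layouts
        # (Linux's Recv-Q/Send-Q counters before it never parse as addresses).
        port = next((p for p in map(local_port, fields[1:]) if p is not None), None)
        if port is None:
            continue
        # An outbound session whose peer port is listed is not a listener,
        # so TCP rows must carry a LISTEN/LISTENING state; UDP has no state.
        if proto == "TCP" and not fields[-1].upper().startswith("LISTEN"):
            continue
        if port in REMOTE_CONTROL_PORTS:
            findings.append((proto, port, PORT_LABELS.get(port, "slide list")))
    return findings

# Constructed sample mixing Windows and Linux netstat rows to exercise
# both layouts; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49501     10.0.0.5:22            ESTABLISHED
  UDP    0.0.0.0:5632           *:*
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""
```

Call find_remote_control_listeners(SAMPLE_NETSTAT) to see the constructed case, or pass it the captured output of netstat -an from a host you administer.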
Other Techniques
• TCP hijacking
  • Juggernaut: spy on a TCP connection and issue commands as the logged-in user.
  • Hunt: spy on a TCP connection (works with shared and switched networks).
  • Countermeasures: encrypted protocols such as IPSec, SSH.
• TFTP: Trivial File Transfer Protocol.
  • Used by routers, and there are free servers for Windows.
  • Standard client in Windows 2000: tftp.exe, protected by Windows File Protection so it can't be removed.
  • Prevent its use by Nimda:
    • Edit the services file: %systemroot%/system32/drivers/etc/services
    • Find this line: tftp 69/udp
    • Replace it with: tftp 0/udp
• Social Engineering
  • Help desk information: on the Web, e-mail, voice
  • User information: on the Web, e-mail, voice