Case Study


This case study does not demonstrate how to break into systems like all the other chapters, but rather how a common rootkit is used to hide the location of files, folders, and even processes on a computer system. To set the scene, Evil Jimmy has already compromised a Windows 2003 server by shoulder surfing passwords while at work. He needs to hide some of his common hacking tools on the server so that no one can see them. Later he will use the server to island hop to another system, but until then, his tools must stay concealed. He has decided this is a great chance to use a rootkit to conceal a folder that will host all his tools, so that when the administrators review the files in the directories on the system, they will not find them.

Step 1.

Evil Jimmy sits at the physical server and copies all his tools including his rootkit program from his USB pen drive onto the server.

Step 2.

Jimmy puts his tools into a directory called _root_MyTools. Because the name begins with the key characters "_root_", the folder disappears from view as soon as he activates the rootkit:

C:\>dir
 Volume in drive C is Home
 Volume Serial Number is 60D1-AE67

 Directory of C:\

10/08/2004  07:30                 0 AUTOEXEC.BAT
10/08/2004  07:30                 0 CONFIG.SYS
30/03/2005  23:49    <DIR>          Drivers
02/01/2005  20:55    <DIR>          Inetpub
15/05/2005  17:08    <DIR>          Program Files
18/05/2005  22:49    <DIR>          Temp
18/05/2005  22:41    <DIR>          WINDOWS
18/05/2005  22:39    <DIR>          _root_MyTools
               2 File(s)              0 bytes
               6 Dir(s)   547,532,800 bytes free

C:\>

Step 3.

It is time to start the rootkit to conceal the directory "_root_MyTools". The rootkit is installed as a service named _root_, so Jimmy executes the following from the command shell:

C:\>net start _root_

Step 4.

Listing the directory again, he can verify that the folder and its files are hidden, as shown here (note that the rootkit also adjusts the directory count in the summary line, so the listing looks internally consistent):

C:\>dir
 Volume in drive C is Home
 Volume Serial Number is 60D1-AE67

 Directory of C:\

10/08/2004  07:30                 0 AUTOEXEC.BAT
10/08/2004  07:30                 0 CONFIG.SYS
30/03/2005  23:49    <DIR>          Drivers
02/01/2005  20:55    <DIR>          Inetpub
15/05/2005  17:08    <DIR>          Program Files
18/05/2005  22:49    <DIR>          Temp
18/05/2005  22:41    <DIR>          WINDOWS
               2 File(s)              0 bytes
               5 Dir(s)   547,532,800 bytes free

Step 5.

Later, when Jimmy wants the files visible again, he only needs to stop the rootkit service as follows:

C:\>net stop _root_

This example demonstrates how easy it is to hide files from the eyes of an administrator after access to the computer has been achieved. Prevention is key, because once a breach has occurred and a rootkit has been installed, the integrity of your server is forever left in question. In this case study, Evil Jimmy could just as easily have installed a second rootkit that hides tools in a different location. If an administrator found one set of tools or one rootkit, he likely would not look for a second one.
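Because the rootkit only filters what the running system reports, the standard defensive check is a cross-view comparison: a directory listing captured from a trusted source (a baseline taken before the compromise, or the same disk enumerated from offline boot media) is compared against the live listing, and any name that has vanished is flagged. The following Python script is an added example, not code from the book; it parses cmd.exe `dir` output in the format shown above and diffs two listings. The sample listings are constructed from the Step 2 and Step 4 output.

```python
import re

# One `dir` entry line in the format shown in the case study, e.g.
# "18/05/2005  22:39    <DIR>          _root_MyTools"
_ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(?:(<DIR>)|([\d,]+))\s+(.+?)\s*$"
)

def parse_dir_listing(text: str) -> dict[str, bool]:
    """Map each entry name in a cmd.exe `dir` listing to True if it is a directory."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:  # summary lines ("2 File(s)", "6 Dir(s)") never start with a date
            entries[m.group(5)] = m.group(3) is not None
    return entries

def cross_view_diff(baseline: str, live: str) -> list[str]:
    """Names present in the trusted baseline listing but absent from the live one.
    A listing the rootkit cannot filter (pre-compromise or offline) still has them."""
    hidden = set(parse_dir_listing(baseline)) - set(parse_dir_listing(live))
    return sorted(hidden)

# Constructed sample: the listing from Step 2, before the rootkit service runs.
BASELINE = """\
10/08/2004  07:30                 0 AUTOEXEC.BAT
10/08/2004  07:30                 0 CONFIG.SYS
30/03/2005  23:49    <DIR>          Drivers
02/01/2005  20:55    <DIR>          Inetpub
15/05/2005  17:08    <DIR>          Program Files
18/05/2005  22:49    <DIR>          Temp
18/05/2005  22:41    <DIR>          WINDOWS
18/05/2005  22:39    <DIR>          _root_MyTools
               2 File(s)              0 bytes
               6 Dir(s)   547,532,800 bytes free
"""
# Constructed sample: the filtered listing from Step 4 on the running system.
LIVE = """\
10/08/2004  07:30                 0 AUTOEXEC.BAT
10/08/2004  07:30                 0 CONFIG.SYS
30/03/2005  23:49    <DIR>          Drivers
02/01/2005  20:55    <DIR>          Inetpub
15/05/2005  17:08    <DIR>          Program Files
18/05/2005  22:49    <DIR>          Temp
18/05/2005  22:41    <DIR>          WINDOWS
               2 File(s)              0 bytes
               5 Dir(s)   547,532,800 bytes free
"""

if __name__ == "__main__":
    print("hidden from live view:", cross_view_diff(BASELINE, LIVE))
```

The same comparison applies to process and service lists, which the case study notes this rootkit can filter as well.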



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209