Tuesday, July 8, 2008

Part 3 - using the wrapped ProRat Trojan

Well finally I have managed to get part 3 written. My initial intention was to use the modified tini.exe that we installed in part two but I changed my mind. Part one and two are still fully relevant, you need to have read part two to understand part 3 fully.

I decided to use a trojan that has far more "eye candy" than tini and netcat. I'm using a trojan called prorat, which I used to tinker about with in the past. I think it will really highlight why part one and part two were important to know.

First, as usual, the actors:


I have used two Windows XP virtual machines (safety first kids) for this demonstration; both the victim and attacker hosts are shown below:



I have downloaded and opened the prorat command software on the attacker machine as shown below:


The first thing I need to do is to create the server. The server in prorat is actually the piece of software you wish to install on the victim's machine. I chose a random port for my server, port 8668. I have included a few screenshots below showing the wide range of options available to the attacker when he is creating the server:








Some of those options, particularly those in the first image, are pretty serious attacker options. For example, disable the firewall and anti virus...

I wrapped the prorat server up with the firefox installer (see part two of this series for more information) and installed this on the victim's machine. I have included before and after netstat -na outputs below:



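The before-and-after netstat -na comparison above is exactly the kind of check a defender can automate. The following is an added example, not code from the original post: it parses two constructed snapshots of netstat -na output in the Windows format (the IP addresses and the ESTABLISHED line are made up; port 8668 is the one chosen for the server above) and reports the listening ports that appeared between them, plus any remote endpoint connected to a given port.

```python
import re

# Constructed sample of "netstat -na" output (Windows format); not captured from the post.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# Same host after the wrapped server has been run: a new listener on 8668 and a
# connection from the (constructed) attacker address 192.168.56.102.
AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8668           0.0.0.0:0              LISTENING
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING
  TCP    192.168.56.101:8668    192.168.56.102:1042    ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: proto, local address, local port, foreign address, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$", re.M)


def listeners(netstat_output):
    """Set of (proto, port) that accept traffic: TCP in LISTENING state, any bound UDP socket."""
    found = set()
    for proto, _addr, port, _foreign, state in ROW.findall(netstat_output):
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def new_listeners(before, after):
    """Listeners present in the 'after' snapshot but absent from the baseline."""
    return sorted(listeners(after) - listeners(before))


def connections_to(netstat_output, port):
    """Remote endpoints with an ESTABLISHED TCP connection to the given local port."""
    return sorted(foreign for proto, _a, lport, foreign, state in ROW.findall(netstat_output)
                  if proto == "TCP" and int(lport) == port and state == "ESTABLISHED")


if __name__ == "__main__":
    for proto, port in new_listeners(BEFORE, AFTER):
        print(f"new listener: {proto}/{port}, peers: {connections_to(AFTER, port)}")
```

Run the same comparison against a clean baseline taken before installing software to spot an unexpected listener; the port number alone is meaningless until it is tied back to the process that opened it.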
I connect to the server through the prorat command console:


I think it's time for some fun, let's have a play with some of the tools available to us. As you can see, the command console offers me lots of tools to extract information or even do more damage to the victim. I have just selected a few of these to demonstrate in this post.

I have included screenshots of a few of these tools in action, firstly taking screenshots of the victim's desktop:


Viewing the applications the victim is running:


Viewing the web history:


I just have three more examples I would like to show you in this post. Firstly, copying the victim's clipboard. I have entered some text in notepad on the victim's computer:


And I have accessed this through the command console:


Second, stealing files from the victim's machine. The victim has a file called mypasswordsfile.txt:


and I have copied this to the command console:


Just one more to show, the keylogger. Without needing any prompting from me, the prorat server has been sending all of the keystrokes back to the command console as shown below:


Well that is all really. I think we can all now see how easy it can be to get malicious and powerful software onto an unsuspecting victim's machine.

Don't have nightmares, the next technical post will be explaining how to steal data and hide it covertly in TCP packets.

Dave

PS - all stunts are performed by highly trained security ninjas, do not attempt to perform these stunts in your own home.

2 comments:

Anonymous said...

Dave,
I wanted to recreate some of your experiments, but am having trouble downloading some of the malicious tools you have mentioned. Any advice?

David Rook said...

Hi,

If you are having trouble finding the software you should be able to obtain the tools at the URLs below:

Elitewrap:

http://homepage.ntlworld.com/chawmp/elitewrap/

Tini:

http://ntsecurity.nu/downloads/tini.exe

Prorat:

http://www.prorat.net/

Don't be surprised if your anti virus doesn't like you downloading some of these tools though :-)

I perform all of my testing within virtual machines to reduce the risk of these tests.

Any problems then feel free to ask.

Dave