CEH Module 8 and 9: Trojans, Backdoors Viruses and Worms Part 1

Definitions

Trojans:A program that appears to be a legitimate program but in fact performs some malicious functions.

Backdoor: A secret entry point to the system that allows someone who is aware of the backdoor gain unauthorized access.

Viruses: A piece of malicious code attached a program that replicates by attaching itself to other programs.

Worm: A standalone program that propagates copies of itself across the network

Example

Covert channels are important for hiding activity from system owner when attacker communicate via his backdoor. Covert channel is a communication channel in a way that was not intended.

There are lots of reason for using covert channel but as an ethical hacker you should know that covert channel can be used directly communicating with the target to continue maintaining server or launching attack against other system via target. In this way attacker can hide himself from second target.

I am going to show a linux utiliy called ptunnel  – tunnel TCP connections over ICMP echo request/reply packets.

From its man page:

ptunnel  is  an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request  and  reply  packets,
commonly  known  as  ping  requests  and replies. At first glance, this might seem like a rather useless thing to do, but it can actually  come
in  handy  in  some  cases.  The following example illustrates the main motivation in creating ptunnel:

Setting: You’re on the go, and stumble across an open wireless network. The  network gives you an IP address, but won’t let you send TCP or UDP
packets out to the rest of the internet, for  instance  to  check  your mail.  What  to do? By chance, you discover that the network will allow
you to ping any computer on the rest of the internet. With ptunnel, you can  utilize  this  feature to check your mail, or do other things that
require TCP.

I believe the scenario author discussed was tricky since using a service you are not authorized to use is illegal. However one can argue that since ICMP is allowed by network, there is nothing illegal. My suggestion just play safe and not try in that scenario. Instead use this tool in your home network.

As an ethical hacker we footprint a system, scan it, enumerate users, and crack passwords, then got an access. We elevated privileged access and plant some rootkits. We now want to attack another server with ssh connection, however we want to cover ourselves. We are going to use ptunnel on the already compromised target so in this way system owner will only see lots of ICMP echo request and reply packets instead of actual commands we are running to communicate with the system. Consequently we will be hiding our activity from him/her. We will be launching attack against another server.

Installation

On a debian based system you can install ptunnel with this command:

apt-get install ptunnel

Note: We need to install ptunnel on the our computer (client computer) and also on the proxy computer (comprimisedTarget)

Action

On the compromisedTarget run ptunnel.

./ptunnel

Here compromisedTarget is the target we have access (already hacked). The second target is the one we want to attack.

On your local computer run following command:

sudo compromisedTarget -p 12345 -da secondTarget -dp 22

We are attacking ssh server of the secondTarget to gain access. There are lots of automated tools like Hydra, brutessh, sshater. You can configure them for a brute force attack. For simplicity I am using ssh command for manual tries to guess the password.

ssh -p 12345 localhost

Now we are sending our ssh packets through the ICMP tunnel that is established with the compromisedTarget. The owner of the compromisedTarget will see lots of ICMP echo request/reply packets but they are part of our ssh attack.

One thought on “CEH Module 8 and 9: Trojans, Backdoors Viruses and Worms Part 1

  1. Pingback: Tweets that mention Information Security Blog » CEH Module 8 and 9: Trojans, Backdoors Viruses and Worms Part 1 -- Topsy.com

Leave a Reply

Your email address will not be published. Required fields are marked *