Advanced Rootkit Exploit – Demonstrated

June 28, 2011 by Keatron Evans

This is mainly a post-exploitation demonstration that starts with a walk-through of exploiting a Windows machine. Next, we walk through getting a copy of the web server’s home page and modifying it with an iframe that points to an exploit server. Anybody that browses to the victim web page now gets owned.

Once it’s set up, we move to post exploitation.

This is a great example of some of the hands-on labs you will do in the InfoSec Institute Advanced Ethical Hacking class.

After we own the page and make it a browse-by attack page, we then exploit the server again and create an .ini file for a rootkit so that the rootkit hides the infected page from every Windows service (including, for the most part, Windows itself), except for the w3wp service (which actually serves the page out). The kit also makes netcat listen on port 100, then hides netcat, and even HIDES the open port 100! So taskmgr, netstat, anti-virus et al. are useless. You won’t find anything. We then prove that the port is open by telnetting to it and gaining yet another shell. Then we go back to the victim (playing the victim), run netstat -an to see all open ports, and show that 100 doesn’t show up.

Then we go to Task Manager and tasklist to see there’s no netcat running. And lastly, but most importantly, I show that there is no way to actually see the infected page unless you browse to the actual web page. You cannot see it from the victim side by doing any command-line work, nor by looking at it through Windows Explorer. Traditional live forensics will NOT help you; we need to do some rootkit forensics, which we do in depth on this exact case coming up next (will be linked here when live tomorrow).
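As an added defender-side illustration (not part of the original post or video), the following Python checks implement the cross-view comparison the write-up implies: the hidden port only shows up when the host is observed from another machine, and the infected page only shows up through the web server, so diffing the two views exposes what the rootkit filters out. The netstat text, the external scan result, the page contents and the exploit-server URL are all constructed samples.

```python
import re
from typing import Iterable

# Constructed `netstat -an` output as the rootkit-filtered victim shows it:
# the netcat listener on port 100 has been hidden from the local view.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.9:51234         ESTABLISHED
"""
# Constructed result of a TCP scan of the same host from another machine.
EXTERNAL_OPEN_PORTS = {80, 100, 135, 445}

# Constructed home page as stored on disk, and as actually served over HTTP
# (the iframe target is a placeholder, not a real host).
DISK_PAGE = "<html><body><h1>Welcome</h1></body></html>"
SERVED_PAGE = ("<html><body><h1>Welcome</h1>"
               '<iframe src="http://exploit-server.example/" width="0" height="0"></iframe>'
               "</body></html>")

_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)
_IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

def local_listening_ports(netstat_output: str) -> set[int]:
    """TCP ports the host itself reports as LISTENING."""
    return {int(p) for p in _LISTEN_RE.findall(netstat_output)}

def hidden_ports(netstat_output: str, external_ports: Iterable[int]) -> set[int]:
    """Ports reachable from outside but absent from the host's own netstat.
    A port-hiding rootkit leaves exactly this discrepancy."""
    return set(external_ports) - local_listening_ports(netstat_output)

def injected_iframes(disk_copy: str, served_copy: str) -> set[str]:
    """iframe targets present in the served page but not in the file on disk:
    the hidden infected page is visible only through the web server."""
    return set(_IFRAME_RE.findall(served_copy)) - set(_IFRAME_RE.findall(disk_copy))

if __name__ == "__main__":
    print("ports hidden from netstat:", sorted(hidden_ports(SAMPLE_NETSTAT, EXTERNAL_OPEN_PORTS)))
    print("iframes not on disk:", sorted(injected_iframes(DISK_PAGE, SERVED_PAGE)))
```

In practice the served copy would be fetched from a separate machine and the disk copy read from a known-good backup or an offline image, since the rootkit can also filter what the infected host reads.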


Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Skills live boot camps and on-demand training.

4 responses to “Advanced Rootkit Exploit – Demonstrated”

  1. Pellucida says:

    Fascinating demo. It’s always easier to see in action to stimulate me to learn more. I should sign up for one of the classes.

  2. Shawn Anderson says:

    Great Video, I am excited to get my class kit. Should be coming today. Thanks for putting out these videos, they reassure the newbie and give a better idea of the type of training we should expect in the class kit.

  3. Keatron says:

    @Pellucida. Glad the vid helped!
    @Shawn. We’re glad to have you!

  4. Ron says:

    I almost abdicated this course unit, but after delving online on the web to randomly search for help I stumbled on this video; 25 minutes of watching the video instantly changed my hatred of the course.
    It is very good stuff, you have done great and it is kind of you, please keep it up.
