Rootkit Lab Part 1

00:00

Hey, everyone, welcome back to the course. So in the last video, we wrapped up our lab of just analyzing malware. So we went ahead and created a malicious execute herbal. We then analyzed it through different means, and we finalize the lab by doing a hash calculation on our particular file. So in the future, if we were analyzing files, we could compare that hash

00:18

to future Mauer that we might experience and see if it's the same thing

00:23

in this video, where to go ahead and start our root kit lab. So again, I want to stress that we're using an older root kit here to learn the fundamentals.

00:31

So this step by step lab guide is available in the resource Is section. If you haven't downloaded those already, be sure to download those for the course, and this allows you to pause the video and go through the lab at your own pace.

00:42

Now you should already be logged into the Cyber re website. If you're not, make sure you're logged in. But if you're watching this course in most cases you should be logged onto the site already. The first thing we're going to do is search for root kit in the catalogue here.

00:55

And then we'll give us this root kit lab right here. So let's go ahead and select that will select a launch button

01:00

and then at the next screen will select the launch item button to actually launch the lab. Now, it might take a few minutes to go ahead and launch the lab all the way up. So we're gonna go ahead and positive video until it fully launches and then I'll restart once the lab is up.

01:14

All right, So once the lab boots up, it should actually take you directly into this window's X P desktop. And in this lab, we're gonna be using a tool called Root Kit revealing which is also an older tool. And hence the reason why we're using the Windows X P desktop. But again, I want to stress we're just going over the basic fundamentals in this particular lab.

01:33

So let's go back to our step by step lab guide here.

01:36

First thing we're going to do down here is step number six. We're gonna go ahead and launch the rocket, reveal er, and they just run a scan with it Now it may take a few minutes to run the skin, and you might also get some prompts around licensing, so just agree to the any license terms that you get. So go ahead and double click this shortcut icon here on the desktop

01:53

that's gonna launch a tool for us. You see, I get a license agreement. Just agree to that. If you get it

01:57

and you might get a couple of them there we go and then you'll be taken inside the tool, and we're just gonna go ahead and run the skin. It has mentioned it might take us a couple of minutes to run the first scan.

02:07

All right, So once the scan's complete, you'll see that it's actually gonna list out a couple of registered files and say that this is potentially malware. These air, actually false positives. So don't worry about that, but you should see a couple of results on this initial skin from your side.

02:22

So let's go ahead and close a root kit, reveal er here, there's gonna x out of that, and we're not gonna go to the command line so that when we do that in Windows expert, if you're not familiar. Just go to start menu and you can go to run and then cmd

02:32

and just enter. And that'll bring you up a command prompt.

02:38

So let's go back to our step by step lab guide.

02:39

So we just ran the skin with Rukia. Reveal er we went ahead and we've launched our command prompt window. So now we're here. It's step number 11. So are we going to do is type in task list. Now we want to just see what kind of task are running on this particular device. So this task list

02:54

all lower case and this press enter on your keyboard there.

03:00

All right, So you see, we got several task running now in this lab we're going to do is we're gonna be mimicking these various processes so specifically this a LG, Dottie FC. We're gonna be creating one called a one g dot e x c, which is going to be our malicious process. In that way, we can mimic that, and a lot of times malware would

03:20

be doing that right. It'll be

03:22

trying to look similar to this, so the the average person wouldn't be able to go through and actually say, Oh, that's a malicious file.

03:30

So the next thing we're going to do is we're gonna check for open ports.

03:35

So the way we do that is worth a type of command called net stats were type net stat.

03:40

And then we're gonna put a space and dash lower case A N,

03:45

and we're just gonna see if we have any ports open on this particular device. And of course, we do.

03:51

Now, for our purposes on this lab, we're gonna be using port number 1901 So you'll see here down a step 13. I've got that notated here. Just make a note of that. You don't have to memorize that. You'll see that in later commands in this lab. We I actually just list that same port number, and there would just be mindful that that's what

04:09

we're going to be doing. You don't see 90 no one listed here.

04:12

What we want to do what we're using a malicious porter sees me setting are malicious process to a specific port. We wantto try to increments by a small number to an existing port that's open. So that was somebody analyzing this may not notice the difference or may not notice.

04:29

They may think that that 90 no one is something legitimate, right? Because we've listed it right near

04:34

these other numbers here. These other active, poor numbers.

04:39

So the next thing we're going to do at the command prompt Here's just change the directory. So we're gonna do it here now. One thing I want to stress before we continue in this lab. If you want to get credit for actually doing this lab, what you want to do is you want to make sure that you,

04:51

ah specify these percentage task complete. You notice I don't do that in these labs. I just go through it. But just to make sure you check these boxes here that I'll go ahead and actually track your progress in this particular lap. So just make sure you do that to get full credit for this lab.

05:08

So going back to our step by step lab guide here, we're gonna use this command here to change our directory.

05:13

So we're just gonna go ahead and type in

05:15

CD

05:16

space, and then we're gonna type in the path so capital C, colon backwards slash and then documents and settings

05:28

and then we're gonna put a backward slash again. We're gonna go to admin

05:31

backward slash desktop

05:33

and then a backward slash

05:35

h x d is and dog

05:39

e f

05:41

and then the number 084

05:45

And then we're gonna put a space in the files and a backward slash

05:48

s. So go ahead and run that there and you'll see that will change our directory to this path right here.

05:56

All right, So now if we go back to our step by step lab guide, what we're going to do is we're gonna rename a couple of files here. So steps 17 and 18 we're just gonna do together. So well, First type in this command here and press enter. And then we're gonna type in this command here and press enter to rename that file as well.

06:14

So at the command prompt. Just type in rename

06:17

Space. And then our first file name, which is a TSH x d e

06:24

f 084

06:27

dot e x e and we're gonna rename that to a one g dot He exceeds Who if you recall when we looked at the processes we noticed, one was a L. G dot t x c. And so that's why we're naming this a one g Dottie XY because of lower case L in the number one. Ah, lot of times will look very similar.

06:44

So we'll go ahead, rename that, and we're gonna go again to step 18 and rename that file as well.

06:50

So we'll do rename. And now you know what you can do on your end. You just press the up Barrow and I'll back out of that. You see, you could press the up barrel there if you want to, and that will allow you to quickly put the change in there. I'm gonna go ahead and I'm just going to lead all that out. And I'm gonna type it in manually just to show you the entire thing again. So rename.

07:09

And then this time it's going to be a checks D e

07:14

f 084 But now the file extension is going to be dot

07:18

two and then dot i and I for the file extension.

07:23

And we're gonna change that to a one g dot ionized or initialization file.

07:30

We'll change out there.

07:32

All right, so we go back to our step by step lab guide.

07:35

The next thing we're going to do is we're actually gonna open that file and note pad, but we're gonna stop the video there, and we'll pick that up in the next video. So in this video, we just went ahead and

07:46

got into the lab itself. We went through and we looked for processes, running along with the port numbers. And then we've gone ahead and changed our directory. And now we just rename the files to different file names. So that way they hopefully blend in a little bit. And in the next video, whereto go ahead and finish our lab. So we're gonna open the

08:05

the a one g dot I and I file inside of no pattern were to make some specific changes, so definitely make sure that you follow along