Rootkit Lab Part 2

Video Transcription
Hey, everyone, welcome back to the course. In the last video, we went ahead and logged into the lab. We also took a look for port numbers. We ran a scan with
Rootkit Revealer, and we also went ahead and looked at any processes running. And then what we did is we wrapped up the last video by
renaming our file. That way we can hopefully blend in a little bit to the naked eye if someone's analyzing this.
Now, in this video we're going to go ahead and finish out our lab. So we're gonna open the a1g.ini file. So if you remember, we renamed it to that from the hxdef084.2.ini. We renamed that to a1g.ini to hopefully allow it to blend in a little better.
We're gonna open that file in Notepad and make some very specific changes. So again, I want to stress:
make sure you follow along with the step-by-step guide. If you haven't downloaded the lab guide yet, be sure to do so. These are provided with the course to allow you to go through the lab at your own pace. The other thing I want to stress again is, to get credit for the lab, make sure to check these boxes as you're going through these different steps in the lab, so it reflects on your Cybrary account.
If you don't do that, if you just go through the lab and you don't check these boxes,
it's not going to track your progress.
So if we go back to our lab guide here, we're just gonna type in this command right here to open Notepad. So notepad, space, and then a1g.ini, our file name there.
So at the command prompt, just type in notepad and then a1g.ini
and just press Enter and go ahead and launch it there. Now you see, it's gonna open up that Notepad document for us. So again, I want to stress, make sure you're actually following along with the lab guide here and making only the specific changes.
So when I mention something in the lab guide here that says, for example, in step 21, under this Hidden Table section, change it to a1g, what you're going to do is you're gonna change everything under this section to just a1g.
So you'll follow that same process for all of these. If there's multiple things in there and there's only one item to enter in, just make sure you change those multiple things into just this one item,
and that'll make more sense as we actually go ahead and type these in.
So first things first, let's go ahead and under Hidden Table, we're just gonna type in a1g.
Now, as you're going through this, you can use Ctrl+S to save as you're going through the Notepad document here, to save the changes that you've made.
Step 22:
we're gonna go here and under the Root Processes, which is the next section down, we're gonna change these two file names. The first one will be changed to a1g.exe. The second will be changed to cmd.exe, and what you can do for the second one is just take out the r. That'll change it for you.
So let's go ahead and do that. So we'll change this first one here. That's gonna change to a1g.exe.
And then the second one here will change to cmd.exe. You can highlight and type that in, or you can just take out the r and do it the lazy way and just save that as well.
Now the next thing we're going to do is under the Startup Run section. So it's right down here in the middle.
We're gonna add this path here, so it's gonna be a little bit of typing here, and I'll just talk you through it. So under Startup Run, just space down a little bit there, and we're gonna go ahead and, I usually space down a couple.
We're gonna go ahead and type this in, so we're gonna type in this path. So capital C, colon, backslash, and then Documents and Settings,
backslash admin, backslash Desktop,
backslash nc.exe for netcat.
We're gonna put a question mark. We're gonna put a space and then dash capital L,
space, dash lowercase t as in Tom,
space, dash lowercase p as in Paul,
and then 1901. If you recall, that's the port number we talked about earlier that we were going to use. We'll put a space, dash lowercase e.
And then we'll put our next path, which is capital C, colon, backslash,
windows, and then system32.
If I spell it right, that'll work better. There we go. system32,
and then backslash cmd.exe.
All right, so just double-check yourself there. Make sure you typed that in correctly and then move on to the next step of our lab guide there. So we go back to our lab guide and step 24.
What we'll see here is that under the Hidden Ports section, we're gonna add in 1901. So again, that same port number that we were talking about earlier.
So if we scroll down here to Hidden Ports right here,
we're just gonna space down and put in 1901.
All right, so let's go back to our lab guide here.
Now, under the Settings section, we're gonna make several changes. So here's the Settings section right here. We're gonna make several changes. So that Password one, we're gonna change that to just the number 1337. We're going to also change the driver name and the driver file name as well. Those will be the last changes we make to this particular file.
So just go ahead, and if you need to, pause the video and do steps 25 through 27, and that'll make those final changes for us. But we're gonna go through that step by step as well. So under Settings, if we go to Password right here, after the equal sign, we just want to change all of this to 1337.
All right, so the next thing here, under the driver name down here near the bottom, we want to change all of this
to just a1g.exe.
And then finally, under the driver file name, the very last one there, we're gonna change all of this
to just a1g.sys. Go ahead and save all that.
Now, since we've made all the changes, you can go ahead and close out this Notepad document. That's perfectly fine.
And we'll come back to our command prompt here.
So if you go back to our step-by-step guide here,
you'll see that now we're at step number 28. So we're just gonna basically refresh that Notepad, or that executable document. We're gonna go ahead and refresh that. That way we can go ahead and run the rootkit.
So the way we do that, we just enter in this command right here at the prompt.
So let's go ahead and do that.
We're gonna type in a1g.exe,
and then we're gonna put a space, and we're gonna put
a dash,
a colon,
and then the word refresh.
All right, so just run that. That'll refresh it for us. And now if we type in a1g.exe, that will actually go ahead and run this rootkit for us.
All right, so once we've done that, if you come back to our step-by-step lab guide, we're gonna type in tasklist again, and that's gonna show us if that process is running. And if it's running, we were successful. If it's not, we need to go look at our syntax and also look at the Notepad document and make sure that we've typed in everything correctly. So let's go ahead here in step 30 and type in tasklist,
and we'll see if we notice the a1g.exe process. So you'll see, we see alg right here. But if we come down just a little bit, you see a1g.exe along with our netcat
as well. So you see that we were successful there. We were able to run that.
All right, so let's go back to our step by step lab guide here.
Now, the next thing we're going to do is we're gonna take a look and see if
netcat is listening on port 1901, which again is the port number we specified. So here in step 32 we're just gonna enter in at the command prompt this: netstat, space, dash ano.
So netstat, space, dash ano,
and type that in there. So now we're looking for port number 1901. So if we scroll, if we look here in our list, you'll see right there, 1901
is listed,
so we know we're successful there. It's actually listening on that port number.
So if we go back to our lab guide there, you'll see one question: Is it listening on port 1901? In my case, yes. If you get a no there, if you're answering no to that question, go back. Make sure you typed in all the syntax correctly. Also, make sure that Notepad document, open that file again and make sure that you've added everything correctly in there.
So in this video, we just went through the next steps of our lab. We went ahead and
launched the rootkit, and we verified that it's actually in there working. We're gonna wrap up this lab in the next video with the final steps.
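
The tasklist and netstat -ano checks used in this lab can also be cross-referenced from the defender's side. The Python below is an added example, not part of the video or the lab guide; the sample command output and the baseline port set are constructed assumptions.

```python
import re

# Constructed sample output for illustration; not captured from the lab machine.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1901           0.0.0.0:0              LISTENING       1788
  TCP    10.0.0.5:1042          10.0.0.9:80            ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  912 Console                 0      4,120 K
alg.exe                     1324 Console                 0      3,480 K
a1g.exe                     1620 Console                 0      1,204 K
nc.exe                      1788 Console                 0      1,560 K
"""
BASELINE_PORTS = {135, 139, 445}  # assumed known-good listeners for this host

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_listeners(netstat_text):
    """Return (port, pid) for every TCP socket in LISTENING state."""
    hits = (LISTEN_RE.match(line) for line in netstat_text.splitlines())
    return [(int(m.group(1)), int(m.group(2))) for m in hits if m]

def parse_tasklist(tasklist_text):
    """Return {pid: image name}; image names may contain spaces."""
    hits = (TASK_RE.match(line) for line in tasklist_text.splitlines())
    return {int(m.group(2)): m.group(1) for m in hits if m}

def triage(netstat_text, tasklist_text, baseline=BASELINE_PORTS):
    """Flag listeners off the baseline or owned by a PID tasklist does not show."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        reasons = []
        if port not in baseline:
            reasons.append("port not in baseline")
        if pid not in procs:
            reasons.append("owning PID missing from tasklist")
        if reasons:
            findings.append((port, pid, procs.get(pid, "<not listed>"), reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(NETSTAT, TASKLIST):
        print(finding)
```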