Rootkit Lab Part 3

00:00

Hey, everyone, welcome back to the core. So in the last video, we went ahead and launched a root kit. We then verified that the process was running so again the process we created the A one g dot e x e that was running. We also verified that cat was running and then we went ahead and verified that

00:14

port 1901 was actually listening. So we were able to see that we were successful and actually launching. Lookit

00:21

in this video, we're gonna wrap up the rest of the labs. We're gonna take a look and run another scan with root kit. Reveal er and we're also going to,

00:28

uh, take a look at the root kit and verify that we can actually access the host.

00:34

So let's go ahead and get started. So first things first, we're gonna just minimize our command prompt window here, and we're gonna double click back on the Rukia, reveal er and launch that again.

00:42

Now, before we run our scam, we just want to go toe options and make sure that both things are checked here. So make sure that scam registry and also hide standard ante F s make sure those air checks, they should be by default. But just in case you're not, make sure you check those.

00:56

So then what we're going to do is just run another scan. So here, instead, 35 just cooked the scan button again. I might take a couple of minutes to run the scans Woman briefly Paul's and will come back once my skin is complete.

01:07

All right, So once you've run this scan, if you go back to the lab guy, what you'll see is question number two here. One of the scan results now show you. So if you'll recall earlier when we ran the scan, we just noticed these top two here, which were false positives. However, now, because we've run the root kit, we notice a couple of registry He's here that we probably want to take a look at because their militias

01:26

Now we're not gonna go into the registry in this particular lab.

01:30

That thoughts aside the scope of this little mini course, however, uh, in the real world. What she would want to do is go look at these registry keys and see if they're actually malicious or not, or if there are some more false positives.

01:42

So the next thing we want to do on our end is we're gonna go to the Cali Lennox machine. So the way we do that has come over here on the right side of the lab and select the resource is tab.

01:52

Now, then you'll see the Cali Lennox machine right there. Just go ahead and select that.

01:56

That will put up the machine for you. Now,

01:57

with this particular Callie Lennox machine, there'll be some arrows down here at the bottom that you'll see, and you need to click in drag and slide up this year's he can actually log in cities, click and drag it, and then you'll see the log in box there. Same log in as you normally would with Callie Lennox root for the user name and then t o r

02:16

for the password again. All over case

02:20

that's gonna go ahead and pull the Cali machine for you.

02:23

Now all it's doing that we're gonna go back to our lab guide here.

02:27

So with the Cali Lennox machine, we're gonna launch a terminal. Now, in this particular instance of Callie, it's gonna be on the left side, which is a more recent version of Cali Lennox. So you'll see it on the left side of the screen. There, it's gonna be that little black box you were to go ahead and launch the terminal window, and then we're gonna try to connect to that Windows machine using Net Cat,

02:45

if we are successful, will run a couple of commands

02:47

to take a look at the information we get back. If we're not successful, we need to back up and go back in the lab document and just make sure that we've completed all steps properly.

02:58

So here in Cali, Lennox, just click the little black box that's gonna launch the terminal window for you.

03:04

And the next thing we're going to do is we're gonna use net. Cats were just gonna type in net cat at the prompt.

03:10

We're gonna put a space and then the i p address of the Windows machine. So 10

03:15

0.0 dot Tenn 0.20 and then space 19 0 once you remember that support number we talked about earlier?

03:23

So go ahead and do that and we can see that I'm successful in my side. That's established a connection we see here that the prompt we get now is a windows prompt. So we know that we are connected to that machine.

03:35

But we don't know if it's really that Windows machine, Right? Maybe it's some other machine, and I messed up or something someplace. So let's type in host name and just verify that that's the machine we need.

03:45

I don't see Yes, it is. Right. So that's the Windex P. And don't worry about the naming convention here. That's just gonna be the actual host machine. And now they've named it here in the lab,

03:55

are So let's go back to our step by step the lab guide.

03:58

So the question is, what is the house name? You could just fill out that there and that'll verify that this is actually the Windows device we were looking for.

04:05

So now we're going to do We're gonna go back to that windows machine,

04:09

so let's click back on our windows. Explain machine under resource is on the right side, there

04:14

and again, like I mentioned before, just make sure that you're checking these boxes to complete your lab progress. As you're going through it, I'm gonna go ahead and close out rookie reveal right here.

04:24

We're gonna go back to the command prompt. So if you've minimized it, just make sure you go back. You definitely should minimize it. If you don't, it's going to stop the process from running. And so you'll want to go ahead and just repeat some of the steps in the lab

04:34

are someone's. We're back at the Windows Command prompt. We're gonna type in task list again.

04:40

So let's go and type that in

04:45

and you'll see again that we're running the A one g t x c and then NC Dottie XY processes. So we see those in there now, what you want to do on your end of things because your number's probably going to be different than mine is. Make a note of the process i d. Numbers. So these numbers right here. So, for example, with the a one g dot e x e

05:02

you want to just shot down? If you have the same number you were jot down 17

05:05

04 for the n c dot e x c u would jot down this 188 You're gonna need those numbers for the next part of the lab so again, Just make sure you jot those down to make sure you have those. And they're probably going to be different on your end, so just jot them down. Put him in your phone notes real quick, whatever the case might be.

05:26

Ah, through no pad document or some text editor, et cetera. But just make sure you make a note of those

05:30

because you will need them for this next part of the lab.

05:34

All right, so what we're going to do now is if we go back to our lab guy were to type in this command right here, And instead of typing in P I d. Right here, we're gonna type in the actual numbers. Who again? That's why you need to make a note of those numbers so you can go ahead and kill off those processes.

05:50

So let's go ahead and do that. We're just gonna type in task

05:54

kill.

05:57

We're gonna put a space

05:58

ford slash capital F

06:00

space, forward slash p i D. Lower case. So that's the process I D. Number. And then we're gonna type in the first number, which, in my example, is going to be the 17 04 for the A one G Dottie XY that'll go ahead and kill that process.

06:16

And then what I'm going to do, I'm gonna do with lazy way. I'm just gonna press the up Barrow and then just change the number here

06:21

and you could type it all the way in again. If you want to know what is type in the next number and kill off that process is, Well,

06:28

all right. So the next thing we're going to do is we're going to type

06:31

task list again.

06:33

And the question is, Are those processes still running or are they stopped? So we'll take a look and see if we see those processes again, and you'll notice, at least on my end that I only see the A l g Dottie X and I don't see the n c t x c or the A one g d e x e. So I was successful and stopping those processes.

06:51

So on my end of things, question number four here, I would answer you.

06:55

No, right. They have stopped those processes. If they're still running on your side, just run this command again and make sure you're entering in the correct process, i d number. And if you're still having problems, just back up in the lab and make sure you've entered everything correctly.

07:09

All right, so in this video, we just wrapped up our lab. So again, we located those processes. We used a net cat to connect from our limits machine to our Windows machine. We verified the connection. We verified it was the correct machine by using the command of host name. And then we came back to the winner's machine.

07:26

We located the suspicious processes again. We found the process i d. Number.

07:30

We then entered in the task Kill Command to kill off this processes. And we verified that the were actually stopped