[Full-Disclosure] Remote Rootkit Scanner for Windows

Subject: [Full-Disclosure] Remote Rootkit Scanner for Windows
Date: Tue, 19 Oct 2004 13:12:35 +0200

Hacker Defender is a rootkit that has been heavily deployed by hackers on
compromised boxes in the last months.
Due to a design flaw, it is possible to remotely detect whether an NT-based computer
is "infected" with this rootkit.

Rkdscan was developed to check for this flaw: it performs a network scan and,
after sending some data to open ports, is able to detect whether the remote box
has been compromised.

Usage:

C:\rkdscan>rkdscan.exe xx.yy.0.0 xx.yy.10.0
 Remote hxdef Scanner $Revision: 1.0 $
 atarasco_@_sia.es http://www.siainternational.com

 [+] Targets: xx.yy.0.0-xx.yy.10.0 with 150 Threads
 + xx.yy.0.1
 + xx.yy.1.1
Checking xx.yy.1.5 port: 3389...
Checking xx.yy.1.17 port: 3389...
Checking xx.yy.1.17 port: 21...
Checking xx.yy.1.30 port: 3389...
Checking xx.yy.1.7 port: 21...
Checking xx.yy.1.20 port: 21...
Checking xx.yy.1.22 port: 1025...
 [+] IP: xx.yy.1.22 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0
Checking xx.yy.1.66 port: 1025...
Checking xx.yy.1.25 port: 21...
 [+] IP: xx.yy.1.66 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0
Checking xx.yy.1.65 port: 3389...
Checking xx.yy.1.47 port: 3389...
Checking xx.yy.1.52 port: 7...
 [+] IP: xx.yy.1.52 port: 7 INFECTED with HACKER DEFENDER v0.82 - 0.83
Checking xx.yy.1.90 port: 3389...
Checking xx.yy.1.101 port: 3389...
Checking xx.yy.1.96 port: 3389...
Checking xx.yy.1.97 port: 3389...
Checking xx.yy.1.94 port: 7...
Checking xx.yy.1.94 port: 80...
 [+] IP: xx.yy.1.94 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0
Checking xx.yy.1.109 port: 3389...
Checking xx.yy.1.98 port: 3389...
Checking xx.yy.1.21 port: 25...
Checking xx.yy.1.116 port: 21...


Attached to this e-mail is a zip file with both source and binary files:

rkdscan.c       md5sum: a24c0d9f35ccaa07efa8a291476a8a4d
rkdscan.exe     md5sum: 229fd4a1df6d76c799c9b059519f204a (compiled with Bc++ Builder)
rkdscan.zip     md5sum: bb653a41e757b9762070bcd1ec082e5e

Special thanks to Javier Olascoaga (jolascoaga[at]sia.es) for the
development of a NASL/Nessus script.

Andrés Tarascó Acuña
Security Consultant - Tiger Team
Departamento de Consultoría

Grupo SIA
Avenida de Europa Nº 2. Alcor Plaza
Edificio B. Parque Oeste Alcorcon.
28.922. Madrid
Tel.: +34 902 480 580 / Fax: +34 91 307 79 80
atarasco_@_sia.es
<www.sia.es>

Attachment: rkdscan.zip
Description: Binary data

Attachment: hacker_defender.nasl
Description: Binary data
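As an added example that is not part of the original post or of the rkdscan tool itself: a small Python parser that turns scanner output in the format quoted above into a per-host list of flagged ports, so that a box reported on several ports is triaged as one incident. The sample lines are constructed to mirror the quoted format, and the 192.0.2.x addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample modelled on the rkdscan output quoted in the post;
# 192.0.2.x addresses are documentation-range placeholders, not real hosts.
SAMPLE_OUTPUT = """\
 [+] Targets: 192.0.2.0-192.0.2.255 with 150 Threads
Checking 192.0.2.22 port: 1025...
 [+] IP: 192.0.2.22 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0
Checking 192.0.2.66 port: 1025...
Checking 192.0.2.52 port: 7...
 [+] IP: 192.0.2.52 port: 7 INFECTED with HACKER DEFENDER v0.82 - 0.83
Checking 192.0.2.22 port: 80...
 [+] IP: 192.0.2.22 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0
"""

# The scanner prints the family name in inconsistent case ("HACKER Defender",
# "HACKER DEFENDER"), so match case-insensitively and keep the version range text.
HIT_RE = re.compile(
    r"^\s*\[\+\] IP: (?P<ip>\S+) port: (?P<port>\d+) INFECTED with "
    r"hacker defender (?P<versions>.+?)\s*$",
    re.IGNORECASE,
)

Finding = Tuple[str, int, str]  # (ip, port, version range as printed)


def parse_hits(text: str) -> List[Finding]:
    """Extract the INFECTED lines; banner and 'Checking' lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((m["ip"], int(m["port"]), m["versions"].strip()))
    return hits


def hosts_by_ip(hits: List[Finding]) -> Dict[str, List[int]]:
    """Collapse hits to one entry per host, so a box flagged on several ports
    becomes a single incident ticket listing all flagged ports."""
    ports = defaultdict(set)
    for ip, port, _ in hits:
        ports[ip].add(port)
    return {ip: sorted(p) for ip, p in sorted(ports.items())}


if __name__ == "__main__":
    found = parse_hits(SAMPLE_OUTPUT)
    for ip, ports in hosts_by_ip(found).items():
        print(f"{ip}: flagged on ports {ports}")
```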
