This lab demonstrated a couple of bots that could be used for a DoS attack. One problem with our setup was that we had to manually enter the commands each time a new bot entered the IRC channel. In order to more effectively carryout the attack, it would be beneficial to have the process of giving commands automated. To do this we used a plugin for XChat called onjoin. This plugin allows you to automatically send commands anytime a user enters the channel. The files for the plugin can be found at http://silenceisdefeat.org/~b0at/xchat/on_join/. There is a customizable configuration file that can be adjusted for any type of IRC bot. The use of a script like this allows the attacker to leave the IRC channel unattended but still allow the attacks to continue.
The use of this XChat plugin uses the setup that was used in this lab for Section 3. It would fit well after this section.
Installing and Configuring onJoin
• Copy the on_join-005.zip file from the NAS to your RedHat WS 4.0 machine. • Unzip the file using the command “unzip on_join-005.zip”.
• Change to the newly created 005 directory. • Open the _onjoin.conf file in a text editor.
• Put the following line at the top of the list of commands:
o * * say PAN <WinXP IP> 80 10
• Save the file.
• Copy the _onjoin.conf and on_join-005.pl files to your /root/.xchat2 directory using the following commands:
o cp _onjoin.conf /root/.xchat2/
o cp on_join-005.pl /root/.xchat2/
Demonstrating the Use of onJoin
• If XChat is running close it. Also make sure the IRC server is running on RedHat WS 4.0.
• Open XChat. At the top menu click on Window… Plugins and Scripts. You should see the onJoin plugin listed. If it isn’t listed, make sure the appropriate files are in your .xchat2 directory.
• Connect to the IRC server as you did in previous sections. • Join the #ece4112 channel.
• Start Ethereal and begin capturing packets.
• On the RedHat 7.2 virtual machine run the q8Bot.
• Watch the XChat window running on RedHat WS 4.0. Within a couple of minutes the bot should log into the channel. As soon as this happens you should see a message generated by the plugin giving the PAN command.
Screenshot of Ethereal and XChat before the bot enters.
Screenshot of XChat and Ethereal after the bot has entered.
Appendix E: IRCBotDetector
OS’s needed: RedHat WS 4.0 Windows VM
Answers include: 6 questions 2 screenshots
Goals: In Section 2 we saw how SDBot can affect Windows machines. In this section we will use IRCBotDetector to detect the presence of this bot. As IRCBotDetector is simply a Windows bash file you will first need to familiarize yourself with batch scripting.
Background: In DOS and Windows, a batch file is a text file with a series of commands intended to be executed by the command interpreter. When the batch file is run, the shell program (usually command.com or cmd.exe) reads the file and executes its commands. A batch file is analogous to a shell script in Unix-like operating systems. A working knowledge of shell scripting is essential to anyone wishing to become reasonably proficient at system administration, even if they do not anticipate ever having to actually write a script. We will not do any serious batch scripting in this lab but for those interested there are plenty of tutorials and books on bash(NUX)/batch(Windows) scripting.
http://www.faqs.org/docs/abs/HTML/ (Linux)
http://labmice.techtarget.com/scripting/default.htm (Windows)
1.1
Detecting Bots before they are connected to a Server
Open your virtual Windows OS and mount the NAS folder. Copy the IRCBot-Detector.bat file from the Lab10 folder onto your Desktop. Right click on it and choose Edit. You will see many @echo statements that echo the text that follows them to the command prompt. Find the line below:
netstat –an | find “:6667”
This line represents the detector’s first test and its purpose is to find established connections on port 6667 (a commonly used IRC port). Modify the line such that the batch script will find connections established by SDBot and save the modified file as IRCBot-Detector-Modified.bat.
Q1.1: What did you modify the line to?
Answer: port modified to a range that include 6668 or just the port 6668 Q1.2: What is the purpose of the –a and –n flags?
Q1.3: Look at Test #2. What does it do and why?
Answer: sees if port 113 is being listened on. The bot will establish a connection to the IDENTServer.
Q1.4: Look at Test #3. Its purpose is to find rundil.exe. Why? (Hint: What is rundil.exe used for?)
Answer: rundil.exe is a common name used to fake bot activity
Go to your SDBot folder and run the windows bot as you did in Section 2. DO NOT start the IRC server on the RedHat 4.0 machine just yet!
Now run the modified batch file you just created. Observe the command prompt that appears.
Q1.5 Look at the 3 tests that are being run. Did any test detect the presence of a bot on the machine? (Hint: yes, which)
Answer: Only test 2 detects the presence of the bot
Screenshot#1: Take a screenshot of the prompt displaying the test that detected it.
You just learned: that the presence of a bot can be detected even though it is not connected to an IRC server.
1.2
Detecting Bots while they are connected to a Server
On you RedHat 4.0 host machine open a terminal and start the irc server by typing once again: #usr/local/sbin/ircd –s
Once it is running disconnect as in Section 1 and type in the XChat window: /server <WS4.0 IP> 6668
Once the server logs you in, join the ece4112 channel as you did in Section 1. Since your SDBot is still running on the Windows machine you will most likely already find him in the ece4112 channel. Back on the Windows machine run the modified .bat file once again.
Q1.6 Look at the 3 tests being run. Did any test detect the presence of the bot on the machine? (Hint: yes, which)
Answer: Only test 1 detects the presence of the bot by displaying a connection established on port 6668.