1. 简介：Trojans

该视频简单讲述了Trojan的背景知识，并介绍了后续课程中如何制作Trojan、利用封装/加壳技术来使得文件/程序能够被Victim执行等。

The topics explored in the Trojans Module include:

• Whiteboard, which shows the interrelationships of all the basic components utilized in this module
• And the following simulation labs:
  • fPort Lab
  • ICMPSrv Lab
  • MD% Lab
  • netStat Lab
  • PRCView Lab
  • TCP View Lab
  • Tini Lab

2. 框架

该视频环绕Trojan，简要介绍了两个部分的内容，包括：Trojan的原理及防御方法。(We explain how a trojan is a remote administration tool (RAT) that gives the full control of the victim’s PC to the attacker. Essentially, a Trojan is malicious code hidden inside non-malicious code.)

3. fport使用

该视频简要介绍了利用fport命令来检测系统后台正在运行的执行文件及其PID及Port，以及同一进程使用多个端口的情况，通过查看当前系统开放的端口和使用情况，我们可以发现可疑进程，防止有木马程序正在悄悄危害我们的计算机。

在win7下，进行fport命令，却无法显示任何信息，查看原因是因为fport是工作在windows2000下的命令行工具，可以在windows NT/vista/XP系统中运行，不支持在win7系统上运行，所以将fport放置到XP系统的根目录下进行。

fPort is a run command that maps each process ID on the network.  fPort goes beyond what information is displayed in the Task Manager.  fPort also sorts its output by protocol and lists the process name, port, as well as the location/path on the network.

From this Trojan lab, you’ll learn how to determine if the process is active, what it affects and/or if it’s connected to and other important real-time information.

Windows版本：fport2.0

4. ICMPsrv使用

该视频介绍了如何在客户端和服务端安装icmpsend和icmpsrv、执行及注销服务等命令来进行ping data的交互。

ICMP is a tunnel command application with both client (icmpsend) and server (icmpsrv) level options for obtaining client and server usage info.

ICMP’s sole purpose is to validate the traffic link between those targeted nodes on the network.

 1 需要采用客户端和服务端的合作。
 2 例如：
 3    服务端(Victim)采用Windows Server系列，安装icmpsrv
 4     > icmpsrv -install
 5     > netstat -a
 6
 7    客户端安装icmpsend
 8     > icmpsend [victim IP]
 9     >> dir
10     >> ipconfig
11     >> ...
12
13    在客户端打开Wireshark监听icmp(ping data)

5. MD5使用

该视频介绍了如何利用md5sum/md5deep/tigerdeep等工具来识别文件的唯一标识的。

MD5 is a run line command used to identify the message digest of a file.  This information verifies that the integrity of a file “has or has not” been changed which is critically important to learning the behavior of Trojans and how to combat them.

1 KALI和Windows版本
2
3   标示一个文件的唯一标识。
4
5   KALI中有同样功能的工具很多，例如md5deep
6     # md5deep -r [dir]  // 列出在dir路径下所有文件的md5值
7     # tigerdeep -r [dir]  // 列出在dir路径下所有文件的tiger hash

6. netstat工具

该视频介绍了如何使用windows下的netstat命令来显示TCP/IP协议的连接状态。

netStat is a run line command that displays protocol stats and the current TCP/IP connections.  Each version of netStat is syntax specific, so this Trojan lab demonstrates some of those syntax variations from one version of netStat to another.

1 Windows下
2   > netstat /?
3   > netstat -ano
4
5 Kali下
6   # netstat -help
7
8 在WindowsXP,WindowsServer及Linux等等系统下netstat的命令参数选项有些是不同的，请留意。

7. PrcView使用

Need to recon a Trojan? This lab shows you how, with PrcView. PrcView is a process-focused forensic analysis and Trojan reconnaissance tool.

缺点：无法显示PORT。

PrcView is a process-focused forensic analysis and Trojan reconnaissance tool.  Its output displays process by name, ID, priority and path/location, key information you’ll need in conducting Trojan reconnaissance.

Windows版本： Process Viewer

8. TcpView使用

For this Trojan simulation lab, you'll learn how to use the Tcp View utility. The TcpView utility displays “EACH” process, and it does so sorted by protocol.

能够实时显示后台exe执行状态并并对其操作与监控。

The TcpView utility displays “EACH” process, and it does so sorted by protocol.  More importantly, TCPView provides the local and remote port address, and the status “IN REAL TIME” of each process. Real time status of system process offer a great advantage to determining how quickly your response time must be in identifying and locating Trojans.

Windows版本：TCPView

9. Tini使用

The final lab in the Trojan simulation series is Tini. In this lab you’ll learn the basics of how a Trojan works and how Trojans operates.

该视频简单介绍了如果在成功运行backdoor之后，通过telnet连接remote的小实验。

Tini is the most significant of the all the lab lessons covered in the Trojans module.  In this lab you’ll learn the basics of how a Trojan works and how Trojans operates.

Tini is a telnet utility that gives you access to the system if you can get the user to launch it.

1 Windows下
2
3   > netstat -a
4   > trojan.exe
5   > netstat -a
6   > telnet [remote IP] [PORT]
7   get shell

Windows版本：telnet