ceh v5 module 05 system hacking.pdf
TRANSCRIPT
8/9/2019 CEH v5 Module 05 System Hacking.pdf
Module V: System Hacking
Ethical Hacking, Version 5
EC-CouncilCopyright byEC-Council
All Rights reserved. Reproduction is strictly prohibited
Security News
Source courtesy: http://news.com.com/Notre+Dame+probes+hack+of+computer+system/2100-1029_3-6030229.html
Module Objective
This module will familiarize you with the following:
Password cracking
Password attacks
Identifying various password cracking tools
Formulating countermeasures for password cracking
Escalating privileges
Executing applications
Keyloggers and spyware
Spyware and keylogger countermeasures
Hiding files
Understanding rootkits
The use of steganography
Covering tracks
Module Flow
Password Cracking
Password Cracking Tools
Password Cracking Countermeasures
Password Attacks
Keyloggers and Spyware
Escalating Privileges
Executing Applications
Hiding Files
Covering Tracks
Steganography
Countermeasures
Rootkits
System Hacking: Part I
Cracking Passwords
CEH Hacking Cycle
Enumeration
Cracking passwords
Escalating privileges
Executing applications
Hiding files
Covering tracks
Password Types
Passwords that contain only letters: HIJKLMNO
Passwords that contain only numbers: 758904
Passwords that contain only special characters: $@$!()
Passwords that contain letters and numbers: ax1500g
Passwords that contain only letters and special characters: m@roon$
Passwords that contain only special characters and numbers: @$47$
Passwords that contain letters, special characters, and numbers: E1n@8$
CHC: Cracking passwords
Types of Password Attacks
Four types of password attacks:
  Passive online attacks
  Active online attacks
  Offline attacks
  Non-electronic attacks
Passive Online Attack: Wire Sniffing
Access and record raw network traffic
Wait until an authentication sequence is captured
Brute force the captured credentials offline
Considerations:
  Relatively hard to perpetrate (requires a position on the network path)
  Usually extremely computationally complex
  Tools widely available
Passive Online Attack: Man-in-the-Middle and Replay Attacks
Somehow get access to the communications channel
Wait until an authentication sequence
Proxy the authentication traffic
No need to brute force
Considerations:
  Relatively hard to perpetrate
  Must be trusted by one or both sides
  Some tools widely available
  Can sometimes be broken by invalidating traffic
Active Online Attack: Password Guessing
Try different passwords until one works
Succeeds with:
  Bad passwords
  Open authentication points
Considerations:
  Should take a long time
  Requires huge amounts of network bandwidth
  Easily detected
Core problem: bad passwords
Offline Attacks
The attacker has the password database (the stored hashes)
Password representations must therefore be cryptographically secure
Considerations:
  Time consuming
  LM hashes are much more vulnerable due to their smaller key space and shorter effective length
  Moore's law: cracking hardware gets cheaper every year
  Web-based cracking services available
  Distributed password cracking techniques available
Mitigations:
  Use good passwords
  Remove LM hashes
Offline Attacks
Dictionary Attack
  Try different passwords from a list
  Succeeds only with poor passwords
  Considerations: Very fast
  Core problem: bad passwords
Hybrid Attack
  Start with a dictionary
  Insert entropy:
    Append a symbol
    Append a number
  Considerations: Relatively fast
  Succeeds when entropy is poorly used
Offline Attack: Brute-force Attack
Try all possible passwords:
  More commonly, try a subset thereof
  Usually implemented with progressive complexity
  Typically, the LM hash is attacked first
Considerations:
  Very slow
  All passwords will eventually be found
  Attack against the NT hash is MUCH harder than against the LM hash
Offline Attack: Pre-Computed Hashes
Generate all possible hashes in advance
Compare to database values
Storing every hash requires huge storage:
  LM hashes: 310 terabytes
  NT hashes < 15 chars: 5,652,897,009 exabytes
Solution: use a time-space tradeoff (rainbow tables)
Non-Technical Attacks
Shoulder surfing
  Watching someone type his/her password
  Common and successful
  Mouthing the password while typing
Keyboard sniffing
  Hardware keyloggers are cheap and hard to detect
  Software keyloggers are cheap and hard to detect
  Both can be controlled remotely
Social engineering
  Discussed in Module 9
Password Mitigation
Use the following in place of passwords:
Smart cards
  Two-factor authentication
  Difficult to thwart
  High cost of initial deployment
Biometrics
  Two- or three-factor authentication
  Usually defeated with non-technical attacks
  Very expensive
  Prone to failures
Permanent Account Lockout
The slide shows a mock "Termination Notice" form (employee name and ID, manager name and ID, department, SSN, address, termination reason, termination effective date, and Yes/No boxes for "Severance Package" and "Benefits Continuation"). The termination reasons it lists are all forms of employee privilege abuse:
  Refusal to abide by security policy
  Sending unsolicited e-mail
  Allowing kids to use a company computer to do homework
  Disabling the virus scanner
  Running P2P file sharing
  Unauthorized file/web serving
  Annoying the sysadmin
  Opening unsolicited e-mail
  Sending spam
  Emanating viruses
  Port scanning
  Attempted unauthorized access
  Surfing porn
  Installing shareware
  Possession of hacking tools
Administrator Password Guessing
Assuming that the NetBIOS session port (TCP 139) is open, the most effective method of breaking into Windows 2000/2003 is password guessing
Attempt to connect to an enumerated share (IPC$ or C$) and try user name/password combinations
The default ADMIN$, C$, and %systemdrive% shares are good starting points
Manual Password Cracking Algorithm
Find a valid user
Create a list of possible passwords
Rank the passwords from high probability to low
Key in each password
If the system lets you in, success; otherwise try again
The slide illustrates the manual attacker working through the candidate list (user/password): peter/34dre45, Jacob/nukk, Ujohn/dfdfg, Rudy/98#rt
Automatic Password Cracking Algorithm
1. Find a valid user
2. Find the encryption (hashing) algorithm used
3. Obtain the encrypted (hashed) passwords
4. Create a list of possible passwords
5. Encrypt (hash) each word
6. See if there is a match for each user ID
7. Repeat steps 1 through 6
The slide illustrates a dictionary attack against the system's candidate list (peter/34dre45, Jacob/nukk, Ujohn/dfdfg, Rudy/98#rt) at an attack speed of 300 words/sec
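The offline dictionary and hybrid attacks described on the earlier slides, and steps 2 through 6 of the automatic algorithm above, as an added Python example that is not part of the original slides. It targets the NT hash (MD4 over the UTF-16LE password), with MD4 written out in pure Python so the example does not depend on OpenSSL still shipping that legacy algorithm. Each candidate is hashed once and matched against every user's hash. The user names, word list and two of the three hashes are constructed for the example; the only real-world value embedded is the well-known NT hash of "password".

```python
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(fn, st, X, order, shifts, const):
    # One MD4 round: 16 steps that rewrite a, d, c, b in turn (indices 0, 3, 2, 1)
    # using the other three state words, in order, as inputs to fn.
    for i, k in enumerate(order):
        u = (-i) % 4
        x, y, z = st[(u + 1) % 4], st[(u + 2) % 4], st[(u + 3) % 4]
        st[u] = _lrot((st[u] + fn(x, y, z) + X[k] + const) & MASK, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's MD4 is an OpenSSL legacy
    algorithm and is absent on many current systems)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        st = [A, B, C, D]
        _md4_round(F, st, X, range(16), (3, 7, 11, 19), 0)
        _md4_round(G, st, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(H, st, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                   (3, 9, 11, 15), 0x6ED9EBA1)
        A, B, C, D = [(v + w) & MASK for v, w in zip((A, B, C, D), st)]
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT ("Unicode") hash: MD4 of the UTF-16LE password. Unsalted, case preserved."""
    return md4(password.encode("utf-16-le")).hex()


def candidates(word: str):
    """Dictionary word plus the hybrid mutations the slides describe:
    case variants, then an appended digit or symbol."""
    for base in dict.fromkeys((word, word.capitalize(), word.upper())):
        yield base
        for suffix in "0123456789!@#$%":
            yield base + suffix


def crack(hashes: dict, wordlist) -> dict:
    """hashes: {user: nt_hash_hex}. Every candidate is hashed once and checked
    against all users (steps 5 and 6); returns {user: password} for the hits."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            for user in by_hash.get(nt_hash(cand), ()):
                found.setdefault(user, cand)
        if len(found) == len(hashes):
            break
    return found


# Constructed sample: peter's entry is the published NT hash of "password";
# the other two are computed here from made-up passwords.
SAMPLE_HASHES = {
    "peter": "8846f7eaee8fb117ad06bdd830b7586c",
    "jacob": nt_hash("Welcome1"),
    "rudy": nt_hash("Tr0ub4dor&3"),   # not reachable from the word list: stays uncracked
}
WORDLIST = ["letmein", "password", "welcome", "summer"]

if __name__ == "__main__":
    print(crack(SAMPLE_HASHES, WORDLIST))   # {'peter': 'password', 'jacob': 'Welcome1'}
```

Because the NT hash is unsalted, one hash computation per candidate serves every account in the dump at once; this is why a dictionary attack scales with the word list rather than with the number of users.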
Performing Automated Password Guessing
Performing automated password guessing is easy: a simple loop using the NT/2000 shell FOR command, based on the standard NET USE syntax
1. Create a simple user name and password file, one "password username" pair per line
2. Pipe this file into the FOR command:
C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
%i takes the first token on each line (the password) and %j the second (the user name); note the /u: switch takes the user name with no space after the colon
Tool: NAT
The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system
It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client
If a NetBIOS session can be established at all via TCP port 139, the target is declared vulnerable
Once the session is fully set up, transactions are performed to collect more information about the server, including any file system shares it offers
NAT Screenshot
Smbbf (SMB Passive Brute Force Tool)
The SMB Auditing Tool is a password auditing tool for the Windows and SMB platforms
It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremely fast when guessing passwords on these platforms
When running a large password file against Windows 2000/XP, it shows statistics of up to 1,200 logins/sec
This means that you could run a commonly used English dictionary with 53,000 words against a server in under a minute
Smbbf Tool
SmbCrack Tool
Tool: Legion
Legion automates password guessing in NetBIOS sessions. Legion will scan multiple Class C IP address ranges for Windows shares and also offers a manual dictionary attack tool
Hacking Tool: L0phtCrack
LC4 is a password auditing and recovery package distributed by @stake software. Its SMB packet capture listens on the local network segment and captures individual login sessions (the challenge/response pairs), which it then cracks offline
Microsoft Authentication
NTLM (NT LAN Manager) is a challenge/response form of authentication; it was the default network authentication protocol in Windows NT 4.0
Beginning with Windows 2000, Microsoft upgraded its default domain authentication protocol to Kerberos, a considerably more secure option than NTLM; NTLM remains available for backward compatibility
LM, NTLMv1, and NTLMv2
Attribute                  LM                         NTLMv1                     NTLMv2
Password case sensitive    No                         Yes                        Yes
Hash key length            56 bit + 56 bit            -                          -
Password hash algorithm    DES (ECB mode)             MD4                        MD4
Hash value length          64 bit + 64 bit            128 bit                    128 bit
C/R key length             56 bit + 56 bit + 16 bit   56 bit + 56 bit + 16 bit   128 bit
C/R algorithm              DES (ECB mode)             DES (ECB mode)             HMAC-MD5
C/R value length           64 bit + 64 bit + 64 bit   64 bit + 64 bit + 64 bit   128 bit
(C/R = challenge/response)
NTLM and LM Authentication on the Wire
Client -> Server: Authentication request
Server -> Client: Server challenge (nonce)
Client -> Server: LM response = DES(LM hash, nonce)
Client -> Server: NTLM response = DES(NT hash, nonce), the NT hash being the MD4 "Unicode" hash of the password
Server -> Client: Authentication result
Kerberos Authentication
What is LAN Manager Hash?
Example: let's say that the password is: 123456qwerty
When this password is hashed with the LM algorithm, it is first converted to all uppercase: 123456QWERTY
The password is padded with null characters to make it 14 characters in length: 123456QWERTY__
Before encryption, the 14-character string is split in half: 123456Q and WERTY__
Each half is used as a DES key to encrypt a fixed constant, and the results are concatenated:
123456Q = 6BF11E04AFAB197F
WERTY__ = F1E9FFDCC75575B15
The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15
Note: the first half of the hash covers alphanumeric characters and takes about 24 hours for L0phtCrack to crack, while the second half (only five characters plus padding) takes 60 seconds. LM hashes are not salted, so identical passwords always produce identical hashes
LM Hash Generation
Padded with NULL to 14 characters
Converted to uppercase
Separated into two 7-character strings
Each 7-character string is used as a DES key to encrypt a constant
The two 8-byte results are concatenated to form the LM hash
Example from the slide: cehman1 is uppercased to CEHMAN1 and padded, so the first 7-character half is CEHMAN1 and the second half is entirely padding
LM Hash
The first 8 bytes are derived from the first 7 characters of the password and the second 8 bytes are derived from characters 8 through 14 of the password
If the password is 7 characters or fewer, the second half will always be 0xAAD3B435B51404EE (the constant encrypted under an all-NUL key), which immediately reveals the password's length class
Let's assume, for this example, that the user's password has an LM hash of 0xC23413A8A1E7665FAAD3B435B51404EE
LC4 will crack the password as "WELCOME"
Layout of the stored hashes: the 16-byte LM hash consists of the 1st 8 bytes (from the first 7 chars) and the 2nd 8 bytes (from the second 7 chars); the 16-byte NT hash (MD4) is stored alongside it
Salting
The salting technique prevents deriving passwords from the password file by simple lookup
The stored representation differs for every user, even when the passwords are the same
Side effect: defeats pre-computed hash attacks
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Cecil:root:209be1:a483b303c23af34761de02be038fde08
Two of these users have the same password, yet their stored hashes differ because each entry carries a different salt (the third field)
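The pre-computed hash attack from the earlier slide and the salting defence above, as an added Python example that is not part of the original slides. SHA-256 from the standard library stands in for the unsalted LM/NT hash so the example runs offline; the word list and the user records are constructed here. It builds the attacker's table once, shows a single lookup recovering a password from an unsalted store, and shows the same table failing against a salted record whose salt (as in the slide's third field) is stored in the clear.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "welcome", "qwerty"]


def unsalted(password: str) -> str:
    # Unsalted storage (LM/NT style): one deterministic digest per password.
    # SHA-256 is a stand-in so the example needs only the standard library.
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password: str, salt: bytes) -> str:
    # Per-user random salt mixed into the input; the salt itself is not secret.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(user: str, password: str) -> str:
    """Produce a 'user:salt:digest' line in the spirit of the slide's examples."""
    salt = os.urandom(8)
    return f"{user}:{salt.hex()}:{salted(password, salt)}"


def parse_record(line: str):
    user, salt_hex, digest = line.split(":")
    return user, bytes.fromhex(salt_hex), digest


def verify(line: str, password: str) -> bool:
    """Legitimate check: recompute with the stored salt, compare in constant time."""
    _, salt, digest = parse_record(line)
    return hmac.compare_digest(salted(password, salt), digest)


def build_table(wordlist) -> dict:
    """'Pre-computed hashes': hash the whole dictionary once, ahead of time."""
    return {unsalted(w): w for w in wordlist}


def lookup_unsalted(table: dict, stored_digest: str):
    # Against an unsalted store the attack is a single dictionary lookup.
    return table.get(stored_digest)


def lookup_salted(table: dict, line: str):
    # The table was built without the per-user salt, so it never matches;
    # the attacker would have to rebuild it for every salt, i.e. for every user.
    return table.get(parse_record(line)[2])


def digests_differ(user_a: str, user_b: str, password: str) -> bool:
    """Same password for two users: the salted digests differ, unsalted ones would not."""
    first = parse_record(make_record(user_a, password))[2]
    second = parse_record(make_record(user_b, password))[2]
    return first != second
```

A production password store additionally uses a deliberately slow, memory-hard function (PBKDF2, bcrypt, scrypt or Argon2) rather than a plain hash; the salt defeats pre-computation, the work factor slows the per-user dictionary attack that remains.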
PWdump2 and Pwdump3
pwdump2 dumps the LM and NT password hashes from the local SAM (or Active Directory) database by injecting a DLL into the LSASS process, which also bypasses SYSKEY encryption; it requires local administrative privileges and performs no cracking itself. The dumped hashes are fed to a cracker such as L0phtCrack or John the Ripper
pwdump3 is a Windows NT/2000 remote password hash grabber. Use of this program requires administrative privileges on the remote system
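A triage pass over pwdump-format output, as an added Python example that is not part of the original slides. It parses the user:RID:LM hash:NT hash::: format and applies the LM-hash facts from the preceding slides before any cracking starts: the fixed "empty" LM hash means no LM hash is stored, an empty second half means the password is 7 characters or fewer, the empty NT hash means a blank password, and because neither hash is salted, two accounts with the same NT hash share a password. The dump is constructed for the example: the Administrator LM hash is the slide's "WELCOME" value, jacob's LM hash and the 8846... NT hash are the published hashes of "password", and the remaining NT hash is made up.

```python
from collections import defaultdict

# Fixed values that reveal password properties without any cracking.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_LM_HALF = EMPTY_LM[:16]                    # DES of the constant under an all-NUL key
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty UTF-16LE string

# Constructed pwdump-style dump (user:RID:LM hash:NT hash:::), see the lead-in.
SAMPLE_DUMP = """\
Administrator:500:c23413a8a1e7665faad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
peter:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jacob:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_pwdump(text: str) -> list:
    """Parse pwdump-format lines into dicts; hex is normalised to lower case."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length for {user}")
        accounts.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return accounts


def triage(accounts: list) -> dict:
    """Return {user: [findings]} derived purely from hash structure."""
    findings = {a["user"]: [] for a in accounts}
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings[a["user"]].append("blank password")
        elif a["lm"] == EMPTY_LM:
            findings[a["user"]].append("no LM hash (NoLMHash policy or 15+ chars)")
        else:
            findings[a["user"]].append("LM hash stored: crack this one first")
            if a["lm"][16:] == EMPTY_LM_HALF:
                findings[a["user"]].append("password is 7 chars or fewer")
        by_nt[a["nt"]].append(a["user"])
    # NT hashes are unsalted: equal hashes mean equal passwords.
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("same password as " + others)
    return findings


def triage_dump(text: str) -> dict:
    return triage(parse_pwdump(text))
```

Running triage_dump(SAMPLE_DUMP) flags Guest as blank, Administrator as having a 7-or-fewer character password with an LM hash to attack first, jacob as LM-exposed, and peter and jacob as sharing a password, which means cracking jacob's weak LM hash also yields peter's password.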
Tool: Rainbowcrack
A hash cracker that pre-computes plaintext-hash pairs in advance and stores them in a file called a rainbow table; cracking is then a table lookup (the time-space tradeoff)
Hacking Tool: KerbCrack
KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute-force attack or a dictionary attack
Hacking Tool: NBTDeputy
NBTDeputy registers a NetBIOS computer name on the network and responds to NetBT name-query requests
It helps to resolve an IP address from the NetBIOS computer name, which is similar to Proxy ARP
This tool works well with SMBRelay
For example, SMBRelay runs on a computer as ANONYMOUS-ONE and the IP address is 192.168.1.25. NBTDeputy is also run on 192.168.1.25. Then, SMBRelay may connect to any XP or .NET (Windows Server 2003) server when the logged-on users access "My Network Places"
NetBIOS DoS Attack
Sending a NetBIOS Name Release message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict so that the system will no longer be able to use it
This will block the client from participating in the NetBIOS network
Tool: nbname.cpp
NBName can disable entire LANs and prevent machines from rejoining them
Nodes on a NetBIOS network attacked by the tool will think that their names are already being used by other machines
NetBIOS DoS Attack (nbname)
Nbname will inject Duplicate Computer Name packets onto the wire
Hacking Tool: John the Ripper
It is a command-line tool designed to crack both Unix and NT passwords
When cracking LM hashes, the resulting passwords are case insensitive (LM uppercases everything before hashing) and may not represent the real mixed-case password; the exact case can then be recovered quickly against the NT hash
Password Sniffing
Password guessing is a tough task
Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?
If an attacker is able to eavesdrop on NT/2000 logins, then this approach can spare a lot of random guesswork
How to Sniff SMB Credentials?
Run windump (the Windows tcpdump equivalent) with this command:
windump -nes 0 -w C:\cehfile tcp[28]=0x72 or tcp[28]=0x73 or tcp[40]=0x72 or tcp[40]=0x73
The filter matches the SMB command byte for Negotiate (0x72), whose response carries the server challenge, and Session Setup AndX (0x73), which carries the LM/NTLM responses; the byte sits at TCP offset 28 for a header without options and at 40 with a 12-byte options field. -s 0 captures full packets and -w writes them to the file for offline cracking
Sniffing Hashes Using L0phtCrack
Tool: ScoopLM
This tool captures LM/NTLM authentication exchanges on the network
Supports microsoft-ds, Active Directory, NTLMv2 on NetBIOS over TCP/IP, Telnet, IIS (HTTP), and DCOM over TCP/IP
SMBRelay Man in the Middle
Scenario (addresses from the slide):
  Victim client: 192.168.234.220
  Attacker: 192.168.234.50
  Man-in-the-middle (fraudulent server): 192.168.234.251
  Relay address: 192.168.234.252
  Victim server (holds HR data): 192.168.234.34
The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 with /T:
c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34
When a victim client connects to the fraudulent server thinking it is talking to the target, the MITM server intercepts the call, captures the challenge/response pair (the password hash material), and passes the authenticated connection on to the target server
Redirecting SMB Logon to the Attacker
Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication against a server of the attacker's choice
The basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server
When the hyperlink is clicked, the user unwittingly sends his credentials over the network
In the slide's illustration, John's hash (dfsd7Ecvkxjcx77868cx6vxcv, an illustrative value) is transmitted over the network, and the attacker cracks the captured hashes using L0phtCrack
SMB Replay Attacks
Trick the client computer into requesting a connection
Request a connection to the client computer and collect its challenge
Return the client computer's challenge as your own challenge
Wait for the response from the client computer
Return that response as your own response
The best way of fighting the SMB replay attack is by enabling SMB signing in the security policy
SMB Replay Attacks
The exchange between the victim client and the attacker, as illustrated on the slide:
1. Client: "Hey, I want to connect."
2. Attacker: "What a coincidence, so do I."
3. Client: "OK, here is a challenge."
4. Attacker: "Thanks! Here's your challenge, right back at you."
5. Client: "All right, here's my response to your (my) challenge."
6. Attacker: "That's so nice, here's your response back to you."
Replay Attack Tool: SMBProxy
A pass-the-hash tool that works as a proxy
You can authenticate to a Windows NT4/2000 server by knowing only the MD4 (NT) hash; the hash is used directly in the challenge/response and never needs to be cracked
You can mount shares and access the registry and anything a particular user can do with his privileges
It does not work with SYSKEY-enabled systems
Hacking Tool: SMBDie
The SMBDie tool crashes computers running Windows 2000/XP/NT by sending specially crafted SMB requests
This is an outdated hack, presented as a proof of concept
SMB Signing
Server Message Block (SMB) signing helps prevent man-in-the-middle attacks, such as relaying or replaying the SMB authentication exchange captured from remote user logins
SMB signing embeds a digital signature (a MAC keyed with the session key) in each packet and requires verification by both the server and the client, so a session that was relayed or tampered with fails verification
Note that signing does not encrypt the traffic; an eavesdropper can still capture the challenge/response pairs and crack them offline
You can enable SMB signing using Local Security Policy
Password Cracking Countermeasures
Enforce 8-12 character alphanumeric passwords (passwords of 15 or more characters also stop Windows from storing an LM hash)
Set the password change policy to 30 days
Physically isolate and protect the server
Use the SYSKEY utility to encrypt the hashes stored on disk
Monitor the server logs for brute force attacks on user accounts
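The last countermeasure, monitoring the logs for brute force attempts, as an added Python example that is not part of the original slides. It runs sliding-window detection over a constructed, simplified log (one line per logon event, 4625 = failure and 4624 = success as in the Windows Security log; the line format is invented for the example) and raises two kinds of alert: one source hammering one account, and one source spraying a few guesses across many accounts, which per-account lockout thresholds alone do not catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simplified "EventID=4625" (failure) / "EventID=4624"
# (success) form; not real Security log output.
SAMPLE_LOG = """\
2019-08-09T10:00:01 EventID=4625 TargetUser=peter SourceIP=10.0.0.5
2019-08-09T10:00:03 EventID=4625 TargetUser=peter SourceIP=10.0.0.5
2019-08-09T10:00:05 EventID=4625 TargetUser=peter SourceIP=10.0.0.5
2019-08-09T10:00:06 EventID=4625 TargetUser=jacob SourceIP=10.0.0.9
2019-08-09T10:00:08 EventID=4625 TargetUser=peter SourceIP=10.0.0.5
2019-08-09T10:00:10 EventID=4625 TargetUser=rudy SourceIP=10.0.0.9
2019-08-09T10:00:11 EventID=4625 TargetUser=peter SourceIP=10.0.0.5
2019-08-09T10:00:12 EventID=4625 TargetUser=ujohn SourceIP=10.0.0.9
2019-08-09T10:00:20 EventID=4625 TargetUser=rudy SourceIP=10.0.0.7
2019-08-09T10:00:25 EventID=4624 TargetUser=rudy SourceIP=10.0.0.7
2019-08-09T10:30:00 EventID=4625 TargetUser=peter SourceIP=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+TargetUser=(?P<user>\S+)\s+SourceIP=(?P<ip>\S+)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, event_id, user, ip) tuples sorted by time; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]), m["user"], m["ip"]))
    return sorted(events)


def detect(events: list, window=timedelta(seconds=60), max_failures=5, max_accounts=3) -> set:
    """Sliding-window counts over failed logons (4625).
    brute-force:    one source fails against one account max_failures times within window.
    password-spray: one source fails against max_accounts distinct accounts within window."""
    per_pair = defaultdict(deque)   # (ip, user) -> failure timestamps in the window
    per_ip = defaultdict(deque)     # ip -> (timestamp, user) failures in the window
    alerts = set()
    for ts, eid, user, ip in events:
        if eid != 4625:
            continue
        q = per_pair[(ip, user)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            alerts.add(("brute-force", ip, user))
        s = per_ip[ip]
        s.append((ts, user))
        while ts - s[0][0] > window:
            s.popleft()
        if len({u for _, u in s}) >= max_accounts:
            alerts.add(("password-spray", ip, None))
    return alerts


def alerts_for(text: str) -> set:
    return detect(parse_log(text))
```

On the sample, 10.0.0.5 trips the brute-force rule against peter within ten seconds, 10.0.0.9 trips the spray rule with one guess each against three accounts, and the single failure followed by a success from 10.0.0.7 (a user mistyping once) raises nothing.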
Do Not Store LAN Manager Hash in SAM Database
Instead of storing your user account password in cleartext, Windows generates and stores user account passwords by using two different password "hashes"
When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password
These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory
The LM hash is relatively weak compared to the NT hash, and so it is prone to fast brute-force attack. Therefore, you may want to prevent Windows from storing an LM hash of your password
LM Hash Backward Compatibility
Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect from computers that are running earlier versions of Windows
Windows 95/98 clients do not use Kerberos for authentication
For backward compatibility, Windows 2000 and Windows Server 2003 support:
  LAN Manager (LM) authentication
  Windows NT (NTLM) authentication
  NTLM version 2 (NTLMv2) authentication
NTLM, NTLMv2, and Kerberos all use the NT hash, also known as the Unicode hash
The LM authentication protocol uses the LM hash
It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes
How to Disable LM HASH?
Method 1: Implement the NoLMHash Policy by Using Group Policy
Enable "Network security: Do not store LAN Manager hash value on next password change" under Local Security Policy > Security Options (the setting must be enabled, not disabled, to stop LM hash storage)
Method 2: Implement the NoLMHash Policy by Editing the Registry
Locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
On Windows 2000, add a subkey named NoLMHash; on Windows XP and Windows Server 2003, add a DWORD value named NoLMHash and set it to 1
Method 3: Use a Password that is at least 15 Characters Long
For such passwords Windows stores only the fixed "empty" LM hash value (AAD3B435B51404EEAAD3B435B51404EE), which cannot be used to authenticate the user
Note: none of these methods removes LM hashes that are already stored; each takes effect when the user next changes the password
Password Brute Force Estimate Tool
Syskey Utility
The key used to encrypt the password hashes is randomly generated by the SYSKEY utility
Encrypting the SAM prevents straightforward offline compromise of the hashes by someone who copies the file
SYSKEY uses a 128-bit key to encrypt the password hashes stored in the SAM
The SYSKEY key must be present (stored locally, on a floppy, or entered as a startup password) for the system to boot
System Hacking: Part II
Escalating Privileges
CEH Hacking Cycle
Enumeration
Cracking passwords
Escalating privileges
Executing applications
Hiding files
Covering tracks
Privilege Escalation
If an attacker gains access to the network using a non-admin user account, the next step is to gain higher privileges, typically those of an administrator. This is called privilege escalation
Illustration: the attacker, with access to the network as John, thinks "I can access the network using John's user account, but I need Admin privileges"
Cracking NT/2000 Passwords
The SAM file in Windows NT/2000 contains the user names and hashed passwords. The SAM file is located in the %systemroot%\system32\config directory
The file is locked while the OS is running
Booting to an alternate OS
  NTFSDOS (www.sysinternals.com) will mount any NTFS partition as a logical drive
Backup SAM from the Repair directory
  Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using: c:\> expand sam._ sam
Extract the hashes from the SAM
Use L0phtCrack to crack the hashes
Active@ Password Changer
Active@ Password Changer is a DOS-based solution designed for resetting local administrator and user passwords on Windows XP / 2003 / 2000 / NT systems
Boot the target computer using an Active@ formatted floppy/CD-ROM and change the password located in the SAM file
Other Windows login security restrictions like 'Account is disabled', 'Password never expires', 'Account is locked out', 'User Must Change Password at Next Logon' and 'Logon Hours' can be changed or reset
With Active@ Password Changer you can log in as a particular user with a blank password
Change Recovery Console Password
Method 2
1. Shut down the domain controller on which you want to change the password
2. Restart the computer; the selection menu screen is displayed during the restart process. Press F8 to view advanced startup options
3. Select the Directory Services Restore Mode option
4. After you successfully log on, use one of the following methods to change the local Administrator password:
   At a command prompt, type the following command: net user administrator *
   (or) Use the Local Users and Groups snap-in (lusrmgr.msc) to change the Administrator password
5. Shut down and restart the computer
Privilege Escalation Tool: x.exe
This tool, when executed on
remote systems, creates a
user called X with apassword of X and adds
the user to the
administrators group
CHC: Escalating privileges
-
System Hacking:
Part III
Executing Applications
-
CEH Hacking Cycle
Enumeration
Cracking passwords
Escalating privileges
Executing applications
Hiding files
Covering tracks
-
Tool: psexec
CHC: Executing applications
Lets you execute processes on other systems remotely
Launches interactive command prompts on remote systems
-
Tool: remoexec
Executes applications remotely
You should know the following to run the application: the IP address, the account name, and the password
CHC: Executing applications
-
Tool: Alchemy Remote Executor
Alchemy Remote Executor is a system management tool that allows Network Administrators to execute programs on remote network computers
Programs execute on multiple remote computers simultaneously
-
Keystroke Loggers
If all other attempts to sniff out domain privileges fail, then a keystroke logger is the solution
Keystroke loggers are stealth software packages that are placed between keyboard hardware and the operating system, so that they can record every keystroke
There are two types of keystroke loggers:
1. Software-based
2. Hardware-based
CHC: Executing applications
-
E-mail Keylogger
This keylogger captures keystrokes and sends them to an e-mail account
-
Spytector FTP Keylogger
Totally invisible and undetectable
FTP and Email log delivery
Remotely deployable
Option to include Protected Storage passwords in the log
Option to include URL history in the log
The logs can be received either when they have reached a minimum size or at specified day intervals
The keylogger server works even on a Guest account (2k, XP, and 2003)
Both small and large icons of the server can be changed
http://www.spytector.com
-
IKS Software Keylogger
http://www.amecisco.com/downloads.htm
It is a desktop activity logger that is powered by a kernel mode driver. This driver enables it to run silently at the lowest level of Windows 2000/XP operating systems
CHC: Executing applications
-
Ghost Keylogger
Picture Source: http://www.shareup.com/Ghost_Keylogger-screenshot-1672.html
http://www.keylogger.net/
It is a stealth keylogger and invisible surveillance tool that records every keystroke to an encrypted log file. The log file can be sent secretly with email to a specified address
CHC: Executing applications
-
Hacking Tool: Hardware Keylogger
The Hardware Keylogger is a tiny hardware device that can be attached in between a keyboard and a computer
It keeps a record of all keystrokes typed on the keyboard. The recording process is transparent to the end user
There are two types of hardware keyloggers:
PS/2 keyloggers
USB keyloggers
CHC: Executing applications
-
Hardware Keylogger: Output
CHC: Executing applications
-
Keyboard Keylogger: KeyGhost Security Keyboard
Records all the keystrokes
The Security Keyboard functions cannot be bypassed even if the user boots from a disc
It can record up to 2,000,000 keystrokes
A non-volatile flash memory store placed in the keyboard stores all the keystrokes
The keylogger records the keystrokes that are used to modify the BIOS
Source Courtesy: http://www.keyghost.com/securekb.htm
-
USB Keylogger: KeyGhost USB Keylogger
It works by recording USB traffic in the hardware
Keystrokes are recorded to KeyGhost's internal flash memory chip
It can record up to 2,000,000 keystrokes
Source Courtesy: http://www.keyghost.com/USB-Keylogger.htm
-
What is Spyware?
Spyware is a program that records computer activities on a machine
Records keystrokes
Records email messages
Records IM chat sessions
Records websites visited
Records applications opened
Captures screenshots
CHC: Executing applications
-
Spyware: Spector
Spector is spyware that records everything that one does on the Internet
Spector automatically takes hundreds of snapshots every hour, like a surveillance camera
Spector works by taking a snapshot of whatever is on the computer screen and saves it away in a hidden location on the system's hard drive
CHC: Executing applications
-
Remote Spy
http://www.covert-spy.com
-
Hacking Tool: eBlaster
It shows what the surveillance target surfs on the Internet and records all emails, chats, instant messages, websites visited, and keystrokes typed, and then automatically sends this recorded information to the desired email address
CHC: Executing applications
-
Stealth Voice Recorder
CHC: Executing applications
-
Stealth Keylogger
Keystrokes recording
Websites visited
Chat and instant message monitoring
Recording applications executed
File monitoring
Screenshot monitoring
Printer monitoring
Clipboard monitoring
CHC: Executing applications
-
Stealth Website Logger
Designed to monitor and record all websites that a user or computer visits
Offers detailed reports on all accessed websites from a single computer or from the entire network
Displays reports in web format or secretly sends them to a specified email address
All recorded information is stored in a secret encrypted file
CHC: Executing applications
-
Digi-Watcher Video Surveillance
Watcher turns a PC with webcam into an inexpensive and complete security and video surveillance system
Standalone, Watcher does motion detection, video logging, email or FTP alert, broadcasting, and more
It can operate in stealth mode
-
Desktop Spy Screen Capture Program
Captures desktop/active application screenshots and saves them to a specified directory on the hard drive
-
Telephone Spy
Records telephone conversations directly to your hard disk
It can start recording from a telephone line automatically whenever a receiver is taken off the hook
You will need a PC and a voice modem
You can use it to record any phone conversation such as business discussions and negotiations
It can send the recorded conversation by email, attaching a sound file and a memo
-
Perfect Keylogger
Combination of features like keylogging, screen capturing, and AOL monitoring
-
Stealth Email Redirector
Stealth Email Redirector is a program that sends copies of all outgoing emails
SER monitors the outgoing traffic of email client software and intercepts all emails that are sent
The program sends intercepted emails to specified email addresses
-
Spy Software: Wiretap Professional
-
Spy Software: FlexiSpy
www.flexispy.com
FlexiSPY is an activity logger for mobile phones
It logs activities such as sending and receiving SMS messages, call history (incoming/outgoing), call duration, GPRS activity, and the contact names in the address book that are associated with each SMS and call
FlexiSPY is virtually undetectable by the user!
Works with most Motorola and Nokia phones
-
Spy Software: FlexiSpy (Sample Report)
-
PC PhoneHome
This tool tracks stolen laptops
PC PhoneHome secretly sends a stealth email message to an email address of your choice containing the physical location of your computer every time you get an Internet connection
When the stolen computer is online, it will send a stealth message to the pre-determined email address containing its exact location
Install the software and restart the computer
Start > Run > configmod
Enter your email address
That's all
Whenever your system is online, you will receive notification through email
-
Keylogger Countermeasures
Install Antivirus software and keep the signatures up to date
Install a Host-based IDS such as Cisco CSA agent, which can monitor your system and disable the installation of keyloggers
Keep your hardware systems secure in a locked environment
Frequently check the keyboard cables for attached connectors
-
Anti-Keylogger
This tool can detect keylogger installations and remove them
-
PrivacyKeyboard
http://www.anti-keylogger.com
PrivacyKeyboard is the first product of its kind which protects computers against both spy software and hardware
When you are typing important information like your e-banking password, PrivacyKeyboard will help you circumvent hardware keyloggers, which are difficult to detect
The virtual keyboard prevents hardware keyloggers from intercepting keystrokes made by the user
The protection against software keyloggers is also active at this moment
Since the user is not actually using the keyboard of his PC, hardware keyloggers do not receive any signals from it and cannot capture the keystrokes
-
System Hacking:
Part IV
Hiding Files
-
CEH Hacking Cycle
Enumeration
Cracking passwords
Escalating privileges
Executing applications
Hiding files
Covering tracks
-
Hiding Files
There are two ways of hiding files in NT/2000
Attrib
use attrib +h [file/directory]
NTFS Alternate Data Streaming
The NTFS file system used by Windows NT, 2000, and XP has a feature, Alternate Data Streams, that allows data to be stored in hidden files that are linked to a normal visible file.
Streams are not limited in size and there can be more than one stream linked to a normal file
CHC: Hiding files
-
Rootkits
Rootkits are kernel programs that have the ability to hide themselves and cover up traces of activities
When a rootkit is installed, it replaces certain operating system calls and utilities with its own modified versions of those routines
For example, to hide the existence of a file, the rootkit intercepts all system calls that can carry a file name argument, such as open(), chdir(), and unlink()
-
Why Rootkits?
The hacker requires root access to the system by installing a virus, Trojan horse program, or spyware, in order to exploit it
To maintain the root access, the attacker needs to hide tracks from the system administrator by modifying the system commands
A rootkit allows the hacker to maintain hidden access to the system
-
Hacking Tool: NT/2000 RootKit
What if the very code of the operating system came under the control of the attacker?
The NT/2000 rootkit is built as a kernel mode driver which can be dynamically loaded at run time
The NT/2000 rootkit runs with system privileges, right at the core of the NT kernel, so it has access to all the resources of the operating system
The rootkit can also:
Hide processes (that is, keep them from being listed)
Hide files
Hide registry entries
Intercept keystrokes typed at the system console
Issue a debug interrupt, causing a blue screen of death
Redirect EXE files
CHC: Hiding files
-
Planting the NT/2000 Rootkit
The rootkit contains a kernel mode device driver, called _root_.sys, and a launcher program, called deploy.exe
After gaining access to the target system, the attacker will copy _root_.sys and deploy.exe onto the target system and execute deploy.exe
This will install the rootkit device driver and start it up. The attacker later deletes deploy.exe from the target machine
The attacker can then stop and restart the rootkit at will by using the commands net stop _root_ and net start _root_
Once the rootkit is started, the file _root_.sys stops appearing in the directory listings. The rootkit intercepts the system calls for listing files and hides all files beginning with _root_ from display
CHC: Hiding files
-
Rootkit - Screenshot
CHC: Hiding files
-
Rootkits in Linux
A rootkit is also referred to as a set of modified and recompiled Unix tools (typically including ps, netstat, and passwd) designed to hide any trace of the intruder's presence or existence
A rootkit may include programs to monitor traffic, create a back door into the system, alter log files, and attack other machines on the network
-
Detecting Rootkits
Detecting rootkits is a problem
Once infected with a rootkit, you cannot trust your operating system
You cannot believe what the system tells you when you request a list of running processes or files in a directory
One way to get around this is to shut down the suspect computer and check its storage after booting from alternative media that you know is clean, such as a bootable CD-ROM
-
Steps for Detecting Rootkits
Simple steps you can take to detect some of today's ghostware:
Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results
Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results
Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside)
Note: There will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, bad disk sectors, Alternate Data Streams and so on
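The comparison the WinDiff step performs, written out as an added example (not courseware code): the saved "dir /s /b" listings from inside the suspect OS are diffed against those taken after booting clean media, a short list of paths that legitimately differ between a live and an offline view is filtered out to cut the false positives the note mentions, and whatever is visible from outside but not inside is reported. The two listings and the volatile-path list are constructed samples.

```python
"""Cross-view diff of 'dir /s /b' listings to spot file-hiding rootkits.

Added example, not part of the courseware. Inputs are the saved outputs of
"dir /s /b /ah" and "dir /s /b /a-h", taken once inside the suspect OS and
once after booting clean media. A path that the clean view shows but the
live view does not is a candidate for rootkit file hiding.
"""
from __future__ import annotations

# Paths the live OS creates or removes on its own; they differ between the two
# views without any rootkit. Assumed defaults: tune the list per host.
VOLATILE_PREFIXES = (
    "c:\\pagefile.sys",
    "c:\\hiberfil.sys",
    "c:\\windows\\temp\\",
    "c:\\system volume information\\",
)


def parse_listing(text: str) -> set[str]:
    """Normalise raw 'dir /s /b' output into a set of paths.

    NTFS names are case-insensitive, so paths are lower-cased; blank lines and
    the 'File Not Found' message that dir prints for an empty result are dropped.
    """
    paths: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower() == "file not found":
            continue
        paths.add(line.lower())
    return paths


def is_volatile(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in VOLATILE_PREFIXES)


def cross_view_diff(inside: str, outside: str) -> dict[str, list[str]]:
    """Compare the live (inside) view with the clean-boot (outside) view.

    hidden_inside: present offline, absent live -> the file-hiding signature.
    only_inside:   present live, absent offline -> usually volatile files, but
                   also worth a look (a file that exists only in the lying view).
    Both lists exclude volatile paths to keep false positives down.
    """
    live = parse_listing(inside)
    clean = parse_listing(outside)
    hidden = sorted(p for p in clean - live if not is_volatile(p))
    extra = sorted(p for p in live - clean if not is_volatile(p))
    return {"hidden_inside": hidden, "only_inside": extra}


# Constructed sample listings (hidden and non-hidden runs concatenated).
# The live view lacks two files that the offline view shows.
INSIDE_LISTING = r"""
C:\Windows\explorer.exe
C:\Windows\system32\kernel32.dll
C:\pagefile.sys
C:\Windows\Temp\perflib_live.tmp
"""

OUTSIDE_LISTING = r"""
C:\Windows\explorer.exe
C:\Windows\system32\kernel32.dll
C:\Windows\system32\drivers\_root_.sys
C:\Windows\rewt\root.exe
C:\hiberfil.sys
"""

if __name__ == "__main__":
    report = cross_view_diff(INSIDE_LISTING, OUTSIDE_LISTING)
    for label, paths in report.items():
        print(f"{label}:")
        for p in paths:
            print(f"  {p}")
```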
-
Rootkit Detection Tools
BlackLight from F-Secure Corp.
http://www.f-secure.com/blacklight
RootkitRevealer from Sysinternals
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Malicious Software Removal Tool from Microsoft Corp.
http://www.microsoft.com/security/malwareremove/default.mspx
-
Sony Rootkit Case Study
In October 2005 Mark Russinovich discovered that some Sony BMG Music Entertainment CDs use rootkit technology to automatically install digital rights management software on Windows computers
The intent of this kludge was to prevent unauthorized digital copying of the music
The Sony music CD creates a hidden directory and installs several of its own device drivers; it then reroutes Windows system calls to its own routines
It intercepts kernel-level application programming interfaces and tries to disguise its presence
Sony was hit with numerous lawsuits across the United States for planting a rootkit on users' computers without their knowledge
For more information, visit: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
-
Rootkit: Fu
It operates using Direct Kernel Object Manipulation
It comes with two components: the dropper (fu.exe) and the driver (msdirectx.sys)
It can:
Hide processes and drivers
List processes and drivers that were hidden using hooking techniques
Add privileges to any process token
Make actions in the Windows Event Viewer appear as someone else's actions
CHC: Hiding files
-
Rootkit: AFX Rootkit 2005
This program patches Windows API to hide certain objects from being listed
Current Version Hides:
Processes
Handles
Modules
Files & Folders
Registry Keys & Values
Services
TCP/UDP Sockets
Systray Icons
Configuring a computer with the rootkit is simple:
1. Create a new folder with a unique name, i.e., c:\windows\rewt\
2. In this folder place the root.exe, i.e., c:\windows\rewt\root.exe
3. Execute root.exe with the "/i" parameter, i.e., start c:\windows\rewt\root.exe /i
Everything inside the root folder is now invisible!
Removal: How to remove this rootkit
Method 1
1. Run the root.exe with the "/u" parameter
2. Delete all the files associated with it
3. Reboot
Method 2
1. Boot into safe mode
2. Locate the service with the root folder name
3. Remove the service and delete all the files associated with it
4. Reboot
-
Rootkit: Nuclear
This rootkit performs a user-level hook on certain APIs, allowing you to hide or modify some items on the NT-based OS (NT/2000/XP/Windows 2003)
Features/Benefits
Process: Hides process(es) totally from the task manager
File/Directory: Hides directory(s) or file(s) from Windows Explorer
Registry: Hides registry value(s) from the registry editor and MSConfig
Ports/Protocols: Hides connections on/through any port(s)/protocol(s) in netstat
Modules: Hides modules in specific processes from any module explorer
Application Block: Blocks explorer from executing a list of applications
Connection Block: Blocks applications from connecting to any host
Persistence: Protects directory(s) or file(s) from being deleted/renamed/moved
-
Rootkit: Nuclear
-
Rootkit: Vanquish
It is a dll injection-based, winapi hooking rootkit
It hides files, folders, registry entries, and logs passwords
In case of registry hiding, Vanquish uses an advanced system to keep track of enumerated keys/values and hides the ones that need to be hidden
For dll injections, the target process is first written with the string 'VANQUISH.DLL' (VirtualAllocEx, WriteProcessMemory) and then CreateRemoteThread is called
For API hooking, Vanquish uses various programming tricks
CHC: Hiding files
-
Rootkit Countermeasures
Back up critical data and reinstall OS/applications from a trusted source
Do not rely on backups, as there is a chance of restoring from Trojaned software
Keep a well-documented automated installation procedure
Keep availability of trusted restoration media
CHC: Hiding files
-
Patchfinder 2.0
Patchfinder (PF) is a sophisticated diagnostic utility designed to detect system libraries and kernel compromises
Its primary use is to check if the given machine has been attacked with some modern rootkits like Hacker Defender, AFX, Vanquish, and He4Hook
CHC: Hiding files
-
RootkitRevealer
RootkitRevealer from www.sysinternals.com scans the drive and the registry for the presence of rootkits
-
Creating Alternate Data Streams
Start by going to the command line and typing notepad test.txt
Put some data in the file, save the file, and close Notepad
From the command line, type dir test.txt and note the file size
Next, go to the command line and type notepad test.txt:hidden.txt. Type some text into Notepad, save the file, and close
Check the file size again and notice that it hasn't changed!
On opening test.txt, only the original data will be seen
On use of the type command on the filename from the command line, only the original data is displayed
On typing type test.txt:hidden.txt, a syntax error message is displayed
CHC: Hiding files
-
How to Create NTFS Streams?
CHC: Hiding files
-
NTFS Stream Manipulation
CHC: Hiding files
-
NTFS Streams Countermeasures
Deleting a stream file involves copying the front file to a FAT partition, then copying it back to NTFS
Streams are lost when the file is moved to the FAT partition
LNS.exe from (http://ntsecurity.nu/cgi-bin/download/lns.exe.pl) can detect streams
CHC: Hiding files
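A built-in check for the streams LNS.exe looks for, added here as an example (not courseware code): on Windows Vista and later, "dir /s /r" prints every named stream on a line under its host file, and this Python script parses that saved output and flags any stream other than the Zone.Identifier mark Windows itself writes on downloads. The "dir /r" output below is a constructed sample, and the benign-stream list is an assumption to extend per site.

```python
"""Flag alternate data streams in saved 'dir /s /r' output.

Added example, not courseware code. 'dir /r' (Windows Vista and later) prints
each named stream as an extra line under its host file, e.g.
    27 test.txt:hidden.txt:$DATA
The unnamed ::$DATA stream (the normal file content) is never listed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Named streams Windows writes itself; reported but not alerted on.
# Assumed baseline: add whatever your own applications legitimately use.
KNOWN_BENIGN_STREAMS = {"zone.identifier"}

# " Directory of C:\Users\analyst\Desktop"
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# "<size> <host file>:<stream name>:$DATA"; sizes carry thousands separators.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+):([^:\\/]+):\$DATA\s*$")


@dataclass(frozen=True)
class StreamHit:
    path: str         # full path of the host file
    stream: str       # alternate data stream name
    size: int         # bytes stored in the stream
    suspicious: bool  # True unless the stream is on the benign list


def parse_dir_r(output: str) -> list[StreamHit]:
    """Walk 'dir /s /r' output and return every named stream it lists."""
    hits: list[StreamHit] = []
    current_dir = ""
    for line in output.splitlines():
        d = DIR_LINE.match(line)
        if d:
            current_dir = d.group(1).rstrip("\\")
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size_text, host, stream = m.groups()
        hits.append(StreamHit(
            path=f"{current_dir}\\{host}",
            stream=stream,
            size=int(size_text.replace(",", "")),
            suspicious=stream.lower() not in KNOWN_BENIGN_STREAMS,
        ))
    return hits


def suspicious_streams(output: str) -> list[StreamHit]:
    return [h for h in parse_dir_r(output) if h.suspicious]


# Constructed sample of 'dir /s /r' output: the hidden.txt stream from the
# notepad walkthrough, and a download carrying the usual Zone.Identifier mark.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\Users\analyst\Desktop

03/14/2023  10:22 AM    <DIR>          .
03/14/2023  10:22 AM    <DIR>          ..
03/14/2023  10:25 AM                12 test.txt
                                    27 test.txt:hidden.txt:$DATA
03/14/2023  09:01 AM            48,640 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         48,652 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

if __name__ == "__main__":
    for hit in parse_dir_r(SAMPLE_DIR_R):
        flag = "SUSPICIOUS" if hit.suspicious else "benign"
        print(f"{flag:10} {hit.size:>8} {hit.path}:{hit.stream}")
```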
-
NTFS Stream Detectors (ADS Spy and ADS Tools)
ADS Spy
ADS Tools
-
What is Steganography?
The process of hiding data in images is called Steganography
The most popular method for hiding data in files is to utilize graphic images as hiding places
Attackers can embed information such as:
Source code for hacking tool
List of compromised servers
Plans for future attacks
Grandma's secret cookie recipe
CHC: Hiding files
-
Tool: Merge Streams
This utility enables you to merge MS Word streams and MS Excel workbook streams
It can hide MS Excel workbooks within MS Word documents or vice versa
CHC: Hiding files
-
Invisible Folders
Hide any folder or a group of folders on your system by pressing a simple hotkey combination
The selected folders will remain invisible until you decide to make them visible again using your hotkey combinations
You can also password-protect your hotkey combinations
CHC: Hiding files
-
Tool: Invisible Secrets 4
A security suite that helps you to hide files, encrypt files, destroy your Internet traces, shred files, make secure IP to IP password transfers, and even lock any application on your computer
CHC: Hiding files
-
Tool: Image Hide
Image Hide is a steganography program that hides text in images
Does simple encryption and decryption of data
Even after adding bytes of data, there will not be any increase in image size
Image looks the same to normal Paint packages
Loads and saves to files and gets past all mail sniffers
CHC: Hiding files
-
Tool: Stealth Files
Stealth Files can hide executables in other files such as Microsoft Word, Excel, PowerPoint, and Acrobat
-
Tool: Steganography
-
Tool: Steganography (Step 1)
Step 1: Select a Carrier File for hiding information
-
Tool: Steganography (Step 2)
Step 2: Add File/Message to hide
-
Tool: Steganography (Step 3)
Step 3: Assign password
-
Tool: Steganography (Step 4)
Step 4: Hide the file
-
Tool: Steganography (Un-hiding Step 1)
Select the file to uncover information
-
Tool: Steganography (Un-hiding Step 2)
Enter Password to unhide the message
-
Tool: Steganography (Un-hiding Step 3)
-
Masker Steganography Tool
Masker is a program that encrypts files and folders and hides them inside another file
Masker hides files and folders in inconspicuous places, such as pictures, videos, and sound files
You can hide any files and even whole folders with subfolders
Hermetic Stego
Hermetic Stego is a steganography program that allows you to encrypt and hide a file of any size in one or more BMP image files, with or without the use of a stego/encryption key, so that the presence of the hidden file is undetectable, even by forensic software using statistical methods
The message is hidden in multiple BMP image files
[Figure: a secret message hidden across several BMP images]
DCPP: Hide an Operating System
DCPP is a steganography tool that hides an entire operating system inside the free space of another operating system
http://www.securstar.com
[Figure: Windows XP and Windows 2003, with one operating system hidden inside the other]
Tool: Camera/Shy
Camera/Shy works with Windows and Internet Explorer and lets users share censored or sensitive information buried within an ordinary GIF image
The program lets users encrypt text with a click of the mouse and bury the text in an image. The files can be password protected for further security
Viewers who open the pages with the Camera/Shy browser tool can then decrypt the embedded text on the fly by double-clicking on the image and supplying a password
Camera/Shy - Screenshot
www.spammimic.com
Encoded message
Decoded to
Tool: Mp3Stego
http://www.techtv.com
MP3Stego will hide information in MP3 files during the compression process
The data is first compressed, encrypted, and then hidden in the MP3 bit stream
Tool: Snow.exe
Snow is a white space steganography program and is used to conceal messages in ASCII text by appending white space to the end of lines
Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers
If the built-in encryption is used, the message cannot be read even if it is detected
Video Steganography
MSU StegoVideo can hide any file in a video sequence
Embed .exe files directly inside an MPEG or AVI file
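A defender-side check for the trailing-whitespace technique that Snow uses, added here as an example (it is not code from the slides or from Snow); the memo text is constructed and the 25% line ratio used for the verdict is an assumption:

```python
# Added example (not from the CEH slides): a defender-side check for the
# whitespace steganography that tools such as Snow use. Snow appends runs
# of spaces and tabs after the last visible character of a line; ordinary
# text rarely carries tab/space mixtures there, so such lines deserve review.
import re

TRAILING_WS = re.compile(r"[ \t]+$")

def trailing_whitespace_report(text: str) -> dict:
    """Count lines carrying trailing spaces/tabs and the number of such
    characters (an upper bound on the whitespace a hidden payload uses)."""
    flagged = []  # (line number, trailing run) pairs
    hidden_chars = 0
    lines = text.split("\n")
    for number, line in enumerate(lines, start=1):
        match = TRAILING_WS.search(line)
        if match:
            run = match.group(0)
            flagged.append((number, run))
            hidden_chars += len(run)
    mixed = sum(1 for _, run in flagged if " " in run and "\t" in run)
    return {"lines": len(lines), "flagged": flagged,
            "hidden_chars": hidden_chars, "mixed_runs": mixed}

def looks_like_whitespace_stego(text: str, min_ratio: float = 0.25) -> bool:
    """Heuristic verdict (assumed threshold): tab+space mixtures on a quarter
    or more of the lines is far beyond what editors leave behind by accident."""
    report = trailing_whitespace_report(text)
    return report["lines"] > 0 and report["mixed_runs"] / report["lines"] >= min_ratio

def strip_trailing_whitespace(text: str) -> str:
    """Mitigation for outbound text: removing the runs destroys the channel."""
    return "\n".join(TRAILING_WS.sub("", line) for line in text.split("\n"))

# Constructed samples: a clean memo and the same memo with Snow-style runs.
CLEAN = "Quarterly report\nRevenue grew 4%\nCosts were flat\n"
SUSPECT = "Quarterly report \t \t\nRevenue grew 4%\t  \t\nCosts were flat\t\t \n"

if __name__ == "__main__":
    print(trailing_whitespace_report(SUSPECT), looks_like_whitespace_stego(SUSPECT))
```

Stripping trailing whitespace on a mail or web gateway removes the channel without needing to decide whether any given file carried a message.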
Case Study: Al-Qaida Members Distributing Propaganda to Volunteers Using Steganography
Al-Qaeda is increasingly reliant on media to spread its propaganda
Al-Qaida sympathizers use computers with steganography techniques to distribute Al-Qaida videos and other Jihadist materials over the Internet
Source: http://www.nytimes.com/2006/09/30/world/30jordan.html?pagewanted=2&ref=technology
Steganography Detection
Stegdetect is an automated tool for detecting steganographic content in images
It is capable of detecting different steganographic methods used to embed hidden information in JPEG images
Stegbreak is used to launch dictionary attacks against Jsteg-Shell, JPHide, and OutGuess 0.13b
Stegdetect Screenshot
SIDS
Stego intrusion detection system:
Aims to flag all HTTP traffic containing imagery that tests positive for stego content (more protocols later)
Gateway defense mechanism:
Placed at a network border
In promiscuous mode, sniffs all HTTP traffic and reconstructs (if necessary) any images transmitted
Tests each image against all known steganalysis algorithms
Alerts the user/administrator to the presence of stego on their network
It is not a firewall!
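The kind of statistical test behind the Stegdetect and SIDS passages above, as an added example rather than code from either tool: the chi-square "pairs of values" test run over a constructed 8-bit sample buffer, with a small LSB embedder used only to manufacture the stego sample; the even-value bias of the cover and the cut-off of 200 are assumptions for this demo:

```python
# Added example (not from the CEH slides): the chi-square "pairs of values"
# test of Westfeld and Pfitzmann, the kind of statistical check that
# Stegdetect-style tools apply to image data. It runs here over a
# constructed 8-bit sample buffer rather than a decoded image.
import random
from typing import List, Sequence

def chi_square_pov(samples: Sequence[int]) -> float:
    """Sum over value pairs (2k, 2k+1) of (even - mean)^2 / mean.
    LSB replacement pushes the two counts of every pair towards equality,
    so a small statistic on a non-trivial histogram suggests embedding."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        mean = (even + odd) / 2.0
        if mean > 0:
            stat += (even - mean) ** 2 / mean
    return stat

def lsb_embed(samples: Sequence[int], bits: Sequence[int]) -> List[int]:
    """Replace each sample's least significant bit with a payload bit
    (used only to manufacture a stego sample for the detector)."""
    return [(v & ~1) | b for v, b in zip(samples, bits)]

def make_cover(n: int, seed: int = 7) -> List[int]:
    """Constructed cover: a bell-shaped histogram biased towards even
    values, standing in for the uneven neighbouring bins of real data."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        v = int(rng.triangular(0, 255, 120))
        if rng.random() < 0.6:
            v &= ~1  # push 60% of samples to the even value of their pair
        cover.append(v)
    return cover

def is_suspicious(samples: Sequence[int], threshold: float = 200.0) -> bool:
    """Flag buffers whose pairs are suspiciously balanced. The cut-off is a
    constructed demo value; a real tool converts the statistic to a p-value."""
    return chi_square_pov(samples) < threshold

COVER = make_cover(20000)
PAYLOAD = random.Random(11).choices([0, 1], k=len(COVER))
STEGO = lsb_embed(COVER, PAYLOAD)
```

On the constructed data the cover scores in the thousands while the fully embedded buffer scores near the number of value pairs, which is the separation a gateway scanner such as SIDS relies on.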
High-Level View
[Figure: Internet traffic passes the FW to the SIDS Scanner, which tests each captured image (image1 through image5) against Algorithm 1 through Algorithm n, backed by a Master Database]
SIDS Screenshots
- Statistics -
Shows the last image testing positive for stego
Graphs detailing the number of images captured/flagged
Screenshots (contd)
- Recent Finds -
Details of individual images captured from the wire
Summary of steganalysis information
Allows for manual inspection of images
System Hacking: Part V
Covering Tracks
CEH Hacking Cycle
Enumeration
Cracking passwords
Escalating privileges
Executing applications
Hiding files
Covering tracks
Covering Tracks
Once intruders have successfully gained Administrator access on a system, they will try to conceal their presence and avoid detection
When all the information of interest has been stripped off from the target, the intruder installs several backdoors so that he can gain easy access in the future
Disabling Auditing
The first thing intruders will do after gaining Administrator privileges is to disable auditing
The Windows 2003 Resource Kit's auditpol.exe tool can disable auditing from the command line
At the end of their stay, the intruders will simply turn auditing on again using auditpol.exe
Clearing the Event Log
Intruders can easily wipe out the logs in the Event Viewer
This process clears all records from the log but leaves one record stating that the event log has been cleared by the attacker's account
Tool: elsave.exe
The elsave.exe utility is a simple tool for clearing the event log
The following syntax will clear the security log on the remote server 'rovil' (correct privileges are required on the remote system)
Save the system log on the local machine to d:\system.log and then clear the log:
elsave -l system -F d:\system.log -C
Save the application log on \\serv1 to \\serv1\d$\application.log:
elsave -s \\serv1 -F d:\application.log
Hacking Tool: Winzapper
Winzapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000
To use the program, the attacker runs winzapper.exe and marks the event records to be deleted, then presses Delete Events and Exit
To sum things up: after an attacker has gained Administrator access to the system, you cannot trust the security log
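Defender-side checks for the auditpol, event-log clearing, elsave and Winzapper passages above, as an added example (not code from the slides or from those tools): the records are constructed, the six-hour silence threshold is an assumption, and the event IDs are the standard Windows ones for a cleared log and an audit policy change:

```python
# Added example (not from the CEH slides): defender-side checks for the
# auditing and event-log tampering described above, run over a constructed
# list of Security-log records. On a real host the same three fields come
# from a Security log export (record number, event ID, time written).
from datetime import datetime, timedelta
from typing import Dict, List

# 517/612 are the Windows 2000/2003 event IDs, 1102/4719 the equivalents
# used from Windows Vista onwards.
LOG_CLEARED = {517, 1102}
AUDIT_POLICY_CHANGED = {612, 4719}

def audit_log_findings(records: List[Dict], max_gap: timedelta = timedelta(hours=6)) -> List[str]:
    """Report log clears, audit policy changes, missing record numbers
    (selective deletion) and silent periods (auditing switched off)."""
    findings = []
    ordered = sorted(records, key=lambda r: r["record"])
    for prev, cur in zip([None] + ordered[:-1], ordered):
        if cur["event_id"] in LOG_CLEARED:
            findings.append(f"record {cur['record']}: security log cleared")
        if cur["event_id"] in AUDIT_POLICY_CHANGED:
            findings.append(f"record {cur['record']}: audit policy changed")
        if prev is None:
            continue
        if cur["record"] != prev["record"] + 1:
            findings.append(f"records {prev['record'] + 1}-{cur['record'] - 1} missing")
        if cur["time"] - prev["time"] > max_gap:
            findings.append(f"no events between records {prev['record']} and {cur['record']}")
    return findings

def rec(number: int, event_id: int, hour: int) -> Dict:
    """Build one constructed record (all on 9 Aug 2019 for brevity)."""
    return {"record": number, "event_id": event_id, "time": datetime(2019, 8, 9, hour)}

# Constructed sample: two logons (528), auditing disabled via policy change
# (612), a twelve-hour silence, auditing re-enabled, then records 106-109
# removed the way a selective log editor would.
SAMPLE = [
    rec(101, 528, 1), rec(102, 528, 2), rec(103, 612, 3),
    rec(104, 612, 15), rec(105, 528, 16), rec(110, 528, 17),
]

if __name__ == "__main__":
    for line in audit_log_findings(SAMPLE):
        print(line)
```

Record-number gaps and silent periods are heuristics, so forward the Security log to a collector the host's Administrator cannot reach; that is the only way the "cleared" record and everything before it survive.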
Evidence Eliminator
Deleting the Internet cache and history will not protect you... your PC is storing deadly evidence
Even FORMATTING the disk would not work
All those web pages, pictures, movies, videos, sounds, email and everything else you have ever viewed could easily be recovered
Files and Internet searches you have made that you thought you had never "saved to disk" can be recorded as permanent evidence on your hard drive
Evidence Eliminator permanently wipes out evidence so that forensic analysis is impossible
Tool: Traceless
Clear your Internet settings
You can stop your home page from being written over by uninvited websites
Tool: Tracks Eraser Pro
Designed to protect you by cleaning up all the unwanted history data on your computer
Allows you to erase the cache, cookies, history, typed URLs, auto-complete memory, index.dat from your browsers and Windows' temp folder, run history, search history, open/save history, recent documents, and so on
Tool: ZeroTracks
Allows you to clear paging files, recent documents, the Recycle Bin, temp files, and the run list on the Start menu
You can also clear the Internet cache, temporary Internet files, cookies, and autocompletes
What happened next?
A few days later, when Bradley's boss was again out for some work and had left his cabin open, Bradley removed his keylogger. He extracted all the information stored in the keylogger, and to his surprise he had a lot of his boss's sensitive personal and official information.
He can use this information to blackmail his boss or even leak the company's confidential information.
Summary
Hackers use a variety of means to penetrate systems
Password guessing/cracking is one of the first steps
Password sniffing is a preferred eavesdropping tactic