Use Attrib +h [file/directory]
exe
123ANDREW_____
Bootable Linux distribution
In the repair directory Called SAM._
Use L0phtcrack
But the attacker has the encrypted credentials
Attrib.
Allows data to be stored in hidden files
that are linked to a normal visible file Two ways of hiding files in NT/2000
Hides hidden.txt within test.txt NTFS Alternate Data Streaming
notepad test.txt:hidden.txt
test.txt has to already exist
The process of hiding data within images
Windows App
Simple encrypt/decrypt of data Image Hide
No increase in image size
Hides information within an .mp3 file
Mp3stego
Hidden in the mp3 bit stream
Whitespace steganography program
Snow.exe Tools
Hides data in ASCII text by appending
whitespace to the end of lines Steganography
Windows App
Easy to use
Hides data in GIF images Camera/Shy Hiding Files
To view the messages live on the web Comes with its own browser app
Automated tool for detecting
steganographic content in images Stegdetect Countermeasures
Moves the contents of a file to ids data
strem makestrm.exe
Tools
Packetstorm utility to write files to the NTFS ADS
ads_cat
Contains utilities to add, extract and remove ADS
Displays NTFS files that have ADS streams
Lists files with ADS List ADS
Countermeasures
One manual way to remove a stream is to
copy the file to a FAT partition, then back.
FAT Copy
This removes the stream
Spyware can install remote Motivation and Study Techniques to help Cisco
Also known as rootkits control and backdoors you learn, remember, and pass your
CISSP
technical exams!
Screen capture CEH
Keystroke logging Usually these tools offer multiple different More coming soon...
ways of interacting with a filesystem
Microphone enable
Log file analysis Visit us www.mindcert.com
Spector
eBlaster
Software that interacts with the OS Remote Control and Subscribe via RSS
Replaces core functions within the OS Tools Backdoors
Good at hiding its existence RootKit
Windows
Available for NetBIOS Port
Unix
Most effective method o breaking into Windows is Password guessing
Detects and removes Spector from your system Anti-Spector
Assuming TCP Port 139 is open
Tools IPC$
Detects and removes spy software Countermeasures
Spyguard Connect to an enumerated share C$
Default Admin shares
Admin$
Once intruders have gained access they administrator same as root under UNIX
The default admin account is
will need to cover their tracks Administrator Password
Intruders will normally install Sometimes has a blank password
Backdoors so they can always
Create or use a username/password file
come back to the machine using
a covert channel FOR /F "token=1, 2*" %1 in
Can use a simple DOS Shell script
Automated password guessing (credentials.txt)
These normally include looking at logs Build a script using the FOR command
do net use \\target\IPC$ %i /u: %j
Therefore, logs are always sanitized or To cover tracks you have to look
cleared down totally. at general sys admin activities
Windows application
Sometimes, the intruder actually
disables logging totally Automates password guessing for
Legion NetBIOS sessions
Comes with NT/2000 Resource Kit Remote Password Guessing Scans multiple Class C addresses
Command line util to find out audit
Manual dictionary attack tool
status of a target machine Auditpol.exe Tools
c:\>auditpol \\<ip address of target> Windows tool
Can be run over the network
Now Cerberus Internet Scanner
Comes with NT/2000 Resource Kit Covering Tracks NTInfoscan (now CIS)
Vulnerability Scanner designed for NT4
Dumps and event log for a local or Will check NetBIOS shares
Produces a tab delimited CSV file remote system Dumpel.exe
Block access to TCP and UDP Ports 135 to 139
Lets the intruder know what is in the logs
Tools Disable WINS client on all adapters
Simple tool for clearing the event logs
on Windows/2000 Use strong passwords Or two factor authentication
eslave.exe
Correct privileges are required on the remote system
Countermeasures Security Log
Selectively erases records from the
Win 2000 security log Event 529 or 539
Command line application WinZapper Log failed logon attempts
From Foundstone
Needs admin rights VisualLast
Look at a logging application Visual Log manager
GUI commercial system for Windows
Evidence Eliminator
Counters all privacy issues
Eavesdropping is sniffing the
passwords from the network segment Subtopic
Find a valid user
Create a list of possible passwords Switch ports by default only see your
To eavesdrop you have to be traffic and broadcasts Have to use a tool to get around this
Ken in each password
Manual Password Cracking able to sniff all VLAN traffic
Success Hubs forward all frames out of all ports
If the system allows you in
Telnet
Try again Else Some passwords are unencrypted POP3
etc..
Find a valid user
Algorithms Certified Ethical Hacker Collect these passwords and hashes and
Find encryption algorithms used
Module 5 - System Hacking Some passwords are encrypted then run attacks against them offline
Obtain encrypted passwords
Create list of possible passwords
Automatic Password Cracking Eavesdropping Windows Application
Encrypt each word
Password auditing and recovery tool
Success See if it works LOphtcrack Captures individual login sessions
SMB Packet capture listens to the local
network segment Uses either Dictionary
Try again Else Attacks the 24 byte hashed password
Or Brute Force attacks
Easiest to crack Tools
Only letters Windows command line application
Only numbers Listens on the network and captures
KerbCrack kerbsniff 2000/XP kerberos logins
Only special characters
Conists of two programs
Harder to crack Letters and numbers Uses dictionary or brute force to crack the password
Password Types kerbcrack
Letters and special characters
Numbers and special characters Sending a NetBIOS name release to the
Most secure passwords NetBIOS name service (UDP 137)
Letters, numbers, and special characters places the name in conflict No longer able to use it
Using a dictionary of words Blocks the client from participating in
Dictionary attack nbname
Tools the NetBIOS network
Or a wordlist
Denial of Service Carries out a NetBIOS DoS attack
Going through all possible combinations
Brute force attack Crashes computers running Windows 2000/XP/NT
Eventually Will always work SMBDie
Sends a specially crafted SMB request
A mixture of dictionary and brute force attacks Hybrid attack Password Attacks
It is important to gain root or
Ask the user for there password Social engineering administrative level access
Once hacker has access to a system May have gained access with a non
Look over there shoulder Shoulder surfing admin account
Try to find password evidence in trash Small .exe that adds a user to the local admin
Dumpster diving
group
NT/2000/XP Windows clients by default send LM Privilege Escalation Need to logon to the server console
GetAdmin
and NTLM password hashes Run from the command line
Win9x Clients only send LM hashes Tools
Only works on NT4.0 SP3
123ANDREW First converted to Uppercase
Exposes a LPC Flaw in NT
hk.exe
Password is padded with null characters to Escalates a non admin user to an admin user
make it a 14 character length
Your password is 123andrew Lan Manager Hashes
123ANDR Example Log all keyboard activity
The 14 character string is split in two halves
EW_____ Physical devices that are connected to
Hardware the keyboard port
Each string is encrypted and the Password Cracking
results concatenated Types
Applications that have to be installed
Subtopic Software on a users machine
SAM file in NT/2000 contains the Hardware Keystroke logger
usernames and encrypted passwords Keystroke Loggers Keyghost
USB or PS2
C:\windows\system32\config
Windows software
Such as Backtrack Tools
Boot to an alternate OS Invisible to the user
IKS Software Keylogger
Mount the drive Then dumps this to a configurable
NT/2000 Passwords Buffer of 100 keystrokes text file on the machine
Backup the SAM from the Repair directory File is locked when OS running
Cracking Passwords
use c:\expand same._sam Expand the file
Extract the hashes from the files
Send an email with a link Trick the user into trying SMB
authentication against the attacker
Embed code etc..
Redirecting SMB to the Attacker
The SMB authentication will fail
SMB server to capture usernames and
passwords from incoming SMB traffic
Man in the Middle attacks (MITM)
Can relay the traffic to another server
to provide a MITM attack SMBRelay
Receives a connection on port 139
These are then extracted with L0phtcrack Collects NTLM password hashes to a text file
Increases speed of L0phtcrack
Removes duplication SMBGrind
Provides facility to target specific users Tools
Registers a NetBIOS name on the network
Helps resolve IP address from NetBIOS name NBTDeputy
Works well with SMBRelay
Windows and Unix Command line tools
Cracks both Unix and Windows passwords
John the Ripper
Extremely fast
May not reflect correct password Resulting Passwords are Case Insensitive
Enforce 7-12 character alpha-numeric
passwords
Set the password expiration policy to 30 days
Physically isolate and protect the server Countermeasures
Syskey initiates 128 bit encryption for the SAM Use the "syskey" utility
Monitor all server logs for password attacks