MindCert mind map (www.mindcert.com, subscribe via RSS): Motivation and Study Techniques to help you learn, remember, and pass your technical exams! Cisco, CISSP, CEH, more coming soon...

Remote Control and Backdoors
  - Spyware can install remote control and backdoors
  - Also known as rootkits
  - Usually these tools offer multiple different ways of interacting with a filesystem
      - Screen capture
      - Keystroke logging
      - Microphone enable
      - Log file analysis
  - RootKit
      - Software that interacts with the OS
      - Replaces core functions within the OS
      - Good at hiding its existence
      - Available for Windows and Unix
  - Tools
      - Spector
      - eBlaster
  - Hiding Files
      - Camera/Shy
          - Hides data in GIF images
          - Comes with its own browser app to view the messages live on the web
          - Windows app, easy to use
  - Countermeasures
      - Anti-Spector: detects and removes Spector from your system
      - Spyguard: detects and removes spy software

Password Guessing
  - Most effective method of breaking into Windows is password guessing
  - Assuming TCP Port 139 (NetBIOS port) is open
  - Connect to an enumerated share
      - Default admin shares: IPC$, C$, Admin$
  - The default admin account is Administrator
      - Same as root under UNIX
      - Sometimes has a blank password
  - Automated password guessing
      - Create or use a username/password file (credentials.txt)
      - Build a script using the FOR command
      - Can use a simple DOS shell script:
        FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
  - Remote Password Guessing Tools
      - Legion
          - Windows application
          - Automates password guessing for NetBIOS sessions
          - Scans multiple Class C addresses
          - Manual dictionary attack tool
      - NTInfoscan (now CIS, Cerberus Internet Scanner)
          - Windows tool
          - Vulnerability scanner designed for NT4
          - Will check NetBIOS shares
  - Countermeasures
      - Block access to TCP and UDP Ports 135 to 139
      - Disable WINS client on all adapters
      - Use strong passwords or two factor authentication
      - Security Log: Event 529 or 539

Covering Tracks
  - Once intruders have gained access they will need to cover their tracks
  - Intruders will normally install backdoors so they can always come back to the machine using a covert channel
  - To cover tracks you have to look at general sys admin activities
  - These normally include looking at logs
  - Therefore, logs are always sanitized or cleared down totally
  - Sometimes, the intruder actually disables logging totally
  - Tools
      - Auditpol.exe
          - Comes with NT/2000 Resource Kit
          - Command line util to find out audit status of a target machine
          - Can be run over the network
          - c:\>auditpol \\<ip address of target>
      - Dumpel.exe
          - Comes with NT/2000 Resource Kit
          - Dumps an event log for a local or remote system
          - Produces a tab delimited CSV file
          - Lets the intruder know what is in the logs
      - eslave.exe
          - Simple tool for clearing the event logs on Windows/2000
          - Correct privileges are required on the remote system
      - Selectively erases records from the Win 2000 security log

Privilege Escalation
  - Dumpster diving: try to find password evidence in trash
  - Tools
      - GetAdmin
          - Small .exe that adds a user to the local admin group
          - Need to logon to the server console
          - Run from the command line
          - Only works on NT4.0 SP3
      - hk.exe
          - Exposes a LPC flaw in NT
          - Escalates a non admin user to an admin user

Password Cracking
  - Keystroke logging types (log all keyboard activity)
      - Hardware: physical devices that are connected to the keyboard port
      - Software: applications that have to be installed on a user's machine
  - Lan Manager Hashes
      - NT/2000/XP Windows clients by default send LM and NTLM password hashes
      - Win9x clients only send LM hashes
      - Example: your password is 123andrew
          - First converted to uppercase: 123ANDREW
          - Password is padded with null characters to make it a 14 character length: 123ANDREW_____
          - The 14 character string is split in two halves: 123ANDR and EW_____
          - Each string is encrypted and the results concatenated
  - Redirecting SMB to the Attacker
      - Trick the user into trying SMB authentication against the attacker
          - Send an email with a link
          - Embed code etc.
      - The SMB authentication will fail, but the attacker has the encrypted credentials
      - Collects NTLM password hashes to a text file
      - These are then extracted with L0phtcrack