CEHv8 Module 05 System Hacking PDF

System Hacking
Module 05
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
System H acking
Module 05
Engineered by Hackers. Presented by Professionals.
CEH
i. /
P n!
Ethical Hacking and Countermeasures v8

Module: 05 System Hacking Exam 312-50
Module 05 Page 518
Ethical Hacking and Countermeasures Copyright by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
\m -
(itifwtf
CEH
itkMl lUclwt
September 26th, 2012
IE E E H a ck C o n firm ed , 100k Plain T e x t P assw o rd s V ulnerable

After details were revealed by Radu Dragusin over at IEEEIog.com a few days ago that passwords and user details for some 100,000 members of the Institute of Electrical and Electronics Engineers had been made publicly available on the company's FTP server for at least a month, the organisation has now confirmed it in a communication to members, advising them to change their details immediately. The IEEE is an organisation that is designed to advance technology and has over 400,000 members worldwide, many of those including employees at Apple, Google, IBM, Oracle and Samsung. It is responsible for globally used standards like the IEEE 802.3 Ethernet standard and the IEEE 802.11 Wireless Networking standard. At an organisation like this, you'd expect security to be high. Still, this hack was no hoax. The official announcement of it was sent out yesterday and reads: "IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. This matter has been addressed and resolved. None of your financial information was made accessible in this situation."
http://www.kitguru.net
Copyright by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
Security N ew s
IE E E Hack Confirm ed, 100k Plain Text Passwords Vulnerable
Source: http://www.kitguru.net After details were revealed by Radu Dragusin over at IEEEIog.com recently that passwords and user details for some 100,000 members of the Institute of Electrical and Electronics Engineers had been made publicly available on the company's FTP server for at least a month, the organization confirmed this in a communication to members, advising them to change their details immediately. The IEEE is an organization that is designed to advance technology and has over 400,000 members worldwide, many of those including employees at Apple, Google, IBM, Oracle, and Samsung. It is responsible for globally used standards like the IEEE 802.3 Ethernet standard and the IEEE 802.11 Wireless Networking standard. At an organization like this, you'd expect security to be high. Still, this hack was no hoax. The official announcement of it reads: "IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and
Module 05 Page 519
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
passwords. This matter has been addressed and resolved. None of your financial information was made accessible in this situation." The company continued saying though, that it was technically possible that during the time this information was available, that someone could have used it to access a user's account and therefore, as a "precautionary measure," the IEEE recommended all users change their account information. Until that time, users were not be able to access their account at all. In what seems like quite a bold move, the organization went on to explain to users that one of the best ways to protect themselves is to use a strong, unique password for their login. Considering it was an IEEE security blunder that caused the hack, advising other people on password strength seems a bit hypocritical. That said, in Mr Dragusin's reveal of the hacked information, he produced a graph detailing some of the most commonly used passwords. Almost 300 people used "123456" and other variations of numbers in that same configuration, while hundreds of others used passwords like "admin," "student," and "ieee2012." Considering the involvement of IEEE members in pushing the boundaries of current technology, you'd assume we wouldn't need to turn to Eugene "The Plague" Belford to explain the importance of password security.
Copyright 2010-2013 KitGuru Lim ited
Author: Jon Martindale
http://www.kitguru.net/channel/ion-rnartindale/ieee-hack-confirmed-100k-plain-textpasswords-vulnerable/
Module 05 Page 520
M odule O bjectives
J J J J J J J J J
r
UrtilM
CEH
itkKJl Nm Im
J J J J
System Hacking: Goals CEH Hacking Methodology (CHM) Password Cracking Stealing Passwords Using Keyloggers Microsoft Authentication How to Disable LM HASH How to Defend against Password Cracking Privilege Escalation Executing Applications
^
Types of Keystroke Loggers and Spywares Anti-Keylogger and Anti-Spywares Detecting Rootkits Anti-Rootkits NTFS Stream Manipulation Classification of Steganography Steganalysis Methods/Attacks on Steganography Covering Tracks Penetration Testing
J J J J J
Copyright by EC-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule O bjectives
The preceding modules dealt with the progressive intrusion that an attacker makes towards his or her target system(s). You should bear in mind that this does not indicate a culmination of the attack. This module familiarizes you with: System Hacking: Goals CEH Hacking Methodology (CHM) Password Cracking Stealing Passwords Using Keyloggers Microsoft Authentication Howto Disable LM HASH How to Defend against Password Cracking Privilege Escalation Executing Applications Types of Keystroke Loggers and Spywares Anti-Keylogger and Anti-Spywares Detecting Rootkits Anti-Rootkits NTFS Stream Manipulation Classification of Steganography Steganalysis Methods/Attacks on Steganography Covering Tracks Penetration Testing
Module 05 Page 521
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
Inform ation at Hand Before System H acking Stage

What you have at this stage:
(rtifwtf
C EH
itkitjl
Copyright by EG-Cowid. All Rights Reserved Reproduction is Strictly Prohibited.
Inform ation at Hand Before System H acking Stage

Before beginning with system hacking, let's go over the phases you went through and the information you collected so far. Prior to this module, we discussed:
Footprinting M odule
Footprinting is the process of accumulating data regarding a specific network environment. Usually this technique is applied for the purpose of finding ways to intrude into the network environment. Since footprinting can be used to attack a system, it can also be used to protect it. In the footprinting phase, the attacker creates a profile of the target organization, with the information such as its IP address range, namespace, and employee web usage. Footprinting improves the ease with which the systems can be exploited by revealing system vulnerabilities. Determining the objective and location of an intrusion is the primary step involved in footprinting. Once the objective and location of an intrusion is known, by using nonintrusive methods, specific information about the organization can be gathered. For example, the web page of the organization itself may provide employee bios or a personnel directory, which the hacker can use it for the social engineering to reach the objective. Conducting a Whois query on the web provides the associated networks and domain names related to a specific organization.
Module 05 Page 522
Scanning M odule
Scanning is a procedure for identifying active hosts on a network, either for the purpose of network security assessment or for attacking them. In the scanning phase, the attacker finds information about the target assessment through its IP addresses that can be accessed over the Internet. Scanning is mainly concerned with the identification of systems on a network and the identification of services running on each computer. Some of the scanning procedures such as port scans and ping sweeps return information about the services offered by the live hosts that are active on the Internet and their IP addresses. The inverse mapping scanning procedure returns the information about the IP addresses that do not map to the live hosts; this allows an attacker to make suppositions about feasible addresses.
Enum eration M odule

Enumeration is the method of intrusive probing into the target assessment through which attackers gather information such as network user lists, routing tables, and Simple Network Management Protocol (SNMP) data. This is significant because the attacker crosses over the target territory to unearth information about the network, and shares users, groups, applications, and banners. The attacker's objective is to identify valid user accounts or groups where he or she can remain inconspicuous once the system has been compromised. Enumeration involves making active connections to the target system or subjecting it to direct queries. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target might have made public, such as a DNS address; however, it is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session allowing shares and accounts to be enumerated
Module 05 Page 523
System Hacking: Goals

r
(>1fw4
C EH
itkMjl IlMhM
Hacking-Stage
| |
A np
Goal
To collect enough information to gain access T o create a privileged user account if the user level is obtained To create and maintain backdoor access
Technique/Exploit Used
Password eavesdropping, brute forcing Password cracking, known exploits
Gaining Access
Escalating Privileges
15 h *# 1
Hiding Files
Trojans
To hide malicious files
Rootkits
To hide the presence of compromise
Clearing logs
Copyright by E&Cauactl. All Rights Reserved. Reproduction isStrictly Prohibited.
System Hacking: Goals

Every criminal commits a crime to achieve certain goal. Likewise, an attacker can also have certain goals behind performing attacks on a system. The following may be some of the goals of attackers in committing attacks on a system. The table shows the goal of an attacker at different hacking stages and the technique used to achieve that goal.
Module 05 Page 524
Hacking-Stage
Gaining Access
Goal
To collect enough information to gain access To create a privileged user account if the user level is obtained To create and maintain backdoor access
Technique/Exploit Used
Password eavesdropping, brute forcing Password cracking, known exploits
s
A
ao
Escalating Privileges
Executing Applications
Trojans
Hiding Files
To hide malicious files
Rootkits
Covering Tracks
To hide the presence of compromise
Clearing logs
FIGURE 5.1: Goals for System Hacking
Module 05 Page 525
CEH Hacking Me
Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
CEH H acking M ethodology (CHM)

^ ^Before hacking a system, an attacker uses footprinting, scanning, and enumeration techniques to detect the target area of the attack and the vulnerabilities that prove to be doorways for the attacker. Once the attacker gains all the necessary information, he or she starts hacking. Similar to the attacker, an ethical hacker also follows the same steps to test a system or network. In order to ensure the effectiveness of the test, the ethical hacker follows the hacking methodology. The following diagram depicts the hacking methodology followed by ethical hackers:
N (__4)
Module 05 Page 526
FIGURE 5.2: CEH Hacking Methodology (CHM)
Module 05 Page 527
CEH System H acking Steps

* System hacking cannot be accomplished at a single go. It is accomplished through various steps that include cracking passwords, escalating privileges, executing applications, hiding files, covering tracks, and finally penetration testing. Now it's time to discuss these steps one by one thoroughly, to determine how the attacker hacks the system. In an attempt to hack a system, the attacker first tries to crack passwords. This section describes the first step, i.e., password cracking, that will tell you how and what types of different tools and techniques an attacker uses to crack the password of the target system. 121 IE.^ Cracking Passwords Escalating Privileges Hiding Files
Covering Tracks
Penetration Testing
Module 05 Page 528
Passw ord C racking

Password cracking techniques are used to recover passwords from computer systems
(It'fwd
CEH
ttkujl M a ck *
Attackers use password cracking techniques to gain unauthorized access to the vulnerable system
Attacker Victim
Most of the password cracking techniques are successful due to weak or easily guessable passwords
Password Cracking
Password cracking is the process of recovering passwords from the data that has been transmitted by a computer system or stored in it. The purpose of password cracking might be to help a user recover a forgotten or lost password, as a preventive measure by the system administrators to check for easily crackable passwords or it can also be used to gain unauthorized access to a system. Many hacking attempts start with password cracking attempts. Passwords are the key piece of information necessary to access a system. Consequently, most attackers use password cracking techniques to gain unauthorized access to the vulnerable system. Passwords may be cracked manually or with automated tools such as a dictionary or brute-force method. The computer programs that are designed for cracking passwords are the functions of the number of possible passwords per second that can be checked. Often users, while creating passwords, select passwords that are predisposed to being cracked such as using a pet's name or choosing one that's simple so they can remember it. Most of the passwords cracking techniques are successful due to weak or easily guessable passwords.
Module 05 Page 529
Passw ord C om plexity
CEH
Passwords that contain only letters P O TH M YD E ......... V
Passwords that contain only letters and special ..............v characters
bob@&ba
Passwords that contain only special characters .......... I and numbers 123@$45 *
A+D+u =
Password C om plexity
Password complexity plays a key role in improving security against attacks. It is the important element that users should ensure while creating a password. The password should not be simple since simple passwords are prone to attacks. The passwords that you choose should always be complex, long, and difficult to remember. The password that you are setting for your account must meet the complexity requirements policy setting. Password characters should be a combination of alphanumeric characters. Alphanumeric characters consist of letters, numbers, punctuation marks, and mathematical and other conventional symbols. See the implementation that follows for the exact characters referred to: 0 0 0 0 0 0 0 Passwords that contain letters, special characters, and numbers: apl@52 Passwords that contain only numbers: 23698217 Passwords that contain only special characters: & *# @ !(%) Passwords that contain letters and numbers: meetl23 Passwords that contain only letters: POTHMYDE Passwords that contain only letters and special characters: bob@&ba Passwords that contain only special characters and numbers: 123@$4
Module 05 Page 530
Password Cracking T echniques

A dictionary file is loaded into the cracking application that runs against user accounts The program tries every combination of characters until the password is broken It works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password It is the combination of both brute force attack and the dictionary attack
CEH
UrtifW itkH il lUckw
This attack is used when the attacker gets some information about the password
Dictionary Attack
B ru te Forcing A ttacks
H y b rid A tta ck
Syllable A tta ck R u le -ba sed A tta ck
j
Password Cracking T echniques

Password cracking is the technique used for discovering passwords. It is the classic way to gain privileges to a computer system or network. The common approach for cracking a password is to continually try guesses for the password with various combinations until you get the correct one. There are five techniques for password cracking, as follows.
D ictionary Attacks
In a dictionary attack, a dictionary file is loaded into the cracking application that runs against user accounts. This dictionary is the text file that contains a number of dictionary words. The program uses every word present in the dictionary to find the password. Dictionary attacks are more useful than brute force attacks. But this attack does not work with a system that uses passphrases. This attack can be applied under two situations: Q In cryptanalysis, it is used to find out the decryption key for obtaining plaintext from ciphertext.
In computer security, to avoid authentication and access the computer by guessing passwords.
Module 05 Page 531
Methods to improve the success of a dictionary attack: 0 Use the number of dictionaries such as Technical dictionaries and foreign dictionaries which helps to retrieve the correct password
Use the string manipulation on the dictionary, means if dictionary contain the word "system" then try string manipulation and use "metsys" and others
Brute Forcing Attacks

The cryptographic algorithms must be sufficiently hardened in order to prevent a brute-force attack. The definition as stated by RSA: "Exhaustive key-search, or brute-force search, is the basic technique for trying every possible key in turn until the correct key is identified." When someone tries to produce each and every single encryption key for data until the needed information is detected, this is termed a brute force attack. Until this date, this type of attack was performed by those who had sufficient processing power. The United States government once believed (in 1977) that a 56-bit Data Encryption Standard (DES) was sufficient to deter all brute-force attacks, a claim that several groups across the world had tested. Cryptanalysis is a brute force attack on an encryption of a brute force search of the keyspace. In other words, testing all possible keys is done in an attempt to recover the plaintext used to produce a particular ciphertext. The detection of key or plaintext with a faster pace as compared to the brute force attack can be considered a way of breaking the cipher. A cipher is secure if no method exists to break that cipher other than the brute force attack. Mostly, all ciphers are deficient of mathematical proof of security. If the keys are originally chosen randomly or searched randomly, the plaintext will, on average, become available after half of all the possible keys are tried. Some of the considerations for brute-force attacks are as follows: It is a time-consuming process All passwords will eventually be found Attacks against NT hashes are much more difficult than LM hashes
Q P
Hybrid Attack
This type of attack depends upon the dictionary attack. There are chances that people might change their password by just adding some numbers to their old password. In this type of attack, the program adds some numbers and symbols to the words from the dictionary and tries to crack the password. For example, if the old password is "system," then there is a chance that the person will change it to "systeml" or "system2."
Module 05 Page 532
S yllable A ttack
A s y lla b le a t t a c k is t h e c o m b i n a t i o n o f b o t h a b r u t e f o r c e a t t a c k a n d t h e d ic t io n a r y a tta c k . This c r a c k in g t e c h n i q u e is used w h e n t h e p a s s w o r d is n o t an e x is t in g w o r d . A t t a c k e r s use t h e d i c t i o n a r y a n d o t h e r m e t h o d s t o c ra c k it. It also uses t h e p o s s ib le c o m b i n a t i o n o f e v e r y w o r d p r e s e n t in t h e d ic t io n a r y .
R u le-b ase d A ttack

T his t y p e o f a t t a c k is used w h e n t h e a t t a c k e r g e ts s o m e i n f o r m a t i o n a b o u t th e p a s s w o r d . T his is t h e m o s t p o w e r f u l a t t a c k b e c a u s e t h e c r a c k e r k n o w s t h e t y p e o f p a s s w o r d . For e x a m p le , if t h e a t t a c k e r k n o w s t h a t t h e p a s s w o r d c o n t a in s a t w o - o r t h r e e - d i g i t n u m b e r , t h e n h e o r she w i ll use s o m e s p e c ific t e c h n i q u e s a n d e x t r a c t t h e p a s s w o r d in less t i m e . By o b t a i n i n g u s e fu l i n f o r m a t i o n such as use o f n u m b e r s , t h e le n g t h o f p a s s w o r d , a n d sp ec ial c h a r a c te r s , t h e a t t a c k e r can e a sily a d ju s t t h e t i m e f o r r e t r i e v i n g t h e p a s s w o r d t o t h e m i n i m u m a n d e n h a n c e t h e c r a c k in g t o o l t o r e t r i e v e p a s s w o r d s . T h is t e c h n i q u e in v o lv e s b r u t e fo r c e , d ic t io n a r y , a n d s y l l a b le a tta c k s .
Module 05 Page 533
Types of Password Attacks
C EH
Shoulder Surfing Social Engineering Dumpster Diving
1. Passive Online Attacks Attacker performs password hacking without communicating with the authorizing party
tJ e
Wire Sniffing Man-in-the-Middle Replay
e e
4. Non-Electronic Attacks Attacker need not posses technical knowledge to crack password, hence known as non-technical attack
2. Active Online Attacks Attacker tries a list of passwords one by one against the victim to crack password
Pre-Computed Hashes Distributed Network Rainbow
3. Offline Attack Attacker copies the target's password file and then tries to crack passwords in his own system at different location
a w
Hash Injection Trojan/Spyware/Keyloggers Password Guessing Phishing
it
T ypes of P assw o rd A ttacks

P a s s w o rd c r a c k in g is o n e o f t h e c ru c ia l sta ge s o f h a c k i n g a s y s t e m . P a s s w o rd c r a c k in g
u sed f o r le g a l p u r p o s e s r e c o v e r s t h e f o r g o t t e n p a s s w o r d o f a u se r; if it is u sed b y i l l e g i t i m a t e users, it can ca use t h e m t o g a in u n a u t h o r i z e d p r i v i le g e t o t h e n e t w o r k o r s y s te m . P a s s w o rd a tta c k s a re c la s s ifie d b ase d o n t h e a t t a c k e r 's a c tio n s t o c ra c k a p a s s w o r d . U s u a lly t h e r e a re o f f o u r ty p e s . T h e y are:
A 111A
P a ssiv e O n lin e A ttacks

A passive a t t a c k is an a t t a c k o n a s y s te m t h a t d o e s n o t r e s u lt in a c h a n g e t o t h e
s y s te m in a n y w a y . T h e a t t a c k is t o p u r e l y m o n i t o r o r r e c o r d d a ta . A p a s s iv e a t t a c k o n a c r y p t o s y s t e m is o n e in w h i c h t h e c r y p t a n a l y s t c a n n o t i n t e r a c t w i t h a n y o f t h e p a r tie s in v o lv e d , a t t e m p t i n g t o b r e a k t h e s y s te m s o le ly b a se d u p o n o b s e r v e d d a ta . T h e r e a re t h r e e ty p e s o f p assive o n l i n e a tta c k s . T h e y are: Q Q Q W i r e s n if fin g M a n -in -th e -m id d le R ep lay
Module 05 Page 534
|1 n gn 1 ,nd A ctive O n lin e A ttacks

A n a c tiv e o n l i n e a t t a c k is t h e e a s ie s t w a y t o g ain u n a u t h o r i z e d a d m i n i s t r a t o r - l e v e l access t o t h e s y s te m . T h e r e a re t h r e e ty p e s o f A c t iv e O n lin e A tta c k s . T h e y are: 0 0 0 0 P a s s w o rd g ue ssin g T r o j a n / s p y w a r e / k e y lo g g e r Hash in je c t io n Ph ishin g
O ffline A ttacks
O f f l i n e a t t a c k s o c c u r w h e n t h e i n t r u d e r ch e c k s t h e v a l i d i t y o f t h e p a s s w o r d s . He o r sh e o b s e rv e s h o w t h e p a s s w o r d is s t o r e d in t h e t a r g e t e d s y s t e m . If t h e u s e r n a m e s a n d t h e p a s s w o r d s a re s t o r e d in a file t h a t is r e a d a b le , it b e c o m e s easy f o r t h e i n t r u d e r t o g a in access t o t h e s y s te m . In o r d e r t o p r o t e c t y o u r p a s s w o r d s list t h e y s h o u ld a lw a y s be k e p t in an u n r e a d a b l e f o r m , w h i c h m e a n s t h e y h a v e t o be e n c r y p t e d . O ff li n e a tta c k s a re o f t e n t i m e c o n s u m in g . T h e y a re su c ce ssfu l b e c a u s e t h e L M h a s h e s are v u ln e r a b l e due to a s m a lle r keyspace and sh o rte r le n g t h . D iffe re n t p assw ord c r a c k in g
t e c h n i q u e s a re a v a ila b le o n t h e I n t e r n e t . T h e t e c h n i q u e s t o p r e v e n t o r p r o t e c t f r o m o f f l i n e a tta c k s are: 0 0 0 0 Use g o o d p a s s w o rd s R e m o v e LM hashes A t t a c k e r has t h e p a s s w o r d d a ta b a s e Use c r y p t o g r a p h ic a lly s e c u re m e t h o d s w h i l e r e p r e s e n t in g t h e p a s s w o rd s
T h e r e are t h r e e t y p e s o f o f f l i n e a tta c k s . T h e y are: 0 0 0 P r e - c o m p u t e d hashes D is t r ib u t e d n e t w o r k R a in b o w
------ ------------------------------------------------ k n o w n as n o n - t e c h n ic a l a tta c k s . This k in d o f a t t a c k d o e s n ' t r e q u ir e a n y te c h n ic a l k n o w le d g e a b o u t t h e m e t h o d s o f i n t r u d i n g i n t o a n o t h e r 's s y s te m . T h e r e f o r e , it is c a lle d a n o n - e l e c t r o n i c a tta c k . T h e r e a re t h r e e ty p e s o f n o n - e l e c t r o n i c a tta c k s . T h e y are: 0 0 0 S h o u ld e r s u rfin g Social e n g in e e r in g D u m p s t e r d iv in g
Module 05 Page 535
Passive O nline A ttack: W ire Sniffing

Q Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic
CEH
Com putationally Com plex

Victim Attacker Victim
The captured data may include sensitive information such as passwords (Telnet, FTP, rlogin sessions, etc.) and emails Sniffed credentials are used to gain unauthorized access to the target system
M m
-7 7 -1 P a ssiv e O n lin e A ttack: W ire Sniffing

3
A p a c k e t s n i f f e r t o o l is s e ld o m used f o r an a tta c k . T his is b e c a u s e a s n if f e r can w o r k
---------- -
o n l y in a c o m m o n c o llis io n d o m a i n . C o m m o n c o ll i s i o n d o m a i n s a re n o t c o n n e c t e d b y a s w it c h o r b rid g e . All t h e h o s ts o n t h a t n e t w o r k a re a lso n o t s w i t c h e d o r b r id g e d in t h e n e t w o r k s e g m e n t. As s n if fe r s g a t h e r p a c k e ts a t t h e D a ta L in k L a ye r, t h e y can g ra b all p a c k e ts o n t h e LAN o f th e m a c h in e t h a t is r u n n i n g t h e s n i f f e r p r o g r a m . T his m e t h o d is r e l a t iv e l y h a r d t o p e r p e t r a t e a n d is c o m p u t a t io n a lly c o m p lic a te d . T his is b e c a u s e a n e t w o r k w i t h a h u b i m p l e m e n t s a b r o a d c a s t m e d i u m t h a t all s y s te m s s h a re o n t h e LAN. A n y d a ta s e n t acro ss t h e LAN is a c tu a lly s e n t t o e a c h a n d e v e r y m a c h in e c o n n e c t e d t o t h e LAN. If an a t t a c k e r r u n s a s n if f e r o n o n e s y s te m o n t h e LAN, he o r she can g a t h e r d a ta s e n t t o a n d f r o m a n y o t h e r s y s te m o n t h e LAN. T h e m a j o r i t y o f s n i f f e r t o o l s a re id e a lly s u it e d t o s n if f d a ta in a h u b e n v i r o n m e n t . T h e se t o o l s a re c a lle d p assive s n if fe r s as t h e y p a s s iv e ly w a i t f o r d a ta t o be s e n t, b e f o r e c a p t u r i n g t h e i n f o r m a t i o n . T h e y a re e f f i c i e n t a t i m p e r c e p t i b l y g a t h e r i n g d a t a f r o m t h e LAN. T h e c a p t u r e d d a ta m a y in c lu d e p a s s w o r d s s e n t t o r e m o t e s y s te m s d u r in g T e l n e t , FTP, r lo g i n se s s io n s , a nd e le c t r o n i c m a il s e n t a n d r e c e iv e d . S n i f f e d c r e d e n t i a l s a re used t o g ain u n a u t h o r i z e d access t o t h e t a r g e t s y s te m . T h e r e a re a v a r i e t y o f t o o ls a v a ila b le o n t h e I n t e r n e t f o r p a s s iv e w i r e s n if f i n g .
Module 05 Page 536
Victim
Module 05 Page 537
P a ssiv e O n lin e A ttacks: M an-in-theM id d le a n d R eplay A ttack
CEH
Victim
Web Server
Attacker
Considerations
In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information
Relatively hard to perpetrate Must be trusted by one or both sides Can sometimes be broken by invalidating traffic
In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, thetokens are placed back on the network to gain access
Copyright by E&Coincil. All Rights Reserved. Reproduction isStrictly Prohibited.
W h e n t w o p a r tie s a re c o m m u n i c a t i n g , t h e m a n - i n - m i d d l e a t t a c k can ta k e p la ce. In t h is case, a t h i r d p a r t y i n t e r c e p t s t h e c o m m u n i c a t i o n b e t w e e n t h e t w o p a r tie s , a s s u rin g t h e t w o p a r tie s t h a t t h e y are c o m m u n i c a t i n g w i t h e a ch o t h e r . M e a n w h i l e , t h e t h i r d p a r t y a lt e r s t h e d a ta o r e a v e s d r o p s a n d passes t h e d a ta a lo n g . T o c a r r y o u t th is , t h e m a n in m id d l e has t o s n i f f f r o m b o t h sides o f t h e c o n n e c t i o n s i m u l t a n e o u s ly . T his t y p e o f a t t a c k is o f t e n f o u n d in t e l n e t and w ir e le s s t e c h n o l o g i e s . It is n o t easy t o i m p l e m e n t such a tta c k s d u e t o t h e TCP s e q u e n c e n u m b e r s a n d s p e e d . This m e t h o d is r e l a t iv e l y h a r d t o p e r p e t r a t e a n d can be b r o k e n s o m e t i m e s by in v a lid a tin g th e tra ffic . In a r e p la y a tta c k , p a c k e ts a re c a p t u r e d u sin g a s n if fe r . A f t e r t h e r e l e v a n t i n f o r m a t i o n is
^ P a ssiv e O n lin e A ttack: M a n in th e M id d le an d R ep lay A ttack
e x t r a c t e d , t h e p a c k e ts a re p la c e d b a ck o n t h e n e t w o r k . This t y p e o f a t t a c k can be u sed t o r e p la y b a n k t r a n s a c t i o n s o r o t h e r s i m i l a r ty p e s o f d a ta t r a n s f e r in t h e h o p e o f r e p l i c a t i n g o r c h a n g i n g a c tiv it ie s , such as d e p o s its o r tr a n s fe r s .
Module 05 Page 538
Original Connection r
.................... O ................
...................
............................ >
Victim
Sniff
MITM / Replay Traffic
W eb Server
FIGURE 5.4: Passive Online Attack by Using Man-in-the-Middle and Replay Attack
Module 05 Page 539
Active O nline Attack: Passw ord G uessing

I The attacker takes a set of dictionary words and names, and tries all the possible combinations to crack the password
Network
C EH
Network
Server
Network
Considerations
--------- /c n = \ < !_!
Network
1 Time consuming 1 J Requires huge amounts of network bandwidth Easily detected
A ctive O n lin e A ttack: P assw o rd G u e ssin g

E v e r y o n e k n o w s y o u r u s e r n a m e , b u t y o u r p a s s w o r d is a w e l l - k e p t s e c re t in o r d e r t o k e e p o t h e r s a w a y f r o m a c c e s s in g y o u r tr a n s a c t io n s . W i t h t h e aid o f d i c t i o n a r y a t t a c k m e t h o d o l o g i e s , an i n t r u d e r tr ie s m a n y m e a n s t o g u e s s y o u r p a s s w o r d . In th is m e t h o d o l o g y , an a t t a c k e r ta k e s a s e t o f d i c t i o n a r y w o r d s a n d n a m e s , a n d m a k e s all t h e p o s s ib le c o m b i n a t i o n s t o g e t y o u r p a s s w o r d . T h e a t t a c k e r p e r f o r m s t h is m e t h o d w i t h p r o g r a m s t h a t guess h u n d r e d s o r th o u s a n d s o f w o r d s p e r s e c o n d . T his m a k e s it e a s y f o r t h e m t o t r y m a n y v a r i a t i o n s : b a c k w a r d s w o r d s , d i f f e r e n t c a p i t a l i z a t i o n , a d d in g a d ig i t t o t h e e n d , e tc. T o f a c i li t a t e t h is f u r t h e r , t h e a t t a c k e r c o m m u n i t y has b u i l t large d i c t i o n a r i e s t h a t in c lu d e w o r d s f r o m f o r e i g n la n g u a g e s, o r n a m e s o f th in g s , places, a n d t o w n s m o d e l e d t o c ra c k p a s s w o r d s . A t t a c k e r s can also scan y o u r p r o f i le s t o lo o k f o r w o r d s t h a t m i g h t b r e a k y o u r p a s s w o r d . A g o o d p a s s w o r d is easy t o r e m e m b e r , b u t h a rd t o guess, so y o u n e e d t o p r o t e c t y o u r p a s s w o r d by m a k in g it a p p e a r r a n d o m by i n s e r t in g such t h in g s as d ig its a n d p u n c t u a t i o n . T h e m o r e i n t r i c a t e y o u r p a s s w o r d , t h e m o r e d i f f i c u l t it b e c o m e s f o r t h e i n t r u d e r t o b r e a k .
Module 05 Page 540
Attacker FIGURE 5.5: Active Online Attack by Using Password Guessing Method
S o m e o f t h e c o n s i d e r a t i o n s f o r p a s s w o r d g u e s s in g a re as f o l lo w s : 0 0 0 T akes a lo n g t i m e t o be g ue ss ed R e q u ire s h u g e a m o u n t s o f n e t w o r k b a n d w i d t h It can be e a sily d e t e c t e d
Module 05 Page 541
Active O nline Attack: Troj an/Spy w are/K ey logger

Spyware is a type o f m alware th a t allows attackers to secretly gather inform ation about a person or organization
CEH
W ith the help o f a Trojan, an attacker gets access to the stored passwords in the attacked com puter and is able to read personal documents, delete files, and display pictures
A Keylogger is a program th a t runs in the background and allows rem ote attackers to record every keystroke
vv/
A ctive O n lin e A ttack: Troj an /S p y w a re /K e y lo g g e r

A T r o ja n is a d e s t r u c t i v e p r o g r a m s t h a t s u b t e r f u g e as a b e n ig n a p p li c a t i o n . P r io r t o t h e in s t a l l a t i o n a n d / o r e x e c u t i o n , t h e s o f t w a r e i n i t i a ll y a p p e a rs t o p e r f o r m a d e s ir a b le f u n c t i o n , b u t in p r a c tic e it ste als i n f o r m a t i o n o r h a r m s t h e s y s te m . W i t h a T r o ja n , a t ta c k e r s m a y h a ve r e m o t e access t o t h e t a r g e t c o m p u t e r . A t t a c k e r s can h a ve access t o t h e c o m p u t e r r e m o t e l y a n d p e r f o r m v a r io u s o p e r a t i o n s t h a t a re l i m i t e d b y u s e r p r i v i le g e s o n t h e t a r g e t c o m p u t e r , by in s t a llin g t h e T r o ja n . S p y w a r e is a t y p e o f m a l w a r e t h a t can be in s t a lle d o n a c o m p u t e r t o g a t h e r i n f o r m a t i o n a b o u t t h e users o f t h e c o m p u t e r w i t h o u t t h e i r k n o w l e d g e . T his a llo w s a tt a c k e r s t o g a t h e r i n f o r m a t i o n a b o u t t h e u se r o r t h e o r g a n i z a t i o n s e c re tly . T h e p r e s e n c e o f s p y w a r e is t y p i c a l l y h id d e n f r o m t h e user, a n d can be d i f f i c u l t t o d e te c t. A k e y lo g g e r is a p r o g r a m t h a t re c o rd s all t h e k e y s t r o k e s t h a t a re t y p e d o n t h e c o m p u t e r k e y b o a r d w i t h o u t t h e k n o w l e d g e o f t h e user. O n c e k e y s tr o k e s a re lo g g e d , t h e y a re s h ip p e d t o t h e a t t a c k e r , o r h id d e n in t h e m a c h in e f o r l a t e r r e t r ie v a l. T h e a t t a c k e r t h e n s c r u t i n iz e s t h e m c a r e f u l l y f o r t h e p u r p o s e o f f i n d i n g p a s s w o r d s o r o t h e r u s e fu l i n f o r m a t i o n t h a t c o u ld be u sed t o c o m p r o m i s e t h e s y s te m . For e x a m p le , a k e y lo g g e r is c a p a b le o f r e v e a l i n g t h e c o n t e n t s o f all e m a ils c o m p o s e d b y t h e u s e r o f t h e c o m p u t e r s y s te m o n w h i c h t h e k e y lo g g e r has b e e n in s ta lle d .
Module 05 Page 542
Active O nline Attack: Hash Injection Attack
CEH
A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources
The attacker finds and extracts a logged on domain admin account hash
The attacker uses the extracted hash to log on to the domain controller
Inject a compromised hash into a local session
1 1 .
I k
Attacker
Victim Computer
A ctive O n lin e A ttack: H ash In je c tio n A ttack

A hash in j e c t i o n a t t a c k is t h e c o n c e p t o f i n j e c t i n g a c o m p r o m i s e d h a sh i n t o a local session a n d t h e n u sin g t h e hash t o a u t h e n t i c a t e t o t h e n e t w o r k re s o u rc e s . T his a t t a c k is d o n e s u c c e s s fu lly in f o u r s te p s . T h e y a re : T h e h a c k e r c o m p r o m i s e s o n e w o r k s t a t i o n / s e r v e r u sin g a l o c a l / r e m o t e e x p l o i t T h e h a c k e r e x tr a c ts lo g g e d - o n h ash e s a n d f in d s a lo g g e d - o n d o m a i n a d m in a c c o u n t hash T h e h a c k e rs use t h e hash t o log o n t h e d o m a i n c o n t r o l l e r T h e h a c k e r e x tr a c ts all t h e h ash es in t h e A c t i v e D i r e c t o r y d a t a b a s e a n d can n o w s a tiriz e a n y a c c o u n t in t h e d o m a i n
Inject a com prom ised hash into a local session
Attacker
if
FIGURE 5.6: Active Online Attack by Using Hash Injection Attack
Victim Computer
Module 05 Page 543
O ffline A ttack: Rainbow A ttacks I CEH
Convert huge word lists like dictionary files and brute force lists into password hashes using techniques such as rainbow tables
Compute the hash for a list of possible passwords and compare it with the precomputed hash table. If a match is found then the password is cracked
It is easy to recover passwords by comparing captured password hashes to the precomputed tables
\\
O ffline A ttack: R ainbow A ttacks

D-fra
O f f lin e a tta c k s o c c u r w h e n t h e i n t r u d e r ch e cks t h e v a l i d i t y o f t h e p a s s w o r d s . He o r sh e o b s e rv e s h o w t h e p a s s w o r d is s t o r e d . If t h e u se r n a m e s a n d t h e p a s s w o r d s a re s t o r e d in a file t h a t is r e a d a b l e , it b e c o m e s easy f o r h im o r h e r t o g ain access t o t h e s y s te m . H e n ce , t h e p a s s w o r d s list m u s t be p r o t e c t e d a n d k e p t in an u n r e a d a b l e f o r m , such as an e n c r y p t e d f o r m . O ff li n e a tta c k s a re t i m e c o n s u m in g . T h e y a re su cce ssfu l b e c a u s e t h e L M h a s h e s a re v u ln e r a b l e d u e t o s m a lle r k e y s p a c e a nd s h o r t e r le n g t h . a v a ila b le o n t h e I n t e r n e t . T h e r e a re t w o t y p e s o f o f f l i n e a tta c k s t h a t an a t t a c k e r can p e r f o r m t o d is c o v e r t h e p a s s w o r d , e 0 R a in b o w A t ta c k s D i s t r i b u t e d n e t w o r k A t ta c k s D iffe re n t p a ssw ord c r a c k in g t e c h n i q u e s are
___
R ainbow A ttacks
A r a i n b o w a t t a c k is t h e i m p l e m e n t a t i o n o f t h e c r y p t a n a l y t i c t i m e - m e m o r y t r a d e - o f f t e c h n i q u e . C r y p t a n a l y t i c t i m e - m e m o r y t r a d e - o f f is t h e m e t h o d t h a t r e q u ir e s less t i m e f o r c ry p ta n a ly s is . It uses a lr e a d y c a lc u la te d i n f o r m a t i o n s t o r e d in t h e m e m o r y t o c ra c k t h e c r y p t o g r a p h y . In t h e
Module 05 Page 544
r a i n b o w a tta c k , t h e s a m e t e c h n i q u e is u se d ; t h e p a s s w o r d hash t a b l e is c r e a te d in a d v a n c e a nd s t o r e d i n t o t h e m e m o r y . Such a t a b l e is ca lle d a " r a i n b o w t a b l e . "
*Z
R ainbow T ab le
A r a i n b o w t a b l e is a lo o k u p t a b l e s p e c ia lly u sed in r e c o v e r i n g t h e p l a i n t e x t p a s s w o r d
f r o m a c i p h e r t e x t . The a t t a c k e r uses t h i s t a b l e t o lo o k f o r t h e p a s s w o r d a n d tr ie s t o r e c o v e r th e p a s s w o r d f r o m p a s s w o r d hashes.
C o m p u ted H ash es
th e A n a t t a c k e r c o m p u t e s t h e hash f o r a list o f p o s s ib le p a s s w o r d s a n d c o m p a r e s it w i t h p re -c o m p u te d hash t a b l e ( r a i n b o w ta b le ) . If a m a t c h is f o u n d , t h e n t h e p a s s w o r d is
cracked.
C o m p are th e H ash es
It is easy t o r e c o v e r p a s s w o r d s b y c o m p a r i n g c a p t u r e d p a s s w o r d h as h e s t o t h e p r e c o m p u t e d t a b le s .
P re-C o m p u ted H ash es

O n ly e n c r y p t e d p a s s w o r d s s h o u ld be s t o r e d in a f ile c o n t a i n i n g u s e r n a m e / e n c r y p t e d p a s s w o r d p a irs . T h e t y p e d p a s s w o r d is e n c r y p t e d u s in g t h e hash f u n c t i o n o f c r y p t o g r a p h y d u r in g t h e lo g o n p ro c e s s , a n d it is t h e n c o m p a r e d w i t h t h e p a s s w o r d t h a t is s t o r e d in t h e file . E n c r y p te d p a s s w o r d s t h a t a re s t o r e d can p r o v e useless a g a in s t d i c t i o n a r y a t t a c k s . If t h e file t h a t c o n t a in s t h e e n c r y p t e d p a s s w o r d is in a r e a d a b le f o r m a t , t h e a t t a c k e r can e asily d e t e c t t h e hash f u n c t i o n . He o r she can t h e n d e c r y p t e ach w o r d in t h e d i c t i o n a r y u sin g t h e hash f u n c t i o n , a n d t h e n c o m p a r e w i t h t h e e n c r y p t e d p a s s w o r d . T h u s t h e a t t a c k e r o b t a i n s all p a s s w o r d s t h a t a re w o r d s lis te d in t h e d ic t io n a r y . S to ra g e o f h ash e s r e q u ir e s la rg e m e m o r y sp ace such as LM " h a s h e s " r e q u i r e 3 1 0 T e r a b y te s a nd NT H ashes < 15 ch a rs r e q u ir e s 5 , 6 5 2 , 8 9 7 , 0 0 9 E x a b y te s . Use a t i m e - s p a c e t r a d e o f f t e c h n i q u e t o r e d u c e m e m o r y sp ace r e q u i r e d t o s to r e hashes.
Iqazwed hh021da 9da8dasf
-> 4259cc34599c530b28a6a8f225d668590 -> c744bl716cbf8d4dd0ff4ce31al77151 -> 3cd696a8571a843cda453a229d741843
sodifo8sf -> 7ad7d6fa6bb4fd28ab98b3dd33261e8f
Module 05 Page 545
Tools to C reate Rainbow Tables: W inrtgen and rtg en

The rtgen program need several parameters to generate a rainbow table, the syntax of the command line is: Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table index chain len chain num part index
CEH
Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHAl, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes
Administrator Command Prompt - rtgen ntJm loweralpha 1 7 0 1000 4000000 0 1 ~ i

C :\lls ers N ftd nin istpa tn rN D ou n lofldxNt'a inliawc t*sck l . 5 u in 6 4 > rtg e n n t l n laM cpulp
Rainbow Table properties ChainL 1 24C O
1 lnbow ta b le n t 1_lo1w1*dlu)Ml-y_0_lUUx4UUlKWO_tt.rt param eters iMch a lg o r ith m : n t ln Itash le n g th : 16 :h a r o e t: ahcdof gh i.ih lm n o p a rc tu v u x v c . hnr.net in he x : 61 62 63 64 65 G G G7 68 69 6 a 6h 6c 6d 6e 6 f 78 71 74 7S 76 77 78 77 7a cha rset le n g th : 26
| k h a
[#>6COFQHIJW.MNOPQRSrUWvW2 Key *oocf 8353C82502 keys DW. : 610 :5 M 3 Succfzi tr lI.Uy 0 978333 |978(K|
loq uo nt 141 3 t a r t in tf p o in t b o gin from 0 <0x0090000000000000 < > k!!3fc o f 1MHHHHH ra in h o u r.h n in .1 ge ne rate d <H n 7 .6 a I 111 vr: I 1M M W W M U r nhou f l w i n i <U n V . 6 < : 7M.HH o f 4W M M M M W rn in h n u c ho i n i y r > r . r .l <8 it 7 .7 s tfc2144 o f 48W8888 m iu lw u ch in :! ra te d < 11 n 7 .6 < ( o f 4080090 rainb ow c ha lnu ge ne rate d <0 1 7 .6 v 27680 <
41 .
>tp .pd arte prt(n r 1r* 1pn hmr T0Ui (ccirpuUlun in;
Oplitnil 0 4
M B e re * w a rk
rim -
http://project-rainbowcrack.com
h ttp ://w w w .o xid .it
Copyright by E&GaUKfl. All Rights Reserved. Reproduction is Strictly Prohibited.
Tools to C re a te R ainbow T ab les: W in rtg en a n d rtg e n

A t t a c k e r s can c r e a te r a i n b o w t a b l e s b y u sin g f o l l o w i n g to o ls .
W in rtg en
v S o u rc e : h t t p : / / w w w . o x i d . i t W i n r t g e n is a g ra p h ic a l R a in b o w T a b le s G e n e r a t o r t h a t h e lp s a tt a c k e r s t o c r e a t e r a i n b o w ta b le s f r o m w h i c h t h e y can c ra c k t h e h a s h e d p a s s w o r d . It s u p p o r t s L M , F a stL M , N T L M , LMCHALL, H alfL M C H A L L , N TLM C H A LL, MSCACHE, MD2, MD4, MD5, SHA1, R IP E M D 1 6 0 , M ySQL323,
M y S Q L S H A l, CiscoPIX, ORACLE, SHA-2 (2 5 6 ), SHA-2 (38 4), a n d SHA-2 (5 1 2 ) hashes.
Module 05 Page 546
Rainbow Table properties

Mr! Len Max Len le n Index index Char* Len Chain Count
in
N* of tables
Charset
|a lp h a
[ABCDEFGHUKLMNOPQRSTUVWXYZ Table properties Key space: 8353082582 keys Disk space: 810.35 MB Success probab*ty: 0.978038 (97.80*) Benchmark Hash speed Step speed Table precomputation time Total precomputation time: Max cryptanalysis time: Benchmark Optional parameter !Administrator
Edit
jj
Cancel
FIGURE 5.7: Winrtgen Generate Rainbow Table in Window
S o u rc e : h t t p : / / p r o 1 e c t - r a in b o w c r a c k . c o m R a in b o w C r a c k is a g e n e r a l p r o p o s e i m p l e m e n t a t i o n t h a t ta k e s a d v a n ta g e o f t h e t i m e - m e m o r y t r a d e - o f f t e c h n i q u e t o c ra c k hashes. T his p r o je c t a llo w s y o u t o c ra c k a h a s h e d p a s s w o r d . T he r tg e n t o o l o f t h is p r o j e c t is u sed t o g e n e r a t e t h e r a i n b o w ta b le s . T h e r tg e n p r o g r a m n e e d s s e v e ra l p a r a m e t e r s t o g e n e r a t e a r a i n b o w t a b l e ; y o u can use f o l l o w i n g s y n t a x o f t h e c o m m a n d lin e t o g e n e r a t e r a i n b o w ta b le s :
Syntax: r tg e n h a s h _ a lg o r i t h m c h a r s e t p la i n t e x t _ l e n _ m i n p l a i n t e x t _ l e n _ m a x t a b l e j n d e x
c h a i n j e n c h a in _ n u m p a r t j n d e x
Administrator: Command Prompt - rtgen ntlm loweralpha 1 7 0 1000 4000000 0
_ X
nistrator\Downloads\rainbowcrackl.5win64>rtgen ntln loweralpha 1 MUM 0 ntlm_loweralphattl1000_0_7x4000000_0.rt parameters n: ntln 16 abcdefghijklnnopqrstuvwxyz x: 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 78 79 7a h: 26 gth range: 1 - 7 : 0x00000000 al: 8353082582 arting point begin fron 0 <0x0000000000000000) 000 rainbow chains generated <0 n 0000 rainbow chains generated <0 0000 rainbow chains generated <0 0000 rainbow chains generated <0 0000 rainbow chains generated <0 0000 rainbow chains generated <0 7.6 s> n 7.6 s) n 7.7 s) n 7.6 s) n 7.6 s) n 7.6 s)
FIGURE 5.8: rtgen Generate Rainbow Table in Window
Module 05 Page 547
Distributed Network Attack

A Distributed N etw ork Attack (DNA) technique is used for recovering password-
C EH
protected files using the unused processing pow er of m achines across th e ne tw o rk to decrypt passwords In this attack, a DN A m anager is installed in a central location w here machines running DN A clients can access it o v e rth e network
/ The D N A M a n a g e r is in s ta lle d in a c e n tra l lo c a tio n w h e r e m a c h in e s ru n n in g o n D N A C lie n t can access it

L .
f
DNA Manager
^ coordinates th e attack and allocates small p o rtions o f th e key search to machines th a t are d is trib u te d over th e n e tw o rk
f
D N A C lie n t ru ns in th e b a c k g ro u n d , c o n s u m in g o n ly
^ The program com bines th e processing capabilities o f all the clients connected to n e tw o rk and uses it to pe rfo rm key search to de crypt th e m
j
un u se d p ro ce sso r tim e
o v e r th e n e tw o rk
D istrib u te d N etw ork A ttacks

A D i s t r i b u t e d N e t w o r k A t t a c k (D N A ) is t h e t e c h n i q u e used f o r r e c o v e r i n g p a s s w o r d p r o t e c t e d file s . It u tiliz e s t h e u n u s e d p ro c e s s in g p o w e r o f m a c h in e s acro ss t h e n e t w o r k t o d e c r y p t p a s s w o r d s . In t h is a tta c k , a D N A m a n a g e r is in s t a lle d in a c e n t r a l l o c a tio n w h e r e m a c h in e s r u n n i n g D N A c lie n ts can access it o v e r t h e n e t w o r k . T h e D N A m a n a g e r c o o r d i n a t e s t h e a tta c k , a ssig n in g s m a ll p o r t i o n s o f t h e k e y s e a rc h t o m a c h in e s d i s t r i b u t e d t h r o u g h o u t t h e n e t w o r k . T h e D N A c l i e n t r u n s in t h e b a c k g r o u n d , o n l y t a k i n g u n u s e d p ro c e s s o r t i m e . T h e p r o g r a m c o m b in e s t h e p ro c e s s in g c a p a b ilit ie s o f all t h e c lie n ts c o n n e c t e d t o n e t w o r k a n d uses t h e m t o p e r f o r m a k e y s e a rch o n O ffic e 9 7 a n d 2 0 0 0 t o d e c r y p t t h e m . F ea tu res o f th e D N A : Reads s ta tis tic s a nd g ra p h s e a sily A d d s u s e r d ic t io n a r ie s t o c ra c k t h e p a s s w o r d O p tim iz e s p a s s w o r d a tta c k s f o r s p e c ific la n g u a g e s M o d i f i e s t h e u s e r d ic t io n a r ie s C o m p r is e s o f s t e a lt h c l i e n t in s t a l l a t i o n f u n c t i o n a l i t y A u t o m a t i c a l l y u p d a t e s c l i e n t w h i l e u p d a t i n g t h e D N A s e rv e r
Module 05 Page 548
C o n tr o ls t h e c lie n ts a n d id e n t if ie s w o r k d o n e b y c lie n ts
D N A is d iv id e d i n t o t w o m o d u le s :
DNA S erver In te rfa c e

T h e D N A s e r v e r i n t e r f a c e a llo w s users t o m a n a g e D N A f r o m a s e rv e r. T h e D N A s e rv e r m o d u l e p r o v id e s t h e u s e r w i t h t h e s ta tu s o f all j o b s t h a t t h e D N A s e r v e r is e x e c u tin g . T his in t e r f a c e is d iv i d e d in t o : Q C u rre n t jo bs: T h e c u r r e n t j o b q u e u e has all t h e j o b s t h a t h a ve b e e n a d d e d t o t h e list by t h e c o n t r o l l e r . T h e c u r r e n t j o b list has m a n y c o lu m n s , such as t h e i d e n t i f i c a t i o n n u m b e r t h a t has b e e n a ssig n e d b y t h e D N A t o t h e j o b , t h e n a m e o f t h e e n c r y p t e d file , t h e p a s s w o r d t h a t has b e e n used b y t h e user, t h e p a s s w o r d t h a t m a tc h e s a ke y w h i c h can u n lo c k d a ta , t h e s ta tu s o f t h e j o b , a n d v a r io u s o t h e r c o lu m n s . Finished jo b s: T h e f in is h e d j o b list p r o v id e s i n f o r m a t i o n a b o u t t h e j o b s t h a t can be d e c r y p t e d b y in c lu d in g t h e p a s s w o r d . T h e f in is h e d j o b s list also has m a n y c o lu m n s t h a t a re s im ila r t o t h e c u r r e n t j o b list. T he se c o lu m n s in c lu d e t h e i d e n t i f i c a t i o n n u m b e r a ssig n e d by D N A t o t h e j o b , t h e n a m e o f t h e e n c r y p t e d f i l e , t h e d e c r y p t e d p a t h o f t h e file , t h e ke y used t o e n c r y p t a n d d e c r y p t t h e file , t h e d a t e a n d t i m e t h a t t h e D N A s e rv e r s t a r t e d w o r k i n g o n t h e j o b , t h e d a te a n d t i m e t h e D N A s e r v e r f in is h e d w o r k i n g o n t h e j o b , t h e e la p s e d t i m e , e tc.
DNA C lie n t In te rfa c e

T h e D N A c l i e n t i n t e r f a c e can be used f r o m m a n y w o r k s t a t i o n s . T h e c l i e n t s ta t is t ic s can b e e a sily c o o r d i n a t e d by u sin g t h e D N A c l i e n t in t e r fa c e . T his in t e r f a c e is a v a ila b le o n
m a c h in e s w h e r e t h e D N A c l i e n t a p p li c a t i o n has b e e n in s ta lle d . T h e r e a re m a n y c o m p o n e n t s such as t h e n a m e o f t h e D N A c lie n t, t h e n a m e o f t h e g r o u p t o w h i c h t h e D N A c l i e n t b e lo n g s , t h e sta tis tic s a b o u t th e c u r r e n t jo b , and m a n y o th e r c o m p o n e n ts .
N etw ork M a n a g e m e n t
The N e t w o r k T r a ffic a p p li c a t i o n in W i n d o w s is u sed f o r t h e purpose o f n e tw o rk m a n a g e m e n t . T he N e t w o r k T r a ffic d ia lo g b o x is u sed t o f i n d o u t t h e n e t w o r k s p e e d t h a t D N A uses a n d e a ch w o r k u n i t le n g t h o f t h e D N A c l i e n t . U sing t h e w o r k u n i t le n g t h , a D N A c l i e n t can w o r k w i t h o u t c o n t a c t i n g t h e D N A s e rv e r. T h e D N A c l i e n t a p p li c a t i o n has t h e a b i l it y t o c o n t a c t t h e D N A s e r v e r a t t h e b e g in n in g a nd e n d in g o f t h e w o r k u n i t le n g t h . T h e u s e r can m o n i t o r t h e j o b s ta tu s q u e u e a nd t h e DNA. W h e n t h e d a ta is c o lle c te d f r o m t h e N e t w o r k T r a ffic d ia lo g box, m o d i f i c a t i o n t o t h e c l i e n t w o r k u n i t can be m a d e . W h e n t h e size o f t h e w o r k u n i t le n g t h in c re a se s, t h e s p e e d o f t h e n e t w o r k t r a f f i c d e cre a s e s . If t h e t r a f f i c has been decreased, th e c lie n t w o r k on th e jo b s w o u ld re q u ire a lo n g e r a m o u n t o f tim e . T h e re fo re , f e w e r r e q u e s ts t o t h e s e r v e r can be m a d e d u e t o t h e r e d u c t i o n in t h e b a n d w i d t h o f n e t w o r k tra ffic .
Module 05 Page 549
Elcom soft D istributed Passw ord Recovery

Features:
CEH
Distributed password recovery over LAN, Internet, or both Plug-in architecture allows for additional file formats Schedule support for flexible load balancing Install and remove password recovery clients remotely Encrypted network communications
IkomioA Dttnbut*! P mmokI te ovm ><
[-!a
v * -
tm
1 1 a f
MM<j +
< f
LU
Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment
n = n
h ttp ://w w w . elcomsoft. com

"
E lcom soft D istrib u te d P assw o rd R eco v ery

S o u rc e : h t t p : / / w w w . e l c o m s o f t . c o m E lc o m s o ft D i s t r i b u t e d stro n g e n c ry p tio n P a s s w o rd R e c o v e r y a llo w s y o u t o b re a k c o m p le x p a s s w o r d s , r e c o v e r
keys, a nd u n lo c k d o c u m e n t s in a p r o d u c t i o n e n v i r o n m e n t . It a llo w s t h e
e x e c u t i o n o f m a t h e m a t i c a l l y i n t e n s i v e p a s s w o r d r e c o v e r y c o d e o n t h e e n o r m o u s l y p a ra lle l c o m p u t a t i o n a l e le m e n t s f o u n d in m o d e r n g r a p h i c a c c e le r a t o r s . T his e m p lo y s an i n n o v a t i v e t e c h n o l o g y t o a c c e le r a te p a s s w o r d r e c o v e r y w h e n a c o m p a t i b l e ATI o r N V ID IA g r a p h ic s c a rd is p r e s e n t in a d d i t i o n w i t h t h e C P U -o n ly m o d e . W h e n c o m p a r e d w i t h t h e p a s s w o r d r e c o v e r y m e t h o d s t h a t o n l y use t h e c o m p u t e r ' s m a in CPU, t h e GPU a c c e le r a tio n u sed b y t h is t e c h n o l o g y m a k e s p a s s w o r d r e c o v e r y fa s te r . T his s u p p o r t s p a s s w o r d r e c o v e r y o f a v a r i e t y o f a p p li c a t i o n s a n d file f o r m a t s . F ea tu res & B en e fits Q Q Q Q Q R ed uc e s p a s s w o r d r e c o v e r y t i m e D i s t r i b u t e d p a s s w o r d r e c o v e r y o v e r LAN, I n t e r n e t , o r b o t h S o lace m a n a g e m e n t f o r f l e x i b l e c o n t r o l f r o m a n y n e t w o r k e d PC P lu g-in a r c h i t e c t u r e a llo w s f o r a d d it io n a l f ile f o r m a t s F le xib le q u e u e c o n t r o l a llo w s easy j o b m a n a g e m e n t In sta ll a n d r e m o v e p a s s w o r d r e c o v e r y c lie n ts r e m o t e l y
Module 05 Page 550
& ie fcdrt ^ y!w Agent Server tjelp Start II 1 Apply Sr Add Files | filenam e S Testl.&x C STest2.>Jsx M Test3.rfsx TcsM.xbx & TestS. >lcx 5 Reva.xisx 6 CSoft.&x
Elcomsoft Distributed Password Rccovcry
- L fJ
X Delete | ^ rena*mg tme
(!) Enable (5 Doable dapsed tme 1rwi. lrwv Inn. 121w. current speed average speed 4S 6 423 219 470 42 ? 263 status recovered recovered recovered recovered notavpted recovered
Files
process 0.983 % 1.087 % 0.526% S .297 % 0.782 % 0.005% 0.549%
~2h. lfimn. ? Inin.
Connection
Alerts m Cache And Log , not recovered: 0, net crypted : 1 total: 7, not started : 1 , paused : 1, wartng : 0, ecovered : S Attack dictionary [Er^lish
Prefix /Suffix s
object
Result
C om m ent Character Groups v|

M a * 5>m60J:
y M utatton
abcdei^ttnrwpqrstuv.vxyz ABCDffG HJKLM NO PQ RSTLVW XYZ @ 1234567392 . # U + - % a- 0 0 / 1 <>0 ; : 4.? !\ nSoac*
1 0 Bask
l l
) Length
no acttve tasks
tocalmt
onlne
& Elk E d i t ^ yiew ^ Agent S e r v e r Help
Elcomsoft Distributed Password Recovery
.!|
, v' Add F i l e s ^ S t a r t f i l e n a m e Q| T e s t i . j d s x g T e s t 2 . x l s * GS T e * t 3 . ) d s x A Te s M . i d s x G f iT e s t S.xin Q R e v a . x i s x
II | S
X Odde | 4 6 Enable ( * > Obi

renvanng &ne 2h .1 3mn. ? dapsed tme ln. 1-n. I*. 7n. 1 2m\. a/rent speed averagespeed 456 423 219 470 42 ? s t a t u s r e c o v e r e d re c o v e r e d r e c o v e r e d paused r e c o v e r e d notavpted
Lq
F i l e s
*
Agents
p r o g r e s s 0.983% 1.067% 0.S26% 5.297% 0.782% 0.000 %
s
Connection
AJens
m
Cache And log
t o t a l :7 ,n o t *Ur t e d: 1 , Cu9cd :1, rt1ng:0, r e c o v e r e d :5 . nore c o v e r e d:0 , notcrrpcd:l stuck mm | o b j e c t | ReaJt ] Comment
A n o a c f r v t to*s
l o c a h o i t
< * orine
FIGURE 5.9: Elcomsoft Distributed Password Recovery Screenshot
Module 05 Page 551
Non-Electronic Attacks
Looking at either the user's keyboard or screen while he/she is logging in
Convincing people to reveal the confidential information
Searching for sensitive information at the user's trash-bins, printer trash bins, and user desk for sticky notes
I I
N on-E lectronic A ttacks

N o n - e l e c t r o n i c a tta c k s a re also t e r m e d n o n - t e c h n i c a l a tta c k s . T his k in d o f a t ta c k m e th o d s o f in tru d in g in to a n o t h e r 's any te c h n ic a l k n o w le d g e a b o u t th e
d o e s n 't re q u ire
s y s te m . T h e r e f o r e , it is n a m e d a n o n - e l e c t r o n i c a tta c k . T h e r e a re f o u r ty p e s o f n o n - e l e c t r o n i c a tta c k s , w h i c h a re : social e n g in e e r in g , s h o u ld e r s u rfin g , k e y b o a r d s n if fin g , a nd d u m p s t e r d iv in g .
|1
D u m p ste r D iving
D u m p s t e r d iv in g is a k e y a t t a c k m e t h o d t h a t t a r g e t s u p o n a s u b s t a n t i a l f a i l u r e in
c o m p u t e r s e c u r it y : t h e v e r y i n f o r m a t i o n t h a t p e o p le c ra ve , p r o t e c t , a n d d e v o t e d l y s e c u re can be a t t a in e d b y a lm o s t a n y o n e w i l l i n g t o s c r u t i n iz e g a r b a g e . It a llo w s y o u t o g a t h e r i n f o r m a t i o n a b o u t t h e t a r g e t 's p a s s w o r d s by l o o k in g t h r o u g h t h e tr a s h . This l o w - t e c h a t t a c k t y p e has m a n y i m p lic a t io n s . D ue t o less s e c u r it y t h a n t h e r e is t o d a y , d u m p s t e r d iv in g w a s a c t u a l ly q u i t e p o p u l a r in t h e 1 980s. T h e t e r m d u m p s t e r d iv i n g " r e fe r s t o a n y u s e fu l, g e n e r a l i n f o r m a t i o n t h a t is f o u n d a nd ta ke n fr o m a re as w h e r e it has b e e n d is c a r d e d . T h e se a re a s i n c lu d e tr a s h cans, c u r b s id e
c o n t a in e r s , d u m p s t e r s , a n d t h e like, f r o m w h i c h t h e i n f o r m a t i o n can be o b t a i n e d f o r fr e e . C u r io u s a n d / o r m a lic io u s a tt a c k e r s m a y f i n d p a s s w o r d file s , m a n u a ls , s e n s itiv e d o c u m e n t s , r e p o r t s , re c e ip ts , c r e d i t c a rd n u m b e r s , o r d i s k e t t e s t h a t h a ve b e e n t h r o w n a w a y .
Module 05 Page 552
S im p ly , t h e e x a m i n a t i o n o f w a s t e p r o d u c t s t h a t h a ve b e e n d u m p e d i n t o t h e d u m p s t e r a re a s m a y be h e l p f u l t o a tta c k e r s , a n d t h e r e is a m p le i n f o r m a t i o n t o s u p p o r t t h is c o n c e p t . Such u s e fu l i n f o r m a t i o n w a s d u m p e d w i t h n o t h o u g h t t o w h o s e h a n d s it m a y e n d u p in. T his d a ta can be u tiliz e d b y t h e a t ta c k e r s t o g a in u n a u t h o r i z e d access o n o t h e r s ' c o m p u t e r s y s te m s , o r t h e o b je c t s f o u n d can p r o m p t o t h e r ty p e s o f a tta c k s such as th o s e based o n so c ia l e n g in e e r in g .
T H
S h o u ld er Surfing
s u r fin g is w h e n an in tru d e r is s t a n d in g in c o n s p ic u o u s ly , but near a
'41 S h o u ld e r
l e g i t i m a t e user, w a t c h i n g as t h e p a s s w o r d is e n t e r e d . T h e a t t a c k e r s i m p l y lo o k s a t e i t h e r t h e u s e r's k e y b o a r d o r s c re e n w h i l e he o r she is lo g g in g in, a n d w a t c h e s t o see if t h e u se r is s ta r in g a t t h e d e s k f o r a p a s s w o r d r e m i n d e r o r t h e a c tu a l p a s s w o r d . T his can be p o s s ib le o n l y w h e n t h e a t t a c k e r is p h y s ic a lly close t o t h e t a r g e t . This t y p e o f a t t a c k can also o c c u r in a g r o c e r y s to r e c h e c k o u t lin e w h e n a p o t e n t i a l v i c t i m is s w i p i n g a d e b i t ca rd a n d e n t e r i n g t h e r e q u i r e d PIN. M a n y o f th e s e P e r s o n a l I d e n t i f i c a t i o n N u m b e r s a re o n l y f o u r d ig its lon g. E a v e s d r o p p i n g r e fe r s t o t h e a c t o f s e c r e tly lis te n in g t o s o m e o n e 's c o n v e r s a t i o n . P a s s w o rd s can be d e t e r m i n e d by s e c r e tly lis te n in g t o t h e p a s s w o r d e x c h a n g e s . If t h e h a c k e r fa ils t o g e t y o u r p a s s w o r d b y g u e ssin g , t h e r e are o t h e r w a y s he o r she can t r y t o g e t it. " P a s s w o r d s n i f f i n g " is an a lt e r n a t i v e used b y t h e h a c k e rs t o g e t t h e i r t a r g e t p a s s w o r d s . M o s t o f t h e n e t w o r k s use b r o a d c a s t t e c h n o l o g y , w h i c h m e a n s t h a t e v e r y m e ssa g e t h a t a c o m p u t e r o n t h e n e t w o r k t r a n s m i t s can be re a d b y e a c h a n d e v e r y c o m p u t e r c o n n e c t e d o n t h a t n e t w o r k . In p r a c tic e , e x c e p t t h e r e c i p i e n t o f t h e m essa ge , all o t h e r c o m p u t e r s w i ll n o tic e t h a t t h e m e s s a g e is n o t i n t e n d e d f o r t h e m , a n d i g n o r e it. H o w e v e r , c o m p u t e r s can be p r o g r a m m e d t o lo o k a t e v e r y m e s s a g e t r a n s m i t t e d by a s p e c ific c o m p u t e r o n t h e n e t w o r k . In t h is w a y , o n e can lo o k a t m essa ge s t h a t a re n o t in t e n d e d f o r t h e m . H a c ke rs h a v e t h e p r o g r a m s t o d o th is , a n d t h e n scan all t h e m essa ge s t r a v e r s e d o n t h e n e tw o rk lo o k in g fo r th e p assw ord. You m a y e n d u p g iv in g y o u r p a s s w o r d t o t h e a t t a c k e r if y o u a re lo g g in g i n t o a c o m p u t e r acro ss a n e tw o rk , and so m e c o m p u te rs on th e n e tw o r k have b een c o m p ro m is e d th is w ay. U sing t h is p a s s w o r d s n i f f i n g t e c h n i q u e , h a c k e rs h a v e c o lle c te d th o u s a n d s o f p a s s w o r d s b y b r e a k in g i n t o t h e c o m p u t e r s t h a t a re c o n n e c t e d o n a h e a v ily u sed n e t w o r k .
Social E n g in e e rin g
In c o m p u t e r s e c u r ity , social e n g in e e r in g is t h e t e r m t h a t r e p r e s e n ts a n o n - t e c h n i c a l k in d o f i n t r u s io n . T y p ic a lly , t h is re lie s h e a v ily o n h u m a n i n t e r a c t i o n a n d o f t e n in v o lv e s
t r i c k in g o t h e r p e o p le i n t o b r e a k in g n o r m a l s e c u r it y p r o c e d u r e s . A social e n g in e e r r u n s a " c o n g a m e " t o b r e a k t h e s e c u r it y p r o c e d u r e s . For e x a m p le , an a t t a c k e r u sin g social e n g in e e r in g t o b r e a k i n t o a c o m p u t e r n e t w o r k w o u l d t r y t o g ain t h e t r u s t o f s o m e o n e w h o is a u t h o r i z e d t o access t h e n e t w o r k , a n d t h e n t r y t o e x t r a c t t h e i n f o r m a t i o n t h a t c o m p r o m i s e s t h e n e t w o r k s e c u r ity .
Module 05 Page 553
Social e n g in e e r in g is t h e r u n - t h r o u g h o f p r o c u r i n g c o n f i d e n t i a l i n f o r m a t i o n b y d e c e iv in g o r s w a y in g p e o p le . A n a t t a c k e r can m i s r e p r e s e n t h im s e l f as a u s e r o r s y s te m a d m i n i s t r a t o r in o r d e r t o o b t a i n t h e p a s s w o r d f r o m a user. It is n a t u r a l f o r p e o p le t o be h e l p f u l a n d t r u s t i n g . A n y p e r s o n g e n e r a lly m a k e s an e f f o r t t o b u ild a m i c a b l e r e la t io n s h ip s w i t h his o r h e r f r i e n d s a nd c o lle a g u e s . Social e n g in e e r s t a k e a d v a n ta g e o f t h is t e n d e n c y . A n o t h e r t r a i t o f social e n g in e e r in g relie s o n t h e i n a b i l i t y o f p e o p le t o k e e p u p w i t h a c u lt u r e t h a t r e lie s h e a v i l y o n i n f o r m a t i o n t e c h n o l o g y . M o s t p e o p le are n o t a w a r e o f t h e v a lu e o f t h e i n f o r m a t i o n t h e y possess a n d f e w a re ca re le ss a b o u t p r o t e c t i n g it. A t t a c k e r s t a k e a d v a n ta g e o f t h is fa c t fo r th e i n t r u s io n . H a b itu a lly , social e n g in e e r s s e a rch d u m p s te rs fo r v a lu a b le i n f o r m a t i o n . A social e n g in e e r w o u l d h a ve a t o u g h e r t i m e g e t t i n g t h e c o m b i n a t i o n t o a safe, o r e v e n t h e c o m b i n a t i o n t o a h e a lt h c l u b lo c k e r , t h a n a p a s s w o r d . T h e b e s t d e f e n s e is t o e d u c a te , t r a i n , a n d c r e a te a w a re n e s s .
K ey b o ard Sniffing
I
K e y b o a rd s n if fin g a llo w s y o u t o k e y s tr o k e s u sin g k e y lo g g e r s .
in te rp re t th e
p a s s w o r d as t h e t a r g e t e n t e r s t h e
Module 05 Page 554
Default Passwords
J A default password is a password supplied by the m anufacturer w ith new equipm ent that is password protected
Online tools to search default passwords: http://cirt.net http://default-password.info
h ttp :/ / w w w .d e fa u ltp a s s w o rd .u s
The Default Password List
http://www.passwordsdatabase.com https://w3dt.net
h t tp :/ / w w w .v iru s .o rg
*ccrv.8***: 000 B 8I *!'Connect * wm < doscic < 8 0000/4007
http://open-sez.me http://securityoverride.org http://www.routerpasswords.com http://www.fortypoundhead.com

http://securityoverride.org
Tot! % t U i 7.24$
NtowlHinib( : d a \n d * jrM 0 2 9
'
D efault P assw o rd s
S o u rc e : h t t p : / / s e c u r i t y o v e r r i d e . o r g
D e f a u lt p a s s w o r d s a re p a s s w o r d s s u p p lie d b y m a n u f a c t u r e r s w i t h n e w e q u i p m e n t . U s u a lly t h e d e f a u l t p a s s w o r d p r o v id e d by t h e m a n u f a c t u r e r s f o r p a s s w o r d p r o t e c t e d d e v ic e s a llo w s t h e d e v ic e t o be a ccessed d u r in g its in itia l s e tu p . O n l in e t o o l s t h a t can be used t o s e a rch f o r d e f a u l t p a s s w o r d s in c lu d e : 0 0 0 0 0 0 0 0 0 0 h ttp ://c irt.n e t h ttp ://d e fa u lt-p a s s w o rd .in fo h ttp ://w w w .d e fa u ltp a s s w o rd .u s h ttp ://w w w .p a s s w o rd s d a ta b a s e .c o m h ttp s ://w 3 d t.n e t h ttp ://w w w .v iru s .o rg h ttp ://o p e n -s e z .m e h ttp ://s e c u rity o v e rrid e .o rg h ttp ://w w w .ro u te rp a s s w o rd s .c o m h ttp ://w w w .fo rty p o u n d h e a d .c o m
Module 05 Page 555
FIGURE 5.10: Default Password Screenshot
Vendor 3COM 3COM 3COM 3COM 3COM 3COM Huawei 3COM 3COM 3COM 3COM 3COM 3COM
M odel CoreBuilder CoreBuilder HiPerARC LANplex LANplex LinkSwitch E960 NetBuilder N e tbu ild er Office Connect ISDN Routers SuperStack II Switch SuperStack II Switch OfficeConnect 812 ADSL
Version 7 0 0 0 /6 0 0 0 /3 5 0 0 /2 5 0 0 7 0 0 0 /6 0 0 0 /3 5 0 0 /2 5 0 0 v4.1.x 2500 2500 2 00 0 /2 7 0 0
Access Type Telnet Telnet Telnet Telnet Telnet Telnet
Username Debug Tech Adm Debug Tech Tech A dm in
Password Synnet Tech (none) Synnet Tech Tech A dm in ILMI
SNMP M u lti 5x0 2200 2700 Telnet Telnet Telnet M u lti A dm in n/a debug tech a d m in ttd
(none) PASSWORD Synnet Tech a d m in ttd
TABLE 5.1: Online Tools To Search Default Password
Module 05 Page 556
M an u al Passw ord C rack in g (G uessing)

Frequency of attacks is less
r Eu
1 E !!
The failure rate is high
Create a list of possible passwords
Rank passwords from high probability to low
Key in each password, until correct password is discovered
a
M anual passw ord c r a c k in g
I
encom passes
a tte m p tin g to log on w ith d iffe re n t
M an u al P assw o rd C ra c k in g (G u essin g )
p a s s w o r d s . G u e s sin g is t h e k e y e l e m e n t o f m a n u a l p a s s w o r d c ra c k in g . T h e p a s s w o r d is t h e key v a lu e o f d a ta t h a t is n e e d e d t o access t h e s y s te m . M o s t p a s s w o r d s can be c r a c k e d u sin g d iffe re n t e s c a l a t io n p r iv ile g e s , e x e c u t in g a p p lic a tio n s , h id in g file s, a nd c o v e r in g tra c k s .
A t t a c k e r s t r y m a n y a t t e m p t s t o c ra c k p a s s w o r d s t o i n t r u d e i n t o a t a r g e t 's s y s te m . P a s s w o rd s can be c ra c k e d m a n u a l ly o r u sin g s o m e a u t o m a t e d t o o l s , m e t h o d s , a n d a l g o r i t h m s . P a s s w o rd c ra c k in g can be a u t o m a t e d u sin g a s im p le FOR lo o p also. M a n u a l p a s s w o r d c ra c k in g in v o lv e s d i f f e r e n t a t t e m p t s t o log in t h e f o l l o w i n g w a y s : 0 0 0 0 Find a v a lid u se r C re a te a list o f p o s s ib le p a s s w o r d s Rank p a s s w o r d s f r o m h igh p r o b a b i l i t y t o l o w Key in e ach p a s s w o r d , u n til t h e c o r r e c t p a s s w o r d is d is c o v e r e d
A h a c k e r can also c r e a te a s c r ip t file t h a t tr ie s e a c h p a s s w o r d in a list. Still t h is is still c o n s id e r e d m a n u a l c ra c k in g . T h e fa i lu r e r a te o f th is t y p e o f a t t a c k is hig h.
Module 05 Page 557
M an u a l P assw o rd C ra c k in g A lgorithm
In its s i m p l e s t f o r m , p a s s w o r d g u e s s in g can be a u t o m a t e d u sin g a s im p le FOR lo o p . In t h e e x a m p le t h a t f o l lo w s , an a t t a c k e r c r e a te s a s im p le t e x t file w i t h u s e r n a m e s a n d p a s s w o r d s t h a t a re i t e r a t e d u s in g t h e FOR l o o p . T h e m a in FOR lo o p can e x t r a c t t h e u s e r n a m e s a n d p a s s w o r d s f r o m t h e t e x t f i l e t h a t se rv e s as a d i c t i o n a r y as it i t e r a t e s t h r o u g h e v e r y line :
[file: credentials.txt] administrator "" administrator password administrator administrator [Etc. ]

F ro m a d i r e c t o r y t h a t can access t h e t e x t file , t h e c o m m a n d is t y p e d as f o l lo w s :
c:\>FOR /F 1 1tokens=l,2* %i in (credentials .txt) A More? do net use \\victim.com\lPC$ %j /u:victim.com\%iA More? 2 n u l A More? && echo %time% %date% outfile.txtA outfile.txt
More? && echo Wvictim.com acct: %i pass: %j c:\>type outfile.txt
T h e o u t f i l e . t x t c o n t a i n s t h e c o r r e c t u s e r n a m e a nd p a s s w o r d if t h e u s e r n a m e a n d p a s s w o r d in c r e d e n t i a l s . t x t a re c o r r e c t . A n o p e n s e s s io n can be e s ta b lis h e d w i t h t h e v i c t i m s e r v e r u s in g t h e a t t a c k e r 's s y s te m .
Module 05 Page 558
A utom atic Passw ord C rack in g A lgorithm
CEH
Find the algorithm used for encryption
Create a list of the possible passwords
Verify whether there is a match for each user ID
Repeat the cycle until the correct password is discovered

A utom atic P assw o rd C ra c k in g A lg o rith m

As s e c u r it y a w a r e n e s s in c re a s e d , m o s t s y s te m s b e g a n r u n n i n g p a s s w o r d s t h r o u g h s o m e t y p e o f a l g o r i t h m t o g e n e r a t e a hash. This hash is u s u a lly m o r e t h a n j u s t r e a r r a n g in g t h e o rig in a l p a s s w o r d . It is u s u a lly a o n e - w a y h a s h . T h e o n e - w a y hash is a s tr in g o f c h a r a c te r s t h a t c a n n o t b e r e v e rs e d i n t o its o rig in a l te x t . H o w e v e r , t h e v u l n e r a b i l i t y d o e s n o t a ris e f r o m t h e h a s h in g p ro ce ss, b u t f r o m p a s s w o r d s to ra g e . T h e p a s s w o r d t h a t is s to r e d a t t h e t i m e o f a u t h e n t i c a t i o n is n o t d e c r y p t e d b y m o s t o f th e s y s te m s . Such s y s te m s s to r e o n l y o n e - w a y hashes. D u r in g t h e local log in p ro ce ss, t h e p a s s w o r d e n t e r e d is r u n t h r o u g h t h e a l g o r i t h m g e n e r a t in g a o n e - w a y hash a n d c o m p a r i n g i t t o t h e hash s t o r e d o n t h e s y s te m . If t h e y a re f o u n d t o be s im ila r , it is a s s u m e d t h a t t h e p r o p e r p a s s w o r d w a s used. T h e r e f o r e , all t h a t an a t t a c k e r has t o d o in o r d e r t o c ra c k a p a s s w o r d is t o g e t a c o p y o f t h e o n e w a y hash s t o r e d o n t h e s e rv e r, a nd t h e n use t h e a l g o r i t h m t o g e n e r a t e his o r h e r o w n hash u n t i l he o r she g e ts a m a tc h . M o s t s y s t e m s M i c r o s o f t , UNIX, a n d N e t w a r e h a ve p u b lic ly a n n o u n c e d t h e i r h a s h in g a l g o r i t h m s . A t t a c k e r s can use a c o m b i n a t i o n o f a t t a c k m e t h o d s t o r e d u c e t h e t i m e in v o lv e d in c r a c k in g a p a s s w o r d . T h e I n t e r n e t p r o v id e s f r e e w a r e p a s s w o r d c r a c k e rs f o r NT, N e t w a r e , a n d UNIX.
Module 05 Page 559
T h e r e a re p a s s w o r d lists t h a t can be fe d t o th e s e c ra c k e rs t o c a r r y o u t a d i c t i o n a r y a t t a c k . In its s i m p l e s t f o r m , a u t o m a t i o n in v o lv e s f i n d i n g a v a lid u s e r a n d t h e p a r t i c u l a r e n c r y p t i o n a l g o r i t h m b e in g used , o b t a i n i n g e n c r y p t e d p a s s w o r d s , c r e a t in g a list o f all p o s s ib le p a s s w o r d s , e n c r y p t i n g e ach w o r d , a n d c h e c k in g f o r a m a t c h f o r e ach u s e r ID k n o w n . T his p ro c e s s is r e p e a t e d u n t i l t h e d e s ire d re s u lts a re o b t a i n e d o r all o p t i o n s a re e x h a u s t e d . A u t o m a t i c p a s s w o r d c r a c k in g a l g o r i t h m s s h o u ld in c lu d e t h e f o l l o w i n g s te p s: e e 0 Q Q Find a v a lid u se r Find e n c r y p t i o n a l g o r i t h m used O b t a in e n c r y p t e d p a s s w o r d s C re a te a list o f p o s s ib le p a s s w o r d s E n c r y p t e ach w o r d See if t h e r e is a m a tc h f o r e ach u s e r ID
P erfo rm in g A u to m ated P assw o rd G u e ssin g

If t h e a t t a c k e r fa ils in a m a n u a l a t t a c k , h e o r she can c h o o s e t o a u t o m a t e t h e pro ces s. T h e r e a re s e v e ra l fr e e p r o g r a m s t h a t can assist in t h is e f f o r t . S o m e o f th e s e f r e e p r o g r a m s are Leg io n, Jack t h e R ip p e r, N etB IO S A u d i t i n g T o o l (NAT), e tc . T h e s i m p l e s t o f th e s e a u t o m a t i o n m e t h o d s ta k e a d v a n ta g e o f t h e n e t c o m m a n d . T his in v o lv e s a s im p le l o o p u sin g t h e N T / 2 0 0 0 s h ell f o r c o m m a n d . All t h e a t t a c k e r has t o d o is t o c r e a te a s im p le u s e r n a m e a n d p a s s w o r d file . He o r sh e can t h e n r e f e r e n c e t h i s file w i t h i n a FOR c o m m a n d .
C:\> FOR /F "token=l, 2*" %i in (credentials.txt) do net use \\target\lPC$ %i /u: %j

A u t o m a t e d p a s s w o r d a tta c k s can be c a te g o r iz e d as f o l lo w s : A s im p le d ic t io n a r y a t ta c k in v o lv e s lo a d in g a d i c t i o n a r y file (a t e x t file f u ll o f d i c t i o n a r y w o r d s ) i n t o a c ra c k in g a p p li c a t i o n such as L O p h tC ra c k o r J o h n t h e R ip p e r , a n d r u n n i n g it a g a in s t u se r a c c o u n ts t h a t t h e a p p li c a t i o n loc a te s . D i c t i o n a r y a tta c k s a re m o r e e f f e c t i v e w i t h lo n g w o r d s . Q T h e b r u t e f o r c e m e t h o d is t h e m o s t in c lu s iv e , a lt h o u g h s lo w . U s u a lly it tr i e s e v e r y p o s s ib le l e t t e r a n d n u m b e r c o m b i n a t i o n in its a u t o m a t e d e x p l o r a t i o n . 0 A h y b r id a p p r o a c h is o n e t h a t c o m b in e s f e a t u r e s o f b o t h m e t h o d s . It u s u a lly s ta r t s w i t h a d ic t io n a r y , a n d t h e n tr i e s c o m b i n a t i o n s such as t w o w o r d s t o g e t h e r o r a w o r d a nd n um be rs. Users t e n d t o h a ve w e a k p a s s w o r d s b e c a u s e t h e y d o n o t k n o w w h a t c o n s t i t u t e s a s t r o n g p a s s w o r d a n d , t h e r e f o r e , d o n o t k n o w h o w t o c r e a te s t r o n g p a s s w o r d s f o r t h e i r a c c o u n ts . As s h o w n , t h i s lea ves p a s s w o r d s o p e n t o a tta c k .
Module 05 Page 560
Stealing P assw ords Using USB D rive
U rtifM
c EH
itkMjl IlMhM
Attacker
User
Passwords
Inse rt th e USB drive and th e autorun w in d o w w ill pop-up ( if enabled)
PassView is executed in th e background and passwords w ill be stored in th e .TXT files in th e USB drive
C ontents o f launch, bat

start p s p v .exe/stext p s p v .txt
D ownload PassView, a password hacking to o l
Create autorun.inf in USB drive

[autorun] e n = l a u n c h .b a t
Copy th e downloaded files to USB drive
W z J
< >S tealing P a ssw o rd s U sing USB D rives

S te a lin g p a s s w o r d s u sin g a USB d r i v e is a p h y s ic a l a p p r o a c h f o r h a c k in g p a s s w o r d s in a c o m p u te r. A tta cke rs can ste a l passw ord s u s in g a USB d r iv e and d iffe re n t
sto re d
a p p lic a tio n s . P e o p le w h o h a ve m u l t i p l e o n l i n e a c c o u n ts u s u a lly s to r e t h e i r u s e r n a m e s and p a s s w o r d s as a b a c k u p t o use if t h e y f o r g e t t h e m . You can r e c o v e r o r s te a l such c r e d e n t i a l s u sin g a USB d riv e . T h e p h y s ic a l a p p r o a c h m a t t e r s a l o t f o r h a c k in g p a s s w o r d s . O n e can ste a l p a s s w o r d s u sin g a USB d r iv e a n d a p p lic a tio n s . This m e t h o d is a p p lic a b le f o r h a c k in g s t o r e d p a s s w o r d s in a n y c o m p u t e r . M o s t o f t h e p e o p le s ig n in g u p f o r a la rg e n u m b e r o f w e b s i t e s u s u a lly s to r e t h e i r passw ords on th e c o m p u te r in o r d e r t o re m e m b e r th e m . O n e can t r y re c o v e rin g th e m
a u t o m a t i c a l l y u sin g a USB d riv e . T his r e q u ir e s p lu g g in g t h e USB in a n y p o r t o f t h e c o m p u t e r in w h i c h t h e p a s s w o r d s h a v e b e e n s t o r e d . T his t r i c k is a p p lic a b le f o r W i n d o w s XP, W i n d o w s 7, W i n d o w s V is ta , a n d W i n d o w s 2 0 0 0 . All t h e a p p li c a t i o n s i n c lu d e d a re p o r t a b l e a n d l ig h t e n o u g h t h a t t h e y can be d o w n l o a d e d in th e USB d is k in f e w se c o n d s . You can also h a c k s t o r e d M e s s e n g e r p a s s w o r d s . U sing t o o l s a n d a USB p e n d r i v e y o u can c r e a te a r o o t k i t t o h a c k p a s s w o r d s f r o m t h e t a r g e t c o m p u t e r . S te a lin g p a s s w o r d s u s in g a USB d e v ic e is c a r r ie d o u t w i t h t h e h e lp o f t h e f o l l o w i n g s te p s : 1. You n e e d a p a s s w o r d h a c k in g t o o l
Module 05 Page 561
2. 3.
C o p y t h e d o w n l o a d e d .exe file s o f p a s s w o r d h a c k in g t o o l s t o USB d riv e . C re a te a n o t e p a d d o c u m e n t a n d p u t t h e f o l l o w i n g c o n t e n t o r c o d e in t h e n o t e p a d [a u to ru n ] e n = la u n c h .b a t A f t e r w r i t i n g th is c o n t e n t i n t o N o t e p a d , save t h e d o c u m e n t as a u t o r u n . i n f a n d c o p y th is f ile t o t h e USB d riv e .
4.
O pen N o te p a d and w rite th e fo llo w in g c o n te n t in to N otep ad : s t a r t p s p v . e x e / s t e x t p s p v .t x t A f t e r t h a t , save file as la u n c h . b a t a n d c o p y t h is f ile t o t h e USB d r iv e
5. 6.
In s e r t t h e USB
d r i v e a n d t h e a u t o r u n w i n d o w p o p - u p ( if e n a b le d ) .
A p a s s w o r d - h a c k i n g t o o l is e x e c u t e d in t h e b a c k g r o u n d a nd p a s s w o r d s can be s t o r e d in t h e .TXT file s in t h e USB d riv e .
In t h i s sto re d
w a y , y o u can c r e a te y o u r o w n USB p a s s w o r d r e c o v e r y t o o l k i t a n d use it t o ste a l p a s s w o r d s o f y o u r f r i e n d s o r c o lle a g u e s w i t h o u t t h e k n o w l e d g e o f t h e
th e
p e r s o n . This
p ro c e s s ta k e s o n l y a f e w s e c o n d s t o r e t r i e v e p a s s w o r d s .
Attacker
FIGURE 5.11: Stealing Passwords Using USB Drives
Module 05 Page 562
Stealing P assw ords Using K eyloggers

J
CEH
Keyloggers provide an easiest and most effective means of stealing a all victinVs user names and passwords
If an attacker is successful in infecting a victim's machine with a Trojan that have keylogging features he can instruct the Trojan server to log and send back all user credentials to his machine
Attacker
Attacker infects victims local PC with a software keylogger
Victim logs on to the domain server with his credentials
................... >
Keylogger sends login credentials to hacker
.........&
Victim Domain Server

Attacker gains access to domain server
S tealing P a ssw o rd s U sing K ey lo g g ers

W h e n e v e r an a t t a c k e r n e e d s t o c ra c k s o m e t h i n g , he o r she u s u a lly t h i n k s a b o u t th e p o s s ib le l o o p h o l e s in t h e w h o l e p ro ce ss . P a s s w o rd s a re t h e p ie ce o f d a ta used t o access an a c c o u n t o r a s y s te m . C h o o s in g c o m p le x p a s s w o r d s m a k e s y o u r a c c o u n ts s e c u r e a n d t h e j o b o f t h e a t t a c k e r d if f i c u l t . A c o m p le x p a s s w o r d m a k e s t h e a tt a c k e r 's j o b d i f f i c u l t b u t n o t im p o s s ib le . P a s s w o rd s a re t h e p ie c e o f d a ta t o be s u b m i t t e d t o a s y s te m o r a p p li c a t i o n t o g ain access t o it. P a s s w o rd s a re u s u a lly e n t e r e d t h r o u g h t h e k e y b o a r d . H e n c e , if an a t t a c k e r has s o f t w a r e o r a m e c h a n is m t h a t can log t h e k e y s tr o k e s a n d se nd t h e r e p o r t t o h im o r h er, t h e n t h e a t t a c k e r can d e t e r m i n e t h e p a s s w o r d s easily. T h e p r o g r a m s t h a t a l l o w t h e m t o d o th is a re k e y lo g g e rs , a k in d o f m a l w a r e . K e y lo g g e rs can e x p o s e all t h e k e y s tr o k e s e n t e r e d by t h e t a r g e t in c lu d in g u s e r n a m e s a n d p a s s w o r d s f o r a n y w e b s ite s . A r e m o t e k e y lo g g e r can g iv e an a t t a c k e r access n o t o n l y t o y o u r e m a il a n d o n l i n e a c c o u n ts , b u t it can c o m p r o m i s e y o u r f i n a n c ia l d e ta ils as w e ll. K e y lo g g e rs a re u sed by p e o p le t o f i n d a c e r ta in p ie c e o f i n f o r m a t i o n such as a u s e r n a m e o r p a s s w o r d . T h e p ic t o r ia l r e p r e s e n t a t i o n c le a rly e x p la in s t h e w a y a t ta c k e r s ste a l p a s s w o r d s using k e y lo g g e rs .
Module 05 Page 563
Domain Server
Attacker gains access to domain server
FIGURE 5.12: Stealing Passwords Using Keyloggers
W hen
s te a lin g p a s s w o r d s , t h e
a t t a c k e r f i r s t i n f e c ts t h e v i c t i m ' s local
PC w i t h
a s o ftw a re
k e y lo g g e r . W h e n t h e v i c t i m
logs o n t o t h e d o m a i n s e r v e r w i t h his o r h e r c r e d e n tia ls , t h e
k e y lo g g e r a u t o m a t i c a l l y s e n d s lo g in c r e d e n t i a l s (u s e r n a m e , p a s s w o r d s ) t o t h e a t t a c k e r w i t h o u t t h e k n o w l e d g e o f t h e v i c t i m . O n c e t h e a t t a c k e r g e ts t h e v i c t i m ' s lo g in c r e d e n tia ls , he o r she logs o n t o t h e d o m a i n s e r v e r a n d m a y p e r f o r m a n y a c tio n .
Module 05 Page 564
Microsoft Authentication
SAM Database
Windows stores user passwords in the Security Accounts Manager database (SAM), or in the Active Directory database in domains. Passwords are never stored in clear text; passwords are hashed and the results are stored in the SAM
Windows Security Enter netw ork password
Enter y o u r p assw o'd t o c o n n e c t to :
(rtifwd
CEH
itkitjl
Remember my credentials
NTLM Authentication
Use another account
The NTLM authentication protocol types: 1. NTLM authentication protocol 2. LM authentication protocol These protocols stores user's password in the SAM database using different hashing methods
The specified network password is not correct.
OK
Cancel
Kerberos
Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger authentication for client/server applications than NTLM
Windows 8
M icrosoft A u th en ticatio n
SAM D a ta b a se
T h e a c r o n y m S A M d a ta b a s e is t h e S e c u r ity A c c o u n ts M a n a g e r d a ta b a s e . T his is used b y W i n d o w s t o m a n a g e u s e r a c c o u n ts a n d p a s s w o r d s in t h e h a s h e d f o r m a t ( o n e - w a y hash). P a s s w o rd s a re n e v e r s t o r e d in p la i n t e x t f o r m a t . T h e y a re s t o r e d in t h e h a s h e d f o r m a t t o p r o t e c t t h e m f r o m a tta c k s . T h e S A M d a t a b a s e is i m p l e m e n t e d as a r e g i s t r y f i l e a n d t h e W i n d o w s k e r n e l o b t a in s a n d k e e p s an e x c lu s iv e fil e s y s t e m lo c k o n t h e S A M file . As t h is file is p r o v id e d w i t h a fil e s y s t e m lock, t h is p r o v id e s s o m e m e a s u r e o f s e c u r it y f o r t h e s to r a g e o f t h e p a s s w o r d s . It is n o t p o s s ib le t o c o p y t h e S A M file t o a n o t h e r l o c a t io n in t h e case o f o n l i n e a tta c k s . Since t h e S A M f ile is lo c k e d w i t h an e x c lu s iv e f i l e s y s t e m lock, it c a n n o t be c o p ie d o r m o v e d w h i l e W i n d o w s is r u n n i n g . T h e lo c k w i ll n o t re le a s e u n til t h e b lu e s c re e n e x c e p t i o n has b e e n t h r o w n o r o p e r a t i n g s y s te m has s h u t d o w n . H o w e v e r , m a k in g t h e p a s s w o r d h a s h e s a v a ila b le f o r o f f l i n e b r u t e - f o r c e a t t a c k s , t h e o n - d is k c o p y o f t h e c o n t e n t s o f t h e S A M file can be d u m p e d u sin g v a r io u s t e c h n i q u e s . M i c r o s o f t i n t r o d u c e d t h e SYSKEY f u n c t i o n in W i n d o w s NT 4 .0 in an a t t e m p t t o i m p r o v e t h e s e c u r it y o f t h e S A M d a ta b a s e a g a in s t o f f l i n e s o f t w a r e c r a c k in g . T h e o n - d is k c o p y o f t h e S A M file
Module 05 Page 565
is p a r t i a l l y e n c r y p t e d w h e n t h e SYSKEY is e n a b le d . In t h is w a y t h e p a s s w o r d hash v a lu e s f o r all local a c c o u n ts s t o r e d in t h e S A M a re e n c r y p t e d w i t h a key. Even if its c o n t e n t s w e r e d is c o v e r e d b y s o m e s u b t e r f u g e , t h e keys a re e n c r y p t e d w i t h a o n e w a y hash, m a k in g it d i f f i c u l t t o b re a k . A lso , s o m e v e r s io n s h a ve a s e c o n d a r y ke y , m a k in g t h e e n c r y p t i o n s p e c ific t o t h a t c o p y o f t h e OS.
NTLM A u th en ticatio n
NTLM (NT LAN M a n a g e r ) is a p r o p r i e t a r y p r o t o c o l e m p l o y e d by m a n y M ic ro s o ft p r o d u c t s t o p e r f o r m c h a l l e n g e / r e s p o n s e a u t h e n t i c a t i o n , a n d it is t h e d e f a u l t a u t h e n t i c a t i o n s c h e m e t h a t M i c r o s o f t f i r e w a l l a n d p r o x y s e r v e r p r o d u c t s use. This s o f t w a r e w a s d e v e lo p e d t o a d d re s s t h e p r o b l e m o f w o r k i n g w i t h Java te c h n o l o g i e s in a M i c r o s o f t - o r i e n t e d e n v i r o n m e n t . Since it d o e s n o t r e ly o n a n y o ffic ia l p r o t o c o l s p e c ific a t io n , t h e r e is n o g u a r a n t e e t h a t it w o r k s c o r r e c t l y in e v e r y s i t u a t i o n . It has b e e n o n s o m e W i n d o w s in s t a lla tio n s , w h e r e it w o r k e d s u c c e s s fu lly . N T L M a u t h e n t i c a t i o n c o n s is ts o f t w o p r o t o c o l s : N T L M a u t h e n t i c a t i o n p r o t o c o l a nd LM a u t h e n t i c a t i o n p r o t o c o l . T h e se p r o t o c o l s use d i f f e r e n t hash m e t h o d o l o g y t o s to r e u s e rs ' p a s s w o r d s in t h e S A M d a ta b a s e .
NTLM A u th en ticatio n P rotocol

P r o d u c ts t h a t a re s u p p o r t e d b y N T M L p r o t o c o l a re p u b lis h e d o n l y b y M i c r o s o f t d u e t o t h e u n a v a i l a b i li t y o f t h e o ffic ia l p r o t o c o l s p e c ific a tio n s . As a c o n s e q u e n c e , in a M i c r o s o f t - o r i e n t e d n e t w o r k e n v i r o n m e n t , n e a r ly all n o n - M S p r o d u c t s h a ve t r o u b l e p e r f o r m i n g t h e i r ta s k s c o r r e c t ly . S o f t w a r e d e v e l o p m e n t e n v i r o n m e n t s s u f f e r f r o m t h e a f o r e m e n t i o n e d p r o b l e m ; t h e r e a re n o lib r a r ie s t h a t i m p l e m e n t th is a u t h e n t i c a t i o n s c h e m e , e x c e p t t h e o n e s b u n d l e d in t h e W i n d o w s OS. In t h e O p e n S o u rc e c o m m u n i t y , t h e r e a re m a n y p r o je c t s f o c u s e d o n t h e i m p l e m e n t a t i o n o f th is p r o t o c o l , b u t m o s t o f th e s e h a ve Java as t h e ta rg e t e n v iro n m e n t. T h e lack o f t h e a v a i l a b il i t y o f th is a u t h e n t i c a t i o n s c h e m e in t h e Java p l a t f o r m c o u ld s p ell s e rio u s t r o u b l e in t h e d e v e l o p m e n t a n d d e p l o y m e n t o f c o o p e r a t iv e a p p li c a t i o n s b ase d o n te c h n o l o g i e s such as SOAP W e b Services t h a t r e ly o n HTTP p r o t o c o l .
K erb ero s
K e r b e ro s is a n e t w o r k a u t h e n t i c a t i o n p ro to c o l. It is d e s ig n e d t o p r o v id e s t r o n g a u t h e n t i c a t i o n f o r c l i e n t / s e r v e r a p p li c a t i o n s b y u sin g s e c r e t - k e y c r y p t o g r a p h y . T his p r o v id e s m u t u a l a u t h e n t i c a t i o n . B o th t h e s e r v e r a n d t h e u s e r v e r i f y t h e i d e n t i t y o f e a ch o t h e r . M e s s a g e s s e n t t h r o u g h K e r b e ro s p r o t o c o l a re p r o t e c t e d a g a in s t r e p la y a tta c k s a n d e a v e s d r o p p in g . K e r b e ro s m a k e s use o f K e y D i s t r i b u t i o n C e n t e r (KDC), a t r u s t e d t h i r d p a r ty . T his c o n s is ts o f t w o lo g ic a lly d is t in c t p a rts : an A u t h e n t i c a t i o n s e r v e r (AS) a n d a T i c k e t G r a n t i n g S e r v e r (TGS). K e r b e ro s w o r k s o n t h e basis o f " t i c k e t s " t o p r o v e t h e u s e r's i d e n t it y .
Module
05 Page 566
Windows Security
Enter network password

Enter your password to connect to:
Remember my credentials
Use another account
} The specified network password is not correct.
OK
Cancel
FIGURE 5.13: Security Authentication in Window
Module 05 Page 567
How H ash P assw ords Are Stored in W indows SAM?

Martin/ m a g i c i a n
CEH
Password hash using LM/NTLM

M a r t i n :1 0 0 8 :62 4A A C 413 795 C D C 1 4E835F1CD 90F4C76: 6F585FF8FF6 280B59CCE252FD B500EB8: : :
f" SAM File is located at
c :\windows\system32\config\SAM
Administrator:500:598DDCE2660D3193AAD3B435B51404EE:2D20D252A479F485CDF5E171D93985BF: Guest:501:NO PASSWORD*********************:NO PASSWORD*********************::: HelpAssistant:1000:B991A1DA16C539FE4158440889BE1FFA:2E83DB1AD7FD1DC981F36412863604E9 SUPPORT_38894 5aO:1002:NO PASSWORD*********************:F5C1D381495948F434C42AEE04DE990C:::
H a c k e rs:1 0 0 3 :37035B1C4AE2B0C5B75E0C8D76954A50: 7773C08920232397CAE081704964B786::: Admin:1 0 0 4 :NO PASSWORD*********************:NO PASSWORD*********************: : : M a r tin :1 0 0 5 :624AAC4137 95CDC1AAD3B435B51404EE:C5A237B7E9D8E708D8436B6148A25FA1: : :
John:1006:624AAC413795CDC1FF17365FAF1FFE89:3B1B47E42E0463276E3DED6CEF349F93::: Jason:1007:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280B59CCE252FDB500EB8::: [smitH: [I00i): [624AAC413795CDC14E835FlCD90F4C761: |6F585FF8FF6280B59CCE252FDB500EB^:::
y
LM Hash
V
NTLM H ash
U ser n am e U se r ID
"LM hashes have been disabled in Windows Vista and later Windows operating systems, LM will be blank in those systems.'
How H ash P a ssw o rd s Are Stored in W indow SAM

T h e W i n d o w s XP p a s s w o r d s a re s t o r e d in t h e S A M file in a h a s h e d f o r m a t . P a s s w o rd s a re h a s h e d u sin g t h e L M / N T L M hash. M a rtin :1 0 0 8 :6 2 4 A A C 4 1 3 7 9 5 C D C 1 4 E 8 3 5 F lC D 9 0 F 4 C 7 6 :6 F 5 8 5 F F 8 F F 6 2 8 0 B 5 9 C C E 2 5 2 F D B 5 0 0 E B 8 ::
T h e h ash e s a re s t o r e d in c : \ w i n d o w s \ s y s t e m 3 2 \ c o n f i g \ S A M . A d m in i s t r a t o r : 5 0 0 : 5 9 8 D D C E 2 6 6 0 D 3 1 9 3 A A D 3 B 4 3 5 B 5 1 4 0 4 E E :2 D 2 0 D 2 5 2 A 4 7 9 F 4 8 5 C D F 5 E 1 7 1 D 9 3 9 85 B F ::: Gu e s t 5 0 1 NO p / \ 5 5 \ / \ / 0 R D * * * * * * * * * * * * * * * * * * * * * N O P A S S W O R D * * * * * * * * * * * * * * * * * * * * * H e l p A s s i s t a n t : 1 0 0 0 : B 9 9 1 A l D A 1 6 C 5 3 9 F E 4 1 5 8 4 4 0 8 8 9 B E l F F A : 2 E 8 3 D B lA D 7 F D lD C 9 8 1 F 3 6 4 1 2 8 6 3 6 0 4 E 9 ::: SU P PO R T _3 88 9 45 a0 :10 C )2 :N O P A S S W O R D ***** ****** ******* ***:F 5 C lD 3 8 1 4 9 5 9 4 8 F 4 3 4 C 4 2 A EE04DE990C::: A t ta c k e r s : 1 0 0 3 :3 7 0 3 5 B 1 C 4 A E 2 B 0 C 5 B 7 5 E 0 C 8 D 7 6 9 5 4 A 5 0 :7 7 7 3 C 0 8 9 2 0 2 3 2 3 9 7 C A E 0 8 1 7 0 4 9 6 4 B 7 8 6 :::
Module 05 Page 568
A d m i n ,1 0 0 4 N O P A S S W O R D * * * * * * * * * * * * * * * * * * * * * N O P A S S W O R D * * * * * * * * * * * * * * * * * * * * * *
M a r tin : 1 0 0 5 :6 2 4 A A C 4 1 3 7 9 5 C D C lA A D 3 B 4 3 5 B 5 1 4 0 4 E E :C 5 A 2 3 7 B 7 E 9 D 8 E 7 0 8 D 8 4 3 6 B 6 1 4 8 A 2 5 F A 1::: J o h n :1 0 0 6 :6 2 4 A A C 4 1 3 7 9 5 C D C lF F 1 7 3 6 5 F A F lF F E 8 9 :3 B lB 4 7 E 4 2 E 0 4 6 3 2 7 6 E 3 D E D 6 C E F 3 4 9 F 9 3 : :: Jason :1 0 0 7 :6 2 4 A A C 4 1 3 7 9 5 C D C 1 4 E 8 3 5 F 1 C D 9 0 F 4 C 7 6 :6 F 5 8 5 F F 8 F F 6 2 8 0 B 5 9 C C E 2 5 2 F D B 5 0 0 E B 8 ::: S m ith :1 0 0 8 :6 2 4 A A C 4 1 3 7 9 5 C D C 1 4 E 8 3 5 F 1 C D 9 0 F 4 C 7 6 :6 F 5 8 5 F F 8 F F 6 2 8 0 B 5 9 C C E 2 5 2 F D B 5 0 0 E B 8 ::: W h e n t h e u s e r c h a n g e s his o r h e r p a s s w o r d , t h e c r e a t i o n a n d s to r a g e o f v a lid L M h a s h e s is d is a b le d in m a n y v e r s io n s o f W i n d o w s . T his is t h e d e f a u l t s e t t i n g f o r W i n d o w s V ista a nd W i n d o w s 7. T h e LM hash can be b la n k in t h e v e rs io n s in w h i c h d is a b le d LM hash is t h e d e f a u l t s e ttin g . S e le c tin g t h e o p t i o n t o r e m o v e LM h ash e s e n a b le s an a d d it io n a l c h e c k d u r in g p a s s w o r d c h a n g e o p e r a t i o n s , b u t d o e s n o t c le a r LM hash v a lu e s f r o m t h e S A M i m m e d i a t e l y . A c t i v a t i n g th e o p tio n a d d it io n a l c h e c k s to re s a "d u m m y" v a lu e in t h e SA M d a ta b a s e and has no
r e l a t io n s h i p t o t h e u s e r's p a s s w o r d a n d is s a m e f o r all u s e r a c c o u n ts . LM h as h e s c a n n o t be c a lc u la te d f o r t h e p a s s w o r d s e x c e e d in g 14 c h a r a c te r s in le n g t h . T hu s , t h e LM hash v a lu e is se t t o a " d u m m y " v a lu e w h e n a u s e r o r a d m i n i s t r a t o r se ts a p a s s w o r d o f m o r e t h a n 14 c h a r a c te r s .
Module 05 Page 569
W h at Is LAN M a n a g e r H a sh ?
UrtifM
CEH
itkiul l u ll
LM hash or LAN Manager hash is the primary hash format that Microsoft LAN Manager and Microsoft Windows use to store user passwords of up to 14 characters length
When this password is encrypted with the LM algorithm, all the letters are converted to uppercase: 123456QWERTY
The password is padded with null (blank) characters to make it 14 characters in length: 123456QWERTY_
Before encrypting this password, 14 character string is split in half: 123456Qand WERTY_, each string is individually encrypted and the results concatenated:
123456Q= 6BF11E04AFAB197F WERTY_ = F1E9FFDCC75575B15 The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15
M icrosoft
Note: LM hashes have been disabled in Windows Vista and later Windows operating systems
W hat Is a LAN M a n a g e r H ash?

T h e LAN m a n a g e r hash is t h e p r i m a r y hash t h a t M i c r o s o f t LAN M a n a g e r a n d M i c r o s o f t W i n d o w s use t o s to r e u s e r p a s s w o r d s o f u p t o 14 c h a r a c t e r s l e n g t h . This is used in t h e
M i c r o s o f t W i n d o w s v e rs io n s p r i o r t o W i n d o w s NT. It is c o n t i n u e d in la t e r v e r s io n o f W i n d o w s fo r backw ard c o m p a tib ility , but was re co m m e n d e d by M ic ro s o ft to be tu rn e d o ff by
a d m in i s t r a t o r s . M i c r o s o f t W i n d o w s NT s to re s t w o t y p e s o f p a s s w o r d s : a LAN M a n a g e r (L M ) p a s s w o r d a n d a W i n d o w s NT p a s s w o r d . For e x a m p le , le t's a s s u m e y o u r p a s s w o r d is '1 2 3 4 5 6 q w e r t y ' . W h e n th is passw ord is e n c ry p te d w ith th e LM a lg o rith m , it is f i r s t c o n v e rte d to all uppercase:
,1 2 3 4 5 6 Q W E R T Y 1 . If t h e p a s s w o r d is n o t o f 14 c h a r a c te r s in le n g t h , t h e n it is p a d d e d w i t h n u ll ( b la n k ) c h a r a c te r s t o m a k e it 14 c h a r a c te r s in le n g t h . A t t h is sta g e t h e a s s u m e d p a s s w o r d b e c o m e s '1 2 3 4 5 6 Q W E R T Y _ \ B e fo re e n c r y p t i n g , t h e 14 c h a r a c te r s o f t h e p a s s w o r d s a re s p lit i n t o t w o s e v e n b y te h alves. T h a t m e a n s o n e s e v e n b y te s tr in g w i t h 1 2 3 4 5 6 Q' a n d t h e s e c o n d se ven b y te s t r in g w ith W E R TY _ . Each s tr in g is e n c r y p t e d i n d i v id u a l l y and th e re s u lts
c o n c a te n a te d . i.e. , 123456Q = 6BF11E04AFAB197F
WERTY_ = F1E9FFDCC75575B15
T h e r e s u lt in g hash is 6bf11e04afab197ff1e9ffdcc75575b15
Module 05 Page 570
W h at Is LAN M a n a g e r H a sh ?
(C o n td)
The first 8 bytes are derived from the first 7 characters of the password and the second 8 bytes are derived from characters 8 through 14 of the password
CEH
Urt.fi* | ttk.ul M m Im
1
&
IT
If the password is less than 7 characters, the second half will always be 0xAAD3B435B51404EE
Suppose, for this example, the user's password has an LM hash of 0xC23413A8AlE7665f AAD3B435B51404EE
LC5 cracks the password as "WELCOME"
NTLMv2 is a challenge/response authentication protocol, that offers improved security over the obsolete LM protocol
W hat Is LAN M a n a g e r H ash? (C ontd)

F ro m e ach s e v e n b y t e h a lf, an e ig h t b y te o d d p a r it y DES ke y is c o n s t r u c t e d . Each e ig h t b y te DES k e y is e n c r y p t e d w i t h a " m a g i c n u m b e r . " T h e r e s u lts o f t h e m a g ic n u m b e r e n c r y p t i o n a re c o n c a t e n a t e d i n t o a s i x t e e n b y t e o n e - w a y hash v a lu e . T his v a lu e is t h e LAN M a n a g e r o n e w a y hash o f t h e p a s s w o r d . T h e f i r s t 8 b y te s a re d e r iv e d f r o m t h e f i r s t 7 c h a r a c te r s o f t h e p a s s w o r d a n d t h e s e c o n d 8 b y te s a re d e r iv e d f r o m c h a r a c te r s 8 t h r o u g h 14 o f t h e p a s s w o r d . T o g e t h e r a s ix te e n b y te o n e - w a y hash v a lu e is c o n s t r u c t e d f o r a p a s s w o r d n o t e x c e e d in g 14 c h a r a c te r s le n g th . If t h e p a s s w o r d is less t h a n o r j u s t a b o u t 7 c h a r a c t e r s in le n g t h , t h e n t h e s e c o n d h a l f is a lw a y s a 0 x A A D 3 B 4 3 5 B 5 1 4 0 4 E E . W h e n t h e L M p a s s w o r d is used , it is easy f o r p a s s w o r d a t ta c k e r s t o d e t e c t t h e e ig h t h c h a r a c te r , if it is p r e s e n t. For e x a m p le , i f t h e u s e r p a s s w o r d has an LM hash o f 0 x C 2 3 4 1 3 A 8 A l E 7 6 6 5 f A A D 3 B 4 3 5 B 5 1 4 0 4 E E , LC5 cra cks t h e p a s s w o r d as W E L C O M E w i t h v e r y little e ffo rt. N T L M v 2 is a c h a l l e n g e / r e s p o n s e a u t h e n t i c a t i o n p r o t o c o l t h a t o f f e r s i m p r o v e d s e c u r it y o v e r th e o b s o le t e LM p r o t o c o l . T h e r e f o r e , th e s e s y s te m s h a ve t o se t t h e LAN M a n a g e r A u t h e n t i c a t i o n Level t o "S en d N T L M v 2 r e s p o n s e s o n l y . "
Module 05 Page 571
LM Hash Generation
(rtifwd
C EH
itkitjl
* LM H a sh G en e ra tio n
T h e LM hash also ca lle d as t h e LAN m a n a g e r hash u sed by m a n y v e r s io n s o f W i n d o w s f o r s t o r i n g p a s s w o r d s less t h a n 15 c h a r a c te r s . T h e f o l l o w i n g f i g u r e e x p la in s t h e "c e h p a s s l" . In t h e LM hash g e n e r a t io n p ro ce ss, f i r s t t h e p a s s w o r d in lo w e r c a s e is c o n v e r t e d t o u p p e r c a s e ; in t h is e x a m p le , t h is o p e r a t i o n r e s u lts in "C EHPASS1". T h e n , t h e u p p e r c a s e p a s s w o r d , i.e., "C EHPASS1", is d iv i d e d i n t o t w o s e v e n c h a r a c t e r s trin g s ; in t h e e x a m p le , t h e r e s u lt in g s trin g s a re "CEHPASS" a n d * * * * * * ! . As t h e s e c o n d s t r in g c o n ta in s o n l y o n e c h a r a c te r , t o m a k e t h e s e c o n d s t r in g a s e v e n - c h a r a c t e r s tr in g , i t is le n g t h e n e d p a d d in g . T h e t w o s e v e n - c h a r a c t e r s tr in g s a re t h e n used w ith n u ll ( b la n k ) c h a r a c te r s , i.e., e n c ry p tio n keys f o r t h e p ro c e s s o f g e n e r a t in g an LM hash f o r a u s e r p a s s w o r d
as t h e
e n c r y p t i o n o f a c o n s t a n t u s in g t h e DES ( D ig ita l E n c r y p tio n S t a n d a r d ) s y m m e t r i c c i p h e r . A t last, t o c r e a te t h e LM hash, t h e r e s u lt in g D E S - e n c r y p t e d b lo c k s a re c o n c a t e n a t e d .
Module 05 Page 572
cehp assl
CEHPASS
?1
Constant DES
II
Constant
\
Concatenate
7
LM Hash
FIGURE 5.14: LM Hash Generator
Module 05 Page 573
LM, NTLMvl, and NTLMv2

Attribute
Password Case Sensitive No
CEH
LM
N TLM vl
YES
NTLMv2
YES
56bit + 56bit
DES (ECB mode)
MD4
MD5
64bit + 64bit
128bit
128bit
56bit + 56bit + 16bit DES (ECB mode)
56bit + 56bit + 16bit DES (ECB mode)
128bit
HMAC_MD5
64bit + 64bit + 64bit
V " n / n / n / n /
64bit + 64bit + 64bit
128bit
LM, N T L M vl, a n d NTLM v2

T o a d d re s s t h e a d v o c a te d p r o b l e m s in N T L M 1 , M i c r o s o f t i n t r o d u c e d N T L M v e r s io n 2, a n d its use w h e r e v e r p o s s ib le . T h e f o l l o w i n g t a b l e lists t h e f e a t u r e s o f t h e t h r e e
a u th e n tic a tio n m e th o d s . A ttrib u te P assw o rd Case S en sitive Hash Key Length P assw o rd Hash A lg o rith m Hash V a lu e Length C /R Key Length C /R A lg o rith m C /R V a lu e Length 5 6 b it + 5 6 b it DES (ECB m o d e ) 6 4 b i t + 6 4 b it 5 6 b it + 5 6 b i t + 1 6 b i t DES (ECB m o d e ) 6 4 b it + 6 4 b i t + 6 4 b i t
-
LM
No
N TLM vl
YES
NTLMv2
YES
MD4 1 2 8 b it 5 6 b it + 5 6 b it + 1 6 b it DES (ECB m o d e ) 6 4 b it + 6 4 b it + 6 4 b it
MDS 1 28 b it 1 28 b it HMAC_M DS 1 28 b it
TABLE 5.2: LM, NTLMvl, and NTLMv2
Module 05 Page 574
NTLM A u th e n tic a tio n P ro c e s s

Client Computer
User types password into logon window
W indow Domain Controller

Domain controller has a stored copy of the user's hashed password t -----------------------------------\
Martin:1008:624AAC413795CDC1 4E835F1CD90F4C76:6F585FF8FF6 280B59CCE252FDB500EB8:::
Windows runs password through hash algorithm
I
M a rtin
Aa r8 ppq
Hash Algorithm
Martin:1008:624AAC4137 95CDC 14E835F1CD90F4C76:6F585FF8F F6280B59CCE252EDB500EB8: :
w Computer sends login request to DC
DC compares computers response with the response it created with its own hash If they match, the logon is a success
kgj89 pqr
DC sends logon challenge
Aa r8 ppq kgj89 pqr
Computer sends response to challenge
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides strong authentication for client/server applications than NTLM.
NTLM A u th en ticatio n P ro c e ss
N T L M in c lu d e s t h r e e m e t h o d s o f c h a l l e n g e - r e s p o n s e a u t h e n t i c a t i o n : L M N T L M v l , a n d N T L M v 2 . T h e a u t h e n t i c a t i o n p ro c e s s f o r all t h e m e t h o d s is t h e s a m e . T h e o n l y d i f f e r e n c e a m o n g t h e m is t h e leve l o f e n c r y p t i o n . In N T L M a u t h e n t i c a t i o n , t h e c l i e n t a n d s e r v e r n e g o t i a t e an a u t h e n t i c a t i o n p r o t o c o l . This is a c c o m p l i s h e d t h r o u g h t h e M i c r o s o f t n e g o t i a t e d S e c u r i t y S u p p o r t P r o v id e r (SSP). T h e p ro c e s s a nd t h e f l o w o f t h e c l i e n t a u t h e n t i c a t i o n t o a d o m a i n c o n t r o l l e r u sin g a n y o f th e N T L M p r o t o c o l s is d e m o n s t r a t e d in t h e f o l l o w i n g s te p s: Q e T h e c l i e n t ty p e s t h e u s e r n a m e a n d p a s s w o r d in t o t h e lo g o n w i n d o w . W i n d o w s r u n s t h e p a s s w o r d t h r o u g h a h a s h a l g o r i t h m a n d g e n e r a t e s a hash f o r th e p a s s w o r d t h a t has b e e n e n t e r e d in t h e lo g o n w i n d o w . Q T h e c l i e n t c o m p u t e r s e n d s a lo g in r e q u e s t a lo n g w i t h d o m a i n n a m e t o t h e d o m a i n c o n tro lle r. Q T h e d o m a i n c o n t r o l l e r g e n e r a t e s a 1 6 - b y t e r a n d o m c h a r a c t e r s tr in g c a lle d a " n o n c e " a n d se nd s it t o t h e c l i e n t c o m p u t e r . Q T h e c l i e n t c o m p u t e r e n c r y p t s t h e n o n c e w i t h a hash o f t h e u s e r p a s s w o r d a n d s e n d s it back to th e d o m a in c o n tro lle r.
Module 05 Page 575
T h e d o m a i n c o n t r o l l e r r e t r ie v e s t h e hash o f t h e u se r p a s s w o r d f r o m t h e S A M a n d uses it t o e n c r y p t t h e n o n c e . T h e d o m a i n c o n t r o l l e r t h e n c o m p a r e s t h e e n c r y p t e d v a lu e w i t h t h e v a lu e r e c e iv e d f r o m t h e c lie n t. If t h e v a lu e s m a tc h , t h e c l i e n t is a u t h e n t i c a t e d a n d t h e lo g o n is success.
4 * 0
User types password into logon window
Client Computer
Window Domain Controller

Domain controller has a stored copy of the user's hashed password
Martin **********
Hash Algorithm
Windows runs password through hash algorithm
@
Aa r8
U a r t i n : 1 0 0 8 : 6 2 4 M C 4 1 3 7 9SCDC 1 4 E 3 3 5 F 1 C D 9 0 F 4 C 7 6 : 6F 5 3S F F 9 F F 6 2 30 B 59 C C E 252 F D B 5 0C E B 8::
pq ppq kg kg;)85
Computer sends login request to DC
DC compares computer's response with the response it created with its own hash
DC sends logon challenge
Aa r8 ppq
If they match, the logon is a success
Computer sends response to challenge
pqr
FIGURE 5.15: NTLM Authentication Process
Module 05 Page 576
Kerberos Authentication
User request to the authentication server
CE H
Key D istribution Center (KDC)
Reply of authentication server to the user request
Authentication Server (AS)
Request to the TGS for a service ticket
Ticket Granting Server
......
Reply of the TGS to the client's request
(TGS)
Request to an application server to access a service
Reply to prove it really is the server the client is expecting
Application Server
K erb ero s A u th en ticatio n

K e r b e ro s is a n e t w o r k a u th e n tic a tio n p ro to c o l. It is d e s ig n e d to p r o v id e stro n g a u t h e n t i c a t i o n f o r c l i e n t / s e r v e r a p p l i c a t i o n s b y u sin g s e c r e t - k e y c r y p t o g r a p h y . T his p r o v id e s m u t u a l a u t h e n t i c a t i o n . B o th t h e s e r v e r a n d t h e u s e r v e r i f y t h e i d e n t i t y o f e a ch o t h e r . M e s s a g e s s e n t t h r o u g h K e r b e r o s p r o t o c o l a re p r o t e c t e d a g a in s t r e p la y a tta c k s a nd e a v e s d r o p p i n g . K e r b e ro s m a k e s use o f K e y D i s t r i b u t i o n C e n t e r (KDC), a t r u s t e d t h i r d p a r ty . T his c o n s is ts o f t w o lo g ic a lly d is t in c t p a rts : an A u t h e n t i c a t i o n s e r v e r (AS) a n d a T ic k e t G r a n t i n g S e rv e r (TGS). T h e a u t h o r i z a t i o n m e c h a n is m o f K e r b e ro s p r o v id e s t h e u s e r w i t h a T i c k e t G r a n t i n g T i c k e t (TGT) t h a t se rve s p o s t - a u t h e n t i c a t i o n f o r la t e r access t o s p e c ific services, Single Sign On b y w h i c h th e u s e r is n o t r e q u i r e d t o r e - e n t e r t h e p a s s w o r d a g a in f o r acc essing a n y se rv ice s t h a t he is a u t h o r i z e d f o r . It is i m p o r t a n t t o n o t e t h a t t h e r e w i ll be n o d ir e c t c o m m u n i c a t i o n b e t w e e n t h e a p p li c a t i o n s e rv e rs a n d Key D i s t r i b u t i o n C e n t e r (KDC); t h e se rv ic e tic k e ts , e v e n if p a c k e te d by TGS, re a c h t h e se rv ic e o n l y t h r o u g h t h e c l i e n t w i s h i n g t o access t h e m .
Module 05 Page 577
Key D i s t r i b u t i o n C e n te r (KDC)
User request to the authentication server
Reply of authentication serve! to the user request
Authentication Server (AS)
Request to the TGS for a service ticket
! ..> Ticket Granting Server (TGS)
Database
Reply of the TGS to the client's request
Request to an application server to access a service
Reply to prove it really is the server the client is expecting
FIGURE 5.16: Kerberos Authentication
Module 05 Page 578
Salting
Salting technique prevents deriving passwords from the password file Stored representation differs
C EH
171
Advantage: Defeats pre-computed hash attacks
Alice:root:b4ef2113ba4303ce24a83fe0317608de02bf38d> Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac Cecil:root:209bel;a483b303c23af34761de02be038fde08]<
Note: Windows password hashes are not salted.
S alting
S a ltin g is a w a y o f m a k in g p a s s w o r d s m o r e s e c u re by a d d in g r a n d o m s tr in g s o f c h a r a c te r s t o p a s s w o r d s b e f o r e t h e i r m d 5 h a s h is c a lc u la te d . This m a k e s c r a c k in g p a s s w o r d s h a r d e r . T h e l o n g e r t h e r a n d o m s tr in g , t h e h a r d e r it b e c o m e s t o b r e a k o r c ra c k t h e p a s s w o r d . T h e r a n d o m s tr in g o f c h a r a c te r s s h o u ld be a c o m b i n a t i o n o f a l p h a n u m e r i c c h a r a c te r s . T he s e c u r it y leve l o r t h e s t r e n g t h o f p r o t e c t i o n o f y o u r p a s s w o r d s a g a in s t v a r io u s p a s s w o r d a tta c k s d e p e n d s o n t h e le n g t h o f t h e r a n d o m s t r i n g o f c h a r a c te r s . This d e fe a t s p r e - c o m p u t e d hash a tta c k s . In c r y p t o g r a p h y , a s a lt co n s is ts o f r a n d o m b its t h a t a re used as o n e o f t h e i n p u t s t o a o n e - w a y f u n c t i o n a n d t h e o t h e r i n p u t is a p a s s w o r d . In s t e a d o f p a s s w o r d s , t h e o u t p u t o f t h e o n e - w a y f u n c t i o n can b e s t o r e d a n d u sed t o a u t h e n t i c a t e users. A s a lt can also be c o m b i n e d w i t h a p a s s w o r d b y a k e y d e r i v a t i o n f u n c t i o n t o g e n e r a t e a k e y f o r use w i t h c r y p to g ra p h ic a lg o r ith m . W i t h t h is t e c h n i q u e d i f f e r e n t h ash es can be g e n e r a t e d f o r t h e s a m e p a s s w o r d . This m a k e s th e a t t a c k e r 's j o b o f c r a c k in g t h e p a s s w o r d s d if f i c u l t . In t h is e x a m p le , t h e t w o users A lic e a n d Cecil h a v e t h e s a m e p a s s w o r d s b u t w i t h d i f f e r e n t hash v a lu e s . Since a r a n d o m hash is g e n e r a t e d f o r e ach in d iv id u a l user: A lic e :ro o t:b 4 e f2 1 :3 b a 4 3 0 3 c e 2 4 a 8 3 fe 0 3 1 7 6 0 8 d e 0 2 b f3 8 d a c ip h e r o r o th e r
Module 05 Page 579
B o b :ro o t:a 9 c 4 fa :3 2 8 2 a b d 0 3 0 8 3 2 3 e f0 3 4 9 d c 7 2 3 2 c 3 4 9 a c Cecil : r o o t : 2 0 9 b e l : a 4 8 3 b 3 0 3 c 2 3 a f 3 4 7 6 1 d e 0 2 b e 0 3 8 f d e 0 8
Module 05 Page 580
pwdump7 and fgdump

Adnwstrator C\WrxJows\5ystetn32\cmd.exe
CEH
p w d u m p 7 .exe
PWDUMP extracts LM and NTLM password hashesof local user accounts from the
3
ruitrjtof. Conrrond f*ro#rpl
L = 1 e
Security Account Manager (SAM) database
fyfe tn M Unun a l01,Js tb Attacker

fgdump.exe -h 192.168.0.10 -u AnAckainistrativeUser -p 14mep4ssw0rd
c U r)f *O r
Dumps a remote machine (192.168.0.10) using a specified user

p w d u m p 7 an d fg d u m p
p w d u m p 7 is an a p p li c a t i o n t h a t d u m p s t h e p a s s w o r d h ash e s (O W Fs) f r o m NT's SA M d a ta b a s e , p w d u m p e x tr a c ts L M a n d N T L M p a s s w o r d h ash e s o f local u s e r a c c o u n ts f r o m t h e S e c u r ity A c c o u n t M a n a g e r (S A M ) d a ta b a s e . T his a p p li c a t i o n o r t o o l r u n s b y e x t r a c t i n g t h e b in a r y S A M a n d SYSTEM File f r o m t h e f ile s y s t e m a n d t h e n t h e h ash es a re e x t r a c t e d . O n e o f t h e p o w e r f u l f e a t u r e s o f p w d u m p 7 is t h a t it is also c a p a b le o f d u m p i n g p r o t e c t e d files. Usage o f t h is p r o g r a m r e q u ir e s a d m i n i s t r a t i v e p r i v i le g e s o n t h e r e m o t e s y s te m .
Administrator C:\Windows\system32\cmd.exe
E:\CEH-Tools\CEHuR Nodule 05 System Hacking\Password CrackingM-Jindous Password C rackers\pudump?:*pwdunp7 .exe Pudunp v7.1 - raw password extractor )uthor: Andres Tarasco Acuna
iv l: h t t p :/ / o w u .5 1 4 .e s r : G 0 0 :N O B E 40C 450 A D 9 9 7 1 3 D r1 E D C G B 4 0 C 2 5 n
\dnini a t r a t o D47::: juest : 5 0 1 :N O
PflSSWKDW H H H H H H m H H H H H H H W I t ;;:
- B F 4 Q C 4 5 0 flB 9 9 7 1 3 B F 1 E B C 5 B 4 0 C 2 R A D 4 7 : : :
*:C25510219F66F9F12FC9BE662 LANGUAKD_11_USER:1006 :NO PASSWORD ****************** **** :C25519219 F66F9FI2FC9 BE662 }67B960:: :
* r im in : 1 0 0 7 : NO
juggyboy:1010:NO P A S S : 6 F E 5 E 4 3 B 6 7 B D 4 0 D 4 C B B 3 E 2 2 2 F 9 6 0 9 0 1 5 : Bini:1016:NO :BE40C450AB99713DF1EDC5B40C25AD47::: : BE40C450AB99713DF1EDC5B40C25AD47:::
E:\CEH-Tools\CEHv8 Module 05 Systen Hacking\Password Cracking\Windows Password C rac ke rs\pwdunp7 >
FIGURE 5.18: pwdump7 Extracting Raw Password in Window
Module 05 Page 581
Administrator Command Prompt

|C:\>f gdump rgDump 2.i.0 - fizzgig and the mighty group at foofus.net Uritten to make j0m0kuns life just a bit easier Copyright<C) 2008 fizzgig and foofus.net fgdump comes with ABSOLUTELY NO WARRANTY! This is free software, and you are welcome to redistribute it under certain conditions; see the COPYING and README files for nore information. Ho parameters specified, doing a local dump. Specify ? if you are looking for h elp. Session ID: 2012-09-21-04-50-58 Starting dump on 127.0.0.1 * * * Beginning local dump * * OS <127.0.0.1>: Microsoft Windows Unknown Server <Build 8400> <64-bit> Passwords dumped successfully Cache dumped successfully I Summary
Failed servers:
m 0 H E
Successful servers: 1127.0.0.1
FIGURE 5.19: fgdump Dumping Password in Window
fg d u m p
is b a s ic a lly a u t i l i t y f o r d u m p i n g
passw ords on W in d o w s
N T /2 0 0 0 /X P /2 0 0 3 /V is ta
m a c h in e s . It c o m e s w i t h b u i l t - i n f u n c t i o n a l i t y t h a t has all t h e c a p a b ilit ie s o f P W d u m p a n d can also d o a n u m b e r o f o t h e r c r u c ia l t h i n g s like e x e c u t in g a r e m o t e e x e c u ta b le a n d d u m p i n g t h e p r o t e c t e d s t o r a g e o n a r e m o t e o r local h o s t, a n d g r a b b i n g c a c h e d c r e d e n t i a l s .
Module 05 Page 582
LOphtCrack
EH
LOphtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and networks monitoring and decoding
LO phtC rack
S o u rc e : h t t p : / / w w w . I O p h t c r a c k . c o m L O phtC rack is a t o o l d e s ig n e d t o a u d i t p a s s w o r d a n d r e c o v e r a p p lic a tio n s . It is used t o r e c o v e r lo s t M i c r o s o f t W i n d o w s p a s s w o r d s w i t h t h e h e lp o f d ic t io n a r y , h y b r id , r a i n b o w t a b le , a n d b r u t e f o r c e a tta c k s a n d it is also used t o c h e c k t h e s t r e n g t h o f t h e p a s s w o r d . T h e s e c u r it y d e f e c t s t h a t a re i n h e r e n t in w i n d o w s p a s s w o r d a u t h e n t i c a t i o n s y s te m can be d is c lo s e d e a s ily w i t h t h e h e lp o f L O p h tC ra c k . W in d o w s o p e ra tin g s y s te m s , b a se d on th e LAN M anager n e tw o rk in g p r o t o c o ls , use an
a u t h e n t i c a t i o n s y s te m t h a t c o n s is ts o f an 8 - b y t e c h a lle n g e r e t u r n i n g a 2 4 - b y t e re s p o n s e across t h e n e t w o r k f r o m c l i e n t t o s e r v e r in a c h a l l e n g e / r e s p o n s e f o r m a t . T h e s e r v e r m a tc h e s t h e r e s p o n s e a g a in s t its o w n i n d e p e n d e n t c a lc u la tio n o f t h e 2 4 - b y t e re s p o n s e e x p e c t e d a n d th e m a t c h r e s u lts in a u t h e n t i c a t i o n . T h e a l g o r i t h m se g m e n ts and th e n d iv id e s t h e passw ord in to s e v e n -c h a ra c te r re s tric t th e passw ord h ash es i n d iv id u a lly . T his a llo w s t h e a t t a c k e r t o
c ra c k in g t o s e v e n l e t t e r s a nd m a k e s t h e p ro c e s s e a sie r. T h e w e a k n e s s o f t h e p a s s w o r d hash, c o u p le d w i t h t h e tr a n s m is s i o n o f t h e hash acro ss t h e fo rm a t, m akes LM -based s y s te m s h ig h ly s u s c e p tib le n e t w o r k in t h e c h a l l e n g e / r e s p o n s e to c h a lle n g e /re s p o n s e in te rc e p tio n
f o l l o w e d b y d i c t i o n a r y a n d b r u t e - f o r c e a t t a c k s b y LOphtC rack. L O p h tC ra c k 6 has t h e b u i l t - i n a b i l it y t o i m p o r t p a s s w o r d s f r o m r e m o t e W i n d o w s , i n c lu d in g 6 4 - b i t v e r s io n s o f V ista , W i n d o w s 7, a n d U n ix m a c h in e s , w i t h o u t r e q u i r in g a t h i r d - p a r t y u t i l i t y .
Module 05 Page 583
LOphtCrack Password Auditor v6.0.16 - [Untotied2]
View v Help Cracked Accounts
u
Run Import Import Wizard Hashes From Sniffer Begin
w
Pause
u
Stop
a
Session Options Schedule Scheduled Audit Tasks
Weak Passwords Expired Accounts
1 Disable Force Password | Accounts Change
< 1 Doman
Run ,
Report User Name

Admnstrator
BvSsh_V1 rtuaHJs<
Password Age (days)
Loc
A WIN-LXQN3...
A. WIN-MSSaC... Admitstrator
-m si
IN - M S S a C ...
-MSSaC... Guest
__h a s h
ta b le s
0 of 0 _fisst!ss_.fe1|0g
_ t i ! ! S _ S i a E I S f l
__
2 J
Messages
0 8 /3 1 /2 0 1 2 0 8 /3 1 /2 0 1 2 0 8 /3 1 /2 0 1 2 0 8 /3 1 /2 0 1 2 0 4 :3 6 : 5 9 s i n g l e - c o r e o p e r a t i o n . 0 4 :3 7 :0 1 Im p o r te d 2 a c c o u n t s fr o m t h e 0 4 :3 7 :0 1 A u d it s t a r t e d . 0 4 :3 7 :0 1 A u d i t i n g s e s s i o n c o m p le t e d . lo c a l m a c h in e
Od Oh Ora Os
S U fijliC S L U S S C g
FIGURE 5.20: LOphtCrack in Run Mode a
LOphtCrack 6 [ U ntifedl ] r
C raved Accounts Weak Passwords Begin Pause Stop Session Options Schedule Schedjled A u c it Tasks Expired Accounts
View ^ Help X
1) To begin, import haihes to retrieve accounts to audit. < 1 Run Report I

Pa ssw ord Risk Status Pa ssw ord Character Sets __ w o r d s
j
to ta l 29156
Medium Risk: 11.11%
Empty: 5.56%
__ words done
____2 _ d a !e
0 .0 3 Q V
_ _ h a s h _ - j ] jls s Hiah Rsk: 83.33% 1 15 2 0 Empty Hgh Risk Medium Risk Low Risk 5.56 % 83.33 % 11.11% 0.00 % 17 0 0 0 Alpha Alphanumeric Alphanumeric/Symbol Alphanumeric/Symbol. International 100.00 % 0.00 % 0.00 % 0.00 %
0 of 0
____S -d zis 0 .0 0 %
.t in e
0 of 0
Od OhlSm
e la p s e d 4s
t im s _ le f i.
1 n , 10 3 8 (
Od 2 1 1 1 4 1 3 3 Passw o rd Audit Method Passw o rd Length Distribution
Lfim g
_current_tet
C ZXUL
Brute Force: 100.00%
1 2 3 4 5 6 7 8 9 1011121314 Password Length
Dictionary Hybrid Precompjted
0.00 % 0.00 % 0.00 %
Messages
0 5 /2 2 /2 0 0 9 1 3 :2 3 :1 8 c ra c k e d f i r s t h a l f o f LH password f o r \s e v e n a w it h 8 r u te Force
c ra c k .
0 5 /2 2 /2 0 0 9 1 3 :2 3 :1 8 c ra c k e d f i r s t h a l f o f LM password f o r \ e i g h t a w it h s r u t e Force c ra c k .
FIGURE 5.21: LOphtCrack in Report Mode
Module
05 Page 584
Ophcrack
J and runs on multiple platforms
CEH
Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface
U kcr tu t* * * C lTK M pan r*pp kgrn ptrfttouf tVMtff tfoM fnw knob* tplum. p*yv**un tmcn#y* ktowtfr, ***worth
V Kan
LMNuh tt69def9cd6ec622Md)643)6)l40l fc29bc7r9)f1a2SlMd)64tt6)M04 l97W97a7c679l3M]b43*5MM kbUdlOAl 01fcMb7bc6V9Md)MbSlMM fa))*fe46670Md)64))6)t404 di<dc7M)lHMd)64))6)1Mm )706cfc*90b4)OMd)64})6)i4O4M 4fc6d4rt461ffdOMd)64})6)1404 ** 1 #*S1dl d1 ?d)641)6) 1404m <M6td90a97t147Md)64))6)1404 57WOMI0M6c4^1MI%H4O4w 60tfWd)<2)<ft:Md)64))6)i404 4d6 ' 7 k 1)6 1 d6*Md)64))6) 1404m 77M)k)7)4W0)M4)641)6)1404 4SWkk4T)6k7cMd)64n6)1404M M N M 12Uin+1t M N M n I cU4fafd4fc64?6<2)6;)7)40dK
6 6
NT Hath 9669cM2c( 7cU66M*97)JfcJdi7M 66c4t8U11(f67)}Ml9C1Ml*43f 479cf1299a6^670b4'961M6^ *44kO7t |7<f) 1 ) 1)UcrfT) 0{tWIHWr9121K>07y3bl17 tta0d61<4C7<)c4nd0c60KM?D* *066 9( * *66*>(**%(*64: 66f53a)a60MC''*l('499)M64M904 M96WOfcÛ002)M)0)6ttU<* S O I 1d)61< ka)f<6Maf3d6)0) ffdMUc*6l6k4aK4)W 4 1 1 *7 *4*<44| 9*** <'* :)V 1 0 I * dl 14141Mct206Ml6r71 c4*3 Mm4u0dr#4uo4c?cxun17f M < )44*41Ml)0.vf06.'l464r)6d044 n0UdNM41:72(*4]4M )61 <1H6HtlK)4<f|><> Kit>IW lll ))Qf199?l4)74*40))0)14M1t)7W
LM M 1 zxc OflMK PANDA COIAj N TiST OOOU MAKS WHO KONAftO AlTftU G OAT UNIT QUAIITV NI14M TAJtGA) *o n ^mcMMV.Inc*Ha > < ,
LMPw.d2 empty mpty empty tmpty mpty mpty mpty empty mpty mpty mpty mpty mpty mpty mpty mpty
N T ** Z B C d*w* panda co *m t* doom m*n wnd !ewd m * *
16 9 0 6 61
n*14W ray
16
161
0 1f*Ctoy
SUtwt
http://ophcrack.sourceforge.net
Copyright by B - C m
m
L All Rights Reserved. Reproduction isStrictly Prohibited.
O p h c ra c k
S o u rc e : h t t p : / / o p h c r a c k . s o u r c e f o r g e . n e t O phcrack is a W i n d o w s passw ord c r a c k in g to o l th a t uses ra in b o w t a b le s fo r c r a c k in g
p a s s w o r d s . It c o m e s w i t h a g r a p h i c a l u s e r i n t e r f a c e a n d r u n s o n d i f f e r e n t o p e r a t i n g s y s te m s such as W i n d o w s , L in u x / U n ix , e tc. F ea tures : Q Q 9 0 Cracks LM a n d N T LM hashes. B r u t e - f o r c e m o d u l e f o r s im p le p a s s w o r d s R e a l- tim e g ra p h s t o a n a ly z e t h e p a s s w o r d s . D u m p s a n d lo a d s h ash es f r o m e n c r y p t e d S A M r e c o v e r e d f r o m a W i n d o w s p a r t i t i o n .
Module 05 Page 585
opfKiac*
L r .. n L *
i
load *ogreaa w Uiet tKhc.bc cmeal pm gietpp kgrail* plefebjre tsnetcf igold*mar roboa tplum ptysenen tmcnayr kbutby hjmswerth ijv r jo t rfrvtmg .qaKjn cerniglu
t!
Delete SUtatxs
t!
Save | *efaente
1
Tabes
Crad>
O
Mdp
Cut
C
About
IM Hash 29b9dacd6e<b22a.d3M3SbS1404 fc29be7W5Ma28U*d3M3Sb5:4Mee 97W97a7ecC798Jad3b*J5b5HWe S<b38d1Dd9114e69M43b43SbS1OUe Dlfcia6te7bc6929Md36435b21404ee ea53*6e4bb7e0ead3b435b51404et dlcde97a8afie1flaa<M*Sb514&4e* 57X<afe8SeCb435ead3W3505iJOief 49ca6d4e94b1ffd0Md3M3SbS1Me f66u1tf6S1d1d12Md3b4?SbS14Mt ceeb8d90a97314e7aad3b435b514We 57fecM6109ad6<4ad3W3SbS14a1e bOd99deic 3dt2<c*dd3bJ3Sbb1AC4ee 4db?a7ete&3b 1dbdaad3W3Sb5 -*Wcc 778853<3734baC3aad3b43!to5140iee 4i3aOd<4f56k8<wd3b4J505l*>4e< Oe<S6M2e1126d}Tef3^8<Jb5a6 c924JUfd4a9<b47bc226Sb?3734Odac
MT Heah M<S02ec:c S2b6aeK7S3fc3d3S*S4 Mfbc4888d21d6 5Jea>91jbSe3e43r <'9ef12t9. S0a37Cto4 J61e6eSa6f UkOa7ct7eOl6#2ft>ê313S2ca673 Oct>bW83C5<7S7MiA2IO'9? 3b29i3' 99e0d&1c:c5c*8<J&c0cJd7D7$ 9aeO>b>9r76dbk1nad5de76eiO bbf*3<3abC6rek74?93tt643&Ot 649b9f09c2580C2384M58b9S22ct? 501 J8eddSbl<5<A<bM1#288dbJ ff ed6cf92c9ebb3f*SIW3W17e*11 *402(44S1$7f67cd99l2aSeS<ftMc3 Wcd8UU1 *cS2Ctxfc68b 71c6Ma3 ddeb39c46d3dfddM32G4<20Q2f$e37F 9ScS84ei19S3SeC22f>?8i6IIS6dCii 9X32edea6dt<KZf'2cdb4jO*fe<363 dia*>8c#d3U<f9c?8dc6*e*94 53091f9J7f4J74e4C33051WaW7W
LM Pwd 1 ZXC OCIMR PANDA COtAIN TEST DOOM2 MARS WIND LECfiARO ALTMA GOAT RAfiftT QUALITY NEM TARGAS ROXY s^mactwCdY'lr. CI<C(M<1 t V O i,
LM Pwd2 empty empty empty empty empty empty empty empty empty empty empty empty empty empty empty empty
NTRwd S M C deliver pinda <obam test doom2 man wnd leonard altima goa! rabbit quality nc1469 targat roxy i
lble
Directory
Status
,
ng ford: 74/*2 Tre dapaed: 0 *0 0a
N u t |
19
ute *orct: |
FIGURE 5.22: Ophcrack Screenshot
Module 05 Page 586
Cain & Abel

Cain & Abel is a password recovery tool for Microsoft operating systems
CEH
It allows recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording Vol P conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords, and analyzing routing protocols
|I= U
hte Vie* Confgj-e Tools Help ,e I II! S i + y >i 1 ,S | B s i? 0 o ^ 5 ? 11 1*CCJ 1- | .* . raess ] J} quety
sfr Network | S$j snffe- \ j * c 1 adc a l f i m Hash. & NTLMv2 Hashes (0) ) MS-Cade Haetee {> \ fc PWl flies (0) T O H CO-OlOS-MDSHSSt fB P1X M D 5Hast : AP0P-WD5 hashes $ CRAM M35 Hoohes 4 OSPFWDShajheH RIPv2 MDS Hsdxc 4 VRRP-HMAC j g VNC*3GC5(0) "i? M02 Mddtfs (0) MD4 iVri'cs (0) " f f05 haohes (0) J* 5 1 1 4 *1 hashes (0) 'J* SI1A-2 hashes (0) j ,R RtPEMD 16 0 Hashe: : 0 Kerb5FreAuth *teat Radus Shared-Key <5 IKE FSK Hashes (0) ) MS0L Hashes (0) ) MySQL Hashes (0) -
I>
. -* *
IM Hashes chaKnxe NT1MHashes m u Hashes fchalenge r n M Sm Ux Secirlty Hashes
Rortcvo&d Oninc
SHect/Jl N o* lest pajmcrc Add C Itt kc*rc\< I!* Cclete
dorfttvh1Teteanb
ReanoNC <1 Export
I if
C ain & A bel

S o u rc e : h t t p : / / w w w . o x i d . i t Cain & A b e l is a p a s s w o r d r e c o v e r y t o o l . It r u n s o n t h e M i c r o s o f t o p e r a t i n g s y s t e m . It a llo w s you to r e c o v e r v a r io u s u sin g kin d s o f passw ords by s n i f f i n g and th e n e tw o rk , c ra c k in g e n cryp te d V oIP
passw ords
d ic t io n a r y ,
b ru te -fo rc e ,
c ry p ta n a ly s is
a tta c k s ,
re c o rd in g
c o n v e r s a tio n s , d e c o d i n g s c r a m b le d
p a s s w o r d s , r e c o v e r i n g w ir e le s s n e t w o r k keys, r e v e a lin g
p a s s w o r d b o xe s, u n c o v e r i n g c a c h e d p a s s w o r d s , a n d a n a ly z in g r o u t i n g p r o t o c o ls . W i t h t h e h e lp o f t h is t o o l , p a s s w o r d s a n d c r e d e n t i a l s f r o m v a r io u s s o u r c e s can be r e c o v e r e d easily. It co n s is ts o f APR (A rp Po ison R o u tin g ) t h a t e n a b le s s n if fin g o n s w i t c h e d LAN s a n d m a n - i n m i d d l e a tta c k s . T h e s n if f e r in t h is t o o l is also c a p a b le o f a n a ly z i n g e n c r y p t e d p r o t o c o l s s u ch as HTTP a nd SSH-1, and c o n t a in s filte rs to ca p tu re c re d e n tia ls fro m a w id e ran ge of
a u t h e n t i c a t i o n m e c h a n is m s .
Module 05 Page 587
^JxJ
file View Configure Tools Help
Decoders Cracker * ^
| j 1 Network | '
Sniffer | ! /
Cracker | Q
Traceroute
|ICB CCDU |"ft"
Wireless
| :^ V) Query | NT Hash BE40C450AB99.. I chaleng
I LM Password *e m p ty Dictionary Attack
I < 8 I N T Pas... | LMHash AAD3B435B5H...
LM & NTLM Hash! NTLMv2 Hashes (0) MS-Cache Hashes (1 PWL files (0)
IB
n B
! a !Cisco IOS-MD5 Has!

! 1 ! Cisco PIX-MD5 Hash 'J ) APOP-MD5 Hashes >CRAM-MD5 Hashes 4 * OSPF-MD5 Hashes I RIPv2-MD5 Hashes $ VRRP-HMAC Hashe! g j VNC-30ES (0) m 2 d MD2 Hashes (0) y 1 MD4 Hashes (0) m 5 d MD5 Hashes (0) 5J0 SHA-1 Hashes (0) sJ* SHA-2 Hashes (0) ,R) RIPEMD-160 Hashe:0 Kerbs PreAuth Hash IKE-PSK Hashes (0) MSSQL Hashes (0) ) MySQL Hashes (0)
Cryptanalysis Attack Rainbowcrack-Ontne ActiveSync Select A Note Test password Add to kst Remove Remove Machine Accounts Remove Al Export Insert Delete >
LM Hashes + challenge NTLM Hashes NTLM Hashes + challenge NTLM Session Security Hashes
Ijfe. Radius Shared-Key
:lL
Lost packets: 0 %
LM & NTLM Hashes
FIGURE 5.23: Cain & Abel Screenshot
Module 05 Page 588
S o u rc e : h t t p : / / p r o j e c t - r a i n b o w c r a c k . c o m R a in b o w C r a c k c racks h ash e s w i t h r a i n b o w ta b le s . It uses a t i m e - m e m o r y t r a d e o f f a l g o r i t h m t o c ra c k hashes. A t r a d i t i o n a l b r u t e f o r c e c r a c k e r cra ck s h ash es d i f f e r e n t l y w h e n c o m p a r e d t o a t i m e - m e m o r y t r a d e o f f h a s h c ra c k e r. T h e b r u t e f o r c e hash c r a c k e r w ill t r y all p o s s ib le p la in t e x t s one by o n e d u r in g c ra c k in g , w h e r e a s R a in b o w C ra c k p re -c o m p u te s all p o s s ib le p la i n t e x t c i p h e r t e x t p a irs in a d v a n c e a n d s to r e s t h e m in t h e " r a i n b o w t a b l e " file . It m a y ta k e a lo n g t i m e t o p r e - c o m p u t e t h e ta b le s , b u t o n c e t h e p r e - c o m p u t a t i o n is fin is h e d , y o u w i ll be a b le t o cra c k t h e c i p h e r t e x t in t h e r a i n b o w ta b le s e a s ily a n d q u i c k l y .
Module 05 Page 589
RainbowCrack 1.5
File Edit Rainbow Table Help
Hash
0
0
c25510219f66f9fl2fc9be662a67b960 5ebe7dfa074da8ee8aeflfaa2bbde876 488cdcdd2225312793ed6967b28cl025 2d20d252a479f48ScdfSel71d9398Sb 0cb6948805f797bf2a82807973b89537
Plaintext ? apple green qwerty test
Plaintext in Hex 7 6170706C65 677265656e 717765727479 74657374
Comment Admin Martin Juggyboy Jason Shiela
0 0 0
>
Messages time of alarm check: time of wait: time of other operation: time of disk read: hash t reduce calculation of chain traverse: hash s reduce calculation of alarm check: number of alarm: speed of chain traverse: speed of alarm check: 2.14 s 0.00 s 0.17 s 0.59 s 14388000 35916894 57632 11.11 million/s 16.82 million/s -
E
V
FIGURE 5.24: RainbowCrack Screenshot
Module 05 Page 590
Password Cracking Tools

I W I
I
CEH
Password Unlocker Bundle

h ttp ://w w w .pas s wordunlocker. com
Passware Kit Enterprise

h ttp ://w w w . los tpas s word, com
0 S i
\
1
Proactive System Password Recovery

h ttp ://w w w . e!corns oft. com
PasswordsPro
1 , ,,
i s
http://w w w .insidepro.com
John the Ripper

h ttp ://w w w . openwall. com
LSASecretsView
h ttp ://w w w . nirsoft. net
Windows Password Cracker

h ttp ://w w w . windows -password<racker. com
LCP
h ttp ://w w w . Icps oft.com
WinPassword
h ttp ://la s tbit, com
Password Cracker
h ttp ://w w w . am ipage s. com
P assw o rd C ra c k in g Tools
P a s s w o rd c r a c k in g to o ls a ll o w you to reset unknown or lo s t W in d o w s loca l a d m i n i s t r a t o r , d o m a i n a d m i n i s t r a t o r , a n d o t h e r u s e r a c c o u n t p a s s w o r d s . It e v e n a llo w s users t o g e t access t o t h e i r lo c k e d c o m p u t e r i n s t a n t l y w i t h o u t r e i n s t a l l i n g W i n d o w s , in case o f f o r g o t t e n p a s s w o r d s . A f e w p a s s w o r d s c r a c k in g t o o l s a re lis te d as f o l lo w s : 0 0 0 0 0 0 0 0 0 0 P a s s w o rd U n l o c k e r B u n d le a v a ila b le a t h t t p : / / w w w . p a s s w o r d u n l o c k e r . c o m P r o a c tiv e S y s te m P a s s w o rd R e c o v e r y a v a ila b le a t h t t p : / / w w w . e l c o m s o f t . c o m J o h n t h e R ip p e r a v a ila b le a t h t t p : / / w w w . o p e n w a l l . c o m W i n d o w s P a s s w o rd C ra c k e r a v a ila b le a t h t t p : / / w w w . w i n d o w s - p a s s w o r d - c r a c k e r . c o m W i n P a s s w o r d a v a ila b le a t h t t p : / / l a s t b i t . c o m P a ssw a re Kit E n te r p r is e a v a ila b le a t h t t p : / / w w w . l o s t p a s s w o r d . c o m P a s s w o rd s P ro a v a ila b le a t h t t p : / / w w w . i n s i d e p r o . c o m L S A S e c re tsV ie w a v a ila b le a t h t t p : / / w w w . n i r s o f t . n e t LCP a v a ila b le a t h t t p : / / w w w . l c p s o f t . c o m P a s s w o rd C ra c k e r a v a ila b le a t h t t p : / / w w w . a m l p a g e s . c o m
Module 05 Page 591
Password Cracking Tools

(C o n td)
Kon-Boot
h ttp ://w w w . thelead82. com h ttp ://w w w . top-password. com
C EH
Password Recovery Bundle
Windows Password Recovery Tool

h ttp ://w w w . windowspasswords recovery, com
krbpwguess
h ttp ://w w w . cqure. net
Hash Suite
h ttp://hashs uite. open wall, net
THC Hydra
h ttp ://w w w . the. org
SAMInside
h ttp ://w w w . insidepro. com
Windows Password Breaker Enterprise

h ttp ://w w w . recoverwindowspass word, com
Windows Password Recovery

h ttp ://w w w .pas scape, com
!0
Rekeysoft Windows Password Recovery Enterprise

h ttp ://w w w . rekeys oft. com
IP J

S P assw o rd C ra c k in g Tools (C ontd)

T h e list o f p a s s w o r d c r a c k in g t o o l s c o n t i n u e s as f o l lo w s : K o n - B o o t a v a ila b le a t h t t p : / / w w w . t h e l e a d 8 2 . c o m W i n d o w s P a s s w o rd R e c o v e r y T o o l a v a ila b le a t h ttp ://w w w .w in d o w s p a s s w o rd s re c o v e rv .c o m
Hash S u ite a v a ila b le a t
h ttp ://h a s h s u ite .o p e n w a ll.n e t
S A M I n s id e a v a ila b le a t h t t p : / / w w w . i n s i d e p r o . c o m W i n d o w s P a s s w o r d R e c o v e r y a v a ila b le a t h t t p : / / w w w . p a s s c a p e . c o m P a s s w o rd R e c o v e r y B u n d le a v a ila b le a t h t t p : / / w w w . t o p - p a s s w o r d . c o m K r b p w g u e s s a v a ila b le a t h t t p : / / w w w . c q u r e . n e t THC H y d ra a v a ila b le a t h t t p : / / w w w . t h c . o r g W i n d o w s P a s s w o rd B r e a k e r E n te rp ris e a v a ila b le at h ttp ://w w w .re c o v e rw in d o w s p a s s w o rd .c o m
R e k e y s o ft W i n d o w s P a s s w o rd R e c o v e r y E n te rp ris e a v a ila b le a t h ttp ://w w w .re k e v s o ft. c o m
Module 05 Page 592
LM Hash Backward Com patibility
C EH
Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect with computers that are running the earlier versions of Windows
Older W indows clients do not use Kerberos fo r authentication
For backward compatibility, Windows 2000 and Windows Server 2003 support:
r r
LAN Manager (LM) authentication Windows NT (NTLM) authentication NTLM version 2 (NTLMv2) authentication
>
Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited
LM H ash B ack w ard C o m p atib ility ES

LM Hash B a c k w a r d C o m p a t i b i l i t y is a s e r v e r b ase d o n W i n d o w s 2 0 0 0 a n d W i n d o w s s e r v e r 2 0 0 3 a n d can a u t h e n t i c a t e u sers t h a t a re r u n n i n g all v e r s io n s o f W i n d o w s . W i n d o w s 9 5 / 9 8 c lie n ts d o n o t use K e r b e r o s f o r a u t h e n t i c a t i o n . For b a c k w a r d c o m p a t i b i l i t y , W i n d o w s 2 0 0 0 a n d W i n d o w s S e r v e r 2 0 0 3 s u p p o r t : Q Q LAN M a n a g e r (L M ) a u t h e n t i c a t i o n W i n d o w s NT ( N T L M ) a u t h e n t i c a t i o n N T L M v e r s io n 2 (N T L M v 2 ) a u t h e n t i c a t i o n
A n NT hash ( u n ic o d e hash) is u sed in N T L M 1 , N T L M v 2 , a n d K e rb e ro s . T h e L M a u t h e n t i c a t i o n p r o t o c o l uses t h e " L M h a s h . " Do n o t s to r e t h e LM hash, i f it is n o t n e ce ss a ry , f o r b a c k w a r d c o m p a tib ility . If LM h ash e s a re s t o r e d , W i n d o w s 9 5 , W i n d o w s 9 8 , o r M a c in to s h c lie n ts o f
n e t w o r k s m a y e x p e r ie n c e t h e b a c k w a r d c o m p a t i b i l i t y p r o b l e m .
Module 05 Page 593
How to Disable LM HASH

Use a Password that is at least 15 Characters Long
LM hash is not generated when the password length exceeds 15 characters
CEH
m
Implementthe NoLMHash Policy by editingthe registry
Locate the following key:
9
Implementthe NoLMHash Policy by using group policy

Disable "Network security: Do not store LAN Manager hash value on next password change" in Local Security Policy > Security Options
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa
9 Add key, ty p e N oLM H ash
I?
How to D isab le LM HASH

M e th o d 1: I m p l e m e n t t h e N o L M H a s h P o lic y by U sing a G r o u p Policy
T o d is a b le t h e s to r a g e o f LM hash in t h e S A M d a t a b a s e s b y a p p ly in g t h e lo c a l g r o u p p o l i c y , use t h e s te p s as f o l lo w s : In G ro u p Policy, s e le c t C o m p u te r C o n fig u ra tio n S ettin g s Q In t h e Local Policies > S e cu rity O p tio n s . list o f a v a ila b le p o lic ie s , d o u b l e - c l i c k N e tw o rk s ecu rity: Do n o t s to re LAN W in d o w s S ettin g s S e cu rity
M a n a g e r hash v a lu e on n e x t p as sw o rd change. 0 Click E n ab led >OK.
M e th o d 2: I m p l e m e n t t h e N o L M H a s h P o licy b y E d itin g t h e R e g is tr y L oca te t h e f o l l o w i n g key: H K E Y _ L O C A L _ M A C H IN E \S Y S T E M \C u rre n tC o n tro lS e t\C o n tro l\L s a A d d t h e key, a n d t y p e N o L M H a s h M e th o d 3: Use a P a s s w o rd t h a t is a t Least 15 C h a ra c te rs Long W in d o w s s to r e s an LM hash v a lu e th a t cannot be used to a u th e n tic a te th e user.
Module 05 Page 594
How to D efend against Password Cracking

Do not share passwords Do not use the Enable information security audit to monitor and track password attacks same password during password change Do not use passwords that can be found in a dictionary
C EH
Do not use cleartext protocols Avoid storing passwords in an unsecured location Do not use any system's default passwords Set the password change policy to 30 days
Copyright by EC -C auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
and protocols with weak encryption
How to D efend a g a in s t P assw o rd C ra c k in g

^ Password cracking, also known as password hacking, is the term used to define the process of gaining unauthorized use of the network, system, or resources that are secured with a password. The basic way of password cracking is guessing the password. Another way is to try various combinations repeatedly. It is done using a computer algorithm where the computer tries various combinations of characters until and unless a successful combination occurs. If the password is weak, then it can be cracked easily. In order to avoid the risk of password cracking, there are some best practices that help you to defend against password cracking. They are:
0 Don't share your password with anyone, as this allows another person to access your personnel information such as grades and pay statements, information that is normally restricted to you. Do not use the same password during a password change, i.e., one that is substantially similar to the previously used one.
Enable security auditing to help monitor and track password attacks. Do not use passwords that can be found in a dictionary. Q Do not use cleartext protocols and protocols with weak encryption.
Module 05 Page 595
Q Q
Set the password change policy as often as possible, i.e., for every 30 days. Avoid storing passwords in an unsecured location because passwords that are stored in places such as in a computer files are easily subjected to attacks. Do not use any system's default passwords.
Module 05 Page 596
How to D efend against Password Cracking (com !)

Make passwords hard to guess by using 8-12 alphanumeric characters in combination of uppercase and lowercase letters, numbers, and symbols
CEH
Ensure that applications neither store passwords to memory nor write them to disk
Use a random string (salt) as prefix or suffix with the password before encrypting
Enable SYSKEY with strong password to encrypt and protect the SAM database
Never use passwords such as date of birth, spouse, or child's or pet's name
Monitor the server's logs for brute force attacks on the users accounts
Lock out an account subjected to too many incorrect password guesses
Copyright by EC -C auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
How to D efend a g a in s t P assw o rd C ra c k in g (C ontd)

Additional best practices against password cracking include: Make passwords hard to guess by using eight to twelve alphanumeric characters in a combination of uppercase and lowercase letters, numbers, and symbols. Strong passwords are hard to guess. The more complex the password, the less it is subject to attacks. Q Ensure that applications neither store passwords to memory nor write them to disk. If the passwords are stored to memory the passwords can be stolen. Once the password is known it is very easy for the attacker to escalate their rights in the application. 0 Use a random string (salt) as prefix or suffix with the password before encrypting. This is used for nullifying pre-computation and memorization. Since salt is usually different for all individuals, it is impractical for the attacker to construct the tables with a single encrypted version of each candidate password. UNIX systems usually use 12-bit salt. Enable SYSKEY with a strong password to encrypt and protect the SAM database. Usually, the password information of user accounts is stored in the SAM database. It is very easy for the password-cracking software to target the SAM database for accessing the passwords of user accounts. So, to avoid such instances, SYSKEY comes into the picture. SYSKEY provides protection to the user account password information, i.e.,
Module 05 Page 597
stored in the SAM data against password-cracking software using strong encryption techniques. It is more difficult to crack encrypted password information than nonencrypted password information. Q Never use personal information as your passwords such as date of birth, spouse, or child's or pet's name. If you use such passwords, it becomes quite easy for the people who are close to you to crack those passwords. 0 Monitor the server's logs for brute-force attacks on user accounts. Though brute-force attacks are difficult to stop, they can easily be detected by monitoring the web server log. For each unsuccessful login attempt, an HTTP 401 status code gets recorded in your web server logs. Lock out an account subjected to too many incorrect password guesses. This provides protection against brute-force attacks and guessing.
Module 05 Page 598
Im plem ent and Enforce Strong Security P olicy

P e rm a n e n t A ccount L ockout
-
Urtrn*
c El
ltK4l IlM kw
E m ployee P riv ile g e A buse
Em ployee Nam e
Em ployee ID
Em ployee Address
Em ployee SSN
*
J
Em ployee Designation
D ep artm ent
M anager Nam e Termination Effective Date
M anager ID
N otice Period
IS
Benefits Continuation
fT
S e ve ran ce
Opening unsolicited e mail Sending spjm Lmanating Viruses
Refusal to abide by security policy Sending unsolicited e nuil Allowing kids to use company computer Disabling virus scanner Running P2P file sharing Unauthorized file/web serving Annoying the System Admin
IT * n j
Termination Reason
Port scanning Attempted unauthorised access Surfing porn Installing shareware Possession of hacking tools
Im p le m e n t a n d E nforce a Strong S ecu rity P olicy

A strong security policy provides the foundations for the successful implementation of security-related projects in the future; this is the first measure that must be taken to reduce the risk of objectionable use of any of the company's information resources. The first step towards augmenting a company's security is the introduction and implementation of an accurate yet enforceable security policy. The policy will also describe in detail the meaning of acceptable use, as well as listing prohibited activities. The proper implementation of a strong security policy is highly beneficial as it will not only turn all of your staff into participants in the company's effort to secure its communications, but also help reduce the risk of a potential security breach through "human-factor" mistakes. These are usually issues such as revealing information to unknown (or unauthorized sources), the insecure or improper use of the Internet and many other dangerous activities. Additionally, the erection process of a security policy will also help define a company's critical assets, the ways they must be protected, and will also serve as a centralized document, as far as protecting security assets is concerned.
Module 05 Page 599
P erm an en t Account Lockout - Em ployee P rivilege Abuse

Employer Name Employee Address Employee Designation 1 ^ Manager Name Employee 10 Employe* SSN Department Manager ID Notice Period Severance
Termination * ..r : Effective Oate _ 1^ Benefits Continuation
e 4 v >
9
\A
Termination Reason
Opening unsolicited e mail Sending spam Emanating Viruses Port scanning Attempted unauthorized access Sliding porn Installing shareware Possession ol hacking tools
Relus.1 l to abide by security policy Sending unsolicited e-mail Allowing kids to use company computet Disabling virus scanner Running P2P T ile sharing Unauthorized file/web serving Annoying the System Admin
FIGURE 5.24: Implement and Enforce a Strong Security Policy
Module 05 Page 600
v' y
CEH S ystem H ack in g Steps
Escalating privileges is the second stage of system hacking. In this stage, an attacker uses cracked passwords to gain higher level privileges in order to carry out highly privileged operations in the target system. The various tool and techniques that are used by attackers to esca ate the privileges are explained clearly in the following slides. IS 1 fc Cracking Passwords Escalating Privileges Hiding Files
Covering Tracks
Penetration Testing
Module 05 Page 601
P riv ileg e E scalation

An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges Attacker performs privilege escalation attack which takes advantage of design flows, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications These privileges allows attackerto view private information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.
T y p e s of P rivilege Escalation
V ertical Privilege Escalation
Requires to grant higher privileges or higher level of access than administrator This is accomplished by doing kernel-level operations that permit to run unauthorized code
Horizontal Privilege Escalation

Requires to use same privileges or higher level of access that already has been granted but assume the identity of another user with similar privileges
User
I can access the network using John's user account but I need "Adm in" privileges?
Copyright by
EC -C auactl. All Rights Reserved. Reproduction is Strictly Prohibited.
P riv ile g e E sc alatio n

In a privilege escalation attack, the attacker gains access to the networks and their associated data and applications by taking the advantage of defects in design, software application, poorly configured operating systems, etc. Once an attacker has gained access to a remote system with a valid user name and password, he or she will attempt to increase his or her privileges by escalating the user account to one with increased privileges, such as that of an administrator. For example, if the attacker has access to a W2K S P 1 server, he or she can run a tool such as ERunAs2X.exe to escalate his or her privileges to that of SYSTEM by using "nc.exe I -p 50000 -d -e cmd.exe." With these privileges the attacker can easily steal personnel information, delete files, and can even deploy malicious, i.e., unwanted program such as Trojans, viruses, etc. into the victim's systems. Privilege escalation is required when you want to gain unauthorized access to targeted systems. Basically, privilege escalation takes place in two forms. They are vertical privilege escalation and horizontal privilege escalation. Horizontal Privilege Escalation: In horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to the authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account.
Module 05 Page 602
Vertical Privilege Escalation: In vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of the user with higher privileges, such as application or site administrators. For example, someone performing online banking can access the site with administrative functions.
Attacker
I can access the network using John's user account but I need "Admin" privileges?
User
FIGURE 5.25: Working of Privilege Escalation
Module 05 Page 603
Privilege Escalation Tool: Active@ Password Changer

Active@ Password Changer resets local administrator and user passwords
Features
e Recovers passwords from multiple partitions and hard disk drives Detects and displays all Microsoft Security Databases (SAM ) Displays full account information for any local user
Active! Password Changer: User List
ers in SAN hve file at path: C:\W1ndows\SYSTEM32\CONFIG\SAM drive C: 0, size 98.23GB, File System: NTFS Total U3 er: DOM [ RID &55525I j X nCOOITQ 1 I User Name Administrator MGSCFT-S#rviee Gutct BvS9h_VirtuaU3er 1 Built-in *:count tor gu*ct accecc to tr># comp.. Bitvisc SSH Server automatically managed o c ... Descrpfon Built-in a:count tor admnistema the comcut..
i: ocoooifs
0C000XB
Select User's Accouit and press the Next' button.
<Back
Next >
cancel
http://www.password<hanger.com
Copyright by
E C -G 0 U IC 1 I.All Rights Reserved Reproduction is Strictly Prohibited.
P riv ile g e E sc a la tio n Tool: A ctive@ P assw o rd C hanger

Source: http://www.password-changer.com
Active@Password Changer is a password recovery tool that resets or recovers the local administrator and the user passwords when the administrator has lost or forgotten his or her password or if the administrator's user account was locked out or disabled. Its main features includes recovering passwords from multiple partitions and hard disk drives, displaying and detecting all the Microsoft Security Databases, resetting administrator's/user's password, displaying complete account information for any local user, etc.
Module 05 Page 604
Active@ Password Changer: User List

bsers m SAM hive fileat path: C:\Windows\SYSTEM32\CONFIG\SAM on drive C: 0 >siz e 98.23 G8, Fde System: NTFS Total Users: 0004
User Name
Description
i H
A 000003E9 000001F5
Administrator MGSOFT-Service Guest BvSsh_VrtualUsers
Built-in account for administering the comput... Built-in account for guest access to the comp... Bitvise SSH Server automatically managed ac...
is 000003E3
Select User's Account and press the Next' button.
< Back
Next >
Cancel
Help
FIGURE 5.26: Active( Password Changer Screenshot
Module 05 Page 605
P riv ile g e E sc a la tio n Tools

Offline NT Password & Registry Editor
h ttp://pogos tick, net
C EH
Windows Password Recovery Bootdisk

http ://w w w . rixler. com
Windows Password Reset Kit

h ttp://w w w .reset-w ind 0ws-passv 10rd.net
PasswordLastic
http://www.passwordla5tic.com
Windows Password Recovery Tool

h ttp ://w w w . windows pas swords recovery, com
Stellar Phoenix Password Recovery

h ttp ://w w w . 5te liar info, com
ElcomSoft System Recovery

h ttp ://w w w . elcom soft. com
Windows Password Recovery Personal

h ttp ://w w w . windows pass w ordrecovery. com
Trinity Rescue Kit

http ://trinity home, org
?.5|
Copyright
Windows Administrator Password Reset

http ://w w w . s ys tools group, com
by E&Cauactl. All Rights Reserved. Reproduction isStrictly Prohibited.
P riv ile g e E sc a la tio n Tools

Privilege escalation tools allow you to safely and efficiently remove, reset, or bypass Windows administrator and user account passwords in case you have lost or forgotten your password and cannot log in to your computer. With the help of these tools, you can easily gain access to the locked computer by resetting the forgotten or unknown password to blank. The attacker can use these tools for recovering the original passwords of the victim. A few privilege escalation tools are listed as follows: Q e 0 Offline NT Password & Registry Editor available at http://pogostick.net Windows Password Reset Kit available at http://www.reset-windows-password.net Windows Password Recovery Tool available at http://www.windowspasswordsrecoverv.com ElcomSoft System Recovery available at http://www.elcomsoft.com
Q Trinity Rescue Kit available at http://trinityhome.orR Q Windows Password Recovery Bootdisk available at http://www.rixler.com
Password Lastic available at http://www.passwordlastic.com 0 Stellar Phoenix Password Recovery available at http://www.stellarinfo.com
Module 05 Page 606
Windows Password Recovery Personal available at http://www.windowspasswordrecoverv.com Windows Administrator Password Reset available at http://www.systoolsgroup.com
Module 05 Page 607
Copyright by
How to D efend a g a in s t P riv ile g e E scalatio n

The best countermeasure against privilege escalation is to ensure that users have the least possible privileges or just enough privileges to use their system effectively. Often, flaws in programming code allow such escalation of privileges. It is possible for an attacker to gain access to the network using a non-administrative account. The attacker can then gain the higher privilege of an administrator. General privilege escalation countermeasures include: Q e 0 Q Q Q Restrict the interactive logon privileges Run users and applications on the least privileges Implement multi-factor authentication and authorization Run services as unprivileged accounts Use encryption technique to protect sensitive data Implement a privilege separation methodology to limit the scope of programming errors and bugs Reduce the amount of code that runs with particular privilege
Module 05 Page 608
Perform debugging using bounds checkers and stress tests
Q Test operating system and application coding errors and bugs thoroughly Q Patch the systems regularly
Module 05 Page 609
vulnerability to execute arbitrary code with higher privileges than they would otherwise have been allowed. By executing malicious applications, the attacker can steal personal information, gain unauthorized access to the system resources, crack passwords, capture screenshots, install a backdoor for maintaining easy access, etc. Detailed explanation about executing applications is as follows. 15 m Cracking Passwords Escalating Privileges Hiding Files
Q j ^ j Covering Tracks
I^^JU
Penetration Testing
Module 05 Page 610
Ex^cutiitg A pplications
J J Attackers execute malicious applications in this stage. This is called "owning" the system Attacker executes malicious programs remotely in the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install backdoor to maintain easy access, etc.
ytacke/.
Spyware
Backdoors
*
Crackers
.Copyright by E&CoUDCtl. All RightsReservei.Reproduction isStrictly Prohibited.
* E x ecu tin g A p plicatio n s

Attackers execute malicious applications in this stage. This is called "owning" the system. Executing applications is done after the attacker gains the administrative privileges. The attacker may try to execute some of his or her own malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor to maintain easy access, etc. The malicious programs that the attacker executes on victim's machine may be: Backdoors - Programming designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources. Q Crackers - Piece of software or program designed for the purpose of cracking the code or passwords. Keyloggers - This can be hardware or a software type. In either case the objective is to record each and every keystroke made on the computer keyboard.
Spyware - Spy software may capture the screenshots and send them to a specified location defined by the hacker. The attacker has to maintain the access to the victim's computer until his or her purpose is fulfilled. After deriving all the requisite information
Module 05 Page 611 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
from the victim's computer, the attacker installs several backdoors to maintain easy access to the victim's computer in the future.
Module 05 Page 612
Executing A pplications: Rem oteExec

J J Windows systems throughout the network
EEC!
RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on It allows attacker to modify the registry, change local admin passwords, disable local accounts, and copy/ update/delete files and folders
*. * !* * w o
MSI installation
* * " * >. _
MSI wktatlon
*XU
^ *t
r M ka
-1 / n l *.
* * 'w >r~--
___________________ _
Copyright by
Ilsl 11/i
E x ecu tin g A pplicatio n s: R em oteE xec

Source: http://www.isdecisions.com
RemoteExec allows you to remotely install applications and execute programs/scripts all over the network. Any file and folder can be updated, copied, as well as deleted instantaneously on Windows systems. With the help of this the attacker can change the Local Administrator Password remotely and can disable all other local accounts for reinforcing security. In addition, it can also reboot, shut down, wake up, and power off a computer remotely.
Module 05 Page 613
Hie
Tods
&incbv
Help
r3t#td
^ RemoteExec ;,- a Remote jobs B f l B New remote job ! C^, Rle executcn I
<
MSI installation
Rem0 teExec5 \orote p 35 /Ncw erocte xx>f4Hl rv.d k ten ^ Q* 1 [? MS: file Product name Operation ^ rn5fbtm Log level Arguments) v ] use sysiem account Don't te M o ogjng tostal [v VMW-fXS^LCK-K41VCD1T0cfcVCEHv8 NcdJe 05 System hadur Save in Ny Target Comp... Launch Launch in a new tab SchediJe Save in Ny Remote Jobs Save mNy Remote Actons
h o Update Installation j * &System action
!s z a
j {r]P o p u p
Q j Ne Operation Local accountm. ..
l Ndtble dctlors My Remote 33 bs My Remote Actions ~^ My Target computers -:-,J, Reporter 0 Hj]| Repcrb
jsl
) ^rabies j-9|, SchedJer
' " itO p f o n s
3 0 5 verson Table of content | |(jury arc^s
FIGURE 5.27: RemoteExec Screenshot
SemoceExec 0 Remote jobs l< Nsa remote job l-C J Fie execution .. i ! Update insta
MSI installation
RemoteEyer/ieroote jobsff leureno* po.NSI ratals ton
Launch Launch in a ne... SchedJe Save nMyRe...
i-iEiam m ] {%
System action [ _ } ' Fie Operation \-Q i Local account ... ! !51 Popup : 5 M jfoe actons
W3ri5t2toan
v HebreA
Z- -
Save n My Re... Save r My Tar...
: r jo C A lJH A C M r E \ 5 0 ftw a r e V k T c 5 0 f t \ < W n < 5 0 w s \ C u r r e n t V e r s jo n .
f 0 J Ny Remote Jobs EJk Ny Remote Acton* ^ O Trg#t Compu.. Reporter Rcpofb gt-jjrTl Tnhkc . Sdwduler ^ Optiore Don't
a c
h y tr on a a n o jw vrfw# tt* r*0 r k
y mwufwl
ramsaina
4 V/2NDOWS3 j | W fU C SB O M H l 4 V/lNUir85eKHQP ( amputm
Table o f . . . J Quick act..
FIGURE 5.28: RemoteExec in Target Computers Screenshot
Module 05 Page 614
Executing Applications: PDQ Deploy
C EH
PDQ Deploy is a software deploymenttool that allows admins to silently install almost any application or patch
PDQ Deploy 2.0 Pro Mode
1 -1
C 3 3 */
** Installti % C*ploymsnts j, Stheduki
i d
w , E d itIn s ta lle r D e p lo yN o w wN e wS c h e o u le
ID J 7
Created
Bapied me
Comput 1
Failed 0
Success.
Installer 1 Skypt
User Adminstrattx
[w i b T i l i5 4 PM 21 stcoreJs
Computer* Computer W IN IX Q N JW R 3 M M Status Successful StepError
| Computers f Detail 0 Running Deployments Submit Feedback
http://www.adminarsenal.com Copyright by E&Cauactl. All Rights Reserved. Reproduction isStrictly Prohibited.
1 ftL------------------J 1
E xecuting A pplications: PDQ D eploy 1 -1 1 ,^

Source: http://www.adrninarsenal.com
PDQ Deploy is a software deployment tool with which you can easily install almost any application or patch to your computer. MSI, MSP, MSU, EXE and batch installers can be remotely deployed to numerous Windows computers at the same time using this tool. You can easily and quickly deploy a packaged program to the selected or to all computers on your network quickly. The features of PDQ Deploy include that it integrates with Active Directory, Spiceworks, PDQ Inventory, and installs to multiple computers simultaneously, as well as realtime status, etc.
Module 05 Page 615

Fil Edit View Help
PDQ Deploy 2.0 Pro Mode
L=J
al
All Deployments Z Z All Schedules
Edit Installer
Deploy Now
New
0*
^
u
Installer Library Installers
Installer "]
D e ploym en ts^ ^ * Schedules
Com put. 1 Failed 0 Success... Installer 1 Skype User Administrator
^ ^
Skype
ID
w Created [9/4/2012 12:54 PM
Elapsed Time
New Target Ust
* $f 7
21 seconds
Computers Computer Status Successful Step Error
WIN-LXQN3WR3R9M
Computers
| Details
0 Running Deployments
FIGURE 5.29: PDQ Display Screenshot
Module 05 Page 616
Executing Applications: Dame Ware NT Utilities

DameWare NT Utilities (NTU) lets you manage servers, notebooks, and laptops remotely It allows attacker to remotely manage and administer Windows computers
r CU I
Copyright by
http://www.dameware.com E& Coincil. All Rights Reserved. Reproduction isStrictly Prohibited.
E x ecu tin g A pplicatio n s: D am eW are NT U tilities

Source: http://www.dameware.com DameWare NT Utilities allows you to manage servers, notebooks, and laptops remotely. With the help of this, you can manage and administer Windows computers remotely. It has the capability of solving end-user problems using a remote control. It can reboot the servers and notebooks remotely, take screenshots of remote desktops, take full control of the end-user's desktop quickly, copy as well as delete files on the remote computers, manage Windows Active Directory, etc.
Module 05 Page 617
DameWare N r Utilities - Services [WIN-DS9MR5HL9E4J

Pi AD Dcmiin Michm Toole Syetm Toole Strvict View Window H*lp
% 4^%
Browser
Active Directory ^ No AD Membership ( j | Microsoft Windows Network - <0 WORKGROUP - O : N0PDC Servers (4)
oo m
> ? x
Processes lA IN D 3 iMfttHl9e4l T0!aiServ1c#j:|14fi Status |C3r*.lde Services Device Drivers S f 1w (WIN*Oi9MKbH19(:4J X
Service Plug and Play
S ta tu e
Running Stepped Funning
Startup Manual Manual Automatic Automatic Manual Manual Manual Manual Manual Manual Manual Automatic
Account LocalSystem LocalSystem LocalSystem LocalSystem LocalSystem localS/stem localS/stcm localS/stem localS/stem NT Authority. localS/stem NT AUTHOR..
Binary
Ia J
C:\Wi ndows\system32\sYchost C:\Windows\system32\svchost C:\Wi ndo ws\system32\svchost C:\W1ndows\Sysrem 32\spoclsv C:\Wi ndows\system32\svchoet C:\Wi ndows\System 32\s/chost C:\Wi ndows\System 32\svchost C:\Wi ndowsXSystem32\svchost C:\W1ndows\Sysrem 32' s/chost C:\Windows\System 32\cvchost C:\Wi ndowsXSystem 32'svchost C:\Wi ndows\systern32\svchost
ffl 0 W1N-D39MR5HL9E4
{^Portable DeviceEnumerator Se vk
j * - Q W1N-IXQN3WR3R9M ! 0 B WlN-MSSELCiaK41 (Windows 8 Servr ! 3 . 0 W1N-ULY8S3KHQIP Workstations [3) ADMIN ADMIN-PC g j |
(a ^ P o r v e i
(^ P ro b le m
Remote
Printer E >
ft { > % &
Start Sen/ice
s I
j s 9 v ^ Q
v - 5 | WIND0WS8 Computers
$ $
Remote Remote
t ft t
Pause Service...
ontnue Service...
J 1
.nstall Service... Jnstal DNTU Service... nstal DWMRC Service.. Remove Service.. Shovi Scrvice Name /i#w Sr/ic Dpnd<rctts.Service Properties
Remote I Remote I Remote I
Favorite Domains vg Favorite Machines
Batch
lire Type
J Browcr
us
Information
y t* *
5 * 3!3% ?
LAP NUM SCKL 9/4/2012 3:27:38 PM
FIGURE 5.30: DameWare NT Utilities Screenshot
Module 05 Page 618
K eylogger
T
Keystroke loggers are programs or hardware devices that monitor each keystroke as user types on a keyboard, logs onto a file, or transmits them to a remote location
CEH
Keyloggers are placed between the keyboard hardware and the operating system
Legitimate applications for keyloggers include in office and industrial settings to monitor employees computer activities and in home environments where parents can monitor and spy on children's activity
Keystroke logger allows attacker to gather confidential information about victim such as email ID, passwords, banking details, chat room activity, IRC, instant messages, etc.
K ey lo g g ers
Keyloggers, also called keystroke logging, are software programs or hardware devices that record the keys struck on the computer keyboard of an individual computer user or network of computers. You can view all the keystrokes that are typed at any time in your system by installing this hardware device or programs. It records almost all the keystrokes that are typed by a user and saves the recorded information in a text file. As it is convert, the person does not know that their activities are being monitored. It is mostly used for positive purposes such as in offices and industrial settings for monitoring the employees' computer activities and in home environments where parents can monitor what their children are doing on the Internet. A keylogger, when associated with spyware, helps to transmit your information to an unknown third party. It is used illegally by attackers for malicious purposes such as for stealing sensitive and confidential information about victims. The sensitive information includes email IDs, passwords, banking details, chat room activity, IRC, instant messages, bank and credit card numbers, and other information that is typed by people every day. The data, i.e., transmitted over the encrypted Internet connection, is also vulnerable to keylogging because the keylogger tracks the keys struck before they are encrypted for transmission. The keylogger program is installed onto the user's system invisibly through email attachments or through "drive-by" downloads when users visits certain websites. Keystroke loggers are
Module 05 Page 619
stealth software that sits between keyboard hardware and the operating system, so that they can record every keystroke. A keylogger can: Q Q Record each keystroke, i.e., typed by the user, on his or her computer keyboard. Capture screenshots at regular intervals of time showing user activity such as when he or she types a character or clicks a mouse button. Track the activities of users by logging Window titles, names of launched applications, and other information. Monitor online activity of users by recording addresses of the websites that they have visited and with the keywords entered by them, etc.
Record all the login names, bank and credit card numbers, and passwords including hidden passwords or data that are in asterisks or blank spaces. Q Q Record online chat conversations. Make unauthorized copies of both outgoing email messages and incoming email messages.
Module 05 Page 620
Copyright by
E& Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
T ypes of K ey stro k e L o g g ers

A keylogger is a small software program that records each and every keystroke that is typed by the user at any time on a specific computer's keyboard. The captured keystrokes are saved in a file for reading later or otherwise transmitted to a place where the attacker can access it. As this programs records all the keystrokes that are typed through a keyboard, they can capture the passwords, credit card numbers, email address, names addresses, and phone numbers. Keyloggers have the ability to capture information before it can be encrypted for transmission over the network. This gives the attacker access to pass phrases and other wellhidden information. There are two types of keystroke loggers. They are hardware loggers and software loggers. These two loggers are used for recording all the keystrokes that are entered on a system on which they are installed.
Hardware L oggers
Hardware keyloggers are hardware devices look like normal USB drives. It is connected between a keyboard plug and USB socket. All the recorded keystrokes that are typed by the user are stored within a hardware unit. Attackers retrieve this hardware unit for accessing the keystrokes that are stored in it. The primary advantage of these loggers is that
Module 05 Page 621
they cannot be detected by antispyware, antivirus, or desktop security programs. disadvantage is that its physical presence can be easily discovered. Hardware keystroke loggers are classified into three main types: PC/BIOS Embedded
Its
Physical and/or admin-level access is necessary to the computer, and the application loaded into the computer's BIOS must be made for the particular hardware that it will be running on. BIOS-level firmware that manages keyboard actions can be modified to capture these events as they are processed. Keylogger Keyboard These keyloggers are used for recording keyboard events by attaching a hardware circuit with the keyboard's cable connector. It records the all the keyboard strokes to its own internal memory that can be accessed later. The main advantage of a hardware keylogger over a software keylogger is that it is not operating system dependent and hence, it will not interfere with any applications running on the target computer and it is impossible to discover hardware keyloggers by using any anti-keylogger software. External Keylogger External keyloggers are attached between a usual PC keyboard and a computer. They record each keystroke. External keyloggers do not need any software and work with any PC. You can attach them to your target computer and can monitor the recorded information on your PC to look through the keystrokes. There are four types of external keyloggers: Q PS/2 and USB Keylogger - Completely transparent to computer operation and requires no software or drivers for the functionality. Record all the keystrokes that are typed by the user on the computer keyboard, and store the data such as emails, chat records, applications useds, IMs, etc. Acoustic/CAM Keylogger - Makes use of either a capturing receiver capable of converting the electromagnetic sounds into the keystroke data or a CAM that is capable of recording screenshots of the keyboard. Bluetooth Keylogger - Requires physical access to the target computer only once, at the time of installation. Once this is installed on the target PC, it stores all the keystrokes and you can retrieve the keystrokes information in real time by connecting through a Bluetooth device. Wi-Fi Keylogger - Operates completely stand alone. Unlike a Bluetooth keylogger, this kind of keylogger doesn't require it be near the computer on which the dongle (recording device in Bluetooth keylogger) is installed to retrieve the keystroke information. This keylogger requires no software or drivers and is completely undetectable; it works on any PC. This records the keystrokes and sends the information by email over a predefined time interval.
Module 05 Page 622
Software K eystroke Loggers

_____ J it These loggers are the software installed remotely via a network or email attachment in the computer for recording all the keystrokes that are typed on the computer keyboard. Here the logged information is stored as a log file in a hard drive of the computers. Physical access is not required on the part of the person probing to obtain keystroke data because data is emailed out from the machine at predetermined intervals. Software loggers often have the ability to obtain much additional data as well, since they are not limited by physical memory allocations as are hardware keystroke loggers. Software keystroke loggers are classified into six types. They are: Application Keylogger Kernel Keylogger Rootkit Keylogger Device Driver Keylogger Hypervisor-based Keylogger Form-Grabbing-Based Keylogger Application Keylogger An application keylogger allows you to observe everything the user types in his or her emails, chats, and other applications, including passwords. With this you even can trace the records of Internet activity. It is a completely invisible keylogger to track and record everything happening within the entire network. Kernel Keylogger This method is used rarely because it is difficult to write as it requires a high level of proficiency from the developer of the keylogger. It is also difficult to conflict. These keyloggers exist at the kernel level. Consequently, they are difficult to detect, especially for user-mode applications. This kind of keylogger acts as a keyboard device driver and thus gains access to all the information typed on the keyboard. Rootkit Keylogger The rootkit-based keylogger is a forged Windows device driver that records all keystrokes. This keylogger hides from the system and is undetectable even with standard tools or dedicated tools. Device Driver Keylogger This kind of keylogger usually acts as a device driver. The device driver keylogger replaces the existing I/O driver with the embedded keylogging functionality. All the keystrokes performed on the computer are saved into a hidden logon file and then it is sent to the destination through the Internet. The log files sent to the destination by this keylogger are hidden and it is tough to distinguish from the operating system files, even while doing a directory listing of hidden files. Hypervisor-based Keylogger
Module 05 Page 623
A hypervisor-based keylogger is built within a malware hypervisor operating underneath the operating system and cannot be physically seen or touched. They are the same as virtual machines. FormGrabber-Based Keylogger In a form-grabbing-based keylogger, the web form data is recorded first and then after it is submitted over the Internet, it bypasses https encryption. Form-grabbing-based keyloggers log web form inputs by recording web browsing on the Submit event function.
Module 05 Page 624
Methodology of Attacker in Using Remote Kevtoaaer

-I J Attacker creates a malicious executable file Attacker gives this malicious file to the user through email or lures user to download it from website or malicious server J J -l Once user clicks this malicious file, the keylogger gets installed in user's machine w ithout his/her knowledge Keylogger secretly collects each keystroke as user types and saves it to a text or log file As the user connects to Internet, these files are sent to the remote location as configured by attacker
Keyboard Injection
Application Application
f -------1
Kcyboard-sys
\ Driver
| mouse.sys
1 j
usb.sys
_____ Other drivers
>------------
1J
-------\ Windows Kernel
HAL
Sends malicious file
L
User Keyboard <
__>
Copyright by E& Cam ctl. All Rights Reservfect;Reproduction is Strictly Prohibited.
M ethodology of A ttack er in U sing R em ote K ey lo g g er

For viewing the data remotely, the attacker first creates a malicious executable file and sending this malicious file to the victim through email (i.e., hiding the malicious file behind the genuine file, like an image or song), or otherwise lures the user to download it from a website or malicious server. Once the victim clicks this malicious file, the keylogger is installed on the victim system and the victim does not know that this keylogger software is installed on his or her system as it is invisible to the victim. The keylogger secretly collects each keystroke that is typed by the user and saves it to a text or log file. The log file may contain sensitive information such as bank account numbers and passwords, credit card numbers, phone numbers, addresses, etc. As the victim connects to the Internet, these files are sent to the remote location as configured by the attacker. Here the attacker does not need to have physical access to the victim's machine.
Module 05 Page 625
Keyboard
Injection
2
Hacker
User types ^ on a keyboard V \
passw o rd
Keylogger Injection
Driver Injection
Kernel Injection
Using if (Get Asynckeystate (character) = 32767)
Sends malicious file
User
Keyboard
I I S * Ik
Windows Kernel
mm
FIGURE 5.31: Methodology of Attacker in Using Remote Keylogger
Module 05 Page 626
Ethical Hacking and Countermeasures Copyright by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
Acoustic/CAM Keylogger
Acoustic Keylogger CAM Keylogger
CEH
m
Capturing Receiver Electromagn -etic Waves O Typed Alphabet
Camera
User Press "A
Copyright by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited
A coustic/C A M K ey lo g g ers
Acoustic keyloggers work on the principle of converting electromagnetic sound waves into data. The concept is that each key on the keyboard makes a slightly different sound when it is pressed. There are listening devices that are capable of detecting the subtle variations between the sounds of each keystroke and use this information to record what is being typed by the user. The acoustic keylogger requires a "learning period" of 1,000 or more keystrokes to convert the recorded sounds into the data. This is done by applying a frequency algorithm to the recorded sounds. To determine which sound corresponds to which key, the acoustic keylogger uses statistical data based on the frequency with which each key is used because some letters will be used much more than others.
Module 05 Page 627
A c o u s tic K e y lo g g e r
Electromagn -etic Waves
User Press A FIGURE 5.32: Acoustic Keyloggers
A CAM keylogger makes use of the webcam to record the keystrokes. The cam installed takes screenshots of the keystrokes and the monitor and sends the recorded screenshots to the attacker account at periodical intervals. The attacker can retrieve the keystroke information by probing the screen shots sent by the CAM keylogger.
C A M K e y lo g g e r
Camera
%
Transmit to the Hacker
Takes Screenshot
Hacker
User User Press A

FIGURE 5.32: CAM Keyloggers
Module 05 Page 628
K eyloggers
PS/2 Keylogger
USB Keylogger
Wi-Fi Keylogger
11r I
rn n H
Keylogger embedded inside the keyboard
Bluetooth Keylogger
Hardware Keylogger
Copyright by
E& Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
K ey lo g g ers
^ Beside the information discussed previously, acoustic/CAM keyloggers, there are other external keyloggers that you can use to monitor the keystrokes of someone's system. These external keyloggers can be attached between a usual PC keyboard and a computer to record each keystroke.
You can use following external hardware keyloggers to monitor user activity:
Module 05 Page 629
PS/2 Keylogger
USB Keylogger
Wi-Fi Keylogger
Keylogger embedded inside the keyboard
Bluetooth Keylogger
Hardware Keylogger
FIGURE 5.33: Different Types of Keyloggers
Module 05 Page 630
K eylogger: S p ytech Spy A gent
CEH
l ;
J J J
See all keystrokes user type Reveals all website visits Records all online searches performed See what programs and apps they use Tracks all file usage and printing Records online chat conversations See every email they send and receive Find out what they upload and download Uncovers secret user passwords
p .Tc rr omtonr&vnd survcilkncc softw
HLjLTI it
G e n e ra l U s e r A c t iv it ie s
K c y ? u & c $ .T y p e d
-4 <eys '.as* Sesso^
l 15 Windows logged
w m dovigflSjS ic B H
Sc.recriSpy Scrccnshots
15 Screenshots Looped
J J J J
<&
Prcgr2rs U sage
25f Apptcetions logged
Clipboard Logs
1 CSpboonis Logged
File/Op( tm cn ts U sage
137 File Events Logged
Event ?Timeline
263 Cverfs Logged
0P|ftPIB9e
5 3esons Logged Record Desktop Activity
In te rn e t A c t iv itie s
E Mails bent;Received
i ' L<^9d
J L
internet Activities
IS Conn*ex!ons loyynd
'A
WcbiHCi Vi&ilCCJ
W ^ t v M iv y -
5 ^ ^ 0 Convcnnbnn* 1 oggeH
Chd'l 'TrJnbLii'pti
Sch e dulin g I Schedule Monitoring Tmies oonavior * io n s . Rr*!tin) Activity AterMlV
View M ost Popular Activities Sum m ary Click here for E a sy Confiqui ation and Setup W izard
Program Options
Log Actions
Reports
Help
http://www.spytech-web.com
Copyright by
IP r
*
K eylogger: Spytech SpyAgent

Source: http://www.spytech-web.com
Spytech SpyAgent is software keystroke logger that allows you to monitor the keystrokes of the user computer on which it is installed. It can also allow you to monitor following things on a user computer: It can reveal all websites visited 0 0 0 0 0 0 0 It records all online searches performed It monitors what programs and apps are in use It can tracks all file usage and printing information It records online chat conversations It is also able to see every email communication on the user computer It helps you determine what the user is uploading and downloading It uncovers secret user passwords
Module 05 Page 631
You can download this software keylogger from its home site and install it on the computer you want to monitor, and then just click Start Monitoring. That's it! It will record a number of things for you about user activity on the computer.
> 1r r 1n o n nd rl s ou i rrv vp ilh n o ft w a r e c o m p u te r m o m cr o rin g^ e illa nr cp e s
Agent
General User A ctivitie s
General
Startup Settings and Conftg
Keystrokes Typed
44 K eys Last Session
Windows Viewed
1 5 W in d o w s L o g g e d
Ctmltgure Logging Options
Programs Usage
i 258 Applications Logged
ScreenSpy Screenshots
15 Screenshots Logged
Remote Log Delivery

Configure Rem ote DelWery
Clipboard Logs
1 Clipboards Logged
File/Documents Usage
137 File Events Logged
Advanced Options
Finer Control on Sp y Agent
Events Timeline
263 Events Logged
Computer Usage
5 Sessions Logged
Content Filtering
Filter and Block Acth
Internet A ctivities
ScreenSpy
Record Desktop Deski Activity
E Mails Sent/Received
0 E-Mails Logged
Internet Activities
15 Connections Logged
SmartLogging
Activity Triggered Logging
Websites Visited
0 Websites Logged
Chat Transcripts
0 Conversations Logged
Scheduling
Schedule Monitoring Times
View Most Popular Activities Summary Click here for Easy Configuration and Setup Wizard
P ro g ra m O p tio n s Log A c tio n s
Behavior Alerts
Real-time Activity A l e r l V
! R e p o rts
!! H elp
FIGURE 5.34: SpyAgent Screenshot
Module 05 Page 632
Keylogger: All In One K eylogger
C EH
(rtifwtf ttfciul lUilwt
Copyright by
lr|
K eylogger: All In O ne K ey lo g g er
1 Source: http://www.relytec.com All In One Keylogger is invisible keylogger surveillance software that allows you to record keystrokes and monitors each activity of the user on the computer. It allows you to secretly track all activities from all computer users and automatically receive logs to a desired email/FTP/LAN account. The keylogger automatically activates itself when Windows starts and is completely invisible. You can do following things using this software: Q Capture all keystrokes (keystrokes logger)
Record instant messages e e Q e e Monitor application usage Capture desktop activity Capture screenshots Quick search over the log Send reports via email, FTP, network
Record microphone sounds
Module 05 Page 633
Q Generate HTML reports
e
0
Disable anti keyloggers Disable unwanted software
Q Filter monitored user accounts e e e

0 Captured screenshots Send reports by FTP Send reports in HTML format Block unwanted URLs
Q Stop logging when the computer is idle
Log Viewer (only 7 days left to purchase a license) |WINMS$flCK4K41) All in u n e K e y lo g g e r
Log v ie w e r
1 2 1 O i
* 11 u u a ir a 11 x 2 3 2 2 5 2 7
Sr. < a d * r/ /
* M U * ()* V% T Leo VwCkat^g Wt Log v*wvtj Log '/wAulc Lag G To Viiinl I og Hie Ep!j Row* < uoetiag mioi Rscr KTML toper L a s t Auk> Log v tte'iErtwisc >wTe*Callcg swO*L9g
009M12 1 +2M 2 0^V3121e 2M 0MM#12 'CMS* C &O S-K12 C3 0SS CWOVM1 21 6J I 4* OSOV2I2 1 C3 20 1 OM OC/M 12 1 C 94 OdMiZt 1 21 C3 2(M 0Sn512lC.32M CV0^t21CU Clos'd 1C32 11
3 2
| Aavt Wndow Run Prog*m M1 n9#r UiiIiBbO N 0trp4< l L*Vwer (ey 7day. * topurera keeeUVW 4l*SLCK41C41! UMttd > **? UnUW O coQ k Ckion* M 014I* fir 10* Tat SwKtiMg UnliBed Gooulo Chiome lltwliO U}Chrome Best KrvtMMr O oivr bao 1 0C < eyto ffy k o sg o e e -. D Cowcee fiee irttlleybgper Mt ip u M a a u u i] Admln4*trto1's idle time: 0 mineies from I0U1 or. 1 (OS-
wSSm
*Ow
C S n*2* 12 1 34 N
Untitled - Notepad AH in Ore Keytogger software is a 1 Invisible Keylegge (<} {<} (<-) {<} o w r sjrvell! {<-) {<) {<-) !lance sotwara Keystrokes Recof {< } rder. spy {<-} {<-} {< } Spy software tool tt3. l rasters every activity cn your PC to encrypted logs The key I {<-} {< :<[ }[ )-} {-) Keylogger software allows you to secretly tra ck {<} {<} {<} {<} ck all actrflties t a n all cor-^yteis user {<) {<} {<} {<} {<} {<} users and automatically r a w logs to a desne emal {<} /FTP.lAfl accountrg
j[ ] M a r c h C e *
( 1 ? * iV jH fe W c rfO *
(< ) mthe Loci, cpace key Sho* I> j tlm
FIGURE 5.35: All In One Keylogger Screenshot
Module 05 Page 634
K eyloggers for W indows

Ultimate Keylogger
h ttp ://w w w . ultim atekeylogger. com
CEH
jM
Powered Keylogger
http ://w w w . m ykeylogger. com
Advanced Keylogger
h ttp ://w w w . mykeylogger. com
StaffCop Standard
http ://w w w . s taffcop. com
The Best Keylogger

h ttp ://w w w . thebestkeylogger.com
iMonitorPC
h ttp ://w w w . imonitorpc. com
SoftActivity Keylogger
h ttp ://w w w .softactivity. com
PC Activity Monitor Standard

http ://w w w . pcacme. com
Elite Keylogger
h ttp ://w w w . wides tep. com
::fnnl B Ih h I
KeyProwler
http ://keyprow ler. com
Copyright by
K ey lo g g ers for W indow s

Besides the keyloggers explained previously, there are so many software keyloggers available in the market; you can make use of these tools to record the keystrokes and monitor each activity of the user on the computer. These keyloggers are listed as follows. They all are used to record the keystrokes on the user computer. You can download these tools from their respective home sites as follows and start using them to monitor keystrokes and other user activity on the computer. Here is the list of keyloggers that run on the Windows operating system:. 0 0 0 0 0 0 0 0 Ultimate Keylogger available at http://www.ultimatekeylogger.com Advanced Keylogger available at http://www.mvkeylogger.com The Best Keylogger available at http://www.thebestkevlogger.com SoftActivity Keylogger available at http://www.softactivity.com Elite Keylogger available at http://www.widestep.com Powered Keylogger available at http://www.mykeylogger.com StaffCop Standard available at http://www.staffc0 p.c0 m iMonitorPC available at http://www.imonitorpc.com
Module 05 Page 635
Q Q
PC Activity Monitor Standard available at http://www.pcacme.com KeyProwler available at http://keyprowler.com
Module 05 Page 636
Key loggers for W indows

Ultimate Keylogger
h ttp://w w w .ultim atekeylogger.com
CEH
|M
Powered Keylogger
h ttp://w w w .m ykeylogger.com
Advanced Keylogger
http ://w w w .m ykeylogger. com
StaffCop Standard
h ttp ://w w w .staffco p.co m
The Best Keylogger

http://w w w .thebestkeylogg er.com
iMonitorPC
h ttp ://w w w . im onitorpc. com
SoftActivity Keylogger
h ttp ://w w w . softactivity.com
PC Activity Monitor Standard

h ttp://w w w .pcacm e.com
Elite Keylogger
h ttp ://w w w . w idestep. com
: Iml =[bb]
KeyProwler
h ttp://keyprow ler.com
Copyright by EC-G(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
K ey lo g g e rs for W indow s
0 0 0 0 0 0 0 0 0 0 You can also use following keyloggers that runs on the Windows operating system: Keylogger Spy Monitor available at http://ematrixsoft.com REFOG Personal Monitor available at http://www.refog.com Actual Keylogger available at http://www.actualkevlogger.com Spytector available at http://www.spytector.com KidLogger available at http://kidlogger.net PC Spy Keylogger available at http://www.pc-spy-kevlogger.com Revealer Keylogger available at http://www.logixoft.com Spy Keylogger available at http://www.spy-kev-logger.com Actual Spy available at http://www.actualspy.com SpyBuddy 2012 available at http://www.exploreanywhere.com
Module 05 Page 637
Keylogger for Mac: Amac Keylogger for Mac

Amac Keylogger for Mac invisibly records all keystrokes typed, IM chats, websites visited and takes screenshots and also sends all reports to the attacker by email, or upload everything to attacker's website
r C1 1 ! z E5
K ey lo g g er for M ac: A m ac K ey lo g g er for M ac

Source: http://www.amackeylogger.com Amac Keylogger is a keylogger that runs on Mac operating systems and allows you to spy on a Mac machine to secretly record everything on the Mac. It does the following things: Q Q Q 0 0 Log typed passwords Log keystrokes and chat conversations Record websites and take screenshots Log the IP address of the monitored Macintosh Automatically run at startup stealthily
Q Apply settings to all users with one click Q Q Send logs to email/FTP at preset intervals Password protect keylogger access
Module 05 Page 638
FIGURE 5.36: Amac Keylogger for Mac
Module 05 Page 639
K eyloggers for MAC

Aobo Mac OS X KeyLogger
h ttp ://w w w . keylogger-mac. com
CEH
KidLogger for MAC

http://kidlogger. net
Perfect Keylogger for Mac

h ttp ://w w w . blazingtools. com
MAC Log Manager

http ://w w w . keylogger. in
Award Keylogger for Mac

h ttp ://w w w . award-s oft. com
logkext
https://code.google.com
Mac Keylogger
h ttp://w w w .aw ard-soft.com
fr
Keyboard Spy
http://alphaom ega. 5o ftw a re.free.fr
REFOG Keylogger for MAC

h ttp ://w w w . re fog. com
FreeMacKeylogger
h ttp ://w w w . hwsuite. com
Copyright by
Like keyloggers for Windows, there are also many keyloggers that runs on the Mac operating system. These tools will assist you in recording keystrokes and monitoring the user activity on the target MAC OS computer system. You can download them from their respective home sites and they can be used to spy on a Mac machine to secretly record everything on the Mac. They enable you to record everything the user does on the computer such keystroke logging, recording email communication, chat messaging, taking screenshots of each activity, etc. You can use the following keystroke loggers for Mac OS: 0 Aobo Mac OS X KeyLogger available at http://www.keylogger-mac.com
K ey lo g g ers for M ac
0Perfect Keylogger for Mac available at http://www.blazingtools.com 0 0 0 0 0 Award Keylogger for Mac available at http://www.award-soft.com Mac Keylogger available at http://www.award-soft.com REFOG Keylogger for MAC available at http://www.refog.com KidLogger for MAC available at http://kidlogger.net MAC Log Manager available at http://www.keylogger.in
Module 05 Page 640
Q e Q
logkext available at https://code.google.com Keyboard Spy available at http://alphaomega.software.free.fr FreeMacKevlogger available at http://www.hwsuite.com
Module 05 Page 641
Ethical Hacking and Countermeasures Copyright by EC-C0UI1Cil All Rights Reserved. Reproduction is Strictly Prohibited.
H ard w are K ey lo g g ers
A hardware keylogger is a device that is connected in between a keyboard and the computer. It is used to record the keystrokes on the target user computer. Hardware keyloggers log all keyboard activity to their internal memory. The advantage of a hardware keylogger over software keyloggers is they it can log the keystrokes as soon as the computer starts. You can use following hardware keystroke loggers to achieve your goals.
K eyG host
Source: http://www.keyghost.com KeyGhost is a tiny plug-in device that records every keystroke typed on any computer. You can also monitor and record email communication, chatroom activity, instant messages, website addresses, search engine searches, and more with this plug-in keylogger. You do not have to install any software to record or retrieve keystrokes. Features: It is easy to use Installs in seconds; just plug it in Can be unplugged and information retrieved on another PC
Q Q
Uses no system resources Excellent real-time backup device

f < K ryO M A <U)k*#9t1 Ah C l : www.heyg'KSltont
The KeyGhost
Hardware
Kevkxroor is a tiny
plcg-in dc/iic that % (fJ

*
records every keysvcko typedon any PC computer
co

9 *Pmn Proirg -
TimeDate Stamping KeyGhost SX

Pto* So * c!k1k>*
mo
Cfck ktp
tte Me betov to toe K r O k m

KrvChog coaSX
SX wrfcK?
Pr*u n k u u
K ^ ,h o tittrrai * a id a o w MoCeK K tA fta in rr* M fw laf.nuQM igaf/ K/Ghcst Stf 312K F a * Wtmoo -SW K*/Ghct P o1 Flw ' S149 KsjQttaiPa Sf ?Mrgfcrtf FUahMemott tw
KeyGhost (.'SB Keylogger

CompMDU Mil M i PC
moM a cu s e k ty c t
FIGURE 5.37: KeyGhost Screenshot
KeyGrabber
Source: http://www.keydemon.com KeyGrabber is a hardware device that allows you to log keystrokes from a PS/2 or USB keyboard. A hardware video-logger is a tiny frame-grabber for capturing screenshots from a VGA, DVI, or HDMI video source.
' w w im i eyd#1>on com
KeyGrabber
Hardware Keylogger
W hat is <1 Imm I*hh k ry lo ijfjr i? A hardwaro kcytogôr it anl*c1rom < 6s.cc <jfablt <f taftjmg Iu>:1r>k1t f w i j H 2 or Lit ktvteard. A hardwuto video !099011; a D ny fan* gratfcer for ca scam 1) t<4 a1kots fro a VCA. CM 0 HOM vuUo ; KtyC*ibi4 1n tho wortfi Icacknj r>jVjctj ef kaiawara I 4 sl > 9^ 1 t ii stiao ik!ioic^.
K e y (r jb b e 1 U S B
NOW S 4 4 .9 9 !
M ntSouM , mtf M m < tl* M W M VITMK1M 5 1 I H -l loutv tor (Kjnrv Quirk *to Ky uamn cvyfeo aae layout .im r m u fiu lr tu w * m v
FIGURE 5.37: KeyGrabber Screenshot
Module 05 Page 643
Spyw are
J Spyware is a program that records users interaction with the computer and Internet without the a user's knowledge and sends them over the Internet to attacker J It is similar to Trojan horse, which is usually bundled as a hidden component of freeware programs that can be available on the Internet for download
C EH
Spyware is stealthy, and hide its process, files, and other objects in order to avoid removal It allows attacker to gather information about a victim or organization such an email addresses, user logins, passwords, credit card numbers, banking credentials, etc.
f,op a9 at/0
Drive-by download Piggybacked software .. installation
Spyware
41
Masquerading as anti-spyware
JJ r r
Copyright by
Browseradd-ons add-ons Browser
Web browser vulnerability exploits
f#
E& Caunc!. All Rights Reserved. Reproduction Is Strictly Prohibited.
Spyw are
Spyware is stealthy computer monitoring software that allows you to secretly record all activities of a computer user. It automatically delivers logs to you via email or FTP, including all areas of the system such as email sent, websites visited, every keystroke (including login/password of ICQ, MSN, AOL, AIM, and Yahoo Messenger or Webmail), file operations, and online chat conversations. It also takes screenshots at set intervals, just like a surveillance camera directly pointed at the computer monitor. Spyware is usually bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet. Spyware Propagation Installing the spyware on the user's computer doesn't require any consent from the user. You can install the spyware on the user's computer without their knowledge by "piggybacking" the spyware on other software programs. This is possible because spyware uses advertising cookies, which is one of the spyware subclasses. You can also be affected by spyware when you visit a website that distributes spyware. This is sometimes called "drive-by downloading" since it installs itself when you "drive by" the website. Because of a lack of user's attention in downloading and installing applications from the Internet, it is possible that the spyware is installed. The spyware propelled with other programs on the Internet masquerade as antispyware and run on the user's computer without any notice, when the user downloads and installs programs that are bundled with spyware.
Module 05 Page 644
W h a t D oes the Spyw are D o ?

Monitors users' online activity Displays annoying pop-ups Redirects a web browser to advertising sites
C EH
UrtNW4 itkKJl lUckM
Steals users' personal information and sends it to a remote server or hijacker
Changes web browser's default setting and prevents the userfrom restoring Adds several bookmarks to the web browser's favorites list Decreases overall system security level
Reduces system performance and causes software instability Connects to remote pornography sites Places desktop shortcuts to malicious spyware sites Changes home page and prevents the user from restoring Modifies the dynamically linked libraries (DLLs) and slow down the browser Changes firewall settings Monitors and reports websites you visit Copyright by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
W hat D oes th e Spyw are Do?

1 Once you have succeeded in installing spyware on a victim's computer, you can do many offensive things to the victim's computer. You can do following things with spyware installed on the victim's computer: 0 Steals users' personal information and send it to a remote server or hijacker
Monitor users' online activity 0 Display annoying pop-ups and redirect a web browser to advertising sites
Change web browser's default setting and prevent the user from restoring 0 0 0 0 0 0 0 Add multiple bookmarks to the web browser's favorites list Decrease overall system security level Place desktop shortcuts to malicious spyware sites Connect to remote pornography sites Reduce system performance and causes software instability Steal your passwords Send you targeted email
Module 05 Page 645
Q Q Q Q
Change the home page and prevent the user from restoring: Modifie the dynamically linked libraries (DLLs) and slow down the browser Change firewall settings Monitor and report websites you visit
Module 05 Page 646
Types of Spyw ares

D e sk to p S pyw are E m a il an d In te rn e t S pyw are C h ild M o n ito rin g S pyw are \ S cree n
) C a p tu rin g
S pyw are
USB S pyw are
A udio S pyw are
V ideo S pyw are
P rin t Spyw are
T e le p h o n e / C e llp h o n e S pyw are
GPS S pyw are
T ypes of Spyw are

There are 10 main types of spyware operating on the Internet that an attacker can use to steal information about user activity on computer without his/her consent and knowledge. The following are these 10 types: Q Q Q Desktop Spyware Email and Internet Spyware Child Monitoring Spyware Video Spyware Print Spyware Screen Capturing Spyware USB Spyware
e e e 0
Q Audio Spyware
GPS Spyware Cell Phone and Telephone Spyware
Module 05 Page 647
D esktop Spyware
Desktop| Spyware
Desktop spyware provides information regarding what network users did on their desktops, how, and when
) t
Live recording of remote desktops Record and monitor Internet activities Record software usage and timings
t
Record activity log and store at one centralized location Logs users' keystrokes
3 n
D esk to p Spyw are
A|
Copyright by Ettound. All Rights Reserved. Reproduction is Strictly Prohibited.
Desktop spyware is software that allows an attacker to gain information about a user's activities or gather personal information about the user and send it via the Internet to third parties without the user's knowledge or consent. It provides information regarding what network users did on their desktops, how, and when. Desktop spyware allows attackers to perform the following: 0 0 0 0 0 Live recording of remote desktops Record and monitor Internet activities Record software usage and timings Record activity log and store at one centralized location Logs users' keystrokes
Module 05 Page 648
Desktop Spyware: Activity Monitor

J Activity Monitorallowsyou to track any LAN and gives you the detailed information on what, how, and when network users performed
CEH
(rtifwd itkitjl
Features
View remote desktops e Record activity log e View communication history Take snapshots of the remote computer
D esk to p Spyw are: A ctivity M o n ito r

* Source: http://www.softactivity.com Activity Monitor is a tool that allows you to track any LAN, giving you the most detailed information on what, how, and when network users are performing on the network. This system consists of server and client parts. Activity Monitor Server can be installed on any computer in the whole LAN. Remote spy software is installed on all computers on the network that you want to monitor. Remote spy software is also known as the Agent, a small client program. Agent can be installed remotely from the PC with Activity Monitor Server on it or via Active Directory Group Policy in Windows domain. Any computer in the network under control can be spied on remotely with this tool just by installing the Agent on the computer. You can tune the activity monitor software to record activities of all the computers connected on the network. Features: Q Live view of remote desktops (screenshot)
Easy Internet usage monitoring Monitor software usage
Module 05 Page 649
Record activity log for all workplaces in one centralized location on a main computer with Activity Monitor installed
Store complete history of communications for every user (emails sent and received, IM chats, messages typed in web forums) Q Track any user's keystrokes, even passwords on your screen, in real-time mode Total control over networked computers. Start or terminate remote processes, run commands, copy files from remote systems. You may even turn the computer off or restart it, not to mention logging off the current user Q Deploy Activity Monitor Agent (the client part of the software) remotely from the administrator's PC to all computers in your network
Module 05 Page 650
D esktop Spyware
Remote Desktop Spy
h ttp ://w w w . global-spy-s oft ware, com
CEH
Net Spy Pro
h ttp ://w w w . net-monitoring-s oft ware, com
SSPro
h ttp ://w w w . gps oftde v. com
REFOG Employee Monitor

h ttp ://w w w . re fog. com
RecoveryFix Employee Activity Monitor

h ttp ://w w w . recovery fix. com

OsMonitor
h ttp ://w w w . os monitor, com
Employee Desktop Live Viewer

h ttp ://w w w . nucleus technologies.com
LANVisor
h ttp ://w w w . lanvisor. com
NetVizor
h ttp ://w w w . netvizor. net
Work Examiner Standard

http ://w w w . workexaminer.com
Copyright by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
i_nJ
D esk to p Spyw are
There is various desktop spyware available in the market that an attacker can use to monitor remote user desktops. This spyware can be used to monitor and record every detail of user PC and Internet activity. An attacker can log keystrokes, websites visited by the user, programs running on the user computer, chat conversations, email communication, downloaded files, opened/closed windows, etc. You can also take snapshots of the remote user desktop and much more. Some of desktop spyware software that attackers may use for monitoring user desktops remotely are listed as follows: Remote Desktop Spy available at http://www.global-spy-software.com e e
SSPro available at http://www.gpsoftdev.com RecoveryFix Employee Activity Monitor available at http://www.recoveryfix.com Employee Desktop Live Viewer available at http://www.nucleustechnologies.com NetVizor available at http://www.netvizor.net Net Spy Pro available at http://www.net-monitoring-software.com REFOG Employee Monitor available at http://www.refog.com OsMonitor available at http://www.os-monitor.com LANVisor available at http://www.lanvisor.com Work Examiner Standard available at http://www.workexaminer.com
Module 05 Page 651
E m a il and In tern et Sp yw are

Email Spyware
-I Email spyware monitors, records, and forwards incoming and outgoing emails, including web-mail services like Gmail and Hotmail J J It secretly records and sends copies of all incoming and outgoing emails to the attacker through specified email address It records instant messages conducted in: AIM, MSN, Yahoo, Twitter, Google+, Orkut, MySpace, Facebook, Gmail, etc.
CEH
if'
I I I I I I I I I I I I I I I I I I I
Internet Spyware
J J J J Internet spyware allows attacker to monitor all the web pages accessed by the users It provides a summary report of overall web usage It records the date/time of visits and the active time spent on each website It blocks access to a particular web page or an complete website
Copyright by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited
E m ail an d In te rn e t Spyw are

Em ail Spyware
------ Email spyware is a program or software that monitors, records, and forwards all incoming and outgoing emails, including webmail services such as Hotmail and Yahoo mail. Once installed on the computer that you want to monitor, this type of spyware records and sends copies of all incoming and outgoing emails to you through a specified email address or saves on the local disk folder of the monitored computer. This works in a stealth mode; the users on the computer will not be aware of the presence of email spyware on their computer. It is also capable of recording instant messages conducted in: AIM, MSN, Yahoo, MySpace, Facebook, etc.
Internet Spyware
Internet spyware is a utility that allows you to monitor all the web pages accessed by the users on your computer in your absence. It makes a chronological record of all visited URLs. This automatically loads at system startup. It runs in stealth mode, which means it runs in the background and the users on your computer can never detect this tool is installed on the computer. All the visited URLs are written into a log file and sent to a specified email address. Using Internet spyware, one can perform web activity surveillance on any computer. It
Module 05 Page 652
provides a summary report of overall web usage such as websites visited, and the time spent on each website, as well as all applications opened along with the date/time of visits. It also allows you to block access to a specific web page or an entire website by mentioning the URLs or the keywords that you want to block on your computer.
Module 05 Page 653
Email and Internet Spyware: Power Spy

Power Spy v l 1.1 Unregistered
CEH
Power Spy secretly monitors and records all activities on your computer It records all Facebook use, keystrokes, emails, web sites visited, chats, and IMs in Windows Live Messenger, Skype, Yahoo Messenger, Tencent QQ, Google Talk, AOL Instant Messenger (AIM), and others
Pow er Spy 1 S a e e n s h o t s
M *
c :ontrol Panel
G
S k y p e
F a c e D O O k
r t e b s it e s V is it e d K e y s t r o k e s 1
M S N M e s s e n g e r
A p p * c a o n s
0
H J e E3 &
Y a h o o M e s s e n g e r D o c u m e n t s C u p b o a r d
Export All Logs
E m a ils
A d m in is t r a t o r
D e le leA ll
lo g s
C*>* (c) u .tn .S W l Im< 2004-2012 All OfM rtr.4
http://ematrixsoft.com
0C
'
E m ail a n d In te rn e t Spyw are: Pow er Spy

Source: http://ematrixsoft.com
Power Spy software allows you to monitor your computer from a remote place whenever you are away from the PC. It records all Facebook use, keystrokes, emails, web sites visited, chats & IMs in Windows Live Messenger (MSN Messenger), Skype, Yahoo Messenger, Tencent QQ, Google Talk, GADU-GADU, ICQ, AOL Instant Messenger (AIM), and more. In addition, it even records clipboard data, passwords typed, documents opened, windows opened, and applications executed. It starts automatically with system startup, runs secretly, and sends log reports to your email or FTP. You can check these reports anywhere you like.
Module 05 Page 654
Power Spy vl 1.1 Unregistered
Power Spy
C o n tro l Panel
Buy Now
Screenshots
MSN Messenger
Applications
V o *9 a r
Face book Keystrokes Q ) r . Skype Yahoo Messenger Emails ( f a Documents CiipOoarO Q Export All Logs Delete All Logs
Copyright (c) M#tnxS*fc- IC. 2 0 0 4 -2 0 1 2 All ngKtl r1rv4.
f l
Start Monitoring
Stealth Mode
weositts visited
Configuration
0
O
User Manual
Technical Support
About & Contact
Administrator
Uninstall Me
FIGURE 5.39: Email and Internet Spyware by Using Power Spy
Module 05 Page 655
In te rn e t and E m a il Sp yw are
m
C EH
eBLASTER
h ttp ://w w w . spec tors oft. com
Spylab WebSpy
http ://w w w . spylab. org
!monitor Employee Activity Monitor
1r -Pl .3
Personal Inspector
h ttp ://w w w . spyars enal. com
h ttp ://w w w . employee-monitor ing-s oftware. cc
Employee Monitoring
h ttp ://w w w . employeemonitoring. net
CyberSpy
h ttp ://w w w . cyberspysoftw are. com
OsMonitor
h ttp ://w w w . os -monitor, com
#*
=
AceSpy
h ttp ://w w w . acespy. com
f3
Ascendant NFM
h ttp ://w w w . as cendant-s ecurity. com
EmailObserver
h ttp ://w w w . s ofts ecurity. com
In te rn e t an d E m ail Spyw are

Internet and email Spyware records as well as reviews all activities such as emails, instant messages, andkeystrokes on computers, tablets, and mobile phones. It even protects your family from danger online and safeguards your company from risk and loss. A fFew Internet and email spyware programs are listed as follows: 0 0 0 0 0 0 0 0 0 0 eBLASTER available at http://www.spectorsoft.com !monitor Employee Activity available at http://www.employee-monitoring-software.ee Employee Monitoring available at http://www.employeemonitoring.net OsMonitor available at http://www.os-monitor.com Ascendant NFM available at http://www.ascendant-security.com Spylab WebSpy available at http://www.spylab.org Personal Inspector available at http://www.spyarsenal.com CyberSpy available at http://www.cyberspvsoftware.com AceSpy available at http://www.acespy.com EmailObserver available at http://www.softsecuritv.com
Module
05 Page 656
Child Monitoring Spyware

O
Child monitoring spyware allows you to track and monitor what your kids are doing on the computer online and offline
UrtifM
CEH
ttfciul Nm Iwt
( f c xi
m W
Control and supervise how children use the PC and Internet
Child M onitoring Spyware

Child monitoring spyware allows you to track and monitor what your kids are doing on the computer online and offline. Instead of looking over the child's shoulder every time, one can use child monitoring spyware to know how they are spending time on the computer. This works in a stealth mode; your children will not be aware of the fact that you are watching over them. After the installation, this spyware logs the programs being used, websites visited, counts keystrokes and mouse clicks, and take screenshots of onscreen activity. All the data is accessible through a password-protected web interface. This also allows you to protect your kids from accessing inappropriate web content by setting specific keywords that you want to block. This spyware sends a real-time alert to you whenever the specific keywords are encountered on your computer or whenever your kids want to access inappropriate content. It also records selected activities, including screenshots, keystrokes, and websites. Child monitoring spyware records all the activities of your child on the computer and saves them either into a hidden encrypted file or sends to a specified email address. It also records the time at which they opened the applications, how much time they are spending on the Internet or computer, what they are doing on the computer, and so on.
Module 05 Page 657
C h ild M o n ito r in g Spyw are: N et N a n n y H o m e S u ite

Net Nanny Home Suite allows you to track and monitor whatyour kids are doing on the computer
CEH
It allows you to see logs of children's Internet activity and instant messages
Setting W indow
http://www.netnanny.com
Copyright by EC-Cauncl. All Rights Reserved. Reproduction is Strictly Prohibited.
Child M onitoring Spyware: Net Nanny Home Suite

Source: http://www.netnanny.com Net Nanny's parental control software with its Internet protection tools allows you to protect the child on the Internet from inappropriate content, pornography, and other offensive content. It is a filter that allows you to maintain your home Internet use from anywhere at any time via remote management tools. You can adjust the filter settings according to your personal preferences and need for monitoring web browsing and instant messaging from anywhere. It can generate alerts for IM predators and cyber bullies. It provides passwordprotected access for parents and customizable restrictions for each family member. You can see reports of your children's Internet activity and logs of instant messages.
Module 05 Page 658
O Add IK e r
Remove IH er
Your Net Nanny tnal wl expre 14 days. Buy Now I
S e t t in g W in d o w
FIGURE 5.40: Net Nanny Home Suite in Setting Window
Web
| instant Messagng | Sooal Networfang | Add%ns Stttngs |

W hen Blocked o r W arned
W eb B row sing
P EnaWe Web browsngsplay:

P Record Web activity
| Net Nanny blodi page J

K e yw ord B lociung
( Fiter Web content

Restrict browsing to speofic stes
C ategories
Manage keywords
Reset al categories to: | -Select|Stock j j E
0 Begjrf *9 *0 *3 |wT W ProxyI
AdJtâtuel*x * d
[S5T3 X A k o h d
(E5T "3 A
1 |
r j
SooHNttworla
I *d 4 6 > *
|*xk j J r 3 HeA**ree P
I *d
|S * ~ 3 n * fwnoflTiphy
P-TU . T b o
|5 5 weapons
h* z i
A
Profarvty Manage languages for profarvty m a4ang
brtv tfx ) . C Q fn m g Q Cht Sites |M d
|wjm _J &
lm ge/Wdeo Sea
|**w d
Rt*90u5
F i lt e r W in d o w
FIGURE 5.41: Net Nanny Home Suite in Filter Window
Module 05 Page 659
Child Monitoring Spyware

Aobo Filter for PC
h ttp ://w w w . aobo-porn-filter. com
CEH
p !
K9 Web Protection
h ttp ://w w w l. k9webprotection. com
CyberSieve
h ttp :/'/w w w . 5oftforyou. com
Verity Parental Control Software

h ttp ://w w w . nchsoftware. com
Child Control
h ttp ://w w w . 5alfeld. co
D
aaa c
Profil Parental Filter

h ttp ://w w w . profiltechnology. com
PC Pandora
h ttp ://w w w . pcpandora, com
::fn n l 5 ih h I
KidsWatch
h ttp ://w w w . kids watch, com
Child M onitoring Spyware

Some child monitoring spyware that is readily available in the market are as follows: Aobo Filter for PC available at http://www.aobo-porn-filter.com CyberSieve available at http://www.softforvou.com Child Control available at http://www.salfeld.com SentryPC available at http://www.sentrypc.com Spytech SentryPC available at http://www.spytech-web.com K9 W eb Protection available at http://wwwl.k9webprotection.com
Verity Parental Control Software available at http://www.nchsoftware.com Profil Parental Filter available at http://www.profiltechnology.com PC Pandora available at http://www.pcpandora.com KidsWatch available at http://www.kidswatch.com
Module 05 Page 660
Screen Capturing Spyware
CEH
R ecording
Screen capturing spyware takes screenshots or record screens video in stealth mode (Invisible/hidden to users) of local or remote computers at a predefined interval of time with encryption capability ,
M onitoring
It allowsmonitoringscreensin realtime of all the user activities on the network
C apturing
These spywares may also capture keystrokes, mouse activity, visited website URLs, and printer activity in realtime
Sending
Screen capturing spyware generally saves screenshots to a local disk or sends them to an attacker via FTP or email

Screen capturing spyware is a program that allows you to monitor computer activities by taking snapshots or screenshots of the computer on which the program is installed. This takes snapshots of the local or remote computer at specified time intervals and saves them either on the local disk in a hidden file for later review or sends them to an attacker through a predefined email address or FTP. Screen capturing spyware is not only capable of taking screenshots but also captures keystrokes, mouse activity, visited website URLs, and printer activities in real time. This program or software can be installed on networked computers to monitor the activities of all the computers on the network in real time by taking screen shots. This works in a stealth mode so you can monitor anyone's activities on the computer without their knowledge. With this spyware program, users can monitor a computer and determine the activities of users on the computer as they are looking at the computer live. This program runs transparently in the background. It takes screenshots for each and every application opened on the computer so users can know about each and every action of the computer in real-time.
Module 05 Page 661
S c r e e n C a p tu r in g S p yw are S oftA ctivityT S M o n ito r
SoftActivityTS Monitor is terminal server sessions recorder that captures every user action It captures screenshots of user activity such as picture of each visited web page, opened program, sent or received IM message, etc.
x X6iu xos Mott vhltd *wbiltei
by utr John
x 0 xccx xcoa?
5 0!
http://www .softactivity.com
Copyright by E&Cainc!. All Rights Reserved. Reproduction isStrictly Prohibited.
Screen Capturing Spyware: SoftActivity TS Monitor

Source: http://www.softactivity.com
SoftActivity TS Monitor is a terminal-server sessions recorder that captures every user action. It allows you to monitor the remote user's activities on your W indow s terminal server and monitor your employees who work from home or a remote area and during business trips via RDP. This can also monitor what users do on the client's network, without installing any software on your network. It can document server configuration changes by recording remote and local administrative sessions. Secure your corporate data by preventing information theft by insiders. Increase staff productivity and improve security. This terminal server monitoring software is completely invisible to monitored users.
Module 05 Page 662
Ji 2 to '
Programs Usage Screenshots This month Fron ].un 01 4 ? To: |jn/ 1 4 20 ! 2 t y Custom Rang*
tun toftArtivify Report* Scmh all tabs
L -/
. W ^
All dates Today
This week |Lott 7 days |
Open... Ejipoit Refresh
Yesterday Last 14 days
CYPRtiVMV. John [Last 1days]

| Work Duraton hirra) Cc*wputef | Itaer
<*>
t OPRESS H V Mn C V PR E S S -H V Peter
B
00:35:59 :03:30 00:03:25 00:05:02 00:01:36 00:00:49 00:00:17 00:00:04
Next
r\
Retordi. 12
FIGURE 5.42: SoftActivity TS Monitor Screenshot
Module 05 Page 663
Screen C ap tu rin g Spyware

Desktop Spy
h ttp ://w w w .spyars enal. com
CEH
PC Screen Spy Monitor

h ttp ://e m a trixso ft. com
IcyScreen
h ttp ://w w w . 16s o ft ware, com
Kahlown Screen Spy Monitor

h ttp ://w w w . lesoftrejion. com
Spector Pro
h ttp ://w w w .spec tors oft. com
1 S r1
g : 'S
Guardbay Remote Computer Monitoring Software

h ttp ://w w w . guardbay. com
PC Tattletale
h ttp ://w w w .p cta ttle ta le . com
HT Employee Monitor
h t tp ://w w w . hide tools. com
Computer Screen Spy Monitor

h ttp ://w w w . mysuperspy. com
Spy Employee Monitor

h ttp ://w w w .spys w. com

Screen capturing spyware is a program that allows you to monitor the computer activities of your child or employees by taking snapshots or screenshots for each and every application opened on the computer on which the program is installed. A few of the screen capturing spyware programs are listed as follows: Q Q e Desktop Spy available at http://www.spyarsenal.com IcyScreen available at http://www.16software.com Spector Pro available at http://www.spectorsoft.com PC Tattletale available at http://www.pctattletale.com Computer Screen Spy Monitor available at http://www.mysuperspy.com PC Screen Spy Monitor available at http://ematrixsoft.com Kahlown Screen Spy Monitor available at http://www.lesoftrejion.com Guardbay Remote Computer Monitoring Software available at http://www.guardbay.com Q HT Employee Monitor available at http://www.hidetools.com Spy Employee Monitor available at http://www.spysw.com
e
0
Module 05 Page 664
Ethical Hacking and Countermeasures Copyright by EC-C0UllCil All Rights Reserved. Reproduction is Strictly Prohibited.
/] USB Spyware
USB spyware is a program or software designed for spying on the computer and dumping into the USB device. USB spyware copies the spyware files from USB devices on to the hard disk without any request and notification. This runs in a hidden mode so the users of the computer will not be aware of the presence of the spyware on their computer. USB spyware provides a multifaceted solution in the province of USB communications. The USB spyware is capable of monitoring USB devices' activity without creating additional filters, devices, etc., which might damage the driver structure in the system. USB spyware lets you capture, display, record, and analyze the data that is transferred between any USB device connected to a PC and applications. This enables working on device driver or hardware development, which provides a powerful platform for effective coding, testing, and optimization and makes it a great tool for debugging software. It captures all the communications between a USB device and its host and saves it into a hidden file for later review. A detailed log presents a summary of each data transaction along with its support information. The USB spyware uses low system resources of the host computer. This works with its own time stamp to log all the activities in the communication sequence. USB spyware does not contain any adware or spyware. It works with most recent variants of Windows.
USB spyware copies files from USB devices to your hard disk in hidden mode without any request
It creates a hidden file/directory with the current date and begins the background copying process
It allows you to capture, display, record, and analyze data transferred between any USB device connected to a PC and applications
Module 05 Page 666
USB Spyware: USBSpy

Source: http://www.everstrike.com USBSpy lets you capture, display, record, and analyze data that is transferred between any USB device connected to a PC and applications. This makes it a great tool for debugging software, working on a device driver or hardware development, and provides a powerful platform for effective coding, testing, and optimization. It makes USB traffic readily accessible for analysis and debugging. Its filters and triggers cut the chase and presents only required data. Its interface makes communications easy to follow.
Module 05 Page 667
USBSpy
! Hi
[*
Qptnra tjetp
tof i k J i 7
i K l R)*2w 1tw eM u5eurM iM */'! > 1 Root Hue u j Ptt I : No <tevK connected AoatMue W I : No device connected 7 / Port 2: No device corrected D*H(lt)828OlOefl)1US8Urav*rwlHo0 , Root HUB Type 1*8 URB i n URB UR URB IM j URB m URB URB URB IIIB3 1 <* C*unr^Rew*t [ 0*411 Device Object 81CFC0X 81E96310 Service ufbhJb **> *>
USB Device Piopeitiet
Nun... 0 I
2
3 4
S
* 7
a
9 10
H i *!
fe w SUtf-Vtew Device Name 0 0 U5BROO-4 JQ 0000... ^ D rrvtfs
II 1 2
.c * Request Type w . Elapsed... Device Object BUU_OR_INTERRUPT_TRANS... IN 0.030043 U5BPDO-4 (0!81E. BUU.OR.WTtRRURT_TRANS.. IN 0.050072 US6PDO-4 (0<81E . BUU.ORJNTERRUPT TRANS. IN 0M 0N USBPDO-4(0*6IE.. OUU_0R JHTCRR URT_TRANS. IN 0 060006 U58PDO-4 (0*81E . BUU.OR .INTERRUPT _TRANS IN USBPDO-4 (0>81E 0.070101 USBPOO-4 (081E 8UU_0R_INTERRUPT_TRANS.. IN 0.070101 Intd(R) *280IM/WW USB U ve*/0070101 * Ho USBPDO-4 (0!81E BUU.OR JNTERRUPT.TRANS.. IN US6POO-4 (081E.. BUU.OR INTERRUPT .TRANS.. IN 0.070101 BUU _0R .INTERR UPT_TRANS... IN 0.060115 US6ROO-4 (0*B1E.. BUU.OR JNTERRURT TRANS.. IN 0.060115 USBPDO-4 (OxBlE BUU.OR JNTERRUPT.TRANS. IN 0.090130 USBPDO-4 (OxBlE.. BUU.OR JNTERRUPT.TRANS.. IN 0.090130 U$BPOO4( OxBlE.. BUU_OR_INTERRURT_TRANS. IN 0.110156 USBPDO-4 (0x6lE. v
1 0
<
9 X
USB HIO MOQan (74*17A0-7403 110086f t *0C3CF5
O ffs e t: 0000
He: 00
Dec:
B in : 00000000
0 0 0 0 0 00 10 0
9 0 0
A tc il
FIGURE 5.43: USB Spyware by Using USBSpy
Module 05 Page 668
USB Spyware
USB Monitor
h ttp ://w w w . hhds o ft ware, com
CEH
USB Monitor Pro
h ttp ://w w w . us b-monitor. com
* USB Activity Monitoring Software

h ttp ://w w w . datadoctor. org
r r- r a ^
USB Grabber
h ttp://usbgrabber. s ourceforge, net
USBTrace
h ttp ://w w w .s ys nude us. com
Stealth iBot Computer Spy

h ttp ://w w w . brickhousesecurity. com
USBDeview
h ttp ://w w w . nirs oft. net
KeyCarbon USB Hardware Keylogger

h ttp ://w w w . spywaredirect.net
Advanced USB Port Monitor

h ttp ://w w w . aggs oft. com
USB 2GB Keylogger

h ttp ://d iij.co m
USB Spyware
A few of USB spyware tools that are available in the market are listed as follows: 0 0 0 0 0 0 0 0 0 0 USB Monitor available at http://www.hhdsoftware.com USB Grabber available at http://usbgrabber.sourceforge.net USBTrace available at http://www.svsnucleus.com USBDeview available at http://www.nirsoft.net Advanced USB Port Monitor available at http://www.aggsoft.com USB Monitor Pro available at http://www.usb-monitor.com USB Activity Monitoring Software available at http://www.datadoctor.org Stealth iBot Computer Spy available at http://www.brickhousesecurity.com KeyCarbon USB Hardware Keylogger available at http://www.spywaredirect.net USB 2GB Keylogger available at http://diij.com
Module 05 Page 669
Audio Spyware
records and spies voice cha message of different instant messengers such as MSN voice chat, Skype voice chat, ICQ voice chat, MySpace voice chat, etc.
It saves the recorded sounds into hidden files and transfers them automatically through Internet to attacker
Malicious users use audio spyware to snoop and monitor conference recordings, phone calls, and radio broadcasts
Copyright by EC-Cauncl. All Rights Reserved. Reproduction is Strictly Prohibited.
Audio Spyware
Audio spyware is the sound surveillance program that is designed to capture the sound waves or voice onto the computer. The spyware can be installed on the computer without the permission of the computer user. The audio spyware is installed on the computer in a silent manner without sending any notification to the user and runs in the background to record various sounds on the computer secretly. Using audio spyware doesn't require any administrative privileges. Audio spyware monitors and records a variety of sounds on the computer. The recorded sounds are saved into a hidden file on the local disk for later retrieve. Therefore, attackers or malicious users use this audio spyware to snoop and monitor conference recordings, phone calls, and radio broadcasts, which may contain the confidential information. Audio spyware is capable of recording and spying voice chat messages of various popular instant messengers. With this audio spyware people can watch over their employees or children and see who they are communicating with. Audio spyware can be used to monitor digital audio devices such as various messengers, microphones, and cell phones. It can record audio conversations by eavesdropping and monitor all ingoing and outgoing calls, text messages, etc. They allow live call monitoring, audio surveillance, track SMS, logging all calls, and GPRS tracking.
Module 05 Page 670
A u d io Spyw are: Spy V o ice R e c o r d e r a n d Sound S n o o p er

Spy V o ice R eco rd er
Spy Voice Recorder records voice chat message of instant messengers, including MSN voice chat, Skype voice chat, Yahoo! messenger voice chat, ICQ voice chat, QQ. voice chat, etc. J J J J
CEH
Sound Snooper
Voice activated recording Store records in any sound format Conference recordings Radio broadcasts logging
F ile
Option About
! Sound Snooper
H i |W
Set Options [7 Au:uSt3rt
00:00:27.9
I Hds Tiay [con
Stop
I ... I I
File
Options
Help
save Pa 1h: ^:Vrocrair files livedata
Hide Insial Path
S B Live! W a v e D evice
Voice
Rctcrdiry Options
C Rc\.vt 0 iviJ 1 Pi Lyiam 3 la! lup | 1 I 50VC rfcaîinUM r Auto Record Task Managem ent W Auto Record When Skyp Voic Chut Aetvat] r Auto Record VVhfn QQ Voice Chat Activate r Auto Record when Yahoo! Messenger voce Chat Activate I~ Auto Recoid When Voce Chat Room Activate
hockey Setttxj (* Default Hockey C Set Hotkey
Ctrl 4 Alt 4 R___ Ctrl 4 Alt 4

V OK c )(C a n c e l
http://www.sound-snooper.com
h ttp://w w w . my superspy. com

Audio Spyware: Spy Voice Recorder and Sound Snooper

Spy V oice Recorder
Source: http://www.mvsuperspv.com Spy Voice Recorder is computer spy software that allows you to monitor sound and voice recorder on the system. It invisibly records online chat conversations made in popular chat programs or instant messengers including different types of voice chats available on the Internet such as MSN Voice Chat, Skype Voice Chat, Yahoo! Messenger Voice chat, ICQ Voice Chat, QQ Voice Chat, etc. This can also record other streaming audio from the Internet, music played, sounds from the microphone, earphones, etc.
Module 05 Page 671
Spy ?oi . ce R e c o r d e r
F ile Option About
M M
Set Options 5e AutoStart Recording Options
00:00:27.9
I- hide Tray Icon _______
Stop
View
Save Path: |D:V>rogram HesVycdVJata
|~ hide Install Path
C Record with Program Startup

(*
jSave Fles/Minutes
Auto Record Task Management |7 Auto Record When Skype Voice Chat Activate! Auto Record When QQ Voice Chat Activate Auto Record When Yahoo !Messenger Voice Chat Activate I- Auto Record When Voice Chat Room Activate
Hotkey Setting C Default Hotkey
Ctrl + Alt + R Ctrl + Alt + V ' OK , Cancel
C Set Hotkey
Exit
FIGURE 5.44: Spy Voice Recorder Screenshot
Sound Snooper
c S o u r c e : http://www.sound-snooper.com Sound Snooper is computer spy software that allows you to monitor sound and voice recorders on the system. It invisibly starts recording once it detects sound and automatically stops recording when the voice disappears. You can use this in recording conferences, monitoring phone calls, radio broadcasting logs, spying and employee monitoring, etc. It has voice activated recording, can support multiple sound cards, stores records of any sound format, sends emails with recorded attachments, and is supported by W indows.
ES S o u n d
File
Snooper
H lfil E3
Voice
Options
Help
S B Live! W a v e D evice
. . .
f f]
|1f r
J.1
Ji. ,
,,u U h
p jr
i1
.i
510 00 25:23
Sound Blaster W a v e D evice
Pause
50 02:05:32
------------------------------------------------------------------------------- 1
FIGURE 5.45: Sound Snooper Screenshot
Module 05 Page 672
Video Spyware
Video spyware secretly monitors and records webcams and video IM conversions
CEH
Attackers can remotely view webcams via the web or mobile phones
Video spyware can be used for video surveillance of sensitive facilities
It allows attacker to get live images from all the cameras connected to this system through Internet
User
Hacker
jLr
) Video Spyware
Video spyware is software for video surveillance. With this software, you can record
all video activity with a programmed schedule. This can be installed on the target computer without the user's knowledge. The video spyware runs transparently in the background, and monitors and records webcams and video IM conversions secretly. The remote access feature of video spyware allows the attacker to connect to the remote or target system in order to activate alerts and electric devices and see recorded images in a video archive or even get live images from all the cameras connected to this system using a web browser such as Internet Explorer.
User
Module 05 Page 673
V ideo Spyware: W ebC am R ecord er
CEH
Record wizard
etected im age
WebCam Recorder records anything on screen such as:

w Webcams playing in your browser w Video IM conversations w Content from video sites such as YouTube Any video playing on your desktop e Record anything displayed on screen
Finish
Retiy
Use manual selection
h ttp://webcam recorder. com
Copyright by E(M580ncB. All Rights Reserved. Reproduction isStrictly Prohibited.
Video Spyware: W ebCam Recorder

Source: http://webcamrecorder.com W ebCam Recorder is video surveillance software that allows you to record anything on screen such as webcams playing in your browser, video IM conversations, content from video sites such as YouTube, and video playing on your desktop.
Module 05 Page 674
Record wizard A u to -d e te c te d image
Cancel
Back
Next
Finish
FIGURE 5.46: Video Spyware by Using WebCam Recorder
Module 05 Page 675
Video Spyware
c WebcamMagic
h ttp ://w w w . robomagic. com
CEH
ID
\
Eyeline Video Surveillance Software

h ttp ://w w w . nchsoftware. com
IF !
MyWebcam Broadcaster
h ttp ://w w w . eyespyfx. com
Capturix VideoSpy
h ttp ://w w w . capturix. com
I-Can-See-You
h ttp ://w w w .internetsafetysoftw are.com
WebCam Looker
h ttp://felenas oft. com
Digi-Watcher
h ttp ://w w w . digi-watcher. com
SecuritySpy
h ttp ://w w w . bens oft ware, com
NET Video Spy

h ttp ://w w w . sarbas h. com
iSpy
h ttp ://w w w . ispy connect, com
Video Spyware
Many video spyware programs are available in the market for secret video surveillance. The attacker can use this software to secretly monitor and record webcams and video IM conversions. An attacker can use video spyware to remotely view webcams in order to get live footage of secret communication. W ith the help of this spyware, attackers can record and play anything displayed on victim's screen. A few of the video spyware programs used for these purposes are listed as follows: Webcam Magic available at http://www.robomagic.com M yWebcam Broadcaster available at http://www.eyespyfx.com l-Can-See-You available at http://www.internetsafetvsoftware.com Digi-Watcher available at http://www.digi-watcher.com NET Video Spy available at http://www.sarbash.com Eyeline Video Surveillance Software available at http://www.nchsoftware.com Capturix VideoSpy available at http://www.capturix.com WebCam Looker available at http://felenasoft.com SecuritySpy available at http://www.bensoftware.com iSpy available at http://www.ispyconnect.com
Module 05 Page 676
P rint Spyware
&
CEH
v jjr
X ____Prin ter
Printer spyware facilitates remote printer usage monitoring and used to detect exact print job properties such as number of copies, number of printed pages, and content printed It records all the information related to the printer activities in different formats and saves the information in encrypted logs and also sends the log file to a specified email address over Internet
User
Attacker
Print Spyware
Attackers can monitor the printer usage of the target organization remotely by using print spyware. Print spyware is printer usage monitoring software that monitors printers in the organization. Print spyware provides precise information about print activities for printers in the office or local printers, which helps in optimizing printing, saving costs, etc. It records all information related to the printer activities and saves the information in encrypted logs and sends the log file to a specified email address over the Internet. The log report consists of the exact print job properties such as number of pages printed, number of copies, content printed, the date and time at which the print action took place. Print spyware records the log reports in different formats for various purposes such as web format for sending the reports to an email through the web or Internet and in hidden encrypted format to store on the local disk. The log reports generated will help attackers in analyzing printer activities. The log report shows how many documents were printed by each employee or workstation, along with the time period. This helps in monitoring printer usage and to determine how employees are using the printer. This software also allows limiting access to the printer. This log report helps attackers to trace out information about sensitive and secret documents that have been printed.
Module 05 Page 677
Attacker
FIGURE 5.47: Working of Print Spyware
Module 05 Page 678
P rin t Spyw are: P r in te r A c tiv ity M o n ito r

each of the selected printers, the number of pages printed, the computer ordering the printing, etc.
UrtifW4 ttkKjl M mh a t
C EH |
Printer Activity M onitor allows you to m onitor and audit printers and find out which documents are printed on
http://www .redline-software.com
Copyright by EfrCainci. All Rights Reserved. Reproduction is Strictly Prohibited.
Print Spyware: Printer Activity Monitor

Source: http://www.redline-software.com Printer Activity Monitor is one of the print spyware programs that an attacker can use to monitor printer usage of the target organization to get information about printed documents. This spyware allows attackers to monitor and audit printers so that he or she can find out which documents are printed on each of the selected printers, the number of pages printed, etc. Attackers can do the following things with help of Printer Activity Monitor: 0 0 0 0 Accurately track print jobs Monitor large numbers of printers simultaneously M onitor printers remotely Generate reports about printer usage
Module 05 Page 679
Module 05 Page 680
P rint Spyware
Print Monitor Pro
w~_ I h ttp ://w w w .spyars enal. com
CEH
Print Job Monitor
h ttp ://w w w . Imonitors oft. com
Accurate Printer Monitor

h ttp ://w w w . aggs oft. com sT^
PrintTrak
http ://w w w .lygil.com
Print Censor Professional

h ttp ://u sefu lso ft. com
Printer Admin -Copier Tracking System

h ttp ://w w w . printeradmin. com
All-Spy Print
h ttp ://w w w . all-spy. com
*j A
l*^
Print Inspector
h ttp ://w w w . soft perfect, com
O&K Print Watch

3 http://w w w .prnw atch.com
too
Print365
h ttp ://kra w a so ft. com
Copyright by EG-Gonid. All Rights Reserved. Reproduction is Strictly Prohibited.
4 1 Print Spyware
Attackers can also use the following printer monitoring applications as printer spyware to get information about target printer usage. This printer spyware helps attackers to track printer usage such as content of documents printed, number copies printed, date and time at which the print action took place, and so on. A few print spyware programs are listed as follows: 0 0 0 0 0 0 0 0 0 0 Print Monitor Pro available at http://www.spyarsenal.com Accurate Printer Monitor available at http://www.aggsoft.com Print Censor Professional available at http://usefulsoft.com All-Spy Print available at http://www.all-spy.com O&K Print Watch available at http://www.prnwatch.com Print Job Monitor available at http://www.imonitorsoft.com PrintTrak available at http://www.lygil.com Printer Admin - Copier Tracking System available at http://www.printeradmin.com Print Inspector available at http://www.softperfect.com Print365 available at http://krawasoft.com
Module 05 Page 681
T e le p h o n e /C e l l p h o n e S p y w a r e
J J Telephone/cellphone spyware monitors and records phone calls, text messages, and tracks employee cell phone usage Attackers install spyware on the devices they want to track, which secretly sends data such as call history, text message, web browser history, actual location of phone, contacts, etc. to attackers through SMS or email
C EH
Satellite
Transmission Tower
Copyright by EG-Gonid. All Rights Reserved. Reproduction is Strictly Prohibited
T elep h on e/C ell Phone Spyware

Telephone/cell phone spyware is a software tool that gives you full access to monitor a victim's phone or cell. It will completely hide itself from the user of the phone. It will record and log all activity on the phone such as Internet use, text messages, and phone calls. Then you can access the logged information via the software's main website or you can also get this tracking information through SM S or email. Usually, this spyware can be used to monitor and track phone usage of employees. But attackers are using this spyware to trace information from their target person's or organization's telephones/cell phones. Using this spyware doesn't require any authorized privileges. M ost common telephone/cell phone spyware features include: 0 Call History - allows you to see the entire call history of the phone (both incoming & outgoing calls). 0 View Text Messages - enables you to view all incoming and outgoing text messages. Even deleted messages can be viewed in the log report.
0
W eb Site History - the entire history of all websites visited through the phone will be recorded to the log report file.
Module 05 Page 682
GPS Tracking - The spyware will show you where the phone is in real time. There is also a log of the cell phone's location so you can see where the phone has been.
It works as depicted in the following diagram.
Satellite
User
Tower
FIGURE 5.49: Working of Telephone/Cell Phone Spyware
Hacker
Module 05 Page 683
C ellphone Spyware: M obile Spy

Source: http://www.phonespysoftware.com Mobile Spy is mobile spyware that helps you to monitor and record the activities of a target mobile phone. You need to install this software on the mobile phone. W ith help of this software, you can record activities, logs, and GPS locations of target. To view the results, you simply need to log in to your secure account using any computer or mobile web browser. Logs are displayed by categories and sorted for easy browsing. It allows an attacker to record text messages, monitor social media, monitor websites, track GPS location, record photos and videos taken, watch the live control panel, view call details, etc.
Module 05 Page 684
f Ml tpy 0**'*> h n W in < 1w ( )
Uplo
PkkI !>>*' >*
(0M e *Ify C w fc w C H IIW Wykm
(W W !*ln W <
* | | X 1 a ** ^
e H t> > W %wiblt l#v(err, nrrHf non0*P Pg mtyxty&pjnt D & !> < > . (U lC 'O tn( {a
t^tw<c /r*m w 1 /*< jn p > <} 1 > *oll1 > < x rt(< r< *U 4 O w *0
t+ (M V4. (Mk 1% u g i > DM c o a tw CM ntcoM M KM vnvroo
< < * **
t m * ip UttM ioM iM iirM M u fip ro ** ..
^ E ' *
*!
2 0 0 7 0 4 2 32204C O 2 0 0 7 0 4 2 01/11*0 2 0 0 7 0 4 2 0 3 i C O 20C/HM-2.)I73CO 2 0 0 7 0 4 2 0 1721)0 2 0 0 7 0 4 2 3)72X0 2 0 0 7 0 4 -W 1442(0 2 0 0 7 0 4 t j 12 1 1C O ZXT-0*-ti 120)C O
1 i 61 2 2 0 ; 1 1 7 *4( 3 9 3 2 6 1 1 6 )2 1 2 0 1 3 6 3 2 1!6)2 )2 29-1133 11 6 * 2 1 2 0 1 3 6 3 2 11 7< 4 (3 5 9 5 2 1 1 6 *2 1 2 2 9 1 1 3 3 11&>2li0l-.'0
; 01 1 (6 0 2 32 0 1 3 6 3 2 1 (6 0 2 32 0 1 3 6 3 2 1 :6 0 2 322*1133 1 (6 0 2 3 2 0 1 3 6 3 2 1(8 8 f S )11 2 2 0 7 6 1 (6 0 2 3 2 0 1 3 6 3 2 1(6 02 )201 -363 2 1tW2)22M1
U r**** irccmoj reanftj UJijorc ireoffwv) aeoe ircwnnj ireomnj 0* 9 0 9 urarswrM urarjwfrM 0017 006 unvsrM unvswcrM
0M em H |frtrtrfM o eC
) onaolhim ynrpum Nown^ !otmn W in dow *Wtn tx p *o e
lw , l
O W
- . ----- -------0 M cto > to < M M C M t1 Q < > w lV m rtrfo r#
,E- l
3SLM6 CONTROL PRMEL HOME VIEW ALL SETTINGS SUPPORT 10GGF'
View URL Logs
0 9 iw im m im w c* u
44
9*ti t*1w ta1gikiiimi v*hm
i t Int*n*t I > retrt*< i Uer O n
FIGURE 5.50: Cellphone Spyware by Using Mobile Spy
Module 05 Page 685
T e le p h o n e /C e l l p h o n e S p y w a r e
VRS Recording System FlexiSPY OMNI
h ttp ://w w w .flexisp y. com
C EH
H L J
h ttp ://w w w .nch. com.au
Modem Spy
h ttp ://w w w . modem spy. com
SpyBubble
h ttp ://w w w .5 p y bubble, com
MobiStealth Cell Phone Spy

h ttp://w w w .m obistealth.com
MOBILE SPY
h ttp ://w w w . mobile-spy. com
SPYPhone GOLD
(3 h ttp://spyera.com
StealthGenie
http://w w w .stealthgenie.com
SpyPhoneTap
t h ttp ://w w w . spy phone tap. com m
CellSPYExpert
h ttp ://w w w . cellspyexpert. com
Copyright by EWiounci. All Rights Reserved. Reproduction is Strictly Prohibited.
r i
T elep h o n e/C ell Phone Spyware

Like Mobile Spy, an attacker can also use the following software programs as
telephone/cell phone spyware to record all activity on a phone such as Internet usage, text messages and phone calls, etc. The following are some available telephone/cell phone spyware programs: 0 Q Q e 0 Q Q Q Q VRS Recording System available at http://www.nch.com.au Modem Spy available at http://www.modemspy.com MobiStealth Cell Phone Spy available at http://www.mobistealth.com SPYPhone GOLD available at http://spyera.com SpyPhoneTap available at http://www.spyphonetap.com FlexiSPY OMNI available at http://www.flexispy.com SpyBubble available at http://www.spybubble.com MOBILE SPY available at http://www.mobile-spy.com StealthGenie available at http://www.stealthgenie.com CellSPYExpert available at http://www.cellspyexpert.com/
Module 05 Page 686
GPS Spyware
GPS spyware is a device or software application that uses the Global PositioningSystemto determ inethe location of a vehicle, mobiles, person, or other asset to which it is attached or installed
CEH
....... 4
Vehicle
Hacker
Transmission Tower
GPS Spyware
L = L
GPS spyware is a device or software application that uses the Global Positioning
System (GPS) to determine the location of a vehicle, person, or other asset to which it is attached or installed. An attacker can use this software to track the target person. This spyware allows you to track the phone location points and saves or stores them in a log file and sends them to the specified email address. You can then watch the target user location points by logging into the specified email address and it displays the connected point's trace of the phone location history on a map. This also sends email notifications of location proximity alerts. An attacker traces the location of the target person using GPS spyware as shown in the following figure.
Module 05 Page 687
.:7
> **'
Vehicle
Server
**'A
Hacker
Transmission Tower
FIGURE 5.51: Working of GPS Spyware
Module 05 Page 688
GPS Spyware: SPYPhone
CEH
SPYPhone software have ability to send events (captured data) from target phone to your web account via Wi-Fi, 3G, GPRS, or SM S
F eatu res
Call interception Location tracking Read SMS messages See call history See contact list Read messenger chat Cell ID tracking Web history
SPYERA
IO G C ^ D AS:nOOtfcpyvncoiri ttTTMG Incoming j#
Outgoing(!*)
MKtcd*
SMS
Incoming 1 0 Outgoing < ** Systwn (7 !
M#t*ngtr
Whats App tc
B6M0
E-mail incoming : Outgoing m Location L0CID! < 1
[f| ' v
ft
__ ^^m i
Copyright by EWiounci. All Rights Reserved. Reproduction is Strictly Prohibited.
GPS Spyware: SPYPhone

^ Source: http://spyera.com SPYPhone is GPS spyware software that sends the GPS location of a target mobile phone to your web account via Wi-Fi, 3G, GPRS, or SMS. You need to install this software on the mobile phone that you want to track. Spyera Spyphone will use GPS positioning to show the coordinates of the device and its physical location on a map inside your web account. It is even possible to configure the settings for real-time updates, and to display a path of travel between certain times. You can do following things using this software: 0 0 0 0 0 0 0 Listen to phone call conversations Read text messages coming to and from the target mobile View the call history of the target mobile Locate the position of the target Access contact lists and the photos taken Read chat messages Read the Cell ID and Cell Name of the target mobile
Module 05 Page 689
SPYERA
THE WORLDS LEADING MOBILE SPY SOFTWARE
SPYERA
THE WORLDS LEADING MOBILE SPY SOFTWARE
Module 05 Page 690
GPS Spyware
EasyGPS
http:,//w w w . eas ygps. com
CEH
ALL-in-ONE Spy
h ttp ://w w w . thespyphone.com
FlexiSPY PRO-X
http ://w w w .flexisp y. com
Trackstick
h ttp ://w w w . tracks tick, com
GPS TrackMaker Professional

h ttp ://w w w . gps tm. com
MobiStealth Pro
h ttp ://w w w . mobis tealth. com
MOBILE SPY
h ttp ://w w w . mobile spy. com
mSpy
h ttp ://w w w . buymspy. com
m 15
World-Tracker
h ttp ://w w w . world-tracker. com
j
1 m l
GPS Retriever
h ttp ://w w w . mobile bugs tore, com
GPS Spyware
There are various software programs that can be used as GPS spyware to trace the location of particular mobile devices. Attackers can also make use of the following GPS spyware software to track the location of target mobiles: 0 0 0 0 0 0 0 0 0 0 EasvGPS available at http://www.easygps.com FlexiSPY PRO-X available at http://www.flexispy.com GPS TrackMaker Professional available at http://www.gpstm.com MOBILE SPY available at http://www.mobile-spy.com World-Tracker available at http://www.world-tracker.com ALL-in-ONE Spy available at http://www.thespyphone.com Trackstick available at http://www.trackstick.com MobiStealth Pro available at http://www.mobistealth.com mSpy available at http://www.buymspy.com GPS Retriever available at http://www.mobilebugstore.com
Module 05 Page 691
H ow to D e fe n d A g a in st K e y lo g g e r s
CEH
Install anti-spyware/antivirus programs and keeps the signatures up to date Install a host-based IDS, which can monitor yoursystem and disable the installation of keyloggers
Install good professional firewall software and anti-keylogging software
' /
Recognize phishing emails and delete them
Keep your hardware systems secure in a locked environm ent and frequently v check the keyboard cables for the attached connectors Choose new passwords for different online accounts and change them frequently Use software that frequently scans and monitors the changes in the system or network
How to D efend Against K eyloggers

A keylogger is a software application that secretly captures and records all keystrokes including passwords that are typed on the computer keyboard. The main objective behind developing keylogger software was for positive productive usage such as recovering lost or deleted data, monitoring employees or children, and diagnosing other computer system problems. However, attackers used keyloggers for malicious purposes such as identity theft of employees, cracking passwords, acquiring credit card and bank account numbers and phone numbers, gaining unauthorized access, and so on. Though it is difficult to detect the presence of keyloggers as they are hidden on the system, here are a few ways to defend against keyloggers: 0 Install antivirus and antispyware software. Viruses, Trojans, and other malware are the mediums through which software keyloggers invade the computer. Antivirus and antispyware are the first line of defense against keyloggers. Using keylogger cleaning applications available online, keyloggers detected by the antivirus can be deleted from the computer. 0 Install host-based IDS, which can monitor your system and disable the installation of keyloggers.
Module 05 Page 692
Enable firewalls on the computer. Firewalls prevent outside access to the computer. Firewalls prevent the transmission of recorded information back to the attacker.
Keep track of the programs that are running on the computer. Use software that frequently scans and monitors the changes in the system or network. Usually keyloggers tend to run in the background transparently.
Keep your hardware systems secure in a locked environment and frequently check the keyboard cables for the attached connectors, USB port, and computer games such as the PS2 that have been used to install keylogger software.
Recognize and delete phishing emails because most attackers use phishing emails as a medium to transfer software keyloggers to a victim's system.
Module 05 Page 693
How to D efend A gainst K eyloggers

(C ontd)
C EH
(rt<fwd | IthKJl lUilwt
Use pop-up blockerand avoid opening junk emails
Scan the files before installing them on to the computer and use registry editor or process explorer to check fo rthe keystroke loggers
Use live CD/DVD or write-protected Live USB for rebooting the computer
Use automatic form-filling programs or virtual keyboard to enter user name and password Use keystroke interference software, which inserts randomized characters into every keystroke Use W indow s on-screen keyboard accessibility utility to enter the password or any other confidential information
VII
Do not click on links in unwanted or doubtful emails that may point to malicious sites
How to D efend Against K eyloggers (Contd)

The following are some more ways to defend against keyloggers:

Enable pop-up blockers and avoid opening junk emails and their attachments. Antivirus and antispyware software is able to detect anything that gets installed, but it is better to detect these programs before they are installed. Scan the files thoroughly before installing them on to the computer and use a registry editor or process explorer to check for keystroke loggers.
Use live CD/DVD or write-protected Live USB to reboot the computer. Use automatic form-filling programs or a virtual keyboard to enter user names and passwords because they avoid exposure through keyloggers. This automatic form-filling program will remove the use of typing your personal, financial, or confidential details such as credit card numbers and passwords through keyboards.
Use keystroke interference software, which inserts randomized characters into every keystroke.
Use the W indows on-screen keyboard accessibility utility to enter the password or any other confidential information. You can maintain your information confidentially because here the mouse is used for entering any information such as passwords, credit
Module 05 Page 694
card numbers, etc. into the keyboard instead of typing the passwords using the keyboard. Q Do not click on links in unwanted or suspicious emails that may point you to malicious websites.
Module 05 Page 695
How to D efend A gainst K eyloggers

(C ontd)
CEH
Copyright by EG-Gonid. All Rights Reserved. Reproduction is Strictly Prohibited.
How to D efend Against K eyloggers (Contd)

The countermeasures mentioned so far provide protection against software
keyloggers. Now we will discuss hardware keyloggers. A hardware keylogger is a hardware device that records each and every keystroke that is typed on the computer keyboard in real time. This device is plugged in between the computer case and keyboard cable connector. A keylogger is used for legitimate applications as well as by attackers for deceitful purposes such as for stealing passwords, bank account numbers, phone numbers and so on. To defend your system against keyloggers, follow the countermeasures listed as follows: e Restrict physical access to sensitive computer systems Periodically check your keyboard interface to ensure that no extra components are plugged to the keyboard cable connector Q Q Lock the server room Periodically check all the computers and check whether there is any hardware device connected to them
Module 05 Page 696
Anti-Keylogger
Anti-key loggers d ete ct and disable so ftw are keyloggers Som e of the anti-keyloggers w ork by matching signatures of keylogger code with a signature database while others protect keyboard drivers and kernels from manipulation by keyloggers Using a virtual keyboard or touch screen makes it difficult for malicious sp yw are and Trojan programs to capture keystrokes
1 1 1 1
1 1
1 1 1 1
1 1 1 1
1 1 | |
| |
II
II
I U U U U U L U U l ___I
1
II I
Copyright by EG-Gonid. All Rights Reserved. Reproduction is Strictly Prohibited
Anti-K eyloggers
Anti-keyloggers, also called anti-keystroke loggers, are designed especially for detecting and disabling keystroke logger software. Anti-keyloggers are specially designed for the purpose of detecting software keyloggers. Many large organizations, financial institutions, online gaming industries, as well as individuals use anti-keyloggers for protecting their privacy while using systems. This software prevents a keylogger from logging every keystroke that is typed by the victim and thus keeps all personal information safe and secure. An anti-keylogger scans a computer, detects, and removes keystroke logger software. If the software (anti-keylogger) finds any keystroke logging program on your computer, it immediately identifies and removes the keylogger, whether it is legitimate keystroke logging program or an illegitimate keystroke logging program. Some of the anti-keyloggers detect the presence of hidden keyloggers by comparing all files in the computer against a signature database of keyloggers and searching for similarities. Other anti-keyloggers detect the presence of hidden keyloggers by protecting keyboard drivers and kernels from manipulation. A virtual keyboard or touchscreen makes the keystroke capturing job of malicious spyware or Trojan programs difficult.
Module 05 Page 697
. . 1 1 .A T& T3 G
7:21 AM
Landscape
Cc/Bcc: Subject: Confidential |
U H B N
O P
space
FIGURE 5.53: Anti-Keylogger Screenshot
Module 05 Page 698
A n ti-K ey lo g g er: Z e m a n a A nti L o g g er

0
Zemana AntiLogger eliminates threats from keyloggers, SSL banker Trojans, spyware, and more Features:
S 2 SSL logger protection Webcam logger protection
// Zem3na AntiLogger 1.9.2-240
CEH
E @ z e M a N a
" Your computer is protected

No further action is naeded
AntHOettogger Ana-ScreenLog?er Ano-WebcanLcg^r Ana-QpbowdLogpv Systemoefense
These rwxXJes protect your corouter from iraloous prograro such as vruses, spyware and trojans. You can swt C\ nem of! as a group, or ndvtdualy.
S Key logger protection

S S Clipboard logger protection Screen logger protection
----------- j 1 ; ----------- J
Anti-Keylogger: Zem ana AntiLogger

Source: http://www.zemana.com Zemana Antilogger is a high-performance security program that protects your computer from keylogger and malware attacks, thereby protecting your identity. The AntiLogger detects the malware at the time it attacks your system rather than detecting it based on its signature fingerprint. It will prompt you if any malicious program is attempting to record the keystrokes of your system, capture your screen, gain access to your clipboard, microphone, and webcam, or inject itself into any sensitive areas of your system. Zemana Antilogger provides protection against various threats such as SSL logger, Webcam logger, Keyloggers, Clipboard logger, Screen logger, spyware, SSL banker, Trojans, etc.
Module 05 Page 699
/ dZcmana AntiLogger 13.2.240

\
Your computer is protected
No further action is needed
I Settings
P ro te c tio n : Enabled These modiies protect your computer from mafcoous programs such as vruses, spyware and trojans. You can switch them off as a group, or ndrvidualy.
Analyzed Stocked
: :
1694 16
s fl
Last A nalyzed object: Last Blocked
: :
Skype.exe keytog.exe
Copyright 2010 Zemana Ltd. Al rights reserved.
FIGURE 5.54: Zemana AntiLogger Screenshot
Module 05 Page 700
Anti-Keylogger
Anti-Keylogger
h ttp ://w w w . anti-keyloggers. com http://w w w .spyshelter.com
CEH
SpyShelter STOP-LOGGER
PrivacyKeyboard
h ttp ://w w w . anti-keylogger. com
DataGuard AntiKeylogger Ultimate

h ttp ://w w w . maxs ecuritylab. com
DefenseWall HIPS
http://w w w .softsphere.com
PrivacyKeyboard
h ttp ://w w w . privacy key board, com
KeyScrambler
h ttp ://w w w . qfxs oftware. com
Elite Anti Keylogger

h ttp ://w w w . elite-antikeylogger. com
I Hate Keyloggers
h ttp ://d e w a so ft. com
CoDefender
https ://w w w . encas sa. com
%
Copyright by E&Coincil. All Rights Reserved. Reproduction is Strictly Prohibited.
Anti-K eyloggers
Anti-keyloggers secure your system from spyware attacks, software keyloggers, and hardware keyloggers. Some of anti-keyloggers that can be used for securing your system against various threats are listed as follows: 0 0 0 0 0 0 0 0 0 0 Anti-Kevlogger available at http://www.anti-kevloggers.com PrivacyKeyboard available at http://www.anti-keylogger.com DefenseWall HIPS available at http://www.softsphere.com KeyScrambler available at http://www.qfxsoftware.com I Hate Keyloggers available at http://dewasoft.com SpyShelter STOP-LOGGER available at http://www.spyshelter.com DataGuard AntiKeylogger Ultimate available at http://www.maxsecuritylab.com PrivacyKeyboard available at http://www.privacvkeyboard.com Elite Anti Keylogger available at http://www.elite-antikeylogger.com CoDefender available at https://www.encassa.com
Module 05 Page 701
How to Defend Against Spyware
CEH
Adjust browser security settings to medium for Internet zone Regularly check task manager report and MS configuration Q manager report
a
'
Enhance the security level of the computer
Try to avoid using any computer system which is , not totally under your control
Be cautious about suspicious emails and sites
Update virus definition files and scan the system for spyware regularly
Install and use anti-spyware software
Update the software regularly and use a firewall with outbound protection
How to D efend Against Spyware

Spyware is a malicious program that gets installed onto a user system without the user's knowledge and gathers confidential information such as personal data, access logs, etc. Spyware comes from three basic sources: one of the main sources is through free downloaded software, the second source of spyware is through email attachments, and the third source of spyware is websites that automatically install spyware when you. Here are ways to defend against spyware: 0 Never adjust your Internet security setting level too low because it provides many chances for spyware to be installed on your computer. So, always set your Internet browser security setting to either high or medium for protecting your computer from spyware. 0
0
Firewall enhances the security level of your computer. Don't open suspicious emails and file attachments received from unknown senders. There is a great likelihood that you will get a virus, freeware, or spyware on the computer. Don't open unknown websites that are presented in spam mail messages, retrieved by search engines, or displayed in pop-up windows because they may mislead you to download spyware.
Module 05 Page 702
Install antispyware software. Antispyware protects against spyware. Antispyware is the first line of defense against spyware. This software prevents spyware from being installed on your system. It periodically scans your system and protects your system from spyware.
Regularly check Task Manager reports and MS Configuration Manager reports.
Try to avoid using any computer system that is not totally under your control. 0 Update virus definition files and scan the system for spyware on a regular basis.
Module 05 Page 703
How to Defend Against Spyware

(C ontd)
CEH
<M >
Perform w e b surfing safely and dow nload cautiously
< M > < K > < M >
Do not use adm inistrative mode unless it is necessary
Do not use public term inals for banking and o ther sensitive activities
Do not dow nload free music files, screensavers, or sm iley faces from Internet
<X >
B e w a re of pop-up w indow s or w e b pages. N e ver click an yw h e re on these window s
<M >*
0 0
s
Perm anently d ele te cookie, cache, URLs history, and tem p o rary files on the com puter w h en done w e b surfing
Do not store personal inform ation on any com puter system that is not to ta lly under your control
Copyright by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
How to D efend Against Spyware (Contd)

Q Always use caution with anything found on the Internet while downloading and installing free software. Before downloading any software, make sure that it is from a trusted website. The license agreement, security warning, and privacy statements that are associated with the software should be read thoroughly to get a clear understanding before you download. Q Do not use administrative mode unless it is necessary because malicious programs such as spyware are executed when you are in the administrator mode. As a result, attackers may take complete control over your system. e Do not use public terminals for accessing banking account, checking credit card statements, and other sensitive activities. Public systems are not at all secure, as they are accessed by many users. The company that operates the public terminals may not even check their system for spyware. Q Do not download free music files, screensavers, or smiley faces from the Internet because when you download such free programs there is a possibility that spyware comes along with them invisibly.
Module 05 Page 704
Beware of pop-up windows or web pages. Never click anywhere on the windows that display messages such as your computer may be infected, or that they can help your computer to run faster. W hen you click on such windows your system may get infected with spyware.
Permanently delete cookies, caches, URLs, history and temporary files on the computer when done web surfing.
Do not store personal or financial information on any computer system that is not totally under your control, such as in an Internet cafe.
Module 05 Page 705
Anti-Spyware: PC Tools Spyware
r cu
U tM M tlk .jl M
PC Tools Spyware Doctor
PC Tools Spyware Doctor delivers simple protection against dangerous spyware It stops and blocks spyware It checks files before they can get on your PC and compromise your computer
Protection Summary
Protection Status
Balanced Mode Protection is ON

IntelllGuard Protection
Old you Know? Nw *< d!cov*ftO vt ry 5 m inut* M 1*#$uryou r*pro*et*db)scftoau1 1 r fl daily team.
0 pc tools
bySynumcc
http://www .pctools.com
Anti-Spyware: PC Tools Spyware Doctor

Source: http://www.pctools.com PC Tools Spyware Doctor provides protection for your system against extremely dangerous spyware and malware. It detects and deactivates various malicious programs such as adware, trojans, keyloggers, spybots, etc. from your system. It is quite easy to protect your confidential or financial information against spyware using this. Even dangerous threats can be easily defended when this software is integrated with various layers of protection. The files are checked thoroughly before spyware actually enters and compromises your system.
Module 05 Page 706
PC Tools | Spyware Doctor

Home 1 1 ------------------------------IntelliGuard Setting! Support Start Scan How
P ro te ctio n S u m m a ry
P ro te ctio n Statu s
Threats Detected: Scans Performed: Items Scanned: Database Updates:
532 15
Balanced Mode Protection is ON

IntelliGuard Protection
7,562 20
J
*
Start Scan Now

Heed mote protection?
Subscription: Last Smart Update: Last Scan:
t W i,e ,in 3 d ^ ,J L e s s than 1 hour ago L e s s than 1 hour ago
Did you Know? New viruses are discovered every 5 minutes Make sure you're protected by scheduling daily scans
0 pc tools
by Symantec
Report Card
My Account
Smart Update
Help
FIGURE 5.55: PC Tools Spyware Doctor Screenshot
Module 05 Page 707
Anti-Spywares
CEH
Kaspersky Internet Security 2013
h ttp ://w w w . kaspersky. com
SUPERAntiSpyware
http://superantispyware.com
Spyware Terminator 2012

h ttp ://w w w . pcrx. com
SecureAnywhere Complete 2012

h ttp ://w w w . webroot. com
Ad-Aware Free Antivirus+

h ttp ://w w w . lav as oft. com
MacScan
http://macscan.securemac.com
Norton Internet Security

h ttp ://in . norton. com
Spybot - Search & Destroy

h ttp ://w w w . safer-networking, org
SpyHunter
h ttp ://w w w . enigmas oft ware, com &
Malwarebytes Anti-Malware PRO i

h ttp ://w w w . malwarebytes.org
NIC
W W W
Anti -Spywares
Antispywares scan your system and check for spyware such as malware, Trojans,
dialers, worms, keyloggers, and rootkits and removes them if any are found. Antispyware provides real-time protection by scanning your system at regular intervals, either weekly or daily. It scans to ensure the computer is free from malicious software. A few antispyware programs are listed as follows: 0 0 0 0 0 0 0 0 0 0 SUPERAntiSpyware available at http://superantispyware.com Spyware Terminator 2012 available at http://www.pcrx.com Ad-Aware Free Antivirus+ available at http://www.lavasoft.com Norton Internet Security available at http://in.norton.com SpyHunter available at http://www.enigmasoftware.com Kaspersky Internet Security 2013 available at http://www.kaspersky.com SecureAnywhere Complete 2012 available at http://www.webroot.com MacScan available at http://macscan.securemac.com Spybot - Search & Destroy available at http://www.safer-networking.org Malwarebytes Anti-Malware PRO available at http://www.malwarebytes.org
Module 05 Page 708
capable of preventing or detecting and deleting malicious applications. In order to avoid malicious applications being detected by protective applications, attackers hide malicious files e other legitimate files.
!1 * liili 1
Cracking Passwords Escalating Privileges
Hiding Files
Covering Tracks
Penetration Testing
Module 05 Page 709
Rootkits
that tim e and also in future security of the target system causing malicious functions to be executed A typical rootkit comprises of backdoor programs, DD0S programs, packet sniffers, log-wiping utilities, IRC bots, etc.
CEH
Rootkits are programs that hide their presence as well as attacker's malicious activities, granting them full access to the server or host at
Rootkits replace certain operating system calls and utilities with its own modified versions o f those routines that in turn undermine the
O
the web t*
A ttacker places a rootkit by:
O b jectives of rootkit: To root the host system and gain remote backdoor access To mask attackertracksand presence of malicious applications or processes
Scanning forvulnerable computers and servers on
Wrapping rootkit in a special package like games Installing rootkit on the public computers or corporate computers through social engineering
To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access
Launching zero day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)
To store other malicious programs on the system and act as a server resource for bot updates
Means of a link and a bot from IRC, ICQ, etc.
Rootkits
Rootkits are software programs aimed to gain access to a computer without being
detected. These are malware that can be used to gain unauthorized access to a remote system and perform malicious activities. The goal of the rootkit is to gain root privileges to a system. By logging in as the root user of a system, an attacker can perform any task such as installing software or deleting files, etc. It works by exploiting the vulnerabilities in the operating system and applications. It builds a backdoor login process to the operating system by which the attacker can evade the standard login process. Once root access has been enabled, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and deserting active processes. Rootkits replace certain operating system calls and utilities with its own modified versions of those routines that in turn undermine the security of the target system causing malicious functions to be executed. A typical rootkit is comprised of backdoor programs, DD0S programs, packet sniffers, log-wiping utilities, IRC bots, etc. All files contain a set of attributes. There are different fields in the file attributes. The first field is used to determine the format of the file, that is, if it is a hidden, archive, or read-only file. The other field describes the time the file was created, when it was accessed, as well as its original length. The functions GetFileAttributesEx() and GetFilelnformationByHandle() enable this. ATTRIB.exe is used to display or change file attributes. An attacker can hide, or even change the attributes of a victim's files, so that attacker can access them.
Module 05 Page 710
An attacker places a rootkit by: 0 0 0 Scanning for vulnerable computers and servers on the web Wrapping rootkit in a special package like games Installing rootkit on the public computers or corporate computers through social engineering 0 Launching zero day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.) 0 Means of a link and a bot from IRC, ICQ, etc.
The primary purpose of a rootkit is to allow an attacker repeated unregulated and undetected access to a compromised system. Installing a backdoor process or replacing one or more of the files that run the normal connection processes can help meet this objective. Attackers use rootkits to: 0 0 0 Root the host system and gain remote backdoor access Mask attacker tracks and presence of malicious applications or processes Gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access 0 Store other malicious applications and act as a server resource for bot updates and so on
Module 05 Page 711
Types of Rootkits
Hypervisor Level Rootkit
Modifies the boot sequence of the computer system to load themselves instead of the original virtual machine or operating system
CEH
Hardware/Firmware Rootkit
Hides in hardw are devices or platform firm w are which is not inspected for code integrity
Boot Loader Level Rootkit Kernel Level Rootkit Adds malicious code or replaces original OS kernel and device driver codes Replaces the original boot loader with one controlled by a remote attacker
Library Level Rootkits Application Level Rootkit

Replaces regular application binaries with fake Trojan, or modifies the behavior of existing applications by injecting malicious code Replaces original system calls with fake ones to hide inform ation about the attacker
i f
a _ Types of Rootkits
c J A rootkit is a type of malware that can hide itself from the operating system and antivirus applications in the computer. This program provides the attackers with root-level access to the computer through the backdoors. These rootkits employ a range of techniques to gain control of a system. The type of rootkit influences the choice of attack vector. Basically there are six types of rootkits available. They are:
H ypervisor-level Rootkit
Hypervisor-level rootkits are usually created by exploiting hardware features such as Intel VT and AMD-V. These rootkits host the operating system of the target machine as a virtual machine and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence and gets loaded instead of the original virtual machine monitor.
K ernel-level Rootkit
The kernel is the core of the operating system. These cover backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel module in Linux. If the kit's code contains mistakes or bugs, the stability of the system is greatly affected by the kernel-
Module 05 Page 712
level rootkits. These have the same privileges of the operating system, hence they are difficult to detect and intercept or subvert operations of operating systems.
A pplication-level Rootkit
Application-level rootkit operates inside the victim's computer by replacing the standard application files with rootkits or by modifying present applications with patches, injected code, etc.
a
H ardware/Firm ware Rootkit

Hardware/firmware rootkits use devices or platform firm ware to create a persistent
jj
malware image in hardware, such as a hard drive, system BIOS, or network card. The rootkit hides in firmware because firmware is not usually inspected for code integrity. A firmware rootkit implies the use of creating a permanent delusion of rootkit malware.
B oot-loader-level Rootkit (Bootkit)

Boot-loader-level (bootkit) rootkits function either by replacing or modifying the legitimate boot loader with another one. The boot-loader-level (bootkit) can be activated even before the operating system is started. So, boot-loader-level (bootkit) rootkits are serious threats to security because they can be used to hack encryption keys and passwords.
Library-level Rootkits
----Library-level rootkits work higher up in the OS and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker unknown. They replace original system calls with fake ones to hide information about the attacker.
Module 05 Page 713
How Rootkit Works

r
Process (Be fo re Hooking)
Code section... Call FindNextFile Import data section FindNextFile: 0x87654321 Kernel32.dil 0x87654321:FindNextFile code
CEH
Rootkit replaces first 5 bytes of code with jmp 0x90045123
1
J
1 1
Code section ... Call FindNextFile Import data section FindNextFile: 0x87654321 Kernel32.dil 0x8765432l:FindN extFile Rootkit code: 0x90045123: MyFindNextFile
Direct Kernel Manipulation
Unique process ID ActiveProcesLinks
BLINK Process Identifiers Before rootkit infection
) Process Identifiers 1 After rootkit Infection
Process Identifiers
DKOM rootkits hide a process by unlinking it from the process list

Copyright by E&CaincO. All Rights Reserved. Reproduction is Strictly Prohibited.
How Rootkits Work

System hooking is a process of changing and replacing the original function pointer with the pointer provided by the rootkit in stealth mode. Inline function hooking is a technique where a rootkit changes some of the bytes of a function inside the core system DLLs (kernel32.dll and ntdll. dll), placing an instruction so that any process calls hit the rootkit first.
Process ( Bef or e H ooking)
Code section... Call FindNextFile
Process (A fte r H ooking)

Code section... Call FindNextFile import data section FindNextFile: 0x87654321 Kernel32.dil 0x8765432l:FindNextFile
R o otkit code:
Hooks
Import data section FindNextFile: 0x87654321 Kernel32.dil 0x87654321:FindNextFilecode
Rootkit replaces first 5 *bytes of code with

jmp 0x90045123
0x90045123: MyFindNextFile
FIGURE 5.56: How Rootkits Work
Direct Kernel Object Manipulation (DKOM) rootkits are able to locate and manipulate the 'System process in kernel memory structures and patch it. This can also hide processes and ports, change privileges, and misguide the Windows event viewer without any problem by manipulating the list of active processes of the operating system, altering data inside the
Module 05 Page 714
PROCESS IDENTIFIERS structures. \Device\Physical Memory object.
It has an ability to obtain read/write access to the
DKOM rootkits hide a process by unlinking it from the process list.
Process 2
Direct Kernel Object Manipulation (DKOM)
Unique process ID ActiveProcesLinks LIST ENTRY{ *FUNK *BLINK Process Identifiers ActiveProcesLinks LIST ENTRY { *FUNK *BLINK Process Identifiers
Unique process ID ActiveProcesLinks FUNK *BLINK Process Identifiers
Before rootkit infection
After rootkit infection
FIGURE 5.57: DKOM Rootkits Diagram
Module 05 Page 715
Fu operates using direct Kernel object manipulation Components of Fu are dropper (fu.exe) and driver (msdirectx.sys)
It allows attacker to:

a Hide processes and drivers Hide information from user-mode applications and even from kernelmode modules w Add privileges to any process token Remove to-be-hidden entries from two linked lists with symbolic names
8 - %
Rootkit: Fu
Fu is an infection database that operates using Direct Kernel Object Manipulation (DKOM) and comes with two components, the dropper (fu.exe) and the driver (msdirectx.sys). The Fu rootkit modifies the kernel object that represents the processes on the system. All the kernel process objects are linked. W hen a user process such as TaskMgr.exe requests the operating system for the list of processes through an API, Windows walks the linked list of process objects and returns the appropriate information. Fu unlinks the process object of the process it is hiding. Therefore, as far as many applications are concerned, the process does not exist. The Fu rootkit can also allow you to hide and list processes and drivers by using different hooking techniques. It can add privileges to any process token. This can perform many actions in the W indow s event view er and appear as someone else's.
Module 05 Page 716
cv In v it e de c o m m a n d e s C : \ t e n p > f u - p i 30 Process f u . e x e :860 Process :2153091200 Process S ystem :4 Process s n s s . e x e :378 Process c s r s s . e x e :632 Process w in lo g o n .e x e :664 Process s e r u i c e s . e x e :708 I r o c e s ls a s s e x e :732 Process s u e h o s t. e x e :912 Process s u c h o s t.e x e :1004 Process s u e h o s t.e x e :1092 Process s u e h o s t.e x e :1176 Process s u e h o s t.e x e :1284 Process s p o o ls u .e x e :1416 Process UMwareSeru i c e . e :1592 Process a l g . e x e :2036 Process e x p l o r e 1* . e x e : 5 7 2 Process w scntfy.exe:580 Process U M w areT ray.exe:920 Process UMwarellser.exe :1040 Process c t f n o n .e x e :1168 Process e n d .e x e :420 I'roc es s taskn gr.exe:816 jT o t a l n u n b er o f proc ess es * 23
FIGURE 5.58: Fu in Command Promt
Module 05 Page 717
Rootkit: KBeast
lI
CEH
KBeast (Kernel Beast) is kernel rootkit that loads as a kernel module. It supports kernel 2.6.16,2.6.18,2.6.32, and 2.6.35 It also has a userland component that provides remote access to the computer KBeast gains its control over a computer by hooking the system call table and by hooking the operations structures used to implement the netstat interface to userland
F e a tu r e s
1Hiding loadable 2
kernel modules
Anti-kill process
Hiding files/directory
7
8
Anti-rem ovefiles
Hiding process (ps, pstree, top, Isof)
Anti-delete loadable kernel modules
Hiding socket and connections (netstat, Isof)
Local root escalation backdoor
Keystroke logging to capture user activity
Rem ote binding backdoor hidden by the kernel rootkit
Rootkit: KBeast
KBeast (Kernel Beast) is kernel rootkit that loads as a kernel module. It supports kernel 2.6.16, 2.6.18, 2.6.32, and 2.6.35. It provides remote access to the systems by using its userland component. Using the kernel module, the userland backdoor component can be invisible from other userland applications. This can hide files, directories, and processes (ps, pstree, top, Isof) that start with a user-defined prefix. You can use keylogging abilities to capture the user activities. To implement the netstat interface to userland, KBeast obtains access over the system by hooking the system call table and operations structures. The features of this rootkit include: e e 0 Q 0 Hiding this loadable kernel module Hiding files/directory Hiding process (ps, pstree, top, Isof) Hiding socket and connections (netstat, Isof) Keystroke logging to capture user activity Anti-kill process
Anti-remove files
Module 05 Page 718
Q Q Q
Anti-delete this loadable kernel modules Local root escalation backdoor Remote binding backdoor hidden by the kernel rootkit
Module 05 Page 719
Rootkit: H acker D efen der H xDef Rootkit

Hacker Defender (hxdef) is a rootkit for Microsoft Windows operating systems It enables processes, files, and registry keys to be hidden from systems administrations and security scanningtools It can enable remote control of a computer without opening a new TCP or UDP port via a covert channel
Command Prompt
bdc lil00.exe 192.168.8.93 135 v4L connecting server . . . receiving banner . . . opening backdoor . . backdoor found checking backdoor .......... backdoor ready authorization sent, Waiting for reply authorization - s u c c e s s f u l backdoor activated! close shell and all progz to end
R ootkit: H ack er D e fe n d e r H xDef R ootkit

Hacker Defender is a user-mode rootkit that modifies several Microsoft Windows operating systems and Native API functions. You can hide information like files, processes, and registry keys from security scanning tools and other applications. You can control a computer without opening a new TCP or UDP port via a covert channel from a remote area. It can also implement a backdoor and port redirector that can work through existing open TCP ports. Using its stealth mode, attackers can hide data from user-defined applications such as registry key values, allocated memory, system services, and drivers.
Module 05 Page 720
Command Prompt
bdc lil00.exe 192.168.8.93
135 v4L connecting server . . . receiving banner opening backdoor backdoor found checking backdoor ........... backdoor ready authorization sent, Waiting for reply authorization - SUCCESSFUL backdoor activated! close shell and all progz to end session . . . ..
FIGURE 5.59: Hacker Defender HxDef Rootkit in Command Promt
Module 05 Page 721
D etecting Rootkits
In t e g r it y -B a s e d D e te c tio n
CE H BP
S ig na tu re-B a se d Detection
This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints
Mi
m
C ro ss V ie w -B a s e d D etection
Enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the common APIs. Any discrepancies between these two data sets indicate the presence of rootkit
It compares a snapshot of the file system, boot records, or memory with a known trusted baseline
R untim e E xe cu tio n Path Profiling

This technique compares runtime execution paths of all system processes and executable files before and after the rootkit infection
H euristic/BehaviorB ased D etection

Any deviations in the system's normal activity or behavior indicates the presence of rootkit
D e te c tin g R ootkits
The rootkit detection techniques are classified as signature, heuristic, integrity, crossview-based, and Runtime Execution Path Profiling.
S ignature-based D etection
Signature-based detection methods work as a rootkit fingerprints. You can compare the sequence of bytes from a file compared with another sequence of bytes that belong to a malicious program. This technique is mostly employed on system files. Rootkits that are invisible can be easily detected by scanning the kernel memory. The success of signature-based detection is less due to the rootkit's tendency to hide files by interrupting the execution path of the detection software.
Heuristic detection works by identifying deviations in normal operating system patterns or behaviors. This kind of detection is also known as behavioral detection. Heuristic detection is capable of identifying new, previously unidentified rootkits. This ability lies in being able to recognize deviants in "normal" system patterns or behaviors. Execution path hooking is one such deviant that causes heuristic-based detectors to identify rootkits.
H euristic D etection
Module 05 Page 722
Integ rity -b ased D etection

Integrity-based detection functions by comparing a current file system, boot records, or memory snapshot with a known, trusted baseline. The evidence or presence of malicious activity can be noticed by the dissimilarities between the current and baseline snapshots.
C ross-view -based D etection

Cross-view-based detection techniques function by assuming the operating system has been subverted in some way. This enumerates the system files, processes, and registry keys by calling common APIs. The gathered information is then compared with the data set obtained through the use of an algorithm traversing through the same data. This detection technique relies upon the fact that the API hooking or manipulation of kernel data structure taints the data returned by the operating system APIs, with the low-level mechanisms used to output the same information free from DKOM or hook manipulation.
R untim e Execution P ath Profiling

The Runtime Execution Path Profiling technique compares runtime execution path profiling of all system processes and executable files. The rootkit adds new code near to a routine's execution path, in order to destabilize it. The number of instructions executed before and after a certain routine is hooked and can be significantly different.
Module 05 Page 723
Follow these steps to detect rootkits: 1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infectedOSandsave the results. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results. Run a clean version of WinDiff from the CD on the two sets ofresultstodetectfilehiding ghostware (e.g., invisible inside, but visible from outside).
2.
3.
Note: There can be some false positives. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
Module 05 Page 724
How to D efend against Rootkits
How to D efend a g a in s t R ootkits

A common feature of these rootkits is that the attacker requires administrator access to the target system. The initial attack that leads to this access is often noisy. Excess network traffic that arises in the face of a new exploit should be monitored. It goes without saying that log analysis is a part and parcel of risk management. The attacker may have shell scripts or tools that can help him or her cover his or her tracks, but surely there will be other telltale signs that can lead to proactive countermeasures, not just reactive ones. A reactive countermeasure is to back up all critical data excluding the binaries, and go for a fresh clean installation from a trusted source. One can do code check summing as a good defense against tools like rootkits. MD5sum.exe can fingerprint files and note integrity violations when changes occur. To defend against rootkits, integrity checking programs for critical system files can be used. Numerous tools, programs, software, and techniques are available to check for rootkits. A few techniques that are adopted to defend against rootkits are listed as follows: Q Reinstall OS/applications from a trusted source after backing up the critical data
Staff with ill-defined responsibilities Q Well-documented automated installation procedures need to be keep
Module 05 Page 725
Q Q Q Q
Install network and host-based firewalls Use strong authentication Store the availability of trusted restoration media Harden the workstation or server against the attack
Update the patches for operating systems and applications
Module 05 Page 726
How to D efend against Rootkits

(C ontd)
Update antivirus and anti-spyware software regularly
CEH
UrtiflH
| ItfcKJl
lUilwt
Do not install unnecessary applications and also disable the features and services not in use
t t
Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies
Ensure the chosen antivirus software posses rootkit protection
Avoid logging in an account with administrative privileges
Adhere to the least privilege principle
How to D efend a g a in s t R ootkits (C ontd)

Now you have seen basic countermeasures for defending against rootkits there are some more countermeasures that will assist you in defending against rootkits. Let's take look at what more you can do to defend against rootkit. You should update you antivirus and antispyware software regularly Q You should not install unnecessary applications on your system and also disable the features and services not in use You should verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies Ensure that the chosen antivirus software possesses rootkit protection before it is installed
Q You should avoid logging in an account with administrative privileges Q You should adhere to the least privilege principle
Module 05 Page 727
Anti-Rootkit: Stinger
J
UrtifM
CEH
tUx*l lUckM
Stinger is a standalone utility used to detect and remove specific viruses. By default, Stinger scans rootkits, running processes, loaded modules, registry and directory locations known to be used by malware on the machine to keep scan times minimal
^ Stingy
E1 * b*<p 6*
Scan Now
1 I |
* Scontiesta rg e t
W * "defences L * Viruses
F Poc*s*s
Onvw.1iw.00> .
c Raportoniy
Dectone* scon Add ---Browse u < jrgnf-<u ,fl 4 Caa^nfr |c|2 C 1 1 McAJm Inc Al Rtf* Vj m vl0 0 00 0 0 0 N V 2 0 1 1 '
* 0
R Regrstry
* R Boot sector R Roo*1t
Interlace
List afl Met !canned
Deec*on
Scon subdirectories 7 | r Report opplceeons (7 Scan*K*
H#ont*c neto * c*e< * o r
Se n sr*vt y* v 1
A nti-R ootkit: S tinger

Source: http://www.mcafee.com McAfee Stinger helps you to detect and remove prevalent Fake Alert malware, viruses, and threats identified in your system. Stinger scans rootkits, running processes, loaded modules, the registry, and directory locations known to be used by malware on the machine to keep scan times minimal. It can also repair the infected files found in your system. It detects and deactivates all the viruses from your system.
Module 05 Page 728
V Stinger
Preferences
Scan N t i targets p Processes On virus d ictio n
H * Help #
S u n Now
w
Directories to scan
Preferences List Viruses
C Report only
(S Repair
(7 R egistry
[* Boot sectors |7 RootMs Interface f List all hies scanned Detection
Stng*)^RiVnon 1020 360 but on Nov 42011 CflpjagN k l 2011 McAtor Inc Al R^jN! Rwr^d V w data to vl 000 0000 oe*ed on Nov 4 2011 *can lot 3149 * i w x *cun: and vvurtfs
C Rename
C Delete
f* Scon subdirectories
W Scan mside compressed tiles
Report applications
Sens*v1ty level
|Medium
_^J
FIGURE 5.60: Stinger Screenshot
Module
05 Page 729
Anti-Rootkit: UnHackMe
J
(crtifwd 1 ttkiul Nm Im
H cE
UnHackMe detects and removes malicious programs (rootkits/malware/adware/spyware/Trojans)
Reg Run Reanimaror - Scan for Malware...
Features: Q Precise doublechecking for a Windowsbased PC w Instant tracking of malicious code in the system (rootkits, Trojans, worms, viruses and so on) w Does not slow up the PC and it is compatible with antivirus programs
[501
3efitVJue Re8sbvK*y \5Y 51H \Curcen5 consoi. \5Y 5TC W \C u rT n 5 C 0na0l. \SYSTCM \CufrentC0n t10l. \S0ftwafe\M icro9 oft\Wl... \S0 tv< rf^M 1cr0wfnWl... \S0ftwa^M1 cnjwfnW1 ... \i0 ftwr*\M1cr0 wfRV\n... \& 0 IW*\M 1cr0 *tfRWI... \S0 ftwir#\M1r0 ft\WI...
REG.5Z C:\Pr0flQT1 F1ls (x86)\NtCff0r.. L ajo 5 r.c :w r.w HEG_52 C:\Pr0cram F1l* (x86)\EP50N . Ajtc Sr. c 0CMJD5A File < 86\)Sol*... Auto Sav-ca SoUrtWr T . REG.SZ (># 30ttoa Ca APC PEG S? C:\PROGRAM FIES <Xa6)\A0V. C :\ P ro g ra rnf.i* (x86)\6^T0. X:\P-ovrm (t86)\A < fcv9. Kernel Auio REG_5 *C\PfOO vnHl*(x)\Au-T HEG.&2 C:\PR0GRAM F1X5 (XBG)VADV. T 41 Internet E*p| T ( ( Browsers
!co &3] W in d e rsS f &O
R g t ry R u 1
" C i 'f i r o q n m
M<rv 0JRRT H<fV_LDOl... *H0 <3 % ... HKEYJ.OOL. MKEr.lOCAl... **K 7 96 ... MKEr.lOCAl... ** 5 :1 HKEY_LOCAl. . 41*0tf 74
K ihxhk/q /v
\SVSTiN\CurffntConttol... MtCEY.lOCAL..
h ttp://www. greatis. com
Copyright by E&GeURCtl. All Rights Reserved. Reproduction is Strictly Prohibited.
A nti-R ootkit: U nH ackM e

Source: http://www.greatis.com UnHackMe is basically anti-rootkit software that helps you in identifying and removing all types of malicious software such as rootkits, Trojans, worms, viruses, and so on. The main purpose of UnHackMe is to prevent rootkits from harming your computer, helping users protect themselves against masked intrusion and data theft. UnHackMe also includes the Reanimator feature, which you can use to perform a full spyware check. Features: e 0 Precise double-checking for a Windows-based PC Instant tracking of malicious code in the system (rootkits, Trojans, worms, viruses and so on) Does not slow up the PC and it is compatible with antivirus programs
Module 05 Page 730
RegRun Reanimator - Scan for Malware...

F4e drt View
Fix Probems Hide Good Items I Hide Security Settings
Reboot
Save Log
a
Internet Expl
x
Item Name Data Type Value REG SZ REG SZ C :\Program Rles (x 8 6 )\H e tw o r... C :\Program Rles (x8 6)\E P S O N ... "C:\Program Rles (x8 6 )'S o la r... C:\PROGRAM FILES (X 8 6 )\A D V ... c:\p ro g ra m Hies (x8 t> )\b ee k1 0... "C:\Program Rles (x 8 6 )'A c tiv e ... "C:\Program Rles (x 8 6 )'A u tD T ... C:\PROGRAM FILES (X 8 6 )\A D V ... C :\W in d o w s\svcn et2\svm et2.exe autocheck a ... Default Value Registry Key \SYS7EM \CurrentControl... \SYSTEM\CurrentControl... \SYSTEM\Cu rrentControl... \S oftw a re\M icroso ft\W i... \b 0 ftw a re\M 1 croso ft\W i... \S oftw a re\M icroso ft\W i... \S oftw a re\M icroso ft\W i... \S oftw a re\M icroso ft\W i... \S oftw a re\M icroso ft\W i. .. Root Key + N o t m ... 83 + N o t m ... 83 + N o t m ... 83 hKEY CURRE... + N o t m ... 96 hKLY LOCAL... + N 0 t m ... yb I-KEY LOCAL... + N o t m ... 96 I-KEY LOCAL... + N o t m ... 96 hKEY LOCAL... + N o t m ... 96 hKEY LOCAL... + N o t m ... 96 31 1' 4! 1 J 6 7 9 H 0 In p l >
02 Browsers /$<
= Network S et Software Co
3 A uto Services berrysrv 3 A uto Services EMP UDSA
A uto Servicss SolarW inds 7F... REG SZ Registry Run Registry Kun Registry Run Registry Run Registry Run APC G I W hois rn5.exe dtri.exe APC svcnet2 BootExecute f n n r * A Q 1 r\ -r REG SZ K tG bZ REG SZ REG SZ REG SZ REG SZ
a im !
B - W indDws SI
b
Kernel Auto [ v j
Prohibited: 0 Suspicious: 9 Warnings: 1
Registry Run Bootexecute
autocheck autochk / q / v * REG_N... Partizan r ^ D o n r . D i u c c fYQRMTCr
\S YSTEM\Cu rrentControl... hKEY_LOCAL... *D e fin e ... 74
\ C n fh A ra ro \MirrncnfH\A/i
u irc v 1 n r a i
A t uni
>Make Backup... >Restote Backup *Add to the Ignae List
> ....... Double-click on he row to get specific command:.
The legend:
Pale Yellow warnings
FIGURE 5.61: UnHackMe Screentshot
Module 05 Page 731
Anti-Rootkits
Virus Removal Tool
http://ww w.sophos.com
(itifwd 1 ItlMUl NMhM
H CE
p !
Rootkit Buster
http://dow nloadcenter. trendmicro. com
Hypersight Rootkit Detector

http:,//northse curity labs. com
Rootkit Razor
h ttp ://w w w . tizersecure. com
Avira Free Antivirus

B y . http ://w w w .avira.co m
RemoveAny
h ttp ://w w w .free-anti-spy. com
SanityCheck
h ttp ://w w w . resplendence, com
TDSSKiller
h ttp ://s upport.kaspersky. com
i m 3 on 1
Prevx
h ttp ://w w w .pre vx. com
Copyright by E&Coincil.All Rights Reserved. Reproduction is Strictly Prohibited.
A nti-R ootkits
The following anti-rootkits help you to remove various types of malware such as rootkits, viruses, Trojan, and worms from your system. You can download or purchase antirootkit software from home sites and install it on your PC to be protected from rootkits. A few anti-rootkits are listed as follows: 0 0 0 0 0 0 0 0 0 0 Virus Removal Tool available at http://www.sophos.com Hypersight Rootkit Detector available at http://northsecuritylabs.com Avira Free Antivirus Tool available at http://www.avira.com SanityCheck available at http://www.resplendence.com GMER available at http://www.gmer.net Rootkit Buster available at http://downloadcenter.trendmicro.com Rootkit Razor available at http://www.tizersecure.com RemoveAny available at http://www.free-anti-spy.com TDSSKiller available at http://support.kaspersky.com Prevx available at http://www.prevx.com
Module 05 Page 732
NTFS Data Stream

5IS ttO T
I
Hacker
Inject malicious code in the existing file
CE H
NTFS Alternate Data Stream (ADS) is a Windows hidden stream which contains metadata forthe file such as attributes, word count, author name, and access and modification time of the files
ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities
NTFS D ata S tream

In addition to the file attributes, each file stored on an NTFS volume typically contains two data streams. The first data stream stores the security descriptor, and the second stores the data within a file. Alternate data streams are another type of named data stream that can be present within each file. Alternate Data Stream (ADS) is any kind of data that can be attached to a file but not in the file on an NTFS system. The Master File Table of the partition will contain a list of all the data streams that a file contains, and where their physical location on the disk is. Therefore, alternate data streams are not present in the file, but attached to it through the file table. NTFS Alternate Data Stream (ADS) is a Windows hidden stream that contains metadata for the file such as attributes, word count, author name, and access and modification time of the files. ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities. ADSs provide attackers with a method of hiding rootkits or hacker tools on a breached system and allow them to be executed without being detected by the system's administrator. Files with ADS are impossible to detect using native file browsing techniques like the command line or Windows Wxplorer. After attaching an ADS file to the original file, the size of the file will show as the original size of the file regardless of the
Module 05 Page 733
size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.
Hacker
Existing File
N TF S File S y s t e m
FIGURE 5.62: Working of NTFS Data Stream
Module 05 Page 734
How to Create NTFS Streams

N o te pa d is stre am co m p lia n t app licatio n
S Launch c : \>notepad myfile.txt:lion.txt
w Click 'Yes' to create the new file and type 10 lines of data Save the file
CE H
To modify the stream data, open docum ent
Launch c : \>notepad myfile.txt:tiger.txt
'myfile .txt:tig er .txt' in notepad
w Click 'Yes' to create the new file and type other 20 lines of text Save the file
Copyright by E&Cauactl.All Rights Reserved. Reproduction is Strictly Prohibited.
How to C re a te NTFS S tream s iL jr
You can create NTFS Streams by following these steps:
Launch c :\>notepad myfile .t x t :l i o n .txt
Click Yes to create the new file and type 10 lines of data. Q
9
Save the file. Launch c :\>notepad myfile .t x t :tiger .txt Click Yes to create the new file and type other 20 lines of text Save the file. V ie w th e file s iz e o fm y file .tx t (it should be zero).
Q 0 0
Q To modify the stream data, open the document myfile. txt: tiger .txt in Notepad.
Module 05 Page 735
NTFS S tream M an ipulation

Location c:\
CEH
Location c:\
if
Move the contents of Trojan.exe to Readme.txt
Trojan.exe (size:2 M B)
Readme.txt (size: 0)
To move the contents ofTrojan.exe to Readme.txt (stream):
Move
C:\> type c:\Trojan.exe > c:\Readme.txt: Trojan.exe
To executetheTrojan.exe inside the Readme.txt (stream):

C:\start c :\Readme.txt:Trojan.exe
~ l/ \
Execute
Extract
W m /_\
~7/\
To extract the Trojan.exe from the Readme.txt (stream):

C : \> c a t c :\ R e a d m e .t x t : T r o j a n . exe >
Trojan.exe
Note: Cat is a Windows 2003 Resource Kit Utility

NTFS S tream M a n ip u la tio n

You can manipulate the NTFS streams by executing the following steps: To move the contents of Trojan.exe to Readme.txt (stream):
c:\> type c:\Trojan.exe > c :\Readme.t x t :Tro j a n .exe
To execute the Trojan.exe inside the Readme.txt (stream):

c:\> start c :\Readme.t x t :Trojan.exe
Q To extract the Trojan.exe from the Readme.txt (stream):

c:\> cat c :\Readme.t x t :T rojan.exe > Trojan.exe
Note: Cat is a Windows 2003 Resource Kit Utility.

M o ve the contents of
Location c:\
Trojan.exe to Readm e.txt
T ro ja n .e x e (size: 2 M B ) FIGURE 5.63: Working of NTFS Stream Manipulation
R e a d m e .t x t (size: 0)
Module 05 Page 736
How to Defend against NTFS Streams
CEH
To delete NTFS streams, move the suspected files to FAT partition
Use third-party file checksum application to maintain integrity of an NTFS partition against unauthorized ADS
LNS.exefrom (http://ntsecurity.nu /to o lb o x /ln s /) can detect streams
^ How to D efend a g a in s t NTFS S tream s

" ' You should use Lads.exe software as a countermeasure for NTFS. The latest version of lads.exe gives you a report for the availability status of ADSs. Lad.exe is useful to administrators who deal with graphics since this tool provides the findings on the screen. This tool searches for either single or multiple streams. It provides a report of the ADSs' presence as well as gives the full path and length of each ADS that is found. Other means include copying the cover file to a FAT partition and then moving it back to NTFS. This corrupts and loses the streams. LNS.exe from http://ntsecurity.nu/toolbox/lns/ is a tool used to detect NTFS streams. This tool is useful in a forensic investigation. You should do the following things to defend against NTFS streams: Q Q Use up-to-date antivirus software on your system Enable real-time scanning of antivirus as it will protect from execution of malicious streams inside your system
Use file monitoring software such LAD, as it helps you to detect creation of additional or new data streams
Module 05 Page 737
NTFS Stream D etector: Stream Arm or
mamaaamm
Source: http://securityxploded.com
http://securityxploded.com
Copyright by EC-Ca11actl. All Rights Reserved. Reproduction is Strictly Prohibited.
NTFS S tream D etecto r: S tream A rm or
This tool helps you to detect the hidden Alternate Data Stream (ADS) and remove it from your system completely. Its multithreaded ADS scanner helps you to scan recursively over the entire system and uncovers all the hidden streams from your system. You can easily detect the suspicious data stream from a normal data stream as it displays the discovered specific stream with a specific color pattern. It is also able to detect file the type of stream by using the Advance File type detection mechanism.
Module 05 Page 738
Module 05 Page 739
NTFS Stream Detectors

o
ADS Spy
h ttp:,//w w w . merijn. nu
CE H
Stream Explorer
h ttp ://w w w . rekenwonder. com
ADS Manager
h ttp ://d m itry b ra n t. com
ADS Scanner
h ttp ://w w w .po in ts tone, com
j#
Streams
h ttp ://te chn e t. micros oft. com G *
s
RKDetector
h ttp ://w w w . rkdetector. com
AlternateStreamView
h ttp ://w w w . nirs oft. net
GMER
h ttp ://w w w . gmer. net
NTFS-Streams: ADS manipulation tool

h ttp ://s our ceforge, ne t
HijackThis
h ttp ://fre e , antivirus.com
NTFS S tream D etecto rs

There are various NTFS Stream Detectors available in the market. You can detect suspicious streams with the following NTFS stream detectors. You can download and install these stream detectors from their home sites: 0 ADS Spy available at http://www.meriin.nu
ADS Manager available at http://dmitrybrant.com 0 0 0 0 0 0 0 0 Streams available at http://technet.microsoft.com AlternateStreamView available at http://www.nirsoft.net NTFS-Streams: ADS manipulation tool available at http://sourceforge.net Stream Explorer available at http://www.rekenwonder.com ADS Scanner avaialble at http://www.pointstone.com RKDetector available at http://www.rkdetector.com GMER available at http://www.gmer.net HijackThis avaialble at http://free.antivirus.com
Module 05 Page 740
What Is Steganography?
J J Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data Utilizing a graphic image as a cover is the most popular method to conceal the data in files
c| EH
List of the compromised
Source code for the hacking tool
0
[
Plans for future attacks
Communication and coordination channel
<>
Copyright by E&Camctl. All Rights Reservfect;Reproduction is Strictly Prohibited.
! W hat is S teg an o g rap h y ?
^ It has been argued that one of the shortcomings of various detection programs is their primary focus on streaming text data. What if an attacker bypasses normal surveillance techniques and still steals or transmits sensitive data? A typical situation would be where an attacker manages to get inside a firm as a temporary or contract employee and surreptitiously seeks out sensitive information. While the organization may have a policy of not allowing electronic equipment to be removed from a facility, a determined attacker can still find a way with techniques such as steganography. Steganography is defined as the art of hiding data behind some other data without the knowledge of the enemy. It replaces bits of unused data into the usual filesgraphic, sound, text, audio, videowith some other bits that have been obtained surreptitiously. The hidden data can be plaintext or ciphertext, or it can be an image. The lure of the steganography technique is that, unlike encryption, steganography cannot be detected. When transmitting an encrypted message, it is evident that communication has occurred, even if the message cannot be read. Steganography is used to hide the existence of the message. An attacker can use it to hide information even when encryption is not a feasible option. From a security point of view, steganography is used to hide the file in an encrypted
Module 05 Page 741
format. This is done so that even if the file that is encrypted is decrypted, the message will still remain hidden. Attackers can insert information such as: 0 0 0 0 Source code for hacking tool List of compromised servers Plans for future attacks Communication and coordination channel
Module 05 Page 742
rm
A p p licatio n o f S teg an o g rap h y
The application of steganography differs in many areas and the area depends on what feature of steganography is utilized. Steganography is applicable to: Access Control System for Digital Content Distribution In the Access Control System for Digital Content Distribution system, the embedded data is "hidden," but is "explained" to publicize the content. In this system, a prototype of an Access Control System for digital content is developed to send data through the Internet. Using folder access keys, the content owner embeds the content in a folder and uploads on the web page. Here the content owner explains the content and publishes the contact details on the World Wide Web to get an access-request from users and they can contact him or her to get the access key. The valuable data can be protected using special access keys. Q Steganography File Systems A Steganography File System has a level of security using which hiding data is done by a series of fixed size files originally consisting of random bits on top of which vectors could be superimposed in such a way as to allow levels of security to decrypt all lower levels. Even the existence of any higher levels, or an entire partition, is filled with random bits and files hidden in it.
Module
05 Page 743
Media Bridging Using digital steganography, electronic communications can by encrypted in the transport layer, such as a document file, image file, program, or protocol.
Copy Prevention or Control (DVD) In the entertainment industry steganography can be used to protect copyrights for DVDs and CDs. The DVD copy-protection program is designed to support a copy generation management system.
Metadata Hiding (Tracking Information) Metadata can be used to track geo location and to prevent or control copying digital material, i.e., preventing unauthorized duplication of digital data.
Broadcast Monitoring (Gibson, Pattern Recognition) Covert Communication w Q Q Ownership Assertion Fingerprinting (Traitor Tracking) Authentication (Original vs. Forgery)
Module 05 Page 744
C la ssifica tio n of Steganography
CEH
U rtifirt itfciul Nm Im
Steganography !
Linguistic Steganography
Technical Steganography
Semagrams
Open Codes
Visual Semagrams
Covered Ciphers
Text Semagrams
Jargon Code
Copyright by EC-Gauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
C la ssific a tio n of S teg an o g rap h y

Steganography is classified into two areas based on techniques. They are technical steganography and linguistic steganography. Technical steganography hides a message using scientific methods, whereas the linguistic steganography hides the message in the carrier, a medium used to communicate or transfer messages or files. The steganography medium is usually defined as the combination of the hidden message, the carrier, and the steganography key. The following diagram depicts the classification of steganography.
Module 05 Page 745
Steganography
Linguistic Steganography
Technical Steganography
Sem agram s
H
y j J
O p en Codes
Visual Semagrams
Covered Ciphers
Text
Semagrams
Jargon Code
FIGURE 5.64: Classification of Steganography
Module 05 Page 746
T echnical Steganography
J Technical steganography uses physical or chemical means to hide the existence of a message Technical steganography uses tools, devices, or methods to conceal messages
CE H
Some methods of technical steganography include: Invisible Ink Microdots
M eth o d w ith the longest tradition
M eth o d to hide up to one page in a dot
Uses redundant information in texts, pictures, sounds, videos, etc.
Copyright by E&CoiMCil.All Rights Reserved. Reproduction is Strictly Prohibited.
T e c h n ic a l S teg an o g rap h y
Technical steganography is a method of securing text messages with the help of physical or chemical methods to hide the existence of the text message. You can use many tools, devices, and methods. Technical steganography has methods to achieve message hiding. Some of them include: 0 Invisible ink This method uses invisible ink for hiding text messages. Microdots It is a method that can be used to hide up to one page in a dot. Q Computer-based methods Use redundant information in texts, pictures, sounds, videos, etc.
Module 05 Page 747
L inguistic Steganography
H id in g M e s s a g e
J Linguistic steganography utilizes w ritten natural language to hide the message in the carrier in som e non-obvious w ays J J
CEH
Sem agram s
It is further categorized into semagrams and open codes Sem agram s utilize visual sym bols or signs to hide secret messages
V isual S e m a g ram s
T y p e s of S e m a g ra m s
Text S e m a g ra m s
Use innocent-looking or everyday
Hides a message by modifying the appearance of the carrier text, such as subtle changes in the font size or type, adding extra spaces, or different flourishes in letters or handwritten text
convey a message, such as doodles or the

physical objects to positioning of items on a desk or website
J
L in g u istic S teg an o g rap h y

Linguistic steganography hides the message in the carrier in some inventive ways. This technique is further categorized as semagrams or open codes.
:=nl Semagrams
This technique uses symbols and different signs to hide the data or messages. This is further categorized as visual semagrams and text semagrams. Q Visual Semagrams This method uses unmalicious physical objects to transmit a message such as doodles or the positioning of items on a desk or website. 0 Text Semagrams A text semagrams hides the text message by converting or transforming its look and appearance of the carrier text message, such as changing font sizes and styles, adding extra spaces as white spaces in the document, and different flourishes in letters or handwritten text.
Module 05 Page 748
L inguistic Steganography
(C ontd)
J
O p e n c o d e h id es th e se cre t m essag e in a sp ecifically d esign ed p a ttern on th e d o c u m e n t th a t is u n c le a r to th e a v e ra g e re a d e r
CEH
M
O pen c o d e s te g a n o g ra p h y is d iv id ed into: 1. J a rg o n C o d e
Covered cipher is categorized into: 1. N ull C ip hers
It is a language that a group of people can understand but is meaningless to others

2. Covered C ip hers
S A null cipher is an ancient form of encryption where the plaintext is mixed with a large amount of noncipher material 5 It can also be used to hide ciphertext
2 . G rille C ip hers
The message is hidden openly in the carrier medium so that anyone who knows the secret of how it was concealed can recover it
abed efqh iiklm n P
a In this technique, a grille is created by cutting holes in a piece of paper - When the receiver places the grille over the text, the intended message can be retrieved
\J
L in g u istic S teg an o g rap h y (C ontd)

Open code hides the secret message in a legitimate carrier message that is specifically designed in a pattern on a document that is unclear to the average reader. The carrier message is sometimes called the overt communication and the secret message is the covert communication. The open codes technique is divided into two main groups: jargon codes and covered ciphers. The covered ciphers are sub-divided into two types: null ciphers and grille ciphers.
Jargon Codes
Jargon codes are a language that a group of people can understand but is meaningless to others. These codes use signals, terminology, and conversations that have a special meaning that is known to some specific group of people. A subset of jargon codes are cue codes, where certain prearranged phrases convey meaning.
C overed C iphers
The message is hidden openly in the carrier medium so that anyone who knows the secret of how it was concealed can recover it. Covered ciphers are categorized into two types: grille ciphers and null ciphers.
Module 05 Page 749
Ethical Hacking and Countermeasures Copyright by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
A grille cipher employs a template that is used to cover the carrier message. The words that appear in the openings of the template are the hidden message. A null cipher hides the message by using some prearranged set of rules, such as "read every fifth word" or "look at the third character in every word." It can also be used to hide cipher text.
Module 05 Page 750
S teganography T echniques
Substitution Techniques
Substitute redundant part of the cover-object with a secret message Embed messages by altering statistical properties of the cover objects and use hypothesis methods for extraction
CEH
Statistical Techniques
Transform Domain Techniques
Distortion Techniques
Store information by signal distortion and in the extraction step measures the deviation from the original cover
Embed secret message in a transform space of the signal (e.g. in the frequency domain)
Spread Spectrum Techniques

Adopt ideas from spread spectrum communication to embed secret messages
Cover Generation Techniques
Encode information that ensures creation of cover for secret communication
S teg an o g rap h y T e c h n iq u e s
Steganography techniques are classified into six groups based on the cover modifications applied in the embedding process. They are:
Substitution T echniques
In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message. If the receiver has the knowledge of the places where the secret information is embedded, then they can extract the secret message.
QQQ T ransform D om ain T echniques

Q O D
The transform domain technique of steganography hides the information in significant parts of the cover image such as cropping, compression, and some other image processing areas. This makes it tougher for attacks. Transformations can be applied to blocks of images or over the entire image.
S pread S p ectru m T e c h n iq u e s
This technique provides the means for a low probability of intercept and anti-jamming communications. This is a means of communication in which the signal occupies excess of the
Module 05 Page 751
minimum bandwidth to send the information. The excess band spread is accomplished by means of code (independent of data), and a synchronized reception with the code is used at the receiver to recover the information from the spread spectrum data.
Statistical Techniques
This technique utilizes the existence of " l bit" steganography schemes. This is achieved by modifying the cover in such a way that, when a 1" is transmitted, some of the statistical characteristics change significantly. In other cases the cover remains unchanged. This is done to distinguish between the modified and unmodified covers. The theory of hypothesis from mathematical statistics is used for the extraction.
Distortion Techniques
In this technique, a sequence of modifications is applied to the cover in order to get a stego-object. The sequence of modifications is such that it represents the specific message to be transmitted. The decoding process in this technique requires knowledge about the original cover. The receiver of the message can measure the differences between the original cover and the received cover to reconstruct the sequence of modifications.
Cover-generation Techniques
In this technique, digital objects are developed for the purpose of being a cover to secret communication. When this information is encoded it ensures the creation of a cover for secret communication.
Module 05 Page 752
How Steganography W orks
CEH
Cover Image
Cover Image
t-----
Embedding function Extracting function
EC-Council "Hackers are here. Where are you?"
Stego Image
J
How S teg an o g rap h y W orks

Steganography encrypts less important information from digital content and injects hidden data in its place. This is done over image files, text files, audio files, and any digital data. This process is intended to provide secrecy. With the introduction of the Internet,hidden messages inside digital images became the most common and highly effectiveform of steganography. Images are stored in the computer as a group of pixels, with one pixel being around 8 to 24 bits. This group of pixels is stored in an image file according to any one of a number of formats. There are two files that are needed to hide a message within an image file. They are: 1. The file containing the image into which the message is supposed to be put 2. The file containing the message itself
Module 05 Page 753
Cover Image
Cover Image
Stego Image
FIGURE 5.65: How Steganography Works
Module 05 Page 754
Types of Steganography
Image Steganography Document Steganography Folder Steganography
(rtifwd
CEH
IU x j I lUckM
Video Steganography
Audio Steganography
WhiteSpace Steganography
Web Steganography
Spam/Email Steganography
DVDROM Steganography
Natural Text Steganography
Hidden OS Steganography
C++ Source Code Steganography
Copyright by E&C01ncil. All Rights Reserved. Reproduction is Strictly Prohibited.
I ^ T ypes of S teg an o g rap h y

Steganography is the art and science of writing hidden messages in such a way that no one other than the intended recipient knows of the existence of the message. The increasing uses of electronic file formats with new technologies have made data hiding possible. Basic steganography can be broken down into two areas: data hiding and document making. Document making deals with protection against removal. It is further divided into watermarking and fingerprinting. The different types of steganography are listed as follows: Q Image Steganography e Document steganography
Q Folder Steganography Q Video Steganography Q Audio Steganography Q Whitespace Steganography
Web Steganography
Module 05 Page 755
e e 0 Q
Spam/Email Steganography DVDROM Steganography Natural Text Steganography Hidden OS Steganography
C++ Source Code Steganography
Module 05 Page 756
W hitespace Steganography Tool: SNOW

J The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers If the built-in encryption is used, the message cannot be read even if it is detected
UrtifM
c EH
ItkNjI IU<hM
I I
D : \ C E H - T o o l s \ C E H v 8 M o d u le 05 S y s t e m H a c k i n g \ W h i t e s p a c e S t e g a n o g r a p h y T o o l \ S n o w \ s n w d o s 3 2 > s n o w - C -m " T h i s i s a t e s t f o r W h i t e s p a c e S t e g a n o g r a p h y u s i n g S now " - p we I c o n t e s t . d o c x s n o w o u t . d o c x C om pressed by 41.90X M essage e x c e e d e d a v a i l a b l e s p a c e by a p p r o x i m a t e l y 3 4 0 . 3 5 x . fin e x t r a 7 l i n e s w e r e a d d e d . D : \ C E H - T o o l s \ C E H u 8 M o d u le 05 S y s t e m H a c k i n g \ U h i t e s p a c e S t e g a n o g r a p h y T o o l \ S n o w \ s nw d o s3 2 >
h ttp://www. darkside. com. au

t 1 j W h itesp ace S teg an o g rap h y Tool: SNOW

______ Source: http://www.darkside.com.au The program SNOW is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If built-in encryption is used, the message cannot be read even if it is detected.
LÎhJ
D:\CEH-Tools\CEHu8 Module 05 S y s t c n H a c k i n g M J h i t e s p a c e S t e g a n o g r a p h y T o o l \ S n o w \ s 1wdos32>snow -C m " T h i s i s a t e s t f o r W h i t e s p a c e S t e g a n o g r a p h y u s i n g Snow" p 1 1 je lc o n t" t e s t . d o c x s n o u o u t . d o c x Compressed by 41.90X l e s s a g e e x c e e d e d a v a i l a b l e s p a c e by a p p r o x i m a t e l y 3 4 0 . 3 5 Z . ^n e x t r a 7 l i n e s were a d d e d . D:\CEH-Tools\CEHv8 Module 05 S y s te m H a c k i n g \ U h i t e s p a c e S t e g a n o g r a p h y T o o l \ S n o w \ s 11#dos32>
FIGURE 5.66: Whitespace Steganography Tool by Using SNOW
Module 05 Page 757
Image Steganography
J In image steganography, the information is hidden in image files of different formats such as.PNG, .JPG, .BMP, etc. Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by human eyes J
CEH
Image file steganography techniques:

Least Significant Bit Insertion Masking and Filtering
9 Algorithms and Transformation
Information
Copyright by E&Cauaci. All Rights Reserved. Reproduction is Strictly Prohibited.
Im a g e S teg an o g rap h y
Image steganography allows you to conceal your secret message within an image. You can take advantage of the redundant bit of the image to conceal your message within it. These redundant bits are those bits of the image that have very little effect on the image if altered. This alteration of bits is not detected easily. You can conceal your information within images of different formats such as .PNG, JPG , .BMP, etc. Images are the popular cover objects used for steganography. Image steganography tools are used to replace redundant bits of image data with the message in such a way that the effect cannot be detected by human eyes. Image steganography techniques can be divided into two groups: Image domain and transform domain. In image (spatial) domain techniques, messages are embedded in the intensity of the pixels directly. In transform domain (frequency) techniques, images are first transformed and then the message is embedded in the image. There are three techniques that you can use to conceal you secret messages in image files: Least Significant Bit Insertion Masking and Filtering Algorithms and Transformation
The following figure depicts image steganography and the role of steganography tools in the image steganography process.
Information
Information
FIGURE 5.67: How Image Steganography Works
Module
05 Page 759
L e a st S ig n ific a n t B it I n s e r tio n
J J The right most bit of pixel is called the Least Significant Bit (LSB) Using this method, the binary data of the hidden message is broken and then inserted into the LSB of each pixel in the image file in a deterministic sequence Modifyingthe LSB does not result in a noticeable difference because the net change is minimal andean be indiscernibleto the human eye
C EH
Exa m p le : G ive n a string of b ytes

(0 0 1 0 0 1 1 1 00100111 11101001 111 0 1 0 0 1 ) 11001000) (0 0 1 0 0 1 1 1 110 01000 11101001) (11 0 0 1 0 0 0
The letter "H" is represented by binary digits 01001000.To hide this "H " above stream can be changed as: (0 0 1 0 0 1 1 0 00100110 11101001 111 0 1 0 0 1 ) 11001000) (0 0 1 0 0 1 1 0 110 01001 11101000) (1 1 0 0 1 0 0 0
To retrieve the H" combine all LSB bits 01001000
Copyright by E&Caincl. All Rights Reserved. Reproduction is Strictly Prohibited.
L east S ignificant Bit In se rtio n

1 e Least Significant Bit Insertion technique is the most commonly used technique of
image steganography in which the Least Significant Bit (LSB) of each pixel is used to hold your secret data. The LSB is the rightmost bit of each pixel of image file. This LSB, if changed, has very little effect on the image; it cannot be detected. To hide the message, first break the message and insert each bit in place of each pixel's LSB of the image so that the recipient at the other end can retrieve your message easily. Suppose you have chosen a 24-bit image to hide your secret data, which can be represented in digital form as follows:
(0 0 1 0 0 1 1 1 11101001 11001000) (0 0 1 0 0 1 1 1 11001000 11101001) (1 1 0 0 1 0 0 0 00100111 11101001)
And you want to hide the letter "H" in above 24 -bit image as follows. Now letter "H" is represented by binary digits 01001000. To hide this "H," the previous stream can be changed to:
Module 05 Page 760
(0 0 1 0 0 1 1 0
11101001
11001000)
(0 0 1 0 0 1 1 0
11001001
11101000)
(1 1 0 0 1 0 0 0
00100110
11101001)
H 0 1 0 0 10 0 0
FIGURE 5.68: Least Significant Bit Insertion Diagram
You just need to replace the LSB of each pixel of the image file as shown in this figure. To retrieve this H at the other side, the person at the receiver side combines all the LSB bits of the image file and thus is able to detect the H at the receiver side.
Module 05 Page 761
Masking and Filtering

Masking and filtering techniques are generally used on 24 bit and grayscale images
CEH
The masking technique using a method similarto watermarks on actual paper, and it can be done by modifyingthe luminance of parts of the image
The information is not hidden at the "noise" level of the image
Maskingtechniques hide information in such a way that the hidden message is inside the visible part of the image
Copyright by EfrCoincl. All Rights Reserved. Reproduction is Strictly Prohibited.
^ J^j M a sk in g an d F ilte rin g

Masking and filtering techniques take advantage of human visual capabilities that cannot detect the slight changes in particular images. Grayscale images can hide information in a way that is similar to watermarks on paper and are sometimes used as digital watermarks. The masking technique allows you to conceal your secret data by placing it on an images file. Both masking and filtering techniques are mostly used on 24-bit-per-pixel images and grayscale images. To hide secret messages, you need to adjust the luminosity and opacity of the image. If the change in the lum inance is small, then people other than the intended users fail to notice that the image contains a hidden message. This technique can be easily applied to the image as it does not disturb the image, it is mostly used with JPEG images. Lossy JPEG images are relatively immune to cropping and compression image operations. Hence, the information is hidden in lossy JPEG images often using the masking technique. The reason that a steganography image encoded with a marking degrades in a lower rate under JPEG compression is that the message is hidden in the significant areas of the picture.
Module
05 Page 762
A lgorithm s and T ransform ation

J Another steganography technique is to hide data in mathematical functions
that are in compression algorithms
C EH
J The data is embedded in the cover image by changing the coefficients of a

transform of an image
J JPEG images use the Discrete Cosine Transform (DCT) technique to achieve
image compression
Type s of transformation techniques

I Fast fourier transform ation
II
Discrete cosine transform ation
111
W a v e le t transform ation
Copyright by EfrCaincl. All Rights Reserved. Reproduction is Strictly Prohibited.
A lg o rith m s a n d T ra n sfo rm a tio n

The algorithms and transformation technique is based on hiding the secret information during the compression of the image. In this technique, the information on the image is concealed by applying various compression algorithms and transformation functions. Compression algorithm and transformation uses a mathematical function to hide the coefficient of least bit during compression of images. Generally JPEG images are suitable to perform compression as they can be saved at different compression levels. This technique gives you high level of invisibility of secret data. JPEG images use a discrete cosine transform to achieve compression. There are three types of transformation techniques used in the compression algorithm: 0 0 0 Fast fourier transformation Discrete cosine transformation Wavelet transformation
Module 05 Page 763
QuickStego hides text in pictures so that only other users of QuickStego can retrieve and read the hidden secret messages
The feet are flexible structures of bones, joints, muscles, and soft tissues that let us stand upright and perform activities like walking, running, and jumping The feet are divided into three sect ons: The forefoot contains the five toes (phalanges) and the five longer bones (metatarsals). The midtoot is a pyramid-like collection ot bones that form the arches of the feet. These include the three cuneiform bones, the cuboid bone, and the navicular bone
h ttp://quickcrypto. com
Im a g e S teg an o g rap h y : Q uickS tego

Source: http://quickcrypto.com QuickStego lets you hide secret messages in images so that only other users of QuickStego can retrieve and read the hidden secret messages. Once a secret message is hidden in an image, you can still save it as picture file; it will load just like any other image and appear as it did before. The image can be saved, emailed, uploaded to the web as before, and the only difference will be that it contains hidden message. QuickStego imperceptibly alters the pixels (individual picture elements) of the image, encoding the secret text by adding small variations in color to the image. In practice, to the human eye, these small differences do not appear to change the image.
Module 05 Page 764
CYBERNESCENCE
The feet are flexible structures of bones, joints, muscles, and soft tissues that let us stand upright and perform activities like walking, running, and jumping. The feet are divided into three sections: The forefoot contains the five toes (phalanges) and the five longer bones (metatarsals). The midfoot is a pyramid-like collection of bones that form the arches of the feet These include the three cuneiform bones, the cuboid bone, and the navicular bone
!Picture. Image, Photo File
||
Open image
Save Image
!steganography
11
Hide Text
1
Get Text ||| Open Text Save Text Upgrade
FIGURE 5.69: QuickStego Screenshot
Module 05 Page 765
Im ag e Steganography Tools
Hide In Picture
h ttp://sourceforge, ne t
CEH
OpenStego
http://opens tego. s ourceforge, net
gifshuffle
s es
h ttp ://w w w . dark side. com. au
PHP-Class StreamSteganography
http://ww w.phpclasses.org
CryptaPix
h ttp ://w w w . briggs oft. com
Red JPEG
h ttp ://w w w . totalcmd.net
BMPSecrets
h ttp ://b m p s ecrets. com
Steganography Studio
& m 1
h ttp ://s tegs tudio. source forge, net
OpenPuff
, -1-
http://em beddeds w. ne t
Virtual Steganographic Laboratory (VSL)

http://s/s 1 .s ource forge, ne t
g! Im a g e S teg an o g rap h y Tools

Like the tool QuickStego discussed previously, you can also use the following image steganography tools to hide your secret messages in images: Hide In Picture available at http://sourceforge.net gifshuffle available at http://www.darkside.com.au CryptaPix available at http://www.briggsoft.com BMPSecrets available at http://bmpsecrets.com OpenPuff available at http://embeddedsw.net OpenStego available at http://openstego.sourceforge.net PHP-Class StreamSteganography available at http://www.phpclasses.org Red JPEG available at http://www.totalcmd.net Steganography Studio available at http://stegstudio.sourceforge.net Virtual Steganographic Laboratory (VSL) available at http://vsl.sourceforge.net
Module 05 Page 766
D o c u m e n t S te g a n o g ra p h y : w b S teg o
CEH
Document Files
Document Files
< ,
StegTool Information
StegTool Information
Welcome to the wbStef>04 Wizard!
A I
The wbSleQD 4 Wizard xvill guide you step by step through codiagydecodiag. With wb^togo !you aro able 1 0 hid0 any Mlocm a earner 1 1 1 0 (*BM P. .TXT, *HTM, PD F ) vrfthout changing those earnortleo optically. 1 1you aro tamiliar with tho way tho program workc you can uco trte Flawchan-Mad 10 mate all 1tmqc m an oveiview flowchart
W iz a rd
S e ttin g s
Help
w b S te g ^
Exit : Cor tin jH
Saect reU and :U pu: data
http://wbstego.wbailer.com
Copyright by E&C*IHg9. All Rights Reserved. Reproduction is Strictly Prohibited.
D o cu m en t S teg an o g rap h y
Similar to image steganography, document steganography is the technique used to hide secret messages to be transferred in documents. The following diagram illustrates the document steganography process:
=
Document Files Document Files
Steg Tool
3 ,
Steg Tool
L_X
Information
Information FIGURE 5.70: Working of Document Steganography
Module 05 Page 767
D ocum ent Steganography: wbStego

rr Source: http://wbstego.wbailer.com
WbStego is a document steganography tool. Using this tool, you can hide any type of file within carrier file types such as Windows bitmaps with 16, 256, or 16.7M colors, ASCII or ANSI text files, HTML fields, and Adobe PDF files.
I
The wbSteg04 Wizard will guide you step by step through coding/decoding ' With wbSteg04 you ore able to hide any Ales in a earner Me ( BMP. * TXT. * HTM. *PDF) without changing ihese earner Wes optically Ifyou are familiar with the way the programworks you can use the Flowchart-Mode 1 0make all seltmgs in an overview flowchart tJelp Settings flowchart -Mode
x jf
Continue
Module 05 Page 768
D ocu m en t Steganography Tools

BBQ I
_ _|
C EH
Merge Streams
h ttp://w w w .ntkernel.com
StegParty
h ttp ://w w w .fa s terlight. com
JU ?
Office XML
h ttp ://w w w . irongeek. com
[ A
^ ^ 4)
Hydan
http://w w w .crazyboy.com
Data Stash
h ttp ://w w w .sky juices o ft ware, com
StegJ
h ttp ://s tegj. source forge, net
FoxHole
http://foxhole.sourceforge. net
StegoStick
http://sourceforge. net
Xidie Security Suite

h ttp ://w w w . s tegano. ro
SNOW
h ttp ://w w w . dark side. com. au
D o cu m en t S teg an o g rap h y Tools

Similar to wbStego, there are many other tools that allow you to hide data within other document files of various types or extension: 0 0 0 0 0 0 0 0 0 0 Merge Streams available at http://www.ntkernel.com Office XML available at http://www.irongeek.com Data Stash available at http://www.skyiuicesoftware.com FoxHole available at http://foxhole.sourceforge.net Xidie Security Suite available at http://www.stegano.ro StegParty available at http://www.fasterlight.com Hydan available at http://www.crazyboy.com StegJ available at http://stegj.sourceforge.net StegoStick available at http://sourceforge.net SNOW available at http://www.darkside.com.au
Module 05 Page 769
Video Steganography
Video steganography refers to hiding secret information or any kind of files with any extension into a carrier video file
CEH
vw
vw
In video steganography, the information is hidden in video files of different formats such as .AVI, .MPG4, A/VMV, etc.
Discrete Cosine Transform (DCT) manipulation is used to add secret data at the time of the transformation process of video
The techniques used in audio and image files are used in video files, as video consists of audio and images
A large number of secret messages can be hidden in video files since they are a moving stream of images and sound
Video S teg an o g rap h y

Video steganography involves hiding secret messages files of any extensions in the continuously flowing video file. Here video files are used as the carrier to carry the secret information from one end to another end. It keeps your secret information more secure. As the carrier video file is a moving stream of images and sound, it is difficult for the unintended recipient to notice the distortion in the video file caused due to the secret message. It might go unobserved because of continuous flow of the video. As a video file is a combination of image and audio, all the techniques available for image and audio steganography can also be applied to video steganography. It can be used to hide a large number of secret messages.
Module 05 Page 770
Video Steganography: OmniHide PRO

video/documentformats. The outputfile would work just as the original source file
C EH
J OmniHide Pro hides a file within another file. Any file can be hidden within common image/music/
O m n iH id e Pro Trial v l.O
]1 1 1 1 1 T Hide your data from tnose prying eyes

Hide | Recover | Settings Co Pro! | About C\User$\Admlnlstra10r\Desk10p\hpc1 im ages\tiger_display.jpg
C :\Users\A drr1n1straT0f\D eskt0p\hptt 1m age$\rhe tig er docx options v
Output Filo
|C \U<or$VAdrT1irittrat0f\Do<ktop\hput lmags\tiger_display_Out jp g
V ie w converted filo when complete
Hide Itl
Clear A i
Exit
http://omnihide.com
Copyright by ElrCaiHCi. All Rights Reserved. Reproduction is Strictly Prohibited.
Video S teg an o g rap h y : O m niH ide PRO

Source: http://omnihide.com OmniHide PRO allows you to hide any secret file within innocuous image, video, music files, etc. The resultant Stego file can be used or shared like a normal file without anyone knowing that something is hidden within it, thus this tool enables you to save your secret file from prying eyes. It also enables you to add a password to hide your file to enhance security. Features: This allows you to hide you files in Photos, Movies, Documents, and Music etc. 0 It put no limitation on file type and size you want to hide
Module 05 Page 771
OmniHide Pro Trial v1.0
!*Wide rrr u Ji
Omni Hide
l l l l l Hide your data from those prying eyes

Recover | Settings | Co Pro! | About
Mask File
C:\Users\Administrator\Desktop\lnput lmages\tiger_display.jpg
A
options ]
File To hide
C:\Users\Administrator\Desktop\lnput lmages\The tiger.docx
Output File
|c:\Users\Administrator\Desktop\lnput lmages\tiger_display_Qut.jpg View converted file when complete
Hide Itl
Clear A U .
Exit
Ready.
FIGURE 5.72: OmniHide PRO Screenshot
Module 05 Page 772
Video S teganography Tools

Our Secret
h ttp ://w w w .secu re kit. net
U rtM M itfc M jl N M h M
C EH
BDV DataHider
h ttp ://w w w . bdv notepad. com
RT Steganography
h ttp ://rts tegvideo. s ourceforge, net
StegoStick
http://sourceforge. net
<jy yj -i
Masker
h ttp ://w w w .so ft puls. com
OpenPuff
http://em beddeds w. net
Max File Encryption

h ttp ://w w w . softeza. com
Stegsecret
h ttp ://s tegs ecre t. sourceforge, net
E9
MSU StegoVideo
h ttp ://w w w . compression, ru *
*
* * J
PSM Encryptor
http://dem o.pow ersoftm akers.com
Video S teg an o g rap h y Tools

In addition to PRO, there are many other tools that you can use to hide your secret information file in video files: Our Secret available at http://www.securekit.net RT Steganography available at http://rtstegvideo.sourceforge.net Masker available at http://www.softpuls.com Max File Encryption available at http://www.softeza.com MSU StegoVideo available at http://www.compression.ru BDV DataHider available at http://www.bdvnotepad.com StegoStick available at http://sourceforge.net OpenPuff available at http://embeddedsw.net Stegsecret available at http://stegsecret.sourceforge.net PSM Encryptor available at http://demo.powersoftmakers.com
Module 05 Page 773
Audio Steganography
J
(rtifwd
CEH
ithiul UtkM
Audio steganography refers to hiding secret information in audio files such as .MP3, .RM, .WAV, etc. Information can be hidden in an audio file by using LSB or by using frequencies that are inaudible to the human ear (>20,000 Hz)
StegTool
Information
Information
Audio S teg an o g rap h y

Audio steganography allows you to conceal your secret message within an audio file such as WAV, AU, and even MP3 audio files. It embeds secret messages in audio files by slightly changing the binary sequence of the audio file. Changes in the audio file after insertion cannot be detectable, so this secures the secret message from prying eyes. You need to ensure that the carrier audio file should not be significantly degraded due to embedded secret data; otherwise, the eavesdropper can detect the existence of the hidden message in the audio file. So the secret data should be embedded in such a way that there is a slight change in the audio file that cannot be detected by a human. Information can be hidden in an audio file by using an LSB or by using frequencies that are inaudible to the human ear (>20,000 Hz).
Module 05 Page 774
Information
Information
FIGURE 5.73: Working of Audio Steganography
Module 05 Page 775
A u dio S teg a n o g ra p h y M e th o d s
Echo Data Hiding
It refers to hiding a message as an echo into an audio signal The sensitive message is encoded in the echo in the form of variations in amplitude, decay rate, and offset An echo cannot be easily resolved because the parameters are set below levels audible to human
(citifwd
c EH
ItkKJl NMkw
Spread Spectrum Method

It encodes data as a binary sequence that sounds like noise but can be recognized by a receiver with the correct key Two approaches are used in this technique, namely direct sequence spread spectrum (DSSS) and frequency hopping spread spectrum (FHSS) In DSSS, the secret message is spread out by chip rate (constant) and then modulated with a pseudo-random signal that is then interleaved with the cover signal In FHSS, the audio file's frequency spectrum is altered so that it hops rapidly between frequencies Spread spectrum method plays a major role in secure communications-commercial and military
Audio S teg an o g rap h y M eth o d s

There are certain methods available to conceal your secret messages in audio files. Some methods implement the algorithm that is based on inserting the secret information in the form of a noise signal, while other methods believe in exploiting sophisticated signal processing techniques to hide information. The following methods are used to perform audio steganography in order to hide secret information.
J S lL
m u
Echo Data Hiding
In the echo data hiding method, the secret information is embedded within the carrier audio signal by introducing an echo into it. It uses three parameters of echo, namely, initial amplitude, decay rate, and offset or delay to hide secret data. When the offset between carrier signal and echo decreases, these two signals get mixed at a certain point of time where it is not possible for the human ear to distinguish between these two signal. At this point, an echo sound can be heard as an added resonance to the original signal. However, this point of undistinguishable sounds depends on factors such as quality of original audio signal, type of sound, and listener.
Module 05 Page 776
To encode the resultant signal in to binary form, two different delay times are used. These delay times should be below human perception. Parameters such as decay rate and initial amplitude should also be set below threshold audible values so that the audio is not hearable at all.
Spread Spectrum M ethod

In this method, secret information is spread across as much of the frequency spectrum as possible. This method uses two versions of spread spectrum viz.: direct sequence spread spectrum (DSSS) and frequency hopping spread spectrum (FHSS) In DSSS, the secret message is spread out by chip rate (constant) and then modulated with a pseudo-random signal that is then interleaved with the cover signal. In FHSS, the audio file's frequency spectrum is altered so that it hops rapidly between frequencies. Spread spectrum method plays a major role in secure communications, both commercial and military.
Module 05 Page 777
Audio Steganography M ethods

(Cont'd)
CEH
LSB Coding
0 The low bit encoding techniqueis sim ilarto the least bit insertion method done through image files It replaces the LSB of information in each sampling p o in tw ith a coded binary string
Tone Insertion
It dependson the inaudibility of low pow er tones in the presence of significantly higher spectral components An indirect exploitation of the psychoacoustic masking phenom enon in the spectral domain
Phase Encoding
Phase coding is described as the phase in which an W m is substituted by a reference phase that represents the data It hides secret message as phase shifts in the phase spectrum of a digital signal The phase shifts cannot be easily identified due to low signal-to-noise ratio
! o r
A udio S teg an o g rap h y M eth o d s (C ontd) LSB Coding

LSB encoding works like the LSB insertion technique in which a secret binary message is inserted in the least significant bit of each sampling point of the audio signal. This method can be used to hide large amounts of secret data. It is possible to use the last two significant bits to insert secret binary data but the problem is that it will create noise in the audio file. Its poor immunity to manipulation makes this method less adaptive. Hidden data can be easily identified and extracted due to channel noise and resampling.
Tone Insertion
This method involves embedding data in the audio signal by inserting low power tones. These low power tones are not audible in the presence of significantly higher audio signals. As it is not audible, it conceals the existence of your secret message. It is very difficult for the eavesdropper to detect the secret message from the audio signal. This method helps to avoid attacks such as low-pass filtering and bit truncation. The audio steganography software implements one of these audio steganography methods to embed the secret data in the audio files.
Module 05 Page 778
Phase Encoding
Phase coding is described as the phase in which an initial audio segment is substituted '--- by a reference phase that represents the data. It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of signal-to-noise ratio.
Module 05 Page 779
Audio Steganography: D eepSound

J
~ L O
DeepSound hides secret data into audio files wave and flac It enables extracting secret files directly from audio CD tracks DeepSound might be used as a copyright marking software for wave, flac, and audio CD It also supports encrypting secret files using AES-256 to improve data protection
J J J
DeeaSouw 13
Retoad Add tiles

H am er airlio files
is?
Encode btrac sec etues
Settings
S K f l *1l*s n01 Track 1
:CYCLE.BIN DeepSoundFiles )& flac \ SecretPilelost lO W o v 01__prophc 02 Track 2.wfc
03 6 6 n d e x iM ftfc g X J'S0 0
0 123 0006 COO?
> 0 * 4
Encode t*a*t ' 1 1 * fi 1TI 0002
03 Track 3.W8
04 Track 4.wov
brtdrt secret fcks M
06 T rack i.wav
08 Dop>oy_1bStoro,wav MonoBbrtwav Mono8bitMdlMB va^ Mono8WtPodiMB.wav SAM_1508WAV S<a1008bit.werv
01 Track 1.wav
f 0_ojlcr1j3her rtgcflac
4 ( fa s 21 OSOMB (22072B52 Bytoa)
Output dirwtory: I
MffnaQuîr/ Encrypt disabled
http://jpinsoft.net
Audio S teg an o g rap h y : D eepS ound

Source: http://jpinsoft.net DeepSound helps you to hide any kind of secret data into audio files (WAV and FLAC). You can use this tool to embed your secret message in the audio file. It will also allow you to extract secret files directly from audio CD tracks when you are at the other end. It also able to encrypt secret files, thus enhancing security. To access the data in a carrier file, you simply browse to the location with the DeepSound file browser and right-click the audio file to extract your secret file(s).
Module 05 Page
780
Module 05 Page 781
Audio Steganography Tools

Mp3stegz
h ttp ://m p 3 s tegz. source forge, net y
CEH
CHAOS Universal
h ttp ://s afe chaos. com
MAXA Security Tools

h ttp ://w w w . maxa-tools.com
'
p LmJ
SilentEye
h ttp ://w w w .sile nte ye . org
BitCrypt
h ttp ://b itc ry p t. mos he sz weizer. com
QuickCrypto
h ttp ://w w w . quick crypto, com
MP3Stego
h ttp ://w w w .pe titcola s. net
CryptArkan
h ttp ://w w w . kuskov. com
Hide4PGP
h ttp ://w w w . heinz -repp, online home, de ^
StegoStick
h ttp ://s teqos lick, source forge. net
Audio S teg an o g rap h y Tools
You can also use the following audio steganography tools to hide your secret information in audio files: 0 0 0 0 0 0 0 0 0 0 Mp3stegz available at http://sourceforge.net MAXA Security Tools available at http://www.maxa-tools.com BitCrypt available at http://bitcrypt.moshe-szweizer.com MP3Stego available at http://www.petitcolas.net Hide4PGP available at http://www.heinz-repp.onlinehome.de CHAOS Universal available at http://safechaos.com SilentEye available at http://www.silenteye.org QuickCrypto available at http://www.quickcrypto.com CryptArkan available at http://www.kuskov.com StegoStick available at http://sourceforge.net
Module 05 Page 782
Folder Steganography: In v isib le Secrets 4

Folder steganography refers to hiding secret information in folders
C re a te S e lf-D e c ry p tin g Package

Files Popup Message
Select the Hes you want to include in the self-deerypbng package: (You can add files by dropping them on this list). Click NEXT to continue... Name ^)awards.html ^ awards.jpg ^main.dwt.isc mam.dwt main,css ^ main.css. isc support. |pg Type HTML Document ACDSee JPEG I... Crypted File DWT File Cascading Style... Crypted File ACDSee JPEG I... Full Path C \alina\WEBSITE\ C \alina\WEBSITE\ C \alina\WEBSITE\Templates\ \alina\WEBSI TE\Templates\
c c \alina\WEBSITE\ c \alir>a\WEBSITE\ c \alina\WEBSITE\

Remove | [ B
<
^ Add files
>
j|[
|
Add folders [ |
Cryptboard
( Back
Next )
Help
| I
;< Close
Copyright by EtC tU iC i. All Rights Reserved. Reproduction isStrictly Prohibited.
C/Xy F o ld er S teg an o g rap h y : In v isib le S ecrets 4

Folder steganography refers to hiding secret information in folders. This can be accomplished with the help of the tool Invisible Secrets 4. Source: http://www.invisiblesecrets.com Invisible Secrets 4 is file encryption software that keeps cybercriminals out of your emails and prevents attackers from viewing your private files. This software not only encrypts your private data and files for safe keeping and securing transfer across the net, but also hides them in such a place that no one can identify them. Even an attacker could not locate sensitive information. Since the places the private documents are kept appear totally innocent, such as picture or sound files or web pages, these types of files are a perfect disguise for sensitive information. This software allows you to encrypt and hide documents directly from Windows Explorer, and then automatically transfer them by email or via the Internet.
Module 05 Page 783
FIGURE 5.75: Invisible Secret Autorun
Invisible Secrets 4
C re a te Self-D ecrypting P a ck a g e
Files Popup M essage
Select the files you want to include in the self-decrypting package: (You can add files by dropping them on this list). Click NEXT to continue... Name ) âwards.html ^ awards.jpg '^main.dwt.isc 3" main.dwt 3 main, css ^ main. css. isc tfcsupport.jpg < | ^ Add files C j Add folders ^ Remove Type HTML Document ACDSee JPEG I... Crypted File DWT File Cascading Style... Crypted File ACDSee JPEG I... Full Path C:\alina\WEBSITE\ C:\alina\WEBSITE\ C:\alina\WEBSITE\Templates\ C:\alina\WEBSITE\Templates\ C:\alina\WEBSITE\ C:\alina\WEBSITE\ C:\alina\WEBSITE\ l> Cryptboard
| Back
Next >
Help
Close
FIGURE 5.76: Invisible Secret Screenshot
Module 05 Page 784
Folder Steganography Tools

g p
B*fcB
C EH
Folder Lock
h ttp ://w w w . newsoftwares.net
Universal Shield
h ttp ://w w w . evers trike, com
A+ Folder Locker jjî

h ttp ://w w w . giant matrix, com
WinMend Folder Hidden

h ttp ://w w w . winmend. com
'
Toolwiz BSafe
h ttp ://w w w . tootwiz.com
Encrypted Magic Folders

h ttp ://w w w .pc magic, com
M = =
sm
Hide Folders 2012

h ttp ://fsp ro .n e t
E2
QuickCrypto
h ttp ://w w w . quick crypto, com
GiliSoft File Lock Pro

h ttp ://w w w . gilis oft. com
Max Folder Secure

h ttp ://w w w . maxfoldersecure. com
1
'
F o ld er S teg an o g rap h y Tools

In addition to Invisible Secrets 4, you can also use following tools as folder
steganography tools to hide your secret information in folders: 0 0 Folder Lock available at http://www.newsoftwares.net A+ Folder Locker available at http://www.giantmatrix.com
Toolwiz BSafe available at http://www.toolwiz.com 0 0 0 0 0 0 0 Hide Folders 2012 available at http://fspro.net GiliSoft File Lock Pro available at http://www.gilisoft.com Universal Shield available at http://www.everstrike.com W inM end Folder Hidden available at http://www.winmend.com Encrypted Magic Folders available at http://www.pc-magic.com QuickCrypto available at http://www.quickcrypto.com Max Folder Secure available at http://www.maxfoldersecure.com
Module 05 Page 785
Spam /E m ail Steganography: Spam M im ic

J Spam steganography refers to hiding information in spam messages
lEEHli
Copyright by EC-CaUBCfl. All Rights Reserved. Reproduction is Strictly Prohibited.
S p a m /E m a il S teg an o g rap h y : Spam M im ic

Spam/email steganography refers to the technique of sending secret messages by hiding them in spam/email messages. Spam emails can be used as the way of secret communication by embedding the secret messages in some way and hiding the embedded data in the spam emails. This technique is supposedly to be used by various military agencies, with the help of steganographic algorithms. This can be accomplished with the help of the Spam Mimic tool. Source: http://www.spammimic.com Spam Mimic is spam "grammar" for a mimic engine by Peter Wayner. This encodes the secret message into innocent-looking spam emails. The fun grammar of this software encodes the message into art-speak and the commentary of a baseball game. It provides the capabilities of both encoding and decoding. The encoder of this tool encodes the secret message as spam with a password, fake PGP, fake Russian, and space.
Module 05 Page 786
Encode Enter your short secret message:

112983465
Alternate encodings: Encode as spam with a password Encode as fake PGP Encode as fake Russian B33 Encode as space home | encode | decode | explanation | credits | faq & feedback | terms | Franks
Copyngfat 2000-2010 *pamnunlc.coa), All rtghti r***rv*d
FIGURE 5.77: Spam Mimic Login Page
You can copy the message out of the text box and paste it into a mail Launch your mail program How to copy and paste in Windows How to copy and paste in X How to copy and paste on a Mac
FIGURE 5.78: Spam Mimic Main Page
Module 05 Page 787
Natural Text Steganography: Sams Big G Play Maker
CEH
Natural text steganography programs convert sensitive information in to a userdefinable free speech such as a play
Sams bigG play maker
General | Wordlists | Equiv. | |Hi, Corfidential meeting at 5 PM, Must attend. (Phil stutters 1 times) Mike sayi "Mine's a pint" Harold s5ys "H ot steamy grits!" (Adam stutters 1 times] Jason says "Alive" (Jason scratches head 1 times) Jason says 'Y e s thank you." Adam sajs 'W here?'' Harold scys "A t your command?' (Mike strikes Mike 1 times) Phil says W here?" Paul says 'W h a t does MPEG mean?" Paul says "Ah! An earthling!" Kenny says "Hot steamy grits!" (Mike steps forward 1 times) JYA says "Mine's a pint" Mr Honk> 8ayo "Hot rtoamy gritcl" Mike sayi "Hot steamy grits!" Phil says "Did he mean to die jujt then?" Mr H ankj says "I never talk politics." Sam SAV* "Mikft ynu Udyhnvl" Jason says "But I read slash-dot
E a *
h ttp://www.scramdisk.clara.net
Copyright by E&Coinci. All Rights Reserved. Reproduction is Strictly Prohibited.
N atu ral Text S teg an o g rap h y : Sam s Big G P lay M a k e r

Natural text steganography programs convert sensitive information into a userdefinable free speech item such as a play. Sams Big G Play Maker helps in performing natural text steganography. Source: http://www.scramdisk.clara.net Sams Big G Play Maker is a Windows-based program that is designed for hiding secret messages in the form of an amusing play or conversation. This is usually applicable for small messages. Looking at the secret message's output play that is generated using this tool, no one can realize that the output play contains a hidden message.
Module 05 Page 788
Sams big G play maker

General Wordlists | Equiv. (Phil stutters 1 times) Mike says "Mine's a pint" Harold says "Hot steamy grits!" (Adam stutters 1 times) Jason says "Alive" (Jason scratches head 1 times) Jason says ,Yes thank you." Adam says 'W here?" Harold says "At your command?" (Mike strikes Mike 1 times] Phil says "Where?" Paul says 'W h a t does MPEG mean?" Paul says "Ah! An earthling!" Kenny says "Hot steamy grits!" (Mike steps forward 1 times) JYA says "Mine's a pint" Mr Hanky says "Hot steamy grits!" Mike says "Hot steamy grits!" Phil says "Did he mean to die just then?" Mr Hanky says "I never talk politics." Sam says "Mike - you ladyboy!" Jason says "But I read slash-dot" end of scene
Hi, Confidential meeting at 5 PM, Must attend.
About Exit
F IG U R E 5.79: Sam s Big G P lay M a k e r Screensho t
Module 05 Page 789
Issues in Information Hiding
C EH
L e v e ls of V is ib ility
R o b u s tn e s s v s . P a y lo a d
File Format Dependence

Data compression techniques are of two types: lossy and lossless Conversion of lossless information to compressed lossy information destroys the secret information present in the cover
If the embedding process distorts the cover to the point that it is visually unnoticeable, meaning if the image is visibly distorted, then the carrier is insufficient for the payload. Likewise, if the image is not distorted, then the carrier is adequate
Redundancy is needed for a robust method of embedding the message, but it subsequently reduces the payload Robustness and payload are inversely related. Therefore, the smaller the payload, the more robust it will be
!!*![
1 ^
Is s u e s in In fo rm atio n H iding
The following three sections discuss issues that must be considered when hiding information.
S teg an o g rap h ic F ile System

In a steganographic file system, a relatively large amount of sensitive information is hidden within an existing host file system. A steganographic file system allocates dynamically fragments of hidden information to the unused location on a storage device, thereby allowing the hidden data to be embedded within a host file system. It also allows users to give names and password (access keys) for the files. In this method, the data is obfuscated using cryptographic algorithms, but the presence of data is denied without the corresponding access key, i.e., given by the user. W ithout the appropriate access key (password) the attacker cannot get the data of the file. The following method is used to construct a steganographic file system: Q File system begins with random data.
The encrypted blocks are written to the pseudorandom locations using the key acquired from the filename and directory password to hide the file blocks in random data. When
Module 05 Page 790
the file system continues to be written to, collisions occur and the blocks are overwritten, allowing only a small portion of the disk space to be safely utilized. Q Multiple copies of each block should be written. A method to identify the blocks when they are overwritten is also required.
Need for steganographic file systems

Steganographic file systems provide additional protection to the hidden data in a convenient way. W ith the help of these, users can store their confidential (such as trade secrets) or financial information on their systems without any fear. To access the information, the person should hold expressly granted permissions and knowledge without which he or she cannot access the information in the file. The information hiding techniques not only encrypt the data content but also the presence of data. The data that is within the steganographic file system can only be accessed by the user having the access key (granted permissions).
Levels of V isibility
If the embedding process distorts the cover to the point that it is visually unnoticeable, meaning if the image is visibly distorted, then the carrier is insufficient for the payload. Likewise, if the image is not distorted, then the carrier is adequate. The way a message is embedded will determine whether the data is perceptible or not. To reduce the theft of data, the presence of a watermark is often publicized. However, publicizing the presence of a watermark also allows various methods to be implemented to attempt to alter or disable the watermark. When the visibility of the data is increased, the potential for manipulation of the data also increases.
R obustness v ersu s Payload

In order to have a robust method of embedding a message, redundancy should be maintained to resist changes made to the cover. However, increasing the robustness of the message means that less space is usable for the payload. Robustness must be weighed against the size of the payload.
File F orm at D ependence

Conversion of files that have lossless information to compressed files with lossy information can destroy the secret information present in the cover. Some processes embed the data depending on the file format of the carrier, while others do not depend on the file format. The JPEG compression algorithm uses floating-point calculations to translate the picture into an array of integers. This conversion process can result in rounding errors that may eliminate portions of the image. This process does not result in any noticeable difference in the image. Nevertheless, embedded data could become damaged. Some other popular algorithms, namely Windows Bitmap (BM P) and Graphic Interchange Format (GIF), are considered lossless compressions. The compressed image is an exact representation of the original.
Module 05 Page 791
Steganalysisisthe art of discoveringand renderingcovertmessagesusingsteganography
Challenge of Steganalysis
Efficient and accurate detection of hidden content within digital images
Some of the suspect signals or files may have irrelevant data or noise encoded into them
Steganalysis is the reverse process of steganography. It hides the data, while steganalysis is used to detect the hidden data. It determines the encoded hidden message, and if possible, it recovers that message. The message can be detected by looking at variances between bit patterns and unusually large file sizes. The first step in steganalysis is to discover an image that is suspected of harboring a message. This is considered to be an attack on the hidden information. There are two other types of attacks against steganography: message attacks and chosen-message attacks. In the former, the steganalyst has a known hidden message in the corresponding stego-image. The steganalyst determines patterns that arise from hiding the message and detecting this message. The steganalyst creates a message using a known stego tool and analyzes the differences in patterns. Cover images disclose more visual clues as compared to stego-images. It is necessary to analyze the stego-images to identify the information that is concealed. The gap between cover image and stego-image file size is the simplest signature. Many signatures are evident using some of the color schemes of the cover image.
Module 05 Page 792
Once detected, a stego-image can be destroyed or the hidden message can be modified. Some of the data that is hidden behind the images using the Image Domain Tool can prove to be useless.
Challenges of Steganalysis:
0 0 0 0 Suspect information stream may or may not have encoded hidden data Efficient and accurate detection of hidden content within digital images Encrypts the hidden data before inserted into a file or signal Some of the suspect signals or files may have irrelevant data or noise encoded into them
Module 05 Page 793
S teg a n a ly sis M eth od s/A ttack s on Steganography

Only the steganography medium is available for analysis Steganography algorithm is known and both the original and the stegoobject are available The hidden message and the corresponding stegoimage are known During the communication process! active attackers can change the cover
Urt1fw4
C EH
ilhiul lUtbM
Reformat
The format of the file is changed. This works because different file formats store data in different ways
The stego-object and the original cover-object are available, which are compared to identify hidden information This attack generates stego objects from a chosen message using specific steganography tools in order to identify the steganography algorithms The stego-object and steganography algorithm are identified
Known-cover
Known-message
Chosen-message
Disabling or Active
J I
Chosen-stego
Copyright by EW iouici. All Rights Reserved. Reproduction is Strictly Prohibited.
S teg an aly sis M e th o d s/A tta c k s on S teg an o g rap h y

Steganography attacks are split into eight types: stego-only attacks, reformat attacks, known-cover attacks, known-message attacks, known-stego attacks, chosen-stego attacks, chosen-message attacks, and disabling attacks.
Stego-only attack
~ The stego-only attack takes place when there is only the stego-medium, which carries out the attack. The only way that this attack can be avoided is by detecting and extracting the embedded message.
R eform at attack
----In this method the format of the file is changed. This works because different file formats store data in different ways
(1 >>
Know n-cover attack

The known-cover attack is used with the presence of a stego-medium as well as a
cover-medium. This would enable a comparison to be made between both the mediums so that the change in the format of the medium can be detected.
Module 05 Page 794
K now n-m essage attack

The known-message attack presumes that the message and the stego-medium are present, and the technique by which the message was embedded can be found.
jc
Known-Stego attack
In this attack, the steganography algorithm is known and both the original and stegoobject are available.
C hosen-stego attack
The chosen-stego attack takes place when the forensic investigator generates a stegomedium from the message by using a special tool. Searching for signatures that will enable the detection of other steganography mediums can carry out such an attack.
C hosen-m essage attack

The steganalyst generates a stego-object from some steganography tool or algorithm of a chosen message. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.
1 .!!,;, D isabling or active attack s

^ These are categorized into six parts, which include blur, noise reduction, sharpen, rotate, resample, and soften. Disabling attacks can smooth transitions and decrease the contrast by averaging the pixels next to the hard edges of the defined lines and the areas where there are significant color transitions. This is otherwise called blurring the stegomedium. Random noise in the stego-medium inserts random-colored pixels to the image. The uniform noise inserts pixels and colors that closely resemble the original pixels. Noise reduction decreases the noise in the image by adjusting the colors and averaging the pixel values. Sharpening is the opposite of the blur effect. It increases contrast between adjacent pixels where there are significant color contrasts that are usually at the edge of objects. Rotation moves the stego medium to give its center a point. Resampling involves what is known as the interpolation process that is used to reduce the raggedness associated with the stego-medium. Resampling is normally used to resize the image. Softening of the stego-medium applies a uniform blur to an image to smooth edges and reduce contrasts and cause less distortion than blurring.
Module 05 Page 795
D e te c tin g Text an d Im a g e S teg an o g rap h y

L
Steganography is the art of hiding either confidential or sensitive information within the cover medium. In this, the unused bits of data in computer files such as graphics, digital images, text, HTML, etc. are used for hiding sensitive information from unauthorized users. Hidden data is detected in different ways depending on the file used. The following file types require specific methods to detect hidden messages. W hen a message is hidden in a file in such a way that only the authorized user aware of the hidden message can read or recover the message, probably the alteration is applied to the cover or carrier file. The alteration varies based on the type of file used as carrier.
Text Files
For text files, the alterations are made to the character position for hiding the data. These alterations can be detected by looking for text patterns or disturbances, the language used, line height, and unusual number of blank spaces.
Im ag e Files
The information that is hidden in the image can be detected by determining changes in size, file format, last modified, last modified time stamp, and color palette of the file.
Module 05 Page 796
Statistical analysis methods can be used when scanning an image. Assuming that the least significant bit is more or less random is an incorrect assumption since applying a filter that shows the LSBs can produce a recognizable image. Therefore, it can be concluded that LSBs are not random. Rather, they consist of information about the entire image. W henever a secret message is inserted into an image, LSBs are no longer random. With encrypted data that has high entropy, the LSB of the cover will not contain the information about the original and is more or less random. By using statistical analysis on the LSB, the difference between random values and real values can be identified.
Module 05 Page 797
D etecting Audio and Video Steganography

Audio File
S
Urt1fw4
C EH
ilhiul lUtbM
Statistical analysis method can also be used for audio files since the LSB modifications are also used on audio
5 S
The inaudible frequencies can be scanned for information The odd distortions and patterns show the existence of the secret data
Video File
A d m in is tra to r Detection of the secret data in video files includes a com bination of methods used in image and audio files Special code signs and gestures can also be used for detecting secret data
D etectin g Audio a n d Video S teg an o g rap h y

Audio File
In audio steganography, confidential information such as private documents and files are embedded in digital sound. The documents that are hidden can be detected by the following ways: Statistical analysis method can also be used for audio files since the LSB modifications are also used on audio The inaudible frequencies can be scanned for information The odd distortions and patterns show the existence of the secret data
Video File
---In video steganography, confidential information or any kind of files with any extension are hidden in a carrier video file either by using audio steganography or image steganography tools. Therefore, the detection of the secret data in video files includes a combination of methods used in image and audio files. Special code signs and gestures can also be used for detecting secret data.
Module 05 Page 798
S teg an o g rap h y D etectio n Tool: G arg o y le Investigator F o ren sic P ro
EH
S teg an o g rap h y D etectio n Tool: G arg o y le Investigator F o ren sic Pro
Source: http://www.wetstonetech.com Gargoyle Investigator Forensic Pro is a tool that conducts quick searches on a given computer or machines for known contraband and malicious programs. It is possible to find remnants even though the program has been removed because the search is conducted for the individual files associated with a particular program. Its signature set contains over 20 categories, including botnets, Trojans, steganography, encryption, keyloggers, etc. and helps in detecting stego files created by using BlindSide, W eavW av, S-Tools, etc. It has the ability to perform a scan on a stand-alone computer or network resources for known malicious programs, the ability of scan within archive files, etc.
Module 05 Page 799
FIGURE 5.80: Gargoyle Investigator Forensic Pro Screenshot
yj/2lM3 U:U:18AM I j 4/29/2MO U:C4;18AM | j i/29/2000 H.C t;16AM | ] V29/2Q00 11:04:18 AM | |) 9/Uj2CC> 02:33:++AM |
FIGURE 5.80: Gargoyle Investigator Forensic Pro Timeline Result Screenshot
Module 05 Page 800
Steganography D etectio n Tools

((!Wv Xstegsecret
http://stegsecret.sourceforge. net
CEH
StegAlyzerSS
h ttp://w w w .sarc-w v.com
Stego Suite
- h ttp ://w w w . wets tonetech. com
StegMark SDK
h ttp ://w w w . datamark. com. sg
StegAlyzerAS
h ttp ://w w w . sarc-wv. com
Steganography Studio
h ttp ://s tegs tudio. source forge, net
r v
! !
StegAlyzerRTS
h ttp ://w w w . sarc-wv. com
Virtual Steganographic Laboratory (VSL)

h ttp ://v s I. sourceforge, ne t
1 W S Z U M -L M i
Stegdetect
h ttp ://w w w . outguess.org
S teg an o g rap h y D etectio n Tools

Steganography detection tools allow you to detect and recover hidden information in any digital media such as images, audio, and video. The following is a list steganography detection tools: Q 0 Q Q e 0 Q Q Q Xstegsecret available at http://stegsecret.sourceforge.net Stego Suite available at http://www.wetstonetech.com StegAlyzerAS available at http://www.sarc-wv.com StegAlyzerRTS available at http://www.sarc-wv.com StegSpy available at http://www.spy-hunter.com StegAlyzerSS available at http://www.sarc-wv.com StegMark SDK available at http://www.datamark.com.sg Steganography Studio available at http://sourceforge.net Steganographic Laboratory (VSL) available at http://vsl.sourceforge.net Stegdetect available at http://www.outguess.org
Module 05 Page 801
CEH S ystem H ack in g Steps

Once the attacker breaks into the target network or computer successfully, he or she tries to hide himself or herself from being detected or traced out. Thus, the attacker tries to cover all the tracks or logs that are generated during his or her attempts to gain access to the target network or com puter________________________________________________________________ != =
ffej
Hiding Files
Coveri ng Tracks
2*- Penetration Testing
Module 05 Page 802
Why Cover Tracks?

~
S They can attack again
They can cover the tracks to avoid th e ir detection They can install backdoors to gain access in future
SECEVENT.EVT (security): Failed logins, accessing files w ith o u t privileges
SYSEVENT.EVT (system ): Driver failure, things not operating correctly
A PPEV EN T .EV T (applications)
Alterin g event logs
The attacker might not w a n t to d elete the entire log
t-
4 W hy C over T ra c k s?
The complete job of an attacker involves not only compromising the system successfully but also disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his or her tracks. The attacker must clear the evidence of having been there and done the damage." Erasing the intrusion logs, tracking files, and attack processes is very crucial for an attacker as the messages can alert the actual owner of the system to change the security settings to avoid attacks in the future. If this happens, then the attacker will be left with no chances for relogging into the system for launching the attack. Hence, an attacker needs to destroy the evidence of intrusion to maintain the access and evasion. If the attacker covers or deletes their tracks, then he or she can re-login to the system and install backdoors. Thus, the attacker can gain users' sensitive information such as user names and passwords of bank accounts, email IDs, etc. The attacker may not wish to delete an entire log to cover his or her tracks as it may require admin previleges. If the attacker is able to delete only the attack event logs, even then the attacker hides himself or herself from being detected. Q 0 The attacker can manipulate the log files with the help of: SECEVENT.EVT (security): failed logins, accessing files without privileges SYSEVENT.EVT (system): Driver failure, things not operating correctly APPEVENT.EVT (applications)
Module 05 Page 803
Covering Tracks
Once intruders have successfully gained administrator access on a system, they will try to cover the tracks to avoid their detection
CEH
Hacker
Gained administrator
" <
Install backdoors
1* 1
Target User
When all the information of interest has been stripped off from the target, the intruder installs several backdoors so that he or she can gain easy access in the future
C overing T ra c k s
Erasing evidence is a requirement for any attacker who would like to remain obscure. This is one method to evade trace back. This starts with erasing the contaminated logins and possible error messages that may have been generated from the attack process. Next, attention is turned to effect any changes so that future logins are not allowed. By manipulating and tweaking the event logs, the system administrator can be convinced that the output of his or her system is correct, and that no intrusion or compromise has actually taken place. Since the first thing a system administrator does to monitor unusual activity is to check the system log files, it is common for intruders to use a utility to modify the system logs. In some cases, rootkits can disable and discard all existing logs. This happens if the intruders intend to use the system for a longer period of time as a launch base for future intrusions, if they remove only those portions of logs that can reveal their presence with the attack. It is imperative for attackers to make the system look like it did before they gained access and established backdoors for their use. Any files that have been modified need to be changed back to their original attributes. There are tools for covering one's tracks with regard to the NT operating system. Information listed, such as file size and date, is just attribute information contained within the file.
Module 05 Page 804
Protecting against an attacker who is trying to cover his or her tracks by changing file information can become difficult. However, it is possible to detect if an attacker has changed file information by calculating a cryptographic hash on the file. This type of hash is a calculation that is made against the entire file and then encrypted.
Module 05 Page 805
Ways to Clear Online Tracks

J
R e m o v e M o s t R e c e n tly U sed (M R U ), d e le te coo kies, c le a r cach e, tu rn o ff A u to C o m p le te , c le a r T o o lb a rd a ta fro m th e b ro w se rs
C EH
In W indows 7
Click on the Start button, choose Control Panel > Appearance and Personalization -> Taskbar and Start Menu Click the Start Menu tab, and then, under Privacy, clear the Store and display a list of recently opened programs check box
From the Registry in W indows 8

H KC U \Softw are\M icro so ft\ W indow s\C urrentVersion\ Explorer and then rem ove the key for "R ecen t Docs" e Delete all the values except "(D e fa u lt)"
Ac
P 9
f i f e I V 4 V
W ays to C le a r O n lin e T ra c k s
The Internet is the ultimate resource to search or to gather information related to any topic. Unfortunately, Internet resources are misused by attackers to track others' online activities, which allow them to launch an attack or theft. There are several ways to clear online tracks: Private browsing History in the address field Disable stored history Delete private data Clear cookies on exit Clear cache on exit Delete downloads Disable password manager Clear data in password manager Delete saved sessions
Module 05 Page 806
Q Q Q Q
Delete user JavaScript Set up multiple users Remove Most Recently Used (M RU) Clear Toolbar data from the browsers
Turn off AutoComplete
In Windows 7
0 Click the Start button, choose Control Panel > Appearance and Personalization >
Taskbar and Start Menu.

Q Click the Start Menu tab, and then, under Privacy, clear the Store and display a list of
recently opened programs check box. From the Registry in Windows 8

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then remove the key for "Recent Docs" Q Delete all the values except "(Default)"
Module 05 Page 807
Disabling Auditing: Auditpol
CEH
C :\ U serssA d n if 1 is t r a t o r > a u d it p o l / s o t / c a t o j o r y : " s y c t o n " , " a :e n a b le f a i l u r e :e n ab le The comnand was s u c c e s s f u lly e x ecu ted . C :\ U s e rs \ A d n in is t r a t o r > a u d it p o l / g et /category: * S y s te n a u d it p o l ic y C a te g o ry / Su b c a te g o ry S o t t in g S e c u r i t y S y s t e n E x te n s io n IP s e c D1*iue 1 O th er S y s te n Ev en ts S e c u r i t y S t a t e Change ,ogon/Logoff Account Lockout IP s e c Main Mode Su c ce s s and S u ccess F a il Su c ce s s S u ccess S u ccess S u ccess No No No No No No No No No No No No No No No No No No No No No No No No end and and and and F a il F a il F a il F a il F a il
Intruders will disable auditing immediately after gaining administrator privileges At the end of their stay, the intruders will just turn on auditing again using auditpol.exe
Network P o l i c y S e r v e r U s e r / D o vic e C la in o 'b jo c t A ccess F i l e S y s te n R e g is t r y K e r n e l O b ject SAN C e r t i f i c a t i o n S o r v ic e s A p p lic a t io n G en erated H andle M a n ip u la tio n P i l e Sh are F i l t e r i n g P la tf o r m Pa c k e t Drop D e t a ile d F i l e Sh are Rem ovable Sto ra g e C e n t r a l P o l i c y S ta g in g P r i v i l e g e Use Non S e n s it iv e P r i v i l e g e Us O th e r P r i v i l e g e Use E v e n ts S e n s i t i v e P r i v i l e g e Use D e t a ile d T ra ck in g P r o c e s s C r e a tio n P r o c e s s T erm ina tion DPAP1 A c t i v i t y _______________
A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g
No A u d itin g No A u d itin g No A u d itin g No A u d itin g No A u d itin g No A u d itin g ______
http://www.microsoftcom
Copyright by E& C m ci. All Rights Reserved. Reproduction is Strictly Prohibited.
D isa b lin g A uditing: A uditpol

Source: http://www.microsoft.com One of the first steps for an attacker who has command-line capability is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information gathering tools (such as a keystroke logger or network sniffer). Windows auditing records certain events to the Event Log (or associated syslog). The log can be set to send alerts (email, pager, and so on) to the system administrator. Therefore, the attacker will want to know the auditing status of the system he or she is trying to compromise before proceeding with his or her plans. Tool Auditpol.exe is a part of the NT resource kit and can be used as a simple command-line utility to find out the audit status of the target system and also make changes to it. The attacker would need to install the utility in the W IN N T directory. He or she can then establish a null session to the target machine and run the command:
C:\> auditpol \\<ip address of target>
This will reveal the current audit status of the system. He or she can choose to disable the auditing by:
C :\> auditpol \\<ip address of target> /disable
Module
05 Page 808
This will make changes in the various logs that might register his or her actions. He or she can choose to hide the registry keys changed later on. The moment the intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once their work is done, after logout intruders again turn on the auditing by using same tool: audit.exe.
31 Administrator. Command Prompt . 1 Q 1 x I
C :\ U s e r n \ A d n i n i s t r a t o r > a 11d i t p o I set / c t e g o r y : " 8 y s t s n " # " a :e n a b l e f a i l u r e : e n a b l e rbe c o n n a n d w as s u c c e s s f u l l y e x e c u t e d . C :\ U 8 e r s > v A d m i n i s t r a t o r > a u d i t p o l / ,g e t Systen a u d it p o lic y C a t e g o r y /S u b c a t e g o r y S y stem S e c u r it y S y ste n E xten sio n System I n t e g r i t y 1P s e c D r i v e r O t h e r System Events S e c u r i t y S t a t e Change L o g o n /L o g o f f Logon L og o ff Account Lockout I P s e c h a in H o d e I P s e c Q u i c k Mode IP s e c E x t e n d e d Node S p e c i a l Logon O t h e r L o a o n /L o g o f f E v e n ts N etw ork P o l i c y S e r v e r U s e r / D e v ic e C la im s O b je c t A c c e ss r i l e System Reg i s t r v K ern el O b je c t SAN C e r t i f i c a t io n S e r v i c e s A p p lic a tio n G enerated H and le M a n ip u la tio n P ile Share F i l t e r i n g P l a t f o r m P a c k e t Drop 1 1 It e r in g P latfo r m C o n n e ctio n O th e r O b je c t A ccess Events D e t a ile d P ile Share R e m o v a b le S t o r a n e C e n tra l P o lic y S tag in g P r i v i l e g e Use Non S e n s i t i v e P r i v i l e g e U s e O t h e r P r i v i l e g e Use E ven ts S e n s i t i v e P r i v i l e g e Use [t o t a lle d T r a c k i n g Pro cess C re a t io n P ro cess T e rm in a tio n D P A P I A c t iv it v / 'c a t e g o r y : S e t t in g Success Success Success Success Success No No No No No No No No No No No No No No No No No No No No No No No No and and and and and Pai Pal Pai Pai Pai
A u d i t in g Aud it in g Aud i t i n g A u d it in g A u d it in g A u d it in g A u d it in g A u d i t in g A u d i t in g A u d it in g A u d it A u d it A u d it A u d it A u d it A u d it A u d it A u d it A u d it A u d it A u d it A u d it A u d it A u d it in g in g in g in g in g in g in g in g in g in g in g in g in g in g
No A u d i t in g No A u d i t in g No A u d i t in g No A u d i t in g No A u d i t in g No A u d i t in a
Module 05 Page 809
C overing T racks Tool: C C leaner
CEH
Oro 5 0 0 * ^ 00 09 0 1 * Ooo*O**** CocftM
f 'M tfiO n n e Sm er
;M *3 1 Vs
K 1V5 3 124 2*h
JW rrt* C tfefr t*T*0rry ** * * * N E zkter -Wory J Wrr*< Esto* - LocMm t stow Ooamnts f*Sy*>-CatfyRcydftn
C*?
04
t^ n
ttfiim I*****,"*
O Xw
O 0p1 C o Ah
Cotfm
Application Track, " * * * S J i T
Windows Tasks
Copyright by ElrC lin ci. All Rights Reserved. Reproduction is Strictly Prohibited.
r 'f l C o v erin g T ra c k s Tool: C C le a n e r

M l 'l Source: http://www.piriform.com
CCleaner is a system optimization, privacy, and cleaning tool. It allows you to remove unused files and cleans traces of Internet browsing details from the PC. It keeps your privacy online, and makes the system faster and more secure. In addition, it frees up hard disk space for further use. With this tool, you can erase your tracks very easily. It also cleans traces of your online activities such as your Internet history.
Module 05 Page 810
> CCIeaner com

M Care} QuadCM Q9M0 ! ! , 4 x RAM . M DtAGefore* M O OGTX/W O Ccn
ClEAMNtC0*U It (l.*MCS) C.27MB bytes rem oved Detail of M m dewed Internet Ca*e G oogle Chrom e0 Ces Internet r tv v Google Chrome es* C oofces G oogle C hrom e 12 G oogle Ovome Setao* U*B :N*s
IT Sjn ttm 2 Ffapry S y Bn BT e m p o r a r yM e * ffi0k*erd 3 MwwyC^

9 Ofafct. Ne Pregnants Qwrdo^clogNM O Window* Error Reoottrg I]C#6 *ache
OLt+WZ C O fU t (O M ie a ) *30 M Dto be eweved. (Agpro*er1 ate *cel Detail 0/ f*es to be defeted (Note. No Mm h*we beer M m * C
B 0 C B
CS * d? 5 $ 5 * ^
J (.ooqlr f hronir g Internet Catf V Internet rtstcrr
Internet Cad* Ireernet *tttrr C oojes SawedFormInternarrm
^Hina( C itktii rm0y Hoti( Nn 1 1 2 0 * 8 tt dhtem sCw t24 I

Internet El*rer C00h Wrdww t P w t Cccjnertt f*SyXm CrttfyltMyci'dr *?System-7ec>craryHes Opera Internet ntetory O0p*a Coofees #safan-Cootoe* l^Gotx* Chrome-Intern* Cache 0Goo0eOvc*e-Internet Hrtory Goo0e Chrom e Cooiees
3 3
A c c o u t!
9A d v a n c e d
H O H
Start M enu Shortcuts D OeskloShortcuts 04j Fte/etch data ***- Odar Cache Tray hot/caucn5 Cache WMow Sc ,Vocation Cache
E comk
9 Dervtoad tfetory f f Sacaon B S > ed Pom Wonnaoon
nW r* > < rtlto ry
nnSLOflNH C CustomFfci andPolders WlP f *Space
I fc Il *e s I I *8 It 5 752 II T2S*** 1 1 33*8 t OX a OH 2l7525 291 3846k{ z 3*8 <
A p p lic a tio n T r a c k s
FIGURE 5.82: CCIeaner Screenshot
W in d o w s T a s k s
Module 05 Page 811
C o v e rin g T ra c k s Tool: M R U -B laster

MRU-Blaster is an application for W indow s that allows you to clean the most recently used lists stored on your computer
C EH
It allows you to clean out your tem porary Internet files and cookies
The olcwrc terns [at user lequert) have teen sriried in thtf section to alew jcu to penranenlM gnore them n scannrg. Any Item that it checked belo/< vvil fce zcarrv=d Ikv/mcA iin tx * v is ? ) h! tvi r jtvm/e; ecawint
P ;rtame cl 0 1er IvpodURLd> 1 lostcr Result* Window Wrdow'Run. "DialogMRU 7 [ Google Todbar History 7 [ | M icrosoft Olfee Recenl" ldde!(f 7 ! 'ota! Items Detected: 378 W Wndow* U0 1A 1 t MRU4 Microsoft Feoedt MRUs 17 oidPuftctMRU l!*rw//, 7 ( W Ccrcl ftoiontatcna MRU Iterw UnowWal Counl WinXP I oyniil 17 MS Vliual Studo 6 0 MRII Iterrvs 17 ?1
f7 M icro vo ltQ fficoM RU Ite m s W WindowStrea mM RU [7 W ind ow sFhj/Seaich M RUs f7 W in d o vvt "Recent ' _ ? J W Vorouj > 4 1 0Sin g leM RU Ite m : _?J (7 WindowN e t!\ 01kheirs |7 Q utt0P 1 0M RU IKnt W Injldl LocationM HU
r CuslcnHr0Ntfiliw*itrnP01.l llwus _?J
_?J
v Win<tow 'Recent' Folder Ifcm C O / Winctows 'Recent holder Hem 39 v Intorro Explao MRU Item Rooont Download Diroctcry / MS lirecJD Most Recent Applcatior!
/M 9 Cir#cD*vM eet R*c*nt Appletor

/ MS Direcilrput Most Recent Applcatlon Name / MS Cirecilrpul Motl Rer*nl Applralinn ID Micicsclt Management Console Recent Fib Litt Filcl Mierwcft Management Console Rftfienl Fils Lit( F1l*2 v* Mkiwcft Mai ayernci f. Conwlo Recent Fib Lilt FilcO Microsoft Maraaemert Console Recenl Fite List F1le4 v* Windows Explorer RocertDoc* Stream MRU MAIN Winctows EKpoier RecertDocs S ifearn MRU U
f7 W in d ow sO ren V vlihM RU*
_7J
Any ittntf rci on th* let C *11b lo u n do nth * tcnrcu(t
http://www.brightfort.com
C o v erin g T ra c k s Tool: M R U -B laster

Source: http://www.brightfort.com MRU-Blaster is a program that allows you to clean most recently used lists on the system, temporary Internet files, and cookies. M RU list provides you with the complete information about the names, locations of the last files you have accessed, opened, saved, and looked at. It ensures your Internet privacy. MRU-Blaster safely handles cleaning up of "usage tracks" and other remnants that most programs leave behind.
Module 05 Page 812
($|5 MRU-Blaster Results Window

Results: Total Hems Detected: 378 >
S3 Windows 'Recent' Folder Item 38 lxl Windows 'Recent' Folder Item 39 y Internet Explorer M RU Item Recent Download Directory MS Direct3D Most Recent Application y MS DirectDraw Most Recent Application y MS Directlnput Most Recent Application Name < / MS Directl nput Most Recent Application ID 0 Microsoft Management Console R ecent File List Filel 0 Microsoft Management Console R ecent File List - File2 [/] Microsoft Management Console R ecent File List - File3 y ] Microsoft Management Console R ecent File List File4 W in d o w s Explorer RecentDocs Stream M R U - MAIN S3 Windows Explorer RecentDocs Stream M R U -0
M a in M e n u
C le a n N o w
F IG U R E 5.83: M R U -B laster Results W in d o w
P r o g r a m S e tt in g s
Scan Options The following items (at user request) have been added in this section to allow you to permanently ignore them in scanning Any item that is checked below will be scanned
i/r> c/x?cA n rs/7 fo fr x tn x /* ) s i'& v x r w
wN ntor p0 Exp! orr .T.yP. 9 ? ..!W .f?.^ s' w Windows "Run..." Dialog MRU w Google Toolbar History w Microsoft Office "Recent" folder(s) w Windows UserAssist MRUs w Microsoft Regedit MRUs w WordPerfect MRU Items w Corel Presentations MRU Items w UnreadMail Count (WinXP Logon) w MS Visual Studio 6.0 MRU Items
Plugins
f * Microsoft Office MRU Items
R / Windows Stream MRU 1 7Windows Find/Search MRUs
W Windows "Recent" folder(s) \ W Various Extra Single MRU Items \ w Windows Network Items w QuattroPro MRU Items
_?J
R r
w
Install Locations MRU Customize Notifications Past Items Windows OpenWith MRUs
1 [
Any items not on this list can be found on the scan results screen.
MRU-Blaster plug ins provide additional cleaning support tor other items on disk.
G o lo P lu gin s
S a v e S e ttin g s
D e le te S e ttin g s from R e g istry
C lose
F IG U R E 5.84: M R U -B laster Program Settings
Module 05 Page 813
Track Covering Tools

Wipe
h ttp ://p riva cyro o t. com
CEH
EvidenceEraser
h ttp ://w w w . es/idenceeraser. com
Tracks Eraser Pro

J W http://w w w .ace soft.ne t
H
-
WinTools.net Professional
h ttp ://w w w . wintools.net
BleachBit
http://bleachbit.sourceforge. net
RealTime Cookie & Cache Cleaner(RtCB)

h ttp ://w w w . kleins oft. co.za
AbsoluteShield Internet Eraser Pro

r1 T h ttp ://w w w . internet-track-eraser. com
AdvaHist Eraser
h ttp ://w w w . advacrypt. cjb. ne t
Clear My History
h ttp ://w w w . hide -my-ip. com
rp n l
Free Internet Window Washer

h ttp ://w w w . e using, com
T rack C o v erin g Tools

Track covering tools protects your personal information throughout your Internet browsing by cleaning up all the tracks of Internet activities on the computer. They free cache space, delete cookies, clear Internet history shared temporary files, delete logs, and discard junk. A few of these tools are listed as follows 0 W ipe available at http://privacyroot.com
Q Tracks Eraser Pro available at http://www.acesoft.net Q BleachBit available at http://bleachbit.sourceforge.net e 0 AbsoluteShield Internet Eraser Pro available at http://www.internet-track-eraser.com Clear My History available at http://www.hide-my-ip.com
Q EvidenceEraser available at http://www.evidenceeraser.com Q WinTools.net Professional available at http://www.wintools.net Q RealTime Cookie & Cache Cleaner (RtC3) available at http://www.kleinsoft.co.za AdvaHist Eraser available at http://www.advacrypt.cjb.net Q Free Internet W indow Washer available at http://www.eusing.com
Module 05 Page 814
As a pen tester, you should evaluate the security posture of the target network or system. To evaluate the security, you should try to break the security of your system by simulating various attacks on the system, just like an attacker would. There are certain steps that you need to follow to conduct a system penetration test. This section will teach you how to conduct a system hacking penetration test.
151
Hiding Files
Covering Tracks
^ r U
Penetration Testing
Module 05 Page 815
Password Cracking
START
Perform W ire Sniffing M idd le Attack
C EH
Perform Man-in-the-
A
Perform Rule-based Attack
Load the dictionary file into the cracking application that runs against user accounts Run a program that tries every combination of characters until the password is broken Run packet sniffer tools on the LAN to access and record the raw network traffic that may include passwords sent to remote systems Acquires access to the communication channels between victim and server to extract the information
Perform Syllable Attack
Check for password com plexity
Perform Hybrid Attack
a--- ^
Perform Dictionary Attack Perform Bru te forcing
KHi
Attack
|****|
>
P assw o rd C ra c k in g
In an attempt to hack a system, the attacker initially tries to crack the password of the system, if any. Therefore, as a pen tester, you should also try to crack the password of the system. To crack the password, follow these steps: S te p l: Identify password protected systems Identify the target system whose security needs to be evaluated. Once you identify the system, check whether you have access to the password, that means a stored password. If the password is not stored, then try to perform various password cracking attacks one after the other on the target system. Step 2: Perform a dictionary attack Perform a dictionary attack by loading the dictionary file into the cracking application that runs against user accounts. Run the cracking application and observe the results. If the application is allowing you to log in to the system, it means that the dictionary file contains the respective password. If you are not able to log in to the system, then try other password-cracking techniques.
Module 05 Page 816
Step3: Perform wire sniffing

Run packet sniffer tools on the LAN to access and record the raw network traffic that may include passwords sent to remote systems.
Step4: Perform a rule-based attack

Try to obtain the password by performing a rule-based attack.
Step5: Perform a syllable attack

Try to extract the password by performing a syllable attack. This attack is a combination of a brute force attack and a dictionary attack.
Step6: Perform a hybrid attack

Try to perform a hybrid attack. This attack is used to find passwords that are a dictionary word with combinations of characters prepended or post pended to them.
Step7: Perform a brute force attack

You should try every possible combination of characters until a password is found.
Step8: Perform a man-in-the-middle attack

Try to acquire access to the communication channels between victim and server to extract the information.
Module 05 Page 817
(Cont'd)
Perform Replay Attack
Perfo rm Shoulder Surfing
Use a Sniffer to capture packets and authentication tokens. After extracting relevant info, place back the tokens on the network to gain access Record every keystroke that an user types using keyloggers Secretly gather person or organization personal information using spyware With the help of a Trojan, get access to the stored passwords in the Trojaned com puter Inject a compromised hash into a local session and use the hash to validate to network resources Recover password-protected files using the unused processing power of machines across the network to decrypt password
X
Perform Password Guessing Perform Social Engineering
T
Perform Trojan/Spyware/ keyloggers
A
Perform Dum pster Diving
A
Perform Hash Injection Attack Perform PreCom puted Hashes
A
Perform Rainbow Attack Perform Distributed N etw o rk Attack
P assw o rd C ra c k in g (C ontd)
Step 9: Perform a replay attack
Try to intercept the data in the communication and retransmit it.
Step 10: Perform password guessing

Try to guess the possible combinations of passwords and apply them.
S te p ll: Perform TrojansSpyware/keyloggers

Use malicious applications or malware such as Trojan/spyware/keyloggers to steal passwords.
Stepl2: Perform Hash Injection Attack

Inject a compromised hash into a local session and use the hash to validate to network resources.
Step 13: Perform a rainbow attack

Use a rainbow table that stores pre-computed hashes to crack the hashed password.
Step 14: Perform a distributed network attack

Recover password-protected files using the unused processing power of machines across the network to decrypt passwords.
Module 05 Page 818
Ethical Hacking and Countermeasures Copyright by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.
Step 15: Perform pre-computed hashes

Use pre-computed hashes to crack passwords.
Step 16: Perform dumpster diving

Check the trash bin of your target to check whether you find confidential passwords anywhere.
Step 17: Perform social engineering

Use the social engineering technique to gain passwords.
Step 18: Perform shoulder surfing

Check whether you can steal the password by using shoulder surfing.
Module 05 Page 819
Privilege Escalation
C EH
Try to run services as unprivileged accounts
Use privilege escalation tools
Use privilege escalation tools such as Active@ Password Changer, Offline NT Password & Registry Editor, Windows Password Reset Kit, Windows Password Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password Recovery Bootdisk, etc.
P riv ile g e E sc alatio n

Once the attacker gains the system password, he or she then tries to escalate their privileges to the administrator level so that they can install malicious programs or malware on the target system and thus retrieve sensitive information from the system. As a pen tester, you should hack the system as a normal user and then try to escalate your privileges. The following are the steps to perform privilege escalation: S te p l: Try to log in with enumerated user names and cracked passwords Once you crack the password, try to log in with the password obtained in order to gain access to the system. Check whether interactive logon privileges are restricted. If YES, then try to run the services as unprivileged accounts. Step2: Try to run services as unprivileged accounts Before trying to escalate your privileges, try to run services and check whether you have permissions to run services or not. If you can run the services, then use privilege escalation tools to obtain high-level privileges. Step3: Use privilege-escalation tools Use privilege-escalation tools such as Active( Password Changer, Offline NT Password & Registry Editor, Windows Password Reset Kit, Windows Password Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password Recovery Bootdisk, etc. These tools will help you to gain higher level privileges.
Module 05 Page 820
START
Urti*W
CEH
itkM l lUikw
V Check if firewall software and anti-keylogging software are installed Check if the hardware systems are secured in a locked environment ;
Try to use keyloggers
S Try to use Sp yw ares Use tools for rem ote execution S
Use keyloggers such as Spytech SpyAgent, All In One Keylogger, Powered Keylogger, Advanced Keylogger, etc. Use spywares such as SoftActivity TS Monitor, Spy Voice Recorder, WebCam Recorder, Mobile Spy, SPYPhone GOLD, etc.
I...... ..
E x ecu tin g A p plicatio n s

Pen testers should check the target systems by executing some applications in order to find out the loopholes in the system. Here are the steps to check your system when you choose certain applications to be executed to determine loopholes.
Stepl: Check antivirus installation on the target system

Check if antivirus software is installed on the target system and if installed, check that it is upto-date or not.
Step2: Check firewall anti-keylogging software installation on the target system

Check if firewall software and anti-keylogging software is installed or not.
Step3: Check the hardware system

Check if the hardware systems are secured in a locked environment.
Step4: Use keyloggers

Try to install and use keyloggers on the system in order to record keystrokes. Use keyloggers such as Spytech SpyAgent, All In One Keylogger, Powered Keylogger, Advanced Keylogger, etc.
Module 05 Page 821
Step5: Use spyware

Try to install and use spyware on the system in order to monitor the activities on the system. Use spyware such as SoftActivity TS Monitor, Spy Voice Recorder, WebCam Recorder, Mobile Spy, SPYPhone GOLD, etc.
Step6: Use tools for remote execution

Try to install and use tools for remote execution.
Module 05 Page 822
CEH
(g) START-:
0
Perform steganalysis
t
Try to install the rootkit in the target system to maintain hidden access Perform Integrity Based Detection, Signature Based Detection, Cross View Based Detection, and Heuristic Detection techniques to detect rootkits Use anti-rootkits such as Stinger, UnHackMe, Virus Removal Tool, Rootkit Buster, etc. to detect rootkits
technique
Perform Integrity Based D etection technique
Use steganography to hide secret message
P erform Signature Based Detection technique
Use W indows hidden stream (N TFS-A D S ) to inject malicious code
t> Use NTFS Alternate Data Stream (ADS) to inject malicious code on a breached system and execute them without being detected by the user Use NTFS stream detectors such as StreamArmor, ADS spy, Streams, etc. to detect NTFS-ADS stream message within an ordinary message and extract it at the destination to maintain confidentiality of data Use steganography detection tools such as Gargoyle Investigator" Forensic Pro, Xstegsecret, Stego Suite, Stegdetect, etc. to perform steganalysis
Perform Cross V ie w based D etection technique
Check if patches for OS and applications are updated
t) Use steganography technique to hide secret
A
P erform Heuristic D ete ction technique
....>
Check if antivirus and anti-spyware software are updated regularly
H id in g F ile s
An attacker installs rootkits to maintain hidden access to the system. You should follow pen testing steps for detecting hidden files on the target system.
Stepl: Install rootkits

First try to install the rootkit in the target system to maintain hidden access.
Step2: Perform integrity-based Detection techniques

Perform integrity-based detection, signature-based detection, cross-view-based detection, and heuristic detection techniques to detect rootkits.
Step3: Use anti-rootkits programs

Use anti-rootkits such as Stinger, UnHackMe, Virus Removal Tool, Rootkit Buster, etc. to detect rootkits.
Step4: Use NTFS Alternate Data Streams (ADSs)

Use NTFS Alternate Data Streams (ADSs) to inject malicious code on a breached system and execute it without being detected by the user.
Module 05 Page 823
Step5: Use NTFS stream detectors

Use NTFS stream detectors such as StreamArmor, ADS spy, Streams, etc. to detect NTFS-ADS streams.
Step6: Use steganography technique

Use steganography techniques to hide secret messages within an ordinary message and extract it at the destination to maintain confidentiality of data.
Step7: Use steganography detection

Use steganography detection tools such as Gargoyle Investigator Forensic Pro, Xstegsecret, Stego Suite, Stegdetect, etc. to perform steganalysis.
Module 05 Page 824
Covering Tracks
START ^
v
Disable auditing V Tamper log files V
Close all remote connections to the victim machine Remove web activity tracks such as MRU, cookies, cache, temporary files and history
** Disable auditing using tool such as Auditpol Tamper log files such as event log files, server log files and proxy log files by log poisoning or log flooding Use track covering tools such as CCIeaner, MRU-Blaster, Wipe, Tracks Eraser Pro, Clear My History, etc.
Close any opened port
C overing T ra c k s
The pen tester should whether he or she can cover the tracks that he or she has made during simulating the attack to conduct penetration testing. To check whether you can cover tracks of your activity, follow these steps: S te p l: Remove web activity tracks First, remove the web activity tracks such as such as MRU, cookies, cache, temporary files, and history. Step2: Disable auditing Try to disable auditing on your target system. You can do this by using tools such as Auditpol. Step3: Tamper with log files Try to tamper with log files such as event log files, server log files, and proxy log files with log poisoning or log flooding. Step4: Use track covering tools Use track covering tools such as CCIeaner, MRU-Blaster, Wipe, Tracks Eraser Pro, Clear My History, etc. Step5: Try to close all remote connections to the victim machine Step6: Try to close any opened ports
Module 05 Page 825
Module Summary
(itifwd
C EH
IthKJl lUck*
Attackers use a varietyof meansto penetrate systems Password guessing and cracking is one of the first steps Password sniffing is a preferred eavesdroppingtactic
Vulnerability scanningaidsthe attackerin identifyingwhich password cracking technique to use Key stroke logging and other spyware tools are used as they gain entry to systems to keep up the attacks Invariably, attackers destroy evidence of "having been there and donethe damage"
Stealingfilesas well as hidingfilesarethe meansto sneak out sensitive information
*
p v
M odule S u m m ary
Attackers use a variety of means to penetrate systems. Password guessing and cracking is one of the first steps. Password sniffing is a preferred eavesdropping tactic. Vulnerability scanning aids the technique to use. Keystroke logging and other spyware tools are used to gain entry to systems to keep up attacks. Invariably, attackers destroy evidence of "having been there and done the damage." Stealing files as well as hiding files are the means to sneak out sensitive information. attacker in identifying which password cracking
Module 05 Page 826

CEHv8 Module 05 System Hacking PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv8 Module 05 System Hacking PDF

Uploaded by

Copyright:

Available Formats

System Hacking

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Ethical Hacking and Countermeasures v8

Module 05 Page 518

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

September 26th, 2012

IE E E H a ck C o n firm ed , 100k Plain T e x t P assw o rd s V ulnerable

Module 05 Page 519

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Copyright 2010-2013 KitGuru Lim ited

Author: Jon Martindale

Module 05 Page 520

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Copyright by EC-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 05 Page 521

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Inform ation at Hand Before System H acking Stage

Copyright by EG-Cowid. All Rights Reserved Reproduction is Strictly Prohibited.

Inform ation at Hand Before System H acking Stage

Module 05 Page 522

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Enum eration M odule

Module 05 Page 523

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

System Hacking: Goals

To hide malicious files

To hide the presence of compromise

Copyright by E&Cauactl. All Rights Reserved. Reproduction isStrictly Prohibited.

System Hacking: Goals

Module 05 Page 524

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

To hide malicious files

To hide the presence of compromise

FIGURE 5.1: Goals for System Hacking

Module 05 Page 525

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH H acking M ethodology (CHM)

Module 05 Page 526

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

FIGURE 5.2: CEH Hacking Methodology (CHM)

Module 05 Page 527

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

CEH System H acking Steps

Module 05 Page 528

Ethical Hacking and Countermeasures System Hacking

Exam 312-50 Certified Ethical Hacker

Passw ord C racking

Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 05 Page 529