You are on page 1of 117

CEH Lab M anual

S y s te m

H a c k in g
M o d u le 0 5

M odule 05 - System H acking

S y s t e m H a c k in g
S y ste m h a c k in g is th e science o f testin g com p uters a n d n e tw o rk f o r v u ln era b ilities a n d p lu g -in s.

La b S cen ario
{ — I Valuable

intormntion____ Test your knowledge_____ a* Web exercise £Q! Workbook review

Password hacking 1s one of the easiest and most common ways hackers obtain unauthorized computer 01‫ ־‬network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect tins. Therefore, passwords are one of the weakest links 111 die uiformation-secunty chain. Passwords rely 011 secrecy. After a password is compromised, its original owner isn’t the only person who can access the system with it. Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities 01‫ ־‬network analyzers. Tins chapter demonstrates just how easily hackers can gather password information from your network and descnbes password vulnerabilities diat exit 111 computer networks and countermeasures to help prevent these vulnerabilities from being exploited 011 your systems.

La b O b jectives
The objective of tins lab is to help students learn to m o n ito r a system rem o tely and to extract hidden tiles and other tasks that include: ■ Extracting administrative passwords ■ HicUng files and extracting hidden files ■ Recovering passwords ■ Monitoring a system remotely
[‫ “׳‬Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

La b Environm ent
To earn‫־‬out die lab you need: ■ A computer mnning Windows Server 2012 ■ A web browser with an Internet connection ■ Administrative pnvileges to run tools

La b Duration
Tune: 100 Minutes

C E H Lab Manual Page

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

O verview of System H acking
The goal of system hacking is to gain access, escalate privileges, execute applications, and hide files.

^ task 1
Overview

La b T a s k s
Recommended labs to assist you 111 system hacking: ■ Extracting Administrator Passwords Using LCP ■ Hiding Files Using NTFS
■ ■ S tream s Spy Files Tool

■ Find Hidden Files Using ADS

Hiding Files Using the S te a lth

Extracting SAM Hashes Using PW dump7 Tool

■ Creating die Rainbow Tables Using W inrtge ■ Password Cracking Using R ain bo w C rack
■ ■

Extracting Administrator Passwords Using LOphtCrack Password Cracking Using O p h crack

■ System Monitoring Using R em o teE xec ■ Hiding Data Using Snow Steganography ■ Viewing, Enabling and Clearing the Audit Policies Using Auditpol

Password Recovery Using CHNTPW .ISO
Spy Agent

■ User System Monitoring and Surveillance Needs Using S pytech
■ ■

Web Activity Monitoring and Recording using P ow er Spy 2 0 1 3 Image Steganography Using Q uickStego

La b A n a ly sis
Analyze and document the results related to the lab exercise. Give your opinion on the target’s security posture and exposure.

P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D TO T H I S L AB .

C E H Lab Manual Page 309

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

E x t r a c t in g A d m in is tr a to r P a s s w o r d s U s in g L C P
L i n k C o n tro l P ro to co l (L C P ) is p a r t o f th e P o in t-to -P o in t (P P P ) p ro to c o l I n P P P co m m un ication s, b o th th e sen d in g a n d receiving devices se n d o u t L C P p a c k e ts to d eterm in e specific in fo rm a tio n re q u ire d fo r d a ta tra n sm issio n .

La b S cen ario
l£^7 Valuable information
S

Test your knowledge_____

*a Web exercise £Q Workbook review

Hackers can break weak password storage mechanisms by using cracking methods that outline 111 this chapter. Many vendors and developers believe that passwords are safe from hackers if they don’t publish the source code for their encryption algorithms. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge. Password-cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power. 111 order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords.

La b O b jectives
The objective of tins lab is to help students learn how to crack administrator passwords for ethical purposes.
111

this lab you will learn how to: ■ Use an LCP tool ■ Crack administrator passwords

^^Tools
dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

La b Environm ent
To carry out the lab you need:
‫י‬

LCP located at

D:\CEH-Tools\CEHv8 M odule 05 System H acking\P assw ord C racking Tools\LCP

■ You can also download the latest version of LCP from the link http: /www.lcpsoft.com/engl1sh/index.11 tm
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 310

M odule 05 - System H acking

■ If you decide to download the la te s t 111 the kb might differ ■ Run this tool 111 W indow s
■ TCP/IP

version,

then screenshots shown

■ Follow the wizard driven installation instnictions
S erver 2 0 1 2

■ Administrative privileges to run tools settings correctly configured and an accessible DNS server

La b Duration
Time: 10 Minutes

O verview of L C P
LCP program mainly audits user account passwords and recovers diem 111 Windows 2008 and 2003. General features of dns protocol are password recovery, brute force session distribution, account information importing, and hashing. It can be used to test password security, or to recover lost passwords. The program can import from die local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Sniff file. LCP supports dictionary attack, bmte force attack, as well as a hybrid of dictionary and bmte force attacks.

La b T a s k s
9 TASK 1

1. Launch the S ta rt menu by hovering the mouse cursor 011 the lower-left corner of the desktop.

Cracking Adm inistrator Password

S | W in d o w s Se rver 2012

FIGURE 1 .1 :W indow sS erver 2012— Desktopview

2. Click the LCP app to launch LCP.

m You can also download LCP from http:/ / www.lcpsoft.com .

C E H Lab Manual Page 311

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Start

A d m in is tr a to r

Server Manager

Windows PowerShell

Google Chrome

Hyper-V Manager

LCP

T
Computer Control Panel

*9
Hyper-V Virtual Machine...

m
SQL Server Installation Center...

tet

y

?

Inwc* n$ ie»T *

£

Command Prompt

Mozilla Firefox

Global Network Inventory

© a
Ku Nmap Zenmap GUI

I I
Workspace Studio

Dnktop

O

3

FIGURE 1 .2: W indow sS erver 2012— A pps

3. The LCP main window appears.
£ 7 LCP supports additional encryption of accounts by SYSKEY at import from registry and export from SAM file.

LCP
File View Import Session Help

TZI

a c #
1 ‫ ־‬Dictionary attack Dictionary word: User Name LM Password r 0

► ■ 6
Hybrid attack r

?‫ ״ * * ■ ו‬a
Brute force attack 0.0000 I <8 >14 % done LM Hash NT Hash

/0
NT Password

Ready for passwords recovering

0 of 0 passwords were found (0.000%)

FIGURE 1.3: LCP m ain window

4. From die menu bar, select Im po rt and then Im port from
com puter.

rem ote

C E H Lab Manual Page 312

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

LCP
| File fh . 1 View | Import | Session A Help 9 e Im port From Local Computer... Im port From Remote Computer... Im port From SA M File... Dictionary wc User Name Im port From .LC File... Im port From .LCS File... Im port From PwD um p File... Import From Sniff File... D X done LM Hash NT Hash

CQ l CP is logically a transport layer protocol according to the OSI model

Ready for passwords recovering

0 of 0 passwords were found (0.000%)

FIGURE 1.4: Import die rem ote com puter

5. Select C om puter nam e or IP from registry, and click OK.
File View In
Com puter

address,

select the Im po rt

typ e

as Im po rt

Import from remote computer
OK Com p utet n a m e ot I P ad dress: W IN - 0 3 9 M R 5 H L 9 E 4 r D ictio n ary at!

C ancel

D ictio n ary word: Im port type Use r N am e (• ) Im port from registry O Im port from m em ory I I E n c r y p t transferred d a ta

H e lp

CQlcp ch ecksdieidentity of thelinkedd eviceandeidier accep tsor rejectsthepeer device, thend eterm ines die accep tab lepacket sizefor tran sm issio n .

Connection
E x e c u t e c o n n e c tio n S h a r e d reso u rce: h p c $ U s e r nam e: Pa s s w o rd : I Adm inistrator

0

H id e p a ss w o rd

Ready for passw!

FIGURE 1.5: Import from rem ote com puter window

6. The output window appears.

C E H Lab Manual Page 313

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

LCP ‫[ ־‬C:\Program Files (x86)\LCP\pwd80013.txt]
File View Import Session Help

_

x

a e + l ► 0 !?> ‫י יי‬
r D ic tio n a ry a tta c k r H ybrid a t t a c k r D ic tio n a ry w ord:

1 • ‫© ״* ®״׳‬
X done
LM H ash NO P A S S W O R D NO P A S S W O R D X X X X X NO P A S S W O R D NO P A S S W O R D NO P A S S W O R D NO P A S S W O R D NO P A S S W O R D N T H ash B E 4 0 C 4 5 Q A B 9 9 7 1 3 D F .J NO P A S S W O R D C 2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F .J 5 E B E 7 D F A 0 7 4 D A 8 E E .. 4 8 8 C D C D D 2 22 53 1 27 9. 2D 2 0D 2 5 2 A 4 7 9 F 4 8 5 C .. 0 C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 ...

B ru te fo rc e a t t a c k

r L M P a s s w o rd NO P A S SW O . NO P A S SW O . . NO P A S SW O . NO P A S SW O . NO P A S SW O . NO P A S SW O . NO P A S SW O .

1

10

0 .0 0 0 0

U ser Nam e ^ A d m in is t r a t o r G uest

N T P a s s w o rd

< 8
X

>14 X

NO P A S S W O ...

;U -C
S S

L A N G U A R D .. . M artin Ju g g y b o y Ja s o n

- C S h ie la

S Main purpose of LCP programisuser account passw ords auditingand recovery in W indows

Ready for passwords recovering

1 of 7 passwords were found (14.286%)

FIGURE 1.6: Importing the User Nam es

7. Now select any U ser

N am e

and click the L1L4 Play button.
‫־‬ ra :

8. Tins action generates passwords.
LCP - [C:\Program Files (x86)\LCP\pwd80013.txt.lcp]
File View Import Session Help

0 0 4
‫ ״מ‬D ic tio n a ry a t t a c k r

H

8 ‫ ״׳‬l 1 1 1 1^ ‫־‬ « M * o
‫"י‬ B ru te fo rc e a t t a c k 142857

e
*done

H ybrid a t t a c k

D ic tio n a ry w ord: Adm inistrate

1

/ |7

S tartin g com bin ation : A D M I N I S T R A T O R A

E n din g com bin ation : A D M IN IS T R A T 0 R Z Z

User N am e £ Adm inistrator

LM P a s s w o rd N O P A S S W O ... N O P A S S W O ... N O P A S S W O ... NO NO NO NO

N T P a s s w o rd

<8

>14 x

LM H ash NO P A S S W O R D NO P A S S W O R D

N T H ash B E 4 0 C 4 5 Q A B 9 9 7 1 3 D F .. NO P A S S W O R D C 2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F .. 5 EBE7D FA 074D A 8EE 4 8 8 C D C D D 222 53 1 27 9.. 2 D 2 0D 2 5 2 A 4 7 9 F 4 8 5 C O C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 ...

® G u e st ! B lA N G U A R . . . ^ M a r tin Ju g g y b o y ^ 3 Ja s o n ® S h ie la

NO P A S S W O ...

x x

NO P A S S W O R D NO P A S S W O R D NO P A S S W O R D NO P A S S W O R D NO P A S S W O R D

P A S S W O . . . a p p le P A S S W O . . . g re e n P A S S W O . . . q w e rty P A S S W O . . . test

Passwords recovering interrupted

5 of 7 passwords were found (71.429%)

I

FIGURE 1 .7 : LCPg en eratesthepassw ordfor the s e le c te dusern am e

La b A n a ly sis
Document all die IP addresses and passwords extracted for respective IP addresses. Use tins tool only for trainmg purposes.

C E H Lab Manual Page 314

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D TO T H I S L A B .

T o o l/U tility

In fo rm atio n C o lle cted /O b jec tiv es A chieved R em ote C o m p u ter N a m e : O u tp u t:

WIN-D39MR5HL9E4

LC P

User Name ■ Martin ■ Juggyboy ■ Jason ■ Sluela

-

NT Password apple green qwerty test

Q uestio ns
1. \Y11at is the main purpose of LCP? 2. How do von continue recovering passwords with LCP?
In te rn e t C o n n ectio n R eq u ired □ Yes P latform S upported 0 C lassroom 0

No

0 !Labs

C E H Lab Manual Page 315

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

H id in g F ile s U s in g N T F S S t r e a m s
A . stre a m co n sists o f d a ta a sso cia ted rvith a m a in fi le o r d irecto ry ( k n o ir n a s th e m a in n n n a m e d strea m ). E a c h f i e a n d d irecto ry in N T F S can h a ve m u ltip le d a ta stre a m s th a t a re g en era lly h id d en fr o m th e user.

La b S cen ario
/ Valuable information ' Test your knowledge SB Web exercise
m Workbook review

Once the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system that make it easy for the attacker to compromise each system in a short amount of time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and password information. Attackers continue to leverage information 011 each system until they identity passwords for accounts that reside 011 highly prized systems including payroll, root domain controllers, and web servers. 111 order to be an expert ethical hacker and penetration tester, you must understand how to hide files using NTFS streams.

La b O b jectives
The objective of tins lab is to help students learn how to hide files using NTFS streams.
& T o o ls
dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

It will teach you how to: ■ Use NTFS streams ■ Hide tiles

La b Environm ent
To carry out the lab you need: ■ A computer running W indow s ■ Formatted C:\ drive NTFS
S erver 2 0 0 8

as virtual machine

C E H Lab Manual Page

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

La b Duration
Tune: 15 Minutes

O verview of N T FS S tre a m s
NTFS (New Technology File System ) is die standard file systemof W indows.

m

NTFS supersedes die FAT file system as the preferred file system tor Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as unproved support tor m etadata and die use of advanced data structures.

La b T a s k s
Sd.

TASK

1

1. Run this lab 111 Windows Server 2008 virmal machine 2. Make sure the C:\ drive is formatted for NTFS. 3. Create a folder called m agic on the C:\ drive and copy c a lc .e x e from C :\w indow s\system 32 to C:\m agic. 4. Open a command prompt and go to C :\m agic and type notepad re a d m e .tx t 111 command prompt and press Enter.
re a d m e .tx t 111 Notepad appears. (Click Y es button it prompted to create a new re a d m e .tx t file.) 6. Type H ello World! and Save the tile.

NTFS Stream s

5.

£ 3 NTFS streamruns on W indows Server 2008

7. Note the tile s ize of the re a d m e .tx t by typing d ir 111 the command prompt. 8. Now hide c a lc .e x e inside the re a d m e .tx t by typing the following 111 the command prompt:
typ e c :\m a g ic \c a lc .e x e > c :\m a g ic \re a d m e .tx t 1c a lc .e x e

C E H Lab Manual Page 317

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

(cT Administrator C o m m a n d Prompt C : N n a g i c > n o t e p a d rea d n e . t x t C:Snagic>dir Uolune in driue C has no label. U olume S e r i a l N u m b e r is 3 4 C 9 - D 7 8 F D i r e c t o r y of C : \nagic 09/12/2012 09/12/2012 01/1 9 / 2 0 0 8 09/1 2 / 2 0 1 2 05:39 AM <DIR> 05:39 AM <D I R > 06:51 AM 1 8 8 . 4 1 6 cal c . e x e 05 : 4 0 AM 12 read n e . t x t 188 , 4 2 8 bytes 2 File<s> 2 Dir<s> 4 , 3 7 7 . 6 7 7 , 8 2 4 bytes free > c : \ n a g i c \ r e a d n e .txt:calc.exe

-lo|x|

EQ a streamc o n s is tsofdata asso ciatedwith am ainfileor directory(know na sthe m ain unnam edstream ).

C : \ m a g i c >type c : \ n a g i c \ c a l c . e x e C:\magic>

FIGURE 2.2: Com m andprom ptwithhidingcalc.e x ecom m and

Type d ir 111 command prompt and note the tile size of re a d m e .tx t.
[ c T TAdministrator C o m m a n d Prompt D i r e c t o r y of C:\ m a g i c 09/12/2012 09/12/2012 01/19/2008 09/12/2012 05:39 AM <D I R > 05:39 AM <D I R > 06:51 AM 18 8 , 4 1 6 cal c . e x e 12 read n e . t x t 0 5 : 4 0 AM 1 88,428 bytes 2 F ile<s> 4 , 3 7 7 , 6 7 7 , 8 2 4 bytes free 2 Dir<s> > c : \ m a g i c \ r e a d m e .txt:calc.exe

C : \ n a g i c >type c : \ n a g i c \ c a l c . e x e

C : \ m a g i c >dir Uolune in driue C has no label. Uolune S e r i a l N u n b e r is 3 4 C 9 - D 7 8 F D i r e c t o r y of C:\ n a g i c 09/12/2012 09/1 2 / 2 0 1 2 01/19/2008 09/12/2012 05:39 A M < 05:39 A M < 18 8 , 4 1 6 cal c . e x e 06:51 AM 0 5 : 4 4 AM 12 read n e . t x t 1 88,428 bytes 2 F ile<s> 4 , 3 7 7 , 4 1 5 , 6 8 0 bytes free 2 Dir<s>

t._ NTFS supersedes the FAT file systema s the preferred file systemfor Microsoft’sW indows operating system s.

LJ
FIGURE 23: Com m andprom ptwith execu tin ghiddenc a lc.execom m and

10. The file size of the readme.txt should not change. Now navigate to the directory c:\m agic and d e le te c a lc .e x e . 11. Return to the command prompt and type command:
m klin k b ackd o o r.exe re a d m e .tx t:c a lc .e x e

and press E nter

C E H Lab Manual Page 318

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

V . A d m in istra to r Com m and Prom pt

- I□ ! X

09/12/2012 01 / 1 9 / 2 0 0 8 09 / 1 2 / 2 0 1 2

05:39 A M <D I R > 06:51 A M 18 8 , 4 1 6 cal c . e x e 0 5 : 4 0 AM 12 r e a d m e . t x t 2 Fil e < s > 188 , 4 2 8 bytes 2 Dir<s> 4 , 3 7 7 , 6 7 7 , 8 2 4 bytes free > c : \ m a g i c \ r e a d m e .txt:calc.exe

C:\magic>type c:\magic\calc.exe

C : \ m a g ic>dir Uolume in driue C has no label. Uolume S e r i a l N u m b e r is 3 4 C 9 - D 7 8 F D i r e c t o r y of C : \magic 09 / 1 2 / 2 0 1 2 09 / 1 2 / 2 0 1 2 01 / 1 9 / 2 0 0 8 09 / 1 2 / 2 0 1 2 05:39 A M <D I R > 05:39 A M <D I R > 06:51 A M 18 8 . 4 1 6 cal c . e x e 05:44 AM 12 r e a dme.txt 2 Fil e < s > 1 88,428 bytes 2 Dir<s> 4 , 3 7 7 , 4 1 5 , 6 8 0 bytes free

ffilA streamisaliiddenfile that islinkedtoanorm al (visib le) file.

C : \ m a g i c > m klink b a c k d o o r . e x e r e a d m e . t x t: c a l c . e x e sym b o l i c link c r e a t e d t o r b a c k d o o r . e x e === >•> readme .txt :calc ■exe C:\magic>

FIGURE 2.4: Com m andprom pt linkingdie executedhiddenc a lc .e x e

12. Type backdoor, press E nter, and the the calculator program will be
e xecu ted .

ss

m im stra to r Com m and Pro m p t

12 rea d m e . t x t 188,42 18 8 . 4 2 8 bytes 4,377,677.8: > c:S

09/12/2012

0 5 : 4 0 AM 2 F ile<s> 2 D ir<s>

C:\magic>type c:\magic\calc.exe

1
|

C:\magic>dir U olume in drive C has no label. Uo l u m e S e r i a l N u m b e r is 3 4 C 9 - D 7 8 F D i r e c t o r y of C : \ magic 09/12/2012 09/12/2012 01/19/2008 09/12/2012 <DIR> 05:39 AM <DIR> 05:39 AM 188,41 06:51 AM 0 5 : 4 4 AM 1 188,4 2 File<s> 4,37 7 , 4 1 5 , 6 2 Dir<s>

r

Backspace

CE

1 I.‫ע‬ L‫ע‬ I.‫ע‬

‫־‬
sqrt

1
|

_ !‫_ ע _ו‬
MR |

l l l

_

l

I_

jd

MS

|

C : \ m a g i c > m k l i n k b a c k d o o r . e x e readme.t) s y m b o l i c link c r e a t e d f o r backdoor.ext C : \ m a g i c )ba c k d o o r C:\macric>

_ u _ _
l

1

/x

|

I

_ l.‫ע‬

y
FIGURE 2.5: Com m and prompt with executed hidden calc.exe

Lab A n a ly sis
Document all die results discovered during die lab.

P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D TO T H I S L AB .

C E H Lab Manual Page 319

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Tool/Utility NTFS Streams

Information Collected/Objectives Achieved Output: Calculator (calc.exe) file executed

Q uestio ns
1. Evaluate alternative methods to hide the other exe files (like calc.exe). Internet Connection Required

□Y es
Platform Stipported

0

No

0

Classroom

0 !Labs

C E H Lab Manual Page 320

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

3

F in d H id d e n F ile s U s in g A D S S p y
A d s S p y is a to o l u se d to list, view, o r delete A lte r n a te D n tn S tr e a m s ( A D S ) on W in d o w s S e r v e r 2 0 0 8 w ith N T F S file s y s te m .

I C ON

KEY

La b S cen ario
Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. Tins chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exit in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. 111 order to be an expert ethical hacker and penetration tester, you must understand how to find hidden files using ADS Spy.

/ Valuable information
S

Test your knowledge

‫־‬ = ‫ ־‬Web exercise ffi! Workbook review

La b O b jectives
The objective of tins lab is to help students learn how to list, view, or delete A lte rn a te D ata S tream s and how to use them. It will teach you how to: ■ Use ADS Spy ■ Find hidden tiles
t£~Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

La b Environm ent
To cany out the lab you need:
‫י‬

ADS Spy located at D:\CEH-Tools\CEHv8

M odule 05 System H acking\N TFS S tre a m D e te c to r Tools\ADS Spy Spy

■ You can also download the latest version of ADS http: / / www.mer1jn.11u/programs.php#adsspv ■ It you decide to download the la te s t 111 the lab might differ ■ Run tins tool 111 W indow s
version,

from the link

then screenshots shown

S erver 2 0 1 2

C E H Lab Manual Page 321

Ethical Hacking and Countermeasures Copyright © by EC-Coundl All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

La b Duration
Tune: 10 Minutes

O verview of A D S Sp y
‫ן‬1 ‫ ^ ןחר‬jj-,5 (^ternate ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) 011 belongs to.
Data Stream ) is a technique Windows Server 2008 widi NTFS file systems. ADS Spy is a method of stonng used to store m eta-info on meta-inform ation of files, without actually stonng die information inside die file it files.

La b T a s k s
m.

TASK

1

1.

Navigate to the CEH-Tools director}‫ ־‬D:\CEH-Tools\CEHv8
System H acking\N TFS S tream D e te c to r Tools\ADS Spy Spy.

M od

A lternative Data Stream s

2. Double-click and launch ADS

ADS Spy v1.11 -Written by Merijn
A lte rn a te D a t a S tre a m s ( A D S ) a re p ie c e s of in fo h id d e n a s m etad ata o n files o n N T F S drives. T h e y a re not visib le in Explorer a n d th e size th ey ta k e up is not rep orted by W in d o w s . R e c e n t brow ser h ijack e rs started u sing A D S to h id e their files, a n d ve ry fe w anti-m alw are s c a n n e r s d e te c t this. U s e A D S S p y to find a n d rem o v e th e s e stream s. N o te : this a p p c a n als o display legitim ate A D S stream s. D o n 't d e le te stream s if y o u a re not com ple tely sure th ey a re m alicious! [v ^

(• C C |7 [‫־ ־‬

Q u ic k s c a n (W in d o w s b a s e folder only) Full s c a n (all N T F S drives) S c a n only this folder: Ig n o re s a fe system in fo d a ta stream s fe n c ry p ta b le ', ,Su m m aryln form ation '. e tc ) C a lc u la te M D 5 c h e c k s u m s of stream s' c o n ten ts S c a n th e system for alte rnate d a ta stream s R e m o v e s e le c te d stream s

J

KlADS Spyis a sm all tool to list, view, or delete Alternate Data Streams (ADS) onWindows 2 0 1 2 with NTFS file system s.

[R e a d y -

FIGURE 3.1 W elcom e screen of ADS Spy

3. Start an ap prop riate 4. Click Scan

scan

that you need.

th e system fo r a lte rn a te d a ta stream s.

C E H Lab Manual Page 322

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

ADS Spy v1.1 1 -Written by Merijn
A lte rn a te D a t a S tre a m s ( A D S ) a re p ie c e s of info h id d e n a s m e ta d a ta o n files o n N T F S drives. T h e y a re not visib le in Exp lorer a n d th e size th ey ta k e u p is not rep orted by W in d o w s . R e c e n t brow ser h ijac k e rs started using A D S to h id e their files, a n d ve ry fe w anti-m alware s c a n n e r s d e te c t this. U s e A D S S p y to find a n d rem o ve th e s e stream s. N o te : this a p p c a n als o display legitim ate A D S stream s. D o n 't d e le te stream s if y o u a re not com p le tely sure they a re m alicious! v /*.

C | (»

Q u ic k s c a n (W in d o w s b a s e folder only) Full s c a n (all N T F S d r iv e s )| S c a n only this foldet: Ig n o te s a fe system info d a ta stream s fe n c ry p ta b le ', 'Su m m aryln form ation ', e tc )| C a lc u la te M D 5 c h e c k s u m s of stream s' c o n ten ts | R e m o v e s e le c te d stream s

£ ‫ ־‬ADS are a w ay of storing metainformation regarding files, w ithout actually storing the information in the file it belongs to, carried over from early MacOS com patibility

C 11 ? r

A

j S c a n th e system for aite rnate d a ta stream s

C:\magic\readme txt: calc, exe (1051648 bytes)
C :\U s e rs \ A d m in is tra to r\ D o c u m e n ts : {7 2 6 B 6 F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (12 b yte s) □ C A U s e rs \ A d m in is tra to r\ F a v o rite s \ L in k s \ S u g g e s te d S it e s .u r l: fa v ic o n (894 b yte s) C:\U sers\A d m in istra to r\M y D o c u m e n t s : {7 2 6 B 6 F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (12 bytes) C A W in d o w s .o ld .0 0 0 \ D o c u m e n ts a n d Se ttin g s \ A d m in is tra to r\ F a v o rite s \ L in k s \ Su g g e s te d S it e s .u r l: fa v ic o n (8 ! □ C :\ W in d o w s .o ld .0 0 0 \ U s e rs \ A d m in is tra to r\ F a vo rite s \ L in k s \ S u g g e 5 te d S it e s .u r l: fa v ic o n (894 bytes)

| S c a n c o m p le te, fo un d G alte rn ate d a ta stream s (A D S 's ).

FIGURE 3.2 ADS S py windowwith Full Scan selected

5. Find the ADS data streams.

hidden info file

while }*on scan the system for alternative
s e le c te d stream s.

6. To remove the Alternate Data Stream, click Rem ove
ADS Spy v1.11 -Written by Merijn

A lte rn a te D a t a S tre a m s ( A D S ) a te p ie c e s of info h id d e n a s m e ta d a ta o n files on N T F S drives. T h e y a re not visib le in Exp lorer a n d th e size th ey ta k e u p is not rep otted b y W in d o w s . R e c e n t brow ser h ijack e rs started using A D S to h ide theit files, a n d ve ry fe w anti-m alw are s c a n n e r s d e te c t this. U s e A D S S p y to find a n d rem o v e th e s e stream s. N o te : this a p p c a n also disp lay legitim ate A D S stream s. D o n 't d e le te stream s if y o u a re not com p le tely sure th ey a te m alicious!

C (* C

Q u ic k s c a n ( W in d o w s b a s e foldet only) Full s c a n (all N T F S d rives) S c a n only this folder:

J

1✓ Ig n o te s a fe system info d a ta stream s ('e n cry p ta b le ', ‘Sum m aryln form ation ', e tc )

& Com patible with: Windows Server 2012, 20008

r

C a lc u la te M D 5 c h e c k s u m s of stream s' co n ten ts S c a n th e system for alte rn ate d a ta stream s R e m o v e s e le c te d stream s

□ □ □

C :\ m a g ic \ te a d m e .tx t: c a lc , e x e (1 05 1 G 48 b yte s) C \ U s e 1s\Adm in istrato r\D ocu m en ts : {7 2 6 B 6 F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (1 2 bytes) C .A U s e ts 'A d m 1 n 1s tra to r\F avo r 1te s \ L in k s \ S u g g e s te d S it e s .u r l: fa v ic o n (8 94 b y te s)

*‫ ׳׳‬C :\U sets\A d m in istrato r\M y D o c u m e n t s : {7 2 6 B G F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (12 b yte s)

/Windows.old.000\Documents and SeKings^drnini$tfat0f\Fav0rites\Links\Suggested Sites.url: favicon (8
C :\ W in d o w s .o ld O O O \ U se rs\ A d m in is tra to r\ F a vo rite s \ Lin k s\ S u g g e ste d S it e s .u r l: fa v ic o n (894 b yte s)

| S c a n c o m p le te, fo un d S alte rnate d a ta stream s (A D S 's ).

FIGURE 3.3: Find die hidden streamfile

C E H Lab Manual Page 323

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

L a b A n a ly s is

Document all die results and reports gathered during die lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility

Information Collected/Objectives Achieved Scan Option: Full Scan (all NTFS drives) Output: ■ Hidden files with its location ■ Hidden files size

ADS Spy

Q u e s t io n s

1. Analyze how ADS Spy detects NTFS streams. Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 324

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

H id in g F ile s U s in g t h e S t e a l t h F ile s Tool
S te a lth F i/e s u se a p ro cess c a lled steganography to h id e a n y file s in sid e o f a n o th e r f i e . I t is a n a lte rn a tiv e to en cryp tio n o f file s .

■ co n
/V aluable

k ey

‫ ־־‬L a b S c e n a r io

The Windows NT NTFS hie system has a feature that is not well documented and is unknown to many NT developers and most users. A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size and Test your know ledge there can be more than one stream linked to a normal tile. Streams can have any name that complies with NTFS naming conventions. 1 1 1 order to be an expert sA W eb exercise ethical hacker and penetration tester, you must understand how to hide files m W orkbookreview using the Stealth Files tool. 1 1 1 this lab, discuss how to find hidden files inside of other files using the Stealth Files Tool. inform ation___
L a b O b je c t iv e s

The objective of tins lab is to teach students how to hide files using the Stealth Files tool. It will teach you how to: ■ Use the Stealth Files Tool ■ Hide files — Tools L a b E n v ir o n m e n t demonstrated in To carry out tins lab you need: this lab are available in ■ Stealth Files tool located at D:\CEH-Tools\CEHv8 Module 05 System D:\CEHHacking\Steganography\Audio Steganography\Stealth Files Tools\CEHv8 Module 05 System ■ A computer running Window Server 2012 (host machine) Hacking ■ You can also download the latest version of Stealth Files from the link http://www.froeb1s.com/e11glisl1/sf40.sl1tml
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C E H Lab Manual Page 325

M odule 05 - System H acking

■ If you decide to download the latest version, then screenshots shown in the lab might differ ■ Administrative privileges to run the Stealth files tool ■ Run this tool 111 Windows Server 2012 (Host Machine)
L a b D u r a tio n

Tune: 15 Minutes
O v e r v ie w o f S t e a lt h F ile s T o o l
Stenography is the art and science of writing hidden messages.

£U

Stealth files use a process called steganography to lude any tiles inside of another . . . . 7 . . . tile. It is an alternative to encryption ot tiles because no one can decrypt the encrypted information or data from die tiles unless diey know diat die ludden tiles exist.
Lab T asks

B

TASK 1

Stenography

1. Follow the wizard-driven installation instructions to install Stealth Files Tool. 2. Launch Notepad and write Hello World and save the tile as Readme.txt on the desktop.
readme - Notepad
File Edit Format View Help f l e l l o W o rld !

& Stealth Files uses a process called steganography to hide any file or files inside of another file

F IG U R E 4.1: Hello world in readme.txt

3. Launch the Start menu by hovering the mouse cursor on the lowerleft corner of the desktop.

C E H Lab Manual Page 326

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

FIG U RE 4.2: Windows Server 2012 — Desktop view

4. Click the Stealth Files 4.0 app to open the Stealth File window.

m You can also download Stealth File from http://www.froebis.com.

F IG U R E 4.3: Windows Server 2012 —Apps

5. The main window of Stealth Files 4.0 is shown 111 the following figure.

This is an alternative to encryption because no one can decrypt encrypted information or files unless they know that the hidden files exist.

F IG U R E 4.4: Control panel of Stealth Files

C E H Lab Manual Page 327

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

6. Click Hide Files to start the process of hiding the files. 7. Click Add files.
‫ם‬
Step 1 ■ Choose Source Files:

Stealth Files 4.0 - Hide Files...

S Before Stealth Files hides a file, it compresses it and encrypts it with a password. Then you must select a carrier file, which is a file that contains die hidden files

Destroy Source Filesl Remove Selected Files! Step 2 •Choose Carrier File:

I
r Create a Backup of the Carrier File! Step 3 ■ Choose Password:

‫^־‬J

F IG U R E 4.5: Add files Window

8. In Stepl, add the Calc.exe from c:\windows\system32\calc.exe. & Stealth Files 4.0 can be downloaded from the link: http://www.froebis .com/english/sf40. shtml 9. In Step 2, choose the carrier file and add the file Readme.txt from the desktop. 10. In Step 3, choose a password such as magic (you can type any desired password).

C E H Lab Manual Page 328

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

13

Stealth Files 4.0” Hide Files...
Step 1 ■ Choose Source Files: C:\W1ndows\Sj1stem 32Vcacls.exe

!“ I‫ם‬

\ x

5 You can also remove the hidden files from the carrier file by going to Remove Hidden Files and following the instructions

I- Destroy Source Filesl Add Files! Step 2 Choose Carrier File. C:\Use s\Adm inistrator\Desktop\ eadm e.txt I- Create a Backup of the C arrier File! Choose Password: m agic) | Remove Selected Files!

1

1

:d

I Hide Files! |

FIG U R E 4.6: Step 1-3 Window

11. Click Hide Files. 12. It will hide the file calc.exe inside the readme.txt located on the desktop. 13. Open the notepad and check the file; calc.exe is copied inside it.
readme ‫ ־‬Notepad File Ed it Form at View H elp
)H e llo W o rld ! h e h jlfc le d im m a ia lm o k b m p p o n ie g m b k ln n h a c d a h h h n o k e b ib jb ie h a a lb p o f p p h if h lb k id o f h a k n b in k a d c a jjb p iia n jd h ib o b ig a g d g jo b p b f o jh k g g e e ia b id jn c n ffb e a k jg h fb c c m h h iim h p p ip h m n e o m k b k h fc b d a fc p c h im g b ifjc id j lo c g fih d d ilm c fd m c fo fd n c jd c o n g p b c ja d je b o b p n o e g d d b c jk n b jb k k n h a e b lo c d k flm p n fc g jo b k lb c p g o k h h le llim fp fn c p ig o p o p d e g in a a o e g c k k p c k m g leo n m b fn g b ln b h cik fd h k m g io d cfg n lg g o ad d cajm p ip fib h p p g g cg im m k a d n j &T When you are ready to recover your hidden files, simply open them up with Stealth Files, and if you gave the carrier file a password, you will prompted to enter it again to recover die hidden files e b fb ld fd d fo ie a e lg n p p id m p jd g m h o p ije h lik e b lfn h o ifla m a d a m p a p b e e c a k lfg p h fn a b d jm m e p b b g k h d c jp d p a m c jfc ld k e o m fb n c jd p e k p ja ib p c ie p o lb k m e le p h c p f jp ik f ic k lf a k o o n n jle h b b jd a d a ip h k jg n o n ie lje a h f p a la p p d b a c ile n o id lh ib e k p b h e jm if n g f h f a p m h a f b lif h lc g ia e b k ijik g o h d a g e e b ip b o p c k h je h ip o c e k jo ip e n d e o e a llb a k e p m k d d n e im b fg ie lb m b o o k ia d e lllm n j in ffm o n b k lk k a d p a h ifk p la n a b k d p p b fd c io a ja e k k p p n c g o jg d n h lk jm o fm n g o e g jh k n m c ifjg jc p o fo c ie d c b fp fm k lm b e m o iib jjd e n jk n lm n lm c io n e o ik n i lh k n je a p o n o b m k a lijm p lh m la fjfp a fk g fb d b lh fc b d n m jia e g n p k m n h e ih ie c fnln adn n oaon eop oop bb agm d aoh m ekd gfcekcnb cgm injem egp n nh ein oilgej o o ig lcd h a clc h jlh d g ib o o h e m b n a p m k m e p a o k jch h g cjb id fh a k c lg fb m a p n b d o p k m e g fo a n e g d m lm fo n fn o p b k e h o n e in c d h ln o e fa h b n ifd jb d lg b h ije jc e ia kam gkajbbnlndbiggagm cgnbnm afohogackcdnkhbom gofpdegibikm jm dpfkg

I~ I‫ם‬

:

F IG U R E 4.7: Calc.exe copied inside notepad.txt

14. Now open the Stealth files Control panel and click Retrieve Files.
C E H Lab Manual Page 329 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

t Stealth Fi1es 4.0
S Pictures will still look the same, sound file will still sound die same, and programs will still work fine

\

a © □

Hide Files
‫־‬

Retrieve Files

Remove Hidden Files

&■ These carrier files will still work perfecdy even with the hidden data in diem

e

About Stealth Files

Close Program
F IG U R E 4.8: Stealth files main window

15. In Step 1 , choose the hie (Readme.txt) from desktop 111 which you have saved the calc.exe. 16. 1 1 1 Step 2, choose the path to store the retrieved hidden file. 1 1 1 the lab the path is desktop. 17. Enter the password magic (the password that is entered to liide the tile) and click on Retrieve Files!
S
This carrier file can be any of these file types: E X E , D LL, OCX, COM, JPG , G IF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files

Stealth File! 4.0 - Retrieve Files...

I ‫ ־־‬1‫ ם‬T x

-Step1■ C h o o seC a rrie rF ile : C :\ Us e rs \ A d m in is tra to r\ D e s k to p V re a d m e .tx t I‫ ־־‬D e stro yC a rrie rF ile ! Step2-C h o o seD e s tin a tio nD ire c to ry : C :\lls e rs V '.d m in is tra to rV D e s k to p \ r Step3• E n te rP a ssw o rd : |m a g ic | R etrieveF ile s !
F IG U R E 4.9: Retrieve files main window

d

18. The retrieved file is stored on the desktop.

C E H Lab Manual Page 330

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

05 Vorslon; IP Address MAC Addr•••: Host Name

Windows NT 62 (non•) D4 BE 09 CJ CE 20 WIN-039MR6HL9E4

Qs- You can transfer the carrier file through die Internet, and die hidden files inside will transfer simultaneously.

FIG U R E 4.10: Calc.ese running on desktop with the retrieved file

L a b A n a ly s is

Document all die results and reports gathered during die lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility Stealth Files Tool

Information Collected/Objectives Achieved Hidden Files: Calc.exe (calculator) Retrieve File: readme.txt (Notepad) Output: Hidden calculator executed

Q u e s t io n s

1. Evaluate other alternative parameters tor hiding tiles. Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 331

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Lab

E x tr a c tin g S A M H a s h e s U s in g P W dum p7 Tool
Pwdump7 can a l s obeusedt od u / u p p m t e c t e d j i l e s Youcana l w ay sc o p ya u s e d ' f t / eb ) [ j u s te x e c u t i n g pnduffp7. e x ed c \ / o c k e d f 1/ e . d a t backjphxh dfi led otI c o nkey L a b S c e n a r io

Passwords are a big part ot tins modern generation. You can use the password for your system to protect the business or secret information and you may Test your choose to limit access to your PC with a Windows password. These passwords know ledge are an important security layer, but many passwords can be cracked and while = W eb exercise that is worry, tliis clunk 111 the armour can come to your rescue. By using password cracking tools 01‫ ־‬password cracking technologies that allows hackers W orkbookreview to steal password can be used to recover them legitimately. 111 order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. 111 tlus lab, we discuss extracting the user logui password hashes to crack the password. iiiform ation___
L a b O b je c t iv e s

[£Z7 Valuable

Tlus lab teaches you how to: ■ Use the pw dum p7 tool ■ Crack administrator passwords
L a b E n v ir o n m e n t

To carry out the lab you need:
_^Tools

demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H Lab Manual Page 332

■ Pwdump7 located at D:\CEH-T00 ls\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7 ■ Run tlus tool 011 Windows Server 2012 ■ You can also download the latest version of pwdump7 from the link http:/ /www.tarasco.org/security/pwdump 7/ 111dex.html ■ Administrative privileges to run tools
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

■ TCP/IP settings correctly configured and an accessible DNS server ■ Run this lab in Windows Server 2012 (host machine)
L a b D u r a tio n

Time: 10 Minutes

Overview of Pwdump7
Pwdump7 can be used to dump protected files. You can always copy a used file just by executing: pwdump7.exe -d c:\lockedf11e.dat backup-lockedf11e.dat. Icon key
Lab T asks

Generating Hashes

1. Open the command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7. 2. Alternatively, you can also navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7a11d right-click the pwdump7 folder and select CM D prompt here to open the command prompt.
Ad ministraton C:\Wi ndows\system32\cmd.exe
[D:\CEH-Tools\CEHv8 Module 05 Sys t e m Hack i n g \ P a s s w o r d C r ackingMJindows Hrac ke t*s\pw d u m p 7 > Password C

& Active directory passwords are stored in the ntds.dit file and currently the stored structure

F IG U R E 5.1: Command prompt at pwdump7 directory

3. Now type pwdump7.exe and press Enter, which will display all the password hashes.

C E H Lab Manual Page 333

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

Administrator: Command Prompt
:\CEH-T ools\CEHu8 Module 05 Sys t e m H a c k i n g \ P a s s w o r d C r a c k ingSWindows P a s sword C ackers\pwdunp7) p w d ump? .exe w dunp vV.l - raw p a s sword e x tractor uthor: Andres Tarasco A cuna rl: h t t p : //www.514.es A d m i n i s t r a t o r : 5 0 0 :NO PASSWORD***** D 4 7 : :: G u e s t :501 :NO P A S S W O R D * ******* * * *** LA N G U A R D _ 1 1 _ U S E R : 1 0 0 6 : N O PASSWORD* A67B960: : : Mart in :1018 :NO P A S S W O R D * *****-***** J u g g y b o y :1 0 1 9 :NO P A S S W O R D * ******** Jason :1020 :NO PASS W O R D ***■ *■ ***■*■***■ * S)liela:1021 :NO P A S S W O R D * * * * * * ** * * * *: BE40C4 5 0 A B 9 9 7 1 3 D F 1 E D C 5 B 4 0 C 2 S A *:NO PASSWORD* *:C25510219F66F9F12FC9BE662 * : 5 E B E 7 D F A 0 7 4 D A 8 E E 8 A E F 1 F A A 2 B B D E 8 7 6 ::: ***:488CDCDD2225312793ED6967B28C1025: * : 2 D 2 0 D 2 5 2 A 4 7 9 F 4 8 5 C D F 5 E 1 7 1 D 9 3 9 8 5 B F : :: **:0 C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 A 8 2 8 0 7 9 7 3 B 8 9 5 3 7 : ::

:\CEH-Tools\CEHu8 Module 05 Sys t e m Hack i n g S P a s s w o r d C r a c k ingVWindows P a s sword C ac ke rs Spw d u m p 7 >

& Always copy a used file just executing: pwdump7.exe -d c:\lockedfile.dat backuplockedfile.dat.

F IG U R E 5.2: pwdump7.exe result window

4. Now type pwdump7.exe > c:\hashes.txt 111 the command prompt, and press Enter. 5 Tins command will copy all the data ot pwdump7.exe to the c:\hashes.txt tile. (To check the generated hashes you need to navigate to the C: drive.)
hashes.txt - Notepad
File Edit Format View Help

(A d m in istra to r: 500: NO PASSWORD****‫******* ״ * * * * * * * * ״‬:BE40C450AB99713DF1EDC5B40C25AD47 G uest:5 0 1 :NO PASSWORD**‫ * ״ ״ ״ ״ * * ״ ״ ״ ״ * * ״ ״ ״ ״ ״ ״‬: NO PASSWORD**‫ ״ ״ ״ ״ ״ ״ ״ * ״ ״ ״ ״ ״ ״ ״ ״ * ״ ״‬: :: LANGUARD_11_USER:1006:NO PASSWORD**********‫********* ״ ״‬:C25510219F66F9F12FC9BE662A67B960 M a rtin :1018:NO P A S S W O R D * * * * * * * * * * * * * * * 5 : ‫ ״ * * * ״ ״‬EBE7DFA074DA8EE8AEF1FAA2BBDE876 Duggyboy:1019:NO P A S S W O R D * 4 8 8 : * * ‫ ״ * * * * * * * * * * * * * * * * ״‬CDCDD2225312793ED6967B28C1025 ]ason:1020:NO PASSWORD* * * * * 2: * * * * * * * * * * * * * * * ‫ ״‬D20D252A479F485CDF5E171D93985BF Shiela:1021:N O P A S S W O R D * * * * 0 : ‫ ״ * * * * * * ״ * * ״ ״ * ״ ״ ״ ״‬CB6948805F797BF2A82807973B89537

F IG U R E 5.3: hashes.txt window

L a b A n a ly s is

Analyze all the password hashes gathered during die lab and figure out what die password was.

C E H Lab Manual Page 334

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility

Information Collected/Objectives Achieved Output: List of User and Password Hashes ■ Administrator ■ Guest ■ Lauguard ■ Martin ■ Juggyboy ■ Jason ■ shiela

PWdump7

Q u e s t io n s

1. What is pwdump7.exe command used for? 2. How do you copy the result of a command to a file? Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 335

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

C re a tin g th e R a in b o w T a b le s U s in g W in rtg e n
Winrtgen i s a graphical ‫־‬ Rainbow Tables Generator that s / i p p o / t s UM, FastLM, N T L M , L M C H 4LL, HaljLMCHALL, N I U M C H A L L , M S C A C H E , M D 2, M D 4, M D 5, S H A 1 , R I P E M D 160, M j S O L J 23, M j S O L S H 4 1, CiscoPIX, O K 4CLE, S H 4-2 ( 256) , S H 4-2 ( 384) and S H 4-2 ( 512) ha s h e s . ICON KEY L a b S c e n a r io

111 computer and information security, the use ot password is essential for users to protect their data to ensure a seemed access to dieir system or machine. As users Test your become increasingly aware of the need to adopt strong passwords, it also brings know ledge challenges to protection of potential data. 111 tins lab, we will discuss creating die rainbow table to crack the system users’ passwords. 111 order to be an expert ethical = = W eb exercise hacker and penetration tester, you must understand how to create rainbow tables to m W orkbookreview crack the administrator password.

[£ II7V aluable inform ation

L a b O b je c t iv e s

The objective of this lab is to help students how to create and use rainbow table to perform system password hacking.
L a b E n v ir o n m e n t

To earn‫ ׳‬out die lab, you need:
^^Tools

demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H Lab Manual Page 336

■ Winrtgen Tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen ■ A computer running Window Server 2012 ■ You can also download the latest version of Winrtgen from the link http: / Avwwox1d.it/projects.html ■ If you decide to download the latest version, then screenshots shown 111 the lab might differ
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

■ Run this tool 011 Windows Server 2012 ■ Administrative pnvileges to mil tins program
L a b D u r a tio n

Time: 10 Minutes
You cau also download Winrtge from

O v e r v ie w o f R a in b o w T a b le

iittpv'/w w w .oxid.it/fjrojeef ^ rainbow table is a precomputed table for reversing cryptograpliic hash functions, usually for cracking password hashes. Tables are usually used 111 recovering plaintext passwords, up to a certain length, consisting of a limited set of characters.
Lab T ask TASK 1

Generating Rainbow Table

1. Double-click the winrtgen.exe tile. The main window of winrtgen is shown 111 die following figure.
r ‫־‬
F ile n a m e Winrtgen v2.8 (Rainbow Tables Generator) by mao S ta tu s

A d dT a b le

R em o ve

R em o veA ll

A b o u t

OK

E x it

FIG U R E 6.1: winrtgen main window Rainbow tables usually used to crack a lot of hash types such as
m

2. Click die Add Table button.

NTLM, MD5, SHA1

C E H Lab Manual Page 337

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Winrtgen v2.8 (Rainbow Tables Generator) by mao

- ‫ם‬

x

£ Q You can also download Winrtge from http://www.oxid.it/project s.html.

III Add Table Remove Remove All About OK Exit

FIG U R E 6.2: creating die rainbow table

3. Rainbow Table properties window appears: i. Select ntlm from the Hash drop-down list u. Set die M in Len as 4, die Max Len as 9, and the Chain Count of 4000000 iii. Select loweralpha from die Charset drop-down list (tins depends on the password). 4. Click OK.
Rainbow Table properties
r Hash |ntlm Min Len -Max Len rIndex Chain Len— |2400 Chain Count — I4000000

I4

I9

1 °

£vTools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

|abcdefghijklmnopqrstuvwxyz Table properties Key space: 5646683807856 keys Disk space: 61.03 MB Success probability: 0.001697 (017%) Benchmark Hash speed: Step speed: Table precomputation tim e: Total precomputation tim e: Max cryptanalysis tim e: Benchmark | Optional parameter |Adm inistratot

FIG U R E 6.3: selecting die Rainbow table properties

5. A file will be created; click OK.

C E H Lab Manual Page 338

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Winrtgen v2.8 (Rainbow Tables Generator) by mao
Filename Status

x

n tlm _ lo w e ra lp h a # 4 9 _ 0 _ 2 4 0 0 x 4 0 0 0 0 0 0 _ o x id 8 0 0 0 .rt

I I I

Add Table

Remove

Remove All

About

OK

Exit

FIG U RE 6.4: Alchemy Remote Executor progress tab window

Creating the hash table will take some time, depending on the selected hash and charset. Note: To save die time lor die lab demonstration, die generated hash table is kept 111 die following !older: D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation ToolsYWinrtgen
m You must be careful of your harddisk space. Simple rainbow table for 1 —5 alphanumeric and it costs about 613MB of your harddisk.

7 . Created a hash table saved automatically 111 die folder containing

winrtgen.exe.
Winrtgen

‫י‬
v C Search Winrtgen Size 6KB 62,500 KB 259 KB 1 KB

' L
‫ ־&־‬Favorites ■ Desktop Downloads % Recent places

5
CEHv Module 05 System Hacking ► Rainbow Table Creation Tools ► Winrtgen

8

Name
M charset.txt

Date modified 7/10/2008 &29 PM

Type Text Document RT File Application SJG File

| □ ntlm_loweralphag4-6_0_2400x4000000_ox... | 9/18/201211:31 AM H! winrtgen.exe □ winrtgen.exe.sig

7/10/200810:24 PM 7/10/2008 10:33 PM

Libraries [ J Documents Music II■! Pictures H Videos

Computer & Local Disk ( C )

1 m New Volume (D:)

4 items

1 item selected 61.0 M B

State: Q

Shared

FIG U RE 6.5: Generated Rainbow table file

C E H Lab Manual Page 339

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

L a b A n a ly s is

Analyze and document the results related to the lab exercise. Tool/Utility Winrtge Information Collected/Objectives Achieved Purpose: Creating Rainbow table with lower alpha Output: Created Rainbow table: ntlm_lowe1‫־‬alpha#46_0_2400X4000000_ox...

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required D Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 340

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

P a s s w o r d C r a c k in g U s in g R a in b o w C ra c k
Rainbon'Crack i sa computerprogram thatgenerates rainbow t a b l e st o be usedin password c r a c k i n g . L a b S c e n a r io

Computer passwords are like locks 011 doors; they keep honest people honest. It someone wishes to gam access to your laptop or computer, a simple login password Test your will not stop them. Most computer users do not realize how simple it is to access die know ledge____ login password tor a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is tor as W eb exercise someone to gain access to your computer? Windows is still the most popular m W orkbookreview operating system, and die method used to discover the login password is die easiest. A hacker uses password cracking utilities and cracks vour system. That is how simple it is for someone to hack your password. It requires 110 technical skills, 110 laborious tasks, only simple words 01‫ ־‬programs. 111 order to be an ethical hacker and penetration tester, you must understand how to crack administrator password. 111 tins lab we discuss how to crack guest users or administrator passwords using RainbowCrack.
L a b O b je c t iv e s

1 '— JV aluable inforination___

£~Tools demonstrated in this lab are L a b E n v ir o n m e n t available in To earn‫ ־‬out die lab, you need: D:\CEHTools\CEHv8 ■ RainbowCrack Tool located at D:\CEH-T00 ls\CEHv8 Module 05 Module 05 System System Hacking\Rainbow Table Creation Tools\RainbowCrack Hacking ■ A computer running Window Server 2012

The objective ot this lab is to help students to crack passwords to perform system password hacking.

■ You can also download the latest version of RainbowCrack from the link http://proiect-ra111bowcrack.com/
C E H Lab Manual Page 1 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

!2 2 You can also download Winrtge from http://www.oidd.it/project s.html

■ If you decide to download die latest version, then screenshots shown in die lab nuglit differ ■ Run diis tool 011 Windows Server 2012 ■ Administrative privileges to mn diis program
L a b D u r a tio n

Tune: 10 Minutes
O v e r v ie w o f R a in b o w C r a c k

RauibowCrack is a computer program diat generates rainbow tables to be used ui password crackuig. RauibowCrack differs from "conventional" bmte force crackers in diat it uses large pre-computed tables called rauibow tables to reduce die lengdi of time needed to crack a password.
Lab T ask
E task 1

Generating the Rainbow Table

1. Double-click die rcrack_gui.exe tile. The maui window of RauibowCrack is shown ui die following figure.

m RainbowCrack for G PU is the hash cracking program in RainbowCrack hash cracking utilities.

FIG U RE 7.1: RainbowCrack main window

2. Click File, and dien click Add Hash...

C E H Lab Manual Page 342

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

RainbowCrack 1.5
File | Edit Rainbow Table Help P la in te x t in H ex Add Hash... Load Hashes from File... Load L M Hashes from P W D U M P File... Load N T LM Hashes from P W D U M P File.. Save Results...

£Q! RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight G PU brute forcing cracker

FIG U RE 7.2: Adding Hash values

3. The Add Hash window appears: i. Navigate to c:\hashes, and opendie hashes.txt tile (which isalready generated using Pwdump7 located at c:\hashes.txt 111 the previous Lab no:5) . Right-click, copy die hashes from hashes.txt tile. Paste into die Hash held, and give die comment (optional). Click OK.
hashes.txt - Notepad
File Edit Format View Help Undo

ii. iii.
iv.

£Q| RainbowCrack uses time-memoiy tradeoff algorithm to crack hashes. It differs from die hash crackers that use brute force algorithm

A d m in is tra to r:5 0 0 :NO Cut P A S SW O R D *********************: BE40C450AB Copy G u e st: 501: NO PASSW O RD ******************"! Paste P A S SW O R D ********************** ‫* ׳‬ LANGUARD_11_USER:1006:NO Delete PASSWORD‫***** * * * * ״ * * * * * * * * * * ״‬: C25510219F Select All M a r t in :1018:NO Right Reading order P A S S W O R D 5 : *********‫***״‬ * * * to * *left **‫״‬ EBE7DFA07 ] uggy boy: 1019: NO Show Unicode control characters PAS S WORD488: * * * * * * * * * * * * * * * * * * * * ‫ ״‬CDCDD22 Insert Unicode control character Dason:1020:NO Open IME P A S S W O R D 2 :* * * * * * * * * * * * * **** * •* ‫ ״‬D20D252A4 _____________________________ _______Shiela:1021:N O PASSWORD* * * * * * * * * * * * * * * * * * * * *

FIG U R E 7.3: Selecting the hashes

C E H Lab Manual Page 343

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

RainbowCrack 1.5
File Edit Rainbow Table Help P l a i n t e x t I n H ex

* ‫־‬ ‫י‬

£/Tools

demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

0C86948805F797BF2A82807973889537 Comment (optional): password

FIG U R E 7.4: Adding Hashes

4. The selected hash is added, as shown 111 die following figure.
RainbowCrack 1.5
File H a sh @ 0 c b 6 9 4 e8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3b89537 Edit Rainbow Table Help P la in te x t ? P l a i n t e x t I n Hex

£ 2 Fun time-memory tradeofftool suites, including rainbow table generation, sort, conversion and lookup

FIG U R E 7.5: Added hash show in window

5. To add more hashes, repeat steps 2 & 3 (i,ii,iii,iv) 6. Added hashes are shown 111 the following figure.

C E H Lab Manual Page 344

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

RainbowCrack 1.5

I

‫־־[ם‬r x

TI

£ 0 . RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per-se, some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.

P File H a sh 0

Edit

Rainbow Table

Help P la in te x t ? ? ? ? ? P l a i n t e x t i n H ex ? ? ‫ל‬ ? 1

0 c b 6 9 4 8 8 0 S f 7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7

@ 0 c b 6 9 4 8 8 0 5 f7 9 7 b f2 a8 2 8 0 7 9 7 3 b 8 9 5 3 7 @ 4 8 8 c d c d d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5 @ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6 @ c 2 5 5 1 0 2 1 9 £ 6 6 f 9 f l2 f c 9 b e 6 6 2 a 6 7 b 9 6 0

FIG U R E 7.6: Added Hashes in the window

7. Click die Rainbow Table from die menu bar, and click Search Rainbow Table...
£ 9 RainbowCrack for G PU software uses G PU from N V ID IA for computing, instead of CPU. By offloading computation task to G PU, the RainbowCrack for G PU software can be tens of times faster than nonG PU version.

8. Browse die Rainbow Table diat is alreadv generated 111 the previous lab, which is located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen. 9. Click Open.

C E H Lab Manual Page 345

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

Open
^ Organize ▼ jA ” Windows Password Crac... ► winrtgen v

( j | | Search winrtgen
| ‫ב־‬ ‫־׳י‬ [ jjj

P I Type RT File

|

New folder Name Q ntlm.loweralphag4-6.0.24001(4000000.ox■..

ki

Recent places Music

Date modified 9/18/2012 11:31 AM

Libraries j3] Documents

J l Music

E Q a time-memory tradeoff hash cracker need a pre-computation stage, at the time all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length are computed and results are stored in files called rainbow table

g 9

Pictures Videos

1^ ^

Computer Local Disk (C:)

r . Local Disk (D:) 1 - Local Disk (£)

> 1
Filename: ntlmjoweralpha*4-6_0_2400x4000000_oxid*£ v | Rainbow Tables (*.rt;*.rtc) Open

FIG U R E 7.8: Added Hashes in the window

10. It will crack the password, as shown 111 the following figure.
RainbowCrack 1.5
File H ash 3 3 3 0 c b 6 9 4 8 8 0 5 f7 9 7 b f 2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7 0 c b 6 9 4 e 8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7 4 e e c d c d d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5 te s t te s t g ree n a p p le ? q w e r ty Edit Rainbow Table Help P l a i n t e x t I n Hex 74657374 74657374 677265656c 6170706C 65 7 717765727479 Com ment p a ssw o rd

✓ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6 3 3 c 2 5 5 1 0 2 1 9 f6 6 f 9 fl2 fc 9 b e 6 6 2 a 6 7 b 9 6 0 2 d 2 0 d 2 5 2 a 4 7 9 f 4 8 5 c d f 5 e l7 1 d 9 3 9 8 5 b f

£ = • = ‫־‬ ! RainbowCrack focus on the development of optimized time-memory tradeoff implementation, and generation of large rainbow tables.

t i n e o f a la rm c h e c k : tin e o f w a it: ti m e o f o t h e r o p e r a t i o n : ti m e o f d i s k r e a d : h a s h & re d u c e c a l c u l a t i o n o f c h a in t r a v e r s e : h a s h 4 r e d u c e c a l c u l a t i o n o f a la r m c h e c k : num ber o f a la r m : s p e e d o f c h a in t r a v e r s e : s p e e d o f a la r m c h e c k :

2 .3 4 s 0 .0 0 s 0 .1 9 s 0 .0 8 s 5755200 35850648 55125 9 .7 1 m i l l i o n / s 1 5 .3 3 m l l l l o n / s

/s

5

FIG U R E 7.9: Added Hashes in the window

L a b A n a ly s is

Analyze and document die results related to the lab exercise.

C E H Lab Manual Page 346

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility

Information Collected/Objectives Achieved Hashes: ‫ י‬Administrator ‫ י‬Guest ‫ י‬Languard ‫ י‬Martin ■ Juggyboy ■ Jason ‫ י‬Shiela Password Cracked: ‫ י‬test ‫ י‬test ‫ י‬green ‫ י‬apple ‫ י‬qwerty

RainbowCrack

Q u e s t io n s

1. What kind of hashes does RambowCrack support? Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 347

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Lab

E x tra c tin g A d m in is tra to r P a s s w o r d s U s in g L O p h tC ra c k
U)phtCrack i spacked with powetfnlf e a t u r e s , such as sc he du l i n g , hash ex tr act ion f r o / / / 64b i t Windows v e r s i o n s ; multiprocessor al g o r i t h m s , and network monitoring and d ec o d i n g .I t can import and crack U N I X passwordfiles and remote Windows machines. L a b S c e n a r io

/V aluable inform ation Test your know ledge____ ^ W eb exercise

Since security and compliance are high priorities for most organizations, attacks a company 01‫ ־‬organization's computer systems take many different forms, such as spooling, smurfing, and other types of denial-of-service (DoS) attacks. These attacks are designed to harm 01‫ ־‬interrupt the use of your operational systems.
011

r*‫־‬.. W orkbookreview Password cracking is a term used to describe the penetration of a network, system, 01‫ ־‬resource with 01‫ ־‬without the use of tools to unlock a resource that has been secured with a password. 111 tins lab we will look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to do to protect yourself. Through an examination of several scenarios, in tins lab we describe some of the techniques they deploy and the tools that aid them 111 their assaults and how password crackers work both internally and externally to violate a company's infrastructure.
111 order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. 111 tins lab we crack the system user accounts using LOphtCrack.

^^Tools

demonstrated in L a b O b je c t iv e s this lab are The lab teaches you how to: available in D:\CEH■ Use the LOphtCrack tool Tools\CEHv8 ■ Crack administrator passwords Module 05 System Hacking
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page

M odule 05 - System H acking

L a b E n v ir o n m e n t

To earn’ out the lab you need: ■ LOphtCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\LOphtCrack ■ Run tliis tool on Windows Server 2012 (host machine) ■ You can also download the latest version of LOphtCrack from the link http: / / www.lOphtcrack.com ■ Administrative privileges to run tools ■ Follow wizard driven installation instructions ■ TCP/IP settings correctly configured and an accessible DNS server ■ Tins tool requires the user to register or you can also use the evaluation version for a limited period of time
L a b D u r a tio n

Time: 10 Minutes
O v e r v ie w o f L O p h t C r a c k

LOphtCrack provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.
Lab T asks TASK 1

Cracking Administrator Password

1. Launch the Start menu by hovering the mouse cursor to the lower left most corner of the desktop.

|| W in d o w sS e rv e r2 0 1 2
vm 1 i‫״ימ״« ׳‬5‫י!שי'י‬1‫ן‬
m You can also download the LOphtCrack from http://www.lOphtcrack.

FIG U R E 8.1: Windows Server 2012—Desktop view

2. Click the LOphtCrack6 app to open the LOphtCrack6 window

C E H Lab Manual Page 349

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

S ta rt

Administrator

Server Manager

Windows PowerShel

Google Chrome

Hyper-V Manager

F a
Computer

T
Control Panel

o
Hyper-V Virtual Machine...

‫י‬ ‫י‬
SQL Server Installation Center...

* J e
/LOphtCrack supports pre-computed password hashes.
Intrmrt fuplcrr‫׳‬

m
Command Prompt

Q
Mozilla Firefox

K
Global Network Inventory

< ©
Nmap Zenmap GUI

I f
Workspace Studio

Drdlrp

O‫־‬

3
F IG U R E 8.2: Windows Server 2012 —Apps

3. Launch LOphtCrack, and 111 the LOphtCrack Wizard, click Next.
LOphtCrack Password Auditor v6.0.16

x
LOphtCrack 6 Wizard

Welcome to the LOphtCrack Wizard Ths wizard wil prompt you wth step-by-step nsbuctions to get you audting n mrxies First, the wizard w i help you determne where to retrieve your encrypted passwords from Second, you w i be prompted wth a few options regardng which methods to use to audit the passwords Third, you w i be prompted wth how you wish to report the results Then. LOphtCrack w i proceed audting the passwords and report status to you along the way. notifying you when audfcng is complete Press Next' to conbnue wth the wizard

6

6

LOphtCrack can also cracks U N IX password files.

[7 ‫ ך‬jjjprit show me this wizard on startup

FIG U RE 8.3: Welcome screen of die LOphtCrack Wizard

4. Choose Retrieve from the local machine in the Get Encrypted Passwords wizard and click Next.

C E H Lab Manual Page 350

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

LO p h tC ra c kPa ssw o rdA u d ito rv 6 .0 .1 6

Get Encrypted Passwords

Choose one of the folowng methods to retrieve the encrypted passwords | ♦ Retneve from the tocal machne | Pulls encrypted passwords from the local machrte's registry Admnatrator access a requred Retneve from a remote machne Retneve encrypted passwords from a remote machne on your doman Admrwtrator access is required Retneve from SAM /SYSTEM backup Use emergency repar disks, backup tapes, or volume shadow copy techr»ques to obtain a copy of the registry SAM and SY ST EM hives This contans a copy of your non-doman passwords Q Retneve by jnrffng the local network Sniffing captures encrypted hashes n transit over your network Logns.fie shamg and pmt shanng al use network authentication that can be captured.

< Back

Next >

■ |

LOphtCrack has a built-in ability to import passwords from remote Windows, including 64-bit versions of Vista, Windows 7, and U N IX machines, without requiring a thirdparty utility.

ca

FIG U R E 8.4: Selecting die password from die local machine

5. Choose Strong Password Audit from the Choose Auditing Method wizard and click Next.
1 - ‫׳‬°' ‫ן‬

FIG U R E 8.5: Choose a strong password audit

6. In Pick Reporting Style, select all Display encrypted password hashes. 7. Click Next.
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 351

M odule 05 - System H acking

m LOphtCrack offers remediation assistance to system administrators.

FIG U R E 8.6: Pick Reporting Style

8. Click Finish.
LO p h tC ra c kPa ssw o rdA u d ito rv 6 .0 .1 6

‫ ־‬°

x

Bogin Auditing

P

Step

LOphtCrack « now ready to begn the password aud*ing process Please confirm the folowng settings and go back and change anythng that ts not correct Retrieve passwords from the local machine Perform 'Quick' password audit Display doman password belongs to Display passwords v41en audited Display time spent auditing each password Give visible notification *tfien done audrtng Show method used to crack password

6

O

Step 2

_ LOphtCrack lias real._ time reporting that is displayed in a separate, tabbed interface.

[/] Save these settings as sesaon defaults Press ■finish'to bepn audtng

► Step 5
6«g1n Auditing

FIG U RE 8.7: Begin Auditing

9. LOpntcrack6 shows an Audit Completed message, Click OK. 10. Click Session options Irom the menu bar.

C E H Lab Manual Page 352

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

Cracked Accounts Weak Passwords Pause Stop Schedule Scheduled Audit Tasks

J j.

<N

Disable Force Password Expired Accounts

‫־‬ d Domain

Run y Report User Name LM Password * missing * ‫ ״‬missing * * missing * * missing * * missing ‫ ״‬missing LM Hash__________________________

,X WIN-D39MR... Administrator £ WIN-D39MR... Guest J t WIN-D39MR... Jason 4 WIN-D39MR... Juggyboy <tw1N-D39MR... IANGUARD_11_USER A WIN-D39MR... Martin

LOphtCrack 6

x

to t a ] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ( uords 29151 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ( _wgrds_done 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ( 1 0 B T 5 O T ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ( 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ( _______ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 (

I

Audit completed.

OK

LtX&sslaezei 0d Oh 0» Os
____ tlMS-iSlt _ _ l ‫_־‬d o n S

_______

III Messages 0 9/1 8 /2 0 1 2 0 9/1 8 /2 0 1 2 0 9 / 1 8/2 01 2 0 9/1 8 /2 0 1 2 1 4 :4 7 :4 8 M u ^ i - c o r e o p e r a t i o n w i t h 4 c o r e s . 1 4 :4 7 :5 2 Im p o r t e d 2 a c c o u n t s fr o m t h e l o c a l 1 4 :4 7 :5 2 A u d i t s t a r t e d . 1 4 :4 7 :5 2 A u d i t i n g s e s s i o n c o m p le t e d . m a c h in e

> 4 X

FIG U R E 8.8: Selecting Session options £ Q LOphtCrack uses Dictionary, Hybrid, Recomputed, and Bmte Force Password auditing methods.

11. Auditing options For This Session window appears: i. Select the Enabled, Crack NTLM Passwords check boxes 111 Dictionary Crack. ii. Select the Enabled, Crack NTLM Passwords check boxes 111 Dictionary/Brute Hybrid Crack. iii. Select the Enabled, Crack NTLM Passwords check boxes 111 Brute Force Crack.
IV.

Select the Enable Brute Force Minimum Character Count check box.

v. Select the Enable Brute Force Maximum Character Count check box. 12. Click OK.

C E H Lab Manual Page 353

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

A u d itin gO p tio n s Fo rT h isSessio n
Dictionary Crack Dictionary List 0 Crack NTLM Passwords Dictionary/Brute H ybrid Crack [2 Enabled 0 V Crack NTLM Passwords C om m onletter substitutions * (m uch slower) * Charactersto prepend - Charactersto append

‫־‬m

The Dictionary Crack tests for passwords that are the same as the words fcste dinthe wordfile. This test *very fast and findsthe weakest passwords. The Dictionary/Brute H ybrid Crack tests forpasswordsthat are variations of the words inthe wordfile. Itfinds passwords such as Dana9 9 or monkeys! . This test isfast andfinds weak passwords.

Precom puted
E ! Enabled C Hash File List

Preserve Precomputation Data

Location

Also known as 'ranbow tables', the Precom puted Cracktests for passwords aganst a precom puted hashes contan-edn a file orfiles This test is very fast andfinds passwords created fromthe sam e character set as the precom puted hashes. Preservng precom putation data speeds up consecutive m ns n exchange for disk space Ths crack works aganst LM and NTLM passwords, but not Una The Brute Force Crack tests for passwords that are m ade up of the characters specified inthe character set I finds passwords such as "W eR3pfc6s■ ' or "vC5%6S*12b" This test is slow andfinds m e < fc jmto strong passwords. Enabing a start orend point lets you control the m in im u mand m a x im u mnum berof characters to iterate.

Ba/te Force Crack Language:

J£rack NTLM Passwords

English

alphabet ♦num bers CustomCharacter Set (list each character):
E T N RIO AS D H LCFPU MYG W V BX K Q JZetnrioasd hlcfpumygwvbxkqjzOI 23456789

Brute Force M in im u mCharacter C ount

‫נ‬

The actual m a x im u mcharacter count used m ay vary based on hash type Specfy a character set w ith m ore characters to crack strongerpasswords.

Brute Force M ax im u mCharacter Count
To 9 ’

QK

Qancel

F IG U R E 8.9: Selecting die auditing options

13. Click Begin ' ' ‫ ר‬from the menu bar. LOphtCrack cracks the administrator password. 14. A report is generated with the cracked passwords.

FIG U RE 8.10: Generated cracked Password Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 354

M odule 05 - System H acking

L a b A n a ly s is

Document all die results and reports gathered during die kb.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility

Information Collected/Objectives Achieved User Names: ‫ י‬Administrator ‫ י‬Guest ‫ י‬Jason ‫ י‬Juggvbov ‫ י‬LANGUARD_11_USER ‫ י‬Martin Password Found: ‫ י‬qwerty ■ green ‫ י‬apple

LOphtCrack

Q u e s t io n s

1. What are the alternatives to crack administrator passwords? 2. Why is a brute force attack used 111 the LOphtCrack tool? Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 355

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

P a s s w o r d C r a c k in g U s in g O p h c ra c k
Ophcrnck i s a free open source ( GPL l i c e n s e d ) program that cracks Windows passn‫׳‬ ords by using L M hashes through rainbow t a b l e s . ICON KEY L a b S c e n a r io

/V aluable inform ation
J? T e$t your ___know ledge____

» W eb exercise W orkbookreview

a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. Tins weakness exists m practically all widely used systems instead of forcing users to choose well-chosen secrets that are likely to be difficult to remember. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not; we examine common forms of guessing attacks, password cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Poorly chosen passwords are vulnerable to attacks based upon copying information. 111 order to be an expert ethical hacker and penetration tester, you must understand how to crack the weak administrator 01‫־‬ system user account password using password cracking tools. 111 tins lab we show you how to crack system user accounts usmg Ophcrack.
111

L a b O b je c t iv e s

The objective of this lab is to help students learn: ‫ י‬Use the OphCrack tool Tools ■ Crack administrator passwords demonstrated in this lab are L a b E n v ir o n m e n t available in D:\CEHTo earn‫ ־‬out die lab, you need: Tools\CEHv8 Module 05 System " OphCrack tool located at D:\CEH-T00 ls\CEHv8 Module 05 System Hacking Hacking\Password Cracking Tools\Ophcrack ■ Run this tool 011 Windows Server 2 0 12 (Host Machine) ■ You can also download the latest version of LOphtCrack from the link http: / / ophcrack.sourceforge.net/
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C E H Lab Manual Page 356

M odule 05 - System H acking

■ Administrative privileges to run tools ■ Follow the wizard-driven installation instructions
L a b D u r a tio n

Time: 15 Minutes
O v e r v ie w o f O p h C r a c k

Rainbow tables for LM hashes of alphanumeric passwords are provided for free by developers. By default, OphCrack is bundled with tables diat allow it to crack passwords no longer than 14 characters using only alphanumeric characters.
Lab T ask TASK 1

Cracking the Password

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

g| W n d o w sS e rv e r2 0 1 2
v n n o o tfj!x rv ff1 0 uK e te jje u n o io a ww u c w w r

‫ןןמישיייעןיימיירזמיי‬
FIG U R E 9.1: Windows Server 2012 - Desktop view

tvilwtor c c‫׳‬pv kud M O O

2. Click the OphCrack app to open the OphCrack window.

m You can also download the OphCrack from http:/ /ophcrack.sourceforg e.net.

FIG U R E 9.2: Windows Server 2012— Apps

3. The OphCrack main window appears.

C E H Lab Manual Page 357

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - S ystem H ackin g

ophcrackC

1‫' ם ! ־‬

4A
Load Progress Delete Statistics Save

11/
Tables Cradt Help

^
Exit

G
About

J

Preferences

B Rainbow tables for LM hashes of alphanumeric passwords are provided for free by die developers

Preload:

waitng

| Brute force:

waiting

j

Pwd found:

0/0

Time elapsed: |

OhOmQs

FIG U R E 9.3: OphCrack Main window

4. Click Load, and then click PW DUMP file.
ophcrack

‫ב‬
Single hash PW D UM P file Session file

U/

,• © ..‫י‬

&

<?

e

& Ophcrack is bundled with tables that allows it to crack passwords no longer than 14 characters using only alphanumeric characters

Encrypted SAM Local SAM with samdump2 Local SAM with pwdump Remote SAM

6

Directory

Progress

Preload: _______ waiting_______| Brute force: |

waitng

| PwdfouxJ:

Fig 9.4: Selecting PWDUMP file

5. Browse die PWDUMP file diat is already generated by using P\\T)UMP7111 die previous lab 110:5 (located at c:\hashes.txt). 6. Click Open
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 358

M odule 05 - System H acking

O p en PW D UM P file

0C O^ ^
Organize ■ Desktop
4 Downloads

***

* Computer
A Name

► Local Disk (C:)

v

C

| Search Local Disk (C:)

P ] I

New folder Date modified 9/17/2012 9:25 AM 9/18/20122:18 PM 9/4/2012 7:00 PM 9/18/20122:35 PM 8/30/20121:06 PM 9/15/2012 3:26 PM 8/7/2012 1:50 AM

§ ‫־‬ =- E Hm
Type File folder File folder File folder File folder File folder File folder File folder File folder RND File Text Document System file JS File ‫ן‬ ji. Program Files Program Files (x86) j j TFTP-Root Users j. usr
J W in d o w s 4• W indow s.old

S

Recent places

available as Live CD distributions which automate the retrieval, decryption, and cracking of passwords from a Windows system.

J )Music
^ Libraries (3| Documents Music fcl Pictures H Videos :■ Computer Local Disk (C:) . ^ Local Disk (D:) v,

J,.

W in d o w s.o ld

.0 0 0

8/8/2012 12:03 AM 9/19/2012 9:58 AM 9/18/2012 3:06 PM 9/15/2012 2:53 PM 9/6/20124:03 PM

r

^

.rnd__________________

hashes.txt

|j6j msdos.sys

[ Auser.js
File name: hashes.txt

v

j

[All Files (*/) Open

FIG U R E 9.5 import the hashes from PWDUMP file

7. Loaded hashes are shown 111 the following figure.
ophcrack

O
Load Progress

Si
Delete Statistics

«S
Save

IU
Tables Crack

O

o

j

Preferences |

User
Administrator

NT Hash BE40C450AB997... 31d6cfe0d16ae9... C25510219F66F... 5EBE7DFA074D... 488CDCDD2225... 2D20D252A479F... 0CB69488O5F79...

Guest LANGUARD.! 1_ Martin Juggyboy Jason

£7 Ophcrack C racks LMandNTLM W indows hashes

Shiela

Directory

Progress

Preload: _______ waitng_______| Brute force: |

waiting

] Pwd foaxl:

FIG U RE 9.6 Hashes are added

8. Click Table. The Table Selection window will appear as shown 111 die following figure.

C E H Lab Manual Page 359

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

o p h c ra c k IU
Tables Progress User Administrator Statistics 0

^ ‫י ז‬

', ,s g ?
Crack

Table Selection
Table m XP free fast • XP free small • XP special # XP german vl • XP german v2 • Vista special • Vista free • Vista nine • Vista eight • Vista num • Vista seven • XP flash < • Vista eight XL Directory Status not installed not installed not installed not installed not installed not installed not installed not installed not installed not installed not installed not installed not installed

Guest
LANGUARD_11_

Martin Juggyboy
Jason Shiela

&Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

< • = enabled

III

|

>

J

= disabled

• = not nstaled

B B S S
Pretoad: _______ waiting_______| Brute force: | waiting ] Pwd fouxJ: T«ne elapsed: Oh 0‫ וח‬Os

FIG U RE 9.7: selecting die Rainbow table

Note: You can download die free XP Rainbow Table, Vista Rainbow Tables from http:// ophcrack.sourcetorge.net/tables.php 9. Select Vista free, and click Install.
‫״‬G Table Selection

lab le • XPfre efa st • XPfreesm a ll 9 XP sp e cia l • XP g e rm a nv 1 • XP g e rm a nv 2 •V istasp e cia l | !• V istafre e •V istan in e #V istae ig h t •V istan u m < •V istase ve n * X Pfla sh < •V istae ig h tX L

D ire cto ry

Sta tu s n o t in sta lle d n o t in sta lle d n o t in sta lle d n o t in sta lle d n o t in s ta lle d n o t in sta lle d n o t in s ta lle c n o t in s ta lle d n o t in s ta lle d n o t in s ta lle d n o t in s ta lle d n o t in s ta lle d n o t in s ta lle d

< l < •= e n a b le d

III 4= d is a b le d • =n o tin s ta lle d

‫<ן‬

0 0 @ @
FIG U R E 9.8: Installing vista free rainbow table

C E H Lab Manual Page 360

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

10. The Browse For Folder window appears; select the the table_vista_free folder (which is already download and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack) 11. Click OK.
Browse For Folder
Select the directory which contains the tables.

&■ Ophcrack Free tables available for Windows XP, Vista and 7

4

J4 CEHv8 M odule 05 System Hacking
4
a

A

Password Cracking W indows Password Crackers
A

OphCrack tables_vista_free pwdump7 winrtgen I

t > <

steganography III OK

V

1

l> Cancel

Make New Folder

12. The selected table vista free is installed,; it shows a green color ball which means it is enabled. Click O K . ? x Table Selection
‫־‬ fa b le •X Pfre efa st •X Pfre esm a ll •X P sp e cia l •X Pg erm anv 1 •X Pg erm anv2 •V istasp e cia l >• V istafre e •V istan in e •V istae ig h t •V istan u m •V istase ve n •X Pfla sh * V istaeig h tX L D ire cto ry S ta tu s n o t in s ta lle d n o t in s ta lle d n o t in s ta lle d n o t in sta lle d n o t in s ta lle d n e t in s ta lle d o nd is k n o t in s ta lle c n o t in sta lle d n o t in sta lle d n o t in sta lle d n o t in s ta lle d n o t in sta lle d

& Loads hashes from encrypted SAM recovered from a Windows partition

C :/Pro g ramF ile s(x 8 6 )/ ta b le s_vista _fre e

<
£ = enabled 4 = disabled

III

> In s ta ll

# = not installed

A

*

*

FIG U R E 9.9: vista free rainbow table installed successfully

13. Click Crack: it will crack die password as shown 111 die following figure.

C E H Lab Manual Page 361

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

ophcrack

i
Load Progress Delete Statistics

«!
Save

a/
Tables

^
Crack

@
Help

i
Bat

J

Preferences NT Hash BE40C450AB997... 31d6cfe0d16ae9... C25510219F66F... 5EBE7DFA074D... 488CDCDD2225... 2D20D252A479F... 0CB6948805F79... apple green qwerty test em pty LM Pwd 1 LM Pwd 2 NT Pwd

This is necessary if die generation of die LM hash is disabled (this is default for Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).

User Administrator Guest LAN6UARDJ 1_... Martin Juggyboy Jason Shiela

LM Hash

!able t> 4 Vista free

Directory C:/Program File...

Status 100% in RAM

Progress

FIG U R E 9.10: passwords ate cracked

L a b A n a ly s is

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB. I Tool/Utility Information Collected/Objectives Achieved User Names: ‫ י‬Administrator ‫ י‬Guest ‫ י‬LANGUARD_11_USER ‫ י‬Martin
‫־‬

j

OphCrack

‫י‬ ‫י‬

Juggyb°y

Jason Slieiela

Rainbow Table Used: Yista free Password Found: ‫ י‬apple ‫ י‬green ‫ י‬qwerty ‫ י‬test
C E H Lab Manual Page 362 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Q u e s t io n s

1. What are the alternatives to cracking administrator passwords? Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 363

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

S y s te m M o n ito rin g U s in g R e m o te E x e c
System hacking i st he s c i e n c e of t e s t i n gcomputers and netnorksfor v u l n e r a b i l i t i e s andplugging. L a b S c e n a r io
^_ Valuable

inform ation___ Test your know ledge

To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners 111 addition to identifying user accounts and shared resources.

*A m

You should also have knowledge of gaining access, escalating privileges, executing W orkbookreview applications, lnding tiles, and covering tracks.
L a b O b je c t iv e s

W eb exercise

The objective of tins lab is to help students to learn how to:
‫י‬

Modify Add /Delete registry kevs and or values

■ Install service packs, patches, and hotlixes ■ Copy folders and tiles Tools ‫ י‬Run programs, scripts, and applications demonstrated in this lab are ■ Deploy Windows Installer packages 111 silent mode available in D:\CEHL a b E n v ir o n m e n t Tools\CEHv8 Module 05 System To earn‫ ־‬out die lab, you need: Hacking ■ Remote Exec Tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\RemoteExec ■ Windows Server 2008 running on the Virtual machine ■ Follow die Wizard Driven Installation steps

C E H Lab Manual Page

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

■ You can also download die latest version of RemoteExec from the link http://www.isdecisions.com/en ■ If you decide to download die latest version, dien screenshots shown 111 die lab might differ ■ Administrative pnvileges to run tools
L a b D u r a tio n

Time: 10 Minutes
O v e r v ie w o f R e m o t e E x e c

RemoteExec, die universal deployer for Microsoft Windows systems, allows network administrators to run tasks remotely.
Lab T ask TASK 1

1. Install and launch RemoteExec.

Monitoring System
RemoteExec
R em otecxec r\am e
f*l demote jobs ^eco‫־‬ter ^ Schedue‫׳‬

‫מ*כ‬ ‫ס־‬ ‫כ‬ 0 ‫ח‬
Albws vou ‫ מ‬corftare. rra-MOt 3rd exeats rerro:e jobs. Albws vou ‫ מ‬dsjMv reco‫׳‬ts or renew executions. Albws vou ro renote executions ard oerie‫׳‬-ate autara .. ConScu‫׳‬e Re*note€xec options.

‫^׳‬ O o to n s
0 3 . System Requirements: Target computers can have any of these operating systems: Microsoft Windows 2003/2008 (No Service Pack is required); an administration console with Microsoft Windows 2003/2008 Service Pack 6, IE5 or more.

,able of contert | |Q uick a:cess |

FIG U RE 10.1: RemoteExec main window

2. To configure executing a file, double-click Remote jobs.

C E H Lab Manual Page 365

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

Ne

: 00B

Virco

rep

‫י‬
£ Q RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (W AN) as well as on remote machines.

‫״‬

Alows you to dtspa,‫ ׳ ׳‬eports 0‫ ׳ ר׳‬errote execj$o 1‫«׳‬. Allows you to soedijte ‫׳‬errote e<ecjto 1‫׳‬s snd generate sutoiia.. Configure RcmotcExcc optoas.

TaDle ofcontert Quick access

Remote execution requirements: The account running RemoteExec needs administrative rights on target computers. Microsoft file and printer sharing (SM B TCP 445) and ICM P (ping) should be enabled. These protocols also need to be allowed in any firewall between the administration console and target computers.

FIG U R E 10.2: RemoteExec configuring Remote jobs

3. To execute a New Remote job, double-click die New Remote job option diat configures and executes a new remote job.
Hie Tool* ]tfndo* Help

& < 5 c n o t c € > c
New rcrrote )cb 5 0 : execu%oo ; Updax rstalafeon 1 - 0 |‫ ®•־‬M SI rstalaMn Systenn acton 1@ ■■ ! !

R em otejo b s
Rem oteExec,‫׳‬Rerrote jobs job My Renote J3bs ote Actons . ranrenaMy Rem ^ MyTarget Com puters Mows you /our favorite rem stej»98 /our favorite rarcte actors. Yout favorite taroet conxiter bts.

f jn tC o e r a k n
Lcca acrouv ‫ ׳‬.

p c p tp “ ■ ;

Mutote aaons j-™ My Renore 30 0s i ^ My Rertore Actors MyTargetCctoj»s ^ : Report‫־‬ :* “T ScredJcr L-4^ Options

EU Configure files to be generated: You see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, “ Document generation,” is available to specify the output files. Select a PD F file to be generated in an existing folder. Make sure that the account running the task has write access to this folder.

Table ofconteni | Q uickaccea

FIG U R E 10.3: RemoteExec configuring New Remote job

4. 1 1 1a New Remote job configuration you can view different categories to work remotely. 5. Here as an example: we are executing die hie execution option. To execute double-click File Execution.

C E H Lab Manual Page 366

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

hie

Tools

Wmiow‫׳‬

Hep

E?
B ‫ ^־־‬:5eno‫־‬ . eE> ec P.enote (061

V

£ ‫יל‬ Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

; Ffc execuSon i 1-0 Update rstalafon j--j^|MSI ratilaaon HfcSyste»ac*>n j-uT F*? Coe‫ ׳‬ason 1 -^‫ ־‬Loca arroinr ‫׳‬rante I ~PCpLp = ‫״‬ MJtcle aeons 5 Nr teoote J>x “ j ^ Mr Rcnote *ctcrc :Nv Taract Ccrojtcn ^ : jfe Reporte‫־‬ ; ‘“ t ScTcdJcr !‫״‬y*Opfcon«

} Q3£ ^0 !■

New remote job
RemoteExeciRefrote jobs/Newrem ote jc

| ) Update retalafion (Si MSI m stalotion {§fcSystem action Fib Ooo‫־‬ation Local account m aintenance S I Popup (5 Multtfe actions

Instil 5Marosoft jadaie reretefy. Instil o Winda^s Instiler > 3 x > qcrsrrctSY• Rcaoot,^Shutoovm ,\V3< rup a eonou» ‫־‬cnotdy. C03y files or faWa5 » cirotc am u K n Chanas the bed xhincbati p e5 s/< 0 »Cand'or doeue a il otho‫־‬local a Dectay 3 nessage to t r jttt ewe*: an t‫־‬ * ,em ote com pute! Execute se!‫׳‬e‫׳‬al actons r one pass.

IraMe QfcontenT| |Quiet access

FIG U R E 10.4: RemoteExec configuring File Execution

6. In the File execution settings, browse die executable file, select Interactive from drop-down list of Context, and check the Auto option.
Using RemoteExec, you can: Install patches, service packs, and hotfixes Deploy Windows Installer packages in silent mode Run applications, programs, and scripts Copy files and folders

Note:

FIG U R E 10.5: RemoteExec File execution settings 0 3 Automated reports: You may want to get all these reports automatically by email each time a scheduled attempt has been done. To do this, follow the steps below

7. Configuring die Filter Section: a. For the OS version, select = from die drop-down menu and specify die operating system. b. For the OS level, select = from die drop-down menu and select Workstation. c. For the IE version, select >= from die drop-down menu and specify the IE version.
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 367

M odule 05 - System H acking

d. For die Service Pack, select = from die drop-down menu and speciiv die service pack version.
hie Tods V/niow Hep

!eia Once installed, RemoteExec aiid its documentation are accessible through die Windows Start menu. By default, RemoteExec is installed in evaluation mode.

3 • • 3 ^ ‫־‬eno:e£>ec 1 1^ Reno* jobs • B ^ Newrarote tfc ! l o Update rstaloton MSI rstalaMn *■: SwteT Kton | 6 -! ..loca( account rvam cena fflpo»M; < ‫ •י‬t+itr*e arm NyR«n»»>90c « ■ :

File execution
RenoteExeqReirote ]0b3/N ewrem ote job/^le executor

^

La-nch

tjfr La/rh ‫חו‬a r»?/» tab [‫§ן‬ Schectie save r My Rorct® Jobs ^ save r K‫׳‬y Rem ote Acsoot Save r My Target C»m put«rc

r-rj)«? C D ra Jo n !

0 OS verson B O S level H K vcr»n

= ■ v .|| vw ndow e 7/2XB * •H j Wortotatoo

^

M v k « n o :»A c tc rc,”

> - H] M * 1 !

Ny ljr jet (.croj'.efc • ls» Reports ScredJcf ^ ! Opton^ - ' *

□Regetry vw kM

□ Oor't e:<e:j:e scan or a com puter wne‫׳‬e tne actor aas ahead/exeo.ee

»‫״‬
C oflnoute‫*׳‬

FIG U R E 10.6: RemoteExec Filter tab C O ln ! e remote job was automatically set with the filter option, “Don’t execute again on a computer where the action was already executed.” So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.

Selecting a Target Computer: Enter die target computer name manually by selecting Name from the drop-down list and clicking OK.
tie

• 5

:cols

vnnoow

‫־‬
File execution
Re‫׳‬roteE>e:/3emote jobs!New ‫־׳‬ errcre job/File execution

B

RenoteExec £ 1 0 Rertote )005 j (‫)־‬ New remote jo fc

____
^ Q? d P Laandi Launch ina new tab Schedule Save n M y‫ ׳‬Remote jx k S5ve n My Remote Actjors ^ Save n My Taraet Cwtdu^s

I MO Update nstabton
| r | 0 MS nstafexn ; Systen actor i‫״‬Cp Fie: Opecttx‫־‬

I qgasssHi
L c x d

rS f aaomtrranKTa... h ■ Poxo =-l§ mJtpfe actons j• ‫ ©■־‬My Reroe Jets Nv Rerote Actons Ny Tarost Cortxters Reaxte‫׳‬ j• • ■ ©Scheduler ; I

‫י‬ • V* O D h o rs

© C onfigure the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select die latest execution, the report is always generated for die latest execution.

X J
FIG U R E 10.7: RemoteExec Add/Edit a computer

9. To execute the defined action on die remote computer, click the Launch option 111 the nglit pane of die window.

C E H Lab Manual Page 368

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

123 Schedule the report: To configure schedule report, click on Schedule in the toolbar and, when prompted select die task that lias been created previously to install Acrobat Reader.

e

:cols

jgndw

‫כאי׳‬

‫־‬ Bf 3
B ‫ | ־‬RemoteExec Renote ;ods 0 ©

• >
File execution
RemoteExec/Refrote jcbs/Mew remote jOD/^e etecuton (JJ: Launch ir e new tab Schsdue Save mNy Renote 3 0 0 5 Efe Save mMy Renote Actiors save mMy Taraet conou:ers

N e w re rro z ejo b 0
j I S Lpictc nstalaton j MSI nstabtoa r‫־‬ ^ | Systen actor j-Cr File Ope-otwr :‫־‬ ‫־‬ tSp L3co ecco1ntn‫־‬ ontenc...

.j ‫־‬:.;:‫־‬

t3

|

j“ fl? PopLp NuDote actiors :■ 1 5 1My Remote Xbs W My Remote *CO O ns My Target C0‫״‬xxters Re00r» S e x ie r V 4 5‫ ׳‬00 ‫כ‬0‫ח‬

□Don't execjte again on a computet v.+ !e‫־‬e the acaon was atreacy executec

___
FIG U R E 10.8: RemoteExec executing the defined action

L a b A n a ly s is

Analyze and document die results related to die lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB. Tool/Utility RemoteExec Information Collected/Objectives Achieved File to Execute: Firefox setup 3-6.13.exe Computer Name: WIN-D39MRSHL9E4

Internet Connection Required □ Yes Platform Supported 0 Classroom 0 1Labs 0 No

C E H Lab Manual Page 369

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

H id in g D a ta U s in g S n o w S te g a n o g ra p h y
S/m ‫׳‬ i susedt oc o r n e a / m e s s a g e sinASCR t e x tbyappen din gn h i t e s p a c et ot h eendof l i n e s .B e c a u s e s p a c e sand t a b sme g e n e / a l l ynotv i s i b l ei nt e x tl i e ne / s ,A / em e s s a g ei sf f e c t i i e l yh i d d e n fmm m s i / a l o b s e r v e r s .At/di ft h eb u i l t i ne n a y p f / o ni su s e d ,f l . 7 em e s s a g ecann otbe/eadevenfi t i sd e t e c t e d . L a b S c e n a r io
VZD Valuable

information

Test your know ledge
m k

W eb exercise

,‫־!־‬, W orkbookreview

Network steganography describes all the methods used tor transmitting data over a network without it being detected. Several methods for liiding data 111 a network have been proposed, but the main drawback of most of them is that they do not offer a secondary layer of protection. If steganography is detected, the data is in plaintext. To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. Tins process requires an active connection to die machine being attacked.
L a b O b je c t iv e s

The objective of tins lab is to help students learn: ■ Using Snow steganography to hide tiles and data ■ Hiding tiles using spaces and tabs
L a b E n v ir o n m e n t

To earn‫־‬out die lab, you need:
^ ‫־‬Tools

‫י‬ ‫י‬

demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

Snow located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Whitespace Steganography\SNOW Run tins tool on Windows Server 2012

■ You can also download the latest version of Snow from the link http:/ / www. darkside.com.ausnow / ■ If you decide to download the latest version, then screenshots shown 111 the lab might ditter

C E H Lab Manual Page 370

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

L a b D u r a tio n

Tune: 10 Minutes
O v e r v ie w o f S n o w

Snow exploits die steganograplnc nature of whitespace. Locating trailing whitespace
111 text is like tinduig a polar bear 111 a snowstorm. It uses die ICE encryption

algoridun, so the name is diematically consistent.
Lab T ask

1. Open a command prompt and navigate to D:\CEH-Tool\CEHv8 module 05 system hacking\steganography\white space steganography\snow 2. Open Notepad and type Hello World! and dien press enter and press die Hyphen key to draw a line below it. 3. Save die tile as readme.txt.
readme -Notepad
The encryption algorithm built in to snow is IC E, a 64-bit block cipher also designed by the author of snow. It runs in 1-bit cipher-feedback (CFB) mode, which although inefficient (requiring a full 64-bit encryption for each bit of output),

F ile E d it Fo rm at V iew H e lp Hello World! 1

FIG U R E 11.1: Contents of readme.txt

4. Type diis command 111 the command slieU : readme2.txt. It is die name of anodier diat will be created automatically. snow -C -m "My swiss bank account number is 45656684512263” p "magic" readme.txt readme2.txt(magic is the password, you can type your desired password also)

C E H Lab Manual Page 371

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

Administrator Command Prompt

‫ ׳ ־ן‬° r * ‫׳‬

E : \ C E H - T o o l s S C E H u 8 M o d u l e 05 S y s t e m H a c k i n g N s t e g a n o g r a p h y \ w h i t e sp a c e s t e g a n o g r a p h y \ S n o w > s n o 1» - C -m ‫״‬M y s u i s s b a n k a c c o u n t n u m b e r is 4 5 6 5 6 6 8 4 5 1 2 2 6 3 " - p " m a g i c" readme.txt readme2.txt C o m p r e s s e d by 23 M e s s a g e e x c e e d e d a v a i l a b l e s p a c e b y a p p r o x i m a t e l y 5 7 1 . 43x. An e x t r a 8 l ines w ere added.

.‫־‬ & '/ '/ .

E:\CEH-Tools\CEHu8 phy\Snow>

Module

05 S y s t e m H a c k i n g \ s t e g a n o g r a p h y \ w h i t e

space

steganogra

FIG U R E 11.2: Hiding Contents of readme,txt and die text in the readme2.txt file

5. Now die data (‘ M y Swiss bank account number is 45656684512263 ” ) is hidden inside die readme2.txt hie with die contents ot readme.txt.
If you want to compress a long message, or one not containing standard text, you would be better off compressing the message externally with a specialized compression program, and bypassing snow's optional compression step. This usually results in a better compression ratio.

6. The contents ot readme2.txt are readme.txt + M y Swiss bank account number is 45656684512263. 7. Now type snow -C -p "magic" Readme2.txt: diis will show die contents of readme.txt.(magic is die password which was entered while luding die data).
Administrator: Command Prompt
E : \ C E H - T o o l s S C E H u 8 M o d u l e 05 S y s t e m H a c k i n g \ s t e g a n o g r a p h y \ w h i t e sp a c e s t e g a n o g r a H phy\Snow>snou -C -m "M y s u i s s b a n k a c c o u n t n u m b e r is 4 5 6 5 6 6 8 4 5 1 2 2 6 3 " - p " n a g i B c" r e a d m e . t x t r e a d m e 2 . t x t ■ Compressed by 23.37X I M e s sage e x c e e d e d a v a i l a b l e s p a c e b y a p p r o x i m a t e l y 5 7 1 . 43x. I An e x t r a 8 lines w ere added. I E : \ C E H - T o n l s \ 0 F H u 8 M n H n l e 05 R u s t e m H a r k i n g \ s t e g a n o g r a p } 1y\l)hite phySSnouI'snow — "magic" Readme2.txt My sw i s s b a n k a c c o u n t n u m b e r is 4 b b b b b U 4 5 1 2 2 6 3 E : \ C E H - T o o l s \ C E H u 8 M o d u l e 05 S y s t e m H a c k i n g \ s t e g a n o g r a p } 1y \ w h i t e space phy\Snow>

Cp

sp a ce steganograH I
I steganograH I

FIG U R E 11.3: Revealing the hidden data of readme2.txt

8. To check die tile 111 a GUI, open die readme2.txt 111 Notepad and select Edit‫ ^־‬Select all. You will see die hidden data inside readme2.txt 111 die form of spaces and tabs.

C E H Lab Manual Page 372

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

readme2 - Notepad File Edit Form at View H elp Hello World!

_

X

(FIG URE 11.4: Contents of readme2.txt revealed with select all option

L a b A n a ly s is

Analyze and document die results related to die lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility Snow Steganography
L a b Q u e s t io n s

Information Collected/Objectives Achieved Output: You will see the hidden data inside Notepad

1. How would you liide the data of tiles widi secret data in other hies? 2. Which encryption is used 111 Snow? Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 373

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

V ie w in g , E n a b lin g , a n d C le a rin g t h e A u d it P o lic ie s U s in g A u d itp o l
Aj i d r i p o l i sa m/mjandi n Windon: 1‫־‬ S e rv er2012,Windows Se rv er2008,and Windows S e r v e r 200J andi sn e q / t h e d j b r q / t e t y i n gorcmfgmigan a u d i t p o l i c yatt h es n b c a t e g o yl e v e l
I C ON KEY

L a b S c e n a r io

I 7 /V aluable inform ation Test your know ledge ** W eb exercise W orkbookreview

To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. Tins process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. You should also have knowledge on gaining access, escalating privileges, executing applications, lndmg tiles, and covering tracks.
L a b O b je c t iv e s

The objective of tins lab is to help students learn: ‫י‬
.^Tools

How to set audit policies

L a b E n v ir o n m e n t

demonstrated in To earn‫־‬out the lab, you need: this lab are ■ Auditpol is a built-in command in Windows Server 2012 available in ■ You can see the more audit commands from the following link: D:\CEHhttp:/ / technet.m1crosott.com/enTools\CEHv8 us /library /cc731451 %28v=ws. 100/029.aspx for Windows Server 2012 Module 05 System Hacking ‫ י‬Run dns on Windows Server 2012
L a b D u r a tio n

Tnne: 10 Minutes

C E H Lab Manual Page

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

O v e r v ie w o f A u d itp o l

Aucftpddisplays information 011 performance and functions to man^xiateaudit policies.
Lab T ask

D isplays the current audit policy.

/g et

1. Select Start

Command Prompt.

2. Administrator: A command prompt will appears as shown in die following figure.
‫־־‬
Administrator: Command Prompt
reserved. M icrosoft Windows tUersion 6.2.8400] <c> 2 0 1 2 M i c r o s o f t C o r p o r a t i o n , fill r i g h t s

/set Sets the audit policy.

C: \ U s e r s \ f l d n i n i s t r a t o r >

/list D isplays selectable policyelem ents.

FIG U RE 12.1: Administrator Command Prompt in windows server 2012

/backup S aves the audit policyto a file.

3. To view all die audit policies, type die following command 111 die command prompt: auditpol /get /category:* 4. Press Enter.

C E H Lab Manual Page 375

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

si

A d m in istra to r: C o m m an d Pro m p t

M icrosoft Windows [Uersion 6.2.8400] r ig h ts reserved. <c> 2012 M icrosoft Corporation. A l l ;

H

/restore R estores the audit policy fromafilethat w as previouslycreated by usingauditpol /backup.

/ clear C lears die audit policy.

/rem ove R em oves all per-user audit policysettings and disables all systemaudit policysettings.

C:\Users\Adnin istra to r> a u d itp o 1 /get /category:♦• System audit p o lic y Category/Subcategory S e ttin g System S e c u r ity System Extension No A uditing Systen In t e g r it y No Auditing No A uditing IPsec D river Other Systen Events No Auditing S e c u r ity Sta te Change No A uditing Logon/Logoff Logon No A uditing Logoff No Auditing Account Lockout No Auditing IPsec Main Mode No A uditing IPsec Quick Mode No Auditing IPsec Extended Mode No A uditing Sp e c ia l Logon No Auditing Other Logon/Logoff Events No Auditing No Auditing Network P o lic y Server User / Device C lain s No Auditing Object Access F i l e System No Auditing R e g istry No Auditing Kernel Object No Auditing SAM No Auditing C e r t if ic a tio n S e rvic es No Auditing A p p licatio n Generated No A uditing Handle Manipulation No Auditing P ile Share No Auditing F ilt e r in g Platform Packet Drop No Auditing F ilt e r in g Platform Connection No Auditing Other Object Access Events No Auditing D etailed F i l e Share No Auditing Removable Storage No A uditing No Auditing C en tral P o lic y Staging P r iv ile g e Use Non S e n s itiv e P r iv ile g e Use No Auditing Other P r iv ile g e Use Events No A uditing S e n s itiv e P r iv ile g e Use No Auditing D etailed Tracking Process Creation No A uditing Process Termination No A uditing DPAPI A c t iv it y No A uditing RPC Events No Auditing P o lic y Change A uth entication P o lic y Change No Auditing Authorization P o lic y Change No Auditing MPSSUC R ule-Level P o lic y Change No Auditing F ilt e r in g Platform P o lic y Change No Auditing No Auditing Other P o lic y Change Events Audit P o lic y Change No Auditing Account Management

< | ___________________ h i ___________________ ____ [ >
FIG U R E 12.2: Auditpol viewing die policies

5. To enable die audit policies, type die following command 111 die command prompt: auditpol /set /category:"system","account logon" /success:enable /failureienable 6. Press Enter.
Administrator: Command Prompt
D i r e c t o r y S e r v ic e C hanges D ire c to ry S e rv ic e R e p lic a tio n D e ta ile d D ire c to ry S erv ic e R e p lic a tio n D ire c to r y S e rv ic e A ccess A c c o u n t Logon K erberos S e rv ic e T ic k e t O p e ra tio n s O t h e r A c c o u n t Lo gon E v e n t s K erberos A u th e n tic a tio n S e rv ic e C re d en tial U alid atio n No No No No No No No No A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g A u d itin g logon1

/ resourceSA C L C onfigures global resource systemaccess control lists (S A C L s).

C :\U se rs\A d m in is tra to r> a u d itp o l / s e t /c a te g o r y : "sy ste m ","a cc o u n t :e n a b le / f a i lu r e :e n a b le The command u a s s u c c e s s f u l l y e x e c u t e d . :: M i s e r s \ A d m i n i s t r a t o r >

FIG U R E 12.3: Auditpol Local Security Policies in Windows Server 2012

C E H Lab Manual Page 376

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

7. To check if audit policies are enabled, type die following command 111 die command prompt auditpol /get /category:* 8. Press Enter.
Auditpol /get [/user[:<usemame> | <{sid [/category:* |<name> |< {g uid}>[,:<name |< {guid}> ...‫ע‬ [/subcategory:* |<name> | < {guid}>[,:<name |< {guid Administrator Command Prompt
‫נ‬: \ U s e r s \ A d n i n i s t r a t o r ) a u d i t p o l /get iysten a u d i t p o l i c y Jategory/Subcategory Systen Security Systen Extension Systen Integrity IPsec D r i u e r O t h e r S y s t e n Eve n t s Security State Change Log o n / L o g o t t Logon Log o f f Account Lockout IPsec Mai n Mode IPsec Q u i c k Mode IPsec E x t e n d e d Mode S p e c i a l L ogon O t h e r L o g o n / L o g o f f Eve n t s Network Policy Server U s e r / D e v i c e Cla i n s Object A c c e s s File S y s t e n Registry Kernel Object SAM Certification Services Application Generated Handle Manipulation F i l e S hare Filtering Platforn Packet Drop Filtering Platforn Connection O t h e r O b j e c t A c c e s s Eve n t s D e t a i l e d Fil e S hare Renovable Storage Central Policy Staging ’r i v i l e g e Use Non S e n s i t i v e P r i v i l e g e Use O t h e r P r i v i l e g e Use Eve n t s S e n s i t i v e P r i v i l e g e Use )etailed T r a c k i n g Pr o c e s s C r e a t i o n Pr o c e s s T e r n i n a t i o n DPAPI A c t i v i t y R P C Eve n t s 5o l i c y Cha n g e Authentication Policy Change A u t h o r i z a t i o n P o l i c y Cha n g e /category:* Setting Success Success Success Success Success No No No No No No No No No No No No No No No No No No No No No No No No and an d and and an d Failure Failure Failure Failure Failure

}> ]]

}>...]] t/ s d ] [A]

[/option:<option name>]

A udit ing Auditing A udit ing Auditing Auditing Au d i t ing Auditing Auditing Auditing Auditing Auditing A u d i t ing Auditing A u d i t ing Auditing Auditing Auditing Auditing Auditing Auditing Auditing Auditing Auditing Auditing

No A u d i t i n g No A udit ing No A u d i t i n g No No No No A udit ing Auditing Auditing Auditing

Auditpol /set [/user[:<usemame> | <{sid } >] [/include] [/exclude]] [/category:<name> |< {gui d}>[,:<name| <{guid}>. ..

No A u d i t i n g No A u d i t i n g

]]

[/success: <enable> |<disa ble>][/failure:<enable> |< disable>] [/subcategory:<name> |<{ guid}>[,:<name | <{guid} > [/success:<enable> | <disa ble>][/failure:<enable> | < disable>] [/option:<option name> /value: <enable> | <disable>]

FIG U RE 12.4: Auditpol enabling system and account logon policies

-]]

9. To clear die audit policies, type die following command 111 die command prompt: auditpol /clear /y 10. Press Enter.

C E H Lab Manual Page 377

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

Adm inistrator: Com m and Prom pt
Com pu te r A c count Management S e c u r i t y Group Management D i s t r i b u t i o n Group Management A p p l i c a t i o n Group Management O t h e r A c co u n t Management E v e n t s DS A c c e s s D i r e c t o r y S e r v i c e Ch an ges D ire c to ry S erv ice R e p lic a tio n D e ta ile d D ire c to ry S erv ice R e p lic a tio n D i r e c t o r y S e r v i c e A c ce s s Account Logon K erberos S e rv ic e T ic k e t O p e ra tio n s O t h e r A c co unt Logon E v e n t s Kerberos A u th e n tic a ti o n S e rv ic e C re d e n tia l U alid atio n C :\U sers\A d m in istrato r)a u d itp o l / c l e a r /y rhe command was s u c c e s s f u l l y e x e c u t e d . C :\U sers\A d m in istrato r> No No No No No No No No No A uditing A u d iting A uditing A uditing A uditing A uditing A uditing A u d iting A u d iting and and and and Failu re Failu re Failu re Failu re

auditpol /list [/user |/category |subcateg ory[:<categoryname> | <{g uid}>|*]]

Success Success Success Success

[/v] [A]

FIG U R E 12.5: Auditpol clearing die policies

11. To check if the audit policies are cleared, type the following command 111 the command prompt: auditpol Iget /category:* 12. Press Enter.
3!

A d m in istrato r: C o m m an d Pro m p t
‫רך‬

Auditpol / set [/user[:<usemame> | <{sid }5 ‫[ ]י‬/include] [/exclude]] [/ category:<11ame> |< {gui d }>[,:<name| <{guid}>...

]]

[/success:<enable> | <disa ble>][/failure:<enable> |< disable>] [/subcategory:<name> |< { guid} >[,:<name | <{guid} >

...]]
[/success:<enable> |<disa ble>][/failure:<enable> |< disable>] [/option: <option 11ame> /value: <enable> |<disable>]

C:\Users\Adninistrator)auditpol /get /category:* Systen audit policy Cateqory/Subcategorv Sett ing Systen No Auditing Security Systen Extension No Auditing Systen Integrity IPsec Driver No Auditing No Auditing Other Systen Events Security State Change No Audit ing Luyun/Luyurf Logon No Auditing No Audit ing Logoff Account Lockout No Audit ing IPsec Main Mode No Auditing IPsec Quick Mode No Auditing IPsec Extended Mode No Auditing Special Logon No Auditing No Auditing Other Logon/Logoff Euents No Audit ing Network Policy Server User / Device Clains No Auditing Object Access File Systen No Audit ing Registry No Auditing Kernel Object No Auditing SAM No Auditing Certification Services No Auditing No Audit ing Application Generated Handle Manipulation No Auditing File Share No Auditing No Audit ing Filtering Platforn Packet Drop No Audit ing Filtering Platforn Connection Other Object Access Events No Audit ing Detailed File Share No Audit ing No Audit ing Renovable Storage No Audit ing Central Policy Staging Privilege Use Non Sensitive Privilege Use No Auditing No Audit ing Other Privilege Use Events Sensitive Privilege Use No Auditing Detailed Tracking Process Creation No Auditing Process Ternination No Auditing No Audit ing DPAPI Activity No Audit ing RPC Events Policy Change Authentication Policy Change No Auditing No Auditing Authorization Policy Change MPSSUC Rule-Level Policy Change No Auditing Filtering Platforn Policy Change No Auditing Other Policy Change Events No Auditing Audit Policy Change No Auditing Account Managenent |< | _______________________ i n ______

=

v 1 >

FIG U R E 12.6: Auditpol clearing die audit policies

C E H Lab Manual Page 378

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

L a b A n a ly s is

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility AuditPol

Information Collected/Objectives Achieved Result open Auditpol Category: ‫ י‬System ‫ י‬Account Logon

Q u e s t io n s

1. How do you configure global resource SACLs using Auditpol? 2. Evaluate a report or backup an audit policy to a comma separated value (CSV) text tile. Internet Connection Required □ Yes Platform Supported 0 Classroom 0 No

C E H Lab Manual Page 379

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

L ab

13
P a s s w o r d R e c o v e r y U s in g C H N T P W .I S O
CHC\TTPU"ISO i s apassnordimveiyt o o l f a r trunson WindowsS e r v e r 2003,WindowsSenw 2008,andWindons 7 V i r t u a l M a c h i n e .
I C ON KEY

L a b S c e n a r io

I 7 /V aluable inform ation Test your know ledge ** W eb exercise W orkbookreview

Nowadays, attacking the password is one of die most straightforward hacking attacks. Passwords are the most common access control method used by system administers to manage the usage of network resources and applications. There are numerous feasible methods to crack passwords. To be an expert etliical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. Tins process requires an active connection to the machine being attacked. A hacker enumerates applications and banners 111 addition to identifying user accounts and shared resources.
111

tins lab, we show you how to erase or recover an admin password using CHNTPW.ISO.
L a b O b je c t iv e s

The objective of tins lab is to help students learn: ■ Recovering the Password of Windows Server 2008 Tools L a b E n v ir o n m e n t demonstrated in this lab are To earn* out die lab, you need: available in ‫ י‬CHNTPW.ISO located at D:\CEH-Tools\CEHv8 Module 05 System D:\CEHHacking\Password Recovery Tools\CHNTPW.ISO\cd110511 Tools\CEHv8 Module 05 System ■ CHNTPW.ISO is tool to recover/erase the administrator passwords for Hacking Windows Server 2008 ■ A computer running with Windows Server 2008 as YirUial Machine
L a b D u r a tio n

Time: 15 Minutes
C E H Lab Manual Page 380 Ethical Hacking and Countermeasures Copyright © by EC-Couucil All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

O v e r v ie w o f C H N T P W .IS O

ONTPWJSOis an offline NT password and registry editor, boot disk/CD.
Lab T ask

1. Start Hyper-V Manager by selecting Start ^ Hyper-V Manager. 2. Before starting diis lab make sure that Windows Server 2008 Virtual Machine is shut down.
£3 Offline N T Password & Registry Editor can delete any password from nearly any installation of Windows almost instantly.

3. Now select Windows Server 2008 Yutual Machine and click Settings 111 die right pane of Hyper-V..
Hyper*V Manager
File Action View Help

H>per-V Mjnager 3 j WIN-DMWR5HL9E4

Virtual Machines

N am e A a feck T rack5 gW in d o w s7

WIN-D39MR5HL9E4
New

Im port V irtual M achine..,
j^l Hypcr-V Settings...

JW in d o w 8

V irtual Sw itchM anager.., .J V irtual S A NM anager... yjL E dit D isk ...
Snapshots
The selected virtual ■ 1aeh»1e has ‫ף‬ Inspect Disk...

(■) StopS ervice
X Remove Server

C " Offline N T Password & Registry Editor simply deletes passwords instead of displaying them making it fast and easy to use.

Q R efresh V itw
U Help

Windows Server2008
Windows Scrvcr2008
■ > ij Connect...

Created: 8/8/201250123P W
Notes: None

Settings...
0 Start

Surtm ay M em cry N etw D rk n g| P .epiccbor

< 1 :

Snapshot ^ M ove... E xoort... fijl R enam e... L D elete...

FIG U R E 13.1: CHNTPW.ISO Windows Server 2008 settings

4. Select D V D drive from IDE controller in die left pane ot Settings tor Windows Server 2008. 5. Check die Image file option and browse for die location of CHNTPW.ISO, and select Apply->OK.
Q No installation in Windows is required making this program an easy alternative to many other password recovery

C E H Lab Manual Page 381

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 05 - System H acking

Settings for Windows Server2008 on WIN-D39MR5HL9E4
Windows Server2008 A Hardware *2]l Acd Hardware

I-HE

4 ‫► ף‬a
Select the controller and location on the coatroler to attach the CD/DVD drive. Controller: Location: 0 Qr use) IDEControler 1

C Offline NT Password & Registry Editor is completely free to download and use.

I Processor 1Virtual processor 0 IDE Controler 0 C J Hard Drive Windows Server2008.vhdx L U S C a m d g i______________ DVD Drive c d llO S ll.is g£j SCSI Controler S 9 Legacy Network Adapter

Media Specify the media to use with ya_r virtual CD/DVD drive. O None (•) Image file: C: \LI8ers\Ad*ninistr a » r ^Pesfctop \cd 110 511Vd 110 511. is

0

Physical CDA)VD drive:

R ealtekP C IeG B EF am ilyC ontr..
COM 1

ffcne
COM2

To remove the virtual CD/D/O drive from the vrtual machne, dick Remove.

f* > n e N one

I t J Diskette Crive ft M anagem ent________________

[T 1N am e
Y V'.ndows Server2008 Inregrabon Services Al services offered Srapshot = ile Location C: V> rogrcmData,Miaosoft\Win.. Smart Pacing File Location C: 'ProgramData 'Microsoft\Win..

f>) ALtomatic Start Action
Restart if previously running

FIG U R E 13.2: CHNTPW.ISO Windows Server 2008 settings &■ Tool will also remove passwords from 64-bit versions of Windows Operating Systems.

6. Now go to Hyper-V Manager and right-click Windows Server 2008. and

select Connect to start Windows Server 2008 Virtual Maclune.

Offline N T Password & Registry Editor works with all popular Windows versions including Windows 7 and more.

FIG U RE 13.3: CHNTPW.ISO Connecting to Windows Server 2008

7. Click die Start ^

button; Windows Server 2008 will start.

C E H Lab Manual Page 382

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

,‫־‬

Windows Server2008 on WIN-D39MR5HL9E4 -Virtual Machine Connection L^_ I ‫ם‬
Media Clipboard View Help

x

File Action

^ |o| ■ > < s >0 II 1 ► fe__________________________________ I

The virtual machine ,Windows Server2008' is turned off
To start the virtual machine, select ’Start’ from the Action menu

I Status; Off

‫י‬

FIG U R E 13.4: starting windows server 2008 O/S

8. After booting, Window will prompt you with: Step one: Select disk where the Windows installation is 9. Press Enter.
1 Windows Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection

I ‫־־‬ I

1 °r x ‫ם‬

‫י‬

F ile A ctio n M e d ia C lip b o a rd V ie w H e lp
W i n d o w s Kegistry L d i t U t i l i t y floppy / cnntpw < c > 1 9 9 7v2 —2 010 Petter H ageno —£ pnordahlPeunet.no G N UG PL license, seeN files n 1 > This utility will enable you too change or blank the password any user (incl. adninistpator) n an W indow sN T/^k/'XP/U i sta of W IT H O U T knowing the old password. Unlocking locked/disabled accounts also supported.

® 0 1 11 ► fo ‫פ‬

L J It works offline, that is, you have to shut down your computer and boot off a floppydisk or CD or another system.

Tested on: N T3.51 &N T 4: Server Workstation, C . A W in2k Prof & toSP3 SP4. Server, Cannot PD change D . XP H o M e « Prof: up to

LI the w ay through the questions installation is Step O N E: Select disk w h e /dev/sda: 17.1 G B, 17179869184 bytes [Please select partition b y nunber or = qu it = automatically start disk drivers

3

Status: Running

B O I
FIG U R E 13.5: CHN TPW JSO Step One

10. Now you will see: Step TW O: Select PATH and registry files; press Enter.

C E H Lab Manual Page 383

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 05 - System H acking

'‫ל‬

Windows Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection

‫ם‬

F ile A ctio n M e d ia C lip b o a rd V ie w H e lp

© © © 0 II 1 ►j i ► ? *
here are several steps to g o through: Disk optional loading disksdrivers PA T H select select, with w here are the N indow sof system File-select, w hat parts ofchange registry w e needfiles stored Then finally the password or registry If changes were M ade, write then back to diskedit itself Step O N E: Select disk w here the M indow s installation is
S ' This is a utility to (re)set the password of any user that has a valid (local) account on your N T system.

,lease select partition b y nunber or q = quit d = Manually automatically start disk drivers m = select disk drivers to load f = fetch additional drivers a= show all partitions foundfron floppy / usb M ounting /dev/sdal. assum ed filesystem type N T FS So, let sfron really check if with it is NTFS?

Step T M O : Select PA T H and registry files D EBU G path: w indow s found as M indow s

L

| Status: Running

____

FIG U RE 13.6: CHNTPW.ISO Step Two

11. Select which part of the registry to load, use predehned choices, or list die tiles with space as delimiter, and then press Enter.
L Windows Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection ‫־־‬ ‫ם‬

F ile A ctio n M e d ia C lip b o a rd V ie w H e lp

< 9@®®0 ^^Tools

II It ife

demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

a show all partitions found 1 == show indow s < N TFS) partitions only Select: C 1‫ נ‬propbable W Selected 1 M ounting /dev/sdal. assum ed filesystem type N T FS So, let's from really check if with it is NTFS?

D EBU G path: w indow s found as M indow s32 D EBU G path: system found as System D EBU G path: found config32 found as config D EBU G path: correct case to be: M indows/System 32/config W hat is the path to the registry directory? (relative to w indc iMindows/System32/configl : D EBU G path: M indow s found as M indow s32 D EBU G path: System 32 found as System D EBU G path: found configcorrect found as config D EBU G path: case to be: M indows/System 32/config hrw xrw xrw x 2 0 0 262 14 4 12:50 C BCD -Tem plate hrw xrw xrw x 2 0 0 29097984 14:30 O M P O N E N T S 14:30 D EFA U LT hrw xrw xrw x 10 0 262 14 4 hrw xrw xrwx 10 0 0 2 0 0 8 Journal H rw xrw xrw x 10 0 8 1 9 2 12:10 S RegBack hrw xrw xrw x 10 0 262 14 4 14:30 A M hrw xrw xrw x 10 0 262 14 4 14:30 SECURITY hrw xrw xrw x 10 0 3 3 8 16 57 6 14:30 SO FT M A R E hrw xrw xrw x 10 0 943 71 84 14:30 SYSTEM hrw xrw xrw x 10 0 4 0 9 6 11:51 T xR [drw xrw xrw x 1 0 0 4 0 9 6 11:51 systemprofi1 e Select which part with of registry todelimiter load! use predef i r or list the files space as 1 ‫ ־‬Password reset [sam system security! 2 RecoveryConso1 3 — - quit - return e toparameters previous [software!

y_

‫־‬ ?A5

__

FIG U R E 13.7: CHN TPW JSO loading registry request

12. When you see: Step THREE: Password or registry edit, type yes (y), and press Enter.
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 384

M odule 05 - System H acking

'‫ל‬
File

Windows Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection I “
Action Media Clipboard Clipboa View Help

n

.® 3 0 1

£ 95

!Select w hichfiles part of registry todelimiter load* use predefined choices nr the as |1 -list Passw ord reset with [sanspace systen m 2RecoveryConsole eters security! [software] fc ‫ ־‬quit - return toparam previous ■Selected files: sa m system security ■ C o p yin g san system security to /tm p
a It works offline, that is, you have to shutdown your computer and boot off a floppydisk or CD. The bootdisk includes stuff to access N TFS and FAT/FAT32 partitions and scripts to glue die whole thing together.
j~ S te p ~ T H R E E | k h n tp w P a s s w ° r d o r r e g i itr y e d i t~ ~

‫ו‬
a a l

v e rs io n .9 9 .6 110511 , <c> P e t t e r NH a g e n fejive S ftM > n a m e0 (from lieader): N System R o ot\Sys tem 32 \C onf ig N M ) ■ R O O T< K EY at offset: 0 x 0 0 1 0 2 0*< SubKey indexing type is: 6 6 6 cSA (If) wile size 2 6 2 1 4 4 (4 0 0 0 0 1 bytes, containing 6 pages < ♦ headerpage) ■ U se d for data: 2 50 /2 08 00 blocks/bytes, unused: 1 4 /3 5 8 41 blocks/bytes. Live S Y ST E M >n a m e (from header): < S V S T E M > ■ R O O T( K EY at offset: 0 x 0 0 1 0 2 0 « Subkey indexing type is: 6 8 6 c < lh > wile size 9 4 3 7 1 8 4 (9 0 0 0 0 0 1 bytes, containing 2 1 6 4 pages (♦ 1 headerpage) Elsed for data: 1 0 0 2 1 1 /5 9 3 7 6 8 8 blocks/bytes, unused: 4 6 2 1 /3 2 7 8 6 9 6 blocks/bytes. hive (SECURITY) n a m e (from header): < e m R o o t\Sys tem 32 \C onf i gN SEC U ■ R O O TK EY at offset: 0 x 0 0 1 0 2 0 ‫ א‬Subkey indexing type(♦ is: 6 6 c (If)RITY> wile size 2 6 2 1 4 4 (4 0 0 0 0 1 bytes, containing 6 pages 16 headerpage) H Jsed for data: 4 0 6 /2 2 2 7 2 blocks/bytes, unused: 5 /2 1 1 2 blocks/bytes. ■ * »S A M policy limits: wailed loginsord before lockout is M inim um length ■ Passw ordpassw history count ■ (> = = = = = = = = < > chntpw M ain Interactive M e n u< > = Loaded hives: < SA M ) (SYSTEM ) (SECURITY) I 1 - Edi t user data and passw ords 9 ‫ ־‬Registry o w with write support♦ < 1Quit (youeditor, will b en asked if full there is som ething to save) W hat to do? Cl1

L

Status: Running

FIG U R E 13.8: CHNTFW.ISO Step Three

13. Loaded hives: <SAM><system><SECURITY> 1— Edit user data and passwords 9— Registry editor, now widi hill write support! Q— Quit (you will be asked if diere is something to save) 1 1 1What to do? the default selected opdon will be [1]. Press Enter.
'‫ל‬
File

Windows Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection
Action Media Clipboard View Help

L“ 1‫ם‬

Q CEH-Tools is also Mapped in Virtual Machine as Network Drive Z:

| Step TH REE: Password or registry edit ■ ch n tp w version 1 1 0 5 1 1, < (c) Petter NSystem H ag en 32\Config\SAM ■live (SA M > n a m e0.99.6 (from header): \System RootN > ■ R O O T K EY at offset: 0 x 0 0 1 0 2 0* ■Subkey indexing type(♦ is: 6 6 6 c< lf> ■File 2 6 2 1 4 4 (4 0 0 0 0 1 bytes, containing 6 pages headerpage) Used size for data: 2 5 0 /2 0 8 0 0 blocks/bytes, unused: 1 4 /3 5 8 41 blocks/bytes. Live EM > n a m e (from header): < SYSTEM ) ■ R O O T (SYST K EY at offset: 0 x 0 0 1 0 2 0 * Subkey indexing type is: 6 8 6 c < lh > wile size 9 4 3 7 1 8 4 1 9 0 0 0 0 0 1 bytes, containing 2 1 6 4 pages (♦ 1 headerpi ■ U se d for data: 1 0 0 2 1 1 /5 9 3 7 6 8 8 blocks/bytes, unused: 4 6 2 1 /3 2 7 8 6 9 6 bloc Live (SECURITY> n a m e (from header): < em Root\System 32\ConfigN SECURITY: ■ R O O T size K EY at offset: 0 x 0 0 1 0 2 0* * Subkey indexing type(♦ is: 6 6 c (If) Wile 2 6 2 1 4 4 (4 0 0 0 0 1 bytes, containing 6 pages 16 headerpage) Used for data: 4 0 6 /2 2 2 7 2 blocks/bytes, unused: 5 /2 1 1 2 blocks/bytes. password history count : 0 k> = = = = = = = = < >chntpw M ain Interactive M e n u< > = Loaded hives: < S A M > (SYSTEM ) < SEC U R IT Y > I 1 - Edi t user data an d passw ords M hat to do? I l l >y K> = = = = = = = = < >chntpw M ain Interactive M e n u< > = Loaded hives: (SAM ) (SYSTEM ) < SEC U R IT Y > 1 - Edi t user data and passw ords W h at to do? [11 >
Status: Running

FIG U RE 13.9: CHNTPW.ISO loading hives

C E H Lab Manual Page 385

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

14. 1 1 1chntpw Edit User Info & Passwords, press Enter to enter the user name to change
W i n d o w sS e r v e r 2 0 0 8o nW I N D 3 9 M R 5 H L 9 E 4V i r t u a lM a c h i n eC o n n e c t i o n
File A ction M edia Clipboard V iew Help

E C j N Ts t o r e si t su s e r i n f o r m a t i o n ,i n c l u d i n g c r y p t e dv e r s i o n so ft h e p a s s w o r d s ,i naf i l ec a l l e d ' s a m ' ,u s u a l l yf o u n di n \ w i n n t \ s y s t e m 3 2 \ c o n f i g . T h i sf i l ei sap a r to fd i e r e g i s t r y ,i nab i n a r yf o r m a t p r e v i o u s l yu n d o c u m e n t e d , a n dn o te a s i l ya c c e s s i b l e .

«

0 (*)® O

III I► I ife ‫צ‬
M a in In t e r a c t iv e M enu <> =

: > == ======< > c h n t p w ,o a d e d 1 h iv e s : < SAM > d a ta

< SYSTEM > and

< S E C U R IT Y >

— Ed i t

u se r*

p a ssw o rd s

hat

to

do?

Cl J

->

y M a in In te r a c tiv e M enu <> =

>========< > c h n t p w saded 1 h iv e s : Ed i t < SA M > d a ta

< SYSTEM > and

< S E C U R IT Y >

u se r

p a ssw o rd s

hat

to

do?

[1 3

->

y M a in In te r a c tiv e M enu <>=

> ========<> saded 1 9 h iv e s : Ed i t

c h n tp w < SA M > d a ta

< SYSTEM > and

< S E C U R IT Y >

u se r

p a ssw o rd s w ith f u ll w rite si

R e g is t r y

e d it o r ,

now

Jh a t

to

do?

I l l E d it U ser In fo A d h in ? A D M IN !Lock? —

c h n tp w

--------------- U s e r n a w e — A d h in i s t r a t o r Gues t I U S R _ W I N —U L Y 8 5 8 K H Q I P ? 1e c t : f — <j|ui t .

• d is / lo c k w ith R ID (h e x )

U ser

SD i s a b l ey o u rs o f t w a r e f i r e w a l l( N o r t o nI n t e r n e t S e c u r i t yi so f t e nt h e c u l p r i t ) .

I Status; Running

F IG U R E1 3 . 1 0 :C H N T P W . I S Oc h n t p w E d i tU s e rI n f o&P a s s w o r d s

15.

1 1 1the User Edit Menu: 1— Clear (blank) user password 2— Edit (set new) user password (careful with tins on XP or Vista) 3— Promote user (make user an administrator) 4— Unlock and enable user account [seems unlocked already] q— Quit editing user, back to user select The default option, Quit [q], is selected. Type 1 and press Enter.

C E H Lab Manual Page 386

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

R
I File

W i n d o w sS e r v e r 2 0 0 8o nW I N D 3 9 M R 5 H L 9 E 4V i r t u a lM a c h i n eC o n n e c t i o n
A Action ctior M edia Clipboard V iew Help

‫־‬ ‫ם ־‬

U
I I

j

lo ®
ch n tp w < SA M > d a ta M a in In t e r a c t iv e M enu <>========<> h iv e s : E d it < SYSTEM > and < S E C U R IT ¥ > u se r p a ssw o rd s w ith f u ll w rite su p p o rt?

■<> == = == == = <> Lo ad e d 1 9

R e g is t r y

e d it o r ,

now

M hat =====

to

do?

C13 E d it U se r In f o & P a s s w o rd s ====

c h n tp w

--------------U se rn a n e — A d n in i s t r a t o r G ues t IU S R _ M IN - U L Y 8 5 8 K H Q IP (S e le c t : f lo r s im p ly - Q u it, . e n t e r th e - lis t u se rs , 0 x < R ID > - U s e r w it h R ID u se rn a n e to c h a n g e : [ A d n in is t r a t o r l (h e x )

C" D i s a b l ea l l" d o w n l o a d a c c e l e r a t o r "p r o g r a m s ;t h e y w i l lm o r et h a nl i k e l y c o r r u p ty o u rd o w n l o a d .

[R ID Ils e r n a M e !fu ll nane Ic o M M e n t b io M e d i r

B u ilt - in

acco u n t

fo r

a d n in is t e r in g

th e

c o M p u te r/ d o n a in

■A ([ 1[ 1C It 1C

ccount b it s : 0x0010 ‫ נ‬D is a b le d ‫ נ‬Tenp. d u p lic a t e 1 D o n a in tru s t ac 1 Pw d d o n ‫ ״‬t e x p ir 3 (u n k n o w n 0 x 1 0 )

‫נ‬ X I 1 1 ]

H o n e d ir r e q . N o rn a l a cco u n t W ks t r u s t a c t . A u to lo c k o u t (u n k n o w n 0 x 2 0 )

1 I 1

S rv tru s t a c t ( u n k n o w n 0x08> 1 1 (u n k n o w n 0 x 4 0 )

Passw d n ot re q . NMS a c c o u n t

■- — — - U s e r E d i t M e n u : 1 1 ‫ ־‬C le a r (b la n k ) u s e r p a ssw o rd I 2 — E d it (s e t n ew ) u s e r p a ssw o rd (c a r e fu l w ith t h is ■ 3 — P ro n o te u s e r (n a k e u s e r an a d n i n i s t r a t o r ) ■ (4 - U n l o c k a n d e n a b l e u s e r a c c o u n t) E s e e n s u n lo c k e d I q — Q u it e d i t in g u se r, back to u s e r s e le c t !? e le c t : tg 3 > 1 _

on

XP

o r

U is ta )

a lr e a d y ]

Status: Running

a n
F IG U R E1 3 . 1 1 :C H N T P W J S OU s e !E d i tM e n u

16. Type ! after clearing die password of die user account, and press Enter.
'‫ל‬
File

W i n d o w sS e r v e r 2 0 0 8o nW I N D 3 9 M R 5 H L 9 E 4V i r t u a lM a c h i n eC o n n e c t i o n
A ction M edia Clipboard V iew Help

‫ם‬

1

-

E d it

u se r

d a ta

and

p a ssw o rd s

lh a t :====

to

do?

C13 E d it U se r In fo P a s s w o rd s === =

ch n tp w

--------------U se rn a n e — Adni n i s tra to r G ues t IU S R _ M IN - U L Y 8 5 8 K H Q IP

Is e r n a n e u l 1n a n e :o n n e n t to n e d i r

B u ilt - in

acco u n t

fo r

a d n in is t e r in g

th e

c o n p u t e r / d o n a in

s e r is n en b e r o f 1 g ro u p s: 10000220 = A d n in is t r a t o r s (w h ic h A ccount b it s : 0x0010 3 D is a b le d 3 Tenp. d u p lic a t e 3 D o n a in tru s t ac 3 Pw d d o n ‫ ״‬t e x p ir 3 (u n k n o w n 0 x 1 0 ) = J ! ' 5 • ‫נ‬ X I ‫נ‬ 1 3

has

1

n e n b e rs) 1 1 1 I 1 Passw d NMS a c c S rv tru (u n k n o w (u n k n o w not ou n s t n 0 n 0 re q . t a ct x08) x40)

H o n e d ir r e q . N o rn a l a cco u n t W ks t r u s t a c t. A u to lo c k o u t (u n k n o w n 0 x 2 0 )

‫־‬

- - - U s e r E d it M enu: 1 — C le a r (b la n k ) u se r 2 - E d it (s e t new ) u s e r 3 - P ro n o te u s e r (n a k e (4 ‫ ־‬U n lo c k a n d e n a b le u q - Q u it e d it in g u se r, S e le c t : Cg3 > 1 P a s s w o rd c le a r e d * S e le c t : ♦ - Q u it , ) r s in p lM e n t e r th e

p a ssw o rd p a ssw o rd (c a re fu l w ith th is u s e r an a d n in is t r a t o r ) s e r a c c o u n t) C s e e n s u n lo c k e d back to u s e r s e le c t

on

XP

o r

U is ta )

a lr e a d y 3

- lis t u se rs , 0 x < R ID > - U s e r w i t h R ID u se rn a n e to c h a n g e : C A d n in is t r a t o r 3 t

(h e x )

L

Status: Running

F IG U R E1 3 . 1 2 :C H N T P W IS OP a s s w o r d C l e a r e d

17.

Load hives:

<SAM><system><SECURTTY>

1- Edit user data and passwords 9 - Registry editor, now with full write support!
C E H Lab Manual Page 387 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

Q— Quit (you will be asked if there is something to save) 1 1 1What to do?, the default selected option will be [1]. Type quit (q), and press Enter.
‫לי‬
Q C E H -T o o ls is als o M a p p e d in V irtu a l M a c h in e as N e tw o rk D rive Z:
File

W i n d o w sS e r v e r 2 0 0 8o nW I N D 3 9 M R 5 H L 9 E 4V i r t u a lM a c h i n eC o n n e c t i o n
A ction M edia Clipboard V iew Help

‫ם‬

Ji 0 @ © 0 n \> h
01f 5 03e8 ; : ! H d n in is tp a to r G uest IU S R _ W IN - U L Y 8 5 8 K H Q IP th e R ID U se rn an e f u lln a n e cohhent u se rn a n e to change: [A d n in is t r a t o r l

honedir
A cco C 1 [ 1 [ 1 [ ‫נ‬ C 1

B u ilt - in

acco u n t

fo r

a d M in is t e r in g

th e

c o w p u te r / d o M a in

A d n in is t r a t o r s unt h it s : 0x0010 D is a b le d T en p . d u p lic a t e D o n a in tr u s t ac Pw d d o n ' t e x p ir (u n k n o w n 0 x 1 0 ) I 1 1X1 C 1 C 1 t 1

(w h ic h

has

1

nenbeps) I [ E [ I 1 1 1 1 1 Passw d n ot NMS a c c o u n S rv t p u s t <u n k n o w n 0 (u n k n o w n 0 peq. t a ct x88) x40)

H o n e d ir * p e q . NoPM al a cco u n t M ks t r u s t a c t. A u to lo c k o u t (u n k n o w n 0 x 2 0 )

— — — U s e r E d it M enu: 1 - C le a r (b la n k ) u s e r p a ssw o rd 2 — E d it (s e t n ew ) u s e r p a ssw o rd (c a r e f u l w it h t h is 3 - P ro n o te u s e r (n a k e u s e r an a d n i n i s t r a t o r ) (4 - U n lo c k a n d e n a b le u s e r a c c o u n t ) [s e e n s u n lo c k e d q - Q u it e d it in g u se r, back to u s e r s e le c t S e le c t : [q ] > 1 P a s s w o rd c le a r e d ♦

-

on

XP

o r

U is ta )

a lr e a d y !

[ > === = = = = = < > c h n t p w saded 1 h iv e s : (S A M ) d a ta

M a in

In t e r a c t iv e

M enu

<> = = = = = = = = <>

( SYSTEM ) and

(S E C U R IT Y )

— Ed i t

u se r

p a ssw o rd s

M hat

to

do?

t i l

‫> ־‬

Status: R unning

[£ Z yT o o ls demonstrated in this lab are available in D :\ C E H Tools\CEHv8 Module 0 5 System Hacking

F I G U R E1 3 . 1 3 :C H N T P W J S Ol o a d i n g h i v e sQ u i to p t i o n 1 8 . 1 1 1Step FOUR: Writing back Changes, About to write file(s) back! D o it?,

here die default option will be [n]. Type yes [y] and press Enter.
‫לו‬
File

W i n d o w sS e r v e r 2 0 0 8o nW I N D 3 9 M R 5 H L 9 E 4V i r t u a lM a c h i n eC o n n e c t i o n I— .‫ם‬
Action M edia Clipboard View Vi! Help

< $ © ® © 0 II 1 ► fe
■ A ccount b i t s : 0x0010 D is a b le d IE ‫ נ‬T en p . d u p lic a te 1[ ‫ כ‬D o n a i n tr u s t ac IE 3 Pw d d o n ‫ ״‬t e x p ir [ 1 (u n k n o w n x )

B u ilt- in

account

i o r

a d n in is t e n n g

th e

c o n p u te r / d o n a in

It 1

1

0 18

I 1 [X 3 [ 1 I 1 C 1

H o n e d ir r e q . N o rn a l a cco u n t M ks t r u s t a c t . A u to lo c k o u t (u n k n o w n 8 x 2 0 )

1 3 1

Passw d n ot peq. NM S a c c o u n t Srv tru s t act

1 (4 ‫ ־‬U n lo c k a n d e n a b l e u s e r a c c o u n t ) I q - Q u it e d it in g u s e r , b a c k to u s e r B e le c t : [q l ) 1 ■ Passw o rd c le a r e d *

C seens s e le c t

u n lo c k e d

a lr e a d y !

U ser

w it h

R ID

(h e x )

()= = = = = = = = < > Loaded 1 ‫־‬ h iv e s : E d it

c h n tp w (S A M ) d a ta

M a in

In te r a c tiv e

M enu

< )=

(S Y S T E M ) and

< S E C U R IT Y >

u se r

p a ssw o rd s

IS t e p _ F O U R ^ _ M r it in g _ b a c k _ c h a n g e s About to w rite f ile (s ) back♦ Do it ? [n ] : y_

Status: Running

.0 A
F IG U R E1 3 . 1 4 :C H N T P W . I S OS t e p F o u r

C E H Lab Manual Page 388

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

19. The edit is completed.

Q It w o r k so f f l i n e ,t h a ti s , y o uh a v et os h u t d o w ny o u r c o m p u t e ra n db o o to f fa f l o p p y d i s ko rC Do r a n o d i e rs y s t e m .

F I G U R E1 3 . 1 5 :C H N T P W J S OE d i tC o m p l e t e d

20. Now turn off die Windows Server 2008 Virtual Machine. 21. Open Hyper-V Manager settings of Windows Server 2008 and change die D V D drive option to None from IDE Controller 1 and then select click
^ Apply ‫>״‬ O K .
Settings for W indows Server2008 on WIN-D39MR5HLSE4
Windows Server2008 Hardware Add Hardware |K> BIOS Boot from CD M Memory 1024 NB Select the controller and ocation on the controler to afcach the CD/DVD drive. Controller: IDE Controller 1 Media Specify the media to use with y a r virtual CD/DVD drve. | © None O Image fie: C: VJsers\Adm«strator'PesktopVd 11051 l\cd 11051 l.iso Location: 0 On use]

y z rx ‫׳‬

4 ► (i
DVD Drive ■

DProcessor
1Virtual processor 3 W IDE Cor troiler 0 (_4 Hard Drive Windows Server2008. vhdx - «U I0e Cortrotgr 1 ______________ * ‫ י‬DVD Drive None 5 3 Li SCSI Ccntroler

O Physical CDA>VD dive: |Drive •F:' v|

Q C E H -To ols is als o M a p p e d in V irtu a l M a c h in e as N e tw o rk D rive Z:

Q Legacy Network Adapter Realtek PCIe GBE Family Contr... ^ COM 1 None COM2 None U Diskette Drive None

To remove the virtual CD10VD drive from this virtual ma±1 ine, dick Remove.

Management__________________ ( L Name Windows Server2008 Integraaon Services Al services offered Snapshot File Location C: V*rogramOatay1iCT0soft\Win.. ‫ | י‬Smart Paging File .ocabon C: V^ogramOatayiicrosoftVfVin.. £ ) Automatic Start Action Restart if previously running

F IG U R E1 3 . 1 6 :C H N T P W . I S OW i n d o w sS e n d e r2 0 0 8 S e t r i ! 1 g s
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 389

Module 0 5 - S y ste m H acking

22. Go to Windows Server 2008 Virtual Maclune, and click the Start button.
' * ‫ ־‬W i n d o w sS e r v e r 2 0 0 8o nW I N D 3 9 M R 5 H L 9 E 4V i r t u a lM a c h i n eC o n n e c t i o n I‫־‬ ‫־‬I‫ם‬
File Action M edia Clipboard View Help

x

' S[ 0 ]i )9 0 II I1 ►f c >

The virtual machine , Windows Server2008' is turned off
To start the virtual machine, select 'Start' from the Action menu

F IG U R E1 3 . 1 7 :s t a r t i n g w i n d o w ss e r v e r2 0 0 8

23. Windows server 2008 boots without requiring any password.

F IG U R E1 3 . 1 8 :W i n d o w sS e r v e r2 0 0 8 W i n d o w

C E H Lab Manual Page 390

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

Lab A n a ly sis
Analyze and document the results related to the lab exercise.

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

Tool/Utility CHNTPW.ISO

Information Collected/Objectives Achieved Machine Name: Windows server 2008 Output: Log into Windows Server 2008 without entering the user name and password

Q u estio n s
1. How do
you

configure

CHNTPW.ISO

111

Windows Server 20 08 Virtual

Machine Settings?

Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 391

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Lab

User System Monitoring and Surveillance Needs Using Spytech SpyAgent
Spytech SpyAgent is powerful computer spy sojhrare that allons you to monitor everything users do on your computer, in total stealth. SpyA gent prorides a large array o f essential computer monitoring features, as well as website, application, and chat client blocking, lockdown scheduling, and remote delivery o f logs via email or FTP.
I C O N K E Y

Lab S cen a rio
Today, employees are given access to computer, telephone, and other electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees also are given laptop computer and wireless phones they can take home and use for business outside the workplace. Whether an employee can claim a reasonable expectation of privacy when using such company-supplied equipment 111 large part depends upon the steps die employer has made to minimize that expectation.
1 1 1 tins lab, we explain monitoring employee or student activity‫ ״‬using Spytech

/ V a lu a b le in f o r m a t io n

Test your k n o w le d g e

W e b e x e r c is e

m

W o r k b o o k r e v ie w

SpyAgent.
& Tools demonstrated in this lab are available in D :\ C E H Tools\CEHv8 Module 0 5 System Hacking

Lab O b jectives
The objective of this lab is to help smdents use Spytech and the SpyAgent tool. After completing tins lab, smdents will be able to: ■ Install and configure Spytech SpyAgent ■ Momtor keystrokes typed, websites visited, and Internet Traffic Data

Lab Environm ent
To perform the lab, you need:
C E H Lab Manual Page 392 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

■ A computer running Windows Server 2012 ■ Administrative pnvileges to install and mil tools ■ Run tins tool 111 Windows Server 2012 ■ You can also download Spytech SpyAgent from http://www.spytechweb.com/spyagent.shtml ■ II you decided to download the latest version, screenshots may differ

Lab Duration
Time: 15 Minutes

O verview of Sp ytech SpyA gent
SpyAgent is a powerful solution that can log all keystrokes, emails, windows, websites, applications, Internet connections, chat conversations, passwords, print jobs, documents viewed, and even screenshots. SpyAgent runs 111 complete stealth with optional email delivery and logging and lockdown scheduling. SpyAgent also features powerful filtering and access control feauires, such as Chat Blocking (to restnct access to chat software), Application Blocking (to prevent specific applications from being executed), and Website Filtering.

Lab T a sk s
The basic idea in diis section is to: 1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System
TAS K 1
Installation of Spytech SpyAgent Hacking\Keyloggers\Spytech SpyAgent

2. Double-click Setup.exe. You will see die following window. Click Next.
Spytech SpyAgent Setup

m Y o uc a nd o w n l o a d t h es p y t e c hS p y A g e n tf r o m
http:/ / uww.spytech-web.com N ext >
F IG U R E1 4 . 1 :I n s t a l l a t i o n o fS p y t e c h S p y A g e n t

Cancel

C E H Lab Manual Page 393

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

3. The Welcome wizard of Spytech SpyAgent setup program window appears; read die instructions and click Next.
Welcome Welcom e tothe Spytech SpyAgent Setup p ro g ra m . This p ro g ra mw ill in stall Spytech SpyAgent o nyou r co m p u te r. It is stro n g ly reco m m en d ed thatyou e x it a llWindows p ro g ram sb efore ru n n in g th is Setup p ro g ra m . C lick Cancel toq u it Setup and then close any p ro g ram syou have ru n n in g . C lick N ext tocontinue w ith the Setup p ro g ra m . WARNING: This p ro g ramis protected b y co p yrigh t lawand in tern atio n al treaties.

fA g m ?
U nauthorized rep ro d u ctio no rd istrib u tio no f th is p ro g ram ,o r any p o rtio no f it, m ay resu lt insevere civil and crim in al penalties, and w ill be prosecuted to th em a x im u mex ten tp ossib le u n der law .

<Back

N ext >

Cancel

F IG U R E1 4 . 2 :I n s t a l l a t i o n w i z a r d o fS p y t e c h S p y A g e n t

4. The Important Notes window appears, read die note and click Next
Important Notes Spytech SpyAgent BuildVersion 7 .5 6 .1 2 C o p yrig h t Spytech Software and D esign, Inc. 2 0 0 0 2 0 1 2 .

m A c t i v eM o d e :t h i s o p t i o na l l o w sS p y A g e n tt o b es t a r t e d i nm o n i t o r i n g m o d ew h e niti so p e n e dn on e e df o rm a n u a l l y s t a r t i n g i t sm o n i t o r i n g

w w w .sp ytech -w eb .co m What is Spytech SpyAgent? Spytech SpyAgent is a p ow erfu l and e a syto u se softw are u tility th at allow syou tolo g all keystrokes typed, w indow s and ap plications launched, w ebsites visited, passw ords used, icq/m sn /yah o o /aim conversations, and even a ll in tern et connections m ad e. A ll lo g s are easily view ed w iththe b u ilt inlo gview ers and can be saved toa convenient, easily viewed te x t fo rm a t fo re m ail tran sfer(b u ilt in )o r p rin to u ts. SpyAgent can also capture all em ails, as w ell as capture screenshots o f the desktop a t set tim e in tervals. SpyAgent can be ran o nw indow s startu pinactive m o n ito rin gm o d e

<Back
F IG U R E1 4 . 3 :I n s t a l l a t i o n w i z a r d

N ext >

Cancel

5. 6.

The Software License Agreement window appears; you must accept the agreement to install Spytech SpyAgent. Click Yes to continue.

C E H Lab Manual Page 394

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Software License Agreement Please read the fo llo w in g LicenseA greem ent. Press the PAGE DOWN key tosee th e rest o f th e ag reem en t. License 1 . You m ay use the p ro g ramo n a sin g le co m p u ter at one tim e . You m ay n o t copy the p ro g ra man d accom panying m aterials except fo r backup purp oses touse insu p p o rt o fu sin g the p ro g ra mo na sin g le m achine at one tim e . 2 . You m ay o n ly in stall th is softw are o n a co m p u ter th at you o w n, o ro n a co m p u ter fro mw hichyou have consent o f the ow ner to in stall th is so ftw are. 3 . You m ay n o tm ake copies o f th ep ro g ra mfo r sale o rd istrib u tio n . 4 . This softw are is copyrighted, andall rig h ts th erein are reserved fo r Spytech Softw are. Purchase o f D oyou accept all th e te rm so f th ep receding LicenseAgreem ent? Ifyou choose N o, Setup w ill close. T0 in stall th is p roduct, you m u st accept th isag reem en t.

Prin t

<Back
F IG U R E1 4 . 4 :S e l e c tt h e A g r e e m e n t

Yes

N o

7. 8.

Choose die Destination Location to install Spytech SpvAgent. Click Next to continue installation.
Choose Destination Location Setup w ill in stall Spytech SpyAgent inthe fo llo w in gd irecto ry.

‫ו דו‬

m S t e a l t hM o d e :t h i s o p t i o na l l o w sS p y A g e n tt o r u ni nt o t a ls t e a l t h . C o m b i n e dw i t h'A c t i v e M o d e 't h es o f t w a r ew i l l l o a da n dr u ni nm o n i t o r i n g m o d ei nc o m p l e t es t e a l t h

T0in stall to th is d irecto ry, click N ex t. T0in stall to a d ifferen td irecto ry, click Brow se and select an oth er d irecto ry. You can choose n o t toin stall Spytech SpyAgent, b y clicking Cancel toe x it Setup.

D estination D irecto ry C :\ProgramFiles (x8G )\Spytech Softw areVSpytech Sp

Brow se..

Space Required: 3 0 4 8K SpaceAvailable: 5 2 3 1 7 3 6K <Back N ext > Cancel

F IG U R E1 4 . 5 :S e l e c t i n g f o l d e rf o ri n s t a l l a t i o n

9.

Select SpyAgent installation type, and select Administrator/Tester die setup type.

10. Click Next.

C E H Lab Manual Page 395

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Select SpyAgent Installation Type Click the type o f Setupyou p refer, then click N e x t. A dm in istrato r/Tester Pro g ramw ill be in stalled w ith the all softw are o p tio n s■ and accessible viaW indows start m e n u . This is reco m m en d edalso fo r new u sers! H elp d ocum ents are in stalled . C Stealth Installation Programw ill be in stalled w ith m in im u mreq u ired o p tio n s and n o shortcuts included inW indows start m en u . Also HELP D ocum ents ate N O T INSTALLED.

Space R equired: 3 0 4 8K Space Available: 5 2 3 1 5 7 6K <Back
F IG U R E1 4 . 6 :s e l e c t i n g i n s t a l l a t i o n t y p e

N ext >

Cancel

11.
m S p l a s hW a r n i n g : T h i so p t i o na l l o w sy o ut o d i s p l a yam e s s a g et ot h e u s e rw h e nS p y A g e n ti s s t a r t e d .T h i sm e s s a g ec a n b ec o n f i g u r e di nt h e A d v a n c e dS e t t i n g s ‫־‬ > S p l a s hS c r e e nw i n d o w

The Ready to Install window appears. Click Next to start installing Spytech SpyAgent.
Ready To Install Setup n owhas enough in fo rm atio ntosta rt in stallin g Spytech SpyA gent. C lick Back tom ake any changes b efore co n tin u in g . Click Cancel toe x it Setup.

<Back
F IG U R E1 4 . 7 :R e a d y t o i n s t a l lw i n d o w

N ext >

Cancel

12. It will prompt for include an uninstaller. Click Yes.
Spytech SpyAgent Setup

£

Would you like to include an uninstaller?

Yes

No

F IG U R E1 4 . 8 :S e l e c t i n ga nu n i n s t a l l e r
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C E H Lab Manual Page 396

Module 0 5 - S ystem H acking

1 3 .

A Notice For Antivirus Users

window appears; read die text click Next.

^

"

A NOTICE FOR ANTIVIRUS USERS M odern an tiviru sp ro g ram s can detect a w ide range o fp o ten tially d angerous p ro g ram s. This n o rm a llygoes fa rb eyond trad itio n al viruses and w o rm s andoften includes heuristic alerts, w hich basically m ean s thatyou can get alerts and w arn in gs w hen an antivirus p ro g ram"thinks it could be" so m e th in g . These w arn in gs sh o u ld be expected fo r the fo llo w in g types o f applications: • Software th at lo gs o r captures keystrokes • Software th at m o n ito rs u ser activity -Software th at allow syou torecover passw ords o ro th er p ersonal data ■ Software th at m o n ito rs o r lo gs Internet o rn etw ork activity Since SpyAgent can d o all o f the above, so m e an tiviru s solu tio n sm a y d eemSpyAgent as ,p oten tially h arm fu l' o r a 'tro jan 'd espite it b eing a leg itim ate to o l tom o n ito ryo u r co m p u ter (and u sers). With a ll Spytech softw are, you can b e sure o u r prod u cts are 1 0 0 %safe touse and v iru sfre e . If you ru nin toany "trojan" related w arn in gs, it is very likely tob ea

L o gL o c a t i o n :t h i s a l l o w sy o ut os p e c i f yw h e r e y o uw a n tS p y A g e n tt os t o r e i t sa c t i v i t yl o g s .F o r W i n d o w sN T / 2 0 0 0 / X P s y s t e m sm o n i t o r i n gA L L u s e r siti sr e c o m m e n d e d t h a tt h el o gl o c a t i o nb es e t t ox : \ d o c u m e n t sa n d s e t t i n g s \ a l lu s e r s

< Back

N ext >

Cancel

F IG U R E1 4 . 9 :A c c e p tA n t i v i r u sn o t i c e

14. The Finished window appears. Click Close to end the setup.

If

Finished Setup is com p lete and Spytech SpyAgent is nowin stalled !

5‫י ז‬

17 Run SpyAgent 1 ✓ View H elp D ocum entation

Click C lose toend th e Setup

<Back
F IG U R E1 4 . 1 0 :F i n i s hw i n d o w

C lo se

15. The following window appears. Click click to continue...

C E H Lab Manual Page 397

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

W e lc o m e t o S p y A g e n t ! ( S t e p 1 ) B e f o r e y o u c a n s t a r t u s in g S p y A g e n t y o u m u s t c o n fig u r e y o u r p a s s w o rd t h a t w ill b e u s e d fo r a c c e s s in g S p y A g e n t . D o n o t lo s e t h i s p a s s w o r d a s it c a n n o t b e r e s e t w i t h o u t a r e in s ta lla tio n o f S p y A g e n t.

F IG U R E1 4 . 1 1 :W e l c o m eS p y A g e n tw i n d o w

16. The following window appears. Enter the password 111 New Password field, and retype the same password in Confirm field. 17. Click OK.
Old Password:

m S p y A g e n tc a n d e l i v e r i t sa c t i v i t yl o g s i ns e c r e tt o y o u ro w n p e r s o n a le m a i lo r F T Pa c c o u n t

New Password:

Confirm:

••••••I
This password restricts other users from changing the SpyAgent settings.

F IG U R E1 4 . 1 2 :S e l e c t i n gN e wP a s s w o r d

18. The following window appears. Click click to continue.

C E H Lab Manual Page 398

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

W e lc o m e t o S p y A g e n t■ ( S t e p 2 ) You w ill n o w b e p r e s e n te d w it h t h e E asy C o n fig u r a tio n W iz a r d . Y o u c a n u s e t h is w iz a r d t o q u i c k l y s e t u p S p y A g e n t 's m o s t f r e q u e n t l y u s e d fe a tu r e s . Y ou ca n r e s ta r t th is w iz a r d a t a n y t i m e in t h e f u t u r e .

click to continue...
F IG U R E1 4 . 1 3 :W e l c o m eS p y A g e n tw i n d o w

19. Configuration package wizard appears. Select the Complete +Stealth Configuration package. 20. Click Next.

1. C on fig uratio n

P leas e s e le c t a c o n fig u ra tio n p a cka g e fro m th e below options. f* C o m p le te -I- S te a lth C o n fig u ratio n

2 .E x t r a s 3 .C o n f i r mS e t t in g s 4 .A p p l y 5 .F i n i s h

Configure to run in total stealth, with all possible logging options preconfigured.
C C o m p le te C on fig uratio n

Configure with all possible logging options preconfigured.
C Ty p ic al C on fig uratio n

Configure with the most commonly used logging options preconfigured.

!—
F IG U R E1 4 . 1 4 :S e l e c t i n gc o n f i g u r a t i o np a c k a g e

21. Choose additional options, and select the Display Alert on Startup check box. 22. Click Next.

C E H Lab Manual Page 399

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

m In t e r n e tT r a f f ic D a t a :T h i sl o gA L L i n c o m i n ga n do u t g o i n g i n t e r n e td a t at r a n s m i t t e d a n dr e c e i v e db yu s e r s .A ll e m a i lp a s s w o r d s ,F T P p a s s w o r d s ,w e b s i t e t r a n s m i s s i o n s ,e t c .w i l lb e l o g g e db yt h i sf e a t u r e

F IG U R E1 4 . 1 5 :S e l e c t i n ga d d i t i o n a lo p t i o n

23.

The Confirm Settings wizard appears. To continue click Next.
0 ■

1. C o n fig u ratio n 2. E x tras 3. C onfirm S etting s 4. Apply 5. Finish

A re you su re you w an t to co ntinue y o u r co n fig u ratio n ? I f so, click NEXT.
S e t t in g s to b e a p p lie d : • A ll lo g g in g o p tio n s w ill b e p re c o n fig u r e d fo r o p tim a l S t e a lt h • U s e r s w ill b e a le r te d S p y A g e n t is ru n n in g

£ QS p y A g e n tl i a st h e u n i q u ea b i l i t yt oa l l o w y o u t o h a v e i t sa c t i v i t y l o g sd e l i v e r e d t o y o u rp e r s o n a le m a i l a d d r e s so rF T Pa c c o u n t


F IG U R E1 4 . 1 6 :C o n f k m s e t t i n g w i z a r d

24.

The Configurations Applied window appears. Click Next.

C E H Lab Manual Page 400

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

f e a s y c o n lig u r a lio n a n d s e tu p w iz a rd j

1 .C o n f i g u r a t i o n 2 .E x t r a s 3 .C o n f i r mS e t t in g s
4. A pply

C o n fig u ratio n s A pplied!

A l l s e le c t e d s e t t in g s h a v e b e e n a p p lie d s u c c e s s f u lly ! C l i c k F I N I S H to fin is h t h e e a s y c o n fig u r a tio n w iz a rd I

5 .F i n i s h

F IG U R E1 4 . 1 7 :C o n f i g u r a t i o na p p l i e dw i n d o w

25.

The Configuration Finished window appears. Click Finish to successfully set up SpyAgent.

1 .C o n f i g u r a t i o n

C o n fig u ratio n Finished!

m S p y A g e n tl i a sa b u i l ti n s c h e d u l i n g f e a t u r e t h a ta l l o w s y o u t oc o n f i g u r eS p y A g e n tt o l o g u s e ra c t i v i t i e sd u r i n g s p e c i f i ch o u r so fd i ed a y ,o r t ol o c k d o w n y o u rc o m p u t e r a tc e r t a i n t i m e s

2 .E x t r a s 3 .C o n f i r mS e t t i n g s 4 .A p p l y
5. Finish

You h a v e now s u c c e s s fu lly se tu p S p y A g e n t ! I f yo u w is h to c h a n g e a n y s e t t in g s fu rth e r, c l i c k on th e b u tto n s on t h e S p y A g e n t in t e r f a c e for m o re o p t io n s !

| —GOiMij--]
F IG U R E1 4 . 1 8 :C o n f i g u r a t i o nf i n i s h e dw i n d o w

26.

The main window of Spytech SpyAgent appears, as show 111 the following figure. Click Click to continue...

C E H Lab Manual Page 401

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

T^EST
I C lic k H e r e f o r ‫ י‬O r d e r in g In f o r m a t io n

G e n e r a lU s e rA c tiv itie s K e y s t r o k e sT y p e d
0 K e y s L a s t j ‫־־"־'־־‬

G eneral
S ta r tu p S e ttin g s a n d C o n ftg

W i n d o w sV i e w e d
n fig u re L o g g in g O p tio n s

P r o g r a m s ( >
0 A p p lic a tio n ! V ^

!■mote L o g D e live ry
II n fig u re R e m o te D e liv e ry

C l i p b o a r d
0 C lip b o a rd s

W e lc o m e t o S p y A g e n t* ( S t e p 3 ) j| ,js • l% S p y A g e n t ' s u s e r i n t e r f a c e . T h i s i s w h e r e y o u c a n s ta r t a n d s to p m o n ito rin g , v i e w a c t i v i t y lo g s , c h a n g e s e t t i n g s , a n d c o n fig u r e t h e s o ftw a r e . I

Ivanced O p tio n s
e r C o n tro l o n S p y A g e n t

E v e n t sT l f l
0 E v e n ts Log

>ntent F ilte rin g
e r a n d B lo c k A c tiv ity

I n t e r n e tA c t iv it i e s E M a i l sS e i
0 E-Mails L o g t^ :----

reenS py
■ c o rd D e s k t o p A c tiv ity

‫־(יי‬

--------C h a tT r a n s c r i p t s
0 C o n v e r s a tio n s L o g ge d

= ! n a r tL o g g in g
A c tiv ity T r ig g e r e d L o g g in g

W e b s i t e sV i s i t e d
‫ ׳‬/fl► 0 W e b s ite s L o g g e d

S c h e d u lin g
S c h e d u le M o n ito rin g 1

V iew M o s t P o p u la r A c tiv itie s S u m m a ry C lic k here fo r Easy C o n fig u ra tio n and S e tu p W izard

B e h a v io r A le rts

n

R e a l- tim e A c tiv ity A l e r t s

H • P r o g r a m O p t io n s

L o g A c t io n s

I R e p o rts

► H e lp

F IG U R E1 4 . 1 9 :M a i nw i n d o w o fS p y A g e n t

27.
G
t

To check the general user activities, click Start Monitoring.
--------------------- 1 —I— w-l
m
G e n e ra l U s e r A c t iv itie s
C lic k H e r e f o r O r d e r in g I n f o r m a t io n

Monitoring User Activities

General
S ta rtu p S e ttin g s an d C o n fig

K e y s t r o k e sT y p e d
0 K ey s Last Session

W i n d o w sV i e w e d
4 W indow s Logged

m
P r o g r a m sU s a g e
70 n A1 ‫; ״ ״‬r« h ‫ ״‬n e Logged 1 n n n .ri pplications

!figure Logging O ptions

< ?3 2 ^S c r e e n S p yS c r e e n s h o t s
1 0 Sc ree n sh o ts Logged

Remote Log D elivery
C o n fig u re R e m o te D e liv e ry

C l i p b o a r dL o g s
0 C lip b o a rd s L ogged

F i l e / D o c u m e n t sU s a g e
0 File E v en ts Logged

Advanced O ptions
Fin er C o n tro l on S p y A g e n t

E v e n t sT i m e l i n e
9 1 Even ts Logged

C o m p u t e rU s a g e
2 S e s s io n s Logged

C o nte nt F iltering
Filter an d B lo ck A ctiv ity

I n te r n e t A c t iv itie s

ScreenSpy
R e c o rd D eskt<

E M a i l sS e n t / R e c e i v e d
0 E-M ails Logged

A

I n t e r n e tA c t i v i t i e s
0 C o n ne ctio n s Logged

S m artLogging
A c tiv ity T rig g e re d Logging

W e b s i t e sV i s i t e d
2 W e b site s Logged

C h a tT r a n s c r i p t s
0 C o n v e rs a tio n s Logged

Scheduling
S c h e d u le M o nito rin g T im e s

View M ost P opular A c tiv itie s Sum m ary C lick here fo r Easy C o n fig u ra tio n and Setup W izard

B e havior A lerts

n
I

R e a l-tim e A c tiv ity A le rtfc ff

j 11• P r o g r a m

O p tio n s

6 ■ L o g A c t io n s

► R e p o rts

1 1 • H e lp

F IG U R E1 4 . 2 0 :S t a r tm o n i t o i n g

C E H Lab Manual Page 402

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

28. 29.

When the Enter Access Password window appears, enter the
password.

Click OK.
computer monicoring'nnd surveillance software G e n e ra l U se r A c tiv itie s
K e y s tro k e s T yp ed
0 Keys Last Session

Click H ere for O rd erin g In fo rm a tio n
G en era l

Startup Settings and Config
W in d o w s V ie w e d 4 Windows Logged

S p y A g e n tl i a sa f e a t u r e c a l l e d S m a r t L o g g i n g d i a tl e t s y o u t r i g g e rm o n i t o r i n g w h e n c e r t a i n e v e n t sa r i s e ,i n s t e a d o f r u n n i n g c o n s t a n t l y l o g g i n g e v e r y t h i n g t h a tu s e r sd o . S m a r t L o g g i n g t i e si n t od i e k e y s t r o k e s ,w e b s i t e sv i s i t e d , a p p l i c a t i o n sr a n ,a n d w i n d o w s u s e d l o g g i n g f u n c t i o n s

CoSlgure Logging Options
P ro g r a m s U s a g e S c rc e n S p y Scre en sh o ts
0 Screenshots Logged

>70 Applications Logged

Configure Remote Delivery
C lip b o a rd Logs

R e m o te L o g D e livery

0 Clipboards Logge
E v e n ts T im elim 91 Events Logged

Advanced Options Finer Control on SpyAgent
C o n te n t Filterin g

Filter and Block Activity
S c re e n S p y

In te rn e t A c tiv itie s
E-M ails S e n t/ R e c e iv e d 0 E-Mails Logged ; ^ In te rn e t A ctivitie s
0 Connections Logged

Record Desktt
Sm a rtL o g g in g

Activity Triggered Logging
S c h e d u lin g

2

W e b s ite s V isited W ebsites Logged

‫׳‬

C h a t T ra n s crip ts
0 Conversations Logged

Schedule Monitoring Times
B e h a v io r A lerts n

View Most Popular Activities Summary Click here for Easy Configuration and Setup Wizard

Real-time Activity AlertAJ?

► P r o g r a m O p t io n s

L o g A c t io n s

I R e p o rts

► H e lp

F IG U R E1 4 . 2 1 :E n t e r i n gt h ep a s s w o r d

30.

Stealth Notice window appears, read the instmctions click OK NOTE: To bring SpyAgent out of stealth mode, press CONTROL+SHIFT+ALT+M on your keyboard.

S p y A g e n ta l l o w sy o u t os a v ea l lo fS p y A g e n t ' s k e y s t r o k e s ,w e b s i t e s , w i n d o w s ,a p p l i c a t i o n s , c o n n e c t i o n s ,c l i p b o a r d , a c t i v i t y ,p r i n tj o b s ,f i l e u s a g e ,a n dd o c u m e n t sl o g s t oas p e c i f i e dd i r e c t o r ya t o n c ef o re a s i e rv i e w i n g l a t e ro no rs o y o uc a n c l e a ry o u rl o g sw i t h o u t l o s i n gd a t a .

H U

F IG U R E1 4 . 2 2 :S t e a l t hm o d en o t i c e
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 403

Module 0 5 - S y ste m H acking

31.

It will show the following window, with the options select Do not show this Help Tip again and select D o not show Related Help Tips like this again. Click click to continue...

S p y A g e n t is n o w m o n i t o r in g y o u r c o m p u t e r . T o s t o p m o n i t o r in g p r e s s S p y A g e n t 's h o t k e y c o m b in a t io n - b y d e f a u l t it is C O N T R O L + A L T + S H IF T + M - th e n e n t e r y o u r S p y A g e n t p a s s w o rd .

m S p y A g e n tf e a t u r e sa l a r g es e to fr e p o r t i n g t o o l s t h a ta l l o w y o u t os a v ea n d p r e p a r e l o g d a t a f o rl a t e r v i e w i n g ,d o c u m e n t a t i o n ,a n d p r i n t i n g .A l lr e p o r t sa r e f o r m a t t e d i n H T M Lf o r m a t f o rv i e w i n g w i t h y o u rw e b b r o w s e r .

d

D o n o t s h o iv t h is H e lp T ip a g a i ! t h i s a g a in

7A D o n o t s h o w R e l a t e d H e l p T i p s

F IG U R E1 4 . 2 3 :S t a r tm o n i t o i n g

32. 33.

Now‫ ־‬browse the Internet (anything). To bring spyAgent out ot stealth mode press CONTROL+SHIFT+ALT+M on your keyboard. It will ask for the Access Password; enter the password and click OK.

F IG U R E1 4 . 2 4 :E n t e r i n gt h ep a s s w o r d

34. 35.

To check user keystrokes from the keyboard, click Keystrokes Typed Irom General User Activities. It will show all the resulting keystrokes as shown in the following screenshot.

C E H Lab Manual Page 404

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

SpyAgent Keystrokes Log V iew er
0 Save Log Save ‫ י‬1 ‫ נ‬C lea r

14 entries
_ i j Actions. c Jum p to Log 3

J J F orm at

S e le c t a K e y s t r o k e s L o g E n t r y Tim« Administrator Administrator Administrator Administrator Snag 1tEditor.exe K e y s tro k e s T y p e d |[B ac ks p ac e][B a ck sp ac e][B ac ks p a ce ][B ac ks p ac e][B a ck sp a ce ][B ac ks p a ce ]| [B a ck s p a c e ][B a c k s p a c e ]S p y [B a c k s p a c e ][B a c k s p a c e ][B a c k s p a c e ]It will show th e follwmg window se ld [B a ck sp a ce ]e ct D o n to [B ac ks p ac e][B a ck sp ac e]o t show this H elp T ip ag ain and Do not show R elated H elp Tips like this agin [B acksp ace] [B a ck sp a ce ][B ac ks p ac e]am [B a ck sp a ce ], click on click to count 1[B a ck sp a ce ] [B a ck sp a c e j[B a c k s p a c e j[B a c k s p a c e ]m [B a c k s p a c e ]t 1nue Snagit Editor • Jul 24, 2012 2:35:58 PM Tue Tue Tue Tue 7/24/12 7/24/12 7/24/12 7/24/12 @ © © © 2:12:27 2:12:29 2:12:56 2:13:03 PM PM PM PM

Note: Log entries preceeded with a '* ' indicate a password entry.

F IG U R E1 4 . 2 5 :R e s u l t e dk e y s t r o k e s

36. 37.

To check the websites visited by the user, click Website Visited from
Internet Activities.

It will show all the user visited websites results, as shown in the following screenshot.

C E H Lab Manual Page 405

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

Lab A n a ly sis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

Tool/Utility Spytech SpyAgent

Information Collected/Objectives Achieved Output: ‫ י‬Monitoring keystrokes typed ‫ י‬Website log entries ‫ י‬Pages visited for selected website ‫ י‬Internet traffic data

Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 406

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Web Activity Monitoring and Recording Using Power Spy 2013
Power Spy 2013 sojhmre allowsyon to secretly won!tor and record a ll activities on yonr computer, and this is completely legal.

Lab S cen a rio
^___ V a lu a b le i n f o r m a t i o n _________

Test your k n o w le d g e

*A m

W e b e x e r c is e

W o r k b o o k r e v ie w

Today, employees are given access to computers, telephones, and other electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. ]M any employees also are given laptop computers and wireless telephones diev can take home and use for business outside die workplace. Wliedier an employee can claim a reasonable expectation of privacy when using such company-supplied equipment 111 large part depends upon the steps die employer has made to minimize that expectation.
1 1 1 tins lab, we explain monitoring employee or sftident activity using Power Spy
2013.

Lab O b jectives
& Tools demonstrated in this lab are available in D :\ C E H Tools\CEHv8 Module 0 5 System Hacking

The objective of tins lab is to help students use the Activity Monitor tool. After completing diis lab, students will be able to: ■ Install and configure Power Spy 2013 ■ Monitor keystrokes typed, websites visited, and Internet Traffic Data

Lab Environm ent
To perform die lab, you need: ■ A computer running Windows Server 2012 ■ Administrative privileges to install and mil tools ■ You can also download Power Spy tool from http:/ / ematr1xsoft.com/download-power-spv-software.php

C E H Lab Manual Page

• 7

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

If you decided to download latest version screenshots may differ Run diis tool 111 Windows Server 2012

Lab Duration
Time: 15 Minutes

O verview of Pow er Sp y 2013
Power Spy software records Facebook use and all keystrokes typed, and captures all chats and IMs 111 Windows Live Messenger (MSN Messenger) , Skype, Yahoo Messenger, Tencent QQ, Google Talk, GADU-GADU, ICQ, AOL Instant Messenger (AIM), and odiers. It records all websites visited, emails read, documents opened, windows opened, clipboard activities, passwords typed, and applications executed.

Lab T a sk s
The basic idea 111 diis section is to: 1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System
TAS K 1
Installation of Power Spy 2 0 1 3 Hacking\Spywares\Email and Internet Spyware\Power Spy.

2. Double-click pcspy.exe. The Software License Agreement window appears. You must accept the agreement to install Power Spy. 3. Click Next 111 die License Agreement wizard.
S e tu p P o w e r S p y
W e lc o m e t o t h e S e tu p W iz a r d ! T h is w ill in s ta ll t h e s o f t w a r e o n y o u r c o m p u t e r . I t is r e c o m m e n d e d t o c lo s e a ll o t h e r a p p lic a tio n s b e f o r e c o n tin u in g .

C lic k N e x t t o c o n t in u e , o r C a n c e l t o e x it S e tu p .

B y c lic k in g N e x t y o u a r e a g r e e in g t o t h e f o llo w in g t e r m s o f L ic e n s e A g r e e m e n t .

License A g ree m en t: DIS C LA M ER : A ll o u r products a re d is trib u te d an d licensed on an 'a s is* basis an d no w a rra n tie s o r g u ara n te es o f a n y k in d a re prom ised b y e M a trix S o ft (th e *C o m p an y *) an d P ow er Spy ( th e *S o ftw a re ') as to t h e ir perfo rm a n ce , r e lia b ilit y o r s u ita b ility to a n y g iv e n task. In no e v e n t sh a ll th e S o ftw are be lia b le fo r a n y loss of d a ta o r A N Y D A M A G E S OF

m Y o uc a nd o w n l o a d t h eP o w e rS p y2 0 1 3f r o m
http:/ / ematrixsoft.com/ittde x.php

F IG U R E1 5 . 1 :I n s t a l l a t i o n o fS p y t e c h S p y A g e n t

4. Setup has finished the installation 011 the system. Click Finish.

C E H Lab Manual Page 408

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

C o m p le tin g S e tu p
S etu p has finished installing product on y o u r com puter. Click Finish to exit th e Setu p W izard.

K e y s t r o k e sT y p e d— l o ga l lk e y s t r o k e s ,i n c l u d i n g o p t i o n a ln o n a l p h a n u m e r i c a lk e y s ,t y p e d w i t ht i m e ,W i n d o w s u s e r n a m e ,a p p l i c a t i o nn a m e a n dw i n d o wc a p t i o n

F IG U R E1 5 . 2 :S e l e c td i e A g r e e m e n t

5.

The Run as administrator window appears. Click Run.
R u n as a d m in is tra to r

X

W ith a d m in istrativ e rights, y o u ca n check, d e le te a n d exp ort logs, c h a n g e settings, a n d h a v e c o m p le te a ccess to th e so ftw a re

m N e tC h a t t i n g C o n v e r s a t i o n s— m o n i t o r a n dr e c o r da l ll a t e s tv e r s i o n W i n d o w sL i v eM e s s e n g e r/ S k y p e/M S NM e s s e n g e r/ IC Q/A IM/Y a h o o ! M e s s e n g e r ’ sB O T HS ID E S c h a t t i n gc o n v e r s a t i o n sw i t h t i m e ,c h a tu s e r s ,a n da l l c o m i n g / o u t g o i n gm e s s a g e s
F I G U R E1 5 . 3 :S e l e c t i n g f o l d e rf o ri n s t a l l a t i o n

6.

The Setup login password window appears. Enter the password 111 the New password field, and retype the same password 111 the Confirm password held. Click Submit.

7.

C E H Lab Manual Page 409

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

S e tu p lo g in p a s s w o rd
Setup a password to login the software. The password can include uppercase letters, lowercase letters, numbers and symbols.

S c r e e n S n a p s h o t s — a u t o m a t i c a l l yc a p t u r e s s c r e e n s h o t so fe n t i r e d e s k t o p o ra c t i v e w i n d o w sa ts e t i n t e r v a l s .S a v es c r e e n s h o t sa s JPEGf o r m a ti m a g e so n y o u r c o m p u t e rh a r d d i s k . A u t o m a t i c a l l ys t o p s c r e e n s h o t w h e n u s e ri si n a c t i v e

New password: Confirm password:

F IG U R E1 5 . 4 :S e l e c t i n gN e wP a s s w o r d

8.

The Information dialog box appears. Click OK.
Information
Your passw ord is created . You w ill use it to lo g in th e software.

F IG U R E1 5 . 5 :p a s s w o r dc o n f i r m a t i o nw i n d o w

9.

The Enter login Password window appears. Enter the password (which is already set).

10. Click Submit
Q = !S e l f A c t i o n s— r e c o r d P o w e rS p ya d m i n i s t r a t o r o p e r a t i o n s ,l i k es t a r to rs t o p m o n i t o r i n g

F IG U R E1 5 . 6 :E n t e rt h ep a s s w o r d
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 410

Module 0 5 - S y ste m H acking

11.
£QS t e a l t h M o d e :P o w e r S p yr u n a b s o l u t e l y i n v i s i b l y u n d e rW i n d o w ss y s t e m sa n d d o e s n o ts h o w i n W i n d o w s t a s k l i s tN o n ew i l lk n o w i t ’ s r u n n i n g u n l e s s y o u t e l lt h e m ! Y o uc a na l s o c h o o s et oh i d e o ru n h i d e P o w e rS p y i c o n a n d i t su n i n s t a l le n t r y

The Register product window appears. Click Later to continue.
R e g is te r p ro d u c t
A n ic o n is d is p la y e d o n D e s k to p t o d is a b le S te a lth M o d e in t r ia l v e rs io n .

Y o u c a n t o ta lly t r y t h e s o ftw a re o n y o u rs e lf. C lic k Sta rt m o n ito rin g a n d Ste a lth M o d e o n it's c o n tro l p a n e l, t h e n d o a n y th in g as u su a l o n t h e PC: vis itin g w e b sites, re a d in g e m a ils , c h a ttin g o n fa c e b o o k o r Sk yp e , e tc . T h e n , u s e y o u r h o tk e y t o u n h id e its c o n tro l p a n e l, a n d click a n ic o n o n t h e le ft t o c h e c k lo g s.

Y o u c a n a lso clic k C o n fig u ra tio n t o c h a n g e s e ttin g s , s e tu p a n e m a il t o re c e iv e lo g s f r o m a n y lo c a tio n , su c h as a r e m o te PC. iP ad o r a s m a rt p h o n e .

If y o u lik e t h e p ro d u c t, click P u rc h a se b u tt o n b e lo w t o b u y a n d r e g is te r it. S te a lth M o d e w ill b e e n a b le d a f t e r it is u n lo c k e d w it h y o u r r e g is tra tio n in fo rm a tio n .

U ser N am e : U n lo c k C o d e :

F IG U R E1 5 . 7 :R e g i s t e rp r o d u c tw i n d o w

12.

The main window of Power Spy appears, as displayed 111 die following tigure.
Power Spy
Control Panel
Buy now

ea T a s k S c h e d u l e :Y o u c a n s e ts t a r t i n g a n d e n d i n g t i m ef o re a d it a s k t o a u t o m a t i c a l l ys t a r ta n d s t o p t h e m o n i t o r i n g j o b .

‫ם‬ D
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
A p p licatio n s ex ec u te d

©

f * n

Keystrokes
w eb sites visited

Sta rt m o n ito rin g

® Ste a lth M o d e

jm
® C o n fig u ra tio n

clipboard

1‫׳‬
m ic ro p h o n e

Export all logs

Delete all logs

F IG U R E1 5 . 8 :M a i nw i n d o w o fP o w e rS p y

13.
k t A S K 2

Click Start monitoring.

Monitoring and Recording User Activities

C E H Lab Manual Page 411

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Power Spy

Control Panel

Buy now

£

‫ם‬

©

f
*m

Keystrokes
w eb sites visited

Sta rt m o n ito rin g

®

JP
clipboard

Stea lth M o d e

© C o n fig u ra tio n

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
A p p licatio n s ex ec u te d

n

t
m ic ro p h o n e

© About

© Uninstall

Export all logs

Delete all logs

y = i ‫־‬J L o g sV i e w :c h o o s e t o v i e w d i f f e r e n tt y p eo fl o g s f r o m p r o g r a m m a i n i n t e r f a c e . Y o uc a n d e l e t es e l e c t e d l o g s o rc l e a ra l ll o g s ,s e a r c h l o g so r e x p o r tl o s s i n g r e p o r t s i n H T M Lf o r m a t

F IG U R E1 5 . 9 :S t a r tm o n i t o r i n g

14.

The System Reboot Recommended window appears. Click OK.
System Reboot Recommended
O n e or more monitoring features require system reboot to start working. It is recom m ended to close the software first (click Stealth M o d e or X on the right top corner), then restart your computer.

The message displays only once.

F IG U R E1 5 . 1 0 :S y s t e m R e b o o tR e c o m m e n d e dw i n d o w

15. 16.

Click Stealth Mode (stealth mode runs the Power Spy completely invisibly on the computer) . The Hotkey reminder window appears. Click OK (to unhide Power Spy, use the Ctrl+Alt+X keys together on your PC keyboard).

C E H Lab Manual Page 412

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

Power Spy

Control Panel

Buy now

| g

‫ם‬

f
Hotkey reminder

®
K eystrokes
S to p m o n ito rin g

The Stealth M o d e is started and the software will run com pletely invisibly. To unhide it, use your hotkey: Ctrl + Al + X . (Press the 3 keys togeth er on your keyboard). Hotkey o nly works in current W in d o w s user account. It is disabled in other user accounts for security.

I °K 1
■■■■■ Applications executed

w m

cn p D o a ra

Y
microphone

About

(£>
Un in stall

E x p o rt

a ll

lo g s

D e le te

a ll lo g s

m E a s y t o u s eI n t e r f a c e : c o n f i gP o w e rS p yw i t h e i d i e rW i2a r df o rc o m m o n u s e r so rc o n t r o lp a n e lf o r a d v a n c e du s e r s .U s e r f r i e n d l yg r a p h i c a lp r o g r a m i n t e r f a c em a k e sit e a s yf o r b e g i n n g e r s .

F IG U R E1 5 . 1 1 :S t e a l t hm o d ew i n d o w

17. The Confirm window appears Click Yes.
Comfirm
A re yo u sure yo u re m e m b e r this?

1 ves
F IG U R E1 5 . 1 2 :S t e a l d im o d en o t i c e

o |1 N

|

18. 19.

Now browse the Internet (anytiling). To bring Power Spy out of stealth mode, press CONTROL+ALT+X on your keyboard. The Run as administrator window appears. Click Run.
R u n as a d m in is tra to r
W ith a d m in istrativ e rights, y o u c a n check, d e le te a n d exp ort logs, c h a n g e settings, and h a v e c o m p le te a ccess t o th e s o ftw a re

‫י‬

*

F IG U R E1 5 . 1 3 :R i m a sa d m i n i s t r a t o r
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

C E H Lab Manual Page 413

Module 0 5 - S y ste m H acking

20. 21.

The Enter login password window appears. Enter the password (which is already set) . Click Submit.

F IG U R E1 5 . 1 4 :E n t e rt h ep a s s w o r d

22.Click Later 111 the Register product window to continue if it appears. 23. Click Stop monitoring to stop the monitoring.
Power Spy
Control Panel
Buy now (

a

f *
m

K e y s tro k e s
w eb sites visited

® S to p m o n ito rin g

®

(D
■ ■■ ■■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ A p p licatio n s ex ec u te d

JP
c lip b o a r d

Ste a lth M o d e

® C o n fig u ra tio n

1‫׳‬
m ic ro p h o n e

® About

E x p o r t a ll lo g s

D e le te

a ll lo g s

F IG U R E1 5 . 1 5 :S t o pt h em o n i t o r i n g

24.

To check user keystrokes from the keyboard, click Keystrokes in
Power Spy Control Panel.

C E H Lab Manual Page 414

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Power

S p y Control Panel

m P r o g r a m E x e c u t e d — l o g a l lp r o g r a m si n c l u d i n g a p p l i c a t i o n ,e x e c u t a b l ef i l e , d o c u m e n t sa n d d i r e c t o r i e s n a v i g a t e d w i t ht i m e , W i n d o w su s e r n a m e , a p p l i c a t i o n / d o c u m e n t / d i r e c t o r yn a m ea n d f i l ep a t h s . .

CS
screenshots

f *
m

K e y s tro k e s websites visited

Sta rt m on ito rin g

D
■■■■■ ■■■■■ ■■■■■ Applications executed

P
Yahoo messenger

CS)
C o n fig u ra tio n

clipboard

1‫׳‬
microphone a ll lo g s

©
A b o u t

E x p o r t a ll l o g s

D e le te

F IG U R E1 5 . 1 6 :S e l e c t i n gk e y s t r o k e sf r o m P o w e rs p yc o n t r o lp a n e l

25. 26.

It will show all the resulted keystrokes as shown 111 the following screenshot. Click the Close button.
4!C nto) fM |(O .0 v li/JWUJ £«:> /*« M N M M Iir u n t i* VSa/Xl2£*M** *»• »*• «• ‫׳‬
1 7 3 * 0 1 1 32 = M t4 3 0 M :; » 2 SU IO .I2m l-/3»fXl2W.1m tomntor 1jynt12l-.H-.i7m Aannatittm fjpHV»n.10d < 1|m» iPM Ktm inr jn !(•K^rwtwA

.>—> «!w a y im •m(attjiwrotorew wm:
:ofcrtAi Ht— 1— r 1 (m (>M)|wWi•AraVAi 1 o g r«*l« (nK)rweeeF V • (• / • '••<1 1 A «t*u :C rayonH e s(*»Jmco»ofofto'pWct

»V fo g r• "«n l«w • m

In VKf•■ . ! < » — ■ • w un5W:

< * » ‫״‬ — ‫״‬ » ■

* M O *

{CtrkfCtrfc >>0r.(m jhf)(P«foCW

________________

:\ p f0 9 ‫•׳‬ ‫»*״‬

V yapa• («H )«tw o*ofr

o r: ‫•ייי‬

1 > * <

< £ « *

«W l(O .I)v
( 4 j0 * tV W n jm

lV»aU£4J:}SfM

5‫^׳‬gt E«>‫[ • ־‬io* 23.2052 2:MJS 1 ‫ימ‬

leabcatonP*h‫׳‬

J
F IG U R E1 5 . 1 7 :R e s u l t e dk e y s t r o k e s £ Q )D o c u m e n t sO p e n e d l o g a l lt e x tc o n t e n t so f d o c u m e n t so p e n e d i n M S W o r da n d N o t e P a d .

27. 28.

To check the websites visited by the user, click Website visited in the
Power Spy Control Panel.

It will show all the visited websites, as shown 111 the following screenshot.

C E H Lab Manual Page 415

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

1 va/xu 2 :4 2 :2 7m VJ2UX122 :4 2 :2 3fM I va/3t1 22 :4 2 :2 0fW : •/*nc1 7‫ ד»יג‬IJ P M 1 v3t/2c12 2i4 2jl0 m Sy2l,3‫׳‬C I2 2:J7 :4 0PM

btfpjfttnteroaot.ctr\(«‫׳‬toggesr‫׳‬fny1ea-tefr<nrt{*p h t« p y / g n a lT n o o > ta n \ jb u » ra s < tty o rc *t»o > 1> }«« tvto/'B ra frix so ft c a m k e o o o o o» ‫■<־‬ ‫״‬ ‫פי‬ ‫בי׳‬ ‫ב‬ ‫׳‬1e*trtrt.g > c h n p /fm M(U^» w ,u 1u-!b1 t-«1].lw<Uu->~«>tn1>lkM-a‫־‬n>7)UI.«• * • 1 * ^ 3 1 *U F'b3C «ffalm roltr h t^ » K / A r» w r .g o » n te < o » \ te a rtf'> aw o‫״‬ <kc 1iH>w<K j »»1mfc tn !^/,nUwn.ilIliAU :vHVVM(1 • fap j/rw *.Q > o1 )e.x > .rfttarT < *1< ri0-riGr n«K -f0 y g > »T C t> J0 c a x > »jnaAsio1T 0 > y w ^ jn a• b a o a o o i♦ 0na*sS$1j»r*»*< c.3..43j4M X.1®«!SO.Z3K—

I eMatrixSoft ‫ ־‬Power Spy »oftn‫־‬ar» offlral t«r. me* 2 0 0 4

Featured Product
Power Spy

I

PC Screen Spy Monitor

2 0 13spy software
Umm caam un«l <Lr«otly ii roar PC*croon It rte«rd1 • < ond1 (*diuitaMo, vxthost b*in|d«t«rt»<1 .Tt1l1 c4ptur*t ill

2 0 13 1vgif PC. 10 nmtr ‫יי‬b nrertormci falect lorcatm int
F IG U R E1 5 . 1 8 :R e s u l to fv i s i t e dw e b s i t e s

Lab A n a ly sis
Analyze and document die results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

Tool/Utility PowerSpy 2013

Information Collected/Objectives Achieved Output: ‫ י‬Monitoring keystrokes typed ‫ י‬Website log entries ‫ י‬Pages visited for selected website ‫ י‬Internet traffic data

Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 416

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Image Steganography Using QuickStego
Q nickS tego hides te x t in pictures so that only other users o f Q uickStego can retrieve and read the hidden secret messages.
I CON KEY

Lab S cen a rio
Porn sites are tilled with images that sometimes change multiple times each day, require authentication 111 some cases to access their "better" areas of content, and by using stenograpluc techniques, would allow an agent to retrieve messages from their home bases and send back updates, all 111 porn trading. Thumbnails could be scanned to find out if there are any new messages for die day; once decrypted, diese messages would point to links on die same site with the remaining information encrypted. Terrorists know that so many different types of tiles can hold all sorts of hidden information, and tracking or finding these files can be an almost impossible task. These messages can be placed 111 plain sight, and the servers that supply these tiles will never know it. Finding these messages is like finding the proverbial "needle" 111 the World Wide Web haystack.
111 order to be an expert an etliical hacker and penetration tester, you must understand how to lude the text inside the image. 111 diis lab, we show how text is hidden inside an image using the QuickStego tool.

1.___ s

V a lu a b le in fo r m a tio n

T est your k n o w le d g e

W e b e x e r c is e

m

W o r k b o o k r e v ie w

£7 Tools demonstrated in this lab are available in D :\ C E H Tools\CEHv8 Module 0 5 System Hacking

Lab O b jectives
Tlie objective of tins lab is to help the students learn how to messages 111 an image.
hide secret text

Lab Environm ent
To perform the lab, you need: ■ A computer running Windows Server 2012 ■ Administrative privileges to install and 11111 tools
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

C E H Lab Manual Page 417

Module 0 5 - S y ste m H acking

"

QuickStego

is located at D:\CEH-Tools\CEHv8 Module 05 System

Hacking\Steganography\lmage Steganography\QuickStego

■ You can also download Quick Stego tool from http: / /quickc1Tpto.com/ free-steganographv-software.html ■ It you decided to download latest version screenshots may differ ■ Run this tool 111 Windows Server 2012

Lab Duration
Time: 10 Minutes

O verview of Steg anog raphy
Steganography is the art and science of writing hidden messages 111 such a way that no one, apart from the sender and intended recipient, suspects the existence of die message, a form of security7 through obscurity‫״‬. Steganography includes die concealment of information widiin computer hies. 111 digital steganography, electronic communications may include stenographic coding inside of a transport layer, such as a document tile, image tile, program, or protocol.

Lab T a sk s
The basic idea 111 diis section is to: 1. Follow die wizard-driven installation steps to install Quick Stego
TAS K 1
Hide the text inside the image

2. Launch Quick Stego from Start menu apps

m Y o uc a nd o w n l o a d d i eQ u i c k S t e g of r o m
http:/ / quickcrypto.com

F IG U R E1 6 . 1 :M a i i iw i n d o w o ft h eQ u i c k S t e g o

3.
C E H Lab Manual Page 418

Click Open Image in the Picture, Image, Photo File dialog box.
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

m Im a g eT y p e st h a tc a n b eo p e n e d■ j p g / . j p e g ,. g i f , o r. b m pf o r m a t s

F I G U R E1 6 . 2 :O p e n i n g t h ei m a g e

4. 5.

Browse the image from D:\CEH-Tools\CEHv8 Module 05 System
Hacking\Steganography\lmage Steganography\QuickStego.

Select lamborgini_5.jpg. and then click the Open button.
L J:
« Organize ‫־״־‬

S e l e c tA nI m a g eF i l eT oO p e n
Image Steg... ► QuickStego
V c

TUI

Search QuickStego

New folder Nam e Date modified Type

D o w n lo a d ^ Recent p Music

9/20/2012 4:42 PM

JPEG image

Libraries

-

( 1 Documej

J ' -Music
Saved Hidden Text Images ‫־‬ ■ b m pformat only
Computer ^ Local Dis v < File name: | lamborghini_5.jpg v | | Images (*.bmp;*.jpg;*.jpeg;*.gif v | Open Cancel k . Pictures 9 Videos

F IG U R E1 6 . 3 :S e l e c t i n g d i ei m a g e

6. The selected image is added; it will show a message diat reads: THIS IMAGE
DOES NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE.

C E H Lab Manual Page 419

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

Ik UQ u i c k S t e g od o e sn o t E N C R Y P Tt h es e c r e tt e x t m e s s a g et h o u g h iti sw e l l h i d d e n i nt h ei m a g e . Q u i c k C r y p t oi n c l u d e st h e f u n c t i o n so fQ u i c k S t e g o b u ta l s oa l l o w sy o ut o s e c u r e l ye n c r y p tt e x ta n d f i l e sa n de v e nh i d ef i l e so n y o u rc o m p u t e r .

F IG U R E1 6 . 4 :S e l e c t e d i m a g e i sd i s p l a y e d

7. To add die text to the image, click box.

Open Text

from the Text File dialog

F IG U R E1 6 . 5 :S e l e c t e dt e x tf i l e

8. Browse the text file from D:\CEH-Tools\CEHv8 Module 05 System
Hacking\Steganography\lmage Steganography\QuickStego.

9. Select Text F11e.txt tile, and then click the Open button.
C E H Lab Manual Page 420 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 0 5 - S y ste m H acking

d i
^ ^ *fr | ,j.. «

S e l e c tF i l et oO p e n
Image Steg... > QuickStego v Q | | Search QuickStego

ra!
P

Organize »

New folder Nam e
‫__ן‬,Text File.txt

E 0 ‫־‬ ‫ ׳‬#
Date m odified
9 /2 0 /2 0 1 2 5:0 0 P M

'f f Favorites ■ Desktop

Type
Text D o cu m e nt

£ Downloa Recent p = Music

T h ec o t ef u n c t i o n so f Q u i c k S t e g oa r ea l s op a r to f Q u i c k C r y p t o ,d i e r e f o r et h e p r o d u c tw i l lb es u p p o r t e d f o rt h ef o r e s e e a b l ef u t u r e . F u n c t i o n a l i t yo ni t sw a yi s t h ea b i l i t yt oh i d em e s s a g e s i n s i d ea u d i of i l e s ,e . g .m p 3 a n dw a v .

m

^ 0

Libraries Documei

J 1 Music f c l Pictures 9 Videos

Open

F IG U R E1 6 . 6 :S e l e c t i n gt l i et e x tf i l e

10. 11.

The selected text will be added; click Hide Text 111 the Steganography dialog box. It shows the following message: The text message is now hidden in
image. Q u i c k S t e g oS t e g a n o g r a p h y‫־‬H i d eaS e c r e tT e x tM e s s a g ei na nI m a g e

H i el a r g e rd i ei m a g e , t h em o r et e s tt l i a tc a n b e c o n c e a l e d w i t h i n .Q u i c k S t e g o w i l lt e l ly o u h o w m a n y T c h a r a c t e r so ft e x ty o u m u s t l o s e ify o u g o o v e rt h i sl i m i t p e rp i c t u r e .L ip r a c t i c ea l o to f s e c r e tt e s tc a n b e h i d d e n i n e v e n as m a l li m a g e .
!Picture, Image, Photo File | Open Image | Save Image |

ca

1 1

Steganography 1 Gel Text |

1
Open Text

‫נ‬

The text m e s s a g e is n ow hidden in image.

F IG U R E1 6 . 7 :H i d i n gt h et e s t

12.

To save the image (where the text is hidden inside the image) click Save Image in the Picture, Image, Photo File dialog box.

C E H Lab Manual Page 421

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

EQ QuickStego imperceptibly alters the pixels (individual picture elements) of the image, encoding the secret text by adding small variations in color to the image. In practice, to the hum an eye, these small differences do not appear to change the image
* jg Libraries t> ( j ) Documents > J l Music Network * . Favorites ■ 4 % Desktop Downloads Recent places I Libraries System Folder ( ? ) ( J ) ' 7 Organize ▼ f t IM Desktop^

F IG U R E1 6 . 8 :S a v et h es t e g a n o g r a p h yi m a g e

13.

Provide the tile name as stego, and click Save (to save tins file on the desktop).
S a v eT h eI m a g eF i l eT o
v C Search Desktop

New folder

A

J ) Music ‫י‬ Computer System Folder

h

O F! D•/‫• !♦־־‬rar
I stego I | Im age (’ .bmp)

*‫ר‬

• * Hide Folders

F IG U R E1 6 . 9 :B r o w s ef o rs a v e df i l e 1 4 . Exit

Open Image 111

from the QuickStego window. Again open QmckStego, and click the Picture, Image, Photo File dialog box.

15. 16.

Browse the Stego file (which is saved on desktop). The hidden text inside the image will appear as displayed in the following figure.

C E H Lab Manual Page 422

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 0 5 - S y ste m H acking

03A p p r o x i m a t e l y2 M Bo f f r e e h a r d d i s k s p a c e( p l u s e x t r as p a c ef o ra n y i m a g e s )

F IG U R E1 6 . 1 0 :H i d d e nt e x ti ss h o w e d

Lab A n a ly sis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

Tool/Utility QuickStego

Information Collected/Objectives Achieved Image Used: Lamborghi11i_5.jpg Output: The hidden text inside the image will be shown

Internet Connection Required □ Yes Platform Supported 0 !Labs 0 No

C E H Lab Manual Page 423

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.