Professional Documents
Culture Documents
CEH v8 Labs Module 05 System
CEH v8 Labs Module 05 System
System Hacking
Module 05
System Hacking
System hacking is the science of testing computers and networkfor vulnerabilities and
plug-ins.
Lab Scenario
{ I Valuable
intommtion_____
Test your
knowledge______
a* Web exercise
Q! Workbook review
Password hacking 1s one o f the easiest and most common ways hackers obtain
unauthorized computer 01 network access. Although strong passwords that are
difficult to crack (or guess) are easy to create and maintain, users often neglect tins.
Therefore, passwords are one of the weakest links 111 die uiformation-secunty chain.
Passwords rely 011 secrecy. After a password is compromised, its original owner isnt
the only person who can access the system with it. Hackers have many ways to
obtain passwords. Hackers can obtain passwords from local computers by using
password-cracking software. To obtain passwords from across a network, hackers
can use remote cracking utilities 01 network analyzers. Tins chapter demonstrates
just how easily hackers can gather password information from your network and
descnbes password vulnerabilities diat exit 111 computer networks and
countermeasures to help prevent these vulnerabilities from being exploited 011 vour
systems.
Lab Objectives
The objective o f tins lab is to help students learn to m onitor a system rem otely
and to extract hidden files and other tasks that include:
[ Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
Recovering passwords
Lab Environment
To earn out die lab you need:
Lab Duration
Tune: 100 Minutes
C E H L ab M an u al Page
stask
Overview
Lab Tasks
Recommended labs to assist you 111 system hacking:
Extracting Administrator Passwords Using LCP
Hiding Files Using NTFS Stream s
Find Hidden Files Using ADS Spy
Hiding Files Using the Stealth Files Tool
Extracting SAM Hashes Using PWdump7 Tool
User System Monitoring and Surveillance Needs Using Spytech Spy Agent
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
the targets security posture and exposure.
C E H L ab M an u al Page 309
Extracting Administrator
Passwords Using LCP
Link Control Protocol (LCP) ispart of the Point-to-Point (PPP)protocol In PPP
communications, both the sending and receiving devices send out LCP packets to
determine specific information requiredfor data transmission.
Lab Scenario
l^7 Valuable
information
S
Test your
knowledge______
*a Web exercise
Q Workbook review
Lab Objectives
Tlie objective o f tins lab is to help students learn how to crack administrator
passwords for ethical purposes.
111 this lab you will learn how to:
^^Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 310
Lab Environment
To carry out the lab you need:
You can also download the latest version o f LCP from the link
http: / www.lcpsoft.com/engl1sh/1ndex.htm
E th ica l H a ck in g and C ounterm easures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.
Lab Duration
Time: 10 Minutes
Overview of LCP
LCP program mainly audits user account passw ords and recovers diem 111
Windows 2008 and 2003. General features o f diis protocol are password recovery,
brute force session distribution, account information importing, and hashing. It can
be used to test password security, or to recover lost passwords. Tlie program can
import from die local (or remote) computer, or by loading a SAM, LC, LCS,
PwDump or Smtt tile. LCP supports dictionary attack, bmte lorce attack, as well as a
hybrid ot dictionary and bmte torce attacks.
Lab Tasks
9
TASK 1
1. Launch the Start menu by hovering the mouse cursor 011 the lower-left
corner of the desktop.
Cracking
Administrator
Password
C E H L ab M an u al Page 311
Start
Administrator
Server
Manager
Windows
PowerShell
Computer
Control
Panel
Google
Chrome
Hyper-V
Manager
LCP
tet
*9
Hyper-V
Virtual
Machine...
SQL Server
Installation
Center...
Mozilla
Firefox
Global
Network
Inventory
?
Command
Prompt
Ifflfmrtbfimr
II
Nmap
Zenmap
GUI
Woikspace
Studio
Ku
Dnktop
TZI
LCP
File
View
Im port
Session
a c #
"Dictionaiy attack
6
Hybrid attack
Dictionary word:
User Name
Help
0
LM Password
? * * a
r
I0
NT Password
0.0000
I <8
>14
% done
LM Hash
NT Hash
4 . From die menu bar, select Import and then Import from rem ote
com puter.
C E H L ab M an u al Page 312
LCP
| File
fh
Help
9 e
Dictionary wc
User Name
X done
LM Hash
NT Hash
C Q l CP is logically a
transport layer protocol
according to the OSI
model
View
In
Computer
OK
Dictionary at!
Dictionary word:
User Name
WIN-039MR5HL9E4
Cancel
Help
Import type
() Import from registry
Connection
Execute connection
Shared resource: hpc$
User name: Administrator
Password: I
0 Hide password
Ready for passw!
C E H L ab M an u al Page 313
View
Im port
Session
Dictionary attack
Hybrid attack
Dictionary word:
User Name
LM Password
NO PASSWO.
Guest
1 *
1 10
^Adm inistrator
Help
a e + l 0 !?>
r
0.0000
NT Password
NO PASSWO. .
<8
NO PASSWO...
X done
>14
LM Hash
NO PASSWORD
BE40C45QAB99713DF.J
NO PASSWORD
NO PASSWORD
C25510219F66F9F12F.J
NT Hash
^ L A N G U A R D .. . NO PASSWO.
NO PASSWORD
- C Martin
NO PASSWO.
NO PASSWORD
5EBE7DFA074DA8EE..
S Juggyboy
NO PASSWO.
NO PASSWORD
488CD CD D222531279.
fi Jason
NO PASSWO.
NO PASSWORD
2D 20D 252A479F485C..
- C Shiela
NO PASSWO.
NO PASSWORD
0CB6948805F797BF2...
r a :
View
Im port
Session
Help
* o e
0 0 4 H 11 1 1 ^ 8 l M
Dictionary attack
Hybrid attack
/ |7
LM Password
NT Password
<8
Administrator NO PASSWO...
G uest
NO PASSWO...
>14
x
NO PASSWO...
NT Hash
NO PASSWORD
BE40C45CAB99713DF..
NO PASSWORD
NO PASSWORD
- E lANGUAR...
NO PASSWO...
NO PASSWORD
C25510219F66F9F12F..
^ M a r t in
NO PASSWO... apple
NO PASSWORD
5EBE7DFA074DA8EE
^Qjuqqyboy
NO PASSWO... green
NO PASSWORD
488CDCD D222531279..
^ 3 Jason
NO PASSWO... qwerty
NO PASSWORD
2D20D252A479F485C..
S h ie la
NO PASSWO... test
NO PASSWORD
OCB6948805F797B F2...
LM Hash
FIGURE 1.7: LCP generates the password for the selected username
Lab Analysis
Document all die IP addresses and passwords extracted for respective IP addresses.
Use tins tool only for training purposes.
Tool/Utility
LCP
User Name
Martin
Juggvboy
Jason
Sluela
N T Password
apple
green
qwerty
test
Questions
1. \Y11at is the main purpose o f LCP?
2 . How do von continue recovering passwords with LCP?
0 No
Platform Supported
0 Classroom
C E H L ab M an u al Page 315
0 !Labs
Lab Scenario
/ Valuable
information
' Test your
knowledge
SB Web exercise
m
Workbook review
Once the hacker has fully hacked the local system, installed their backdoors and
port redirectors, and obtained all the information available to them, they will
proceed to hack other systems 011 the network. Most often there are matching
service, administrator, or support accounts residing 011 each system that make it
easy for the attacker to compromise each system in a short am ount o f time. As
each new system is hacked, the attacker performs the steps outlined above to
gather additional system and password information. Attackers continue to
leverage inform ation 011 each system until they identity passwords for accounts
that reside 011 highly prized systems including payroll, root domain controllers,
and web servers. 111 order to be an expert ethical hacker and penetration tester,
you m ust understand how to hide files using NTFS streams.
Lab Objectives
The objective o f tins lab is to help students learn how to lnde files using NTFS
streams.
& T ools
dem onstrated in
Use NTFS streams
this lab are
available in
Hide tiles
D:\CEHTools\CEHv8
Module 05 System
Hacking
To carry out the lab you need:
Lab Environment
C E H L ab M an u al Page
Lab Duration
Tune: 15 Minutes
NTFS (New
Technology File System) is
die standard file system of
Windows.
NTFS supersedes die FAT file system as the preferred file system lor Microsoft
Windows operating systems. NTFS has several improvements over FAT and HPFS
(High Performance File System), such as unproved support lor metadata and die
use of advanced data structures.
Lab Tasks
Sd. TASK 1
NTFS Stream s
3 . Create a folder called m agic on the C:\ drive and copy c a lc .e x e from
C :\w indow s\system 32 to C:\magic.
7 . N ote the file siz e o f the readm e.txt by typing dir 111 the command
prom pt.
8. N ow hide c a lc .e x e inside the readm e.txt by typing the following 111 the
com m and prompt:
type c:\m a g ic\ca lc.ex e > c:\m agic\readm e.txt 1c a lc .e x e
C E H L ab M an u al Page 317
-lo|x|
re a d n e .tx t
C : S n a g ic > d ir
U o lu n e i n d r i u e C h a s n o l a b e l .
U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F
D ir e c to r y
0 9 /1 2 /2 0 1 2
0 9 /1 2 /2 0 1 2
0 1 /1 9 /2 0 0 8
0 9 /1 2 /2 0 1 2
of
C :\n a g ic
0 5 : 3 9 AM
< D IR >
0 5 : 3 9 AM
< D IR >
0 6 : 5 1 AM
1 8 8 ,4 1 6 c a lc . e x e
0 5 : 4 0 AM
12 r e a d n e . t x t
1 8 8 ,4 2 8 b y te s
2 F ile < s >
2 D ir < s >
4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s f r e e
C : \ m a g ic > ty p e
c : \ n a g ic \c a lc . e x e
> c :\n a g ic \r e a d n e . t x t: c a lc . e x e
C :\m a g ic >
Type dir 111 com m and prom pt and note the tile size o f readm e.txt.
[cTTAdministrator Command Prompt
D ir e c to r y
0
0
0
0
9 /1
9 /1
1 /1
9 /1
2 /2
2 /2
9 /2
2 /2
01
01
00
01
2
2
8
2
of
C :\n a g ic
0 5 : 3 9 AM
< D IR >
0 5 : 3 9 AM
< D IR >
0 6 : 5 1 AM
1 8 8 ,4 1 6 c a lc . e x e
12 r e a d n e . t x t
0 5 : 4 0 AM
1 8 8 ,4 2 8 b y te s
2 F ile < s >
4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s fr e e
2 D ir < s >
C : \ n a g ic > ty p e
c : \ n a g ic \c a lc . e x e
> c :\m a g ic \ r e a d m e . t x t : c a l c . e x e
C :\m a g ic > d ir
U o lu n e i n d r i u e C h a s n o l a b e l .
U o lu n e S e r i a l N u n b e r i s 3 4 C 9 - D 7 8 F
D ir e c to r y
0 9 /1 2 /2 0 1
0 9 /1 2 /2 0 1
0 1 /1 9 /2 0 0
0 9 /1 2 /2 0 1
2
2
8
2
of
C :\n a g ic
0 5 : 3 9 AM
<
0 5 : 3 9 AM
<
1 8 8 ,4 1 6 c a lc . e x e
0 6 : 5 1 AM
0 5 : 4 4 AM
12 r e a d n e . t x t
1 8 8 ,4 2 8 b y te s
2 F ile < s >
4 ,3 7 7 ,4 1 5 ,6 8 0 b y te s f r e e
2 D ir < s >
LJ
FIGURE 23: Command prompt with executing hidden calc.exe command
10. Tlie tile s iz e o f the readme.txt should not ch ange. N ow navigate to the
directory c:\m agic and d e le te ca lc .e x e .
C E H L ab M an u al Page 318
-I ! X
0 5 : 3 9 AM
< D IR >
0 6 : 5 1 AM
1 8 8 ,4 1 6 c a lc . e x e
0 5 : 4 0 AM
12 re a d m e .tx t
2 F ile < s >
1 8 8 ,4 2 8 b y te s
2 D ir < s >
4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s f r e e
C :\m a g ic > ty p e
c :\m a g ic \c a lc .e x e
> c :\ m a g ic \ r e a d m e . t x t : c a l c . e x e
C :\m a g i c > d i r
U o lu m e i n d r i u e C h a s n o l a b e l .
U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F
D ir e c to r y
0
0
0
0
9
9
1
9
/1
/1
/1
/1
2 /2
2 /2
9 /2
2 /2
01
01
00
01
of
2
2
8
2
C :\m a g ic
0 5 : 3 9 AM
< D IR >
0 5 : 3 9 AM
< D IR >
0 6 : 5 1 AM
1 8 8 .4 1 6 c a lc . e x e
0 5 : 4 4 AM
12 r e a d m e .tx t
2 F ile < s >
1 8 8 ,4 2 8 b y te s
2 D ir < s >
4 ,3 7 7 ,4 1 5 ,6 8 0 b y te s f r e e
C : \ m a g ic > m k lin k b a c k d o o r .e x e r e a d m e . t x t : c a lc . e x e
s y m b o lic l i n k c r e a te d t o r b a c k d o o r .e x e
= = = >> r e a d m e . t x t : c a l c . e x e
C :\m a g ic >
12. Type backdoor, press Enter, and the the calculator program will be
ex ecu ted .
HB
0 9 /1 2 /2 0 1 2
0 5 : 4 0 AM
2 F ile < s >
2 D ir < s >
C :\m a g ic > ty p e
122 r e a d m e . t x t
1
1 8 8 ,. 4 2 8 b y t e s
4 ,3 7 7 ,6 7 7 .8 :
c : \ m a g ic \c a lc .e x e
> c :S
C :\m a g ic > d ir
U o lu m e i n d r i v e C h a s n o l a b e l .
U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F
D ir e c to r y
0
0
0
0
9 /1
9 /1
1 /1
9 /1
2 /2
2 /2
9 /2
2 /2
012
012
008
012
of
C :\m a g ic
< D IR >
0 5 :3 9
AM
< D IR >
0 5 :3 9
AM
1 8 8 ,4 1
0 6 :5 1
AM
0 5 :4 4
AM
1 8 8 ,4
2 F ile < s >
4 ,3 7 7 ,4 1 5 ,6
2 D ir < s >
C :\ m a g ic > m k lin k b a c k d o o r .e x e r e a d n e . t i
s y m b o lic l i n k c r e a te d f o r b a c k d o o r .e x t
C :\m a g ic )b a c k d o o r
| 1 1
_! _
_lI_lI.
_lI_u_lI.
_lI _l.
Backspace
CE
sqrt |
_ !_ 1 .
MR |
j d
MS |
C : \ m a c r ic >
1/x |
Lab Analysis
Document all die results discovered during die lab.
Tool/Utility
NTFS Streams
Questions
1. Evaluate alternative m ethods to hide the other exe files (like
calc.exe).
0 No
Platform Stipported
0 Classroom
C E H L ab M an u al Page 320
0 !Labs
3
Find Hidden Files Using ADS Spy
A ds Spy is a tool used to list, view, or deleteAlternate Data Stream (AD S) on
Windons Server2008 nith N T F S filesystems.
I CON
KEY
/ Valuable
information
S
Test your
knowledge
m. Web exercise
ffi! Workbook review
Lab Scenario
Hackers have many ways to obtain passwords. Hackers can obtain passwords
from local computers by using password-cracking software. To obtain
passwords from across a network, hackers can use remote cracking utilities or
network analyzers. Tins chapter demonstrates just how easily hackers can gather
password inform ation from your network and describes password
vulnerabilities that exit in com puter networks and countermeasures to help
prevent these vulnerabilities from being exploited on your systems. 111 order to
be an expert ethical hacker and penetration tester, you m ust understand how to
find hidden files using ADS Spy.
Lab Objectives
The objective o f tins lab is to help students learn how to list, view, or delete
A lternate Data Stream s and how to use them.
It will teach you how to:
t~Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 321
Lab Environment
To carry out the lab you need:
You can also download the latest version o f ADS Spy from the link
http: / / www.menjn.11u/program s.php#adsspv
Lab Duration
Tune: 10 Minutes
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) 011
Windows Server 2008 with NTFS file systems. ADS Spy is a method o f stonng
meta-information o f files, without actually stonng die information inside die file it
belongs to.
Lab Tasks
m. TASK 1
Alternative Data
Streams
1.
[Ready
C E H L ab M an u al Page 322
ADS are a w ay
of storing metainformation
regarding files,
without actually
storing the
information in the
file it belongs to,
carried over from
early MacOS
compatibility
11? Ignore safe system info data streams ('encryptable', 'Summarylnformation', etc)|
r
j|
5. Find the ADS hidden info file while }*ou scan the system for alternative
data streams.
& Compatible
with: Windows
Server 2012,
20008
C E H L ab M anual P ag e 323
Lab Analysis
Document all die results and reports gathered during die lab.
Tool/Utility
ADS Spy
Output:
Questions
1. Analyze how ADS Spy detects NTFS streams.
Internet Connection Required
Yes
Platform Supported
0 Classroom
C E H L ab M an u al Page 324
0 !Labs
Workbook review
The Windows N T NTFS hie system has a feature that is not well documented
and 1s unknown to many N T developers and m ost users. A stream 1s a hidden
file that is linked to a norm al (visible) file. A stream is not limited 111 size and
there can be more than one stream linked to a normal tile. Streams can have any
name that complies with NTFS naming conventions. 111 order to be an expert
ethical hacker and penetration tester, you m ust understand how to hide tiles
using the Stealth Files tool. 111 this lab, discuss how to tind hidden tiles inside o f
other tiles using the Stealth Files Tool.
Lab Objectives
The objective o f this lab is to teach students how to hide files using the Stealth
Files tool.
It will teach you how to:
Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 325
Hide tiles
Lab Environment
To carry out tins lab you need:
You can also download the latest version o f Stealth Files from the link
http://w w w .froebis.com /engl 1sh /sf 40 .shtml
Lab Duration
Time: 15 Minutes
Stealth files use a process called steganography to lude any tiles inside o f another
.
Lab Tasks
B
TASK 1
Stenography
2. Launch Notepad and write Hello World and save the file as R eadm e.txt
on the desktop.
readm e - N otepad
File
Edit
Format
View
Help
f l e l l o W o rld !
3. Launch the Start m enu by hovering the mouse cursor on the lowerleft corner o f the desktop.
4 . Click the Stealth Files 4.0 app to open the Stealth File window.
5. The main window o f Stealth Files 4.0 is shown 111 the following figure.
This is an
alternative to
encryption
b ecau se no one
can decrypt
encrypted
information or
files unless they
know that the
hidden files exist.
C E H L ab M anual P ag e 327
I
r
^J
Create a Backup of the Carrier File!
C E H L ab M an u al Page 328
9 . In Step 2 , choose the carrier file and add the file R eadm e.txt f r o m the
desktop.
10. In Step 3, choose a password such as m agic (you can type any desired
password).
13
! I
\ x
remove the
hidden files from
the carrier file by
going to Remove
Hidden Files and
following the
instructions
I-
:d
magic)
I Hide Files! |
13. O pen the notepad and check the file; c a lc .e x e is copied inside it.
readm e N otepad
File
Edit
F orm at
V iew
I ~ I
H elp
)H e llo W o rld !
h e h jlfc le d im m a ia lm o k b m p p o n ie g m b k ln n h a c d a h h h n o k e b ib jb ie h a a lb p o f
p p h ifh lb k id o fh a k n b in k a d c a jjb p iia n jd h ib o b ig a g d g jo b p b fo jh k g g e e ia
b id jn c n ffb e a k jg h fb c c m h h iim h p p ip h m n e o m k b k h fc b d a fc p c h im g b ifjc id j
lo c g fih d d ilm c fd m c fo fd n c jd c o n g p b c ja d je b o b p n o e g d d b c jk n b jb k k n h a e b
lo c d k flm p n fc g jo b k lb c p g o k h h le llim fp fn c p ig o p o p d e g in a a o e g c k k p c k m g
le o n m b fn g b ln b h c ik fd h k m g io d c fg n lg g o a d d c a jm p ip fib h p p g g c g im m k a d n j
e b fb ld fd d fo ie a e lg n p p id m p jd g m h o p ije h lik e b lfn h o ifla m a d a m p a p b e e c a
k lfg p h fn a b d jm m e p b b g k h d c jp d p a m c jfc ld k e o m fb n c jd p e k p ja ib p c ie p o lb k
m e le p h c p f jp ik f ic k lf a k o o n n jle h b b jd a d a ip h k jg n o n ie lje a h fp a la p p d b a
c ile n o id lh ib e k p b h e jm ifn g f h f a p m h a fb lifh lc g ia e b k ijik g o h d a g e e b ip b
o p c k h je h ip o c e k jo ip e n d e o e a llb a k e p m k d d n e im b fg ie lb m b o o k ia d e lllm n j
in ffm o n b k lk k a d p a h ifk p la n a b k d p p b fd c io a ja e k k p p n c g o jg d n h lk jm o fm n g
o e g jh k n m c ifjg jc p o fo c ie d c b fp fm k lm b e m o iib jjd e n jk n lm n lm c io n e o ik n i
lh k n je a p o n o b m k a lijm p lh m la fjfp a fk g fb d b lh fc b d n m jia e g n p k m n h e ih ie c
fn ln a dn n o a o n eo p o o p b b ag m d a oh m e kd gfce kcn b cg m injem e g p nn h e in o ilg e j
o o ig lc d h a c lc h jlh d g ib o o h e m b n a p m k m e p a o k jc h h g c jb id fh a k c lg fb m a p n b d
o p k m e g fo a n e g d m lm fo n fn o p b k e h o n e in c d h ln o e fa h b n ifd jb d lg b h ije jc e ia
kam gkajbbn ln d b ig ga g m cg nb n m a foh o g a ckcd n khb o m g o fp d e g ib ikm jm d p fkg
14. N ow open the Stealth files Control panel and click Retrieve Files.
C E H L ab M anual Page 329
\
Stealth Fi1es 4.0
Hide Files
Retrieve Files
Close Program
FIGURE 4.8: Stealth files main window
15. 111 Step 1, choose the tile (Readme.txt) from desktop 111 which you have
saved the c a lc .e x e .
16. 111 Step 2, choose the path to store the retrieved hidden file. 111 the lab
the path is desktop.
17. Enter the password m agic (the password that is entered to liide the tile)
and click on R etrieve Files!
Stealth File! 4.0
Retrieve Files...
I 1
T x
z l
Retrieve Files!
0 5 Vorslon;
IP Address
MAC Addr:
Host Name
Windows NT 62
(non)
D4 BE 09 CJ CE 20
WIN-039MR6HL9E4
Lab Analysis
Document all die results and reports gadiered during die lab.
Tool/Utility
S tealth Files
T ool
Questions
1. Evaluate other alternative parameters tor hiding files.
Internet Connection Required
Yes
0 No
Platform Supported
0 Classroom
C E H L ab M an u al Page 331
0 !Labs
Lab
Lab Scenario
[Z7 Valuable
iiiformation_____
Passwords are a big part ot this m odern generation. You can use the password
for your system to protect the business or secret inform ation and you may
choose to limit access to your PC with a W indows password. These passwords
are an im portant security layer, but many passwords can be cracked and while
that is worry, tliis clunk 111 the arm our can come to your rescue. By using
password cracking tools or password cracking technologies that allows hackers
to steal password can be used to recover them legitimately. 111 order to be an
expert ethical hacker and penetration tester, you must understand how to crack
administrator passwords. 111 tins lab, we discuss extracting the user login
password hashes to crack the password.
Test your
knowledge
=
Web exercise
Workbook review
Lab Objectives
Tins lab teaches you how to:
Lab Environment
To carry out the lab you need:
_^Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 332
You can also download the latest version o f pwdump7 from the link
http:/ / www.tarasco.org/security/pwdum p 7 / 111dex.html
Lab Duration
Time: 10 Minutes
Overview of Pwdump7
Pw dum p 7 can be used to dum p protected tiles. You can always copy a used file
just by executing: pwdum p 7 .exe -d c:\lockedf 11e.dat backup-lockedf 11e.dat. Icon
key
Lab Tasks
1. O pen the com m and prom pt and navigate to D:\CEH-Tools\CEHv8
Generating
H ashes
& Active
directory
passw ords are
stored in the
ntds.dit file and
currently the
stored structure
M o d u le 05 S y s te m H a c k in g \ P a s s w o r d C r a c k in g M J in d o w s
P a s s w o rd C
3 . N ow type pw dum p7.exe and press Enter, which will display all the
password hashes.
C E H L ab M an u al Page 333
P a s s w o rd C
*: BE40 C 45 0 A B 99 7 13 D F1 ED C 5 B 4 0C 2 SA
*:NO PASSWORD*
* :C 2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F C 9 B E 6 6 2
* :5 E B E 7 D F A 0 7 4 D A 8 E E 8 A E F 1 F A A 2 B B D E 8 7 6 : : :
* * * :4 8 8 C D C D D 2 2 2 5 3 1 2 7 9 3 E D 6 9 6 7 B 2 8 C 1 0 2 5 :
* :2 D 2 0 D 2 5 2 A 4 7 9 F 4 8 5 C D F 5 E 1 7 1 D 9 3 9 8 5 B F :: :
* * :0 C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 A 8 2 8 0 7 9 7 3 B 8 9 5 3 7 :: :
M o d u le 05 S y s te m H a c k in g S P a s s w o rd C ra c k in g V W in d o w s
P a s s w o rd C
4 . N ow type pw dum p7.exe > c:\h ash es.txt 111 the com m and prom pt, and
press Enter.
Tins com m and will copy all the data ot pw dum p7.exe to the
c:\h a sh es.tx t file. (To check the generated hashes you need to navigate
to the C: drive.)
hashes.txt - Notepad
File
Edit
Format
View
Help
( A d m in i s t r a t o r : 5 0 0 : NO
PASSWORD* * * * * * * * * * * * * * * * * * * : BE40C450AB997 13DF1EDC5B4 0C25 AD4 7
G u e s t: 5 0 1 : NO PASSWORD* * * * * * * : NO
PASSWORD* * * * : : :
LANGUARD_11_USER: 1 0 0 6 : NO
PASSWORD* * * * * * * * * * * * * * * * : C2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F C9 B E 6 6 2 A 6 7 B 9 6 0
M a r t i n :1 0 1 8 :NO
P A S S W O R D * * * * * * * * * * * * * * * 5 : * * * EBE7DFA074DA8EE8AEF1FAA2BBDE876
Duggyboy : 1 0 1 9 : NO
P A S S W O R D * 4 8 8 : * * * * * * * * * * * * * * * * * * CDCDD2225312793ED6967B28C1025
3 a s o n :1 0 2 0 :N O
P A S S WOR D * * * * * 2 : * * * * * * * * * * * * * * * D20D252A479F485CDF5E171D93985BF
S h i e l a :1 0 2 1 :NO
P A S S W O
* * * * 0 : * * * * * * * * * CB6948805F797BF2A82807973B89537
Lab Analysis
Analyze all the password hashes gathered during die lab and figure out what die
password was.
Tool/Utility
PW dum p7
Administrator
Guest
Lauguard
Martin
Juggyboy
Jason
shiela
Questions
1. W hat is pwdum p 7 .exe com m and used for?
2 . How do you copy the result o f a comm and to a file?
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 335
0 !Labs
Lab Scenario
ICON KEY
[II7 Valuable
information
111 computer and information security, the use ot password is essential for users to
protect their data to ensure a seemed access to dieir system or machine. As users
become increasingly aware o f the need to adopt strong passwords, it also brings
challenges to protection o f potential data. 111 diis lab, we will discuss creating die
rainbow table to crack the system users passwords. 111 order to be an expert ethical
hacker and penetration tester, you must understand how to create rainbow tables to
crack the administrator password.
Test your
knowledge
== Web exercise
m
Workbook review
Lab Objectives
The objective o f this lab is to help students how to create and use rainbow
table to perform system password hacking.
Lab Environment
To earn out die lab, you need:
^^Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 336
You can also download the latest version o f Winrtgen from the link
http: / / www.ox1d.it/ projects.html
If you decide to download the latest version, then screenshots shown 111 the
lab might differ
E th ica l H a ck in g and C ounterm easures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.
Lab Duration
Time: 10 Minutes
You can also
download Winrtge from
s lunj/www 0x1dlt/p10ject A rainbow table is a precomputed table for reversing cryptograpliic hash functions,
usually for cracking password hashes. Tables are usually used 111 recovering plaintext
passwords, up to a certain length, consisting o f a limited set of characters.
Lab Task
TASK 1
Generating
Rainbow Table
Add T able
Rainbow tables
usually used to crack a lot
of hash types such as
Status
Remove
About
Remove All
OK
Exit
N T L M , M D 5 , SH A1
C E H L ab M an u al Page 337
III
Add Table
Remove
Remove All
OK
About
Exit
iii. Select loweralpha from die Charset drop-down list (diis depends on the
password).
4.
Click OK.
R ain bow Table p rop erties
r
Hash
|ntlm
v T o o ls
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
Min Len
I4
-M ax Len rIndex
1
I9
Chain Len
Chain Count
|2400
I4000000
|abcdefghiiklmnopqrstuvwxyz
Table properties
Key space: 5646683807856 keys
Disk space: 61.03 MB
Success probability: 0.001697 (017%)
Benchmark
Optional parameter
Hash speed:
|Administrator
Step speed:
Table precomputation time:
Total precomputation time:
Max cryptanalysis time:
Benchmark |
C E H L ab M an u al Page 338
Status
ntlm_lowe(alpha#4-9_0_2400x4000000_oxid8000.rt
III
Add Table
Remove
Remove All
OK
About
Exit
Creating the hash table will take some time, depending on the selected hash
and charset.
Note: To save die time tor die lab demonstration, die generated hash table
is kept in die following !older: D:\CEH-Tools\CEHv8 Module 05 System
Hacking\Rainbow Table Creation ToolsYWinrtgen
7.
winrtgen.exe.
Winrtgen
'L
5
CEHv8 M o d u le 05 S y stem H acking
&Favorites
D esktop
J . D o w n lo ad s
%
R ecen t pla ce s
Search W inrtgen
N am e
D ate m od ifie d
T ype
M c h arset.tx t
7/1 0 /2 0 0 8 &29 PM
T ext D o c u m e n t
9/18/201211:31 A M
RT File
H! w in rtg en .e x e
7 /1 0 /2 0 0 8 1 0 :2 4 PM
A pplic ation
7/1 0 /2 0 0 8 10:33 PM
SJG File
w inrtgen.e xe.sig
Size
6KB
62,500 KB
259 KB
1 KB
Libraries
[ J D o c u m e n ts
M usic
II! P ictu res
H
Videos
C o m p u te r
&
Local Disk ( C )
1 m N ew V o lu m e (D:)
4 ite m s
1 ite m se le c te d 61.0 MB
State: Q
S hared
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility
W inrtge
0 No
Platform Supported
0 Classroom
C E H L ab M an u al Page 340
0 !Labs
Lab Scenario
1' J Valuable
mforination_____
Test your
knowledge______
a s Web exercise
m
Workbook review
Computer passwords are like locks on doors; they keep honest people honest. It
someone wishes to gam access to your laptop or computer, a simple login password
will not stop them. Most computer users do not realize how simple it is to access die
login password for a computer, and end up leaving vulnerable data on their
computer, unencrypted and easy to access. Are you curious how easy it is for
someone to gain access to your computer? Windows is still the most popular
operating system, and die method used to discover the login password is die easiest.
A hacker uses password cracking utilities and cracks vour system. That is how simple
it is for someone to hack your password. It requires 110 technical skills, 110 laborious
tasks, onlv simple words 01 programs. 111 order to be an ethical hacker and
penetration tester, you must understand how to crack administrator password. 111
tins lab we discuss how to crack guest users or administrator passwords using
RainbowCrack.
Lab Objectives
~ T o o ls
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page
The objective ot this lab is to help students to crack p assw ord s to perform
system password hacking.
Lab Environment
To earn out die lab, you need:
You can also download the latest version o f RainbowCrack from the
link h ttp ://proiect-ra111bowcrack.com/
E th ica l H a ck in g and C ounterm easures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.
If you decide to download die latest version, dien screenshots shown in die
lab nnght differ
Lab Duration
Tune: 10 Minutes
Overview of RainbowCrack
RainbowCrack is a computer program diat generates rainbow tables to be used 111
password cracking. RainbowCrack differs from "conventional" bmte force crackers
in diat it uses large pre-computed tables called rainbow tables to reduce die lengdi of
time needed to crack a password.
Lab Task
E
t a s k
Generating the
Rainbow Table
m RainbowCrack for
GPU is the hash cracking
program in RainbowCrack
hash cracking utilities.
RainbowCrack 1.5
File | E d it
R a in b o w T a b le
H e lp
P la in te x t in
A d d H a s h ...
H ex
L o a d H a s h e s f r o m File...
L o a d LM H a s h e s f r o m P W D U M P File...
L o a d N T L M H a s h e s f r o m PW D U M P File..
S a v e R e su lts...
3.
ii.
iii.
Paste into die Hash held, and give die comment (optional).
1V.
Click OK.
hashes.txt - Notepad
File
Edit
Format
View
Help
Undo
A d m i n i s t r a t o r : 5 0 0 : NO
Cut
P A S S W O R D * * * * * * * * * * * * * * * * * * * * * : BE40C450AB
Q | RainbowCrack uses
time-memoiy tradeoff
algorithm to crack hashes. It
differs from the hash crackers
that use brute force algorithm
G u e s t : 5 0 1 : NO P A S S W O R D * * * * * * * * * * * * * * * * * * " !
Copy
P A S S W O R D ********************** *
Paste
LANGUARD_11_USER: 1 0 0 6 : NO
PASSWORD * * * * * * * * * * * * * * * * * * * : C2 5 5 1 0 2 1 9 F
Delete
Select All
M a r t i n :1 0 1 8 :NO
P
order
: * * * * * * * * * * * * Right
* * * to
* * left
* * Reading
EBE7DFA07
] ug g y b o y : 1 0 1 9 : NO
PASSWORD4 8 8 : * * * * * * * * * * * * * * * * * * * * CDCDD22
D a s o n :1 0 2 0 :N O
P
:* * * * * * * * * * * * *Open
* * * *IME
* * D20D252A4
S h ie la :1 0 2 1 :N O
PASSWORD************ *********
________________________ _____ -
::
RainbowCrack 1.5
File
Edit
R ainbow T able
Help
P l a i n t e x t I n H ex
/Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
0C86948805F797BF2A82807973889537
Comment (optional):
password
Edit
Rainbow Table
H elp
H a sh
P la in te x t
@ 0 c b 6 9 4 e8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3b89537
P l a i n t e x t I n Hex
2 Fun time-memory
tradeoff tool suites, including
rainbow table generation,
sort, conversion and lookup
RainbowCrack 1.5
0 . RainbowCrack's
purpose is to generate
rainbow tables and not to
crack passwords per-se,
some organizations have
endeavored to make
RainbowCrack's rainbow
tables available free over
the internet.
P File
Edit
Rainbow T able
H a sh
0
I [r x TI
H elp
P la in te x t
P l a i n t e x t i n H ex
0 c b 6 9 4 8 8 0 S f 7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
@ 0 c b 6 9 4 8 8 0 5 f7 9 7 b f2 a8 2 8 0 7 9 7 3 b 8 9 5 3 7
@ 4 8 8 c d c d d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5
@ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6
@ c 2 5 5 1 0 2 1 9 6 6 f 9 f l2 f c 9 b e 6 6 2 a 6 7 b 9 6 0
7 . Click die Rainbow Table from die menu bar, and click Search Rainbow
Table...
9 RainbowCrack for
GPU software uses GPU
from NVIDIA for
computing, instead of
CPU. By offloading
computation task to GPU,
the RainbowCrack for
GPU software can be tens
of times faster than nonGPU version.
8. Browse die Rainbow Table diat is already generated 111 die previous lab,
which
05
System
9 . Click Open.
Open
^
O rganize
jA
w in rtg e n
( j | | Search w in rtg e n
New fo ld e r
Recent places
[jjj
ki
N am e
Date m o d ifie d
Type
9/18/2012 11:31 A M
RT File
M usic
ntlm .loweralphag4-6.0.24001(4000000.ox..
Libraries
j3 ] Docum ents
J l M usic
E Q a time-memory
tradeoff hash cracker need
a pre-computation stage, at
the time all plaintext/hash
pairs within the selected
hash algorithm, charset,
plaintext length are
computed and results are
stored in files called
rainbow table
Pictures
Videos
1^
C om puter
^
>1
Filenam e:
ntlmjoweralpha*4-6_0_2400x4000000_oxid* v
10. It will crack the password, as shown 111 the following figure.
RainbowCrack 1.5
File
Edit
Rainbow Table
H elp
H ash
P l a i n t e x t I n Hex
Com ment
p a ssw o rd
0 c b 6 9 4 8 8 0 5 f7 9 7 b f 2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
0 c b 6 9 4 e 8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
te s t
74657374
4 8 8 c d c 6 d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5
g ree n
677265656c
5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6
a p p le
6170706C65
c 2 5 5 1 0 2 1 9 f6 6 f 9 fl2 fc 9 b e 6 6 2 a 6 7 b 9 6 0
2 d 2 0 d 2 5 2 a 4 7 9 f 4 8 5 c d f 5 e l7 1 d 9 3 9 8 5 b f
==!RainbowCrack focus
on tlie development of
optimized time-memory
tradeoff implementation,
and generation of large
rainbow tables.
te s t
74657374
7
q w e r ty
717765727479
2 .3 4 s
0.00 s
0 .1 9 s
0 .0 8 s
5755200
35850648
55125
9 .7 1 million/s
1 5 .3 3 mllllon/s
/s
Lab Analysis
Analyze and document die results related to the lab exercise.
Tool/Utility
Administrator
Guest
Languard
Martin
Juggyby
R ainbow C rack
Jason
Sluela
test
test
green
apple
qwerty
Questions
1. W hat kind o f hashes does RainbowCrack support?
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 347
0 !Labs
Lab
Extracting Administrator
Passwords Using LOphtCrack
U)phtCrack is packed with powerfulfeatures, such as scheduling, hash extraction
fro/// 64-bit Windows versions; multiprocessor algorithms, and network monitoring
and decoding. It can impotf and crack U N IX passwordfiles and remote Windows
machines.
Lab Scenario
/ Valuable
information
Test your
knowledge______
^
Web exercise
Since security and compliance are high priorities for m ost organizations, attacks
011 a company 01 organization's com puter systems take many different forms,
such as spooling, smurfing, and other types o f demal-of-service (DoS) attacks.
These attacks are designed to harm 01 interrupt the use o f your operational
systems.
Password cracking is a term used to describe the penetration o f a network,
system, 01 resource with 01 w ithout the use o f tools to unlock a resource that
has been secured with a password. 111 tins lab we will look at what password
cracking is, why attackers do it, how they achieve their goals, and what you can
do to do to protect yourself. Through an examination o f several scenarios, m
tins lab we describe some o f the techniques they deploy and the tools that aid
them 111 their assaults and how password crackers work both internally and
externally to violate a company's infrastructure.
111 order to be an expert ethical hacker and penetration tester, you m ust
understand how to crack administrator passwords. 111 tins lab we crack the
system user accounts using LOphtCrack.
^^Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page
Lab Objectives
The lab teaches you how to:
Lab Environment
To earn out the lab you need:
Tins tool requires the user to register or you can also use the evaluation
version for a limited period o f time
Lab Duration
Tune: 10 Minutes
Overview of LOphtCrack
LOphtCrack provides a scoring metric to quickly assess password quality.
Passwords are measured against current industry best practices and are rated as
Strong, Medium, Weak, or Fail.
Lab Tasks
TASK 1
Cracking
Administrator
Password
1. Launch the Start m enu by hovering the mouse cursor to the lower left
m ost corner o f the desktop.
vm 1i 5 ! '1
Start
Server
M anager
W indow s
Pow erShel
Google
Chrome
Hyper-V
M anager
Fa
Com puter
Control
Panel
Hyper-V
Virtual
Machine...
SQL Server
Installation
Center...
*J
C om m and
P rom pt
e
/ LOphtCrack supports
pre-computed password
hashes.
Adm inistrator
Intrmrtfupterr
Drdlrp
Mozilla
Firefox
Global
Network
Inventory
<
If
N m ap Zenm ap
GUI
W orkspace
Studio
3
FIGURE 8.2: Windows Server 2012 Apps
x
LO p h tC rack 6 W izard
< Back
ca
LOphtCrack has a
built-in ability to import
passwords from remote
Windows, including 64-bit
versions of Vista, Windows
7, and UNIX machines,
without requiring a thirdparty utility.
Next >
5. Choose Strong P assw ord Audit from the C hoose Auditing Method
wizard and click Next.
1- '
7 . Click Next.
C E H L ab M an u al Page 351
m LOphtCrack offers
remediation assistance to
system administrators.
8. Click Finish.
LOphtCrack Password Auditor v6.0.16
Bogin Auditing
Step
LOphtCrack 6 now ready to b e g n th e passw ord
aud*ing p ro ce ss Plea se confirm th e f o lo w n g settings
an d go b a c k a n d c h a n g e a n y th n g th a t ts not correct
Step 2
[ / ] S a v e th e s e settings a s s e s a o n defaults
Press finish'to b e p n audfcng
Step 5
6g1n
Auditing
C E H L ab M an u al Page 352
Cracked Accounts
J j.
<N
Weak Passwords
Pause
Stop
Schedule Scheduled
Audit
Tasks
Run y Report
LM Password
LMHash__________________________
,X WIN-D39MR... A d m in istrato r
* m issing *
OCKXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
WIN-D39MR... G uest
m issing *
0000000000000000000000000000000(
J t WIN-D39MR... Jason
* m issing *
0000000000000000000000000000000(
* m issing *
Domain
User Name
WIN-D39MR... Ju g g y b o y
* m issing
A WIN-D39MR... M artin
m issing
oooooooooootxxxxxxxxxxxxxxxxxxxx
LOphtCrack 6
0000000000000000000000000000000(
u o rd s t o t a ]
29151
_words_done
10BT5OT?
_______
0000000000000000000000000000000(
Audit c o m p leted .
_______
LtX&
sslaezei
0d Oh 0 Os
OK
____tlMS-lSlt
_ _ l _d o n S
III
>
4 X
Messages
0 9 /1 8 /2 0 1 2
0 9 /1 8 /2 0 1 2
0 9 /1 8 /2 0 1 2
0 9 /1 8 /2 0 1 2
1 4 :4 7 :4 8
1 4 :4 7 :5 2
1 4 :4 7 :5 2
1 4 :4 7 :5 2
M u ^ i- c o r e o p e r a tio n w ith 4 c o re s .
I m p o r te d 2 a c c o u n ts fro m t h e l o c a l
A u d it s t a r t e d .
A u d itin g s e s s i o n c o m p le te d .
m a c h in e
i. Select the Enabled, Crack NTLM P assw ord s check boxes 111
Dictionary Crack.
ii. Select the Enabled, Crack NTLM P assw ord s check boxes 111
Dictionary/Brute Hybrid Crack.
iii. Select the Enabled, Crack NTLM P assw ord s check boxes 111 Brute
Force Crack.
IV.
Select the Enable Brute Force Minimum Character Count check box.
C E H L ab M an u al Page 353
T he Dictionary C ra ck te s ts fo r p a ssw o rd s th a t a re
th e sa m e a s th e w ords fcsted in t h e w ord file. This
te st * very fa s t a n d finds th e w e a k e s t p a ssw o rd s.
D ictionary List
0
C ra ck NTLM P a ssw o rd s
C h a rac ters to a p p e n d
P re co m p u ted
E ! E n ab led
C
Location
T h s c ra c k w o rk s a g a r o t LM a n d NTLM p a ssw o rd s,
but n o t U n a
B a/te F o rce C rack
g]Enabled
L an g u a g e:
J r a c k NTLM P a ssw o rd s
English
a lp h a b e t n u m b ers
C ustom C h a ra c te r S e t (list e a c h c h arac ter):
E T N RIOAS D H LCFPU M YG W VBXKQ JZetnrioasd
hlcfpumygwvbxkqjzOI 23456789
To
QK
Q ancel
13. Click Begin ' ' from the menu bar. LOphtCrack cracks the
adm inistrator passw ord.
C E H L ab M anual P ag e 354
Lab Analysis
Document all die results and reports gathered during die lab.
Tool/Utility
L O p h tC rac k
Administrator
Guest
Jason
Juggvbov
LA N G U A R D _ 11_USER
Martin
qwerty
green
apple
Questions
1. W hat are the alternatives to crack administrator passwords?
2 . W hy is a brute force attack used 111 the LOphtCrack tool?
0 No
Platform Supported
0 Classroom
C E H L ab M an u al Page 355
0 !Labs
Web exercise
Workbook review
Lab Scenario
111 a security system that allows people to choose their own passwords, those people
tend to choose passwords that can be easily guessed. Tins weakness exists 111
practically all widely used systems instead o f forcing users to choose well-chosen
secrets that are likely to be difficult to remember. The basic idea is to ensure that
data available to the attacker is sufficiently unpredictable to prevent an off-line
verification of whether a guess is successful or not; we examine common forms of
guessing attacks, password cracking utilities to develop examples of cryptographic
protocols that are immune to such attacks. Pooiiy chosen passwords are vulnerable
to attacks based upon copying information. 111 order to be an expert ethical hacker
and penetration tester, you must understand how to crack the weak administrator or
system user account password using password cracking tools. 111 tins lab we show
you how to crack system user accounts using Ophcrack.
Lab Objectives
The objective o f this lab is to help students learn:
Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 356
Lab Environment
To earn out die lab, you need:
"
You can also download the latest version o f LOphtCrack from the link
h ttp :/ / ophcrack.sourceforge.net/
E th ica l H a ck in g and C ounterm easures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Duration
Time: 15 Minutes
Overview of OphCrack
Rainbow tables for LM hashes of alphanumeric passwords are provided for free by
developers. By default, OphCrack is bundled with tables diat allow it to crack
passwords no longer than 14 characters using only alphanumeric characters.
Lab Task
TASK 1
Cracking the
Password
1. Launch the Start m enu by hovering the mouse cursor on the lower-left
corner of the desktop.
vnnootfj!xrvff1
0uKetejjeunoioawwucwwr
C E H L ab M an u al Page 357
ophcrackC
1' !
Load
Delete
Progress
Statistics
4A
11/
Save
Tables
C radt
Help
Exit
About
Preferences
Preload:
w attn g
| Brute force:
waiting
j Pwd found:
0/0
Time e lapsed: |
OhOmQs
U/
,..
&
<?
Single h a sh
PW DUMP file
S essio n file
& Ophcrack is
bundled with
tables that allow s
it to crack
passw ords no
longer than 14
characters using
only alphanumeric
characters
E n cry p te d SAM
Local SAM w ith sa m d u m p 2
Local SAM w ith p w d u m p 6
R e m o te SAM
D irectory
P rogress
waiting
| Pw dfouxJ:
5. Browse die PWDUMP file diat is already generated by using P\\T)U M P 7 111
die previous lab 110:5 (located at c :\h a sh e s.tx t).
6. Click Open
C E H L ab M an u al Page 358
0 CO
Organize
available as Live CD
distributions which
automate the retrieval,
decryption, and cracking of
passwords from a Windows
system.
Desktop
Date modified
Type
9/17/2012 9:25 AM
File folder
9/18/2012 2:18 PM
File folder
TFTP-Root
9/4/2012 7:00 PM
File folder
Users
9/18/20122:35 PM
File folder
8/30/20121:06 PM
File folder
W in d o w s
9/15/2012 3:26 PM
File folder
4 W in d o w s .o ld
8/7/2012 1:50 AM
File folder
J,.
W in d o w s .o ld .0 0 0
8/8/2012 12:03 AM
File folder
.r n d __________________
9/19/2012 9:58 AM
RND File
Text Document
j . u sr
(3| Documents
Music
fc l Pictures
Videos
r
: Computer
Local Disk (C:)
. ^ Local Disk (D:)
j i . Program Files
Libraries
Name
Recent places
J ) Music
] I
=- EH m
4 Downloads
S
New folder
hashes.txt
9/18/2012 3:06 PM
|j6j msdos.sys
9/15/2012 2:53 PM
System file
[A user.js
9/6/20124:03 PM
JS File
v,
v j [All Files ( * /)
Open
Si
iu
Load
Delete
Save
Tables
P rogress
Statistics
Preferences
Crack
|
NT H ash
User
A d m in istra to r
BE40C450AB997...
G uest
3 1d6cfe0d16ae9...
C25510219F66F...
LANGUARDJ 1_
M artin
5EBE7DFA074D...
Juggyboy
Jason
488CDCDD2225...
Shiela
0CB69488O5F79...
2D20D252A479F...
7 Ophcrack Cracks
L M andN TL M
Windows hashes
Directory
P rogress
waiting
] Pwd fbcrtd:
8. Click Table. The Table Selection window will appear as shown 111 die
following figure.
ophcrack
Progress
IU
',,sg?
Tables
Crack
Table Selection
Statistics 0
User
D irectory
Table
m XP fre e fast
n o t installed
G uest
XP f re e sm all
n o t installed
LANGUARD_11_
XP special
n o t installed
M artin
# XP g e rm a n v l
n o t installed
Ju g g y b o y
XP g e rm a n v2
n o t installed
Jaso n
Vista special
n o t installed
Shiela
Vista free
n o t installed
Vista nin e
n o t installed
Vista eight
n o t installed
Vista n u m
n o t installed
Vista seven
n o t installed
XP flash
n o t installed
< Vista e ig h t XL
& T o o ls
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
Status
A d m in istra to r
n o t installed
III
<
= e nabled
J = disabled
>
= n o t n sta le d
B B S S
Preload: _______ waiting_______| Brute force: |
waiting
] Pwd fbuxJ:
Tne elapsed:
Oh 0 Os
Note: You can download die free XP Rainbow Table, Vista Rainbow
Tables from h ttp :// ophcrack.sourcelorge.net/tables.php
Table Selection
lable
Directory
XP free fast
not installed
XP free small
not installed
9 XP special
not installed
XP german v1
not installed
XP german v2
not installed
Vista special
not installed
| ! Vista free
not installec
Vista nine
not installed
# Vista eight
not installed
Vista num
not installed
not installed
not installed
XP flash
not installed
III
<l
< = enabled
Status
4 = disabled
<
= not installed
@@
FIGURE 9.8: Installing vista free rainbow table
10. The Browse For Folder window appears; select the the table_vista_free
folder (which is already download and kept at D:\CEH-Tools\CEHv8
Module 05 System Hacking\Password Cracking Tools\Ophcrack)
OphCrack
tables_vista_free
pwdump7
winrtgen
t>
steganography
III
<
Make New Folder
OK
l>
Cancel
12. The selected table vista free is installed,; it shows a green color ball which
means it is enabled. Click OK.
?
Table Selection
Directory
fable
Status
XP free fast
not installed
XP free small
not installed
XP special
not installed
XP german v1
not installed
XP german v2
not installed
Vista special
net installed
>
Vista free
Vista nine
not installec
Vista eight
not installed
Vista num
not installed
Vista seven
not installed
XP flash
not installed
Vista eight XL
not installed
III
= enabled
on disk
<
4 = disabled
>
# = not installed
Install
13. Click Crack: it will crack die password as shown 111 die following figure.
ophcrack
i
This is necessary if die
generation of die LM hash
is disabled (this is default
for Windows Vista), or if
the password is longer than
14 characters (in which
case the LM hash is not
stored).
Load
Delete
Progress
Statistics
User
a/
Save
Tables
Crack
Help
Bat
Preferences
LM Hash
N T Hash
Administrator
BE40C450AB997...
Guest
31d6cfe0d16ae9...
LM Pwd 1
LM Pwd 2
N T Pwd
empty
C25510219F66F...
LANGUARD 11_...
Martin
5EBE7DFA074D...
apple
Juggyboy
488CDCDD2225...
green
Jason
2D20D252A479F...
qwerty
Shiela
0CB6948805F79...
test
!ab le
Directory
Status
100% in RAM
Progress
Lab Analysis
Analyze and document the results related to the lab exercise.
T o o l/U tility
User Names:
OphCrack
Administrator
Guest
LA N G U A R D _ 11_USER
Martin
Juggyby
Jason
Slieiela
apple
green
qwerty
test
E th ical H a ck in g and C ounterm easures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.
Questions
1. W hat are the alternatives to cracking administrator passwords?
In te rn e t C o n n ectio n R eq u ired
Yes
0 No
Platform Supported
0 Classroom
C E H L ab M an u al Page 363
0 !Labs
Lab Scenario
^_ Valuable
information_____
Test your
knowledge
*A Web exercise
m
Workbook review
To be an expert ethical hacker and penetration tester, you must have sound
knowledge of footprinting, scanning, and enumeration. Tliis process requires an
active connection to the machine being attacked. A hacker enumerates applications
and banners 111 addition to identifying user accounts and shared resources.
You should also have knowledge of gaining access, escalating privileges, executing
applications, liiduig tiles, and covering tracks.
Lab Objectives
The objective o f tins lab is to help students to learn how to:
Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page
Lab Environment
To earn out die lab, you need:
You can also download die latest version o f R em oteE xec from the link
http://w w w .isdecisions.com /en
If you decide to download die latest version, dien screenshots shown 111 die
lab might differ
Lab Duration
Tune: 10 Minutes
Overview of RemoteExec
Rem oteExec, die universal deployer for Microsoft Windows systems, allows
network administrators to run tasks remotely.
Lab Task
TASK 1
Monitoring
System
R em oteExec
Remotecxec
*00
rame
f*l demote jobs
*ecoter
^ 5<hedue
^Ootons
S y s te m Requirements:
Target computers can have
any of these operating
systems: Microsoft
Windows 2003/2008 (No
Service Pack is required);
an administration console
with Microsoft Windows
2003/2008 Service Pack 6 ,
IE5 or more.
, able of contert || Quick a:cess |
: 00B
Ne
Virco
rep
Q RemoteExec
considerably simplifies and
accelerates all install and
update tasks on a local or
wide area network (WAN)
as well as on remote
machines.
Remote execution
requirements: The account
running RemoteExec needs
administrative rights on
target computers.
Microsoft file and printer
sharing (SMB TCP 445)
and ICMP (ping) should be
enabled. These protocols
also need to be allowed in
any firewall between the
administration console and
target computers.
3 . To execute a New Remote job, double-click die New Remote job option
diat configures and ex e c u te s a new remote job.
Hta
Tool* ]tfn d o *
Help
& 5cnotc>c<
Remote jobs
: 0 ^ New rcrrote )cb
;
execu%oo
! 1 - 0 Updax rstalafeon
| MSI rstalaMn
!@1 Systenn acton
j fj Plb CDeraton
; *j: Lcea arrouo -r.anma..
; pcptp
RemoteExecjRerrote jobs
job
My Renote J3bs
My Remote Actons
^ My Target Computers
Mows you
/our favorite remste j98
/our favorite rarcte actors.
Yout favorite taroet conxiter bts.
Mutote aaons
j . My Renoie Joos
i ^ My Rertore Actors
: ^ My Target C croj^rs
Report
:^j. ScrcdJcr
L-4^ Options
E U Configure files to be
generated: You see that the
report has been added after
the installation of Acrobat
Reader in the scheduled
tasks. A new section,
Document generation, is
available to specify the
output files. Select a PDF
file to be generated in an
existing folder. Make sure
that the account running
the task has write access to
this folder.
4 . 111 a New Remote job configuration you can view different categories to
work remotely.
hie
Tods
Wmiow Hep
E?
B ^:5eno.eE>ec
P.enote (061
}Q 3 ^ 0!
Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
;
Ffc execuSon
i 1 - 0 Update rstalafon
j--j^|MSI rstalaaon
HfcSysteac*>n
j-uT F*? Otxralon
1- ^ loca a rra n t rante
I ~PCpLp
=MJtcle actons 5
Nr teoote J>x
j ^ Mr Rcnote *ctcrc
:Nv Taract Ccrojtcn ^ :
m jfe Repcrte
; t ScredJcr
!y*Opfcon
| ) Update retalafion
(Si MSI mstalotion
{fc System action
Fib Oooation
Lccd account maintenance
S I Popup
( 5 Multtie actions
For the OS version, select = from die drop-down menu and specify die
operating system.
b. For the OS level, select = from die drop-down menu and select
Workstation.
c.
C E H L ab M anual P ag e 367
For the IE version, select >= from die drop-down menu and specify the
IE version.
d. For the Service Pack, select = from die drop-down menu and specify
die service pack version.
hie
Tods
V/niow
Hep
33 ^ eno:e>ec
1-1 ^ Reno* jobs
B ^ New rarote tfc
File execution
RemoteExeqReirote jobs/New remote job/^le executor
! lo
Update rstaloton
MSI rstaloaon * :
SwteT Kton | 6 -!
r -rj) ? CDraJon !
loai account rvamcena
nitr*e arm
NyRn>90c
Mvkno:Actcrc,
La-nch
tjfr
[ Sc^edLie
save r My Rorct Jobs
0 OS verson
=v.||
vwndowe 7/2XB
BO S level
H K vcrn
>- H ] M * 1
:..
Save r My TargetCmputrc
Hj Wortotatoo
Regecrvvw
kM
Oor't e:<e:j:e scan or a computer wnee tne actor a as ahead/ exeo.ee
Coflnoute*
vn
5
loos
noow
RenoteExec
Rertote
Nca remote jofc
10
)005
j ()
I q g a sssH i
_______
F ile ex e c u tio n
ReroteE>e:/3 emote jobs !New errcre job/File execution
I MO
|
Laandi
Q?
Schedule
Save n My Remote jx k
rSf
Lcxd aaomttranKTa...
h Poxo
= -l mJtpfe actons
j My R ero e Jets
Ny Rerote Actons
Ny T05t COTOLters
Reaxte
j Scheduler
V * Oabors
I
XJ
FIGURE 10.7: RemoteExec Add/Edit a computer
9 . To execute the defined action on die remote computer, click the Launch
option 111 the nglit pane of die window.
1 2 3 Schedule th e report:
To configure schedule
report, click on Schedule in
the toolbar and, when
prom pted select the task
that lias been created
previously to install
Acrobat Reader.
:c o ls
jg n d w
Bf3
>
B | RemoteExec
Remote ;ods 0
New rerroze job
j IS
j
r | ^
j-C r
:tSp
File execution
j fl? PopLp
NuDoie actiors
: 151 My Remote 3c*
W My Remote *coons
My Target C0xxters
S - ii, Reporter
S^ediier
Lpictc nstalaton
MSI n stab to a
Systen actor
File Ope-otwr
L3co ecco1ntnontenc...
. j :.;:
Don't execjte again on a computer v.+!ee the acaon was aireacy executec
V45000
___
FIGURE 10.8: RemoteExec executing the defined action
Lab Analysis
Analyze and document die results related to die lab exercise.
T o o l/U tility
R em o teE x ec
C o m p u te r N a m e : W IN-D39M RSHL9E4
0 No
P latform S upported
0 C lassroom
0 1Labs
c a su a l
i t is d e te cte d .
Lab Scenario
VZDValuable
information
Test your
knowledge
mk Web exercise
,!, Workbook review
Network steganography describes all the methods used tor transmitting data over a
network without it being detected. Several methods for liiduig data 111 a network
have been proposed, but the main drawback o f most of them is that they do not
offer a secondary layer of protection. If steganography is detected, the data is in
plaintext. To be an expert ethical hacker and penetration tester, you must have
sound knowledge o f footprinting, scanning, and enumeration. Tins process requires
an active connection to the machine being attacked.
Lab O bjectives
The objective o f this lab is to help students learn:
Lab Environment
To earn out die lab, you need:
^ Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 370
You can also download the latest version o f Snow from the link
h ttp :/Avww.darks 1de.com .au/snow /
111
Lab Duration
Tune: 10 Minutes
Overview of Snow
Snow exploits die steganograplnc nature of whitespace. Locating trailing whitespace
like tinduig a polar bear 111 a snowstorm. It uses die ICE encryption
algoridun, so the name is diemadcally consistent.
111 text is
Lab Task
1.
2.
Open Notepad and type Hello World! and dien press enter and press die
Hyphen key to draw a line below it.
3.
File
Edit
Format
View
Help
H e llo W o rld !
1
4.
Type diis command 111 the command sheU: readme2.txt. It is die name of
anodier diat will be created automatically.
sn o w -C -m "My s w is s bank accou n t number is 4 5 6 5 6 6 8 4 5 1 2 2 6 3
p "magic" readm e.txt readm e2.txt(m agic is th e passw ord, you can
type your desired passw ord also)
C E H L ab M an u al Page 371
r *
FIGURE 11.2: Hiding Contents of readme, txt and die text in the readme2.txt file
C om pressed by 2 3 .37X
I
M essage e x c e e d e d a v a i l a b l e s p a c e by a p p r o x im a te ly 5 7 1 . 4 3 x .
I
An e x t r a 8 l i n e s were a d d e d .
I
E : \ C E H - T o n l s \ 0 F H u 8 M n r i n l e 0 5 R u s t e m H a r k in g \ste g a n o g r a p } 1y \ l ) h i t e s p a c e s t e g a n o g r a H
phySSnouI'snow C - p "m agic" R ea d m e2 .tx t
I
My s w i s s bank a c c o u n t number i s 4bbbbbU4512263
I
E:\C EH-Tools\CEH u8 Module 05 S y stem H a c k in g \ste g a n o g r a p } 1y \w h it e sp a c e s t e g a n o g r a H
phy\Snow>
I
8. To check die tile 111 a G U I, open die readm e2.txt 111 Notepad and select
Edit ^S elect all. You will see die hidden data inside readme2.txt 111 die
form of spaces and tabs.
C E H L ab M an u al Page 372
readme2 - Notepad
File
Edit
Format
View
Help
H e l l o W o r ld !
(FIGURE
11.4: Contents of readme2.txt revealed with select all option
Lab Analysis
Analyze and document die results related to die lab exercise.
T o o l/U tility
Snow
Steganography
Lab Q uestions
1.
How would you lude die data of tiles widi secret data in other tiles?
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 373
0 !Labs
Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound
knowledge of footprinting, scanning, and enumeration. Tins process requires an
active connection to the machine being attacked. A hacker enumerates applications
and banners 111 addition to identifying user accounts and shared resources.
You should also have knowledge on gaining access, escalating privileges, executing
applications, luduig tiles, and covering tracks.
Lab Objectives
The objective o f tins lab is to help students learn:
Lab Environment
.^ T o o ls
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
You can see the more audit commands from the following link:
h ttp :/ / technet.m icrosott.com /enus /library /cc731451 %28v=ws. 100/029.aspx for W indows Server 2012
Lab Duration
Time: 10 Minutes
C E H L ab M an u al Page
Overview of Auditpol
Aucftpd displays information
policies.
011
Lab Task
/get
Displays the current
audit policy.
1.
Select Start
2.
Command Prompt.
figure.
M ic r o s o f t Windows [U e r s io n 6 . 2 . 8 4 0 0 ]
<c> 2 012 M i c r o s o f t C o r p o r a t io n , f i l l r i g h t s r e s e r v e d .
/set
Sets the audit policy.
C :\U s e r s \A d m in i s t r a t o r >
/list
Displays selectable
policy elements.
3. To view all die audit policies, type die following command 111 die command
prompt:
/backup
Saves the audit policy to
a file.
C E H L ab M an u al Page 375
4.
Press Enter.
si
M i c r o s o f t Windows [ U e r s i o n 6 . 2 . 8 4 0 0 ]
<c> 2 0 1 2 M i c r o s o f t C o r p o r a t i o n . A l l ;r i g h t s
C :\U sers\A d n in i s t r a t o r > a u d i t p o 1 / g e t
S ystem a u d i t p o l i c y
C ategory/S ubcategory
S y s te m
S e c u r i t y System E x t e n s i o n
S ysten I n t e g r i t y
IPsec D riv e r
O th er S y ste n E vents
S e c u r i t y S t a t e Ch an g e
L ogon/Logoff
Logon
Logoff
Account Lockout
I P s e c Main Mode
I P s e c Q u i c k Mode
I P s e c E x t e n d e d Mode
S p e c i a l Logon
O th er Logon/Logoff Events
Netw ork P o l i c y S e r v e r
U se r / D evice C la i n s
O bject Access
F i l e S ystem
R egistry
K ernel O bject
SAM
C e r tif ic a tio n S ervices
A p p lic a tio n G en erated
H an d le M a n i p u l a t i o n
P il e S hare
F i l t e r i n g P l a t f o r m P a c k e t D ro p
F i l t e r i n g P la tfo rm C onnection
O th er O b ject A ccess Events
D e ta ile d F i l e Share
R em o v ab l e S t o r a g e
C e n tra l P o lic y S ta g in g
P r i v i l e g e Use
Non S e n s i t i v e P r i v i l e g e Use
O t h e r P r i v i l e g e Use E v e n t s
S e n s i t i v e P r i v i l e g e Use
D e ta ile d T racking
P rocess C rea tio n
P ro ce ss T erm in atio n
DPAPI A c t i v i t y
RPC E v e n t s
P o l i c y Ch an ge
A u t h e n t i c a t i o n P o l i c y Ch an g e
A u t h o r i z a t i o n P o l i c y C han ge
MPSSUC R u l e - L e v e l P o l i c y C ha n ge
F i l t e r i n g P l a t f o r m P o l i c y Ch an ge
O t h e r P o l i c y C h an g e E v e n t s
A u d i t P o l i c y C h an g e
A c c o u n t M an ag em ent
/ restore
Restores the audit policy
from a file that was
previously created by
using auditpol /backup.
/ clear
Clears die audit policy.
/remove
Removes all per-user
audit policy settings and
disables all system audit
policy settings.
reserved.
/category:
S ettin g
No
No
No
No
No
A uditing
A uditing
A uditing
A uditing
A uditing
No
No
No
No
No
No
No
No
No
No
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
No
No
No
No
No
No
No
No
No
No
No
No
No
No
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
No A u d i t i n g
No A u d i t i n g
No A u d i t i n g
No
No
No
No
A uditing
A uditing
A uditing
A uditing
No
No
No
No
No
No
A uditing
A uditing
A uditing
A uditing
A uditing
A uditing
5. To enable die audit policies, type die following command 111 die command
prompt:
auditpol /set /category:"system",'"account logon" /success:enable
/failureienable
6.
Press Enter.
A d m in is tra to r: C om m and P ro m p t
/ resourceSACL
Configures global
resource system access
control lists (SACLs).
D ir e c t o r y S e r v ic e C hanges
D ir e c to r y S e r v ic e R e p lic a t io n
D e t a ile d D ir e c to r y S e r v ic e R e p lic a t io n
D ir e c to r y S e r v ic e A c c e ss
A c c o u n t L ogon
K e r b e r o s S e r v i c e T ic k e t O p e r a t io n s
O th e r A cco u n t Logon E v e n ts
K erb eros A u th e n tic a tio n S e r v ic e
C r e d e n tia l U a lid a tio n
No
No
No
No
A
A
A
A
u d it in g
u d it in g
u d itin g
u d it in g
No
No
No
No
A
A
A
A
u d it in g
u d itin g
u d it in g
u d itin g
lo g o n 1
): M i s e r s \ A d m i n i s t r a t o r >
7. To check if audit policies are enabled, type die following command 111 die
command prom pt auditpol /get /category:*
8.
Press Enter.
Auditpol /g e t
[/user[:<usemame> | <{sid
}>]]
...]]
[/subcategory:* | <nam e> |
< {guid}>[,:<name | < {guid
}>...]]
[/option:<option name>]
t/sd]
[A]
Auditpol /se t
[/user[:<usemame> | <{sid
} >] [/ include] [/ exclude]]
[/category: <nam e> | < {gui
d}>[,:<nam e| <{guid}>. ..
F a i lu r e
F a i lu r e
F a i lu r e
F a i lu r e
F a i lu r e
]]
[ / success:<enable> | <disa
ble>][/failure:<enable> | <
disable >]
[/option:<option name>
/value:
<enable> | <disable>]
C E H L ab M an u al Page 377
9. To clear die audit policies, type die following command 111 die command
prompt:
auditpol /clear /y
auditpol /list
[ / user | / category | subcateg
ory[:<categoryname> | < {g
uid}>|*]]
[M [A]
No
No
No
No
No
A u d it i n g
A u d it i n g
A u d it i n g
A u d it i n g
A u d it i n g
No
No
No
No
A u d it i n g
A u d it i n g
A u d it i n g
A u d it i n g
S u ccess
S u ccess
S u ccess
S u ccess
and
and
and
and
F a ilu r e
F a ilu r e
F a ilu r e
F a ilu r e
C :\U s e r s \A d m in is tr a to r 'a u d it p o l / c l e a r / y
r he command was s u c c e s s f u l l y e x e c u t e d .
C :\U s e r s \A d m in is tr a to r >
11. To check if the audit policies are cleared, type the following command 111 die
command prompt:
auditpol Ig et /category:*
Auditpol / set
[/user[:<usemame> | <{sid
} 5,I [/ include] [/ exclude]]
[ / category:<name> | < {gui
d }> [,:<nam e| < {guid}> . ..
11
[/success:<enable> | <disa
ble>][/failure:<enable> | <
disable >]
[/subcategory:<nan 1e> | < {
guid} > [,:<name | < {guid} >
...
[/success:<enable> | <disa
ble>][/failure:<enable> | <
disable >]
[/option: <option 11ame>
/value:
<enable> | <disable>]
C :\U s e rs \A d n in istr a to r ) a u d i t p o l /g e t /c a te g o r y :*
S ysten a u d it p o lic y
C a te q o ry /S u b ca teg o rv
S e tt ing
S y ste n
No A u d i t i n g
S e c u r ity S y ste n E x tension
No A u d i t i n g
S y ste n I n t e g r i ty
IPsec D riv e r
No A u d i t i n g
No A u d i t i n g
O th e r S y s te n E vents
S e c u r i t y S t a t e Change
No A u d i t i n g
Luyun/L uyurf
L og on
No A u d i t i n g
No A u d i t i n g
Logoff
Account Lockout
No A u d i t i n g
I P s e c M ain Mode
No A u d i t i n g
I P s e c Q u i c k Mode
No A u d i t i n g
I P s e c E x t e n d e d Mode
No A u d i t i n g
S p e c i a l L og on
No A u d i t i n g
No A u d i t i n g
O th er Logon/Logoff E uents
No A u d i t i n g
N etw ork P o l i c y S e r v e r
U se r / D e vic e C la i n s
No A u d i t i n g
O bject Access
F ile S y ste n
No A u d i t i n g
R egistry
No A u d i t i n g
K ernel O bject
No A u d i t i n g
SAM
No A u d i t i n g
C e r tif ic a tio n S erv ices
No A u d i t i n g
No A u d i t i n g
A p p lic a tio n G e nerated
H andle M a n ip u la tio n
No A u d i t i n g
F il e Share
No A u d i t i n g
No A u d i t i n g
F i l t e r i n g P l a t f o r n P a c k e t Drop
No A u d i t i n g
F i l t e r i n g P la tf o r n C onnection
O th e r O b jec t Access E vents
No A u d i t i n g
D e ta ile d F il e Share
No A u d i t i n g
No A u d i t i n g
R enovable S to ra g e
No A u d i t i n g
C e n tra l P o lic y S tag in g
P r i v i l e g e Use
Non S e n s i t i v e P r i v i l e g e Use
No A u d i t i n g
No A u d i t i n g
O t h e r P r i v i l e g e U se E v e n t s
S e n s i t i v e P r i v i l e g e Use
No A u d i t i n g
D e ta ile d T racking
P ro cess C reatio n
No A u d i t i n g
P rocess T ern in atio n
No A u d i t i n g
No A u d i t i n g
DPAPI A c t i v i t y
No A u d i t i n g
RPC E v e n t s
P o l i c y Change
A u t h e n t i c a t i o n P o l i c y Change
No A u d i t i n g
No A u d i t i n g
A u t h o r i z a t i o n P o l i c y Change
MPSSUC R u l e - L e v e l P o l i c y C h a n g e
No A u d i t i n g
F i l t e r i n g P l a t f o r n P o l i c y Change
No A u d i t i n g
O t h e r P o l i c y Change E v e n ts
No A u d i t i n g
A u d it P o l i c y Change
No A u d i t i n g
Account M anagenent
| <|
____________________________in_______
v 1
>
C E H L ab M an u al Page 378
Lab Analysis
Analyze and document the results related to the lab exercise.
T o o l/U tility
A uditP ol
System
Account Logon
Q uestions
1.
2.
In te rn e t C o n n ectio n R eq u ired
Yes
0 No
P latform S upported
0 C lassroom
Lab
13
Password Recovery Using
CHNTPW.ISO
CHNTPWISO isapassiwrdrecoverytoo!1hatmis on WindonsServer2003, WindonsSener
2008, and Windons 7 Virtual-Machine.
I CON KEY
Lab Scenario
I7 / Valuable
information
Test your
knowledge
** Web exercise
Workbook review
this lab, we show you how to erase or recover an admin password using
CHNTPW.ISO.
111
Lab Objectives
Tlie objective o f tins lab is to help students learn:
Tools
dem onstrated in
this lab are
To earn* out die lab, you need:
available in
CHNTPW .ISO located at D:\CEH-Tools\CEHv8 Module 05 System
D:\CEHH acking\Passw ord R ecovery Tools\CHNTPW.ISO\cd110511
Tools\CEHv8
Module 05 System
CHNTPW .ISO is tool to recover/erase the administrator passwords for
Hacking
Windows Server 2008
Lab Environment
Lab Duration
Time: 15 Minutes
C E H L ab M an u al Page 380
Overview of CHNTPW.ISO
ONTPWJSOis an offline N T password and registry editor, boot disk/CD.
Lab Task
3 Offline N T Password
& Registry Editor can
delete any password from
nearly any installation o f
Windows almost instandy.
1.
2.
Before starting diis lab make sure diat Windows Server 2008 Virtual
Machine is shut down.
3.
Now select Windows Server 2008 Yiitual Machine and click Settings
die right pane of Hyper-V..
111
H yp e r*V M a n a g e r
File
Action
View
Help
H>per-V Minager
3 j WIN.DMWR5HL9E4
V irtu a l M achines
Name
WIN-D39MR5HL9E4
New
a feck Track 5
Import Virtual Machine..,
g Windows 7
JW
indow8
Snapshots
Inspect Disk...
The selected virtual 1aeh1e has
() Stop Service
X
Q
Remove Server
Refresh
Vitw
Help
Windows Server2008
W in d o w s S c rv c r2 0 0 8
>ij Connect...
Settings...
None
Start
Snapshot
Move...
Exoort...
Surtmay
<1:
f i j l Rename...
Delete...
4.
Select DVD drive from IDE controller in die left pane of Settings tor
Windows Server 2008.
5.
Check die Image file option and browse for die location of CHNTPW.ISO,
and select Apply->OK.
Q N o installation in
Windows is required
making this program an
easy alternative to many
other password recovery
C E H L ab M an u al Page 381
Windows Server2008
I-H E
A Hardware
*2]l Acd Hardware
Select the controller and location on the coatroler to attach the CD/DVD drive.
Controller:
IDEControler 1
C Offline NT
Password &
Registry Editor is
com pletely free to
download and
use.
0 Qr use)
Media
I Prxessor
1 Virtual processor
0 IDE Controler 0
C J Hard Drive
Windows Server2008.vhdx
() Image file:
C: \LI8ers\Ad*ninistrar ^Pesfctop\cd110511Vd 110511. is
L U S C a m d g i______________
DVD Drive
c d llO S ll.is
gj SCSI Controler
S 9
Location:
COM 1
To remove the virtual CD/D/O drive from the vrtual machne, dick Remove.
ffcne
COM2
f*>ne
I t J Diskette Crive
None
ft
Management________________
[T1Nnc
Y
V'.ndows Server2008
Inregrabon Services
Al services offered
Srapshot =ile Location
C: V>rogrcmData,Miaosoft\Win..
Smart Paang File Location
C: 'ProgramData'Microsoft\Win..
6.
7.
C E H L ab M an u al Page 382
File
A ctio n
M e d ia
C lip b o ard
V iew
H elp
I Status; O ff
8. After booting, Window will prompt you with: Step one: S elect disk
where the Windows installation is
9.
Press Enter.
1
File
Action
Media
Clipboard
View
II
- 1 r x
Help
11 1 fo
W i n d o w s K e g i s t r y Ldit U t i l i t y fl o p p y / c n n t p w
<c> 1 99 7 2 0 1 0 P e t t e r N H a g e n p n o r d a h l P e u n e t . n o
GNU G P L v2 license, see fi l e s on CD
T hi s u t i l i t y will e n a b l e y o u to c h a n g e or b l a n k the p a s s w o r d of
any u s e r ( i n c l . a d n i n i s t r a t o r > on an !lindows N T / Z k / X P / U i s t a
W I T H O U T k n o w i n g the o l d p as sw or d.
U n l o c k i n g l o c k e d / d i s a b l e d a c c o u n t s a ls o su pp o r t e d .
T e s t e d on:
LI
S t e p ONE:
Select
the way
through
the q u e s t i o n s
in s t a l l a t i o n
d i s k whe
/ d e v / s d a : 17.1 GB,
AD.
17179869184
is
bytes
[Please s e l e c t p a r t i t i o n by n u n b e r or
= qui t
= a u t o m a t i c a l l y st a r t d i s k d r i v e r s
Status: Running
10. N ow you will see: Step TWO: S elect PATH and registry files; press Enter.
C E H L ab M an u al Page 383
'
File Action
Media
Clipboard
View
Help
II 1 ji
?*
S t e p ONE:
Se le c t
disk where
the M i n d o w s
installation
is
,lease se le ct p a r t i t i o n by n u n b e r or
q = quit
d = a u t o m a t i c a l l y sta rt d i s k d r i v er s
m = M a n u a l l y s e l e c t d i s k d r iv e r s to load
f = f e t c h a d d i t i o n al d r iv e r s f r o n fl op p y / us b
a = s h o w all p a r t i t i o n s f o u n d
M o u n t i n g f r o n / d e v/s da l. w i t h a s s u m e d
So, let s re al l y c h e c k if it is NT F S?
filesystem
type NTFS
S t e p TMO: Se le c t P ATH an d r e g i s t r y fi l es
D E B U G path: w in d o w s f o u n d as Min do ws
| Status: R u n n in g
____
FIGURE 13.6: CHNTPW.ISO Step Two
11. Select which part of the registry to load, use predefined choices, or list die
files with space as delimiter, and then press Enter.
L
File
Action
Media
<9 @ 0
^^T o o ls
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
Clipboard
View
Help
II It ife
a = s h o w all p a r t i t i o n s f o u n d
1
= s h o w p r o p b a b l e W i n d o w s <NTFS)
Se le ct: C1
partitions
only
Selected 1
M o u n t i n g f r o m / de v/ s da l. w i t h a s s u m e d f i l e s y s t e m
So, let's re al l y c h e c k if it is NT F S?
y_
?A5
type NT FS
__
D E B U G path: wi nd o w s f o u n d as M i n d o w s
D E B U G path: s y s t e m 3 2 f o u n d as S y s t e m 3 2
D E B U G path: c o n f i g f o u n d as c o n f i g
D E B U G path: f o u n d c o r r e c t c as e to be: M i n d o w s / S y s t e m 3 2 / c o n f ig
W ha t is the p a t h to the r e g i s t r y d i r e c t o r y ? (r el a t i v e to windc
iMindows/System32/configl :
D E B U G path: M in d o w s f o u n d as M i n d o w s
D E B U G path: S y s t e m 3 2 f o u n d as S y s t e m 3 2
D E B U G path: c o n f i g f o u n d as c o n f i g
D E B U G path: f o u n d c o r r e c t c a s e to be: M i n d o w s / S y s t e m 3 2 / c o n f i g
hrwxrwxrwx
2
0
0
262144
12:50 BCD-Template
hrwxrwxrwx
2
0
0
29097984
14:30 COMPONENTS
1 4 : 3 0 D E FA UL T
hrwxrwxrwx
1 0
0
262144
20 08 Jo urnal
hrwxrwxrwx
1 0
0
0
Hrwxrwxrwx
1 0
0
8192
12:10 RegBack
hrwxrwxrwx
1 0
0
262144
14:30 SAM
hrwxrwxrwx
1 0
0
262144
1 4 : 3 0 SE CU R I T Y
hrwxrwxrwx
1 0
0
33816576
14:30 SOFTMARE
hrwxrwxrwx
1 0
0
9437184
14:30 SYSTEM
hrwxrwxrwx
1 0
0
40 96
11:51 TxR
[drwxrwxrwx
1
0
0
4096
11 :5 1 s y s t e m p r o f i 1e
Se lec t w h i c h part of r e g i s t r y to load! use
or list the fil es w i t h s p ac e as d e l i m i t e r
1 P a s s w o r d res et [ sam s y s t e m se cu ri ty !
2 R e c o v e r y C o n s o 1e p a r a m e t e r s [so ft wa re !
3 - qu it - re tu r n to p r e v i o u s
pr e d e f i r
12. W hen you see: Step THREE: Password or registry edit, type yes (y), and
press Enter.
C E H L ab M anual P ag e 384
'
File Action
Media
. 3
Clipboard
Clipboa
01
View
Help
9 5
j~Step~THREE| P a s s w r d_ or _r e^ i t r y e d i t ~ ~
k h n t p w version 0.99.6 110511 , <c> P et ter N Hagen
fejive <SftM> name (from lieader): < NSy s temRoo t\Sys tem32\Conf igNSAM)
ROOT KEY at offset: 0x0 01 02 0 ** Subkey indexing type is: 666c (If)
w i l e size 26 214 4 (400001 bytes, con ta in in g 6 pages < 1 headerpage)
Used for data: 25 0/ 20 80 0 blocks/bytes, unused: 14 /3584 blocks/bytes.
L i v e ( S YST EM > name (from header): <SVSTEM>
ROOT KEY at offset: 0x 0 01 02 0 Subkey indexing type is: 686c <lh>
w i l e size 943 718 4 (9000001 bytes, c o n ta in in g 2164 pages ( 1 headerpage)
Elsed for data: 100 211 /59 376 88 blocks/bytes, unused: 462 1/3 278 696 blocks/bytes.
h i v e (SECURITY) name (from header): < emRoo t\Sys tem32\Conf igNS EC UR IT Y >
ROOT KEY at offset: 0x 0 01 02 0 Subkey indexing type is: 666c (If)
w i l e size 26214 4 (400001 bytes, co nt ain ing 6 pages ( 1 headerpage)
HJsed for data: 406/22 272 blocks/bytes, unused: 5/2112 blocks/bytes.
* SAM policy limits:
w a i l e d logins before lockout
M i n i m u m passw ord length
Password history count
is
to do?
to save)
Cl1
Status: Running
a a l
File Action
Q C E H -T o o ls is als o
M a p p e d in V irtu a l
M a c h in e as N e tw o rk
D rive Z:
Media
Clipboard
L .
View Help
p a s s w o r d history count
: 0
Mhat
to do?
Ill
-> y
What
Status: Running
14. 111 chntpw Edit User Info & Passwords, press Enter to enter the user name
to change
Windows Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection
File Action
Media
( * ) O
Clipboard
II
View
I I if e
Help
hat
to do?
Cl J -> y
hat
to do?
[13
-> y
Ill
c h n t p w Edit U s e r Info
------------ Us er n a w e
Adhi n i st ra t o r
Gues t
I US R _ W I N U L Y 8 5 8 K H Q I P
?1ec t : f <j|ui t .
fidhin?
ADMIN
!- Loc k?
d i s / lo ck
U s e r w i t h RID
(hex)
I Status; Running
15.
Windows
Wind
Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection
File
Actior
Action
Media
Clipboard
View
Help
lo
to do?
C13
Account bits: 0 x 0 0 1 0
([ D i s a b l e d
1[ Tenp. d up l i c a t e
1C 1 Do na in trust ac
It 1 Pw d d o n t e x p i r
1C 3 ( un kn ow n 0x10)
XI
1
1
]
H o n e d i r req.
Norna l a c c o un t
Wks trust act.
Au to loc kout
(u n kn ow n 0x20)
1
I
1
1
1
P a s s w d not req.
NMS a cc ou nt
Srv trust act
(u n k n o w n 0x08>
( u n k no wn 0x40)
- - U s e r Edit Menu:
1 1 C l e a r (blank ) u s e r p a s s w o r d
I 2 Edit (set new) u s e r p a s s w o r d (care ful w i t h this on XP or Uista)
3 P r o m o te u s e r (Make u s e r an a d m i n i s t r a t o r )
(4 - U n l o c k a nd en a b le u s e r ac co u n t) Eseen s u n l o c k e d alr ea dy ]
I q Quit edi ting user, b a c k to u s e r se lec t
!?elect:
> 1_
an
Status: Running
16. Type ! after clearing die password o f die user account, and press Enter.
'
File
Action
1 - E dit
lhat
to do?
Media
Clipboard
View
Help
u s e r d a t a an d p a s s w o r d s
C13
:==== c h n t p w E di t U s e r Info
P a ss w o r d s
------------ U s e r n a n e
A dh i n i s t r a t o r
Gu es t
IUSR_MIN-ULY858KHQIP
== = =
Jsernane
ulInane
:oHHent
Bu i l t - i n a c c o u n t f o r a d m i n i s t e r i n g the c o h p u t e r / d o n a i n
tonedi r
s e r is M e m b e r of 1 groups:
10000220 = A d n i n i s t r a t o r s (w hi c h has 1 Me m be rs )
A cco un t bits: 0 x 0 0 1 0 =
1 P a s s w d not req.
3 Disabled
J
H o M e d i r req.
3 Tenp. d u p l i c a t e ! XI Norwal ac co un t
1 NMS acc ou nt
1 Srv trust act
3 Do mai n trust ac '
Wks trust act.
3 Pw d d o n t e x p i r 5
1 Au to loc kout
I (u n kn ow n 0x08)
3 (un kn ow n 0x20)
1 (u n kn ow n 0x40)
3 ( un kn ow n 0x10)
- - - U s e r Edit Menu:
1 C l e a r (blank) u s e r p a s s w o r d
2 - Ed it (set new) u s e r p a s s w o r d (ca reful w i t h this on X P or Uista)
3 - P r o M o t e u s e r (Make u s e r an a d w i n i s t r a t o r )
(4 U n l o c k an d e na b l e u s e r a c co un t) Cs eeM S u n l o c k e d al rea dy3
q - Q uit e d i t i n g user, b a c k to u s e r se l e c t
Select: Cg3 > 1
Pa ss wo r d cle ar ed *
Select: - Q u i t ,
- list users, 0 x <R I D > - U s e r w i t h R I D (hex)
)r s i m v1 m e n t e r the u s e r n a n e to ch ange: [ A d n i n i s t r a t o r l t
Status: Running
C E H L ab M an u al Page 387
Q C E H -T o o ls is als o
File Action
M a p p e d in V irtu a l
M a c h in e as N e tw o rk
D rive Z:
0 1 f5
0 3e8
Media
Clipboard
II
It
View
Help
jfe
; Hdninistpator
: Gue st
! IUSR_WIN-ULY858KHQIP
the u s e r n a n e
to chang e:
[Ad ni n i s tratorl
RID
Usernane
fullnane
cohhent
B ui l t - i n
honedir
account
Adninistrators
A cc ou n t hits: 0 x 0 0 1 0
C 1 Disabled
I 1
[ 1 Tenp. d u p l i c a t e
1X1
[ 1 Do n a in trust ac
C 1
C 1
[ P wd don' t e x p i r
C 1 (u n k no w n 0x10)
t 1
for adMinistering
( w hi c h has
the c o w p u t e r / d o M a i n
1 ne n be ps )
H o n e d i p peq.
NoPMa l ac co un t
Mks trust act.
Au to lockout
( u n k n o wn 0x20)
I
[
E
[
I
1
1
1
1
1
P a ss w d not peq.
NMS acc ou nt
Srv t p u s t act
<u n kn o w n 0x88)
(un kn ow n 0x40)
- U s e r E di t Menu:
1 - C l e a r (b lank) u s e r p a s s w o r d
2 Ed it (set new) u s e r p a s s w o r d (car efu l w i t h this on X P or Uista )
3 - Pr on ot e u s e r (nake u s e r an a d n i n i s t r a t o r )
(4 - U n l o c k a n d e n a b l e u s e r a c c o un t) [seen s u n l o c k e d al rea dy!
q - Q uit e d i t i n g user, b a c k to u s e r se l e c t
Select: [q] > 1
P a s s w o r d c l ea re d
I n te r a c t i v e
M e n u <> = = = = = = = = <>
saded hives: (S A M ) ( S Y ST EM ) (S E C U R I T Y )
1 Edi t u s e r d a t a and p a s s w o rd s
Mhat
to do?
til
>
Status: Running
[IyTools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
18. In Step FOUR: Writing back Changes, About to write file(s) back! Do it?,
here die default option will be [n]. Type yes [y] and press Enter.
File Action
Media
Clipboard
Built-in
<$
Vi!
View
account
II I t
ior
I.
Help
adninistenng
t he
conputer/donain
ife
I 1
[X3
[ 1
I 1
C 1
H o n e d i r req.
Nornal account
Mks trust act.
Auto lockout
(unknown 8x20)
I S t ep _ FO U R ^ _ M r i t i n g _ b a c k _ c h a n g e s
About to write file(s) back Do it? [n]
: y_
Status: Running
.0 A
FIGURE 13.14: CHNTPW.ISO Step Four
20. Now turn off die Windows Server 2008 Virtual Machine.
21. Open Hyper-V Manager settings o f Windows Server 2008 and change die
DVD drive option to None from IDE Controller 1 and then select click
^ Apply >OK.
Settings for Windows Server2008 on WIN-D39MR5HLSE4
Windows Server2008
Hardware
y zrx
(i
DVD Drive
Add Hardware
Select the controller and ocation on the controler to afcach the CD/DVD drive.
|K> BIOS
Boot from CD
Controller:
M Memory
1024 NB
D
Location:
IDE Controller 1
Processor
1 Virtual processor
0 On use]
Media
Specify the media to use with y a r virtual CD/DVD drve.
| None
O Image fie:
C: VJsers\Admslrator'PesktopVd 11051 l\cd 11051 l.iso
* DVD Drive
None
53Li SCSI Ccntroler
| Drive F:'
v|
To remove the virtual CD10VD drive from this virtual ma1ine, dick Remove.
COM2
None
M a c h in e as N e tw o rk
D rive Z:
COM 1
None
Diskette Drive
None
Management_________________
(L Name
Windows Server2008
Integration Services
Al services offered
Snapshot File Location
C: V>rogramOatay1icrosoft\Win..
| Smart Paging File .ocabon
C'ProgramOataVlicrosoftV/Vin..
) Automatic Start Action
Restart if previously running
22. Go to Windows Server 2008 Virtual Maclune, and click the Start button.
'*
File Action
'S [ 0 ] i)
Media
Clipboard
View
0 I II 1 f c
Help
>
Lab Analysis
Analyze and document die results related to the lab exercise.
T o o l/U tility
C H N T P W .IS O
Q uestions
1.
How do
you
configure CHNTPW.ISO
111
Machine Settings?
0 No
P latform S upported
0 C lassroom
0 !Labs
Lab
Lab Scenario
KEY
/ Valuable
information
Test your
knowledge
Web exercise
Workbook review
Today, employees are given access to computer, telephone, and other electronic
communication equipment. Email, instant messaging, global positioning systems,
telephone systems, and video cameras have given employers new ways to monitor
the conduct and performance o f their employees. Many employees also are given
laptop computer and wireless phones they can take home and use for business
outside the workplace. Whether an employee can claim a reasonable expectation of
privacy when using such company-supplied equipment 111 large part depends upon
the steps die employer has made to minimize that expectation.
111 tins lab, we explain monitoring employee or suident activity using Spytech
SpyAgent.
& Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
Lab Objectives
The objective of tins lab is to help smdents use Spytech and the SpyAgent tool.
After completing tins lab, smdents will be able to:
Lab Environment
To perform the lab, you need:
C E H L ab M an u al Page 392
You can also download Spytech SpyAgent from http://www.spytechw eb.com /spyagent.shtml
Lab Duration
Time: 15 Minutes
Lab Tasks
The basic idea in diis section is to:
1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System
Hacking\Keyloggers\Spytech SpyAgent
TASK 1
Installation of
Spytech SpyAgent
2.
Double-click Setup.exe. You will see die following window. Click Next.
Spytech SpyAgent Setup
http:/ / uww.spytech-web.com
Next >
Cancel
fA g m ?
Unauthorized reproduction or distribution of this program, or any portion of it,
may result in severe civil and criminal penalties, and will be prosecuted to
the maximum extent possible under law.
< Back
Next >
Cancel
4.
Tlie Important N otes window appears, read die note and click Next
Important Notes
Spytech SpyAgent
Build Version 7.56.12
Copyright Spytech Software and Design, Inc. 2000-2012.
< Back
Next >
Cancel
5.
The Softw are L icen se A greem ent window appears; you m ust accept
the agreement to install Spytech SpyAgent.
6.
Click Y es to continue.
License
1. You may use the program on a single computer at one time. You may not copy the program and
accompanying materials except for backup purposes to use in support of using the program on a single
machine at one time.
2. You may only install this software on a computer that you own, or on a computer from which you
have consent of the owner to install this software.
3. You may not make copies of the program for sale or distribution.
4.
This software is copyrighted, and all rights therein are reserved for Spytech Software. Purchase of
Do you accept all the terms of the preceding License Agreement? If you choose No, Setup will close. T 0
install this product, you must accept this agreement.
< Back
Yes
No
7.
8.
Destination Directory
C:\Program Files (x8G)\Spytech SoftwareVSpytech Sp
Browse..
< Back
Next >
Cancel
9.
Administrator/Tester
Stealth Installation
< Back
Next >
Cancel
11.
Ready To Install
Splash W arning:
This option allows you to
display a message to the
user when SpyAgent is
started. This message can
be configured in the
Advanced Settings >
Splash Screen window
< Back
Next >
Cancel
Yes
No
13. A Notice For Antivirus Users window appears; read die text click Next.
^
"
L o g L ocation: this
allows you to specify where
you want SpyAgent to store
its activity logs. For
Windows N T /2000/X P
systems monitoring ALL
users it is recommended
that the log location be set
to x:\docum ents and
settings\all users
Since SpyAgent can do all of the above, some antivirus solutions may
deem SpyAgent as ,potentially harmful' or a 'trojan' despite it being a
legitimate tool to monitor your computer (and users). With all Spy tech
software, you can be sure our products are 100%safe to use and
virus-free.
If you run into any "trojan" related warnings, it is very likely to be a
< Back
Next >
Cancel
14. The Finished window appears. Click C lose to end the setup.
If
Finished
17 Run SpyAgent
< Back
Close
W e lc o m e t o S p y A g e n t ! ( S t e p 1 )
B e f o r e y o u c a n s t a r t u s in g S p y A g e n t y o u m u s t
c o n fig u r e y o u r p a s s w o rd t h a t w ill b e u s e d fo r
a c c e s s in g S p y A g e n t . D o n o t lo s e t h i s
p a s s w o r d a s it c a n n o t b e r e s e t w i t h o u t a
r e in s ta lla tio n o f S p y A g e n t.
16. The following window appears. E nter the password 111 New Passw ord
field, and retype the same password in Confirm field.
17. Click OK.
O ld P a s s w o rd :
N e w P a s s w o rd :
C o n firm :
I
T h is p a s s w o rd r e s tr ic t s o th e r u s e rs fro m
c h a n g in g th e S p y A g e n t s e ttin g s .
W e lc o m e t o S p y A g e n t ( S t e p 2 )
You w ill n o w b e p r e s e n te d w it h t h e E asy
C o n fig u r a tio n W iz a r d . Y o u c a n u s e t h is w iz a r d
t o q u i c k l y s e t u p S p y A g e n t 's m o s t f r e q u e n t l y
u s e d fe a tu r e s . Y ou ca n r e s ta r t th is w iz a r d a t
a n y t i m e in t h e f u t u r e .
click to continue...
FIGU RE 14.13: Welcome SpyAgent window
1. C o n fig u ra tio n
P le a s e s e le c t a c o n fig u ra tio n p a c k a g e
fro m th e b elo w o p tio n s.
2. Extras
3. Confirm Settings
4. Apply
5. Finish
C o m p le te C o n fig u ra tio n
Configure with all possible logging options
preconfigured.
T y p ic a l C o n fig u ra tio n
Configure with the m ost com m only used logging
options preconfigured.
!
FIGURE 14.14: Selecting configuration package
21. Choose additional options, and select the Display Alert on Startup
check box.
22. Click Next.
In tern et Traffic
D ata: This log ALL
incoming and outgoing
internet data transmitted
and received by users. All
email passwords, FTP
passwords, website
transmissions, etc. will be
logged by this feature
23.
A r e y o u s u re y o u w ant to c o n tin u e y o u r
c o n fig u ra tio n ? If so , c lic k NEXT.
1. C o n fig u ra tio n
2. E x tra s
S e ttings to be applied:
3. C o n firm S e ttin g s
4. A p p ly
5. Finish
24.
1. Configuration
2. Extras
3. Confirm Settings
C lic k F IN IS H to finish the easy configuration
wizard!
4. A p p ly
5. Finish
25.
1. Configuration
2. Extras
3. Confirm Settings
C o n fig u ra tio n F in is h e d !
4. Apply
5. F in is h
|GOiMij--]
FIGU RE 14.18: Configuration finished window
26.
C E H L ab M anual P ag e 401
T^EST
I C lic k H e re fo r
O rd e r in g I n f o r m a t io n
G eneral
Startup Settings and Conftg
Keystrokes Typed
Windows Viewed
Programs
>
0 A p p lic a tio n !
Clipboard
W e lc o m e t o S p y A g e n t * ( S t e p 3 )
0 C lip b o a rd s
j | , j s l% S p y A g e n t 's u s e r in t e r f a c e . T h is is
w h e r e y o u c a n s t a r t a n d s t o p m o n it o r in g ,
v i e w a c t i v i t y lo g s , c h a n g e s e t t in g s , a n d
c o n f ig u r e t h e s o f t w a r e .
!mote L o g D e live ry
nfigure Remote Delivery
Events Tlfl
Ivanced O p tio n s
e r Control on SpyAgent
0 E v e n ts Log
reenS py
Internet A ctivities
E-Mails Se I
0 E -M a ils L o g t ^ : ---------
/fl
= ! n a r tL o g g in g
----------------
Websites Visited
Chat Transcripts
0 W ebsites Logged
0 C o n v e rs a tio n s Logged
S c h e d u lin g
Schedule Monitoring 1
H Program Options
B e h a v io r A le rts
Real-time A ctivity A l e r t s
Log Actions
( Reports
Help
27.
G
Monitoring User
Activities
m
G e n e ra l U s e r A c t iv itie s
C lick H ere fo r
O rd e rin g In fo rm a tio n
General
Startup Settings and Conflg
Keystrokes Typed
Windows Viewed
4 Windows Logged
m
Programs Usage
7n Applications
A ; rh n e Logged
nnn.iH
70
0 Screenshots Logged
Clipboard Logs
File/Documents Usage
0 C lipboards Logged
Advanced O ptions
Events Timeline
Computer Usage
9 1 Events Logged
2 Sessions Logged
C o nte nt F iltering
ScreenSpy
In te r n e t A c t iv itie s
Record Deskt<
E-Mails Sent/Received
Internet Activities
0 Connections Logged
Websites Visited
Chat Transcripts
2 W ebsites Logged
0 Conversations Logged
11 Program Options
6 Log Actions
Sm artLogging
Scheduling
Schedule Monitoring Times
B e havior A lerts
Reports
i! Help
28.
29.
Click OK.
C lic k H e r e fo r
O r d e r in g In f o r m a t io n
General
Startup Settings and Config
Keystrokes Typed
Windows Viewed
4 Windows Logged
C o S lg u re Logging Options
Programs Usage
ScrcenSpy Screenshots
Clipboard Logs
0 C lip bo ards Logge
Advanced Options
Events Timelim
Content Filtering
91 Events Logged
ScreenSpy
In te rn e t A c tiv itie s
Record Deskt<
E-Mails Sent/Received
0 E-M ails Logged
;
^
Internet Activities
0 C on ne ction s Logged
Websites Visited
Chat Transcripts
W ebsites Logged
Lo g A c tio n s
SmartLogging
Activity Triggered Logging
Scheduling
Schedule Monitoring Tim es
Behavior Alerts
I R e p o rts
H e lp
30.
C E H L ab M an u al P ag e 403
31.
It will show the following window, with the options select Do not
sh o w th is Help Tip again and select Do not sh o w Related Help Tips
like this again. Click click to continue...
S p y A g e n t is n o w m o n i t o r in g y o u r c o m p u t e r .
T o s t o p m o n i t o r in g p r e s s S p y A g e n t 's h o t k e y
c o m b in a t io n - b y d e f a u l t it is
C O N T R O L + A L T + S H IF T + M - th e n e n t e r y o u r
S p y A g e n t p a s s w o rd .
SpyAgent features a
large set o f r eporting tools
that allow you to save and
prepare log data for later
viewing, documentation, and
printing. All reports are
formatted in HTML fomiat
for viewing with your webbrowser.
7A
! th is again
32.
33.
It will ask for the Access Password; enter the password and click OK.
34.
35.
S p y A g e n t K e y stro k e s Log V ie w e r
0
Save Log
Save
1 C lea r
14 e n tries
J J F orm at
_ i j Actions.
Jum p to Log 3
Tue
Tue
Tue
Tue
7 /2 4 /1 2
7 /2 4 /1 2
7 /2 4 /1 2
7 /2 4 /1 2
@ 2:1 2 :2 7
2 :1 2 :2 9
2 :1 2 :5 6
2 :1 3 :0 3
PM
PM
PM
PM
K e y s tro k e s T y p e d
|[B ac ks p ac e][B a ck sp ac e][B ac ks p a ce ][B ac ks p ac e][B a ck sp a ce ][B ac ks p a ce ]|
[B a ck s p a c e ][B a c k s p a c e ]S p y [B a c k s p a c e ][B a c k s p a c e ][B a c k s p a c e ]It will show th e
follwmg window se ld [B a ck sp a ce ]e ct D o n to [B ac ks p ac e][B a ck sp ac e]o t show this
H elp T ip ag ain and Do not show R elated H elp Tips like this agin [B acksp ace]
[B a ck sp a ce ][B ac ks p ac e]am [B a ck sp a ce ], click on click to count1[B a ck sp a ce ]
[B a ck s p a c e j[B a c k s p a c e j[B a c k s p a c e ]n 1[B a ck sp a ce ]t1nue
Note: Log entries preceeded with a '* ' indicate a password entry.
36.
To check the websites visited by the user, click W ebsite V isited from
Internet A ctivities.
37.
It will show all the user visited websites results, as shown in the
following screenshot.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion
your targets security posture and exposure.
011
T o o l/U tility
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 406
0 !Labs
Lab Scenario
^_ Valuable
information_____
Test your
knowledge
*A Web exercise
m
Workbook review
Today, employees are given access to computers, telephones, and other electronic
communication equipment. Email, instant messaging, global positioning systems,
telephone systems, and video cameras have given employers new ways to monitor
the conduct and performance of their employees. ]Many employees also are given
laptop computers and wireless telephones diev can take home and use for business
outside die workplace. Whedier an employee can claim a reasonable expectation of
privacy when using such company-supplied equipment 111 large part depends upon
the steps die employer has made to minimize that expectation.
111 tins lab, we explain monitoring employee or student activity using Power Spy
2013.
Lab Objectives
& Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
The objective o f tins lab is to help students use the Activity Monitor tool. After
completing diis lab, students will be able to:
Lab Environment
To perform die lab, you need:
C E H L ab M an u al Page
Lab Duration
Time: 15 Minutes
Lab Tasks
The basic idea 111 dus section is to:
1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System
Hacking\Spywares\Email and Internet Spyware\Power Spy.
TASK 1
Installation of
Power Spy 2013
2.
3.
By clicking Next you are agreeing to the following terms of License Agreement.
License Agreem ent:
DISCLAMER: A ll o u r products are distrib u te d and licensed on an 'as is* basis and no
w a rra n tie s or guarantees of a n y k in d are prom ised b y eM atrixSoft (the *Company*) and
Power Spy (th e *Softw are') as to th e ir perform ance, re lia b ility or s u ita b ility to a n y given
task. In no event shall th e Software be lia b le fo r a n y loss of data o r A N Y DAMAGES OF
http:/ / ematrixsoft.com/ittde
x.php
4.
011
Completing Setup
Setup has finished installing product on your computer.
Click Finish to exit the Setup Wizard.
Keystrokes Typed
log all keystrokes, including
optional nonalphanumerical keys, typed
with time, Windows
username, application name
and window caption
5.
Run as administrator
W ith administrative rights, you can check, delete and export logs, change settings, and
have complete access to the software
N et Chatting
Conversations monitor
and record all latest version
Windows Live Messenger /
Skype / MSN Messenger /
IC Q / AIM / Yahoo!
Messengers BOTH SIDES
chatting conversations with
time, chat users, and all
coming/outgoing messages
FIGURE 15.3: Selecting folder for installation
6.
Tlie S etup login passw ord window appears. Enter the password 111 the
N ew passw ord field, and retype the same password 111 the Confirm
passw ord held.
7.
Click Submit.
Screen Snapshots
automatically captures
screenshots of entire desktop
or active windows at set
intervals. Save screenshots as
JPEG format images on your
computer harddisk
Automatically stop screenshot
when user is inactive
New password:
Confirm password:
8.
9.
The Enter login Passw ord window appears. Enter the password
(which is already set).
11.
Q Stealth Mode: Power
Spy run absolutely invisibly
under Windows systems and
does not show in Windows
task list Xone will know its
running unless you tell them!
You can also choose to hide
or unhide Power Spy icon
and its uninstall entry
Register product
An icon is displayed on Desktop to disable Stealth Mode in trial version.
You can totally try the software on yourself. Click Start monitoring and Stealth Mode on it's
control panel, then do anything as usual on the PC: visiting web sites, reading emails, chatting
on facebook or Skype, etc. Then, use your hotkey to unhide its control panel, and click an icon on
the left to check logs.
You can also click Configuration to change settings, setup an email to receive logs from any
location, such as a remote PC. iPad or a smart phone.
If you like the product, click Purchase button below to buy and register it. Stealth Mode will be
enabled after it is unlocked with your registration information.
User Name:
Unlock Code:
12.
Power Spy
ea
Control Panel
111
die following
Buy now
Start
monitoring
Keystrokes
w eb sites visited
D
A p p licatio n s
Stealth Mode
jm
Configuration
clipboard
m ic ro p h o n e
ex ec u te d
13.
k t A S K
Monitoring and
Recording User
Activities
Power Spy
Control Panel
Buy now
Start
m onitoring
Keystrokes
websites visited
Stealth Mode
*m JP
Configuration
Applications
executed
clipboard
About
microphone
Uninstall
14.
FIGU RE
15.
Click Stealth Mode (stealth mode runs the Power Spy completely
invisibly on the computer) .
16.
Power Spy
Control Panel
Buy now | g
Stop
monitoring
Keystrokes
I K 1
Applications
executed
cnpDoara
w m
About
Y
microphone
(>
Uninstall
Easy-to-use Interface:
config Power Spy with
either Wi2ard for common
users or control panel for
advanced users. Userfriendly graphical program
interface makes it easy for
beginngers.
17.
ves
|1
No
18.
19.
Run as administrator
With administrative rights, you can check, delete and export logs, change settings, and
have complete access to the software
20.
The Enter login passw ord window appears. Enter the password
(which is already set) .
21.
Click Submit.
22.
23.
Power Spy
Control Panel
Stop
m onitoring
Keystrokes
websites visited
Stealth Mode
JP
(D *
Applications
executed
Buy now
Configuration
clipboard
About
microphone
24.
Power
Program Executed
log all programs including
application, executable file,
documents and directories
navigated with time,
Windows username,
application/document/ direct
ory name and file paths..
S p y Control Panel
screenshots
Applications
executed
Start
monitoring
Keystrokes
websites visited
(O)
Yahoo
messenger
clipboard
Configuration
About
microphone
25.
26.
li/JWUJ:>/* MNMMIir
1/3fX12w.1m
173>OCl3?-.H!t7W
u n ti*
im tm i
Aor*t,t.tgr
*awiHIr
111
the following
4!Cnto)
fM|(O.0v
!VKf In (K^rwtwA
H
fjpHVn.10d<1|m iPMKtminr jn
{CtrkfCtrfc
Vfogr"n(xMjamn***(* un5W:
(*(a*
txytm
jhfXP^oCW _____
;W
ear
oAa'cAa
:;2SUIO.I2m
<*
Wl(O.I)v
1
(m
AraVAi
1 ogr* l (nK)rweeeF
V(/' <1
1At*u
lVaU4J:}SfM
(4j0*-t VWnjm
:toragranHes(*Jmcoof ofto'pWct
173*01132=Mt430M
'
J
FIGU RE 15.17: Resulted keystrokes
Q ) Documents Opened log all text contents of
documents opened in MS
Word and NotePad.
27.
28.
To check the websites visited by the user, click W ebsite visited in the
It will show all the visited w e b site s, as shown
screenshot.
111
the following
1ya/2Cl22:42:m
1va/xu 2:42:27
IV2M 122:42:23fM
1VJtfX122:42:20fW
btfpjfttnteroaot.ctr\(toggesrfny1ea-tefr<nrt {*p
htpy/gnalTnoo>tan\jburas-<tty-orc*to>1>}
tYto/'Brafrjcsoft camkeooooo <1e*trtrt .g>c
:7W3C17 j PM
1V21/2C122142110m
2V9/3C122:!7:40PM
I eM atrixS o ft
Featured Product
>3
.H1icjpturot ill
Lab Analysis
Analyze and document die results related to the lab exercise. Give your opinion on
your targets security posture and exposure.
T o o l/U tility
0 No
P latform S up p o rted
0 C lassroom
C E H L ab M anual P ag e 416
0 !Labs
KEY
._ Valuable
information
Test your
knowledge
Web exercise
c a Workbook review
Lab Scenario
Porn sites are tilled with images that sometimes change multiple times each day,
require authentication 111 some cases to access their "better" areas o f content, and by
using stenograpluc techniques, would allow an agent to retrieve messages from their
home bases and send back updates, all 111 porn trading. Thumbnails could be
scanned to find out if there are any new messages for die day; once decrypted, these
messages would point to links on die same site with the remaining information
encrypted.
Terrorists know that so many different types of files can hold all sorts of hidden
information, and tracking or finding these files can be an almost impossible task.
These messages can be placed 111 plain sight, and the servers that supply these files
will never know it. Finding these messages is like finding the proverbial "needle" 111
the W orld Wide Web haystack.
111 order to be an expert an etlucal hacker and penetration tester, you must
understand how to lude the text inside the image. 111 tliis lab, we show how text is
hidden inside an image using the QuickStego tool.
7 Tools
dem onstrated in
this lab are
available in
D:\CEHTools\CEHv8
Module 05 System
Hacking
C E H L ab M an u al Page 417
Lab Objectives
The objective o f tins lab is to help the smdents learn how to hide secret text
m e ssa g e s 111 an image.
Lab Environment
To perform the lab, you need:
"
Lab Duration
Time: 10 Minutes
Overview of Steganography
Steganography is the art and science o f writing hidden messages 111 such a way diat
no one, apart from the sender and intended recipient, suspects the existence o f die
message, a form o f security through obscurity. Steganography includes die
concealment o f information within computer hies. 111 digital steganography,
electronic communications may include stenographic coding inside of a transport
layer, such as a document tile, image file, program, or protocol.
Lab Tasks
The basic idea 111 diis section is to:
1.
TASK 1
http:/ / quickcrypto.com
3.
C E H L ab M anual Page 418
Click Open Im age in the Picture, Im age, Photo File dialog box.
E th ical H a ck in g and C ounterm easures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.
4.
5.
TUI
Organize
Search QuickStego
New folder
Download
Recent p
Name
Music
Libraries
Date modified
Type
9/20/2012 4:42 PM
JPEG image
(1 Documej
Saved Hidden
Text Im ages
bmp format only
J'-
Music
k. Pictures
9 Videos
Computer
^ Local Dis v
<
File name: | lamborghini_5.jpg
v | | Images (*.bmp;*.jpg;*.jpeg;*.gif v |
Open
Cancel
6. The selected image is added; it will show a message that reads: THIS IMAGE
DOES NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE.
7. To add the text to the image, click Open Text from the T ext File dialog
box.
8.
9.
C E H L ab M anual Page 420
Select Text F11e.txt tile, and then click the Open button.
E th ica l H a ck in g and C ounterm easures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
di
ra!
*fr 1
Organize
'ff
v Q | | Search QuickStego
Favorites
Desktop
E 0 #
New folder
Name
_,Text
File.txt
Date modified
Type
9/20/2012 5:00 PM
Text Document
Downloa
Recent p =
Music
Libraries
0 Documei
J 1 Music
fc l Pictures
9 Videos
Open
10.
11.
111
the Steganography
im age.
QuickStego - Steganography Hide a Secret Text Message in an Image
ca
| Open Image |
Save Image
1
1
Steganography
Gel Text
Open Text
12.
C E H L ab M anual P ag e 421
To save the image (where the text is hidden inside the image) click
S ave Im age in the Picture, Im age, Photo File dialog box.
EQ QuickStego
imperceptibly
alters the pixels
(individual picture
elem ents) of the
image, encoding
the secret text by
adding small
variations in color
to the image. In
practice, to the
human eye, th ese
small differences
do not appear to
change the im age
13.
Provide the tile name as ste g o , and click S ave (to save tins file on the
desktop).
Save The Image File To
( ? ) ( J ) ' 7 f t I M Desktop^
Organize
. Favorites
Search Desktop
Libraries
System Folder
Desktop
Downloads
%
J)
* jg
New folder
Recent places
Music
Libraries
Computer
System Folder
Network
OF! D/ !rar
I stego I
| Image ( .bmp)
Hide Folders
14.
Exit from the Q uickStego window. Again open QmckStego, and click
Open Im age 111 the Picture, Im age, Photo File dialog box.
15.
16.
The hidden text inside the image will appear as displayed in the
following figure.
Q 3 Approximately 2MB of
free hard disk space (plus
extra space for any images)
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your targets security posture and exposure.
T o o l/U tility
Q uickS tego
In te rn e t C o n n ectio n R eq u ired
Yes
0 No
P latform S upported
0 !Labs
C E H L ab M anual P ag e 423