Professional Documents
Culture Documents
CEHv8 Module 05 System Hacking
CEHv8 Module 05 System Hacking
Module 05
Ethical
Hacking
Countermeasures
Hacking
and
System
System Hacking
Module 05
EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
Countermeasures
System Hacking
and
clE
Security News
nr aS
NEWS
Security News
IEEE Hack
Passwords
Vulnerable
Confirmed,
100k
Plain
Text
Source: http://www.kitguru.net
After details were revealed by Radu Dragusin over at IEEElog.com recently that
passwords and user details for some 100,000 members of the Institute of Electrical
and Electronics Engineers had been made publicly available on the company's
FTP server for at least a month, the organization confirmed this in a
communication to members, advising them to change their details immediately.
The IEEE is an organization that is designed to advance technology and has over
400,000 members worldwide, many of those including employees at Apple, Google,
IBM, Oracle, and Samsung. It is responsible for globally used standards like the IEEE
802.3 Ethernet standard and the IEEE 802.11 Wireless Networking standard. At an
organization like this, you'd expect security to be high.
Still, this hack was no hoax. The official announcement of it reads: "IEEE has
become aware of an incident regarding inadvertent access to unencrypted log files
containing user IDs and
Strictly Prohibited.
Exam
312-50
passwords. This matter has been addressed and resolved. None of your financial
information was made accessible in this situation."
The company continued saying though, that it was technically possible that during
the time this information was available, that someone could have used it to access
a user's account and therefore, as a "precautionary measure," the IEEE
recommended all users change their account information. Until that time, users were
not be able to access their account at all.
In what seems like quite a bold move, the organization went on to explain to users
that one of the best ways to protect themselves is to use a strong, unique
password for their login. Considering it was an IEEE security blunder that
caused the hack, advising other people on password strength seems a bit hypocritical.
That said, in Mr Dragusin's reveal of the hacked information, he produced a graph
detailing some of the most commonly used passwords. Almost 300 people used
"123456" and other variations of numbers in that same configuration, while
hundreds of others used passwords like "admin," "student," and "ieee2012."
Considering the involvement of IEEE members in pushing the boundaries of current
technology, you'd assume we wouldn't need to turn to Eugene "The Plague" Belford
to explain the importance of password security.
http://www.kitguru.net/channel/ion-martindale/ieee-hack-confirmed-100kplain-textpasswords-vulnera ble/
CH
Module Objectives
-I System Hacking: Goals
CEH Hacking Methodology
-I
(CHM)
Anti-Keylogger
J Password Cracking
J
and
Anti-
Spywares
Keyloggers
Spywares
Detecting
Microsoft
Rootkits
Authentication
Anti-
Rootkits
J NTFS Stream Manipulation
Password
Cracking
J
Steganalysis
Methods/Attacks
Steganography
Privilege Escalation
-I Executing Applications
Classification of Steganography
on
-i Covering Tracks
.1
Penetration Testing
Module Objectives
The preceding modules dealt with the progressive intrusion that an
attacker makes towards his or her target system(s). You should bear in mind that
this does not indicate a culmination of the attack. This module familiarizes you
with:
System Hacking: Goals
and Spywares
Password Cracking
Detecting Rootkits
Anti-Rootkits
Microsoft Authentication
Classification of
Steganalysis
72
Steganography
Privilege Escalation
Covering Tracks
Executing Applications
Penetration Testing
Exam
312-50
,i.0-004011110111ftopi
.
r
o
Footprinting Module
Scanning Module
IP Range
Namespace
Enumeration Module
Target assessment
Intrusive probing
Identification of
User lists
services
Security flaws
Employee web
Identification of
usage
www
4P
systems
1
Copyright C by FC-COMCg. All Rights Reserved. Reproduction is Strictly Prohibited.
Stage
Before beginning with system hacking, let's go over the phases you went
through and the information you collected so far. Prior to this module, we discussed:
Footprinting Module
Footprinting is the process of accumulating data regarding a
specific network environment. Usually this technique is applied for the purpose of
finding ways to intrude into the network environment. Since footprinting can be
used to attack a system, it can also be used to protect it. In the footprinting phase,
the attacker creates a profile of the target organization, with the information such as
its IP address range, namespace, and employee web usage.
Footprinting improves the ease with which the systems can be exploited by
revealing system vulnerabilities. Determining the objective and location of an
intrusion is the primary step involved in footprinting. Once the objective and
location of an intrusion is known, by using nonintrusive methods, specific information
about the organization can be gathered.
For example, the web page of the organization itself may provide employee bios or a
personnel directory, which the hacker can use it for the social engineering to
reach the objective. Conducting a Whois query on the web provides the associated
networks and domain names related to a specific organization.
Exam
312-50
Scanning Module
Scanning is a procedure for identifying active hosts on a network, either
for the purpose of network security assessment or for attacking them. In the
scanning phase, the attacker finds information about the target assessment
through its IP addresses that can be accessed over the Internet. Scanning is mainly
concerned with the identification of systems on a network and the identification of
services running on each computer.
Some of the scanning procedures such as port scans and ping sweeps return
information about the services offered by the live hosts that are active on the Internet
and their IP addresses. The inverse mapping scanning procedure returns the
information about the IP addresses that do not map to the live hosts; this allows
an attacker to make suppositions about feasible addresses.
Enumeration Module
Enumeration is the method of intrusive probing into the target
assessment through which attackers gather information such as network user lists,
routing tables, and Simple Network Management Protocol (SNMP) data. This is
significant because the attacker crosses over the target territory to unearth
information about the network, and shares users, groups, applications, and banners.
The attacker's objective is to identify valid user accounts or groups where he or she
can remain inconspicuous once the system has been compromised. Enumeration
involves making active connections to the target system or subjecting it to direct
queries. Normally, an alert and secure system will log such attempts. Often the
information gathered is what the target might have made public, such as a DNS
address; however, it is possible that the attacker stumbles upon a remote IPC
share, such as IPC$ in Windows, that can be probed with a null session allowing
shares and accounts to be enumerated
-.
0=0.
Exam
312-50
0011111m.m011MIMINI
Access
Escalating Privileges
Goal
Technique/Exploit Used
To
collect
enough
information to gain access
To create a privileged user
account if the user level is
obtained
create
and
maintain backdoor
access
To
Hiding Files
Password
eavesdropping, brute
forcing
Password
cracking,
known
exploits
Trojans
Covering Tracks
Clearing logs
attacker can also have certain goals behind performing attacks on a system. The
Ethical
Hacking
Countermeasures
Hacking
and
System
Goal
Hacking-Stage
E
l
Gaining Access
Escalating Privileges
To collect enough
information
to gain access
Technique/Exploit Used
Password eavesdropping,
brute forcing
Password
cracking,
known
exploits
Executing
Applications
To
create
and
maintain backdoor
access
Trojans
Hiding Files
To hide malicious files
Covering Tracks
To
hide
presence
compromise
the
of
Rootkits
Clearing logs
EC-Council
Exam
312-50
Cracking Passwords
Escalating Privileges
Hiding Files
(.
g
m
Covering Tracks
&
Exam 312-50
Cracking Passwords
. Escalating Privileges
Executing Applications
Enumeration
Hiding Files
Exam
312-50
Cracking
Passwords
Escalating
Privileges
Executing
Applications
Penetration
Testing
Covering
Tracks
Hiding
Files
This section describes the first step, i.e., password cracking, that will tell you how
and what types of different tools and techniques an attacker uses to crack the
password of the target system.
u_
MI Cracking Passwords
Module 05 Page 528
Escalating Privileges
Executing Applications
Hiding Files
Covering Tracks
Ethical Hacking and Countermeasures Copyright
_ Penetration Testing
EC-Council
by
Exam
Password Cracking
EH
312-50
Password cracking
techniques are used
to
recover
passwords
from
computer systems
Attackers
use
password cracking
techniques to gain
unauthorized
access to the vulnerable system
Attacker
Prohibited.
Password Cracking
Password cracking is the process of recovering passwords from the data
that has been transmitted by a computer system or stored in it. The purpose of
password cracking might be to help a user recover a forgotten or lost password,
as a preventive measure by the system administrators to check for easily
crackable passwords or it can also be used to gain unauthorized access to a
system.
Many hacking attempts start with password cracking attempts. Passwords are the
key piece of information necessary to access a system. Consequently, most
attackers use password cracking techniques to gain unauthorized access to the
vulnerable system. Passwords may be cracked manually or with automated tools
such as a dictionary or brute-force method.
The computer programs that are designed for cracking passwords are the
functions of the number of possible passwords per second that can be checked.
Often users, while creating passwords, select passwords that are predisposed to
being cracked such as using a pet's name or choosing one that's simple so they can
remember it. Most of the passwords cracking techniques are successful due to
weak or easily guessable passwords.
Ethical
Hacking
and
Countermeasures System
Hacking
Password
Complexity
E"
MIN
4
Passwords
that contain
only
letters
and special
characters
bob&ba
Passwords that
contain
only
special
characters
and
numbers
"INS
Passwords
that
contain
only
special characters
& #6!(%)
Passwords that
contain letters and
numbers
meet123
1234345
Password Complexity
Password complexity plays a key role in improving security against
attacks. It is the important element that users should ensure while creating a
password. The password should not be simple since simple passwords are prone
to attacks. The passwords that you choose should always be complex, long, and
difficult to remember. The password that you are setting for your account must meet
the complexity requirements policy setting.
numbers:
ap1@52
Module 05
by
Page 530
EC-Council
Ethical
Ethical Hacking and Countermeasures
Certified Ethical Hacker System Hacking
Exam
clEY
Password Cracking
Techniques
A dictionary file
tries
is loaded into the
cracking
of
application that
until
runs against user
is
accounts
It is the
combination of
both brute force
attack and the
dictionary attack
dictionary
and
tries to crack the
password
4 4
312-50
4
Syllable
Attack
Dictionary
Forcing
rute
Hybrid
Attack
Attack
Iti
Copyright 0 by FS-Ce
Prohibited.
Dictionary Attacks
In a dictionary attack, a dictionary file is loaded into the cracking
application that runs against user accounts. This dictionary is the text file that
contains a number of dictionary words. The program uses every word present in the
dictionary to find the password. Dictionary attacks are more useful than brute force
attacks. But this attack does not work with a system that uses
passph rases.
This attack can be applied under two situations:
e
In cryptanalysis, it is used to find out the decryption key for obtaining
plaintext
from
ciphertext.
(7) In computer security, to avoid authentication and access the computer by
guessing
passwords.
Exam
312-50
follows:
e It is a time-consuming process
e All passwords will eventually be found
e Attacks against NT hashes are much more difficult than LM hashes
Hybrid Attack
..---. This type of attack depends upon the dictionary attack. There are chances
that people might change their password by just adding some numbers to their old
password. In this type of attack, the program adds some numbers and symbols to
the words from the dictionary and tries to crack the password. For example, if
the old password is "system," then there is a chance that the person will change it
to "systeml" or "system2."
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures System
Hacking
Syllable Attack
A syllable attack is the combination of both a brute force attack and the
dictionary attack. This cracking technique is used when the password is not an
existing word. Attackers use the dictionary and other methods to crack it. It also uses
the possible combination of every word present in the dictionary.
Rule-based Attack
This type of attack is used when the attacker gets some information
about the password. This is the most powerful attack because the cracker knows
the type of password. For example, if the attacker knows that the password
contains a two- or three-digit number, then he or she will use some specific
techniques and extract the password in less time.
By obtaining useful information such as use of numbers, the length of password,
and special characters, the attacker can easily adjust the time for retrieving the
password to the minimum and enhance the cracking tool to retrieve passwords.
This technique involves brute force, dictionary, and syllable attacks.
Exam
312-50
H
1. Passive Online Attacks
le Shoulder Surfing
Wire Sniffing
Attacker performs
password hacking without
communicating with the
authorizing party
te Social Engineering
Dumpster Diving
Man-in-the-Middle
et
Replay
A
4. Non-Electronic Attacks
et Pre-Computed Hashes
et Distributed Network
passwords
e Rainbow
different location
in
Hash Injection
3. Offline Attack
(i
his
ti
Trojan/Spyware/Keylogg
ers ei Password Guessing
ti Phishing
e Wire sniffing
Manin-themiddle
Replay
Exam 312-50
logger
Hash injection
Phishing
Offline Attacks
Offline attacks occur when the intruder checks the validity of the
passwords. He or she observes how the password is stored in the targeted system.
If the user names and the passwords are stored in a file that is readable, it becomes
easy for the intruder to gain access to the system. In order to protect your
passwords list they should always be kept in an unreadable form, which means
they have to be encrypted.
Offline attacks are often time consuming. They are successful because the LM
hashes are vulnerable due to a smaller keyspace and shorter length. Different
password cracking techniques are available on the Internet.
The techniques to prevent or protect from offline
attacks
are:
Rainbow
Non-electronic Attacks
Non-e!ectronic attacks are also known as non-technical attacks. This
kind of attack doesn't require any technical knowledge about the methods of
intruding into another's system. Therefore, it is called a non-electronic attack.
There are three types of non-electronic attacks. They are:
e
Shoulder
surfing
Social
engineerin
g
Dumpster
diving
Module 05 Page 535
by EC-Council
Ethical
Hacking
and
Countermeasures
System
Hacking
Passive
Wire
Sniffing
Online
Attack:
Computationa
lly
omplex
.74
Victim
Attacker
Victim
the LAN, he or she can gather data sent to and from any other system on the LAN.
The majority of sniffer tools are ideally suited to sniff data in a hub environment.
These tools are called passive sniffers as they passively wait for data to be sent, before
capturing the information. They are efficient at imperceptibly gathering data from
the LAN. The captured data may include passwords sent to remote systems during
Telnet, FTP, rlogin sessions, and electronic mail sent and received. Sniffed
credentials are used to gain unauthorized access to the target system. There are a
variety of tools available on the Internet for passive wire sniffing.
omputationa
lly
Complex
Victim
Exam
original connection
0
Sniff
Victim
312-50
MITM / Replay
Cr An
Web Server
Traffic
Attacker
Considerations
Gain access to
the
communicatio
n
channels
Use sniffer
Relatively hard to
perpetrate
Must be trusted by
one
or
both sides
a
the
relevant info is
s.c=u1
Passive Online Attack: Man-in-theMiddle
and
Replay Attack
When two parties are communicating, the man-in-middle attack can take place. In
this case, a third party intercepts the communication between the two parties,
assuring the two parties that they are communicating with each other. Meanwhile,
the third party alters the data or eavesdrops and passes the data along. To carry
out this, the man in middle has to sniff from both sides of the connection
simultaneously. This type of attack is often found in telnet and wireless
technologies. It is not easy to implement such attacks due to the TCP sequence
numbers and speed. This method is relatively hard to perpetrate and can be broken
sometimes by invalidating the traffic.
In a replay attack, packets are captured using a sniffer. After the relevant
information is extracted, the packets are placed back on the network. This type of
attack can be used to replay bank transactions or other similar types of data transfer
Ethical
Hacking
and
Countermeasures System Hacking
0
Victim
Original
Connection
Sniff
#1
1. up
.1
L.
MITM
Replay
Web Server
Traffic
FIGURE 5.4: Passive Online Attack by Using Man-in-the-Middle and Replay Attack
Exam
IEH
Active
Online
Attack:
Password Guessing
312-50
Network
combinations to crack
the
password
Netwo
rk
Considerations
Networ
Time consuming
Requires
huge
amounts of network
bandwidth
Easily detected
Attacker
Exam
Network
140,4401*
Attacker
FIGURE 5.5: Active Online Attack by Using Password Guessing Method
follows:
e Takes a long time to be guessed
e
312-50
Ethical
Hacking
and
Countermeasures System
Hacking
r41)
pictures
Copyright 0 by EC-Co
Prohibited.
"
f:Ln
logged, they are shipped to the attacker, or hidden in the machine for later
retrieval. The attacker then scrutinizes them carefully for the purpose of finding
passwords or other useful information that could be used to compromise the system.
For example, a keylogger is capable of revealing the contents of all emails
composed by the user of the computer system on which the keylogger has been
installed.
Ethical
Hacking
and
Countermeasures System
Hacking
C EH
a
I
7 0
Victim Computer
Attacker
Copyright 0 by FS-Co
Prohibited.
Attacker
Computer
Victim
Exam
312-50
H
Computed Ii _
Convert huge word lists
like dictionary files and
brute force lists into
password hashes using
techniques such as
rainbow tables
It is easy to recover
passwords by
comparing captured
password hashes to the
precomputed tables
Precomputed Hashes
lqazwed
41254cc31599c530b28a6a8f225d668390
hh021da
c744b1716cbf8d4ddOff4lice31a177151
9da8dasf
3cd696a8571a843ccla453a229d741843
so di fo 8s f
7ad7d6f a6bb4fd28ab98b3dd33261e8f
Copyright by EC-Ca
Prohbited.
Offline attacks occur when the intruder checks the validity of the
passwords. He or she observes how the password is stored. If the user names and
the passwords are stored in a file that is readable, it becomes easy for him or her
to gain access to the system. Hence, the passwords list must be protected and kept in
an unreadable form, such as an encrypted form.
Offline attacks are time consuming. They are successful because the LM hashes are
vulnerable due to smaller keyspace and shorter length. Different password
cracking techniques are available on the Internet.
There are two types of offline attacks that an attacker can perform to discover the
password.
e Rainbow Attacks
e Distributed network Attacks
Rainbow Attacks
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
rainbow attack, the same technique is used; the password hash table is created in
advance and stored into the memory. Such a table is called a "rainbow table."
Rainbow Table
A rainbow table is a lookup table specially used in recovering the plaintext
password from a cipher text. The attacker uses this table to look for the password
and tries to recover the password from password hashes.
Computed Hashes
An attacker computes the hash for a list of possible passwords and
compares it with the pre-computed hash table (rainbow table). If a match is
found, then the password is cracked.
Pre-Computed Hashes
Only encrypted passwords should be stored in a file containing user
name/encrypted password pairs. The typed password is encrypted using the
hash function of cryptography during the logon process, and it is then compared
with the password that is stored in the file.
Encrypted passwords that are stored can prove useless against dictionary attacks.
If the file that contains the encrypted password is in a readable format, the attacker
can easily detect the hash function. He or she can then decrypt each word in the
dictionary using the hash function, and then compare with the encrypted password.
Thus the attacker obtains all passwords that are words listed in the dictionary.
Storage of hashes requires large memory space such as LM "hashes" require 310
Terabytes and NT Hashes < 15 chars requires 5,652,897,009 Exabytes. Use a timespace tradeoff technique to reduce memory space required to store hashes.
1gazwed
->
4259cc34599c530b28a6a8f225d668590
hh021da
->
c744b1716cbf8d4ddOff4ce31a177151
9da8dasf
->
3cd696a8571a843cda453a229d741843
sodifo8sf
->
7ad7d6fa6bb4fd28ab98b3dd33261e8f
Exam
clf
IC
,146,
MEV .1111=6111A1
*Lob.. table 61.66._/ouvraluhal1-7_11_1166161x966016111611_11 rt 6.1.
uach Iyorlahno
at in
oh 16661.ha
16
1.3,661
.11vmaft In 6,,a,
76 77 711 79 7a er
Ionian
7
1 2 =111
hawk-.
v.v.
9
111
Che,Loa
12400
61
6.166
MAW %
We655
Pm.
21"2.W.VN11'3"Z. .9 1..1.12.. 11 7-
7,,
rwmt,
gr.
1
taBL0EN311111,1111017011SILIVWXR
1t1
MUDS
.16.1MIAIII
ehx wee P3530129112
1-tirehar 1 wora 11
i6vontlal CCCCC 1n mint head. Frain a retteellann1MMONNInele,
:;.:72 :51
'171 61
^MI of
44
= : : 1 : : : : : 1 : 1 2 :4=1:I I I: : .4 .1. : :
aavaaabam chola. neve
al IV n 7.6
6O
.6.1nbou chdhal li
4 (il o. 7.6
6)
Miiiike -.1.....................0.. liou........................1 I ea o. , . 4 . .
lrya
Ca tow. CO BUB
IN.
312-50
valnhlh 091013319160M
11.
.tne I
Carmel noaam
N
h
t
0
1
W
a
r
t
.
w
w
a
rrideo
wmea
nnna
me
harIn
wamtr
abahm
a
it
mew
*.
an .
...
http://www.oxid.it
se
Tools to Create Rainbow Tables: Winrtgen and
rtgen
C)
Winrtgen
Source: http://www.oxid.it
Winrtgen is a graphical Rainbow Tables Generator that helps attackers to create
rainbow tables from which they can crack the hashed password. It supports LM,
FastLM, NTLM, LMCHALL, HaIfLMCHALL, NTLMCHALL, MSCACHE, MD2,
MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2
(256), SHA-2 (384), and SHA-2 (512) hashes.
Rainbow Table
properties
Hash
Mn Len
Chan Len
klas Len
Chan
Coal
Imam
I
M
O
10
N el tables
Ip
loco=
.
l
Eat
IABCDEFGHUKLMNOPQRSTUVWX12
Table poodles
Key
space.
8353082582 keys
Disk
space
610.35618
Operand pdasetel
lA
drenrsbalog
n
c
h
m
a
"
l
k
Cancel
H
a
s
h
s
p
e
e
d
S
t
e
p
s
p
e
e
d
Table
plecomputation
tine
Told
pteccerpulatson
time
I
Meal
ctyplanalysis
tine
enchrnaik I
rtgen
Source: http://project-rainbowcrack.com
RainbowCrack is a general propose implementation that takes advantage of the
nt
1 V 181611 41611418181 a
Duren. sahis nt lm_lowera lphalll -7_0_1000x40000810_0. rt parame ters
, ash A.gordehn:
nt lni
, ash lane h I
16
' NIP.Mt I
abcderghijkleinopgrstuuwxyz
'.1barea. in tax:
61 62 63 64 65 66 67 68 69 6a 6 b 6c 6d be
Sill 7`. 7b 77 78
79 7a
bursas Ilanouth:
26
AsTiostremt length range :
1 - 7
. &see isLr sr* :
0,41130810000
8353082582
.1sTintemt total:
68
70 71
72 75
4
FIGURE 5.8: rtgen Generate Rainbow Table in Window
Ethical
Hacking
and
Countermeasures System
Hacking
=NM
lE!!
A Distributed Network Attack (DNA) technique is used for recovering passwordprotected files using the unused processing power of machines across
the network to decrypt passwords
II In this attack, a DNA manager is installed in a central location
where machines
running DNA clients can access it over the network
The
DNA
Manager
is
installed in a
central location
running on
DNA
Client can
access it
over the
network
DNA Manager
coordinates
the
attack and allocates
small
portions of the
key
search
to
machines
that
are
distributed
over
the
network
The
program
combines
the
processing
capabilities of all
the
clients connected
to
network and uses
it
to
perform
key
search
to
decrypt them
them.
Features of the DNA:
Reads statistics and graphs easily
e Adds user dictionaries to crack the password
Optimizes password attacks for specific
languages e Modifies the user dictionaries
Comprises of stealth client installation functionality
Automatically updates client while updating the DNA server
Network Management
The Network Traffic application in Windows is used for the purpose of
network management. The Network Traffic dialog box is used to find out the
network speed that DNA uses and each work unit length of the DNA client. Using the
work unit length, a DNA client can work without contacting the DNA server. The
DNA client application has the ability to contact the DNA server at the beginning and
Exam
312-50
Elcomsoft
Distributed
Password Recovery
O
Features:
LP 1
War
p ujAN
1.3
110..1.19
moo. , I=
4.01. OW MN
pm
.1 on.
1 Er
C
411..11
1-
P,
impa: 4
n L... s
PM.
.iwn
...,
r a
-1
Im
A
...
311.
4.,
Mnd
Iwo
ii
Ail PM*
=11
m.1.1
morns
.0.1MI I
krlo
ti
Install and remove
password
recovery
clients
remotely
E.P1.11.moPP*
.
t
Plug-in architecture
allows
for
additional file formats
Ay. ,
T
i
AIMPIC141000.61ra
I/ MOMS
W.. Ire 41 .
.
.
.
,
-
.
m
.
T.
Lgli
.''.
--
...:..'
..1..
.
.
I
".....
'''..".
**a=
4* 1.
:
ail P
..
http:fiwwwelcomsoftconi
networked
PC
Ethical
Hacking
and
Countermeasures System Hacking
,1
AMIL
1, 1111.R141.1
rAN J U VI NNIMIL
L12,11.
fi e
Ice
lever
pwv
ageni
Help
A1pIy
13 Han
a iL
II
orNress
Seem
reg 1.)kx
des
P'
A234.
4
Celele
de
Eb Enable
resarre3 tone
I.007 %
Ter13.2i
0.526 %
110414.149
5.297%
7111,4415,549
0.792 14
Reva.Poo
0.000 %
CSolt.Aw
0.543 %
amen/ owed
everew sped
stain
nn.
456 recovered
roni.
423 recovered
I en.
219 recovered
0.9111%
g l fa llen
Doable
dewed erne
1h. Won.
170
12 ow
42 recovered
7
I net.
20
not averted
recovered
Connect
ion
Mat
s
tote
7,
Atte*
i
Cpl
Cannon:
Ceche AM
Leg
: 5,
nlrg 0, To
Remit
I
Character Gmups
M'ilsainum
g.1.11+41MCM . . . . 1 .
D
813N507119Q
reeek Soren
i1,44sa.
1 1 , 4 < >10/11
Hells /S..A
D
0
Mask
0 length
loceloot
ovine
. no ectne Von
MT
Se
O il
yore
1Id
Agent
Moir
Sena,
Help
Add Filen
S ue
En4514
11
23
Nide
doo5., .
I 44% I
Wrest speed
Cleave
F oam
dewed bee
Teoll
A
.elec
Ian
mo s e y t e e
rel./
0.903 %
0'0
A te40.410
1007%
0
427
0.120 %
11 te40.1do
t
on.
Coenecb
oe
Maus
456
I on.
A944a2
evesw owed
ii Teoll.ehe
5247%
a Tes15.elce
12 m
0.701 %
li Re
0.050 %
7w.
re0v
v0e
- 2 9 . 2 8 W1
dst
119
rece
silMIMIZI211
nve
d
GLI
470
ooz
Alerts
es
42 recovered
r rot opts
LSJ
old i 7,
net listedr 6 6
4040 0, resevered s S.
rot teem:red
en a mead II
wised
Creel/weed leg
Wads I
cacti
Reset
Ceem l
louteet
errne
.. . en v t ele
a
Exam
312-50
Non-Electronic Attacks
CIEH
Looking at either the user's
keyboard
or
screen
while
he/she is logging
in
Convincing people to
information
Non-Electronic Attacks
Non-electronic attacks are also termed non-technical attacks. This kind
of attack doesn't require any technical knowledge about the methods of
intruding into another's system. Therefore, it is named a non-electronic attack.
There are four types of non-electronic attacks, which are: social engineering,
shoulder surfing, keyboard sniffing, and dumpster diving.
Dumpster Diving
popular in the 1980s. The term "dumpster diving" refers to any useful, general
information that is found and taken from areas where it has been discarded.
These areas include trash cans, curbside containers, dumpsters, and the like,
from which the information can be obtained for free. Curious and/or malicious
attackers may find password files, manuals, sensitive documents, reports, receipts,
credit card numbers, or diskettes that have been thrown away.
by EC-Council
Exam
312-50
Simply, the examination of waste products that have been dumped into the
dumpster areas may be helpful to attackers, and there is ample information to
support this concept. Such useful information was dumped with no thought to
whose hands it may end up in. This data can be utilized by the attackers to gain
unauthorized access on others' computer systems, or the objects found can
prompt other types of attacks such as those based on social engineering.
Shoulder Surfing
HP
Social Engineering
-- In computer security, social engineering is the term that represents a nontechnical
kind of intrusion. Typically, this relies heavily on human interaction and often
involves tricking other people into breaking normal security procedures. A social
engineer runs a "con game" to break the security procedures. For example, an
attacker using social engineering to break into a computer network would try to
gain the trust of someone who is authorized to access the network, and then try to
extract the information that compromises the network security.
Exam
312-50
Keyboard Sniffing
Keyboard sniffing allows you to interpret the password as the target
enters the keystrokes using keyloggers.
Exam
312-50
Default Passwords
CEH
A default password is a password supplied by the
manufacturer
with
new
equipment that is password protected
J
http://www.defaultpassword.us
1===aiiii&
7e.
http://securityoverride.org
htt p://ww w. routerpasswords.com
raaorio4
* Y
74YR
ilbee
e-Yeeefte
Ir-.
S Y JNO Y I
Pe
le7e
Mawr.
...11.
Re. MD Ye
ye.)
.r.e
KY
-7,7,
KY
http://www.virus.org
Wm
VS=
fel
y
feneY28, WO Be
Pei
77c y cl ky FY
.ae Emmy. ieeem Yee. A
nee YelY70%.
1
<MY , Ye
.
tralw
r............
7tro
{MN,
y ly
WY
my
y r.
tee.
telY
rye
L111,
YE
ION
YIP
CEM
eMe
10Y
mem
illeeelY
my
ley
gurerow,
y y Ye
ye w.
Yea Ye
.....7
Me
y
tee
477
nu"
11111
ye
ye
A...
yew
WV
Ivey
H.
In
la
Y in+.
Yew
Y e.
dieeye
elo
http://securityoverride.org
Copyright 0 by EC-Ca
Prohibited.
Default Passwords
Source: http://securitvoverride.org
Default passwords are passwords supplied by manufacturers with new equipment.
Usually the default password provided by the manufacturers for password
protected devices allows the device to be accessed during its initial setup. Online
tools that can be used to search for default passwords include:
http://cirt.net
http://default-password.info
e http://www.defaultpassword.us
e
http://www.passwordsdataba
se.com
https://w3dt.net
e
http://www.v
irus.org
http://opensez.me
http://securitvoverride.org
http://www.routerpass
words.com
http://www.fortypoun
dhead.com
M.
li e m for.fmto
it
IOW
St
1/10
Mt !
o .
Kb
4
I. M i . . 7
1 .11.
Vt
Ka
r r t. *.
1.4
.1.
, ow.
,17,51711,417/11
"
7.
dormo.. a
wanifie
M,
JO
.117
7
s
141.11.
I
I
User-
Vendor
Model
3COM
CoreBuild
3COM
er
3COM
CoreBuild
3COM
er
Ac
ces
s
SuperStack
Switch
OfficeConnect
812 ADSL
II
Version
7000/6000/3500
/2500
Type
name
Telnet
7000/6000/3500
Debug
/2500
3COM
HiPerARC
v4.1.x
Telnet
3COM
LANplex
2500
Huawei
Tech
LANple
2500
Telnet
3COM
3COM
LinkSwit
Adm
3COM
ch
Telnet
2000/2700
E960
3COM
NetBuild
er
3COM
Netbuild
Debug
5x0
2200
er
3COM
Office
Connect
2700
Telnet
Tech
Telnet
Tech
Ad
min
ISDN
Routers
SuperStack
II
Switch
SNMP
Multi
Admin
Telnet
Telnet
tech
Admin
Synnet
ILMI
Tech
(none)
n/a
Multi
Telnet
Password
adminttd
PASSWORD
Synnet
Tech
adminttd
(none)
Tech
Synnet
Tech
debug
TABLE 5.1: Online Tools To Search Default Password
Ethical
Hacking
and
Countermeasures
System
Hacking
clE
Manual Password
Cracking
(Guessing)
Frequency
attacks
of
The
failure
rate
is
high
is
less
Key in each
Find a
I ri
user
Create a list of
passwords
possible
passwords
Rank
from high
probability to low
password,
until
correct
password
is discovered
Exam 312-50
System Hacking
administra tor
""
administrator password
a d mi n i s tr a to r
a d mi n i s tr a to r
[Etc.]
From a directory that can access the text file, the command is typed as follows:
c:\>FOR
/F "tokens=1,2*"
%i in
(credentials.txt)A
\\victim.com\IPC$
%j
/u:victim.com\%iA
2>>nulA
%time%
\\victim.com acct:
c: \> t yp e
%date%
>> outfile.txtA
%i pass:
%j
>> outfile.txt
outfile.txt
The outfile.txt contains the correct user name and password if the user name and
password in credentials.txt are correct. An open session can be established with the
victim server using the attacker's system.
Exam
Automatic
Cracking
Algorithm
Find a valid
each
user
Password
CI
E
312-50
ann
Obtain the
Encrypt
encrypted passwords
word
40 404.,
NIF
Verify whether
possible passwords
Attackers can use a combination of attack methods to reduce the time involved in
cracking a password. The Internet provides freeware password crackers for NT,
Netware, and UNIX.
Exam
There are password lists that can be fed to these crackers to carry out a
312-50
dictionary
attack. In its simplest form, automation involves finding a valid user and the particular
encryption algorithm being used, obtaining encrypted passwords, creating a list
of all possible passwords, encrypting each word, and checking for a match for each
user ID known. This process is repeated until the desired results are obtained or all
options are
exhausted.
steps:
Create
possible
list
passwords
of
manual attack,
automate
the process. There are several free programs that can assist in this effort. Some of
these free programs are Legion, Jack the Ripper, NetBIOS
simplest of these
automation
Auditing Tool
involves a simple loop using the NT/2000 shell for command. All the attacker has to
do is to create a simple user name and password file. He or she can then reference this
file within a
FOR command.
C:\> FOR
/F "token=1,
do net use
2*" %i in (credentials.txt)
\\target\IPC$
%i /u:
%j
LOphtCrack
or
running it against user accounts that the application locates. Dictionary attacks
are more effective with long words.
(7) The brute force method is the most inclusive, although slow. Usually it
tries every
possible letter and number combination in its
automated exploration.
starts with
a dictionary, and then tries combinations such as two words together or a
word and
numbers.
Users tend to have weak passwords because they do not know what constitutes
strong passwords
for
Ethical
Hacking
and
Countermeasures
System
Hacking
Stealing
Using
USB Drive
clE
Passwords
&tract Password
Attacker
Insert the USB drive
PassView
and
the
is
executed
in
the
pop-up
USB drive
(if enabled)
Download
PassView,
start
password
p s p v.e x e / s t e x t
hacking tool
p s p v.t x t
files
to
USB drive
torun]
e n = l au n
c h . b at
All the applications included are portable and light enough that they can be
downloaded in the USB disk in few seconds. You can also hack stored Messenger
passwords. Using tools and a USB pendrive you can create a rootkit to hack passwords
from the target computer.
Stealing passwords using a USB device is carried out with the help of the following
steps:
1. You need a password hacking tool
Exam
312-50
2. Copy the downloaded .exe files of password hacking tools to USB drive.
3. Create a notepad document and put the following content or code in
the
notepad
[autorun]
en=launch.bat
After writing this content into Notepad, save the document as autorun.inf
and copy this file to the USB drive.
4.
5. Insert the USB drive and the autorun window pop-up (if enabled).
6. A password-hacking tool is executed in the background and passwords can
be
stored
in
the .TXT files in the USB drive.
In this way, you can create your own USB password recovery toolkit and use it to
steal the stored passwords of your friends or colleagues without the knowledge of
the person. This process takes only a few seconds to retrieve passwords.
AA
L
Attac
ker
Fassword-,
.
v
.
.
c
.
,
m
'
s
c
o
m
p
,
n
e
,
al
EC-Council
Prohibited.
Ethical
Hacking
and
Countermeasures System
Hacking
Stealing
Passwords
Using
Keyloggers
/
a
J Keyloggers provide an easiest and most effective means of stealing a all victim's
user
.A7
names
and
passwords
4 "
Attacker infects
victim's local PC with
a software keylogger
ot
>
lb : :
-
.:.......
:::
Attacker
011.
Keylogger sends
login credentials to
hacker
Victim
Domain
Server
but it can compromise your financial details as well. Keyloggers are used by
people to find a certain piece of information such as a user name or password. The
pictorial representation clearly explains the way attackers steal passwords using
keyloggers.
Ethical
Hacking
and
Countermeasures System Hacking
,1 1 1 j . ir in
rfII,
ti it lin
Art ,,l's ,x al 4
Ife
wt
MI
a sal.er ,,,
f I ft14151 yil
fin
dilt. I
4,
It.
Attacker
a rykkaget wr05
Domain
Server
Victim
ii:a; in r
ha, i,-4
Attacrt
server
gains
to domain
Keyloggers
When stealing passwords, the attacker first infects the victim's local PC with a
software keylogger. When the victim logs on to the domain server with his or
her credentials, the keylogger automatically sends login credentials (user name,
passwords) to the attacker without the knowledge of the victim. Once the attacker
gets the victim's login credentials, he or she logs on to the domain server and may
perform any action.
Exam
312-50
Microsoft Authentication
Windows Security
SAM Database
Windows stores user passwords in the
Security Accounts Manager database
(SAM), or in the Active Directory database
in domains. Passwords are never stored in
clear text; passwords are hashed and the
results are stored in the SAM
Enter network
password
Enter your passe/0.d
61
ad
-.44Pin
in
1:E=EC
Remember my credentials
011MigiLEZZEZMIP
t,* The NTLM authentication protocol types:
1. NTLM authentication
protocol
2. LM authentication
protocol
o These protocols stores user's password in
the
SAM
atabase using differenthashing methods
to
connect to.
The
Kerberos
Microsoft has upgraded its default
authentication
protocol to Kerberos which provides a
stronger
uthentication for client/server applications than NTLMA
"gl Windows 8
Copyright 0 by ECtig
Prohibited.
Microsoft Authentication
SAM Database
The acronym SAM database is the Security Accounts Manager database.
This is used by Windows to manage user accounts and passwords in the hashed
format (one-way hash). Passwords are never stored in plaintext format. They are
stored in the hashed format to protect them from attacks. The SAM database is
implemented as a registry file and the Windows kernel obtains and keeps an
exclusive filesystem lock on the SAM file. As this file is provided with a filesystem
lock, this provides some measure of security for the storage of the passwords.
It is not possible to copy the SAM file to another location in the case of online
attacks. Since the SAM file is locked with an exclusive filesystem lock, it cannot
be copied or moved while Windows is running. The lock will not release until the
blue screen exception has been thrown or operating system has shut down. However,
making the password hashes available for offline brute-force attacks, the on-disk
copy of the contents of the SAM file can be dumped using various techniques.
Exam
312-50
is partially encrypted when the SYSKEY is enabled. In this way the password hash
values for all local accounts stored in the SAM are encrypted with a key.
Even if its contents were discovered by some subterfuge, the keys are encrypted
with a oneway hash, making it difficult to break. Also, some versions have a
secondary key, making the encryption specific to that copy of the OS.
NTLM Authentication
NTLM (NT LAN Manager) is a proprietary protocol employed by many
Microsoft products to perform challenge/response authentication, and it is the
default authentication scheme that Microsoft firewall and proxy server products
use. This software was developed to address the problem of working with Java
technologies in a Microsoft-oriented environment. Since it does not rely on any
official protocol specification, there is no guarantee that it works correctly in every
situation. It has been on some Windows installations, where it worked
successfully. NTLM authentication consists of two protocols: NTLM authentication
protocol and LM authentication protocol. These protocols use different hash
methodology to store users' passwords in the SAM database.
Kerberos
--Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by using secret-key
cryptography. This provides mutual authentication. Both the server and the user
verify the identity of each other. Messages sent through Kerberos protocol are
protected against replay attacks and eavesdropping.
Kerberos makes use of Key Distribution Center (KDC), a trusted third party. This
consists of two logically distinct parts: an Authentication server (AS) and a Ticket
Granting Server (TGS). Kerberos works on the basis of "tickets" to prove the user's identity.
Ethical
Hacking
and
Countermeasures System
Hacking
Windows Security
Enter network password
Enter your password to connect to:
41.
yin
==
El Remember my credentials
Cancel
Exam
312-50
CIEH
tb
111100
Martin/magician
624AAC413795CDC1
11110
Martin:
1008:
4E835F1CD90F4C76:6F585F
F8FF6
280B59CCE252FDB500E88::
:
c:\windows\system32\ config\SAM
17
X
Administrator:500:598DDCE2660D3193AAD3B435B51404EE:2D20D252A479F485CDF5E171D
93985BF::: Guest:501:NO PASSWORD*********************:NO
PASSWORD*********************:::
HelpAssistant:1000:B991A1DA16C539FE4158440889BE1FFA:2E83DB1AD7FD1DC981F3641
2863604E9::: SUPPORT_388945a0:1002:NO
PASSWORD*********************:F5C1D381495948F434C42AEE04DE990C:::
Hackers:1003:37035B1C4AE2B0C5B75E0C8D76954A50:7773C08920232397CAE0817
04964B786::: Admin:1004:NO PASSWORD*********************:NO
PASSWORD*********************:::
Martin:1005:624AAC413795CDC1AAD3B435B51404EE:C5A237B7E9D8E708D8436B614
8A25FA1:::
John:1006:624AAC413795CDC1FF17365FAF1FFE89:3B1B47E42E0463276E3DED6CEF34
9F93:::
Jason:1007:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280B59CCE252FDB500EB8:::
ISmithl:
:1624AAC413795CDC14E835F1CD90F4C76146F585FF8FF6280B59CCE252FDB500EB1:::
:$
User name Usei ID
LM Hash
NTLM Hash
"LM hashes have been disabled in Windows Vista and later Windows operating systems, LM will be blank in
those systems."
Copyright 0 by EC-Quad. All Rights Reserved.
Reproduction is Shicti y Prohibited.
PASSWORD*********************-
HelpAssistant:1000:8991A1DA16C539FE4158440889BE1FFA:2E83DB1AD7FD1DC981
F36412863 604E9:::
SUPPORT_388945a0:1002:NO
PASSWORD*********************:F5C1D381495948F434C42A
EE04DE990C:::
Attackers:1003:37035B1C4AE2B0C5B75E0C8D76954A50:7773C08920232397CAE081
704964B7 86:::
EC-Council
EthkalHaddngandCounterrneasuresCopydght(Oby
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
Martin:1005:624AAC413795CDC1AAD3B435851404EE:C5A237B7E9D8E708D843686
148A25FA 1:::
John :1006 :624AAC413795CDC1FF17365FAF1FFE89 :3 B1B47 E42 E0463276E3 DE
D6CEF349F93:::
Jason:1007:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280859CCE252FDB
500EB8:::
Smith:1008:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280859CCE252FDB
500EB8::: When the user changes his or her password, the creation and storage of
valid LM hashes is disabled in many versions of Windows. This is the default
setting for Windows Vista and Windows 7. The LM hash can be blank in the
versions in which disabled LM hash is the default setting. Selecting the option to
remove LM hashes enables an additional check during password change operations,
but does not clear LM hash values from the SAM immediately. Activating the
option additional check stores a "dummy" value in the SAM database and has
no relationship to the user's password and is same for all user accounts. LM
hashes cannot be calculated for the passwords exceeding 14 characters in length.
Thus, the LM hash value is set to a "dummy" value when a user or administrator
sets a password of more than 14 characters.
Exam
312-50
H
C
1.40111111.
LM hash or LAN Manager hash is the primary hash format that Microsoft
LAN
Manager
and Microsoft Windows use to store user passwords of up to 14 characters
length
are
'IIIIIIIIOIIIIIIIIIII'
123456Q = 6BF11E04AFAB197F
12 Microsoft
WERTY_ = FlE9FFDCC75575E115
The hash is
6BF11E04AFAB197FF1E9FFDCC75575B15
Note: LM hashes have been disabled in Windows Vista and later Windows operating systems
Copyright 0 by EIG-Ca
Prohibited.
i.e.,
123456Q
= 6BF11E04AFAB197F
WERTY = F1E9FFDCC75575B15
6BF11E04AFAB197FF1E9FFDCC75575B15
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
OM!
The first 8 bytes are derived from the first 7 characters of the
password and the second 8 bytes are derived
from characters 8 through 14 of the password
characters,
always
be
Copyright by EC-Ca
Prohibited.
ctl y
Ethical
Hacking
and
Countermeasures System
Hacking
LM "Hash"
Generation
Padded with NULL
to 14 characters
cehpassl
Converted to
the uppercase
Separated
into
two
7character
strings
COMINIM
1'
Constant I
DES
11=1.11111111M1
41IllMIMM
LM Hash
LM "Hash" Generation
The LM hash also called as the LAN manager hash used by many versions
of Windows for storing passwords less than 15 characters.
The following figure explains the process of generating an LM hash for a user
password "cehpass1".
In the LM hash generation process, first the password in lowercase is converted to
uppercase; in this example, this operation results in "CEHPASS1". Then, the
uppercase password, i.e., "CEHPASS1", is divided into two seven character strings;
in the example, the resulting strings are "CEHPASS" and "1******". As the second
string contains only one character, to make the
second string a seven-character string, it is lengthened with (blank) characters,
null
i.e.,
padding. The two seven-character strings are then used as the encryption keys
for the encryption of a constant using the DES (Digital Encryption Standard)
symmetric cipher. At last, to create the LM hash, the resulting DES-encrypted
blocks are concatenated.
cehpassl
Exam
CEHPASS
312-50
1*
Constant
Constant
DES X
DES
Concatenate
Hash
LM
Exam
312-50
EH
Attribute
LM
No
56bit + 56bit
NTLMv1
NTLMv2
YES
YES
MD4
MD5
64bit + 64bit
128bit
128bit
56bit + 56bit +
16bit
16bit
56bit + 56bit +
128bit
C/R Algorithm
DES (ECB
64bit + 64bit +
+
64bit + 64bit
64bit
64bit
HMAC_MD5
128bit
version
2, and advocated its use wherever possible. The following table
features of the three authentication methods.
Attribute
Password
Case
Sensitive
Hash
Key
Hash
Length
Length
Password
Hash
Algorithm
Value
Algorithm
NTLM
lists the
LM
NTLMv1
NTLMv2
No
YES
56bit + 56bit
DES (ECB mode)
MD4
MDS
64bit + 64bit
128bit
128 bit
YES
128
128
by
Exam
NTLM Authentication
Process
312-50
d
User
types Client
password
into
logon
Computer
Marti n
* * * * * * * *
window
1111.111.1111.1111111.1111.11.
Hash
Algorithm
4E835FICOSIOPAC76:6F585FF
SFF6
Windows
runs
passw ord
through
hash
algorithm
280B59CCR252FOBSOCEB8:::
Martin:1008:624AAC41379
5CDC
14E835F1CD90F4C76:6F585
FFOF
DC
compares
computer's
response with the
response
it created with its
own hash
F62801359CCE252FDS500E81
3: :
Computer
Aa r8
ppq
kgj 8 9
match,
the
logon
is
a
succes
s
DC sends logon challenge
Aa r8
ppq
kgj89 pqr
Note, Microsoft has upgraded its default authentication protocol to Kerberos, which
e The client types the user name and password in to the logon window.
e
hash
for
the
password that has been entered in the logon window.
e The client computer sends a login request along with domain name to the
domain
controller.
a "nonce"
and sends it to the client computer.
e The client computer encrypts the nonce with a hash of the user password
and
sends
back to the domain controller.
it
Exam
312-50
t) The domain controller retrieves the hash of the user password from the SAM
and uses it
to encrypt the nonce. The domain controller then compares the encrypted
value with
the value received from the client. If the values match, the client is
authenticated and
the logon is success.
ri
lient Computer
Martin
User types 0
ile * * * * * * * * *
password
window
Hesh
Algorithm
umuswaromeni:Aasysirorit
71011511CCLIWITSUODLIS:::
Windows
runs
Mortar:
1008:
1524Aa04137515CDC
14s035r1c090r4C76,615OSITe
r
[1521101159CM.2521DH0CEBeii,
DC compares
password
through
computer's
response with the
response
it created with its
own hash
hash algorithm
Aa
re
PP9
kg 16
9 pqr
Computer sends
response to challenge
Aa r8
ppq
eg g
9 pqr
Exam
Kerberos Authentication
H
312-50
C
nLe
Authentication Server
Reply
of
(AS)
authentication
server
to the user
request
Application Server
Copyright 0 by EC-Caums11 All Rights Reserved. Reproduction is Stri ctl y
Prohibited.
Kerberos Authentication
Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by using secret-key
cryptography. This provides mutual authentication. Both the server and the user
verify the identity of each other. Messages sent through Kerberos protocol are
protected against replay attacks and eavesdropping.
Kerberos makes use of Key Distribution Center (KDC), a trusted third party. This
consists of two logically distinct parts: an Authentication server (AS) and a Ticket
Granting Server (TGS).
The authorization mechanism of Kerberos provides the user with a Ticket Granting
Ticket (TGT) that serves post-authentication for later access to specific services,
Single Sign On by which the user is not required to re-enter the password again
for accessing any services that he is authorized for. It is important to note that
there will be no direct communication between the application servers and Key
Distribution Center (KDC); the service tickets, even if packeted by TGS, reach the
Reply
>
of
authentication server
to
the
Authentication
Server
(AS)
user
request
Database
Application
Server
FIGURE 5.16: Kerberos Authentication
Ethical
Hacking
Countermeasures
Hacking
and
System
clE H
Salting
Salting
technique
prevents
deriving
passwords from the password file
Stored representation differs
Advantage:
Defeats
pre-computed
hash
attacks
Alice:root:b4ef2113ba4303ce24a83fe0317608de02bf38d1.0Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Cecikroot:209belia483b303c23af34761de02be038fde08
Salting
Salting is a way of making passwords more secure by adding random
strings of characters to passwords before their md5 hash is calculated. This makes
cracking passwords harder. The longer the random string, the harder it becomes to
break or crack the password.
The random string of characters should be a combination of alphanumeric
characters. The security level or the strength of protection of your passwords
against various password attacks depends on the length of the random string of
characters. This defeats pre-computed hash attacks.
In cryptography, a salt consists of random bits that are used as one of the inputs to
a one-way function and the other input is a password. Instead of passwords, the
output of the one-way function can be stored and used to authenticate users. A
salt can also be combined with a password by a key derivation function to
generate a key for use with a cipher or other
cryptographic algorithm.
With this technique different hashes can be generated for the same password. This
makes the attacker's job of cracking the passwords difficult.
In this example, the two users Alice and Cecil have the same passwords but with
different hash values. Since a random hash is generated for each individual user:
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Module 05 Page 579
by EC-Council
Bob:roota9c4fa:3282abd0308323ef0349dc72
32c349ac
Cecil:root:209be1:a483b303c23af34761de02b
e038fde08
Exam
312-50
Ethical
Hacking
and
Countermeasures System
Hacking
CIE H
Adowesta..CWIndomn symetn3Aand.exe
pwdump7 . exe
...MI
*TT
hrt.
O.
,f
.1.111141WO
4.4
--
PWDUMP
extracts
LM
and
NTLM
password
hashes
of local
user
r
M . .
fgdump .exe -h
192.168.0.10
-u
AnAdministrativeUser
-p
14mep4sswOrd
accounts
from the
Security
Account
Manager
(SAM)
database
(192.168.0.10) using a
specified
user
me
* U M. Abaft
Noma rim
ha
IP film
re b.*,
tee
.1s-o.
*CM
P pwdump7 and
fgdump t.?)
pwdump7 is an application that dumps the password hashes
(OWFs)
from NT's SAM database. pwdump extracts LM and NTLM password hashes of
local user accounts from the Security Account Manager (SAM) database. This
application or tool runs by extracting the binary SAM and SYSTEM File from the
filesystem and then the hashes are extracted. One of the powerful features of
pwdump7 is that it is also capable of dumping protected files. Usage of this
program requires administrative privileges on the remote system.
Administrator. CAWindows\system34 cmd.exe
CEH-Too ls
t :A u nt ,
CENuR
otu le
RS
P ua u t e r 7 D P u d o . P 7 - e x e
u 7 .1
-
ys t ee
H at M ing Pas a wo od
El
Pas sw or d
raw
extr ac
A n d r es
Aeon .
1.12
tor
pa s s wo r d
:M b a r :
Tap as . .
htt p
.S14
es
gee, No
i.t
s t :501 :NO
NCO
PASSWORD
670960:: :
AiN9 :Hp pagsposptua
Anip
'uggyboy t 1010 t NO PASSWORD
11140C4t 11A0991.13DF1EDCS9140C2C A
.NO PAS
PASSWOADmm.m.
uawerwe
earemete
-C25510219F66F9F12FC9BE66.
ee0P.10C4c
SA D99711 DA1 TDC511491C254D47
w
AFESE93B6701/90D9CEB3E222P9609015 A
If
' in i:1016
:NO
\CEH-ToolsNCENy8
Paddle
OS
System
CraellneAlsndous Password ackers \ pudems17)
Hacloas
Password
Ethical
Hacking
and
Countermeasures System
Hacking
-7
if
you
Server
8400)
-Summary
a
i
l
e
d
s
e
r
v
e
r
s
:
O
N
E
uccessful servers:
27.0.0.1
Exam
312-50
LOphtCrack
CIEH
LOphtCrack is a password auditing and recovery application packed with features such as
scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and networks
monitoring and decoding
64
it W 6-6. A
1.1
LOphtCrack
Source:
http://www.lOphtcrack.com
LOphtCrack is a tool designed to audit password and recover applications. It is used
to recover lost Microsoft Windows passwords with the help of dictionary, hybrid,
rainbow table, and brute force attacks and it is also used to check the strength of the
password. The security defects that are inherent in windows password
authentication system can be disclosed easily with the help of LOphtCrack.
Windows operating systems, based on the LAN Manager networking
protocols, use an authentication system that consists of an 8-byte challenge
returning a 24-byte response across the network from client to server in a
challenge/response format. The server matches the response against its own
independent calculation of the 24-byte response expected and the match results in
authentication. The algorithm divides the password into seven-character
segments and then hashes individually. This allows the attacker to restrict the
password cracking to seven letters and makes the process easier. The weakness of
the password hash, coupled with the transmission of the hash across the network
(1
A
L w 1_,
Run
Import
Import
Session
Wizard Hashes From Sniff er
Cracked Accounts
Weak
Passwords Schedule Scheduled
Auda
Tasks
Expired Accounts
Begin
, 07 1
shownwa
Options
2.2
4 .
.2Les.
eporl
Bun
Damon
User Name
WIN4XQN3
hash
;149
-blzr.sz titre
Ade...strata
et,
WIN+15581.C..
Adesnetrator
_13d
Od Oh Ors Os
sitit 1011
II
3-0931,1
=
P
=
08 31
1
:59 s ng e-core
operation.
08/31/2012 04:37:01 Imported 2 accounts from the local machine
08/31/2012
04:37:01 Audit started.
08/31/2012
04:37:01 Auditing session completed.
_SOS*
NualltiaLLISZE
LOphtCrack c - [Untitbd1]
View
Menu
st
00
A
Run Import
Import
Begin
Stop Session
wonno mous Diann ',Beer
Pause
1111
-
1 11
ve account, to audi,.
Empty: 556%
1
15
2
0
Empty
5.56%
Hah Risk
Mmilum Risk
Lou Risk
63.33 %
11.11 %
0.00%
Mute Form
10006%
0.00%
Hybrid
Precomputed
0.00 %
0.00%
Mesage:
05 22
1MilliMral
rack.
Options
1
Dictionary
e.
rot
- Help
X
X
Braised AccoLnts
Weft Passwords
Schedule Schedrled
Aucit
T as k,
Aotto.uNt,
:flintier
3 4
5 6
1 8 9 10 11 12 13 14
Pa.-wad L.qm
Paceworal rflarortnr
Not. 173 DO%
17 Alpha
100.133 %
0 Alphawsnerk
0 Alohsnurnerk/Symbol
0.03%
0.03%
0 AlchfrornerK15ifibol.International
05/22/2009
rack .
0.0C %
L14
1
-
Ethical
Hacking
and
Countermeasures System
Hacking
Ophcrack
Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical
User Interface and runs on multiple platforms
apilosis
0 ill
4:1
di
,Ish
2 9 6 1 1 09c116111122
131.3 b 1
01ed
1. 291,011511a211
1. 851 $ 1 4
01.111,
6 /0197 4c 6, 98 3
1. 1 t1 3 16 5 . 0 kre
a mp l y
911002e0 c5.11
LIM
.6
4811,1.1
1111151
empt y
LU
Pod I
DeC
sw
ow.1i
cl . b. e.
10 121 9. 1b aN O T IM 711141.4 *
PAMPA
a I I kW eV ell1111111.1.3,111 1/1
6/141.4
(O WN
Prd
IA Nod
v.
te l l
Na
11111. 71
011c5 gbelx012 1
17b. rs65
enrry
51w
ele
17. 111
o n e ,
1 .. 1"1
11.10ilat
1 6 4 4 1 . 1 0 / 46 11/M IS10
row,
161
Ti f f
D OC11
legINO WN10,,.121:111.02
WAS
MAO
Meb1101e271C CO I O S / 6 1 5 2 1 d e l
U MW)
own
Mond
*1
5 , [ 4 0 6 / 9 00 1 0 111.4115/25 1Mo
49
WW1
med111. 0
046
1 1/111111 113135011404a
Imp,
70116
411.
kaNclOWQ/1162101
4 111 11
4 4 . 1 01.V.11114 e411101*- 1 . 1
GOAT
11161 4
1.111$1
1
N oy
10114
5411111
Wryley
40 1 . 1 4 1 , T W e aa l &? 1 60r c l
4 1111$01, 40
11.1c12011d1111 ,1111
11.1
611111011131161 4 1 J 0 k X0211110/
W.Dy
111. 0
Ilt f
11 0 1 11 1 417.1101.1111016111Y
on
3 6 k T k a l 1111 51 40
1,
1 4 11 2 112 11/ r e121114 1
0 1 2 41111172.1114 111
WM .
OLULIT,
11114111
UAW
,
lb:1 0
1
d,11111.1/11114 01/ 0111t1. 111111
o n a ml i V j p . -
0111
11:11 0 1
Amisal,
O us ee ,
%ma,*
http://opheracksourceforge.net
Copyright 0 by EC-Canall. All Rights Reserved. Reproduction is Strictly
Prohibited.
Ophcrack
Source: http://obhcrack.sourceforge.net
Ophcrack is a Windows password cracking tool that uses rainbow tables for
cracking passwords. It comes with a graphical user interface and runs on different
operating systems such as Windows, Linux/Unix, etc.
Features:
Cracks LM and NTLM hashes.
e
passwords e
Real-time graphs to
091x,
act
adi
W
I
Sues..
...finnan
HI Hail
I
P
A
M
e
s
h
21bIdefted6ecta22.411e41Ib5 I tOest
L
O
N
tit Pel I
LM
Perd 2
NT Orel
ZiCC
. . P. ,
cop
MUWR
empty
del. .
.970197m7eee7183pard31013651.04ee
WI DP
empty
',amid
Seblil410M11410...11,135b51404.
...le6ed17e31601b1a311111<e1171
COWIN
empty
esteem
011cSabtel16929aad3D435b51.04t
Othe9UPICY71Th12.62101'3b803
TESI
emit*,
sett
mee539f6e6.b,tancals1351251.04,
19.0d61a9:c 5<e11tIk560ec5.0076
0000.12
tr.Pt1
docen2
9ee0be19374-11,6111KIS4tee39H62
AWLS
emery
Man
bel53ea38001140-ak,199315,335113.
WINO
empty
wed
19eaeate91elfidifeac13639651101tre
60569109,258e0:2311130581,95226.1
LICI1A1.0
empty
lammed
ALTIAA
...0.1
Ann.
ceet8etnt9791.7asP3635.311e0eet
GO .
empty
goat
.57bc016109.116,4.4133.115b1104.e
01.0.241110167c4A62,Se5810.<3
1U11111Pr
empty
6a199de5623et621eed3b1351351401te
WALT(
empty
1elb7a/vanta1dedasse1ket35k7.0Pec
d6lie3I.46tblek043264.20021507,
91 1169
empty
n 0469
Ta76613e173Aleenlead3ed1111,31104.
9I6161PI19535t2271176416115ISIGIA
71AGAS
empty
trot
13380041563titea65035051 4t t
I1CS2asea01es42.11MOldNecied
ROXY
eMpty
nay
13 ee561192e1 ladY7t4201tklbSet6
Ma1lyallellaWerItel6el6e4411160.1
prleet.06,, 1 r..
9218.11649th17bc2161b2373404c
9311079714174410130511941113759
001140 61,04e
M eda l ,
..ba.
Quaid,
Sums
Om. ts ar
me i
Peel fend
PedeP
Pm eletnelt I,
OP Om Cs
Exam
312-50
Fk
Veen
[veva. look
-eip
R.
NTLM Nash.
go MUM, Part. (0)
16-Cach. Mac. (
0v. lfin (0) L
cern
05.1371X
001
e o
1,01410!
Has,
A001, +105
Mohr,
9 CRAM
1,105 Hal-es
4. ow Nos
B.A.
+ RUN 2
M:15 004510
tom
q; 0
1,..185L+
taint
t.'".
1.
I.P1
0
01,110.70.5
trIki her.nps
chalenr
0
ern IA Soc., Sec.,
mach.
Partevrabd Orbit
-
AM.^
W IN1
Moo
15
.17
P HOIONC
(
Rtwat
Manta
limn< .1
4s 00.170.14 .
1-01
were
Mgr:
[deft
Ewa 1
pre
(0)
Pm
n02
0s )(0)
"Inl e
t. 01
P05140les
(0)
5110-1
Fleshes (0)
910-2
Hashes (0)
It WPM]
160 rba,e,
Kerb
SPraulh O
S
Rados
9wed -Key
6 In PS .
Mies (0)
:0
nhee (0)
eI
WO
OL
Ha
4
146Q1.
Hash. (0j)d
1.1.01(0001.
WitiriAmmw.o.ddir
ti
Li0000:14* 000
Ccerrded 0 by 134111111111.All Rights Resented Reproduction IsSedcdy Prohibited.
Exam
312-50
JQJ
c.1
File View Configure Tools Help
6.i4ii4111*
Decoders 1
1+
El
n3Ea 00%
112 CCDU
I
rader
iaf C
Password
LM 8 PRIM Hash,
NTLMv2
Hashes
gm
(0)
MS-Cadre
Hashes (I
User ricrac
X
X Len
emPtY '
4arrrillt4
yptanalyses Attack
15
NTLM Hashes
ActiveSync
APOP4.D5
Select Al
Hashes
Note
CRAM-MD5
NTLM Hashes +
chalenge
Nitta Session Security
Hashes
Test password
Hashes
OSPF-MD5
Hashes
RLFv2-MD5
Hashes
VRRP-HMAC
Hashe:
VNC.3DES (0)
nd
Add to of
.d
t i SHA-1 Hashes (0)
SHA-2 Hashes
Delete
,M, RIPEMD-160
Remove
Madre Accents
Kasha
Kerb5
Insert
Remove
(0)
Remove Al
PreAuth
Hast
Radius
Export
4l
Shared-
Key
IKE-PSK Hashes
N111
Hashes
I NT Hash
AA0384358514...
13E40C450A599..
AAD313435B514... 71D0F2152916.
LM Hashes + challenge
Rairibowaack-Orite
1
I Cesco IOS-MD 5
Had
1111 Cisco PDC-M05
Hash
Query
_a nasras
Attad
X Test
12i)
Dcbonary Attack
klr.
Wreless
1 LM
A rr.-,f0010.
X 1111
ylGuest
r=g
LM & NTLM
(0)
jr) MSSQL Hashes
(0)
MySQL Hashes
(0J)
11
1
Lost packets: 0%
is
47
Exam
312-50
RainbowCrack
H
RainbowCrackcracks hashes with rainbow tables. It uses timememory tradeoff algorithm
to crack hashes
1P
ti
Memory tradeoff tool suites,
including
rainbow table generation, sort,
conversion, and lookup
r a.
CO
Maa
raa.es :
lie .1.2.,..4,711112161..i.Creellailli,10:
M7
4,11
1 , . .
Me : e a 1 1 3
1,H1515
ANALI
in ;:{3.
.,,.......
(54..
43:,
m, .
.,,r1
aa,,,
sue..
Yd.
WM .
format
trtc-1
t.
Computation on multi-core
processor
support
Computation on GPU and multiGPU
(via NW:AA Ct1DA technology)
support
..1.1111
Fa.
so
MI6
rpm
7!
111,11
7. I*
wol;
L.::
0-11
.1
rWir,1 611011-1,04 ,
al.pc
:r. 0.1.3. UMW WI
1
.14.10.WW
0-40.
It. .2
RainbowCrack
Source: http://proiect-rainbowcrack.com
Exam
312-50
RainbowCrack 1.5
File Ede
Comment
A c25510219f66f9f12fc9be662a67b960
Id Sebe7dfa074dafte8aeflfaa2bbde876
apple
Hash
? Admin
6170706c65
Martin
A 488cdcdd2225312793ed6967b28c1025
green
677265656e
Juggyboy
id 2d20d252a479f485cdf5e171d93985bf
gwerty
717765727479
Jason
test
74657374
Shiela
0cb6948805f797bf2a82807973b89537
Plaintext
nu
Messages
time of alarm check:
2.14 s
time of wait:
0.00
0.17 s
0.59 s
14388000
35916894
number of alarm:
57632
11.11 million/s
16.82 million/s
10
Exam
312-50
H
Password Unlocker Bundle
http://www.posswarclunlocker.com
http://www.lostpassword.com
PasswordsPro
http://www.insidepro.com
4
http://www.ekomsoft.com
LSASecretsView
http://www.nirsoft.net
LCP
http://www.lcpsoft.com
TM
Password Cracker
http://www.ornIpages.corn
WinPassword
http://lastbit.com
a
r
Copyright 0 by
Prohibited.
cracker.com
e WinPassword available at http://lastbit.com
e Passware Kit Enterprise available at
http://www.lostpassword.com
PasswordsPro available at http://www.insidepro.com
LSASecretsView available at http://www.nirsoft.net
LCP available at http://www.lcpsoft.com
Password Cracker available at http://www.amlpages.com
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures System
Hacking
Password Cracking
Tools
H
(
C
o
n
t
'
d
)
Kon-Boot
http://www.thelead82.corn
Windows
Password
Recovery
krbpwguess
http://www.rgure.net
Tool
http Wwww.windowsposswordsrecovery.com
THC Hydra
http://www.thc.org
Hash Suite
http://hashsuite.operogoN.net
it
SAMInside
http://onvivrecoverwindovespossword.com
http://www.insidepro.corn
0.
4.
C0171
Copyright C by
Prohibited.
Hash
Suite
available
at
http://hashsuite.openwall.net
e
SAMInside
available
at
http://www.insidepro.com
e
Windows
Password
Recovery
available
at
http://www.passcape.com
e
password.com
e Krbpwguess available at http://www.cgure.net
e THC Hydra available at http://www.thc.org
Windows Password Breaker Enterprise available at
http://www.recoverwindowspassword.com
Rekeysoft Windows Password Recovery Enterprise available at
http://www.rekevsoft.com
Exam 312-50
System Hacking
LM Hash Backward
Compatibility
support:
Copyright 0 by EG-Ce
Prohibited.
support:
Ethical
Hacking
and
Countermeasures System
Hacking
CEH
How to Disable LM
HASH
Use a Password that is at least 15
Characters
Long
LM hash is not generated when the
password
length
exceeds
15
characters
SYSTEM
Control \ L sa
Add key, type NoLMHash
4 Windows Settings
4 Security
Ethical
Hacking
and
Counterme
asures
System
Hacking
How
Defend
against
Password
Cracking
C EH
to
Do not use
pas
swo
rds
that
Docan
not
share
be
passwo
fou
rdsnd
Enable information
security audit to
monit
or and
track
in
a
dict
ion
ary
chang
e
passw
ord
attack
s
s
a
Avoid storing
with
passwords
Do
not
use
any
syste
m's
defau
lt
passw
ords
Do not use
cleartext
protocols
and protocols
in
an
Cracking
Password cracking, also known as password hacking, is
the term used to define the process of gaining unauthorized use of
the network, system, or resources that are secured with a password.
The basic way of password cracking is guessing the password. Another
way is to try various combinations repeatedly. It is done using a
computer algorithm where the computer tries various combinations
of characters until and unless a successful combination occurs. If the
password is weak, then it can be cracked easily. In order to avoid
the risk of password cracking, there are some best practices that
help you to defend against password cracking. They are:
e Don't share your password with anyone, as this allows another
person to access your
personnel information such as grades and pay statements,
information that is normally restricted to you.
e
i.e.,
one
that
is
similar to the previously used one.
substantially
Exam
312-50
e Set the password change policy as often as possible, i.e., for every 30 days.
Avoid storing passwords in an unsecured location because passwords that
are stored in places such as in a computer files are easily subjected to attacks.
Do not use any system's default passwords.
Ethical
Hacking
and
Countermeasures System
Hacking
Vr
Use a random string (salt) as prefix or suffix with the password before
encrypting
I
Enable SYSKEY with strong password to encrypt and protect the SAM
I database
Never use passwords such as date of birth, spouse, or child's or pet's name
"t4
'+g/
Monitor the server's logs for brute force attacks on the users accounts
to disk. If
the passwords are stored to memory the passwords can be stolen. Once the
password is
known it is very easy for the attacker to escalate their rights in the application.
e Use a random string (salt) as prefix or suffix with the password before
encrypting. This is
used for nullifying pre-computation and memorization. Since salt is usually
different for
all individuals, it is impractical for the attacker to construct the tables with
a single
encrypted version of each candidate password. UNIX systems usually use 12bit salt.
Enable SYSKEY with a strong password to encrypt and protect the SAM
database. Usually, the password information of user accounts is stored in the
SAM database. It is very easy for the password-cracking software to target
the SAM database for accessing the passwords of user accounts. So, to
avoid such instances, SYSKEY comes into the picture. SYSKEY provides
protection to the user account password information, i.e.,
Module 05 Page 597
by EC-Council
Exam 312-50
e Lock out an account subjected to too many incorrect password guesses. This
provides
protection against brute-force attacks and guessing.
Ethical
Hacking
and
Countermeasures System
Hacking
Employee ID
Employee Address
Employee
SSN
Employee
Designation
Department
Manager Name
Manager ID
Terminat
Notice Period
ion
Effective
Date
Benefit
s
Opening unsolicited e
mail
Contin
Sending spam
uation
Severance
Y X
Refusal to :Undo by security policy
Sending unsolicited e mail
Allowing kids to use company computer
tmanating Viruses
Port scanning
is =gr.
Termination Reason
Surfing porn
Installing shareware
Copyright 0 by EC-Ca
Prohibited.
Module 05 Page
by EC-Council
'
Ethical
Hacking
and
Countermeasures System Hacking
Employes Nam.
Employee 10
Employee Address
Employee SSN
Employee
Designation
Department
Manager ID
Manager Name
Notke Period
Terminati
on
Effective
Severance
Date
Benefits
Continuation
Sending span
Emanating
Viruses
P011 scanning
vie
Surfing peril
Installing shareware
Termination Reason
Strictly Prohibited.
Exam
312-50
Cracking
Passwords
lk
Testing
Executing
Applications
Privileges
Escalating
10
Covering
Tracks
Cracking Passwords
Hiding Files
Executing Applications
Covering Tracks
_ Penetration Testing
Ethical Hacking and Countermeasures Copyright
Council
by EC-
Exam
Privilege Escalation
EH
312-50
_I An attacker can gain access to the network using a non-admin user account, and the
next
step
be to gain administrative privileges
would
Attacker performs privilege escalation attack which takes advantage of design flows,
programming errors, bugs, and configuration oversights in the OS and software
application to gain administrative access to the network and its associated
applications
-I These privileges allows attacker to view private information, delete files, or install
malicious
programs
User
Attacker
I can access the
network
usingiohn's
user
account but I need
"Admin"
privileges?
Privilege Escalation
In a privilege escalation attack, the attacker gains access to the networks
and their associated data and applications by taking the advantage of defects in
design, software application, poorly configured operating systems, etc.
Once an attacker has gained access to a remote system with a valid user name and
password, he or she will attempt to increase his or her privileges by escalating the
user account to one with increased privileges, such as that of an administrator. For
example, if the attacker has access to a W2K SP1 server, he or she can run a tool
such as ERunAs2X.exe to escalate his or her privileges to that of SYSTEM by using
"nc.exe -I -p 50000 -d -e cmd.exe." With these privileges the attacker can easily steal
personnel information, delete files, and can even deploy malicious, i.e., unwanted
program such as Trojans, viruses, etc. into the victim's systems.
Privilege escalation is required when you want to gain unauthorized access to
targeted systems. Basically, privilege escalation takes place in two forms. They are
vertical privilege escalation and horizontal privilege escalation.
Horizontal Privilege Escalation: In horizontal privilege escalation, the unauthorized
user tries to access the resources, functions, and other privileges that belong to the
authorized user who has similar access permissions. For instance, online banking
user A can easily access user B's bank account.
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
Attacker
User
I can access the
network using John's
user account but I
need
"AdmIn"
privileges?
Ethical
Hacking
and
Countermeasures
System
Hacking
C EH
Active@ Password
Changer
Active@ Password Changer resets local administrator and user
passwords
110"
Features
e
in
SAN
hve
file
at
C:MIndeva1SYSTEM3ACONF1G
\SAM
size 93.23GA. Fie System: MTN
e
Recovers
passwords from
multiple
partitions and
hard disk drives
path:
dew Cr O.
To7JUserel DOM
User Name
it
I mamma
Microsoft
Security
Databases
(SAM)
000031FS
COOOMB
O
OODIF4
Dercrptbm
AdnitletatOr
MGSCF7-Service
Guest
cow..
e Displays full
account
information for
any local
user
tnIdr
II
nits
ca me
http://www.password-changer.com
Copyright 0 by MCP MCA. All Rights Reserved. Reproduction i s Stridly Prohibited.
Privilege Escalation
Password Changer
Tool:
Active@
Source: http://www.password-changer.com
Active@Password Changer is a password recovery tool that resets or recovers
the local administrator and the user passwords when the administrator has lost or
forgotten his or her password or if the administrator's user account was locked out
or disabled. Its main features includes recovering passwords from multiple
partitions and hard disk drives, displaying and detecting all the Microsoft Security
Databases, resetting administrator's/user's password, displaying complete account
information for any local user, etc.
Ethical
Hacking
Countermeasures
System Hacking
and
Wridows
User Name
A, 000001F
Description
Admrestra tor
000003E9
MGSOFT-Service
00000 1F5
Guest
000003E13
BvSsh VrtualUsers
< 1T:ad(
Next >
Cancel
FTtelp
Strictly Prohibited.
Exam
312-50
http://pagostiek.net
http://www.rirler.corn
PasswordLastic
http://www.reset-windobvs-passsvord.net
http://www.passwordlostic.com
Tool
Recovery
httpWwww.windowsposswordsrecovery.com
http://www.stellarinfo.com
Personal
http://wwww.ekomsoft.com
http://www.windows-posswordrecovery.carn
111
Windows
Administrator
Password Reset
http://www.systoolsgroup.com
Copyright 0 by EC-Ca
Prohibited.
ElcomSoft
System
Recovery
available
http://www.elcomsoft.com
e Trinity Rescue Kit available at http://trinityhome.org
e Windows Password Recovery Bootdisk available at
at
htto://www.rixler.com
e PasswordLastic available at htto://www.oasswordlastic.com
e Stellar Phoenix Password Recovery available at
http://www.stellarinfo.com
Windows Password
http://www.windowspasswordrecoverv.com
Exam 312-50
Recovery
Personal
available
at
Exam
312-50
Implement multi-factor
authentication and
authorization
Perform
debugging
using bour checkers
and stress tests
Test
operating
system
and
and
bugs
application
coding
errors
thoroughly
Implement
a
privilege
separation methodology to
limit
the
scope
of
programming
errorsand
bugs
privilege
countermeasures
Restrict
privileges
escalation
include:
the
interactive
logon
authorization e
accounts
e Use encryption technique to protect sensitive data
e
Implement a privilege separation methodology to limit the scope of
programming
errors
and bugs
tj Reduce the amount of code that runs with particular privilege
Exam
312-50
Exam
312-50
C1E
Cracking
PPaasssswwoorr dd ss
Executing
Applications
4
Cracking Passwords
Escalating Privileges
*OS Executing Applications
Hiding Files
r]
Covering Tracks
Council
by EC-
Exam
312-50
Executing Applications
J Attackers execute malicious applications in this stage. This is called "owning" the system
_I Attacker executes malicious programs remotely in the victim's machine to
gather information
that leads to exploitation or loss of privacy, gain unauthorized access to system
resources,
crack the password, capture the screenshots, install backdoor to maintain easy
access, etc.
oackep
keyfoggers
011M111.
44. (
Backdoors
Spyware
y0
1411
a
0
c
re.
01
Crackers
a
m.
.
,ic.
a
L
j .,
...4
VER
O
kieJf
ioi
a
:Copyright CD by EC-Causal. All lbgbtsllese nied..Reprod ucti on Is Strictly Problbited.
Executing Applications
Attackers execute malicious applications in this stage. This is called
"owning" the system. Executing applications is done after the attacker gains the
administrative privileges. The attacker may try to execute some of his or her own
malicious programs remotely on the victim's machine to gather information that
leads to exploitation or loss of privacy, gain unauthorized access to system
Exam
312-50
Ethical
Hacking
and
Countermeasures System
Hacking
-.1M11.
Executing
Applications:
RemoteExec
J
RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on
Windows systems throughout the network
it allows attacker to moaity tne registry, cnange local aamm passworas, aisame local
accounts, ana copy/ update/delete files and folders
Msi
MIK
.nstallahon
USI ostalation
................
-orm.
3
V wog.
Frets.
..
MIR
a.0 ...1
szamsisimmimmmwm=0
=
OM/
game
Meng
i,r t w I7
=.0
6111111114110
nis=
Ethical
Hacking
and
Countermeasures System Hacking
Renoteteec
MSI installation
.unch
remote Isla
ame
oMe
n
l_g
(1Lpdate
instaltalon
MY file
[AKIH.MSEELC(.K4MCEM-reeMCOlve MedukOSSystentisle
rem
n My Renate
Actors
System
mien
m
Save n MV Tartlet f , .
ateductraune
Me
Operation
.4
ORmaJon
Local
account
narafmn
P.P.P
KAMM
actors
Log level
LIV Remo
13135
nM
ma %WM
AmiffreolM)
y Remote
Actions
AIP,
Sys
My
. account
fl
Tomei
f r galrEmMMOIM
Computers
!, Repenter
Rotate
-odes
SdledUer
mmeer m
Opbans
am. Atmleowsi
i ft
mue
La s . me p o ?
IMF a rot, t
Arm,
CM_
eS
.1.ome
Launch
MSI installation
Wren.
gm..
Meta
0.1
m CS
11/xlmato,
.csen
ZornereBsc
Launch in a re...
770
1.7.71
tf[PUsm
' WOW
1,6"
eM
tkbrm's
Sched.le
Fl
Save nMyRe..........
Save n My Re...
Save n MY
Renate :alas
Nen mg
3o13
r;
He
executon
Usdate
System
action
J'
Re
Operatio
n
a
n
t
4
l
o
r
d
a
m
I
M
M
O
W
eb. actssm
" Mt
IM My Renew labs
My Remote
Its' dv
Ittr t 0.111Pll
R eVC C II
Russets
tot*
f
d
e
d
a
m
O
p
e
Aeheni
..sm.
c
r
s
war
aresea-Gr
table Of .
DULA( ear
Exam
312-50
Executing Applications:
PDQ Deploy
PDQ Deploy is a software deployment tool that allows admins
AIaPDllaral i k
PDQ
De
2
140 617P,
ID Creven
11
0 1.7
11
ki)
De.
Carrog_
EtuOted
11
feue
seconds
&Deploy
., Edn leather Non
[ZNew Selimpula L
Instal
iet Adrninbtratot
1
Skype
Faded
Success-
elver
Computes
Compute.
Swte Step
WIN-LXONIWR)R91.4 Stotcaeelul
i
i
Co
mp
ute
rs
Mu
Is
0 Running
Deployments
Submit Ferdbath
http://www.odminor3enol.com
Copyright 0 by EC-Cannon. All Rights Reserved. Reproduction i s Stri y
Prohibited.
Ethical
Hacking
and
Countermeasures System Hacking
Marie& 3,
ee
NI
loYments
DeP
11 All Schedules
Skype
411 New Target
List
11 to
p sieve
,/ Edrt Installer
mime
gp Installer Library
ar Installers
.otia,
r Installer
3,Deploy Nov
% Deployments T7
Schedules
DstaM1Welelit
ID
Created
Time
e al 7
Cornput_
Faded
1
Elapsed
Success..
0
Error
Computers
Computer
Status
Step
WIN-LXQN3WR3R9M
Successful
Computers
rpeta.
FIGURE 5.29: PDQ Display Screenshot
Installer
1 Skype
User
- 41
New 54Pre.44
Ethical
Hacking
and
Countermeasures System
Hacking
Executing
Applications:
DameWare
Utilities
C H
NT
DameWare NT Utilities (NTU) lets you manage servers, notebooks, and laptops remotely
It allows attacker to remotely manage and administer Windows computers
Orr,V
Urchve
ibur
i
rd
iedir
Ai 0 r=
41
r.er
1111=111147X,,
0
11.14 0!laga .
l ad S . . g r.
J...
" i k . e c to r..
Vp P h
c r. b c , Ar p
1.4
1...
q 14OF 2 L 1
. 1 64 .
.6
-P
la
%,L. Corp.
4b5w..= 1114 Cons.
11.
W ow
:41
g
W P.41P 3ilaHLPE4
-
am LA.Coi/v/Ralvl
el
MN
IV15LCrY.41
WWI.. I Urn It /014
4.1114IS4P
,r
f i e rl u r a.
&Wu .
Le tr r i cc e,
OW. el v. v 4 s , c r
Mama
/..
CAVIIIMSPATJ
Airma.
S
I. .
l awI li
lrafg rfn
uPdx
C I, J
LN/a
Irrirmas
1.440
tourrearm
Lurla
.g
g
VI1v4aro4rImrd1.rocrot
V I v b f k r r v . r ol l e . V.vo M1
(WArdp...41
10110,1,
Slatiw
M
A
N
N
r
E
r
W
0
/1
4
0
V
e
d
W
lt ..
0. 4 K * 4
IL.514111.11
CMINPileo P igeO r i l t vo r P m e
tw a re rFrrn.
Ix
vs.
/ yp r
ine
or
Balm
-
Pomp! UPON:4.0M
9041$01:
3ZkIlielt1
http://wwwdomeware.com
Copyright 0 by EC-Csuecil. All Rights Reserved. Reproduction isStridly
Prohibited.
remote control. It can reboot the servers and notebooks remotely, take screenshots
of remote desktops, take full control of the end-user's desktop quickly, copy as well
as delete files on the remote computers, manage Windows Active Directory, etc.
Ethical
Hacking
and
Countermeasures System
Hacking
4lik
Ail
4x
BrOveSer
Actise Directory
t ?ri:k fl e d
94A
TOIalSeMCAI
* Na AD Membership
-
aioal itlj 0
SteAus 1Coactele.
qp
WORACROUP
qa
No
PDC
- Q Severs (4)
Statm
&Mug and Play
0/31.1339MRSHL9E4
XON3WR3INM
la AA N-MSSFLOCAKA1
(Windows R Sam
Startup
Account
tinny
Manual
LocalSystem
CAWnelows\ systernnsechost
IAI
Monad
LocelSrecen
CAVAndovrAsystcrraZarchost
Actor/141k
LocalSyseern
CAPAndoreAsystern32'sedrast
Autornaur
LoralSystem
CAWndows\ Sy4em32`spealer
Aunnin
ciPPort.hle Device Enuormator Sevin e
%coped
Pe
nning
WNLLY11581041
4
Workstations
13)
ADMIN
SPreblem
. gip
Restart
Remote
Rarrrote 1
4
'Remote!
WNDOWS8
Rennet
a
di
Snip Serocte--
'Remote
s
*Remota I
ADMINPC
II I I I 1 2
*Printer
Sewer
natal
1
0 Snake..
Manua/
LoralSystem
CAVAndowssysternlAsvchort
Manual
localSystern
[W reckers\ Systerr2Zevelmer_
Manual
localSystern
CAWIndows\Systern32`..svehost--
Manual
10CalS/Stert
CMYnclows\Srgern32..swhost
Manual
localSystern
CAWndowsSrxern32`axhost
Manual
Manual
locaSystem
Automatic
NT AUTHOR.. C:\Wndowsbysterr32ssavvccehtaosstt
CAWndows\ Systern32`vochost
VCempctere
Fasorite
Domains
Batch
F.oreeklachne
4A
411.414111
+ins lypa
Scree..
Lernavc &nuke.Shaw Sarvica Naos
19 Warm
0
Dopenchnel,..
P
i
Soule.
r.
Deaner .4.1, Information
II it
30 RI kb rA
. am pi
3.4:4110/01
9/4/2012
1:2531PM
Ethical
Hacking
Countermeasures
Hacking
and
System
Keylogger
C EH
Keyloggers
Copyright 0 by EC-Ca
connection, is also vulnerable to keylogging because the keylogger tracks the keys
struck before they are encrypted for transmission.
The keylogger program is installed onto the user's system invisibly through email
attachments or through "drive-by" downloads when users visits certain websites.
Keystroke loggers are
Exam
312-50
stealth software that sits between keyboard hardware and the operating system,
so that they can record every keystroke.
A keylogger can:
e Record each keystroke, i.e., typed by the user, on his or her computer
keyboard.
e Capture screenshots at regular intervals of time showing user activity such
as
when
he
or she types a character or clicks a mouse button.
e Track the activities of users by logging Window titles, names of launched
applications,
and other information.
e Monitor online activity of users by recording addresses of the websites that
they
have
visited and with the keywords entered by them, etc.
(7) Record all the login names, bank and credit card numbers, and passwords
including
hidden passwords or data that are in asterisks or blank spaces.
e Record online chat conversations.
e
Make unauthorized copies of both outgoing email messages and
incoming
email
messages.
Exam
312-50
CIE H
r
Keystroke
Loggers
L Application Keylogger
il!POPPI=111
11111111.111=
L
L
Kernel
Keylogger
Rootkit
Keylogger
Keylogsta
eYlotter
4
I
ftyperyisor-
_A
based
Key logger
Form Grabbing
Based
Keylogger
Copyright 0 by EC-Ca and. All Rights Reserved. Reproduction s Stri
Prohibited.
Hardware Loggers
Exam 312-50
or
desktop
security
Ethical Hacking and Countermeasures
Certified Ethical Hacker
System Hacking
Exam 312-50
Kernel
Keylogge
r
Rootkit
Keylogger
Device Driver Keylogger
Hypervisor-based Keylogger
Form-Grabbing-Based Keylogger
Application Keylogger
An application keylogger allows you to observe everything the user types in his or
her emails, chats, and other applications, including passwords. With this you even
can trace the records of Internet activity. It is a completely invisible keylogger to track
and record everything happening within the entire network.
Kernel Keylogger
This method is used rarely because it is difficult to write as it requires a high level of
proficiency from the developer of the keylogger. It is also difficult to conflict. These
keyloggers exist at the kernel level. Consequently, they are difficult to detect,
especially for user-mode applications. This kind of keylogger acts as a keyboard
device driver and thus gains access to all the information typed on the keyboard.
Rootkit Keylogger
The rootkit-based keylogger is a forged Windows device driver that records all
keystrokes. This keylogger hides from the system and is undetectable even with
Exam
312-50
Exam
Methodology of Attacker in
Using Remote Keylogger
312-50
CEH
Keyboard
Save It to a
log file
Send It
0111
<
Injection
to a remote
location
Hacker
Application
Keefoggatt
Injection
Vetoer Injection
kr end Inflection
el=
Application *
Driver
Icesi
Sohntanterl
Um
types
Windows Kernel
Con
keybo
ard
PASSWORD
Sends
-327670
EM
Keyboard
malicious fi le
User
Ethical
Hacking
Countermeasures
Hacking
and
System
Keyboard
Injection
e
Send It
Save it to a
log file
Application
ton remote
location
........ ..
Hacker
Driver Injection
Driver
Kernel Infection
ee
-32761)
User types
on a keyboard
-
PASSWORD
Sends
malicious file
Use
r
Windows Kernel
1 M N I F t r S ; ;
; ; ; ; ;
V A I.I V .1.11.11.te. V 1 j
E1::::
MII 11111 . . . I M E
MMEM.. Ilrl I
11
HAL
Keyboard
Exam
312-50
Acoustic/CAM Keylogger
H
Acoustic Keylogger
CAM Keylogger
3 _
Capturin
g
Receiver
Camera
Typed
Alphabet
Transmit to
t
he
Takes
Screens hot
Electromagn ((
-etic Waves
flip
ko
Hacker
Hacker
1 1 W
User
-1IF
Acoustic keyloggers work on the principle of converting
electromagnetic sound waves into data. The concept is that each key on the
keyboard makes a slightly different sound when it is pressed. There are listening
devices that are capable of detecting the subtle variations between the sounds
of each keystroke and use this information to record what is being typed by the
user.
The acoustic keylogger requires a "learning period" of 1,000 or more keystrokes to
convert the recorded sounds into the data. This is done by applying a frequency
algorithm to the recorded sounds. To determine which sound corresponds to
which key, the acoustic keylogger uses statistical data based on the frequency
with which each key is used because some letters will be used much more than
others.
by EC-Council
Exam
312-50
Acoustic Keylogger
>t*
Capturing
Receiver
Alphabet
Electromagn
-etic Waves
MI
N.
NI IP NJ na-
- - r u m- a m m o .
MI
1111111011M
W ON Ne MO M,
1111,
EN
EP
111
1N.
User
User Press "A"
FIGURE 5.32: Acoustic Keyloggers
A CAM keylogger makes use of the webcam to record the keystrokes. The cam
installed takes screenshots of the keystrokes and the monitor and sends the
recorded screenshots to the attacker account at periodical intervals. The attacker
can retrieve the keystroke information by probing the screen shots sent by the CAM
keylogger.
CAM Keylogger
Ca
m
er
a
oto
Tra
nsm
it to
the
Hac
ker
Takes
Screenshot
User
Exam
312-50
Keyloggers
CEH
CM)
P5/2 Keylogger
'mks\
USB Keylogger
Wi-Fi Keylogger
Bluetooth Keylogger
Hardware Keylogger
Keylogger embedded
inside the keyboard
Keyloggers
Beside the information discussed previously, acoustic/CAM keyloggers,
there are other external keyloggers that you can use to monitor the keystrokes of
someone's system. These external keyloggers can be attached between a usual PC
keyboard and a computer to record each keystroke.
You can use following external hardware keyloggers to monitor user activity:
Ethical
Hacking
and
Countermeasures
System
Hacking
1"151.1111114441114111 1 11
PS/2
Keylogger
Keylogger
embedded
inside
the
keyboard
USB Keylogger
Wi-Fi Keylogger
Bluetooth Keylogger
Hardware Keylogger
Exam 312-50
System Hacking
CIEH
J See all keystrokes user type
J Reveals all website visits
eral
Records
online
User ACil
ows Loosed
Prcg
rarli
IRI
Ascalo
n
-'e"""
ko,ISHRO
,-s
chat
Celrowpr
Usagn
5 lemiwni vaned
Internet Activities
Internet
E Stals SentiReceived
Activities
Rawls Levied
,g)
Ls connections Lumped
AL, Ella:
TiLinhcl ipts
lb a
renv,,...
SMSOLOOltIn.
no.PA
1111
=1011101101
C Program Options
Log Actions
Reports
Help
http://www.spytechweb.com
performed
It monitors what programs and apps
re in use
e It can tracks all file usage and printing information
e
It
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
You can download this software keylogger from its home site and install it on the
computer you want to monitor, and then just click Start Monitoring. That's it! It will
record a number of things for you about user activity on the computer.
General
Startup Settings and Ceeki
LSIi
Viewed
elycstroikentssTyped
Windows
15 Windows
Logged
Programs Usag
Screenshots
eenSpy
Cil
15 Screenshots
Advanced Options
Computer Usage
Content Filtering
5 Sessions Logged
ScreenSpyy
Record Deakiop Activity
Internet Activities
Internet Activities
Is Connechans Logged
SmartLogging
E Mails Sent/Received
0 E-Mails Logged
Websites Visited
o Websites Logged
fai
Chat Transcripts
WO O Conversabons Legged
Program
Options
Behavior Alerts
Scheduling
Log Actions
Reports
Help
EC-Council
Exam
312-50
IEH
T.ftlioiyiu.imt
arall
de
0,1.'"..
.' 1.
n
mow. v.. *Wm..,. n
...on .M1* .......
1114
4MISEIM
no
MEOW
P1.105,101.1
.1.1=11
INIMIMM11.
111
= !MYRA :V: Wm./a
n. -
fm
=77.4:;174=
y+w
.6.101011111
wrW AS
.
a
r
e
...x...0.0c0.~.7, 4.4t
1.1144116
11Slw
al 14 Le.A.LL
Li 44:ILA
Copyright
Prohibited.
A ll I n
One
ht t r
Key logger
is
: / /
w w w .r e l v t e c.c o m
i n v isi b l e
keylogge
of t
wa r
t h a t
a l l
ow s
you
to
record
surveilla
nce
s
k eys t r
okes
a nd
ea c
monitors
is
i
c om pl
e te
n
vi t i
l y
es
fr om
C a
pt u r
ac c
ou
a t i c a l l
vi s i
gs
a l l
e
e
of
co
he
user
on
he
m puter .
It
all
ow s
you
secretly
t o
activity
track
all
email/FTP/LA
N
ac t i
m
bl
e
u
keys t r
r )
nt .
You
okes
ll
co
put
T he
e
r
users
a u t
o
keyl
c a
ogge
do
( k
fo l l
eys t r
nd
a utom
ow i
okes
m a t i c a l l
l o gge
ng
i n
a c t i
s i
ng
recei
va t
is
es
ve
its
s of t
wa r
lf
l ogs
t o
wh
en
Wi n
es i r
dow s
ed
st
ar t s
nd
e
R ecord
i ns t a
nt
m es s a
ges
e
M on
i t
or
a p
l i c a t i
u s a
ge
e
Ca
pt u r
des k t
Ca
pt u r
s c r
Qu
ick
S en
repo
a c t i
vi t
e
ee
ns
hot s
e
ea r c
r t s
over
vi
m a i l ,
l og
F T P,
netw or k
e
R e co rd
mi c r
oph
one
sou
ds
Ethical
Hacking
and
Countermeasures
System
Hacking
Generate HTML
reports
e
anti
Disable
keyloggers
e Disable unwanted
software e Filter
monitored user accounts e
Captured screenshots
tflitatp$0.444144i4 V11111
URLs
e Stop logging when the computer is idle
tog
E.
Mr
7 7
77
i t
.1
77
ls e
PI
16
17
MU
141.01.
15101$7.12 61131.7
2 .1 X
4
PO..
MA
Va. CY. .
7
No,
*
Lai
A155.6.5
5.
.......p.1217.1.01[41;
1.
*Wm
4 4./
4
IMMO 717706
411.
E.. 9
Pan 7. Rm.
5.611.1
1.
dos. e.
16r
10.1.1.66 10571
***It 4 7P . / . 1 7 . 0 11 . - h r
111.11.170 101.5 1666601.7.1. 7
31
II
.1
1124114i P.
C195,2012 711.
ta
7
Om. 0.66
5.
11
44
1 C l
601
W
01:1612
-P7 1716.5. 1166.6 68r
6009111.4 11 .111 6 6 . 0 . 6
11.6.11.64611.611151.216.61.171..
1.162.1
11.1112 12
6 5 . 1 2 26
Co C !mma
Mil21,2 '13211 VG* I al GO.. C.ren.
S.
16
Yawn.
Pact
II616
Rams
'res .*/
I rem.
. 4*
=ORM
W,17
LK
I Ad. Wnclew
6014511,21,x.} Nun
4a6.5,2
6 rmu VIJana
Ak45.< co
. ea 40
7
6
.
1
1
1
6
6
f.c10"001,901r.
Log viewer
17
25
4.1. 400 i
une o e ro gg o r
As*
4444
N o r a , v a s * -4 . m ft .. . a......................no 1456.04111
6.77672 16 36 26 .17.7.......................65566.611 m15.. 118.
4176_
PIM
pc.) tc.)
157111anc. pas.. KP7Strek. R..164 rdel. spy 141 Ni 16 j Sri saftwan tool 11.
1
1
PC ...MOW 394 The .4.1. 1.-) Pi Pi Pi (7
147169366 calt.oe Plloas you 10 9.544 lia GP (6.) 16.)
16.) (6.) .all
Corp4613 26r j6.)
(0.) )4.)
(0.) usees
auleruically
logs so a
e.
liflIslbC
i...11111a
L
e
g
a
r
t
.
.
111111104.
II
1 rwIN,,10.
w
S4
141 LI
ou
1 1 - 1 4 1.'_
"
2 14....................I
_1
Exam
312-50
Ultimate Keylogger
Fl!
http://www.ultimotekeylogger. corn
imr-
Advanced Keylogger
1 1 11
http://nunv.mykeylogger.com
Powered Keylogger
http://nnonrmykeylogger.com
StaffCop Standard
hnOWnmn,stofftop.cam
iMonitorPC
http://www.thebestkeylogger.com
http://www.imonitorpc.corn
4111,
114
SoftActivity Keylogger
http://narrw.softoctivity.com
http://wwwpcocme.corn
Elite Keylogger
KeyProwler
http://wwwwidesiep.corn
http://keyprowler.com
http://www.mvkevlogger.com
e The Best Keylogger available at
http://www.thebestkeylogger.com
e SoftActivity Keylogger available at
http://www.softactivitv.com
(:)
Exam
312-50
Exam
312-50
U lti m a t e
K e y l o g g e r
FV V VC I C U
I NC y lV 5 6 C 1
http://www.ultimatekeyloggercom
http://www.mykeyloggercom
Advanced Keylogger
StaffCop Standard
http://www.mykeylogger.com
III
4
httpl/www.staficop.com
iMonitorPC
httpl/www.thebestkeyloggercom
http://www.imonitorpc.cam
SoftActivity Keylogger
el
http://www.softactivity.com
http://www.pcocme.com
Elite Keylogger
KeyProwler
http://www.widestep.corn
httpl/keyprowler.com
Copyright 0 by EC-CIIIICil.
Strictly Prohibited.
You can also use following keyloggers that runs on the Windows
operating
system:
kevlogger.com
e Revealer Keylogger available at
http://www.logixoft.com
e Spy Keylogger available at http://www.spy-keylogger.com
e Actual
Spy
available at http://www.actualspv.com
Ethical
Hacking
and
Countermeasures System
Hacking
11
_ -,11101111111111m'-
..-
ot
1.
os
km.
m.
S
efto.
O w.
.0*
Ya
. YM
Y,
,. . ,
1
..
.. F a
.le
PM
...a
.1
"
"
MY
...
mei l
"
N
.
1111111.111.111111111111.11.1111"1"
...................................................................
1.1.1.11111111MME0
'
'
Immalimmum
"2171dckeYloggrer.cory,
Copyright 0 by E0010100. All Rights Reserved. Reproduction is Stnctiv
Prong:med..
Ethical
Hacking
and
Countermeasures System
Hacking
IlLACM1=0
4. A
41111 1 1 1 111111..
L0
.1:r
le .
71 47.1.
MINN
Exam
312-50
lotp://kidloggernet
http://www.keylogger.in
logkext
http://www.oword-soft.com
https://code.google.com
I1=11.!
Mac Keylogger
Keyboard Spy
http://www.m.vorchsoft.com
http://olphoornego.softwore. free*
FreeMacKeylogger
http://www.refog. tom
http://www.Mvsuite.com
pyrigh
by
Is Stri y
Pro ib
Ethical
Hacking
and
Countermeasures System
Hacking
Keyboard
Spy
available
at
httolialphaomega.software.free.fr
Ethical
Hacking
and
Countermeasures System
Hacking
Hardware
Keyloggers
12_10111. 1Ir 71
KeyGrabb
yi0gger
4111r
, Interfa
ce tos
er
Security
Hardware Ke
M..11.
1.11...1111.1
WA. .
hy 0.01.1C
14.10.1.,
It
&w o w
omw
4 oe Om
M . .
VI t
1141111
.!
WI 04
11 11.114101It
traMm.
0
0
0
Sor ia
MIIME
wmp dm
.... .1
111.
ni
111
NIIIMMINEIN
/
" 4
..
. R r a r r ertd IA
Wm 541.991
4 " a . 1 "
t11
lies
=.t
"
_ ____
IteYGraobber
KeYGhost
n'wwwkeyglibitco,
Copyright 0 by MIME MI Rights Reserved ReensclisSion is Stfictiv
Proihibtted.
Hardware Keyloggers
A hardware keylogger is a device that is connected in between a
keyboard and the computer. It is used to record the keystrokes on the target
user computer. Hardware keyloggers log all keyboard activity to their internal
memory. The advantage of a hardware keylogger over software keyloggers is they
it can log the keystrokes as soon as the computer starts. You can use following
hardware keystroke loggers to achieve your goals.
KeyGhost
Source: http://www.keyghost.com
KeyGhost is a tiny plug-in device that records every keystroke typed on any
computer. You can also monitor and record email communication, chatroom
activity, instant messages, website addresses, search engine searches, and more
with this plug-in keylogger. You do not have to install any software to record or
retrieve keystrokes.
Features:
It is easy to use
Installs in seconds; just plug it in
Can be unplugged and information retrieved on another PC
Module 05 Page 642
by EC-Council
I I
Interface
Security APP
wrenc ley0csicorn
Keyenose
HanSWIM
P i vny
A g a, devi ce MN
de
nicardIfint
M ylbe w
y
koysirtike
airy PC
a
l
ebn p a r e
1
h
al
q,
MM
.
11 =
oas
m
0
Ud t
kir be
1 0 b e k n e ub es .
lea-maKolibassoali
1
,4
01.......................
AO
KA /011,01P,0
ma ma. .
web
e.
*sr
t w..u"...mukiedum
%s
m
. su9
Mud
r
1199
ewe
461110
411111NN
11)r1.r.re
Keylmer
tin
Keytihost CS9
Genii
11111. N
KeyGrabber
Source: http://www.kevdemon.com
KeyGrabber is a hardware device that allows you to log keystrokes from a PS/2
or USB keyboard. A hardware video-logger is a tiny frame-grabber for capturing
screenshots from a VGA, DVI, or HDMI video source.
Hardware Keylogger
WWI is
it
AbAedou re
.1A rienic a
y l o g g r f ,
mi n a i n
,
a vv
he .
Itayl
yry r ,
laiiftwst
vides
Ia
KeyCiabbe
-
111=
111,
"
IRM
im11
11
Sm. /
0-
NO
W
.. . old.
si Ll a i vb o an i .
.0
4,41.4
1 4 4 . 9 9
Ethical
Hacking
and
Countermeasures System Hacking
Spyware
C EH
usually
bundled as a hidden component of
freeware
programs that can be available
on the Internet for download
SpYwone
Drive-by download
Masqueradi
ng
as
antispyware
Web browser
vulnerability exploits
elopsomuo,
Piggybacked
software
installation
Browser add-ons
Cookies
Co pyri ght 0 by EC-Cs Noci. All Rights Reserved. Reproduction is Strictly Prohibited.
Spyware
Spyware is stealthy computer monitoring software that allows you to
secretly record all activities of a computer user. It automatically delivers logs to you
via email or FTP, including all areas of the system such as email sent, websites
visited, every keystroke (including login/password of ICQ, MSN, AOL, AIM, and
Yahoo Messenger or Webmail), file operations, and online chat conversations. It also
takes screenshots at set intervals, just like a surveillance camera directly pointed
at the computer monitor. Spyware is usually bundled as a hidden component of
freeware or shareware programs that can be downloaded from the Internet.
Spyware Propagation
Installing the spyware on the user's computer doesn't require any consent from the
user. You can install the spyware on the user's computer without their knowledge by
"piggybacking" the spyware on other software programs.
This is possible
because spyware uses advertising cookies, which is one of the spyware subclasses.
You can also be affected by spyware when you visit a website that distributes spyware.
This is sometimes called "drive-by downloading" since it installs itself when you
Exam
312-50
:11
Attacker
User
sites
Connect
to
remote
pornography sites
Reduce system performance and causes software
instability Steal your passwords
Send you targeted email
Module 05 Page 645
EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
e Change the home page and prevent the user from restoring:
e
Exam
312-50
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
) Types of Spyware
A
'
and
Internet Spyware e
Child
Monitoring
Spyware e
Video
Spyware
e Print Spyware
e
Screen
Capturing
Spyware e
USB
Spyware
Au
dio
Sp
yw
are
GP
S
Spy
war
e
e Cell Phone and Telephone Spyware
Exam
312-50
Desktop Spyware
CEH
Desktop spyware provides information
regarding what network users did on their
desktops, how, and when
Live
recording
of remote
desktops
Record
software
Record and'
monitor Internet
usage
and timings
ctivities
ILL
Copyrig
ht 0 by
Record activity
log and store at
one
centraliz
ed
location
Mg Nod.
Logs users'
keystrokes
Desktop Spyware
Desktop spyware is software that allows an attacker to gain information
about a user's activities or gather personal information about the user and send it
via the Internet to third parties without the user's knowledge or consent. It provides
information regarding what network users did on their desktops, how, and when.
Desktop spyware allows attackers to perform the
following:
e Live recording of remote desktops
e
Internet activities e
Record
activity
log
and
store
at
one
Exam
312-50
bew.lblwlm
Features
3e
to.
1..m. T.,
%a% a,
it IA'
411
IIMM .
1 4
awe
.4
.4 1
*.
-
9
View
communication
history
Take snapshots
of the remote
computer
M.
http://wwwsoftoct&ftycom
Copyright 0 by MUMMA. All Rights Reserved. Reproduction isStrictly Prohbited.
Easy
Internet
usage monitoring
Monitor software usage
Exam 312-50
1 .,
I9
flArr
_J
_J
.14 Lk'
I 4.3.3,1303 ALE
`t)
I:.3.
3,
Aro
ru
L4
florrr
cm,4111.1 00.
,aor
1.1.4poPI.LL
0, 0nrI r m
990
,9
1
00
s VOW
91.101.11-
ur
n..
Il l
0041114.
-.0 4x.ws
',6trID005019.70.a.r
ammeIp,l
54E
GanKCAAS 76,1. r0
0044.
517
170
i'ATITTI34,333.337tarll
Clgoo
rC
411
Cstoz
oL
.rY
3.r.
wlsx.
1,1741
LS.
101
Int o be nt .
mc vibe ay..
beds.
-ekr .1,0. kr
1110
19101.1
4.4eraPapedb.
..15,11,5AT.A.C4WYleve
6R
NT
.619.1333 3e
YOL LITA601115
. 04LOWSLOWILAYLM9at
lm
DE.
1140,
11 60
NI
.1.9s
LFC
ne.SononeLo.
GiirATInd-aono
1>Y0 0.0.1totleoo2
Serer
MICPWC511331.3
0.0106kre R90 96nr,
r0969 3,.../9.91,Cw em
06
IO
C
50.10. 0 0 1C 0t
belmencese.ran two
1......C9690
Wo e
Ernrra
?wow R r 0 r u n p r a m i s o r a
c rI r 0: Mf 5 s a . 3 : vA w
Cr.
Eol
94.1 wet
:minx 11.6a14neriror
ilorergar
C
15X.
+.LarecnM. g
Aral 140,160.
10711.3171
9119.60 U00
k
M
N,
C
9,
r
3
a
C
C
.
3
4
3
n
r
e
p
,
7
410119ekb
rv1e#b RI err.r.
e1.1.1. I *AM*
Tna,
L"..11101.111
wersnr
Lot
prom
to m
0$
040Rker
14 0
00 Lentrro
WannerOnua
fr
CEH
Desktop
Spyware
Net Spy Pro
http://www.net-monitoring-softwore.cOM
SSPro
http://www.gpsoftdev.com
OsMonitor
RecoveryFix Employee
4
Activity Monitor
http://www.os-monitorcom
http://www.recoveryfix.com
Employee
LANVisor
Desktop
http://www.lonvisorcom
11.1111IF
Live Viewer
http://www.nucleustechnologie
s.com
NetVizor
http://www.netvizornet
Copyright 0 by EC-Cs
Shicty Prohibited.
Desktop Spyware
There is various desktop spyware available in the market that
an attacker can use to monitor remote user desktops. This spyware can be
used to monitor and record every detail of user PC and Internet activity.
An attacker can log keystrokes, websites visited by the user, programs
running on the
user computer, chat conversations, email
communication, downloaded files, opened/closed windows, etc. You can
also take snapshots of the remote user desktop and much more. Some of
desktop spyware software that attackers may use for monitoring user
desktops remotely are listed as follows:
e
Remote
Desktop
Spy
available
http://www.global-spy-software.com
e SSPro available at http://www.gpsoftdev.com
at
http://www.recovervfix.com
Employee
Desktop
Live
Viewer
available
at
http://www.nucleustechnologies.com
e NetVizor available at http://www.netvizor.net
tj Net Spy Pro available at http://www.netmonitoring-software.com
tj REFOG Employee Monitor available at
http://www.refog.com
OsMonitor available at http://www.osmonitor.com
LANVisor available at
http://www.lanvisor.com
e Work Examiner Standard available at http://www.workexaminer.com
Module 05 Page 651
by EC-Council
Exam
312-50
CEH
Email Spyware
Email spyware monitors, records, and forwards
incoming and outgoing emails, including web-mail
services like Gmail and Hotmail
J It secretly records and sends copies of all incoming and outgoing
emails to the attacker through specified email address
-I It records instant messages conducted in: AIM, MSN, Yahoo, Twitter,
Google+, Orkut, MySpace, Facebook, Gmail, etc.
1111111
Gc4
OW=
I I f II I
Internet Spyware
Internet spyware allows attacker to monitor all the web pages accessed by
the users
J It provides a summary report of overall web usage
J It records the date/time of visits and the active time spent on
each website J It blocks access to a particular web page or an
complete website
J
rhT
Internet Spyware
Internet spyware is a utility that allows you to monitor all the web pages
accessed by the users on your computer in your absence. It makes a chronological
record of all visited URLs. This automatically loads at system startup. It runs in
stealth mode, which means it runs in the background and the users on your
computer can never detect this tool is installed on the computer. All the visited
URLs are written into a log file and sent to a specified email address. Using Internet
spyware, one can perform web activity surveillance on any computer. It
Exam 312-50
provides a summary report of overall web usage such as websites visited, and the
time spent on each website, as well as all applications opened along with the
date/time of visits. It also allows you to block access to a specific web page or an
entire website by mentioning the URLs or the keywords that you want to block on
your computer.
Ethical
Hacking
and
Countermeasures System
Hacking
Email
and
Internet
Spyware: Power Spy
Gr.
Power Spy
y11.1
Unregistered
J Power Spy secretly monitors
and records all activities on
Control
Power
Spy
Panel
your computer
J
It records all
use,
keystrokes,
emails, web
sites visited, chats,
and
IMs
in
Windows
Live
Messenger,
Skype,
Yahoo
Messenger,
Tencent QQ, Google
Talk, AOL Instant
Messenger (AIM),
and others
Nosstokss
S000nstsgs
*10.11s1VIstbd
A
USSaies naps
Ergs
1
0
Yahoo Ilesson(OK
Cl000md
E molt
Selmosaslm
0 Aiwa& Carew.
APoloalcos
http://ematrixsoft.com
E
r4..401;:)444.4544 lac
Ethical
Hacking
and
Countermeasures
System
Hacking
Power Spy
Buy Now
Control Panel
tan Monitoring
00 Stealth Mode
0
Screensnots
Faceboos
Mbytes Visited
Ke,s1rokes
itt
e
s
f
t
:h
Ensues
USN Messenger
Messenger
Yahoo
onfiguration
ser Manual
echnical
Support
Administrator
ppiicabons
Documents
Clipboard
ele_ I.e-
ninstall Me
ee
=I
Exam
312-50
CEH
eBLASTER
Spylab WebSpy
http://www.spectorsoftcom
http://www.spylab.org
ti
!monitor
Employee
Activity Monitor
Personal Inspector
http://www.spyarsenaLcom
http://www.employee-monitoringsoftware.ct
CyberSpy
Employee Monitoring
http://www.cyberspysoftware.com
http://www.employeentonitoring.net
AceSpy
OsMonitor
http://www.ocespy.corn
http://www.os-monitor.com
EmailObserver
Ascendant NFM
http://www.softsecurity.com
http://www.ascendant-security.com
http://www.emploveemonitoring.net
e OsMonitor available at http://www.os-monitor.com
e Ascendant NFM available at http://www.ascendant-
securitv.com
e Spylab WebSpy available at http://www.savlab.org
e Personal Inspector available at http://www.spvarsenal.com
(7)
(7)
Exam
312-50
CEH
Child monitoring spyware allows you to track and monitor what
your kids are doing on the computer online and offline
websites
much time they are spending on the Internet or computer, what they are doing on
the computer, and so on.
Ethical
Hacking
and
Countermeasures System
Hacking
Child
Monitoring
Spyware:
Net Nanny Home Suite
` '
*r .
iffa COM&
e rr
11015100
. l ,......... ION1.4.M.
...m.o.
ma . . . 4 r.
rr
MEM IP,
P oar a
el
Ma ni
01
Como
ma lao
Inaam
110.0
0111a
.10
00.0.
WA._
MM. 0 ow...
Ian
Mr a al
Fr-J
1.
_ Ilia
MI
anew
1414
0
Setting Window
Filter Window
http:/lwww.netnanny.c
om
Copyright 0 by EC-CO ENCi. All Rights Reserved. Reproduction is StriCdy
Prohbited.
alerts for IM predators and cyber bullies. It provides passwordprotected access for
parents and customizable restrictions for each family member. You can see reports of
your children's Internet activity and logs of instant messages.
Ethical
Hacking
and
Countermeasures System Hacking
Setting Window
"................."
Filter Window
7.-
Exam
H
Aobo Filter for PC
K9 Web Protection
CyberSieve
Software
http://www.softforyou. tom
L]
Child Control
http://www.soleld. corn
http://www. profiltechnology.com
SentryPC
PC Pandora
MN) //www.sentrypt.
iProtectYou Pro
ulrp://i#
softforyotr. fan
;
T
11.1111P
KidsWatch
http://www. kids watch. corn
lf71
E 1!!!!!!!
1
(7)
Ethical
Hacking
and
Countermeasures
System
Hacking
CEH
Screen Capturing
Spyware
Record ng
Screen capturing spyware takes screenshots
or record screens video in stealth
mode (Invisible/hidden to users) of
local or remote computers at a
predefined interval of time with
encryption capability
It
a
llows
monitoringscreensin
realtime of all the user activities
on
the
network
Capturing
Sen
These spywares may also capture
keystrokes, mouse activity, visited
website URLs, and printer activity in
real time
Screen
capturing
spyware
generallysaves screenshots to a
local disk or sends them to an
attacker via FTP or email
Copyright by EC-Ca
every application opened on the computer so users can know about each and every
action of the computer in real-time.
Ethical
Hacking
and
Countermeasures System
Hacking
Screen
Spyware:
TS Monitor
Capturing
SoftActivity
SoftActivity
TS Monitor is
terminal
server
sessions
recorder that
captures
every user action
..-..........
iLIIIMLIM
It captures
screenshots of
user activity such as
picture
of each visited web
page,
opened program, sent
or
received IM message,
etc.
...Eli
MA.=
Ail
y
ma ..
*4
4
X 40.25
2 01.
.1{ .
O*,
I. I/
by Inc. Jahn
WWI.
To.01
err.
1I
I m
http://www.softoctivity.com
Copyright by EC-Corned. All Rights Reserved. Reproduction is Strictly Prohibited.
011E11
nmin
ts
Exam
lop
tropm
Ws WArliVitY GIO0Ik
Rowans Usage
Soyenbwo
hTis
month
Smarm
Ie WY
Open bawl P
eeeee h
6-4161
!ow
ti o
hie
hand.u,
'112012
Imll data
10:
.L . ,12 012
eslesday Last 11 d ay s n ommi l iCodas
Range
Wok Dural
Carpde
Umar
1199169
1
00:35:59
CYPRESS HV
JO .
C0.0330
00.0325
C0.0502
00:01:36
20
CYPRESS HV
Paler
16
12
00:00:49
010017
or2n.
MTV, -
1,4.1f/tot...I:
Mert. ow ed we Sigel
Ye.
by oar/ Jobs
WC =
Ida cl;
snrnr,
e
1
tfs ,
ler.,, ,
-. ,-,
&
wa d
312-50
00:000s4
26
6700 06
0316111
*Ca 0,7
ha s )
Pc
hoc twit
Newt
Item
12
1111=
m
g
e
Z
i
m
.
EC-Council
Exam
312-50
EH
Desktop Spy
httpwww..spro
L.
http://ematrixsoft.com
IcyScreen
http://www.16softwore.com
http://wwwlesoftrejion.corn
Guardbay
Spector Pro
Remote
Computer
lutp://www.spectorsoft.com
Monitoring Software
http://www.guardbay.com
PC Tattletale
http://www.pciattletale.com
07
3
Ii
f2"
HT Employee Monitor
http://www.hidefools.com
Computer Screen
Spy Monitor
http://www.mysuperspy.com
HT
Employee
Monitor
available
at
available
at
http://www.hidetools.com
e
Spy
Employee
Monitor
http://www.spvsw.com
Ethical
Hacking
and
Countermeasures System
Hacking
cIE
USB spywarecoples flies from USB devices to
your
hard
disk in hidden mode without any request
USB Spyware
USB spyware is a program or software designed for spying on the
computer and dumping into the USB device. USB spyware copies the spyware files
from USB devices on to the hard disk without any request and notification. This runs
in a hidden mode so the users of the computer will not be aware of the presence of
the spyware on their computer.
USB spyware provides a multifaceted solution in the province of USB communications.
The USB spyware is capable of monitoring USB devices' activity without creating
additional filters, devices, etc., which might damage the driver structure in the
system.
USB spyware lets you capture, display, record, and analyze the data that is
transferred between any USB device connected to a PC and applications. This
enables working on device driver or hardware development, which provides a
powerful platform for effective coding, testing, and optimization and makes it a great
tool for debugging software.
It captures all the communications between a USB device and its host and saves it
into a hidden file for later review. A detailed log presents a summary of each data
transaction along with its support information. The USB spyware uses low system
resources of the host computer. This works with its own time stamp to log all the
activities in the communication sequence.
USB spyware does not contain any adware or spyware. It works with most recent
variants of Windows.
Module 05 Page b65
by EC-Council
Exam
312-50
to USB spyware copies files from USB devices to your hard disk in hidden
mode without
any request
e It creates a hidden file/directory with the current date and begins the
background
copying process
e
It allows you to capture, display, record, and analyze data transferred
between
any
USB
device connected to a PC and applications
Exam
312-50
m.. Ilgy
ps
Oro R..
14 1. Oa P..
L. a
11/..211111a 1:111.1.11. al
21
311,M1,101.,f .11111/6
P oe s t '
itsA:akjeenaiPt haw_ a
amass
19tao4 taut..
o.oraro
lala101111.1L
IIUS,k,9113001 POW ..
P 1016U.M.I.FCRUPT ..6
Vl
0,01A
(
1.1191011 115111.. (MK
aaA
0.4X0It
0-117f1101
0.0101.01
(1,011E
U51600.4 04IE WNW
ME
izaa
.1
.
14 a
Pe
et
C
V
112.11 .1 I-
Oft
NM
ISK.DP.M1105..1",
OW .0*.0111101 11,Wa .
111.U...01001, 6
Ivr wow
'us ...,
6.104
a
al
ulda0o4 (.!10e .
0 *MI
a :gm
U0P00, 0401
rs1.4 (a.t.
Of
airb..k.11.461111(111141112
*tar
I if
Stid NW
ttPtE17
,,
I:
--
La11.1.
1:14: 1:a0.11.
0
."
o *Jun
14.
11111140ST
1 jVITIOLPTY0/6.. N
<4......ry...Pc -
0 bur
14060.11M4
.. is
- - , ........
- VsP 0......11........
ta.a.
low or
(1.09/1/
1.KBPXYI (UM .
V5100)119.1111t L./
--AAA
1111111
141),.1.1
.......
,
E. l .
111,710.
1..
CI O. SOL
(.9199
110110
.h:tp Nwww.ev
erstrike cam
Et h ic a l
Hac kin g
E x a m 3 1 2 -5 0 C e r t i f i e d E t h i c a l
Ha c ke r
a nd
Co un t e rm e asu re s
S yste m Ha c king
qA
Ea
-
Vow
Vee p
Cebers
t1.0
is
L!
Typo
Nut.
O pus
MB
IN
0
Wu _011_1741830, 1 _IRMA
0.0=313
1
ELLE _011_171TERAU41_TAANS
0.050372
2
NU CRPITERRU71 _TRANS
060936
3
BULKOR JMTERRUPT_TRANS
0060006
Lft0
O x
PC ,
-
Apure Ina
(Lapsed .
&P0
- ore Root me
- oirc
EPOICEEZ I
816100626010131Rel US8U-ssersal
Mal
-a rc Root I4.
ay
Port I: No dr.xs
arraesd
Q-/
Ulf
Port 2: ND apse
- arc "mop)
gnome/cc use
Urassrsal
Root
S
0.070101
NMI 6
070101
URB
=.
con octal
Ore
MN 4
1I
USEPD0-4
PI
10.01E
US8405-4
10.110
USE00.0.4
IN
10416
16E000-4
BUYOR_OITBRINPI _TRAMS
el
9
0.060115
iMal 10
mucca_ortotrouri_nums
0.010130
LOS
II
LUX _OR _INTERRIPI TRANS
0.093130
12
IN
Pi
MB
Pp. Obtxt
u9100-4 (O. 11
111JLE_OR_INTERALPI TRANS
0.070101
Wu O DOIXR el _10316..
7
BUX_CO_INNtReUP1 TRANS
0.070101
Pi
BUIRORINTERSLOlTRANIS
0.110159
id
0
el
10.016
US8P00-4 10
sIII
US10130-4
10.1110
US8e00-4
N
N
I0a1118..
U91000-4
(0410..
112100-4
10410..
U9000-4
81410..
USBe00-4
IS
-.
Mal( .
U61,00-4
(041[..
,..
. -
Stark .1ms
Capturno %Pits
Orsts Now
Opts Obeid
Swats
0 x
K
-
USA Dims.
'Naples.
US0000-4
6100030
useht.1.
Chnoween
USD HO
M _7110000..
81198310
lidUsb
Sake Lim
Clans GUID
HIDOots
PAC 7A0-710 3.110 011E 4:0UXSYS
Ej
_thisLikL
IX
itauteallior
010..e.
0000
K..:
00
D.
Ole
00 00 00
00000000
Asc.%
18300
Mo dul e 05 P age 66 8
EC-Council
USB Spyware
USB Monitor
USB Monitor Pro
http://www.hhdsoftware.com
http://www.usb-monitor.com
USB Grabber
USB
http://usbgrabber.sourceforge.net
Activity
Monitoring Software
http://wvwv.datadoctor.org
USBTrace
Stealth iBot Computer Spy
http://www.sysnucleus.com
http://wvwv.brickhousesecurity.com
On'
KeyCarbon USB Hardware
tf
USBDeview
httpwwww.nk,oft.net
Keylogger
http://www.spyworedirert.net
err
http://www.aggtoft.com
Copyright 0 by EC-Ca
USB Spyware
A few of USB
spyware tools
as
e USBTrace available at
http://www.sysnucleus.com
e USBDeview available at http://www.nirsoft.net
e Advanced USB Port Monitor available at http://www.aggsoft.com
KeyCarbon
USB
Hardware
Keylogger
available
at
http://www.spywaredirect.net
e USB 2GB Keylogger available at http://diij.com
Exam
312-50
Audio Spyware
H
Audio
illance
of different instant
messengers such
as MSN voice
chat,
Skype
voice chat, ICQ
voice
chat, MySpace voice chat, etc.
Pr
on the
attacker
Audio Spyware
Audio spyware is the sound surveillance program that is designed to capture the
sound waves or voice onto the computer. The spyware can be installed on the
computer without the permission of the computer user. The audio spyware is
installed on the computer in a silent manner without sending any notification to
the user and runs in the background to record various sounds on the computer
secretly. Using audio spyware doesn't require any administrative privileges.
Audio spyware monitors and records a variety of sounds on the computer. The
recorded sounds are saved into a hidden file on the local disk for later retrieve.
Therefore, attackers or malicious users use this audio spyware to snoop and
monitor conference recordings, phone calls, and radio broadcasts, which may
contain the confidential information.
Audio spyware is capable of recording and spying voice chat messages of various
popular instant messengers. With this audio spyware people can watch over
their employees or children and see who they are communicating with.
Audio spyware can be used to monitor digital audio devices such as various
messengers, microphones, and cell phones. It can record audio conversations by
eavesdropping and monitor all ingoing and outgoing calls, text messages, etc.
They allow live call monitoring, audio surveillance, track SMS, logging all calls, and
GPRS tracking.
Ethical
Hacking
and
Countermeasures System
Hacking
C EH
Sound Snooper
J Voice activated recording
Conference recordings
el +pa.
%Firs
Isar, eh.
1,21. Option
About
Options Help
Voice
MEM 00:00:27.9 I
stop
cot Ootienc
AroStoit
r Hde Trey Icon r MICE Instal Pe&
RetodRajCVIora
old 0,y... Obi
tut, I I oar.,
Record TrokrAsnagernen1
Co Auto Record When SlOo. Volta
Chat
AzIontO
I Auto Record When OCI YOU Chet
ArtIvAta
7 ALIO Record When ',ANY:VR.5.M. VORA
COI AMAX r 'WO FtecogdWhen Noce Chat
Room Acts..
tr. . r 4",
510
00
25 23
, 10
hotkRy searp
Default Hotkey COI a All .R
r Seltwkev
Ctrl All 4 I
ry DR
Pause
50
02 09
http://wwwsound-snoopercom
XCd
http://www.mysuperspy.com
Ethical
Hacking
and
Countermeasures System Hacking
Spy
Voice
Recorder
File Option About
IIIIIIIIIIIII
Stop
00:00:27.9
Save Path: ID:Iprogram FiesYycdtData
Set Options
AutoStart
Recording Options
Save FiesiNnutes
6- Default Hotkey
Set Hotkey
Exit
OK
X Car"'
- - Sound Snooper
Source: http://www.sound-snoopercom
Sound Snooper is computer spy software that allows you to monitor sound and voice
recorders on the system. It invisibly starts recording once it detects sound and
automatically stops recording when the voice disappears. You can use this in
recording conferences, monitoring phone calls, radio broadcasting logs, spying
and employee monitoring, etc. It has voice activated recording, can support
multiple sound cards, stores records of any sound format, sends emails with
recorded attachments, and is supported by Windows.
CliC Sound Snooper
File Options Help
SB Live! Wave Device
Voice
510
I11
11! er
00 25 23
Pause
50
02:05:32
Ethical
Hacking
and
Countermeasures
System
Hacking
Video Spyware
Video
spyware
secretly
monitors and
records
webcams and
video IM
conversions
Video
spyware can
be used for
video
surveillance of
sensitive
facilities
C EH
Attackers
can
remotely
view webcams via
the
web or mobile
phones
It allows attacker to
get
live images from all
the
cameras connected to
this
system through
Internet
User
Copyright 0 by Etta Mad. All Rights Reserved. Reproduction is Strictly
Prohibited.
User
Hacker
Exam
312-50
Record wizard
WebCam
Recorder
records
anything
on screen
such as:
e Webcams playing in your
browser
13 Video IM conversations
ti
Content
from
video
sites such
as YouTube
Any
video
playing on
your
desktop
Ersh
Ethical
Hacking
Countermeasures
Hacking
and
System
Record wizard
Auto-detected
image
R arle
I
Cancel
Finish
Exam
312-50
Video Spyware
H
Eyeline Video Surveillance
WebcamMagic
httpww..... robomogk.c.
15"-:
1.14iii:mT r1:
Software
http://www.nchsoftware.com
MyWebcam Broadcaster
Capturix VideoSpy
http://www.eyespylx.com
http://www.capturix.com
I-Can-See-You
WebCam Looker
http://www.internetsafetysoftwore.com
http://felenasoft.com
Digi-Watcher
SecuritySpy
http://www. bens oftware.com
iSpy
http://www.sarbash.com
http://www.ispyconnect.com
Video Spyware
Many video spyware programs are available in the market for
secret video surveillance. The attacker can use this software to secretly monitor
and record webcams and video IM conversions. An attacker can use video spyware
to remotely view webcams in order to get live footage of secret communication.
With the help of this spyware, attackers can record and play anything displayed on
victim's screen. A few of the video spyware programs used for these purposes are
listed as follows:
e WebcamMagic available at http://www.robomagic.com
MyWebcam Broadcaster available at http://www.eyespyfx.com
e I-Can-See-You available at
http://www.internetsafetvsoftware.com
e Digi-Watcher available at http://www.digi-watcher.com
e NET Video Spy available at http://www.sarbash.com
Ethical
Hacking
and
Counter
measure
s System
Hacking
,
A
P
Ir
in
t
M
ir
Spyware
1111Printer
pl C ell ,E
.1(
114
Spool
/44::27:
M
Print Server
User
Copyright 0 by Mk
Md. All Rights
Reserved.
Reproduction is
Strictly Prohibited.
Print Spyware
Attackers can monitor the printer usage of the target
organization remotely by using print spyware. Print spyware is printer
usage monitoring software that monitors printers in the
organization. Print spyware provides precise information about print
activities for printers in the office or local printers, which helps in
optimizing printing, saving costs, etc. It records all information
related to the printer activities and saves the information in
encrypted logs and sends the log file to a specified email address
over the Internet. The log report consists of the exact print job
properties such as number of pages printed, number of copies,
content printed, the date and time at which the print action took place.
Print spyware records the log reports in different formats for
various purposes such as web format for sending the reports to an
email through the web or Internet and in hidden encrypted
format to store on the local disk.
The log reports generated will help attackers in analyzing printer
activities. The log report shows how many documents were printed
by each employee or workstation, along with the time period. This
helps in monitoring printer usage and to determine how employees
are using the printer. This software also allows limiting access to
the printer. This log report helps attackers to trace out information
about sensitive and secret documents that have been printed.
Countermeasures Copyright
Ethical
Hacking
Countermeasures
Hacking
and
System
Spool
wIMINEmmamka=1
Printer
Print Sewer
User
Attacker
FIGURE 5.47: Working of Print Spyware
Exam
Print Spyware:
Activity Monitor
312-50
Printer
Printer Activity Monitor allows you to monitor and audit printers and find out which
documents are printed on each of the selected printers, the number of pages printed, the
computer ordering the printing, etc.
Yul Y. e.
"irr
INA/bnira) I
Klial 311
Mg,
.31119
/AI"
MAI,
311.36
non
11..
la,.
.13
111
Ms
.3
.1
WI KV,
A
u
11=1 a als
74
I
C 11 111
.13/0
Cl
MI
.1
41
MI ..".
r
I=
4.
4
II=3
11.
1313..........
.............mr.
=w e
r
"
=:1 a*
&aro
a
CI WA%
.11.11
A
=1 I..
311,311.
t
=
I :1.
1, TAW
I
14
fralroiltin
.I.
fork%
5.5
81
1
: .0,3. ..,
CJ , .r.
:
.4,44.
=I
NA44111
.00
".........44.
............1/
1..............
41- e
r
., .7.
MI
M
OK
41
WI .
r.
1 el ..w.
,41
3.,.J
4.111.
a
a
; =I
http://www.redrine-softwore.com
Copyright 0 by Ell:ta NBC'. All Rights Reserved. Reproduction Is
Prohibited.
cd y
Monitor:
simultaneously
Monitor printers remotely
(s4 Generate reports about printer usage
System Hacking
1.a I
ampftofta
Nai
r .
ir
lala
afta .
ma
w
EC-
Ethical
Hacking
and
Countermeasures
System
Hacking
Print Spyware
4)
http://www.spyorsenaLcom
http://www.imonitorsoft.com
PrintTrak
http://www.aggsoft.com
httpWwwwlygil.com
Printer Admin
Copier
http://usefulsoft.com
Tracking
System
http://www.printeradmin.com
-14,6
Print Inspector
All-Spy Print
http://www.softperfect.com
http://www.oll-spy.com
LL
Print365
http://krawasoft.com
http://www.prnwatch.com
Copyright by
Prohibited.
Print Spyware
Attackers can also use the following printer monitoring applications as
printer spyware to get information about target printer usage. This printer
spyware helps attackers to track printer usage such as content of documents
printed, number copies printed, date and time at which the print action took place,
and so on. A few print spyware programs are listed as follows:
e Print Monitor Pro available at http://www.sovarsenal.com
e Accurate Printer Monitor available at
http://www.aggsoft.com
e Print Censor Professional available at
http://usefulsoft.com
e All-Spy Print available at http://www.all-spv.com
O&K Print Watch available at
http://www.prnwatch.com
Admin
Copier
Tracking
System
available
at
http://www.printeradmin.com
Print Inspector available at http://www.softperfect.com
Print365 available at http://krawasoft.com
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
Telephone/Cellphone Spyware
H
Telephone/cellphone spyware monitors and records
phone
calls,
text
messages, and tracks employee cell phone usage
J
which secretly
sends data such as call history, text message, web browser
history, actual
location of phone, contacts, etc. to attackers through SMS
or email
>
401
-
User
Transmissi
on
Tower
Hacker
IMP
-A
Telephone/cell phone spyware is a software tool that gives you full access
to monitor a victim's phone or cell. It will completely hide itself from the user of the
phone. It will record and log all activity on the phone such as Internet use, text
messages, and phone calls. Then you can access the logged information via the
software's main website or you can also get this tracking information through SMS
or email. Usually, this spyware can be used to monitor and track phone usage of
employees. But attackers are using this spyware to trace information from their
target person's or organization's telephones/cell phones. Using this spyware doesn't
require any authorized privileges.
Most common telephone/cell phone spyware features include:
Call History - allows you to see the entire call history of the phone
incoming & outgoing calls).
(both
View Text Messages enables you to view all incoming and outgoing text
messages. Even deleted messages can be viewed in the log report.
Web Site History the entire history of all websites visited through the
phone will be recorded to the log report file.
Exam
312-50
tj GPS Tracking The spyware will show you where the phone is in real time.
There
is
also
a log of the cell phone's location so you can see where the phone has been.
It works as depicted in the following diagram.
Nir."
E
it
*
User
Trans
missi
on
Tower
FIGURE 5.49: Working of Telephone/Cell Phone Spyware
Hacker
Exam
312-50
CEH
a
t
MO
B ILE
..1.}L.
X.
VIE*"
.
--
13.41../1
7. .
7112 ow.
/
1=1 ;
111=11
71=
11 = 1 M O = M a
1:1=
--1
11
INELom
MII
lIL
1
=111 +uni
111
S
MIN:
I
=
S
1
.tw
http:/
11111
"
:
P..
/www phonespysoftwarcogni
System Hacking
hca, .
cp
GI
l ei , esoR
4.m.
Ms* I a. .
IR Sm
Cm
1.
,-
Ws *
soy e avnb r
o h n o p l a, 1 4 4 . [A l . ..........................
11
ml.
41.101
.........,
rd
. 111, 5 11
11M1,
A + i d . i. 0
re3 3 5 0 . 1 . 0 .
. 1 10
. .... .-.
. . r
...s
un.......................3
0/1I14
2 7 1. 3 7 W
2057
117 . 0 35. 13 00 1
. ... Id ,, t..., ,
e...
01.1.1M
1321...V .J es t
353 301.71 3
merr.s .
...tidy Let , .
aw n
Lorat
r*a
ria10. 4
VW
'whim
IMPIMO
RSO
31 1
.1-
1.01-70.
111W71.3
. rI l l
MI MP
M0.00
g.
3300.1.0............0.........
-
Ono.
YR
on ,
woa.
So
at
1 = 70. =
11350
1111
We
.1 .1 i . fo k.
m r.. . 1 11 2 0 1 0
1,t
./
.1...
0017
LIM
rean ni
a n s wan
iftI
ures ...5
1 NZ 201.317 1,130,711.1133
MO
.14-
5 0 0 . 5 1 1 . 0 . . . 5 h we
MLR
beery Inners rm
1173
1. 379 3
2...41411111,010 1 e
1,
rra
30.1,001 1 0
2017-0.2777 0 VI
1 0
.40.0356
7
7
' , IL, W.
..^1
01/4
8.-
11 4 s ( 1330ri 3
IMC
U..
.0
1..
m.p. sm.: 01
NY.
V i05.0
UAL
L e g.
(6)
i
11% 01
Wry
ACIBILE
5.103, .
13;m1
...................1.161
4
11114513 115113
R/ R a..,
IINVI 014
1 1 1.1.1
Be oa lm e w
. 2 1
r Ylne
2 / 010-1031511
MOIRE
ACJ-46.1.1- CI
III PRY
B
O
3 7 1 . 0 . 0 41 0 1 .
137011
R
MI
1075.-**31.
Ps, VAL
Imam.
111
.:131L05.1.
VG7
31*.D34016
611.1n1.1
l
EC-CouncH
Exam
Telephone/Cellphone Spyware
FlexiSPY OMNI
http://www.nch.com.ou
http://www.flerisPV,om
Modem Spy
SpyBubble
http://nrww.modemspy.com
http://www.spybobble.com
MOBILE SPY
1101
http://www.mobile-spy.corn
SPYPhone GOLD
heepwspver........
StealthGenie
SpyPhoneTap
CelISPYExpert
IntpiAwnospyphonetop.con,
http://www.cellspyexpert.com
http://www.steohhgenle.com
1111111Milli
Telephone/Cell
Phone
Spyware
(7)
(7)
(7)
by EC-Council
Exam 312-50
System Hacking
GPS Spyware
H
GPS spyware is a device or software applicationthat
uses the Global Positioning System to determine the
location of a vehicle, mobiles, person, or other asset to
which it is attached or installed
Satellite
Vehicle
Hacker
Transmission Tower
Copyright by EC-Ce
Prohibited.
GPS Spyware
GPS spyware is a device or software application that uses the Global
Positioning System (GPS) to determine the location of a vehicle, person, or other
asset to which it is attached or installed. An attacker can use this software to track
the target person.
This spyware allows you to track the phone location points and saves or stores them in
a log file and sends them to the specified email address. You can then watch the
target user location points by logging into the specified email address and it displays
the connected point's trace of the phone location history on a map. This also sends
email notifications of location proximity alerts. An attacker traces the location of
the target person using GPS spyware as shown in the following figure.
Ethical
Hacking
and
Countermeasures System Hacking
..4
"........PSetellite
...'
-.
e...............
Vehicle
A w
...-.
Server
a..n
Hacker
Cie
Transmission Tower
FIGURE 5.51: Working of
GPS Spyware
EC-Council
All Rights Reserved. Reproduction is Strictly
Prohibited.
Ethical
Hacking
and
Countermeasures System
Hacking
Features
13 Call interception
e Location tracking
SPYERA
D O E :/ G A LS
LEADING
4710BAA
11
**
A P I r ma ,
'L
l4;71
R..
Ap A r l A q
13
Read SMS
Outgo ing on
c,
I '
.
.
-
history
i
4
. ,. .P............
,....."
I.
SM S
See
t.:
'
See call
13
!A
Mi s s e d
messages
e
i .
3......
'.---.---
In co mi ng , ,ep
Outg o i
ng (8 6
SYSIOrn
contact list
e Read messenger chat
sm
Wh a b A p p
DO M
ns ,
e Cell ID tracking
177 =
P. m I
e Web history
inCern log
ai
Outgoing
Location
Los
r
*
A7k*,-,-.4g1
http://spyer
acom
Copyright 0 by EC-Cs
Prohibited.
this
software:
e
Listen
to
phone
call
conversations
e
photos
taken
SPYERA
SPYERA
N E WORLDS LEADINO
im
F
4
I11'
AINISIND
wwwwwlw...
Owe.
Na.
wASENIO
116
OWN
ow,
alas s n)
SIWN=414wwwww-
rl1111
Ira
. - 7 : 1 .,
1 1M
1111 1 . .
. .
.1
MIMEO
N .1
u ms a ml
mai
11
. . . " "7.
Swag
W4
Ims w N w or n s a
wwwe
Ethical
Hacking
Countermeasures
Hacking
and
System
GPS
Spyware
yr
w
EasyGPS
ALL-in-ONE Spy
http://www.thespyphone.com
http://wwweasygps.com
Trackstick
FlexiSPY PRO-X
http://www.flexispy.com
GPS TrackMaker
Professional
http://www.gmtm.c..
http://www.trackstick.com
1
[
MobiStealth Pro
http://www.mobistealth.com
mSpy
http:
ww.buymspy.com
MOBILE SPY
http://www.rnobile-spy.com
GPS Retriever
http://www.mobilebugstore.com
World-Tracker
r.
http://wwwworld-tracker.com
.I
gh s eserved. eprod
y rohib
GPS Spyware
There are various software programs that can be used as GPS spyware to
trace the location of particular mobile devices. Attackers can also make use of the
following GPS spyware software to track the location of target mobiles:
e EasyGPS available at http://www.easvaps.com
e FlexiSPY PRO-X available at http://www.flexispy.com
e GPS TrackMaker Professional available at
http://www,gpstm.com
MOBILE SPY available at http://www.mobile-spy.com
e World-Tracker available at http://www.worldtracker.com
ALL-in-ONE Spy available at
http://www.thespvphone.com
e Trackstick available at http://www.trackstick.com
MobiStealth Pro available at
http://www.mobistealth.com
mSpy available at http://www.buymspy.com
GPS Retriever available at http://www.mobilebugstore.com
Ethical
Hacking
and
Countermeasures
System
Hacking
How
to
Against
Keyloggers
Defend
Install anti-spyware/antivirus
signatures
up
date
programs
and
keepsthe
to
J
the
installation of keyloggers
Install good professional firewall software and anti-
J
J
keylogging software
F
c eck the keyboard cables for the attached connectors
Choose
new
passwords
for
different
online
Use software that frequently scans and monitors the changes in the system
or network
Copyright by EC-Ca
J
JJ
Prohibited.
I'
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
e Keep track of the programs that are running on the computer. Use
software that
frequently scans and monitors the changes in the system or network. Usually
keyloggers
tend to run in the background transparently.
e Keep your hardware systems secure in a locked environment and frequently
check the
keyboard cables for the attached connectors, USB port, and computer
games such as
the PS2 that have been used to install keylogger software.
a Recognize and delete phishing emails because most attackers use phishing
emails
as
a
medium to transfer software keyloggers to a victim's system.
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
1..1 4. 1
III
Use live CD/DVD or write-protected Live USB for rebooting the computer
Use automatic form-filling programs or virtual keyboard to enter user
L, 1d a
_.
0
4
name
IV
and
password
Use Windows on-screen keyboard accessibility utility to enter the password or any
other confidential information
VII
Do not click on links in unwanted or doubtful emails that may point to
malicious
sites
,400"
Copyright 0 by Eeta
Prohibited.
41,
11.,
confidential details
such as credit card numbers and passwords through keyboards.
Use keystroke interference software, which inserts randomized characters
into every keystroke.
Use the Windows on-screen keyboard accessibility utility to enter the
password or any other confidential information. You can maintain your
information confidentially because here the mouse is used for entering any
information such as passwords, credit
Exam
312-50
card numbers, etc. into the keyboard instead of typing the passwords
using the keyboard.
Do not click on links in unwanted or suspicious emails that may point you to
malicious websites.
Exam
312-50
Restrict physical
to
sensitive
computer
access
systems
Period
ically
check
your
keyboard
interlace
for extra
components
Periodically
check
all the computers
and check
whether
there is any
hardware
device
connected to
the computer
Copyright 0 by EC-Co
Prohbited.
Olt
Ethical
Hacking
and
Countermeasures System
Hacking
CIEH
Anti-Keylogger
_
J
E..
Con'.eatusi I
Q13130131310111 0
CIO D 1:113111130111
-47 1111:113E1EICID
123
'tu-n
1-11 11 11-11-11-1--r
o 7-r-ll
LEL2
=Ell
CI
1,JLL000E.=_LI
LI
ELJUILLILLJUL
-1
pi I
Copyright 0 by FC-Cemsci. All Rights Reserved. Reproduction Is Sol
Prohinted.
Anti-Keyloggers
Ethical
Hacking
and
Countermeasures System
Hacking
7:21 AM
.11. AT&T 3G
Landscape
Cancel
Cc/Bcc:
Subject: Confidential I
space
FIGURE 5.53: Anti-Keylogger
Screenshot
Ethical
Hacking
and
Countermeasures System
Hacking
Anti-Keylogger:
Zemana
AntiLogger
Zecneec .W61.998.192210
Zemana
AntiLogger
eliminates
threats from keyloggers,
SSL
banker Trojans, spyware,
and
more
Features:
SSL logger
C EH
Your computer
zerv,aNia
is protected
tarot
Pectertan
o eeabkr. AreeKee.002.
These rroOJes oeoteet you =vow from calm.
LaccT.T,s suit as wows spyweee and twee
you fsi soft, nen ofl es a croup. a rceveuale
ana
Seeertecoer
enoWelocanlecc
ee
SystemOefense
Webcam logger
.,-.van
protection Key
e mewls
6rIammil
PrIORIIIM %WNW
logger protection
Clipboard
logger
protection
Screen
snattsktearddxw
protection
..:
r sYSe
fZW7
'
r t 0.. .'
logger
ofia
ek..141
protection
mr-
e41.1.1
..0
ere --1
httptlliawriszetnene.cam
Coveted 0 by
Probbeed.
Ethical
Hacking
Countermeasures
Hacking
and
System
Your computer Is
protected
'le
111111'
ntr-
Sveerlogger
....noWehcarillogger
AntCloboarrilogg
e!
77nag
enienconsole
Protection Stabstics
Analyzed
Blocked
:
:
1694
16
Last
Anal
yzed
objec
t
Last
Block
ed
Ethical
Hacking
and
Countermeasures
System
Hacking
Anti-Keylog gel
Anti-Keylogger
SpyShelter STOP-LOGGER
http://Know.onti-keyloggers.com
http://wwwspyshetter.com
DataGuard
PrivacyKeyboard
tatp://.........no-keyagger.com
AntiKeylogger
Ultimate
httpwwww.mcosecuritylob.corn
DefenseWall HIPS
http://Know.softsphere.corn
PrivacyKeyboard
http://www.privocykeyboard.rom
KeyScrambler
http://vinvor.qinsoftwore.com
I Hate Keyloggers
http://dewasoft.com
CoDefender
ht,Ps://www.encoss acorn
Anti-Keyloggers
Anti-keyloggers secure your system from spyware attacks, software
keyloggers, and hardware keyloggers. Some of anti-keyloggers that can be used
for securing your system against various threats are listed as follows:
e
kevlouers.com
e
keylogger.com
e
DefenseWall
HIPS
available
at
http://www.softsphere.com
Ethical
Hacking
and
Countermeasures
System
Hacking
H
Adjust browser security settings to medium
for Internet zone
0
Regularly check task manager
report
and
MS 0
configuration
manager
report
Be cautious
about
suspicious emails
and
sites
ei
Copyright CD by EC-Ca
Prohibited.
e Don't open suspicious emails and file attachments received from unknown
senders.
There is a great likelihood that you will get a virus, freeware, or
spyware on the
computer. Don't open unknown websites that are presented in spam mail
messages,
retrieved by search engines, or displayed in pop-up windows because they
may mislead
you to download spyware.
Exam
312-50
Exam
312-50
C
EH
Do not use public terminals for banking and other sensitive activities
Pal
Exam
312-50
Exam
Anti-Spyware: PC
Spyware Doctor
312-50
Tools
PC Tools Spyware
Doctor
delivers
simple
protection
against dangerous spyware
132
lamParis1519
It checks files
before
they
can get on your PC
and
compromise your computer
Protection Status
Protection Summary
5
ariM il=0114
intellnuara Protection
r p62
Iralddorr dralmma
555.51,55 dr
arriamaraaarr
ad a-5. hada.
15.5..
Larmlim I 5555,5rid
dpc toolsX15:251X
http://www.pctods.com
Exam
312-50
Intel!,Guard
Protection Summary
Threats Detected:
532
Scans Performed:
15
Items Scanned:
7,562
Database
Updates:
Subscription:
Last Smart
Update:
drels1
Last Scan:
ago
Support
Protection Status
le Balanced Mode Protection is ON
IntelliGuard Protection
LIB
20
Fwires
Settings
in
723
gaily scans
ago
0 pc tools
by Symantec
?
Help
Ethical
Hacking
and
Countermeasures
System
Hacking
Anti-Spyware F.
10.411
H
Kaspersky
SUPERAntiSpyware
10
Internet
Security
2013
http://wwwkospersky.com
SecureAnywhere
Complete
2012
http://www.webroot.corn
Malwarebytes
Anti-
Malware
PRO
http://www.malworebytes.org
Copyright 0 by EC-Ca MG& All Rights Reserved. Reproduction Is Stri aly
Prohibited.
Anti -Spywares
Antispywares scan your system and check for spyware such as malware,
Trojans, dialers, worms, keyloggers, and rootkits and removes them if any are
found. Antispyware provides real-time protection by scanning your system at
regular intervals, either weekly or daily. It scans to ensure the computer is free
from malicious software. A few antispyware programs are listed as follows:
(7)
SUPERAntiSpyware
available
at
2012
available
at
Antivirus+
available
at
http://superantispyware.com
e
Spyware
Terminator
http://wwwperx.com
e
Ad-Aware
Free
http://www.lavasoft.com
(7)
SecureAnywhere
Complete
2012
available
at
http://www.webroot.com
e MacScan available at http://macscan.securemac.com
Spybot Search & Destroy available at http://www.safer-networking.org
e Malwarebytes Anti-Malware PRO available at http://www.malwarebvtes.org
Exam
312-50
Cracidng
Passwords
Escalating
Privileges
Executing
Applications
A Penetration
Testing
Strirtly
Pmiluhireel
40,
Escalating Privileges
de
Hiding Files
Covering Tracks
Penetration Testing
Ethical Hacking and Countermeasures Copyright
EC-Council
by
Exam
312-50
Rootkits
H
Rootkits are programs that hide their presence as well as attacker's malicious activities, granting them full access to
the server or host at that time and also in future
j
Rootkits replace certain operating system calls and utilities with its own modified versions of those routines that in turn
underminethe security of the target system causing malicious functions to be executed
A typical rootkit comprises of backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
servers
on
Objectives of rootkit:
e
the web
e Wrapping rootkit in a special package like games
backdoor
access
e
malicious
Installing rootkit on the public computers
applications or processes
or
corporate computers through social
engineering
etc.
iso
restricted
or possess no access
e)
Rootkits
Rootkits are software programs aimed to gain access to a computer
without being detected. These are malware that can be used to gain unauthorized
access to a remote system and perform malicious activities. The goal of the rootkit
is to gain root privileges to a system. By logging in as the root user of a system, an
attacker can perform any task such as installing software or deleting files, etc. It
works by exploiting the vulnerabilities in the operating system and applications. It
builds a backdoor login process to the operating system by which the attacker
can evade the standard login process. Once root access has been enabled, a rootkit
may attempt to hide the traces of unauthorized access by modifying drivers or kernel
modules and deserting active processes. Rootkits replace certain operating system
calls and utilities with its own modified versions of those routines that in turn
undermine the security of the target system causing malicious functions to be
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures System
Hacking
games
e Installing rootkit on
through social
engineering
Ethical
Hacking
and
Countermeasures
System
Hacking
Types of
Rootkits
H
Hardware/Firmware Rootkit
r
2
Types of Rootkits
A rootkit is a type of malware that can hide itself from the operating
system and
antivirus applications in the computer. This program provides the attackers with
root-level access to the computer through the backdoors. These rootkits employ a
range of techniques to gain control of a system. The type of rootkit influences the
choice of attack vector. Basically there are six types of rootkits available. They are:
1
Hypervisor-level Rootkit
target operating system. This kind of rootkit works by modifying the system's
boot sequence and gets loaded instead of the original virtual machine monitor.
Kernel-level Rootkit
---- The kernel is the core of the operating system. These cover backdoors
on the computer and are created by writing additional code or by substituting
portions of kernel code with modified code via device drivers in Windows or
loadable kernel module in Linux. If the kit's code contains mistakes or bugs, the
stability of the system is greatly affected by the kernel-
Exam
312-50
level rootkits. These have the same privileges of the operating system, hence they
are difficult to detect and intercept or subvert operations of operating systems.
Application-level Rootkit
I
Hardware/Firmware Rootkit
Library-level Rootkits
Library-level rootkits work higher up in the OS and they usually patch,
hook, or supplant system calls with backdoor versions to keep the attacker
unknown. They replace original system calls with fake ones to hide information
about the attacker.
Ethical
Hacking
and
Countermeasures System
Hacking
Process
H
1
(4fl,r
Neekirpt
Hooks
Call FindNextFile
Call FindNextFile
KerneI32.dil
Kerne132.dd
Ox87654321+ ind N e xt
File -
Rootkit replaces
first 5 bytes of
code with
jmp
Ox90045123
Direct
Process 1
Process 2
Kernel
Unique process ID
Unique process ID
Object
Manipulation
(DKOM)
ActiveProcesLinks
LIST ENTRY
Ftlf41(
v:
'BUNK
ActiveProcesLinks
Process Identifiers
Process Identifiers
MEM
Unique process ID
ActiveProcesLinks
UST ENTRY II
LIST ENTRY {
'FUNK
FUNK
'BLINK
'DUNK
Process Identifiers I
Hooks
Process (After
0x87654321:FindNextFile code
Call FindNextFile
FindNextFile: 0x87654321
Kerne132.dil
0x87654321:FindNeXtFile
Rootkft code:
0x90045123: My Find
NextFile
Rootkit
replaces
>
first 5 bytes of code
with
jmp
Ox900451
23
Exam
312-50
Process 1
Direct
Kernel
Object
Manipulati
on
(DKOM)
Unique process ID
11
ActIveProceslI
nks
i Unique process ID
Unique process ID
ActiveProcesLinks
ActiveProcesLinks
LIST ENTRY I
LIST ENTRY {
*FUNK
'BLINK
Process 3
Process 2
'FUNK
'BLINK
'BLINK
Process Identifiers
LIST ENTRY(
"FLINK
.........
Process Identifiers
.1
Process Identifiers
by EC-Council
Ethical
Hacking
and
Countermeasures
System
Hacking
Rootkit: Fu
J Fu operates using
direct Kernel
object
manipulation
J
Fu
Components of
are
dropper (fu.exe)
and
driver (mcdirertit cycl
l'cPtproo)
CEH
mrenp>fu
3101
recess
fu.xe :9619
eras
:215319912M
cess
Systeet:4
rocas s
sets .exe :375
recess
csrss .exe :632
recess
win lower, .exo :661
rocess
services .x;999
recess
!sass -axe:732
recess
suchost -exe :912
recess
suchost.exe:11364
recess
suchost.exe:1092
recess
suchost .oxe:1176
rocs's*
sechost .exe :1299
recess
:goalie-axe:1116
coax
UPkoareServ ie . : 1592
casts
wig -axe:2836
rocas'
explorer oexis :5'72
recess
urecntf
recess
UMIrare Tray.exe :928
recess
IlMuwreliser
recess
ctf non .exe :1168
recess
cowl .exe:4211
recess
tasknor.exe:916
ota 1 number of processes 23
Copyright
Prohibited.
Rootkit: Fu
Fu is an infection database that operates using Direct Kernel Object
Manipulation (DKOM) and comes with two components, the dropper (fu.exe) and
the driver (msdirectx.sys). The Fu rootkit modifies the kernel object that represents
the processes on the system. All the kernel process objects are linked. When a user
process such as TaskMgr.exe requests the operating system for the list of
processes through an API, Windows walks the linked list of process objects and
returns the appropriate information. Fu unlinks the process object of the process it
is hiding. Therefore, as far as many applications are concerned, the process does not
exist.
The Fu rootkit can also allow you to hide and list processes and drivers by using
different hooking techniques. It can add privileges to any process token. This can
perform many actions in the Windows event viewer and appear as someone else's.
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures System Hacking
e Invite de commandes
:\temp>fu pl 30
Process: fu.exe:860
rocess;
:215309
1200
Process: System:4
Irocessz
smss.exe:376
Processt
csrss.exe:632
'rocess
winlogon.exe:664
Processt
seruices.exe:708
'rocess
lsass.exe:732
P r o c e s s
suchost.exe:912
'rocess
suchost.exe:1004
Process
suchost.exe:1092
P r o c e s s
suchost.exe:1176
Process.
suchost.exe:1284
rocess: spoolsv.exe:1416
Processz
UMwareSeruice.e:1592
'rocess; alg.exe:2036
'rocessz
explorer.exe:572
'rocess;
wscntfy.exe:580
Process:
UMwareIray.exe:920
Process:
UMwareUser.exe:1040
POCeSS
ctfmon.exe:1168
Process' cmd.exe:420
Proc 12 2; E; . taskmgr . exe : 816
otal number of processes
23
Exam
312-50
mw
Rootkit: KBeast
EH
ti KBeast (Kernel Beast) is kernel rootkit that loads as a kernel module. It supports kernel
2.6.16, 2.6.18, 2.6.32, and 2.6.35
-I It also has a userland component that provides remote access to the computer
KBeast gains its control over a computer by hooking the system call table and by hooking
the operations structures used to implement the netstat interface to userland
r>
Features
Hiding loadable kernel modules
Anti-kill process
Hiding files/directory
Anti-remove files
Isof)
C
op
yr
ig
ht
0
by
Me
Rootkit: KBeast
KBeast (Kernel Beast) is kernel rootkit that loads as a kernel module. It
supports kernel 2.6.16, 2.6.18, 2.6.32, and 2.6.35. It provides remote access to the
systems by using its userland component. Using the kernel module, the userland
backdoor component can be invisible from other userland applications. This can
hide files, directories, and processes (ps, pstree, top, Isof) that start with a userdefined prefix. You can use keylogging abilities to capture the user activities. To
implement the netstat interface to userland, KBeast obtains access over the system
by hooking the system call table and operations structures.
The features of this rootkit include:
kernel module e
files/directory
Hiding
e Anti-remove files
Ethical
Hacking
and
Countermeasures System
Hacking
modules a
backdoor
e Remote binding backdoor hidden by the kernel rootkit
Ethical
Hacking
and
Countermeasures System
Hacking
Rootkit:
Hacker
Defender
HxDef Rootkit
C EH
Command Prompt
bdc
l i1 00 .ex e
1 92 .1 68 .8 .9 3
135 v4L
c on ne c ti ng
se r v er
.
receivi ng
banner
openi ng
bac kdoor
..
ba c kdo or
fo und
c he c ki ng
b ac k do or
b ac k do or
r ea dy
a u t h o ri zat i o n
s ent,
Wa i t i n g
for
reply
authorization SUCCESSFUL
bac kdoor
c los e
s hell
activate d!
an d
all
p rogz
to
e nd
session
I
Copyright by EC-Ca
Ethical
Hacking
and
Countermeasures
System
Hacking
Command Prompt
bdc
192.168.8.93
135 v4L
1i100.exe
III
connecting
server
receiving
banner
opening
backdoor ..
backdoor
found
checking
backdoor
backdoor
ready
a uthoriza tion
se nt ,
Wait in g
for
rep l y
authorization - SUCCESSFUL
backdoor activated!
c lose
she ll
to
s e ss io n
a nd all progz
end
Ethical
Hacking
and
Countermeasures
System
Hacking
Detecting
Rootkits
Integrity-Based
Detection
It compares a snapshot of the
file
system,
boot records, or memory with
a known
trusted baseline
SignatureBased
Detection
This technique
compares
characteristics of all
system
processes and executable
files with a database of
known
rootkit fingerprints
Cross ViewBased
Detection
Enumerates
key
elements
in
the
computer system such as
system files,
processes, and registry
keys
and
compares
them
to
an
algorithm
used
to
generate a similar data set that
does not
rely on the common
APIs.
Any
discrepancies between these
two data
sets indicate the presence of rootkit
Heuristic/Behavi
orBased
Detection
Liakt
Runtime
Execution
Path
Profiling
This technique compares runtime execution
paths of all system processes and
executable files before and after the rootkit
infection
Or
i
Detecting Rootkits
The rootkit detection techniques are classified as signature, heuristic,
integrity, cross-
Signature-based Detection
Signature-based detection methods work as a rootkit fingerprints. You can
compare the sequence of bytes from a file compared with another sequence of bytes
that belong to a
malicious program. This technique is mostly employed on system files. Rootkits that
are
invisible can be easily detected by scanning the kernel memory. The success of
signature-based detection is less due to the rootkit's tendency to hide files by
interrupting the execution path of the detection software.
isq
Heuristic Detection
Exam
312-50
Integrity-based Detection
Integrity-based detection functions by comparing a current file system,
boot records, or memory snapshot with a known, trusted baseline. The evidence or
presence of malicious activity can be noticed by the dissimilarities between the
current and baseline snapshots.
Cross-view-based Detection
"--j Cross-view-based detection techniques function by assuming the
operating system
has been subverted in some way. This enumerates the system files,
processes, and registry keys by calling common APIs. The gathered information is
then compared with the data set obtained through the use of an algorithm traversing
through the same data. This detection technique relies upon the fact that the API
hooking or manipulation of kernel data structure taints the data returned by the
operating system APIs, with the low-level mechanisms used to output the same
information free from DKOM or hook manipulation.
Runtime Execution Path Profiling
The Runtime Execution Path Profiling technique compares runtime
execution path
profiling of all system processes and executable files. The rootkit adds new
code near to a routine's execution path, in order to destabilize it. The number of
instructions executed before and after a certain routine is hooked and can be
significantly different.
Exam
312-50
Step 1
Run "dir / s /b /ah"
run
and "dir /s /b /a-h"
and
inside the potentially
on
infected OS and save the
save
results
Step 2
Boot into a clean CD,
"dir Is
/b /ah"
"dir Is lb /a-114"
the same drive and
the results
Step 3
Run a clean version of
WinDiff on the two
sets of
results to detect filehiding
ghostware (i.e.,
invisible
inside, but visible from
outside)
will be some false positives. Also, this does not detect stealth software that hides
in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
Note: There
Cop
yrig
ht 0
by
14
Steps
for
Detecting
Rootkits
Source:
http://research.microsoft.com
Follow these steps to detect rootkits:
1. Run "dir /s /b /ah" and "dir is lb /a-h" inside the potentially infected OS and
save
the
results.
2. Boot into a clean CD, run "dir Is /b /ah" and "dir /s /b la-h" on the same drive,
and
save
the results.
3. Run a clean version of WinDiff from the CD on the two sets of results to
detect
filehiding ghostware (e.g., invisible inside, but visible from outside).
Note: There can be some false positives. Also, this does not detect stealth software
that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
CEH
a
Reinstall OS/applications from a
trusted source after backing up the
critical data
Ethical
Hacking
and
Countermeasures System
Hacking
tJ
firewalls
Use
strong
authentication
Exam 312-50
AM
regularly
using
e
Ensure that the chosen antivirus software possesses rootkit protection
before
it
is
installed
You should avoid logging in an account with administrative
Exam
Anti-Rootkit: Stinger
EH
312-50
Ls a
Inftdece
r LAI dbl. yawed
Dowson
.1".,..01.1
....***Li*Vo.11
r.
1 VA
Seen whom...
O tt
Rd* ...mat
aktor.lare
Na
on)
+.1w
X.,
Anti-Rootkit: Stinger
Source: http://www.mcafee.com
McAfee Stinger helps you to detect and remove prevalent Fake Alert malware,
viruses, and threats identified in your system. Stinger scans rootkits, running
processes, loaded modules, the registry, and directory locations known to be used
by malware on the machine to keep scan times minimal. It can also repair the
infected files found in your system. It detects and deactivates all the viruses from
your system.
Ethical
Hacking
Countermeasures
Hacking
and
System
Preferences
1
4
r Racal only
F Paws,
W Rapew
17 BOOS We n
C Rename
F Rocakes
hsmissi
r las
g
e
On wus desseaon -
F Prone was
Oeler.
al
Iles
scorned
Detepon
NN
Scan sulubreclones
l
l
a
L
f
e
t
p
IP
Scan Now
w I MI Id
MI I seer Ire AI
floyds Rseese
Malls +10000:03 erred wee. 42111
MON sere
r Rama oppicatons
we velem
i
n
a
r
i
O
S
A
Y
S
C
I
Y
O
r
i
g
l
i
f
l
a
r
t
i
S
e
n
s
w
a
y
ca
I
lOiest i
Council
Exam
Anti-Rootkit: UnHackMe
312-50
C IE H
91
Features:
t)
Precise doublechecking
for
Windowsbased PC
w- .a.
, +Or
e x
EARL Sc.774
44..44rE.0
t3
n Instant tracking
of
malicious code
in the
tp,
16.
Crux-acts
t o4.
r_,Are sr. Er
NonvolkS41. E
fft S0,0,0 C.6
0.1
1 O ICf1
Ses co
=7.1,
Pr
Is.
4.1 ,
,SYSTEN1C,Nnaenool.
SYSTEM C nnaoovM.
No (mshcpsols
.n
SYSISTIKvir[Cor DI.
RFC 12 G1000dium M I CO CO .
RFC_4
Sonswww7M.croRs76..........
L,00ram
OM)
n,
74.
4031........%
SoboeSKErtrelli...........CMV LOCAL.................Mn.
aoftenrewmatowl.. 114,LOCAL...
Pa
SokvarNlvonftwi...
Ph
SoffineeiMieeente
Har_LOCAL.. a ,.
IRIET 10
.. OW II
vAndosa
Knoel
Pula
1.7
ON IN14m.
Owftia.
1
1+
Nen, 44,7
44pdP4
d..
111 '- ' rMa n
F M
0.a.........40.
"
14.444.4
,7
44 7
1.7 nh I I
areArnarxhil
44.14
IIMarIo)
7-440
w
SNSIDIKutir Ka nu
FrF7_1 OD, .
VI
http://www.greatis.com
'c-ft
Anti-Rootkit: UnHackMe
Source: http://www.greatis.com
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures System Hacking
11
tie
Ecit
dew
Reboot
11
tro
Reheah
t2
0x
Save Log
Item Name
a
Internet
re Browsers
a all Network
a Software Co
irn
at e
aM
(
El
Winclws
Set
SF
Kernel Auto
Fee Robbers
Prohibited:0
Suspicious, 9
Wamings.1
COMMeele
lWhols
17 Registry Run
dtri.exe
"OProgram Rles
Default Value
Revelry Key
Root Keb
\SYSIEM1CurrentControl
+Not m... 83
LS1SIEM CurrentControl...,
+Not m... 83
LSYSTEM1CurrentControl...
+Not m... 83
41
OftwArekM1CrOSOfTWA
1-
C:\PROGRAM FILES
\Software\ rekrosoft\
Kkh SZ
lAvrogram HIES
\Software\ Microsoft\
'CAProgram Files
REG SZ
'C:Wrogram Files
REG
CAPROGRAM FILES
\SoftwareValcuisoft\
11
(x136)lAuto-T...
4 Make Backup
REG
a CAWindows\ svmet2
4 Reeve Backup
4 Addle the !snare Lid
AR Item,
Expl
1k,
Bootaecute BootExecute
REG-N
co Ma
Inn rn en ,n,
Nfecm.rcr
Yairm minas
Pale Yellow waning.
1.1tCV I
noel
ta
Ethical
Hacking
and
Countermeasures
System
Hacking
Anti-Rootkits
Virus Removal Tool
Rootkit Buster
http://umno sophos.com
http://dosonloodcenter.trendmkro.com
Rootkit Razor
http://northsecuritylabs.com
http://www.tirersecure.com
RemoveAny
http://www.free-anti-spy.com
PAII
I
TDSSKiller
SanityCheck
http://www.resplendence.com
http://support.kaspersky.com
GMER
Prevx
http Wwww.prevx.com
Anti-Rootkits
The following anti-rootkits help you to remove various types of
malware such as rootkits, viruses, Trojan, and worms from your system. You can
download or purchase antirootkit software from home sites and install it on your PC
to be protected from rootkits. A few anti-rootkits are listed as follows:
e Virus Removal Tool available at http://www.sophos.com
e Hypersight Rootkit Detector available at
http://northsecuritvlabs.com
e Avira Free Antivirus Tool available at htth://www.avira.com
e SanityCheck available at htth://www.resplendence.com
e GMER available at http://www.gmer.net
Rootkit Buster available at
http://downloadcenter.trendmicro.com
e Rootkit Razor available at http://www.tizersecure.com
e RemoveAny available at http://www.free-anti-spy.com
Ethical
Hacking
and
Countermeasures System
Hacking
C EH
Inje
ct
maliciou
s
code in
the
existing
It,ygunt
file
>
Hacker
Existing File
(\/-
In addition to the file attributes, each file stored on an NTFS volume typically
contains
two data streams. The first data stream stores the security descriptor, and the
second stores the data within a file. Alternate data streams are another type of
named data stream that can be present within each file.
Alternate Data Stream (ADS) is any kind of data that can be attached to a file but not
in the file on an NTFS system. The Master File Table of the partition will contain a
list of all the data streams that a file contains, and where their physical location
on the disk is. Therefore, alternate data streams are not present in the file, but
attached to it through the file table. NTFS Alternate Data Stream (ADS) is a
Windows hidden stream that contains metadata for the file such as attributes, word
count, author name, and access and modification time of the files.
ADS is the ability to fork data into existing files without changing or altering their
functionality, size, or display to file browsing utilities. ADSs provide attackers
with a method of hiding rootkits or hacker tools on a breached system and allow
them to be executed without being detected by the system's administrator. Files with
ADS are impossible to detect using native file browsing techniques like the command
line or Windows Wxplorer. After attaching an ADS file to the original file, the size of
the file will show as the original size of the file regardless of the
Exam
312-50
size of the ADS anyfile.exe. The only indication that the file was changed is the
modification time stamp, which can be relatively innocuous.
Inject malicious
code In the existing file
Hacker
>
Existing File
ry
Ethical
Hacking
Countermeasures
System Hacking
and
-- 1 11 -
r-
C EH
7-1
ri
t)
Launch c: \>not ep ad
myfil e
e)
e
To modify
the
Launch c : \>notepad
myfi le . t xt : tiger . ta ct
stream
d at a ,
op en
d o c u men t
Myfile
txt:
new
lines
tig
er . txt' in
notepad
lines of data. e
lines of text e
e
e To modify the stream data, open the document 'myfile. txt : tiger . txt' in
Notepad.
Module 05
by
Page 735
Copyright
EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures
il
L
M
o
v
e
t
h
e
c
o
n
t
e
n
t
s
o
f
T
r
o
j
a
n
.
e
x
e
t
o
R
e
a
d
m
e
.
t
x
Location c:\
Trojan
.exe
(size:2
MB)
41111M
-1
Location c:\
Readme.txt (size: 0)
Trojan.exe
C:\start
1de
c : \ R e ad me . txt : Troj an . e xe
.7/
4mm:17
(stream):
Extract
C:\> c at c :\ R e ad me . txt:Troj an .e xe
Y
a
k
>
Trojan.exe
Readme.txt
(stream):
c:\>
cat
c:\Readme.txt:Trojan.exe
>
Trojan.exe
Note: Cat is a Windows 2003 Resource Kit Utility.
Move the contents of
Location c:\
Trojan.exe to Readme.txt
Trojan.exe
(size: 2 MB)
Locati
on c:\
Readme.txt (size: 0)
FIGURE 5.63: Working of NTFS Stream
Manipulation
Reproduction is
Strictly
Prohibited.
Ethical
Hacking
and
Countermeasures System
Hacking
LNS.exe from
(http://ntsecurity
.nu
/toolbox/Ins/)
1
To delete
NTFS
streams
, move
the
suspected files to FAT
third-party
partition
can
file
Use
checksum application to
maint
ain
integr
ity of
an
detect streams
NTFS
partiti
on
agains
t
unaut
horize
d
ADS
report of the ADSs' presence as well as gives the full path and length of each ADS that
is found.
Other means include copying the cover file to a FAT partition and then moving it back
to NTFS. This corrupts and loses the streams.
LNS.exe from http://ntsecuritv.nuitoolbox/Ins/ is a tool used to detect NTFS
streams.
This
tool
is useful in a forensic investigation.
You should do the following things to defend against
NTFS
streams:
Use up-to-date antivirus software on your system
Enable real-time scanning of antivirus as it will protect from execution of
malicious streams inside your system
e Use file monitoring software such LAD, as it helps you to detect creation of
additional
or
new data streams
by EC-Council
Exam
312-50
NTFS
Stream
Detector:
StreamArmor
Stream Armor discovers hidden
Alternate
wl
Ste
a. a. A,
them
completely from the system
, 41
5r4111.4.1O 0 . a r r a =el
NM, fr o MN
r m.
Irollor ma. laws Ila
Y. IN war .11.
. r et
=MU
1
Y=6 WMARO
WON
INENIMMOO
ImAnmOssow
.16
http://securityxploded
.com
Copyright 11:, by
Prohibited.
Exam 312-50
Ow
11Ir
tf.ftmftwmft-
w vft,r-
14.
*OM
Makma l l n i e
tftfe
=Ow drool=
....rm.
m..
A.I
.Pm
4 ..
r
Wil WM
WM. MOW,
.-.
room.
il-
O.
W
.E
a.
1
4.
-
.1.
L
WM
/.1.
mdemo
b
*Ago
krroft
OEM
Yonn.
1NW/d/
pwrr
NIWYMEN1wtfi
Exam
312-50
ADS Spy
Stream Explorer
http://www.merijn. nu
111
4,
ADS Manager
hupwdmitrybr..t.com
ADS Scanner
:
http://www.pointstone.com
Streams
RKDetector
http://technet.microsoft.com
http://stnywrkdetector. com
AlternateStreamView
GMER
http://www.nirsoft.net
http://www.grner.net
NTFS-Streams:
HijackThis
ADS
manipulation
Is
lb
. , +,
http://free.antildrus.com
tool
http://sourceforge.net
Copyright 0 by FC-Ce
Prohibited.
Exam
312-50
What Is Steganography.?
J
ordinary
message and extracting it at the destination to maintain
pie,3"
tr"'
confidentiality of data
-I Utilizing a graphic image as a cover is the most popular method to
conceal the
data in files
Source
hacking tool
Com
munic
ation
and
coordi
nation
channe
l
(1(
What is Steganography?
without the knowledge of the enemy. It replaces bits of unused data into the usual
filesgraphic, sound, text, audio, videowith some other bits that have been
obtained surreptitiously. The hidden data can be plaintext or ciphertext, or it can be
an image.
The lure of the steganography technique is that, unlike encryption, steganography
cannot be detected. When transmitting an encrypted message, it is evident that
communication has occurred, even if the message cannot be read. Steganography
is used to hide the existence of the message. An attacker can use it to hide
information even when encryption is not a feasible option. From a security point of
view, steganography is used to hide the file in an encrypted
Exam
312-50
format. This is done so that even if the file that is encrypted is decrypted, the
message will still remain hidden. Attackers can insert information such as:
Source code for hacking tool
List of compromised servers
e) Plans for future attacks
e Communication and coordination channel
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
CEH
Application of
Steganography
[2
]
312-50
Broadcast Monitoring
(Gibson, Pattern
Media Bridging
O
8
Copy Prevention or
Control
(DVD)
Metadata
Hiding
(Tracking
Information)
10
Covert Communication
Ownership Assertion
Fingerprinting
(Traitor Tracking)
Authentication
(Original vs. Forgery)
copyright 0 by Erramme. All RIghtsReserved. RapunductknisStelelly
PrahibiltAd.
Application of Steganography
The application of steganography differs in many areas and the area
depends on what feature of steganography is utilized. Steganography is applicable to:
Access Control System for Digital Content Distribution
In the Access Control System for Digital Content Distribution system, the
embedded data is "hidden," but is "explained" to publicize the content. In
this system, a prototype of an Access Control System for digital content is
developed to send data through the Internet. Using folder access keys, the
content owner embeds the content in a folder and uploads on the web
page. Here the content owner explains the content and publishes the
contact details on the World Wide Web to get an access-request from
users and they can contact him or her to get the access key. The valuable
data can be protected using special access keys.
Steganography File Systems
A Steganography File System has a level of security using which hiding data is
done by a series of fixed size files originally consisting of random bits on top of
which vectors could be superimposed in such a way as to allow levels of
security to decrypt all lower levels. Even the existence of any higher levels,
or an entire partition, is filled with random bits and files hidden in it.
Exam 312-50
t) Media Bridging
Using digital steganography, electronic communications can by
encrypted in the transport layer, such as a document file, image file, program,
or protocol.
e Copy Prevention or Control (DVD)
In the entertainment industry steganography can be used to protect copyrights
for DVDs and CDs. The DVD copy-protection program is designed to
support a copy generation management system.
Covert Communication
Ownership Assertion
Exam 312-50
System Hacking
clEH
Classification of
Steganography
Steganography
Linguistic
Steganography
Technical
Steganography
Semagrams
Open Codes
Null
C.iphrr
Visual
Semagrams
Covered
Ciphers
N/
Cipher
Text
Jargon
Semagrams
Code
Copyright 0
Prohibited.
Classification of Steganography
Steganography is classified into two areas based on techniques. They are
technical steganography and linguistic steganography. Technical steganography
hides a message using scientific methods, whereas the linguistic steganography
hides the message in the carrier, a medium used to communicate or transfer
messages or files. The steganography medium is usually defined as the
combination of the hidden message, the carrier, and the steganography key. The
following diagram depicts the classification of steganography.
Ethical
Hacking
and
Countermeasures System Hacking
Steganogra phy
Linguistic
Steganography
Technica
l
Steganogra
Semagrams
Codes
s p
Open
phy
Null Cipher
Visual
Semagrams
Covered
Ciphers
Grille Cipher
Text
Semagrams
.)
Ethical
Hacking
and
Countermeasures
System
Hacking
CEH
Technical
Steganography
Technical steganography uses physical or chemical means to hide
the
existence of a message
Technical steganography uses tools, devices, or methods to
conceal
messages
J
Uses redundant
tradition
page in a dot
onisstrictly
Technical Steganography
Invisible ink
This method uses invisible ink for hiding text
messages. e Microdots
It is a method that can be used to hide up to one page in a dot.
Computer-based methods
Use redundant information in texts, pictures, sounds, videos, etc.
Ethical
Hacking
and
Countermeasures
System
Hacking
Linguistic
Steganography
Hiding Message
J
written
natural
language
to
hide
message
in the carrier in some nonobvious
ways
the
It
is
categorized
into
Ty
pe
s
of
Semagrams
Visual
Semagrams
further
semagrams
Text
Semagrams
Use
innocent-looking
Hides a message by
modifying the appearance
of the carrier text,
such as subtle changes in
the font size or type,
adding extra spaces, or
different flourishes in
letters or handwritten
text
or
Linguistic Steganography
Linguistic steganography hides the message in the carrier in some inventive
ways. This technique is further categorized as semagrams or open codes.
Semagrams
This technique uses symbols and different signs to hide the data or
messages. This is further categorized as visual semagrams and text
semagrams.
e Visual Semagrams
This method uses unmalicious physical objects to transmit a message such
as doodles or the positioning of items on a desk or website.
e Text Semagrams
A text semagrams hides the text message by converting or transforming
its look and appearance of the carrier text message, such as changing font
sizes and styles, adding extra spaces as white spaces in the document, and
different flourishes in letters or handwritten text.
Ethical
Hacking
and
Countermeasures
System
Hacking
Linguistic
Steganography
H
(
C
o
n
t
'
d
)
pattern
on
the document that is unclear to the average reader
Open
steganography
divided into:
code
is
1. Jargon Code
It is a language that a group of
people
can
understand
but
is
meaningless
to
others
2. Covered Ciphers
The message is hidden
openly in the carrier medium
so that anyone who knows
the secret of how it was
concealed can recover it
abcd
efqh
ijklm
nop
ciphers are sub-divided into two types: null ciphers and grille ciphers.
Jargon Codes
Jargon codes are a language that a group of people can
understand but is meaningless to others. These codes use signals, terminology,
and conversations that have a special meaning that is known to some specific
group of people. A subset of jargon codes are cue codes, where certain prearranged
phrases convey meaning.
Covered Ciphers
The message is hidden openly in the carrier medium so that anyone who
knows the secret of how it was concealed can recover it. Covered ciphers are
categorized into two types: grille ciphers and null ciphers.
by EC-Council
Exam
312-50
A grille cipher employs a template that is used to cover the carrier message. The
words that appear in the openings of the template are the hidden message.
A null cipher hides the message by using some prearranged set of rules, such as
"read every fifth word" or "look at the third character in every word." It can also
be used to hide cipher text.
Exam
312-50
C!
Steganography Techniques
EH
Substitution Techniques
Substitut
t of the
over-object with a secret message
Statistical Techniques
[Embed messages by altering
statistical
properties of the cover objects
and use
hypothesis methods for extraction
- Transform Domain
Techniques
Distortion Techniques
Embed secret message in a
transform space of the signal
le.g. in the
frequency domain)
.2
Spread Spectrum
Techniques
Adopt ideas from spread
spectrum
communication to embed
secret
messages
Eilci
lforniatrion
that ensures creation of
cover for secret
communication
Steganography Techniques
Steganography techniques are classified into six groups
the cover modifications applied in the embedding process. They are:
based
on
Substitution Techniques
In this technique, the attacker tries to encode secret information by
substituting the insignificant bits with the secret message. If the receiver has the
knowledge of the places where the secret information is embedded, then they can
extract the secret message.
attacks. Transformations can be applied to blocks of images or over the entire image.
Exam 312-50
System Hacking
/f- )4
Statistical Techniques
Distortion Techniques
In this technique, a sequence of modifications is applied to the cover in
order to get a stego-object. The sequence of modifications is such that it represents
the specific message to be transmitted. The decoding process in this technique
requires knowledge about the original cover. The receiver of the message can
measure the differences between the original cover and the received cover to
reconstruct the sequence of modifications.
..164
Cover-generation Techniques
ix
In this technique, digital objects are developed for the purpose of being
a cover to secret communication. When this information is encoded it ensures the
creation of a cover for secret communication.
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Exam
312-50
Cover Image
Cover
Image
"*Lx
EC-Council "Hackers
"Hackers
are here. Where are
are
you?"
EC-Council
are here. Where
you?"
Copyright 0 by EC-Ce
Prohibited.
Ethical
Hacking
and
Countermeasures System Hacking
Cover Image
Cover Image
EC-Council
"Hackers
Stego Image
EC-Council
here
'Hackers
_Where are
are
your
FIGURE 5.65: How Steganography Works
Where
your
here.
are
Ethical
Hacking
Countermeasures
Hacking
and
System
EH
mm mm
Image
Steganograph
y
Audio
Steganography
White Space
Steganography
DVDROM
Steganography
Natural Text
Document
Steganography
Hidden OS
Steganography
Folder
Steganography
Video
Steganography
Web
Steganography
Spam/Email
Steganography
f
Steganography
11/..
Types of Steganography
Steganography is the art and science of writing hidden messages in such
a way that no one other than the intended recipient knows of the existence of the
message. The increasing uses of electronic file formats with new technologies have
made data hiding possible. Basic steganography can be broken down into two
areas: data hiding and document making. Document making deals with
protection against removal. It is further divided into
watermarking and fingerprinting.
The different types of steganography are listed
as
follows:
e Image Steganography
e
Document
steganography
Folder
Steganography
Video Steganography
Audio Steganography
Whitespace
Steganography
Web
Steganography
e Spam/Email
Steganography
e DVDROM
Steganography
e Natural Text
Steganography
e Hidden OS
Steganography
e C++ Source Code Steganography
Council
Exam
_I
Whitespace
Tool: SNOW
312-50
If the builtin
encryption
is used, the
message
cannot be
read even if
it is
detected
IF
Steganography
Administrator:
C:\Windows\system32\cmd.exe
J Because spaces and tabs are generally not visible in text viewers,
the
message
is effectively hidden from casual observers
1:\CEH-Tools\CEHOI Module
05 System Hacking\Whitespace Steganography
Tool\Snow\s wdos32>snow -C -m
"This
is
a
test
for Whitespace
Steganography using Snow" -p " :elcom" test.docx snowout.docx
ompressed by 41.90x
iessage
exceeded
available
space
by
approximately
c
C
http://www.darkside.com.au
Copyright 0 by EC-Council. All Rights Reserved. Reproduction is Strictly
Prohibited.
r:\CEH-Tools\CEHoS Module
05
Steganography Tool\Snow\s udos32>
System
Haching\Whitespace
Exam
312-50
Image Steganography
CIEH
In image steganography, the
information
is
hidden in image files of different
formats
such as .PNG, .JPG, .BMP, etc.
J
Cover Image
Copyright 0 by EC-Co awl. All Rights Reserved. Re producti on I s Stri cd y Prohibited.
Stoga
nogra
phy
Tool
Information
Image
Steganography
Image steganography allows you to conceal your secret message within an
image. You can take advantage of the redundant bit of the image to conceal your
message within it. These redundant bits are those bits of the image that have very
little effect on the image if altered. This alteration of bits is not detected easily. You
can conceal your information within images of different formats such as .PNG, .JPG,
.BMP, etc.
Images are the popular cover objects used for steganography. Image steganography
tools are used to replace redundant bits of image data with the message in such a
way that the effect cannot be detected by human eyes.
Image steganography techniques can be divided into two groups: Image domain and
transform domain. In image (spatial) domain techniques, messages are embedded
in the intensity of the pixels directly. In transform domain (frequency) techniques,
images are first transformed and then the message is embedded in the image.
There are three techniques that you can use to conceal you secret messages in
image
files:
Exam
312-50
The following figure depicts image steganography and the role of steganography
tools in the image steganography process.
gti
Cover image
S
t
e
g
a
n
o
g
r
a
p
h
y
T
o
o
l
Information
Information
FIGURE 5.67: How Image Steganography Works
Exam
312-50
H
J The right most bit of pixel is called the Least Signif
11001000)
(00100111
11001000
11101001)
(11001000
The letter "H" is represented by binary digits 01001000. To hide this "H" above stream can be changed as:
(00100110 11101001
00100110 11101001)
11001000)
(00100110
11001001
11101000)
(11001000
01001000
(11001000 00100111
And you want to hide the letter "H" in above 24 bit image as follows.
Now letter "H" is represented by binary digits 01001000. To hide this "H," the
previous stream can be changed to:
Ethical
Hacking
and
Countermeasures System Hacking
(00100110
if
11101001
11001000)
(00100110
11001001
11101000)
44
IL
44
.14
4119
H 4 01001000
FIGURE 5.68: Least Significant Bit Insertion Diagram
You just need to replace the LSB of each pixel of the image file as shown in this figure.
To retrieve this H at the other side, the person at the receiver side combines all the
LSB bits of the image file and thus is able to detect the H at the receiver side.
Exam
312-50
Masking
and
filtering
techniques
are
generally
used on 24
bit
and
grayscale
images
The information
is
not
hidden at the
"noise"
level of the image
Masking and
Filtering
Masking
techniques
hide
information in such a
way
that
the
hidden
message
is
inside the visible part
of
the
image
small, then people other than the intended users fail to notice that the image
contains a hidden message. This technique can be easily applied to the image as
it does not disturb the image. it is mostly used with JPEG images. Lossy JPEG
images are relatively immune to cropping and compression image operations.
Hence, the information is hidden in lossy JPEG images often using the masking
technique. The reason that a steganography image encoded with a marking
degrades in a lower rate under JPEG compression is that the message is hidden in
the significant areas of the picture.
Exam
312-50
H
J
mathematical
functions
coefficients
of
transform of an image
-1
JPEG images use the Discrete Cosine Transform (DCT) technique to achieve
image compression
111
Wavelet transformation
Discrete cosine
transformation
Wavelet transformation
Exam
312-50
CEH
J QuickStego hides text
in
pict
ures
so
that
only
othe
r
user
s of
Quic
kSte
go
can
retrieve and read the
hidden secret
messages
namcular bone
Irm
http://quickcrypto.co
m
Copyright 0 by [M
Prohibited.
message is hidden in an image, you can still save it as picture file; it will load just
like any other image and appear as it did before. The image can be saved,
emailed, uploaded to the web as before, and the only difference will be that it
contains hidden message.
QuickStego imperceptibly alters the pixels (individual picture elements) of the
image, encoding the secret text by adding small variations in color to the image. In
practice, to the human eye, these small differences do not appear to change the
image.
Exam
312-50
Exam 312-50
CEH
Hide In Picture
OpenStego
httP://sour eforge.net
http://openstego.sourteforge.net
PHP-Class
gifshuffle
S tr e a mS t e g a n o g r a p hy
http://www.phpclasses.org
JPEG
CryptaPix
Red
http://www.briggsoft.com
http://www.totalcmdnet
BMPSecrets
Steganography Studio
http://bmpsecrets.com
http://sterptudio.soufceforge.net
Laboratory (VSL)
http://wstsourreforge.net
Image Steganography
Tools
Like the tool QuickStego discussed previously, you can also use the
following image steganography tools to hide your secret messages in images:
Hide In Picture available at http://sourceforae.net
aifshuffle available at
http://www.darkside.com.au
e CryptaPix available at
http://www.briggsoft.com
e BMPSecrets available at
http://bmpsecrets.com
OpenPuff available at http://embeddedsw.net
e OpenStego available at http://opensteao.sourceforae.net
PHP-Class
StreamSteganography
available
at
http://www.phpclasses.org
e Red JPEG available at http://www.totalcmd.net
e Steganography Studio available at http://stegstudio.sourceforge.net
Virtual Steganographic Laboratory (VSL) available at http://vsl.sourceforge.net
Exam
312-50
H
N1N
Document Files
Document Files
11011
Steg
Tool
Steg Tool
Information
Information
aartatyp4 Infrwrt
rt6iiesH.,bron
Step
1
The whSlerforlWooldarill guide you shop by shop through
codinoldecoding.
WolnuInStocol yan orn oble to hide ony Woe in o
canc.' Ile
Henr,...na H IM, PDF),hrout ch coping
theta mineable o
coltab,.
It you She fear at with no way rho pang Men
warlC you can Sue the Flauch an-bec do to Malta
all saatngo in an ow Mow
flowchart
WI narrl
!;et-linin,
I I elp
in re on I
Mtp://wbstego.wbader.com
Copyright 0 by EC-Cam ci. All Rights Reserved. Reproduction is Stri y Prohibited.
Document Steganography
Similar to image steganography, document steganography is the
technique used to hide secret messages to be transferred in documents. The
following diagram illustrates the document steganography process:
Document Files
-41
.74
Document Files
1141
Steg Tool
Tool
Informati
on
Steg
Information
Ethical
Hacking
and
Countermeasures System
Hacking
Source: http://wbstego.wbailer.com
WbStego is a document steganography tool. Using this tool, you can hide
any type of file within carrier file types such as Windows bitmaps with 16, 256, or
16.7M colors, ASCII or ANSI text files, HTML fields, and Adobe PDF files.
.44410 lama
wbStog
4
=1111M11
;4.0
tfnI 0,r1
_
as..
Help
Selling;
Elowchert -Mode
conenue
Exam
312-50
H
*1
4
Merge Streams
hupwwww..ikernei...
http://www.fasterlight.com
StegParty
Office XML
hiipwwww.wongeek.com
http://www.crazyboy.com
Hydan
Data Stash
Steg1
http://www.skyjuicesoftware.com
http://stegj.sourceforge.net
FoxHole
StegoStick
http://foxhole.sourceforge.net
http://sourceforge.net
SNOW
http://www.stegano.ro
http://www.darkside.com.ou
Copyright 0 by Etta
Prohibited.
e StegParty available at
http://www.fasterlight.com
Hydan available at http://www.crazyboy.com
e StegJ available at http://stegi.sourceforge.net
e StegoStick available at http://sourceforge.net
e SNOW available at
http://www.darkside.com.au
Ethical
Hacking
and
Countermeasures System
Hacking
Video
Steganography
cl"
NM
I
I
I
The techniques used in audio and image files are used in video
files, as video consists of audio and images
Video Steganography
Video steganography involves hiding secret messages files of any
extensions in the continuously flowing video file. Here video files are used as the
carrier to carry the secret information from one end to another end. It keeps your
secret information more secure. As the carrier video file is a moving stream of
images and sound, it is difficult for the unintended recipient to notice the distortion
in the video file caused due to the secret message. It might go unobserved because of
continuous flow of the video.
As a video file is a combination of image and audio, all the techniques available for
image and audio steganography can also be applied to video steganography. It can
be used to hide a large number of secret messages.
Video
Steganograph
y:
OmniHide
PRO
CIEH
OmniHide Pro hides a file within another file. Any file can be
hidden within common image/music/ video/document formats. The
output file would work just as the original source file
tae
Hide your data from tnose
or)Ing eyes
vim rr:.:<<
Mask hit
C \ use rs PO el Is pa cc \ De kioMh w
eeapAng: Lsp.
le
Fit Tn new
iC\ Users P
mage
don
i
s\ The tiger
ciministr
IQr
Output
FOG
"eroAdr,i.ma,c6Dednep\ Non
images\ egev_deplay-OoTiPS
View convened file
when complata
e
o
http://ornnihide.com
Reaci
Copyright 0 by MC.
Prohibited.
Ethical
Hacking
and
Countermeasures
System
Hacking
ide
Hide your data from those prying eyes
10E1=7.I
Mask File
File To hide
ICAUsers\Administrator\Desktop\Input Images\tiger_display.jpg
options
Output File
ICAUsers\Administrator\Desktop\Input Images\tiger_display_Out.jpg
View converted file when complete
Hide
U r _
(5
Clear E
Exit
Ready
7 0
Exam
312-50
-=
BDV DataHider
http://www.securekitnet
http://www.bdvnotepad.com
RT Steganography
StegoStick
httrairesteavideo.sourceforge.net
http://sourcejorge.net
Masker
heepwwww,orpuk...
httpl/embeddedsw.net
OpenPuff
Stegsecret
http.//www.softeza.com
httpWstegsecret.sourceforpe.net
MSU StegoVideo
PSM Encryptor
http://www.compression.ru
httill/demo.powersottmakers.com
S
.
A
I
L
.
RT
Steganography
available
http://rtsteavideo.sourceforge.net
e Masker available at http://www.softpuls.com
e
Max
File
Encryption
available
at
http://www.softeza.com
MSU
StegoVideo
http://www.compression.ru
available
at
at
BDV
Data
Hider
available
at
http://www.bdvnotepad.com
StegoStick available at http://sourceforge.net
e OpenPuff available at http://embeddedsw.net
e Stegsecret available at http://stegsecret.sourceforge.net
PSM Encryptor available at http://demo.powersoftmakers.com
Exam
312-50
Audio Steganography
CEH
UMW!
Milml
1.11.
such
.RM, .WAV, etc.
as
.MP3,
frequencies
that
are inaudible to the human ear (>20,000 Hz)
Audio He
Audio Files
fti
IVY
Steg Tool
Information
Steg Tool
Information
Audio Steganography
Audio steganography allows you to conceal your secret message within an
audio file such as WAV, AU, and even MP3 audio files. It embeds secret messages in
audio files by slightly changing the binary sequence of the audio file. Changes in the
audio file after insertion cannot be detectable, so this secures the secret message
from prying eyes.
You need to ensure that the carrier audio file should not be significantly degraded
due to embedded secret data; otherwise, the eavesdropper can detect the
existence of the hidden message in the audio file. So the secret data should be
embedded in such a way that there is a slight change in the audio file that cannot be
detected by a human. Information can be hidden in an audio file by using an LSB
or by using frequencies that are inaudible to the human ear (>20,000 Hz).
Audio File
Exam
41
Steg Tool
Information
Information
FIGURE 5.73: Working of Audio Steganography
312-50
Exam
312-50
S
p
r
e
a
d
S
p
e
c
t
r
u
m
an
audio signal
The sensitive message is encoded in
the echo in the form of variations in
amplitude, decay rate, and offset
.4
t6
ml
M
e
t
h
o
d
I
t
41
Exam
312-50
To encode the resultant signal in to binary form, two different delay times are
used. These delay times should be below human perception. Parameters such as
decay rate and initial amplitude should also be set below threshold audible values
so that the audio is not hearable at all.
Exam
Audio Steganography
Methods
SI
A
(Con
t'd)
LSB Coding
bit
16.0.
one inse
CE
I
312-50
Phase
coding
is
described as the phase
in which an
is substituted
by
a
reference
phase
that
represents the data
tl It depends on the
inaudibility of low
power
tones in the presence of
significantly higher
spectral components
insertion
method
done through image
files It replaces the
An
indirect
exploitation
of the psychoacoustic
masking phenomenon in
the spectral domain
LSB of
information in
each
sampling point
with a
coded binary
string
It hides secret
message as
phase shifts in the
phase
spectrum of a digital
signal
_ The phase shifts cannot be
s11110.
signal-to-noise ratio
s111110
Copyright 0 by EC-Ca
Prohibited.
Tone Insertion
Exam
312-50
Phase Encoding
GE Phase coding is described as the phase in which an initial audio segment is
substituted
by a reference phase that represents the data. It encodes the secret
message bits as phase shifts in the phase spectrum of a digital signal, achieving a
soft encoding in terms of signal-to-noise ratio.
Ethical
Hacking
and
Countermeasures
System
Hacking
Audio
Steganography:
DeepSound
CEH
i.
6.._::_:
flac
data protection
g
reload
Add Iles
Encode
IFICY
CLE.B
IN
llorraS
nandri
la
r i.
S
e
c
t
e
d
F
d
e
l
e
a
l
r
W
a
y
IA M1Er
Ol aroplaer
02
Trac k
03 Track 34.rt
04 Track 4...a
OS track 5.wly
1 a w ima
_ Inr.ddrdr 14.
-eu
14`'
"
Oa Dapy_ 10aStarao,
kaoreatladvay
McacaabinJad11.03.
Monoabn dod I 240.wer
CAIA_IS011 WAV
Sagrarebawar
401k
01
Track
vont
4111.4
http:Mpinsoft.net
Copyright 0 by iSte [Md. All Rights Reserved. Reproduction is Strictly Prohibited.
DeepSound file browser and right-click the audio file to extract your secret file(s).
Ethical
Hacking
and
Countermeasures System Hacking
rm
me I
1 el f
I446,
rI lit
:7
41.
immell. IN
NEN
Unw
RREINIAR
41,14.411.14,
OP
Tn
ed RIERS
sem
el
sob. 111.6
lualye
wrw
REN ARD
=Mr
PENIMV111.
WC,. MO4
111./.
M...1.11,1,
WO CIWIft
..NO dor
. Co,.
41111M
Ism p ila 1
I. ...............7.1.
OA..
.11131... 411
Y Otamen.1.1
-*4111
0 43 3
1111..
vi
4.
wenn, Ye
C.10.01.
04111
=1. lea
ha
1 8 RR
RR
le AM NO IRIMAIMONR4
System Hacking
Audio Steganography
Tools
Mp3stegz
CIE H
CHAOS
Universal
http://mp3stegz.sourcelorge.net
http://sofechaos.com
http://www.maxa-tools.com
i.m.1 -=1 -
SilentEye
http://www.silenteye.org
.1
BitCrypt
http://bitcrypt.moshe-szweueccom
QuickCrypto
http://www.guklarypto.com
MP3Stego
hitp://www.petilcolas.net
OR 1
CryptArkan
httpl/www.kuskov.com
Hide4PGP
http://www.heim-repp.onlinehome.de
FL"
StegoStick
http://stegostkk.sourceforge.net
e QuickCrypto available at
http://www.auickcrvpto.com
e CryptArkan available at http://www.kuskov.com
ECCouncil
by
Exam 312-50
System Hacking
Folder
Steganography:
Invisible Secrets 4
Folder steganography refers to hiding secret information in folders
Ig V .1ri-1 'F
T. vy
,ecrets 4
1.144
File,
Popup Message
me. Hat
Oneuee rem
HTML
nman.clv
ddsc
Open
Ful Path
Document
CileariskWEISSITE1
OwornAlla
akm.
Cepakboorl
Type
t awards.htth
ClerinsWEISSITEA
Clalma1WEB5ITEITernplates1
DWI
File
...'
mon.dvit
/ rnam.css
'
ma
.cssasc h
lksupport
.jpg
"ay. 11101.
tote
Onstre, LicrrwA Two.
trend:.
le
Cascading
Style... Claina1WEISSITEI
Crypted File
CilislinenWEBSITEA
ACDSee ]PEG I.
C: \ ram \ WEBSITEI
Add folders
I a Add
Has
suerelmeoll
htt
CilabrunWEBSITEITerrolates1
Next
v s th
eseme t
Back
in
folders.
Source: httn://www.invisiblesecrets.com
Invisible Secrets 4 is file encryption software that keeps cybercriminals out of your
emails and prevents attackers from viewing your private files. This software not only
encrypts your private data and files for safe keeping and securing transfer across the
net, but also hides them in such a place that no one can identify them. Even an
attacker could not locate sensitive information. Since the places the private
documents are kept appear totally innocent, such as picture or sound files or web
pages, these types of files are a perfect disguise for sensitive information. This
software allows you to encrypt and hide documents directly from Windows Explorer,
and then automatically transfer them by email or via the Internet.
by EC-Council
Ethical
Hacking
Countermeasures
System Hacking
and
[Popup Message
Name
Full Path
tlawar
HIM_ Document
C: alinaWEE15ITE
ds.htm
ACDSee JPEG
C:\alinakWEBSITE\
Crypted File
DWT File
\WEBSITE \
awards
.jpg
\WEBSITE
amai
n.dvkis
c
mai
n.d
wt
mai
n.c
ss
mai
n.c
ss.i
sc
sup
por
t.jp
g
1111
Add
files
Ba
ck
C:%alina
Crypted File
C:\alina\WEBSITE\
C: \alina \WEBSITE
Add folders
Next >
Remove
' Help
Cryptboard
jlt Close
by EC-Council
Exam
312-50
EH
Folder Lock
y
r
]
Universal Shield
http://mvureverstrike.com
http://tywurnewsoftwores.net
A+ Folder Locker
httre/firmnygiontmotrix.com
http://www.pc-mogk.com
Toolwiz BSafe
QuickCrypto
http://mvw.toohuir.com
http://www.qukkcrypto.com
http://fspranet
http://uanu.moxfoldersecure.com
EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures
System
Hacking
Spam/Email
Steganography:
Spam Mimic
mweinerssirmifflanafigname
rEaffir
re,-
-r
r o
Imr a l l
..m161.
1.78
%rim
-
11 e11111161 ...IN I fin 11.4.1
r rrA r
rir
.
re
!NN W
r o i WM 1
4 Lb
r 1 rld IMMO 14
1111
MINIM M. GM 0
1. * 0 a r r
. s r* N
Fr. d r r m
r a ma w a o w* * loa am, MO1%W
Iirrowl
birrors tr o m
H P141
III/
LP WM =MN
411 f 1. Of rr Mk/ II1VMI
aN
17 ma Ya m, hibi
Bo mg s lu m am
I. avow Is NN
abalkas 4
Ian
va ha d m . ma ..
116 ow
a a
ga to me :a =la aaML. Metal we. 1.1 dam a oroy WS
re
r
14.40 ri lirrO
1
.
mr
r 01, fro.. 11
r
r
r r r r
-.1 , :-
1sd
C T.
http://wwwspantrni
Copyright 0 by EC-Com
Ethical
Hacking
and
Countermeasures
System
Hacking
De rich
too
!
Thant
-you
for
your
seriou
s
ce eas ne ses
zon
AWN. Spa ln I
of oar
offer
,C OM
I=1
lmfs
FIGUR
E 5.78:
Spam
Mimic
Main
Page
Encode
Enter your short secret message:
Alternate encodings:
Encode as spam with a password
Encode as fake PGP
Encode as fake Russian
MEI Encode as space
home encode I decode I explanation I credits I fag fic feedback I terms I Francais
v e r e r i s p a m m im fc . c o n i
11177LIG...
Encode
e n c o d e d E n o vim
Deer Colleepoo
newsletter
If
;amply
reply
as
with
34.ineet.
5 in cur
Our publiCatiOrs
-.se
OI
and
you
will
immediately he removed from our Club . This
=nil im
-Being sent in compliance with Senate Dill 1427 ;
Title
3 Section 133 . Do NOT confuse us with Internet
aura
artists ' Why wore for somebody else when you can
become
M ad
it
as p d i .
...b ui
memo
itio rc ee
row
be
seal
tima
=i n
yaui
dick
on S e nd )
or
Launch your
program
How to copy and
paste
in
Windows
How to copy and paste in X
How to copy and paste on a Mac
Exam
312-50
Natural
Text
Steganography: Sams
Big G Play Maker
Natural text steganography programs convert sensitive information
in to a userdefinable free speech such as a play
Wordlists
Equiv.
(Phi stutters 1
times)
Mire saes 'Mine's
a pint"
Harold says 'Hot
steamy gins!"
(A.darn skillets 1
times)
Jason says "Alive"
Pavan
scratches
head
1
times)
Jason says 'Yes
thank you " Mare
says 'Where?'
Harold says At your
command?'
(Mee
strikes Mike 1 limes)
Phi says Where?'
Paul says 'What does
MPEG mean?" Paul says
"Ahl An earthling!"
Kenny sees 'Hot
steamy wits!"
(Mice slots
forward 1 times)
JYA says "Mine's a
part"
M r F la n k, sa y * N o t : t a wn y g i l d "
Mee says "Hot steamy Tits!"
Phi says Did he mean to de
jug
then?"
Mt Hanky says '1 naves talk
politics."
Sear tAlk
gm,
ledehoul"
Jason says "But I
lead slashdor
Ear
end at nem
Co
py
rig
ht
hrtp://www.scrarndisk.cloraner
Ethical
Hacking
and
Countermeasures
System
Hacking
Sams
big
play
maker
General
Wordlists Equiv.
Hi, Confidential meeting at 5 PM, Must attend.
Exam
CE
cl
f
Levels of Visibility
g y re
312-50
c m u c u ul l i s
11111111111IMMINIII
Redundancy is needed
for a robust method
of
embedding
the
message,
but
it
subsequently
reduces the payload
Robustness and
payload
are inversely related.
Therefore, the smaller
the
payload, the more
robust
it will be
Data compression
techniques are of
two
types: lossy and_
lloosssslleessss
o Conversion of
lossless
information
compressed
to
lossy
information destroys
the secret information
present in the cover
EZE
Copyright 0 by Wt' .Ilia. All Rights Reserved. Reproduction isStritdy
Prohibited.
system:
e File system begins with random data.
e The encrypted blocks are written to the pseudorandom locations using the
key
acquired
from the filename and directory password to hide the file blocks in random
data. When
Exam
312-50
the file system continues to be written to, collisions occur and the
blocks are overwritten, allowing only a small portion of the disk space to be
safely utilized.
Multiple copies of each block should be written.
(7)
A method to identify the blocks when they are overwritten is also required.
Levels of Visibility
If the embedding process distorts the cover to the point that it is visually
unnoticeable, meaning if the image is visibly distorted, then the carrier is
insufficient for the payload. Likewise, if the image is not distorted, then the
carrier is adequate. The way a message is embedded will determine whether the
data is perceptible or not. To reduce the theft of data, the presence of a watermark
is often publicized. However, publicizing the presence of a watermark also
allows various methods to be implemented to attempt to alter or disable the
watermark. When the visibility of the data is increased, the potential for
manipulation of the data also increases.
Exam
312-50
Steganalysis
CEH
Steganalysis is the art of discovering and rendering covert messages using steganography
Challenge of Steganalysis
'Suspect information stream may or may not have encoded hidden data
Some of the suspect signals or files may have irrelevant data or noise
encoded into them
Steganalysis
Exam
312-50
Exam
Steganalysis
Methods/Attacks
on Steganography
312-50
C1EH
changed.
because
different
store
Known-
Known-message
message
Chosen-
algorithm
is known and both
the
and
the
formats
The
stego-object
and
the
original cover-object
are
available,
which
are
compared
to
identify
hidden
information
This attack generates
stego
objects from a chosen
Disabling or Active
stego
During the
communication
proces
active
attackers can
change the cover
Chosen-
message
using specific
steganography
tools in order to identify
the
steganography algorithms
The stego-object
and
steganography
algorithm are identified
Copyright 0 by W'
Prohibited.
n
.
file
works
Known-stego
cover
Steganography
original
stego-
This
Stego-only attack
The stego-only attack takes place when there is only the stego-medium,
which carries
out the attack. The only way that this attack can be avoided is by
detecting and extracting the embedded message.
Reformat attack
In this method the format of the file is changed. This works because
different file formats store data in different ways.
Known-cover attack
The known-cover attack is used with the presence of a stego-medium as
well as a
cover-medium. This would enable a comparison to be made between both the
mediums so that the change in the format of the medium can be detected.
EC-Council
.1011k
Known-message attack
The known-message attack presumes that the message and the stegomedium are present, and the technique by which the message was embedded
can be found.
Known-Stego attack
In this attack, the steganography algorithm is known and both the original
and stegoobject are available.
Chosen-stego attack
The chosen-stego attack takes place when the forensic investigator
generates a stegomedium from the message by using a special tool. Searching for signatures
that will enable the detection of other steganography mediums can carry out such an
attack.
i0"
Chosen-message attack
Ethical
Hacking
and
Countermeasures
System
Hacking
Text File
H
Image File
C
are made to the character
positions for hiding the data
C
J The alterations are detected by
MOM
to
the
existence
hidden
.J
of
the
data
Statistical
analysis
method is
used for image scanning
information within
the cover medium. In this, the unused bits of data in computer files such as
graphics, digital images, text, HTML, etc. are used for hiding sensitive information
from unauthorized users. Hidden data is detected in different ways depending on
the file used. The following file types require specific methods to detect hidden
messages. When a message is hidden in a file in such a way that only the
authorized user aware of the hidden message can read or recover the message,
probably the alteration is applied to the cover or carrier file. The alteration varies
based on the type of file used as carrier.
Text Files
For text files, the alterations are made to the character position for hiding
the data. These alterations can be detected by looking for text patterns or
disturbances, the language used, line height, and unusual number of blank spaces.
Image Files
The information that is hidden in the image can be detected by
determining changes in size, file format, last modified, last modified time stamp, and
color palette of the file.
Exam
312-50
Statistical analysis methods can be used when scanning an image. Assuming that
the least significant bit is more or less random is an incorrect assumption since
applying a filter that shows the LSBs can produce a recognizable image. Therefore, it
can be concluded that LSBs are not random. Rather, they consist of information about
the entire image.
Whenever a secret message is inserted into an image, LSBs are no longer
random. With encrypted data that has high entropy, the LSB of the cover will not
contain the information about the original and is more or less random. By using
statistical analysis on the LSB, the difference between random values and real
values can be identified.
Ethical
Hacking
and
Countermeasures System
Hacking
Detecting
Audio and
Video Steganography
C EH
Audio File
Statistical analysis method
can also be used for audio
files
since
the
LSB
modifications are also used
on audio
The
inaudible
frequencies
can
be
scanned for information
The odd distortions and
patterns
show
the
existence of the secret
data
Video File
Administrator
Video File
In video steganography, confidential information or any kind of files
with any extension are hidden in a carrier video file either by using audio
steganography or image steganography tools. Therefore, the detection of the
secret data in video files includes a combination of methods used in image and
audio files. Special code signs and gestures can also be used for detecting secret data.
Ethical
Hacking
and
Countermeasures System
Hacking
A011111111
Steganography Detection
IEH
Tool:
Gargoyle InvestigatorTM Forensic ProC
J
Gargoyle nvestigator'" Forensic Pro provides inspectors with the ability to conduct a quick
search on a given computer or machine for known contraband and hostile programs
- Its signature set contains over 20 categories, including Botnets, Trojans, Steganography, Encryption, Keyloggers,
I
etc. and helps in detecting stego files created by using BlindSide,
5-Tools, etc. steganography tools
WeavWav,
t.
Vair 1111~
vr
INF* Ililili
f l . 6 7)
4
tf-1
.
1
.
M
A
P
*
http://swiwwetstorretech.com
Copyright 0 by Ell:-Cg
Prohibited.
Steganography
Detection
Tool:
Gargoyle InvestigatorTM Forensic
Pro
Source: htto://www.wetstonetech.com
Gargoyle InvestigatorTM Forensic Pro is a tool that conducts quick searches on a given
computer or machines for known contraband and malicious programs. It is possible
to find remnants even though the program has been removed because the search is
conducted for the individual files associated with a particular program. Its
signature set contains over 20 categories, including botnets, Trojans, steganography,
encryption, keyloggers, etc. and helps in detecting stego files created by using
BlindSide, WeavWav, S-Tools, etc. It has the ability to perform a scan on a standalone computer or network resources for known malicious programs, the ability of
scan within archive files, etc.
Ethical
Hacking
and
Countermeasures
System
Hacking
,A tr
- .103 13113300 on
11,1
I.
1
rw
39.4
Mid
133
01
14
13
- 131311011
19/1W
313130 M A TH
1.3
349
1.4
09313d
41f17,11.41
WM
1
PewhtiN t 331331943334
794/
1.
-1
3
1
33
44,-11101
11
210
33
13
14
23
31
1.3
71
.13
11
11
17
19
I1
19
34
1/21711112.
217/71111
VANN
el1/11411111
-
. 3,0 -
IA / MI.. .1111.1111k
v.
ell. 1 1-433313
5/29/190011:01:10 DIA
52072200 I149,08111
1729/2200 11.04:10 119 I
II 9/14.24
$.:7147
44 02:
1149 AM
to. JO
?,11w1
1'.1.3
99""992
43. X171
0347431.
:011
1.1301
Pet!:(11
in
]
Exam
312-50
C1EH
Xstegsecret
StegAlyzerSS
http://stegsecret.sourceforge.net
http://www.sorc-wv.com
Stego Suite
StegMark SDK
http://www.wetstonetech.corn
http://www.datamark.com.sg
StegAlyzerAS
Steganography Studio
http://www.sarc-wv.com
httpl/stegstudio.sourceforge.net
Virtual
Steganographic
StegAlyzerRTS
Laboratory (VSL)
http://wo,ourceforge.net
http://www.sarc-tw.com
cy
StegSpy
Stegdetect
httpWwww.spy-huntertom
http://www.outguess.org
Laboratory
(VSL)
available
at
http://vsl.sourceforge.net
Stegdetect available at http://www.outguess.org
Ethical
Hacking
and
Countermeasures
System
Hacking
Cracking
Passwords
.
1
rnpyrishr 0
by FC-ltrad
Hiding Files
Covering Tracks
Penetration Testing
Ethical Hacking and Countermeasures Copyright
EC-Council
by
Exam
312-50
ring
ri ngs
4
4
The attacker may not wish to delete an entire log to cover his or her tracks as it
may require admin previleges. If the attacker is able to delete only the attack
event logs, even then the attacker hides himself or herself from being detected.
e The attacker can manipulate the log files with the help of: SECEVENT.EVT
(security):
failed logins, accessing files without privileges
e
Exam
312-50
Covering Tracks
H
Once intruders have successfully
., they will try to cover the tracks to
avoid their detection
Covering Tracks
Erasing evidence is a requirement for any attacker who would like to
remain obscure. This is one method to evade trace back. This starts with erasing
the contaminated logins and possible error messages that may have been generated
from the attack process. Next, attention is turned to effect any changes so that
future logins are not allowed. By manipulating and tweaking the event logs, the
system administrator can be convinced that the output of his or her system is
correct, and that no intrusion or compromise has actually taken place.
Since the first thing a system administrator does to monitor unusual activity is to
check the system log files, it is common for intruders to use a utility to modify the
system logs. In some cases, rootkits can disable and discard all existing logs. This
happens if the intruders intend to use the system for a longer period of time as a
launch base for future intrusions, if they remove only those portions of logs that can
reveal their presence with the attack.
It is imperative for attackers to make the system look like it did before they gained
access and established backdoors for their use. Any files that have been modified
need to be changed back to their original attributes. There are tools for covering
one's tracks with regard to the NT operating system. Information listed, such as
file size and date, is just attribute information contained within the file.
Exam
312-50
Exam
312-50
H
J Remove Most Recently Used (MRU), delete cookies, clear cache, turn off AutoComplete,
In Windows 7
From
the
Registry
in
Windows 8
HKCU \Software \
Microsoft\
Windows\CurrentVe
rsion\
and
Explorer
remove
and
then
the
N
Copyright 0 by EC-Co
y Prohibited.
tracks:
e Private browsing
e
History in the
address
field
Disable stored
history
e
Delete
private data
e
Clear
cookies
on
exit e
Clear
cache
on
exit
Delete
downloads
e Disable password manager
e
Clear
password
data
in
manager
Ethical
Hacking
Countermeasures
Hacking
and
System
Delete
user
JavaScript
e
Set up multiple
users
e
(MRU) e
the
browsers
Turn
off
AutoComplete
4 Appearance and
Personalization 4
In Windows 7
e Click the Start button, choose Control
Panel
Taskbar and Start Menu.
e
Click the Start Menu tab, and then, under Privacy, clear the Store and
display
a
list
of
recently opened programs check box.
From the Registry in Windows 8
e
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then
remove
the
key
for "Recent Does"
e Delete all the values except "(Default)"
Exam
312-50
C_1E H
:
Zi a z a ; : : 7 1 : : : 1 : : : : 1 : a u d i t y e l
im
/ mo t
/e at ego ry i .e y eto n -. .
:sgs e rs , A d mi nis
aud ityel
c ccc cc
/get
/c at ego ry :*
ys ts n
a ud it
po l ic y
ategory/Suhc ategory
ve le m
Secm1.X ymliniten Ex tttt len
Sotting
SUGGC33 and Fail
Success and Fall
iesem.
Lag ei l
Le t t tt t
"'sec Main Med.
Hamm
;Fatah Phi* 4
F e r.
Nu
No
No
No
No
No
No
o.
No
No
Devi ce
Nei
:n,e ct
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Cl aim.
Auditing
ga met e
run
Seaton
11.7.4 i n t r y
Fernall Oldnut
can
C e r t i l is e t ie n S e rv i ng .
A gg lima tie e
Needle Manipulation
Pile S hare
Fi lt er i ng ttt tt ur n Pa c ke t
O n ly
filtoring Manna Comma. ler
n th. , O hj met t t t t t t
r e mi t ,
D eta i le d V ile
Peacea ble S torage
Ce ntra l
Pel ieg
No
v ir i le .: ge e
No,. Sens itiee Privilege
0 , te r Pr i v il e y s I l s e
S .v.s ltie n
Nu
e ta t l e d Tra c ki ng
Proe m
C r.
'
Pr e e ns , te r mi na t i o n
No
No
No
No
No
No
No
Nu
No
No
Nu
lin
No
S tagieg
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Auditing
Aro
Nu Auditing
No Auditing
I ls e
Pr ivi lege
Auditing
Ne
No
Auditing
duetting
http://www.microsoftcom
Copyright 0 by EC-Caused. All Rights Reserved. Reproduction is Shictly Prohibited.
Tool Auditpol.exe is a part of the NT resource kit and can be used as a simple
command-line utility to find out the audit status of the target system and also make
changes to it.
The attacker would need to install the utility in the WINNT directory. He or she
can then establish a null session to the target machine and run the command:
C:\> auditpol
This will reveal the current audit status of the system. He or she can choose to
disable the auditing by:
C
:\> auditpol
/d isable
Exam
312-50
This will make changes in the various logs that might register his or her actions. He
or she can choose to hide the registry keys changed later on.
The moment the intruders gain administrative privileges, they disable auditing with
the help of auditpol.exe. Once their work is done, after logout intruders again turn on
the auditing by using same tool: audit.exe.
0
AdminisUator. Command
Prompt
':NUleersAdmini
)auditpol / s e t
snob le / f a i l u r e : e n a b l e
he
d was successfully executed.
::NUerNildmini rrrrrrr >auditpol
a
/get
/c
/c
.
y/S
:A
Sett
ing
.yetem
Security System Ex
ion
System I
it y
IPsc Driver
Other System Events
Security State Change
1.... on/Losinff
1,09011
!mg.( f
Account Lockout
I Pec Main Mode
I Pec Quick Mode
IPc Extended Mode
Special Logon
Other Loaron/Logof f E
Network Policy Server
Uer / Device Claims
:lijr. t Access
rile System
Reg iutry
Marne l Object
SAM
Corti/ ict ion Services
Application Generated
Handle Manipulation
Pile Share
Filtering Platform Packet Drop
IN I tering Platform Co
ion
Other Object Access Events
Detailed Pile Share
Removable S
Central Policy Staging
Privilege Use
Nan Sensitive Privilege Use
Other Privilege Use Events
Sens it Iva Privilege Use
dret I led Tracking
Process Creation
Process Termination
bc
Success
Success
Success
Success
Success
and
and
and
and
and
No
No
No
No
No
No
No
No
No
No
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
ing
ing
ing
ing
ing
ing
ing
ing
ing
ing
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
Audit
ing
ing
ing
ing
ing
ing
ing
ing
ing
ing
ing
ing
ing
ing
Pale.
Pal
Pal'
Pal.
Pal
No Audit ing
No Audit ing
No Audit ing
No Audit ing
No Audit ing
Nu Aml I t
Exam
312-50
0.1,1
m.111- Ni.sn)
111
4.114.4.mmo{ 4111.04.
my
.-
41.103.
lellAm101410Pod
Mob dem lbw
I
IRO
1ofterarr
Maul
e PIN
NO I
Mem
80
I
o
SW..
also
on.. (give IhamIlkoments
5firsr Vary
SRO
r? %Iron ham wr Mrs
PR
O
II
rad
10
toad go Mod
r
miew
'we
ar.
ON... Cahn
En Cadloo
Craw. / r
..*
Gam
lower Cabot
SO
6,
SO
R I MS
OlsO
SO
1.1
z
m ar
Ethical
Hacking
and
Countermeasures
System
Hacking
tf
44r
alMa t i . a .
C41. ma= NY 0710
V11e, nu. au crow a
M C al . . MO MAW cn .
we,
4 OG1 ZAP W
Clamor
Na ma . Rp
., a
T..
CIZINMG "Wirt CO
IX 1411 to t 400, e l
0.111 re/ Neste be &bad (Vas. he Mut..
1 61.1
/ft
aired.
*.$
I. wan
- ,..-.
invItael En n o b
Or
r,,est ley. ,
f
O a..
co.nA
ebtorr
0 0.re Cree.
- tans
'Goma 0,
I 10
Cady
CGa
Me ,
Application
Tracks
p% Over* - 11
1 100
Y4
11 0
,..
100aars
W
in
do
w
s
T
as
ks
FIGURE 5.82: CCleaner Screenshot
Council
Exam
312-50
EH
MRU-Blaster is an application for Windows
that allows you to clean
the most recently used
lists stored on your
computer
1r 5.1.0
rye oleturo tent In wet mgt..) have teen ...led m thn leek., to al...3 eu re perranen
gwe 'hen n acannng. A, nom ha re clvd.od below wit ha ecarn.cl
Ochti s ae Awv...........k.5 &le invenfr,
s=tetss
r
Wit ikatel Results
-Ram!
'ma, lens Ueteded 37B
4
Wiecbweflectrol'
Feld.
lien
30
v Wodows 'Record Fold.
Ann . 33
4 Inlernal ENFloo, PRO item Nom Download
Dimino V 1.15 Litool3t1 Most Hem,' Appledon
4 MS Cit.o.13.4. . Moll Rocont Applealion
V NS DimmIrput Most Recent Appleolon
-Name
go GS riorlIrpul Nrot Resent Applretinn
ID
M Oliaosalt Mormoomot Console Rcm
h int
r CualcniteNaiicdicrnPhl nmn
C
7j
Clem Ms
SIIINN,
n......iFib
...di
m
C WIndonn Nv o Pews
II
Copyright 0 by
EC-Cs unci.
no.
Ethical
Hacking
and
Countermeasures System
Hacking
Resuks:
Total Items Detected: 378
v] Windows Recent
Folder Item 38
.01 Windows 'Recent'
Folder
Item
39
w Internet Explorer - MRU Item Recent
Download
Directory
MS Direct3D Most Recent Application
MS DirectDraw - Most Recent
Application
yr MS Directlnput - Most Recent
Application Name
t i nt MS Directlnput - Most Recent
Application - ID
iioj Microsoft Management Console - Recent
Fie List Fdel
soi Microsoft Management Console - Recent
Fie List File2
[.9 Microsoft Management Console - Recent
Fie List File3
LI Microsoft Management Console - Recent
Fie List File4
LiWindows Explorer - RecentDocs Stream
MRU - MAIN
LI Windows Explorer - RecentDocs Stream
MRU
Mein Menu
at us er imp / es t i h a v e b e e n ad d e d i n t h is s e c ti o n t o a l lo w
y o u t o p e r ma n e nt ly
ig n o re t h e m i n s c a n n i n g
A ny i t e m t h a t i s c h e c k e d b e lo w w il l b e
s c a n ne d .
altVlee2(
FA*" ot,
r..-;
W i n d o w s ' n u n . . . " D ia l o g M R U
rJ
ap ta tr il t n A-Ly s de w
AWSItf ew
Kr-
M icros o ft Ol fi ce MR U I te ms
rJ
Wi n d o w s S tr ea m M R U
M i c r os o f t O f f i c e " R e c e n t"
Wi n d o w s ' n e c e n r
fo l d e d s ]
I
tr.
l
F:/
C o le ! P res e n ta ti o ns MR U I t e ms
Various
Etat., Single
MRU Items
Wo r d Pe r f e c t M R U I t e ms
IN
Unread M ail C ount [' Win XP
Loga n )
fo ld eris l
W i n d ow s U s e r A s s i s t M R U s
P Windows Network
Items
Q u a t lr o Pr o MR U I t e ms
M S V is u a l S t u d i o G O M R U I t e ms
I ns tal l Lo cat io n s MR U
C us to miz e N ot il ic at io n s Pas t I te ms 21
Wi n d o w s O p e n W ith MR U s
A ny it e ms n ot o n t hi s 1s t
can
be fo u n d o n t he s ca n res u k s s c ree n .
P lug ins
MR U -Blas ter p lug- ins provid e add it ional c lea ni ng s up p ort
for
othe r ite ms o n d is k.
Go to Plugins
Save Settings
Clos e
by EC-Council
Exam
312-50
EvidenceEraser
http://privocyroot.com
http://xnewevidenceeroser.com
WinTools.net Professional
http://svanv.acesoft.net
http://svww.svintools.net
BleachBit
Cache
http://bleochbit.sourceforge.net
Cleaner
(RtC3)
http://www.kleinsoft.co.zo
AbsoluteShield
Internet
AdvaHist Eraser
Eraser Pro
http://www.odvocrypt.cjb.net
http://auw.internet-trock-eraser.com
Clear My History
http://unnwhide-my-ip.corn
Intp://svuou.eusing.com
Copyright 0 by ECte MCI. All Rights Reserved. Reproduction Is Sul cti y Prohibited.
Track Covering
Tools
Track covering tools protects your personal information throughout your
Internet browsing by cleaning up all the tracks of Internet activities on the
computer. They free cache space, delete cookies, clear Internet history shared
temporary files, delete logs, and discard junk. A few of these tools are listed as
follows
e
Eraser
Pro
available
at
http://www.acesoft.net
BleachBit
available
http://bleachbit.sourceforge.net
at
Cookie
&
Cache
Cleaner
(RtC3)
available
at
http://www.kleinsoft.co.za
AdvaHist Eraser available at http://www.advacrvpt.cib.net
e Free Internet Window Washer available at http://www.eusing.com
Exam
312-50
CE
H
r-
Cracking
PPasswords
Escalaitting
Privileges
Executing
1
1
Applications
Penetration
Testing
rip
r
-
Cracking Passwords
10100)
Executing Applications
Covering Tracks
Penetration Testing
Council
by EC-
Ethical
Hacking
and
Countermeasures
System
Hacking
Password
Cracking
H
Perform Manin-theMiddle
Attack
START
Perfor
m
Rulebas
J
Load the dictionary file into the
cracking application that mils
against
user accounts
Attack
Having
access to the
password?
Check
for
password
Perform Hybrid Attack
Acquires
access
to
the
communication
channels between victim and
server
to
extract the information
complexity
Perform
Dictionary
Attack
to remote systems
Perform
Brute forcing
Attack
Exam 312-50
System Hacking
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures System
Hacking
Lr
Password Cracking
Perform
Replay
Attack
(Cont'd)
Perform
Shoulder
Surfing
A
Perform
Password
Guessing
Perform
Trojan/Spy
ware/
Perform
Dumpster Diving
Perform
Social
Engineering
CEH
keyloggers
Perform
Hash
Injection
Attack
Perform
Rainbow
Attack
Perform PreComputed
Hashes
Perform
Distributed
Network Attack
Copyright 0 by Ette
Exam
312-50
Step
16:
Perform
dumpster diving
Check the trash bin of your target to check whether you find confidential passwords
anywhere. Step 17: Perform social engineering
Use the social engineering technique to gain
passwords.
Step
18:
Perform
shoulder
surfing
Check whether you can steal the password by using shoulder surfing.
Ethical
Hacking
and
Countermeasures System
Hacking
Privilege Escalation
41111111111111W
priumera.
tPii user
na
arts Etacted
passwords
Interactive
lognn
privile
ges
are
restri
cted?
Try
to
run
services
as
unprivileged
accounts
Use
privilege
escalation
tools
Use
privilege
escalation tools
such as Active@
Password
Changer,
Offline
NT
Password
& Registry Editor,
Windows
Password Reset Kit,
Windows
Password Recovery
Tool,
ElcomSoft System
Recovery,
Trinity Rescue Kit,
Windows
Password
Recovery Bootdisk,
etc.
Privilege Escalation
Once the attacker gains the system password, he or she then tries to
escalate their privileges to the administrator level so that they can install malicious
programs or malware on the target system and thus retrieve sensitive information
from the system. As a pen tester, you should hack the system as a normal user and
then try to escalate your privileges. The following are the steps to perform privilege
escalation:
Stepl: Try to log in with enumerated user names and cracked passwords
Once you crack the password, try to log in with the password obtained in order to
gain access to the system. Check whether interactive logon privileges are restricted.
If YES, then try to run the services as unprivileged
accounts.
Step2:
Try
to
run
services
as
unprivileged accounts
Before trying to escalate your privileges, try to run services and check whether
you have permissions to run services or not. If you can run the services, then use
privilege escalation tools to obtain high-level privileges.
Step3: Use privilege-escalation tools
Use privilege-escalation tools such as Active@ Password Changer, Offline NT
Password & Registry Editor, Windows Password Reset Kit, Windows Password
Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password
Recovery Bootdisk, etc. These tools will help you to gain higher level privileges.
Ethical
Hacking
and
Countermeasures System
Hacking
clE
Executing
Applications
ltd. START
V
Check
if
firewall
software
and antikeylogging
software are installed
V
Check if
the
hardware
systemsar
e secured
in a
locked environment
ry
CO
use
keyloggers
V
etc.
Executing Applications
Pen testers should check the
loopholes.
Stepl: Check antivirus installation on the target system
Check if antivirus software is installed on the target system and if installed, check
that it is upto-date or not.
secured
in a locked
Exam
312-50
by EC-Council
All Rights Reserved. Reproduction is
Strictly Prohibited.
Ethical
Hacking
and
Countermeasures
System
Hacking
C EH
Hiding Files
W START
Mita irstallrootkits
steganalysis
in the target
Perform
technique
41
Use steganography
Detection technique
message
hide secret
Perform Signature
hidden
Use Windows
I
Based Detection
to
stream (NTFS-ADS)
technique
code
inject malicious
based Detection
are
and applications
technique
updated
Check
if
anti-
Hiding Files
An attacker installs rootkits to maintain hidden access to the system.
You should follow pen testing steps for detecting hidden files on the target
system.
Stepl: Install rootkits
First try to install the rootkit in the target system to maintain
hidden
access.
Step2:
Perform
integrity-based
Detection
techniques
Perform integrity-based detection, signature-based detection, cross-view-based
detection, and heuristic detection techniques to detect rootkits.
Exam
312-50
Exam
312-50
Covering Tracks
Close
all
remote
connections to
the
victim machine
Close
any
opened
t9 Tamper log files such as event log files, server log files
and
proxy
log files by log poisoning or log flooding
t) Use track covering tools such as CCleaner, MRUBlaster,
Wipe,
Tracks Eraser Pro, Clear My History, etc.
port
Copyright 0 by EC'-
Covering
Tracks
The pen tester should whether he or she can cover the tracks that he or she
has made during simulating the attack to conduct penetration testing. To check
whether you can cover tracks of your activity, follow these steps:
Stepl: Remove web activity tracks
First, remove the web activity tracks such as such as MRU, cookies, cache, temporary
files, and history.
Step2: Disable auditing
Try to disable auditing on your target system. You can do this by using tools such as
Auditpol. Step3: Tamper with log files
Try to tamper with log files such as event log files, server log files, and proxy log files
with log poisoning or log flooding.
Use track covering tools such as CCleaner, MRU-Blaster, Wipe, Tracks Eraser Pro,
Clear My History, etc.
Step5: Try to close all remote connections to the victim
machine Step6: Try to close any opened ports
Ethical
Hacking
and
Countermeasures System
Hacking
Module Summary
C EH
Module Summary
e Attackers use a variety of means to penetrate systems. e
Password guessing and cracking is one of the first steps. e
Password sniffing is a preferred eavesdropping tactic.
e
spyware tools
Invariably, attackers destroy evidence of "having been there and done the damage." e
Stealing files as well as hiding files are the means to sneak out
sensitive
information.