
Ethical Hacking v10 Module 15 – System Hacking
System Hacking Goals
• Understand techniques to gain system access
• Understand password cracking
• Understand privilege escalation
• Understand how to create and maintain remote access to a system
• Describe different types of rootkits
• Describe steganography
• Describe how to hide evidence of compromise
Module 15.0 System Hacking
• 15.1 System Hacking Methodology
• 15.2 Windows System Vulnerabilities and Exploits
• 15.3 Linux System Vulnerabilities and Exploits
• 15.4 Password Cracking Methods
• 15.5 Network Service Password Cracking
• 15.6 Windows Password Cracking
• 15.7 Linux Password Cracking
• 15.8 Password Cracking Tools
• 15.9 Other Methods for Obtaining Passwords
• 15.10 Keylogging
• 15.11 Spyware
• 15.12 Rootkits
• 15.13 Hiding Files
• 15.14 Steganography
• 15.15 Privilege Escalation
• 15.16 Creating and Maintaining Remote Access
• 15.17 Hiding Evidence
• 15.18 System Hacking Penetration Testing
15.1 System Hacking Methodology
System Hacking Goals
• Gain access
  • OS vulnerabilities
  • Service and application vulnerabilities
  • Social Engineering
• Escalate privilege
  • Kernel flaws
  • Social Engineering
• Execute applications
  • Plant RATs
  • Run payloads
• Hide files
  • Leave malicious files on system
• Cover tracks
  • Clear logs and history
15.2 Windows System Vulnerabilities and Exploits
Common Windows Operating System Exploit Categories
• Remote code execution: any condition that allows attackers to execute arbitrary code
• Buffer or heap overflow: a programming error that allows attackers to overwrite allocated memory addresses with malicious code
• Denial of service: any condition that allows attackers to use resources so that legitimate requests can’t be served
• Memory corruption: a programming error that allows attackers to access a program’s memory space and hijack the normal execution flow
• Privilege escalation: any condition that allows attackers to gain elevated access to a compromised system
Windows Kernel
• The Windows kernel is the core part of the Windows operating system that manages memory, schedules processing threads, and manages device I/O
• Runs in Ring 0 and has priority over all other processes
• Exploits that attack the kernel escalate privileges and destabilize the entire system
Memory Vulnerabilities
• Program flaws that result in improper access or handling of objects stored in memory
• Memory corruption can lead to arbitrary code execution or DoS
• Often not logged by the Operating System and results in system destabilization
• Common Windows memory exploits:
  • Use-After-Free
  • Buffer overflow
  • Heap overflow
  • Integer overflow
  • Memory leak DoS
15.3 Linux System Vulnerabilities and Exploits
Linux Operating System Vulnerabilities
• Linux distributions are versions of the open source Linux operating system kernel packaged with other components such as installation programs, management tools, and other software
• Similar categories of vulnerabilities as in Windows:
  • DoS
  • Information disclosure
  • Buffer or heap overflow
  • Privilege escalation
  • Remote code execution
  • Memory corruption
  • Security feature bypass
  • Directory traversal
Frequently Exploited Linux Features
• ret2libc
  • Description: reuses an existing function in the C library; eliminates the need for the attacker to inject their own shell code to take control of a target; allows arbitrary code execution and escalation of privilege
  • Exploit: https://www.exploit-db.com/docs/english/28553-linux-classic-return-to-libc-&-return-to-libc-chaining-tutorial.pdf
• Insecure sudo
  • Description: similar to the Windows RunAs command; under certain conditions, this vulnerability allows attackers to bypass protections and execute commands that would normally require a password, resulting in privilege escalation
  • Exploit: Exploit-db.com contains 24 sudo-related exploits
• Sticky bits
  • Description: permission bits set on directories; only the owner can delete or rename files in the directory; useful in the shared directories /var/tmp and /tmp; sticky bit exploits can be disruptive and cause DoS
  • Exploit: https://www.exploit-db.com/exploits/16216/, https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit/, https://gist.github.com/anonymous/10165224


Frequently Exploited Linux Features (cont’d)
• SUID executables
  • Description: SUID allows a user to run a command as another user; used by administrators to change a user's password; allows an application to run as the owner when the SUID permission bit is set; many executables use SUID but are poorly coded and can allow an attacker to escalate privilege
  • Exploit: https://www.pentestpartners.com/security-blog/exploiting-suid-executables/
• Dirty COW Bug
  • Description: a race condition in mm/gup.c leverages incorrect handling of the copy-on-write (COW) feature by the kernel memory subsystem (/proc/self/mem); allows writing to private, read-only memory mappings; affects Linux kernel 2.6.22 < 3.9 (x86/x64); CVE-2016-5195
  • Exploit: https://www.exploit-db.com/exploits/40839/, https://www.exploit-db.com/exploits/40616/


Frequently Exploited Linux Features (cont’d)
• Five Year Bug
  • Description: a race condition created by raw mode PTY local echo permits privilege escalation; affects Linux kernel 3.14-rc1 < 3.15-rc4 (x64); CVE-2014-0196
  • Exploit: https://www.exploit-db.com/exploits/33516/
• Remote Root Flaw
  • Description: insecure second checksum in udp.c can give a remote attacker total control of a system using UDP traffic; affects pre-4.5 Linux kernel; CVE-2016-10229
  • Exploit: https://www.rapid7.com/db/vulnerabilities/panos-cve-2016-10229


Where to Find System Exploits
• Metasploit Modules
• Packetstormsecurity.com
• exploit-db.com
• GitHub
• Google!
Packetstormsecurity.com Example
15.4 Password Cracking Methods
Where Passwords are Stored
• Security Accounts Manager (SAM)
• Active Directory (ntds.dit)
• /etc/passwd & /etc/shadow
Password Salting
• A salt is additional random data added to a user’s password before it is hashed
• Lengthens and randomizes the password, making it harder to crack
• Salts should be unique to each user, and never reused
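As an added illustration (not part of the course slides), the following Python shows per-user salting in practice with PBKDF2-HMAC-SHA256 from the standard library; the record format, iteration count and salt size are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added illustration (not course material): per-user salted password storage
# with PBKDF2-HMAC-SHA256. The record layout, iteration count and salt size
# below are assumptions chosen for the example.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn on every call unless one is supplied, so two
    users who chose the same password end up with different stored records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt stored in the record and compare in
    constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_hash(password: str) -> str:
    """The weak scheme salting replaces: one hash per password and no salt, so
    equal passwords give equal hashes and one precomputed table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def compare_schemes(password: str) -> dict:
    """Store the same password twice under both schemes and report whether the
    two stored values differ (they do only when a per-user salt is involved)."""
    return {
        "unsalted_differs": unsalted_hash(password) != unsalted_hash(password),
        "salted_differs": hash_password(password) != hash_password(password),
    }
```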
Finding Default Passwords on the Internet
• Search for defaults on these sites:
• open-sez.me
• www.fortypoundhead.com
• cirt.net
• www.defaultpassword.us
• defaultpasswords.in
Dictionary Attack
• An attack where a password cracking tool goes through a list of words until it either finds the password or exhausts the list
• The hope is that a large enough list contains the password because users choose easy passwords
• Researchers have spent years collating wordlists
• Practical limitations:
  • Must know user name, though user names can also be in wordlists
  • Lists can become unwieldy in their size (1.5 billion words ≈ 15 GB uncompressed)
  • Lockout policies on authentication systems
Dictionary Attack (cont’d)
• Bypassing techniques include:
  • Steal copy of file or database containing credentials (offline cracking)
  • Induce system to dump hashed passwords
  • Intercept authentication and send to a password cracker
  • Run cracker against network service without lockout
  • Run cracker against accounts exempt from lockout (e.g., admin/root)
Rainbow Table Attack
• A Rainbow Table Attack is an attack where passwords in the wordlist have been pre-computed into their corresponding hashes, then compressed in a highly efficient manner
• Makes offline cracking much faster
• Works with stolen file of password hashes
• Reduction function reduces size of table
• 64 GB of a rainbow table can contain around 70 trillion hashes
• 64 GB of a wordlist can only contain around 6.5 billion passwords
• Requires less computational power than a plaintext dictionary
• Password crackers that can use rainbow tables include Ophcrack, RainbowCrack, and CAPEC
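An added toy implementation (not from the course) of what the bullets above describe: a rainbow table over 4-digit PINs hashed with unsalted MD5, with a column-dependent reduction function, storage of chain endpoints only, and the lookup that re-walks chains; the chain length, start points and reduction function are assumptions, and the last helper shows why a salt makes the table useless:

```python
import hashlib

# Added illustration (not from the course slides) of how a rainbow table trades
# storage for computation, on a toy space of 4-digit PINs hashed with unsalted
# MD5. Chain length, start points and the reduction function are assumptions.
SPACE = 10_000          # PINs "0000" .. "9999"
CHAIN_LEN = 20          # hashes covered per stored chain
START_STEP = 20         # one chain per 20 PINs -> at most 500 stored endpoints


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def reduce_(digest_hex: str, column: int) -> str:
    """Reduction function: map a hash back into the PIN space. Mixing in the
    column index is what makes this a rainbow table (it limits chain merges)."""
    return f"{(int(digest_hex[:8], 16) + column) % SPACE:04d}"


def build_table(chain_len: int = CHAIN_LEN, start_step: int = START_STEP) -> dict:
    """Walk hash -> reduce -> hash ... from each start point and keep only the
    endpoints. Everything in between is recomputed on demand during lookup."""
    table = {}
    for start in range(0, SPACE, start_step):
        pin = f"{start:04d}"
        for column in range(chain_len):
            pin = reduce_(md5hex(pin), column)
        table.setdefault(pin, []).append(f"{start:04d}")  # keep all starts on a merge
    return table


def lookup(table: dict, target_hex: str, chain_len: int = CHAIN_LEN):
    """Recover the PIN behind target_hex, or None if no stored chain covers it."""
    for column in range(chain_len - 1, -1, -1):
        # Assume the target sits in this column; walk the rest of the chain to its end.
        pin = reduce_(target_hex, column)
        for later in range(column + 1, chain_len):
            pin = reduce_(md5hex(pin), later)
        for start in table.get(pin, []):
            # Regenerate the candidate chain and confirm the hash really occurs in it
            # (a matching endpoint can also come from a chain merge: a false alarm).
            candidate = start
            for k in range(chain_len):
                if md5hex(candidate) == target_hex:
                    return candidate
                candidate = reduce_(md5hex(candidate), k)
    return None


def chain_element(start: str, column: int) -> str:
    """The PIN in the given column of the chain that begins at start."""
    pin = start
    for k in range(column):
        pin = reduce_(md5hex(pin), k)
    return pin


def salted_lookup_fails(table: dict, pin: str, salt: str) -> bool:
    """The same table is useless once a salt is prepended: the stored chains
    were built over md5(pin), not md5(salt + pin)."""
    return lookup(table, md5hex(salt + pin)) is None
```

The table holds at most 500 endpoint entries yet answers queries for up to 10,000 hashes, which is the storage/computation trade the slide's "64 GB" figures refer to.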
Credential Brute Force Attacks
• Used if the dictionary does not contain the password
• Tries combinations of characters until the password is found
Credential Brute Force Attacks (cont’d)
• Short passwords (e.g., 4-digit PIN) can be brute forced in minutes or even seconds
• As length and complexity of password increases, brute forcing becomes harder
• If brute forcing isn't feasible, attacker might steal hash and use that to authenticate
Distributed Password Cracking
• You can offload some of the cracking task to:
  • Other computers
    • John the Ripper
  • Graphics card GPU
    • hashcat
  • Online password cracking services
    • onlinehashcrack.com
    • crackstation.net
    • gpuhash.me
Online Password Cracking Service Example
15.5 Network Service Password Cracking
Why Crack Network Service Passwords?
• Users regularly log into network services
• SMB, HTTP, FTP, RDP, Telnet, SSH, LDAP, SMTP, POP/IMAP, SQL
• Network services often store user credentials in the operating system
• Services are integrated into the OS
• Once cracked, the credentials can be used to log in directly to the OS or
against other network services
Simple Automated SMB Login Script
REM Create credentials.txt, a text file of possible username/password pairs
administrator ""
administrator password
administrator P@ssw0rd
administrator Pa22w0rd
administrator admin
Simple Automated SMB Login Script (cont’d)
REM Use a FOR loop (typed at the cmd prompt) to discover which pair is correct
FOR /F "tokens=1,2*" %i in (credentials.txt) ^
do net use \\target\IPC$ %j /u:victim.com\%i ^
2>>nul ^
&& echo %time% %date% >> outfile.txt ^
&& echo \\target acct: %i pass: %j >> outfile.txt
Pass the Hash Attacks
• A Pass the Hash Attack is a network-based attack where the attacker steals hashed user credentials and uses them to authenticate to the same network that created the hashed credentials
• Hashes come from hashdumps
  • RAM, Windows Registry, credential files
• Metasploit post modules are extremely helpful for Linux, Windows, Apps, and other platforms
• Additional tools to manipulate hashdumps include Metasploit modules, Hydra, Medusa, Veil-Catapult
• Might not always work with use of Windows Defender Credential Guard or Registry settings for UAC
Network Authentication Brute Force Attack
• Intensive dictionary attack against a network service
• Many services do not maintain their own usernames/passwords
  • They use operating system accounts
• Target a user account that cannot be locked out, such as administrator or root
• Different protocols used:
  • SMB
  • Telnet
  • SMTP
  • POP3/IMAP
  • HTTP
  • FTP
Let’s try an intensive dictionary attack (brute force) against a network service
Network Authentication Brute Forcing Tools
• Tools:
  • Hydra
  • Medusa
  • Ncrack
  • NetBIOS Auditing Tool
  • AET2 Brutus
  • Aircrack-ng
  • John the Ripper
  • Rainbow Crack
  • Cain & Abel
  • L0phtCrack
  • Ophcrack
  • Hashcat
  • Metasploit modules
15.6 Windows Password Cracking
Password Cracking in Windows
• Windows passwords authenticate users, services, and computers
• Apps often require passwords
• Stored in cleartext or as hashed values
• Other authentication methods can be targeted
  • Private keys, certificates, Kerberos tickets, and LSA secrets
• Security Account Manager (SAM) stores local user names and passwords
  • LM or NTLM hash
  • SYSKEY encrypts the SAM
Password Cracking Options
• Using brute force across the network
• Dumping credentials from memory
  • LSA secrets, hashes, tokens, copies of old passwords
• Offline cracking
  • Extracting the SYSKEY boot key
  • Dumping locally cached login information
Password Cracking Options (cont’d)
• Other cracking options:
  • Use privileges from buffer overflow, etc., to create a new account
  • Use a dumped hash to create a new account or Kerberos ticket
  • Keylogging
  • Social engineering
  • Boot into another Operating System and overwrite existing password storage
15.7 Linux Password Cracking
Cracking Linux Passwords
• Originally stored in cleartext in /etc/passwd
• Currently stored as hash values in /etc/shadow; hashing algorithm depends on the distribution
Cracking Linux Passwords (cont’d)
Attack methods and tools:
• Dump the hashes from a compromised machine and send them to a password cracker
  • Metasploit module post/linux/gather/hashdump
  • John the Ripper, etc.
  • RainbowCrack
  • Hashcat
• Dump cleartext passwords currently stored in memory
  • Mimipenguin: https://github.com/huntergregal/mimipenguin
• Pass the hash if the passwords take too long to crack; works particularly well against Samba with LM or NTLM authentication
  • Metasploit module auxiliary/scanner/smb/smb_login
• Install a physical or software-based keylogger
  • Meterpreter keyscan_start and keyscan_dump commands
  • USB keyloggers
• Use social engineering to obtain user passwords
  • Kali Social Engineering Toolkit (SET)
  • WiFi-Pumpkin
• Boot the target computer into single user mode to reset the root password
  • Reboot and edit GRUB to enter single user mode, then change the root password
15.8 Password Cracking Tools
Password Recovery Tools
• Elcomsoft
• Passware Kit Forensic
• Windows Password Recovery tool Ultimate
• Stellar Phoenix Password Recovery
• PCUnlocker
• iSumsoft Windows Password Refixer
• BartPE
Password Cracking Tools
• L0pht
• pwdump7
• ophcrack
• Cain & Abel
• RainbowCrack
• John the Ripper
• THC-Hydra
• Medusa
• hashcat
Rainbow Table Creation Tools
• rtgen
• Winrtgen
• Also download pre-made rainbow tables
  • http://ophcrack.sourceforge.net/tables.php
15.9 Other Methods for Obtaining Passwords
Passive Network Sniffing
• Use a sniffer such as Wireshark
• Capture clear text credentials
• Only works if the sniffer is on the same shared network segment
ARP Poisoning
• Use an ARP poisoner such as ettercap to capture login session
• Use Wireshark to capture clear text passwords
• Use Cain & Abel to ARP poison, capture and crack password hash
LLMNR Poisoning
• Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are local Microsoft name resolution mechanisms
• Used when DNS lookups fail
• NBT-NS is legacy
  • Broadcast-based
• LLMNR was introduced in Windows Vista
  • Multicast-based
LLMNR Spoofing Tools
• Responder
• Metasploit
• NBNSpoof
• Inveigh
Defend Against Password Cracking
• Set a password policy including history, length, complexity, and
minimum/maximum age
• Do not use passwords such as date of birth, spouse/child/pet’s name
• Monitor for local and network-based dictionary/brute-forcing
• Prefer long pass phrases over shorter complex passwords
• Prefer two-factor authentication if possible
• Enable SYSKEY on Windows to protect the SAM database
• Avoid clear text protocols
• Avoid storing passwords in an unsecure location
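An added example (not from the course) of the monitoring item above: detection logic run over constructed sshd-style log lines that flags both a single-account brute force and a password spray from one source; the thresholds and the 60-second window are assumptions to tune for a real environment:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not course material): flag dictionary/brute-force and password
# spraying attempts in sshd-style authentication logs. The log lines below are
# constructed for the demo; thresholds and the window are assumptions to tune.
WINDOW_SECONDS = 60     # look-back window per source address
FAIL_THRESHOLD = 5      # failures from one source within the window -> brute force
SPRAY_USERS = 3         # distinct usernames from one source within the window -> spray
LOG_YEAR = 2024         # syslog timestamps carry no year

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: one host hammering root, one host trying several accounts,
# one normal user with a typo, plus a successful login that must be ignored.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw sshd[2001]: Failed password for root from 10.0.0.5 port 51001 ssh2
Mar 10 12:00:03 gw sshd[2002]: Failed password for root from 10.0.0.5 port 51002 ssh2
Mar 10 12:00:05 gw sshd[2003]: Failed password for invalid user admin from 10.0.0.9 port 52001 ssh2
Mar 10 12:00:06 gw sshd[2004]: Failed password for root from 10.0.0.5 port 51003 ssh2
Mar 10 12:00:08 gw sshd[2005]: Failed password for root from 10.0.0.5 port 51004 ssh2
Mar 10 12:00:09 gw sshd[2006]: Accepted password for alice from 10.0.0.7 port 53001 ssh2
Mar 10 12:00:11 gw sshd[2007]: Failed password for root from 10.0.0.5 port 51005 ssh2
Mar 10 12:00:15 gw sshd[2008]: Failed password for alice from 10.0.0.9 port 52002 ssh2
Mar 10 12:00:20 gw sshd[2009]: Failed password for bob from 10.0.0.9 port 52003 ssh2
Mar 10 12:05:00 gw sshd[2010]: Failed password for alice from 10.0.0.7 port 53002 ssh2
""".splitlines()


def parse_failure(line: str):
    """Return (timestamp, user, source) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("src")


def detect(lines):
    """Sliding-window count of failures per source. Returns one alert per
    (source, kind) as (kind, source, sorted usernames seen in the window)."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) inside the window
    alerts, raised = [], set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # successes and unrelated lines are ignored
        ts, user, src = parsed
        window = recent[src]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()      # drop failures older than the window
        users = sorted({u for _, u in window})
        if len(window) >= FAIL_THRESHOLD and (src, "brute-force") not in raised:
            raised.add((src, "brute-force"))
            alerts.append(("brute-force", src, users))
        if len(users) >= SPRAY_USERS and (src, "password-spray") not in raised:
            raised.add((src, "password-spray"))
            alerts.append(("password-spray", src, users))
    return alerts
```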
Defend Against LLMNR/NBT-NS Poisoning
• Configure Group Policy to disable LLMNR & NBT-NS:
  • Group Policy Editor > Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution
  • Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings > Properties > TCP/IPv4 > General > Advanced > WINS > Disable NetBIOS over TCP/IP
15.10 Keylogging
Keylogging
• Use PassView or other keylogger
• Create a malicious autorun.inf on a USB stick that runs:
  • start pspv.exe /stext pspv.txt
Keylogger Types
• Hardware-based
• Inserted between keyboard and computer
• PC/BIOS Embedded
• Keyboard Keylogger
• External Keylogger
• PS/2 and USB adapters
• Acoustic/CAM keylogger
• Bluetooth Keylogger
• Wi-Fi Keylogger
• Kernel/Rootkit/Device Driver
• Hypervisor-based
• Form Grabbing-based
Hardware Keyloggers
• KeyCarbon
• Keyllama
• Keyboard logger
• KeyGhost
• KeyCobra
• KEYKatcher
Software Keyloggers
• Metasploit
• All In One Keylogger
• Free Keylogger
• Spyrix Personal Monitor
• SoftActivity Activity Monitor
• Keylogger Spy Monitor
• Micro Keylogger
• REFOG keylogger
• Realtime-Spy
• StaffCop Standard
How to Defend Against Keyloggers
• Use popup blockers and avoid opening junk email
• Install anti-spyware/anti-virus programs, keep updated
• Install software firewall and anti-keylogging software
• Recognize phishing emails
• Update and patch regularly
• Install a host-based IDS
• Use a password manager
• Restrict physical access to sensitive computers
• Visually inspect computers periodically
Anti-Keyloggers
• Zemana AntiLogger
• GuardedID
• KeyScrambler
• SpyShelter Free Anti-Keylogger
• DefenseWall HIPS
• Elite Anti Keylogger
15.11 Spyware
Spyware
• Record desktop activity
• Monitor email
• Audio/Video surveillance
• Record/monitor Internet activity
• Record software usage/timings
• Log keystrokes
• Store activity log locally or in a central location
Spyware Tools
• Spytech SpyAgent
• PowerSpy
• ACTIVTrak
• USB Monitor
• Spy Voice Recorder
• Movavi Video Editor
• iSpy
• Free2X Webcam Recorder
• Phone Spy
• MobiStealth
• MOBILE SPY
How to Defend Against Spyware
• Avoid using systems not fully under your control
• Don’t open suspicious emails or file attachments
• Enable a software firewall
• Patch, update, and virus scan regularly
• Do not use a privileged/administrator account for ordinary tasks
• Do not download free music files, screensavers, games, etc.
• Beware of popup windows
Anti-Spyware Tools
• SUPERAntiSpyware
• Malware Bytes
• Hitman Pro
• MacScan
• Emsisoft Antimalware
• Spyware Terminator
15.12 Rootkits
Rootkits
• Replace core parts of the OS
• Hard to detect and eliminate
• Objective is to provide Advanced Persistent Threat backdoor access
• Can be at various levels:
• Hypervisor - exploit Intel VT and AMD-V hardware features
• Hardware/Firmware - hide in hard drive, network card, BIOS
• Kernel (Ring 0) - substitute portions of kernel code
• Boot Loader - replace or modify the legitimate bootloader
• Application Level - replace standard application binaries
• Library Level - work higher up in the OS; they replace original system calls
with fake backdoor versions
Rootkit Tools
• Horse Pill
• GrayFish Rootkit
• Sirefef Necurs
• WingBird Rootkit
• Avatar
• Azazel
• ZeroAccess
• Alureon
How to Detect Rootkits
• Integrity-based
• Hash key files and periodically check if the hash has changed
• Signature-based
• Compare all system process and executable files to a database with known rootkit
signatures
• Heuristic/Behavior-based
• Look for any deviations in the system’s normal activity
• Runtime Execution Path Profiling
• Compare runtime execution paths of all system processes and executables before
and after infection
• Cross View-Based
• Compare key elements of the OS such as system files, processes, registry keys to a
known good state
Steps for Detecting Rootkits
• Check the file system
• Save results of dir /s /b /ah and dir /s /b /a-h, compare to that of a clean
system
• Use WinDiff, Tripwire, sigverif to check hashes
• Examine the registry
• Compare an export of HKEY_LOCAL_MACHINE\SOFTWARE and
HKEY_LOCAL_MACHINE\SYSTEM to those of a known clean system
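An added example (not part of the course) of the integrity-based check described above: a small Tripwire-style baseline that hashes a file tree, stores the hashes, and reports added, removed and modified files. The sample tree and the tampering are constructed in a temporary directory:

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Added example (not course material): the integrity-based approach, as a small
# Tripwire-style baseline. The sample file tree is constructed in a temporary
# directory. On a real host the baseline must live off-box or on read-only
# media, since a rootkit running as root can rewrite a locally stored copy.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }


def demo() -> dict:
    """Build a tiny constructed 'system', baseline it, simulate rootkit-style
    tampering and re-check. Returns the comparison report."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    baseline_file = root.parent / (root.name + ".baseline.json")  # kept outside the tree
    try:
        for rel, content in {
            "bin/ps": b"#!/bin/sh\necho genuine ps\n",
            "bin/ls": b"#!/bin/sh\necho genuine ls\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        save_baseline(build_baseline(root), baseline_file)

        # Simulated compromise: trojaned binary, new hidden file, deleted file.
        (root / "bin/ps").write_bytes(b"#!/bin/sh\necho trojaned ps that hides processes\n")
        (root / "bin/.hidden").write_bytes(b"backdoor\n")
        (root / "etc/passwd").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        baseline_file.unlink(missing_ok=True)
```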
Anti-Rootkit Tools
• Stinger
• Avast
• TDSSKiller
• Malwarebytes
• Rootkit buster
• UnHackMe
• Sophos Virus Removal Tool
• F-Secure Anti-Virus
• SanityCheck
• GMER
How to Defend Against Rootkits
• Be prepared to reinstall the OS and apps from a trusted source
• Perform kernel memory dump analysis
• Install rootkit scanners
• Harden the system against attack
• Install a HIDS/HIPS
• Keep system patched and monitored
15.13 Hiding Files
Alternate Data Streams (NTFS Streams)
• Feature of NTFS
• Created to be compatible with the Mac file system
• Aka ADS
ADS Example
• Hide a Trojan in a text file:
  notepad sample.txt:secret.txt
  type c:\Trojan.exe > C:\readme.txt:Trojan.exe
  mklink backdoor.exe readme.txt:Trojan.exe
  backdoor
Defend Against NTFS Streams
• Move suspected files to a FAT partition, or email them as attachments
• Use file integrity checkers like Tripwire or md5sum to verify the file
hasn’t changed
Stream Detectors
• EventSentry
• adslist.exe
• StreamDetector
• ADS Detector
• Stream Armor
• Forensic Toolkit
• ADS Spy
• ADS Manager
• ADS Scanner
15.14 Steganography
Steganography
• Hide data inside a file
• Data is hidden in plain sight
• Data can be anything:
• Text
• Image
• Media file
• Encrypted/not encrypted
• Carrier files appear perfectly normal
• You can read and play them
• Hidden data travels with the file
• Requires knowledge of which file is
the host and how to retrieve the
hidden data
Steganography Methods
• Image - use least significant bits to hold data
• Video - use least significant bits to hold data
• Audio - use least significant bits to hold data
• Document - use white space to hold data
• Folder
• White Space - hide messages in ASCII text
Steganography Methods (cont’d)
• Web - hide web objects behind other objects
• Spam/Email
• DVD - embed content in a CD/DVD
• Natural Text - convert sensitive information into
• Hidden OS (hide an OS inside another OS)
• Source Code (hide files in C++ or other source code)
Can You See the Difference?
Steganography Tools
• Steganography Master
• steghide
• Stegals
• SPY PIX
• Pixelknot
• Pocket Stego
• Da Vinci Secret Image
• Secret Tidings
• XIAO Steganography
• Steghide
• Our Secret
• SteganPEG
Steganalysis
• Detecting steganography
• Challenges include:
• Accurately determine which information stream might even have hidden data
• Accurate detection within digital images is difficult
• Hidden data might be encrypted
• Some suspect data streams/files may have deliberate noise encoded into
them
Detecting Steganography
• Good detection requires the original
• Text files
• Unusual patterns
• Appended extra spaces and invisible characters
• Image files
• Too many distortions in image
• Image quality degraded
• Compare original and stego images with respect to color composition, luminance, pixel
relationships
• Scan least significant bits (LSBs) for hidden data
• Audio files
• Scan inaudible frequencies and LSBs for hidden data
• Video files
• Use image and audio techniques
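An added example (not from the course) covering both the image LSB method and the LSB scan above: embedding and extracting a payload in the low bits of a constructed 8-bit grayscale image, and the pairs-of-values chi-square statistic that steganalysis tools use to spot a flattened LSB plane; the cover pixels and payload are constructed, and real images need thresholds calibrated on real data:

```python
import random

# Added example (not from the course): least-significant-bit (LSB) hiding in an
# 8-bit grayscale "image" and the pairs-of-values chi-square check used to scan
# the LSB plane. The cover pixels and payload are constructed; real images have
# a less extreme pair imbalance, so thresholds must be calibrated on real data.


def embed_lsb(pixels, payload: bytes) -> list:
    """Overwrite the LSB of successive pixels with the payload bits (MSB first)."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload larger than cover capacity")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels, nbytes: int) -> bytes:
    """Inverse of embed_lsb: rebuild nbytes from the first 8*nbytes LSBs."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[8 * i + k] & 1)
        out.append(value)
    return bytes(out)


def pair_chi_square(pixels) -> float:
    """Mean chi-square over the 128 value pairs (2k, 2k+1).

    LSB embedding of random-looking data (e.g. encrypted) only swaps values
    inside a pair, so it pushes the two counts toward equality and the
    statistic toward about 1; an untouched image keeps its natural imbalance."""
    counts = [0] * 256
    for v in pixels:
        counts[v] += 1
    total, pairs = 0.0, 0
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b:
            total += (a - b) ** 2 / (a + b)
            pairs += 1
    return total / pairs if pairs else 0.0


def make_cover(n: int, seed: int = 1) -> list:
    """Constructed cover: even values roughly five times as common as odd ones."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        v = rng.randrange(256)
        if v & 1 and rng.random() < 0.67:
            v -= 1
        pixels.append(v)
    return pixels


def demo(n: int = 20_000, seed: int = 1) -> dict:
    """Compare the statistic on a clean cover and on the same cover carrying a
    random (encrypted-looking) payload that fills every pixel's LSB."""
    cover = make_cover(n, seed)
    rng = random.Random(seed + 1)
    payload = bytes(rng.randrange(256) for _ in range(n // 8))
    stego = embed_lsb(cover, payload)
    return {
        "cover_stat": pair_chi_square(cover),
        "stego_stat": pair_chi_square(stego),
        "roundtrip_ok": extract_lsb(stego, len(payload)) == payload,
    }
```

A partially filled image gives an intermediate statistic, which is why tools evaluate the test over sliding sections of the pixel data rather than only over the whole file.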
Steganography Detection Tools
• Gargoyle Investigator Forensic Pro
• Steganography Studio
• StegAlyzer
• Virtual Steganographic Laboratory
• Stegdetect
15.15 Privilege Escalation
What is Privilege Escalation?
• The act of exploiting a bug, design flaw or configuration oversight in
an operating system or software application
• The goal is to gain elevated access to resources that are normally
protected from an application or user
Privilege Escalation in Windows
• Usually the primary objective
• Can take several attempts to gain the level needed
• Exploits against the kernel, services, drivers, and applications need privileged mode
Privilege Escalation Methods
• Kernel Vulnerabilities: exploit weaknesses in the OS kernel
• Writable services: edit the startup parameters of a service, including its executable path and account; use unquoted service paths to inject a malicious app that the service will run at start up
• User application compromise: compromise applications such as Internet Explorer, Adobe Reader, or VNC to gain access to a workstation; use UAC bypass techniques to escalate privilege; attacks typically require a victim to open a file or web page through social engineering
Privilege Escalation Methods (cont’d)
• Local User Access Control bypass: bypass local Windows UAC; use process injection to leverage a trusted publisher certificate
• Weak process permissions: find processes with weak controls and attempt to inject malicious code into those processes
• Shared folders: search for sensitive information in shared folders
• DLL hijacking: elevate privileges by exploiting weak folder permissions, unquoted service paths, or applications that run from network shares; replace legitimate DLLs with malicious ones
Privilege Escalation Methods (cont’d)
• Task Scheduler 2.0: Task Scheduler 2.0 does not properly determine the security context of its scheduled tasks, allowing an attacker to escalate privilege; affects Windows Vista SP1/SP2, Windows Server 2008 Gold, SP2/R2, Windows 7; CVE-2010-3338, MS10-092
• Missing patches and misconfigurations: search for missing patches or common misconfigurations that can lead to privilege escalation
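An added audit (not from the course or any vendor tool) for the unquoted service path weakness listed under writable services and DLL hijacking: it works out which executables Windows would try before the intended one, which directories therefore must not be writable, and the quoted ImagePath to set instead. The service table is constructed; the probing order follows the documented CreateProcess rule of trying each space-delimited prefix with .exe appended:

```python
import ntpath

# Added example (not from the course): an audit for the unquoted service path
# weakness. The service table is constructed for the demo; the probing order
# follows the documented CreateProcess rule of trying each space-delimited
# prefix (with .exe appended) until one exists.
SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\goodsvc.exe" -run',
    "CoreSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "WeakSvc": r"C:\Program Files\Weak Vendor\Tools\weaksvc.exe --service",
}


def hijack_candidates(image_path: str) -> list:
    """Executables Windows would try before the real one for an unquoted path.
    Returns [] for quoted paths and for paths without spaces."""
    if image_path.startswith('"'):
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break                          # reached the intended executable
        candidates.append(prefix + ".exe")
    return candidates


def directories_to_protect(candidates: list) -> list:
    """Where an attacker would need write access to plant each candidate."""
    return sorted({ntpath.dirname(c) for c in candidates})


def quoted_fix(image_path: str) -> str:
    """Corrected ImagePath: the executable wrapped in quotes, arguments kept."""
    if image_path.startswith('"'):
        return image_path
    tokens = image_path.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            exe = " ".join(tokens[: i + 1])
            args = " ".join(tokens[i + 1 :])
            return f'"{exe}"' + (f" {args}" if args else "")
    return image_path                      # no .exe token: leave for manual review


def audit(services: dict) -> dict:
    """Map each vulnerable service to its hijack candidates, the directories
    that must stay non-writable, and the corrected ImagePath."""
    findings = {}
    for name, path in services.items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = {
                "candidates": candidates,
                "protect": directories_to_protect(candidates),
                "fix": quoted_fix(path),
            }
    return findings
```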
Non-Windows Privilege Escalation Techniques
• Alter macOS and OSX boot daemon Launchd
• Edit macOS and OSX plists that are linked to startup executables to
run malicious code
• Change setuid and setgid on files in Linux/Unix to run in owner
privilege
• Use a web shell (web-based script) to inject malicious code on a
webserver to maintain persistent access and escalate privilege
Privilege Escalation Tools
• Dameware Remote Support
• ManageEngine Desktop Central
• Metasploit
• Searchsploit DB
• PDQ Deploy
• PSExec
• TheFatRat
Privilege Escalation Countermeasures
• Restrict interactive login privileges
• Encrypt sensitive data
• Assign least privilege to users and applications
• Assign standard accounts to services when possible
• Vulnerability scan, fuzz, and stress test applications
• Patch and update the kernel, web server, and other services regularly
• Change UAC settings to “Always Notify”
• Use fully qualified, quoted paths in all Windows applications
• Ensure executables are placed in write-protected directories
• In macOS, make plist files read-only
• Disallow system utilities or software from scheduling tasks
• Disable the default local administrator account
15.16 Creating and Maintaining Remote Access
Remote Access Trojans and Backdoors
• A remote access Trojan (RAT) is a malware program that includes a back
door for administrative control over the target computer
• RATs are usually downloaded invisibly with a user-requested program --
such as a game -- or sent as an email attachment
• They are difficult to detect if designed to look like normal administrative
remote access tools
• They allow the attacker to connect later at any time
• Victim has a “listener” that opens a port for you to connect to
• Or, the victim can make a reverse connection to you, the hacker
• Good for getting past a firewall
• The hacker must set up a listener
RAT and Backdoor Tools
• Metasploit
• Sakula
• KjW0rm
• Havex
• Agent.BTZ
• Dark Comet
• AlienSpy
• SubSeven
• NetBus
• FatRat
• ProRat
15.17 Hiding Evidence
Clearing Online Tracks
• Use private browsing
• Delete browsing history
• Disable stored history
• Delete private data
• Clear cookies on exit
• Clear data in password manager
• Delete saved sessions
• Delete user JavaScript
• Clear cache on exit
• Delete downloads
• Disable password manager
• Clear toolbar data
• Turn off AutoComplete
• Use multiple user accounts
• Remove Most Recently Used (MRU)
• Turn off most used apps and recently opened items
Covering BASH Shell Tracks
• Disable history
  • export HISTSIZE=0
• Clear history
  • history -c   # clears the in-memory history of the current shell
  • history -w   # writes the (now empty) in-memory history over the history file
• Clear user’s complete history
  • cat /dev/null > ~/.bash_history && history -c && exit
• Shred history
  • # Shred the history file, truncate it, clear the in-memory history, then exit
  • shred ~/.bash_history
  • shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit
• Use hidden files
  • name a malicious file “. log” with a space between . and log - then hide in /dev or /tmp
Covering Network Tracks
• Use reverse HTTP shells
• Victim starts HTTP session to attacker
• This looks normal
• Use reverse ICMP tunnels
• Victim pings out past firewall with payload in ICMP data
• Use DNS tunneling
• Hide data inside DNS queries/replies
• Use TCP covert channels:
• IP ID field
• TCP ack #
• TCP initial sequence #
Disabling Auditing
auditpol /get /category:*
auditpol \\<target IP> /disable
Logs To Clear
• Windows
• Event Viewer Logs
• System
• Application
• Security
• Linux
• /var/log/messages
Covering Track Tools
• Clear_Event_Viewer_Logs.bat
• Free Internet Window Washer
• Metasploit clearev
• DBAN
• Privacy Eraser
• Wipe
• BleachBit
• ClearProg
• Clear My History
15.18 System Hacking Penetration Testing
Steps to Performing System Hacking in
Penetration Testing
1. Identify password protected systems and services
2. Attempt buffer overflows and other remote exploits
3. Crack passwords using dictionary, brute force, rainbow tables, hash
dumping, and pass-the-hash
4. Install Trojans/spyware/keyloggers
5. If you obtain low-level access, attempt privilege escalation
• End user assistance through social engineering
• Exploit app or kernel weaknesses
6. Hide files as applicable
7. Cover tracks
System Hacking Review
• There are many tools you can use to hack a system
• When hacking system services, prefer buffer overflows that allow remote privilege execution
• Ultimately seek to escalate privilege and maintain control through payload execution or a RAT
• If you exhaust your password cracking dictionary, try brute forcing, MITM, or social engineering to get the password
• Use NTFS Streams or steganography to hide files and data
• Don’t forget to cover your tracks!
Lab 15: System Hacking
