Module 05: System Hacking

Security Breaches 2014 (Department for Business, Innovation and Skills, Information Security Breaches Survey)
- 81% of large organizations had a security breach
- 59% of respondents expect there will be more security incidents in 2015

Module Objectives
- Overview of CEH Hacking Methodology
- Understanding Techniques to Gain Access to the System
- Understanding Privilege Escalation Techniques
- Understanding Techniques to Create and Maintain Remote Access to the System
- Overview of Different Types of Rootkits
- Overview of Steganography and Steganalysis Techniques
- Understanding Techniques to Hide the Evidence of Compromise
- Overview of System Hacking Penetration Testing

System Hacking Stage
What you have at this stage (from footprinting, scanning and enumeration):
- IP range, namespace, employees
- Target assessment, identified systems, identified services
- Intrusive probing, user lists, security flaws

System Hacking: Goals
- Gaining Access: bypass access controls to gain access to the system (technique/exploit used: password cracking, social engineering)
- Escalating Privileges: acquire the rights of another user or an admin (exploiting known system vulnerabilities)
- Executing Applications: create and maintain remote access to the system (Trojans, spyware, backdoors, keyloggers)
- Hiding Files: hide the attacker's malicious files (rootkits, steganography)
- Covering Tracks: hide the evidence of compromise (clearing logs)

CEH Hacking Methodology (CHM)
1. Cracking Passwords
2. Escalating Privileges
3. Executing Applications
4. Hiding Files
5. Covering Tracks
6. Penetration Testing

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Hacking Methodology: Step 1, Cracking Passwords

Password Cracking
- Password cracking techniques are used to recover passwords from computer systems
- Attackers use password cracking techniques to gain unauthorized access to the vulnerable system
- Most password cracking techniques succeed because of weak or easily guessable passwords

Types of Password Attacks
- Non-Electronic Attacks
- Active Online Attacks: Dictionary and Brute Forcing Attack, Hash Injection and Phishing, Trojan/Spyware/Keyloggers, Password Guessing
- Passive Online Attacks: Wire Sniffing, Man-in-the-Middle, Replay
- Offline Attacks: Pre-Computed Hashes (Rainbow Table), Distributed Network

Active Online Attack: Dictionary, Brute Forcing and Rule-based Attack
- Dictionary Attack: a dictionary file is loaded into the cracking application that runs against user accounts
- Brute Forcing Attack: the program tries every combination of characters until the password is broken
- Rule-based Attack: this attack is used when the attacker gets some information about the password

Default Passwords
- A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected
- Attackers use default passwords in the list of words or dictionary that they use to perform password guessing attacks
- Online resource listing default passwords: http://www.defaultpassword.us
Active Online Attack: Trojan/Spyware/Keylogger
- The attacker installs a Trojan/spyware/keylogger on the victim's machine to collect the victim's user names and passwords
- The Trojan/spyware/keylogger runs in the background and sends all user credentials back to the attacker
- Example on the slide: the victim logs on to the domain; the keylogger sends the logon credentials to the attacker

Active Online Attack: Hash Injection Attack
- A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources
- The attacker compromises a server, finds and extracts a logged-on domain admin account hash, and uses that hash to log on to the domain controller
- Logged-on hashes are stored in the SAM file

Passive Online Attack: Wire Sniffing
- Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic
- Hard to perpetrate

Passive Online Attacks: Man-in-the-Middle and Replay Attack
- Relatively hard to perpetrate
- Must be trusted by one or both sides
- Can sometimes be broken by invalidating traffic
- In a man-in-the-middle attack, the attacker gains access to the communication channel between the victim and the server
- In a replay attack, packets and authentication tokens are captured using a sniffer; after the relevant information is extracted, the tokens are placed back on the network to gain access

Offline Attack: Pre-Computed Hashes (Rainbow Table)
- A rainbow table is a precomputed table which contains word lists like dictionary files and brute force lists together with their hash values
- Capture the hash of a password and compare it with the precomputed hash table; if a match is found then the password is cracked
- It is easy to recover passwords by comparing captured password hashes to the precomputed tables
Tools to Create Rainbow Tables: rtgen and Winrtgen
- rtgen: the rtgen program needs several parameters to generate a rainbow table; they are supplied on the command line
- Winrtgen: a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes

Offline Attack: Distributed Network Attack
- A Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network
- The DNA Manager is installed in a central location where machines running the DNA Client can access it over the network
- The DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network
- The DNA Client runs in the background, consuming only unused processor time
- The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password

Elcomsoft Distributed Password Recovery
- Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment
- Features: distributed password recovery over LAN, Internet, or both; plug-in architecture allows for additional file formats; schedule support for flexible load balancing; install and remove password recovery clients remotely; encrypted network communications
Microsoft Authentication: Security Accounts Manager (SAM) Database
- Windows stores user passwords in the SAM database, or in the Active Directory database in domains
- Passwords are never stored in clear text; passwords are hashed and the results are stored in the SAM

NTLM Authentication
- The NTLM authentication protocol types: 1. NTLM authentication protocol, 2. LM authentication protocol
- These protocols store the user's password in the SAM database using different hashing methods

Kerberos Authentication
- Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM

How Are Hashed Passwords Stored in Windows SAM?
- Each SAM record holds the username, user ID, LM hash and NTLM hash, separated by colons (the slide's example is the record for user Shiela, ID 1005)
- "LM hashes have been disabled in Windows Vista and later Windows operating systems; LM will be blank in those systems."

NTLM Authentication Process
1. The user types the password into the logon window on the client computer
2. Windows runs the password through the hash algorithm
3. The domain controller, which has a stored copy of the password hash, sends a challenge
4. The client computer sends its response to the challenge
5. The domain controller compares the computer's response with the response it created using its own hash; if they match, the logon is successful
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

Kerberos Authentication
- The Key Distribution Center (KDC) consists of the Authentication Server (AS), the Ticket Granting Server (TGS) and the database
- Exchange shown on the slide: the client's request to the TGS; the reply of the TGS to the client's request; the client's request to an application server to access a service; the server's reply proving that it is really the server the client is expecting
Password Salting
- Password salting is a technique in which a random string of characters is added to the password before calculating its hash
- Advantage: salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks
- Salted entries on the slide take the form user:group:salt:hash, e.g. Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
- Note: Windows password hashes are not salted

fgdump
- fgdump (http://www.foofus.net) works like pwdump but also extracts cached credentials and allows remote network execution
- The slide's example dumps a remote machine (192.168.0.10) using specified credentials

Password Cracking Tools: L0phtCrack and Ophcrack
- L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding
- Ophcrack is a Windows password cracker based on rainbow tables; it comes with a Graphical User Interface and runs on multiple platforms (http://ophcrack.sourceforge.net)

Password Cracking Tools: Cain & Abel and RainbowCrack
- Cain & Abel allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks
- RainbowCrack cracks hashes with rainbow tables; it uses a time-memory tradeoff algorithm to crack hashes (http://project-rainbowcrack.com)
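As an added example (not part of the EC-Council slides), the following Python shows why the salting described above defeats the precomputed-hash lookup from the rainbow-table slides: a small lookup table is built from a constructed word list, and the same password is then stored unsalted and salted. The word list, salt length and PBKDF2 parameters are assumptions, not values from the page.

```python
# Added example, not from the EC-Council slides: precomputed lookup vs. salted storage.
import hashlib
import hmac
import os

# Constructed word list standing in for a dictionary / brute-force list.
WORDLIST = ["password", "letmein", "qwerty", "welcome1", "Shiela"]


def build_precomputed_table(words):
    """Map md5(word) -> word, the way a precomputed hash table is used."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table, digest):
    """Recover the plaintext if its (unsalted) hash is present in the table."""
    return table.get(digest)


def hash_salted(password, salt=None, iterations=100_000):
    """Return (salt, hash) in the slide's spirit of user:salt:hash.
    A fresh random salt per password means equal passwords never share a hash,
    so no table built in advance can contain the result."""
    if salt is None:
        salt = os.urandom(8).hex()  # assumed salt size: 8 random bytes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return salt, digest.hex()


def verify_salted(password, salt, stored_hex, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()
    return hmac.compare_digest(candidate, stored_hex)


def demo(password="letmein"):
    """Returns (word recovered from the unsalted hash, lookup result for the
    salted hash, whether the salted hash still verifies the right password)."""
    table = build_precomputed_table(WORDLIST)
    unsalted = hashlib.md5(password.encode()).hexdigest()
    cracked = lookup(table, unsalted)          # table hit: "letmein"

    salt, salted = hash_salted(password)
    salted_hit = lookup(table, salted)         # no table entry can match: None
    return cracked, salted_hit, verify_salted(password, salt, salted)


if __name__ == "__main__":
    print(demo())
```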
Password Cracking Tools
- Offline NT Password & Registry Editor
- Password Unlocker Bundle
- Proactive System Password Recovery
- John the Ripper
- Windows Password Cracker
- WinPassword
- Passware Kit Enterprise
- PasswordsPro
- LSASecretsView
- Password Cracker
- CloudCracker
- Windows Password Recovery Tool
- Hash Suite
- InsidePro
- Windows Password Recovery
- Password Recovery Bundle
- krbpwguess
- THC-Hydra
- Windows Password Breaker Enterprise

Password Cracking Tool for Mobile: FlexiSPY Password Grabber
- Captures the phone's pattern code and the passwords of accounts such as Pinterest, LinkedIn and Gmail

How to Defend against Password Cracking
1. Enable information security audit to monitor and track password attacks
2. Do not use the same password during password change
3. Do not share passwords
4. Do not use passwords that can be found in a dictionary
5. Do not use cleartext protocols and protocols with weak encryption
6. Set the password change policy to 30 days
7. Avoid storing passwords in an unsecured location
8. Do not use any system's default passwords
9. Make passwords hard to guess by using 8-12 alphanumeric characters in a combination of uppercase and lowercase letters, numbers, and symbols
10. Ensure that applications neither store passwords in memory nor write them to disk in clear text
11. Use a random string (salt) as prefix or suffix with the password before encrypting
12. Never use passwords such as date of birth, spouse's, child's or pet's name
13. Monitor the server's logs for brute force attacks on the users' accounts
14. Lock out an account subjected to too many incorrect password guesses
CEH Hacking Methodology: Step 2, Escalating Privileges

Privilege Escalation
- An attacker can gain access to the network using a non-admin user account; the next step is to gain administrative privileges
- The attacker performs a privilege escalation attack, which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications
- These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.

Types of Privilege Escalation
- Vertical Privilege Escalation: refers to gaining higher privileges than the existing ones
- Horizontal Privilege Escalation: refers to acquiring the same level of privileges that has already been granted, but assuming the identity of another user with similar privileges

Privilege Escalation Using DLL Hijacking
- Most Windows applications do not use the fully qualified path when loading an external DLL library; instead they first search the directory from which they have been loaded
- If attackers can place a malicious DLL in the application directory, it will be executed in place of the real DLL
- Sequence shown on the slide: the user installs the application; the attacker places a malicious DLL in the application directory; the application loads the malicious DLL instead of the real DLL required by the .exe application
Resetting Passwords Using Command Prompt
- If the attacker succeeds in gaining administrative privileges, he can reset the passwords of any other non-administrative accounts
- Open the command prompt, type the net user command and press Enter to list out all the user accounts on the target system
- Type the net user command with the account name to reset the password for a specific account

Privilege Escalation Tool: Active@ Password Changer
Features:
- Recovers passwords from multiple partitions and hard disk drives
- Detects and displays all Microsoft Security Databases (SAM)
- Displays full account information for any local user

Privilege Escalation Tools
- Offline NT Password & Registry Editor
- Windows Password Reset Kit
- Windows Password Recovery Tool
- ElcomSoft System Recovery
- Trinity Rescue Kit
- Windows Password Recovery Bootdisk
- PasswordLastic
- Stellar Phoenix Password Recovery
- Windows Password Recovery Personal
- Lazesoft Recover My Password

How to Defend Against Privilege Escalation
- Run services as unprivileged accounts
- Implement a privilege separation methodology to limit the scope of programming errors and bugs
- Thoroughly test the system for application coding errors and bugs
- Patch the systems regularly

CEH Hacking Methodology: Step 3, Executing Applications

Executing Applications
- Attackers execute malicious applications in this stage; this is called "owning" the system
- The attacker executes malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture screenshots, install a backdoor to maintain easy access, etc.
- Programs executed at this stage include backdoors, crackers, keyloggers and spyware
Executing Applications: RemoteExec
- RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network
- It allows the attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders

Executing Applications: PDQ Deploy
- PDQ Deploy is a software deployment tool that allows admins to silently install almost any application or patch

Executing Applications: DameWare Remote Support
- DameWare Remote Support is a remote administration tool for Windows systems, which an attacker can likewise use to control the victim's machine

Keylogger
- Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, log the keystrokes to a file, or transmit them to a remote location
- Legitimate applications for keyloggers include office and industrial settings, to monitor employees' computer activities, and home environments, where parents can monitor and spy on children's activity
- A keylogger allows the attacker to gather confidential information about the victim such as email IDs, passwords, banking details, chat room activity, IRC, instant messages, etc.
- Physical keyloggers are placed between the keyboard hardware and the operating system

Types of Keystroke Loggers
- Software keyloggers hook the keystroke path at different levels: application, driver, or Windows kernel; the slide shows the keylogger at each level saving keystrokes to a log file or sending them to a remote location
- Hardware keystroke loggers, for example KeyGrabber and The Keylogger
Hardware Keyloggers
- KeyCobra (http://www.keycobra.com)
- Keykatcher (http://keykatcher.com)

Keylogger: All In One Keylogger
- All In One Keylogger allows you to secretly track all activities from all computer users and automatically receive logs to a desired email/FTP/LAN account

Keyloggers for Windows
- Ultimate Keylogger, Advanced Keylogger, The Best Keylogger, SoftActivity Keylogger, Elite Keylogger, Powered Keylogger, StaffCop Standard, Spyrix Personal Monitor, PC Activity Monitor Standard, KeyProwler
- Keylogger Spy Monitor, Micro Keylogger, Spy Keylogger, REFOG Personal Monitor, Revealer Keylogger, Actual Keylogger, Realtime-Spy, Spytector, KidLogger, SpyBuddy 2013

Keylogger for Mac: Amac Keylogger for Mac
- Amac Keylogger for Mac invisibly records activity and screenshots and also sends all reports remotely

Keyloggers for Mac
- Aobo Mac OS X Keylogger, KidLogger for MAC, Perfect Keylogger for Mac, MAC Log Manager, Award Keylogger for Mac, Elite Keylogger, Aobo Mac Keylogger, Keyboard Spy Logger, REFOG Keylogger for MAC, FreeMacKeylogger

Spyware
- Spyware is a program that records the user's interaction with the computer and the Internet without the user's knowledge and sends the recordings to remote attackers
- Spyware hides its processes, files, and other objects in order to avoid detection and removal
- It is similar to a Trojan horse and is usually bundled as a hidden component of freeware programs that are available on the Internet for download
- It allows the attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.
Spyware: Spytech SpyAgent
- Spytech SpyAgent allows you to monitor everything users do on your computer
- It provides a large array of essential computer monitoring features, website, application, and chat client blocking, lockdown scheduling, and remote delivery of logs via email or FTP
- It sees all keystrokes users type, reveals all website visits, records online chat conversations, and sees every email they send and receive

Spyware: Power Spy
- Power Spy secretly monitors and records all activities on your computer
- It records all Facebook use, keystrokes, emails, web sites visited, chats, and IMs in Windows Live Messenger, Skype, Yahoo Messenger, Tencent QQ, Google Talk, AOL Instant Messenger (AIM), and others

Spyware Tools
- NetVizor, Remote Desktop Spy, Spector CNE Investigator, REFOG Employee Monitor, Employee Desktop Live Viewer, Activity Monitor, Child Control 2014, Net Nanny Home Suite, SoftActivity TS Monitor, SPECTOR PRO
- eBLASTER, SSPro, iMonitor Employee Activity Monitor, Employee Monitoring, OsMonitor, Aobo Filter for PC, SentryPC, Personal Inspector, iProtectYou Pro, Spytech SentryPC
USB Spyware: USBSpy
- USBSpy lets you capture, display, record, and analyze the data that is transferred between any USB device connected to the PC and applications

Audio Spyware: Spy Voice Recorder and Sound Snooper
- Spy Voice Recorder records the voice chat messages of instant messengers, including MSN voice chat, Skype voice chat, Yahoo! Messenger voice chat, ICQ voice chat, QQ voice chat, etc.
- Sound Snooper: voice-activated recording, conference recordings, radio broadcast logging

Video Spyware: WebCam Recorder
- WebCam Recorder records video from sources such as auto-detected webcams

Cellphone Spyware: Mobile Spy
- Mobile Spy records GPS locations and every SMS and logs every call, including phone numbers with durations; afterwards you can view real-time results in your private online account

Cellphone Spyware Tools
- VRS Recording System, Modem Spy, MobiStealth Cell Phone Spy, SPYPhone GOLD, SpyPhoneTap, FlexiSPY, SpyBubble, MOBILE SPY, StealthGenie

GPS Spyware: SPYPhone
- SPYPhone software has the ability to send events (captured data) from the phone via Wi-Fi, 3G, GPRS, or SMS
- Features: call interception, call history, cell ID tracking

GPS Spyware Tools
- EasyGPS, ALL-in-ONE Spy, FlexiSPY, Trackstick, GPS TrackMaker Professional, Mobistealth Pro, MOBILE SPY, mSpy, World-Tracker
How to Defend Against Keyloggers
- Use a pop-up blocker
- Install anti-spyware/antivirus programs and keep the signatures up to date
- Install good professional firewall software and anti-keylogging software
- Recognize phishing emails and delete them
- Choose new passwords for different online accounts and change them frequently
- Avoid opening junk emails
- Do not click on links in unwanted or doubtful emails that may point to malicious sites
- Use keystroke interference software, which inserts randomized characters into every keystroke
- Scan files before installing them on the computer, and use the registry editor or process explorer to check for keystroke loggers
- Keep your hardware systems secure in a locked environment and frequently check the keyboard cables for attached connectors
- Install a host-based IDS, which can monitor your system and disable the installation of keyloggers
- Use automatic form-filling programs or a virtual keyboard to enter user name and password
- Use the Windows on-screen keyboard accessibility utility to enter the password or any other confidential information
- Use software that frequently scans and monitors the changes in the system or network

Hardware Keylogger Countermeasures
- Restrict physical access to sensitive computer systems
- Periodically check all the computers and check whether there is any hardware device connected to the computer
- Use encryption between the keyboard and its driver
- Use an anti-keylogger that detects the presence of a hardware keylogger, such as Oxynger KeyShield

Anti-Keylogger: Zemana AntiLogger
- Zemana AntiLogger eliminates threats from keyloggers, SSL banker Trojans, spyware, and more
- Features: SSL logger protection, webcam logger protection, key logger protection, clipboard logger protection, screen logger protection
Anti-Keyloggers
- Anti-Keylogger, PrivacyKeyboard, DefenseWall HIPS, KeyScrambler, I Hate Keyloggers, SpyShelter STOP-LOGGER, GuardedID, Elite Anti Keylogger, CoDefender

How to Defend Against Spyware
1. Try to avoid using any computer system which is not totally under your control
2. Adjust browser security settings to medium or higher for the Internet zone
3. Be cautious about suspicious emails and sites
4. Enhance the security level of the computer
5. Update the software regularly and use a firewall with outbound protection
6. Regularly check the task manager report and the MS configuration manager report
7. Update virus definition files and scan the system for spyware regularly
8. Install and use anti-spyware software
9. Perform web surfing safely and download cautiously
10. Do not use administrative mode unless it is necessary
11. Do not use shared or public computers for banking and other sensitive activities
12. Do not download free music files, screensavers, or smiley faces from the Internet
13. Beware of pop-up windows or web pages; never click anywhere on these windows
14. Carefully read all disclosures, including the license agreement and privacy statement, before installing any application
15. Do not store personal information on any computer system that is not totally under your control
Anti-Spyware
- Identifies potentially unwanted programs and securely removes them
- Detects and removes spyware, adware, malware, Trojans, dialers, worms, keyloggers, hijackers, parasites, rootkits, rogue security products and many other types of threats

Anti-Spyware Tools
- XoftSpySE Anti-Spyware, Spyware Terminator 2012, Ad-Aware Free Antivirus+, Norton Internet Security, SpyHunter, Kaspersky Internet Security 2014, SecureAnywhere Complete 2012, MacScan, Spybot - Search & Destroy, Malwarebytes Anti-Malware PRO

CEH Hacking Methodology: Step 4, Hiding Files

Rootkits
- Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time and also in the future
- Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system, causing malicious functions to be executed
- A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

The attacker places a rootkit by:
- Scanning for vulnerable computers and servers on the web
- Wrapping it in a special package like games
- Installing it on public computers or corporate computers through social engineering
- Launching a zero-day attack (privilege escalation, etc.)

Objectives of a rootkit:
- To root the host system and gain remote backdoor access
- To mask attacker tracks and the presence of malicious applications or processes
- To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access
- To store other malicious programs on the system and act as a server resource for bot updates, etc.
Types of Rootkits
- Hypervisor Level Rootkit: acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine
- Hardware/Firmware Rootkit: hides in hardware devices or platform firmware which is not inspected for code integrity
- Kernel Level Rootkit: adds malicious code or replaces original OS kernel and device driver code
- Boot Loader Level Rootkit: replaces the original boot loader with one controlled by a remote attacker
- Application Level Rootkit: replaces regular application binaries with fake Trojan ones, or modifies the behavior of existing applications by injecting malicious code
- Library Level Rootkit: replaces original system calls with fake ones to hide information about the attacker
Rootkit: Necurs
- Necurs contains backdoor functionality, allowing remote access and control of the infected computer
- It monitors and filters network activity and has been observed to send spam and install rogue security software
- It enables further compromise of the infected computer

Rootkit: Azazel
- Azazel is a userland rootkit based off of the original LD_PRELOAD technique from the Jynx rootkit
- Features: anti-debugging; avoids unhide, lsof, ps and ldd detection; hides files, directories, and remote connections; hides processes and logins; PCAP hooks avoid local sniffing; PAM backdoor for local and remote entry; log cleanup for utmp/wtmp entries; uses xor to obfuscate static strings

Rootkit: ZeroAccess
- ZeroAccess is a kernel-mode rootkit capable of functioning on both 32-bit and 64-bit Windows from a single installer, employing its kernel-mode component where available
- It acts as a sophisticated delivery platform for other malware

Detecting Rootkits
- Integrity-Based Detection: compares a snapshot of the file system, boot records, or memory with a known trusted baseline
- Signature-Based Detection: compares characteristics of all system processes and executable files with a database of known rootkit fingerprints
- Heuristic/Behavior-Based Detection: any deviations in the system's normal activity or behavior may indicate the presence of a rootkit
- Runtime Execution Path Profiling: compares runtime execution paths of all system processes and executable files before and after the rootkit infection
- Cross View-Based Detection: enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to a similar data set generated by an algorithm that does not rely on the common APIs; any discrepancies between these two data sets indicate the presence of a rootkit
Steps for Detecting Rootkits
- Step 1: Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results
- Step 2: Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results
- The two sets of results are then compared; as with cross view-based detection, any discrepancy between them indicates files being hidden from the running OS

How to Defend against Rootkits
- Reinstall the OS/applications from a trusted source after backing up the critical data
- Maintain well-documented automated installation procedures
- Harden the workstation or server against the attack
- Educate staff not to download any files/programs from untrusted sources
- Install network and host-based firewalls
- Update and patch operating systems and applications
- Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies
- Avoid logging in to an account with administrative privileges
- Adhere to the least privilege principle
- Ensure the chosen antivirus software possesses rootkit protection
- Do not install unnecessary applications, and disable the features and services not in use

Anti-Rootkits
- Virus Removal Tool, Hypersight Rootkit Detector, Avira Free Antivirus, SanityCheck, GMER, Rootkit Buster, F-Secure Antivirus, TDSSKiller, Prevx

NTFS Data Stream
- NTFS Alternate Data Stream (ADS) is a Windows hidden stream which contains metadata for the file such as attributes, word count, author name, and access and modification time of the files
- ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities
- ADS allows an attacker to inject malicious code into files on an accessible system and execute them without being detected by the user
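As an added example (not part of the EC-Council slides), the following Python carries out the comparison step of the rootkit-detection procedure above: it reads the two saved "dir /s /b" listings (one taken inside the running OS, one from the clean boot) and reports the paths the live OS does not show. The two listings are constructed samples, not real output, and the file names in them are hypothetical.

```python
# Added example, not from the EC-Council slides: cross-view comparison of two
# "dir /s /b /ah" + "dir /s /b /a-h" listings. Both listings below are constructed.

# Listing saved from inside the (potentially) infected OS: constructed sample.
INFECTED_OS_LISTING = """
C:\\Windows\\System32\\drivers\\ntfs.sys
C:\\Windows\\System32\\kernel32.dll
C:\\Users\\alice\\Documents\\report.docx
"""

# Listing of the same drive taken after booting a clean CD: constructed sample.
CLEAN_BOOT_LISTING = """
C:\\Windows\\System32\\drivers\\ntfs.sys
C:\\Windows\\System32\\kernel32.dll
C:\\Windows\\System32\\drivers\\hidden_rk.sys
C:\\Users\\alice\\Documents\\report.docx
C:\\Users\\alice\\AppData\\Local\\Temp\\~rk_loader.exe
"""


def parse_listing(text):
    """Normalise one dir /s /b listing into a set of paths: drop blank lines and
    case-fold, since NTFS path lookups are case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def cross_view_diff(infected_view, clean_view):
    """Return (hidden, live_only).
    hidden    : paths the clean boot lists but the running OS does not; these are
                the rootkit-hiding candidates the procedure is looking for.
    live_only : paths only the running OS lists (e.g. files written between the
                two listings); usually benign but worth a look."""
    live = parse_listing(infected_view)
    clean = parse_listing(clean_view)
    return sorted(clean - live), sorted(live - clean)


def report(infected_view=INFECTED_OS_LISTING, clean_view=CLEAN_BOOT_LISTING):
    """Print and return the two discrepancy lists for the given listings."""
    hidden, live_only = cross_view_diff(infected_view, clean_view)
    for path in hidden:
        print("HIDDEN FROM LIVE OS:", path)
    for path in live_only:
        print("ONLY IN LIVE OS    :", path)
    return hidden, live_only


if __name__ == "__main__":
    report()
```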
How to Create NTFS Streams
Notepad is a stream-compliant application.
1. Launch c:\>notepad myfile.txt:lion.txt
2. Click "Yes" to create the new file, enter some data, and save the file.
3. Launch c:\>notepad myfile.txt:tiger.txt
4. Click "Yes" to create the new file, enter some data, and save the file.
5. View the file size of myfile.txt (it should be zero).
6. To view or modify the stream data hidden in steps 1 and 2, use the following commands respectively: notepad myfile.txt:lion.txt and notepad myfile.txt:tiger.txt

NTFS Stream Manipulation
The slide shows Trojan.exe (size: 2 MB) and Readme.txt (size: 0) in location c:\.
- To move the contents of Trojan.exe to Readme.txt (stream): C:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exe
- To create a link to the Trojan.exe stream inside Readme.txt: C:\>mklink backdoor.exe Readme.txt:Trojan.exe
- To execute the Trojan.exe inside the Readme.txt stream, type: C:\>backdoor

How to Defend against NTFS Streams
- To delete NTFS streams, move the suspected files to a FAT partition.
- Use a third-party file integrity checker such as Tripwire to maintain the integrity of files on an NTFS partition.

NTFS Stream Detector: StreamArmor
StreamArmor discovers hidden Alternate Data Streams and can remove them.

NTFS Stream Detectors (vendor URLs on the slide are not legible): ADS Spy, ADS Manager, Streams, AlternateStreamView, NTFS-Streams: ADS manipulation tool, Stream Explorer, ADS Scanner, ADS Detector, GMER, HijackThis.

What is Steganography?
- Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data.
- Utilizing a graphic image as a cover is the most popular method to conceal data in files.
- An attacker can use steganography to hide messages such as a list of compromised servers, source code for a hacking tool, or plans for future attacks.
[Figure: a cover medium and the secret message pass through an embedding function to produce the stego object; the extracting function recovers the message at the destination.]

Classification of Steganography
Steganography is classified as technical or linguistic; the linguistic branch includes semagrams and covered ciphers. By cover medium, the slide lists image, document, folder, video, audio, white space, web, spam/email, DVD-ROM, natural text, hidden OS, and C++ source code steganography.

Whitespace Steganography Tool: SNOW
- The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines.
- Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers.
- Example command from the slide (the message text is not legible and is shown as a placeholder): snow -C -m "<message>" -p "magic" readme.txt readme2.txt

Image Steganography
In image steganography, the information is hidden in image files. Techniques: least significant bit insertion, masking and filtering, and algorithms and transformation.

Least Significant Bit Insertion
- The rightmost bit of a pixel is called the Least Significant Bit (LSB).
- In the least significant bit insertion method, the binary data of the message is broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence.
- Modifying the LSB does not result in a noticeable difference because the net change is minimal and is indiscernible to the human eye.
Example: given a string of bytes
(00100111 11101001 11001000) (00100111 11001000 11101001) (11001000 00100111 11101001)
The letter "H" is represented by the binary digits 01001000.
To hide this "H", the stream above is changed to:
(00100110 11101001 11001000) (00100110 11001001 11101000) (11001000 00100110 11101001)
To retrieve the "H", combine the LSBs of the first eight bytes in order.

Masking and Filtering
- Masking and filtering techniques are generally used on 24-bit images.
- The masking technique hides data using a method similar to watermarks on actual paper, and it can be done by modifying the luminance of parts of the image.
- Masking techniques can be detected with simple statistical analysis but are resistant to lossy compression and image cropping.
- The information is not hidden in the noise but in the significant areas of the image.

Algorithms and Transformation
- Another steganography technique is to hide data in the mathematical functions used in compression algorithms.
- The data is embedded in the cover image by changing the coefficients of a transform of the image.
- For example, JPEG images use the Discrete Cosine Transform (DCT) technique to achieve image compression.
- Types of transformation techniques: (1) fast Fourier transformation, (2) discrete cosine transformation, (3) wavelet transformation.

Image Steganography: QuickStego
QuickStego hides text in pictures so that only other users of QuickStego can retrieve and read the hidden secret messages.
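The LSB insertion example above can be carried out in code, which also makes it easy to see how little the cover changes. The block below is an added example for this page, not code from the course or from QuickStego; it embeds the letter "H" into the nine cover bytes from the slide and recovers it, and it generalises the same routine to any byte string and any list of 8-bit samples (grayscale pixels, audio samples). The names lsb_embed and lsb_extract are this example's own.

```python
"""LSB insertion and extraction on 8-bit samples (added example)."""

# The nine cover bytes from the slide, in the order shown.
SLIDE_COVER = [
    0b00100111, 0b11101001, 0b11001000,
    0b00100111, 0b11001000, 0b11101001,
    0b11001000, 0b00100111, 0b11101001,
]


def message_bits(message: bytes) -> list:
    """Bits of the message, most significant bit of each byte first."""
    return [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]


def lsb_embed(cover: list, message: bytes) -> list:
    """Return a copy of cover whose first len(message)*8 LSBs carry the message."""
    bits = message_bits(message)
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(cover)))
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return stego


def lsb_extract(stego: list, nbytes: int) -> bytes:
    """Rebuild nbytes of message from the LSBs of the first nbytes*8 samples."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for sample in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def changed_samples(cover: list, stego: list) -> int:
    """How many samples differ; each differing sample changes by exactly 1."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


def max_delta(cover: list, stego: list) -> int:
    """Largest per-sample change introduced by the embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def as_binary(samples: list) -> str:
    return " ".join(format(s, "08b") for s in samples)


if __name__ == "__main__":
    stego = lsb_embed(SLIDE_COVER, b"H")
    print("cover:", as_binary(SLIDE_COVER))
    print("stego:", as_binary(stego))
    print("recovered:", lsb_extract(stego, 1))
    print("samples changed:", changed_samples(SLIDE_COVER, stego),
          "max change per sample:", max_delta(SLIDE_COVER, stego))
```

Five of the nine bytes change, and every change is by one unit of intensity, which is why the slide says the difference is indiscernible. The ninth byte is untouched because "H" needs only eight bits; a real embedder also stores the message length (or a terminator) so the extractor knows where to stop.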
Image Steganography tools (vendor URLs on the slide are not legible): Hide In Picture, gifshuffle, CryptaPix, ImageHide, OpenPuff, OpenStego, PHP-Class StreamSteganography, Red JPEG, Steganography Studio, Virtual Steganographic Laboratory (VSL).

Document Steganography
Document steganography hides secret messages in document files. Tools (vendor URLs not legible): Office XML, Data Stash, Indie Security Suite, Hydan, Steg, StegoStick, SNOW, TextHide, Camouflage, Texto.

Video Steganography
- Video steganography refers to hiding secret information in a carrier video file.
- The techniques used in audio and image files are used in video files, as video is a moving stream of images and sound.
- Information can be hidden in video files because every frame of the video is itself an image.

Video Steganography: OmniHide PRO and Masker
- OmniHide PRO hides files within other carrier files.
- Masker hides files and folders inside carrier files such as image, video, program, or sound files.

Video Steganography tools (vendor URLs not legible): Stegostick, OurSecret, Stegsecret, RT Steganography, OpenPuff, Max File Encryption, MSU StegoVideo, PSM Encryptor, BDV DataHider, Hidden Data Detector.

Audio Steganography
- Information can be hidden in an audio file by using LSB or by using frequencies that are inaudible to the human ear (>20,000 Hz).
- Some of the audio steganography methods are echo data hiding, spread spectrum method, LSB coding, tone insertion, phase encoding, etc.
[Figure: an audio file and the information pass through a stego tool to produce the stego object; the stego tool recovers the information from the stego object.]
Audio Steganography: DeepSound
- DeepSound hides secret data in audio files (wave and flac).
- It enables extracting secret files directly from audio CD tracks.
- DeepSound might be used as copyright marking software for wave, flac, and audio CD.
- It also supports encrypting secret files using AES-256 to improve data protection.

Audio Steganography tools (vendor URLs not legible): Mp3stegz, MAXA Security Tools, BitCrypt, MP3Stego, Hide4PGP, CHAOS Universal, SilentEye, QuickCrypto, CryptArkan, StegoStick.

Folder Steganography: Invisible Secrets 4
Folder steganography refers to hiding secret information in folders.

Folder Steganography tools (vendor URLs not legible): Folder Lock, Universal Shield, WinMend Folder Hidden, A+ Folder Locker, Toolwiz BSafe, Encrypted Magic Folders, Hide Folders 2012, QuickCrypto, GiliSoft File Lock Pro, Max Folder Secure.

Spam/Email Steganography: Spam Mimic
Spam steganography refers to hiding information in spam messages.

Steganography Tools for Mobile Phones: Steganography Master, Stegais, SPY PIX, Pocket Stego, StegoSec, Steganography Image, StegDroid Alpha, Da Vinci Secret Image, Secret Letter, Steganography Application, Steg-O-Matic, Pixelknot: Hidden Messages, Secret Tidings.

Steganalysis
Steganalysis is the art of discovering and rendering covert
messages hidden using steganography.

Steganalysis Methods/Attacks on Steganography
- Stego-only attack: only the stego object is available for analysis.
- Known-cover attack: the attacker compares the stego object and the cover medium to identify the hidden message.
- Known-message attack: the attacker has access to the hidden message and the stego object.
- Known-stego attack: the attacker has access to the stego algorithm and to both the cover medium and the stego object.
- Chosen-stego attack: the attacker has access to the stego object and the stego algorithm.
- Chosen-message attack: the attacker generates stego objects from a known message using specific steganography tools in order to identify the steganography algorithm.

Detecting Text and Image Steganography
- Text file: the alterations are made to the character positions for hiding the data. The alterations are detected by looking for text patterns or disturbances, the language used, and an unusual amount of blank space.
- Image file: the hidden data in an image can be detected by determining changes in size, file format, the last modified timestamp, and the color palette pointing to the existence of hidden data. The statistical analysis method is used for image scanning.

Steganography Detection Tool: Gargoyle Investigator Forensic Pro
- Gargoyle Investigator Forensic Pro provides inspectors with the ability to conduct a quick search on a given computer or machine for known contraband and hostile programs.
- Its signature set contains over 20 categories, including Botnet, Trojans, Steganography, Encryption, Keyloggers, etc., and helps in detecting stego files created by using Blindside, WeavWav, S-Tools, etc.
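The two detection ideas above, an unusual amount of trailing blank space in text and statistical analysis of image samples, are simple enough to implement directly. The block below is an added example for this page and is not from the course or from any of the tools it names. It assumes 8-bit samples for the image check, the trailing-whitespace threshold is this example's own choice, and the text and sample data are constructed inline; the pairs-of-values chi-square statistic it computes is the classic LSB steganalysis measure, which drops toward the number of value pairs when LSBs have been overwritten by message bits.

```python
"""Heuristic steganalysis checks for text and 8-bit samples (added example)."""
import random


def trailing_whitespace_report(text: str) -> dict:
    """Flag lines ending in spaces or tabs; whitespace payloads appended to lines show up here."""
    lines = text.splitlines()
    flagged, extra_chars = [], 0
    for number, line in enumerate(lines, start=1):
        stripped = line.rstrip(" \t")
        if stripped != line:
            flagged.append(number)
            extra_chars += len(line) - len(stripped)
    ratio = len(flagged) / len(lines) if lines else 0.0
    return {
        "total_lines": len(lines),
        "flagged_lines": flagged,
        "trailing_chars": extra_chars,
        "flagged_ratio": ratio,
        # Threshold is an assumption made for this example, not taken from the slides.
        "suspicious": ratio >= 0.5 and extra_chars >= 8,
    }


def pairs_of_values_chi2(samples: list) -> float:
    """Chi-square statistic over value pairs (2k, 2k+1).

    LSB replacement only moves counts between 2k and 2k+1, so after a full
    embedding the two counts in each pair converge; the statistic then falls
    to roughly the number of occupied pairs, while natural data scores much higher.
    """
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    stat = 0.0
    for k in range(0, 256, 2):
        n_even, n_odd = counts[k], counts[k + 1]
        total = n_even + n_odd
        if total == 0:
            continue
        expected = total / 2
        stat += (n_even - expected) ** 2 / expected + (n_odd - expected) ** 2 / expected
    return stat


def constructed_samples(seed: int = 1234, n: int = 4000) -> tuple:
    """Constructed 'cover' samples with skewed pair counts, and a copy with LSBs overwritten."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        value = 2 * rng.randrange(128)
        if rng.random() < 0.2:      # natural data: the two values of a pair are not equally likely
            value += 1
        cover.append(value)
    stego = [(v & 0xFE) | rng.getrandbits(1) for v in cover]   # simulated full LSB embedding
    return cover, stego


# Constructed text: three of five lines carry trailing spaces/tabs.
SAMPLE_TEXT = (
    "The quick brown fox\n"
    "jumps over the lazy dog  \t \n"
    "and keeps running\n"
    "through the forest \t\t \n"
    "until nightfall\t  \n"
)


if __name__ == "__main__":
    print(trailing_whitespace_report(SAMPLE_TEXT))
    cover, stego = constructed_samples()
    print("chi2 cover:", round(pairs_of_values_chi2(cover), 1),
          "chi2 after LSB embedding:", round(pairs_of_values_chi2(stego), 1))
```

Both checks are heuristics: editors that strip trailing whitespace and images with flat histograms both produce false results, so a low chi-square or a clean text file is evidence, not proof, and the file-level indicators the slide lists (size, format, timestamp, palette) should be checked alongside.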
Steganography Detection tools (vendor URLs on the slide are not legible): Xstegsecret, Stego Suite, StegAlyzerAS, StegAlyzerRTS, StegSpy, StegAlyzerSS, Steganography Studio, Virtual Steganographic Laboratory (VSL), Stegdetect, ImgStegano.

Covering Tracks
Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection, by disabling auditing, clearing logs, and manipulating logs.

Disabling Auditing: Auditpol
- Intruders will disable auditing immediately after gaining administrator privileges.
- At the end of their stay, the intruders will just turn on auditing again using auditpol.exe.

Clearing Logs
- If the system is exploited with Metasploit, the attacker uses the meterpreter shell to wipe out all the logs from a Windows system.
- The attacker uses the clearlogs.exe utility to clear the security, system, and application logs.

Manually Clearing Event Logs
- Windows: navigate to Start > Control Panel > System and Security > Administrative Tools, double-click Event Viewer, and delete all the log entries logged while compromising the system.
- Linux: navigate to the /var/log directory on the Linux system, open the plain text file containing log messages (/var/log/messages) with a text editor, and delete all the log entries logged while compromising the system.

Ways to Clear Online Tracks
- Remove Most Recently Used (MRU) lists, delete cookies, clear the cache, turn off AutoComplete, and clear Toolbar data from the browsers.
- Privacy settings in Windows 8.1: click the Start button, choose Control Panel > Appearance and Personalization > Taskbar and Start Menu. Click the Start Menu tab and then, under Privacy, clear the "Store and display recently opened items in the Start menu and the taskbar" check box.
- From the Registry in
Windows 8.1: open HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, remove the key for "RecentDocs", and delete all the values except "(Default)".

Covering Tracks Tool: CCleaner
- CCleaner is a system optimization and cleaning tool.
- It cleans traces of temporary files, log files, registry files, memory dumps, and also online activity such as Internet history.

Covering Tracks Tool: MRU-Blaster
- MRU-Blaster is an application for Windows that allows you to clean the most recently used lists stored on your computer.
- It allows you to clean out your temporary Internet files and cookies.

Track Covering tools (vendor URLs on the slide are not legible): Wipe, ClearProg, Tracks Eraser Pro, WinTools.net Professional, BleachBit, RealTime Cookie & Cache Cleaner (RtC3), AbsoluteShield Internet Eraser Pro, Privacy Eraser, Free Internet Window Washer, Clear My History.

Penetration Testing: Password Cracking
Flowchart steps from the slide:
- Perform rule-based attack.
- Perform brute forcing attack.
- Perform dictionary attack.
- Check for password complexity.
- Perform dumpster diving.
- Perform social engineering: convince people to reveal confidential information.
- Perform shoulder surfing.
- Perform password guessing.
- Dictionary attack: load the dictionary file into the cracking application that runs against user accounts.
- Brute forcing attack: run a program that tries every combination of characters until the password is broken.

Password Cracking (Cont'd)
- Perform Trojan/spyware/keylogger attack: record every keystroke that a user types using keyloggers; secretly gather a person's or organization's personal information using spyware; with the help of a Trojan, get access to the passwords stored on the Trojaned computer.
- Perform hash injection attack: inject a compromised hash into a local session and use the hash to validate to network resources.
- Perform wire sniffing: run packet sniffer tools on the LAN to access and record the raw network traffic that may include passwords sent to remote systems.
- Perform man-in-the-middle attack: acquire access to the communication channel between victim and server to extract the information.
- Perform replay attack: use a sniffer to capture packets and authentication tokens; after extracting the relevant information, place the tokens back on the network to gain access.
- Perform distributed network attack: recover password-protected files using the unused processing power of machines across the network to decrypt passwords.
- Perform rainbow table attack.

Penetration Testing: Privilege Escalation
- Start: are interactive logon privileges restricted?
- Use privilege escalation tools such as Active@ Password Changer, Offline NT Password & Registry Editor, Windows Password Reset Kit, Windows Password Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password Recovery Bootdisk, etc.

Penetration Testing: Executing Applications
- Check if firewall software and anti-keylogging software are installed.
- Check if the hardware systems are secured in a locked environment.
- Try to use keyloggers such as All In One Keylogger, Ultimate Keylogger, Advanced Keylogger, etc.
- Try to use spyware such as Spytech SpyAgent, SoftActivity TS Monitor, Spy Voice Recorder, Mobile Spy, SPYPhone, etc.
- Use tools for remote execution.

Penetration Testing: Hiding Files
- Check if patches for the OS and applications are updated.
- Check if antivirus and anti-spyware software are updated regularly.
- Try to install the rootkit in the target system to maintain hidden access.
- Perform integrity-based detection, signature-based detection, cross view-based detection, and heuristic detection techniques to detect rootkits.
- Use anti-rootkits such as Stinger, UnHackMe, Virus Removal Tool, Rootkit Buster, etc. to detect rootkits.
- Use NTFS Alternate Data Streams (ADS) to inject malicious code on a breached system and execute it without being detected by the user.
- Use NTFS stream detectors such as StreamArmor, ADS Spy, Streams, etc. to detect NTFS-ADS streams.
- Use the steganography technique to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of data.
- Perform steganalysis: use steganography detection tools such as Gargoyle Investigator Forensic Pro, Xstegsecret, Stego Suite, Stegdetect, etc.
Penetration Testing: Covering Tracks
- Close all remote connections to the victim machine.
- Close any opened port.
- Remove web activity tracks such as MRU, cookies, cache, temporary files, and history.
- Disable auditing using a tool such as Auditpol.
- Tamper with log files such as event log files, server log files, and proxy log files by log poisoning or log flooding.
- Use track covering tools such as CCleaner, MRU-Blaster, Wipe, Tracks Eraser Pro, Clear My History, etc.

Module Summary
Attackers use a variety of means to penetrate systems, such as:
- Using password cracking techniques to gain unauthorized access to the vulnerable system.
- Creating a list (dictionary) of all possible passwords from the information collected through social engineering and performing dictionary, brute force, and rule-based attacks on the victim's machine to crack the passwords.
- Performing a privilege escalation attack, which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications.
- Executing malicious programs remotely on the victim's machine to gather information.
- Using keystroke loggers and spyware to gather confidential information about the victim such as email ID, passwords, banking details, chat room activity, IRC, instant messages, etc.
- Using rootkits to hide their presence as well as malicious activities, which grant them full access to the server or host at that time and also in future.
- Using steganography techniques to hide messages such as a list of the compromised servers, source code for the hacking tool, communication and coordination channels, plans for future attacks, etc.
Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection.
