Module 05: System Hacking

Security News: Information Security Breaches Survey 2014 (UK Department for Business, Innovation and Skills)
- 58% of large organizations suffered staff-related security breaches
- 59% of small-business respondents expect there will be more security incidents in the next year
- 81% of large organizations had a security breach in the last 12 months
- The cost of breaches nearly doubled
- 31% of the worst security breaches were actually caused by inadvertent human error

Module Objectives
- Overview of the CEH Hacking Methodology
- Understanding techniques to gain access to the system
- Understanding privilege escalation techniques
- Understanding techniques to create and maintain remote access to the system
- Overview of the different types of rootkits
- Understanding steganography and steganalysis techniques
- Understanding techniques to hide the evidence of compromise
- Overview of system hacking penetration testing

Information at Hand Before the System Hacking Stage
What you have at this stage:
- Footprinting: IP range, namespace, employees
- Scanning: target assessment, identified systems, identified services
- Enumeration: intrusive probing, user lists, security flaws

System Hacking: Goals (hacking stage; goal; technique or exploit used)
- Gaining access: bypass access controls to gain access to the system; password cracking, social engineering
- Escalating privileges: acquire the rights of another user or an admin; exploiting known system vulnerabilities
- Executing applications: create and maintain remote access to the system; Trojans, spyware, backdoors, keyloggers
- Hiding files: hide the attacker's malicious activities; rootkits, steganography
- Covering tracks: hide the evidence of compromise; clearing logs

CEH Hacking Methodology (CHM)
Footprinting, Scanning and Enumeration are followed by the system hacking stages:
1. Cracking Passwords
2. Escalating Privileges
3. Executing Applications
4. Hiding Files
5. Covering Tracks
6. Penetration Testing

Password Cracking
- Password cracking techniques are used to recover passwords from computer systems
- Attackers use password cracking techniques to gain unauthorized access to the vulnerable system
- Most password cracking techniques succeed because of weak or easily guessable passwords

Types of Password Attacks
- Non-electronic attacks: shoulder surfing, social engineering, dumpster diving
- Active online attacks: dictionary, brute-force and rule-based attacks, hash injection, phishing, Trojan/spyware/keylogger, password guessing
- Passive online attacks: wire sniffing, man-in-the-middle, replay
- Offline attacks: rainbow table attack, distributed network attack (the attacker cracks the passwords on their own system at a different location)

Active Online Attack: Dictionary, Brute-Forcing and Rule-Based Attack
- Dictionary attack: a dictionary file is loaded into the cracking application that runs against user accounts
- Brute-forcing attack: the program tries every combination of characters until the password is broken
- Rule-based attack: used when the attacker already has some information about the password

Active Online Attack: Password Guessing
- The attacker creates a list of all possible passwords from the information collected through social engineering or any other method and tries them manually on the victim's machine
- Create a list of possible passwords, rank them from high probability to low, and key in each password until the correct one is discovered

Default Passwords
- A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected
- Attackers use default passwords in the list of words or dictionary that they use to perform a dictionary attack
- Online tools to search default passwords: http://www.defaultpassword.us

Active Online Attack: Trojan/Spyware/Keylogger
- The attacker installs a Trojan/spyware/keylogger on the victim's machine to collect the victim's user names and passwords
- The Trojan/spyware/keylogger runs in the background and sends back all user credentials to the attacker
- Sequence: the attacker infects the victim's local PC with a Trojan; the Trojan/spyware/keylogger sends the login credentials to the attacker

Example of Active Online Attack Using a USB Drive
- The attacker inserts the USB drive and the autorun window pops up (if enabled)
- PassView is executed in the background and the passwords are stored in files on the USB drive

Active Online Attack: Hash Injection Attack
- A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources
- The attacker compromises a server; the logged-on hashes are stored in the SAM file
- The attacker finds and extracts a logged-on domain admin account hash and uses it to log on to the domain

Passive Online Attack: Wire Sniffing
- Attackers run packet sniffers on the local area network to access and record raw network traffic
- The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails
- Sniffed credentials are used to gain unauthorized access to the target system
- Wire sniffing is hard to perpetrate

Passive Online Attack: Man-in-the-Middle and Replay Attack
- In a MITM attack the attacker acquires access to the communication channels between the victim and the web server (the original connection) to extract the information transmitted
- Considerations: relatively hard to perpetrate; must be trusted by one or both sides; can sometimes be broken by invalidating traffic

Offline Attack: Rainbow Table Attack
- Rainbow table: a precomputed table which contains word lists like dictionary files and brute-force lists and their hash values
- Compare the hashes: capture the hash of a password and compare it with the precomputed hash table; if a match is found, the password is cracked
- Easy to recover: it is easy to recover passwords by comparing captured password hashes to the precomputed tables

Tools to Create Rainbow Tables: rtgen and Winrtgen
- rtgen: the rtgen program needs several parameters (hash algorithm, character set, plaintext length range, table and chain parameters) on its command line to generate a rainbow table
- Winrtgen: a graphical rainbow table generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes

Offline Attack: Distributed Network Attack
- A Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network to decrypt passwords
- The DNA Manager is installed in a central location where machines running the DNA Client can access it over the network
- The DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network
- The DNA Client runs in the background, consuming only unused processor time
- The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password

Elcomsoft Distributed Password Recovery
- Breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment
- Features: distributed password recovery over LAN, Internet, or both; plug-in architecture allows for additional file formats; schedule support for flexible load balancing; install and remove password recovery clients remotely; encrypted network communications

Microsoft Authentication
- Security Accounts Manager (SAM) Database: Windows stores user passwords in the SAM, or in the Active Directory database in domains. Passwords are never stored in clear text; passwords are hashed and the results are stored in the SAM
- NTLM Authentication: the NTLM authentication protocol types are (1) the NTLM authentication protocol and (2) the LM authentication protocol; these protocols store the user's password in the SAM database using different hashing methods
- Kerberos Authentication: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM

How Hash Passwords Are Stored in Windows SAM?
- Each SAM entry holds the user name, the relative ID, the LM hash and the NTLM hash of the password; in the slide example the account Shiela (RID 1005) shows NO PASSWORD in the LM field and an NTLM hash
- Note: LM hashes have been disabled in Windows Vista and later Windows operating systems; LM will be blank in those systems

NTLM Authentication Process
1. The user types the password into the logon window on the client computer
2. Windows runs the password through a hash algorithm and generates a hash of the password
3. The domain controller issues a challenge; the client computer computes a response with its hash and sends the response to the challenge
4. The domain controller has a stored copy of the user's hashed password; it computes the response with its own copy of the hash and compares it with the client's response
5. If they match, the logon is successful
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

Kerberos Authentication
- The Key Distribution Center (KDC) consists of the Authentication Server (AS), the Ticket Granting Server (TGS) and a database
1. Request of the client to the AS, and reply of the AS to the client's request
2. Request of the client to the TGS, and reply of the TGS to the client's request
3. Request to an application server to access a service
4. Reply to prove it really is the server the client is expecting

Password Salting
- Password salting is a technique where a random string of characters is added to the password before calculating its hash
- Advantage: salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks
- In the slide example the entries for Alice, Bob and Cecil each carry a different salt and therefore a different hash
- Note: Windows password hashes are not salted

pwdump7 and fgdump
- pwdump7 extracts the password hashes from the SAM database
- fgdump works like pwdump but also extracts cached credentials and allows remote network execution
- Example: dump a remote machine (192.168.0.10) using a specified user account

Password Cracking Tools
- L0phtCrack (http://www.lophtcrack.com): a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding
- Ophcrack (http://ophcrack.sourceforge.net): a Windows password cracker based on rainbow tables; it comes with a graphical user interface and runs on multiple platforms
- Cain & Abel: allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks
- RainbowCrack: cracks hashes with rainbow tables; it uses a time-memory tradeoff algorithm to crack hashes
- Other tools: Offline NT Password & Registry Editor, Password Unlocker Bundle, Proactive System Password Recovery, John the Ripper, Windows Password Cracker, WinPassword, Passware Kit Enterprise, PasswordsPro, LSASecretsView, LCP, Password Cracker, CloudCracker, Windows Password Recovery Tool, Hash Suite, InsidePro, Windows Password Recovery, Password Recovery Bundle, krbpwguess, THC-Hydra, Windows Password Breaker Enterprise

Password Cracking Tool for Mobile: FlexiSPY Password Grabber
- FlexiSPY Password Grabber captures passwords and pattern codes entered on the mobile device

How to Defend against Password Cracking
1. Enable information security audit to monitor and track password attacks
2. Do not use the same password during password change
3. Do not share passwords
4. Do not use passwords that can be found in a dictionary
5. Do not use cleartext protocols and protocols with weak encryption
6. Set the password change policy to 30 days
7. Avoid storing passwords in an unsecured location
8. Do not use any system's default passwords
9. Make passwords hard to guess by using 8-12 alphanumeric characters in combination with uppercase and lowercase letters, numbers, and symbols
10. Ensure that applications neither store passwords in memory nor write them to disk in clear text
11. Use a random string (salt) as a prefix or suffix with the password before hashing it
12. Enable SYSKEY with a strong password
13. Never use passwords such as date of birth, spouse's, child's or pet's name
14. Monitor the server's logs for brute-force attacks on the user accounts
15. Lock out an account subjected to too many incorrect password guesses

Privilege Escalation
- An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges
- The attacker performs a privilege escalation attack which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications
- These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.

Types of Privilege Escalation
- Vertical privilege escalation: refers to gaining higher privileges than the existing ones
- Horizontal privilege escalation: refers to acquiring the same level of privileges that has already been granted, but assuming the identity of another user with similar privileges
- Example: the attacker can access the network using a low-privileged user account but needs "Admin" privileges

Privilege Escalation Using DLL Hijacking
- Most Windows applications do not use the fully qualified path when loading an external DLL library; instead they search the directory from which they have been loaded first
- If attackers can place a malicious DLL in the application directory, it will be executed in place of the real DLL
- Sequence: the attacker places a malicious DLL in the application directory; the user runs the application; the application loads the malicious DLL instead of the real Windows DLL library required by the application

Resetting Passwords Using Command Prompt
- If the attacker succeeds in gaining administrative privileges, the passwords of any other non-administrative accounts can be reset
1. Open the command prompt, type the net user command and press Enter to list all the user accounts on the target system
2. Pick an account name from the list
3. Type net user <account name> * to reset the password for that specific account

Privilege Escalation Tool: Active@ Password Changer
- Active@ Password Changer resets local administrator and user passwords
- Features: recovers passwords from multiple partitions and hard disk drives; detects and displays all Microsoft Security Databases (SAM); displays full account information for any local user

Privilege Escalation Tools
- Offline NT Password & Registry Editor, Windows Password Reset Kit, Windows Password Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password Recovery Bootdisk, PasswordLastic, Stellar Phoenix Password Recovery, Windows Password Recovery Personal, Lazesoft Recover My Password

How to Defend Against Privilege Escalation
- Test operating system and application coding errors and bugs thoroughly
- Limit the scope of programming errors and bugs

Executing Applications
- Attackers execute malicious applications in this stage. This is called "owning" the system
- The attacker executes malicious programs remotely in the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture screenshots, install a backdoor to maintain easy access, etc.
- Applications executed: backdoors, crackers, keyloggers, spyware

Executing Applications: RemoteExec
- RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network
- It allows the attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders

Executing Applications: PDQ Deploy
- PDQ Deploy is a software deployment tool that allows admins to silently install almost any application or patch

Executing Applications: DameWare Remote Support
- DameWare Remote Support is a remote support tool; an attacker can likewise use it to execute applications on remote Windows systems

Keylogger
- Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, log them to a file, or transmit them to a remote location
- Legitimate applications for keyloggers include office and industrial settings, to monitor employees' computer activities, and home environments, where parents can monitor their children's activity
- A keylogger allows the attacker to gather confidential information about the victim such as email IDs, passwords, banking details, chat room activity, IRC, instant messages, etc.
- Physical keyloggers are placed between the keyboard hardware and the operating system; in the slide diagram the user types a password on the keyboard, the installed keylogger captures it, and only then does it reach the Windows kernel

Types of Keyloggers
- Hardware keyloggers: KeyGrabber, KeyGhost (with time/date stamping), KeyCobra (http://www.keycobra.com), KeyKatcher (http://keykatcher.com)

Keylogger: All In One Keylogger
- All In One Keylogger allows you to secretly track all activities from all computer users and automatically receive the logs at a desired email/FTP/LAN account

Keyloggers for Windows
- Ultimate Keylogger, Powered Keylogger, Advanced Keylogger, StaffCop Standard, The Best Keylogger, Spyrix Personal Monitor, SoftActivity Keylogger, PC Activity Monitor Standard, Elite Keylogger, KeyProwler, Keylogger Spy Monitor, Micro Keylogger, Spy Keylogger, Actual Keylogger, REFOG Personal Monitor, Revealer Keylogger, Spytector, Realtime-Spy, KidLogger, SpyBuddy 2013

Keylogger for Mac: Amac Keylogger for Mac (http://www.amackeylogger.com)
- Records keystrokes, captures screenshots and also sends all reports to the attacker
- Other Mac keyloggers: Aobo Mac OS X Keylogger, Perfect Keylogger for Mac, Award Keylogger for Mac, Aobo Mac Keylogger, REFOG Keylogger for MAC, KidLogger for MAC, MAC Log Manager, Elite Keylogger, Keyboard Spy Logger, FreeMacKeylogger

Spyware
- Spyware is a program that records the user's interaction with the computer and the Internet without the user's knowledge and sends the records to remote attackers
- Spyware hides its process, files, and other objects in order to avoid detection and removal
- It is similar to a Trojan horse, which is usually bundled as a hidden component of freeware programs that are available on the Internet for download
- It allows the attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.

Spyware Propagation
- Drive-by downloads
- Piggybacked software installation
- Masquerading
- Browser add-ons
- Web browser vulnerability exploits
- Web browser cookies

Spyware: Spytech SpyAgent (http://www.spytech-web.com)
- Spytech SpyAgent allows you to monitor everything users do on your computer
- It provides a large array of essential computer monitoring features, website, application, and chat client blocking, lockdown scheduling, and remote delivery of logs via email or FTP
- It sees all keystrokes users type, reveals all website visits, records online chat conversations, and logs every email they send and receive

Spyware: Power Spy 2014
- Power Spy secretly monitors and records all activities on your computer
- It records all Facebook use, keystrokes, emails, web sites visited, chats, and IMs in Windows Live Messenger, Skype, Yahoo Messenger, Tencent QQ, Google Talk, AOL Instant Messenger (AIM), and others

Desktop and Child Monitoring Spyware
- NetVizor, Activity Monitor, Remote Desktop Spy, Child Control 2014, Spector CNE Investigator, Net Nanny Home Suite, REFOG Employee Monitor, SoftActivity TS Monitor, Employee Desktop Live Viewer, SPECTOR PRO, eBLASTER, SSPro, iMonitor Employee Activity Monitor, Employee Monitoring, OsMonitor, Aobo Filter for PC, SentryPC, Personal Inspector, iProtectYou Pro, Spytech SentryPC

USB Spyware: USBSpy
- USBSpy lets you capture, display, record, and analyze the data that is transferred between any USB device connected to the PC and applications

Audio Spyware: Spy Voice Recorder and Sound Snooper
- Spy Voice Recorder records voice chat messages of instant messengers, including MSN voice chat, Skype voice chat, Yahoo! Messenger voice chat, ICQ voice chat, QQ voice chat, etc.
- Sound Snooper: voice-activated recording; stores records in any sound format; conference recordings; radio broadcast logging

Video Spyware: WebCam Recorder
- WebCam Recorder records anything such as webcam video, an auto-detected or selected window, or the desktop as displayed

Cellphone Spyware: Mobile Spy
- Mobile Spy records GPS locations and every SMS, and logs every call including phone numbers with durations; afterwards you can view the real-time results in your private online account
- Other telephone/cellphone spyware: VRS Recording System, FlexiSPY, Modem Spy, SpyBubble, MobiStealth Cell Phone Spy, MOBILE SPY, SPYPhone GOLD, StealthGenie, SpyPhoneTap, mSpy

GPS Spyware: SPYPhone
- SPYPhone software has the ability to send events (captured data) from the target phone to a web account via Wi-Fi, 3G, GPRS, or SMS
- Features: call interception, contact list, Cell ID tracking, call history
- Other GPS spyware: EasyGPS, FlexiSPY, GPS TrackMaker Professional, MOBILE SPY, World-Tracker, ALL-in-ONE Spy, Trackstick, Mobistealth Pro, mSpy

How to Defend Against Keyloggers
- Install anti-spyware/antivirus programs and keep the signatures up to date
- Use a pop-up blocker
- Install good professional firewall software and anti-keylogging software
- Recognize phishing emails and delete them
- Choose new passwords for different online accounts and change them frequently
- Avoid opening junk emails
- Do not click on links in unwanted or doubtful emails that may point to malicious sites
- Use keystroke interference software, which inserts randomized characters into every keystroke
- Scan the files before installing them on the computer and use a registry editor or process explorer to check for keystroke loggers
- Keep your hardware systems secure in a locked environment and frequently check the keyboard cables for attached connectors
- Use the Windows on-screen keyboard accessibility utility to enter the password or any other confidential information
- Use software that frequently scans and monitors the changes in the system or network

Hardware Keylogger Countermeasures
- Restrict physical access to sensitive computer systems
- Periodically check whether there is any hardware device connected to the computer
- Use encryption between the keyboard and its driver
- Use an anti-keylogger that detects the presence of a hardware keylogger, such as Oxynger KeyShield

Anti-Keylogger: Zemana AntiLogger (http://www.zemana.com)
- Zemana AntiLogger eliminates threats from keyloggers, SSL banker Trojans, spyware, and more
- Features: SSL logger protection, webcam logger protection, key logger protection, clipboard logger protection, screen logger protection
- Other anti-keyloggers: Anti-Keylogger, PrivacyKeyboard, DefenseWall HIPS, KeyScrambler, I Hate Keyloggers, SpyShelter STOP-LOGGER, GuardedID, Elite Anti Keylogger, CoDefender

How to Defend Against Spyware
- Try to avoid using any computer system which is not totally under your control
- Adjust browser security settings to medium or higher for the Internet zone
- Be cautious about suspicious emails and sites
- Enhance the security level of the computer
- Update the software regularly and use a firewall with outbound protection
- Regularly check the task manager report and the MS configuration manager report
- Update virus definition files and scan the system for spyware regularly
- Install and use anti-spyware software
- Perform web surfing safely and download cautiously
- Do not use administrative mode unless it is necessary
- Do not use public computers for banking and other sensitive activities
- Do not download free music files, screensavers, or smiley faces from the Internet
- Beware of pop-up windows or web pages; never click anywhere on these windows
- Carefully read all disclosures, including the license agreement and privacy statement, before installing any application
- Do not store personal information on any computer system that is not totally under your control

Anti-Spyware
- Identifies potentially unwanted programs and securely removes them
- Detects and removes spyware, adware, malware, Trojans, dialers, worms, keyloggers, hijackers, parasites, rootkits, rogue security products and many other types of threats
- Tools: XoftSpySE Anti-Spyware, Spyware Terminator 2012, Ad-Aware Free Antivirus+, Norton Internet Security, SpyHunter, Kaspersky Internet Security 2014, SecureAnywhere Complete 2012, MacScan, Spybot - Search & Destroy, Malwarebytes Anti-Malware PRO

Hiding Files: Rootkits
- Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time and also in the future
- Rootkits replace certain operating system calls and utilities with their own modified versions of those routines that in turn undermine the security of the target system, causing malicious functions to be executed
- A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
- The attacker places a rootkit by: scanning for vulnerable computers and servers on the web; wrapping it in a special package like games; installing it on public computers or corporate computers through social engineering; launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)
- Objectives of a rootkit: to root the host system and gain remote backdoor access; to mask the attacker's tracks and the presence of malicious applications or processes; to gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access; to store other malicious programs on the system and act as a server resource for bot updates

Types of Rootkits
- Hypervisor level rootkit: acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine
- Hardware/firmware rootkit: hides in hardware devices or platform firmware which is not inspected for code integrity
- Kernel level rootkit: adds malicious code or replaces original OS kernel and device driver code
- Boot loader level rootkit: replaces the original boot loader with one controlled by a remote attacker
- Application level rootkit: replaces regular application binaries with fake Trojans, or modifies the behavior of existing applications by injecting malicious code
- Library level rootkit: replaces original system calls with fake ones to hide information about the attacker

How a Rootkit Works (slide diagram)
- The diagram shows the kernel's process list: each process entry carries a unique process ID and an ActiveProcessLinks LIST_ENTRY with FLINK and BLINK pointers; a kernel-mode rootkit hides a process by unlinking its entry from this list, so that process enumeration in user mode and kernel mode no longer sees it

Rootkit: Necurs
- Necurs contains backdoor functionality, allowing remote access and control of the infected computer
- It monitors and filters network activity and has been observed to send spam and install rogue security software
- It enables further compromise by providing additional functionality to the attacker (the slide shows a disassembly excerpt of the rootkit)

Rootkit: Azazel
- Azazel is a userland rootkit based off the original LD_PRELOAD technique from the Jynx rootkit
- Features: anti-debugging; avoids unhide, lsof, ps, ldd detection; hides files, directories, and remote connections; PCAP hooks avoid local sniffing; PAM backdoor for local and remote entry; hides processes and logins; log cleanup for utmp/wtmp entries; uses xor to obfuscate static strings

Rootkit: ZeroAccess
- ZeroAccess is a kernel-mode rootkit capable of infecting both 32-bit and 64-bit Windows from a single installer; it employs its kernel-mode component and acts as a sophisticated delivery platform for other malware
- The payload of ZeroAccess downloads further files onto the infected system

Detecting Rootkits
- Integrity-based detection: compares a snapshot of the file system, boot records, or memory with a known trusted baseline
- Signature-based detection: compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints
- Heuristic/behavior-based detection: any deviations in the system's normal activity or behavior may indicate the presence of a rootkit
- Runtime execution path profiling: compares the runtime execution paths of all system processes and executable files before and after the rootkit infection
- Cross-view-based detection: enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to a data set generated by an algorithm that does not rely on the common APIs; any discrepancies between these two data sets indicate the presence of a rootkit

Steps for Detecting Rootkits
1. Run the directory-listing commands inside the potentially infected OS and save the results
2. Boot into a clean CD, run the same commands on the same drive and save the results
3. Compare the two sets of results to reveal files hidden from the running OS

How to Defend against Rootkits
- Reinstall the OS and applications from a trusted source after backing up the critical data
- Educate staff not to download any files/programs from untrusted sources
- Harden the workstation or server against the attack
- Update and patch operating systems and applications
- Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies
- Update antivirus and anti-spyware software regularly
- Avoid logging in to an account with administrative privileges
- Adhere to the least privilege principle
- Ensure the chosen antivirus software possesses rootkit protection
- Do not install unnecessary applications and also disable the features and services not in use

Anti-Rootkit Tools
- Sophos Virus Removal Tool, Hypersight Rootkit Detector, Avira Free Antivirus, SanityCheck, GMER, Rootkit Buster, F-Secure Anti-Virus, WinDetect, TDSSKiller, Prevx
