Ethical Hacking and Countermeasures
Module 05: System Hacking
EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
IEEE Hack Confirmed, 100k Plain Text Passwords Vulnerable
Source: http://www.kitguru.net
After details were revealed by Radu Dragusin over at IEEElog.com recently that
passwords and user details for some 100,000 members of the Institute of Electrical and
Electronics Engineers had been made publicly available on the company's FTP
server for at least a month, the organization confirmed this in a communication to
members, advising them to change their details immediately.
The IEEE is an organization that is designed to advance technology and has over
passwords. This matter has been addressed and resolved. None of your financial
information was made accessible in this situation."
The company continued saying, though, that it was technically possible that during the
time this information was available someone could have used it to access a
user's account and therefore, as a "precautionary measure," the IEEE recommended
all users change their account information. Until that time, users were not able to
access their account at all.
In what seems like quite a bold move, the organization went on to explain to users that
one of the best ways to protect themselves is to use a strong, unique password for
their login. Considering it was an IEEE security blunder that caused the hack,
advising other people on password strength seems a bit hypocritical.
That said, in Mr Dragusin's reveal of the hacked information, he produced a graph
detailing some of the most commonly used passwords. Almost 300 people used
"123456" and other variations of numbers in that same configuration, while hundreds
of others used passwords like "admin," "student," and "ieee2012." Considering the
involvement of IEEE members in pushing the boundaries of current technology, you'd
assume we wouldn't need to turn to Eugene "The Plague" Belford to explain the
importance of password security.
http://www.kitguru.net/channel/ion-martindale/ieee-hack-confirmed-100kplain-textpasswords-vulnerable/
Module Objectives
The preceding modules dealt with the progressive intrusion that an attacker makes towards his or her target system(s). You should bear in mind that this does not indicate a culmination of the attack. This module familiarizes you with:
- System Hacking: Goals
- CEH Hacking Methodology (CHM)
- Password Cracking
- Microsoft Authentication
- How to Disable LM HASH
- Privilege Escalation
- Executing Applications
- Keyloggers
- Spywares
- Detecting Rootkits
- Anti-Rootkits
- Steganography
- Classification of Steganography
- Steganalysis Methods/Attacks
- Covering Tracks
- Penetration Testing
Figure: CEH Hacking Methodology (CHM) overview. Footprinting module: IP range, namespace, employee web usage. Scanning module: target assessment, identification of systems and services. Enumeration module: intrusive probing, user lists, security flaws.
Footprinting Module
Footprinting is the process of accumulating data regarding a specific
network environment. Usually this technique is applied for the purpose of finding
ways to intrude into the network environment. Since footprinting can be used to attack a
system, it can also be used to protect it. In the footprinting phase, the attacker creates a
profile of the target organization, with the information such as its IP address range,
namespace, and employee web usage.
Footprinting improves the ease with which systems can be exploited by revealing
system vulnerabilities. Determining the objective and location of an intrusion is the
primary step in footprinting. Once the objective and location of an intrusion are
known, specific information about the organization can be gathered using nonintrusive methods.
For example, the web page of the organization itself may provide employee bios or a
personnel directory, which the hacker can use for social engineering to reach
the objective. Conducting a Whois query on the web provides the networks and
domain names associated with a specific organization.
Scanning Module
Scanning is a procedure for identifying active hosts on a network, either
for the purpose of network security assessment or for attacking them. In the
scanning phase, the attacker gathers information about the target through the
IP addresses that can be accessed over the Internet. Scanning is mainly concerned with
the identification of systems on a network and the identification of services running on
each computer.
Some scanning procedures, such as port scans and ping sweeps, return information
about the services offered by the live hosts that are active on the Internet and their IP
addresses. The inverse mapping scanning procedure returns information about
the IP addresses that do not map to live hosts; this allows an attacker to make
suppositions about feasible addresses.
Enumeration Module
Enumeration is the method of intrusive probing into the target
through which attackers gather information such as network user lists, routing tables,
and Simple Network Management Protocol (SNMP) data. This is significant because
the attacker crosses over into the target territory to unearth information about the network:
shares, users, groups, applications, and banners.
The attacker's objective is to identify valid user accounts or groups where he or she can
remain inconspicuous once the system has been compromised. Enumeration involves
making active connections to the target system or subjecting it to direct queries.
Normally, an alert and secure system will log such attempts. Often the information
gathered is what the target might have made public, such as a DNS address; however,
it is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in
Windows, that can be probed with a null session, allowing shares and accounts to be
enumerated.
Hacking Stage          | Goal                                                              | Technique/Exploit Used
Gaining Access         | To collect enough information to gain access                      | Password eavesdropping, brute forcing
Escalating Privileges  | To create a privileged user account if the user level is obtained | Password cracking, known exploits
Executing Applications | To create and maintain backdoor access                            | Trojans
Hiding Files           | To hide malicious files                                           | Rootkits
Covering Tracks        |                                                                   | Clearing logs
Cracking Passwords
Escalating Privileges
Executing Applications
Hiding Files
Covering Tracks
Penetration Testing

This section describes the first step, password cracking: how an attacker cracks the password of the target system and what types of tools and techniques are used to do so.
Password Cracking
Password cracking techniques are used to recover passwords from computer systems.
Password cracking is the process of recovering passwords from data that
has been transmitted by a computer system or stored in it. The purpose of password
cracking might be to help a user recover a forgotten or lost password, to let system
administrators check preventively for easily crackable passwords, or to gain
unauthorized access to a system.
Many hacking attempts start with password cracking attempts. Passwords are the key
piece of information necessary to access a system. Consequently, most attackers use
password cracking techniques to gain unauthorized access to the vulnerable system.
Passwords may be cracked manually or with automated tools such as the dictionary or
brute-force method.
The effectiveness of programs designed for cracking passwords is a function
of the number of candidate passwords per second they can check. Often, when
creating passwords, users select passwords that are predisposed to being cracked, such
as a pet's name or something simple so they can remember it. Most
password cracking techniques succeed because of weak or easily guessable
passwords.
Password Complexity
Password complexity plays a key role in improving security against attacks. It is the important element that users should ensure when creating a password. The password should not be simple, since simple passwords are prone to attacks. The passwords that you choose should always be complex, long, and difficult to remember. The password that you set for your account must meet the complexity requirements policy setting.
- Passwords that contain only letters: POTHMYDE
- Passwords that contain only numbers: 23698217
- Passwords that contain only special characters: &*#@!(%)
- Passwords that contain letters and numbers: meet123
- Passwords that contain only letters and special characters: bob&ba
- Passwords that contain only special characters and numbers
- Passwords that contain letters, numbers, and special characters: ap1@52
Password Cracking Techniques
Dictionary Attack
Brute Forcing Attack: the program tries every combination of characters until the password is broken.
Hybrid Attack: works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary.
Syllable Attack: the combination of both brute force attack and the dictionary attack.
Rule-based Attack
Dictionary Attacks
In a dictionary attack, a dictionary file is loaded into the cracking application
that runs against user accounts. This dictionary is a text file that contains a number of
dictionary words. The program uses every word present in the dictionary to find the
password. Dictionary attacks are more useful than brute force attacks, but this attack
does not work against a system that uses passphrases.
This attack can be applied in two situations:
- In cryptanalysis, it is used to find the decryption key for obtaining plaintext from ciphertext.
- In computer security, it is used to bypass authentication and access the computer by guessing passwords.
Hybrid Attack
This type of attack depends upon the dictionary attack. There are chances that
people might change their password by just adding some numbers to their old password.
In this type of attack, the program adds some numbers and symbols to the words from
the dictionary and tries to crack the password. For example, if the old password is
"system," then there is a chance that the person will change it to "system1" or
"system2."
Syllable Attack
A syllable attack is the combination of both a brute force attack and the
dictionary attack. This cracking technique is used when the password is not an existing
word. Attackers use the dictionary and other methods to crack it. It also uses the possible
combination of every word present in the dictionary.
Rule-based Attack
This type of attack is used when the attacker gets some information
about the password. This is the most powerful attack because the cracker knows the
type of password. For example, if the attacker knows that the password contains a
two- or three-digit number, then he or she will use some specific techniques and
extract the password in less time.
By obtaining useful information such as use of numbers, the length of password, and
special characters, the attacker can easily adjust the time for retrieving the password to
the minimum and enhance the cracking tool to retrieve passwords. This technique
involves brute force, dictionary, and syllable attacks.
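As an added example (not part of the courseware), the following Python puts numbers on the complexity categories and the dictionary, hybrid and rule-based attacks described above: it estimates the search space an attacker must cover for each of the page's sample passwords, and shows how a dictionary-word-plus-suffix password collapses from its brute-force keyspace to a small hybrid keyspace. The mini wordlist, the "up to four appended digits or symbols" hybrid rule, the 10^9 guesses-per-second rate and the 3-of-4-classes policy are assumptions chosen for illustration.

```python
import string
from typing import Optional

# Constructed mini wordlist standing in for a real cracking dictionary (assumption).
DICTIONARY = {"system", "meet", "password", "admin", "student", "bob", "ieee"}

# The character classes the page's password categories are built from.
CLASSES = {
    "letters": string.ascii_letters,
    "numbers": string.digits,
    "special characters": string.punctuation,
}

# Hybrid-attack rule assumed here: a dictionary word followed by up to four
# digits or symbols (the page's "system" -> "system1", "system2" pattern).
HYBRID_TAIL = string.digits + string.punctuation
HYBRID_MAX_SUFFIX = 4


def classes_used(pw: str) -> list:
    """Which of the page's character classes the password draws from."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]


def brute_force_keyspace(pw: str) -> int:
    """Candidates a brute-force run must cover if it knows only the classes
    in use and the length: |alphabet| ** len(pw)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def hybrid_keyspace(pw: str) -> Optional[int]:
    """Candidates a hybrid (dictionary word + suffix) attack must cover, or
    None if the password does not have that word-plus-suffix structure."""
    for cut in range(len(pw), 0, -1):
        word, suffix = pw[:cut], pw[cut:]
        if (word.lower() in DICTIONARY
                and len(suffix) <= HYBRID_MAX_SUFFIX
                and all(c in HYBRID_TAIL for c in suffix)):
            # every word x every suffix of length 0..HYBRID_MAX_SUFFIX
            suffixes = sum(len(HYBRID_TAIL) ** k
                           for k in range(HYBRID_MAX_SUFFIX + 1))
            return len(DICTIONARY) * suffixes
    return None


def meets_policy(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Complexity policy assumed for illustration: a minimum length and at
    least `min_classes` of the four groups (upper, lower, digit, symbol)."""
    groups = (string.ascii_uppercase, string.ascii_lowercase,
              string.digits, string.punctuation)
    used = sum(any(c in g for c in pw) for g in groups)
    return len(pw) >= min_len and used >= min_classes


def assess(pw: str, guesses_per_second: float = 1e9) -> dict:
    """The effective search size is the smallest attack that applies: a
    dictionary-based password falls to the hybrid rule long before its
    brute-force keyspace is exhausted (the rule-based attacker's advantage)."""
    brute = brute_force_keyspace(pw)
    hybrid = hybrid_keyspace(pw)
    effective = min(brute, hybrid) if hybrid is not None else brute
    return {
        "classes": classes_used(pw),
        "brute_force": brute,
        "hybrid": hybrid,
        "effective": effective,
        "seconds_at_rate": effective / guesses_per_second,
        "meets_policy": meets_policy(pw),
    }


if __name__ == "__main__":
    # The page's own sample passwords, one per category, plus the hybrid example.
    for sample in ["POTHMYDE", "23698217", "&*#@!(%)", "meet123",
                   "bob&ba", "ap1@52", "system1"]:
        r = assess(sample)
        print(f"{sample:10} {'+'.join(r['classes']):35} "
              f"brute={r['brute_force']:.2e} effective={r['effective']:.2e} "
              f"policy={r['meets_policy']}")
```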
Types of Password Attacks
1. Passive Online Attacks: Wire Sniffing, Man-in-the-Middle, Replay. The attacker performs password hacking without communicating with the authorizing party.
2. Active Online Attacks: Password Guessing, Trojan/Spyware/Keylogger, Hash Injection, Phishing.
3. Offline Attacks: Pre-Computed Hashes, Distributed Network, Rainbow. The attacker works on his own system at a different location.
4. Non-Electronic Attacks: Shoulder Surfing, Social Engineering, Dumpster Diving.
Offline Attacks
Offline attacks occur when the intruder checks the validity of the passwords.
He or she observes how the password is stored in the targeted system. If the user
names and the passwords are stored in a file that is readable, it becomes easy for the
intruder to gain access to the system. In order to protect your password list, it
should always be kept in an unreadable form, which means the passwords have to be encrypted.
Offline attacks are often time consuming. They are successful because LM
hashes are vulnerable due to a smaller keyspace and shorter length. Different
password cracking techniques are available on the Internet.
The offline attack techniques are:
- Distributed network
- Rainbow
Non-electronic Attacks
Non-electronic attacks are also known as non-technical attacks. This kind of
attack doesn't require any technical knowledge about the methods of intruding into
another's system. Therefore, it is called a non-electronic attack. There are three types of
non-electronic attacks:
- Shoulder surfing
- Social engineering
- Dumpster diving
Passive Online Attack: Wire Sniffing
Considerations: computationally complex.
share on the LAN. Any data sent across the LAN is actually sent to each and every
machine connected to the LAN. If an attacker runs a sniffer on one system on the LAN,
he or she can gather data sent to and from any other system on the LAN. The majority of
sniffer tools are ideally suited to sniff data in a hub environment. These tools are called
passive sniffers as they passively wait for data to be sent, before capturing the
information. They are efficient at imperceptibly gathering data from the LAN. The
captured data may include passwords sent to remote systems during Telnet, FTP, rlogin
sessions, and electronic mail sent and received. Sniffed credentials are used to gain
unauthorized access to the target system. There are a variety of tools available on the
Internet for passive wire sniffing.
Passive Online Attack: Man-in-the-Middle and Replay Attack
Considerations: the attacker must gain access to the communication channels; a sniffer is used; the attack is relatively hard to perpetrate; the attacker must be trusted by one or both sides.
In a replay attack, packets and authentication tokens are captured using a sniffer. After
the relevant information is extracted, the packets are placed back on the network. This type of
attack can be used to replay bank transactions or other similar types of data transfer in
the hope of replicating or changing activities, such as deposits or transfers.
FIGURE 5.4: Passive Online Attack by Using Man-in-the-Middle and Replay Attack
Active Online Attack: Password Guessing
Considerations: time consuming; requires huge amounts of network bandwidth; easily detected.
FIGURE 5.5: Active Online Attack by Using Password Guessing Method
Active Online Attack: Trojan/Spyware/Keylogger
A keylogger is a program that records all the keystrokes that are typed on the
computer keyboard without the knowledge of the user. Once keystrokes are logged,
they are shipped to the attacker, or hidden in the machine for later retrieval. The
attacker then scrutinizes them carefully for the purpose of finding passwords or other
useful information that could be used to compromise the system.
For example, a keylogger is capable of revealing the contents of all emails composed
by the user of the computer system on which the keylogger has been installed.
Offline Attack: Pre-Computed Hashes
Convert huge word lists like dictionary files and brute force lists into password hashes using techniques such as rainbow tables. It is easy to recover passwords by comparing captured password hashes to the precomputed tables.
Offline attacks occur when the intruder checks the validity of the passwords.
He or she observes how the password is stored. If the user names and the passwords
are stored in a file that is readable, it becomes easy for him or her to gain access to
the system. Hence, the passwords list must be protected and kept in an unreadable form,
such as an encrypted form.
Offline attacks are time consuming. They are successful because the LM hashes are
vulnerable due to smaller keyspace and shorter length. Different password cracking
techniques are available on the Internet.
There are two types of offline attacks that an attacker can perform to discover the
password:
- Rainbow attacks
- Distributed network attacks
Rainbow Attacks
A rainbow attack is the implementation of the cryptanalytic time-memory trade-off
technique. Cryptanalytic time-memory trade-off is the method that requires less time
for cryptanalysis. It uses already calculated information stored in the memory to crack
the cryptography. In the
by
EC-Council
All Rights Reserved. Reproduction is Strictly
Prohibited.
rainbow attack, the same technique is used; the password hash table is created in
advance and stored into the memory. Such a table is called a "rainbow table."
Rainbow Table
A rainbow table is a lookup table specially used in recovering the plaintext
password from a ciphertext. The attacker uses this table to look for the password and
tries to recover the password from password hashes.
Computed Hashes
An attacker computes the hash for a list of possible passwords and compares
it with the pre-computed hash table (rainbow table). If a match is found, the
password is cracked.
Pre-Computed Hashes
Only encrypted passwords should be stored in a file containing user
name/encrypted password pairs. During the logon process the typed password is encrypted
using the cryptographic hash function, and the result is then compared with the
password that is stored in the file.
Stored encrypted passwords can prove useless against dictionary attacks. If
the file that contains the encrypted passwords is in a readable format, the attacker can
easily determine the hash function. He or she can then hash each word in the dictionary
using the same function and compare the result with the encrypted passwords. Thus the
attacker obtains all passwords that are words listed in the dictionary.
Storage of hashes requires a large memory space: LM "hashes" require 310
Terabytes and NT hashes of fewer than 15 characters require 5,652,897,009 Exabytes. A time-space
tradeoff technique is used to reduce the memory space required to store hashes.
Figure: sample plaintexts (1qazwed, hh021da, 9da8dasf, sodifo8sf) mapped to their precomputed hashes.
Tools to Create Rainbow Tables: Winrtgen and rtgen

Winrtgen
Source: http://www.oxid.it
Winrtgen is a graphical rainbow tables generator that helps attackers create
rainbow tables from which they can crack hashed passwords. It supports LM, FastLM,
NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5,
Figure: Winrtgen Rainbow Table properties dialog (hash, min len, max len, index, chain len, chain count, number of tables, charset; table properties: key space; benchmark: hash speed, step speed, table precomputation time, total precomputation time, max cryptanalysis time).
rtgen
Source: http://project-rainbowcrack.com
RainbowCrack is a general purpose implementation that takes advantage of the time-memory trade-off technique to crack hashes. This project allows you to crack a
hashed password. The rtgen tool of this project is used to generate the rainbow tables.
The rtgen program needs several parameters to generate a rainbow table; you can use the
following command-line syntax to generate rainbow tables:
Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
FIGURE 5.8: rtgen generating a rainbow table in Windows. The command shown is rtgen ntlm loweralpha 1 7 0 1000 4000000 0, and rtgen echoes the resulting parameters: hash algorithm ntlm, hash length 16, charset name loweralpha, charset abcdefghijklmnopqrstuvwxyz (hex 61..7a), charset length 26, plaintext length range 1-7, plaintext total 8353082582, output file ntlm_loweralpha#1-7_0_1000x4000000_0.rt.
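The time-memory trade-off behind rainbow tables, and the meaning of rtgen's chain_len and chain_num parameters, as an added Python illustration (not code from the courseware or from RainbowCrack): a toy table over a three-letter lowercase keyspace, with unsalted MD5 standing in for the LM/NTLM hash, CHAIN_LEN and CHAIN_COUNT playing the roles of chain_len and chain_num, and a column-dependent reduction function that is assumed for this example. The salted lookup at the end shows why per-user salting defeats any precomputed table.

```python
import hashlib
import random
import string

# Toy parameters: a 3-character lowercase keyspace (26**3 = 17,576 candidates),
# far smaller than anything real, so the table builds in about a second.
CHARSET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 200      # rtgen's chain_len: hash steps per chain (the "time" side)
CHAIN_COUNT = 1500   # rtgen's chain_num: chains stored (the "memory" side)


def index_to_pw(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a candidate password (mixed radix)."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def H(pw: str) -> str:
    """Unsalted hash (MD5 here) standing in for the LM/NTLM hash on the page."""
    return hashlib.md5(pw.encode()).hexdigest()


def R(h: str, col: int) -> str:
    """Reduction function (assumed form): fold a hash back into the keyspace.
    Mixing in the column index is what makes this a rainbow table rather than
    a plain Hellman table: chains that collide in different columns do not merge."""
    n = (int(h[:16], 16) + col) % KEYSPACE
    return index_to_pw(n)


def build_table(seed: int = 1) -> dict:
    """Precompute CHAIN_COUNT chains of CHAIN_LEN steps; store only endpoint -> start.
    Only the two ends are kept, which is the memory saving; the middle is
    regenerated on demand, which is the time cost."""
    rng = random.Random(seed)
    table = {}
    for _ in range(CHAIN_COUNT):
        start = index_to_pw(rng.randrange(KEYSPACE))
        pw = start
        for col in range(CHAIN_LEN):
            pw = R(H(pw), col)
        table[pw] = start          # endpoint collision: the later chain wins
    return table


def lookup(table: dict, target: str):
    """Recover a plaintext whose hash is `target` (hex digest), or None."""
    # Assume the target sits at column c of some chain; regenerate the rest
    # of that chain and check whether its endpoint is one we stored.
    for c in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, c)
        for col in range(c + 1, CHAIN_LEN):
            pw = R(H(pw), col)
        start = table.get(pw)
        if start is None:
            continue
        # Walk the stored chain from its start.  A false alarm (a chain that
        # merged into the same endpoint) fails this check and we keep trying.
        pw = start
        for col in range(CHAIN_LEN):
            if H(pw) == target:
                return pw
            pw = R(H(pw), col)
    return None


def covered_plaintext(table: dict, steps: int = 5) -> str:
    """A plaintext known to lie in the table: `steps` positions along one chain."""
    pw = next(iter(table.values()))
    for col in range(steps):
        pw = R(H(pw), col)
    return pw


def salted_hash(pw: str, salt: str) -> str:
    """Per-user salt (value constructed here): the same password now hashes to
    a value no unsalted table was built for, which is the defensive point."""
    return hashlib.md5((salt + pw).encode()).hexdigest()


if __name__ == "__main__":
    table = build_table()
    pw = covered_plaintext(table)
    print("stored chains:", len(table), "of", CHAIN_COUNT)
    print("unsalted hash of", pw, "->", lookup(table, H(pw)))
    print("salted hash of  ", pw, "->", lookup(table, salted_hash(pw, "s9")))
```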
Distributed Network Attack
A Distributed Network Attack (DNA) technique is used for recovering password-protected files using the unused processing power of machines across the network to decrypt passwords. In this attack, a DNA manager is installed in a central location where machines running DNA clients can access it over the network. The DNA manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network. The program combines the processing capabilities of all the clients connected to the network and uses it to perform a key search to decrypt them.
Network Management
The Network Traffic application in Windows is used for the purpose of
network management. The Network Traffic dialog box is used to find out the network
speed that DNA uses and each work unit length of the DNA client. Using the work unit
length, a DNA client can work without contacting the DNA server. The DNA client
application has the ability to contact the DNA server at the beginning and ending of the
work unit length.
The user can monitor the job status queue and the DNA. When the data is collected
from the Network Traffic dialog box, modification to the client work unit can be made.
When the size of the work unit length increases, the speed of the network traffic
decreases. If the traffic has been decreased, the client work on the jobs would require a
longer amount of time. Therefore, fewer requests to the server can be made due to the
reduction in the bandwidth of network traffic.
Elcomsoft Distributed Password Recovery
Source: http://www.elcomsoft.com
Features: install and remove password recovery clients remotely on any networked PC.
Non-Electronic Attacks
Shoulder Surfing: looking at either the user's keyboard or screen while he/she is logging in.
Social Engineering: convincing people to reveal confidential information.

Non-electronic attacks are also termed non-technical attacks. This kind of
attack doesn't require any technical knowledge about the methods of intruding
into another's system. Therefore, it is named a non-electronic attack. There are four
types of non-electronic attacks: social engineering, shoulder surfing, keyboard
sniffing, and dumpster diving.
Dumpster Diving
Because security was laxer than it is today, dumpster diving was quite popular
in the 1980s. The term "dumpster diving" refers to any useful, general information that
is found and taken from areas where it has been discarded. These areas include
trash cans, curbside containers, dumpsters, and the like, from which the information
can be obtained for free. Curious and/or malicious attackers may find password files,
manuals, sensitive documents, reports, receipts, credit card numbers, or diskettes that
have been thrown away.
Simply, the examination of waste products that have been dumped into the dumpster
areas may be helpful to attackers, and there is ample information to support this
concept. Such useful information was dumped with no thought to whose hands it may
end up in. This data can be utilized by the attackers to gain unauthorized access on
others' computer systems, or the objects found can prompt other types of attacks such
as those based on social engineering.
Shoulder Surfing
Social Engineering
In computer security, social engineering is the term for a non-technical
kind of intrusion. Typically, it relies heavily on human interaction and often
involves tricking other people into breaking normal security procedures. A social
engineer runs a "con game" to break the security procedures. For example, an attacker
using social engineering to break into a computer network would try to gain the trust
of someone who is authorized to access the network, and then try to extract the
information that compromises the network's security.
Keyboard Sniffing
Keyboard sniffing captures the password as the target types it, by recording the
keystrokes with a keylogger.
Default Passwords
A default password is a password supplied by the manufacturer with new equipment that is password protected. Online tools to search default passwords: http://www.defaultpassword.us, http://securityoverride.org, http://www.routerpasswords.com, http://www.virus.org
Default Passwords
Source: http://securityoverride.org
Default passwords are passwords supplied by manufacturers with new equipment.
Usually the default password provided by the manufacturer for a password-protected
device allows the device to be accessed during its initial setup. Online tools that can
be used to search for default passwords include:
- http://cirt.net
- http://default-password.info
- http://www.defaultpassword.us
- http://www.passwordsdatabase.com
- https://w3dt.net
- http://www.virus.org
- http://opensez.me
- http://securityoverride.org
- http://www.routerpasswords.com
- http://www.fortypoundhead.com
by
EC-Council
All Rights Reserved. Reproduction is Strictly
Prohibited.
[Table: vendor default credentials with columns Vendor, Model, Version, Access Type, User name, Password. Vendors shown are 3COM (CoreBuilder 7000/6000/3500/2500, SuperStack II Switch 2200/2700, OfficeConnect 812 ADSL, HiPerARC v4.1.x, LANplex 2500, LinkSwitch 2000/2700, NetBuilder, Office Connect ISDN Routers 5x0) and Huawei (E960); access types are Telnet, SNMP and Multi.]
TABLE 5.1: Online Tools To Search Default Password
[Figure: manual password cracking (guessing). Frequency of attacks is high; success rate is less. Steps: find a valid user; create a list of possible passwords; rank the passwords from high probability to low; key in each password until the correct password is discovered.]
Sample contents of credentials.txt (user name followed by password):
administrator ""
administrator password
administrator administrator
administrator [Etc.]
From a directory that can access the text file, the command is typed as follows:
c:\>FOR /F "tokens=1,2*" %i in (credentials.txt)^
do net use \\victim.com\IPC$ %j /u:victim.com\%i^
2>>nul^
&& echo %time% %date% >> outfile.txt^
&& echo \\victim.com acct: %i pass: %j >> outfile.txt
c:\>type outfile.txt
The outfile.txt contains the correct user name and password if a user name and password pair in credentials.txt is correct. An open session can then be established with the victim server from the attacker's system.
Automatic Password Cracking Algorithm
[Figure: automatic password cracking. Steps: find a valid user; find the encryption algorithm used; obtain the encrypted passwords; create a list of possible passwords; encrypt each word; check for a match.]
In its simplest form, automation of password cracking should include the following steps: find a valid user, find the particular encryption algorithm used, obtain the encrypted passwords, create a list of possible passwords, encrypt each word, and check for a match for each user ID known. This process is repeated until the desired results are obtained or all options are exhausted. There are password lists that can be fed to these crackers to carry out a dictionary attack.
Rather than a manual attack, attackers automate the process. There are several free programs that can assist in this effort; some of these free programs are Legion, Jack the Ripper, NetBIOS Auditing Tool, and L0phtCrack. Automation can also be a simple loop using the NT/2000 shell FOR command. All the attacker has to do is create a simple user name and password file. He or she can then reference this file within a FOR command:
C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %j /u:%i
A dictionary attack feeds a word list to the cracking program and runs it against user accounts that the application locates. Dictionary attacks are more effective with long words.
The brute force method is the most inclusive, although slow. Usually it tries every possible letter and number combination in its automated exploration.
Countermeasures start with users choosing strong passwords for their accounts.
Stealing Passwords Using USB Drive
[Figure: the attacker downloads PassView, a password hacking tool, copies the downloaded files to the USB drive, creates autorun.inf on the USB drive ([autorun] / open=launch.bat) and inserts the drive; the autorun window pops up (if enabled), PassView is executed in the background (pspv.exe /stext pspv.txt), and the passwords are extracted.]
them. One can try recovering them automatically using a USB drive. This requires plugging the USB drive into any port of the computer on which the passwords have been stored. This trick is applicable to Windows XP, Windows 7, Windows Vista, and Windows 2000. All the applications included are portable and light enough that they can be downloaded to the USB disk in a few seconds. You can also hack stored Messenger passwords. Using tools and a USB pendrive you can create a rootkit to hack passwords from the target computer.
Stealing passwords using a USB device is carried out with the help of the following steps:
1. You need a password hacking tool.
2. Copy the downloaded .exe files of the password hacking tools to the USB drive.
3. Create a Notepad document and put the following content in it:
[autorun]
open=launch.bat
After writing this content into Notepad, save the document as autorun.inf and copy this file to the USB drive.
4.
5. Insert the USB drive; the autorun window pops up (if enabled).
6. The password-hacking tool is executed in the background and the passwords are stored in .TXT files on the USB drive.
In this way, you can create your own USB password recovery toolkit and use it to steal the stored passwords of your friends or colleagues without the knowledge of the person. This process takes only a few seconds to retrieve passwords.
Stealing Passwords Using Keyloggers
Keyloggers provide the easiest and most effective means of stealing all of a victim's user names and passwords.
[Figure: the attacker infects the victim's local PC with a software keylogger; the keylogger sends the login credentials to the hacker; Victim; Domain Server.]
malware. Keyloggers can expose all the keystrokes entered by the target, including user names and passwords for any website. A remote keylogger can give an attacker access not only to your email and online accounts, but it can compromise your financial details as well. Keyloggers are used by people to find a certain piece of information, such as a user name or password. The pictorial representation clearly explains the way attackers steal passwords using keyloggers.
[Figure: stealing passwords using keyloggers. Attacker, Victim, Domain Server; the attacker gains access to the domain server.]
Keyloggers
When stealing passwords, the attacker first infects the victim's local PC with a
software keylogger. When the victim logs on to the domain server with his or her
credentials, the keylogger automatically sends login credentials (user name, passwords)
to the attacker without the knowledge of the victim. Once the attacker gets the victim's
login credentials, he or she logs on to the domain server and may perform any action.
Microsoft Authentication
SAM Database
Windows stores user passwords in the Security Accounts Manager database (SAM), or in the Active Directory database in domains. Passwords are never stored in clear text; passwords are hashed and the results are stored in the SAM.
NTLM Authentication
The NTLM authentication protocol types:
1. NTLM authentication protocol
2. LM authentication protocol
These protocols store the user's password in the SAM database using different hashing methods.
Kerberos
Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
[Screenshot: Windows Security "Enter network password" dialog ("Enter your password to connect to:", "Remember my credentials").]
Microsoft Authentication
SAM Database
SAM stands for Security Accounts Manager. The SAM database is used by Windows to manage user accounts and passwords in hashed format (one-way hash). Passwords are never stored in plaintext; they are stored in hashed format to protect them from attacks. The SAM database is implemented as a registry file, and the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file. Because the file is held under a filesystem lock, this provides some measure of security for the storage of the passwords.
It is not possible to copy the SAM file to another location in the case of online attacks. Since the SAM file is locked with an exclusive filesystem lock, it cannot be copied or moved while Windows is running. The lock will not release until a blue screen exception has been thrown or the operating system has shut down. However, the on-disk copy of the contents of the SAM file can be dumped using various techniques, making the password hashes available for offline brute-force attacks.
Microsoft introduced the SYSKEY function in Windows NT 4.0 in an attempt to improve the security of the SAM database against offline software cracking. The on-disk copy of the SAM file is partially encrypted when SYSKEY is enabled. In this way the password hash values for all local accounts stored in the SAM are encrypted with a key.
Even if its contents were discovered by some subterfuge, the keys are encrypted with a one-way hash, making it difficult to break. Also, some versions have a secondary key, making the encryption specific to that copy of the OS.
NTLM Authentication
NTLM (NT LAN Manager) is a proprietary protocol employed by many Microsoft products to perform challenge/response authentication, and it is the default authentication scheme that Microsoft firewall and proxy server products use. This software was developed to address the problem of working with Java technologies in a Microsoft-oriented environment. Since it does not rely on any official protocol specification, there is no guarantee that it works correctly in every situation. It has been tested on some Windows installations, where it worked successfully. NTLM authentication consists of two protocols: the NTLM authentication protocol and the LM authentication protocol. These protocols use different hash methodologies to store users' passwords in the SAM database.
Kerberos
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. This provides mutual authentication: both the server and the user verify the identity of each other. Messages sent through the Kerberos protocol are protected against replay attacks and eavesdropping.
Kerberos makes use of a Key Distribution Center (KDC), a trusted third party. This consists of two logically distinct parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" to prove the user's identity.
[Screenshot: contents of c:\windows\system32\config\SAM as dumped, one record per account in the format User name:User ID:LM Hash:NTLM Hash:::]
Administrator:500:598DDCE2660D3193AAD3B435B51404EE:2D20D252A479F485CDF5E171D93985BF:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:B991A1DA16C539FE4158440889BE1FFA:2E83DB1AD7FD1DC981F36412863604E9:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:F5C1D381495948F434C42AEE04DE990C:::
Hackers:1003:37035B1C4AE2B0C5B75E0C8D76954A50:7773C08920232397CAE081704964B786:::
Admin:1004:NO PASSWORD*********************:NO PASSWORD*********************:::
Martin:1005:624AAC413795CDC1AAD3B435B51404EE:C5A237B7E9D8E708D8436B6148A25FA1:::
John:1006:624AAC413795CDC1FF17365FAF1FFE89:3B1B47E42E0463276E3DED6CEF349F93:::
Jason:1007:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280B59CCE252FDB500EB8:::
Smith:1008:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280B59CCE252FDB500EB8:::
"LM hashes have been disabled in Windows Vista and later Windows operating systems; LM will be blank in those systems."
When the user changes his or her password, the creation and storage of valid LM hashes is disabled in many versions of Windows. This is the default setting for Windows Vista and Windows 7. The LM hash can be blank in the versions in which disabling the LM hash is the default setting. Selecting the option to remove LM hashes enables an additional check during password change operations, but does not clear LM hash values from the SAM immediately. The additional check stores a "dummy" value in the SAM database that has no relationship to the user's password and is the same for all user accounts. LM hashes cannot be calculated for passwords exceeding 14 characters in length. Thus, the LM hash value is set to the "dummy" value when a user or administrator sets a password of more than 14 characters.
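The dump format shown above can be audited for exactly the condition this passage describes: which accounts still carry a real LM hash and which hold the "dummy" value. The following Python is an added example and is not part of the EC-Council module. It parses user:RID:LM:NT::: records (the sample reuses lines from the dump above plus one constructed record, "Vista_user", that carries the disabled-LM value AAD3B435B51404EEAAD3B435B51404EE) and reports the LM status of each account, the check a defender runs before enforcing the no-LM setting. The function names are this example's own.

```python
"""Audit a pwdump-style hash dump for accounts that still carry LM hashes.

Added example, not from the EC-Council module. Record layout is the
user:RID:LM:NT::: format shown in the module; the sample below reuses records
from the module's dump plus one constructed record (Vista_user).
"""
import re

# Value Windows stores in the LM field when no LM hash exists (the "dummy"
# value the text describes). Each 16-hex-digit half covers seven characters
# of the password, so an empty second half means the password had 7 or fewer.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2

# Constructed sample dump (pwdump format, not a real system's SAM).
SAMPLE_DUMP = """\
Administrator:500:598DDCE2660D3193AAD3B435B51404EE:2D20D252A479F485CDF5E171D93985BF:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
Martin:1005:624AAC413795CDC1AAD3B435B51404EE:C5A237B7E9D8E708D8436B6148A25FA1:::
Jason:1007:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280B59CCE252FDB500EB8:::
Vista_user:1009:AAD3B435B51404EEAAD3B435B51404EE:4E835F1CD90F4C766F585FF8FF6280B5:::
"""


def parse_pwdump_line(line):
    """Split one user:rid:lm:nt::: record into a dict; None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].upper(), "nt": parts[3].upper()}


def classify_lm(lm):
    """Describe what the LM field tells an auditor."""
    if lm.startswith("NO PASSWORD"):
        return "no password"
    if not re.fullmatch(r"[0-9A-F]{32}", lm):
        return "unparseable"
    if lm == EMPTY_LM:
        return "disabled"          # dummy value: LM storage off, or password > 14 chars
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-present-short"  # real LM hash and password is 7 chars or fewer
    return "lm-present"            # real LM hash, password 8 to 14 chars


def audit(dump_text):
    """Return {user: classification} for every parseable record."""
    result = {}
    for line in dump_text.splitlines():
        rec = parse_pwdump_line(line)
        if rec:
            result[rec["user"]] = classify_lm(rec["lm"])
    return result


def accounts_needing_attention(dump_text):
    """Accounts whose SAM still holds a crackable LM hash, sorted by name."""
    return sorted(u for u, c in audit(dump_text).items() if c.startswith("lm-present"))


if __name__ == "__main__":
    for user, status in audit(SAMPLE_DUMP).items():
        print(f"{user:15} {status}")
    print("needs attention:", accounts_needing_attention(SAMPLE_DUMP))
```

Accounts reported as lm-present or lm-present-short are the ones a password change (with LM storage disabled) will fix; the Guest and Vista_user records show what a clean result looks like.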
What Is LAN Manager Hash?
LM hash or LAN Manager hash is the primary hash format that Microsoft LAN Manager and Microsoft Windows use to store user passwords of up to 14 characters in length.
Example: the 14-character password "123456QWERTY_" is split into two halves:
123456Q = 6BF11E04AFAB197F
WERTY_ = F1E9FFDCC75575B15
The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15
Note: LM hashes have been disabled in Windows Vista and later Windows operating systems
Before encrypting, the 14 characters of the password are split into two seven-byte halves: one seven-byte string '123456Q' and a second seven-byte string 'WERTY_'. Each string is encrypted individually and the results are concatenated, i.e.,
123456Q = 6BF11E04AFAB197F
WERTY_ = F1E9FFDCC75575B15
6BF11E04AFAB197FF1E9FFDCC75575B15
What Is LAN Manager Hash? (Cont'd)
The first 8 bytes are derived from the first 7 characters of the password and the second 8 bytes are derived from characters 8 through 14 of the password.
LM "Hash" Generation
[Figure: LM hash generation for "cehpass1": padded with NULL to 14 characters, converted to uppercase, separated into two 7-character strings, each used to DES-encrypt a constant, results concatenated into the LM hash.]
LM "Hash" Generation
The LM hash, also called the LAN Manager hash, is used by many versions of Windows for storing passwords of fewer than 15 characters.
The following figure explains the process of generating an LM hash for the password "cehpass1". The password is padded with NULL (blank) characters to 14 characters, i.e., padding, and converted to uppercase. The two seven-character strings are then used as the encryption keys for the encryption of a constant using the DES (Data Encryption Standard) symmetric cipher. At last, to create the LM hash, the resulting DES-encrypted blocks are concatenated.
[Figure: cehpass1 becomes CEHPASS and 1******; each half DES-encrypts the constant; the two results are concatenated into the LM hash.]
Comparison of LM, NTLMv1 and NTLMv2:
Attribute                   LM                      NTLMv1                  NTLMv2
Password case sensitive     No                      Yes                     Yes
Hash key length             56bit + 56bit           -                       -
Password hash algorithm     DES (ECB mode)          MD4                     MD5
Hash value length           64bit + 64bit           128bit                  128bit
C/R key length              56bit + 56bit + 16bit   56bit + 56bit + 16bit   128bit
C/R value length            64bit + 64bit + 64bit   64bit + 64bit + 64bit   128bit
C/R algorithm               DES (ECB mode)          DES (ECB mode)          HMAC_MD5
NTLM Authentication Process
[Figure: the user types the password (Martin, ********) into the logon window on the client computer; Windows runs the password through a hash algorithm (Martin:1008:624AAC413795CDC14E835F1CD90F4C76:6F585FF8FF6280B59CCE252FDB500EB8:::); the client computer sends its response to the challenge; the domain controller (DC) compares the computer's response with the response it created with its own hash.]
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication than NTLM. The NTLM authentication process consists of the following steps:
- The client types the user name and password into the logon window.
- Windows runs the password through a hash algorithm and generates a hash for the password that has been entered in the logon window.
- The client computer sends a login request along with the domain name to the domain controller.
- The domain controller generates a random "nonce" and sends it to the client computer.
- The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller.
- The domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. The domain controller then compares the encrypted value with the value received from the client. If the values match, the client is authenticated and the logon is successful.
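The exchange described in these steps, modelled end to end with both sides' messages, as an added example that is not part of the EC-Council module and not Microsoft's NTLM code. The real protocol derives the response with the primitives listed in the LM/NTLMv1/NTLMv2 comparison above (DES or HMAC_MD5 keyed by an MD4/MD5 password hash); this model substitutes HMAC-SHA256 so it runs on the Python standard library alone, which is an assumption of the example. The class and function names and the user "Martin" with a constructed password are this example's own. Besides the matching step it shows why a fresh nonce per logon matters: a response captured from one logon is rejected at the next.

```python
"""Simplified model of the NTLM challenge/response logon described above.

Added example, not Microsoft's code: HMAC-SHA256 stands in for the
DES/MD4/HMAC_MD5 primitives of the real protocol. All names and values are
constructed for illustration.
"""
import hashlib
import hmac
import secrets


def password_hash(password):
    # Both sides derive the same hash from the password; the DC keeps only
    # this value in its SAM, never the plaintext. (Stand-in for MD4.)
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class DomainController:
    def __init__(self):
        self.sam = {}           # user -> stored password hash
        self.outstanding = {}   # user -> nonce issued for the pending logon

    def add_user(self, user, password):
        self.sam[user] = password_hash(password)

    def login_request(self, user):
        # Steps 3 and 4: on a login request the DC answers with a fresh random nonce.
        nonce = secrets.token_bytes(8)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        # Step 6: recompute the response from the SAM copy of the hash and compare.
        nonce = self.outstanding.pop(user, None)   # each nonce is usable once
        if nonce is None or user not in self.sam:
            return False
        expected = hmac.new(self.sam[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    # Steps 1, 2 and 5: hash the typed password and key the nonce with it.
    return hmac.new(password_hash(password), nonce, hashlib.sha256).digest()


def run_logon(dc, user, password):
    """One complete exchange; True when the DC accepts the response."""
    nonce = dc.login_request(user)
    return dc.verify(user, client_response(password, nonce))


def replay_is_rejected(dc, user, password):
    """A response captured from one logon is rejected at the next logon,
    because the DC issues a different nonce each time."""
    nonce = dc.login_request(user)
    captured = client_response(password, nonce)
    if not dc.verify(user, captured):
        return False
    dc.login_request(user)                 # next logon, new nonce
    return not dc.verify(user, captured)   # the old response no longer matches


if __name__ == "__main__":
    dc = DomainController()
    dc.add_user("Martin", "constructed-example-password")
    print("good password:  ", run_logon(dc, "Martin", "constructed-example-password"))
    print("bad password:   ", run_logon(dc, "Martin", "guess"))
    print("replay rejected:", replay_is_rejected(dc, "Martin", "constructed-example-password"))
```

Note that the password hash itself, not the password, is what keys the response; this is why a dumped hash is as good as the password to an attacker, and why the SAM protections discussed earlier matter.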
Kerberos Authentication
[Figure: Kerberos authentication. The user sends a request to the Authentication Server (AS) and receives the reply of the authentication server; the Ticket Granting Server, Database and Application Server complete the exchange.]
Kerberos Authentication
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key cryptography.
This provides mutual authentication. Both the server and the user verify the identity of
each other. Messages sent through Kerberos protocol are protected against replay
attacks and eavesdropping.
Kerberos makes use of Key Distribution Center (KDC), a trusted third party. This consists
of two logically distinct parts: an Authentication server (AS) and a Ticket Granting Server
(TGS).
The authorization mechanism of Kerberos provides the user with a Ticket Granting Ticket (TGT) that serves, post-authentication, for later access to specific services: Single Sign On, by which the user is not required to re-enter the password for accessing any service that he is authorized for. It is important to note that there is no direct communication between the application servers and the Key Distribution Center (KDC); the service tickets, even if packeted by the TGS, reach the service only through the client wishing to access them.
FIGURE 5.16: Kerberos Authentication (Authentication Server (AS), Ticket Granting Server (TGS), Database, Application Server)
Salting
Salting technique prevents deriving passwords from the password file: the stored representation differs for each user.
Advantage: defeats pre-computed hash attacks.
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Cecil:root:209be1:a483b303c23af34761de02be038fde08
Salting
Salting is a way of making passwords more secure by adding random strings of characters to passwords before their md5 hash is calculated. This makes cracking passwords harder. The longer the random string, the harder it becomes to break or crack the password.
The random string of characters should be a combination of alphanumeric characters. The security level, or the strength of protection of your passwords against various password attacks, depends on the length of the random string of characters. This defeats pre-computed hash attacks.
In cryptography, a salt consists of random bits that are used as one of the inputs to a one-way function; the other input is a password. Instead of the passwords, the output of the one-way function can be stored and used to authenticate users. A salt can also be combined with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm.
With this technique different hashes can be generated for the same password. This makes the attacker's job of cracking the passwords difficult.
In this example, the two users Alice and Cecil have the same password but different hash values, since a random salt is generated for each individual user:
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Cecil:root:209be1:a483b303c23af34761de02be038fde08
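The per-user salted records above, implemented and checked, as an added example that is not from the EC-Council module. The module's records are md5-based; this example substitutes PBKDF2-HMAC-SHA256 from the Python standard library (an assumption of the example, chosen because it is deliberately slow) and keeps the user:role:salt:hash layout of the Alice/Bob/Cecil lines. User names and passwords are constructed, and the function names are this example's own. It demonstrates the two properties the text claims: the same password stored twice yields two different hashes, and a table precomputed under one salt does not match a record stored under another.

```python
"""Per-user salted password records, as the Salting section above describes.

Added example, not from the EC-Council module: PBKDF2-HMAC-SHA256 replaces
the module's md5; record layout user:role:salt:hash mirrors the module's lines.
"""
import hashlib
import hmac
import secrets

# Work factor for PBKDF2 (an assumption of this example; raise it as hardware speeds up).
ITERATIONS = 100_000


def hash_password(password, salt):
    # One-way function with the salt as its second input.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user, role, password):
    """Build one 'user:role:salt:hash' line with a fresh random salt for this user."""
    salt = secrets.token_bytes(16)
    return f"{user}:{role}:{salt.hex()}:{hash_password(password, salt).hex()}"


def parse_record(record):
    user, role, salt_hex, digest_hex = record.split(":")
    return user, role, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(record, password):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, _, salt, stored = parse_record(record)
    return hmac.compare_digest(hash_password(password, salt), stored)


def same_password_different_hash(password="constructed-shared-pw"):
    """Alice and Cecil share a password; their stored hashes still differ."""
    alice = make_record("Alice", "root", password)
    cecil = make_record("Cecil", "root", password)
    return parse_record(alice)[3] != parse_record(cecil)[3]


def precomputed_table_useless(password="constructed-shared-pw"):
    """A table precomputed under one salt never matches a record stored under another."""
    table_entry = hash_password(password, bytes(16))   # attacker's fixed-salt table
    record = make_record("Bob", "root", password)       # stored under a random salt
    return table_entry != parse_record(record)[3]


if __name__ == "__main__":
    rec = make_record("Alice", "root", "constructed-shared-pw")
    print(rec)
    print("verify correct:", verify(rec, "constructed-shared-pw"))
    print("verify wrong:  ", verify(rec, "nope"))
    print("same password, different hash:", same_password_different_hash())
    print("precomputed table useless:", precomputed_table_useless())
```

The salt is stored in the clear beside the hash, as in the module's records; its job is not secrecy but uniqueness, which forces an attacker to redo the whole computation for every user instead of once for a table.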
pwdump7 and fgdump
PWDUMP extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database.
pwdump7.exe
fgdump dumps the hashes from a remote machine (192.168.0.10) using a specified user:
fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -p l4mep4ssw0rd
[Screenshots: pwdump7.exe output listing user name, RID, LM hash and NTLM hash fields; fgdump output ending with "Failed servers: NONE" and "Successful servers: 127.0.0.1".]
L0phtCrack
L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding.
L0phtCrack
Source: http://www.l0phtcrack.com
L0phtCrack is a tool designed to audit and recover passwords. It is used to recover lost Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table, and brute force attacks, and it is also used to check the strength of passwords. The security defects inherent in the Windows password authentication system can be disclosed easily with the help of L0phtCrack.
Windows operating systems based on the LAN Manager networking protocols use an authentication system that consists of an 8-byte challenge returning a 24-byte response across the network from client to server in a challenge/response format. The server matches the response against its own independent calculation of the 24-byte response expected, and a match results in authentication. The algorithm divides the password into seven-character segments and then hashes each individually. This allows the attacker to restrict the password cracking to seven letters and makes the process easier. The weakness of the password hash, coupled with the transmission of the hash across the network in the challenge/response format, makes LM-based systems highly susceptible to challenge/response interception followed by dictionary and brute-force attacks by L0phtCrack. L0phtCrack 6 has the built-in ability to import passwords from remote Windows machines, including 64-bit versions of Vista and Windows 7, and from Unix machines, without requiring a third-party utility.
[Screenshots: L0phtCrack 6 session window with the Run, Import, Session toolbar; Cracked Accounts, Weak Passwords, Scheduled Tasks and Expired Accounts views; Dictionary, Hybrid and Precomputed progress; and a risk summary (Empty, High Risk, Medium Risk, Low Risk). Message log:
08/31/2012 04:37:01 Imported 2 accounts from the local machine
08/31/2012 04:37:01 Audit started.
08/31/2012 04:37:01 Auditing session completed.]
Ophcrack
Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms.
[Screenshot: Ophcrack main window.]
http://ophcrack.sourceforge.net
Ophcrack
Source: http://ophcrack.sourceforge.net
Ophcrack is a Windows password cracking tool that uses rainbow tables for cracking passwords. It comes with a graphical user interface and runs on different operating systems such as Windows, Linux/Unix, etc.
Features:
- Cracks LM and NTLM hashes.
- Real-time graphs to
[Screenshot: Ophcrack results table with User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2 and NT Pwd columns; "empty" entries mark accounts whose LM half is blank.]
[Screenshots: a password cracker window (File, View, Configure, Tools, Help menu; Decoders and Cracker tabs) listing hash categories such as LM & NTLM Hashes, NTLMv2 Hashes, MS-Cache Hashes, Kerb5 PreAuth Hashes, Radius Shared-Key Hashes, IKE-PSK Hashes, SHA-1 and SHA-2 Hashes, with Dictionary Attack, Cryptanalysis Attack and Rainbowcrack-Online options.]
RainbowCrack
RainbowCrack cracks hashes with rainbow tables. It uses a time-memory tradeoff algorithm to crack hashes.
Time-memory tradeoff tool suites, including
Computation on multi-core processor support
RainbowCrack
Source: http://project-rainbowcrack.com
pre-computation is finished, you will be able to crack the ciphertext using the rainbow tables easily and quickly.
Password Cracking Tools
http://www.passwordunlocker.com
WinPassword available at http://lastbit.com
Passware Kit Enterprise available at http://www.lostpassword.com
PasswordsPro available at http://www.insidepro.com
http://www.elcomsoft.com
LSASecretsView available at http://www.nirsoft.net
LCP available at http://www.lcpsoft.com
Password Cracker available at http://www.amlpages.com
Password Cracking Tools (Cont'd)
Kon-Boot available at http://www.thelead82.com
Windows Password Recovery Tool available at http://www.windowspasswordsrecovery.com
Hash Suite available at http://hashsuite.openwall.net
SAMInside available at http://www.insidepro.com
Windows Password Recovery available at http://www.passcape.com
Krbpwguess available at http://www.cgure.net
THC Hydra available at http://www.thc.org
Windows Password Breaker Enterprise available at http://www.recoverwindowspassword.com
Rekeysoft Windows Password Recovery Enterprise available at http://www.rekeysoft.com
How to Disable LM Hash
Use a password that is at least 15 characters long: the LM hash is not generated when the password length exceeds 15 characters.
Implement the NoLMHash policy through the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, add a key named NoLMHash.
Implement the NoLMHash policy through Group Policy: under Windows Settings, in the list of available policies, double-click "Network security: Do not store LAN Manager hash value on next password change."
How to Defend against Password Cracking
Enable information security auditing to monitor and track password attacks
Do not use passwords that can be found in a dictionary
Do not share passwords
Do not use any system's default passwords
Avoid storing passwords in an unsecured location
Do not use cleartext protocols and protocols with weak encryption
Set the password change policy to require a change as often as possible, e.g., every 30 days.
Avoid storing passwords in an unsecured location, because passwords stored in places such as computer files are easily subjected to attacks.
Do not use any system's default passwords.
Ensure that applications neither store passwords in memory nor write them to disk
Use a random string (salt) as a prefix or suffix with the password before encrypting
Enable SYSKEY with a strong password to encrypt and protect the SAM database
Never use passwords such as a date of birth or a spouse's, child's, or pet's name
Monitor the server's logs for brute-force attacks on user accounts
Ensure that applications neither store passwords in memory nor write them to disk. If passwords are stored in memory they can be stolen, and once a password is known it is very easy for the attacker to escalate their rights in the application.
Use a random string (salt) as a prefix or suffix with the password before encrypting (hashing) it. This nullifies pre-computation and memorization: since the salt is usually different for each individual, it is impractical for the attacker to construct tables holding a single encrypted version of each candidate password. UNIX systems usually use a 12-bit salt.
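As an added example (not code from the course or from RainbowCrack), the script below builds a tiny rainbow table for unsalted MD5 over 4-letter passwords, illustrating the time-memory tradeoff described under RainbowCrack, and then shows why the salting advice above defeats it: the same table that hands back a plaintext for md5(password) finds nothing for md5(salt + password). The charset, chain length, start points and the fixed demo salt are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Toy plaintext space: 4 lowercase letters (26**4 = 456,976 candidates).
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
SPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 50  # hashes recomputed per chain: the "time" side of the tradeoff


def md5_hex(text: str) -> str:
    """Unsalted MD5, the kind of hash a rainbow table can be built for."""
    return hashlib.md5(text.encode()).hexdigest()


def reduce_hash(hash_hex: str, column: int) -> str:
    """Map a hash back into the plaintext space. Mixing in the column index
    gives every chain position its own reduction function, which is what
    makes these rainbow chains rather than plain Hellman chains."""
    n = (int(hash_hex, 16) + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(start_points: List[str]) -> Dict[str, List[str]]:
    """Pre-computation: walk each chain and store only (end -> starts).
    Intermediate plaintexts are thrown away; that is the "memory" saving."""
    table: Dict[str, List[str]] = {}
    for start in start_points:
        p = start
        for col in range(CHAIN_LEN):
            p = reduce_hash(md5_hex(p), col)
        table.setdefault(p, []).append(start)  # keep merged chains too
    return table


def lookup(table: Dict[str, List[str]], target_hash: str) -> Optional[str]:
    """Recover the plaintext for target_hash if it lies on a stored chain."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the hash sits at position `col` and walk to the chain end.
        p = reduce_hash(target_hash, col)
        for c in range(col + 1, CHAIN_LEN):
            p = reduce_hash(md5_hex(p), c)
        for start in table.get(p, []):
            # Candidate chain (possibly a false alarm): regenerate and verify.
            q = start
            for c in range(CHAIN_LEN):
                if md5_hex(q) == target_hash:
                    return q
                q = reduce_hash(md5_hex(q), c)
    return None


def hash_salted(password: str, salt: str) -> str:
    """Salt as a prefix (a suffix works the same way). The table above covers
    md5(password) only; md5(salt + password) differs for every salt value,
    so the attacker would need one table per salt."""
    return md5_hex(salt + password)


def new_salt() -> str:
    """Random per-user salt; the 12-bit UNIX salt on the page is historical."""
    return secrets.token_hex(16)


def verify_password(password: str, salt: str, stored_hash: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt), stored_hash)


# Constructed start points: a few guessable words plus pseudo-random ones.
START_POINTS = ["pass", "love", "john", "test"] + [
    reduce_hash(md5_hex(f"seed-{i}"), 0) for i in range(300)
]
TABLE = build_table(START_POINTS)
FIXED_SALT = "7f3a9c10"  # constructed for a repeatable demo; use new_salt()


def crack_unsalted(password: str) -> Optional[str]:
    """Unsalted hash of a word on a stored chain: the table gives it back."""
    return lookup(TABLE, md5_hex(password))


def crack_salted(password: str, salt: str) -> Optional[str]:
    """Same word, salted: every candidate the table yields fails verification."""
    return lookup(TABLE, hash_salted(password, salt))
```

The table stores at most one endpoint per chain (a few hundred entries) yet answers for every plaintext on those chains, which is the tradeoff; with a per-user salt, that stored work buys the attacker nothing.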
Enable SYSKEY with a strong password to encrypt and protect the SAM database. Usually, the password information of user accounts is stored in the SAM database, and it is very easy for password-cracking software to target the SAM database to obtain the passwords of user accounts. To avoid such instances, SYSKEY comes into the picture: SYSKEY provides protection to the user account password information, i.e.,
Lock out an account subjected to too many incorrect password guesses. This provides protection against brute-force attacks and guessing.
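An added example (not from the course) of the log monitoring and lockout advice above: it replays constructed logon audit lines, flags an account that exceeds a lockout threshold within an observation window, flags a success that follows such a burst, and also flags one source spreading failures over many accounts, a pattern a per-account threshold alone misses. The log line format, the threshold and the window values are assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed audit lines (not from a real host). Each line carries the
# fields a logon audit record typically has: time, outcome, account, source.
SAMPLE_LOG = """\
2012-09-04 13:20:01 LOGON_FAILED user=john src=10.0.0.5
2012-09-04 13:20:02 LOGON_FAILED user=john src=10.0.0.5
2012-09-04 13:20:03 LOGON_FAILED user=john src=10.0.0.5
2012-09-04 13:20:04 LOGON_FAILED user=john src=10.0.0.5
2012-09-04 13:20:05 LOGON_FAILED user=john src=10.0.0.5
2012-09-04 13:20:06 LOGON_OK user=john src=10.0.0.5
2012-09-04 13:40:00 LOGON_FAILED user=alice src=10.0.0.9
2012-09-04 14:10:00 LOGON_FAILED user=alice src=10.0.0.9
2012-09-04 14:40:00 LOGON_FAILED user=alice src=10.0.0.9
2012-09-04 14:41:00 LOGON_FAILED user=alice src=10.0.0.9
2012-09-04 14:42:00 LOGON_OK user=alice src=10.0.0.9
2012-09-04 15:00:00 LOGON_FAILED user=bob src=10.0.0.7
2012-09-04 15:00:01 LOGON_FAILED user=carol src=10.0.0.7
2012-09-04 15:00:02 LOGON_FAILED user=dave src=10.0.0.7
2012-09-04 15:00:03 LOGON_FAILED user=erin src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<outcome>LOGON_\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Policy knobs, named after the lockout settings they mirror (assumed values).
LOCKOUT_THRESHOLD = 5                        # failed guesses before lockout
OBSERVATION_WINDOW = timedelta(minutes=30)   # failures older than this age out
LOCKOUT_DURATION = timedelta(minutes=30)
SPRAY_DISTINCT_USERS = 3                     # one source, many accounts


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, outcome, user, src) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def _expire(window: Deque, ts: datetime, age: timedelta) -> None:
    """Drop events older than `age` from the left of a time-ordered deque."""
    while window and ts - window[0][0] > age:
        window.popleft()


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Replay the log in order and emit alerts for a burst of failures on one
    account (what a lockout policy would stop), a success right after such a
    burst, and one source failing against many accounts under the threshold."""
    alerts: List[Dict[str, str]] = []
    failures: Dict[str, Deque] = defaultdict(deque)   # user -> [(ts, src)]
    by_source: Dict[str, Deque] = defaultdict(deque)  # src  -> [(ts, user)]
    locked_until: Dict[str, datetime] = {}
    sprayed = set()

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec

        if outcome == "LOGON_FAILED":
            win = failures[user]
            win.append((ts, src))
            _expire(win, ts, OBSERVATION_WINDOW)
            still_locked = ts <= locked_until.get(user, datetime.min)
            if len(win) >= LOCKOUT_THRESHOLD and not still_locked:
                locked_until[user] = ts + LOCKOUT_DURATION
                alerts.append({"kind": "lockout", "key": user, "at": str(ts),
                               "detail": f"{len(win)} failures from {src}"})

            srcwin = by_source[src]
            srcwin.append((ts, user))
            _expire(srcwin, ts, OBSERVATION_WINDOW)
            distinct = {u for _, u in srcwin}
            if len(distinct) >= SPRAY_DISTINCT_USERS and src not in sprayed:
                sprayed.add(src)
                alerts.append({"kind": "spray", "key": src, "at": str(ts),
                               "detail": "accounts: " + ", ".join(sorted(distinct))})

        elif outcome == "LOGON_OK":
            # A success while the account should still be locked out means the
            # lockout is not enforced or a guess landed: worth an analyst's look.
            if user in locked_until and ts <= locked_until[user]:
                alerts.append({"kind": "success_after_burst", "key": user,
                               "at": str(ts), "detail": f"from {src}"})
    return alerts
```

Here alice's four slow failures never reach the threshold inside the window and produce no alert, while john's burst, the success that follows it, and the spread of failures from 10.0.0.7 each do.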
[Figure: sample employee termination notice. Fields: Employee Name, Employee ID, Employee Address, Employee SSN, Employee Designation, Department, Manager Name, Manager ID, Notice Period, Termination Effective Date, Severance, Benefits Continuation, Termination Reason. Reasons listed: Opening unsolicited e-mail, Sending spam, Emanating viruses, Port scanning, Surfing porn, Installing shareware.]
Cracking Passwords
Escalating Privileges
Executing Applications
Hiding Files
Covering Tracks
Penetration Testing
Privilege Escalation
An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges
The attacker performs a privilege escalation attack, which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications
These privileges allow the attacker to view private information, delete files, or install malicious programs
[Figure: attacker holding a user account: "I can access the network using John's user account, but I need 'Admin' privileges?"]
Privilege Escalation
In a privilege escalation attack, the attacker gains access to networks and their associated data and applications by taking advantage of defects in design, software applications, poorly configured operating systems, etc.
Once an attacker has gained access to a remote system with a valid user name and password, he or she will attempt to increase his or her privileges by escalating the user account to one with increased privileges, such as that of an administrator. For example, if the attacker has access to a W2K SP1 server, he or she can run a tool such as ERunAs2X.exe to escalate his or her privileges to those of SYSTEM by using "nc.exe -l -p 50000 -d -e cmd.exe". With these privileges the attacker can easily steal personal information, delete files, and even deploy malicious, i.e., unwanted, programs such as Trojans, viruses, etc. onto the victim's systems.
Privilege escalation is required when an attacker wants to gain unauthorized access to targeted systems. Basically, privilege escalation takes two forms: vertical privilege escalation and horizontal privilege escalation.
Horizontal Privilege Escalation: In horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to an authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account.
Vertical Privilege Escalation: In vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of a user with higher privileges, such as application or site administrators. For example, someone performing online banking can access the site with administrative functions.
Privilege Escalation Tool: Active@ Password Changer
Source: http://www.password-changer.com
Features
Recovers passwords from multiple partitions and hard disk drives
Displays and detects all Microsoft Security Databases (SAM)
[Figure: Active@ Password Changer screenshot showing the SAM hive file under the Windows system directory and the list of local user accounts (Administrator, Guest, a service account) with their RIDs and descriptions]
Active@ Password Changer is a password recovery tool that resets or recovers the local administrator and user passwords when the administrator has lost or forgotten his or her password, or when the administrator's user account was locked out or disabled. Its main features include recovering passwords from multiple partitions and hard disk drives, displaying and detecting all Microsoft Security Databases (SAM), resetting the administrator's/user's password, and displaying complete account information for any local user.
Privilege Escalation Tools
Passwordlastic available at http://www.passwordlastic.com
Windows Password Recovery Tool available at http://www.windowspasswordsrecovery.com
Windows Administrator Password Reset available at http://www.systoolsgroup.com
ElcomSoft System Recovery available at http://www.elcomsoft.com
Windows Password Recovery Personal available at http://www.windowspasswordrecovery.com
http://www.stellarinfo.com
http://www.reset-windows-password.net
How to Defend against Privilege Escalation
Implement multi-factor authentication and authorization
Test operating system and application coding errors and bugs thoroughly
Implement a privilege separation methodology to limit the scope of programming errors and bugs
Use encryption techniques to protect sensitive data
Reduce the amount of code that runs with a particular privilege
Executing Applications
Attackers execute malicious applications in this stage. This is called "owning" the system
The attacker executes malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, install backdoors to maintain easy access, etc.
[Figure: categories of malicious applications: Backdoors, Keyloggers, Spyware, Crackers]
Executing Applications
Attackers execute malicious applications in this stage. This is called "owning" the system. Executing applications is done after the attacker gains administrative privileges. The attacker may try to execute some of his or her own malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system
from the victim's computer, the attacker installs several backdoors to maintain
easy access to the victim's computer in the future.
Executing Applications: RemoteExec
RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network
It allows the attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders
Executing Applications: PDQ Deploy
PDQ Deploy is a software deployment tool that allows admins
[Figure 5.29: PDQ Deploy screenshot: a deployment of the Skype installer to computer WIN-LXQN3WR3R9M reported as Successful]
http://www.adminarsenal.com
Executing Applications: DameWare NT Utilities
DameWare NT Utilities (NTU) lets you manage servers, notebooks, and laptops remotely
It allows the attacker to remotely manage and administer Windows computers
[Figure: DameWare NT Utilities screenshot: a workgroup browser listing servers and remote workstations, with the Services view showing each service's status, startup type (Automatic/Manual), account (LocalSystem) and executable path]
http://www.dameware.com
Keyloggers
instant messages, bank and credit card numbers, and other information that is typed by people every day. Data transmitted over an encrypted Internet connection is also vulnerable to keylogging, because the keylogger captures the keys struck before they are encrypted for transmission.
The keylogger program is installed onto the user's system invisibly through email attachments or through "drive-by" downloads when users visit certain websites. Keystroke loggers are
stealth software that sits between the keyboard hardware and the operating system, so that it can record every keystroke.
A keylogger can:
Record each keystroke typed by the user on his or her computer keyboard.
Capture screenshots at regular intervals showing user activity, such as when he or she types a character or clicks a mouse button.
Track the activities of users by logging window titles, names of launched applications, and other information.
Monitor the online activity of users by recording the addresses of the websites they have visited and the keywords entered by them, etc.
Record all login names, bank and credit card numbers, and passwords, including hidden passwords or data shown as asterisks or blank spaces.
Record online chat conversations.
Make unauthorized copies of both outgoing and incoming email messages.
Types of Keystroke Loggers
Application Keylogger
Kernel Keylogger
Rootkit Keylogger
Hypervisor-based Keylogger
Form Grabbing Based Keylogger
Hardware Loggers
or desktop security. All the keystrokes are captured, and you can retrieve the keystroke information in real time by connecting through a Bluetooth device.
Wi-Fi Keylogger: Operates completely stand-alone. Unlike a Bluetooth keylogger, this kind of keylogger does not require being near the computer on which the dongle (the recording device of a Bluetooth keylogger) is installed in order to retrieve the keystroke information. This keylogger requires no software or drivers and is completely undetectable; it works on any PC. It records the keystrokes and sends the information by email over a predefined time interval.
Application Keylogger
An application keylogger allows you to observe everything the user types in his or her emails, chats, and other applications, including passwords. With it you can even trace records of Internet activity. It is a completely invisible keylogger that tracks and records everything happening within the entire network.
Kernel Keylogger
This method is used rarely because it is difficult to write, as it requires a high level of proficiency from the developer of the keylogger. It is also difficult to conflict. These keyloggers exist at the kernel level and are consequently difficult to detect, especially for user-mode applications. This kind of keylogger acts as a keyboard device driver and thus gains access to all the information typed on the keyboard.
Rootkit Keylogger
The rootkit-based keylogger is a forged Windows device driver that records all keystrokes. This keylogger hides from the system and is undetectable even with standard or dedicated tools.
Device Driver Keylogger
This kind of keylogger usually acts as a device driver. The device driver keylogger replaces the existing I/O driver with one that has embedded keylogging functionality. All keystrokes performed on the computer are saved into a hidden log file and then sent to the destination through the Internet. The log files sent by this keylogger are hidden and tough to distinguish from operating system files, even when listing hidden files in a directory.
Hypervisor-based Keylogger
Methodology of Attacker in Using Remote Keylogger
As the user connects to the Internet, these files are sent to the remote location as configured by the attacker
[Figure: the hacker sends a malicious file to the user; the keylogger is injected at the application, driver, or kernel level (above the Windows kernel, HAL, and keyboard); as the user types on the keyboard (e.g., PASSWORD), keystrokes are saved to a log file and sent to a remote location]
addresses, etc. As the victim connects to the Internet, these files are sent to the
remote location as configured by the attacker. Here the attacker does not need to have
physical access to the victim's machine.
Acoustic/CAM Keylogger
[Figure: Acoustic Keylogger: a capturing receiver picks up the electromagnetic waves of the typed alphabet and transmits it to the hacker. CAM Keylogger: a camera takes screenshots and transmits them to the hacker.]
each key is used because some letters will be used much more than others.
[Figure 5.32: Acoustic Keyloggers: when the user presses "A", a capturing receiver picks up the emitted electromagnetic waves and the typed alphabet is recovered]
A CAM keylogger makes use of a webcam to record the keystrokes. The installed camera takes screenshots of the keystrokes and the monitor and sends the recorded screenshots to the attacker's account at periodic intervals. The attacker can retrieve the keystroke information by examining the screenshots sent by the CAM keylogger.
Keyloggers
PS/2 Keylogger
USB Keylogger
Wi-Fi Keylogger
Bluetooth Keylogger
Hardware Keylogger
Keylogger embedded inside the keyboard
Keyloggers
Besides the acoustic/CAM keyloggers discussed previously, there are other external keyloggers that you can use to monitor the keystrokes of someone's system. These external keyloggers can be attached between a standard PC keyboard and a computer to record each keystroke.
You can use the following external hardware keyloggers to monitor user activity:
[Figure: Spytech keylogger screenshot: main window with counters for keystrokes, windows and programs logged, internet activities (connections, e-mails sent/received, websites visited, chat transcripts), plus Program Options, Log Actions, Reports and Help]
http://www.spytech-web.com
You can download this software keylogger from its home site and install it on the
computer you want to monitor, and then just click Start Monitoring. That's it! It will
record a number of things for you about user activity on the computer.
[Figure: Spytech keylogger main window: General (Startup Settings), Keystrokes Typed, Windows Logged, Programs Usage, Screenshots (ScreenSpy), File/Documents (File Events Logged), Computer Usage (Sessions Logged), Internet Activities (Connections Logged, E-Mails Sent/Received, Websites Visited, Chat Transcripts), Advanced Options, Content Filtering, SmartLogging, Behavior Alerts, Scheduling, Log Actions, Reports]
All In One Keylogger
http://www.relytec.com
All In One Keylogger is invisible keylogger surveillance software that allows you to record the keystrokes of each user and monitor activity on the computer. It allows you to secretly track all activities from all computer users and automatically receive logs to a desired email/FTP/LAN account. It is completely invisible. The keylogger automatically activates itself when Windows starts.
You can do the following things using it:
Record all keystrokes (keystroke logger software)
Record instant messages
Monitor application usage
Capture desktop activity
Capture screenshots
Quick search over logs
Send reports via email, FTP, network
Record microphone sounds
Generate HTML reports
Disable anti-keyloggers
Disable unwanted software
Filter monitored user accounts
Capture screenshots
Send reports by FTP
Block unwanted URLs
Stop logging when the computer is idle
Keyloggers
Ultimate Keylogger available at http://www.ultimatekeylogger.com
Advanced Keylogger available at http://www.mykeylogger.com
Powered Keylogger available at http://www.mykeylogger.com
StaffCop Standard available at http://www.staffcop.com
iMonitorPC available at http://www.imonitorpc.com
The Best Keylogger available at http://www.thebestkeylogger.com
SoftActivity Keylogger available at http://www.softactivity.com
Elite Keylogger available at http://www.widestep.com
KeyProwler available at http://keyprowler.com
You can also use the following keyloggers that run on the Windows operating system:
Keylogger Spy Monitor available at http://ematrixsoft.com
REFOG Personal Monitor available at http://www.refog.com
Actual Keylogger available at http://www.actualkeylogger.com
Spytector available at http://www.spytector.com
Spy available at http://www.actualspy.com
logkext available at https://code.google.com
Keyboard Spy available at http://alphaomega.software.free.fr
Mac Keylogger
FreeMacKeylogger
http://kidlogger.net
http://www.keylogger.in
http://www.award-soft.com
http://www.refog.com
http://www.mvsuite.com
Hardware Keyloggers
A hardware keylogger is a device that is connected between a keyboard and the computer. It is used to record the keystrokes on the target user's computer. Hardware keyloggers log all keyboard activity to their internal memory. The advantage of a hardware keylogger over a software keylogger is that it can log keystrokes as soon as the computer starts. You can use the following hardware keystroke loggers to achieve your goals.
KeyGhost
Source: http://www.keyghost.com
KeyGhost is a tiny plug-in device that records every keystroke typed on any computer. You can also monitor and record email communication, chatroom activity, instant messages, website addresses, search engine searches, and more with this plug-in keylogger. You do not have to install any software to record or retrieve keystrokes.
Features:
It is easy to use
Installs in seconds; just plug it in
Can be unplugged and the information retrieved on another PC
Source: http://www.kevdemon.com
KeyGrabber is a hardware device that allows you to log keystrokes from a PS/2 or
USB keyboard. A hardware video-logger is a tiny frame-grabber for capturing
screenshots from a VGA, DVI, or HDMI video source.
Spyware
Spyware is usually bundled as a hidden component of freeware programs that are available on the Internet for download.
Spyware propagation:
Drive-by download
Masquerading as antispyware
Web browser vulnerability exploits
Piggybacked software installation
Browser add-ons
Cookies
Spyware
Spyware is stealthy computer monitoring software that allows you to secretly record all activities of a computer user. It automatically delivers logs to you via email or FTP, covering all areas of the system: email sent, websites visited, every keystroke (including the login/password of ICQ, MSN, AOL, AIM, and Yahoo Messenger or webmail), file operations, and online chat conversations. It also takes screenshots at set intervals, just like a surveillance camera pointed directly at the computer monitor. Spyware is usually bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet.
Spyware Propagation
Installing spyware on the user's computer does not require any consent from the user. You can install spyware on the user's computer without their knowledge by "piggybacking" it on other software programs. This is possible because spyware uses advertising cookies, which are one of the spyware subclasses. You can also be affected by spyware when you visit a website that distributes it. This is sometimes called "drive-by downloading," since the spyware installs itself when you "drive by" the website.
Because users pay too little attention when downloading and installing applications from the Internet, spyware gets installed. Spyware distributed along with other programs on the Internet masquerades as antispyware and runs on the user's computer without any notice when the user downloads and installs programs that are bundled with it.
Place desktop shortcuts to malicious spyware sites
Connect to remote pornography sites
Reduce system performance and cause software instability
Steal your passwords
Send you targeted email
Change the home page and prevent the user from restoring it
Modify the dynamically linked libraries (DLLs) and slow down the
Types of Spyware
There are 10 main types of spyware operating on the Internet that an attacker can use to steal information about user activity on a computer without the user's consent and knowledge. The 10 types are:
Desktop Spyware
Email and Internet Spyware
Child Monitoring Spyware
Video Spyware
Print Spyware
Screen Capturing Spyware
USB Spyware
Audio Spyware
GPS Spyware
Cell Phone and Telephone Spyware
Desktop Spyware
Desktop spyware provides information regarding what network users did on their desktops, how, and when:
Live recording of remote desktops
Record activity log and store it at one centralized location
Record software usage and timings
Record and monitor Internet activities
Log users' keystrokes
Desktop Spyware
Desktop spyware is software that allows an attacker to gain information about a user's activities or gather personal information about the user and send it via the Internet to third parties without the user's knowledge or consent. It provides information regarding what network users did on their desktops, how, and when. Desktop spyware allows attackers to perform the following:
Live recording of remote desktops
Record activity logs and store them at one centralized location
Record software usage and timings
Record and monitor Internet activities
Log users' keystrokes
Desktop Spyware: Activity Monitor
Source: http://www.softactivity.com
Activity Monitor allows you to track any LAN and gives you detailed information on what, how, and when network users performed.
Features:
View communication history
Take snapshots of the remote computer
Record activity log for all workplaces in one centralized location on a main computer with Activity Monitor installed
Store complete history of communications for every user (emails sent and received, IM chats, messages typed in web forums)
Track any user's keystrokes, even passwords, on your screen in real-time mode
Total control over networked computers: start or terminate remote processes, run commands, copy files from remote systems; you may even turn the computer off or restart it, not to mention logging off the current user
Deploy Activity Monitor Agent (the client part of the software) remotely from the administrator's PC to all computers in your network
Desktop Spyware
There is various desktop spyware available on the market that an attacker can use to monitor remote user desktops. This spyware can be used to monitor and record every detail of a user's PC and Internet activity. An attacker can log keystrokes, websites visited by the user, programs running on the user's computer, chat conversations, email communication, downloaded files, opened/closed windows, etc. You can also take snapshots of the remote user's desktop and much more. Some of the desktop spyware that attackers may use for monitoring user desktops remotely is listed as follows:
spy-software.com
SSPro available at http://www.gpsoftdev.com
RecoveryFix Employee Activity Monitor available at http://www.recoveryfix.com
Employee Desktop Live Viewer available at http://www.nucleustechnologies.com
NetVizor available at http://www.netvizor.net
Net Spy Pro available at http://www.net-monitoring-software.com
REFOG Employee Monitor available at http://www.refog.com
OsMonitor available at http://www.os-monitor.com
LANVisor available at http://www.lanvisor.com
Work Examiner Standard available at http://www.workexaminer.com
Internet Spyware
Internet spyware allows an attacker to monitor all the web pages accessed by the users
It provides a summary report of overall web usage
It records the date/time of visits and the active time spent on each website
It blocks access to a particular web page or a complete website
Internet Spyware
Internet spyware is a utility that allows you to monitor all the web pages accessed by the users of your computer in your absence. It makes a chronological record of all visited URLs. It loads automatically at system startup and runs in stealth mode, which means it runs in the background and the users of your computer can never detect that this tool is installed. All the visited URLs are written into a log file and sent to a specified email address. Using Internet spyware, one can perform web activity surveillance on any computer. It provides a summary report of overall web usage, such as websites visited and the time spent on each website, as well as all applications opened along with the date/time of visits. It also allows you to block access to a specific web page or an entire website by specifying the URLs or keywords that you want to block on your computer.
Email and Internet Spyware: Power Spy
Source: http://ematrixsoft.com
Power Spy logs use of your computer. It records all keystrokes, emails, websites visited, chats, and IMs in Windows Live Messenger, Skype, Yahoo Messenger, Tencent QQ, Google Talk, AOL Instant Messenger (AIM), and others.
Email and Internet Spyware
Spylab WebSpy available at http://www.spylab.org
http://www.spectorsoft.com
Employee Activity Monitor available at http://www.employee-monitoring-software.com
Personal Inspector available at http://www.spyarsenal.com
CyberSpy available at http://www.cyberspysoftware.com
Employee Monitoring available at http://www.employeemonitoring.net
AceSpy available at http://www.acespy.com
OsMonitor available at http://www.os-monitor.com
EmailObserver available at http://www.softsecurity.com
Ascendant NFM available at http://www.ascendant-security.com
websites
also records the time at which they opened the applications, how much time they are
spending on the Internet or computer, what they are doing on the computer, and so on.
Child Monitoring Spyware: Net Nanny Home Suite
Source: http://www.netnanny.com
Figure: Net Nanny Home Suite Setting Window and Filter Window
customizable restrictions for each family member. You can see reports of your children's
Internet activity and logs of instant messages.
K9 Web Protection
CyberSieve available at http://www.softforyou.com
Child Control available at http://www.salfeld.com
http://www.profiltechnology.com
SentryPC available at http://www.sentrypc.com
PC Pandora
iProtectYou Pro available at http://www.softforyou.com
KidsWatch available at http://www.kidswatch.com
Screen Capturing Spyware
Screen capturing spyware takes screenshots or records screen video in stealth mode (invisible/hidden to users) of local or remote computers at a predefined interval of time, with encryption capability
It allows monitoring screens in real time for all the user activities on the network
These spywares may also capture keystrokes, mouse activity, visited website URLs, and printer activity in real time
Screen capturing spyware generally saves screenshots to a local disk or sends them to an attacker via FTP or email
of users on the computer as they are looking at the computer live. This program runs
transparently in the background. It takes screenshots for each and every application
opened on the computer so users can know about each and every action of the computer
in real-time.
Screen Capturing Spyware: SoftActivity TS Monitor
Source: http://www.softactivity.com
SoftActivity TS Monitor is a terminal server session recorder that captures every user action. It captures screenshots of user activity, such as a picture of each visited web page, opened program, sent or received IM message, etc.
Screen Capturing Spyware
IcyScreen available at http://www.16software.com
Guardbay Remote Computer Monitoring Software available at http://www.guardbay.com
Spector Pro available at http://www.spectorsoft.com
PC Tattletale available at http://www.pctattletale.com
Computer Screen Spy Monitor available at http://www.mysuperspy.com
HT Employee Monitor available at http://www.hidetools.com
http://ematrixsoft.com
Spy Employee Monitor available at http://www.spysw.com
USB spyware copies files from USB devices to your hard disk in hidden mode without any request
USB Spyware
USB spyware is a program designed for spying on the computer and dumping the captured data onto the USB device. USB spyware copies files from USB devices onto the hard disk without any request or notification. It runs in hidden mode, so the users of the computer are not aware of the presence of the spyware on their computer.
USB spyware provides a multifaceted solution in the area of USB communications. It is capable of monitoring USB devices' activity without creating additional filters, devices, etc., which might damage the driver structure in the system. USB spyware lets you capture, display, record, and analyze the data that is transferred between any USB device connected to a PC and applications. This enables work on device driver or hardware development, provides a powerful platform for effective coding, testing, and optimization, and makes it a great tool for debugging software.
It captures all the communication between a USB device and its host and saves it into a hidden file for later review. A detailed log presents a summary of each data transaction along with its supporting information. USB spyware uses few system resources on the host computer. It applies its own time stamp to log all the activities in the communication sequence.
USB spyware does not contain any adware or spyware. It works with the most recent variants of Windows.
USB spyware copies files from USB devices to your hard disk in hidden mode without any request
It creates a hidden file/directory with the current date and begins the background copying process
It allows you to capture, display, record, and analyze data transferred between any USB device connected to a PC and applications
Source: http://www.everstrike.com
any USB device connected to a PC and applications. This makes it a great tool for debugging software and for working on device driver or hardware development, and it provides a powerful platform for effective coding, testing, and optimization. It makes USB traffic readily accessible for analysis and debugging. Its filters and triggers cut to the chase and present only the required data. Its interface makes communications easy to follow.
USB Spyware
USB Monitor available at http://www.hhdsoftware.com
USB Monitor Pro available at http://www.usb-monitor.com
USB Grabber available at http://usbgrabber.sourceforge.net
USB Activity Monitoring Software available at http://www.datadoctor.org
USBTrace available at http://www.sysnucleus.com
Stealth iBot Computer Spy available at http://www.brickhousesecurity.com
KeyCarbon USB Hardware Keylogger available at http://www.spywaredirect.net
USBDeview available at http://www.nirsoft.net
http://www.aggsoft.com
USB Spyware
A few of the USB spyware tools are listed as follows:
KeyCarbon USB Hardware Keylogger available at http://www.spywaredirect.net
USB 2GB Keylogger available at http://diij.com
Audio Spyware
Audio surveillance of different instant messengers such as MSN voice chat, Skype voice chat, ICQ voice chat, MySpace voice chat, etc.
Audio Spyware
Audio spyware is a sound surveillance program designed to capture sound waves or voice on the computer. The spyware can be installed on the computer without the permission of the computer user. It is installed silently, without sending any notification to the user, and runs in the background to secretly record various sounds on the computer. Using audio spyware does not require any administrative privileges.
Audio spyware monitors and records a variety of sounds on the computer. The recorded sounds are saved into a hidden file on the local disk for later retrieval. Attackers or malicious users therefore use audio spyware to snoop on and monitor conference recordings, phone calls, and radio broadcasts, which may contain confidential information.
Audio spyware is capable of recording and spying on voice chat messages of various popular instant messengers. With audio spyware, people can watch over their employees or children and see who they are communicating with.
Audio spyware can be used to monitor digital audio devices such as various messengers, microphones, and cell phones. It can record audio conversations by eavesdropping and monitor all incoming and outgoing calls, text messages, etc. It allows live call monitoring, audio surveillance, SMS tracking, logging of all calls, and GPRS tracking.
Sound Snooper
Voice activated recording
Source: http://www.sound-snooper.com
Spy Voice Recorder
Source: http://www.mysuperspy.com
voice recorder on the system. It invisibly records online chat conversations made in
popular chat programs or instant messengers including different types of voice
chats available on the Internet such as MSN Voice Chat, Skype Voice Chat, Yahoo!
Messenger Voice chat, ICQ Voice Chat, QQ Voice Chat, etc. This can also record other
streaming audio from the Internet, music played, sounds from the microphone,
earphones, etc.
Figure: Spy Voice Recorder interface
Sound Snooper
Source: http://www.sound-snooper.com
Sound Snooper is computer spy software that allows you to monitor sound and voice recorders on the system. It invisibly starts recording once it detects sound and automatically stops recording when the voice disappears. You can use it for recording conferences, monitoring phone calls, logging radio broadcasts, spying, employee monitoring, etc. It has voice-activated recording, supports multiple sound cards, stores recordings in any sound format, sends emails with recorded attachments, and is supported on Windows.
Figure: Sound Snooper interface
Video Spyware
Video spyware secretly monitors and records webcams and video IM conversations
Video spyware can be used for video surveillance of sensitive facilities
Attackers can remotely view webcams via the web or mobile phones
Video Spyware: WebCam Recorder
Source: http://webcamrecorder.com
WebCam Recorder records anything on screen, such as:
Webcams playing in your browser
Video IM conversations
Content from video sites such as YouTube
Any video playing on your desktop
WebCam Recorder is
Video Spyware
Many video spyware programs are available on the market for secret video surveillance. An attacker can use this software to secretly monitor and record webcams and video IM conversations, and to remotely view webcams in order to get live footage of secret communication. With the help of this spyware, attackers can record and play back anything displayed on the victim's screen. A few of the video spyware programs used for these purposes are listed as follows:
WebcamMagic available at http://www.robomagic.com
MyWebcam Broadcaster available at http://www.eyespyfx.com
I-Can-See-You available at http://www.internetsafetysoftware.com
Digi-Watcher available at http://www.digi-watcher.com
NET Video Spy available at http://www.sarbash.com
Eyeline Video Surveillance Software available at http://www.nchsoftware.com
Capturix VideoSpy available at http://www.capturix.com
WebCam Looker available at http://felenasoft.com
SecuritySpy available at http://www.bensoftware.com
iSpy available at http://www.ispyconnect.com
Print Spyware
Attackers can monitor the printer usage of the target organization remotely by using print spyware. Print spyware is printer usage monitoring software that monitors the printers in an organization. It provides precise information about print activities for office or local printers, which helps in optimizing printing, saving costs, etc. It records all information related to printer activity, saves the information in encrypted logs, and sends the log file to a specified email address over the Internet. The log report consists of the exact print job properties, such as the number of pages printed, the number of copies, the content printed, and the date and time at which the print action took place.
Print spyware records the log reports in different formats for various purposes, such as web format for sending the reports to an email address over the web or Internet, and a hidden encrypted format for storage on the local disk.
The generated log reports help attackers analyze printer activities. The log report shows how many documents were printed by each employee or workstation, along with the time period. This helps in monitoring printer usage and determining how employees are using the printer. This software also allows limiting access to the printer. The log report helps attackers trace information about sensitive and secret documents that have been printed.
FIGURE 5.47: Working of Print Spyware (User, Printer, Spool, Print Server, Attacker)
Print Spyware: Printer Activity Monitor

Printer Activity Monitor allows you to monitor and audit printers and find out which documents are printed on each of the selected printers, the number of pages printed, the computer ordering the printing, etc.
[Screenshot: Printer Activity Monitor, http://www.redline-software.com]

- Monitor printers remotely
- Generate reports about printer usage
[Slide: Print Spyware tools, including Print Monitor Pro, PrintTrak, Accurate Printer Monitor, Print Censor Professional, Print Inspector, All-Spy Print and Print365]
Print Spyware

Attackers can also use the following printer monitoring applications as print spyware to get information about the target's printer usage. Such spyware helps attackers track printer usage, such as the content of the documents printed, the number of copies printed, the date and time at which the print action took place, and so on. A few print spyware programs are listed as follows:

- Print Monitor Pro available at http://www.spyarsenal.com
- Accurate Printer Monitor available at http://www.aggsoft.com
- Print Censor Professional available at http://usefulsoft.com
- Admin Copier Tracking System available at http://www.printeradmin.com
- Print Inspector available at http://www.softperfect.com
- Print365 available at http://krawasoft.com
Telephone/Cellphone Spyware

- Telephone/cellphone spyware monitors and records phone calls and text messages, and tracks employee cell phone usage
- Attackers install spyware on the devices they want to track, which secretly sends data such as call history, text messages, web browser history, the actual location of the phone, contacts, etc. to attackers through SMS or email
Telephone/cell phone spyware is a software tool that gives you full access to monitor a victim's phone or cell phone. It completely hides itself from the user of the phone. It records and logs all activity on the phone, such as Internet use, text messages, and phone calls. You can then access the logged information via the software's main website, or receive it through SMS or email. Usually, this spyware is used to monitor and track the phone usage of employees, but attackers use it to trace information from their target person's or organization's telephones/cell phones. Using this spyware doesn't require any authorized privileges.

The most common telephone/cell phone spyware features include:

- Call History: allows you to see the entire call history of the phone (both incoming and outgoing calls).
- View Text Messages: enables you to view all incoming and outgoing text messages. Even deleted messages can be viewed in the log report.
- Web Site History: the entire history of all websites visited through the phone is recorded to the log report file.
- GPS Tracking: the spyware will show you where the phone is in real time. There is also a log of the cell phone's location, so you can see where the phone has been.

It works as depicted in the following diagram.

[Figure 5.49: Working of Telephone/Cell Phone Spyware; labels: User, Transmission Tower, Hacker]
Telephone/Cell Phone Spyware: Mobile Spy

[Screenshot: Mobile Spy]
Telephone/Cellphone Spyware

- FlexiSPY OMNI, http://www.flexispy.com
- Modem Spy, http://www.modemspy.com
- SpyBubble, http://www.spybubble.com
- MOBILE SPY, http://www.mobile-spy.com
- SPYPhone GOLD
- StealthGenie, http://www.stealthgenie.com
- SpyPhoneTap, http://www.spyphonetap.com
- CellSPYExpert, http://www.cellspyexpert.com
Telephone/Cell Phone Spyware

Like Mobile Spy, an attacker can also use the following software programs as telephone/cell phone spyware to record all activity on a phone, such as Internet usage, text messages, phone calls, etc. Some available telephone/cell phone spyware programs are listed on the preceding slide.
GPS Spyware

- GPS spyware is a device or software application that uses the Global Positioning System to determine the location of a vehicle, mobile, person, or other asset to which it is attached or installed
GPS Spyware

GPS spyware is a device or software application that uses the Global Positioning System (GPS) to determine the location of a vehicle, person, or other asset to which it is attached or installed. An attacker can use this software to track the target person.

This spyware tracks the phone's location points, stores them in a log file, and sends them to a specified email address. You can then view the target user's location points by logging into that email address; the software displays the connected points as a trace of the phone's location history on a map. It also sends email notifications for location proximity alerts. An attacker traces the location of the target person using GPS spyware as shown in the following figure.
[Figure 5.51: Working of GPS Spyware; labels: Satellite, Vehicle, Transmission Tower, Server, Hacker]
GPS Spyware: SPYERA

Features:
- Call interception
- Location tracking
- Read SMS messages
- See call history
- See contact list
- Read messenger chat (WhatsApp)
- Cell ID tracking
- Web history
- Photos taken

http://spyera.com

[Screenshot: SPYERA web console showing call (incoming, outgoing, missed), SMS and location logs]
GPS Spyware

- ALL-in-ONE Spy, http://www.thespyphone.com
- EasyGPS, http://www.easygps.com
- FlexiSPY PRO-X, http://www.flexispy.com
- Trackstick, http://www.trackstick.com
- MobiStealth Pro, http://www.mobistealth.com
- mSpy, http://www.buymspy.com
- MOBILE SPY, http://www.mobile-spy.com
- GPS Retriever, http://www.mobilebugstore.com
- World-Tracker, http://www.world-tracker.com
GPS Spyware

There are various software programs that can be used as GPS spyware to trace the location of particular mobile devices. Attackers can also make use of the following GPS spyware software to track the location of target mobiles:

- EasyGPS available at http://www.easygps.com
- FlexiSPY PRO-X available at http://www.flexispy.com
- GPS TrackMaker Professional available at http://www.gpstm.com
- MOBILE SPY available at http://www.mobile-spy.com
- World-Tracker available at http://www.world-tracker.com
How to Defend Against Keyloggers

- Install good professional firewall software and anti-keylogging software
- Check the keyboard cables for attached connectors
- Use software that frequently scans and monitors the changes in the system or network
- Install antivirus and antispyware software. Viruses, Trojans, and other malware are the mediums through which software keyloggers invade the computer. Antivirus and antispyware are the first line of defense against keyloggers. Using keylogger cleaning applications available online, keyloggers detected by the antivirus can be deleted from the computer.
- Install a host-based IDS, which can monitor your system and disable the installation of keyloggers.
- Enable firewalls on the computer. Firewalls prevent outside access to the computer and prevent the transmission of recorded information back to the attacker.
- Keep track of the programs that are running on the computer. Use software that frequently scans and monitors the changes in the system or network; keyloggers usually run transparently in the background.
- Keep your hardware systems secure in a locked environment, and frequently check the keyboard cables for attached connectors, USB ports, and computer games such as the PS2 that have been used to install keylogger software.
- Recognize and delete phishing emails, because most attackers use phishing emails as a medium to transfer software keyloggers to a victim's system.
- Use a live CD/DVD or write-protected live USB for rebooting the computer
- Use automatic form-filling programs or a virtual keyboard to enter user name and password
- Use the Windows on-screen keyboard accessibility utility to enter the password or any other confidential information
- Do not click on links in unwanted or doubtful emails that may point to malicious sites
- Use an automatic form-filling program, which removes the need to type your personal, financial, or confidential details such as credit card numbers and passwords through the keyboard.
- Use keystroke interference software, which inserts randomized characters into every keystroke.
- Use the Windows on-screen keyboard accessibility utility to enter the password or any other confidential information. You can keep your information confidential because here the mouse is used for entering information such as passwords and credit card numbers.
- Do not click on links in unwanted or suspicious emails that may point you to malicious websites.
- Restrict physical access to sensitive computer systems
- Periodically check your keyboard interface for extra components
- Periodically check all the computers and check whether there is any hardware device connected to the computer
Anti-Keylogger

[Figure 5.53: Anti-Keylogger Screenshot]
Anti-Keylogger: Zemana AntiLogger

Zemana AntiLogger eliminates threats from keyloggers, SSL banker Trojans, spyware, and more.

Features (protection modules): keylogger, screen logger, webcam logger, clipboard logger, System Defense

http://www.zemana.com

[Screenshot: Zemana AntiLogger main window ("Your computer is protected") and Protection Statistics: Analyzed 1694, Blocked 16]

Zemana AntiLogger protects against webcam loggers, keyloggers, clipboard loggers, screen loggers, spyware, SSL banker Trojans, etc.
Anti-Keylogger

- Anti-Keylogger, http://www.anti-keyloggers.com
- SpyShelter STOP-LOGGER, http://www.spyshelter.com
- DataGuard AntiKeylogger Ultimate
- PrivacyKeyboard, http://www.anti-keylogger.com
- DefenseWall HIPS, http://www.softsphere.com
- PrivacyKeyboard, http://www.privacykeyboard.com
- KeyScrambler, http://www.qfxsoftware.com
- I Hate Keyloggers, http://dewasoft.com
- CoDefender, https://www.encassa.com
Anti-Keyloggers

Anti-keyloggers secure your system from spyware attacks, software keyloggers, and hardware keyloggers. Some of the anti-keyloggers that can be used for securing your system against various threats are listed as follows:

- Anti-Keylogger available at http://www.anti-keyloggers.com
- PrivacyKeyboard available at http://www.anti-keylogger.com
- DefenseWall HIPS available at http://www.softsphere.com
- Be cautious about suspicious emails and sites
- Update the software regularly and use a firewall with outbound protection
- Don't open suspicious emails and file attachments received from unknown senders. There is a great likelihood that you will get a virus, freeware, or spyware on the computer. Don't open unknown websites that are presented in spam mail messages, retrieved by search engines, or displayed in pop-up windows, because they may mislead you into downloading spyware.
- Do not use public terminals for banking and other sensitive activities

- Always use caution with anything found on the Internet while downloading and installing free software. Before downloading any software, make sure that it is from a trusted website. The license agreement, security warning, and privacy statements associated with the software should be read thoroughly to get a clear understanding before you download.
- Do not use administrative mode unless it is necessary, because malicious programs such as spyware are executed when you are in administrator mode. As a result, attackers may take complete control over your system.
- Do not use public terminals for accessing bank accounts, checking credit card statements, and other sensitive activities. Public systems are not at all secure, as they are accessed by many users. The company that operates the public terminals may not even check their systems for spyware.
- Do not download free music files, screensavers, or smiley faces from the Internet, because when you download such free programs there is a possibility that spyware comes along with them invisibly.
Anti-Spyware: Spyware Doctor

PC Tools Spyware Doctor delivers simple protection against dangerous spyware.

http://www.pctools.com

[Screenshot: Spyware Doctor (PC Tools by Symantec) Protection Status and Protection Summary: IntelliGuard Protection ON, Threats Detected 532, Scans Performed 15, Items Scanned 7,562]
Anti-Spyware

- Kaspersky Internet Security 2013, http://www.kaspersky.com
- SUPERAntiSpyware
- SecureAnywhere Complete 2012, http://www.webroot.com
- Malwarebytes Anti-Malware PRO, http://www.malwarebytes.org
Anti-Spyware

Anti-spyware scans your system, checks for spyware such as malware, Trojans, dialers, worms, keyloggers, and rootkits, and removes them if any are found. Anti-spyware provides real-time protection by scanning your system at regular intervals, either weekly or daily, to ensure the computer is free from malicious software. A few anti-spyware programs are listed as follows:

- SUPERAntiSpyware available at http://superantispyware.com
- Spyware Terminator 2012 available at http://www.perx.com
- Ad-Aware Free Antivirus+ available at http://www.lavasoft.com
- SecureAnywhere Complete 2012 available at http://www.webroot.com
- MacScan available at http://macscan.securemac.com
- Spybot Search & Destroy available at http://www.safer-networking.org
- Malwarebytes Anti-Malware PRO available at http://www.malwarebytes.org
[Slide: module flow - Cracking Passwords, Escalating Privileges, Executing Applications, Hiding Files, Covering Tracks, Penetration Testing]

Like malicious applications, there are also many protective applications that are capable of preventing or detecting and deleting malicious applications. In order to avoid malicious applications being detected by protective applications, attackers hide malicious files inside other legitimate files.

Module 05 Page 709
Rootkits

- Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time and also in the future
- Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system, causing malicious functions to be executed
- A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Objectives of a rootkit:
- Wrapping the rootkit in a special package like games
Rootkits

Rootkits are software programs aimed at gaining access to a computer without being detected. They are malware that can be used to gain unauthorized access to a remote system and perform malicious activities. The goal of a rootkit is to gain root privileges on a system. By logging in as the root user of a system, an attacker can perform any task, such as installing software or deleting files. A rootkit works by exploiting vulnerabilities in the operating system and applications. It builds a backdoor login process into the operating system, by which the attacker can evade the standard login process. Once root access has been enabled, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and deserting active processes. Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system, causing malicious functions to be executed. A typical rootkit is comprised of backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

All files contain a set of attributes, and there are different fields in the file attributes. The first field is used to determine the format of the file, that is, whether it is a hidden, archive, or read-only file. The other field describes the time the file was created, when it was accessed, as well as its original length. The functions GetFileAttributesEx() and GetFileInformationByHandle() enable this. ATTRIB.exe is used to display or change file attributes. An attacker can hide, or even change, the attributes of a victim's files so that the attacker can access them.
Types of Rootkits

A rootkit is a type of malware that can hide itself from the operating system and antivirus applications on the computer. This program provides attackers with root-level access to the computer through backdoors. These rootkits employ a range of techniques to gain control of a system. The type of rootkit influences the choice of attack vector. Basically there are six types of rootkits available. They are:

1. Hypervisor-level Rootkit

level rootkits. These have the same privileges as the operating system, hence they are difficult to detect, and they can intercept or subvert the operations of the operating system.

Application-level Rootkit

Hardware/Firmware Rootkit

Library-level Rootkits
Library-level rootkits work higher up in the OS, and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker unknown. They replace original system calls with fake ones to hide information about the attacker.
[Figure 5.56: How Rootkits Work. Hooks: a call to FindNextFile goes through the import data section (FindNextFile: 0x87654321) into Kernel32.dll, where the rootkit replaces the first 5 bytes of the function's code with jmp 0x90045123 into the rootkit code. Direct Kernel Object Manipulation (DKOM): Process 1, Process 2 and Process 3 each carry a Unique process ID, Process Identifiers and an ActiveProcessLinks LIST_ENTRY with FLINK and BLINK pointers; the second panel shows the list with Process 2 taken out of the chain.]
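Both hooking techniques in the figure leave checkable traces: an import-table slot that no longer holds the exporter's real address, and a function prologue that begins with a jmp out of its own module. The Python below is an added example, not EC-Council's code; it runs on constructed data (module range, export table, prologue bytes), and only the addresses 0x87654321 (FindNextFile) and 0x90045123 (rootkit code) come from the figure.

```python
"""Check for the two API hooks shown in the figure: an import-table (IAT)
entry redirected away from the real export, and an inline patch that
overwrites a function's first 5 bytes with a relative jmp.

Added example for this page, not EC-Council's code. It runs on constructed
data (module range, export table, prologue bytes); only the addresses
0x87654321 (FindNextFile) and 0x90045123 (rootkit code) come from the figure.
"""
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple


class ModuleRange(NamedTuple):
    """Load address range of a module such as Kernel32.dll."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def decode_rel_jmp(prologue: bytes, func_addr: int) -> Optional[int]:
    """Return the absolute target if `prologue` begins with E9 rel32 (jmp).

    rel32 is a signed displacement from the end of the 5-byte instruction,
    so target = func_addr + 5 + rel32 (wrapped to 32 bits).
    """
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    (rel32,) = struct.unpack("<i", prologue[1:5])
    return (func_addr + 5 + rel32) & 0xFFFFFFFF


def find_inline_hooks(prologues: Dict[str, bytes],
                      exports: Dict[str, int],
                      module: ModuleRange) -> List[Tuple[str, int]]:
    """Report exported functions whose first instruction jumps out of the module.

    A jmp that stays inside the module is left alone: compilers emit such
    thunks legitimately, and flagging them would be a false positive.
    """
    hooked = []
    for name, addr in exports.items():
        target = decode_rel_jmp(prologues.get(name, b""), addr)
        if target is not None and not module.contains(target):
            hooked.append((name, target))
    return hooked


def find_iat_hooks(import_table: Dict[str, int],
                   exports: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Report imports whose IAT slot differs from the exporter's real address."""
    return [(name, slot, exports[name])
            for name, slot in import_table.items()
            if name in exports and slot != exports[name]]


# --- constructed sample data -------------------------------------------
KERNEL32 = ModuleRange("Kernel32.dll", 0x87650000, 0x000F0000)
EXPORTS = {"FindNextFile": 0x87654321, "FindFirstFile": 0x87654100}

# Clean import table: each slot holds the exporter's address.
IAT_CLEAN = {"FindNextFile": 0x87654321, "FindFirstFile": 0x87654100}
# IAT hook: the FindNextFile slot now points into rootkit code.
IAT_HOOKED = {"FindNextFile": 0x90045123, "FindFirstFile": 0x87654100}

# Standard hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
# First 5 bytes replaced with jmp 0x90045123 (E9 + little-endian rel32).
PATCHED_PROLOGUE = bytes.fromhex("E9FD0D9F08")

PROLOGUES_HOOKED = {"FindNextFile": PATCHED_PROLOGUE,
                    "FindFirstFile": CLEAN_PROLOGUE}
PROLOGUES_CLEAN = {"FindNextFile": CLEAN_PROLOGUE,
                   "FindFirstFile": CLEAN_PROLOGUE}


if __name__ == "__main__":
    for name, target in find_inline_hooks(PROLOGUES_HOOKED, EXPORTS, KERNEL32):
        print(f"inline hook: {name} jumps to {target:#010x} (outside {KERNEL32.name})")
    for name, slot, real in find_iat_hooks(IAT_HOOKED, EXPORTS):
        print(f"IAT hook: {name} slot {slot:#010x}, real export {real:#010x}")
```

On a live system the same comparison is made between the export address read from the on-disk DLL and the in-memory import slot and prologue bytes; a detector that only reads memory through the hooked API is itself subject to the hook.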
Rootkit: Fu

- Fu operates using direct kernel object manipulation
- Components of Fu are the dropper (fu.exe) and the driver (msdirectx.sys)

[Screenshot: output of fu pl 30 listing the running processes, ending with Total number of processes 23]
Rootkit: Fu

Fu is a rootkit that operates using Direct Kernel Object Manipulation (DKOM) and comes with two components, the dropper (fu.exe) and the driver (msdirectx.sys). The Fu rootkit modifies the kernel objects that represent the processes on the system. All the kernel process objects are linked. When a user process such as TaskMgr.exe asks the operating system for the list of processes through an API, Windows walks the linked list of process objects and returns the appropriate information. Fu unlinks the process object of the process it is hiding; therefore, as far as many applications are concerned, the process does not exist.

The Fu rootkit can also hide and list processes and drivers by using different hooking techniques. It can add privileges to any process token. This can perform many actions in the Windows Event Viewer and make them appear as someone else's.
[Screenshot: Command Prompt, fu pl 30 run in \temp. Process: fu.exe:860, Process: System:4, Process: smss.exe:376, Process: csrss.exe:632, Process: winlogon.exe:664, Process: services.exe:708, Process: lsass.exe:732, Process: svchost.exe:912, Process: svchost.exe:1004, Process: svchost.exe:1092, Process: svchost.exe:1176, Process: svchost.exe:1284, Process: spoolsv.exe:1416, Process: VMwareService.exe:1592, Process: alg.exe:2036, Process: explorer.exe:572, Process: wscntfy.exe:580, Process: VMwareTray.exe:920, Process: VMwareUser.exe:1040, Process: ctfmon.exe:1168, Process: cmd.exe:420, Process: taskmgr.exe:816; Total number of processes 23]
Rootkit: KBeast

- KBeast (Kernel Beast) is a kernel rootkit that loads as a kernel module. It supports kernel 2.6.16, 2.6.18, 2.6.32, and 2.6.35
- It also has a userland component that provides remote access to the computer
- KBeast gains its control over a computer by hooking the system call table and by hooking the operations structures used to implement the netstat interface to userland

Features:
- Hiding loadable kernel modules
- Anti-kill process
- Hiding files/directory
- Anti-remove files
Rootkit: KBeast

KBeast (Kernel Beast) is a kernel rootkit that loads as a kernel module. It supports kernel 2.6.16, 2.6.18, 2.6.32, and 2.6.35. It provides remote access to the system through its userland component. Using the kernel module, the userland backdoor component can be made invisible to other userland applications. It can hide files, directories, and processes (from ps, pstree, top, lsof) that start with a user-defined prefix. Its keylogging abilities can be used to capture user activity. KBeast obtains control over the system by hooking the system call table and the operations structures used to implement the netstat interface to userland.

The features of this rootkit include:

- Hiding loadable kernel modules
- Hiding files/directory
- Hiding processes (ps, pstree, top, lsof)
- Anti-remove files
- Remote binding backdoor hidden by the kernel rootkit
Rootkit: Hacker Defender HxDef Rootkit

[Screenshot: Command Prompt running bdcli100.exe 192.168.8.93 135 v4L: connecting server, receiving banner, opening backdoor, backdoor found, checking backdoor, backdoor ready, authorization sent, waiting for reply, authorization SUCCESSFUL, backdoor activated! close shell and all progz to end session]
Detecting Rootkits

- Integrity-Based Detection: compares a snapshot of the file system, boot records, or memory with a known trusted baseline
- Signature-Based Detection: compares characteristics of all system processes and executable files with a database of known rootkit fingerprints
- Cross View-Based Detection
- Heuristic/Behavior-Based Detection
- Runtime Execution Path Profiling: compares runtime execution paths of all system processes and executable files before and after the rootkit infection
Detecting Rootkits

Rootkit detection techniques are classified as signature-based, heuristic-based, integrity-based, cross-view-based detection, and runtime execution path profiling.

Signature-based Detection
Signature-based detection methods work with rootkit fingerprints: the sequence of bytes from a file is compared with a sequence of bytes that belongs to a known malicious program. This technique is mostly employed on system files. Rootkits that hide themselves can be detected by scanning kernel memory. The success rate of signature-based detection is low because of the rootkit's tendency to hide files by interrupting the execution path of the detection software.

Heuristic Detection
Integrity-based Detection
Integrity-based detection functions by comparing the current file system, boot records, or memory snapshot with a known, trusted baseline. The evidence or presence of malicious activity is revealed by the dissimilarities between the current and baseline snapshots.
Cross-view-based Detection
Cross-view-based detection techniques work by assuming that the operating system has been subverted in some way. They enumerate the system files, processes, and registry keys by calling the common APIs, and then compare the gathered information with a data set obtained by an algorithm that traverses the same data through low-level mechanisms. This detection technique relies on the fact that API hooking or manipulation of kernel data structures taints the data returned by the operating system APIs, whereas the low-level mechanisms used to produce the same information are free from DKOM or hook manipulation.
Runtime Execution Path Profiling
The Runtime Execution Path Profiling technique compares the runtime execution path profiles of all system processes and executable files. A rootkit adds new code near a routine's execution path, which destabilizes that path: the number of instructions executed before and after a routine is hooked can differ significantly.
Step 1: Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results
Step 2
Step 3
Note: There will be some false positives. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
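As an added example that is not part of the courseware, the Python script below performs the comparison this procedure sets up. It assumes the two in-OS listings from Step 1 plus a third listing of the same volume taken from a trusted environment (the volume mounted under another drive letter); the listing text, the exclusion list and the file name hidden_rk.sys are constructed.

```python
"""Cross-view comparison of "dir /s /b" listings (added example, constructed data).

A rootkit that hooks directory enumeration hides its files from the listing
taken inside the infected OS, but not from a listing of the same volume taken
from a trusted environment.  Diffing the two views exposes the hidden entries.
"""
from pathlib import PureWindowsPath

# Paths that legitimately differ between the two views (constructed list);
# filtering them keeps down the false positives the note above warns about.
DEFAULT_EXCLUDES = frozenset({"pagefile.sys", "hiberfil.sys", "$recycle.bin"})


def normalise(line: str) -> str:
    """Drop the drive letter and lower-case the path, so C: (inside the OS)
    and E: (the volume mounted from clean media) compare equal."""
    p = PureWindowsPath(line.strip())
    parts = p.parts[1:] if p.drive else p.parts
    return "\\".join(parts).lower()


def parse_listing(text: str) -> set:
    """Turn raw 'dir /s /b' output into a set of normalised paths."""
    return {normalise(line) for line in text.splitlines() if line.strip()}


def is_excluded(path: str, excludes=DEFAULT_EXCLUDES) -> bool:
    return any(part in excludes for part in path.split("\\"))


def compare_views(inside_hidden: str, inside_visible: str, trusted: str,
                  excludes=DEFAULT_EXCLUDES):
    """Return (hidden_from_os, only_in_os): entries the trusted view has but
    the in-OS view lacks, and vice versa, minus the excluded noise."""
    inside = parse_listing(inside_hidden) | parse_listing(inside_visible)
    outside = parse_listing(trusted)
    hidden = sorted(p for p in outside - inside if not is_excluded(p, excludes))
    extra = sorted(p for p in inside - outside if not is_excluded(p, excludes))
    return hidden, extra


# --- constructed sample listings -------------------------------------------
# Output of "dir /s /b /ah" inside the suspect OS
INSIDE_HIDDEN = r"""C:\pagefile.sys
C:\hiberfil.sys
C:\Windows\System32\config\SAM
"""
# Output of "dir /s /b /a-h" inside the suspect OS
INSIDE_VISIBLE = r"""C:\Windows\System32\cmd.exe
C:\Windows\System32\drivers\tcpip.sys
C:\Users\alice\report.docx
"""
# The same volume listed from a trusted boot environment, mounted as E:
# (hidden_rk.sys is a constructed name standing in for a hidden driver file)
TRUSTED = r"""E:\Windows\System32\config\SAM
E:\Windows\System32\cmd.exe
E:\Windows\System32\drivers\tcpip.sys
E:\Windows\System32\drivers\hidden_rk.sys
E:\Users\alice\report.docx
"""

if __name__ == "__main__":
    hidden, extra = compare_views(INSIDE_HIDDEN, INSIDE_VISIBLE, TRUSTED)
    for path in hidden:
        print("hidden from the running OS:", path)
    for path in extra:
        print("present only in the running OS:", path)
```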
Reinstall OS/applications from a trusted source after backing up the critical data
Install network and host-based firewalls
Use strong authentication
AM installed
You should avoid logging in to an account with administrative privileges
You should adhere to the least privilege principle
Anti-Rootkit: Stinger
Stinger is a standalone utility used to detect and remove specific viruses. By default, Stinger scans rootkits, running processes, loaded modules, and registry and directory locations known to be used by malware
Anti-Rootkit: Stinger
Source: http://www.mcafee.com
McAfee Stinger helps you to detect and remove prevalent Fake Alert malware,
viruses, and threats identified in your system. Stinger scans rootkits, running
processes, loaded modules, the registry, and directory locations known to be used by
malware on the machine to keep scan times minimal. It can also repair the infected
files found in your system. It detects and deactivates all the viruses from your system.
Anti-Rootkit: UnHackMe
Features:
Precise double-checking for a Windows-based PC
Instant tracking of malicious code in the system
http://www.greatis.com
Anti-Rootkit: UnHackMe
Source: http://www.greatis.com
UnHackMe is basically anti-rootkit software that helps you identify and remove all types of malicious software such as rootkits, Trojans, worms, viruses, and so on. The main purpose of UnHackMe is to prevent rootkits from harming your computer, helping users protect themselves against masked intrusion and data theft. UnHackMe also includes the Reanimator feature, which you can use to perform a full spyware check.
Features:
Precise double-checking for a Windows-based PC
Instant tracking of malicious code in the system
viruses and so on)
Does not slow down the PC and is compatible with antivirus programs
Anti-Rootkits
Virus Removal Tool http://www.sophos.com
Rootkit Buster http://downloadcenter.trendmicro.com
Rootkit Razor http://www.tizersecure.com
Hypersight Rootkit Detector http://northsecuritylabs.com
RemoveAny http://www.free-anti-spy.com
TDSSKiller http://support.kaspersky.com
SanityCheck http://www.resplendence.com
GMER http://www.gmer.net
Prevx http://www.prevx.com
Anti-Rootkits
The following anti-rootkits help you remove various types of malware such as rootkits, viruses, Trojans, and worms from your system. You can download or purchase anti-rootkit software from the vendors' home sites and install it on your PC to be protected from rootkits. A few anti-rootkits are listed as follows:
Virus Removal Tool available at http://www.sophos.com
Hypersight Rootkit Detector available at http://northsecuritylabs.com
Avira Free Antivirus Tool available at http://www.avira.com
SanityCheck available at http://www.resplendence.com
GMER available at http://www.gmer.net
Rootkit Buster available at http://downloadcenter.trendmicro.com
Rootkit Razor available at http://www.tizersecure.com
RemoveAny available at http://www.free-anti-spy.com
TDSSKiller available at http://support.kaspersky.com
Prevx available at http://www.prevx.com
[Figure: Hacker injects malicious code into the existing file]
In addition to the file attributes, each file stored on an NTFS volume typically contains two data streams. The first data stream stores the security descriptor, and the second stores the data within a file. Alternate data streams are another type of named data stream that can be present within each file.
An Alternate Data Stream (ADS) is any kind of data that can be attached to a file but not in the file on an NTFS system. The Master File Table of the partition contains a list of all the data streams that a file contains and their physical locations on the disk. Therefore, alternate data streams are not present in the file, but attached to it through the file table. An NTFS Alternate Data Stream (ADS) is a Windows hidden stream that contains metadata for the file such as attributes, word count, author name, and the access and modification times of the file.
ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities. ADSs provide attackers with a method of hiding rootkits or hacker tools on a breached system and allow them to be executed without being detected by the system's administrator. Files with ADS are impossible to detect using native file browsing techniques like the command line or Windows Explorer. After attaching an ADS file to the original file, the size of the file will show as the original size of the file regardless of the size of the ADS (anyfile.exe). The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.
Launch c:\>notepad myfile.txt and enter a few lines of text
Launch c:\>notepad myfile.txt:tiger.txt and enter a few lines of data
Check the size of myfile.txt (it should be zero)
To modify the stream data, open the document 'myfile.txt:tiger.txt' in Notepad
Move the contents of Trojan.exe to Readme.txt
Location c:\ Trojan.exe (size: 2 MB) → Location c:\ Readme.txt (size: 0)
c:\> type c:\Trojan.exe > c:\Readme.txt:Trojan.exe
To execute the Trojan.exe from the Readme.txt (stream):
c:\> start c:\Readme.txt:Trojan.exe
To extract the Trojan.exe from the Readme.txt (stream):
c:\> cat c:\Readme.txt:Trojan.exe > Trojan.exe
Note: Cat is a Windows 2003 Resource Kit Utility.
FIGURE 5.63: Working of NTFS Stream Manipulation
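An added example from the detection side, not the courseware's own code: on Windows Vista and later, dir /R lists every stream of a file as file:stream:$DATA, which a plain dir does not show. The Python parser below reads that output, flags named streams, skips the Zone.Identifier stream that browsers attach to downloaded files, and reports each stream's size next to its host file's size; the listing text is constructed.

```python
"""Triage alternate data streams from 'dir /R' output (added example, constructed data)."""
import re

# A dated line for the host file, e.g.
#   01/15/2013  10:02 AM                 0 Readme.txt
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+|<DIR>)\s+(.+?)\s*$")
# An indented stream line that follows it, e.g.
#                                   2,097,152 Readme.txt:Trojan.exe:$DATA
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+):([^:]+):\$DATA\s*$")

# Named streams that are expected noise (downloaded-file marker)
IGNORED_STREAMS = frozenset({"Zone.Identifier"})


def _size(text: str):
    return None if text == "<DIR>" else int(text.replace(",", ""))


def parse_dir_r(text: str):
    """Return a list of (file, file_size, stream, stream_size) for every named stream."""
    entries = []
    current = None                      # (name, size) of the most recent host file line
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            current = (m.group(2), _size(m.group(1)))
            continue
        m = STREAM_LINE.match(line)
        if m and current and m.group(2) == current[0]:
            entries.append((current[0], current[1], m.group(3), _size(m.group(1))))
    return entries


def suspicious_streams(text: str, ignore=IGNORED_STREAMS):
    """Named streams worth a look, as (file, stream, stream_size, file_size)."""
    return [(f, s, ssz, fsz) for f, fsz, s, ssz in parse_dir_r(text) if s not in ignore]


def hidden_bytes(text: str, ignore=IGNORED_STREAMS) -> int:
    """Total bytes carried in flagged streams; invisible to a plain 'dir'."""
    return sum(ssz for _, _, ssz, _ in suspicious_streams(text, ignore))


# Constructed 'dir /R' output: Readme.txt shows as 0 bytes while its
# Trojan.exe stream holds 2 MB, as in the figure above.
SAMPLE_DIR_R = """ Volume in drive C has no label.
 Directory of C:\\

01/15/2013  10:00 AM    <DIR>          .
01/15/2013  10:00 AM    <DIR>          ..
01/15/2013  10:02 AM                 0 Readme.txt
                                2,097,152 Readme.txt:Trojan.exe:$DATA
01/15/2013  10:05 AM             4,096 notes.txt
                                   26 notes.txt:Zone.Identifier:$DATA
01/15/2013  10:07 AM               512 myfile.txt
                                  210 myfile.txt:tiger.txt:$DATA
               3 File(s)          4,608 bytes
"""

if __name__ == "__main__":
    for f, s, ssz, fsz in suspicious_streams(SAMPLE_DIR_R):
        print(f"{f} ({fsz} bytes) carries stream '{s}' of {ssz} bytes")
    print("bytes hidden in streams:", hidden_bytes(SAMPLE_DIR_R))
```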
How to Defend against NTFS Streams
To delete NTFS streams, move the suspected files to a FAT partition
Use a third-party file checksum application to maintain the integrity of an NTFS partition against unauthorized ADS
LNS.exe from http://ntsecurity.nu/toolbox/lns/ can detect streams
NTFS Stream Detector: StreamArmor
StreamArmor discovers hidden Alternate Data Streams and removes them completely from the system
http://securityxploded.com
ADS Spy http://www.merijn.nu
Stream Explorer
ADS Scanner http://www.pointstone.com
ADS Manager http://dmitrybrant.com
Streams http://technet.microsoft.com
RKDetector http://www.rkdetector.com
AlternateStreamView http://www.nirsoft.net
GMER http://www.gmer.net
NTFS-Streams: ADS manipulation tool http://sourceforge.net
HijackThis http://free.antivirus.com
What Is Steganography?
Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data
Utilizing a graphic image as a cover is the most popular method to conceal the data in files
Attackers can insert information such as:
Source code for hacking tool
Communication and coordination channel
What is Steganography?
It has been argued that one of the shortcomings of various detection programs is their primary focus on streaming text data. What if an attacker bypasses normal surveillance techniques and still steals or transmits sensitive data? A typical situation would be where an attacker manages to get inside a firm as a temporary or contract employee and surreptitiously seeks out sensitive information. While the organization may have a policy of not allowing electronic equipment to be removed from a facility, a determined attacker can still find a way with techniques such as steganography.
Steganography is defined as the art of hiding data behind some other data without the knowledge of the enemy. It replaces bits of unused data in the usual files (graphic, sound, text, audio, video) with some other bits that have been obtained surreptitiously. The hidden data can be plaintext or ciphertext, or it can be an image.
The lure of the steganography technique is that, unlike encryption, steganography cannot be detected. When transmitting an encrypted message, it is evident that communication has occurred, even if the message cannot be read. Steganography is used to hide the existence of the message. An attacker can use it to hide information even when encryption is not a feasible option. From a security point of view, steganography is used to hide the file in an encrypted format. This is done so that even if the encrypted file is decrypted, the message will still remain hidden. Attackers can insert information such as:
Source code for hacking tool
List of compromised servers
Plans for future attacks
Communication and coordination channel
Application of Steganography
Access Control System for Digital Content Distribution
Media Bridging
Broadcast Monitoring
Copy Prevention or Control (DVD)
Metadata Hiding (Tracking Information)
Covert Communication
Ownership Assertion
Fingerprinting (Traitor Tracking)
Authentication (Original vs. Forgery)
Application of Steganography
The applications of steganography differ across many areas, and the area depends on what feature of steganography is utilized. Steganography is applicable to:
Access Control System for Digital Content Distribution
In the Access Control System for Digital Content Distribution, the embedded data is "hidden," but is "explained" to publicize the content. In this system, a prototype of an access control system for digital content is developed to send data through the Internet. Using folder access keys, the content owner embeds the content in a folder and uploads it to the web page. The content owner then explains the content and publishes the contact details on the World Wide Web to receive access requests from users, who can contact him or her to get the access key. The valuable data can be protected using special access keys.
Steganography File Systems
A steganography file system provides levels of security in which data is hidden in a series of fixed-size files originally consisting of random bits, on top of which vectors can be superimposed in such a way that each level of security can decrypt all lower levels. The existence of any higher levels, or of an entire partition, is concealed because it is filled with random bits along with the files hidden in it.
Media Bridging
Using digital steganography, electronic communications can be encrypted in the transport layer, such as a document file, image file, program, or protocol.
Copy Prevention or Control (DVD)
In the entertainment industry, steganography can be used to protect copyrights for DVDs and CDs. The DVD copy-protection program is designed to support a copy generation management system.
Covert Communication
Ownership Assertion
Classification of Steganography
Classification of Steganography
Steganography is classified into two areas based on techniques. They are
technical steganography and linguistic steganography. Technical steganography hides a
message using scientific methods, whereas the linguistic steganography hides the
message in the carrier, a medium used to communicate or transfer messages or files.
The steganography medium is usually defined as the combination of the hidden
message, the carrier, and the steganography key. The following diagram depicts the
classification of steganography.
Steganography
  Technical Steganography
  Linguistic Steganography
    Semagrams
      Visual Semagrams
      Text Semagrams
    Open Codes
      Jargon Code
      Covered Ciphers
        Null Cipher
        Grille Cipher
Technical Steganography
Technical steganography uses scientific methods to achieve message hiding. Some of them include:
Invisible ink: this method uses invisible ink to hide text messages.
Microdots: a method that can be used to hide up to one page in a dot.
Computer-based methods: use redundant information in texts, pictures, sounds, videos, etc.
Linguistic Steganography
Uses innocent-looking written natural language to hide the message in the carrier in some nonobvious ways
It is categorized into semagrams and open codes
Types of Semagrams:
Visual Semagrams
Text Semagrams: hides a message by modifying the appearance of the carrier text, such as subtle changes in the font size or type, adding extra spaces, or different flourishes in letters or handwritten text
Linguistic Steganography
Linguistic steganography hides the message in the carrier in some inventive ways. This technique is further categorized as semagrams or open codes.
Semagrams
This technique uses symbols and different signs to hide the data or messages. It is further categorized as visual semagrams and text semagrams.
Visual Semagrams
This method uses innocuous physical objects to transmit a message, such as doodles or the positioning of items on a desk or website.
Text Semagrams
A text semagram hides the text message by transforming the look and appearance of the carrier text, such as changing font sizes and styles, adding extra spaces as white space in the document, and different flourishes in letters or handwritten text.
Linguistic Steganography (Cont'd)
Open code steganography is divided into:
1. Jargon Code: a language that a group of people can understand but that is meaningless to others
2. Covered Ciphers: the message is hidden openly in the carrier medium so that anyone who knows the secret of how it was concealed can recover it
Covered cipher is categorized into:
1. Null Ciphers: a null cipher is an ancient form of encryption where the plaintext is mixed with a large amount of non-cipher material; it can also be used to hide ciphertext
2. Grille Ciphers: a grille is created by cutting holes in a piece of paper; when the receiver places the grille over the text, the intended message can be retrieved
Jargon Codes
Jargon codes are a language that a group of people can understand but that is meaningless to others. These codes use signals, terminology, and conversations that have a special meaning known to a specific group of people. A subset of jargon codes are cue codes, where certain prearranged phrases convey meaning.
Covered Ciphers
The message is hidden openly in the carrier medium so that anyone who knows the secret of how it was concealed can recover it. Covered ciphers are categorized into two types: grille ciphers and null ciphers.
A grille cipher employs a template that is used to cover the carrier message. The
words that appear in the openings of the template are the hidden message.
A null cipher hides the message by using some prearranged set of rules, such as "read
every fifth word" or "look at the third character in every word." It can also be used to
hide cipher text.
Steganography Techniques
Substitution Techniques: substitute the insignificant bits of the cover-object with a secret message
Transform Domain Techniques
Spread Spectrum Techniques
Statistical Techniques: embed messages by altering statistical properties of the cover objects and use hypothesis methods for extraction
Distortion Techniques
Cover Generation Techniques: encode information that ensures creation of a cover for secret communication
Steganography Techniques
Steganography techniques are classified into six groups based on the cover modifications applied in the embedding process. They are:
Substitution Techniques
In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message. If the receiver knows the places where the secret information is embedded, they can extract the secret message.
Transform Domain Techniques
The transform domain technique of steganography hides the
Statistical Techniques
Distortion Techniques
In this technique, a sequence of modifications is applied to the cover in order to get a stego-object. The sequence of modifications is chosen so that it represents the specific message to be transmitted. The decoding process requires knowledge of the original cover: the receiver of the message measures the differences between the original cover and the received cover to reconstruct the sequence of modifications.
Cover-generation Techniques
In this technique, digital objects are created for the purpose of serving as a cover for secret communication. Encoding the information ensures the creation of a cover for the secret communication.
Cover Image + message "EC-Council: Hackers are here. Where are you?" → Stego Image
FIGURE 5.65: How Steganography Works
Types of Steganography
Image Steganography
Document Steganography
Folder Steganography
Video Steganography
Audio Steganography
White Space Steganography
Web Steganography
Spam/Email Steganography
DVD-ROM Steganography
Natural Text Steganography
Hidden OS Steganography
Types of Steganography
Steganography is the art and science of writing hidden messages in such a way that no one other than the intended recipient knows of the existence of the message. The increasing use of electronic file formats with new technologies has made data hiding possible. Basic steganography can be broken down into two areas: data hiding and document marking. Document marking deals with protection against removal and is further divided into watermarking and fingerprinting.
The different types of steganography are listed as follows:
Image Steganography
Document Steganography
Folder Steganography
Video Steganography
Audio Steganography
Whitespace Steganography
Web Steganography
Spam/Email Steganography
DVD-ROM Steganography
Natural Text Steganography
Hidden OS Steganography
C++ Source Code Steganography
Whitespace Steganography Tool: SNOW
Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers
If the built-in encryption is used, the message cannot be read even if it is detected
Administrator: C:\Windows\system32\cmd.exe
I:\CEH-Tools\CEHv8 Module 05 System Hacking\Whitespace Steganography Tool\Snow\swdos32>snow -C -m "This is a test for Whitespace Steganography using Snow" -p "welcome" test.docx snowout.docx
Compressed by 41.90%
Message exceeded available space by approximately 340.35%.
An extra 7 lines were added.
I:\CEH-Tools\CEHv8 Module 05 System Hacking\Whitespace Steganography Tool\Snow\swdos32>
http://www.darkside.com.au
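An added example, not SNOW's code and not part of the courseware: a toy trailing-whitespace scheme in Python that shows the mechanism SNOW relies on (one message byte per line, space for 0 and tab for 1, extra blank lines appended when the message does not fit, as SNOW's "An extra 7 lines were added" reports) together with the check a defender would run to spot such a channel. The cover text is constructed.

```python
"""Trailing-whitespace steganography and its detection (added example, toy scheme)."""

BITS_PER_LINE = 8   # one message byte per line: space = 0, tab = 1, MSB first


def _tail(line: str) -> str:
    """The run of spaces/tabs at the end of a line; what a viewer does not show."""
    return line[len(line.rstrip(" \t")):]


def encode(cover: str, message: bytes) -> str:
    """Append one byte of message per line as trailing spaces/tabs.  If the
    message does not fit, blank lines are added to carry the remainder."""
    lines = cover.split("\n")
    while len(lines) < len(message):
        lines.append("")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")           # existing trailing whitespace would corrupt the channel
        if i < len(message):
            line += "".join("\t" if (message[i] >> s) & 1 else " " for s in range(7, -1, -1))
        out.append(line)
    return "\n".join(out)


def decode(text: str) -> bytes:
    """Recover the bytes; lines without an 8-character space/tab tail carry nothing."""
    msg = bytearray()
    for line in text.split("\n"):
        tail = _tail(line)
        if len(tail) == BITS_PER_LINE:
            msg.append(int("".join("1" if c == "\t" else "0" for c in tail), 2))
    return bytes(msg)


def scan(text: str, min_trailing: int = BITS_PER_LINE):
    """Defender-side check: (line_no, tail_length, tab_count) for every line whose
    trailing whitespace is long enough to be a channel.  Editors rarely leave a
    space/tab mix at line ends, so a mixed tail on many lines is the tell."""
    hits = []
    for n, line in enumerate(text.split("\n"), 1):
        tail = _tail(line)
        if len(tail) >= min_trailing:
            hits.append((n, len(tail), tail.count("\t")))
    return hits


def visible(text: str) -> str:
    """What a casual reader sees: the text with trailing whitespace removed."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))


# Constructed cover text
COVER = "Meeting notes\nAgenda item one\nAgenda item two\n"

if __name__ == "__main__":
    stego = encode(COVER, b"hi")
    print(repr(stego))
    print(decode(stego), scan(stego))
```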
Image Steganography
In image steganography, the information is hidden in image files of different formats such as .PNG, .JPG, .BMP, etc.
Cover Image + Information → Steganography Tool → Stego Image
Image Steganography
Image steganography allows you to conceal your secret message within an image. You can take advantage of the redundant bits of the image to conceal your message within it. These redundant bits are those bits of the image that have very little effect on the image if altered, so the alteration is not easily detected. You can conceal your information within images of different formats such as .PNG, .JPG, .BMP, etc. Images are popular cover objects for steganography. Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by human eyes.
Image steganography techniques can be divided into two groups: image domain and transform domain. In image (spatial) domain techniques, messages are embedded directly in the intensity of the pixels. In transform domain (frequency) techniques, images are first transformed and then the message is embedded in the transformed image.
There are three techniques that you can use to conceal your secret messages in image files:
The following figure depicts image steganography and the role of steganography tools in the image steganography process.
Cover image + Information → Steganography Tool
FIGURE 5.67: How Image Steganography Works
Consider three pixels of a 24-bit image stored as:
(00100111 11101001 11001000)
(00100111 11001000 11101001)
(11001000 00100111 11101001)
And you want to hide the letter "H" in the above 24-bit image as follows.
Now the letter "H" is represented by the binary digits 01001000. To hide this "H," the previous stream can be changed to:
(00100110 11101001 11001000)
(00100110 11001001 11101000)
(11001000 00100110 11101001)
H → 01001000
FIGURE 5.68: Least Significant Bit Insertion Diagram
You just need to replace the LSB of each byte of the image file as shown in this figure. To retrieve this "H" at the other side, the receiver combines all the LSBs of the image file and is thus able to recover the "H."
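As an added example that is not part of the courseware, the Python code below carries out LSB insertion over the nine pixel bytes from the figure and reads the letter back; it also counts how many cover bytes were touched and by how much, which is why the change is not visible to the eye. The cover bytes are a constructed copy of the figure's values, and the functions generalize to any message that fits in the cover.

```python
"""LSB insertion over the figure's pixel bytes (added example, constructed data)."""


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first (as in the figure)."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write each message bit into the least significant bit of one cover byte."""
    bits = list(_bits(message))
    if len(bits) > len(cover):
        raise ValueError(f"cover has {len(cover)} bytes, message needs {len(bits)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the message bit
    return bytes(out)


def extract_lsb(stego: bytes, length: int) -> bytes:
    """Read `length` bytes back by collecting the LSBs in order."""
    if length * 8 > len(stego):
        raise ValueError("not enough cover bytes for that message length")
    out = bytearray()
    for n in range(length):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[n * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def changed_bytes(cover: bytes, stego: bytes) -> int:
    """How many cover bytes the embedding actually touched."""
    return sum(a != b for a, b in zip(cover, stego))


def max_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference; LSB insertion never moves a value by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def from_binary(text: str) -> bytes:
    return bytes(int(b, 2) for b in text.split())


def to_binary(data: bytes) -> str:
    return " ".join(f"{b:08b}" for b in data)


# The three 24-bit pixels from the figure (constructed copy of the page's values)
COVER = from_binary(
    "00100111 11101001 11001000 "
    "00100111 11001000 11101001 "
    "11001000 00100111 11101001")

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"H")
    print(to_binary(stego))
    print(extract_lsb(stego, 1), changed_bytes(COVER, stego), max_change(COVER, stego))
```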
Masking and Filtering
Masking and filtering techniques are generally used on 24-bit and grayscale images
Masking techniques hide information in such a way that the hidden message is inside the visible part of the image
The information is not hidden at the "noise" level of the image
luminosity and opacity of the image. If the change in the luminance is small, then people other than the intended users fail to notice that the image contains a hidden message. This technique can be easily applied to the image as it does not disturb the image. It is mostly used with JPEG images. Lossy JPEG images are relatively immune to cropping and compression image operations. Hence, the information is often hidden in lossy JPEG images using the masking technique. The reason that a steganography image encoded with masking degrades at a lower rate under JPEG compression is that the message is hidden in the significant areas of the picture.
Transform Domain Techniques
The information is hidden in the coefficients of a transform of an image, using functions that are in compression algorithms
JPEG images use the Discrete Cosine Transform (DCT) technique to achieve image compression
Discrete cosine transformation
Wavelet transformation
QuickStego
QuickStego hides secret text in pictures so that only other users of QuickStego can retrieve and read the hidden secret messages
http://quickcrypto.com
encoding the secret text by adding small variations in color to the image. In practice, to
the human eye, these small differences do not appear to change the image.
Image Steganography Tools
Hide In Picture http://sourceforge.net
gifshuffle http://www.darkside.com.au
CryptaPix http://www.briggsoft.com
BMPSecrets http://bmpsecrets.com
OpenPuff http://embeddedsw.net
OpenStego http://openstego.sourceforge.net
PHP-Class StreamSteganography http://www.phpclasses.org
Red JPEG http://www.totalcmd.net
Steganography Studio http://stegstudio.sourceforge.net
Virtual Steganographic Laboratory (VSL) http://vsl.sourceforge.net
Like the tool QuickStego discussed previously, you can also use the following image steganography tools to hide your secret messages in images:
Hide In Picture available at http://sourceforge.net
gifshuffle available at http://www.darkside.com.au
CryptaPix available at http://www.briggsoft.com
BMPSecrets available at http://bmpsecrets.com
OpenPuff available at http://embeddedsw.net
OpenStego available at http://openstego.sourceforge.net
PHP-Class StreamSteganography available at http://www.phpclasses.org
Red JPEG available at http://www.totalcmd.net
Steganography Studio available at http://stegstudio.sourceforge.net
Virtual Steganographic Laboratory (VSL) available at http://vsl.sourceforge.net
Document Steganography
Document Files + Information → Steg Tool → Document Files
http://wbstego.wbailer.com
Document Steganography
Similar to image steganography, document steganography is the technique
used to hide secret messages to be transferred in documents. The following diagram
illustrates the document steganography process:
[Figure: the document steganography process: Document Files → Steg Tool → Information]
Source: http://wbstego.wbailer.com
wbStego is a document steganography tool. Using this tool, you can hide any type of file within carrier file types such as Windows bitmaps with 16, 256, or 16.7M colors, ASCII or ANSI text files, HTML files, and Adobe PDF files.
[Slide: Document Steganography Tools: Merge Streams, Office XML, StegParty, Hydan, Data Stash, StegJ, FoxHole, StegoStick, SNOW]
Video Steganography (slide)
- The techniques used in audio and image files are used in video files, as video consists of audio and images
- A large number of secret messages can be hidden in video files since they are a moving stream of images and sound
Video Steganography
Video steganography involves hiding secret message files of any extension in a continuously flowing video file. Here the video file is used as the carrier that carries the secret information from one end to the other, which keeps the secret information more secure. As the carrier video file is a moving stream of images and sound, it is difficult for an unintended recipient to notice the distortion in the video file caused by the secret message; it may go unobserved because of the continuous flow of the video.
As a video file is a combination of image and audio, all the techniques available for image and audio steganography can also be applied to video steganography. It can be used to hide a large number of secret messages.
Video Steganography: OmniHide PRO
OmniHide Pro hides a file within another file. Any file can be hidden within common image/music/video/document formats. The output file would work just as the original source file.
Source: http://omnihide.com
[Screenshot: OmniHide Pro main window (Mask File, File To Hide, Output File, View converted file when complete)]
Video Steganography Tools
- RT Steganography available at http://rtstegvideo.sourceforge.net
- Masker available at http://www.softpuls.com
- Max File Encryption available at http://www.softeza.com
- MSU StegoVideo available at http://www.compression.ru
- BDV DataHider available at http://www.bdvnotepad.com
- StegoStick available at http://sourceforge.net
- OpenPuff available at http://embeddedsw.net
- Stegsecret available at http://stegsecret.sourceforge.net
- PSM Encryptor available at http://demo.powersoftmakers.com
[Slide: Audio Steganography: audio files such as .MP3, .RM, .WAV; Audio Files → Steg Tool → Information]
Audio Steganography
Audio steganography allows you to conceal your secret message within an audio file such as a WAV, AU, or even MP3 file. It embeds secret messages in audio files by slightly changing the binary sequence of the audio file. The changes made to the audio file by the insertion are not detectable, which secures the secret message from prying eyes.
You need to ensure that the carrier audio file is not significantly degraded by the embedded secret data; otherwise, an eavesdropper can detect the existence of the hidden message in the audio file. So the secret data should be embedded in such a way that the change to the audio file is slight enough that a human cannot detect it.
Information can be hidden in an audio file by using LSB coding or by using frequencies that are inaudible to the human ear (>20,000 Hz).
FIGURE 5.73: Working of Audio Steganography
[Slide: Audio Steganography Methods: Spread Spectrum and echo hiding. The sensitive message is encoded in the echo in the form of variations in amplitude, decay rate, and offset]
Echo hiding uses three parameters of the echo, namely, initial amplitude, decay rate, and offset or delay, to hide secret data. When the offset between the carrier signal and the echo decreases, the two signals become mixed at a certain point, beyond which it is not possible for the human ear to distinguish between them. At this point, the echo is heard only as an added resonance to the original signal. However, the point at which the two sounds become indistinguishable depends on factors such as the quality of the original audio signal, the type of sound, and the listener.
To encode the resultant signal into binary form, two different delay times are used. These delay times should be below human perception. Parameters such as decay rate and initial amplitude should also be set below the audible threshold so that the added echo is not audible at all.
[Slide: Audio Steganography Methods: LSB Coding, Phase Coding, Tone Insertion]
- LSB Coding: substitutes the least significant bit of each sampling point with a coded binary string
- Phase Coding: described as the phase in which an initial audio segment is substituted by a reference phase that represents the data, achieving a soft encoding in terms of signal-to-noise ratio
- Tone Insertion: depends on the inaudibility of low power tones in the presence of significantly higher spectral components, an indirect exploitation of the psychoacoustic masking phenomenon in the spectral domain
Tone Insertion
This method embeds data in the audio signal by inserting low power tones. These low power tones are not audible in the presence of significantly higher audio signals. Because the tones are inaudible, the method conceals the existence of your secret message, and it is very difficult for an eavesdropper to detect the secret message in the audio signal. This method also helps to resist attacks such as low-pass filtering and bit truncation.
Audio steganography software implements one of these audio steganography methods to embed the secret data in audio files.
Phase Encoding
Phase coding is described as the phase in which an initial audio segment is substituted by a reference phase that represents the data. It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of signal-to-noise ratio.
Audio Steganography: DeepSound
Source: http://jpinsoft.net
[Screenshot: DeepSound main window listing carrier audio files, with Add files / Encode controls]
… DeepSound file browser and right-click the audio file to extract your secret file(s).
[Slide: Audio Steganography Tools: CHAOS Universal (http://safechaos.com), SilentEye (http://www.silenteye.org), BitCrypt, QuickCrypto (http://www.quickcrypto.com), MP3Stego (http://www.petitcolas.net), CryptArkan (http://www.kuskov.com), Hide4PGP (http://www.heinz-repp.onlinehome.de), StegoStick (http://stegostick.sourceforge.net), mp3stegz (http://mp3stegz.sourceforge.net); further URL on the slide: http://www.maxa-tools.com]
Folder Steganography: Invisible Secrets 4
Folder steganography refers to hiding secret information in folders
[Screenshot: Invisible Secrets 4, Add files / Add folders dialog]
… encrypt and hide documents directly from Windows Explorer, and then automatically transfer them by email or via the Internet.
[Slide: Folder Steganography Tools: A+ Folder Locker, Universal Shield, Toolwiz BSafe, QuickCrypto (http://www.quickcrypto.com)]
Spam/Email Steganography: Spam Mimic
Source: http://www.spammimic.com
… encodes the secret message as spam with a password, fake PGP, fake Russian, and space.
FIGURE 5.78: Spam Mimic Main Page (Encode: Enter your short secret message; Alternate encodings: Encode as spam with a password, Encode as fake PGP, Encode as fake Russian, Encode as space)
Natural Text Steganography: Big G Play Maker
Source: http://www.scramdisk.clara.net
[Screenshot: Big G Play Maker, Text / Equiv. columns]
Levels of Visibility
g y re
c m u c u ul l i s
11111111111IMMINIII
Redundancy is needed
for a robust method of
embedding
the
message,
but
it
subsequently
reduces the payload
Robustness and payload
are inversely related.
Therefore, the smaller
the
payload, the more
robust
it will be
Data compression
techniques are of
two
types: lossy and_
lloosssslleessss
o Conversion of
lossless
information
compressed
to
lossy
information
destroys
the secret information
present in the cover
EZE
Copyright 0 by Wt' .Ilia. All Rights Reserved. Reproduction isStritdy
Prohibited.
… storage device, thereby allowing the hidden data to be embedded within a host file system. It also allows users to give names and passwords (access keys) for the files.
In this method, the data is obfuscated using cryptographic algorithms, but the presence of data is denied without the corresponding access key, i.e., the one given by the user. Without the appropriate access key (password) the attacker cannot get the data of the file.
The following method is used to construct a steganographic file system:
- The file system begins with random data.
- The encrypted blocks are written to pseudorandom locations using the key acquired from the filename and directory password, to hide the file blocks in the random data. When the file system continues to be written to, collisions occur and blocks are overwritten, allowing only a small portion of the disk space to be safely utilized.
- Multiple copies of each block should be written.
- A method to identify the blocks when they are overwritten is also required.
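A toy model of the four steps just listed, written for this page as an added example (it is not the module's code nor any real steganographic file system): the store starts as random bytes, each encrypted block is replicated at pseudorandom slots derived from the filename and directory password, and a per-block tag lets a reader recognise copies that a later write has overwritten. The class name StegFS, the HMAC-based key derivation, the toy XOR cipher, and the clobber() helper that simulates a collision are all assumptions of the example.

```python
import hashlib
import hmac
import os

BLOCK = 32          # payload bytes per block (toy size)
TAG = 16            # truncated HMAC tag stored after each block
SLOT = BLOCK + TAG  # bytes per slot on the simulated disk


class StegFS:
    """Toy steganographic file system (added example, not a real implementation)."""

    def __init__(self, slots=65536, copies=3):
        self.slots = slots
        self.copies = copies
        # Step 1: the store begins as random data, so a slot holding an encrypted
        # block is indistinguishable from an unused one without the key.
        self.disk = bytearray(os.urandom(slots * SLOT))

    @staticmethod
    def _key(name, password):
        # Per-file key acquired from the filename and the directory password.
        return hmac.new(password.encode(), name.encode(), hashlib.sha256).digest()

    def _slot(self, key, index, copy):
        # Pseudorandom slot for one copy of one block; unpredictable without the key.
        h = hmac.new(key, b"slot|%d|%d" % (index, copy), hashlib.sha256).digest()
        return int.from_bytes(h[:8], "big") % self.slots

    @staticmethod
    def _pad(key, index):
        # Toy stream cipher: the block is XORed with an HMAC-derived keystream.
        return hmac.new(key, b"pad|%d" % index, hashlib.sha256).digest()[:BLOCK]

    @staticmethod
    def _tag(key, index, ct):
        # Step 4: the tag lets a reader recognise a copy that has been overwritten.
        return hmac.new(key, b"tag|%d|" % index + ct, hashlib.sha256).digest()[:TAG]

    def write(self, name, password, data):
        key = self._key(name, password)
        payload = len(data).to_bytes(4, "big") + data
        payload += bytes(-len(payload) % BLOCK)          # zero padding to a block
        for index in range(len(payload) // BLOCK):
            pt = payload[index * BLOCK:(index + 1) * BLOCK]
            ct = bytes(a ^ b for a, b in zip(pt, self._pad(key, index)))
            record = ct + self._tag(key, index, ct)
            for copy in range(self.copies):              # Step 3: replicate
                off = self._slot(key, index, copy) * SLOT
                self.disk[off:off + SLOT] = record       # Step 2: may collide

    def _valid_copies(self, key, index):
        """Yield the plaintext of every copy of a block whose tag still verifies."""
        for copy in range(self.copies):
            off = self._slot(key, index, copy) * SLOT
            ct = bytes(self.disk[off:off + BLOCK])
            tag = bytes(self.disk[off + BLOCK:off + SLOT])
            if hmac.compare_digest(tag, self._tag(key, index, ct)):
                yield bytes(a ^ b for a, b in zip(ct, self._pad(key, index)))

    def intact_copies(self, name, password, index):
        return sum(1 for _ in self._valid_copies(self._key(name, password), index))

    def read(self, name, password):
        """Return the file's bytes, or None if a block is lost or the key is wrong
        (a wrong key lands on random data, so the file's presence is denied)."""
        key = self._key(name, password)
        first = next(self._valid_copies(key, 0), None)
        if first is None:
            return None
        length = int.from_bytes(first[:4], "big")
        out = first
        for index in range(1, (4 + length + BLOCK - 1) // BLOCK):
            blk = next(self._valid_copies(key, index), None)
            if blk is None:
                return None
            out += blk
        return out[4:4 + length]

    def clobber(self, name, password, index, copy):
        """Simulate a collision: another file's write lands on this copy's slot."""
        off = self._slot(self._key(name, password), index, copy) * SLOT
        self.disk[off:off + SLOT] = os.urandom(SLOT)


if __name__ == "__main__":
    fs = StegFS()
    fs.write("notes.txt", "directory-password", b"block replication survives a collision")
    fs.clobber("notes.txt", "directory-password", 0, 0)   # lose one copy of block 0
    print(fs.intact_copies("notes.txt", "directory-password", 0), "copies of block 0 remain")
    print(fs.read("notes.txt", "directory-password"))
    print(fs.read("notes.txt", "wrong-password"))           # None: presence is deniable
```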
Levels of Visibility
If the embedding process distorts the cover to the point that it is visually noticeable, i.e., the image is visibly distorted, then the carrier is insufficient for the payload. Likewise, if the image is not distorted, then the carrier is adequate. The way a message is embedded determines whether the data is perceptible or not. To reduce the theft of data, the presence of a watermark is often publicized. However, publicizing the presence of a watermark also allows various methods to be implemented to attempt to alter or disable the watermark. When the visibility of the data is increased, the potential for manipulation of the data also increases.
… not result in any noticeable difference in the image. Nevertheless, embedded data could become damaged. Some other popular formats, namely Windows Bitmap (BMP) and Graphics Interchange Format (GIF), are considered lossless compression; the compressed image is an exact representation of the original.
Steganalysis
Steganalysis is the art of discovering and rendering useless covert messages using steganography
Challenge of Steganalysis
- The suspect information stream may or may not have encoded hidden data
- Some of the suspect signals or files may have irrelevant data or noise encoded into them
Steganalysis
… between cover image and stego-image file size is the simplest signature. Many signatures are evident using some of the color schemes of the cover image.
Once detected, a stego-image can be destroyed or the hidden message can be modified. Some of the data that is hidden behind images using an image domain tool can prove to be useless.
Challenges of Steganalysis:
- The suspect information stream may or may not have encoded hidden data
- Some of the suspect signals or files may have irrelevant data or noise encoded into them
Exam 312-50 Certified Ethical Hacker
Steganalysis Methods/Attacks on Steganography
- Stego-only, Known-cover, Chosen-message (named on the slide; see the notes below)
- Reformat: the format of the file is changed. This works because different file formats store data in different ways
- Known-stego: the steganography algorithm is known and both the original and the stego-object are available
- Known-message: the hidden message and the corresponding stego-image are known
- Chosen-stego: the stego-object and steganography algorithm are identified
- Disabling or Active: during the communication process, active attackers can change the cover
Steganography attacks are split into eight types: stego-only attacks, reformat attacks, known-cover attacks, known-message attacks, known-stego attacks, chosen-stego attacks, chosen-message attacks, and disabling attacks.
Stego-only attack
The stego-only attack takes place when only the stego-medium is available with which to carry out the attack. The only way that this attack can be avoided is by detecting and extracting the embedded message.
Reformat attack
In this method the format of the file is changed. This works because different file formats store data in different ways.
Known-cover attack
The known-cover attack is used when both a stego-medium and the cover-medium are present. This enables a comparison to be made between the two mediums so that the change in the format of the medium can be detected.
Known-message attack
The known-message attack presumes that the message and the stego-medium are present, and that the technique by which the message was embedded can be found.
Known-stego attack
In this attack, the steganography algorithm is known and both the original and the stego-object are available.
Chosen-stego attack
The chosen-stego attack takes place when the forensic investigator generates a stego-medium from the message by using a special tool. Searching for signatures that will enable the detection of other steganography mediums can carry out such an attack.
Chosen-message attack
… that is used to reduce the raggedness associated with the stego-medium. Resampling is normally used to resize the image. Softening of the stego-medium applies a uniform blur to an image to smooth edges and reduce contrast, causing less distortion than blurring.
Detecting Text and Image Steganography
Text File
- Alterations are made to the character positions for hiding the data
- Hidden data can be detected by looking for text patterns or disturbances, the language used, and an unusual amount of blank spaces
Image File
- Hidden data can be detected by determining changes in size, file format, the last modified timestamp, and the color palette of the file
- Statistical analysis method is used for image scanning
… within the cover medium. In this, the unused bits of data in computer files such as graphics, digital images, text, HTML, etc. are used for hiding sensitive information from unauthorized users. Hidden data is detected in different ways depending on the type of file used; the following file types require specific methods to detect hidden messages. When a message is hidden in a file in such a way that only an authorized user aware of the hidden message can read or recover it, some alteration has probably been applied to the cover or carrier file. The alteration varies based on the type of file used as the carrier.
Text Files
For text files, the alterations are made to the character positions for hiding the data. These alterations can be detected by looking for text patterns or disturbances, the language used, line height, and an unusual number of blank spaces.
Image Files
The information hidden in an image can be detected by determining changes in size, file format, last modified timestamp, and color palette of the file.
Statistical analysis methods can be used when scanning an image. Assuming that the least significant bits are more or less random is an incorrect assumption, since applying a filter that shows only the LSBs can produce a recognizable image. Therefore, it can be concluded that the LSBs are not random; rather, they carry information about the entire image.
Whenever a secret message is inserted into an image, the LSBs no longer behave this way. With encrypted data that has high entropy, the LSB plane of the cover no longer contains information about the original and is more or less random. By using statistical analysis on the LSBs, the difference between random values and real values can be identified.
Detecting Audio and Video Steganography
Audio File
- Statistical analysis method can also be used for audio files since the LSB modifications are also used on audio
- The inaudible frequencies can be scanned for information
- The odd distortions and patterns show the existence of the secret data
Video File
- The odd distortions and patterns show the existence of the secret data
Video File
In video steganography, confidential information or any kind of file with any extension is hidden in a carrier video file, either by using audio steganography or image steganography tools. Therefore, detection of secret data in video files combines the methods used for image and audio files. Special code signs and gestures can also be used for detecting secret data.
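The LSB statistical argument above, carried through as an added example written for this page (not the module's code or any named tool): a constructed 8-bit cover is filled with a full-length high-entropy payload, and the pairs-of-values chi-square statistic (the test introduced by Westfeld and Pfitzmann) shows the histogram pairs n(2k), n(2k+1) equalising once the LSB plane is random. The same functions apply unchanged to 8-bit audio samples, which is why the audio slide says statistical analysis carries over. make_cover() and its contrast-stretch step are assumptions of the example standing in for a real image.

```python
import math
import random


def make_cover(n=65536, width=1024, seed=1):
    """Constructed stand-in for a cover image scanned row by row as 8-bit samples
    (an assumption of this example). A smooth gradient plus sensor noise is quantised
    to 8 bits, then contrast-stretched by 5/4 and quantised again; the second
    quantisation leaves the comb-shaped histogram (values that never occur) typical of
    processed images, so the pairs n(2k), n(2k+1) are far from equal."""
    rng = random.Random(seed)
    samples = []
    for i in range(n):
        raw = 100 + 60 * math.sin(2 * math.pi * (i % width) / width) + rng.gauss(0, 1.5)
        r = max(0, min(255, int(round(raw))))     # first quantisation (sensor)
        samples.append(min(255, (r * 5) // 4))    # contrast stretch, second quantisation
    return samples


def random_payload(nbits, seed=7):
    """High-entropy payload bits, standing in for encrypted data."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(nbits)]


def embed_lsb(samples, bits):
    """Sequential LSB replacement: payload bit i becomes the LSB of sample i."""
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in the carrier")
    stego = list(samples)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | (b & 1)
    return stego


def extract_lsb(samples, nbits):
    return [s & 1 for s in samples[:nbits]]


def pair_counts(samples):
    """Histogram counts of each value pair (2k, 2k+1); LSB flipping only ever
    moves a sample between the two members of its pair."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    return [(hist[2 * k], hist[2 * k + 1]) for k in range(128)]


def pair_imbalance(samples, min_total=10):
    """Mean |n(2k) - n(2k+1)| / (n(2k) + n(2k+1)) over well-populated pairs:
    near 0 when the LSB plane is random, well above that for an untouched cover."""
    vals = [abs(a - b) / (a + b) for a, b in pair_counts(samples) if a + b >= min_total]
    return sum(vals) / len(vals)


def chi_square_pairs(samples):
    """Pairs-of-values chi-square statistic and its degrees of freedom. Under the
    hypothesis 'the LSBs were replaced by random bits' the expected count of value 2k
    is the pair mean; a statistic near df fits that hypothesis, while a statistic far
    above df (as for a natural cover) rejects it."""
    chi2, pairs = 0.0, 0
    for a, b in pair_counts(samples):
        expected = (a + b) / 2
        if expected > 0:
            chi2 += (a - expected) ** 2 / expected
            pairs += 1
    return chi2, max(pairs - 1, 0)


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, random_payload(len(cover)))
    for name, s in (("cover", cover), ("stego", stego)):
        chi2, df = chi_square_pairs(s)
        print(f"{name}: imbalance={pair_imbalance(s):.3f} chi2={chi2:.1f} df={df}")
```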
Steganography Detection Tool: Gargoyle Investigator Forensic Pro
Source: http://www.wetstonetech.com
- Gargoyle Investigator Forensic Pro provides inspectors with the ability to conduct a quick search on a given computer or machine for known contraband and hostile programs
- Its signature set contains over 20 categories, including Botnets, Trojans, Steganography, Encryption, Keyloggers, etc. and helps in detecting stego files created by using BlindSide, WeavWav, S-Tools, etc. steganography tools
[Screenshot: Gargoyle Investigator Forensic Pro scan results]
Gargoyle Investigator Forensic Pro is a tool that conducts quick searches on a given computer or machine for known contraband and malicious programs. It is possible to find remnants even after the program has been removed, because the search is conducted for the individual files associated with a particular program. Its signature set contains over 20 categories, including botnets, Trojans, steganography, encryption, keyloggers, etc., and helps in detecting stego files created by using BlindSide, WeavWav, S-Tools, etc. It can scan a stand-alone computer or network resources for known malicious programs, scan within archive files, etc.
[Slide: Steganography Detection Tools: StegAlyzerSS, StegAlyzerAS, StegAlyzerRTS (http://www.sarc-wv.com), Stego Suite (http://www.wetstonetech.com), StegMark SDK (http://www.datamark.com.sg), Steganography Studio (http://stegstudio.sourceforge.net), Virtual Steganographic Laboratory (VSL) (http://vsl.sourceforge.net), StegSpy (http://www.spy-hunter.com), Stegdetect (http://www.outguess.org), Stegsecret (http://stegsecret.sourceforge.net)]
- Virtual Steganographic Laboratory (VSL) available at http://vsl.sourceforge.net
- Stegdetect available at http://www.outguess.org
[Slide: Module Flow: Cracking Passwords, Hiding Files, Covering Tracks, Penetration Testing]
… install backdoors. Thus, the attacker can gain users' sensitive information such as user names and passwords of bank accounts, email IDs, etc.
The attacker may not wish to delete an entire log to cover his or her tracks, as it may require admin privileges. If the attacker is able to delete only the attack event logs, even then the attacker hides himself or herself from being detected.
The attacker can manipulate the log files with the help of:
- SECEVENT.EVT (security): failed logins, accessing files without privileges
Covering Tracks
Once intruders have successfully …, they will try to cover their tracks to avoid detection
Covering Tracks
Erasing evidence is a requirement for any attacker who would like to remain obscure. This is one method to evade trace back. It starts with erasing the contaminated logins and possible error messages that may have been generated by the attack process. Next, attention is turned to effecting any changes so that future logins are not allowed. By manipulating and tweaking the event logs, the system administrator can be convinced that the output of his or her system is correct, and that no intrusion or compromise has actually taken place.
Since the first thing a system administrator does to monitor unusual activity is to check the system log files, it is common for intruders to use a utility to modify the system logs. In some cases, rootkits can disable and discard all existing logs. This happens if the intruders intend to use the system for a longer period of time as a launch base for future intrusions; otherwise they remove only those portions of the logs that can reveal their presence in the attack.
It is imperative for attackers to make the system look like it did before they gained access and established backdoors for their use. Any files that have been modified need to be changed back to their original attributes. There are tools for covering one's tracks with regard to the NT operating system. Information listed, such as file size and date, is just attribute information contained within the file.
[Slide: clearing recently opened program and document history in Windows 7 and Windows 8; browser privacy settings: History in the address field, Disable stored history, Delete private data, Clear cookies on exit, Clear cache on exit, Delete downloads, Disable password manager, Delete saved sessions, Delete user JavaScript, Set up multiple users]
In Windows 7
- Click the Start button, choose Control Panel, and then Taskbar and Start Menu.
- Click the Start Menu tab, and then, under Privacy, clear the Store and display a list of recently opened programs check box.
From the Registry in Windows 8
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then remove the key for "Recent Docs"
- Delete all the values except "(Default)"
[Screenshot: output of auditpol /get /category:* showing the Category/Subcategory and Setting columns, http://www.microsoft.com]
… changes to it.
The attacker would need to install the utility in the WINNT directory. He or she can then establish a null session to the target machine and run the command:
C:\> auditpol
This will reveal the current audit status of the system. He or she can choose to disable the auditing by:
C:\> auditpol /disable
This will make changes in the various logs that might register his or her actions. He or she can choose to hide the registry keys changed later on.
The moment the intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once their work is done, after logout, the intruders turn the auditing back on by using the same tool, auditpol.exe.
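From the defender's side, the countermeasure to the sequence just described is to verify that the audit policy an intruder would have switched off is still in force. The following is an added example written for this page, not Microsoft's code: it parses the output of auditpol /get /category:* (a constructed sample, in the two-column format the screenshots show) and reports every subcategory that falls short of a baseline. The baseline and the sample output are assumptions chosen for illustration.

```python
import re

# Constructed sample of `auditpol /get /category:*` output (not captured from a real
# host); the two-column layout follows the screenshots on this page.
SAMPLE_OUTPUT = "\n".join([
    "System audit policy",
    "Category/Subcategory                      Setting",
    "System",
    "  Security System Extension               No Auditing",
    "  System Integrity                        Success and Failure",
    "  IPsec Driver                            No Auditing",
    "  Other System Events                     Success and Failure",
    "  Security State Change                   Success",
    "Logon/Logoff",
    "  Logon                                   Success and Failure",
    "  Logoff                                  No Auditing",
    "  Account Lockout                         Success",
    "Detailed Tracking",
    "  Process Creation                        No Auditing",
    "  Process Termination                     No Auditing",
    "Policy Change",
    "  Audit Policy Change                     Success and Failure",
])

# Illustrative baseline (an assumption of this example, not a vendor recommendation):
# the subcategories an intruder disabling auditing would most want silenced. Note that
# "Audit Policy Change" is what records the auditpol change itself.
BASELINE = {
    "Security State Change": "Success and Failure",
    "Security System Extension": "Success",
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Account Lockout": "Success",
    "Process Creation": "Success and Failure",
    "Audit Policy Change": "Success and Failure",
}


def setting_flags(setting):
    """Map an auditpol setting string to the set of outcomes it records."""
    flags = set()
    if "Success" in setting:
        flags.add("Success")
    if "Failure" in setting:
        flags.add("Failure")
    return flags                      # "No Auditing" (or anything else) -> empty set


def parse_auditpol(text):
    """Return {subcategory: setting} from auditpol /get output. Category lines are
    unindented and carry no setting; subcategory lines are indented and separated
    from their setting by a run of two or more spaces."""
    policy = {}
    for line in text.splitlines():
        if not line.strip() or not line.startswith(" "):
            continue                  # blank line, report header or category name
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 2:
            policy[parts[0]] = parts[1]
    return policy


def check_audit_policy(text, baseline):
    """Return sorted (subcategory, expected, actual) for every baseline entry the
    current policy does not satisfy; a subcategory missing from the output is
    reported as 'absent'."""
    policy = parse_auditpol(text)
    findings = []
    for subcat, expected in baseline.items():
        actual = policy.get(subcat, "absent")
        if not setting_flags(expected) <= setting_flags(actual):
            findings.append((subcat, expected, actual))
    return sorted(findings)


if __name__ == "__main__":
    for subcat, expected, actual in check_audit_policy(SAMPLE_OUTPUT, BASELINE):
        print(f"{subcat}: expected {expected!r}, found {actual!r}")
```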
[Screenshot: Command Prompt showing auditpol /set with /success:enable /failure:enable, followed by auditpol /get /category:* output]
hard disk space for further use. With this tool, you can erase your tracks very easily.
It also cleans traces of your online activities such as your Internet history.
FIGURE 5.82: CCleaner Screenshot
[Screenshot: MRU-Blaster scan results, "Total Items Detected: 378", listing entries such as Windows 'Recent' Folder items, Internet Explorer MRU Recent Download Directory, MS Direct3D / DirectDraw / DirectInput Most Recent Application, Microsoft Management Console Recent File List, and Windows Explorer RecentDocs Stream MRU]
[Screenshot: MRU-Blaster settings screen. Items specified in this section have been added to allow you to permanently ignore them in scanning; any item that is checked below will be scanned: Microsoft Office MRU Items, Windows Stream MRU, Windows Find/Search MRUs, Microsoft Office "Recent" folder(s), Windows "Recent" folder, Windows UserAssist MRUs, Microsoft Regedit MRUs, WordPerfect MRU Items, Corel Presentations MRU Items, QuattroPro MRU Items, MS Visual Studio MRU Items, Install Locations MRU, Customize Notifications Past Items, Windows OpenWith MRUs. Any items not on this list can be found on the scan results screen. Plugins: MRU-Blaster plug-ins provide additional cleaning support for other items on disk.]
Track Covering Tools
Track covering tools protect your personal information throughout your Internet
browsing by cleaning up all the tracks of Internet activities on the computer. They
free cache space, delete cookies, clear Internet history and shared temporary files,
delete logs, and discard junk. A few of these tools are listed as follows:
- Tracks Eraser Pro available at http://www.acesoft.net
- WinTools.net Professional available at http://www.wintools.net
- BleachBit available at http://bleachbit.sourceforge.net
- AbsoluteShield Internet Eraser Pro available at http://www.internet-track-eraser.com
- Clear My History available at http://www.hide-my-ip.com
- EvidenceEraser available at http://www.evidenceeraser.com
- RealTime Cookie & Cache Cleaner (RtC3) available at http://www.kleinsoft.co.za
- AdvaHist Eraser available at http://www.advacrypt.cjb.net
- Free Internet Window Washer available at http://www.eusing.com
[Slide: System Hacking penetration testing overview, with the stages Cracking Passwords, Escalating Privileges, Executing Applications, Covering Tracks and Penetration Testing]
Password Cracking
[Flowchart of the password cracking pen-testing steps: START; check for password complexity; perform dictionary attack, brute forcing attack and rule-based attack; "Having access to the password?"; acquire access to the communication channels between victim and server to extract the information; perform man-in-the-middle attack; the remaining boxes ("user accounts", "to remote systems") are unreadable in the scan]
Password Cracking (Cont'd)
[Flowchart continued: perform replay attack; perform shoulder surfing; perform password guessing; perform Trojan/spyware/keyloggers; perform hash injection attack; perform social engineering; perform dumpster diving; perform distributed network attack; perform rainbow attack]
Inject a compromised hash into a local session and use the hash to validate to
network resources.
Step 13: Perform a rainbow attack
Use a rainbow table that stores pre-computed hashes to crack the hashed
password.
Step 14: Perform a distributed network attack
Recover password-protected files using the unused processing power of machines
across the network to decrypt passwords.
Privilege Escalation
[Flowchart: try to log in with enumerated user names and cracked passwords; "Interactive logon privileges are restricted?"; use privilege escalation tools; use privilege escalation tools such as Active@ Password Changer, Offline NT Password & Registry Editor, Windows Password Reset Kit, Windows Password Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password Recovery Bootdisk, etc.]
Privilege Escalation
Once the attacker gains the system password, he or she then tries to escalate
privileges to the administrator level so that he or she can install malicious programs or
malware on the target system and thus retrieve sensitive information from the system.
As a pen tester, you should hack the system as a normal user and then try to escalate
your privileges. The following are the steps to perform privilege escalation:
Step 1: Try to log in with enumerated user names and cracked passwords
Once you crack the password, try to log in with the password obtained in order to gain
access to the system. Check whether interactive logon privileges are restricted.
If YES, then try to run the services as unprivileged accounts.
Step 2: Try to run services as unprivileged accounts
Before trying to escalate your privileges, try to run services and check whether you
have permissions to run services or not. If you can run the services, then use privilege
escalation tools to obtain high-level privileges.
Step 3: Use privilege-escalation tools
Use privilege-escalation tools such as Active@ Password Changer, Offline NT
Password & Registry Editor, Windows Password Reset Kit, Windows Password
Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password
Recovery Bootdisk, etc. These tools will help you to gain higher level privileges.
Executing Applications
[Flowchart: START; check if firewall software and antikeylogging software are installed; check if the hardware systems are secured in a locked environment; try to use keyloggers]
Executing Applications
Pen testers should check the target systems by executing some applications
in order to find out the loopholes in the system. Here are the steps to check your
system when you choose certain applications to be executed to determine loopholes.
Hiding Files
[Flowchart: START; install rootkits in the target; perform integrity-based detection technique; perform signature-based detection technique; perform cross-view-based detection technique; use steganography; perform steganalysis technique; use the NTFS alternate data stream (NTFS-ADS); check if anti-spyware is updated]
Hiding Files
An attacker installs rootkits to maintain hidden access to the system. You
should follow pen testing steps for detecting hidden files on the target system.
Step 1: Install rootkits
First try to install the rootkit in the target system to maintain hidden access.
Step 2: Perform integrity-based detection techniques
Perform integrity-based detection, signature-based detection, cross-view-based
Covering Tracks
[Slide bullets: close any opened port; tamper with log files such as event log files, server log files and proxy log files by log poisoning or log flooding; use track covering tools such as CCleaner, MRU-Blaster, Wipe, Tracks Eraser Pro, Clear My History, etc.]
Covering Tracks
The pen tester should check whether he or she can cover the tracks that he or she has
made while simulating the attack to conduct penetration testing. To check whether
you can cover tracks of your activity, follow these steps:
Step 1: Remove web activity tracks
First, remove the web activity tracks such as MRU, cookies, cache, temporary
files, and history.
Step 2: Disable auditing
Try to disable auditing on your target system. You can do this by using tools such as
Auditpol.
Step 3: Tamper with log files
Try to tamper with log files such as event log files, server log files, and proxy log files
with log poisoning or log flooding.
Step 4: Use track covering tools
Use track covering tools such as CCleaner, MRU-Blaster, Wipe, Tracks Eraser Pro,
Clear My History, etc.
Step 5: Try to close all remote connections to the victim machine
Step 6: Try to close any opened ports
Module Summary
- Attackers use a variety of means to penetrate systems.
- Password guessing and cracking is one of the first steps.
- Password sniffing is a preferred eavesdropping tactic.
- spyware tools
- Invariably, attackers destroy evidence of "having been there and done the damage."
- Stealing files as well as hiding files are the means to sneak out sensitive information.