Ceh V8 Labs Module 05 System Hacking 76o5b
This document was ed by and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this report form. Report 2z6p3t
Overview 5o1f4z
& View Ceh V8 Labs Module 05 System Hacking as PDF for free.
More details 6z3438
- Words: 43,151
- Pages: 117
CEH Lab Manual
System Hacking Module 05
Module 05 - System Hacking
System Hacking System hacking is the science of testing computers and networkfor vulnerabilities and plug-ins.
Lab Scenario {— I Valuable intommtion_____ Test your knowledge______ a* Web exercise £Q! Workbook review
hacking 1s one o f the easiest and most common ways hackers obtain unauthorized computer 01 ־network access. Although strong s that are difficult to crack (or guess) are easy to create and maintain, s often neglect tins. Therefore, s are one of the weakest links 111 die uiformation-secunty chain. s rely 011 secrecy. After a is compromised, its original owner isn’t the only person who can access the system with it. Hackers have many ways to obtain s. Hackers can obtain s from local computers by using -cracking software. To obtain s from across a network, hackers can use remote cracking utilities 01 ־network analyzers. Tins chapter demonstrates just how easily hackers can gather information from your network and descnbes vulnerabilities diat exit 111 computer networks and countermeasures to help prevent these vulnerabilities from being exploited 011 vour systems.
Lab Objectives The objective o f tins lab is to help students learn to m onitor a system rem otely and to extract hidden files and other tasks that include:
[ “׳Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
■
Extracting istrative s
■
HicUng files and extracting hidden files
■
Recovering s
■
Monitoring a system remotely
Lab Environment To earn ־out die lab you need: ■
A computer running Windows Server 2012
■
A web browser with an Internet connection
■
istrative pnvileges to run tools
Lab Duration Tune: 100 Minutes
C E H L ab M an u al Page
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Overview of System Hacking The goal o f system hacking is to gain access, escalate privileges, execute applications, and hide files.
stask
1
Overview
Lab Tasks Recommended labs to assist you 111 system hacking: ■ Extracting s Using L ■ Hiding Files Using NTFS Stream s ■ Find Hidden Files Using ADS Spy ■ Hiding Files Using the Stealth Files Tool ■ Extracting SAM Hashes Using PWdump7 Tool ■
Creating die Rainbow Tables Using Winrtge
■ Cracking Using RainbowCrack ■
Extracting s Using LOphtCrack
■ Cracking Using Ophcrack ■ System Monitoring Using R em oteE xec
■ Hiding Data Using Snow Steganography ■
Viewing, Enabling and Clearing the Audit Policies Using Auditpol
■ Recovery Using CHNTPW.ISO
■
System Monitoring and Surveillance Needs Using Spytech Spy Agent
■
Web Activity Monitoring and Recording using Power Spy 2013
■ Image Steganography Using Q uickStego
Lab Analysis Analyze and document the results related to the lab exercise. Give your opinion on the target’s security posture and exposure.
PLEASE TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T IO N S R E L A T E D T O T H I S L AB .
C E H L ab M an u al Page 309
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Extracting s Using L Link Control Protocol (L) ispart of the Point-to-Point (PPP)protocol In PPP communications, both the sending and receiving devices send out L packets to determine specific information requiredfor data transmission.
Lab Scenario l£^7 Valuable information S
Test your knowledge______
*a Web exercise £ Q Workbook review
Hackers can break weak storage mechanisms by using cracking methods that outline 111 this chapter. Many vendors and developers believe that s are safe from hackers if they don’t publish the source code for their encryption algorithms. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge. -cracking utilities take advantage o f weak encryption. These utilities do the grunt work and can crack any , given enough time and computing power. In order to be an expert ethical hacker and penetration tester, you m ust understand how to crack s.
Lab Objectives Tlie objective o f tins lab is to help students learn how to crack s for ethical purposes. 111 this lab you will learn how to:
^^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 310
■
Use an L tool
■
Crack s
Lab Environment To carry out the lab you need: י
L located at D:\CEH-Tools\CEHv8 Module 05 System H acking\w ord Cracking Tools\L
■
You can also the latest version o f L from the link http: / www.lsoft.com/engl1sh/1ndex.htm E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
If you decide to the la te st version, then screenshots shown 111 the lab might differ
■ Follow the wizard driven installation instructions ■ Run this tool 111 W indows Server 2012 ■ istrative privileges to run tools ■ T/IP settings correctly configured and an accessible DNS server
Lab Duration Time: 10 Minutes
Overview of L L program mainly audits w ords and recovers diem 111 Windows 2008 and 2003. General features o f diis protocol are recovery, brute force session distribution, information importing, and hashing. It can be used to test security, or to recover lost s. Tlie program can import from die local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Smtt tile. L s dictionary attack, bmte lorce attack, as well as a hybrid ot dictionary and bmte torce attacks.
Lab Tasks 9
TASK 1
1. Launch the Start menu by hovering the mouse cursor 011 the lower-left corner of the desktop.
Cracking
S | Windows Server 2012
FIGURE 1.1: Windows Server 2012 —Desktop view
2 . Click the L app to launch L.
m You can also L from http: / / www.lsoft.com.
C E H L ab M an u al Page 311
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Start
Server Manager
Windows PowerShell
Computer
Control
T
y
Google Chrome
Hyper-V Manager
L
tet
*9
m
Hyper-V Virtual Machine...
SQL Server Installation Center...
Mozilla Firefox
Global Network Inventory
? Command Prompt
£ Ifflfmrtbfimr
a
©
II
Nmap Zenmap GUI
Woikspace Studio
O
3
Ku
Dnktop
FIGURE 1.2: Windows Server 2012 —Apps
3 . The L main window appears. £ 7 L s additional encryption of s by SYSKEY at import from registry and export from SAM file.
TZI
L File
View
Im port
Session
a c # "יDictionaiy attack
r
► ■6 Hybrid attack
Dictionary word:
Name
Help
0 LM
Ready fo r s recovering
? ״ * * ■ וa r
Brute force attack
I0 NT
0.0000 I <8
>14
% done LM Hash
NT Hash
0 of 0 s were found (0.000%)
FIGURE 1.3: L main window
4 . From die menu bar, select Import and then Import from rem ote com puter.
C E H L ab M an u al Page 312
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
L | File
View | Im port | Session
fh
A
Help
9 e
Im port From Local Computer...
1
Im port From Remote Computer... Im port From SAM File...
Dictionary wc
1
Im port From .LC File...
Name
X done LM Hash
Im port From .LCS File...
NT Hash
Im port From PwDump File... Im port From Sniff File...
C Q l is logically a transport layer protocol according to the OSI model
Ready fo r s recovering
0 of 0 s were found (0.000%)
FIGURE 1.4: Import die remote computer
5. Select Computer nam e or IP ad d ress, select the Import type as Import from registry, and click OK. Import from remote computer File
View
In
Computer OK
Computet name ot IP address: r
Dictionary at!
Dictionary word: Name
□
WIN-039MR5HL9E4
Cancel Help
Import type (•) Import from registry
O Import from memory I I Encrypt transferred data
C Q l c p checks die identity of the linked device and eidier accepts or rejects the peer device, then determines die acceptable packet size for transmission.
Connection Execute connection Shared resource: hpc$ name: : I 0 Hide Ready for w!
FIGURE 1.5: Import from remote computer window
6. The output window appears.
C E H L ab M an u al Page 313
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
_
L [ ־C:\Program Files (x86)\L\pwd80013.txt] File
View
Im port
Session
r
Dictionary attack
Hybrid attack
Dictionary word: Name
LM NO WO.
Guest
S Main purpose of L program is s auditing and recovery in Windows
r
1• © ״*®״ ׳
Brute force attack
1 10
r
^ inistrator
x
Help
a e + l ► 0 !?> י יי r
□
0.0000
NT
NO WO. .
<8
NO WO...
X done
>14
LM Hash
X
NO
BE40C45QAB99713DF.J
NO
NO C25510219F66F9F12F.J
X
NT Hash
^ L A N G U A R D .. . NO WO.
X
NO
- C Martin
NO WO.
X
NO
5EBE7DFA074DA8EE..
S Juggyboy
NO WO.
X
NO
488CD CD D222531279.
■ fi Jason
NO WO.
X
NO
2D 20D 252A479F485C..
- C Shiela
NO WO.
X
NO
0CB6948805F797BF2...
Ready fo r s recovering
1 of 7 s were found (14.286%)
FIGURE 1.6: Importing the Names
7 . N ow select any U ser Name and click the L1L4Play button. 8. Tins action generates s.
־r a :
L - [C:\Program Files (x86)\L\pwd80013.txt.l] File
View
Im port
Session
Help
* o e 0 0 4 H 11 1 1 ^ ־8 ״׳l« M ״מDictionary attack
r
Hybrid attack
Dictionary word: istrate 1
"יBrute force attack 14.2857 *d o n e
/ |7
Starting combination: A Name
LM
Ending combination: AD MINIS TRAT 0 RZZ
NT
<8
£ NO WO... ® G uest
NO WO...
>14 x
NO WO...
x
NT Hash
NO
BE40C45CAB99713DF..
NO
NO
- E lANGUAR...
NO WO...
NO
C25510219F66F9F12F..
^ M a r t in
NO WO... apple
NO
5EBE7DFA074DA8EE
^Qjuqqyboy
NO WO... green
NO
488CDCD D222531279..
^ 3 Jason
NO WO... qwerty
NO
2D20D252A479F485C..
® S h ie la
NO WO... test
NO
OCB6948805F797B F2...
s recovering interrupted
x
LM Hash
5 o f 7 s were found (71.429%)
I
FIGURE 1.7: L generates the for the selected name
Lab Analysis Document all die IP addresses and s extracted for respective IP addresses. Use tins tool only for training purposes.
C E H L ab M anual Page 314
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
P L EA S E TALK TO Y OUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved Remote Computer Name: W IN -D 39MR 5H L 9E 4 Output:
L
Name
-
■ ■ ■ ■
-
Martin Juggvboy Jason Sluela
N T apple green qwerty test
Questions 1. \Y11at is the main purpose o f L? 2 . How do von continue recovering s with L?
Internet Connection Required □ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 315
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Hiding Files Using NTFS Streams A. stream consists of data associated rvith a main file or directory (known as the main unnamed stream). Each fie and directory in N TF S can have multiple data streams that aregenerally hiddenfrom the .
Lab Scenario / Valuable information ' Test your knowledge SB Web exercise m
Workbook review
Once the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems 011 the network. Most often there are matching service, , or s residing 011 each system that make it easy for the attacker to compromise each system in a short am ount o f time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and information. Attackers continue to leverage inform ation 011 each system until they identity s for s that reside 011 highly prized systems including payroll, root domain controllers, and web servers. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to hide files using NTFS streams.
Lab Objectives The objective o f tins lab is to help students learn how to lnde files using NTFS streams.
& T ools
It will teach you how to:
dem onstrated in ■ Use NTFS streams this lab are available in ■ Hide tiles D:\CEHTools\CEHv8 Module 05 System Hacking To carry out the lab you need:
Lab Environment
C E H L ab M an u al Page
■
A com puter running W indows Server 2008 as virtual machine
■
Form atted C:\ drive NTFS
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Duration Tune: 15 Minutes
Overview of NTFS Stream s m
NTFS (New Technology File System) is die standard file system of Windows.
NTFS supersedes die FAT file system as the preferred file system lor Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as unproved lor metadata and die use of advanced data structures.
Lab Tasks Sd. TASK 1
1. Run this lab 111 Windows Server 2008 virtual machine 2 . Make sure the C:\ drive is formatted for NTFS.
NTFS Stream s
3 . Create a folder called m agic on the C:\ drive and copy c a lc .e x e from C :\w indow s\system 32 to C:\magic.
4 . O pen a com m and prom pt and go to C:\magic and type notepad re e.txt 111 com m and prom pt and press Enter.
5. re e.txt 111 N otepad appears. (Click Y es button 11 prom pted to create a new re e.txt file.)
6. Type Hello World! and Save the file.
£ 3 NTFS stream runs on Windows Server 2008
7 . N ote the file siz e o f the re e.txt by typing dir 111 the command prom pt.
8. N ow hide c a lc .e x e inside the re e.txt by typing the following 111 the com m and prompt: type c:\m a g ic\ca lc.ex e > c:\m agic\re e.txt 1c a lc .e x e
C E H L ab M an u al Page 317
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
-lo|x|
(cT Command Prompt C : N n a g ic > n o t e p a d
re a d n e .tx t
C : S n a g ic > d ir U o lu n e i n d r i u e C h a s n o l a b e l . U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y
E Q a stream consists of data associated with a main file or directory (known as the main unnamed stream).
0 9 /1 2 /2 0 1 2 0 9 /1 2 /2 0 1 2 0 1 /1 9 /2 0 0 8 0 9 /1 2 /2 0 1 2
of
C :\n a g ic
0 5 : 3 9 AM < D IR > 0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 ,4 1 6 c a lc . e x e 0 5 : 4 0 AM 12 r e a d n e . t x t 1 8 8 ,4 2 8 b y te s 2 F ile < s > 2 D ir < s > 4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s f r e e
C : \ m a g ic > ty p e
c : \ n a g ic \c a lc . e x e
> c :\n a g ic \r e a d n e . t x t: c a lc . e x e
C :\m a g ic >
FIGURE 2.2: Command prompt with hiding calc.exe command
Type dir 111 com m and prom pt and note the tile size o f re e.txt. [cTT Command Prompt D ir e c to r y 0 0 0 0
9 /1 9 /1 1 /1 9 /1
2 /2 2 /2 9 /2 2 /2
01 01 00 01
2 2 8 2
of
C :\n a g ic
0 5 : 3 9 AM < D IR > 0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 ,4 1 6 c a lc . e x e 12 r e a d n e . t x t 0 5 : 4 0 AM 1 8 8 ,4 2 8 b y te s 2 F ile < s > 4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s fr e e 2 D ir < s >
C : \ n a g ic > ty p e
c : \ n a g ic \c a lc . e x e
> c :\m a g ic \ r e a d m e . t x t : c a l c . e x e
C :\m a g ic > d ir U o lu n e i n d r i u e C h a s n o l a b e l . U o lu n e S e r i a l N u n b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y
t.__ NTFS supersedes the FAT file system as die preferred file system for Microsoft’s Windows operating systems.
0 9 /1 2 /2 0 1 0 9 /1 2 /2 0 1 0 1 /1 9 /2 0 0 0 9 /1 2 /2 0 1
2 2 8 2
of
C :\n a g ic
0 5 : 3 9 AM < 0 5 : 3 9 AM < 1 8 8 ,4 1 6 c a lc . e x e 0 6 : 5 1 AM 0 5 : 4 4 AM 12 r e a d n e . t x t 1 8 8 ,4 2 8 b y te s 2 F ile < s > 4 ,3 7 7 ,4 1 5 ,6 8 0 b y te s f r e e 2 D ir < s >
LJ FIGURE 23: Command prompt with executing hidden calc.exe command
10. Tlie tile s iz e o f the ree.txt should not ch ange. N ow navigate to the directory c:\m agic and d e le te ca lc .e x e .
11. Return to the com m and prom pt and type command: mklink b ack door.exe read m e.txt:calc.exe and press Enter
C E H L ab M an u al Page 318
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
V. A d m in is tra to r Com m and P rom pt 0 9 /1 2 /2 0 1 2 0 1 /1 9 /2 0 0 8 0 9 /1 2 /2 0 1 2
-I□ ! X
0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 ,4 1 6 c a lc . e x e 0 5 : 4 0 AM 12 re a d m e .tx t 2 F ile < s > 1 8 8 ,4 2 8 b y te s 2 D ir < s > 4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s f r e e
C :\m a g ic > ty p e
c :\m a g ic \c a lc .e x e
> c :\ m a g ic \ r e a d m e . t x t : c a l c . e x e
C :\m a g i c > d i r U o lu m e i n d r i u e C h a s n o l a b e l . U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y 0 0 0 0
ffilA stream is a liidden file that is linked to a normal (visible) file.
9 9 1 9
/1 /1 /1 /1
2 /2 2 /2 9 /2 2 /2
01 01 00 01
of
2 2 8 2
C :\m a g ic
0 5 : 3 9 AM < D IR > 0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 .4 1 6 c a lc . e x e 0 5 : 4 4 AM 12 r e a d m e .tx t 2 F ile < s > 1 8 8 ,4 2 8 b y te s 2 D ir < s > 4 ,3 7 7 ,4 1 5 ,6 8 0 b y te s f r e e
C : \ m a g ic > m k lin k b a c k d o o r .e x e r e a d m e . t x t : c a lc . e x e s y m b o lic l i n k c r e a te d t o r b a c k d o o r .e x e = = = >•> r e a d m e . t x t : c a l c . e x e
u
C :\m a g ic >
-
FIGURE 2.4: Command prompt linking die executed hidden calc.exe
12. Type backdoor, press Enter, and the the calculator program will be ex ecu ted .
HB
-
m im s tra to r C om m and P rom pt
0 9 /1 2 /2 0 1 2
0 5 : 4 0 AM 2 F ile < s > 2 D ir < s >
C :\m a g ic > ty p e
122 r e a d m e . t x t 1 1 8 8 ,. 4 2 8 b y t e s 4 ,3 7 7 ,6 7 7 .8 :
c : \ m a g ic \c a lc .e x e
> c :S
1
C :\m a g ic > d ir U o lu m e i n d r i v e C h a s n o l a b e l . U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y 0 0 0 0
9 /1 9 /1 1 /1 9 /1
2 /2 2 /2 9 /2 2 /2
012 012 008 012
of
r
C :\m a g ic
< D IR > 0 5 :3 9 AM < D IR > 0 5 :3 9 AM 1 8 8 ,4 1 0 6 :5 1 AM 0 5 :4 4 AM 1 8 8 ,4 2 F ile < s > 4 ,3 7 7 ,4 1 5 ,6 2 D ir < s >
1
C :\ m a g ic > m k lin k b a c k d o o r .e x e r e a d n e . t i s y m b o lic l i n k c r e a te d f o r b a c k d o o r .e x t C :\m a g ic )b a c k d o o r
| 1 ־1 _!ע ע_ו _lI_lI.ע _lI_u_lI.ע _lI _l.ע Backspace
CE
sqrt |
_ !_ 1 .
MR |
j d
MS |
C : \ m a c r ic >
1/x |
y
FIGURE 2.5: Command prompt with executed hidden calc.exe
Lab Analysis Document all die results discovered during die lab.
PLEASE TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T IO N S R E L A T E D T O T H I S L AB .
C E H L ab M anual Page 319
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Tool/Utility NTFS Streams
Information Collected/Objectives Achieved Output: Calculator (calc.exe) file executed
Questions 1. Evaluate alternative m ethods to hide the other exe files (like calc.exe).
Internet Connection Required □ Yes
0 No
Platform Stipported 0 Classroom
C E H L ab M an u al Page 320
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
3 Find Hidden Files Using ADS Spy A ds Spy is a tool used to list, view, or deleteAlternate Data Stream (AD S) on Windons Server2008 nith N T F S filesystems. I CON
KEY
/ Valuable information S
Test your knowledge
m. Web exercise ffi! Workbook review
Lab Scenario Hackers have many ways to obtain s. Hackers can obtain s from local computers by using -cracking software. To obtain s from across a network, hackers can use remote cracking utilities or network analyzers. Tins chapter demonstrates just how easily hackers can gather inform ation from your network and describes vulnerabilities that exit in com puter networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to find hidden files using ADS Spy.
Lab Objectives The objective o f tins lab is to help students learn how to list, view, or delete A lternate Data Stream s and how to use them. It will teach you how to:
t£~Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 321
■
Use ADS Spy
■
Find hidden tiles
Lab Environment To carry out the lab you need: י
ADS Spy located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream D etector Tools\ADS Spy
■
You can also the latest version o f ADS Spy from the link http: / / www.menjn.11u/program s.php#adsspv
■
It you decide to the la te st version, then screenshots shown 111 the lab might differ
■
Run tins tool 111 W indows Server 2012 E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Lab Duration Tune: 10 Minutes
Overview of ADS Spy ן1 ^ ןחרjj-,5 (^ternate Data Stream) is a technique used to store meta-info on files.
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) 011 Windows Server 2008 with NTFS file systems. ADS Spy is a method o f stonng meta-information o f files, without actually stonng die information inside die file it belongs to.
Lab Tasks m. TASK 1 Alternative Data Streams
1.
Navigate to the CEH-Tools director} ־D:\CEH-Tools\CEHv8 Mod S ystem Hacking\NTFS Stream D etector Tools\ADS Spy
2 . Double-click and launch ADS Spy. ADS Spy v1.11 - Written by Merijn Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not ^ visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious! [v
(• Quick scan (Windows base folder only) C Full scan (all NTFS drives)
J
C Scan only this folder: |7 Ignore safe system info data streams fencryptable', ,Summarylnformation'. etc) [ ־־Calculate MD5 checksums of streams' contents Scan the system for alternate data streams
KlADS Spy is a small tool to list, view, or delete Alternate Data Streams (ADS) on Windows 2012 with NTFS file systems.
Remove selected streams
[Ready”
FIGURE 3.1 Welcome screen of ADS Spy
3 . Start an appropriate sca n that you need. 4 . Click Scan th e sy stem for alternate data stream s.
C E H L ab M an u al Page 322
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
ADS Spy v1.11 - Written by Merijn Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not /*. visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious! v
£ ־ADS are a w ay of storing metainformation regarding files, without actually storing the information in the file it belongs to, carried over from early MacOS compatibility
C Quick scan (Windows base folder only) | (» Full scan (all NTFS drives)| C Scan only this folder:
A
11? Ignore safe system info data streams ('encryptable', 'Summarylnformation', etc)| r
j
Calculate MD5 checksums of streams' contents Scan the system for aiternate data streams
j|
Remove selected streams
C:\magic\ree tx t: calc.exe (1051648 bytes) C:\llsers\\Documents: {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) □ C:\s\\Favorites\Links\Suggested Sites.url: favicon (894 bytes) CAsV\dministrator\My Documents: {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) CAWindows.old.000\Documents and Settings\\Favorites\Links\Suggested Sites.url: favicon (8! □ C:\Windows.old.OOO\s\\Favorites\Links\Suggested Sites.url: favicon (894 bytes)
|Scan complete, found Galternate data streams (ADS's).
FIGURE 3.2 ADS Spy window with Full Scan selected
5. Find the ADS hidden info file while }*ou scan the system for alternative data streams.
6. To remove the Alternate Data Stream, click R em ove s e le c te d stream s. ADS Spy v1.11 - Written by Merijn Alternate Data Streams (ADS) ate pieces of info hidden as metadata on files on NTFS drives. They are not visible in Explorer and the size they take up is not repotted by Windows. Recent browser hijackers started using ADS to hide theit files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they ate malicious!
C Quick scan (Windows base folder only) (* Full scan (all NTFS drives) C Scan only this folder:
J
1✓ Ignore safe system info data streams ('encryptable', ‘Summarylnformation', etc)
& Compatible with: Windows Server 2012, 20008
r
Calculate MD5 checksums of streams' contents Scan the system for alternate data streams
□ □ □ *׳׳
Remove selected streams
C:\magic\ree.txt: calc.exe (1051G48 bytes) C\s\\Documents : {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) C.As'1n1strator\Favor1tes\Links\Suggested Sites.url: favicon (894 bytes) C:\s\\My Documents: {726BGF7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) /Windows.old.000\Documents and SeKings^drnini$tfat0f\Fav0rites\Links\Suggested Sites.url: favicon (8 C:\Windows.oldOOO\s\\Favorites\Links\Suggested Sites.url: favicon (894 bytes)
|Scan complete, found S alternate data streams (ADS's).
FIGURE 3.3: Find die hidden stream file
C E H L ab M anual P ag e 323
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Analysis Document all die results and reports gathered during die lab.
P LE AS E TALK TO Y OU R I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved Scan Option: Full Scan (all NTFS drives)
ADS Spy
Output: ■ ■
Hidden files with its location Hidden files size
Questions 1. Analyze how ADS Spy detects NTFS streams. Internet Connection Required □ Yes Platform ed 0 Classroom
C E H L ab M an u al Page 324
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Hiding Files Using the Stealth Files Tool Stealth F/'/es use aprocess called steganography to hide anyfiles inside of anotherfie . It is an alternative to encryption offiles.
■con key ־־Lab Scenario / Valuable information_____ Test your knowledge sA Web exercise m
Workbook review
The Windows N T NTFS hie system has a feature that is not well documented and 1s unknown to many N T developers and m ost s. A stream 1s a hidden file that is linked to a norm al (visible) file. A stream is not limited 111 size and there can be more than one stream linked to a normal tile. Streams can have any name that complies with NTFS naming conventions. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to hide tiles using the Stealth Files tool. 111 this lab, discuss how to tind hidden tiles inside o f other tiles using the Stealth Files Tool.
Lab Objectives The objective o f this lab is to teach students how to hide files using the Stealth Files tool. It will teach you how to:
— Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 325
■
Use the Stealth Files Tool
■
Hide tiles
Lab Environment To carry out tins lab you need: ■
Stealth Files tool located at D:\CEH-Tools\CEHv8 Module 05 System H acking\Steganography\Audio Steganography\Stealth Files
■
A com puter running Window Server 2012 (host machine)
■
You can also the latest version o f Stealth Files from the link http://w w w .froebis.com /engl 1sh /sf 40 .shtml
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
If you decide to the la te st version, then screenshots shown in the lab might differ
■
istrative privileges to run the Stealth files tool
■
Run this tool 111 Windows Server 2012 (Host Machine)
Lab Duration Time: 15 Minutes
Overview of Stealth Files Tool £U Stenography is the art arid science of writing hidden messages.
Stealth files use a process called steganography to lude any tiles inside o f another .
.
.
.
.
7
.
.
me. It is an alternative to encryption ot files because no one can decrypt tlie encrypted information or data from die files unless they know diat die ludden files exist.
Lab Tasks B
TASK 1
Stenography
1. Follow the wizard-driven installation instructions to install Stealth Files Tool.
2. Launch Notepad and write Hello World and save the file as R e e.txt on the desktop. re e - N otepad File
Edit
Format
View
Help
f l e l l o W o rld !
& Stealth Files u se s a process called steganography to hide any file or files inside of another file
FIGURE 4.1: Hello world in ree.txt
3. Launch the Start m enu by hovering the mouse cursor on the lowerleft corner o f the desktop.
C E H L ab M anual Page 326
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
FIGURE 4.2: Windows Server 2012 —Desktop view
4 . Click the Stealth Files 4.0 app to open the Stealth File window.
m You can also Stealth File from http: / /www. froebis. com.
FIGURE 4.3: Windows Server 2012 —Apps
5. The main window o f Stealth Files 4.0 is shown 111 the following figure.
This is an alternative to encryption b ecau se no one can decrypt encrypted information or files unless they know that the hidden files exist.
FIGURE 4.4: Control of Stealth Files
C E H L ab M anual P ag e 327
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
6. Click Hide Files to start the process of hiding the files. 7 . Click Add files.
ם
Stealth Files 4.0 - Hide Files... Step 1 ■Choose Source Files:
S Before Stealth Files hides a file, it compresses it and encrypts it with a . Then you must select a carrier file, which is a file that contains die hidden files
Destroy Source Filesl Remove Selected Files! Step 2 • Choose Carrier File:
I r
^־J Create a Backup of the Carrier File!
Step 3 ■Choose :
FIGURE 4.5: Add files Window
8. In S te p l, add the C a lc.ex e from c:\w in d ow s\system 32\calc.exe. & Stealth Files 4.0 can be ed from the link: http://www.froebis ■com/english/sf40. shtml
C E H L ab M an u al Page 328
9 . In Step 2 , choose the carrier file and add the file R e e.txt f r o m the desktop.
10. In Step 3, choose a such as m agic (you can type any desired ).
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
13
Stealth Files 4.0” Hide Files...
!“ Iם
\ x
Step 1 ■Choose Source Files: C:\W1ndows\Sj1stem32Vcacls.exe
5 You can also
remove the hidden files from the carrier file by going to Remove Hidden Files and following the instructions
I-
Destroy Source Filesl Add Files!
|
Remove Selected Files!
Step 2 Choose Carrier File. C:\Use1s\\Desktop\ree.txt I-
:d
Create a Backup of the Carrier File! Choose :
magic)
I Hide Files! |
FIGURE 4.6: Step 1-3 Window
11. Click Hide Files. 12. It will hide the file c a lc .e x e inside the re e.txt located on the desktop.
13. O pen the notepad and check the file; c a lc .e x e is copied inside it. re e ־N otepad File
Edit
F orm at
V iew
I ~ I ם
:
H elp
)H e llo W o rld !
&T When you are ready to recover your hidden files, simply open them up with Stealth Files, and if you gave the carrier file a , you will prompted to enter it again to recover die hidden files
h e h jlfc le d im m a ia lm o k b m p p o n ie g m b k ln n h a c d a h h h n o k e b ib jb ie h a a lb p o f p p h ifh lb k id o fh a k n b in k a d c a jjb p iia n jd h ib o b ig a g d g jo b p b fo jh k g g e e ia b id jn c n ffb e a k jg h fb c c m h h iim h p p ip h m n e o m k b k h fc b d a fc p c h im g b ifjc id j lo c g fih d d ilm c fd m c fo fd n c jd c o n g p b c ja d je b o b p n o e g d d b c jk n b jb k k n h a e b lo c d k flm p n fc g jo b k lb c p g o k h h le llim fp fn c p ig o p o p d e g in a a o e g c k k p c k m g le o n m b fn g b ln b h c ik fd h k m g io d c fg n lg g o a d d c a jm p ip fib h p p g g c g im m k a d n j e b fb ld fd d fo ie a e lg n p p id m p jd g m h o p ije h lik e b lfn h o ifla m a d a m p a p b e e c a k lfg p h fn a b d jm m e p b b g k h d c jp d p a m c jfc ld k e o m fb n c jd p e k p ja ib p c ie p o lb k m e le p h c p f jp ik f ic k lf a k o o n n jle h b b jd a d a ip h k jg n o n ie lje a h fp a la p p d b a c ile n o id lh ib e k p b h e jm ifn g f h f a p m h a fb lifh lc g ia e b k ijik g o h d a g e e b ip b o p c k h je h ip o c e k jo ip e n d e o e a llb a k e p m k d d n e im b fg ie lb m b o o k ia d e lllm n j in ffm o n b k lk k a d p a h ifk p la n a b k d p p b fd c io a ja e k k p p n c g o jg d n h lk jm o fm n g o e g jh k n m c ifjg jc p o fo c ie d c b fp fm k lm b e m o iib jjd e n jk n lm n lm c io n e o ik n i lh k n je a p o n o b m k a lijm p lh m la fjfp a fk g fb d b lh fc b d n m jia e g n p k m n h e ih ie c fn ln a dn n o a o n eo p o o p b b ag m d a oh m e kd gfce kcn b cg m injem e g p nn h e in o ilg e j o o ig lc d h a c lc h jlh d g ib o o h e m b n a p m k m e p a o k jc h h g c jb id fh a k c lg fb m a p n b d o p k m e g fo a n e g d m lm fo n fn o p b k e h o n e in c d h ln o e fa h b n ifd jb d lg b h ije jc e ia kam gkajbbn ln d b ig ga g m cg nb n m a foh o g a ckcd n khb o m g o fp d e g ib ikm jm d p fkg
FIGURE 4.7: Calc.exe copied inside notepad.txt
14. N ow open the Stealth files Control and click Retrieve Files. C E H L ab M anual Page 329
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
t
\ Stealth Fi1es 4.0
S Pictures will still look the same, sound file will still sound die same, and programs wTill still work fine
&■ These carrier files will still work perfecdy even with the hidden data in diem
a
Hide Files
©
Retrieve Files
□
Remove Hidden Files
e
About Stealth Files
-־
Close Program FIGURE 4.8: Stealth files main window
15. 111 Step 1, choose the tile (Ree.txt) from desktop 111 which you have saved the c a lc .e x e .
16. 111 Step 2, choose the path to store the retrieved hidden file. 111 the lab the path is desktop.
17. Enter the m agic (the that is entered to liide the tile) and click on R etrieve Files! Stealth File! 4.0
S
This carrier file can be any of these file types: EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files
-
Retrieve Files...
I ־־1 ם
T x
- Step 1 ■Choose Carrier File: C: \U sers\\D esktopVree. txt I-
z l
Destroy Carrier File!
Step 2 - Choose Destination Directory: C :\ll sersV'.dministtatorVD esktop\
d
r Step 3 • Enter : | magic|
Retrieve Files!
FIGURE 4.9: Retrieve files main window
18. The retrieved file is stored on the desktop.
C E H L ab M anual Page 330
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
0 5 Vorslon; IP Address MAC Addr•••: Host Name
Windows NT 62 (non•) D4 BE 09 CJ CE 20 WIN-039MR6HL9E4
Qs- You can transfer the carrier file through die Internet, and die hidden files inside will transfer simultaneously.
FIGURE 4.10: Calc.ese running on desktop with the retrieved file
Lab Analysis Document all die results and reports gadiered during die lab.
P LE AS E TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved H id d e n Files: Calc.exe (calculator)
S tealth Files T ool
R etrieve File: ree.txt (Notepad) O u tp u t: Hidden calculator executed
Questions 1. Evaluate other alternative parameters tor hiding files. Internet Connection Required □ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 331
0 !Labs
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab
Extracting SAM Hashes Using PWdump7 Tool Pn׳dump7 can alsobeusedto du/uppmtectedpiles You canalways copya used'ft/eb)[justexecuting pnduffp7.exe -dc\lakedf11e.datbackjip-hxhdfiledot Iconkey
Lab Scenario [£Z7 Valuable iiiformation_____
s are a big part ot this m odern generation. You can use the for your system to protect the business or secret inform ation and you may choose to limit access to your PC with a W indows . These s are an im portant security layer, but many s can be cracked and while that is worry, tliis clunk 111 the arm our can come to your rescue. By using cracking tools or cracking technologies that allows hackers to steal can be used to recover them legitimately. 111 order to be an expert ethical hacker and penetration tester, you must understand how to crack s. 111 tins lab, we discuss extracting the hashes to crack the .
Test your knowledge =
Web exercise Workbook review
Lab Objectives Tins lab teaches you how to: ■
Use the pwdump7 tool
■
Crack s
Lab Environment To carry out the lab you need:
_^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 332
■
Pwdump7 located at D:\CEH-Tools\CEHv8 Module 05 System H acking\w ord Cracking Tools\pwdum p7
■
Run tins tool on W indows Server 2012
■
You can also the latest version o f pwdump7 from the link http:/ / www.tarasco.org/security/pwdum p 7 / 111dex.html
■
istrative privileges to run tools E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
T/IP settings correctly configured and an accessible DNS server
■
Run this k b in W indows Server 2012 (host machine)
Lab Duration Time: 10 Minutes
Overview of Pwdump7 Pw dum p 7 can be used to dum p protected tiles. You can always copy a used file just by executing: pwdum p 7 .exe -d c:\lockedf 11e.dat backup-lockedf 11e.dat. Icon key
Lab Tasks 1. O pen the com m and prom pt and navigate to D:\CEH-Tools\CEHv8 Generating H ashes
Module 05 S ystem H acking\w ord Cracking Tools\pwdump7.
2 . Alternatively, you can also navigate to D:\CEH-Tools\CEHv8 Module 05 S ystem H acking\w ord Cracking Tools\pwdump7and right-click the pwdump7 tolder and select CMD prompt here to open the
com m and prom pt. Ad mi ni straton C:\Wi ndows\system32\cmd.exe [ D :\C E H -T o o ls \C E H v 8 Hrac ke t*s \p w d u m p 7 >
& Active directory w ords are stored in the ntds.dit file and currently the stored structure
M o d u le 05 S y s te m H a c k in g \ P a s s w o r d C r a c k in g M J in d o w s
P a s s w o rd C
FIGURE 5.1: Command prompt at pwdump7 directory
3 . N ow type pw dum p7.exe and press Enter, which will display all the hashes.
C E H L ab M an u al Page 333
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
: Command Prompt :\ C E H - T o o ls \ C E H u 8 M o d u le 05 S y s te m H a c k in g \ P a s s w o rd C ra c k in g S W in d o w s a c k e rs \ p w d u n p 7 ) pwdum p?. exe w dunp v V . l - ra w p a s s w o rd e x t r a c t o r u t h o r : A n d re s T a r a s c o A c u n a r l : h t t p : / / w w w .5 1 4 .e s A d m i n i s t r a t o r :5 0 0 :N O ***** D 4 7 :: : G u e s t :5 0 1 :N O ** ** * ** * * * *** LA N G U A R D _1 1 _U S E R :1 0 0 6 :N O * A67B960: : : M a rt i n :1 0 1 8 :N O ******-***** J u g g y b o y :1 0 1 9 :N O * ******** J a s o n :1 0 2 0 :N O WORD*-**■*■***■*■**-*■* S h i e l a :1 0 2 1 :N O * * * * * * * * * * * :\ C E H -T o o ls \ C E H u 8 ac ke r s Spwdump7 >
& Always copy a used file just executing: pwdum p7.exe -d c:\lockedfile.dat backuplockedfile.dat.
P a s s w o rd C
*: BE40 C 45 0 A B 99 7 13 D F1 ED C 5 B 4 0C 2 SA *:NO * * :C 2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F C 9 B E 6 6 2 * :5 E B E 7 D F A 0 7 4 D A 8 E E 8 A E F 1 F A A 2 B B D E 8 7 6 : : : * * * :4 8 8 C D C D D 2 2 2 5 3 1 2 7 9 3 E D 6 9 6 7 B 2 8 C 1 0 2 5 : * :2 D 2 0 D 2 5 2 A 4 7 9 F 4 8 5 C D F 5 E 1 7 1 D 9 3 9 8 5 B F :: : * * :0 C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 A 8 2 8 0 7 9 7 3 B 8 9 5 3 7 :: :
M o d u le 05 S y s te m H a c k in g S P a s s w o rd C ra c k in g V W in d o w s
P a s s w o rd C
FIGURE 5.2: pwdump7.exe result window
4 . N ow type pw dum p7.exe > c:\h ash es.txt 111 the com m and prom pt, and press Enter.
5
Tins com m and will copy all the data ot pw dum p7.exe to the c:\h a sh es.tx t file. (To check the generated hashes you need to navigate to the C: drive.) hashes.txt - Notepad File
Edit
Format
View
Help
( A d m in i s t r a t o r : 5 0 0 : NO * * * * * * * * * * * ״ * * * * * * * * ״: BE40C450AB997 13DF1EDC5B4 0C25 AD4 7 G u e s t: 5 0 1 : NO * * * ״ ״ ״ ״ * * ״ ״ ״ ״ * * ״ ״ ״ ״ ״ ״: NO * * ״ ״ ״ ״ ״ ״ ״ * ״ ״ ״ ״ ״ ״ ״ ״ * ״ ״: : : LANGUARD_11_: 1 0 0 6 : NO * * * * * * * * * * * * * ״ ״ * * * ״ ״ ״: C2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F C9 B E 6 6 2 A 6 7 B 9 6 0 M a r t i n :1 0 1 8 :NO P A S S W O R D * * * * * * * * * * * * * * * 5 : ״ * * * ״ ״EBE7DFA074DA8EE8AEF1FAA2BBDE876
Duggyboy : 1 0 1 9 : NO P A S S W O R D * 4 8 8 : * * ״ * * * * * * * * * * * * * * * * ״CDCDD2225312793ED6967B28C1025 3 a s o n :1 0 2 0 :N O P A S S WOR D * * * * * 2 : * * * * * * * * * * * * * * * ״D20D252A479F485CDF5E171D93985BF S h i e l a :1 0 2 1 :NO P A S S W O
R
D
* * * * 0 : ״ * * * * * * ״ * * ״ ״ * ״ ״ ״ ״CB6948805F797BF2A82807973B89537
FIGURE 5.3: hashes.txt window
Lab Analysis Analyze all the hashes gathered during die lab and figure out what die was.
C E H L ab M anual Page 334
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
P L EA S E TALK T O YOUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved O u tp u t: List o f and Hashes
PW dum p7
■ ■ Guest ■ Lauguard ■ Martin ■ Juggyboy ■ Jason ■ shiela
Questions 1. W hat is pwdum p 7 .exe com m and used for? 2 . How do you copy the result o f a comm and to a file?
Internet Connection Required □ Yes
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 335
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Creating the Rainbow Tables Using Winrtgen Winrtgen is a graphical ־Rainbow Tables Generator that s/ippo/ts LM , FastLM, N TLM , LMCHALL> H aljLM CH ALL, K T IM C H A L L , M SCACH E, MD2, MD4, MD5, SH A 1, RIPEMD160, M jSO LJ23, M ySQ LSH AI, CiscoPIX, O RACLE, SH A -2 (256), SH A -2 (384) and SFL4-2 (512) hashes.
Lab Scenario
ICON KEY [£II7 Valuable information
111 computer and information security, the use ot is essential for s to protect their data to ensure a seemed access to dieir system or machine. As s become increasingly aware o f the need to adopt strong s, it also brings challenges to protection o f potential data. 111 diis lab, we will discuss creating die rainbow table to crack the system s’ s. 111 order to be an expert ethical hacker and penetration tester, you must understand how to create rainbow tables to crack the .
Test your knowledge == Web exercise m
Workbook review
Lab Objectives The objective o f this lab is to help students how to create and use rainbow table to perform system hacking.
Lab Environment To earn ׳out die lab, you need:
^^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 336
■
Winrtgen Tool located at D:\CEH-Tools\CEHv8 Module 05 S ystem Hacking\Rainbow Table Creation Tools\Winrtgen
■
A com puter running Window Server 2012
■
You can also the latest version o f Winrtgen from the link http: / / www.ox1d.it/ projects.html
■
If you decide to the latest version, then screenshots shown 111 the lab might differ E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
Run this tool 011 Windows Server 2012
■
istrative pnvileges to run tins program
Lab Duration Time: 10 Minutes You can also Winrtge from
Overview of Rainbow Table
s lunj/www 0x1dlt/p10ject A rainbow table is a precomputed table for reversing cryptograpliic hash functions, usually for cracking hashes. Tables are usually used 111 recovering plaintext s, up to a certain length, consisting o f a limited set of characters.
Lab Task TASK 1 Generating Rainbow Table
1. Double-click die winrtgen.exe tile. The main window of winrtgen is shown 111 die following tigure.
r ־
W inrtgen v2.8 (Rainbow Tables Generator) by mao Filename
Add T able
m
Rainbow tables usually used to crack a lot of hash types such as
Status
Remove
About
Remove All
OK
Exit
FIGURE 6.1: winrtgen main window
2 . Click die Add Table button.
N T L M , M D 5 , SH A1
C E H L ab M an u al Page 337
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
-
W inrtgen v2.8 (Rainbow Tables Generator) by mao
ם
x
£ Q You can also Winrtge from http://www.oxid.it/project s.html.
III
Add Table
Remove
Remove All
OK
About
Exit
FIGURE 6.2: creating die rainbow table
3 . Rainbow Table properties window appears: i. Select ntlm from the Hash drop-down list 11. Set die Min Len as 4, die Max Len as 9, and the Chain Count o f 4000000
iii. Select loweralpha from die Charset drop-down list (diis depends on the ). 4.
Click OK. R ain bow Table p rop erties r
Hash |ntlm
£ v T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Min Len I4
-M ax Len rIndex 1°
I9
Chain Len—
Chain Count —
|2400
I4000000
|abcdefghiiklmnopqrstuvwxyz Table properties Key space: 5646683807856 keys Disk space: 61.03 MB Success probability: 0.001697 (017%) Benchmark
Optional parameter
Hash speed:
|
Step speed: Table precomputation time: Total precomputation time: Max cryptanalysis time: Benchmark |
FIGURE 6.3: selecting die Rainbow table properties
5. A file will be created; click OK.
C E H L ab M an u al Page 338
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
x
W inrtgen v2.8 (Rainbow Tables Generator) by mao Filename
Status
ntlm_lowe(alpha#4-9_0_2400x4000000_oxid8000.rt
III
Add Table
Remove
Remove All
OK
About
Exit
FIGURE 6.4: Alchemy Remote Executor progress tab window
Creating the hash table will take some time, depending on the selected hash and charset.
Note: To save die time tor die lab demonstration, die generated hash table is kept in die following !older: D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation ToolsYWinrtgen
m
You must be careful of your harddisk space. Simple rainbow table for 1 —5 alphanumeric and it costs about 613MB of your harddisk.
Created a hash table saved automatically 111 die folder containing
7.
winrtgen.exe.
י
Winrtgen
'L
5 CEHv8 M o d u le 05 S y stem H acking
־&־Favorites ■
D esktop
J§ . D o w n lo ad s %
^
R ecen t pla ce s
► R ainbow T able C re ation T ools ► W inrtgen
v
C
Search W inrtgen
N am e
D ate m od ifie d
T ype
M c h arset.tx t
7/1 0 /2 0 0 8 &29 PM
T ext D o c u m e n t
|□
ntlm _low eralphag4-6_0_2400x4000000_ox... |
9/18/201211:31 A M
RT File
H! w in rtg en .e x e
7 /1 0 /2 0 0 8 1 0 :2 4 PM
A pplic ation
□
7/1 0 /2 0 0 8 10:33 PM
SJG File
w inrtgen.e xe.sig
Size 6KB 62,500 KB 259 KB 1 KB
Libraries [ J D o c u m e n ts M usic II■! P ictu res H
Videos
C o m p u te r &
Local Disk ( C )
1 m N ew V o lu m e (D:)
4 ite m s
1 ite m se le c te d 61.0 MB
State: Q
S hared
FIGURE 6.5: Generated Rainbow table file
C E H L ab M anual Page 339
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Analysis Analyze and document the results related to the lab exercise.
Tool/Utility
Information Collected/Objectives Achieved P urpose: Creating Rainbow table with lower alpha
W inrtge
O u tp u t: Created Rainbow table: ntlm_lowe 1־alpha# 4 -
6_ 0_ 2400X 4000000_ o x ...
P L E A S E TALK TO Y OU R I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Internet Connection Required D Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 340
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Cracking Using RainbowCrack Rainbon'Crack is a computerprogram thatgenerates rainbow tables to be used in cracking.
Lab Scenario 1'— J Valuable mforination_____ Test your knowledge______ a s Web exercise m
Workbook review
Computer s are like locks on doors; they keep honest people honest. It someone wishes to gam access to your laptop or computer, a simple will not stop them. Most computer s do not realize how simple it is to access die for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is for someone to gain access to your computer? Windows is still the most popular operating system, and die method used to discover the is die easiest. A hacker uses cracking utilities and cracks vour system. That is how simple it is for someone to hack your . It requires 110 technical skills, 110 laborious tasks, onlv simple words 01 ־programs. 111 order to be an ethical hacker and penetration tester, you must understand how to crack . 111 tins lab we discuss how to crack guest s or s using RainbowCrack.
Lab Objectives £ ~ T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page
The objective ot this lab is to help students to crack p assw ord s to perform system hacking.
Lab Environment To earn ־out die lab, you need:
1
■
RainbowCrack Tool located at D:\CEH-T0 0 ls\CEHv8 Module 05 S ystem Hacking\Rainbow Table Creation Tools\RainbowCrack
■
A com puter running Window Server 2012
■
You can also the latest version o f RainbowCrack from the link h ttp ://proiect-ra111bowcrack.com/ E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
!2 2 You can also Winrtge from http: / /www. oidd.it/project s.html
■
If you decide to die latest version, dien screenshots shown in die lab nnght differ
■
Run diis tool 011 Windows Server 2012
■
istrative privileges to m n diis program
Lab Duration Tune: 10 Minutes
Overview of RainbowCrack RainbowCrack is a computer program diat generates rainbow tables to be used 111 cracking. RainbowCrack differs from "conventional" bmte force crackers in diat it uses large pre-computed tables called rainbow tables to reduce die lengdi of time needed to crack a .
Lab Task E
t a s k
1
Generating the Rainbow Table
1. Double-click die rcrack_gui.exe tile. The main window of RainbowCrack is shown 111 die following figure.
m RainbowCrack for GPU is the hash cracking program in RainbowCrack hash cracking utilities.
FIGURE 7.1: RainbowCrack main window
2 . Click File, and dien click Add Hash...
C E H L ab M anual Page 342
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
RainbowCrack 1.5 File | E d it
R a in b o w T a b le
H e lp P la in te x t in
A d d H a s h ...
H ex
L o a d H a s h e s f r o m File... L o a d LM H a s h e s f r o m P W D U M P File... L o a d N T L M H a s h e s f r o m PW D U M P File.. S a v e R e su lts...
£Q! RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight GPU brute forcing cracker
FIGURE 7.2: Adding Hash values
3.
The Add Hash window appears: i.
Navigate to c:\hashes, and open die hashes.txt tile (which is already generated using Pwdump 7 located at c:\hashes.txt 111 the previous Lab no:5) .
ii.
Right-click, copy die hashes from hashes.txt tile.
iii.
Paste into die Hash held, and give die comment (optional).
1V.
Click OK. hashes.txt - Notepad
File
Edit
Format
View
Help
Undo
A d m i n i s t r a t o r : 5 0 0 : NO
Cut
P A S S W O R D * * * * * * * * * * * * * * * * * * * * * : BE40C450AB
£ Q | RainbowCrack uses time-memoiy tradeoff algorithm to crack hashes. It differs from the hash crackers that use brute force algorithm
G u e s t : 5 0 1 : NO P A S S W O R D * * * * * * * * * * * * * * * * * * " !
Copy
P A S S W O R D ********************** * ׳
Paste
LANGUARD_11_: 1 0 0 6 : NO * * * * * * * * * ״ * * * * * * * * * * ״: C2 5 5 1 0 2 1 9 F
Delete Select All
M a r t i n :1 0 1 8 :NO P
A
S
S
W
O
R
D
order : * * * * * * * * * * * * ״Right * * * to * * left * * ״Reading EBE7DFA07
5
] ug g y b o y : 1 0 1 9 : NO
Show Unicode control characters
4 8 8 : * * * * * * * * * * * * * * * * * * * * ״CDCDD22
Insert Unicode control character
D a s o n :1 0 2 0 :N O P
A
S
S
W
O
R
D
:* * * * * * * * * * * * *Open * * * *IME * • * ״D20D252A4
2
S h ie la :1 0 2 1 :N O ************ *********
________________________ _____ -
J
1*Kli ■1*JLW -V.IW
:: —
FIGURE 7.3: Selecting the hashes
C E H L ab M anual Page 343
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
RainbowCrack 1.5 File
Edit
R ainbow T able
* י־
Help P l a i n t e x t I n H ex
£/Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
0C86948805F797BF2A82807973889537 Comment (optional):
FIGURE 7.4: Adding Hashes
4 . The selected hash is added, as shown 111 die following figure. RainbowCrack 1.5 File
Edit
Rainbow Table
H elp
H a sh
P la in te x t
@ 0 c b 6 9 4 e8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3b89537
?
P l a i n t e x t I n Hex
£ 2 Fun time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
FIGURE 7.5: Added hash show in window
5. To add more hashes, repeat steps 2 & 3 (i,ii,iii,iv) 6. Added hashes are shown 111 the following figure.
C E H L ab M anual Page 344
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
RainbowCrack 1.5
£ 0 . RainbowCrack's purpose is to generate rainbow tables and not to crack s per-se, some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.
P File
Edit
Rainbow T able
H a sh 0
I ־־[םr x TI
H elp P la in te x t
P l a i n t e x t i n H ex
0 c b 6 9 4 8 8 0 S f 7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
?
?
@ 0 c b 6 9 4 8 8 0 5 f7 9 7 b f2 a8 2 8 0 7 9 7 3 b 8 9 5 3 7
?
?
@ 4 8 8 c d c d d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5
?
ל
@ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6
?
?
@ c 2 5 5 1 0 2 1 9 £ 6 6 f 9 f l2 f c 9 b e 6 6 2 a 6 7 b 9 6 0
?
1
FIGURE 7.6: Added Hashes in the window
7 . Click die Rainbow Table from die menu bar, and click Search Rainbow Table...
£ 9 RainbowCrack for GPU software uses GPU from NVIDIA for computing, instead of U. By offloading computation task to GPU, the RainbowCrack for GPU software can be tens of times faster than nonGPU version.
8. Browse die Rainbow Table diat is already generated 111 die previous lab, which
is located at D:\CEH-Tools\CEHv8 Module Hacking\Rainbow Table Creation Tools\Winrtgen.
05
System
9 . Click Open.
C E H L ab M anual Page 345
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Open ^ O rganize ▼
jA
”
W indow s Crac...
► w in rtg e n
v
( j | | Search w in rtg e n
New fo ld e r
Recent places
| ב־
־׳י
[jjj
P
ki
|
I
N am e
Date m o d ifie d
Type
Q
9/18/2012 11:31 A M
RT File
M usic
^
ntlm .loweralphag4-6.0.24001(4000000.ox■..
Libraries j3 ] Docum ents
J l M usic
E Q a time-memory tradeoff hash cracker need a pre-computation stage, at the time all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length are computed and results are stored in files called rainbow table
g
Pictures
9
Videos
1^
C om puter ^
Local Disk (C:)
r - Local Disk (D:) 1 - Local Disk (£ )
>1 Filenam e:
ntlmjoweralpha*4-6_0_2400x4000000_oxid*£ v
| Rainbow Tables (*.rt;*.rtc) Open
FIGURE 7.8: Added Hashes in the window
10. It will crack the , as shown 111 the following figure. RainbowCrack 1.5 File
Edit
Rainbow Table
H elp
H ash
P l a i n t e x t I n Hex
Com ment p a ssw o rd
0 c b 6 9 4 8 8 0 5 f7 9 7 b f 2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
3
0 c b 6 9 4 e 8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
te s t
74657374
4 8 8 c d c 6 d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5
g ree n
677265656c
✓ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6
a p p le
6170706C65
3
c 2 5 5 1 0 2 1 9 f6 6 f 9 fl2 fc 9 b e 6 6 2 a 6 7 b 9 6 0
?
3
2 d 2 0 d 2 5 2 a 4 7 9 f 4 8 5 c d f 5 e l7 1 d 9 3 9 8 5 b f
3
£=•=!־RainbowCrack focus on tlie development of optimized time-memory tradeoff implementation, and generation of large rainbow tables.
te s t
74657374
3
7 q w e r ty
tine of alarm check: tine of wait: time of other operation: time of disk read: hash & reduce calculation of chain traverse: hash 4 reduce calculation of alarm check: number of alarm: speed of chain traverse: speed of alarm check:
717765727479
2 .3 4 s 0.00 s 0 .1 9 s 0 .0 8 s 5755200 35850648 55125 9 .7 1 million/s 1 5 .3 3 mllllon/s
/s
5
FIGURE 7.9: Added Hashes in the window
Lab Analysis Analyze and document die results related to the lab exercise.
C E H L ab M anual Page 346
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
P L EA S E TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved H a sh e s: י י י י
Guest Languard Martin
■ Juggyb°y R ainbow C rack
■ י
Jason Sluela
P assw ord C racked: י י י י י
test test green apple qwerty
Questions 1. W hat kind o f hashes does RainbowCrack ?
Internet Connection Required □ Yes
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 347
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab
Extracting s Using LOphtCrack U)phtCrack is packed with powerfulfeatures, such as scheduling, hash extraction fro/// 64-bit Windows versions; multiprocessor algorithms, and network monitoring and decoding. It can impotf and crack U N IX files and remote Windows machines.
Lab Scenario / Valuable information Test your knowledge______ ^
Web exercise
r*־.. Workbook review
Since security and compliance are high priorities for m ost organizations, attacks 011 a company 01 ־organization's com puter systems take many different forms, such as spooling, smurfing, and other types o f demal-of-service (DoS) attacks. These attacks are designed to harm 01 ־interrupt the use o f your operational systems. cracking is a term used to describe the penetration o f a network, system, 01 ־resource with 01 ־w ithout the use o f tools to unlock a resource that has been secured with a . 111 tins lab we will look at what cracking is, why attackers do it, how they achieve their goals, and what you can do to do to protect yourself. Through an examination o f several scenarios, m tins lab we describe some o f the techniques they deploy and the tools that aid them 111 their assaults and how crackers work both internally and externally to violate a company's infrastructure. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to crack s. 111 tins lab we crack the system s using LOphtCrack.
^^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page
Lab Objectives The lab teaches you how to: ■
Use the LOphtCrack tool
■
Crack inistrator s
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Environment To earn’ out the lab you need: ■
LOphtCrack tool located at D:\CEH-Tools\CEHv8 Module 05 S ystem H acking\w ord Cracking Tools\LOphtCrack
■ Run tliis tool on W indows Server 2012 (host machine) ■ You can also the latest version o f LOphtCrack trom the link http: / / www.lOphtcrack.com ■ istrative privileges to run tools ■
Follow wizard driven installation instructions
■ T/IP settings correctly configured and an accessible D N S server
■ Tins tool requires the to or you can also use the evaluation version for a limited period o f time
Lab Duration Tune: 10 Minutes
Overview of LOphtCrack LOphtCrack provides a scoring metric to quickly assess quality. s are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.
Lab Tasks TASK 1 Cracking
1. Launch the Start m enu by hovering the mouse cursor to the lower left m ost corner o f the desktop.
| | Windows Server 2012
vm 1i״ימ״« ׳5 י! שי'י1 ן
m You can also the LOphtCrack from http: / / www.lOphtcrack.
C E H L ab M anual Page 349
FIGURE 8.1: Windows Server 2012—Desktop view
2 . Click the LOphtCrack6 app to open the LOphtCrack6 window
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Start Server M anager
W indow s Pow erShel
Google Chrome
Hyper-V M anager
Fa
T
o
יי
Com puter
Control
Hyper-V Virtual Machine...
SQL Server Installation Center...
m
*J
C om m and P rom pt
e / LOphtCrack s pre-computed hashes.
inistrator
Intrmrtfupterr׳
Drdlrp
Q
K
Mozilla Firefox
Global Network Inventory
<©
If
N m ap Zenm ap GUI
W orkspace Studio
O ־
3 FIGURE 8.2: Windows Server 2012 —Apps
3 . Launch LOphtCrack, and 111 the LOphtCrack Wizard, click Next. LOphtCrack A uditor v6.0.16
x LO p h tC rack 6 W izard
W elcom e to th e LOphtCrack 6 Wizard This wizard wil prompt you w th step-by-step n sb u c tio n s to g e t you aud tin g n m n u te s First, th e wizard w i help y ou d e term n e w here to retrieve your encrypted p a ssw ords from Se c o n d , you w i b e prom pted w th a few options re g a rd n g which m ethods to u se to audit th e w ords Third, you w i b e prom pted w th how you wish to report the results T hen. LOphtCrack 6 w i p ro ce ed a u d tin g th e w ords a n d report sta tu s to you along th e w ay. notifying y ou w hen audfcng is com plete Press Next' to c onbnue w th th e w izard
LOphtCrack can also cracks UNIX files.
[7 ךjjjprit show m e this w izard o n startup
FIGURE 8.3: Welcome screen of die LOphtCrack Wizard
4 . Choose Retrieve from th e local m achine 111 the Get Encrypted P assw ord s wizard and click Next.
C E H L ab M anual Page 350
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
LOphtCrack A uditor v6.0.16
G e t E n cry p te d P assw ords
C hoose o n e of th e fo lo w n g m eth ods to retrieve th e e n crypted w ords | ♦ R etneve from th e tocal m a c h n e | Pulls encrypted p a ssw ords from th e local m a c h n e 's registry A dm natra to r a c c e s s a r eq u red R etneve from a rem ote m a c h n e R etneve encrypted p a ssw ords from a remote m a c h n e on your d o m a n rwtra tor a c c e s s is required R etneve from SAM/SYSTEM b a c k u p U se em ergency r e p a r disks, b a c k u p ta p e s, or volume sha dow copy te ch r» q u es to obtain a copy of th e registry SAM a n d SYSTEM hives This c o n ta n s a copy of your non-d o m an w ords Q R etneve by jnrffng th e local netw ork Sniffing c a p tu res encrypted h a s h e s n transit o ver your netw ork L o g n s .f ie sh a m g a n d p m t shanng a l u se netw ork authentication th a t c a n b e captured.
< Back
ca
LOphtCrack has a built-in ability to import s from remote Windows, including 64-bit versions of Vista, Windows 7, and UNIX machines, without requiring a thirdparty utility.
Next >
■|
FIGURE 8.4: Selecting die from die local machine
5. Choose Strong P assw ord Audit from the C hoose Auditing Method wizard and click Next.
1- ׳° '
ן
FIGURE 8.5: Choose a strong audit
6. In Pick Reporting Style, select all Display encrypted w ord h a sh es.
7 . Click Next.
C E H L ab M an u al Page 351
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
m LOphtCrack offers remediation assistance to system s.
FIGURE 8.6: Pick Reporting Style
8. Click Finish. LOphtCrack Auditor v6.0.16
־°
x
Bogin Auditing
P
Step LOphtCrack 6 « now ready to b e g n th e w ord aud*ing p ro ce ss Plea se confirm th e f o lo w n g settings an d go b a c k a n d c h a n g e a n y th n g th a t ts not correct
O
Step 2
.__ LOphtCrack lias realtime reporting that is displayed in a separate, tabbed interface.
R etrieve w ords from th e local m achine Perform 'Q uick' w ord audit Display d o m a n w ord belongs to Display p assw ords v41en a udited Display time sp ent auditing e a c h w ord Give visible notification *tfien d o n e a udrtn g S how m ethod u se d to c ra ck w ord
[ / ] S a v e th e s e settings a s s e s a o n defaults Press ■finish'to b e p n audfcng
►Step 5 6«g1n Auditing
FIGURE 8.7: Begin Auditing
9 . LO pntcrack 6 shows an Audit Com pleted message, Click OK. 10. Click S e ssio n options Irom the menu bar.
C E H L ab M an u al Page 352
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Cracked s
J j.
Weak s Pause
־d
Stop
Schedule Scheduled Audit Tasks
Disable Force Expired s
Run y Report LM
LMHash__________________________
,X WIN-D39MR... A d m in istrato r
* m issing *
OCKXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
£ WIN-D39MR... G uest
״m issing *
0000000000000000000000000000000(
J t WIN-D39MR... Jason
* m issing *
0000000000000000000000000000000(
4
* m issing *
Domain
Name
WIN-D39MR... Ju g g y b o y
* m issing
A WIN-D39MR... M artin
״m issing
oooooooooootxxxxxxxxxxxxxxxxxxxx LOphtCrack 6
I
x
0000000000000000000000000000000(
u o rd s t o t a ] 29151 _words_done
10BT5OT?
_______
0000000000000000000000000000000(
Audit c o m p leted .
_______ LtX& sslaezei 0d Oh 0» Os
OK
____tlMS-lSlt _ _ l _־d o n S
III
> 4 X
Messages 0 9 /1 8 /2 0 1 2 0 9 /1 8 /2 0 1 2 0 9 /1 8 /2 0 1 2 0 9 /1 8 /2 0 1 2
1 4 :4 7 :4 8 1 4 :4 7 :5 2 1 4 :4 7 :5 2 1 4 :4 7 :5 2
M u ^ i- c o r e o p e r a tio n w ith 4 c o re s . I m p o r te d 2 a c c o u n ts fro m t h e l o c a l A u d it s t a r t e d . A u d itin g s e s s i o n c o m p le te d .
m a c h in e
FIGURE 8.8: Selecting Session options £ Q LOphtCrack uses Dictionary, Hybrid, Recomputed, and Bmte Force auditing methods.
11. Auditing options For This S e ssio n window appears:
i. Select the Enabled, Crack NTLM P assw ord s check boxes 111 Dictionary Crack.
ii. Select the Enabled, Crack NTLM P assw ord s check boxes 111 Dictionary/Brute Hybrid Crack.
iii. Select the Enabled, Crack NTLM P assw ord s check boxes 111 Brute Force Crack. IV.
Select the Enable Brute Force Minimum Character Count check box.
v. Select the Enable Brute Force Maximum Character Count check box.
12. Click OK.
C E H L ab M an u al Page 353
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
־m
Auditing O ptions For This Session Dictionary C rack
T he Dictionary C ra ck te s ts fo r p a ssw o rd s th a t a re th e sa m e a s th e w ords fcsted in t h e w ord file. This te st * very fa s t a n d finds th e w e a k e s t p a ssw o rd s.
D ictionary List 0
C ra ck NTLM P a ssw o rd s
D ictionary/B rute Hybrid C ra ck [ 2 E nabled
0
*
C h a rac ters to p rep e n d
-
C h a rac ters to a p p e n d
V C rack NTLM P a ssw o rd s Com mon letter su bstitutions (m uch slow er)
*
T h e D ictionary/B rute Hybrid C ra ck te s ts for p a ssw o rd s th a t a re v a n atio n s of th e w ords in th e w ord file. It finds p a ssw o rd s su c h a s D a n a 99 or m onkeys! . This te st is fa st a n d finds w e a k p a ssw o rd s.
P re co m p u ted E ! E n ab led C
Also k n o w n a s r a n b o w ta b le s ', th e P re com puted C rack te s ts fo r p a ssw o rd s a g a r is t a p rec o m p u te d h a s h e s c o n tan -ed n a file or files This te s t is very fast a n d finds p a ssw o rd s c re a te d from th e sa m e c h a r a c te r se t a s th e p re c o m p u te d h a s h e s . P re se rv n g preco m p u ta tio n d a ta s p e e d s up c o n s e c u tiv e m n s r e x c h a n g e for disk s p a c e
Hash File List
Preserve Precomputation Data
Location
T h s c ra c k w o rk s a g a r o t LM a n d NTLM p a ssw o rd s, but n o t U n a B a/te F o rce C rack
g]Enabled
L an g u a g e:
J £ r a c k NTLM P a ssw o rd s
T h e Brute F orce C ra ck te s ts fo r p a ssw o rd s th a t a re m a d e u p of th e c h a r a c te r s sp ecified in t h e c h a r a c te r se t I finds p a ssw o rd s su c h a s "WeR3pfc6s■' o r "vC 5% 6S*12b" T his t e s t is slow a n d finds me
English
a lp h a b e t ♦ n u m b ers C ustom C h a ra c te r S e t (list e a c h c h arac ter): E T N RIOAS D H LCFPU M YG W VBXKQ JZetnrioasd hlcfpumygwvbxkqjzOI 23456789
Brute Force Minimum C h a ra c te r Count Brute Force Maximum C h a ra c te r Count
To
9
נ
E n a b in g a start or e n d point lets you control th e minimum a n d maxim um n u m b e r of c h a r a c te r s to iterate. T h e a c tu a l maxim um c h a r a c te r c o u n t u s e d may vary b a s e d o n h a s h ty p e S p e c fy a c h a r a c te r se t with m ore c h a r a c te r s to c ra c k stro n g e r p a s s w o rd s .
’ QK
Q ancel
FIGURE 8.9: Selecting die auditing options
13. Click Begin ' ' רfrom the menu bar. LOphtCrack cracks the inistrator w ord.
14. A report is generated with the cracked s.
FIGURE 8.10: Generated cracked
C E H L ab M anual P ag e 354
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Lab Analysis Document all die results and reports gathered during die lab.
P LE AS E TALK TO YOUR I N S T R U C T O R IF YOU H AVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved U ser N a m e s:
L O p h tC rac k
י י י י י י
Guest Jason Juggvbov LA N G U A R D _ 11_ Martin
P assw ord F ound: י ■ י
qwerty green apple
Questions 1. W hat are the alternatives to crack s? 2 . W hy is a brute force attack used 111 the LOphtCrack tool?
Internet Connection Required □ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 355
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Cracking Using Ophcrack Ophcrnck is a free open source (GPL licensed) pmgram that cracks Windows n ׳ords by using LM hashes through rainbon ׳tables. ICON KEY Valuable / information . **יTe$t your _____knowledge _______
Web exercise » Workbook review
Lab Scenario 111 a security system that allows people to choose their own s, those people tend to choose s that can be easily guessed. Tins weakness exists 111 practically all widely used systems instead o f forcing s to choose well-chosen secrets that are likely to be difficult to . The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not; we examine common forms of guessing attacks, cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Pooiiy chosen s are vulnerable to attacks based upon copying information. 111 order to be an expert ethical hacker and penetration tester, you must understand how to crack the weak or system using cracking tools. 111 tins lab we show you how to crack system s using Ophcrack.
Lab Objectives The objective o f this lab is to help students learn: Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 356
י
Use the OphCrack tool
■
Crack inistrator s
Lab Environment To earn ־out die lab, you need: "
OphCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System H acking\w ord Cracking Tools\Ophcrack
■
Run this tool on W indows Server 2012 (Host Machine)
■
You can also the latest version o f LOphtCrack from the link h ttp :/ / ophcrack.sourceforge.net/ E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
■
istrative privileges to run tools
■
Follow the wizard-driven installation instructions
Lab Duration Time: 15 Minutes
Overview of OphCrack Rainbow tables for LM hashes of alphanumeric s are provided for free by developers. By default, OphCrack is bundled with tables diat allow it to crack s no longer than 14 characters using only alphanumeric characters.
Lab Task TASK 1 Cracking the
1. Launch the Start m enu by hovering the mouse cursor on the lower-left corner of the desktop.
g | Wndows Server 2012
vnnootfj!xrvff1 0uKetejjeunoioawwucwwr
tvilwtor cc׳pv kud MOO
ןןמישיייעןיימיירזמיי FIGURE 9.1: Windows Server 2012 - Desktop view
2 . Click the OphCrack app to open the OphCrack window.
m You cau also tlie OphCrack from http:/ / ophcrack. sourceforg e.net.
FIGURE 9.2: Windows Server 2012—Apps
3 . Tlie OphCrack main window appears.
C E H L ab M an u al Page 357
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
ophcrackC
1' ם ! ־
Load
Delete
Progress
Statistics
J
4A
11/
Save
Tables
C radt
Help
^
G
Exit
About
Preferences
B Rainbow tables for LM hashes of alphanumeric s are provided for free by the developers
Preload:
w attn g
| Brute force:
waiting
j Pwd found:
0/0
Time e lapsed: |
OhOmQs
FIGURE 9.3: OphCrack Main window
4 . Click Load, and then click PWDUMP file. ophcrack
U/
ב
,•©..י
&
C
Single h a sh PW DUMP file S essio n file
& Ophcrack is bundled with tables that allow s it to crack w ords no longer than 14 characters using only alphanumeric characters
E n cry p te d SAM Local SAM w ith sa m d u m p 2 Local SAM w ith p w d u m p 6 R e m o te SAM
D irectory
Preload: _______ waiting_______| Brute force: |
P rogress
waiting
| Pw dfouxJ:
Fig 9.4: Selecting PWDUMP file
5. Browse die PWDUMP file diat is already generated by using P\\T)U M P 7 111 die previous lab 110:5 (located at c :\h a sh e s.tx t). 6. Click Open
C E H L ab M an u al Page 358
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Open PWDUMP file
0 CO
^
^
Organize ■
available as Live CD distributions which automate the retrieval, decryption, and cracking of s from a Windows system.
Desktop
A
Date modified
Type
9/17/2012 9:25 AM
File folder
Program Files (x86)
9/18/2012 2:18 PM
File folder
j
TFTP-Root
9/4/2012 7:00 PM
File folder
j
s
9/18/20122:35 PM
File folder
8/30/20121:06 PM
File folder
W in d o w s
9/15/2012 3:26 PM
File folder
4 • W in d o w s .o ld
8/7/2012 1:50 AM
File folder
J,.
W in d o w s .o ld .0 0 0
8/8/2012 12:03 AM
File folder
^
.r n d __________________
9/19/2012 9:58 AM
RND File Text Document
j . u sr
(3| Documents
J
Music fc l Pictures Videos
r : ■ Computer Local Disk (C:) . ^ Local Disk (D:)
P
j i . Program Files
Libraries
H
| Search Local Disk (C:)
Name
Recent places
J ) Music
^
C
] I
§ =־- EH m
4 s S
v
*** * Computer ► Local Disk (C:)
New folder
hashes.txt
9/18/2012 3:06 PM
|j6j msdos.sys
9/15/2012 2:53 PM
System file
[A .js
9/6/20124:03 PM
JS File
ן
v, v j [All Files ( * /)
File name: hashes.txt
Open
FIGURE 9.5 import the hashes from PWDUMP file
7. Loaded hashes are shown 111 the following figure. ophcrack
O
Si
«S
iu
Load
Delete
Save
Tables
P rogress
Statistics
j
Preferences
O
o
Crack
| NT H ash
A d m in istra to r
BE40C450AB997...
G uest
3 1d6cfe0d16ae9... C25510219F66F...
LANGUARDJ 1_ M artin
5EBE7DFA074D...
Juggyboy Jason
488CDCDD2225...
Shiela
0CB69488O5F79...
2D20D252A479F...
£ 7 Ophcrack Cracks L M andN TL M Windows hashes Directory
Pretoad: _______ waiting_______] Brute force: |
P rogress
waiting
] Pwd fbcrtd:
FIGURE 9.6 Hashes are added
8. Click Table. The Table Selection window will appear as shown 111 die following figure.
C E H L ab M anual Page 359
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
^ י ז
ophcrack
Progress
IU
',,sg?
Tables
Crack
Table Selection
Statistics 0
D irectory
Table m XP fre e fast
n o t installed
G uest
•
XP f re e sm all
n o t installed
LANGUARD_11_
•
XP special
n o t installed
M artin
# XP g e rm a n v l
n o t installed
Ju g g y b o y
•
XP g e rm a n v2
n o t installed
Jaso n
•
Vista special
n o t installed
Shiela
•
Vista free
n o t installed
•
Vista nin e
n o t installed
•
Vista eight
n o t installed
•
Vista n u m
n o t installed
•
Vista seven
n o t installed
•
XP flash
n o t installed
<• Vista e ig h t XL
& T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Status
A d m in istra to r
n o t installed
III
< •
= e nabled
J = disabled
•
|
>
= n o t n sta le d
B B S S Preload: _______ waiting_______| Brute force: |
waiting
] Pwd fbuxJ:
T«ne elapsed:
Oh 0 וחOs
FIGURE 9.7: selecting die Rainbow table
Note: You can die free XP Rainbow Table, Vista Rainbow Tables from h ttp :// ophcrack.sourcelorge.net/tables.php
9. Select Vista free, and click Install. ״G
Table Selection lable
Directory
XP free fast
not installed
•
XP free small
not installed
9 XP special
not installed
•
XP german v1
not installed
•
XP german v2
not installed
•
Vista special
not installed
| ! • Vista free •
not installec
Vista nine
not installed
# Vista eight •
not installed
Vista num
not installed
<• Vista seven
not installed
*
not installed
XP flash
<• Vista eight XL
not installed
III
<• = enabled
0
Status
•
0
4 = disabled
•
<ן
= not installed
@@ FIGURE 9.8: Installing vista free rainbow table
C E H L ab M anual Page 360
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
10. The Browse For Folder window appears; select the the table_vista_free folder (which is already and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\ Cracking Tools\Ophcrack)
11. Click OK. Browse For Folder Select the directory which contains the tables.
&■ Ophcrack Free tables available for Windows XP, Vista and 7
4
A
J4 CEHv8 Module 05 System Hacking Cracking
4
Windows Crackers
a
A
OphCrack tables_vista_free
I
pwdump7 winrtgen t>
V
steganography
1
III
< Make New Folder
OK
l>
Cancel
12. The selected table vista free is installed,; it shows a green color ball which means it is enabled. Click OK. ?
Table Selection Directory
־fable
& Loads hashes from encrypted SAM recovered from a Windows partition
Status
•
XP free fast
not installed
•
XP free small
not installed
•
XP special
not installed
•
XP german v1
not installed
•
XP german v2
not installed
•
Vista special
net installed
> •
Vista free
C:/Program Files (x86)/tables_vista_free
•
Vista nine
not installec
•
Vista eight
not installed
•
Vista num
not installed
•
Vista seven
not installed
•
XP flash
not installed
Vista eight XL
not installed
III
= enabled
A
on disk
*
< •
x
4 = disabled
*
*
>
# = not installed Install
FIGURE 9.9: vista free rainbow table installed successfully
13. Click Crack: it will crack die as shown 111 die following figure.
C E H L ab M anual Page 361
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
ophcrack
i This is necessary if die generation of die LM hash is disabled (this is default for Windows Vista), or if the is longer than 14 characters (in which case the LM hash is not stored).
Load
Delete
Progress
Statistics
J
«!
a/
^
@
i
Save
Tables
Crack
Help
Bat
Preferences
LM Hash
N T Hash
BE40C450AB997...
Guest
31d6cfe0d16ae9...
LM Pwd 1
LM Pwd 2
N T Pwd
empty
C25510219F66F...
LANGUARD 11_... Martin
5EBE7DFA074D...
apple
Juggyboy
488CDCDD2225...
green
Jason
2D20D252A479F...
qwerty
Shiela
0CB6948805F79...
test
!ab le
Directory
Status
t> 4 Vista f ree
C :/P ro g ram File...
100% in RAM
Progress
FIGURE 9.10: s ate cracked
Lab Analysis Analyze and document the results related to the lab exercise.
P L E A S E TALK TO Y OU R I N S T R U C T O R IF YOU H AVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
I
T o o l/U tility
Information C ollected /O b jectives Achieved
j
Names:
OphCrack
י י י י
Guest LA N G U A R D _ 11_ Martin
־ י י
Juggyb°y Jason Slieiela
Rainbow Table Used: Yista free Found: י י י י
C E H L ab M anual Page 362
apple green qwerty test E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Questions 1. W hat are the alternatives to cracking s?
In te rn e t C o n n ectio n R eq u ired
□ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 363
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
System Monitoring Using RemoteExec System hacking is the science of testing computers and networksfor vulnerabilities andplugging.
Lab Scenario ^_ Valuable information_____ Test your knowledge *A Web exercise m
Workbook review
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. Tliis process requires an active connection to the machine being attacked. A hacker enumerates applications and banners 111 addition to identifying s and shared resources. You should also have knowledge of gaining access, escalating privileges, executing applications, liiduig tiles, and covering tracks.
Lab Objectives The objective o f tins lab is to help students to learn how to:
Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page
י
Modify Add / D elete registry keys and or values
■
Install service packs, patches, and hottixes
■
Copy folders and tiles
י
Run programs, scripts, and applications
■
Deploy Windows Installer packages 111 silent mode
Lab Environment To earn ־out die lab, you need: ■
Remote Exec Tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\Rem oteExec
■
Windows Server 2008 running on the Yutual machine
■
Follow die Wizard Driven Installation steps
E th ica l H a ck in g and C ounterm easures Copyright © by EC -Coundl All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
■
You can also die latest version o f R em oteE xec from the link http://w w w .isdecisions.com /en
■
If you decide to die latest version, dien screenshots shown 111 die lab might differ
■
istrative pnvileges to run tools
Lab Duration Tune: 10 Minutes
Overview of RemoteExec Rem oteExec, die universal deployer for Microsoft Windows systems, allows network s to run tasks remotely.
Lab Task TASK 1
1. Install and launch RemoteExec.
Monitoring System R em oteExec Remotecxec
־מ*כ0כ0ח
rame f*l demote jobs *eco׳ter ^ 5
^׳Ootons
Albws vou מcorftxre. rra vo* 3rd exeats rerro:e jobs. Albws vou מdsjMv r*co׳ts or rencte exsajoons. Albws vou ro sctvAJe renote extortions arc! o*ne־׳ate autara .. ConScu׳e Re*note€»c colors.
© S y s te m Requirements: Target computers can have any of these operating systems: Microsoft Windows 2003/2008 (No Service Pack is required); an istration console with Microsoft Windows 2003/2008 Service Pack 6 , IE5 or more. , able of contert || Quick a:cess |
FIGURE 10.1: RemoteExec main window
2 . To configure executing a file, double-click Remote jobs.
C E H L ab M anual Page 365
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
: 00B
Ne
Virco
י
rep
״
£ Q RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (WAN) as well as on remote machines.
ABows you to dtspa, ׳ ׳eports 0 ׳ ר׳errote execj$o1«׳. Allows youto soedijte ׳errote e<ecjto1׳s snd generate sutoiia.. Configure RcmotcExcc opto!־:.
TaDle ofcontert Quick access
Remote execution requirements: The running RemoteExec needs istrative rights on target computers. Microsoft file and printer sharing (SMB T 445) and ICMP (ping) should be enabled. These protocols also need to be allowed in any firewall between the istration console and target computers.
FIGURE 10.2: RemoteExec configuring Remote jobs
3 . To execute a New Remote job, double-click die New Remote job option diat configures and ex e c u te s a new remote job. Hta
Tool* ]tfn d o *
Help
& 5cnotc€>c< Remote jobs : 0 ^ New rcrrote )cb ; execu%oo ! 1 - 0 Updax rstalafeon | ® •־MSI rstalaMn !■■@1 Systenn acton j— fj Plb CDeraton ; *j: Lcea arrouo ־-r.an־ma..
;■“ ptp
RemoteExecjRerrote jobs
job My Renote J3bs My Remote Actons ^ My Target Computers
Mows you /our favorite remste j»98 /our favorite rarcte actors. Yout favorite taroet conxiter bts.
Mutote aaons j .™ My Renoie Joos i ^ My Rertore Actors : ^ My Target C croj^rs Report־ ־:^j. ScrcdJcr L-4^ Options
E U Configure files to be generated: You see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, “Document generation,” is available to specify the output files. Select a PDF file to be generated in an existing folder. Make sure that the running the task has write access to this folder.
C E H L ab M anual Page 366
Table ofconteni |Quick accea
FIGURE 10.3: RemoteExec configuring New Remote job
4 . 111 a New Remote job configuration you can view different categories to work remotely.
5. Here as an example: we are executing die file execution option. To execute double-click File Execution.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
hie
Tods
Wmiow ׳Hep
E?
V
•
B ^־־:5eno־.eE>ec P.enote (061
}Q 3 £ ^ 0! ■
£ י לTools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
; Ffc execuSon i 1 - 0 Update rstalafon j--j^|MSI rstalaaon HfcSyste»ac*>n j-uT F*? Otxralon 1- ^ ־loca a rra n t ׳rante I ~PLp =״MJtcle actons 5 Nr teoote J>x “ j ^ Mr Rcnote *ctcrc :Nv Taract Ccrojtcn ^ : m jfe Repcrte־ ; ‘“t ScredJcr !״y*Opfcon«
New remote job RemoteExeciRerote jobs/New remote jc
| ) Update retalafion (Si MSI mstalotion {§fc System action Fib Ooo־ation Lccd maintenance S I Popup ( 5 Multtie actions
Instil 5 Marosoft jadaie reretefy. Instil o Windows Instiler >3x>qc rerrctSY. Rcaoot,^Shutoovrn,\V3
I raMe QfcontenT||Quiet access
FIGURE 10.4: RemoteExec configuring File Execution
6. In die File execution settings, browse die executable file, select Interactive from drop-down list of Context, and check the Auto option. Note: Using RemoteExec, you can: Install patches, service packs, and hotfixes Deploy Windows Installer packages in silent mode Run applications, programs, and scripts Copy files and folders
FIGURE 10.5: RemoteExec File execution settings 0 3 Automated reports: You may want to get all these reports automatically by email each time a scheduled attempt has been done. To do this, follow the steps below
7. Configuring die Filter Section: a.
For the OS version, select = from die drop-down menu and specify die operating system.
b. For the OS level, select = from die drop-down menu and select Workstation.
c.
C E H L ab M anual P ag e 367
For the IE version, select >= from die drop-down menu and specify the IE version.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
d. For the Service Pack, select = from die drop-down menu and specify die service pack version. hie
!eia Once installed, RemoteExec aiid its documentation are accessible through die Windows Start menu. By default, RemoteExec is installed in evaluation mode.
Tods
V/niow
Hep
3••3 ^ ־eno:e£>ec 1-1 ^ Reno* jobs • B ^ New rarote tfc
File execution RemoteExeqReirote jobs/New remote job/^le executor
! lo
Update rstaloton MSI rstaloaon * ■: SwteT Kton | 6 -! r -rj) « ? CDraJon ! loai rvamcena •י nitr*e arm NyR«n»»>90c «
Mvk«no:»Actcrc,”
Ny ljr jet (.croj'.efc •ls» Reports ScredJcf ^ ! Opton^ - ' *
^
La-nch
tjfr
L a/rh חוa r»?/» tab
[ §ןSc^edLie save r My Rorct® Jobs 0 OS verson
=■v.||
vwndowe 7/2XB
BO S level
*
H K vcr»n
>- H ] M * 1
^
save r K׳y Remote Acsoot
^
:.. Save r My Target■C»mput«rc
•Hj Wortotatoo
!
□Regecrvvw kM □ Oor't e:<e:j:e scan or a computer wne׳e tne actor a as ahead/ exeo.ee
»״ Coflnoute*׳
FIGURE 10.6: RemoteExec Filter tab C Q t i !e remote job was automatically set with the filter option, “Don’t execute again on a computer where the action was already executed.” So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.
Selecting a Target Computer: Enter die target computer name manually by selecting Name from the drop-down list and clicking OK. tie
B
vn 5
loos
•
noow
־
RenoteExec Rertote Nca• remote jofc
£10
)005
j ()־
I q g a sssH i
_______
F ile ex e c u tio n Re׳roteE>e:/3 emote jobs !New ־׳errcre job/File execution
I MO |
Update n stab ton r | 0 MS n stafexn ; Sysfcn actor i ״ Fie: Opeattjr
^
Laandi
Q?
launch in a new tab
d
Schedule
P
Save n My ׳Remote jx k
_
S5ve n My Remote Actjors
rSf
Lcxd aaomttranKTa... h ■ Poxo = -l§ mJtpfe actons j• ©■־My R ero e Jets
^
Save n My Taraet Cwtdu^s
Ny Rerote Actons Ny T»05t COTOLters Reaxte׳ j••■© Scheduler •יV * Oabors I
;
© C o n fig u re the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select die latest execution, the report is always generated for die latest execution.
C E H L ab M anual Page 368
XJ FIGURE 10.7: RemoteExec Add/Edit a computer
9 . To execute the defined action on die remote computer, click the Launch option 111 the nglit pane of die window.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
e
1 2 3 Schedule th e report: To configure schedule report, click on Schedule in the toolbar and, when prom pted select the task that lias been created previously to install Acrobat Reader.
:c o ls
jg n d w
־Bf3
כ אי׳
•
>
B | ־RemoteExec Remote ;ods 0 © New rerroze job
|
j IS j r | ^־ j-C r :־־tSp
File execution
j“ fl? PopLp NuDoie actiors : ■151 My Remote 3c*» W My Remote *coons My Target C0״xxters S - ii, Reporter S^ediier
0
RemoteExec/Refrote jcbs/Mew remote jOD/^e etecuton
Lpictc nstalaton MSI n stab to a Systen actor File Ope-otwr L3co ecco1ntn־ontenc...
. j ־:.;: ־
(JJ: Launch ir e n ew tab t 3 S ch sd u e Save m My Renote 3005 Efe
Save m My Renote Actiors save mMy Taraet conou:ers
□Don't execjte again on a computer v.+!e־e the acaon was aireacy executec
V45׳00כ0ח
___ FIGURE 10.8: RemoteExec executing the defined action
Lab Analysis Analyze and document die results related to die lab exercise.
P LE AS E TALK TO Y OUR I N S T R U C T O R IF YOU H AVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
T o o l/U tility
In fo rm atio n C o lle cted /O b jec tiv es A chieved File to E x ecu te: Firefox setup 3-6.13.exe
R em o teE x ec C o m p u te r N a m e : W IN-D39M RSHL9E4
In tern et C o n n ectio n R eq u ired □ Yes
0 No
P latform S upported 0 C lassroom
C E H L ab M anual Page 369
0 1Labs
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Hiding Data Using Snow Steganog raphy S n crn ׳is u se d to co rn ea /m essa g es in A S C R te x t ly a p p e n d in g n h ite sp a c e to th e e n d o f lin e s . B eca u se sp a ces a n d ta b s a /e g e n e /a lly n o t v isib le in te x t v ie /1 e /s , A /e w essa g e is e ffe c tiv e ly h id d e n fio m o b serv ers. A t/d f
th e b u it-in e n c ry p tio n is rn e a \ th e m essa g e c a m /o tb e re a d even f
c a su a l
i t is d e te cte d .
Lab Scenario
VZDValuable information
Test your knowledge mk Web exercise ,־!־, Workbook review
Network steganography describes all the methods used tor transmitting data over a network without it being detected. Several methods for liiduig data 111 a network have been proposed, but the main drawback o f most of them is that they do not offer a secondary layer of protection. If steganography is detected, the data is in plaintext. To be an expert ethical hacker and penetration tester, you must have sound knowledge o f footprinting, scanning, and enumeration. Tins process requires an active connection to the machine being attacked.
Lab O bjectives The objective o f this lab is to help students learn: ■
Using Snow steganography to hide tiles and data
■
Hiding tiles using spaces and tabs
Lab Environment To earn ־out die lab, you need: י ^ ־Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 370
Snow located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Whitespace Steganography\SNOW
י
Run tins tool on Windows Server 2012
■
You can also the latest version o f Snow from the link h ttp :/Avww.darks 1de.com .au/snow /
■
If you decide to the la te st version, then screenshots shown the lab might ditter
111
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Duration Tune: 10 Minutes
Overview of Snow Snow exploits die steganograplnc nature of whitespace. Locating trailing whitespace like tinduig a polar bear 111 a snowstorm. It uses die ICE encryption algoridun, so the name is diemadcally consistent.
111 text is
Lab Task 1.
Open a command prom pt and navigate to D:\CEH-Tool\CEHv8 module 05 system hacking\steganography\white sp a ce steganography\snow
2.
Open Notepad and type Hello World! and dien press enter and press die Hyphen key to draw a line below it.
3.
Save die die as ree.txt. ree - N otepad
The encryption algorithm built in to snow is ICE, a 64-bit block cipher also designed by the author o f snow. It runs in 1-bit cipher- (CFB) mode, which although inefficient (requiring a full 64-bit encryption for each bit o f output),
File
Edit
Format
View
Help
H e llo W o rld ! 1
FIGURE 11.1: Contents of ree.txt
4.
Type diis command 111 the command sheU: ree2.txt. It is die name of anodier diat will be created automatically. sn o w -C -m "My s w is s bank accou n t number is 4 5 6 5 6 6 8 4 5 1 2 2 6 3 ” p "magic" re e.txt re e2.txt(m agic is th e w ord, you can type your desired w ord also)
C E H L ab M an u al Page 371
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Command Prompt
׳ ־ן° r * ׳
E:\CEH-ToolsSCEHu8 Module 05 S y stem H a c k in g N s te g a n o g r a p h y \w h ite s p a c e s t e g a n o g r a p h y\S n ow > sn o 1» -C -m ״My s u i s s bank a c c o u n t number i s 4 5 6 5 6 6 8 4 5 1 2 2 6 3 " - p "magi c" r e a d m e .tx t r e a d m e 2 .tx t Com pressed by 23 . '&־/'/. M essage e x c e e d e d a v a i l a b l e s p a c e by a p p r o x im a te ly 5 7 1 . 4 3 x . An e x t r a 8 l i n e s were a d d e d . E:\C EH -Tools\CEH u8 Module 05 S y stem H a c k in g \s t e g a n o g r a p h y \w h it e s p a c e s t e g a n o g r a phy\Snow>
FIGURE 11.2: Hiding Contents of ree, txt and die text in the ree2.txt file
5. N ow die data (‘ My S w iss bank number is 45656684512263 ”) is hidden inside die re e2.txt hie with die contents of ree.txt. I f you want to compress a long message, or one not containing standard text, you would be better off compressing the message externally with a specialized compression program, and bying snow's optional compression step. This usually results in a better compression ratio.
6. The contents ol re e2.txt are ree.txt + My Sw iss bank number is 45656684512263.
7. N ow type sn ow -C -p "magic" Ree2.txt: diis will show die contents of ree.txt.(magic is die which was entered while luding die data). : Command Prompt E:\CEH-ToolsSCEHu8 Module 05 S y stem H a c k in g \s t e g a n o g r a p h y \w h it e s p a c e s t e g a n o g r a H phy\Snow >snou -C -m "My s u i s s bank a c c o u n t number i s 4 5 6 5 6 6 8 4 5 1 2 2 6 3 " - p " n a g i B c" r e a d m e .t x t r e a d m e 2 .tx t ■ C om pressed by 2 3 .37X I M essage e x c e e d e d a v a i l a b l e s p a c e by a p p r o x im a te ly 5 7 1 . 4 3 x . I An e x t r a 8 l i n e s were a d d e d . I E : \ C E H - T o n l s \ 0 F H u 8 M n r i n l e 0 5 R u s t e m H a r k in g \ste g a n o g r a p } 1y \ l ) h i t e s p a c e s t e g a n o g r a H phySSnouI'snow —C - p "m agic" R ea d m e2 .tx t I My s w i s s bank a c c o u n t number i s 4bbbbbU4512263 I E:\C EH-Tools\CEH u8 Module 05 S y stem H a c k in g \ste g a n o g r a p } 1y \w h it e sp a c e s t e g a n o g r a H phy\Snow> I
FIGURE 11.3: Revealing the hidden data o f ree2.txt
8. To check die tile 111 a G U I, open die re e2.txt 111 Notepad and select Edit ^־S elect all. You will see die hidden data inside ree2.txt 111 die form of spaces and tabs.
C E H L ab M an u al Page 372
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
ree2 - Notepad File
Edit
Format
View
_
□
X
Help
H e l l o W o r ld !
(FIGURE 11.4: Contents of ree2.txt revealed with select all option
Lab Analysis Analyze and document die results related to die lab exercise.
P L EA S E TALK TO Y OUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
T o o l/U tility
In fo rm atio n C o lle cted /O b jec tiv es A chieved
Snow Steganography
O u tp u t: You will see the hidden data inside N otepad
Lab Q uestions 1.
How would you lude die data of tiles widi secret data in other tiles?
2. Which encryption is used 111 Snow? In te rn e t C o n n ectio n R eq u ired □ Yes
0 No
P latform S upported 0 C lassroom
C E H L ab M an u al Page 373
0 !Labs
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Viewing, Enabling, and Clearing the Audit Policies Using Auditpol Ajidffpolis a con/n/andin Windons Server2012, Windons Server2008, and Windoirs Server 200J andis leqnhedforqueryingorconfgningan a!iditpolicyatthesnbcafespylevel I CON KEY I7 / Valuable information Test your knowledge ** Web exercise Workbook review
Lab Scenario To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. Tins process requires an active connection to the machine being attacked. A hacker enumerates applications and banners 111 addition to identifying s and shared resources. You should also have knowledge on gaining access, escalating privileges, executing applications, luduig tiles, and covering tracks.
Lab Objectives The objective o f tins lab is to help students learn: י
How to set audit policies
Lab Environment .^ T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
To earn ־out the lab, you need: ■
Auditpol is a built-in com m and in Windows Server 2012
■
You can see the more audit commands from the following link: h ttp :/ / technet.m icrosott.com /enus /library /cc731451 %28v=ws. 100/029.aspx for W indows Server 2012
י
Run diis on Windows Server 2012
Lab Duration Time: 10 Minutes
C E H L ab M an u al Page
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Overview of Auditpol Aucftpd displays information policies.
011
performance and functions to man^xiate audit
Lab Task /get Displays the current audit policy.
1.
Select Start
2.
: A command prom pt will appears as shown 111 die following
Command Prompt.
figure. ־־
: Command Prompt
M ic r o s o f t Windows [U e r s io n 6 . 2 . 8 4 0 0 ]
2 012 M i c r o s o f t C o r p o r a t io n , f i l l r i g h t s r e s e r v e d .
/set Sets the audit policy.
C :\U s e r s \A d m in i s t r a t o r >
/list Displays selectable policy elements.
FIGURE 12.1: Command Prompt in windows server 2012
3. To view all die audit policies, type die following command 111 die command prompt: /backup Saves the audit policy to a file.
C E H L ab M an u al Page 375
auditpol /get /category:*
4.
Press Enter.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
: Command Prompt
si
M i c r o s o f t Windows [ U e r s i o n 6 . 2 . 8 4 0 0 ]
2 0 1 2 M i c r o s o f t C o r p o r a t i o n . A l l ;r i g h t s C :\U sers\A d n in i s t r a t o r > a u d i t p o 1 / g e t S ystem a u d i t p o l i c y C ategory/S ubcategory S y s te m S e c u r i t y System E x t e n s i o n S ysten I n t e g r i t y IPsec D riv e r O th er S y ste n E vents S e c u r i t y S t a t e Ch an g e L ogon/Logoff Logon Logoff Lockout I P s e c Main Mode I P s e c Q u i c k Mode I P s e c E x t e n d e d Mode S p e c i a l Logon O th er Logon/Logoff Events Netw ork P o l i c y S e r v e r U se r / D evice C la i n s O bject Access F i l e S ystem R egistry K ernel O bject SAM C e r tif ic a tio n S ervices A p p lic a tio n G en erated H an d le M a n i p u l a t i o n P il e S hare F i l t e r i n g P l a t f o r m P a c k e t D ro p F i l t e r i n g P la tfo rm C onnection O th er O b ject A ccess Events D e ta ile d F i l e Share R em o v ab l e S t o r a g e C e n tra l P o lic y S ta g in g P r i v i l e g e Use Non S e n s i t i v e P r i v i l e g e Use O t h e r P r i v i l e g e Use E v e n t s S e n s i t i v e P r i v i l e g e Use D e ta ile d T racking P rocess C rea tio n P ro ce ss T erm in atio n DPAPI A c t i v i t y RPC E v e n t s P o l i c y Ch an ge A u t h e n t i c a t i o n P o l i c y Ch an g e A u t h o r i z a t i o n P o l i c y C han ge MPSSUC R u l e - L e v e l P o l i c y C ha n ge F i l t e r i n g P l a t f o r m P o l i c y Ch an ge O t h e r P o l i c y C h an g e E v e n t s A u d i t P o l i c y C h an g e A c c o u n t M an ag em ent
/ restore Restores the audit policy from a file that was previously created by using auditpol /backup.
/ clear Clears die audit policy.
/remove Removes all per- audit policy settings and disables all system audit policy settings.
reserved.
H
/category:♦• S ettin g No No No No No
A uditing A uditing A uditing A uditing A uditing
No No No No No No No No No No
A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing
No No No No No No No No No No No No No No
A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing
No A u d i t i n g No A u d i t i n g No A u d i t i n g No No No No
A uditing A uditing A uditing A uditing
No No No No No No
A uditing A uditing A uditing A uditing A uditing A uditing
<|____________________ hi____________________ ____ [> FIGURE 12.2: Auditpol viewing die policies
5. To enable die audit policies, type die following command 111 die command prompt: auditpol /set /category:"system",'" logon" /success:enable /failureienable
6.
Press Enter. A d m in is tra to r: C om m and P ro m p t
/ resourceSACL Configures global resource system access control lists (SACLs).
D ir e c t o r y S e r v ic e C hanges D ir e c to r y S e r v ic e R e p lic a t io n D e t a ile d D ir e c to r y S e r v ic e R e p lic a t io n D ir e c to r y S e r v ic e A c c e ss A c c o u n t L ogon K e r b e r o s S e r v i c e T ic k e t O p e r a t io n s O th e r A cco u n t Logon E v e n ts K erb eros A u th e n tic a tio n S e r v ic e C r e d e n tia l U a lid a tio n
No No No No
A A A A
u d it in g u d it in g u d itin g u d it in g
No No No No
A A A A
u d it in g u d itin g u d it in g u d itin g
C : \U s e r s \ A d m in is t r a t o r > a u d it p o l / s e t / c a t e g o r y : " s y s t e m " ," a c c o u n t :e n a b le / f a i l u r e : e n a b l e T he com m and u a s s u c c e s s f u l l y e x e c u t e d .
lo g o n 1
): M i s e r s \ A d m i n i s t r a t o r >
FIGURE 12.3: Auditpol Local Security Policies in Windows Server 2012
C E H L ab M anual Page 376
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
7. To check if audit policies are enabled, type die following command 111 die command prom pt auditpol /get /category:* 8.
Press Enter.
Auditpol /g e t [/[:<usemame> | <{sid
}>]]
[ / category:* |
| < {g uid}> [,:< name | < {guid}>
...]] [/subcategory:* |
| < {guid}>[,:
}>...]] [/option:
System Hacking Module 05
Module 05 - System Hacking
System Hacking System hacking is the science of testing computers and networkfor vulnerabilities and plug-ins.
Lab Scenario {— I Valuable intommtion_____ Test your knowledge______ a* Web exercise £Q! Workbook review
hacking 1s one o f the easiest and most common ways hackers obtain unauthorized computer 01 ־network access. Although strong s that are difficult to crack (or guess) are easy to create and maintain, s often neglect tins. Therefore, s are one of the weakest links 111 die uiformation-secunty chain. s rely 011 secrecy. After a is compromised, its original owner isn’t the only person who can access the system with it. Hackers have many ways to obtain s. Hackers can obtain s from local computers by using -cracking software. To obtain s from across a network, hackers can use remote cracking utilities 01 ־network analyzers. Tins chapter demonstrates just how easily hackers can gather information from your network and descnbes vulnerabilities diat exit 111 computer networks and countermeasures to help prevent these vulnerabilities from being exploited 011 vour systems.
Lab Objectives The objective o f tins lab is to help students learn to m onitor a system rem otely and to extract hidden files and other tasks that include:
[ “׳Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
■
Extracting istrative s
■
HicUng files and extracting hidden files
■
Recovering s
■
Monitoring a system remotely
Lab Environment To earn ־out die lab you need: ■
A computer running Windows Server 2012
■
A web browser with an Internet connection
■
istrative pnvileges to run tools
Lab Duration Tune: 100 Minutes
C E H L ab M an u al Page
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Overview of System Hacking The goal o f system hacking is to gain access, escalate privileges, execute applications, and hide files.
stask
1
Overview
Lab Tasks Recommended labs to assist you 111 system hacking: ■ Extracting s Using L ■ Hiding Files Using NTFS Stream s ■ Find Hidden Files Using ADS Spy ■ Hiding Files Using the Stealth Files Tool ■ Extracting SAM Hashes Using PWdump7 Tool ■
Creating die Rainbow Tables Using Winrtge
■ Cracking Using RainbowCrack ■
Extracting s Using LOphtCrack
■ Cracking Using Ophcrack ■ System Monitoring Using R em oteE xec
■ Hiding Data Using Snow Steganography ■
Viewing, Enabling and Clearing the Audit Policies Using Auditpol
■ Recovery Using CHNTPW.ISO
■
System Monitoring and Surveillance Needs Using Spytech Spy Agent
■
Web Activity Monitoring and Recording using Power Spy 2013
■ Image Steganography Using Q uickStego
Lab Analysis Analyze and document the results related to the lab exercise. Give your opinion on the target’s security posture and exposure.
PLEASE TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T IO N S R E L A T E D T O T H I S L AB .
C E H L ab M an u al Page 309
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Extracting s Using L Link Control Protocol (L) ispart of the Point-to-Point (PPP)protocol In PPP communications, both the sending and receiving devices send out L packets to determine specific information requiredfor data transmission.
Lab Scenario l£^7 Valuable information S
Test your knowledge______
*a Web exercise £ Q Workbook review
Hackers can break weak storage mechanisms by using cracking methods that outline 111 this chapter. Many vendors and developers believe that s are safe from hackers if they don’t publish the source code for their encryption algorithms. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge. -cracking utilities take advantage o f weak encryption. These utilities do the grunt work and can crack any , given enough time and computing power. In order to be an expert ethical hacker and penetration tester, you m ust understand how to crack s.
Lab Objectives Tlie objective o f tins lab is to help students learn how to crack s for ethical purposes. 111 this lab you will learn how to:
^^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 310
■
Use an L tool
■
Crack s
Lab Environment To carry out the lab you need: י
L located at D:\CEH-Tools\CEHv8 Module 05 System H acking\w ord Cracking Tools\L
■
You can also the latest version o f L from the link http: / www.lsoft.com/engl1sh/1ndex.htm E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
If you decide to the la te st version, then screenshots shown 111 the lab might differ
■ Follow the wizard driven installation instructions ■ Run this tool 111 W indows Server 2012 ■ istrative privileges to run tools ■ T/IP settings correctly configured and an accessible DNS server
Lab Duration Time: 10 Minutes
Overview of L L program mainly audits w ords and recovers diem 111 Windows 2008 and 2003. General features o f diis protocol are recovery, brute force session distribution, information importing, and hashing. It can be used to test security, or to recover lost s. Tlie program can import from die local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Smtt tile. L s dictionary attack, bmte lorce attack, as well as a hybrid ot dictionary and bmte torce attacks.
Lab Tasks 9
TASK 1
1. Launch the Start menu by hovering the mouse cursor 011 the lower-left corner of the desktop.
Cracking
S | Windows Server 2012
FIGURE 1.1: Windows Server 2012 —Desktop view
2 . Click the L app to launch L.
m You can also L from http: / / www.lsoft.com.
C E H L ab M an u al Page 311
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Start
Server Manager
Windows PowerShell
Computer
Control
T
y
Google Chrome
Hyper-V Manager
L
tet
*9
m
Hyper-V Virtual Machine...
SQL Server Installation Center...
Mozilla Firefox
Global Network Inventory
? Command Prompt
£ Ifflfmrtbfimr
a
©
II
Nmap Zenmap GUI
Woikspace Studio
O
3
Ku
Dnktop
FIGURE 1.2: Windows Server 2012 —Apps
3 . The L main window appears. £ 7 L s additional encryption of s by SYSKEY at import from registry and export from SAM file.
TZI
L File
View
Im port
Session
a c # "יDictionaiy attack
r
► ■6 Hybrid attack
Dictionary word:
Name
Help
0 LM
Ready fo r s recovering
? ״ * * ■ וa r
Brute force attack
I0 NT
0.0000 I <8
>14
% done LM Hash
NT Hash
0 of 0 s were found (0.000%)
FIGURE 1.3: L main window
4 . From die menu bar, select Import and then Import from rem ote com puter.
C E H L ab M an u al Page 312
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
L | File
View | Im port | Session
fh
A
Help
9 e
Im port From Local Computer...
1
Im port From Remote Computer... Im port From SAM File...
Dictionary wc
1
Im port From .LC File...
Name
X done LM Hash
Im port From .LCS File...
NT Hash
Im port From PwDump File... Im port From Sniff File...
C Q l is logically a transport layer protocol according to the OSI model
Ready fo r s recovering
0 of 0 s were found (0.000%)
FIGURE 1.4: Import die remote computer
5. Select Computer nam e or IP ad d ress, select the Import type as Import from registry, and click OK. Import from remote computer File
View
In
Computer OK
Computet name ot IP address: r
Dictionary at!
Dictionary word: Name
□
WIN-039MR5HL9E4
Cancel Help
Import type (•) Import from registry
O Import from memory I I Encrypt transferred data
C Q l c p checks die identity of the linked device and eidier accepts or rejects the peer device, then determines die acceptable packet size for transmission.
Connection Execute connection Shared resource: hpc$ name: : I 0 Hide Ready for w!
FIGURE 1.5: Import from remote computer window
6. The output window appears.
C E H L ab M an u al Page 313
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
_
L [ ־C:\Program Files (x86)\L\pwd80013.txt] File
View
Im port
Session
r
Dictionary attack
Hybrid attack
Dictionary word: Name
LM NO WO.
Guest
S Main purpose of L program is s auditing and recovery in Windows
r
1• © ״*®״ ׳
Brute force attack
1 10
r
^ inistrator
x
Help
a e + l ► 0 !?> י יי r
□
0.0000
NT
NO WO. .
<8
NO WO...
X done
>14
LM Hash
X
NO
BE40C45QAB99713DF.J
NO
NO C25510219F66F9F12F.J
X
NT Hash
^ L A N G U A R D .. . NO WO.
X
NO
- C Martin
NO WO.
X
NO
5EBE7DFA074DA8EE..
S Juggyboy
NO WO.
X
NO
488CD CD D222531279.
■ fi Jason
NO WO.
X
NO
2D 20D 252A479F485C..
- C Shiela
NO WO.
X
NO
0CB6948805F797BF2...
Ready fo r s recovering
1 of 7 s were found (14.286%)
FIGURE 1.6: Importing the Names
7 . N ow select any U ser Name and click the L1L4Play button. 8. Tins action generates s.
־r a :
L - [C:\Program Files (x86)\L\pwd80013.txt.l] File
View
Im port
Session
Help
* o e 0 0 4 H 11 1 1 ^ ־8 ״׳l« M ״מDictionary attack
r
Hybrid attack
Dictionary word: istrate 1
"יBrute force attack 14.2857 *d o n e
/ |7
Starting combination: A Name
LM
Ending combination: AD MINIS TRAT 0 RZZ
NT
<8
£ NO WO... ® G uest
NO WO...
>14 x
NO WO...
x
NT Hash
NO
BE40C45CAB99713DF..
NO
NO
- E lANGUAR...
NO WO...
NO
C25510219F66F9F12F..
^ M a r t in
NO WO... apple
NO
5EBE7DFA074DA8EE
^Qjuqqyboy
NO WO... green
NO
488CDCD D222531279..
^ 3 Jason
NO WO... qwerty
NO
2D20D252A479F485C..
® S h ie la
NO WO... test
NO
OCB6948805F797B F2...
s recovering interrupted
x
LM Hash
5 o f 7 s were found (71.429%)
I
FIGURE 1.7: L generates the for the selected name
Lab Analysis Document all die IP addresses and s extracted for respective IP addresses. Use tins tool only for training purposes.
C E H L ab M anual Page 314
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
P L EA S E TALK TO Y OUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved Remote Computer Name: W IN -D 39MR 5H L 9E 4 Output:
L
Name
-
■ ■ ■ ■
-
Martin Juggvboy Jason Sluela
N T apple green qwerty test
Questions 1. \Y11at is the main purpose o f L? 2 . How do von continue recovering s with L?
Internet Connection Required □ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 315
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Hiding Files Using NTFS Streams A. stream consists of data associated rvith a main file or directory (known as the main unnamed stream). Each fie and directory in N TF S can have multiple data streams that aregenerally hiddenfrom the .
Lab Scenario / Valuable information ' Test your knowledge SB Web exercise m
Workbook review
Once the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems 011 the network. Most often there are matching service, , or s residing 011 each system that make it easy for the attacker to compromise each system in a short am ount o f time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and information. Attackers continue to leverage inform ation 011 each system until they identity s for s that reside 011 highly prized systems including payroll, root domain controllers, and web servers. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to hide files using NTFS streams.
Lab Objectives The objective o f tins lab is to help students learn how to lnde files using NTFS streams.
& T ools
It will teach you how to:
dem onstrated in ■ Use NTFS streams this lab are available in ■ Hide tiles D:\CEHTools\CEHv8 Module 05 System Hacking To carry out the lab you need:
Lab Environment
C E H L ab M an u al Page
■
A com puter running W indows Server 2008 as virtual machine
■
Form atted C:\ drive NTFS
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Duration Tune: 15 Minutes
Overview of NTFS Stream s m
NTFS (New Technology File System) is die standard file system of Windows.
NTFS supersedes die FAT file system as the preferred file system lor Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as unproved lor metadata and die use of advanced data structures.
Lab Tasks Sd. TASK 1
1. Run this lab 111 Windows Server 2008 virtual machine 2 . Make sure the C:\ drive is formatted for NTFS.
NTFS Stream s
3 . Create a folder called m agic on the C:\ drive and copy c a lc .e x e from C :\w indow s\system 32 to C:\magic.
4 . O pen a com m and prom pt and go to C:\magic and type notepad re e.txt 111 com m and prom pt and press Enter.
5. re e.txt 111 N otepad appears. (Click Y es button 11 prom pted to create a new re e.txt file.)
6. Type Hello World! and Save the file.
£ 3 NTFS stream runs on Windows Server 2008
7 . N ote the file siz e o f the re e.txt by typing dir 111 the command prom pt.
8. N ow hide c a lc .e x e inside the re e.txt by typing the following 111 the com m and prompt: type c:\m a g ic\ca lc.ex e > c:\m agic\re e.txt 1c a lc .e x e
C E H L ab M an u al Page 317
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
-lo|x|
(cT Command Prompt C : N n a g ic > n o t e p a d
re a d n e .tx t
C : S n a g ic > d ir U o lu n e i n d r i u e C h a s n o l a b e l . U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y
E Q a stream consists of data associated with a main file or directory (known as the main unnamed stream).
0 9 /1 2 /2 0 1 2 0 9 /1 2 /2 0 1 2 0 1 /1 9 /2 0 0 8 0 9 /1 2 /2 0 1 2
of
C :\n a g ic
0 5 : 3 9 AM < D IR > 0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 ,4 1 6 c a lc . e x e 0 5 : 4 0 AM 12 r e a d n e . t x t 1 8 8 ,4 2 8 b y te s 2 F ile < s > 2 D ir < s > 4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s f r e e
C : \ m a g ic > ty p e
c : \ n a g ic \c a lc . e x e
> c :\n a g ic \r e a d n e . t x t: c a lc . e x e
C :\m a g ic >
FIGURE 2.2: Command prompt with hiding calc.exe command
Type dir 111 com m and prom pt and note the tile size o f re e.txt. [cTT Command Prompt D ir e c to r y 0 0 0 0
9 /1 9 /1 1 /1 9 /1
2 /2 2 /2 9 /2 2 /2
01 01 00 01
2 2 8 2
of
C :\n a g ic
0 5 : 3 9 AM < D IR > 0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 ,4 1 6 c a lc . e x e 12 r e a d n e . t x t 0 5 : 4 0 AM 1 8 8 ,4 2 8 b y te s 2 F ile < s > 4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s fr e e 2 D ir < s >
C : \ n a g ic > ty p e
c : \ n a g ic \c a lc . e x e
> c :\m a g ic \ r e a d m e . t x t : c a l c . e x e
C :\m a g ic > d ir U o lu n e i n d r i u e C h a s n o l a b e l . U o lu n e S e r i a l N u n b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y
t.__ NTFS supersedes the FAT file system as die preferred file system for Microsoft’s Windows operating systems.
0 9 /1 2 /2 0 1 0 9 /1 2 /2 0 1 0 1 /1 9 /2 0 0 0 9 /1 2 /2 0 1
2 2 8 2
of
C :\n a g ic
0 5 : 3 9 AM < 0 5 : 3 9 AM < 1 8 8 ,4 1 6 c a lc . e x e 0 6 : 5 1 AM 0 5 : 4 4 AM 12 r e a d n e . t x t 1 8 8 ,4 2 8 b y te s 2 F ile < s > 4 ,3 7 7 ,4 1 5 ,6 8 0 b y te s f r e e 2 D ir < s >
LJ FIGURE 23: Command prompt with executing hidden calc.exe command
10. Tlie tile s iz e o f the ree.txt should not ch ange. N ow navigate to the directory c:\m agic and d e le te ca lc .e x e .
11. Return to the com m and prom pt and type command: mklink b ack door.exe read m e.txt:calc.exe and press Enter
C E H L ab M an u al Page 318
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
V. A d m in is tra to r Com m and P rom pt 0 9 /1 2 /2 0 1 2 0 1 /1 9 /2 0 0 8 0 9 /1 2 /2 0 1 2
-I□ ! X
0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 ,4 1 6 c a lc . e x e 0 5 : 4 0 AM 12 re a d m e .tx t 2 F ile < s > 1 8 8 ,4 2 8 b y te s 2 D ir < s > 4 ,3 7 7 ,6 7 7 ,8 2 4 b y te s f r e e
C :\m a g ic > ty p e
c :\m a g ic \c a lc .e x e
> c :\ m a g ic \ r e a d m e . t x t : c a l c . e x e
C :\m a g i c > d i r U o lu m e i n d r i u e C h a s n o l a b e l . U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y 0 0 0 0
ffilA stream is a liidden file that is linked to a normal (visible) file.
9 9 1 9
/1 /1 /1 /1
2 /2 2 /2 9 /2 2 /2
01 01 00 01
of
2 2 8 2
C :\m a g ic
0 5 : 3 9 AM < D IR > 0 5 : 3 9 AM < D IR > 0 6 : 5 1 AM 1 8 8 .4 1 6 c a lc . e x e 0 5 : 4 4 AM 12 r e a d m e .tx t 2 F ile < s > 1 8 8 ,4 2 8 b y te s 2 D ir < s > 4 ,3 7 7 ,4 1 5 ,6 8 0 b y te s f r e e
C : \ m a g ic > m k lin k b a c k d o o r .e x e r e a d m e . t x t : c a lc . e x e s y m b o lic l i n k c r e a te d t o r b a c k d o o r .e x e = = = >•> r e a d m e . t x t : c a l c . e x e
u
C :\m a g ic >
-
FIGURE 2.4: Command prompt linking die executed hidden calc.exe
12. Type backdoor, press Enter, and the the calculator program will be ex ecu ted .
HB
-
m im s tra to r C om m and P rom pt
0 9 /1 2 /2 0 1 2
0 5 : 4 0 AM 2 F ile < s > 2 D ir < s >
C :\m a g ic > ty p e
122 r e a d m e . t x t 1 1 8 8 ,. 4 2 8 b y t e s 4 ,3 7 7 ,6 7 7 .8 :
c : \ m a g ic \c a lc .e x e
> c :S
1
C :\m a g ic > d ir U o lu m e i n d r i v e C h a s n o l a b e l . U o lu m e S e r i a l N u m b e r i s 3 4 C 9 - D 7 8 F D ir e c to r y 0 0 0 0
9 /1 9 /1 1 /1 9 /1
2 /2 2 /2 9 /2 2 /2
012 012 008 012
of
r
C :\m a g ic
< D IR > 0 5 :3 9 AM < D IR > 0 5 :3 9 AM 1 8 8 ,4 1 0 6 :5 1 AM 0 5 :4 4 AM 1 8 8 ,4 2 F ile < s > 4 ,3 7 7 ,4 1 5 ,6 2 D ir < s >
1
C :\ m a g ic > m k lin k b a c k d o o r .e x e r e a d n e . t i s y m b o lic l i n k c r e a te d f o r b a c k d o o r .e x t C :\m a g ic )b a c k d o o r
| 1 ־1 _!ע ע_ו _lI_lI.ע _lI_u_lI.ע _lI _l.ע Backspace
CE
sqrt |
_ !_ 1 .
MR |
j d
MS |
C : \ m a c r ic >
1/x |
y
FIGURE 2.5: Command prompt with executed hidden calc.exe
Lab Analysis Document all die results discovered during die lab.
PLEASE TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T IO N S R E L A T E D T O T H I S L AB .
C E H L ab M anual Page 319
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Tool/Utility NTFS Streams
Information Collected/Objectives Achieved Output: Calculator (calc.exe) file executed
Questions 1. Evaluate alternative m ethods to hide the other exe files (like calc.exe).
Internet Connection Required □ Yes
0 No
Platform Stipported 0 Classroom
C E H L ab M an u al Page 320
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
3 Find Hidden Files Using ADS Spy A ds Spy is a tool used to list, view, or deleteAlternate Data Stream (AD S) on Windons Server2008 nith N T F S filesystems. I CON
KEY
/ Valuable information S
Test your knowledge
m. Web exercise ffi! Workbook review
Lab Scenario Hackers have many ways to obtain s. Hackers can obtain s from local computers by using -cracking software. To obtain s from across a network, hackers can use remote cracking utilities or network analyzers. Tins chapter demonstrates just how easily hackers can gather inform ation from your network and describes vulnerabilities that exit in com puter networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to find hidden files using ADS Spy.
Lab Objectives The objective o f tins lab is to help students learn how to list, view, or delete A lternate Data Stream s and how to use them. It will teach you how to:
t£~Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 321
■
Use ADS Spy
■
Find hidden tiles
Lab Environment To carry out the lab you need: י
ADS Spy located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream D etector Tools\ADS Spy
■
You can also the latest version o f ADS Spy from the link http: / / www.menjn.11u/program s.php#adsspv
■
It you decide to the la te st version, then screenshots shown 111 the lab might differ
■
Run tins tool 111 W indows Server 2012 E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Lab Duration Tune: 10 Minutes
Overview of ADS Spy ן1 ^ ןחרjj-,5 (^ternate Data Stream) is a technique used to store meta-info on files.
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) 011 Windows Server 2008 with NTFS file systems. ADS Spy is a method o f stonng meta-information o f files, without actually stonng die information inside die file it belongs to.
Lab Tasks m. TASK 1 Alternative Data Streams
1.
Navigate to the CEH-Tools director} ־D:\CEH-Tools\CEHv8 Mod S ystem Hacking\NTFS Stream D etector Tools\ADS Spy
2 . Double-click and launch ADS Spy. ADS Spy v1.11 - Written by Merijn Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not ^ visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious! [v
(• Quick scan (Windows base folder only) C Full scan (all NTFS drives)
J
C Scan only this folder: |7 Ignore safe system info data streams fencryptable', ,Summarylnformation'. etc) [ ־־Calculate MD5 checksums of streams' contents Scan the system for alternate data streams
KlADS Spy is a small tool to list, view, or delete Alternate Data Streams (ADS) on Windows 2012 with NTFS file systems.
Remove selected streams
[Ready”
FIGURE 3.1 Welcome screen of ADS Spy
3 . Start an appropriate sca n that you need. 4 . Click Scan th e sy stem for alternate data stream s.
C E H L ab M an u al Page 322
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
ADS Spy v1.11 - Written by Merijn Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not /*. visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious! v
£ ־ADS are a w ay of storing metainformation regarding files, without actually storing the information in the file it belongs to, carried over from early MacOS compatibility
C Quick scan (Windows base folder only) | (» Full scan (all NTFS drives)| C Scan only this folder:
A
11? Ignore safe system info data streams ('encryptable', 'Summarylnformation', etc)| r
j
Calculate MD5 checksums of streams' contents Scan the system for aiternate data streams
j|
Remove selected streams
C:\magic\ree tx t: calc.exe (1051648 bytes) C:\llsers\\Documents: {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) □ C:\s\\Favorites\Links\Suggested Sites.url: favicon (894 bytes) CAsV\dministrator\My Documents: {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) CAWindows.old.000\Documents and Settings\\Favorites\Links\Suggested Sites.url: favicon (8! □ C:\Windows.old.OOO\s\\Favorites\Links\Suggested Sites.url: favicon (894 bytes)
|Scan complete, found Galternate data streams (ADS's).
FIGURE 3.2 ADS Spy window with Full Scan selected
5. Find the ADS hidden info file while }*ou scan the system for alternative data streams.
6. To remove the Alternate Data Stream, click R em ove s e le c te d stream s. ADS Spy v1.11 - Written by Merijn Alternate Data Streams (ADS) ate pieces of info hidden as metadata on files on NTFS drives. They are not visible in Explorer and the size they take up is not repotted by Windows. Recent browser hijackers started using ADS to hide theit files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they ate malicious!
C Quick scan (Windows base folder only) (* Full scan (all NTFS drives) C Scan only this folder:
J
1✓ Ignore safe system info data streams ('encryptable', ‘Summarylnformation', etc)
& Compatible with: Windows Server 2012, 20008
r
Calculate MD5 checksums of streams' contents Scan the system for alternate data streams
□ □ □ *׳׳
Remove selected streams
C:\magic\ree.txt: calc.exe (1051G48 bytes) C\s\\Documents : {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) C.As'1n1strator\Favor1tes\Links\Suggested Sites.url: favicon (894 bytes) C:\s\\My Documents: {726BGF7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes) /Windows.old.000\Documents and SeKings^drnini$tfat0f\Fav0rites\Links\Suggested Sites.url: favicon (8 C:\Windows.oldOOO\s\\Favorites\Links\Suggested Sites.url: favicon (894 bytes)
|Scan complete, found S alternate data streams (ADS's).
FIGURE 3.3: Find die hidden stream file
C E H L ab M anual P ag e 323
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Analysis Document all die results and reports gathered during die lab.
P LE AS E TALK TO Y OU R I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved Scan Option: Full Scan (all NTFS drives)
ADS Spy
Output: ■ ■
Hidden files with its location Hidden files size
Questions 1. Analyze how ADS Spy detects NTFS streams. Internet Connection Required □ Yes Platform ed 0 Classroom
C E H L ab M an u al Page 324
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Hiding Files Using the Stealth Files Tool Stealth F/'/es use aprocess called steganography to hide anyfiles inside of anotherfie . It is an alternative to encryption offiles.
■con key ־־Lab Scenario / Valuable information_____ Test your knowledge sA Web exercise m
Workbook review
The Windows N T NTFS hie system has a feature that is not well documented and 1s unknown to many N T developers and m ost s. A stream 1s a hidden file that is linked to a norm al (visible) file. A stream is not limited 111 size and there can be more than one stream linked to a normal tile. Streams can have any name that complies with NTFS naming conventions. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to hide tiles using the Stealth Files tool. 111 this lab, discuss how to tind hidden tiles inside o f other tiles using the Stealth Files Tool.
Lab Objectives The objective o f this lab is to teach students how to hide files using the Stealth Files tool. It will teach you how to:
— Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 325
■
Use the Stealth Files Tool
■
Hide tiles
Lab Environment To carry out tins lab you need: ■
Stealth Files tool located at D:\CEH-Tools\CEHv8 Module 05 System H acking\Steganography\Audio Steganography\Stealth Files
■
A com puter running Window Server 2012 (host machine)
■
You can also the latest version o f Stealth Files from the link http://w w w .froebis.com /engl 1sh /sf 40 .shtml
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
If you decide to the la te st version, then screenshots shown in the lab might differ
■
istrative privileges to run the Stealth files tool
■
Run this tool 111 Windows Server 2012 (Host Machine)
Lab Duration Time: 15 Minutes
Overview of Stealth Files Tool £U Stenography is the art arid science of writing hidden messages.
Stealth files use a process called steganography to lude any tiles inside o f another .
.
.
.
.
7
.
.
me. It is an alternative to encryption ot files because no one can decrypt tlie encrypted information or data from die files unless they know diat die ludden files exist.
Lab Tasks B
TASK 1
Stenography
1. Follow the wizard-driven installation instructions to install Stealth Files Tool.
2. Launch Notepad and write Hello World and save the file as R e e.txt on the desktop. re e - N otepad File
Edit
Format
View
Help
f l e l l o W o rld !
& Stealth Files u se s a process called steganography to hide any file or files inside of another file
FIGURE 4.1: Hello world in ree.txt
3. Launch the Start m enu by hovering the mouse cursor on the lowerleft corner o f the desktop.
C E H L ab M anual Page 326
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
FIGURE 4.2: Windows Server 2012 —Desktop view
4 . Click the Stealth Files 4.0 app to open the Stealth File window.
m You can also Stealth File from http: / /www. froebis. com.
FIGURE 4.3: Windows Server 2012 —Apps
5. The main window o f Stealth Files 4.0 is shown 111 the following figure.
This is an alternative to encryption b ecau se no one can decrypt encrypted information or files unless they know that the hidden files exist.
FIGURE 4.4: Control of Stealth Files
C E H L ab M anual P ag e 327
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
6. Click Hide Files to start the process of hiding the files. 7 . Click Add files.
ם
Stealth Files 4.0 - Hide Files... Step 1 ■Choose Source Files:
S Before Stealth Files hides a file, it compresses it and encrypts it with a . Then you must select a carrier file, which is a file that contains die hidden files
Destroy Source Filesl Remove Selected Files! Step 2 • Choose Carrier File:
I r
^־J Create a Backup of the Carrier File!
Step 3 ■Choose :
FIGURE 4.5: Add files Window
8. In S te p l, add the C a lc.ex e from c:\w in d ow s\system 32\calc.exe. & Stealth Files 4.0 can be ed from the link: http://www.froebis ■com/english/sf40. shtml
C E H L ab M an u al Page 328
9 . In Step 2 , choose the carrier file and add the file R e e.txt f r o m the desktop.
10. In Step 3, choose a such as m agic (you can type any desired ).
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
13
Stealth Files 4.0” Hide Files...
!“ Iם
\ x
Step 1 ■Choose Source Files: C:\W1ndows\Sj1stem32Vcacls.exe
5 You can also
remove the hidden files from the carrier file by going to Remove Hidden Files and following the instructions
I-
Destroy Source Filesl Add Files!
|
Remove Selected Files!
Step 2 Choose Carrier File. C:\Use1s\\Desktop\ree.txt I-
:d
Create a Backup of the Carrier File! Choose :
magic)
I Hide Files! |
FIGURE 4.6: Step 1-3 Window
11. Click Hide Files. 12. It will hide the file c a lc .e x e inside the re e.txt located on the desktop.
13. O pen the notepad and check the file; c a lc .e x e is copied inside it. re e ־N otepad File
Edit
F orm at
V iew
I ~ I ם
:
H elp
)H e llo W o rld !
&T When you are ready to recover your hidden files, simply open them up with Stealth Files, and if you gave the carrier file a , you will prompted to enter it again to recover die hidden files
h e h jlfc le d im m a ia lm o k b m p p o n ie g m b k ln n h a c d a h h h n o k e b ib jb ie h a a lb p o f p p h ifh lb k id o fh a k n b in k a d c a jjb p iia n jd h ib o b ig a g d g jo b p b fo jh k g g e e ia b id jn c n ffb e a k jg h fb c c m h h iim h p p ip h m n e o m k b k h fc b d a fc p c h im g b ifjc id j lo c g fih d d ilm c fd m c fo fd n c jd c o n g p b c ja d je b o b p n o e g d d b c jk n b jb k k n h a e b lo c d k flm p n fc g jo b k lb c p g o k h h le llim fp fn c p ig o p o p d e g in a a o e g c k k p c k m g le o n m b fn g b ln b h c ik fd h k m g io d c fg n lg g o a d d c a jm p ip fib h p p g g c g im m k a d n j e b fb ld fd d fo ie a e lg n p p id m p jd g m h o p ije h lik e b lfn h o ifla m a d a m p a p b e e c a k lfg p h fn a b d jm m e p b b g k h d c jp d p a m c jfc ld k e o m fb n c jd p e k p ja ib p c ie p o lb k m e le p h c p f jp ik f ic k lf a k o o n n jle h b b jd a d a ip h k jg n o n ie lje a h fp a la p p d b a c ile n o id lh ib e k p b h e jm ifn g f h f a p m h a fb lifh lc g ia e b k ijik g o h d a g e e b ip b o p c k h je h ip o c e k jo ip e n d e o e a llb a k e p m k d d n e im b fg ie lb m b o o k ia d e lllm n j in ffm o n b k lk k a d p a h ifk p la n a b k d p p b fd c io a ja e k k p p n c g o jg d n h lk jm o fm n g o e g jh k n m c ifjg jc p o fo c ie d c b fp fm k lm b e m o iib jjd e n jk n lm n lm c io n e o ik n i lh k n je a p o n o b m k a lijm p lh m la fjfp a fk g fb d b lh fc b d n m jia e g n p k m n h e ih ie c fn ln a dn n o a o n eo p o o p b b ag m d a oh m e kd gfce kcn b cg m injem e g p nn h e in o ilg e j o o ig lc d h a c lc h jlh d g ib o o h e m b n a p m k m e p a o k jc h h g c jb id fh a k c lg fb m a p n b d o p k m e g fo a n e g d m lm fo n fn o p b k e h o n e in c d h ln o e fa h b n ifd jb d lg b h ije jc e ia kam gkajbbn ln d b ig ga g m cg nb n m a foh o g a ckcd n khb o m g o fp d e g ib ikm jm d p fkg
FIGURE 4.7: Calc.exe copied inside notepad.txt
14. N ow open the Stealth files Control and click Retrieve Files. C E H L ab M anual Page 329
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
t
\ Stealth Fi1es 4.0
S Pictures will still look the same, sound file will still sound die same, and programs wTill still work fine
&■ These carrier files will still work perfecdy even with the hidden data in diem
a
Hide Files
©
Retrieve Files
□
Remove Hidden Files
e
About Stealth Files
-־
Close Program FIGURE 4.8: Stealth files main window
15. 111 Step 1, choose the tile (Ree.txt) from desktop 111 which you have saved the c a lc .e x e .
16. 111 Step 2, choose the path to store the retrieved hidden file. 111 the lab the path is desktop.
17. Enter the m agic (the that is entered to liide the tile) and click on R etrieve Files! Stealth File! 4.0
S
This carrier file can be any of these file types: EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files
-
Retrieve Files...
I ־־1 ם
T x
- Step 1 ■Choose Carrier File: C: \U sers\\D esktopVree. txt I-
z l
Destroy Carrier File!
Step 2 - Choose Destination Directory: C :\ll sersV'.dministtatorVD esktop\
d
r Step 3 • Enter : | magic|
Retrieve Files!
FIGURE 4.9: Retrieve files main window
18. The retrieved file is stored on the desktop.
C E H L ab M anual Page 330
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
0 5 Vorslon; IP Address MAC Addr•••: Host Name
Windows NT 62 (non•) D4 BE 09 CJ CE 20 WIN-039MR6HL9E4
Qs- You can transfer the carrier file through die Internet, and die hidden files inside will transfer simultaneously.
FIGURE 4.10: Calc.ese running on desktop with the retrieved file
Lab Analysis Document all die results and reports gadiered during die lab.
P LE AS E TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved H id d e n Files: Calc.exe (calculator)
S tealth Files T ool
R etrieve File: ree.txt (Notepad) O u tp u t: Hidden calculator executed
Questions 1. Evaluate other alternative parameters tor hiding files. Internet Connection Required □ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 331
0 !Labs
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab
Extracting SAM Hashes Using PWdump7 Tool Pn׳dump7 can alsobeusedto du/uppmtectedpiles You canalways copya used'ft/eb)[justexecuting pnduffp7.exe -dc\lakedf11e.datbackjip-hxhdfiledot Iconkey
Lab Scenario [£Z7 Valuable iiiformation_____
s are a big part ot this m odern generation. You can use the for your system to protect the business or secret inform ation and you may choose to limit access to your PC with a W indows . These s are an im portant security layer, but many s can be cracked and while that is worry, tliis clunk 111 the arm our can come to your rescue. By using cracking tools or cracking technologies that allows hackers to steal can be used to recover them legitimately. 111 order to be an expert ethical hacker and penetration tester, you must understand how to crack s. 111 tins lab, we discuss extracting the hashes to crack the .
Test your knowledge =
Web exercise Workbook review
Lab Objectives Tins lab teaches you how to: ■
Use the pwdump7 tool
■
Crack s
Lab Environment To carry out the lab you need:
_^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 332
■
Pwdump7 located at D:\CEH-Tools\CEHv8 Module 05 System H acking\w ord Cracking Tools\pwdum p7
■
Run tins tool on W indows Server 2012
■
You can also the latest version o f pwdump7 from the link http:/ / www.tarasco.org/security/pwdum p 7 / 111dex.html
■
istrative privileges to run tools E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
T/IP settings correctly configured and an accessible DNS server
■
Run this k b in W indows Server 2012 (host machine)
Lab Duration Time: 10 Minutes
Overview of Pwdump7 Pw dum p 7 can be used to dum p protected tiles. You can always copy a used file just by executing: pwdum p 7 .exe -d c:\lockedf 11e.dat backup-lockedf 11e.dat. Icon key
Lab Tasks 1. O pen the com m and prom pt and navigate to D:\CEH-Tools\CEHv8 Generating H ashes
Module 05 S ystem H acking\w ord Cracking Tools\pwdump7.
2 . Alternatively, you can also navigate to D:\CEH-Tools\CEHv8 Module 05 S ystem H acking\w ord Cracking Tools\pwdump7and right-click the pwdump7 tolder and select CMD prompt here to open the
com m and prom pt. Ad mi ni straton C:\Wi ndows\system32\cmd.exe [ D :\C E H -T o o ls \C E H v 8 Hrac ke t*s \p w d u m p 7 >
& Active directory w ords are stored in the ntds.dit file and currently the stored structure
M o d u le 05 S y s te m H a c k in g \ P a s s w o r d C r a c k in g M J in d o w s
P a s s w o rd C
FIGURE 5.1: Command prompt at pwdump7 directory
3 . N ow type pw dum p7.exe and press Enter, which will display all the hashes.
C E H L ab M an u al Page 333
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
: Command Prompt :\ C E H - T o o ls \ C E H u 8 M o d u le 05 S y s te m H a c k in g \ P a s s w o rd C ra c k in g S W in d o w s a c k e rs \ p w d u n p 7 ) pwdum p?. exe w dunp v V . l - ra w p a s s w o rd e x t r a c t o r u t h o r : A n d re s T a r a s c o A c u n a r l : h t t p : / / w w w .5 1 4 .e s A d m i n i s t r a t o r :5 0 0 :N O ***** D 4 7 :: : G u e s t :5 0 1 :N O ** ** * ** * * * *** LA N G U A R D _1 1 _U S E R :1 0 0 6 :N O * A67B960: : : M a rt i n :1 0 1 8 :N O ******-***** J u g g y b o y :1 0 1 9 :N O * ******** J a s o n :1 0 2 0 :N O WORD*-**■*■***■*■**-*■* S h i e l a :1 0 2 1 :N O * * * * * * * * * * * :\ C E H -T o o ls \ C E H u 8 ac ke r s Spwdump7 >
& Always copy a used file just executing: pwdum p7.exe -d c:\lockedfile.dat backuplockedfile.dat.
P a s s w o rd C
*: BE40 C 45 0 A B 99 7 13 D F1 ED C 5 B 4 0C 2 SA *:NO * * :C 2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F C 9 B E 6 6 2 * :5 E B E 7 D F A 0 7 4 D A 8 E E 8 A E F 1 F A A 2 B B D E 8 7 6 : : : * * * :4 8 8 C D C D D 2 2 2 5 3 1 2 7 9 3 E D 6 9 6 7 B 2 8 C 1 0 2 5 : * :2 D 2 0 D 2 5 2 A 4 7 9 F 4 8 5 C D F 5 E 1 7 1 D 9 3 9 8 5 B F :: : * * :0 C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 A 8 2 8 0 7 9 7 3 B 8 9 5 3 7 :: :
M o d u le 05 S y s te m H a c k in g S P a s s w o rd C ra c k in g V W in d o w s
P a s s w o rd C
FIGURE 5.2: pwdump7.exe result window
4 . N ow type pw dum p7.exe > c:\h ash es.txt 111 the com m and prom pt, and press Enter.
5
Tins com m and will copy all the data ot pw dum p7.exe to the c:\h a sh es.tx t file. (To check the generated hashes you need to navigate to the C: drive.) hashes.txt - Notepad File
Edit
Format
View
Help
( A d m in i s t r a t o r : 5 0 0 : NO * * * * * * * * * * * ״ * * * * * * * * ״: BE40C450AB997 13DF1EDC5B4 0C25 AD4 7 G u e s t: 5 0 1 : NO * * * ״ ״ ״ ״ * * ״ ״ ״ ״ * * ״ ״ ״ ״ ״ ״: NO * * ״ ״ ״ ״ ״ ״ ״ * ״ ״ ״ ״ ״ ״ ״ ״ * ״ ״: : : LANGUARD_11_: 1 0 0 6 : NO * * * * * * * * * * * * * ״ ״ * * * ״ ״ ״: C2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F C9 B E 6 6 2 A 6 7 B 9 6 0 M a r t i n :1 0 1 8 :NO P A S S W O R D * * * * * * * * * * * * * * * 5 : ״ * * * ״ ״EBE7DFA074DA8EE8AEF1FAA2BBDE876
Duggyboy : 1 0 1 9 : NO P A S S W O R D * 4 8 8 : * * ״ * * * * * * * * * * * * * * * * ״CDCDD2225312793ED6967B28C1025 3 a s o n :1 0 2 0 :N O P A S S WOR D * * * * * 2 : * * * * * * * * * * * * * * * ״D20D252A479F485CDF5E171D93985BF S h i e l a :1 0 2 1 :NO P A S S W O
R
D
* * * * 0 : ״ * * * * * * ״ * * ״ ״ * ״ ״ ״ ״CB6948805F797BF2A82807973B89537
FIGURE 5.3: hashes.txt window
Lab Analysis Analyze all the hashes gathered during die lab and figure out what die was.
C E H L ab M anual Page 334
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
P L EA S E TALK T O YOUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved O u tp u t: List o f and Hashes
PW dum p7
■ ■ Guest ■ Lauguard ■ Martin ■ Juggyboy ■ Jason ■ shiela
Questions 1. W hat is pwdum p 7 .exe com m and used for? 2 . How do you copy the result o f a comm and to a file?
Internet Connection Required □ Yes
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 335
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Creating the Rainbow Tables Using Winrtgen Winrtgen is a graphical ־Rainbow Tables Generator that s/ippo/ts LM , FastLM, N TLM , LMCHALL> H aljLM CH ALL, K T IM C H A L L , M SCACH E, MD2, MD4, MD5, SH A 1, RIPEMD160, M jSO LJ23, M ySQ LSH AI, CiscoPIX, O RACLE, SH A -2 (256), SH A -2 (384) and SFL4-2 (512) hashes.
Lab Scenario
ICON KEY [£II7 Valuable information
111 computer and information security, the use ot is essential for s to protect their data to ensure a seemed access to dieir system or machine. As s become increasingly aware o f the need to adopt strong s, it also brings challenges to protection o f potential data. 111 diis lab, we will discuss creating die rainbow table to crack the system s’ s. 111 order to be an expert ethical hacker and penetration tester, you must understand how to create rainbow tables to crack the .
Test your knowledge == Web exercise m
Workbook review
Lab Objectives The objective o f this lab is to help students how to create and use rainbow table to perform system hacking.
Lab Environment To earn ׳out die lab, you need:
^^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 336
■
Winrtgen Tool located at D:\CEH-Tools\CEHv8 Module 05 S ystem Hacking\Rainbow Table Creation Tools\Winrtgen
■
A com puter running Window Server 2012
■
You can also the latest version o f Winrtgen from the link http: / / www.ox1d.it/ projects.html
■
If you decide to the latest version, then screenshots shown 111 the lab might differ E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
■
Run this tool 011 Windows Server 2012
■
istrative pnvileges to run tins program
Lab Duration Time: 10 Minutes You can also Winrtge from
Overview of Rainbow Table
s lunj/www 0x1dlt/p10ject A rainbow table is a precomputed table for reversing cryptograpliic hash functions, usually for cracking hashes. Tables are usually used 111 recovering plaintext s, up to a certain length, consisting o f a limited set of characters.
Lab Task TASK 1 Generating Rainbow Table
1. Double-click die winrtgen.exe tile. The main window of winrtgen is shown 111 die following tigure.
r ־
W inrtgen v2.8 (Rainbow Tables Generator) by mao Filename
Add T able
m
Rainbow tables usually used to crack a lot of hash types such as
Status
Remove
About
Remove All
OK
Exit
FIGURE 6.1: winrtgen main window
2 . Click die Add Table button.
N T L M , M D 5 , SH A1
C E H L ab M an u al Page 337
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
-
W inrtgen v2.8 (Rainbow Tables Generator) by mao
ם
x
£ Q You can also Winrtge from http://www.oxid.it/project s.html.
III
Add Table
Remove
Remove All
OK
About
Exit
FIGURE 6.2: creating die rainbow table
3 . Rainbow Table properties window appears: i. Select ntlm from the Hash drop-down list 11. Set die Min Len as 4, die Max Len as 9, and the Chain Count o f 4000000
iii. Select loweralpha from die Charset drop-down list (diis depends on the ). 4.
Click OK. R ain bow Table p rop erties r
Hash |ntlm
£ v T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Min Len I4
-M ax Len rIndex 1°
I9
Chain Len—
Chain Count —
|2400
I4000000
|abcdefghiiklmnopqrstuvwxyz Table properties Key space: 5646683807856 keys Disk space: 61.03 MB Success probability: 0.001697 (017%) Benchmark
Optional parameter
Hash speed:
|
Step speed: Table precomputation time: Total precomputation time: Max cryptanalysis time: Benchmark |
FIGURE 6.3: selecting die Rainbow table properties
5. A file will be created; click OK.
C E H L ab M an u al Page 338
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
x
W inrtgen v2.8 (Rainbow Tables Generator) by mao Filename
Status
ntlm_lowe(alpha#4-9_0_2400x4000000_oxid8000.rt
III
Add Table
Remove
Remove All
OK
About
Exit
FIGURE 6.4: Alchemy Remote Executor progress tab window
Creating the hash table will take some time, depending on the selected hash and charset.
Note: To save die time tor die lab demonstration, die generated hash table is kept in die following !older: D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation ToolsYWinrtgen
m
You must be careful of your harddisk space. Simple rainbow table for 1 —5 alphanumeric and it costs about 613MB of your harddisk.
Created a hash table saved automatically 111 die folder containing
7.
winrtgen.exe.
י
Winrtgen
'L
5 CEHv8 M o d u le 05 S y stem H acking
־&־Favorites ■
D esktop
J§ . D o w n lo ad s %
^
R ecen t pla ce s
► R ainbow T able C re ation T ools ► W inrtgen
v
C
Search W inrtgen
N am e
D ate m od ifie d
T ype
M c h arset.tx t
7/1 0 /2 0 0 8 &29 PM
T ext D o c u m e n t
|□
ntlm _low eralphag4-6_0_2400x4000000_ox... |
9/18/201211:31 A M
RT File
H! w in rtg en .e x e
7 /1 0 /2 0 0 8 1 0 :2 4 PM
A pplic ation
□
7/1 0 /2 0 0 8 10:33 PM
SJG File
w inrtgen.e xe.sig
Size 6KB 62,500 KB 259 KB 1 KB
Libraries [ J D o c u m e n ts M usic II■! P ictu res H
Videos
C o m p u te r &
Local Disk ( C )
1 m N ew V o lu m e (D:)
4 ite m s
1 ite m se le c te d 61.0 MB
State: Q
S hared
FIGURE 6.5: Generated Rainbow table file
C E H L ab M anual Page 339
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Analysis Analyze and document the results related to the lab exercise.
Tool/Utility
Information Collected/Objectives Achieved P urpose: Creating Rainbow table with lower alpha
W inrtge
O u tp u t: Created Rainbow table: ntlm_lowe 1־alpha# 4 -
6_ 0_ 2400X 4000000_ o x ...
P L E A S E TALK TO Y OU R I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Internet Connection Required D Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 340
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Cracking Using RainbowCrack Rainbon'Crack is a computerprogram thatgenerates rainbow tables to be used in cracking.
Lab Scenario 1'— J Valuable mforination_____ Test your knowledge______ a s Web exercise m
Workbook review
Computer s are like locks on doors; they keep honest people honest. It someone wishes to gam access to your laptop or computer, a simple will not stop them. Most computer s do not realize how simple it is to access die for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is for someone to gain access to your computer? Windows is still the most popular operating system, and die method used to discover the is die easiest. A hacker uses cracking utilities and cracks vour system. That is how simple it is for someone to hack your . It requires 110 technical skills, 110 laborious tasks, onlv simple words 01 ־programs. 111 order to be an ethical hacker and penetration tester, you must understand how to crack . 111 tins lab we discuss how to crack guest s or s using RainbowCrack.
Lab Objectives £ ~ T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page
The objective ot this lab is to help students to crack p assw ord s to perform system hacking.
Lab Environment To earn ־out die lab, you need:
1
■
RainbowCrack Tool located at D:\CEH-T0 0 ls\CEHv8 Module 05 S ystem Hacking\Rainbow Table Creation Tools\RainbowCrack
■
A com puter running Window Server 2012
■
You can also the latest version o f RainbowCrack from the link h ttp ://proiect-ra111bowcrack.com/ E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
!2 2 You can also Winrtge from http: / /www. oidd.it/project s.html
■
If you decide to die latest version, dien screenshots shown in die lab nnght differ
■
Run diis tool 011 Windows Server 2012
■
istrative privileges to m n diis program
Lab Duration Tune: 10 Minutes
Overview of RainbowCrack RainbowCrack is a computer program diat generates rainbow tables to be used 111 cracking. RainbowCrack differs from "conventional" bmte force crackers in diat it uses large pre-computed tables called rainbow tables to reduce die lengdi of time needed to crack a .
Lab Task E
t a s k
1
Generating the Rainbow Table
1. Double-click die rcrack_gui.exe tile. The main window of RainbowCrack is shown 111 die following figure.
m RainbowCrack for GPU is the hash cracking program in RainbowCrack hash cracking utilities.
FIGURE 7.1: RainbowCrack main window
2 . Click File, and dien click Add Hash...
C E H L ab M anual Page 342
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
RainbowCrack 1.5 File | E d it
R a in b o w T a b le
H e lp P la in te x t in
A d d H a s h ...
H ex
L o a d H a s h e s f r o m File... L o a d LM H a s h e s f r o m P W D U M P File... L o a d N T L M H a s h e s f r o m PW D U M P File.. S a v e R e su lts...
£Q! RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight GPU brute forcing cracker
FIGURE 7.2: Adding Hash values
3.
The Add Hash window appears: i.
Navigate to c:\hashes, and open die hashes.txt tile (which is already generated using Pwdump 7 located at c:\hashes.txt 111 the previous Lab no:5) .
ii.
Right-click, copy die hashes from hashes.txt tile.
iii.
Paste into die Hash held, and give die comment (optional).
1V.
Click OK. hashes.txt - Notepad
File
Edit
Format
View
Help
Undo
A d m i n i s t r a t o r : 5 0 0 : NO
Cut
P A S S W O R D * * * * * * * * * * * * * * * * * * * * * : BE40C450AB
£ Q | RainbowCrack uses time-memoiy tradeoff algorithm to crack hashes. It differs from the hash crackers that use brute force algorithm
G u e s t : 5 0 1 : NO P A S S W O R D * * * * * * * * * * * * * * * * * * " !
Copy
P A S S W O R D ********************** * ׳
Paste
LANGUARD_11_: 1 0 0 6 : NO * * * * * * * * * ״ * * * * * * * * * * ״: C2 5 5 1 0 2 1 9 F
Delete Select All
M a r t i n :1 0 1 8 :NO P
A
S
S
W
O
R
D
order : * * * * * * * * * * * * ״Right * * * to * * left * * ״Reading EBE7DFA07
5
] ug g y b o y : 1 0 1 9 : NO
Show Unicode control characters
4 8 8 : * * * * * * * * * * * * * * * * * * * * ״CDCDD22
Insert Unicode control character
D a s o n :1 0 2 0 :N O P
A
S
S
W
O
R
D
:* * * * * * * * * * * * *Open * * * *IME * • * ״D20D252A4
2
S h ie la :1 0 2 1 :N O ************ *********
________________________ _____ -
J
1*Kli ■1*JLW -V.IW
:: —
FIGURE 7.3: Selecting the hashes
C E H L ab M anual Page 343
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
RainbowCrack 1.5 File
Edit
R ainbow T able
* י־
Help P l a i n t e x t I n H ex
£/Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
0C86948805F797BF2A82807973889537 Comment (optional):
FIGURE 7.4: Adding Hashes
4 . The selected hash is added, as shown 111 die following figure. RainbowCrack 1.5 File
Edit
Rainbow Table
H elp
H a sh
P la in te x t
@ 0 c b 6 9 4 e8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3b89537
?
P l a i n t e x t I n Hex
£ 2 Fun time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
FIGURE 7.5: Added hash show in window
5. To add more hashes, repeat steps 2 & 3 (i,ii,iii,iv) 6. Added hashes are shown 111 the following figure.
C E H L ab M anual Page 344
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
RainbowCrack 1.5
£ 0 . RainbowCrack's purpose is to generate rainbow tables and not to crack s per-se, some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.
P File
Edit
Rainbow T able
H a sh 0
I ־־[םr x TI
H elp P la in te x t
P l a i n t e x t i n H ex
0 c b 6 9 4 8 8 0 S f 7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
?
?
@ 0 c b 6 9 4 8 8 0 5 f7 9 7 b f2 a8 2 8 0 7 9 7 3 b 8 9 5 3 7
?
?
@ 4 8 8 c d c d d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5
?
ל
@ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6
?
?
@ c 2 5 5 1 0 2 1 9 £ 6 6 f 9 f l2 f c 9 b e 6 6 2 a 6 7 b 9 6 0
?
1
FIGURE 7.6: Added Hashes in the window
7 . Click die Rainbow Table from die menu bar, and click Search Rainbow Table...
£ 9 RainbowCrack for GPU software uses GPU from NVIDIA for computing, instead of U. By offloading computation task to GPU, the RainbowCrack for GPU software can be tens of times faster than nonGPU version.
8. Browse die Rainbow Table diat is already generated 111 die previous lab, which
is located at D:\CEH-Tools\CEHv8 Module Hacking\Rainbow Table Creation Tools\Winrtgen.
05
System
9 . Click Open.
C E H L ab M anual Page 345
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Open ^ O rganize ▼
jA
”
W indow s Crac...
► w in rtg e n
v
( j | | Search w in rtg e n
New fo ld e r
Recent places
| ב־
־׳י
[jjj
P
ki
|
I
N am e
Date m o d ifie d
Type
Q
9/18/2012 11:31 A M
RT File
M usic
^
ntlm .loweralphag4-6.0.24001(4000000.ox■..
Libraries j3 ] Docum ents
J l M usic
E Q a time-memory tradeoff hash cracker need a pre-computation stage, at the time all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length are computed and results are stored in files called rainbow table
g
Pictures
9
Videos
1^
C om puter ^
Local Disk (C:)
r - Local Disk (D:) 1 - Local Disk (£ )
>1 Filenam e:
ntlmjoweralpha*4-6_0_2400x4000000_oxid*£ v
| Rainbow Tables (*.rt;*.rtc) Open
FIGURE 7.8: Added Hashes in the window
10. It will crack the , as shown 111 the following figure. RainbowCrack 1.5 File
Edit
Rainbow Table
H elp
H ash
P l a i n t e x t I n Hex
Com ment p a ssw o rd
0 c b 6 9 4 8 8 0 5 f7 9 7 b f 2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
3
0 c b 6 9 4 e 8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7
te s t
74657374
4 8 8 c d c 6 d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5
g ree n
677265656c
✓ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6
a p p le
6170706C65
3
c 2 5 5 1 0 2 1 9 f6 6 f 9 fl2 fc 9 b e 6 6 2 a 6 7 b 9 6 0
?
3
2 d 2 0 d 2 5 2 a 4 7 9 f 4 8 5 c d f 5 e l7 1 d 9 3 9 8 5 b f
3
£=•=!־RainbowCrack focus on tlie development of optimized time-memory tradeoff implementation, and generation of large rainbow tables.
te s t
74657374
3
7 q w e r ty
tine of alarm check: tine of wait: time of other operation: time of disk read: hash & reduce calculation of chain traverse: hash 4 reduce calculation of alarm check: number of alarm: speed of chain traverse: speed of alarm check:
717765727479
2 .3 4 s 0.00 s 0 .1 9 s 0 .0 8 s 5755200 35850648 55125 9 .7 1 million/s 1 5 .3 3 mllllon/s
/s
5
FIGURE 7.9: Added Hashes in the window
Lab Analysis Analyze and document die results related to the lab exercise.
C E H L ab M anual Page 346
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
P L EA S E TALK TO YOUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved H a sh e s: י י י י
Guest Languard Martin
■ Juggyb°y R ainbow C rack
■ י
Jason Sluela
P assw ord C racked: י י י י י
test test green apple qwerty
Questions 1. W hat kind o f hashes does RainbowCrack ?
Internet Connection Required □ Yes
0 No
P latform S upported
0 C lassroom
C E H L ab M an u al Page 347
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab
Extracting s Using LOphtCrack U)phtCrack is packed with powerfulfeatures, such as scheduling, hash extraction fro/// 64-bit Windows versions; multiprocessor algorithms, and network monitoring and decoding. It can impotf and crack U N IX files and remote Windows machines.
Lab Scenario / Valuable information Test your knowledge______ ^
Web exercise
r*־.. Workbook review
Since security and compliance are high priorities for m ost organizations, attacks 011 a company 01 ־organization's com puter systems take many different forms, such as spooling, smurfing, and other types o f demal-of-service (DoS) attacks. These attacks are designed to harm 01 ־interrupt the use o f your operational systems. cracking is a term used to describe the penetration o f a network, system, 01 ־resource with 01 ־w ithout the use o f tools to unlock a resource that has been secured with a . 111 tins lab we will look at what cracking is, why attackers do it, how they achieve their goals, and what you can do to do to protect yourself. Through an examination o f several scenarios, m tins lab we describe some o f the techniques they deploy and the tools that aid them 111 their assaults and how crackers work both internally and externally to violate a company's infrastructure. 111 order to be an expert ethical hacker and penetration tester, you m ust understand how to crack s. 111 tins lab we crack the system s using LOphtCrack.
^^Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page
Lab Objectives The lab teaches you how to: ■
Use the LOphtCrack tool
■
Crack inistrator s
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Environment To earn’ out the lab you need: ■
LOphtCrack tool located at D:\CEH-Tools\CEHv8 Module 05 S ystem H acking\w ord Cracking Tools\LOphtCrack
■ Run tliis tool on W indows Server 2012 (host machine) ■ You can also the latest version o f LOphtCrack trom the link http: / / www.lOphtcrack.com ■ istrative privileges to run tools ■
Follow wizard driven installation instructions
■ T/IP settings correctly configured and an accessible D N S server
■ Tins tool requires the to or you can also use the evaluation version for a limited period o f time
Lab Duration Tune: 10 Minutes
Overview of LOphtCrack LOphtCrack provides a scoring metric to quickly assess quality. s are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.
Lab Tasks TASK 1 Cracking
1. Launch the Start m enu by hovering the mouse cursor to the lower left m ost corner o f the desktop.
| | Windows Server 2012
vm 1i״ימ״« ׳5 י! שי'י1 ן
m You can also the LOphtCrack from http: / / www.lOphtcrack.
C E H L ab M anual Page 349
FIGURE 8.1: Windows Server 2012—Desktop view
2 . Click the LOphtCrack6 app to open the LOphtCrack6 window
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Start Server M anager
W indow s Pow erShel
Google Chrome
Hyper-V M anager
Fa
T
o
יי
Com puter
Control
Hyper-V Virtual Machine...
SQL Server Installation Center...
m
*J
C om m and P rom pt
e / LOphtCrack s pre-computed hashes.
inistrator
Intrmrtfupterr׳
Drdlrp
Q
K
Mozilla Firefox
Global Network Inventory
<©
If
N m ap Zenm ap GUI
W orkspace Studio
O ־
3 FIGURE 8.2: Windows Server 2012 —Apps
3 . Launch LOphtCrack, and 111 the LOphtCrack Wizard, click Next. LOphtCrack A uditor v6.0.16
x LO p h tC rack 6 W izard
W elcom e to th e LOphtCrack 6 Wizard This wizard wil prompt you w th step-by-step n sb u c tio n s to g e t you aud tin g n m n u te s First, th e wizard w i help y ou d e term n e w here to retrieve your encrypted p a ssw ords from Se c o n d , you w i b e prom pted w th a few options re g a rd n g which m ethods to u se to audit th e w ords Third, you w i b e prom pted w th how you wish to report the results T hen. LOphtCrack 6 w i p ro ce ed a u d tin g th e w ords a n d report sta tu s to you along th e w ay. notifying y ou w hen audfcng is com plete Press Next' to c onbnue w th th e w izard
LOphtCrack can also cracks UNIX files.
[7 ךjjjprit show m e this w izard o n startup
FIGURE 8.3: Welcome screen of die LOphtCrack Wizard
4 . Choose Retrieve from th e local m achine 111 the Get Encrypted P assw ord s wizard and click Next.
C E H L ab M anual Page 350
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
LOphtCrack A uditor v6.0.16
G e t E n cry p te d P assw ords
C hoose o n e of th e fo lo w n g m eth ods to retrieve th e e n crypted w ords | ♦ R etneve from th e tocal m a c h n e | Pulls encrypted p a ssw ords from th e local m a c h n e 's registry A dm natra to r a c c e s s a r eq u red R etneve from a rem ote m a c h n e R etneve encrypted p a ssw ords from a remote m a c h n e on your d o m a n rwtra tor a c c e s s is required R etneve from SAM/SYSTEM b a c k u p U se em ergency r e p a r disks, b a c k u p ta p e s, or volume sha dow copy te ch r» q u es to obtain a copy of th e registry SAM a n d SYSTEM hives This c o n ta n s a copy of your non-d o m an w ords Q R etneve by jnrffng th e local netw ork Sniffing c a p tu res encrypted h a s h e s n transit o ver your netw ork L o g n s .f ie sh a m g a n d p m t shanng a l u se netw ork authentication th a t c a n b e captured.
< Back
ca
LOphtCrack has a built-in ability to import s from remote Windows, including 64-bit versions of Vista, Windows 7, and UNIX machines, without requiring a thirdparty utility.
Next >
■|
FIGURE 8.4: Selecting die from die local machine
5. Choose Strong P assw ord Audit from the C hoose Auditing Method wizard and click Next.
1- ׳° '
ן
FIGURE 8.5: Choose a strong audit
6. In Pick Reporting Style, select all Display encrypted w ord h a sh es.
7 . Click Next.
C E H L ab M an u al Page 351
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
m LOphtCrack offers remediation assistance to system s.
FIGURE 8.6: Pick Reporting Style
8. Click Finish. LOphtCrack Auditor v6.0.16
־°
x
Bogin Auditing
P
Step LOphtCrack 6 « now ready to b e g n th e w ord aud*ing p ro ce ss Plea se confirm th e f o lo w n g settings an d go b a c k a n d c h a n g e a n y th n g th a t ts not correct
O
Step 2
.__ LOphtCrack lias realtime reporting that is displayed in a separate, tabbed interface.
R etrieve w ords from th e local m achine Perform 'Q uick' w ord audit Display d o m a n w ord belongs to Display p assw ords v41en a udited Display time sp ent auditing e a c h w ord Give visible notification *tfien d o n e a udrtn g S how m ethod u se d to c ra ck w ord
[ / ] S a v e th e s e settings a s s e s a o n defaults Press ■finish'to b e p n audfcng
►Step 5 6«g1n Auditing
FIGURE 8.7: Begin Auditing
9 . LO pntcrack 6 shows an Audit Com pleted message, Click OK. 10. Click S e ssio n options Irom the menu bar.
C E H L ab M an u al Page 352
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Cracked s
J j.
Weak s Pause
־d
Stop
Schedule Scheduled Audit Tasks
Disable Force Expired s
Run y Report LM
LMHash__________________________
,X WIN-D39MR... A d m in istrato r
* m issing *
OCKXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
£ WIN-D39MR... G uest
״m issing *
0000000000000000000000000000000(
J t WIN-D39MR... Jason
* m issing *
0000000000000000000000000000000(
4
* m issing *
Domain
Name
WIN-D39MR... Ju g g y b o y
* m issing
A WIN-D39MR... M artin
״m issing
oooooooooootxxxxxxxxxxxxxxxxxxxx LOphtCrack 6
I
x
0000000000000000000000000000000(
u o rd s t o t a ] 29151 _words_done
10BT5OT?
_______
0000000000000000000000000000000(
Audit c o m p leted .
_______ LtX& sslaezei 0d Oh 0» Os
OK
____tlMS-lSlt _ _ l _־d o n S
III
> 4 X
Messages 0 9 /1 8 /2 0 1 2 0 9 /1 8 /2 0 1 2 0 9 /1 8 /2 0 1 2 0 9 /1 8 /2 0 1 2
1 4 :4 7 :4 8 1 4 :4 7 :5 2 1 4 :4 7 :5 2 1 4 :4 7 :5 2
M u ^ i- c o r e o p e r a tio n w ith 4 c o re s . I m p o r te d 2 a c c o u n ts fro m t h e l o c a l A u d it s t a r t e d . A u d itin g s e s s i o n c o m p le te d .
m a c h in e
FIGURE 8.8: Selecting Session options £ Q LOphtCrack uses Dictionary, Hybrid, Recomputed, and Bmte Force auditing methods.
11. Auditing options For This S e ssio n window appears:
i. Select the Enabled, Crack NTLM P assw ord s check boxes 111 Dictionary Crack.
ii. Select the Enabled, Crack NTLM P assw ord s check boxes 111 Dictionary/Brute Hybrid Crack.
iii. Select the Enabled, Crack NTLM P assw ord s check boxes 111 Brute Force Crack. IV.
Select the Enable Brute Force Minimum Character Count check box.
v. Select the Enable Brute Force Maximum Character Count check box.
12. Click OK.
C E H L ab M an u al Page 353
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
־m
Auditing O ptions For This Session Dictionary C rack
T he Dictionary C ra ck te s ts fo r p a ssw o rd s th a t a re th e sa m e a s th e w ords fcsted in t h e w ord file. This te st * very fa s t a n d finds th e w e a k e s t p a ssw o rd s.
D ictionary List 0
C ra ck NTLM P a ssw o rd s
D ictionary/B rute Hybrid C ra ck [ 2 E nabled
0
*
C h a rac ters to p rep e n d
-
C h a rac ters to a p p e n d
V C rack NTLM P a ssw o rd s Com mon letter su bstitutions (m uch slow er)
*
T h e D ictionary/B rute Hybrid C ra ck te s ts for p a ssw o rd s th a t a re v a n atio n s of th e w ords in th e w ord file. It finds p a ssw o rd s su c h a s D a n a 99 or m onkeys! . This te st is fa st a n d finds w e a k p a ssw o rd s.
P re co m p u ted E ! E n ab led C
Also k n o w n a s r a n b o w ta b le s ', th e P re com puted C rack te s ts fo r p a ssw o rd s a g a r is t a p rec o m p u te d h a s h e s c o n tan -ed n a file or files This te s t is very fast a n d finds p a ssw o rd s c re a te d from th e sa m e c h a r a c te r se t a s th e p re c o m p u te d h a s h e s . P re se rv n g preco m p u ta tio n d a ta s p e e d s up c o n s e c u tiv e m n s r e x c h a n g e for disk s p a c e
Hash File List
Preserve Precomputation Data
Location
T h s c ra c k w o rk s a g a r o t LM a n d NTLM p a ssw o rd s, but n o t U n a B a/te F o rce C rack
g]Enabled
L an g u a g e:
J £ r a c k NTLM P a ssw o rd s
T h e Brute F orce C ra ck te s ts fo r p a ssw o rd s th a t a re m a d e u p of th e c h a r a c te r s sp ecified in t h e c h a r a c te r se t I finds p a ssw o rd s su c h a s "WeR3pfc6s■' o r "vC 5% 6S*12b" T his t e s t is slow a n d finds me
English
a lp h a b e t ♦ n u m b ers C ustom C h a ra c te r S e t (list e a c h c h arac ter): E T N RIOAS D H LCFPU M YG W VBXKQ JZetnrioasd hlcfpumygwvbxkqjzOI 23456789
Brute Force Minimum C h a ra c te r Count Brute Force Maximum C h a ra c te r Count
To
9
נ
E n a b in g a start or e n d point lets you control th e minimum a n d maxim um n u m b e r of c h a r a c te r s to iterate. T h e a c tu a l maxim um c h a r a c te r c o u n t u s e d may vary b a s e d o n h a s h ty p e S p e c fy a c h a r a c te r se t with m ore c h a r a c te r s to c ra c k stro n g e r p a s s w o rd s .
’ QK
Q ancel
FIGURE 8.9: Selecting die auditing options
13. Click Begin ' ' רfrom the menu bar. LOphtCrack cracks the inistrator w ord.
14. A report is generated with the cracked s.
FIGURE 8.10: Generated cracked
C E H L ab M anual P ag e 354
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Lab Analysis Document all die results and reports gathered during die lab.
P LE AS E TALK TO YOUR I N S T R U C T O R IF YOU H AVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
Tool/Utility
Information Collected/Objectives Achieved U ser N a m e s:
L O p h tC rac k
י י י י י י
Guest Jason Juggvbov LA N G U A R D _ 11_ Martin
P assw ord F ound: י ■ י
qwerty green apple
Questions 1. W hat are the alternatives to crack s? 2 . W hy is a brute force attack used 111 the LOphtCrack tool?
Internet Connection Required □ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 355
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Cracking Using Ophcrack Ophcrnck is a free open source (GPL licensed) pmgram that cracks Windows n ׳ords by using LM hashes through rainbon ׳tables. ICON KEY Valuable / information . **יTe$t your _____knowledge _______
Web exercise » Workbook review
Lab Scenario 111 a security system that allows people to choose their own s, those people tend to choose s that can be easily guessed. Tins weakness exists 111 practically all widely used systems instead o f forcing s to choose well-chosen secrets that are likely to be difficult to . The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not; we examine common forms of guessing attacks, cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Pooiiy chosen s are vulnerable to attacks based upon copying information. 111 order to be an expert ethical hacker and penetration tester, you must understand how to crack the weak or system using cracking tools. 111 tins lab we show you how to crack system s using Ophcrack.
Lab Objectives The objective o f this lab is to help students learn: Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 356
י
Use the OphCrack tool
■
Crack inistrator s
Lab Environment To earn ־out die lab, you need: "
OphCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System H acking\w ord Cracking Tools\Ophcrack
■
Run this tool on W indows Server 2012 (Host Machine)
■
You can also the latest version o f LOphtCrack from the link h ttp :/ / ophcrack.sourceforge.net/ E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
■
istrative privileges to run tools
■
Follow the wizard-driven installation instructions
Lab Duration Time: 15 Minutes
Overview of OphCrack Rainbow tables for LM hashes of alphanumeric s are provided for free by developers. By default, OphCrack is bundled with tables diat allow it to crack s no longer than 14 characters using only alphanumeric characters.
Lab Task TASK 1 Cracking the
1. Launch the Start m enu by hovering the mouse cursor on the lower-left corner of the desktop.
g | Wndows Server 2012
vnnootfj!xrvff1 0uKetejjeunoioawwucwwr
tvilwtor cc׳pv kud MOO
ןןמישיייעןיימיירזמיי FIGURE 9.1: Windows Server 2012 - Desktop view
2 . Click the OphCrack app to open the OphCrack window.
m You cau also tlie OphCrack from http:/ / ophcrack. sourceforg e.net.
FIGURE 9.2: Windows Server 2012—Apps
3 . Tlie OphCrack main window appears.
C E H L ab M an u al Page 357
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
ophcrackC
1' ם ! ־
Load
Delete
Progress
Statistics
J
4A
11/
Save
Tables
C radt
Help
^
G
Exit
About
Preferences
B Rainbow tables for LM hashes of alphanumeric s are provided for free by the developers
Preload:
w attn g
| Brute force:
waiting
j Pwd found:
0/0
Time e lapsed: |
OhOmQs
FIGURE 9.3: OphCrack Main window
4 . Click Load, and then click PWDUMP file. ophcrack
U/
ב
,•©..י
&
C
Single h a sh PW DUMP file S essio n file
& Ophcrack is bundled with tables that allow s it to crack w ords no longer than 14 characters using only alphanumeric characters
E n cry p te d SAM Local SAM w ith sa m d u m p 2 Local SAM w ith p w d u m p 6 R e m o te SAM
D irectory
Preload: _______ waiting_______| Brute force: |
P rogress
waiting
| Pw dfouxJ:
Fig 9.4: Selecting PWDUMP file
5. Browse die PWDUMP file diat is already generated by using P\\T)U M P 7 111 die previous lab 110:5 (located at c :\h a sh e s.tx t). 6. Click Open
C E H L ab M an u al Page 358
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Open PWDUMP file
0 CO
^
^
Organize ■
available as Live CD distributions which automate the retrieval, decryption, and cracking of s from a Windows system.
Desktop
A
Date modified
Type
9/17/2012 9:25 AM
File folder
Program Files (x86)
9/18/2012 2:18 PM
File folder
j
TFTP-Root
9/4/2012 7:00 PM
File folder
j
s
9/18/20122:35 PM
File folder
8/30/20121:06 PM
File folder
W in d o w s
9/15/2012 3:26 PM
File folder
4 • W in d o w s .o ld
8/7/2012 1:50 AM
File folder
J,.
W in d o w s .o ld .0 0 0
8/8/2012 12:03 AM
File folder
^
.r n d __________________
9/19/2012 9:58 AM
RND File Text Document
j . u sr
(3| Documents
J
Music fc l Pictures Videos
r : ■ Computer Local Disk (C:) . ^ Local Disk (D:)
P
j i . Program Files
Libraries
H
| Search Local Disk (C:)
Name
Recent places
J ) Music
^
C
] I
§ =־- EH m
4 s S
v
*** * Computer ► Local Disk (C:)
New folder
hashes.txt
9/18/2012 3:06 PM
|j6j msdos.sys
9/15/2012 2:53 PM
System file
[A .js
9/6/20124:03 PM
JS File
ן
v, v j [All Files ( * /)
File name: hashes.txt
Open
FIGURE 9.5 import the hashes from PWDUMP file
7. Loaded hashes are shown 111 the following figure. ophcrack
O
Si
«S
iu
Load
Delete
Save
Tables
P rogress
Statistics
j
Preferences
O
o
Crack
| NT H ash
A d m in istra to r
BE40C450AB997...
G uest
3 1d6cfe0d16ae9... C25510219F66F...
LANGUARDJ 1_ M artin
5EBE7DFA074D...
Juggyboy Jason
488CDCDD2225...
Shiela
0CB69488O5F79...
2D20D252A479F...
£ 7 Ophcrack Cracks L M andN TL M Windows hashes Directory
Pretoad: _______ waiting_______] Brute force: |
P rogress
waiting
] Pwd fbcrtd:
FIGURE 9.6 Hashes are added
8. Click Table. The Table Selection window will appear as shown 111 die following figure.
C E H L ab M anual Page 359
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
^ י ז
ophcrack
Progress
IU
',,sg?
Tables
Crack
Table Selection
Statistics 0
D irectory
Table m XP fre e fast
n o t installed
G uest
•
XP f re e sm all
n o t installed
LANGUARD_11_
•
XP special
n o t installed
M artin
# XP g e rm a n v l
n o t installed
Ju g g y b o y
•
XP g e rm a n v2
n o t installed
Jaso n
•
Vista special
n o t installed
Shiela
•
Vista free
n o t installed
•
Vista nin e
n o t installed
•
Vista eight
n o t installed
•
Vista n u m
n o t installed
•
Vista seven
n o t installed
•
XP flash
n o t installed
<• Vista e ig h t XL
& T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Status
A d m in istra to r
n o t installed
III
< •
= e nabled
J = disabled
•
|
>
= n o t n sta le d
B B S S Preload: _______ waiting_______| Brute force: |
waiting
] Pwd fbuxJ:
T«ne elapsed:
Oh 0 וחOs
FIGURE 9.7: selecting die Rainbow table
Note: You can die free XP Rainbow Table, Vista Rainbow Tables from h ttp :// ophcrack.sourcelorge.net/tables.php
9. Select Vista free, and click Install. ״G
Table Selection lable
Directory
XP free fast
not installed
•
XP free small
not installed
9 XP special
not installed
•
XP german v1
not installed
•
XP german v2
not installed
•
Vista special
not installed
| ! • Vista free •
not installec
Vista nine
not installed
# Vista eight •
not installed
Vista num
not installed
<• Vista seven
not installed
*
not installed
XP flash
<• Vista eight XL
not installed
III
0
Status
•
0
4 = disabled
•
<ן
= not installed
@@ FIGURE 9.8: Installing vista free rainbow table
C E H L ab M anual Page 360
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
10. The Browse For Folder window appears; select the the table_vista_free folder (which is already and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\ Cracking Tools\Ophcrack)
11. Click OK. Browse For Folder Select the directory which contains the tables.
&■ Ophcrack Free tables available for Windows XP, Vista and 7
4
A
J4 CEHv8 Module 05 System Hacking Cracking
4
Windows Crackers
a
A
OphCrack tables_vista_free
I
pwdump7 winrtgen t>
V
steganography
1
III
< Make New Folder
OK
l>
Cancel
12. The selected table vista free is installed,; it shows a green color ball which means it is enabled. Click OK. ?
Table Selection Directory
־fable
& Loads hashes from encrypted SAM recovered from a Windows partition
Status
•
XP free fast
not installed
•
XP free small
not installed
•
XP special
not installed
•
XP german v1
not installed
•
XP german v2
not installed
•
Vista special
net installed
> •
Vista free
C:/Program Files (x86)/tables_vista_free
•
Vista nine
not installec
•
Vista eight
not installed
•
Vista num
not installed
•
Vista seven
not installed
•
XP flash
not installed
Vista eight XL
not installed
III
= enabled
A
on disk
*
< •
x
4 = disabled
*
*
>
# = not installed Install
FIGURE 9.9: vista free rainbow table installed successfully
13. Click Crack: it will crack die as shown 111 die following figure.
C E H L ab M anual Page 361
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
ophcrack
i This is necessary if die generation of die LM hash is disabled (this is default for Windows Vista), or if the is longer than 14 characters (in which case the LM hash is not stored).
Load
Delete
Progress
Statistics
J
«!
a/
^
@
i
Save
Tables
Crack
Help
Bat
Preferences
LM Hash
N T Hash
BE40C450AB997...
Guest
31d6cfe0d16ae9...
LM Pwd 1
LM Pwd 2
N T Pwd
empty
C25510219F66F...
LANGUARD 11_... Martin
5EBE7DFA074D...
apple
Juggyboy
488CDCDD2225...
green
Jason
2D20D252A479F...
qwerty
Shiela
0CB6948805F79...
test
!ab le
Directory
Status
t> 4 Vista f ree
C :/P ro g ram File...
100% in RAM
Progress
FIGURE 9.10: s ate cracked
Lab Analysis Analyze and document the results related to the lab exercise.
P L E A S E TALK TO Y OU R I N S T R U C T O R IF YOU H AVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
I
T o o l/U tility
Information C ollected /O b jectives Achieved
j
Names:
OphCrack
י י י י
Guest LA N G U A R D _ 11_ Martin
־ י י
Juggyb°y Jason Slieiela
Rainbow Table Used: Yista free Found: י י י י
C E H L ab M anual Page 362
apple green qwerty test E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Questions 1. W hat are the alternatives to cracking s?
In te rn e t C o n n ectio n R eq u ired
□ Yes
0 No
Platform ed 0 Classroom
C E H L ab M an u al Page 363
0 !Labs
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
System Monitoring Using RemoteExec System hacking is the science of testing computers and networksfor vulnerabilities andplugging.
Lab Scenario ^_ Valuable information_____ Test your knowledge *A Web exercise m
Workbook review
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. Tliis process requires an active connection to the machine being attacked. A hacker enumerates applications and banners 111 addition to identifying s and shared resources. You should also have knowledge of gaining access, escalating privileges, executing applications, liiduig tiles, and covering tracks.
Lab Objectives The objective o f tins lab is to help students to learn how to:
Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page
י
Modify Add / D elete registry keys and or values
■
Install service packs, patches, and hottixes
■
Copy folders and tiles
י
Run programs, scripts, and applications
■
Deploy Windows Installer packages 111 silent mode
Lab Environment To earn ־out die lab, you need: ■
Remote Exec Tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\Rem oteExec
■
Windows Server 2008 running on the Yutual machine
■
Follow die Wizard Driven Installation steps
E th ica l H a ck in g and C ounterm easures Copyright © by EC -Coundl All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
■
You can also die latest version o f R em oteE xec from the link http://w w w .isdecisions.com /en
■
If you decide to die latest version, dien screenshots shown 111 die lab might differ
■
istrative pnvileges to run tools
Lab Duration Tune: 10 Minutes
Overview of RemoteExec Rem oteExec, die universal deployer for Microsoft Windows systems, allows network s to run tasks remotely.
Lab Task TASK 1
1. Install and launch RemoteExec.
Monitoring System R em oteExec Remotecxec
־מ*כ0כ0ח
rame f*l demote jobs *eco׳ter ^ 5
^׳Ootons
Albws vou מcorftxre. rra vo* 3rd exeats rerro:e jobs. Albws vou מdsjMv r*co׳ts or rencte exsajoons. Albws vou ro sctvAJe renote extortions arc! o*ne־׳ate autara .. ConScu׳e Re*note€»c colors.
© S y s te m Requirements: Target computers can have any of these operating systems: Microsoft Windows 2003/2008 (No Service Pack is required); an istration console with Microsoft Windows 2003/2008 Service Pack 6 , IE5 or more. , able of contert || Quick a:cess |
FIGURE 10.1: RemoteExec main window
2 . To configure executing a file, double-click Remote jobs.
C E H L ab M anual Page 365
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
: 00B
Ne
Virco
י
rep
״
£ Q RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (WAN) as well as on remote machines.
ABows you to dtspa, ׳ ׳eports 0 ׳ ר׳errote execj$o1«׳. Allows youto soedijte ׳errote e<ecjto1׳s snd generate sutoiia.. Configure RcmotcExcc opto!־:.
TaDle ofcontert Quick access
Remote execution requirements: The running RemoteExec needs istrative rights on target computers. Microsoft file and printer sharing (SMB T 445) and ICMP (ping) should be enabled. These protocols also need to be allowed in any firewall between the istration console and target computers.
FIGURE 10.2: RemoteExec configuring Remote jobs
3 . To execute a New Remote job, double-click die New Remote job option diat configures and ex e c u te s a new remote job. Hta
Tool* ]tfn d o *
Help
& 5cnotc€>c< Remote jobs : 0 ^ New rcrrote )cb ; execu%oo ! 1 - 0 Updax rstalafeon | ® •־MSI rstalaMn !■■@1 Systenn acton j— fj Plb CDeraton ; *j: Lcea arrouo ־-r.an־ma..
;■“ ptp
RemoteExecjRerrote jobs
job My Renote J3bs My Remote Actons ^ My Target Computers
Mows you /our favorite remste j»98 /our favorite rarcte actors. Yout favorite taroet conxiter bts.
Mutote aaons j .™ My Renoie Joos i ^ My Rertore Actors : ^ My Target C croj^rs Report־ ־:^j. ScrcdJcr L-4^ Options
E U Configure files to be generated: You see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, “Document generation,” is available to specify the output files. Select a PDF file to be generated in an existing folder. Make sure that the running the task has write access to this folder.
C E H L ab M anual Page 366
Table ofconteni |Quick accea
FIGURE 10.3: RemoteExec configuring New Remote job
4 . 111 a New Remote job configuration you can view different categories to work remotely.
5. Here as an example: we are executing die file execution option. To execute double-click File Execution.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
hie
Tods
Wmiow ׳Hep
E?
V
•
B ^־־:5eno־.eE>ec P.enote (061
}Q 3 £ ^ 0! ■
£ י לTools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
; Ffc execuSon i 1 - 0 Update rstalafon j--j^|MSI rstalaaon HfcSyste»ac*>n j-uT F*? Otxralon 1- ^ ־loca a rra n t ׳rante I ~PLp =״MJtcle actons 5 Nr teoote J>x “ j ^ Mr Rcnote *ctcrc :Nv Taract Ccrojtcn ^ : m jfe Repcrte־ ; ‘“t ScredJcr !״y*Opfcon«
New remote job RemoteExeciRerote jobs/New remote jc
| ) Update retalafion (Si MSI mstalotion {§fc System action Fib Ooo־ation Lccd maintenance S I Popup ( 5 Multtie actions
Instil 5 Marosoft jadaie reretefy. Instil o Windows Instiler >3x>qc rerrctSY. Rcaoot,^Shutoovrn,\V3
I raMe QfcontenT||Quiet access
FIGURE 10.4: RemoteExec configuring File Execution
6. In die File execution settings, browse die executable file, select Interactive from drop-down list of Context, and check the Auto option. Note: Using RemoteExec, you can: Install patches, service packs, and hotfixes Deploy Windows Installer packages in silent mode Run applications, programs, and scripts Copy files and folders
FIGURE 10.5: RemoteExec File execution settings 0 3 Automated reports: You may want to get all these reports automatically by email each time a scheduled attempt has been done. To do this, follow the steps below
7. Configuring die Filter Section: a.
For the OS version, select = from die drop-down menu and specify die operating system.
b. For the OS level, select = from die drop-down menu and select Workstation.
c.
C E H L ab M anual P ag e 367
For the IE version, select >= from die drop-down menu and specify the IE version.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
d. For the Service Pack, select = from die drop-down menu and specify die service pack version. hie
!eia Once installed, RemoteExec aiid its documentation are accessible through die Windows Start menu. By default, RemoteExec is installed in evaluation mode.
Tods
V/niow
Hep
3••3 ^ ־eno:e£>ec 1-1 ^ Reno* jobs • B ^ New rarote tfc
File execution RemoteExeqReirote jobs/New remote job/^le executor
! lo
Update rstaloton MSI rstaloaon * ■: SwteT Kton | 6 -! r -rj) « ? CDraJon ! loai rvamcena •י nitr*e arm NyR«n»»>90c «
Mvk«no:»Actcrc,”
Ny ljr jet (.croj'.efc •ls» Reports ScredJcf ^ ! Opton^ - ' *
^
La-nch
tjfr
L a/rh חוa r»?/» tab
[ §ןSc^edLie save r My Rorct® Jobs 0 OS verson
=■v.||
vwndowe 7/2XB
BO S level
*
H K vcr»n
>- H ] M * 1
^
save r K׳y Remote Acsoot
^
:.. Save r My Target■C»mput«rc
•Hj Wortotatoo
!
□Regecrvvw kM □ Oor't e:<e:j:e scan or a computer wne׳e tne actor a as ahead/ exeo.ee
»״ Coflnoute*׳
FIGURE 10.6: RemoteExec Filter tab C Q t i !e remote job was automatically set with the filter option, “Don’t execute again on a computer where the action was already executed.” So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.
Selecting a Target Computer: Enter die target computer name manually by selecting Name from the drop-down list and clicking OK. tie
B
vn 5
loos
•
noow
־
RenoteExec Rertote Nca• remote jofc
£10
)005
j ()־
I q g a sssH i
_______
F ile ex e c u tio n Re׳roteE>e:/3 emote jobs !New ־׳errcre job/File execution
I MO |
Update n stab ton r | 0 MS n stafexn ; Sysfcn actor i ״ Fie: Opeattjr
^
Laandi
Q?
launch in a new tab
d
Schedule
P
Save n My ׳Remote jx k
_
S5ve n My Remote Actjors
rSf
Lcxd aaomttranKTa... h ■ Poxo = -l§ mJtpfe actons j• ©■־My R ero e Jets
^
Save n My Taraet Cwtdu^s
Ny Rerote Actons Ny T»05t COTOLters Reaxte׳ j••■© Scheduler •יV * Oabors I
;
© C o n fig u re the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select die latest execution, the report is always generated for die latest execution.
C E H L ab M anual Page 368
XJ FIGURE 10.7: RemoteExec Add/Edit a computer
9 . To execute the defined action on die remote computer, click the Launch option 111 the nglit pane of die window.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
e
1 2 3 Schedule th e report: To configure schedule report, click on Schedule in the toolbar and, when prom pted select the task that lias been created previously to install Acrobat Reader.
:c o ls
jg n d w
־Bf3
כ אי׳
•
>
B | ־RemoteExec Remote ;ods 0 © New rerroze job
|
j IS j r | ^־ j-C r :־־tSp
File execution
j“ fl? PopLp NuDoie actiors : ■151 My Remote 3c*» W My Remote *coons My Target C0״xxters S - ii, Reporter S^ediier
0
RemoteExec/Refrote jcbs/Mew remote jOD/^e etecuton
Lpictc nstalaton MSI n stab to a Systen actor File Ope-otwr L3co ecco1ntn־ontenc...
. j ־:.;: ־
(JJ: Launch ir e n ew tab t 3 S ch sd u e Save m My Renote 3005 Efe
Save m My Renote Actiors save mMy Taraet conou:ers
□Don't execjte again on a computer v.+!e־e the acaon was aireacy executec
V45׳00כ0ח
___ FIGURE 10.8: RemoteExec executing the defined action
Lab Analysis Analyze and document die results related to die lab exercise.
P LE AS E TALK TO Y OUR I N S T R U C T O R IF YOU H AVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
T o o l/U tility
In fo rm atio n C o lle cted /O b jec tiv es A chieved File to E x ecu te: Firefox setup 3-6.13.exe
R em o teE x ec C o m p u te r N a m e : W IN-D39M RSHL9E4
In tern et C o n n ectio n R eq u ired □ Yes
0 No
P latform S upported 0 C lassroom
C E H L ab M anual Page 369
0 1Labs
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Hiding Data Using Snow Steganog raphy S n crn ׳is u se d to co rn ea /m essa g es in A S C R te x t ly a p p e n d in g n h ite sp a c e to th e e n d o f lin e s . B eca u se sp a ces a n d ta b s a /e g e n e /a lly n o t v isib le in te x t v ie /1 e /s , A /e w essa g e is e ffe c tiv e ly h id d e n fio m o b serv ers. A t/d f
th e b u it-in e n c ry p tio n is rn e a \ th e m essa g e c a m /o tb e re a d even f
c a su a l
i t is d e te cte d .
Lab Scenario
VZDValuable information
Test your knowledge mk Web exercise ,־!־, Workbook review
Network steganography describes all the methods used tor transmitting data over a network without it being detected. Several methods for liiduig data 111 a network have been proposed, but the main drawback o f most of them is that they do not offer a secondary layer of protection. If steganography is detected, the data is in plaintext. To be an expert ethical hacker and penetration tester, you must have sound knowledge o f footprinting, scanning, and enumeration. Tins process requires an active connection to the machine being attacked.
Lab O bjectives The objective o f this lab is to help students learn: ■
Using Snow steganography to hide tiles and data
■
Hiding tiles using spaces and tabs
Lab Environment To earn ־out die lab, you need: י ^ ־Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
C E H L ab M an u al Page 370
Snow located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Whitespace Steganography\SNOW
י
Run tins tool on Windows Server 2012
■
You can also the latest version o f Snow from the link h ttp :/Avww.darks 1de.com .au/snow /
■
If you decide to the la te st version, then screenshots shown the lab might ditter
111
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Lab Duration Tune: 10 Minutes
Overview of Snow Snow exploits die steganograplnc nature of whitespace. Locating trailing whitespace like tinduig a polar bear 111 a snowstorm. It uses die ICE encryption algoridun, so the name is diemadcally consistent.
111 text is
Lab Task 1.
Open a command prom pt and navigate to D:\CEH-Tool\CEHv8 module 05 system hacking\steganography\white sp a ce steganography\snow
2.
Open Notepad and type Hello World! and dien press enter and press die Hyphen key to draw a line below it.
3.
Save die die as ree.txt. ree - N otepad
The encryption algorithm built in to snow is ICE, a 64-bit block cipher also designed by the author o f snow. It runs in 1-bit cipher- (CFB) mode, which although inefficient (requiring a full 64-bit encryption for each bit o f output),
File
Edit
Format
View
Help
H e llo W o rld ! 1
FIGURE 11.1: Contents of ree.txt
4.
Type diis command 111 the command sheU: ree2.txt. It is die name of anodier diat will be created automatically. sn o w -C -m "My s w is s bank accou n t number is 4 5 6 5 6 6 8 4 5 1 2 2 6 3 ” p "magic" re e.txt re e2.txt(m agic is th e w ord, you can type your desired w ord also)
C E H L ab M an u al Page 371
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
Command Prompt
׳ ־ן° r * ׳
E:\CEH-ToolsSCEHu8 Module 05 S y stem H a c k in g N s te g a n o g r a p h y \w h ite s p a c e s t e g a n o g r a p h y\S n ow > sn o 1» -C -m ״My s u i s s bank a c c o u n t number i s 4 5 6 5 6 6 8 4 5 1 2 2 6 3 " - p "magi c" r e a d m e .tx t r e a d m e 2 .tx t Com pressed by 23 . '&־/'/. M essage e x c e e d e d a v a i l a b l e s p a c e by a p p r o x im a te ly 5 7 1 . 4 3 x . An e x t r a 8 l i n e s were a d d e d . E:\C EH -Tools\CEH u8 Module 05 S y stem H a c k in g \s t e g a n o g r a p h y \w h it e s p a c e s t e g a n o g r a phy\Snow>
FIGURE 11.2: Hiding Contents of ree, txt and die text in the ree2.txt file
5. N ow die data (‘ My S w iss bank number is 45656684512263 ”) is hidden inside die re e2.txt hie with die contents of ree.txt. I f you want to compress a long message, or one not containing standard text, you would be better off compressing the message externally with a specialized compression program, and bying snow's optional compression step. This usually results in a better compression ratio.
6. The contents ol re e2.txt are ree.txt + My Sw iss bank number is 45656684512263.
7. N ow type sn ow -C -p "magic" Ree2.txt: diis will show die contents of ree.txt.(magic is die which was entered while luding die data). : Command Prompt E:\CEH-ToolsSCEHu8 Module 05 S y stem H a c k in g \s t e g a n o g r a p h y \w h it e s p a c e s t e g a n o g r a H phy\Snow >snou -C -m "My s u i s s bank a c c o u n t number i s 4 5 6 5 6 6 8 4 5 1 2 2 6 3 " - p " n a g i B c" r e a d m e .t x t r e a d m e 2 .tx t ■ C om pressed by 2 3 .37X I M essage e x c e e d e d a v a i l a b l e s p a c e by a p p r o x im a te ly 5 7 1 . 4 3 x . I An e x t r a 8 l i n e s were a d d e d . I E : \ C E H - T o n l s \ 0 F H u 8 M n r i n l e 0 5 R u s t e m H a r k in g \ste g a n o g r a p } 1y \ l ) h i t e s p a c e s t e g a n o g r a H phySSnouI'snow —C - p "m agic" R ea d m e2 .tx t I My s w i s s bank a c c o u n t number i s 4bbbbbU4512263 I E:\C EH-Tools\CEH u8 Module 05 S y stem H a c k in g \ste g a n o g r a p } 1y \w h it e sp a c e s t e g a n o g r a H phy\Snow> I
FIGURE 11.3: Revealing the hidden data o f ree2.txt
8. To check die tile 111 a G U I, open die re e2.txt 111 Notepad and select Edit ^־S elect all. You will see die hidden data inside ree2.txt 111 die form of spaces and tabs.
C E H L ab M an u al Page 372
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module 05 - System Hacking
ree2 - Notepad File
Edit
Format
View
_
□
X
Help
H e l l o W o r ld !
(FIGURE 11.4: Contents of ree2.txt revealed with select all option
Lab Analysis Analyze and document die results related to die lab exercise.
P L EA S E TALK TO Y OUR I N S T R U C T O R IF YOU HAVE Q U E S T I O N S R E L A T E D T O T H I S L AB .
T o o l/U tility
In fo rm atio n C o lle cted /O b jec tiv es A chieved
Snow Steganography
O u tp u t: You will see the hidden data inside N otepad
Lab Q uestions 1.
How would you lude die data of tiles widi secret data in other tiles?
2. Which encryption is used 111 Snow? In te rn e t C o n n ectio n R eq u ired □ Yes
0 No
P latform S upported 0 C lassroom
C E H L ab M an u al Page 373
0 !Labs
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Viewing, Enabling, and Clearing the Audit Policies Using Auditpol Ajidffpolis a con/n/andin Windons Server2012, Windons Server2008, and Windoirs Server 200J andis leqnhedforqueryingorconfgningan a!iditpolicyatthesnbcafespylevel I CON KEY I7 / Valuable information Test your knowledge ** Web exercise Workbook review
Lab Scenario To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. Tins process requires an active connection to the machine being attacked. A hacker enumerates applications and banners 111 addition to identifying s and shared resources. You should also have knowledge on gaining access, escalating privileges, executing applications, luduig tiles, and covering tracks.
Lab Objectives The objective o f tins lab is to help students learn: י
How to set audit policies
Lab Environment .^ T o o ls dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
To earn ־out the lab, you need: ■
Auditpol is a built-in com m and in Windows Server 2012
■
You can see the more audit commands from the following link: h ttp :/ / technet.m icrosott.com /enus /library /cc731451 %28v=ws. 100/029.aspx for W indows Server 2012
י
Run diis on Windows Server 2012
Lab Duration Time: 10 Minutes
C E H L ab M an u al Page
E th ica l H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
Overview of Auditpol Aucftpd displays information policies.
011
performance and functions to man^xiate audit
Lab Task /get Displays the current audit policy.
1.
Select Start
2.
: A command prom pt will appears as shown 111 die following
Command Prompt.
figure. ־־
: Command Prompt
M ic r o s o f t Windows [U e r s io n 6 . 2 . 8 4 0 0 ]
/set Sets the audit policy.
C :\U s e r s \A d m in i s t r a t o r >
/list Displays selectable policy elements.
FIGURE 12.1: Command Prompt in windows server 2012
3. To view all die audit policies, type die following command 111 die command prompt: /backup Saves the audit policy to a file.
C E H L ab M an u al Page 375
auditpol /get /category:*
4.
Press Enter.
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
: Command Prompt
si
M i c r o s o f t Windows [ U e r s i o n 6 . 2 . 8 4 0 0 ]
/ restore Restores the audit policy from a file that was previously created by using auditpol /backup.
/ clear Clears die audit policy.
/remove Removes all per- audit policy settings and disables all system audit policy settings.
reserved.
H
/category:♦• S ettin g No No No No No
A uditing A uditing A uditing A uditing A uditing
No No No No No No No No No No
A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing
No No No No No No No No No No No No No No
A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing A uditing
No A u d i t i n g No A u d i t i n g No A u d i t i n g No No No No
A uditing A uditing A uditing A uditing
No No No No No No
A uditing A uditing A uditing A uditing A uditing A uditing
<|____________________ hi____________________ ____ [> FIGURE 12.2: Auditpol viewing die policies
5. To enable die audit policies, type die following command 111 die command prompt: auditpol /set /category:"system",'" logon" /success:enable /failureienable
6.
Press Enter. A d m in is tra to r: C om m and P ro m p t
/ resourceSACL Configures global resource system access control lists (SACLs).
D ir e c t o r y S e r v ic e C hanges D ir e c to r y S e r v ic e R e p lic a t io n D e t a ile d D ir e c to r y S e r v ic e R e p lic a t io n D ir e c to r y S e r v ic e A c c e ss A c c o u n t L ogon K e r b e r o s S e r v i c e T ic k e t O p e r a t io n s O th e r A cco u n t Logon E v e n ts K erb eros A u th e n tic a tio n S e r v ic e C r e d e n tia l U a lid a tio n
No No No No
A A A A
u d it in g u d it in g u d itin g u d it in g
No No No No
A A A A
u d it in g u d itin g u d it in g u d itin g
C : \U s e r s \ A d m in is t r a t o r > a u d it p o l / s e t / c a t e g o r y : " s y s t e m " ," a c c o u n t :e n a b le / f a i l u r e : e n a b l e T he com m and u a s s u c c e s s f u l l y e x e c u t e d .
lo g o n 1
): M i s e r s \ A d m i n i s t r a t o r >
FIGURE 12.3: Auditpol Local Security Policies in Windows Server 2012
C E H L ab M anual Page 376
E th ical H a ck in g and C ounterm easures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
Module 05 - System Hacking
7. To check if audit policies are enabled, type die following command 111 die command prom pt auditpol /get /category:* 8.
Press Enter.
Auditpol /g e t [/[:<usemame> | <{sid
}>]]
[ / category:* |
...]] [/subcategory:* |
}>...]] [/option:
Related Documents c2h70
Ceh V8 Labs Module 05 System Hacking 76o5b
December 2019 76
Ceh V8 Labs Module 12 Hacking Webservers.pdf z1p6o
December 2019 54
Ceh V8 Labs Module 03 Scanning Networks.pdf 2w6l16
October 2019 134
Ceh Module 07: System Hacking 1bx56
July 2020 0
Ceh Module 05: Scanning 2v2bd
November 2019 58
Ceh V8 Labs Module 02 Footprinting And Reconnaissance.pdf 6xj37
December 2019 108More Documents from "Deris Bogdan Ionut" 4n5x4w
Ceh V8 Labs Module 05 System Hacking 76o5b
December 2019 76
Quick Introduction To Canalyzer 6xl1d
October 2019 84
Prezentare Rx Craniu An I Sem Ii 65l6s
May 2023 0
Definitii Drumuri 3jl1x
November 2019 27
Tipos De Protocolo De Enrutamiento q2m1i
November 2019 46