CEHv8 module 05 system hacking


Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker
Module 05: System Hacking
Engineered by Hackers. Presented by Professionals.
Module Page 518
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

IEEE Hack Confirmed, 100k Plain Text Passwords Vulnerable
September 26th, 2012
Source: http://www.kitguru.net

After details were revealed by Radu Dragusin over at IEEElog.com a few days ago that passwords and user details for some 100,000 members of the Institute of Electrical and Electronics Engineers had been made publicly available on the company's FTP server for at least a month, the organisation has now confirmed it in a communication to members, advising them to change their details immediately.

The IEEE is an organisation that is designed to advance technology and has over 400,000 members worldwide, many of those including employees at Apple, Google, IBM, Oracle and Samsung. It is responsible for globally used standards like the IEEE 802.3 Ethernet standard and the IEEE 802.11 Wireless Networking standard. At an organisation like this, you'd expect security to be high. Still, this hack was no hoax. The official announcement of it was sent out yesterday and reads: "IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. This matter has been addressed and resolved. None of your financial information was made accessible in this situation."

The company continued saying though, that it was technically possible that during the time this information was available, that someone could have used it to access a user's account and therefore, as a "precautionary measure," the IEEE recommended all users change their account information. Until that time, users were not able to access their account at all. In what seems like quite a bold move, the organisation went on to explain to users that one of the best ways to protect themselves is to use a strong, unique password for their login. Considering it was an IEEE security blunder that caused the hack, advising other people on password strength seems a bit hypocritical. That said, in Mr Dragusin's reveal of the hacked information, he produced a graph detailing some of the most commonly used passwords. Almost 300 people used "123456" and other variations of numbers in that same configuration, while hundreds of others used passwords like "admin," "student," and "ieee2012."
Considering the involvement of IEEE members in pushing the boundaries of current technology, you'd assume we wouldn't need to turn to Eugene "The Plague" Belford to explain the importance of password security.

Copyright © 2010-2013 KitGuru Limited. Author: Jon Martindale
http://www.kitguru.net/channel/jon-martindale/ieee-hack-confirmed-100k-plain-textpasswords-vulnerable/

Module Objectives

The preceding modules dealt with the progressive intrusion that an attacker makes towards his or her target system(s). You should bear in mind that this does not indicate a culmination of the attack. This module familiarizes you with:

- System Hacking: Goals
- CEH Hacking Methodology (CHM)
- Password Cracking
- Stealing Passwords Using Keyloggers
- Microsoft Authentication
- How to Disable LM HASH
- How to Defend against Password Cracking
- Privilege Escalation
- Executing Applications
- Types of Keystroke Loggers and Spywares
- Anti-Keylogger and Anti-Spywares
- Detecting Rootkits
- Anti-Rootkits
- NTFS Stream Manipulation
- Classification of Steganography
- Steganalysis Methods/Attacks on Steganography
- Covering Tracks
- Penetration Testing

Information at Hand Before System Hacking Stage

Before beginning with system hacking, let's go over the phases you went through and the information you collected so far. Prior to this module, we discussed:

Footprinting Module

Footprinting is the process of accumulating data regarding a specific network environment. Usually this technique is applied for the purpose of finding ways to intrude into the network environment. Since footprinting can be used to attack a system, it can also be used to protect it. In the footprinting phase, the attacker creates a profile of the target organization, with information such as its IP address range, namespace, and employee web usage.

Footprinting improves the ease with which the systems can be exploited by revealing system vulnerabilities. Determining the objective and location of an intrusion is the primary step involved in footprinting. Once the objective and location of an intrusion are known, specific information about the organization can be gathered using non-intrusive methods. For example, the web page of the organization itself may provide employee bios or a personnel directory, which the hacker can use for social engineering to reach the objective. Conducting a Whois query on the web provides the associated networks and domain names related to a specific organization.

Scanning Module

Scanning is a procedure for identifying active hosts on a network, either for the purpose of network security assessment or for attacking them. In the scanning phase, the attacker finds information about the target through its IP addresses that can be accessed over the Internet. Scanning is mainly concerned with the identification of systems on a network and the identification of services running on each computer. Some of the scanning procedures, such as port scans and ping sweeps, return information about the services offered by the live hosts that are active on the Internet and their IP addresses. The inverse mapping scanning procedure returns information about the IP addresses that do not map to live hosts; this allows an attacker to make suppositions about feasible addresses.

Enumeration Module

Enumeration is the method of intrusive probing into the target through which attackers gather information such as network user lists, routing tables, and Simple Network Management Protocol (SNMP) data. This is significant because the attacker crosses over into the target territory to unearth information about the network and its shares, users, groups, applications, and banners. The attacker's objective is to identify valid user accounts or groups where he or she can remain inconspicuous once the system has been compromised. Enumeration involves making active connections to the target system or subjecting it to direct queries. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target might have made public, such as a DNS address; however, it is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session, allowing shares and accounts to be enumerated.

System Hacking: Goals

Every criminal commits a crime to achieve a certain goal. Likewise, an attacker can also have certain goals behind performing attacks on a system. The following may be some of the goals of attackers in committing attacks on a system. The table shows the goal of an attacker at different hacking stages and the technique used to achieve that goal.

Hacking Stage          | Goal                                                                | Technique/Exploit Used
Gaining Access         | To collect enough information to gain access                        | Password eavesdropping, brute forcing
Escalating Privileges  | To create a privileged user account if the user level is obtained   | Password cracking, known exploits
Executing Applications | To create and maintain backdoor access                              | Trojans
Hiding Files           | To hide malicious files                                             | Rootkits
Covering Tracks        | To hide the presence of compromise                                  | Clearing logs

FIGURE 5.1: Goals for System Hacking

CEH Hacking Methodology (CHM)

Before hacking a system, an attacker uses footprinting, scanning, and enumeration techniques to detect the target area of the attack and the vulnerabilities that prove to be doorways for the attacker. Once the attacker gains all the necessary information, he or she starts hacking. Similar to the attacker, an ethical hacker also follows the same steps to test a system or network. In order to ensure the effectiveness of the test, the ethical hacker follows the hacking methodology. The following diagram depicts the hacking methodology followed by ethical hackers:

[Figure: CEH Hacking Methodology diagram]

Covering Tracks Tool: MRU-Blaster

MRU-Blaster is an application for Windows that allows you to clean the most recently used lists stored on your computer. It allows you to clean out your temporary Internet files and cookies.
[Figure: MRU-Blaster results window, "Total Items Detected: 378", listing Windows 'Recent' folder items, Internet Explorer MRU items (recent download directory), MS DirectX most-recent-application entries, Microsoft Management Console recent file list entries, and Windows Explorer RecentDocs StreamMRU entries.]

Source: http://www.brightfort.com

MRU-Blaster is a program that allows you to clean most recently used lists on the system, temporary Internet files, and cookies. An MRU list holds complete information about the names and locations of the last files you accessed, opened, saved, and looked at. MRU-Blaster safely handles cleaning up of "usage tracks" and other remnants that most programs leave behind, and so protects your Internet privacy.

[Figure: MRU-Blaster program settings, with check boxes for Internet Explorer typed URLs, Microsoft Office MRU items, Windows "Run" dialog MRU, Windows StreamMRU, Google Toolbar history, Windows Find/Search MRUs, Microsoft Office "Recent" folder(s), Windows "Recent" folder(s), Windows UserAssist MRUs, various extra single MRU items, Microsoft Regedit MRUs, Windows network items, WordPerfect, Quattro Pro and Corel Presentations MRU items, install locations MRU, unread mail count (WinXP logon), MS Visual Studio MRU items, Customize Notifications past items, and Windows OpenWith MRUs; plugins provide additional cleaning support for other items on disk.]

FIGURE 5.8: MRU-Blaster Program Settings

Track Covering Tools

Track covering tools protect your personal information throughout your Internet browsing by cleaning up all the tracks of Internet activities on the computer. They free cache space, delete cookies, clear Internet history and shared temporary files, delete logs, and discard junk. A few of these tools are listed as follows:

- Wipe, available at http://privacyroot.com
- Tracks Eraser Pro, available at http://www.acesoft.net
- BleachBit, available at http://bleachbit.sourceforge.net
- AbsoluteShield Internet Eraser Pro, available at http://www.internet-track-eraser.com
- Clear My History, available at http://www.hide-my-ip.com
- EvidenceEraser, available at http://www.evidenceeraser.com
- WinTools.net Professional, available at http://www.wintools.net
- RealTime Cookie & Cache Cleaner (RtC3), available at http://www.kleinsoft.co.za
- AdvaHist Eraser, available at http://www.advacrypt.cjb.net
- Free Internet Window Washer, available at http://www.eusing.com

Penetration Testing

As a pen tester, you should evaluate the security posture of the target network or system. To evaluate the security, you should try to break the security of your system by simulating various attacks on the system, just like an attacker would. There are certain steps that you need to follow to conduct a system
penetration test. This section will teach you how to conduct a system hacking penetration test.

[Figure: penetration testing flow: Cracking Passwords, Escalating Privileges, Executing Applications, Hiding Files, Covering Tracks, Penetration Testing]

Password Cracking

[Figure: password cracking flow: START, check for password complexity, then dictionary, rule-based, syllable, hybrid and brute-forcing attacks, wire sniffing and man-in-the-middle attack]

In an attempt to hack a system, the attacker initially tries to crack the password of the system, if any. Therefore, as a pen tester, you should also try to crack the password of the system. To crack the password, follow these steps:

Step 1: Identify password-protected systems
Identify the target system whose security needs to be evaluated. Once you identify the system, check whether you have access to the password, that is, a stored password. If the password is not stored, then try to perform various password cracking attacks one after the other on the target system.

Step 2: Perform a dictionary attack
Perform a dictionary attack by loading the dictionary file into the cracking application that runs against user accounts. Run the cracking application and observe the results. If the application allows you to log in to the system, it means that the dictionary file contains the respective password. If you are not able to log in to the system, then try other password-cracking techniques.

Step 3: Perform wire sniffing
Run packet sniffer tools on the LAN to access and record the raw network traffic that may include passwords sent to remote systems.

Step 4: Perform a rule-based attack
Try to obtain the password by performing a rule-based attack.

Step 5: Perform a syllable attack
Try to extract the password by performing a syllable attack. This attack is a combination of a brute force attack and a dictionary attack.

Step 6: Perform a hybrid attack
Try to perform a hybrid attack. This attack is used to find passwords that are a dictionary word with combinations of characters prepended or appended to them.

Step 7: Perform a brute force attack
Run a program that tries every possible combination of characters until the password is found.

Step 8: Perform a man-in-the-middle attack
Try to acquire access to the communication channels between victim and server to extract the information.
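Steps 2, 4, 6 and 7 are the same loop over candidate passwords with different candidate generators, and what makes the loop cheap against Windows accounts is that the NT hash is unsalted MD4 of the password. The following Python is an added example, not code from the course or from any cracking tool: it implements MD4 in pure Python (hashlib's "md4" is disabled in many OpenSSL 3 builds), then runs dictionary, rule-based, hybrid and bounded brute-force stages against a constructed set of NT hashes, and goes one step beyond the text by showing the precomputed-table idea behind Steps 13 and 15. The account names, word list and passwords are made up for the example.

```python
import itertools
import string
import struct

M = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), written out because hashlib.new("md4") is missing from
    many OpenSSL 3 builds. The NT hash is MD4 of the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((v + w) & M for v, w in zip((a, b, c, d), (aa, bb, cc, dd)))
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()

# Candidate generators, one per attack stage in the text.
def rule_based(words):
    """Mangling rules: case toggles plus a leetspeak substitution."""
    leet = str.maketrans("aeios", "43105")
    for w in words:
        yield from (w.lower(), w.capitalize(), w.upper(), w.translate(leet))

def hybrid(words, affixes=("1", "123", "2012", "!", "2012!")):
    """Dictionary word with characters appended or prepended."""
    for w in words:
        for s in affixes:
            yield from (w + s, s + w)

def brute_force(alphabet, max_len):
    """Every string up to max_len; the candidate count grows as len(alphabet) ** max_len."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)

def crack(targets, stages):
    """targets: {user: nt_hash_hex}. Runs the stages in order and returns
    ({user: (password, stage)}, candidates_hashed). Without a salt, equal hashes
    are equal passwords, so one candidate can crack several accounts at once."""
    by_hash = {}
    for user, h in targets.items():
        by_hash.setdefault(h, []).append(user)
    found, tried = {}, 0
    for name, gen in stages:
        for cand in gen:
            tried += 1
            for user in by_hash.get(nt_hash(cand), ()):
                found.setdefault(user, (cand, name))
            if len(found) == len(targets):
                return found, tried
    return found, tried

def precomputed_table(candidates):
    """Steps 13 and 15: hash each candidate once and keep the result, so every later
    lookup is O(1); rainbow tables are a space-time compression of this table."""
    return {nt_hash(c): c for c in candidates}

# Constructed sample: a five-word list and the NT hashes of made-up accounts.
WORDS = ["ieee", "student", "admin", "summer", "welcome"]
TARGETS = {
    "alice": nt_hash("Summer2012!"),  # hybrid: mangled word + suffix
    "bob": nt_hash("2468"),           # digit PIN: brute force
    "carol": nt_hash("Admin"),        # rule-based: capitalised word
    "dave": nt_hash("2468"),          # same password as bob, so the same hash
    "erin": nt_hash("correct horse battery staple"),  # survives every stage below
}

def build_stages(words):
    return [("dictionary", iter(words)),
            ("rule-based", rule_based(words)),
            ("hybrid", hybrid(list(rule_based(words)))),
            ("brute-force digits<=4", brute_force(string.digits, 4))]

def run_demo():
    return crack(TARGETS, build_stages(WORDS))
```

Running `run_demo()` recovers alice, bob, carol and dave (bob and dave share a hash, which a cracker sees before trying a single candidate) and leaves erin uncracked after roughly eleven thousand candidates; the brute-force stage alone dominates that count, which is the reason real crackers run the cheap stages first and why the text's Step 1 checks password complexity before choosing an attack.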
Password Cracking (Cont'd)

Step 9: Perform a replay attack
Use a sniffer to capture packets and authentication tokens. After extracting the relevant information, place the tokens back on the network to gain access. Try to intercept the data in the communication and retransmit it.

Step 10: Perform password guessing
Try to guess the possible combinations of passwords and apply them.

Step 11: Perform Trojan/spyware/keylogger attacks
Use malicious applications or malware such as Trojans, spyware, or keyloggers to steal passwords: record every keystroke that a user types using a keylogger, secretly gather personal information about a person or organization using spyware, and, with the help of a Trojan, get access to the stored passwords on the Trojaned computer.

Step 12: Perform a hash injection attack
Inject a compromised hash into a local session and use the hash to validate to network resources. This is the technique commonly known as pass-the-hash: NTLM authentication proves possession of the NT hash, not of the password, so a dumped hash can be used without ever cracking it.

Step 13: Perform a rainbow attack
Use a rainbow table that stores pre-computed hashes to crack the hashed password.

Step 14: Perform a distributed network attack
Recover password-protected files using the unused processing power of machines across the network to decrypt passwords.

Step 15: Perform pre-computed hashes
Use pre-computed hashes to crack passwords.

Step 16: Perform dumpster diving
Check the trash bin of your target to see whether you can find confidential passwords anywhere.

Step 17: Perform social engineering
Use social engineering techniques to obtain passwords.

Step 18: Perform shoulder surfing
Check whether you can steal the password by shoulder surfing.

Privilege Escalation

Once the attacker gains the system password, he or she then tries to escalate their privileges to the administrator level so that they can install malicious programs or malware on the target system and thus retrieve sensitive information from the system. As a pen tester, you should hack the system as a normal user and then try to escalate your privileges. The following are the steps to perform privilege escalation:

Step 1: Try to log in with enumerated user names and cracked passwords
Once you crack the password, try to log in with the password obtained in order to gain access to the system. Check whether interactive logon privileges are restricted. If YES, then try to run the services as unprivileged accounts.

Step 2: Try to run services as unprivileged accounts
Before trying to escalate your privileges, try to run services and check whether you have permissions to run services or not. If you can run the services, then use privilege escalation tools to obtain high-level privileges.

Step 3: Use privilege-escalation tools
Use privilege-escalation tools such as Active@ Password Changer, Offline NT Password & Registry Editor, Windows Password Reset Kit, Windows Password Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password Recovery Bootdisk, etc. These tools will help you to gain higher level privileges. Note that these are offline password-reset utilities: they work by booting the target from removable media (or otherwise reaching its disk) and editing the SAM, so they only apply where physical or boot-level access to the machine is in scope.
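Step 1 above logs in with a cracked password, while Step 12 of the password-cracking procedure (hash injection) skips the cracking entirely. The Python below is an added example, not course material, that shows why the second works: under NTLMv2 the server holds only the NT hash, and the client proves possession of that same hash, so the hash is the credential. The account name "svc_backup", the domain "CORP" and the verifier class are constructed for the example; the NT hash constant is the well-known NT hash of the string "password", used so that the example needs no MD4 implementation. The key derivation and proof follow MS-NLMP section 3.3.2; the client blob is a minimal one with an empty AV-pair list.

```python
import hashlib
import hmac
import os
import struct
import time

# NT hash of "password" (MD4 of its UTF-16LE form). A real attacker obtains it
# from the SAM or LSASS memory; the password itself is never needed below.
NT_HASH_OF_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain, as UTF-16LE)  [MS-NLMP 3.3.2]."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def client_blob(client_nonce: bytes, filetime: int) -> bytes:
    """Minimal NTLMv2 client-challenge blob: RespType, HiRespType, reserved,
    FILETIME, 8-byte client nonce, reserved, MsvAvEOL (empty AV list), reserved."""
    return (struct.pack("<BBHI", 1, 1, 0, 0) + struct.pack("<Q", filetime)
            + client_nonce + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)

def ntlmv2_response(nt_hash, user, domain, server_challenge, blob):
    """NtProofStr = HMAC-MD5(NTOWFv2, ServerChallenge + blob); response = NtProofStr + blob."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob

class NtlmVerifier:
    """Server/DC side (constructed). It stores NT hashes only, as the SAM does, so it
    can recompute the proof without ever holding the password."""
    def __init__(self, domain, accounts):
        self.domain, self.accounts = domain, accounts

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, user, server_challenge, response) -> bool:
        nt_hash = self.accounts.get(user)
        if nt_hash is None or len(response) < 16:
            return False
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntowf_v2(nt_hash, user, self.domain),
                            server_challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)

def filetime_now() -> int:
    """Windows FILETIME: 100 ns ticks since 1601-01-01."""
    return int((time.time() + 11644473600) * 10_000_000)

def pass_the_hash(injected_hash: bytes = NT_HASH_OF_PASSWORD) -> bool:
    """Step 12: the attacker injects a hash into the session; the hash alone yields
    a valid NTLMv2 response. A wrong hash (e.g. bytes(16)) is rejected."""
    dc = NtlmVerifier("CORP", {"svc_backup": NT_HASH_OF_PASSWORD})
    chal = dc.new_challenge()
    blob = client_blob(os.urandom(8), filetime_now())
    return dc.verify("svc_backup", chal, ntlmv2_response(injected_hash, "svc_backup", "CORP", chal, blob))

def replay_captured_response() -> bool:
    """Step 9 caveat: a sniffed NTLMv2 response is bound to the challenge it answered,
    so replaying it against a fresh challenge fails (live relaying is a different attack)."""
    dc = NtlmVerifier("CORP", {"svc_backup": NT_HASH_OF_PASSWORD})
    chal1 = dc.new_challenge()
    captured = ntlmv2_response(NT_HASH_OF_PASSWORD, "svc_backup", "CORP", chal1,
                               client_blob(os.urandom(8), filetime_now()))
    assert dc.verify("svc_backup", chal1, captured)   # the original exchange succeeds
    return dc.verify("svc_backup", dc.new_challenge(), captured)
```

The defensive reading of `pass_the_hash()` is that any place an NT hash is stored or cached (SAM, LSASS, cached logons) is as sensitive as the password itself, which is why the module's LM hash and password-defence sections matter; `replay_captured_response()` shows the limit of Step 9 against challenge-response protocols.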
Prohibited ■■■I E x e c u t in g A p p lic a t io n s Pen testers should check the target systems by executing some applications in order to find out the loopholes in the system Here are the steps to check your system when you choose certain applications to be executed to determine loopholes Stepl: Check antivirus installation on the target system Check if antivirus software is installed on the target system and if installed, check that it is upto-date or not Step2: Check firewall anti-keylogging software installation on the target system Check if firewall software and anti-keylogging software is installed or not Step3: Check the hardware system Check if the hardware systems are secured in a locked environment Step4: Use keyloggers Try to install and use keyloggers on the system in order to record keystrokes Use keyloggers such as Spytech SpyAgent, All In One Keylogger, Powered Keylogger, Advanced Keylogger, etc M o d u le P a g e E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t © b y E C - C U n C il A l l R i g h t s R e s e r v e d R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s S y s te m E x a m - C e r t if ie d E th ic a l H a c k e r H a c k in g Step5: Use spyware Try to install and use spyware on the system in order to monitor the activities on the system Use spyware such as SoftActivity TS Monitor, Spy Voice Recorder, WebCam Recorder, Mobile Spy, SPYPhone GOLD, etc Step : Use tools for remote execution Try to install and use tools for remote execution M o d u le P a g e 2 E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t © b y E C - C U n C il A l l R i g h t s R e s e r v e d R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d E th ic a l H a c k in g a n d C o u n t e r m e a s u r e s S y s te m E x a m - C e r t if ie d E th ic a l H a c k e r H a c k in g C E H (g) START-‫״‬: Try to install the rootkit in 
Hiding Files

An attacker installs rootkits to maintain hidden access to the system. Follow these pen testing steps to detect hidden files on the target system:

Step 1: Install rootkits
First, try to install a rootkit on the target system to maintain hidden access.

Step 2: Perform rootkit detection techniques
Perform integrity-based detection, signature-based detection, cross-view-based detection, and heuristic detection techniques to detect rootkits.

Step 3: Use anti-rootkit programs
Use anti-rootkits such as Stinger, UnHackMe, Virus Removal Tool, Rootkit Buster, etc. to detect rootkits.

Step 4: Use NTFS Alternate Data Streams (ADSs)
Use NTFS Alternate Data Streams (ADSs) to inject malicious code on a breached system and execute it without the user noticing. An ADS is an NTFS feature: the stream does not appear in a normal directory listing or in the reported file size, but it is lost when the file is copied to a non-NTFS volume (FAT, exFAT) and is visible to any tool that enumerates streams.

Step 5: Use NTFS stream detectors
Use NTFS stream detectors such as StreamArmor, ADS Spy, Streams (Sysinternals), etc. to detect NTFS ADS streams.

Step 6: Use steganography techniques
Use steganography to hide a secret message within an ordinary message (the carrier) and extract it at the destination, maintaining the confidentiality of the data.

Step 7: Use steganography detection tools
Use steganography detection tools such as Gargoyle Investigator Forensic Pro, Xstegsecret, Stego Suite, Stegdetect, etc. to perform steganalysis.

Alongside these steps, check whether patches for the OS and applications are up to date and whether antivirus and anti-spyware software are updated regularly.
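Steps 4 and 5 are the two sides of one technique, so one example covers both. The PowerShell below is an added example, not part of the EC-Council material: it writes a constructed payload string into an alternate data stream of a harmless carrier file in a scratch folder, shows that a directory listing reports only the primary stream, then runs a stream scan of the kind the detector tools perform and reads the hidden content back. Only built-in cmdlets are used; the stream name, carrier text and payload text are made up for the example, and nothing is executed.

```powershell
# Added example (not from the CEH manual): hide data in an NTFS Alternate Data
# Stream, show why a plain listing misses it, then detect and read it back.
# Works in a scratch folder on any NTFS volume; the stream is never executed.

$work    = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$carrier = Join-Path $work 'notes.txt'

# Innocent-looking carrier file (constructed text).
Set-Content -Path $carrier -Value 'quarterly figures, see attached'

# Step 4: the hidden stream. -Stream addresses file:streamname on NTFS.
# The payload text stands in for a script an attacker would stash here.
Set-Content -Path $carrier -Stream 'payload' -Value 'Write-Host "hidden payload ran"'

'== Directory listing shows only the carrier and its primary-stream size =='
Get-ChildItem -Path $work | Select-Object Name, Length

function Find-AlternateDataStreams {
    # Step 5: every file has the primary stream ':$DATA'; anything else is an
    # ADS. Zone.Identifier is a legitimate ADS Windows adds to downloaded
    # files, so it is reported but not flagged as suspicious.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force | ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Bytes      = $_.Length
                    Suspicious = ($_.Stream -ne 'Zone.Identifier')
                }
            }
    }
}

'== Stream scan =='
$hits = Find-AlternateDataStreams -Root $work
$hits | Format-Table -AutoSize

# Triage: dump the content of each suspicious stream.
foreach ($h in $hits | Where-Object Suspicious) {
    "--- $($h.File):$($h.Stream) ---"
    Get-Content -LiteralPath $h.File -Stream $h.Stream
}

# Clean up: remove only the stream (the carrier survives), then the folder.
Remove-Item -Path $carrier -Stream 'payload'
Remove-Item -Path $work -Recurse -Force
```

The same enumeration is available as `dir /r` in cmd.exe and as `streams.exe -s <folder>` from Sysinternals; point the scan at user-writable locations such as profile directories and web roots, since that is where an attacker can create streams without elevated rights.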
Covering Tracks

The pen tester should check whether he or she can cover the tracks made while simulating the attack during the penetration test. To check whether you can cover the tracks of your activity, follow these steps:

Step 1: Remove web activity tracks
First, remove web activity tracks such as MRU lists, cookies, cache, temporary files, and history.

Step 2: Disable auditing
Try to disable auditing on the target system, using a tool such as Auditpol.

Step 3: Tamper with log files
Try to tamper with log files such as event log files, server log files, and proxy log files, by log poisoning or log flooding.

Step 4: Use track-covering tools
Use track-covering tools such as CCleaner, MRU-Blaster, Wipe, Tracks Eraser Pro, Clear My History, etc.

Step 5: Close all remote connections to the victim machine
Try to close all remote connections to the victim machine.

Step 6: Close any opened ports
Try to close any ports you opened.
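Steps 2 and 3 each leave their own trace: disabling auditing with Auditpol logs a policy-change event, and clearing an event log writes a clearing event into the log that replaces it. The PowerShell below is an added example, not part of the EC-Council material, that a tester (or the defender reviewing the test) can run to see whether tracks really were covered. It queries the well-known Windows event IDs 1102, 104, 4719 and 4688 and lists audit subcategories currently set to No Auditing. The cmdlets and event IDs are real; the seven-day window and the regex over `auditpol` output (English locale) are assumptions made for the example. Reading the Security log requires an elevated shell.

```powershell
# Added example (not from the CEH manual): the detection side of "Covering
# Tracks". Run from an elevated PowerShell on the host that was tested.

$since = (Get-Date).AddDays(-7)      # lookback window (assumption)

# Events that anti-forensics leaves behind (Windows Vista / Server 2008 and later):
#   Security 1102  the audit log was cleared (wevtutil cl Security, Clear-EventLog)
#   System   104   another event log was cleared
#   Security 4719  system audit policy was changed (what auditpol /set does)
#   Security 4688  process creation; used to catch auditpol.exe / wevtutil.exe
#                  being launched, present only if process auditing was on
$queries = @(
    @{ LogName = 'Security'; Id = 1102 },
    @{ LogName = 'System';   Id = 104  },
    @{ LogName = 'Security'; Id = 4719 },
    @{ LogName = 'Security'; Id = 4688 }
)

function Get-TrackCoveringEvents {
    param([datetime]$StartTime)
    foreach ($q in $queries) {
        $filter = $q.Clone()
        $filter['StartTime'] = $StartTime
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $e = $_
            # 4688 is noisy; keep only launches of the track-covering tools.
            if ($e.Id -eq 4688 -and $e.Message -notmatch 'auditpol\.exe|wevtutil\.exe') { return }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Log     = $q.LogName
                Id      = $e.Id
                User    = $e.UserId
                Summary = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

function Get-DisabledAuditCategories {
    # auditpol prints subcategories indented two spaces, e.g.
    #   "  Logon                                   Success and Failure"
    # A subcategory reading "No Auditing" is where auditing may have been
    # switched off. The regex assumes English output.
    auditpol /get /category:* 2>$null | ForEach-Object {
        if ($_ -match '^\s{2}(\S.*?)\s{2,}No Auditing\s*$') { $Matches[1] }
    }
}

'== Log-clearing and audit-policy events since ' + $since.ToString('u') + ' =='
Get-TrackCoveringEvents -StartTime $since | Sort-Object Time | Format-Table -AutoSize

'== Audit subcategories currently set to No Auditing =='
Get-DisabledAuditCategories
```

A 1102 or 104 event shows the log was cleared and by whom, which is why clearing logs is a poor way to cover tracks on a host whose events are forwarded to a collector; Step 3's log poisoning or flooding is harder to spot and is the case to test against a SIEM rather than the local log alone.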
Module Summary

- Attackers use a variety of means to penetrate systems.
- Password guessing and cracking is one of the first steps.
- Password sniffing is a preferred eavesdropping tactic.
- Vulnerability scanning aids the attacker in identifying which password cracking technique to use.
- Keystroke logging and other spyware tools are used once attackers gain entry to systems, to keep up the attacks.
- Invariably, attackers destroy evidence of "having been there and done the damage."
- Stealing files as well as hiding files are the means to sneak out sensitive information.

Posted: 14/04/2017, 09:07