
CEH Lab Manual
System Hacking
Module 05

Module 05 - System Hacking

System Hacking
System hacking is the science of testing computers and network for vulnerabilities and plug-ins.

Lab Scenario

Password hacking is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it. Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems.

Lab Objectives
The objective of this lab is to help students learn to monitor a system remotely and to extract hidden files, together with other tasks that include:
- Extracting administrative passwords
- Hiding files and extracting hidden files
- Recovering passwords
- Monitoring a system remotely

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab you need:
- A computer running Windows Server 2012
- A web browser with an Internet connection
- Administrative privileges to run tools

Lab Duration
Time: 100 Minutes

CEH Lab Manual Page

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Overview of System Hacking


The goal of system hacking is to gain access, escalate privileges, execute applications, and hide files.


Lab Tasks
Recommended labs to assist you in system hacking:
- Extracting Administrator Passwords Using LCP
- Hiding Files Using NTFS Streams
- Find Hidden Files Using ADS Spy
- Hiding Files Using the Stealth Files Tool
- Extracting SAM Hashes Using PWdump7 Tool
- Creating the Rainbow Tables Using Winrtgen
- Password Cracking Using RainbowCrack
- Extracting Administrator Passwords Using L0phtCrack
- Password Cracking Using Ophcrack
- System Monitoring Using RemoteExec
- Hiding Data Using Snow Steganography
- Viewing, Enabling and Clearing the Audit Policies Using Auditpol
- Password Recovery Using CHNTPW.ISO
- User System Monitoring and Surveillance Needs Using Spytech SpyAgent
- Web Activity Monitoring and Recording using Power Spy 2013
- Image Steganography Using QuickStego

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on the target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Extracting Administrator Passwords Using LCP
Link Control Protocol (LCP) is part of the Point-to-Point (PPP) protocol. In PPP communications, both the sending and receiving devices send out LCP packets to determine specific information required for data transmission.

Lab Scenario

Hackers can break weak password storage mechanisms by using the cracking methods outlined in this chapter. Many vendors and developers believe that passwords are safe from hackers if they don't publish the source code for their encryption algorithms. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge. Password-cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords.

Lab Objectives
The objective of this lab is to help students learn how to crack administrator passwords for ethical purposes. In this lab you will learn how to:
- Use an LCP tool
- Crack administrator passwords

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab you need:
- LCP located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\LCP
- You can also download the latest version of LCP from the link http://www.lcpsoft.com/english/index.htm

- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool in Windows Server 2012
- Follow the wizard-driven installation instructions
- Administrative privileges to run tools
- TCP/IP settings correctly configured and an accessible DNS server

Lab Duration
Time: 10 Minutes

Overview of LCP
The LCP program mainly audits user account passwords and recovers them in Windows 2008 and 2003. General features of this program are password recovery, brute force session distribution, account information importing, and hashing. It can be used to test password security, or to recover lost passwords. The program can import from the local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Sniff file. LCP supports dictionary attack, brute force attack, as well as a hybrid of dictionary and brute force attacks.
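As an added example (not part of the lab manual or of LCP), the following PowerShell audit checks the two local settings that decide how much a hash-auditing tool like LCP recovers: whether the weak LM hash is still stored (LCP shows NO PASSWORD in the LM Hash column when it is not) and the local password policy. The registry path and secedit key names are standard Windows ones; the numeric thresholds in Test-PasswordPolicy are this example's own assumptions, not an official baseline.

```powershell
# Added example, not part of the CEH lab manual or the LCP tool.
# Read-only audit of the settings LCP trades on. Run in an elevated
# Windows PowerShell (3.0 or later) on the lab server.

function Get-LmHashStorageStatus {
    # NoLMHash = 1 stops LSA from storing the LM hash at the next password
    # change. The LM hash is what LCP cracks fastest: the password is
    # upper-cased, cut at 14 characters and hashed as two 7-character halves.
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = $lsa.NoLMHash
    if ($null -eq $value) {
        $note = 'value absent: set NoLMHash to 1 explicitly'
    } elseif ($value -eq 1) {
        $note = 'LM hashes are not stored (LCP reports NO PASSWORD for LM)'
    } else {
        $note = 'LM hashes are stored; every account is exposed to a trivial brute force'
    }
    [pscustomobject]@{
        Setting   = 'NoLMHash'
        Value     = $value
        Compliant = ($value -eq 1)
        Note      = $note
    }
}

function Get-LocalPasswordPolicy {
    # secedit exports the effective local security policy as an INI-style
    # file; its [System Access] section carries the account policy values.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $cfg /quiet
        $policy = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(MinimumPasswordLength|PasswordComplexity|LockoutBadCount|PasswordHistorySize)\s*=\s*(\d+)') {
                $policy[$matches[1]] = [int]$matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Minimums below are this example's assumptions. Note that LockoutBadCount
    # only limits online guessing; hashes exported the way LCP does are cracked
    # offline, where only length and complexity slow the attacker down.
    $checks = @(
        @{ Name = 'MinimumPasswordLength'; Min = 14; Why = 'words such as "apple" or "qwerty" fall to a dictionary run in seconds' },
        @{ Name = 'PasswordComplexity';    Min = 1;  Why = 'complexity rejects single dictionary words' },
        @{ Name = 'LockoutBadCount';       Min = 1;  Why = '0 allows unlimited online guessing' },
        @{ Name = 'PasswordHistorySize';   Min = 24; Why = 'stops users rotating back to a cracked password' }
    )
    foreach ($check in $checks) {
        $actual = $Policy[$check.Name]
        [pscustomobject]@{
            Setting   = $check.Name
            Value     = $actual
            Compliant = ($null -ne $actual -and $actual -ge $check.Min)
            Note      = $check.Why
        }
    }
}

# Usage: the non-compliant rows are exactly what a run of LCP would exploit.
Get-LmHashStorageStatus | Format-List
Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy) | Format-Table -AutoSize
```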

Lab Tasks
TASK 1: Cracking Administrator Password
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012 Desktop view

2. Click the LCP app to launch LCP.

You can also download LCP from http://www.lcpsoft.com.


FIGURE 1.2: Windows Server 2012 Apps

3. The LCP main window appears.


LCP supports additional encryption of accounts by SYSKEY at import from registry and export from SAM file.

FIGURE 1.3: LCP main window

4. From the menu bar, select Import and then Import From Remote Computer.


FIGURE 1.4: Import from the remote computer

LCP is logically a transport layer protocol according to the OSI model.

5. Enter the Computer name or IP address (WIN-D39MR5HL9E4 in the figure), select the Import type as Import from registry, and click OK.

LCP checks the identity of the linked device and either accepts or rejects the peer device, then determines the acceptable packet size for transmission.

FIGURE 1.5: Import from remote computer window

6. The output window appears.


FIGURE 1.6: Importing the User Names (the status bar reports: 1 of 7 passwords were found (14.286%))

Main purpose of the LCP program is user account password auditing and recovery in Windows.

7. Now select any User Name and click the Play button.

8. This action generates passwords.


FIGURE 1.7: LCP generates the password for the selected user name (the status bar reports: Passwords recovering interrupted; 5 of 7 passwords were found (71.429%))

Lab Analysis
Document all the IP addresses and passwords extracted for the respective IP addresses. Use this tool only for training purposes.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: LCP
Information Collected/Objectives Achieved:
Remote Computer Name: WIN-D39MR5HL9E4
Output:
  User Name    NT Password
  Martin       apple
  Juggyboy     green
  Jason        qwerty
  Shiela       test

Questions
1. What is the main purpose of LCP?
2. How do you continue recovering passwords with LCP?

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Hiding Files Using NTFS Streams
A stream consists of data associated with a main file or directory (known as the main unnamed stream). Each file and directory in NTFS can have multiple data streams that are generally hidden from the user.

Lab Scenario

Once the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system that make it easy for the attacker to compromise each system in a short amount of time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and password information. Attackers continue to leverage information on each system until they identify passwords for accounts that reside on highly prized systems including payroll, root domain controllers, and web servers. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using NTFS streams.

Lab Objectives
The objective of this lab is to help students learn how to hide files using NTFS streams. It will teach you how to:
- Use NTFS streams
- Hide files

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab you need:
- A computer running Windows Server 2008 as a virtual machine
- C:\ drive formatted as NTFS


Lab Duration
Time: 15 Minutes

Overview of NTFS Streams
NTFS (New Technology File System) is the standard file system of Windows. NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures.

Lab Tasks
TASK 1: NTFS Streams
1. Run this lab in the Windows Server 2008 virtual machine.
2. Make sure the C:\ drive is formatted for NTFS.
3. Create a folder called magic on the C:\ drive and copy calc.exe from C:\windows\system32 to C:\magic.
4. Open a command prompt, go to C:\magic, type notepad readme.txt in the command prompt and press Enter.
5. readme.txt in Notepad appears. (Click the Yes button if prompted to create a new readme.txt file.)
6. Type Hello World! and save the file.

NTFS streams run on Windows Server 2008.

7. Note the file size of readme.txt by typing dir in the command prompt.
8. Now hide calc.exe inside readme.txt by typing the following in the command prompt:
type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe


FIGURE 2.2: Command prompt with the hiding calc.exe command

  C:\magic>notepad readme.txt

  C:\magic>dir
   Volume in drive C has no label.
   Volume Serial Number is 34C9-D78F

   Directory of C:\magic

  09/12/2012  05:39 AM    <DIR>          .
  09/12/2012  05:39 AM    <DIR>          ..
  01/19/2008  06:51 AM           188,416 calc.exe
  09/12/2012  05:40 AM                12 readme.txt
                 2 File(s)        188,428 bytes
                 2 Dir(s)   4,377,677,824 bytes free

  C:\magic>type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe

  C:\magic>

9. Type dir in the command prompt and note the file size of readme.txt.

FIGURE 2.3: Command prompt after executing the hiding calc.exe command

  C:\magic>dir
   Volume in drive C has no label.
   Volume Serial Number is 34C9-D78F

   Directory of C:\magic

  09/12/2012  05:39 AM    <DIR>          .
  09/12/2012  05:39 AM    <DIR>          ..
  01/19/2008  06:51 AM           188,416 calc.exe
  09/12/2012  05:44 AM                12 readme.txt
                 2 File(s)        188,428 bytes
                 2 Dir(s)   4,377,415,680 bytes free

  C:\magic>

10. The file size of readme.txt should not change. Now navigate to the directory c:\magic and delete calc.exe.

11. Return to the command prompt and type the command:
mklink backdoor.exe readme.txt:calc.exe
and press Enter.


A stream is a hidden file that is linked to a normal (visible) file.

  C:\magic>mklink backdoor.exe readme.txt:calc.exe
  symbolic link created for backdoor.exe <<===>> readme.txt:calc.exe

  C:\magic>

FIGURE 2.4: Command prompt linking the executed hidden calc.exe

12. Type backdoor, press Enter, and the calculator program will be executed.

FIGURE 2.5: Command prompt with executed hidden calc.exe

Lab Analysis
Document all the results discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Tool/Utility: NTFS Streams
Information Collected/Objectives Achieved:
Output: Calculator (calc.exe) file executed

Questions
1. Evaluate alternative methods to hide other exe files (like calc.exe).

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Find Hidden Files Using ADS Spy
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with NTFS file system.

Lab Scenario
Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. In order to be an expert ethical hacker and penetration tester, you must understand how to find hidden files using ADS Spy.

Lab Objectives
The objective of this lab is to help students learn how to list, view, or delete Alternate Data Streams and how to use them. It will teach you how to:
- Use ADS Spy
- Find hidden files

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab you need:
- ADS Spy located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream Detector Tools\ADS Spy
- You can also download the latest version of ADS Spy from the link http://www.merijn.nu/programs.php#adsspy
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool in Windows Server 2012


Lab Duration
Time: 10 Minutes

Overview of ADS Spy
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with NTFS file systems. ADS is a method of storing meta-information of files, without actually storing the information inside the file it belongs to.

ADS (Alternate Data Stream) is a technique used to store meta-info on files.

Lab Tasks
TASK 1: Alternative Data Streams
1. Navigate to the CEH-Tools directory D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream Detector Tools\ADS Spy.

2. Double-click and launch ADS Spy.

FIGURE 3.1: Welcome screen of ADS Spy (ADS Spy v1.11 - Written by Merijn). The window text reads: "Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious!" Options shown: Quick scan (Windows base folder only); Full scan (all NTFS drives); Scan only this folder; Ignore safe system info data streams ('encryptable', 'SummaryInformation', etc); Calculate MD5 checksums of streams' contents; Scan the system for alternate data streams; Remove selected streams.

ADS Spy is a small tool to list, view, or delete Alternate Data Streams (ADS) on Windows 2012 with NTFS file systems.

3. Start an appropriate scan that you need.

4. Click Scan the system for alternate data streams.


ADS are a way of storing meta-information regarding files, without actually storing the information in the file it belongs to, carried over from early MacOS compatibility.

FIGURE 3.2: ADS Spy window with Full Scan selected. The scan lists C:\magic\readme.txt:calc.exe (1051648 bytes) among the alternate data streams found.

5. Find the hidden ADS data streams (the hidden info file) while you scan the system for alternate data streams.

6. To remove the Alternate Data Stream, click Remove selected streams.


Compatible with: Windows Server 2012, 2008

FIGURE 3.3: Find the hidden stream file (C:\magic\readme.txt:calc.exe selected in the results list)
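Added example serving both the NTFS Streams lab and this ADS Spy lab; it is not from the manual or from ADS Spy. It lists alternate data streams under a folder with Get-Item -Stream and finds symbolic links whose target is a stream, which is how the C:\magic artefacts (readme.txt:calc.exe and backdoor.exe) show up to a defender. It assumes Windows PowerShell 3.0 or later on the lab server and the C:\magic path from the lab.

```powershell
# Added example, not from the CEH lab manual or ADS Spy. Windows PowerShell
# 3.0 or later; -Encoding Byte is the Windows PowerShell form (PowerShell 7
# uses -AsByteStream instead).

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeZoneIdentifier   # Zone.Identifier is the normal "downloaded file" marker
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every stream of the file; ':$DATA' is the
            # unnamed main stream that Explorer and a plain 'dir' report.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    # A Windows executable starts with the ASCII bytes 'MZ' (0x4D 0x5A),
                    # so a stream holding calc.exe is flagged even if its name is harmless.
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

function Find-StreamLink {
    param([Parameter(Mandatory)][string]$Path)
    # 'dir /AL /S' prints symbolic links as '<SYMLINK>  name [target]'. A ':' in
    # the target after the file name is how 'mklink backdoor.exe readme.txt:calc.exe'
    # shows up. Parsing dir output keeps this working on PowerShell 3.0, whose
    # FileInfo objects have no Target property.
    $dir = $null
    & cmd.exe /c "dir /AL /S `"$Path`"" 2>$null | ForEach-Object {
        if ($_ -match '^\s*Directory of (.+?)\s*$') { $dir = $matches[1]; return }
        if ($_ -match '<SYMLINK(?:D)?>\s+(.+?)\s+\[(.+)\]\s*$') {
            $target     = $matches[2]
            $afterDrive = $target -replace '^[A-Za-z]:', ''   # drop a leading drive letter colon
            [pscustomobject]@{
                Link           = Join-Path $dir $matches[1]
                Target         = $target
                PointsToStream = ($afterDrive -match ':')
            }
        }
    }
}

# Usage against the lab folder: both artefacts from the NTFS Streams lab are reported.
Find-AlternateDataStream -Path 'C:\magic' | Format-Table -AutoSize
Find-StreamLink -Path 'C:\magic' | Format-Table -AutoSize
```

From cmd.exe on Windows Vista and later, dir /R also lists each file's streams with their sizes, which is the quickest way to see why the readme.txt size in the NTFS Streams lab never changed while the free space did.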


Lab Analysis
Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: ADS Spy
Information Collected/Objectives Achieved:
Scan Option: Full Scan (all NTFS drives)
Output: Hidden files with their location; hidden file size

Questions
1. Analyze how ADS Spy detects NTFS streams.

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Hiding Files Using the Stealth Files Tool
Stealth Files use a process called steganography to hide any files inside of another file. It is an alternative to encryption of files.

Lab Scenario
The Windows NT NTFS file system has a feature that is not well documented and is unknown to many NT developers and most users. A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size and there can be more than one stream linked to a normal file. Streams can have any name that complies with NTFS naming conventions. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using the Stealth Files tool. In this lab, we discuss how to find hidden files inside of other files using the Stealth Files Tool.

Lab Objectives
The objective of this lab is to teach students how to hide files using the Stealth Files tool. It will teach you how to:
- Use the Stealth Files Tool
- Hide files

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out this lab you need:
- Stealth Files tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Audio Steganography\Stealth Files
- A computer running Windows Server 2012 (host machine)
- You can also download the latest version of Stealth Files from the link http://www.froebis.com/english/sf40.shtml

If you decide to download the latest version, then screenshots shown in the lab might differ Administrative privileges to run the Stealth files tool Run this tool 111 Windows Server 2012 (Host Machine)
L a b D u r a tio n

Tune: 15 Minutes
O v e r v ie w o f S t e a lt h F ile s T o o l
Steganography is the art and science of writing hidden messages.

Stealth Files uses a process called steganography to hide any file inside of another file. It is presented as an alternative to encryption because no one can recover the hidden data unless they know that the hidden files exist. Steganography only conceals that data is present, though: once a carrier is suspected, the password with which Stealth Files encrypts the payload before hiding it is the only protection left, so choose it as carefully as any other secret.
Lab Tasks

TASK 1

Steganography

1. Follow the wizard-driven installation instructions to install the Stealth Files tool.
2. Launch Notepad, type Hello World!, and save the file as Readme.txt on the desktop.
FIGURE 4.1: Hello World! in readme.txt, open in Notepad

3. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.


FIG U RE 4.2: Windows Server 2012 Desktop view

4. Click the Stealth Files 4.0 app to open the Stealth Files window.


F IG U R E 4.3: Windows Server 2012 Apps

5. The main window of Stealth Files 4.0 is shown in the following figure.


F IG U R E 4.4: Control panel of Stealth Files


6. Click Hide Files to start the process of hiding the files.
7. Click Add Files!

FIGURE 4.5: Hide Files window, with Step 1 Choose Source Files (Add Files!, Remove Selected Files!, Destroy Source Files!), Step 2 Choose Carrier File (Create a Backup of the Carrier File!), and Step 3 Choose Password

Note: Before Stealth Files hides a file, it compresses it and encrypts it with a password. Then you must select a carrier file, which is the file that will contain the hidden files.

8. In Step 1, add calc.exe from C:\Windows\System32\calc.exe.
9. In Step 2, choose the carrier file: add Readme.txt from the desktop.
10. In Step 3, choose a password such as magic (you can type any password you like).


FIGURE 4.6: Steps 1-3 filled in: source file C:\Windows\System32\calc.exe, carrier file C:\Users\Administrator\Desktop\readme.txt, password magic

Note: You can also remove the hidden files from the carrier file by clicking Remove Hidden Files in the main window and following the instructions.

11. Click Hide Files!
12. Stealth Files hides calc.exe inside readme.txt on the desktop.
13. Open readme.txt in Notepad and check the file: the compressed, encrypted calc.exe has been appended after Hello World! as a long run of letters.
FIGURE 4.7: readme.txt in Notepad with the hidden calc.exe payload appended after Hello World!

Note: When you are ready to recover your hidden files, simply open the carrier with Stealth Files; if you gave the carrier file a password, you will be prompted to enter it again to recover the hidden files.

14. Now open the Stealth Files control panel and click Retrieve Files.

FIGURE 4.8: Stealth Files main window (Hide Files, Retrieve Files, Remove Hidden Files, About Stealth Files, Close Program)

Note: Pictures will still look the same, sound files will still sound the same, and programs will still work fine: carrier files keep working with the hidden data in them. The carrier does grow by the size of the compressed payload, however, so a size or hash comparison against a known-good copy, or a check for data after the format's end-of-file marker, will reveal it.

15. In Step 1, choose the carrier file (Readme.txt) on the desktop in which you hid calc.exe.
16. In Step 2, choose the path in which to store the retrieved hidden file. In the lab the path is the desktop.
17. In Step 3, enter the password magic (the password used to hide the file) and click Retrieve Files!
Note: The carrier file can be any of these file types: EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files.

FIGURE 4.9: Retrieve Files window: Step 1 Choose Carrier File C:\Users\Administrator\Desktop\readme.txt (with the Destroy Carrier File! option), Step 2 Choose Destination Directory C:\Users\Administrator\Desktop\, Step 3 Enter Password magic, Retrieve Files!

18. The retrieved file is stored on the desktop.


Note: You can transfer the carrier file through the Internet, and the hidden files inside will transfer with it.

FIGURE 4.10: calc.exe running on the desktop after being retrieved from readme.txt
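The page does not document the Stealth Files container format, but Figure 4.7 shows the encrypted payload appended after the carrier's original contents, using only the letters a through p (16 symbols, which is consistent with one letter per nibble). Two detection checks follow from that observation. The example below is added here and is not Stealth Files' own code: for carriers whose parsers stop at an end marker (JPEG and PNG are handled), anything after that marker is foreign data; for text carriers, a long run drawn from that 16-letter alphabet is the tell. The JPEG and PNG byte strings and the payload are constructed for the example, and the function names are the example's own.

```python
"""Checks for data appended to a carrier file (added example, not Stealth Files code)."""
from typing import Optional

# Constructed minimal carriers, not files from the lab: a 39-byte JPEG
# (SOI, APP0, SOS header, scan data, EOI) and a 45-byte PNG (signature, IHDR, IEND).
JPEG_CLEAN = (
    b"\xff\xd8"                                                      # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")                          # APP0, length 16
    + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"         # 14 bytes of APP0 payload
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"  # SOS header
    + b"\x12\x34\x56\x78\x9a\xbc\xde"                                 # entropy-coded scan data
    + b"\xff\xd9"                                                    # EOI
)
PNG_CLEAN = (
    b"\x89PNG\r\n\x1a\n"
    + (13).to_bytes(4, "big") + b"IHDR" + b"\x00" * 13 + b"\x00" * 4  # CRC not checked here
    + (0).to_bytes(4, "big") + b"IEND" + b"\x00" * 4
)
# Payload shaped like the block appended to readme.txt in Figure 4.7: letters a-p only.
PAYLOAD = b"hehjlfcledimmaialmokbmpponiegmbklnnhacdahhhnokebibjbiehaalbpofpphifhlbkidofhaknbi"


def _is_stuffed(byte: int) -> bool:
    """0xFF followed by 0x00 or an RSTn marker is part of the scan data, not a segment."""
    return byte == 0x00 or 0xD0 <= byte <= 0xD7


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking segments so that an EOI inside
    an embedded EXIF thumbnail or inside appended data is not mistaken for the real one.
    Returns -1 if the data is not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        return -1
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return -1                                   # lost marker sync
        marker = data[i + 1]
        if marker == 0xFF:                              # fill byte
            i += 1
            continue
        i += 2
        if marker == 0xD9:                              # EOI: logical end of the image
            return i
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                                    # stand-alone markers have no length
        if i + 2 > n:
            return -1
        i += int.from_bytes(data[i:i + 2], "big")       # segment length counts itself
        if marker == 0xDA:                              # SOS: skip scan data to the next marker
            while i + 1 < n and not (data[i] == 0xFF and not _is_stuffed(data[i + 1])):
                i += 1
    return -1


def png_end(data: bytes) -> int:
    """Offset just past the IEND chunk, or -1 if the data is not a PNG with an IEND."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return -1
    i = 8
    while i + 8 <= len(data):
        length = int.from_bytes(data[i:i + 4], "big")
        ctype = data[i + 4:i + 8]
        i += 12 + length                                # length + type + data + CRC
        if ctype == b"IEND":
            return i
    return -1


def trailing_data(data: bytes) -> Optional[bytes]:
    """Bytes after the format's logical end; None when the format is not handled."""
    end = jpeg_end(data) if data[:2] == b"\xff\xd8" else png_end(data)
    return None if end < 0 else data[end:]


def longest_nibble_run(text: str) -> int:
    """Longest run of consecutive characters from 'a'..'p'. Ordinary text rarely keeps
    to those 16 letters for more than a handful of characters; a run of dozens is the
    signature Figure 4.7 shows (a heuristic, not a documented Stealth Files format)."""
    best = run = 0
    for ch in text:
        run = run + 1 if "a" <= ch <= "p" else 0
        best = max(best, run)
    return best


def inspect_carrier(data: bytes) -> dict:
    """Summary a triage script would log for one file."""
    trailing = trailing_data(data)
    return {
        "size": len(data),
        "trailing_bytes": None if trailing is None else len(trailing),
        "longest_nibble_run": longest_nibble_run(data.decode("ascii", errors="replace")),
    }


if __name__ == "__main__":
    for name, blob in [("jpeg", JPEG_CLEAN + PAYLOAD), ("png", PNG_CLEAN + PAYLOAD),
                       ("text", b"Hello World!" + PAYLOAD)]:
        print(name, inspect_carrier(blob))
```

For carriers without a structural end marker (the readme.txt used in this lab, or EXE and DOC files), the reliable check is the one the note above implies: compare the file's size and hash with a known-good copy. The nibble-run heuristic is a tell for text carriers only and should be confirmed, not acted on, by itself.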

Lab Analysis

Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Stealth Files Tool
Information Collected/Objectives Achieved:
  Hidden file: calc.exe (Calculator)
  Carrier file: readme.txt (Notepad)
  Output: hidden calculator retrieved and executed

Questions

1. Evaluate other alternatives for hiding files (for example the NTFS alternate data streams described in the lab scenario).

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Lab 5

Extracting SAM Hashes Using the pwdump7 Tool


pwdump7 can also be used to dump protected files. You can always copy a locked file just by executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat

Lab Scenario

Passwords are a big part of this modern generation. You can use the password for your system to protect business or secret information, and you may choose to limit access to your PC with a Windows password. These passwords are an important security layer, but many passwords can be cracked, and while that is a worry, this chink in the armour can also come to your rescue: the password cracking tools and technologies that allow hackers to steal passwords can be used to recover them legitimately. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab, we discuss extracting the user login password hashes that are later cracked.
Lab Objectives


This lab teaches you how to:
- Use the pwdump7 tool
- Extract the password hashes needed to crack administrator passwords
Lab Environment

To carry out the lab you need:





- pwdump7 located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7
- Run this tool on Windows Server 2012
- You can also download the latest version of pwdump7 from http://www.tarasco.org/security/pwdump_7/index.html
- Administrative privileges to run tools

- TCP/IP settings correctly configured and an accessible DNS server
- Run this lab on Windows Server 2012 (host machine)
Lab Duration

Time: 10 Minutes

Overview of pwdump7

pwdump7 is a raw password extractor: it reads the SAM and SYSTEM registry hives directly from disk rather than through the Registry API, which is how it obtains the LM and NT hashes of local accounts while those hives are locked by the running system. The same raw access lets it copy any locked file: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat
Lab Tasks

TASK 1

Extracting Hashes

1. Open the command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7.
2. Alternatively, navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7 in Explorer, right-click the pwdump7 folder and select CMD prompt here to open the command prompt.
FIGURE 5.1: Command prompt at the pwdump7 directory

Note: Active Directory passwords are stored in the ntds.dit file rather than in the local SAM hive that pwdump7 reads.

3. Type pwdump7.exe and press Enter. The tool displays the password hashes of all local accounts.


FIGURE 5.2: pwdump7.exe result window. The output, in user:RID:LM hash:NT hash::: format, is:

    pwdump v7.1 - raw password extractor
    Author: Andres Tarasco Acuna
    url: http://www.514.es

    Administrator:500:NO PASSWORD*********************:BE40C450AB99713DF1EDC5B40C25AD47:::
    Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
    LANGUARD_11_USER:1006:NO PASSWORD*********************:C25510219F66F9F12FC9BE662A67B960:::
    Martin:1018:NO PASSWORD*********************:5EBE7DFA074DA8EE8AEF1FAA2BBDE876:::
    Juggyboy:1019:NO PASSWORD*********************:488CDCDD2225312793ED6967B28C1025:::
    Jason:1020:NO PASSWORD*********************:2D20D252A479F485CDF5E171D93985BF:::
    Shiela:1021:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::

Note: NO PASSWORD*** in the third field means no LM hash is stored (LM hashing is disabled by default on Windows Server 2012); the fourth field, the NT hash, is what Labs 6 and 7 crack. Guest shows NO PASSWORD in the NT field as well, consistent with that account's default blank password.

4. Now type pwdump7.exe > c:\hashes.txt in the command prompt and press Enter.
5. This command redirects all output of pwdump7.exe into the file c:\hashes.txt. (To check the extracted hashes, open the file from the C: drive.)
FIGURE 5.3: hashes.txt opened in Notepad, containing the same seven user:RID:LM hash:NT hash::: lines that pwdump7 printed in step 3
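To see what the extracted listing holds, the following added example (not pwdump7's code) computes NT hashes and parses pwdump-format output. The NT hash is MD4 over the UTF-16LE encoding of the password with no salt; because hashlib's MD4 is unavailable on many current Python builds, the MD4 is written out. The sample listing is constructed from the hashes in Figure 5.3, the wordlist is the example's own, and so are the function names.

```python
"""NT hash computation and pwdump-format parsing (added example, not pwdump7's code)."""
import struct
from typing import Dict, List, Optional

# Constructed sample in pwdump7's user:RID:LM hash:NT hash::: format, built from the
# hashes shown in Figure 5.3. pwdump7 prints NO PASSWORD*** where a hash is absent;
# other pwdump variants print the hash of the empty password instead (EMPTY_LM/EMPTY_NT).
SAMPLE_PWDUMP = """\
Administrator:500:NO PASSWORD*********************:BE40C450AB99713DF1EDC5B40C25AD47:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
Martin:1018:NO PASSWORD*********************:5EBE7DFA074DA8EE8AEF1FAA2BBDE876:::
Jason:1020:NO PASSWORD*********************:2D20D252A479F485CDF5E171D93985BF:::
Shiela:1021:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

_ROUND2_K = [(i % 4) * 4 + i // 4 for i in range(16)]            # 0,4,8,12,1,5,9,13,...
_ROUND3_K = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is missing on many current builds."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                       # round 1: F
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                       # round 2: G
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[_ROUND2_K[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                       # round 3: H
            hh = b ^ c ^ d
            a = _rotl((a + hh + x[_ROUND3_K[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted: equal passwords give equal hashes,
    which is what makes the precomputed tables of Labs 6 and 7 possible."""
    return md4(password.encode("utf-16-le")).hex()


def _field(value: str, empty: str) -> Optional[str]:
    v = value.strip().lower()
    return None if v.startswith("no password") or v == empty else v


def parse_pwdump(text: str) -> List[Dict[str, object]]:
    """One record per line: user, rid, lm, nt (None where no hash is stored)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        records.append({"user": user, "rid": int(rid),
                        "lm": _field(lm, EMPTY_LM), "nt": _field(nt, EMPTY_NT)})
    return records


def check_wordlist(records, words) -> Dict[str, str]:
    """Hash each candidate once and match it against every account: because the NT hash
    is unsalted, one pass over the wordlist covers all users. Accounts with no NT hash
    are reported with a blank password."""
    by_hash = {nt_hash(w): w for w in words}
    found = {}
    for rec in records:
        if rec["nt"] is None:
            found[rec["user"]] = ""
        elif rec["nt"] in by_hash:
            found[rec["user"]] = by_hash[rec["nt"]]
    return found


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_PWDUMP)
    print(check_wordlist(recs, ["letmein", "test", "password", "qwerty"]))
```

The wordlist pass is the cheapest attack on this listing and is worth running before building any rainbow table: a hash that matches a common word falls in milliseconds, and the absence of a salt is why a single precomputed hash serves every account on every machine.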

Lab Analysis

Analyze all the password hashes gathered during the lab and work out what the passwords are.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: pwdump7
Information Collected/Objectives Achieved:
  Output: list of users and password hashes for Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason and Shiela

Questions

1. What is the pwdump7.exe command used for?
2. How do you copy the result of a command to a file?

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Creating Rainbow Tables Using Winrtgen

Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes.

Lab Scenario

In computer and information security, the use of passwords is essential for users to protect their data and ensure secure access to their system or machine. As users become increasingly aware of the need to adopt strong passwords, longer and more varied passwords raise the cost of guessing them, which is exactly the cost a precomputed rainbow table is built to pay in advance. In this lab, we discuss creating a rainbow table to crack system users' passwords. In order to be an expert ethical hacker and penetration tester, you must understand how to create rainbow tables to crack the administrator password.


Lab Objectives

The objective of this lab is to help students learn how to create and use a rainbow table to perform system password hacking.
Lab Environment

To carry out the lab, you need:





- Winrtgen tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
- A computer running Windows Server 2012
- You can also download the latest version of Winrtgen from http://www.oxid.it/projects.html
- If you decide to download the latest version, then screenshots shown in the lab might differ

- Run this tool on Windows Server 2012
- Administrative privileges to run this program
Lab Duration

Time: 10 Minutes
Overview of Rainbow Tables

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are used to recover plaintext passwords up to a certain length and drawn from a limited set of characters. They apply only to unsalted hashes such as LM and NTLM: a salt would force a separate table per salt value, which defeats the precomputation.
Lab Task

TASK 1

Generating a Rainbow Table

1. Double-click the winrtgen.exe file. The main window of Winrtgen is shown in the following figure.
FIGURE 6.1: Winrtgen v2.8 (Rainbow Tables Generator) by mao, main window with the Filename and Status columns and the Add Table, Remove, Remove All, About, OK and Exit buttons

Note: Rainbow tables are used to crack many hash types, such as NTLM, MD5 and SHA1.

2. Click the Add Table button.


FIGURE 6.2: Creating the rainbow table: Add Table in the Winrtgen main window

3. The Rainbow Table properties window appears:
   i. Select ntlm from the Hash drop-down list.
   ii. Set Min Len to 4, Max Len to 9, and Chain Count to 4000000 (Chain Len stays at 2400).
   iii. Select loweralpha (abcdefghijklmnopqrstuvwxyz) from the Charset drop-down list. The charset must contain every character the target password uses: a loweralpha table cannot recover a password containing digits, capitals or spaces.
4. Click OK.

FIGURE 6.3: Selecting the rainbow table properties. Table properties shown: Hash ntlm, Min Len 4, Max Len 9, Index 0, Chain Len 2400, Chain Count 4000000, Charset loweralpha; Key space: 5646683807856 keys; Disk space: 61.03 MB; Success probability: 0.001697 (0.17%). The Benchmark button fills in the hash speed, step speed, table precomputation time, total precomputation time and maximum cryptanalysis time.

5. A table file entry is created; click OK.


FIGURE 6.4: The new table ntlm_loweralpha#4-9_0_2400x4000000_oxid#000.rt listed in the Winrtgen window

6. Creating the hash table will take some time, depending on the selected hash and charset.

Note: To save time for the lab demonstration, a generated table is kept in D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen. Its filename, ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt, shows that it was built for lengths 4-6, a key space of 321,254,128 keys that 4,000,000 chains of length 2400 cover almost completely; the 4-9 settings in step 3 span 5,646,683,807,856 keys and give a success probability of only 0.17%, as the properties window shows.

Note: Be careful with your hard-disk space. A simple rainbow table for alphanumeric passwords of lengths 1-5 costs about 613 MB.

7. The created table is saved automatically in the folder containing winrtgen.exe.
FIGURE 6.5: Generated rainbow table file in the Winrtgen folder (D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen): charset.txt (6 KB, Text Document), ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt (62,500 KB, RT File, 9/18/2012 11:31 AM), winrtgen.exe (259 KB, Application), winrtgen.exe.sig (1 KB, SIG File); the selected table is 61.0 MB


Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Winrtgen
Information Collected/Objectives Achieved:
  Purpose: creating a rainbow table with the loweralpha charset
  Output: created rainbow table ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Password Cracking Using RainbowCrack

RainbowCrack is a computer program that generates rainbow tables to be used in password cracking.

Lab Scenario

Computer passwords are like locks on doors: they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop them. Most computer users do not realize how simple it is to recover the login password for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is for someone to gain access to your computer? Windows is still the most popular operating system, and the method used to discover the login password is the easiest: an attacker runs a password cracking utility against the extracted hashes and cracks your system. That is how simple it is for someone to hack your password. It requires no technical skills and no laborious tasks, only simple words or programs. In order to be an ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we discuss how to crack guest user or administrator passwords using RainbowCrack.
Lab Objectives


The objective of this lab is to help students crack passwords to perform system password hacking.

Lab Environment

To carry out the lab, you need:
- RainbowCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\RainbowCrack
- A computer running Windows Server 2012
- You can also download the latest version of RainbowCrack from http://project-rainbowcrack.com/


- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool on Windows Server 2012
- Administrative privileges to run this program
Lab Duration

Time: 10 Minutes
Overview of RainbowCrack

RainbowCrack is a computer program that generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute-force crackers in that it uses large precomputed tables called rainbow tables to reduce the time needed to crack a password: the hashing work is done once, at table-generation time, and each lookup then costs on the order of the chain length squared in hash operations rather than a walk over the whole key space.
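Generation is what Winrtgen did in the previous lab and lookup is what RainbowCrack does here; the following added example, which is not code from either tool, implements both in miniature so that the parameters in the two labs (chain length, chain count, charset, success probability) have something concrete behind them. It assumes MD5, which Winrtgen also supports, in place of NTLM, a lowercase key space of fixed length 4, chains of length 100 and 1,500 chains; the function names are the example's own.

```python
"""A miniature rainbow table: generation (Winrtgen's job) and lookup (RainbowCrack's job).
Added example; MD5 over a tiny key space stands in for NTLM over loweralpha 4-9."""
import hashlib
import random
from typing import Dict, List, Optional

CHARSET = "abcdefghijklmnopqrstuvwxyz"      # Winrtgen's "loweralpha"
PLAIN_LEN = 4                               # fixed length 4 instead of the lab's 4-9
CHAIN_LEN = 100                             # the lab uses 2400
KEYSPACE = len(CHARSET) ** PLAIN_LEN        # 456,976 keys


def h(plain: str) -> bytes:
    return hashlib.md5(plain.encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Map a digest back into the key space. Folding in the column index makes every
    column a different reduction function, the feature that distinguishes a rainbow table
    from Hellman's tables: two chains that collide in different columns do not merge."""
    n = (int.from_bytes(digest[:8], "little") + column) % KEYSPACE
    chars = []
    for _ in range(PLAIN_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def chain_plaintexts(start: str) -> List[str]:
    """The CHAIN_LEN plaintexts whose hashes one chain covers (p0 .. p[CHAIN_LEN-1])."""
    pts = [start]
    for col in range(CHAIN_LEN - 1):
        pts.append(reduce_(h(pts[-1]), col))
    return pts


def chain_endpoint(start: str) -> str:
    return reduce_(h(chain_plaintexts(start)[-1]), CHAIN_LEN - 1)


def generate_table(chain_count: int, seed: int = 1) -> Dict[str, str]:
    """endpoint -> start point. Only the two ends are stored: that is the 'memory' side of
    the tradeoff (Winrtgen's .rt files hold 16 bytes per chain)."""
    rng = random.Random(seed)
    table: Dict[str, str] = {}
    for _ in range(chain_count):
        start = "".join(rng.choice(CHARSET) for _ in range(PLAIN_LEN))
        table.setdefault(chain_endpoint(start), start)   # merged chains: keep the first
    return table


def coverage(table: Dict[str, str]) -> float:
    """Fraction of the key space the table can recover: Winrtgen's 'success probability'.
    Merges and repeated plaintexts keep it below chain_count * CHAIN_LEN / KEYSPACE."""
    covered = set()
    for start in table.values():
        covered.update(chain_plaintexts(start))
    return len(covered) / KEYSPACE


def lookup(table: Dict[str, str], target: bytes) -> Optional[str]:
    """Assume the target sits in column i, finish the chain from there and see whether its
    endpoint is stored. A stored endpoint can still be a false alarm (RainbowCrack's
    'alarm check'), so the chain is regenerated and the hash compared before returning."""
    for i in range(CHAIN_LEN - 1, -1, -1):          # late columns are cheapest: try them first
        p = reduce_(target, i)
        for col in range(i + 1, CHAIN_LEN):
            p = reduce_(h(p), col)
        start = table.get(p)
        if start is None:
            continue
        for candidate in chain_plaintexts(start):
            if h(candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    table = generate_table(1500, seed=7)
    print("chains stored:", len(table), "coverage:", round(coverage(table), 3))
    victim = chain_plaintexts(next(iter(table.values())))[42]
    print("lookup:", lookup(table, h(victim)), "expected:", victim)
```

Scaling the same arithmetic to the lab's settings: 4,000,000 chains of length 2400 cover at most 9,600,000,000 of the 5,646,683,807,856 keys in loweralpha 4-9, which is the 0.17% success probability Winrtgen reported, and two 8-byte ends per chain give the 61 MB table size. Against the 321,254,128 keys of loweralpha 4-6 the same chain budget covers nearly everything, which is why the supplied table was built for that range.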
Lab Task

TASK 1

Cracking Hashes with the Rainbow Table

1. Double-click the rcrack_gui.exe file. The main window of RainbowCrack is shown in the following figure.

Note: RainbowCrack for GPU is the hash cracking program in the RainbowCrack hash cracking utilities.

FIG U RE 7.1: RainbowCrack main window

2. Click File, and then click Add Hash...


FIGURE 7.2: The File menu: Add Hash..., Load Hashes from File..., Load LM Hashes from PWDUMP File..., Load NTLM Hashes from PWDUMP File..., Save Results...

Note: The Load NTLM Hashes from PWDUMP File... item accepts the pwdump-format file written in Lab 5 (c:\hashes.txt), an alternative to copying hashes one at a time in step 3.

Note: RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight GPU brute-forcing cracker.

3. The Add Hash window appears:
   i. Navigate to C:\ and open the hashes.txt file (generated with pwdump7 in Lab 5 as c:\hashes.txt).
   ii. Select a hash in hashes.txt, right-click, and copy it. Copy only the 32-hex-digit NT hash (the fourth field); the third field reads NO PASSWORD... because no LM hash is stored.
   iii. Paste it into the Hash field and give a comment (optional).
   iv. Click OK.

FIGURE 7.3: Selecting the hashes in hashes.txt


FIGURE 7.4: Add Hash dialog with the hash 0cb6948805f797bf2a82807973b89537 and the comment password

4. The selected hash is added, as shown in the following figure.


FIGURE 7.5: The added hash 0cb6948805f797bf2a82807973b89537 shown in the main window with Plaintext still ?

Note: RainbowCrack is a full time-memory tradeoff tool suite, including rainbow table generation, sort, conversion and lookup.

5. To add more hashes, repeat steps 2 and 3 (i to iv).
6. The added hashes are shown in the following figure.


Note: RainbowCrack's purpose is to generate rainbow tables rather than to crack passwords per se; some organizations have made RainbowCrack-format rainbow tables available free over the Internet.

FIGURE 7.6: Added hashes in the window: 0cb6948805f797bf2a82807973b89537 (added twice), 488cdcdd2225312793ed6967b28c1025, 5ebe7dfa074da8ee8aef1faa2bbde876 and c25510219f66f9f12fc9be662a67b960, each with Plaintext ? until a table is searched

7. Click Rainbow Table on the menu bar, and then click Search Rainbow Table...

Note: RainbowCrack for GPU uses NVIDIA GPUs for computation instead of the CPU. By offloading the computation to the GPU, it can be tens of times faster than the non-GPU version.

8. Browse to the rainbow table generated in the previous lab, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen.
9. Click Open.


FIGURE 7.8: Open dialog showing ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt (RT File, 9/18/2012 11:31 AM) in the Winrtgen folder, with the file type filter Rainbow Tables (*.rt;*.rtc)

Note: A time-memory tradeoff hash cracker needs a precomputation stage, during which chains of plaintext/hash pairs for the selected hash algorithm, charset and plaintext length are computed and only their start and end points are stored in files called rainbow tables. Coverage of the key space is probabilistic, which is the success probability Winrtgen reports.

10. RainbowCrack searches the table and shows the cracked passwords, as in the following figure.

FIGURE 7.9: RainbowCrack results window. Columns Hash, Plaintext, Plaintext in Hex, Comment:

    0cb6948805f797bf2a82807973b89537  test        74657374              password
    0cb6948805f797bf2a82807973b89537  test        74657374
    488cdcdd2225312793ed6967b28c1025  greenapple  677265656e6170706c65
    5ebe7dfa074da8ee8aef1faa2bbde876  ?
    c25510219f66f9f12fc9be662a67b960  ?
    2d20d252a479f485cdf5e171d93985bf  qwerty      717765727479

    time of alarm check: 2.34 s
    time of wait: 0.00 s
    time of other operation: 0.19 s
    time of disk read: 0.08 s
    hash & reduce calculation of chain traverse: 5755200
    hash & reduce calculation of alarm check: 35850648
    number of alarm: 55125
    speed of chain traverse: 9.71 million/s
    speed of alarm check: 15.33 million/s

The two hashes still marked ? (Martin and LANGUARD_11_USER) are not covered by this table: either the plaintext lies outside the table's charset and length range, or it falls in the fraction of the key space the chains miss. The "alarm" statistics count endpoint matches that had to be verified by regenerating a chain, most of which turned out to be false alarms.

Lab Analysis

Analyze and document the results related to the lab exercise.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: RainbowCrack
Information Collected/Objectives Achieved:
  Hashes: Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason, Shiela
  Passwords cracked: test, test, greenapple, qwerty

Questions

1. What kinds of hashes does RainbowCrack support?

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Lab 8

Extracting Administrator Passwords Using L0phtCrack


L0phtCrack is packed with powerful features, such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. It can import and crack UNIX password files and remote Windows machines.

Lab Scenario


Security and compliance are high priorities for most organizations, yet attacks on a company's or organization's computer systems take many different forms, such as spoofing, smurfing, and other types of denial-of-service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems.

Password cracking is a term used to describe the penetration of a network, system, or resource, with or without the use of tools, to unlock a resource that has been secured with a password. In this lab we look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. Through an examination of several scenarios, we describe some of the techniques attackers deploy, the tools that aid them in their assaults, and how password crackers work both internally and externally to violate a company's infrastructure.

In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we crack the system user accounts using L0phtCrack.

^^Tools

demonstrated in L a b O b je c t iv e s this lab are The lab teaches you how to: available in D:\CEH Use the LOphtCrack tool Tools\CEHv8 Crack administrator passwords Module 05 System Hacking
Lab Environment

To carry out the lab, you need:
- The L0phtCrack tool, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\L0phtCrack
- Run this tool on Windows Server 2012 (host machine)
- You can also download the latest version of L0phtCrack from http://www.l0phtcrack.com
- Administrative privileges to run tools
- Follow the wizard-driven installation instructions
- TCP/IP settings correctly configured and an accessible DNS server
- This tool requires the user to register; you can also use the evaluation version for a limited period of time

Lab Duration

Time: 10 Minutes

Overview of L0phtCrack

L0phtCrack provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.
Lab Tasks

TASK 1: Cracking Administrator Password

1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 8.1: Windows Server 2012 Desktop view

2. Click the L0phtCrack6 app to open the L0phtCrack6 window.

[Start screen listing the installed apps, including the L0phtCrack6 tile]

Note: L0phtCrack supports precomputed password hashes.

FIGURE 8.2: Windows Server 2012 Apps

3. Launch L0phtCrack, and in the L0phtCrack Wizard, click Next.


[L0phtCrack Password Auditor v6.0.16, L0phtCrack 6 Wizard welcome screen. The wizard first helps you determine where to retrieve your encrypted passwords from; second, it prompts for the methods used to audit the passwords; third, it prompts for how you wish to report the results. L0phtCrack then audits the passwords and reports status along the way, notifying you when auditing is complete. Option: "Don't show me this wizard on startup".]

Note: L0phtCrack can also crack UNIX password files.

FIGURE 8.3: Welcome screen of the L0phtCrack Wizard

4. Choose Retrieve from the local machine in the Get Encrypted Passwords wizard and click Next.

Get Encrypted Passwords: choose one of the following methods to retrieve the encrypted passwords:
- Retrieve from the local machine: pulls encrypted passwords from the local machine's registry. Administrator access is required.
- Retrieve from a remote machine: retrieves encrypted passwords from a remote machine on your domain. Administrator access is required.
- Retrieve from SAM/SYSTEM backup: use emergency repair disks, backup tapes, or volume shadow copy techniques to obtain a copy of the registry SAM and SYSTEM hives. This contains a copy of your non-domain passwords.
- Retrieve by sniffing the local network: sniffing captures encrypted hashes in transit over your network. Logins, file sharing, and print sharing all use network authentication that can be captured.

Note: L0phtCrack has a built-in ability to import passwords from remote Windows machines, including 64-bit versions of Vista and Windows 7, and from UNIX machines, without requiring a third-party utility.

FIGURE 8.4: Selecting the passwords from the local machine

5. Choose Strong Password Audit from the Choose Auditing Method wizard and click Next.

FIGURE 8.5: Choose a strong password audit

6. In Pick Reporting Style, select all the display options, including Display encrypted password hashes.

7. Click Next.
Note: L0phtCrack offers remediation assistance to system administrators.

FIGURE 8.6: Pick Reporting Style

8. Click Finish.

[Begin Auditing screen: L0phtCrack is now ready to begin the password auditing process. Confirm the following settings, or go back and change anything that is not correct: Retrieve passwords from the local machine; Perform 'Quick' password audit; Display domain password belongs to; Display passwords when audited; Display time spent auditing each password; Give visible notification when done auditing; Show method used to crack password. Option: Save these settings as session defaults. Press Finish to begin auditing.]

Note: L0phtCrack has real-time reporting that is displayed in a separate, tabbed interface.

FIGURE 8.7: Begin Auditing

9. L0phtCrack6 shows an Audit Completed message; click OK.

10. Click Session Options from the menu bar.

[L0phtCrack 6 main window. Toolbar: Run, Report, Cracked Accounts, Weak Passwords, Pause, Stop, Schedule, Scheduled Audit Tasks, Disable, Force Password Expired Accounts. Imported accounts on WIN-D39MR...: Administrator, Guest, Jason, Juggyboy, LANGUARD_11_USER, Martin (LM Password column: missing). Messages, 9/18/2012: 14:47:48 Multi-core operation with 4 cores; 14:47:52 Imported accounts from the local machine; 14:47:52 Audit started; 14:47:52 Auditing session completed. Dialog: "Audit completed." OK]

FIGURE 8.8: Selecting Session options

Note: L0phtCrack uses Dictionary, Hybrid, Precomputed, and Brute Force password auditing methods.

11. The Auditing Options For This Session window appears:
   i. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary Crack.
   ii. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary/Brute Hybrid Crack.
   iii. Select the Enabled and Crack NTLM Passwords check boxes in Brute Force Crack.
   iv. Select the Enable Brute Force Minimum Character Count check box.
   v. Select the Enable Brute Force Maximum Character Count check box.

12. Click OK.

Auditing Options For This Session:
- Dictionary Crack (Enabled; Crack NTLM Passwords; Dictionary List): tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords.
- Dictionary/Brute Hybrid Crack (Enabled; Crack NTLM Passwords; Common letter substitutions, much slower; Characters to prepend; Characters to append): tests for passwords that are variations of the words in the word file. It finds passwords such as Dana99 or monkeys!. This test is fast and finds weak passwords.
- Precomputed (Enabled; Hash File List; Preserve Precomputation Data; Location): also known as 'rainbow tables', the Precomputed Crack tests for passwords against precomputed hashes contained in a file or files. This test is very fast and finds passwords created from the same character set as the precomputed hashes. Preserving precomputation data speeds up consecutive runs in exchange for disk space. This crack works against LM and NTLM passwords, but not Unix.
- Brute Force Crack (Crack NTLM Passwords; Language: English; Character Set: alphabet + numbers, or a custom character set listing each character, e.g. ETNRIOASDHLCFPUMYGWVBXKQJZetnrioasdhlcfpumygwvbxkqjz0123456789): tests for passwords that are made up of the characters specified in the character set. It finds passwords such as "vC5%6S*12b". This test is slow and finds medium to strong passwords. Enabling a start or end point lets you control the minimum and maximum number of characters to iterate (Brute Force Minimum Character Count; Brute Force Maximum Character Count, here up to 9). The actual maximum character count used may vary based on hash type. Specify a character set with more characters to crack stronger passwords.

FIGURE 8.9: Selecting the auditing options

13. Click Begin from the menu bar. L0phtCrack cracks the administrator password.

14. A report is generated with the cracked passwords.

FIGURE 8.10: Generated cracked passwords

Lab Analysis

Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: L0phtCrack
Information Collected/Objectives Achieved:
  User names: Administrator, Guest, Jason, Juggyboy, LANGUARD_11_USER, Martin
  Passwords found: qwerty, green, apple

Questions
1. What are the alternatives to cracking administrator passwords?
2. Why is a brute force attack used in the L0phtCrack tool?

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Lab 9: Password Cracking Using Ophcrack

Ophcrack is a free open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables.

Lab Scenario

In a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems, which do not force users to choose well-chosen secrets that are likely to be difficult to remember. The basic idea of a defense is to ensure that the data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not; we examine common forms of guessing attacks and password cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Poorly chosen passwords are vulnerable to attacks based upon copying information.

In order to be an expert ethical hacker and penetration tester, you must understand how to crack weak administrator or system user account passwords using password cracking tools. In this lab we show you how to crack system user accounts using Ophcrack.

Lab Objectives

The objective of this lab is to help students learn to:
- Use the Ophcrack tool
- Crack administrator passwords

Lab Environment

To carry out the lab, you need:
- The Ophcrack tool, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack
- Run this tool on Windows Server 2012 (host machine)
- You can also download the latest version of Ophcrack from http://ophcrack.sourceforge.net/

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
- Administrative privileges to run tools
- Follow the wizard-driven installation instructions

Lab Duration

Time: 15 Minutes

Overview of Ophcrack

Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. By default, Ophcrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters.

Lab Task

TASK 1: Cracking the Password

1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 9.1: Windows Server 2012 Desktop view

2. Click the Ophcrack app to open the Ophcrack window.

FIGURE 9.2: Windows Server 2012 Apps

3. The Ophcrack main window appears.

[Ophcrack main window. Toolbar: Load, Delete, Save, Tables, Crack, Help, Exit, About; tabs: Progress, Statistics, Preferences. Status: Preload: waiting; Brute force: waiting; Pwd found: 0/0; Time elapsed: 0h 0m 0s]

Note: Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers.

FIGURE 9.3: Ophcrack main window

4. Click Load, and then click PWDUMP file.


[Load menu: Single hash, PWDUMP file, Session file, Encrypted SAM, Local SAM with samdump2, Local SAM with pwdump, Remote SAM]

Note: Ophcrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters.

FIGURE 9.4: Selecting PWDUMP file

5. Browse to the PWDUMP file that was already generated using pwdump7 in the earlier lab (located at C:\hashes.txt).

6. Click Open.
[Open PWDUMP file dialog, browsing Local Disk (C:); selected file: hashes.txt (Text Document, 9/18/2012 3:06 PM); file type: All Files (*.*)]

Note: Ophcrack is also available as Live CD distributions which automate the retrieval, decryption, and cracking of passwords from a Windows system.

FIGURE 9.5: Import the hashes from the PWDUMP file

7. The loaded hashes are shown in the following figure.


[Ophcrack window after loading hashes.txt. User / NT Hash: Administrator BE40C450AB997..., Guest 31d6cfe0d16ae9..., LANGUARD_11_... C25510219F66F..., Martin 5EBE7DFA074D..., Juggyboy 488CDCDD2225..., Jason 2D20D252A479F..., Shiela 0CB6948805F79... Preload: waiting; Brute force: waiting]

Note: Ophcrack cracks LM and NTLM Windows hashes.

FIGURE 9.6: Hashes are added

8. Click Tables. The Table Selection window appears as shown in the following figure.

[Table Selection window. Tables: XP free fast, XP free small, XP special, XP german v1, XP german v2, Vista special, Vista free, Vista nine, Vista eight, Vista num, Vista seven, XP flash, Vista eight XL; Status of each: not installed. Legend: green = enabled, red = disabled, grey = not installed]

FIGURE 9.7: Selecting the rainbow table

Note: You can download the free XP and Vista rainbow tables from http://ophcrack.sourceforge.net/tables.php

9. Select Vista free, and click Install.
FIGURE 9.8: Installing the Vista free rainbow table

10. The Browse For Folder window appears; select the tables_vista_free folder (already downloaded and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack).

11. Click OK.
[Browse For Folder: "Select the directory which contains the tables." Tree: CEHv8 Module 05 System Hacking > Password Cracking > Windows Password Crackers > OphCrack > tables_vista_free (alongside pwdump7, winrtgen, steganography). OK / Cancel / Make New Folder]

Note: Ophcrack free tables are available for Windows XP, Vista, and 7. Ophcrack can also load hashes from an encrypted SAM recovered from a Windows partition.

12. The selected table, Vista free, is installed (Status: on disk; Directory: C:/Program Files (x86)/tables_vista_free); it shows a green ball, which means it is enabled. Click OK.

FIGURE 9.9: Vista free rainbow table installed successfully

13. Click Crack; it cracks the passwords as shown in the following figure.

[Ophcrack window after cracking. Table: Vista free; Directory: C:/Program File...; Status: 100% in RAM. Users: Administrator, Guest, LANGUARD_11_..., Martin, Juggyboy, Jason, Shiela; LM Hash, LM Pwd 1 and LM Pwd 2 columns empty; NT Pwd column: apple, green, qwerty, test, empty]

Note: Cracking the NT hash is necessary if the generation of the LM hash is disabled (the default since Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).

FIGURE 9.10: Passwords are cracked
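Before loading a dump into Ophcrack it pays to triage it: which accounts still have an LM hash (crackable with the XP tables, and at most 14 characters, or at most 7 when the second half is the empty half), which have only an NT hash (the Vista tables, as in this lab), which have an empty password, and which share a password. The following Python is an added example for this manual, not Ophcrack code; it reads the pwdump format (user:RID:LM hash:NT hash:::) that the Load > PWDUMP file option consumes. The dump lines are constructed and their non-empty hash values are placeholders; only the empty-password LM and NT constants are real.

```python
"""Triage of a pwdump-style dump before feeding it to a rainbow-table cracker.
Added example for this lab manual, not Ophcrack code. Input format is the
pwdump format: user:RID:LM hash:NT hash::: (one account per line)."""
import re

# Real constants: LM and NT hashes of the empty password. An LM hash is two
# independent 8-byte halves, one per 7-character chunk, so an empty second
# half means the password is at most 7 characters long.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HALF = EMPTY_LM[:16]
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: the non-empty hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Martin:1001:fedcba9876543210aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Juggyboy:1002:fedcba9876543210fedcba9876543210:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Jason:1003:NO PASSWORD*********************:bbbb:::
"""


def classify(lm: str, nt: str) -> str:
    """Map a hash pair to the cracking approach it allows."""
    if nt == EMPTY_NT:
        return "empty-password"          # nothing to crack
    if lm == EMPTY_LM:
        return "nt-only"                 # LM disabled or >14 chars: NT (Vista) tables
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-short"                # <=7 chars: one LM half, XP tables, trivial
    return "lm-long"                     # 8-14 chars: both LM halves, XP tables


def parse_dump(text: str):
    """Return (records, errors). Malformed lines are reported, not silently dropped."""
    records, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4:
            errors.append((n, "too few fields"))
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            errors.append((n, f"{user}: hash field is not 32 hex digits"))
            continue
        records.append({"user": user, "rid": rid, "lm": lm, "nt": nt,
                        "class": classify(lm, nt)})
    return records, errors


def shared_passwords(records):
    """Identical NT hashes mean identical passwords: crack one, own them all."""
    by_nt = {}
    for r in records:
        if r["class"] != "empty-password":
            by_nt.setdefault(r["nt"], set()).add(r["user"])
    return [users for users in by_nt.values() if len(users) > 1]


def triage(text: str = SAMPLE_DUMP):
    records, errors = parse_dump(text)
    return {
        "classes": {r["user"]: r["class"] for r in records},
        "shared": shared_passwords(records),
        "errors": errors,
    }


if __name__ == "__main__":
    result = triage()
    for user, cls in result["classes"].items():
        print(f"{user:14s} {cls}")
    print("shared passwords:", result["shared"])
    print("malformed lines:", result["errors"])
```

Run against the real C:\hashes.txt from the earlier lab, the "nt-only" rows are the ones that need the Vista free table chosen in this lab, while any "lm-short" row is a finding on its own: the password is seven characters or fewer and falls to the XP tables in seconds.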

Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Ophcrack
Information Collected/Objectives Achieved:
  User names: Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason, Shiela
  Rainbow table used: Vista free
  Passwords found: apple, green, qwerty, test

Questions
1. What are the alternatives to cracking administrator passwords?

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Lab 10: System Monitoring Using RemoteExec

System hacking is the science of testing computers and networks for vulnerabilities and plugging them.

Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

You should also have knowledge of gaining access, escalating privileges, executing applications, hiding files, and covering tracks.

Lab Objectives

The objective of this lab is to help students learn how to:
- Modify, add, or delete registry keys and/or values
- Install service packs, patches, and hotfixes
- Copy folders and files
- Run programs, scripts, and applications
- Deploy Windows Installer packages in silent mode

Lab Environment

To carry out the lab, you need:
- The RemoteExec tool, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\RemoteExec
- Windows Server 2008 running on the virtual machine
- Follow the wizard-driven installation steps

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

- You can also download the latest version of RemoteExec from http://www.isdecisions.com/en. If you download the latest version, the screenshots shown in the lab might differ.
- Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of RemoteExec

RemoteExec, the universal deployer for Microsoft Windows systems, allows network administrators to run tasks remotely.

Lab Task

TASK 1: Monitoring System

1. Install and launch RemoteExec.

[RemoteExec main window. Items: Remote jobs (allows you to configure, manage and execute remote jobs); Reports (allows you to display reports on remote executions); Scheduler (allows you to schedule remote executions and generate automatic reports); Options (configure RemoteExec options). Tabs: Table of contents | Quick access]

Note: System requirements: target computers can have any of these operating systems: Microsoft Windows 2003/2008 (no service pack is required); an administration console with Microsoft Windows 2003/2008 Service Pack 6, IE5 or later.

FIGURE 10.1: RemoteExec main window

2. To configure executing a file, double-click Remote jobs.

[Remote jobs view. Items: New remote job; Reports (allows you to display reports on remote executions); Scheduler (allows you to schedule remote executions and generate automatic reports); Options (configure RemoteExec options)]

Note: RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (WAN) as well as on remote machines.

Note: Remote execution requirements: the account running RemoteExec needs administrative rights on target computers. Microsoft file and printer sharing (SMB, TCP 445) and ICMP (ping) should be enabled. These protocols also need to be allowed in any firewall between the administration console and the target computers.

FIGURE 10.2: RemoteExec configuring Remote jobs

3. To execute a new remote job, double-click the New remote job option, which configures and executes a new remote job.
[Remote jobs tree: New remote job (File execution, Update installation, MSI installation, System action, File Operation, Local account maintenance, Popup, Multiple actions); My Remote Jobs; My Remote Actions; My Target Computers; Reports; Scheduler; Options]

Note: Configure files to be generated: you see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, Document generation, is available to specify the output files. Select a PDF file to be generated in an existing folder. Make sure that the account running the task has write access to this folder.

FIGURE 10.3: RemoteExec configuring New remote job

4. In a New remote job configuration you can view different categories to work remotely.

5. Here, as an example, we are executing the File execution option. To execute it, double-click File execution.

[New remote job categories: File execution (execute a file remotely); Update installation (install a Microsoft update remotely); MSI installation (install a Windows Installer package remotely); System action (reboot, shut down, or wake up a computer remotely); File Operation (copy files or folders remotely); Local account maintenance (change the local administrator password and/or disable other local accounts); Popup (display a message to the users of the remote computer); Multiple actions (execute several actions in one pass)]

FIGURE 10.4: RemoteExec configuring File execution

6. In the File execution settings, browse to the executable file, select Interactive from the Context drop-down list, and check the Auto option.
Note: Using RemoteExec, you can: install patches, service packs, and hotfixes; deploy Windows Installer packages in silent mode; run applications, programs, and scripts; copy files and folders.

FIGURE 10.5: RemoteExec File execution settings

Note: Automated reports: you may want to get all these reports automatically by email each time a scheduled attempt has been made. To do this, follow the steps below.

7. Configuring the Filter section:
   a. For the OS version, select = from the drop-down menu and specify the operating system.
   b. For the OS level, select = from the drop-down menu and select Workstation.
   c. For the IE version, select >= from the drop-down menu and specify the IE version.
   d. For the Service Pack, select = from the drop-down menu and specify the service pack version.
[File execution, Filter tab. Toolbar: Launch, Launch in a new tab, Schedule, Save in My Remote Jobs, Save in My Remote Actions, Save in My Target Computers. Filter rows: OS version = (selected Windows version); OS level = Workstation; IE version >= (selected version); Registry value. Option: "Don't execute again on a computer where the action was already executed". Computers list]

Note: Once installed, RemoteExec and its documentation are accessible through the Windows Start menu. By default, RemoteExec is installed in evaluation mode.

FIGURE 10.6: RemoteExec Filter tab

Note: The remote job was automatically set with the filter option "Don't execute again on a computer where the action was already executed". So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.

8. Selecting a target computer: enter the target computer name manually by selecting Name from the drop-down list and clicking OK.
[File execution view with the Add/Edit a computer dialog open; Name selected from the drop-down list]

Note: Configure the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select the latest execution, the report is always generated for the latest execution.

FIGURE 10.7: RemoteExec Add/Edit a computer

9. To execute the defined action on the remote computer, click the Launch option in the right pane of the window.

Note: Schedule the report: to configure a scheduled report, click Schedule in the toolbar and, when prompted, select the task that was created previously to install Acrobat Reader.

[File execution view: Launch, Launch in a new tab, Schedule, Save in My Remote Jobs, Save in My Remote Actions, Save in My Target Computers; option "Don't execute again on a computer where the action was already executed"]

FIGURE 10.8: RemoteExec executing the defined action

Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: RemoteExec
Information Collected/Objectives Achieved:
File to Execute: Firefox setup 3-6.13.exe
Computer Name: WIN-D39MRSHL9E4

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs


Hiding Data Using Snow Steganography

Snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.

Lab Scenario

Network steganography describes all the methods used for transmitting data over a network without it being detected. Several methods for hiding data in a network have been proposed, but the main drawback of most of them is that they do not offer a secondary layer of protection: if the steganography is detected, the data is in plaintext. To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked.
Lab Objectives

The objective of this lab is to help students learn:

Using Snow steganography to hide files and data
Hiding files using spaces and tabs
Lab Environment

To carry out the lab, you need:

Snow, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Whitespace Steganography\SNOW

Run this tool on Windows Server 2012

You can also download the latest version of Snow from http://www.darkside.com.au/snow/. If you decide to download the latest version, the screenshots shown in the lab might differ.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking


Lab Duration

Time: 10 Minutes

Overview of Snow

Snow exploits the steganographic nature of whitespace. Locating trailing whitespace in text is like finding a polar bear in a snowstorm. It uses the ICE encryption algorithm, so the name is thematically consistent.


Lab Task

1. Open a command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Whitespace Steganography\SNOW
2. Open Notepad, type Hello World!, press Enter, and then press the Hyphen key repeatedly to draw a line below it.
3. Save the file as readme.txt.
The encryption algorithm built in to Snow is ICE, a 64-bit block cipher also designed by the author of Snow. It runs in 1-bit cipher-feedback (CFB) mode, which although inefficient (requiring a full 64-bit encryption for each bit of output),

FIGURE 11.1: Contents of readme.txt (Hello World! followed by a line of hyphens)

4. Type this command in the command shell: snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt (magic is the password; you can type your desired password instead). readme2.txt is the name of another file that will be created automatically.


FIGURE 11.2: Hiding the contents of readme.txt and the text in the readme2.txt file (Snow reports: Compressed by 23.37%; Message exceeded available space by approximately 571.43%; An extra 8 lines were added.)

5. Now the data (My swiss bank account number is 45656684512263) is hidden inside the readme2.txt file together with the contents of readme.txt.

If you want to compress a long message, or one not containing standard text, you would be better off compressing the message externally with a specialized compression program and bypassing Snow's optional compression step. This usually results in a better compression ratio.

6. The contents of readme2.txt are readme.txt + My swiss bank account number is 45656684512263.
7. Now type snow -C -p "magic" readme2.txt; this will show the hidden data (magic is the password that was entered while hiding the data).
FIGURE 11.3: Revealing the hidden data of readme2.txt (the command prints: My swiss bank account number is 45656684512263)

8. To check the file in a GUI, open readme2.txt in Notepad and select Edit > Select All. You will see the hidden data inside readme2.txt in the form of spaces and tabs.


FIGURE 11.4: Contents of readme2.txt revealed with the Select All option
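As an added illustration of the whitespace technique this lab uses (example code, not Snow's own implementation or file format: Snow packs three bits per tab-delimited whitespace group and can ICE-encrypt the message, whereas this simplified scheme stores one bit per trailing character, eight per line, with a 4-byte length prefix, all of which are assumptions), the following Python hides and reveals a message in trailing whitespace and includes the trailing-whitespace scan a reviewer can run over text files to spot such hiding:

```python
"""Snow-style whitespace steganography plus a defensive scanner.

Added example, not Snow's code or on-disk format. Simplified encoding
(assumption): each message byte becomes 8 trailing characters on one
cover line, space = 0 and tab = 1; a 4-byte big-endian length prefix
tells the decoder where the message ends."""

BITS_PER_LINE = 8


def hide(cover: str, message: bytes) -> str:
    """Append message bits as trailing spaces/tabs to each cover line.
    Like Snow, extra (empty) lines are added when the cover is too short."""
    payload = len(message).to_bytes(4, "big") + message
    bits = "".join(f"{b:08b}" for b in payload)
    chunks = [bits[i:i + BITS_PER_LINE] for i in range(0, len(bits), BITS_PER_LINE)]
    # Drop any pre-existing trailing whitespace so it cannot corrupt decoding.
    lines = [ln.rstrip(" \t") for ln in cover.split("\n")]
    lines += [""] * max(0, len(chunks) - len(lines))
    for i, chunk in enumerate(chunks):
        lines[i] += "".join("\t" if bit == "1" else " " for bit in chunk)
    return "\n".join(lines)


def reveal(stego: str) -> bytes:
    """Read the trailing whitespace back into bytes. Without a separate
    cipher the result is plaintext: detection equals disclosure."""
    bits = ""
    for ln in stego.split("\n"):
        trailing = ln[len(ln.rstrip(" \t")):]
        bits += "".join("1" if ch == "\t" else "0" for ch in trailing)
    usable = len(bits) - len(bits) % 8
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    if len(raw) < 4:
        return b""
    length = int.from_bytes(raw[:4], "big")
    return raw[4:4 + length]


def scan_trailing_whitespace(text: str) -> list:
    """Defender-side check: return (line number, trailing whitespace) for
    lines whose trailing run mixes tabs and spaces or is at least
    BITS_PER_LINE long, the footprint this kind of hiding leaves behind."""
    findings = []
    for number, ln in enumerate(text.split("\n"), 1):
        trailing = ln[len(ln.rstrip(" \t")):]
        mixed = "\t" in trailing and " " in trailing
        if mixed or len(trailing) >= BITS_PER_LINE:
            findings.append((number, trailing))
    return findings


if __name__ == "__main__":
    cover = "Hello World!\n------------\n"  # constructed: the lab's readme.txt
    secret = b"My swiss bank account number is 45656684512263"
    stego = hide(cover, secret)
    print("extra lines added:", stego.count("\n") + 1 - len(cover.split("\n")))
    print("revealed:", reveal(stego))
    print("suspicious lines:", len(scan_trailing_whitespace(stego)))
```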

Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Snow Steganography
Information Collected/Objectives Achieved:
Output: You will see the hidden data inside Notepad

Lab Questions

1. How would you hide the data of files with secret data in other files?
2. Which encryption is used in Snow?

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs


Viewing, Enabling, and Clearing the Audit Policies Using Auditpol

Auditpol is a command in Windows Server 2012, Windows Server 2008, and Windows Server 2003 and is required for displaying or configuring an audit policy at the subcategory level.
Lab Scenario

To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. You should also have knowledge of gaining access, escalating privileges, executing applications, hiding files, and covering tracks.
Lab Objectives

The objective of this lab is to help students learn:

How to set audit policies

Lab Environment

To carry out the lab, you need:

Auditpol is a built-in command in Windows Server 2012

You can see more audit commands at the following link for Windows Server 2012: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx

Run this on Windows Server 2012

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Duration

Time: 10 Minutes


Overview of Auditpol

Auditpol displays information on performance and functions to manipulate audit policies. Its subcommands are:

/get Displays the current audit policy.
/set Sets the audit policy.
/list Displays selectable policy elements.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file that was previously created by using auditpol /backup.
/clear Clears the audit policy.
/remove Removes all per-user audit policy settings and disables all system audit policy settings.
/resourceSACL Configures global resource system access control lists (SACLs).

Lab Task

1. Select Start → Command Prompt.
2. An Administrator: Command Prompt window appears, as shown in the following figure.

FIGURE 12.1: Administrator Command Prompt in Windows Server 2012

3. To view all the audit policies, type the following command in the command prompt: auditpol /get /category:*
4. Press Enter.

FIGURE 12.2: Auditpol viewing the policies (the Category/Subcategory listing shows every subcategory set to No Auditing)

5. To enable the audit policies, type the following command in the command prompt: auditpol /set /category:"system","account logon" /success:enable /failure:enable
6. Press Enter.

FIGURE 12.3: Auditpol Local Security Policies in Windows Server 2012 (the command reports: The command was successfully executed.)


7. To check whether the audit policies are enabled, type the following command in the command prompt: auditpol /get /category:*
8. Press Enter.

Syntax of auditpol /get:

auditpol /get [/user[:<username>|<{sid}>]] [/category:*|<name>|<{guid}>[,:<name|<{guid}>...]] [/subcategory:*|<name>|<{guid}>[,:<name|<{guid}>...]] [/option:<option name>] [/sd] [/r]

Syntax of auditpol /set:

auditpol /set [/user[:<username>|<{sid}>] [/include] [/exclude]] [/category:<name>|<{guid}>[,:<name|<{guid}>...]] [/success:<enable>|<disable>] [/failure:<enable>|<disable>] [/subcategory:<name>|<{guid}>[,:<name|<{guid}>...]] [/success:<enable>|<disable>] [/failure:<enable>|<disable>] [/option:<option name> /value:<enable>|<disable>]

FIGURE 12.4: Auditpol enabling system and account logon policies (the System and Account Logon subcategories now show Success and Failure; the rest remain No Auditing)

9. To clear the audit policies, type the following command in the command prompt: auditpol /clear /y
10. Press Enter.


Syntax of auditpol /list:

auditpol /list [/user|/category|subcategory[:<categoryname>|<{guid}>|*]] [/v] [/r]

FIGURE 12.5: Auditpol clearing the policies (the command reports: The command was successfully executed.)

11. To check whether the audit policies are cleared, type the following command in the command prompt: auditpol /get /category:*
12. Press Enter.
FIGURE 12.6: Auditpol after clearing the audit policies (every subcategory is back to No Auditing)
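The following added Python example (not part of the lab and not a Windows component) parses the `auditpol /get /category:*` listing in the column layout shown in the figures above, compares it against a baseline, and generates the `auditpol /set` commands that close the gaps; the sample listing and the baseline are constructed for illustration and the `/subcategory:"<name>"` form follows the syntax given in the lab:

```python
"""Check `auditpol /get /category:*` output against an audit baseline.

Added example, not EC-Council's code. SAMPLE_OUTPUT is constructed to mirror
the Category/Subcategory + Setting layout of the lab's screenshots, in the
state after step 5 enabled the System and Account Logon categories while
Logon/Logoff was left at its default of No Auditing. BASELINE is a
hypothetical requirement set, not a Microsoft or EC-Council recommendation."""
import re

# Indented subcategory line: name, two or more spaces, one of the four settings.
SETTING_RE = re.compile(
    r"^\s+(.+?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$"
)

SAMPLE_OUTPUT = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
Account Logon
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
"""

BASELINE = {  # (category, subcategory) -> required setting (constructed)
    ("System", "Security State Change"): "Success and Failure",
    ("Logon/Logoff", "Logon"): "Success and Failure",
    ("Logon/Logoff", "Account Lockout"): "Success and Failure",
    ("Account Logon", "Credential Validation"): "Success and Failure",
}


def parse_auditpol(output: str) -> dict:
    """Return {category: {subcategory: setting}} from auditpol /get text."""
    policy, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented lines are the two header lines or a category name.
            if line.startswith(("System audit policy", "Category/Subcategory")):
                continue
            current = line.strip()
            policy.setdefault(current, {})
            continue
        match = SETTING_RE.match(line)
        if match and current is not None:
            policy[current][match.group(1)] = match.group(2)
    return policy


def find_gaps(policy: dict, baseline: dict) -> list:
    """List (category, subcategory, actual, required) where policy falls short;
    a subcategory absent from the listing is reported as 'missing'."""
    gaps = []
    for (category, subcategory), required in baseline.items():
        actual = policy.get(category, {}).get(subcategory, "missing")
        if actual != required:
            gaps.append((category, subcategory, actual, required))
    return gaps


def remediation_commands(gaps: list) -> list:
    """One `auditpol /set` per gap; the required setting selects the
    /success and /failure flags (after `auditpol /clear /y`, as in step 9,
    every baseline entry shows up here)."""
    commands = []
    for _category, subcategory, _actual, required in gaps:
        success = "enable" if "Success" in required else "disable"
        failure = "enable" if "Failure" in required else "disable"
        commands.append(
            f'auditpol /set /subcategory:"{subcategory}" '
            f"/success:{success} /failure:{failure}"
        )
    return commands


if __name__ == "__main__":
    gaps = find_gaps(parse_auditpol(SAMPLE_OUTPUT), BASELINE)
    for gap in gaps:
        print("gap:", gap)
    print("\n".join(remediation_commands(gaps)))
```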


Lab Analysis

Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: AuditPol
Information Collected/Objectives Achieved:
Result: open Auditpol
Category: System, Account Logon

Questions

1. How do you configure global resource SACLs using Auditpol?
2. Evaluate a report or back up an audit policy to a comma-separated value (CSV) text file.

Internet Connection Required: Yes / No
Platform Supported: Classroom


Lab 13

Password Recovery Using CHNTPW.ISO

CHNTPW.ISO is a password recovery tool that runs on Windows Server 2003, Windows Server 2008, and Windows 7 Virtual Machines.
Lab Scenario

Nowadays, attacking the password is one of the most straightforward hacking attacks. Passwords are the most common access control method used by system administrators to manage the usage of network resources and applications. There are numerous feasible methods to crack passwords. To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

In this lab, we show you how to erase or recover an admin password using CHNTPW.ISO.
Lab Objectives

The objective of this lab is to help students learn:

Recovering the password of Windows Server 2008

Lab Environment

To carry out the lab, you need:

CHNTPW.ISO, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Recovery Tools\CHNTPW.ISO\cd110511

CHNTPW.ISO is a tool to recover/erase the administrator passwords for Windows Server 2008

A computer running Windows Server 2008 as a Virtual Machine

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Duration

Time: 15 Minutes


Overview of CHNTPW.ISO

CHNTPW.ISO is an offline NT password and registry editor on a boot disk/CD.

Lab Task

1. Start Hyper-V Manager by selecting Start → Hyper-V Manager.
2. Before starting this lab, make sure that the Windows Server 2008 Virtual Machine is shut down.

Offline NT Password & Registry Editor can delete any password from nearly any installation of Windows almost instantly.

3. Now select the Windows Server 2008 Virtual Machine and click Settings in the right pane of Hyper-V.
Offline NT Password & Registry Editor simply deletes passwords instead of displaying them, making it fast and easy to use.

FIGURE 13.1: CHNTPW.ISO Windows Server 2008 settings (Hyper-V Manager with the Windows Server2008 virtual machine selected and Settings... in the right pane)

4. Select the DVD Drive under the IDE Controller in the left pane of Settings for Windows Server 2008.
5. Check the Image file option, browse for the location of CHNTPW.ISO, and select Apply > OK.

No installation in Windows is required, making this program an easy alternative to many other password recovery


Offline NT Password & Registry Editor is completely free to download and use.

FIGURE 13.2: CHNTPW.ISO Windows Server 2008 settings (DVD Drive on IDE Controller 1 with Media set to Image file: cd110511.iso)

The tool will also remove passwords from 64-bit versions of Windows operating systems.

6. Now go to Hyper-V Manager, right-click Windows Server 2008, and select Connect to start the Windows Server 2008 Virtual Machine.

Offline NT Password & Registry Editor works with all popular Windows versions, including Windows 7 and more.

FIGURE 13.3: CHNTPW.ISO connecting to Windows Server 2008

7. Click the Start button; Windows Server 2008 will start.


FIGURE 13.4: Starting the Windows Server 2008 OS (Virtual Machine Connection window; status: Off, with the message "To start the virtual machine, select Start from the Action menu")

8. After booting, the tool will prompt you with: Step ONE: Select disk where the Windows installation is
9. Press Enter.
It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD or another system.

FIGURE 13.5: CHNTPW.ISO Step One (the chntpw boot screen lists the disk /dev/sda, 17.1 GB, and asks you to select a partition by number)

10. Now you will see: Step TWO: Select PATH and registry files; press Enter.


This is a utility to (re)set the password of any user that has a valid (local) account on your NT system.

FIGURE 13.6: CHNTPW.ISO Step Two (the tool mounts /dev/sda1 as NTFS and reports the Windows directory found)

11. Select which part of the registry to load: use the predefined choices, or list the files with a space as delimiter, and then press Enter.
FIGURE 13.7: CHNTPW.ISO loading registry request (the registry directory Windows/System32/config is listed and the menu offers: 1 - Password reset [sam system security], 2 - RecoveryConsole parameters [software], q - quit)

12. When you see: Step THREE: Password or registry edit, type yes (y) and press Enter.

'
File

Windows Server2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection I


Action Media Clipboard Clipboa View Help

. 3 0 1

95

!Select w hichfiles part of registry todelimiter load* use predefined choices nr the as |1 -list Passw ord reset with [sanspace systen m 2RecoveryConsole eters security! [software] fc quit - return toparam previous Selected files: sa m system security C o p yin g san system security to /tm p
a It works offline, that is, you have to shutdown your computer and boot off a floppydisk or CD. The bootdisk includes stuff to access N TFS and FAT/FAT32 partitions and scripts to glue die whole thing together.

FIGURE 13.8: CHNTPW.ISO Step Three

13. With the hives loaded (<SAM> <SYSTEM> <SECURITY>), the chntpw Main Interactive Menu offers: 1 - Edit user data and passwords; 9 - Registry editor, now with full write support!; q - Quit (you will be asked if there is something to save). At the "What to do?" prompt the default selected option is [1]. Press Enter.
CEH-Tools is also mapped in the Virtual Machine as Network Drive Z:


FIGURE 13.9: CHNTPW.ISO loading hives


14. In the chntpw Edit User Info & Passwords menu, the user name to change defaults to [Administrator]; press Enter to accept it.
NT stores its user information, including crypted versions of the passwords, in a file called 'sam', usually found in \winnt\system32\config. This file is a part of the registry, in a binary format previously undocumented, and not easily accessible.

Disable your software firewall (Norton Internet Security is often the culprit).


FIGURE 13.10: CHNTPW.ISO chntpw Edit User Info & Passwords

15. In the User Edit Menu: 1 - Clear (blank) user password; 2 - Edit (set new) user password (careful with this on XP or Vista); 3 - Promote user (make user an administrator); 4 - Unlock and enable user account [seems unlocked already]; q - Quit editing user, back to user select. The default option, Quit [q], is selected. Type 1 and press Enter.

Disable all "download accelerator" programs; they will more than likely corrupt your download.

[R ID Ils e r n a M e !fu ll nane Ic o M M e n t b io M e d i r

B u ilt - in

acco u n t

fo r

a d n in is t e r in g

th e

c o M p u te r/ d o n a in

A ([ 1[ 1C It 1C

ccount b it s : 0x0010 D is a b le d Tenp. d u p lic a t e 1 D o n a in tru s t ac 1 Pw d d o n t e x p ir 3 (u n k n o w n 0 x 1 0 )

X I 1 1 ]

H o n e d ir r e q . N o rn a l a cco u n t W ks t r u s t a c t . A u to lo c k o u t (u n k n o w n 0 x 2 0 )

1 I 1

S rv tru s t a c t ( u n k n o w n 0x08> 1 1 (u n k n o w n 0 x 4 0 )

Passw d n ot re q . NMS a c c o u n t

- - U s e r E d i t M e n u : 1 1 C le a r (b la n k ) u s e r p a ssw o rd I 2 E d it (s e t n ew ) u s e r p a ssw o rd (c a r e fu l w ith t h is 3 P ro n o te u s e r (n a k e u s e r an a d n i n i s t r a t o r ) (4 - U n l o c k a n d e n a b l e u s e r a c c o u n t) E s e e n s u n lo c k e d I q Q u it e d i t in g u se r, back to u s e r s e le c t !? e le c t : tg 3 > 1 _

on

XP

o r

U is ta )

a lr e a d y ]

Status: Running

a n
FIGURE 13.11: CHNTPW.ISO User Edit Menu

16. After the password of the user account has been cleared (chntpw reports "Password cleared!"), type ! at the user select prompt and press Enter to return to the main menu.
FIGURE 13.12: CHNTPW.ISO Password Cleared

17. Back at the Main Interactive Menu, with the loaded hives <SAM> <SYSTEM> <SECURITY>, the options are again: 1 - Edit user data and passwords; 9 - Registry editor, now with full write support!; q - Quit (you will be asked if there is something to save). At "What to do?" the default selected option is [1]. Type q (quit) and press Enter.




FIGURE 13.13: CHNTPW.ISO loading hives, Quit option

18. In Step FOUR: Writing back changes, chntpw asks "About to write file(s) back! Do it?"; here the default option is [n]. Type y (yes) and press Enter.

FIGURE 13.14: CHNTPW.ISO Step Four


19. The edit is completed.


FIGURE 13.15: CHNTPW.ISO Edit Completed

20. Now turn off the Windows Server 2008 Virtual Machine.
21. Open the Hyper-V Manager settings of Windows Server 2008, change the DVD Drive option under IDE Controller 1 to None, and then click Apply > OK.
FIGURE 13.16: CHNTPW.ISO Windows Server 2008 Settings

22. Go to the Windows Server 2008 Virtual Machine, and click the Start button.

FIGURE 13.17: Starting Windows Server 2008

23. Windows Server 2008 boots without requiring any password.

FIGURE 13.18: Windows Server 2008 Window
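The "Account bits" word and the RIDs that chntpw prints in the screens above can be decoded and triaged by a defender to spot exactly the state this lab leaves behind (an enabled Administrator with a blank password); the following is an added example, not code from the lab or from chntpw. The bit values are the standard SAM USER_ACCOUNT_CONTROL flags; the sample records are constructed to mirror the lab's user list (the Administrator row models the cleared password, the IUSR_ name is taken from the screenshots).

```python
"""Decode the SAM account-control word that chntpw prints as
"Account bits: 0x0010" and triage local accounts for the states
this lab produces (added example, not part of chntpw or the lab)."""

# Standard SAM account-control bits (MS-SAMR USER_ACCOUNT_CONTROL /
# Samba ACB_* flags), in the order chntpw's checkbox grid prints them.
ACB_DISABLED = 0x0001
ACB_HOMDIRREQ = 0x0002
ACB_PWNOTREQ = 0x0004
ACB_TEMPDUP = 0x0008
ACB_NORMAL = 0x0010
ACB_MNS = 0x0020
ACB_DOMTRUST = 0x0040
ACB_WSTRUST = 0x0080
ACB_SVRTRUST = 0x0100
ACB_PWNOEXP = 0x0200
ACB_AUTOLOCK = 0x0400

ACB_NAMES = {
    ACB_DISABLED: "Disabled",
    ACB_HOMDIRREQ: "Homedir req.",
    ACB_PWNOTREQ: "Passwd not req.",
    ACB_TEMPDUP: "Temp. duplicate",
    ACB_NORMAL: "Normal account",
    ACB_MNS: "MNS account",
    ACB_DOMTRUST: "Domain trust account",
    ACB_WSTRUST: "Workstation trust account",
    ACB_SVRTRUST: "Server trust account",
    ACB_PWNOEXP: "Pwd don't expire",
    ACB_AUTOLOCK: "Auto lockout",
}
KNOWN_MASK = sum(ACB_NAMES)  # every bit this decoder understands

# Well-known RIDs of the built-in accounts chntpw lists as 01f4 / 01f5.
RID_ADMINISTRATOR = 0x1F4  # 500
RID_GUEST = 0x1F5          # 501


def decode_acb(bits):
    """Return the names of the flags set in a 16-bit account-control word."""
    if not 0 <= bits <= 0xFFFF:
        raise ValueError("account bits are a 16-bit field")
    names = [name for bit, name in sorted(ACB_NAMES.items()) if bits & bit]
    unknown = bits & ~KNOWN_MASK
    if unknown:  # chntpw prints these as "(unknown 0x..)"
        names.append("unknown 0x%04x" % unknown)
    return names


def audit_account(rid, bits, password_blank):
    """Triage one account. password_blank models what option 1 of the
    User Edit Menu ("Clear (blank) user password") leaves in the hive."""
    findings = []
    enabled = not bits & ACB_DISABLED
    if enabled and password_blank:
        findings.append("enabled account with blank password")
    if enabled and bits & ACB_PWNOTREQ:
        findings.append("enabled account with 'password not required' set")
    if enabled and bits & ACB_PWNOEXP:
        findings.append("password never expires")
    if enabled and rid == RID_ADMINISTRATOR:
        findings.append("built-in Administrator (RID 500) is enabled")
    if enabled and rid == RID_GUEST:
        findings.append("built-in Guest (RID 501) is enabled")
    if bits & ACB_AUTOLOCK:
        findings.append("account is auto-locked after failed logons")
    return findings


def audit_sam(records):
    """Map username -> findings for every record that has at least one."""
    report = {}
    for rid, username, bits, password_blank in records:
        findings = audit_account(rid, bits, password_blank)
        if findings:
            report[username] = findings
    return report


# Constructed sample mirroring this lab's user list after step 16:
# (RID, username, account bits, password blank?). The Administrator row
# models the cleared password; the other rows are typical defaults.
SAMPLE_RECORDS = [
    (RID_ADMINISTRATOR, "Administrator", ACB_NORMAL, True),
    (RID_GUEST, "Guest", ACB_DISABLED | ACB_PWNOTREQ | ACB_NORMAL, True),
    (0x3E8, "IUSR_WIN-ULY858KHQIP", ACB_NORMAL | ACB_PWNOEXP, False),
]

if __name__ == "__main__":
    for rid, name, bits, _ in SAMPLE_RECORDS:
        print("%04x  %-22s 0x%04x  %s" % (rid, name, bits, ", ".join(decode_acb(bits))))
    for name, findings in audit_sam(SAMPLE_RECORDS).items():
        print(name + ":")
        for finding in findings:
            print("  - " + finding)
```

The mitigation this check points at is the one the sidebar implies: an offline edit of the SAM hive needs unencrypted disk access, so full-disk encryption and a disabled or renamed built-in Administrator account remove the precondition.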


Lab Analysis
Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: CHNTPW.ISO
Information Collected/Objectives Achieved: Machine Name: Windows Server 2008; Output: Log into Windows Server 2008 without entering the user name and password

Questions
1. How do you configure CHNTPW.ISO in the Windows Server 2008 Virtual Machine Settings?

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs


Lab

User System Monitoring and Surveillance Needs Using Spytech SpyAgent


Spytech SpyAgent is powerful computer spy software that allows you to monitor everything users do on your computer, in total stealth. SpyAgent provides a large array of essential computer monitoring features, as well as website, application, and chat client blocking, lockdown scheduling, and remote delivery of logs via email or FTP.

Lab Scenario


Today, employees are given access to computer, telephone, and other electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees are also given laptop computers and wireless phones they can take home and use for business outside the workplace. Whether an employee can claim a reasonable expectation of privacy when using such company-supplied equipment in large part depends upon the steps the employer has taken to minimize that expectation.

In this lab, we explain monitoring employee or student activity using Spytech SpyAgent.

Lab Objectives
The objective of this lab is to help students use Spytech and the SpyAgent tool. After completing this lab, students will be able to:
Install and configure Spytech SpyAgent
Monitor keystrokes typed, websites visited, and Internet traffic data

Lab Environment


To perform the lab, you need:
A computer running Windows Server 2012
Administrative privileges to install and run tools
Run this tool in Windows Server 2012
You can also download Spytech SpyAgent from http://www.spytech-web.com/spyagent.shtml
If you decide to download the latest version, screenshots may differ

Lab Duration
Time: 15 Minutes

Overview of Spytech SpyAgent


SpyAgent is a powerful solution that can log all keystrokes, emails, windows, websites, applications, Internet connections, chat conversations, passwords, print jobs, documents viewed, and even screenshots. SpyAgent runs in complete stealth with optional email delivery and logging and lockdown scheduling. SpyAgent also features powerful filtering and access control features, such as Chat Blocking (to restrict access to chat software), Application Blocking (to prevent specific applications from being executed), and Website Filtering.

Lab Tasks
TASK 1: Installation of Spytech SpyAgent
The basic idea in this section is to:
1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Keyloggers\Spytech SpyAgent

2. Double-click Setup.exe. You will see the following window. Click Next.
You can download Spytech SpyAgent from http://www.spytech-web.com
FIGURE 14.1: Installation of Spytech SpyAgent


3. The Welcome wizard of the Spytech SpyAgent setup program appears; read the instructions and click Next.
FIGURE 14.2: Installation wizard of Spytech SpyAgent

4. The Important Notes window appears; read the note and click Next.

Active Mode: this option allows SpyAgent to be started in monitoring mode when it is opened; there is no need for manually starting its monitoring.

FIGURE 14.3: Installation wizard


5. The Software License Agreement window appears; you must accept the agreement to install Spytech SpyAgent.
6. Click Yes to continue.

FIGURE 14.4: Select the Agreement


7. Choose the Destination Location to install Spytech SpyAgent.
8. Click Next to continue the installation.

Stealth Mode: this option allows SpyAgent to run in total stealth. Combined with 'Active Mode' the software will load and run in monitoring mode in complete stealth.


FIGURE 14.5: Selecting folder for installation

9. Select the SpyAgent installation type: choose Administrator/Tester as the setup type.
10. Click Next.



FIGURE 14.6: Selecting installation type


Splash Warning: this option allows you to display a message to the user when SpyAgent is started. This message can be configured in the Advanced Settings > Splash Screen window.

11. The Ready to Install window appears. Click Next to start installing Spytech SpyAgent.
FIGURE 14.7: Ready to install window


12. It will prompt whether to include an uninstaller. Click Yes.



FIGURE 14.8: Selecting an uninstaller

13. A Notice For Antivirus Users window appears; read the text and click Next.

Log Location: this allows you to specify where you want SpyAgent to store its activity logs. For Windows NT/2000/XP systems monitoring ALL users it is recommended that the log location be set to x:\documents and settings\all users.


FIGURE 14.9: Accept Antivirus notice

14. The Finished window appears. Click Close to end the setup.

FIGURE 14.10: Finish window


15. The following window appears. Click "click to continue...".


FIGURE 14.11: Welcome SpyAgent window

16. The following window appears. Enter the password in the New Password field, and retype the same password in the Confirm field.
17. Click OK.
SpyAgent can deliver its activity logs in secret to your own personal email or FTP account.


FIGURE 14.12: Selecting New Password

18. The following window appears. Click "click to continue...".

FIGURE 14.13: Welcome SpyAgent window

19. The Configuration package wizard appears. Select the Complete + Stealth Configuration package.
20. Click Next.

FIGURE 14.14: Selecting configuration package

21. Choose additional options, and select the Display Alert on Startup check box.
22. Click Next.


Internet Traffic Data: this logs ALL incoming and outgoing internet data transmitted and received by users. All email passwords, FTP passwords, website transmissions, etc. will be logged by this feature.

FIGURE 14.15: Selecting additional option

23. The Confirm Settings wizard appears. To continue, click Next.



SpyAgent has the unique ability to allow you to have its activity logs delivered to your personal email address or FTP account.

FIGURE 14.16: Confirm settings wizard

24. The Configurations Applied window appears. Click Next.


FIGURE 14.17: Configuration applied window

25. The Configuration Finished window appears. Click Finish to complete the setup of SpyAgent.


SpyAgent has a built-in scheduling feature that allows you to configure SpyAgent to log user activities during specific hours of the day, or to lock down your computer at certain times.

2 .E x t r a s 3 .C o n f i r mS e t t i n g s 4 .A p p l y
5. Finish

You h a v e now s u c c e s s fu lly se tu p S p y A g e n t ! I f yo u w is h to c h a n g e a n y s e t t in g s fu rth e r, c l i c k on th e b u tto n s on t h e S p y A g e n t in t e r f a c e for m o re o p t io n s !

| GOiMij--]
F IG U R E1 4 . 1 8 :C o n f i g u r a t i o nf i n i s h e dw i n d o w

26. The main window of Spytech SpyAgent appears, as shown in the following figure. Click the Click to continue... button.


FIGURE 14.19: Main window of SpyAgent (Welcome to SpyAgent, Step 3: This is SpyAgent's user interface. This is where you can start and stop monitoring, view activity logs, change settings, and configure the software.)

27. To check the general user activities, click Start Monitoring.


FIGURE 14.20: Start monitoring


28. When the Enter Access Password window appears, enter the password.

29. Click OK.
SpyAgent has a feature called SmartLogging that lets you trigger monitoring when certain events arise, instead of running constantly and logging everything that users do. SmartLogging ties into the keystrokes, websites visited, applications run, and windows used logging functions.

FIGURE 14.21: Entering the password

30. The Stealth Notice window appears. Read the instructions and click OK.

NOTE: To bring SpyAgent out of stealth mode, press CONTROL+SHIFT+ALT+M on your keyboard.

SpyAgent allows you to save all of SpyAgent's keystrokes, websites, windows, applications, connections, clipboard, activity, print jobs, file usage, and documents logs to a specified directory at once for easier viewing later on, or so you can clear your logs without losing data.

FIGURE 14.22: Stealth mode notice

31. The following window appears. Select Do not show this Help Tip again and Do not show Related Help Tips like this again, then click the Click to continue... button.

SpyAgent features a large set of reporting tools that allow you to save and prepare log data for later viewing, documentation, and printing. All reports are formatted in HTML format for viewing with your web browser.

FIGURE 14.23: Start monitoring (SpyAgent is now monitoring your computer. To stop monitoring press SpyAgent's hotkey combination - by default it is CONTROL+ALT+SHIFT+M - then enter your SpyAgent password.)

32. Now browse the Internet (anything). To bring SpyAgent out of stealth mode, press CONTROL+SHIFT+ALT+M on your keyboard.

33. It will ask for the Access Password; enter the password and click OK.

FIGURE 14.24: Entering the password

34. To check the user's keystrokes, click Keystrokes Typed from General User Activities.

35. It will show all the resulting keystrokes, as shown in the following screenshot.


FIGURE 14.25: Resulting keystrokes (SpyAgent Keystrokes Log Viewer; log entries preceded with a '*' indicate a password entry)

36. To check the websites visited by the user, click Websites Visited from Internet Activities.

37. It will show all the websites the user visited, as shown in the following screenshot.


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Spytech SpyAgent

Information Collected/Objectives Achieved: Output: monitoring keystrokes typed; website log entries; pages visited for selected website; Internet traffic data

Internet Connection Required: Yes / No

Platform Supported: Classroom / iLabs


Web Activity Monitoring and Recording Using Power Spy 2013

Power Spy 2013 software allows you to secretly monitor and record all activities on your computer, and this is completely legal.

Lab Scenario



Today, employees are given access to computers, telephones, and other electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees also are given laptop computers and wireless telephones they can take home and use for business outside the workplace. Whether an employee can claim a reasonable expectation of privacy when using such company-supplied equipment in large part depends upon the steps the employer has taken to minimize that expectation.

In this lab, we explain monitoring employee or student activity using Power Spy 2013.

Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

The objective of this lab is to help students use the Activity Monitor tool. After completing this lab, students will be able to:

Install and configure Power Spy 2013

Monitor keystrokes typed, websites visited, and Internet Traffic Data

Lab Environment

To perform the lab, you need:

A computer running Windows Server 2012

Administrative privileges to install and run tools

You can also download the Power Spy tool from http://ematrixsoft.com/download-power-spy-software.php


If you decide to download the latest version, the screenshots may differ.

Run this tool in Windows Server 2012.

Lab Duration
Time: 15 Minutes

Overview of Power Spy 2013


Power Spy software records Facebook use and all keystrokes typed, and captures all chats and IMs in Windows Live Messenger (MSN Messenger), Skype, Yahoo Messenger, Tencent QQ, Google Talk, GADU-GADU, ICQ, AOL Instant Messenger (AIM), and others. It records all websites visited, emails read, documents opened, windows opened, clipboard activities, passwords typed, and applications executed.

Lab Tasks

TASK 1: Installation of Power Spy 2013

The basic idea in this section is to:

1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Spywares\Email and Internet Spyware\Power Spy.

2. Double-click pcspy.exe. The Software License Agreement window appears. You must accept the agreement to install Power Spy.

3. Click Next in the License Agreement wizard.
You can download Power Spy 2013 from http://ematrixsoft.com/index.php

FIGURE 15.1: Installation of Spytech SpyAgent (Setup Power Spy: Welcome to the Setup Wizard. By clicking Next you are agreeing to the terms of the License Agreement.)

4. Setup has finished the installation on the system. Click Finish.


Keystrokes Typed: log all keystrokes, including optional non-alphanumerical keys, typed with time, Windows username, application name and window caption.

FIGURE 15.2: Select the Agreement (Completing Setup: Setup has finished installing the product on your computer. Click Finish to exit the Setup Wizard.)

5. The Run as administrator window appears. Click Run.


Net Chatting Conversations: monitor and record all latest-version Windows Live Messenger / Skype / MSN Messenger / ICQ / AIM / Yahoo! Messenger BOTH SIDES chatting conversations with time, chat users, and all incoming/outgoing messages.

FIGURE 15.3: Selecting folder for installation (Run as administrator: With administrative rights, you can check, delete and export logs, change settings, and have complete access to the software.)

6. The Setup login password window appears. Enter the password in the New password field, and retype the same password in the Confirm password field. Click Submit.

7.


Screen Snapshots: automatically captures screenshots of the entire desktop or active windows at set intervals. Saves screenshots as JPEG format images on your computer hard disk. Automatically stops screenshots when the user is inactive.

FIGURE 15.4: Selecting New Password (Setup login password: Set up a password to log in to the software. The password can include uppercase letters, lowercase letters, numbers and symbols. Fields: New password, Confirm password.)

8. The Information dialog box appears. Click OK.


FIGURE 15.5: Password confirmation window (Information: Your password is created. You will use it to log in to the software.)

9. The Enter login Password window appears. Enter the password (which is already set).

10. Click Submit.


Self Actions: record Power Spy administrator operations, like start or stop monitoring.

FIGURE 15.6: Enter the password

11. The Register product window appears. Click Later to continue.

Stealth Mode: Power Spy runs absolutely invisibly under Windows systems and does not show in the Windows task list. No one will know it's running unless you tell them! You can also choose to hide or unhide the Power Spy icon and its uninstall entry.


FIGURE 15.7: Register product window (In the trial version an icon is displayed on the Desktop to disable Stealth Mode. Stealth Mode is enabled after the product is unlocked with your registration information. Fields: User Name, Unlock Code.)

12. The main window of Power Spy appears, as displayed in the following figure.
Task Schedule: You can set a starting and ending time for each task to automatically start and stop the monitoring job.

FIGURE 15.8: Main window of Power Spy (Control Panel: Keystrokes, websites visited, Applications executed, clipboard, microphone, Start monitoring, Stealth Mode, Configuration, Export all logs, Delete all logs)

TASK 2: Monitoring and Recording User Activities

13. Click Start monitoring.


Logs View: choose to view different types of logs from the program's main interface. You can delete selected logs or clear all logs, search logs, or export logs as reports in HTML format.

FIGURE 15.9: Start monitoring

14. The System Reboot Recommended window appears. Click OK.


FIGURE 15.10: System Reboot Recommended window (One or more monitoring features require a system reboot to start working. It is recommended to close the software first (click Stealth Mode or X in the top right corner), then restart your computer. The message displays only once.)

15. Click Stealth Mode (stealth mode runs Power Spy completely invisibly on the computer).

16. The Hotkey reminder window appears. Click OK (to unhide Power Spy, press the Ctrl+Alt+X keys together on your PC keyboard).


Easy to use Interface: configure Power Spy with either the Wizard for common users or the control panel for advanced users. The user-friendly graphical program interface makes it easy for beginners.

FIGURE 15.11: Stealth mode window (Hotkey reminder: The Stealth Mode is started and the software will run completely invisibly. To unhide it, use your hotkey: Ctrl + Alt + X (press the 3 keys together on your keyboard). The hotkey only works in the current Windows user account. It is disabled in other user accounts for security.)

17. The Confirm window appears. Click Yes.

FIGURE 15.12: Stealth mode notice (Confirm: Are you sure you remember this? Yes / No)

18. Now browse the Internet (anything). To bring Power Spy out of stealth mode, press CONTROL+ALT+X on your keyboard.

19. The Run as administrator window appears. Click Run.
FIGURE 15.13: Run as administrator (With administrative rights, you can check, delete and export logs, change settings, and have complete access to the software.)

20. The Enter login password window appears. Enter the password (which is already set).

21. Click Submit.

FIGURE 15.14: Enter the password

22. Click Later in the Register product window to continue, if it appears.

23. Click Stop monitoring to stop the monitoring.
FIGURE 15.15: Stop the monitoring

24. To check the user's keystrokes, click Keystrokes in the Power Spy Control Panel.


Program Executed: log all programs including applications, executable files, documents and directories navigated, with time, Windows username, application/document/directory name and file paths.

FIGURE 15.16: Selecting keystrokes from the Power Spy control panel

25. It will show all the resulting keystrokes, as shown in the following screenshot.

26. Click the Close button.
FIGURE 15.17: Resulting keystrokes

Documents Opened: log all text contents of documents opened in MS Word and NotePad.

27. To check the websites visited by the user, click websites visited in the Power Spy Control Panel.

28. It will show all the visited websites, as shown in the following screenshot.


FIGURE 15.18: Result of visited websites

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Power Spy 2013

Information Collected/Objectives Achieved: Output: monitoring keystrokes typed; website log entries; pages visited for selected website; Internet traffic data

Internet Connection Required: Yes / No

Platform Supported: Classroom / iLabs


Image Steganography Using QuickStego

QuickStego hides text in pictures so that only other users of QuickStego can retrieve and read the hidden secret messages.

Lab Scenario


Porn sites are filled with images that sometimes change multiple times each day, require authentication in some cases to access their "better" areas of content, and by using steganographic techniques, would allow an agent to retrieve messages from their home bases and send back updates, all in porn trading. Thumbnails could be scanned to find out if there are any new messages for the day; once decrypted, these messages would point to links on the same site with the remaining information encrypted. Terrorists know that so many different types of files can hold all sorts of hidden information, and tracking or finding these files can be an almost impossible task. These messages can be placed in plain sight, and the servers that supply these files will never know it. Finding these messages is like finding the proverbial "needle" in the World Wide Web haystack.

In order to be an expert ethical hacker and penetration tester, you must understand how to hide text inside an image. In this lab, we show how text is hidden inside an image using the QuickStego tool.


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Objectives
The objective of this lab is to help students learn how to hide secret text messages in an image.

Lab Environment

To perform the lab, you need:

A computer running Windows Server 2012

Administrative privileges to install and run tools

QuickStego is located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Image Steganography\QuickStego

You can also download the QuickStego tool from http://quickcrypto.com/free-steganography-software.html

If you decide to download the latest version, the screenshots may differ.

Run this tool in Windows Server 2012.

Lab Duration
Time: 10 Minutes

Overview of Steganography


Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program, or protocol.
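As an added illustration of the technique this lab performs with QuickStego (example code written for this edit, not QuickStego's own implementation or file format), the following Python hides text in the least-significant bits of raw RGB pixel data and recovers it again. The raw pixel buffer, the 32-bit length header, the helper names and the pseudo-random cover image are all assumptions constructed for the example; the capacity check mirrors the lab's point that a larger image holds more text, and the final function shows why a defender holding the original cover can still spot the embedding.

```python
"""Added example, not QuickStego's own format: least-significant-bit (LSB)
text hiding in an uncompressed RGB pixel buffer.

Assumptions (constructed for the example, not taken from the lab manual):
  * the cover is raw pixel data, 3 bytes (R, G, B) per pixel, as read from an
    uncompressed .bmp; a lossy format such as JPEG would recompress the
    pixels and destroy the hidden bits, which is why saved output is .bmp only;
  * the message is stored as a 32-bit big-endian length header followed by its
    UTF-8 bytes, one message bit per colour-channel byte.
"""
import random
from typing import Optional

HEADER_BITS = 32  # 4-byte length header, one bit per channel byte


def capacity_bytes(pixel_data: bytes) -> int:
    """Message bytes the cover can hold: one bit per channel byte, minus the header."""
    return max(0, (len(pixel_data) - HEADER_BITS) // 8)


def overflow_by(pixel_data: bytes, message: str) -> int:
    """How many message bytes exceed the cover's capacity (0 when it fits)."""
    return max(0, len(message.encode("utf-8")) - capacity_bytes(pixel_data))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def hide_text(pixel_data: bytes, message: str) -> bytes:
    """Return a copy of pixel_data whose channel LSBs carry the message."""
    over = overflow_by(pixel_data, message)
    if over:
        # Like QuickStego's limit warning: report how much text must be dropped.
        raise ValueError(f"message too long for this cover: drop {over} byte(s)")
    payload = message.encode("utf-8")
    stream = len(payload).to_bytes(4, "big") + payload
    out = bytearray(pixel_data)
    for i, bit in enumerate(_bits(stream)):
        out[i] = (out[i] & 0xFE) | bit  # replace only the lowest bit
    return bytes(out)


def _bytes_from_lsbs(pixel_data: bytes, start: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs beginning at channel byte index start."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixel_data[start + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def reveal_text(pixel_data: bytes) -> Optional[str]:
    """Extract a message hidden by hide_text, or None if no plausible header is present."""
    if len(pixel_data) < HEADER_BITS:
        return None
    length = int.from_bytes(_bytes_from_lsbs(pixel_data, 0, 4), "big")
    if length == 0 or length > capacity_bytes(pixel_data):
        return None  # header does not describe a message this cover could hold
    return _bytes_from_lsbs(pixel_data, HEADER_BITS, length).decode("utf-8", "replace")


def max_channel_difference(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change between cover and stego pixels.

    LSB embedding changes each byte by at most 1, which is why the eye cannot
    see it; a defender who still has the original cover can detect the
    embedding with exactly this comparison.
    """
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int, height: int, seed: int = 7) -> bytes:
    """Constructed sample cover: width*height pseudo-random RGB pixels, not a real photo."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))


if __name__ == "__main__":
    cover = make_cover(64, 48)
    stego = hide_text(cover, "Meet at the usual place")
    print(capacity_bytes(cover), reveal_text(stego), max_channel_difference(cover, stego))
```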

Lab Tasks

TASK 1: Hide the text inside the image

The basic idea in this section is to:

1. Follow the wizard-driven installation steps to install QuickStego.

2. Launch QuickStego from the Start menu apps.

You can download QuickStego from http://quickcrypto.com

FIGURE 16.1: Main window of QuickStego

3. Click Open Image in the Picture, Image, Photo File dialog box.

Image types that can be opened: .jpg/.jpeg, .gif, or .bmp formats.

FIGURE 16.2: Opening the image

4. Browse for the image in D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Image Steganography\QuickStego.

5. Select lamborghini_5.jpg, and then click the Open button.


FIGURE 16.3: Selecting the image (Select An Image File To Open; file types: *.bmp, *.jpg, *.jpeg, *.gif; saved hidden-text images are bmp format only)

6. The selected image is added; it will show a message that reads: THIS IMAGE DOES NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE.


Ik UQ u i c k S t e g od o e sn o t E N C R Y P Tt h es e c r e tt e x t m e s s a g et h o u g h iti sw e l l h i d d e n i nt h ei m a g e . Q u i c k C r y p t oi n c l u d e st h e f u n c t i o n so fQ u i c k S t e g o b u ta l s oa l l o w sy o ut o s e c u r e l ye n c r y p tt e x ta n d f i l e sa n de v e nh i d ef i l e so n y o u rc o m p u t e r .

FIGURE 16.4: Selected image is displayed

7. To add the text to the image, click Open Text from the Text File dialog box.

FIGURE 16.5: Selected text file

8. Browse the text file from D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Image Steganography\QuickStego.

9. Select the Text File.txt file, and then click the Open button.

The core functions of QuickStego are also part of QuickCrypto, therefore the product will be supported for the foreseeable future. Functionality on its way is the ability to hide messages inside audio files, e.g. mp3 and wav.

FIGURE 16.6: Selecting the text file

10. The selected text will be added; click Hide Text in the Steganography dialog box.

11. It shows the following message: The text message is now hidden in image.

The larger the image, the more text that can be concealed within. QuickStego will tell you how many characters of text you must lose if you go over this limit per picture. In practice a lot of secret text can be hidden in even a small image.

FIGURE 16.7: Hiding the text

12. To save the image (where the text is hidden inside the image), click Save Image in the Picture, Image, Photo File dialog box.


QuickStego imperceptibly alters the pixels (individual picture elements) of the image, encoding the secret text by adding small variations in color to the image. In practice, to the human eye, these small differences do not appear to change the image.
FIGURE 16.8: Save the steganography image
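The side notes above describe the mechanism (small changes to pixel values) and the capacity rule (a larger image holds more text, and the tool reports how many characters must be dropped when the limit is exceeded). The Python below is an added illustration of that least-significant-bit scheme and is not QuickStego's own code; the 32-bit length header, the flat list of 8-bit channel values and the constructed cover image are assumptions made for this example. Its max_channel_change check shows why the eye cannot notice the change (each channel moves by at most 1) and why detection has to look at bit-plane statistics rather than the picture.

```python
# Added illustration of LSB image steganography; not QuickStego's code. The 32-bit
# length header, flat channel list and constructed cover image are assumptions.

def capacity_chars(pixels):
    """Bytes of text that fit: one bit per channel value, less a 32-bit length header."""
    return max(0, (len(pixels) - 32) // 8)

def characters_to_drop(pixels, text):
    """How many characters exceed the capacity (0 when the message fits)."""
    return max(0, len(text.encode("utf-8")) - capacity_chars(pixels))

def _bits(data):  # yield the bits of a byte string, most significant bit first
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def hide_text(pixels, text):
    """Return a copy of pixels with the UTF-8 text embedded in their LSBs."""
    over = characters_to_drop(pixels, text)
    if over:
        raise ValueError(f"message too long for this image: drop {over} characters")
    payload = text.encode("utf-8")
    out = list(pixels)
    for i, bit in enumerate(_bits(len(payload).to_bytes(4, "big") + payload)):
        out[i] = (out[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return out

def get_text(pixels):
    """Recover embedded text, or None when no plausible length header is present."""
    def read(start, count):
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (pixels[i] & 1)
        return value
    length = read(0, 32)
    if length == 0 or 32 + 8 * length > len(pixels):
        return None
    return bytes(read(32 + 8 * k, 8) for k in range(length)).decode("utf-8", "replace")

def max_channel_change(before, after):
    """Largest per-channel difference between cover and stego image (LSB embedding: at most 1)."""
    return max(abs(a - b) for a, b in zip(before, after))

# Constructed 40x30 RGB cover image as a flat list of channel values (not a real photo).
COVER = [(i * 37 + 11) % 256 for i in range(40 * 30 * 3)]

if __name__ == "__main__":
    stego = hide_text(COVER, "hidden in plain sight")
    print(get_text(stego), max_channel_change(COVER, stego))   # hidden in plain sight 1
```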

13. Provide the file name as stego, and click Save (to save this file on the desktop).
FIGURE 16.9: Browse for saved file

14. Exit from the QuickStego window. Again open QuickStego, and click Open Image in the Picture, Image, Photo File dialog box.

15. Browse the stego file (which is saved on the desktop).

16. The hidden text inside the image will appear as displayed in the following figure.


Approximately 2 MB of free hard disk space (plus extra space for any images)

FIGURE 16.10: Hidden text is shown

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: QuickStego

Information Collected/Objectives Achieved:
Image Used: lamborghini_5.jpg
Output: The hidden text inside the image will be shown

Internet Connection Required: Yes / No
Platform Supported: iLabs
