System Hacking
Module 05

System Hacking

System hacking is the practice of testing computers and networks for vulnerabilities.
Lab Scenario

Password hacking is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy: after a password is compromised, its original owner isn't the only person who can access the system with it. Hackers have many ways to obtain passwords. They can obtain passwords from local computers by using password-cracking software; to obtain passwords from across a network, they can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks, together with countermeasures to help prevent these vulnerabilities from being exploited on your systems.
Lab Objectives

The objective of this lab is to help students learn to monitor a system remotely and to extract hidden files, including the following tasks:
- Extracting administrative passwords
- Hiding files and extracting hidden files
- Recovering passwords
- Monitoring a system remotely

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Lab Environment

To carry out the lab you need:
- A computer running Windows Server 2012
- A web browser with an Internet connection
- Administrative privileges to run tools

Lab Duration

Time: 100 Minutes
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Tasks

Overview

Recommended labs to assist you in system hacking:
- Extracting Administrator Passwords Using LCP
- Hiding Files Using NTFS Streams
- Find Hidden Files Using ADS Spy
- Hiding Files Using the Stealth Files Tool
- Creating Rainbow Tables Using Winrtgen
- Password Cracking Using RainbowCrack
- System Monitoring Using RemoteExec
- Hiding Data Using Snow Steganography
- Viewing, Enabling and Clearing the Audit Policies Using Auditpol
- Web Activity Monitoring and Recording Using Power Spy 2013
- Image Steganography Using QuickStego

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on the target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Extracting Administrator Passwords Using LCP

LCP is a password auditing and recovery tool for Windows. It imports account hashes from the local or a remote computer, or from SAM, LC, LCS, PwDump or Sniff files, and runs dictionary, hybrid and brute-force attacks against them.
Lab Scenario

Hackers can break weak password storage mechanisms by using the cracking methods outlined in this chapter. Many vendors and developers believe that passwords are safe from hackers if they don't publish the source code for their encryption algorithms; once the code is reverse engineered it is soon distributed across the Internet and becomes public knowledge, and a scheme that depends on keeping the algorithm secret fails. Password-cracking utilities take advantage of weak password hashing and encryption. They do the grunt work and, given enough time and computing power, can recover any password, which is why the real defense is a hashing scheme that makes each guess expensive combined with passwords long enough to keep the number of guesses out of reach. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords.
Lab Objectives

The objective of this lab is to help students learn how to crack administrator passwords for ethical purposes.

In this lab you will learn how to:
- Use the LCP tool
- Crack administrator passwords

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Lab Environment

To carry out the lab you need:
- LCP, located in the module tools directory listed above
- You can also download the latest version of LCP from http://www.lcpsoft.com/english/index.htm
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool in Windows Server 2012
- Administrative privileges to run tools
- TCP/IP settings correctly configured and an accessible DNS server

Lab Duration

Time: 10 Minutes
Overview of LCP

LCP audits user account passwords and recovers them on Windows 2008 and 2003. Its general features are password recovery, brute-force session distribution, account information importing, and hashing. It can be used to test password security or to recover lost passwords. The program can import from the local (or a remote) computer, or by loading a SAM, LC, LCS, PwDump or Sniff file. LCP supports dictionary attacks, brute-force attacks, and a hybrid of dictionary and brute-force attacks. What it attacks is the pair of hashes Windows keeps for each local account: the LM hash (stored only when LM hashing is enabled and the password is at most 14 characters) and the NT hash (MD4 of the UTF-16LE password, with no salt). Because neither hash is salted, a single guess can be hashed once and compared against every imported account, and an account whose LM Hash column reads NO PASSWORD simply has no LM hash stored.
Lab Tasks

TASK 1: Importing and cracking account hashes

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

[Figure: Windows Server 2012 Start screen. Tiles shown include Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, LCP, Computer, Control Panel, Hyper-V Virtual Machine..., SQL Server Installation Center..., Command Prompt, Mozilla Firefox, Nmap Zenmap GUI, Workspace Studio and Desktop.]

2. Click the LCP tile. The LCP main window opens. It has the File, View, Import, Session and Help menus; the Dictionary attack, Hybrid attack and Brute force attack panels, with a Dictionary word field and a % done indicator; and a results grid with the columns User Name, LM Password, <8, >14, NT Password, LM Hash and NT Hash.

[Figure: LCP main window before any accounts are imported.]

3. Open the Import menu. The choices are Import From Local Computer..., Import From Remote Computer..., Import From SAM File..., Import From .LC File..., Import From .LCS File..., Import From PwDump File... and Import From Sniff File....

[Figure: LCP Import menu.]

4. Choose Import From Remote Computer.... In the Import dialog, enter the target's address, select the Import type (Import from registry or Import from memory) and, if required, tick Encrypt transferred data. Under Connection, tick Execute connection and fill in the Shared resource (the administrative share shown in the figure, ipc$), the User name (Administrator in the figure) and the Password; Hide password masks what you type. Click OK (the dialog also offers Cancel and Help). Importing from a remote registry needs administrator credentials on the target, so this path is only available once such credentials are already in hand; importing from a PwDump file is the offline alternative.

[Figure: LCP Import dialog with the Import type and Connection settings.]

5. The imported accounts appear in the grid. In the figure taken on the lab machine they are Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason and Shiela. Every account's LM Hash column reads NO PASSWORD, meaning no LM hash is stored; the NT Hash column holds each account's NT hash (BE40C450AB99713DF... for Administrator), and Guest shows NO PASSWORD in both columns because no password is set on it.

[Figure: LCP results grid after the import, showing the LM Hash and NT Hash columns.]

6. Select the Dictionary attack panel and start the attack from the Session menu. The status bar shows the percentage done. When the run completes, the recovered plaintexts appear in the NT Password column. In the figure the dictionary attack recovers apple, green, qwerty and test for the accounts Martin, Juggyboy, Jason and Shiela; Administrator and LANGUARD_11_USER are not recovered by the dictionary, which is where the Hybrid attack and Brute force attack panels come in.

[Figure: LCP after the dictionary attack, with the cracked NT passwords filled in.]

Main purpose of the LCP program is user account password auditing and recovery in Windows.
Lab Analysis

Document all the IP addresses and the passwords extracted for the respective IP addresses. Use this tool only for training purposes.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: LCP
Information Collected/Objectives Achieved: account names and password hashes imported from WIN-D39MR5HL9E4, with the passwords recovered by the dictionary attack

Questions
1. What is the main purpose of LCP?
2. How do you continue recovering passwords with LCP?

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Hiding Files Using NTFS Streams

A stream consists of data associated with a main file or directory (known as the main unnamed stream). Each file and directory in NTFS can have multiple data streams that are generally hidden from the user.
Lab Scenario

Once hackers have fully compromised the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they proceed to attack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system, which makes it easy for the attacker to compromise each system in a short amount of time. As each new system is compromised, the attacker repeats the steps outlined above to gather additional system and password information. Attackers continue to leverage information on each system until they identify passwords for accounts that reside on highly prized systems, including payroll, root domain controllers, and web servers. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using NTFS streams.
Lab Objectives

The objective of this lab is to help students learn how to hide files using NTFS streams. It will teach you how to:
- Use NTFS streams
- Hide files

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

Lab Environment

To carry out the lab you need:
- A computer running Windows Server 2008 as a virtual machine
- A C:\ drive formatted NTFS
Lab Duration

Time: 15 Minutes

Overview of NTFS Streams

NTFS (New Technology File System) is the standard file system of Windows. NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures. One of those metadata features is the alternate data stream: a file's contents live in its unnamed $DATA stream, but any number of additional named streams (file.txt:name) can be attached to the same file. Explorer and a plain dir report only the unnamed stream, so data placed in a named stream does not change the size the user sees.
Lab Tasks

TASK 1: Hiding an executable in an alternate data stream

1. Run this lab in the Windows Server 2008 virtual machine.
2. Make sure the C:\ drive is formatted NTFS.
3. Create a folder called magic on the C:\ drive and copy calc.exe from C:\windows\system32 to C:\magic.
4. Open a command prompt, go to C:\magic, type notepad readme.txt and press Enter.
5. readme.txt opens in Notepad (click the Yes button if prompted to create a new readme.txt file).
6. Type Hello World! and save the file.
7. Note the file size of readme.txt by typing dir in the command prompt. In the figure calc.exe is 188,416 bytes and readme.txt is 12 bytes.
8. Now hide calc.exe inside readme.txt by typing the following in the command prompt:

type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe

[Figure: Command prompt in C:\magic showing the dir listing (calc.exe 188,416 bytes, readme.txt 12 bytes) and the type command that writes calc.exe into the readme.txt:calc.exe stream.]

9. Type dir in the command prompt and note the file size of readme.txt.

FIGURE 2.3: Command prompt after executing the hidden calc.exe command; dir still lists readme.txt as 12 bytes, while the free space reported has dropped from 4,377,677,824 to 4,377,415,680 bytes.

10. The file size of readme.txt should not change, because dir reports only the unnamed stream: the 188,416 bytes sit in the named stream and show up only as consumed disk space. Now navigate to the directory C:\magic and delete calc.exe.
11. Return to the command prompt and type the following command (run it from an elevated command prompt, because creating a symbolic link requires a privilege that only administrators hold by default):

mklink backdoor.exe readme.txt:calc.exe

[Figure: Command prompt showing the mklink output: symbolic link created for backdoor.exe <<===>> readme.txt:calc.exe]

12. Type backdoor, press Enter, and the calculator program will be executed from the stream.

FIGURE 2.5: Command prompt with the hidden calc.exe executed, with the Calculator window open in front of it.
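The check a defender wants after this exercise is a way to see the stream that a plain dir hides. What follows is an added example written for this page, not part of the lab manual or of any of its tools: it parses the output of dir /R (available since Windows Vista; it lists every named $DATA stream with its size directly under the owning file) and flags streams that are not ordinary Windows metadata. The listing embedded in it is constructed to match the lab's C:\magic directory, not captured from a machine, and the BENIGN_STREAMS set and the 4096-byte threshold are assumptions chosen for the example.

```python
"""Flag alternate data streams in the output of 'dir /R'.

Added example, not part of the lab manual or of ADS Spy. A plain 'dir'
reports only a file's unnamed stream, which is why readme.txt still shows
12 bytes after calc.exe is copied into readme.txt:calc.exe. 'dir /R'
(Windows Vista and later) adds one line per named stream, formatted
'<size> <file>:<stream>:$DATA', directly under the owning file. The listing
below is constructed to match the lab's C:\\magic directory; it was not
captured from a machine. BENIGN_STREAMS and MIN_SUSPICIOUS_BYTES are
assumptions chosen for this example.
"""
import re

# Named streams Windows and Office write themselves; small ones are expected.
# 'encryptable' and 'SummaryInformation' are what ADS Spy's "Ignore safe
# system info data streams" option skips.
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen", "encryptable", "SummaryInformation"}
MIN_SUSPICIOUS_BYTES = 4096   # a Zone.Identifier is a few dozen bytes; an executable is not

FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$")
STREAM_LINE = re.compile(
    r"^\s*(?P<size>[\d,]+)\s+(?P<name>.+?):(?P<stream>[^:\\]+):\$DATA\s*$")


def _size(text: str) -> int:
    return int(text.replace(",", ""))


def parse_dir_r(listing: str) -> dict:
    """Map each file name to {'size': unnamed-stream size, 'streams': {name: size}}.
    Directory entries (<DIR>) and the summary lines have no size field of the
    expected shape and are skipped."""
    files = {}
    for line in listing.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files[m["name"]] = {"size": _size(m["size"]), "streams": {}}
            continue
        m = STREAM_LINE.match(line)
        if m:
            entry = files.setdefault(m["name"], {"size": None, "streams": {}})
            entry["streams"][m["stream"]] = _size(m["size"])
    return files


def suspicious_streams(files: dict) -> list:
    """Return (file, stream, size, reason) for streams worth a look: any
    stream whose name Windows does not normally use, and any stream large
    enough to carry a payload regardless of its name."""
    findings = []
    for name, entry in files.items():
        for stream, size in entry["streams"].items():
            reasons = []
            if stream not in BENIGN_STREAMS:
                reasons.append("unexpected stream name")
            if size >= MIN_SUSPICIOUS_BYTES:
                reasons.append("large stream")
            if entry["size"] is not None and size > entry["size"]:
                reasons.append("stream is bigger than the size dir reports for the file")
            if reasons:
                findings.append((name, stream, size, "; ".join(reasons)))
    return findings


# Constructed 'dir /R' output for the lab's C:\magic after step 8, plus a
# downloaded text file carrying the usual Mark-of-the-Web stream.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 34C9-D78F

 Directory of C:\\magic

09/12/2012  05:39 AM    <DIR>          .
09/12/2012  05:39 AM    <DIR>          ..
09/12/2012  05:44 AM                12 readme.txt
                                188,416 readme.txt:calc.exe:$DATA
09/12/2012  05:50 AM             2,048 notes.txt
                                     26 notes.txt:Zone.Identifier:$DATA
               2 File(s)          2,060 bytes
               2 Dir(s)   4,377,415,680 bytes free
"""


def scan_sample() -> list:
    return suspicious_streams(parse_dir_r(SAMPLE_DIR_R))


if __name__ == "__main__":
    for name, stream, size, reason in scan_sample():
        print(f"{name}:{stream}  {size:,} bytes  ({reason})")
```

On the lab machine the same listing comes from dir /R C:\magic; PowerShell's Get-Item -Path C:\magic\readme.txt -Stream * and Sysinternals streams.exe report the same streams, and any of the three is a cheap scheduled check on directories that should never carry named streams.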
Lab Analysis

Document all the results discovered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate alternative methods to hide other exe files (like calc.exe).

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Find Hidden Files Using ADS Spy

ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with the NTFS file system.
Lab Scenario

Hackers have many ways to obtain passwords. They can obtain passwords from local computers by using password-cracking software; to obtain passwords from across a network, they can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. In order to be an expert ethical hacker and penetration tester, you must understand how to find hidden files using ADS Spy.
Lab Objectives

The objective of this lab is to help students learn how to list, view, or delete Alternate Data Streams and how to use them. It will teach you how to:
- Use ADS Spy
- Find hidden files

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking

Lab Environment

To carry out the lab you need:
- ADS Spy, located in the module tools directory listed above
- You can also download the latest version of ADS Spy from http://www.merijn.nu/programs.php#adsspy
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool in Windows Server 2012
Lab Duration

Time: 10 Minutes

Overview of ADS Spy

ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with the NTFS file system. ADS (Alternate Data Stream) is a technique used to store meta-information on files: a method of storing meta-information about a file without actually storing the information inside the file it belongs to.
Lab Tasks

TASK 1: Scanning for alternate data streams

1. Launch ADS Spy. Its window offers the scan modes Quick scan (Windows base folder only), Full scan (all NTFS drives) and Scan only this folder:; the options Ignore safe system info data streams ('encryptable', 'SummaryInformation', etc.) and Calculate MD5 checksums of streams' contents; and the buttons Scan the system for alternate data streams and Remove selected streams. The status line reads Ready.

ADS Spy is a small tool to list, view, or delete Alternate Data Streams (ADS) on Windows 2012 with NTFS file systems.

[Figure: ADS Spy main window before a scan.]

2. Select Full scan (all NTFS drives), leave Ignore safe system info data streams ticked, and click Scan the system for alternate data streams.

ADS are a way of storing meta-information regarding files, without actually storing the information in the file it belongs to, carried over from early MacOS compatibility.

The tool's own description reads: Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious!

3. The scan lists every stream it finds together with its size. In the figure the results are:
C:\magic\readme.txt:calc.exe (the calc.exe copy from the NTFS streams lab, listed with its full size in bytes)
C:\Users\Administrator\Documents:{726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes)
C:\Users\Administrator\Favorites\Links\Suggested Sites.url:favicon (894 bytes)
The last two are legitimate streams written by Windows and Internet Explorer; only the first is the hidden executable. Tick a stream and click Remove selected streams to delete it.

[Figure: ADS Spy results after a full scan.]
Lab Analysis

Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: ADS Spy
Information Collected/Objectives Achieved:
Scan Option: Full Scan (all NTFS drives)
Output: hidden files with their location; hidden file sizes

Questions
1. Analyze how ADS Spy detects NTFS streams.

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Hiding Files Using the Stealth Files Tool

Lab Scenario

The Windows NT NTFS file system has a feature that is not well documented and is unknown to many NT developers and most users. A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size, and there can be more than one stream linked to a normal file. Streams can have any name that complies with NTFS naming conventions. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using the Stealth Files tool. In this lab, we discuss how to find hidden files inside of other files using the Stealth Files Tool.
Lab Objectives

The objective of this lab is to teach students how to hide files using the Stealth Files tool. It will teach you how to:
- Use the Stealth Files Tool
- Hide files

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment

To carry out this lab you need:
- The Stealth Files tool, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Audio Steganography\Stealth Files
- A computer running Windows Server 2012 (host machine)
- You can also download the latest version of Stealth Files from http://www.froebis.com/english/sf40.shtml
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Administrative privileges to run the Stealth Files tool
- Run this tool in Windows Server 2012 (host machine)
Lab Duration

Time: 15 Minutes

Overview of the Stealth Files Tool

Steganography is the art and science of writing hidden messages.

Stealth Files uses steganography to hide any file or files inside another file. It complements encryption rather than replacing it: before hiding a file the tool compresses it and encrypts it with a password, then stores the result inside a carrier file, so an observer who does not know that the hidden files exist has nothing to decrypt and no reason to look. The carrier remains usable; someone opening it sees the original content.
Lab Tasks

TASK 1: Hiding and retrieving a file with Stealth Files

1. Follow the wizard-driven installation instructions to install the Stealth Files tool.
2. Launch Notepad, write Hello World! and save the file as readme.txt on the desktop.

[Figure: readme.txt open in Notepad containing Hello World!]

Stealth Files uses a process called steganography to hide any file or files inside of another file.

3. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
4. Click the Stealth Files 4.0 app to open the Stealth Files window.
5. The main window of Stealth Files 4.0 offers Hide Files, Retrieve Files and Close Program.

This is an alternative to encryption because no one can decrypt encrypted information or files unless they know that the hidden files exist.

6. Click Hide Files to start the process of hiding the files.
7. Click Add Files!.

Before Stealth Files hides a file, it compresses it and encrypts it with a password. Then you must select a carrier file, which is the file that will contain the hidden files.

8. In Step 1, add calc.exe from c:\windows\system32\calc.exe. The Step 1 panel also offers Remove Selected Files! and Destroy Source Files!; leave the latter unticked so the original calc.exe is kept.
9. In Step 2, choose the carrier file: add readme.txt from the desktop (C:\Users\Administrator\Desktop\readme.txt). The panel also offers Create a Backup of the Carrier File!.
10. In Step 3, choose a password such as magic (you can type any desired password).

Stealth Files 4.0 can be downloaded from http://www.froebis.com/english/sf40.shtml

[Figure: Stealth Files Hide Files dialog with calc.exe added, the carrier file set to C:\Users\Administrator\Desktop\readme.txt and the password magic.]

11. Click Hide Files!.
12. The tool hides calc.exe inside the readme.txt located on the desktop.
13. Open readme.txt in Notepad and check the file: the original Hello World! is still there, followed by a long block of encoded data that now carries calc.exe. The carrier is larger than before, which is the one observable change; the text itself still opens normally.

[Figure: readme.txt in Notepad, Hello World! followed by the encoded data appended by Stealth Files.]

You can also remove the hidden files from the carrier file by going to Remove Hidden Files and following the instructions.

14. Now open the Stealth Files control panel and click Retrieve Files.

FIGURE 4.8: Stealth Files main window (Hide Files, Retrieve Files, Close Program)

These carrier files will still work perfectly even with the hidden data in them.

15. In Step 1, choose the carrier file (readme.txt) from the desktop in which you saved calc.exe. The panel also offers Destroy Carrier File!.
16. In Step 2, choose the destination directory for the retrieved hidden file; in the lab the path is the desktop (C:\Users\Administrator\Desktop\).
17. In Step 3, enter the password magic (the password that was entered to hide the file) and click Retrieve Files!.

The carrier file can be any of these file types: EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files.

FIGURE 4.9: Retrieve Files window with the carrier file, destination directory and password filled in

When you are ready to recover your hidden files, simply open them up with Stealth Files, and if you gave the carrier file a password, you will be prompted to enter it again to recover the hidden files.

You can transfer the carrier file through the Internet, and the hidden files inside will transfer simultaneously.
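The reason a carrier "still works perfectly" is also what gives the hiding away: a decoder stops at the format's logical end and ignores what follows. The following is an added example written for this page, not code from the lab manual or from Stealth Files. It walks a JPEG carrier's segment structure to the real end-of-image marker and reports any trailing bytes, which is the check to run on JPG carriers of the kind the lab lists. The JPEG in it is constructed by hand from a few valid segments with no real image data, and the append-after-EOI layout is an assumption: the lab's Notepad screenshot shows the encoded data placed after Hello World! in a text carrier, but does not say how Stealth Files lays out JPG carriers.

```python
"""Detect a payload appended after a JPEG carrier's end-of-image marker.

Added example, not part of the lab manual or of Stealth Files. A carrier
image keeps opening normally because decoders stop at the EOI marker
(FF D9) and ignore whatever follows; that same property makes the addition
detectable: follow the file's segment structure to the real EOI and report
any trailing bytes. The JPEG below is built by hand from a few valid
segments with no real image data so the check runs offline. The
append-to-carrier layout is an assumption (see the lead-in above).
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS_MARKER = 0xDA
EOI_MARKER = 0xD9
RST_MARKERS = set(range(0xD0, 0xD8))


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker.

    The segment chain is followed rather than searching for FF D9, because
    an FF D9 can legitimately occur earlier inside an EXIF thumbnail (APP1)
    and, once a payload is appended, inside the payload itself."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI_MARKER:
            return pos + 2
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + length
        if marker != SOS_MARKER:
            continue
        # Entropy-coded scan data follows SOS. Inside it, FF 00 is a stuffed
        # data byte and FF D0..D7 are restart markers; the next other marker
        # ends the scan (EOI for a baseline image, DHT/SOS for a progressive one).
        while pos + 1 < len(data):
            if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST_MARKERS:
                break
            pos += 1
    raise ValueError("no EOI marker found")


def appended_payload(data: bytes) -> bytes:
    """Bytes after the real EOI; empty for a clean carrier."""
    return data[jpeg_end(data):]


def hide_after_eoi(carrier: bytes, payload: bytes) -> bytes:
    """Append-style hiding: the carrier is left intact and the payload follows EOI."""
    return carrier[:jpeg_end(carrier)] + payload


def _segment(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body


# Constructed carrier: SOI, an APP1 segment whose body deliberately contains
# FF D9, a DQT placeholder, an SOS header, a few bytes of scan data with a
# stuffed FF 00 and a restart marker, then the real EOI.
CARRIER = (
    SOI
    + _segment(0xE1, b"Exif\x00\x00thumbnail\xff\xd9end")
    + _segment(0xDB, bytes(65))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + EOI
)
PAYLOAD = b"secret document bytes"


def demo() -> dict:
    stego = hide_after_eoi(CARRIER, PAYLOAD)
    return {
        "clean_trailing": appended_payload(CARRIER),
        "stego_trailing": appended_payload(stego),
        "naive_search_is_wrong": CARRIER.find(EOI) + 2 != jpeg_end(CARRIER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The naive_search_is_wrong entry is the point of walking the structure: a plain search for FF D9 stops at the copy inside the APP1 segment and would report the image data itself as "trailing", so a scanner built that way produces false positives on any photo with an embedded thumbnail.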
Lab Analysis

Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Stealth Files
Information Collected/Objectives Achieved:
Hidden file: calc.exe (Calculator)
Carrier file: readme.txt (Notepad)
Output: the retrieved calculator executes

Questions
1. Evaluate other alternative parameters for hiding files.

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Extracting Password Hashes Using pwdump7

Lab Scenario

Passwords are a big part of modern computing. You use a password on your system to protect business or secret information, and you may choose to limit access to your PC with a Windows password. These passwords are an important security layer, but many passwords can be cracked, and while that is a worry, this chink in the armour can also come to your rescue: the same password-cracking tools and techniques that let hackers steal passwords can be used to recover them legitimately. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab, we discuss extracting the user login password hashes in order to crack the passwords.
Lab Objectives

This lab teaches you how to:
- Use the pwdump7 tool
- Crack administrator passwords

Lab Environment

To carry out the lab you need:
- pwdump7, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7
- Run this tool on Windows Server 2012 (host machine)
- You can also download the latest version of pwdump7 from http://www.tarasco.org/security/pwdump_7/index.html
- Administrative privileges to run tools
- TCP/IP settings correctly configured and an accessible DNS server

Lab Duration

Time: 10 Minutes
Overview of pwdump7

pwdump7 dumps the LM and NT password hashes of the local accounts by reading the SAM and SYSTEM registry hive files directly from disk rather than through the Windows API, which is why it needs administrative privileges and why it can also copy files that are locked by a running process. To copy a file that is in use, execute: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat
Lab T asks
Generating Hashes
1. Open the command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7. 2. Alternatively, you can also navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7a11d right-click the pwdump7 folder and select CM D prompt here to open the command prompt.
Ad ministraton C:\Wi ndows\system32\cmd.exe
[D:\CEH-Tools\CEHv8 Module 05 Sys t e m Hack i n g \ P a s s w o r d C r ackingMJindows Hrac ke t*s\pw d u m p 7 > Password C
Note: Active Directory passwords are stored in the ntds.dit file and currently the stored structure
3. Type pwdump7.exe and press Enter. The tool prints one line per local account containing that account's password hashes.
4. Now type pwdump7.exe > c:\hashes.txt in the command prompt and press Enter.
5. This command redirects the output of pwdump7.exe into the file c:\hashes.txt. (To check the generated hashes, open that file from the C: drive.)
hashes.txt opened in Notepad shows one line per account in pwdump format, username:RID:LM hash:NT hash:::, with the placeholder NO PASSWORD********************* where no hash is stored:
Administrator:500:NO PASSWORD*********************:BE40C450AB99713DF1EDC5B40C25AD47:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
LANGUARD_11_USER:1006:NO PASSWORD*********************:C25510219F66F9F12FC9BE662A67B960:::
Martin:1018:NO PASSWORD*********************:5EBE7DFA074DA8EE8AEF1FAA2BBDE876:::
Juggyboy:1019:NO PASSWORD*********************:488CDCDD2225312793ED6967B28C1025:::
Jason:1020:NO PASSWORD*********************:2D20D252A479F485CDF5E171D93985BF:::
Shiela:1021:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::
Every LM field reads NO PASSWORD: Windows Server 2012 does not store LM hashes by default, so only the NT hashes can be attacked in the following labs.
Lab Analysis
Analyze all the password hashes gathered during the lab and figure out what the passwords were.
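The following added example (written for this edition; it is not part of the original lab manual or of pwdump7) shows what the lab analysis amounts to when done by hand: parse the hashes.txt lines, compute the NT hash of each candidate password (MD4 over the UTF-16LE encoding of the password, implemented inline because hashlib's md4 is unavailable in many OpenSSL 3 builds) and match it against every account. The sample lines are the lab's hashes.txt content; the wordlist is constructed for the example.

```python
"""Verify candidate passwords against pwdump7 output.

Added example; not part of the original lab manual or of pwdump7. The sample
lines are the hashes.txt content from the lab; the wordlist is constructed.
"""
import struct

MASK = 0xFFFFFFFF

# Lines copied from the lab's hashes.txt (user:RID:LM hash:NT hash:::).
PWDUMP_SAMPLE = """\
Administrator:500:NO PASSWORD*********************:BE40C450AB99713DF1EDC5B40C25AD47:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
LANGUARD_11_USER:1006:NO PASSWORD*********************:C25510219F66F9F12FC9BE662A67B960:::
Martin:1018:NO PASSWORD*********************:5EBE7DFA074DA8EE8AEF1FAA2BBDE876:::
Juggyboy:1019:NO PASSWORD*********************:488CDCDD2225312793ED6967B28C1025:::
Jason:1020:NO PASSWORD*********************:2D20D252A479F485CDF5E171D93985BF:::
Shiela:1021:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::
"""


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (pure Python; hashlib's md4 is often
    missing under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian

    def f(x, y, z):
        return (x & y) | ((~x & MASK) & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate so the next step updates d, c, b in turn
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The NT hash is MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text: str):
    """Yield (user, rid, lm_hash, nt_hash); a NO PASSWORD field becomes None."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        yield (user, int(rid),
               None if lm.startswith("NO PASSWORD") else lm.lower(),
               None if nt.startswith("NO PASSWORD") else nt.lower())


def crack(text: str, wordlist) -> dict:
    """Dictionary attack: hash each candidate once, then look every account's
    NT hash up in that map. Returns {user: password} for the accounts found."""
    candidates = {nt_hash(w): w for w in wordlist}
    return {user: candidates[nt]
            for user, _rid, _lm, nt in parse_pwdump(text)
            if nt is not None and nt in candidates}


if __name__ == "__main__":
    # Constructed wordlist for the demonstration.
    print(crack(PWDUMP_SAMPLE, ["letmein", "test", "qwerty", "green", "apple"]))
```

Because the NT hash is unsalted, one hash computation per candidate tests that candidate against every account at once, and identical passwords produce identical hashes across accounts and machines. Only a password that appears in the wordlist is recovered; the rainbow table and L0phtCrack labs that follow are the answer to that limitation.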
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: pwdump7
Information Collected/Objectives Achieved: Output: list of user names and password hashes for Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason and Shiela
Questions
1. What is the pwdump7.exe command used for?
2. How do you copy the result of a command to a file?
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Creating the Rainbow Tables Using Winrtgen
Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes.
Lab Scenario
In computer and information security, the use of passwords is essential for users to protect their data and to ensure secure access to their system or machine. As users become increasingly aware of the need to adopt strong passwords, protecting that data also becomes more challenging. In this lab, we create a rainbow table to crack the system users' passwords. In order to be an expert ethical hacker and penetration tester, you must understand how to create rainbow tables to crack the administrator password.
Lab Objectives
The objective of this lab is to help students learn how to create and use a rainbow table to perform system password hacking.
Lab Environment
The Winrtgen tool is located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
A computer running Windows Server 2012
You can also download the latest version of Winrtgen from http://www.oxid.it/projects.html
If you decide to download the latest version, the screenshots shown in the lab might differ
Run this tool on Windows Server 2012
Administrative privileges to run this program
Lab Duration
Time: 10 Minutes
Overview of Rainbow Table
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used to recover plaintext passwords up to a certain length consisting of a limited set of characters. The table trades disk space for cracking time: long chains of alternating hash and reduction steps are computed once, in advance, and only each chain's start and end point are stored, so a lookup only has to recompute one chain rather than search the whole key space.
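The following added example (not part of the original lab or of Winrtgen) builds and searches a toy rainbow table to show what the Chain Len, Chain Count and Charset settings in the Winrtgen dialog do. It uses MD5 from hashlib in place of NTLM so that it runs stand-alone, a key space of lowercase strings of exactly three characters, and chain parameters chosen for the example; the key space size, chain length and chain count are assumptions of the example, not the lab's settings.

```python
"""Toy rainbow table: precomputation and lookup.

Added example, not part of the original lab or of Winrtgen. MD5 (hashlib)
stands in for NTLM; the key space, chain length and chain count are the
example's own choices and are tiny so that it runs in seconds.
"""
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz"     # Winrtgen's loweralpha charset
PLAIN_LEN = 3                              # fixed length for the toy (Winrtgen: Min Len..Max Len)
KEYSPACE = len(CHARSET) ** PLAIN_LEN       # 26**3 = 17576 candidate plaintexts


def hash_fn(plaintext: str) -> bytes:
    return hashlib.md5(plaintext.encode()).digest()


def index_to_plain(n: int) -> str:
    chars = []
    for _ in range(PLAIN_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def reduce_fn(digest: bytes, column: int) -> str:
    """Map a digest back into the key space. Folding the column number in is
    what makes the table a *rainbow* table: chains that collide in different
    columns do not merge."""
    n = (int.from_bytes(digest[:8], "little") + column) % KEYSPACE
    return index_to_plain(n)


def build_table(chain_len: int, chain_count: int, seed: int = 1) -> dict:
    """Precomputation (Winrtgen's slow part). Each chain alternates hash and
    reduce for chain_len steps; only {end_point: start_point} is stored."""
    rng = random.Random(seed)
    table = {}
    for _ in range(chain_count):
        start = index_to_plain(rng.randrange(KEYSPACE))
        p = start
        for column in range(chain_len):
            p = reduce_fn(hash_fn(p), column)
        table.setdefault(p, start)      # two chains with one end have merged: keep the first
    return table


def lookup(table: dict, target: bytes, chain_len: int):
    """Online phase. Assume the target sat in column `column`; finish the chain
    from there, and if its end is stored, regenerate that chain from its start."""
    for column in range(chain_len - 1, -1, -1):
        p = reduce_fn(target, column)
        for j in range(column + 1, chain_len):
            p = reduce_fn(hash_fn(p), j)
        start = table.get(p)
        if start is None:
            continue                     # this column's chain end is not in the table
        q = start
        for j in range(chain_len):       # false alarms fall through to the next column
            if hash_fn(q) == target:
                return q
            q = reduce_fn(hash_fn(q), j)
    return None


def success_rate(table: dict, chain_len: int, samples: int = 300, seed: int = 2) -> float:
    """Estimate the table's success probability on random plaintexts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        p = index_to_plain(rng.randrange(KEYSPACE))
        hits += lookup(table, hash_fn(p), chain_len) == p
    return hits / samples


if __name__ == "__main__":
    CHAIN_LEN, CHAIN_COUNT = 50, 400
    t = build_table(CHAIN_LEN, CHAIN_COUNT)
    print("stored chains:", len(t), "of", CHAIN_COUNT)
    print("cracked 'key' ->", lookup(t, hash_fn("key"), CHAIN_LEN))   # None if not covered
    print("estimated success probability:", success_rate(t, CHAIN_LEN))
```

The same arithmetic explains the figures Winrtgen reports for the lab's settings: 2400 x 4,000,000 chain positions against a key space of 5,646,683,807,856 lowercase strings of 4 to 9 characters gives a success probability of about 0.0017, and 4,000,000 chains stored as an 8-byte start and an 8-byte end each take 64,000,000 bytes, the 61.03 MB shown in the dialog. Chain merges, which setdefault discards in the toy, are why the real figure is a little below chain length x chain count / key space, and why several tables with different indices are generated to cover more of the key space.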
Lab Tasks
TASK 1
1. Double-click the winrtgen.exe file. The main window of winrtgen is shown in the following figure.
FIGURE 6.1: winrtgen main window (winrtgen v2.8 Rainbow Tables Generator by mao, with the Filename and Status columns and the Add Table, Remove, Remove All, About, OK and Exit buttons)
Note: Rainbow tables are usually used to crack a lot of hash types such as
2. Click Add Table.
3. The Rainbow Table properties window appears:
i. Select ntlm from the Hash drop-down list.
ii. Set Min Len to 4, Max Len to 9, and Chain Count to 4000000.
iii. Select loweralpha from the Charset drop-down list (the charset and length range must cover the passwords you expect; a table only ever finds passwords that lie inside the key space it was generated for).
4. Click OK.
The Rainbow Table properties dialog then shows:
Hash: ntlm; Min Len: 4; Max Len: 9; Index: 0; Chain Len: 2400; Chain Count: 4000000; Charset: loweralpha (abcdefghijklmnopqrstuvwxyz)
Table properties: Key space: 5646683807856 keys; Disk space: 61.03 MB; Success probability: 0.001697 (0.17%)
Benchmark (filled in after clicking Benchmark): Hash speed, Step speed, Table precomputation time, Total precomputation time, Max cryptanalysis time
Optional parameter: Administrator
The key space is the number of lowercase strings of 4 to 9 characters (26^4 + 26^5 + ... + 26^9), and the success probability is roughly Chain Len x Chain Count divided by the key space (2400 x 4000000 / 5646683807856 = 0.0017), so a single table of this size covers only a tiny fraction of the longer passwords; the Index value selects a different set of reduction functions, which is how several tables are generated to cover more of the key space.
The new table appears in the list as ntlm_loweralpha#4-9_0_2400x4000000_oxid#000.rt; the file name encodes the hash type, charset, length range, table index, chain length and chain count.
Creating the hash table will take some time, depending on the selected hash and charset. Note: To save time for the lab demonstration, a generated hash table is kept in the following folder: D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
Note: Be careful with your hard disk space; even a simple rainbow table for 1-5 character alphanumeric passwords costs about 613 MB.
[Figure: the Winrtgen folder (CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen) in Explorer, 4 items including charset.txt, winrtgen.exe and the generated .rt table]
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: Winrtgen
Information Collected/Objectives Achieved: Purpose: Creating a rainbow table with the loweralpha charset. Output: Created rainbow table ntlm_loweralpha#4-6_0_2400x4000000_ox...
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Password Cracking Using RainbowCrack
RainbowCrack is a computer program that generates rainbow tables to be used in password cracking.
Lab Scenario
Computer passwords are like locks on doors; they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop them. Most computer users do not realize how simple it is to access the login password for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is for someone to gain access to your computer? Windows is still the most popular operating system, and the method used to discover the login password is the easiest. A hacker uses password cracking utilities and cracks your system. That is how simple it is for someone to hack your password. It requires no technical skills, no laborious tasks, only simple words or programs. In order to be an ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we discuss how to crack guest user or administrator passwords using RainbowCrack.
Lab Objectives
The objective of this lab is to help students crack passwords to perform system password hacking.
Lab Environment
To carry out the lab, you need:
The RainbowCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\RainbowCrack
A computer running Windows Server 2012
You can also download the latest version of RainbowCrack from http://project-rainbowcrack.com/
If you decide to download the latest version, the screenshots shown in the lab might differ
Run this tool on Windows Server 2012
Administrative privileges to run this program
Lab Duration
Time: 10 Minutes
Overview of RainbowCrack
RainbowCrack is a computer program that generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large precomputed tables called rainbow tables to reduce the length of time needed to crack a password.
Lab Tasks
TASK 1
1. Double-click the rcrack_gui.exe file. The main window of RainbowCrack is shown in the following figure.
Note: RainbowCrack for GPU is the hash cracking program of the RainbowCrack hash cracking utilities that runs on the GPU.
[Figure: RainbowCrack 1.5 main window with the Hash, Plaintext, Plaintext in Hex and Comment columns; the File menu offers Add Hash..., Load Hashes from File..., Load LM Hashes from PWDUMP File..., Load NTLM Hashes from PWDUMP File... and Save Results...]
Note: RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight GPU brute forcing cracker.
2. Click File and select Add Hash...
3. The Add Hash window appears:
i. Navigate to C:\ and open the hashes.txt file (already generated using pwdump7 in the previous lab and located at c:\hashes.txt).
ii. Right-click and copy a hash from the hashes.txt file.
iii. Paste it into the Hash field and give a comment (optional).
iv. Click OK.
(The NT hash is the fourth colon-separated field of each hashes.txt line. Alternatively, File > Load NTLM Hashes from PWDUMP File... reads c:\hashes.txt directly, so the hashes need not be pasted one at a time.)
[Figure: hashes.txt open in Notepad, with the right-click context menu (Undo, Cut, Copy, Paste, Delete, Select All, ...) used to copy a hash]
Note: RainbowCrack uses a time-memory tradeoff algorithm to crack hashes. It differs from hash crackers that use a brute force algorithm.
[Figure: the pasted hash shown in the RainbowCrack 1.5 window]
Note: RainbowCrack is a full time-memory tradeoff tool suite, including rainbow table generation, sort, conversion and lookup.
4. The hash is added to the list.
5. To add more hashes, repeat steps 2 and 3 (i, ii, iii, iv).
6. The added hashes are shown in the following figure.
[Figure: RainbowCrack 1.5 with the loaded NT hashes 0cb6948805f797bf2a82807973b89537 (entered twice), 488cdcdd2225312793ed6967b28c1025, 5ebe7dfa074da8ee8aef1faa2bbde876 and c25510219f66f9f12fc9be662a67b960; the Plaintext and Plaintext in Hex columns show ? until a table has been searched]
Note: RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per se; some organizations have made RainbowCrack rainbow tables available free over the Internet.
7. Click Rainbow Table on the menu bar, and click Search Rainbow Table...
Note: RainbowCrack for GPU uses the GPU from NVIDIA for computing instead of the CPU. By offloading the computation to the GPU, RainbowCrack for GPU can be tens of times faster than the non-GPU version.
8. Browse to the rainbow table already generated in the previous lab, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen.
9. Click Open.
[Figure: Open dialog in the winrtgen folder, file type Rainbow Tables (*.rt;*.rtc), file name ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt]
Note: A time-memory tradeoff hash cracker needs a precomputation stage, during which all plaintext/hash pairs within the selected hash algorithm, charset and plaintext length are computed and the results are stored in files called rainbow tables.
10. RainbowCrack searches the table and cracks the passwords, as shown in the following figure.
RainbowCrack 1.5 results (Hash / Plaintext / Plaintext in Hex; the optional Comment entered in step 3 is shown in the last column):
0cb6948805f797bf2a82807973b89537 / test / 74657374
0cb6948805f797bf2a82807973b89537 / test / 74657374
488cdcdd2225312793ed6967b28c1025 / green / 677265656e
5ebe7dfa074da8ee8aef1faa2bbde876 / apple / 6170706c65
c25510219f66f9f12fc9be662a67b960 / (not found) / ?
2d20d252a479f485cdf5e171d93985bf / qwerty / 717765727479
The hash that is not found belongs to LANGUARD_11_USER: its password either lies outside the lowercase key space the table was generated for, or is one of the keys this table does not cover (the table's success probability is below 100%).
Note: RainbowCrack focuses on the development of an optimized time-memory tradeoff implementation and the generation of large rainbow tables.
Lab Analysis
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: RainbowCrack
Information Collected/Objectives Achieved: Hashes: Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason, Shiela. Passwords cracked: test (entered twice), green, apple, qwerty
Questions
1. What kinds of hashes does RainbowCrack support?
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Lab Scenario
Since security and compliance are high priorities for most organizations, attacks on a company or organization's computer systems take many different forms, such as spoofing, smurfing, and other types of denial-of-service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems.
Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. In this lab we will look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. Through an examination of several scenarios, in this lab we describe some of the techniques they deploy and the tools that aid them in their assaults, and how password crackers work both internally and externally to violate a company's infrastructure.
In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we crack the system user accounts using L0phtCrack.
Lab Objectives
The lab teaches you how to:
Use the L0phtCrack tool
Crack administrator passwords
Lab Environment
To carry out the lab you need:
The L0phtCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\L0phtCrack
Run this tool on Windows Server 2012 (host machine)
You can also download the latest version of L0phtCrack from http://www.l0phtcrack.com
Administrative privileges to run tools
Follow the wizard-driven installation instructions
TCP/IP settings correctly configured and an accessible DNS server
This tool requires the user to register; you can also use the evaluation version for a limited period of time
Lab Duration
Time: 10 Minutes
Overview of L0phtCrack
L0phtCrack provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.
Lab Tasks
TASK 1
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 8.2: Windows Server 2012 Apps (Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, Computer, Control Panel, Command Prompt, Mozilla Firefox, Nmap Zenmap GUI and the other installed apps)
Note: L0phtCrack supports pre-computed password hashes.
2. Click the L0phtCrack 6 app.
3. The L0phtCrack 6 Wizard opens with the welcome text: "This wizard will prompt you with step-by-step instructions to get you auditing in minutes. First, the wizard will help you determine where to retrieve your encrypted passwords from. Second, you will be prompted with a few options regarding which methods to use to audit the passwords. Third, you will be prompted with how you wish to report the results. Then, L0phtCrack will proceed auditing the passwords and report status to you along the way, notifying you when auditing is complete. Press 'Next' to continue with the wizard." Click Next.
4. Choose Retrieve from the local machine in the Get Encrypted Passwords wizard and click Next.
Get Encrypted Passwords: choose one of the following methods to retrieve the encrypted passwords:
Retrieve from the local machine: pulls encrypted passwords from the local machine's registry. Administrator access is required.
Retrieve from a remote machine: retrieves encrypted passwords from a remote machine on your domain. Administrator access is required.
Retrieve from SAM/SYSTEM backup: use emergency repair disks, backup tapes, or volume shadow copy techniques to obtain a copy of the registry SAM and SYSTEM hives. This contains a copy of your non-domain passwords.
Retrieve by sniffing the local network: sniffing captures encrypted hashes in transit over your network. Logins, file sharing and print sharing all use network authentication that can be captured.
Note: L0phtCrack has a built-in ability to import passwords from remote Windows machines, including 64-bit versions of Vista and Windows 7, and from UNIX machines, without requiring a third-party utility.
5. Choose Strong Password Audit from the Choose Auditing Method wizard and click Next.
6. In Pick Reporting Style, select Display encrypted password hashes.
7. Click Next.
8. Click Finish.
L0phtCrack Password Auditor v6.0.16, Begin Auditing: L0phtCrack is now ready to begin the password auditing process. Confirm the following settings, and go back and change anything that is not correct:
Retrieve passwords from the local machine
Perform 'Quick' password audit
Display domain password belongs to
Display passwords when audited
Display time spent auditing each password
Give visible notification when done auditing
Show method used to crack password
Save these settings as session defaults (checked)
Press 'Finish' to begin auditing
Note: L0phtCrack has real-time reporting that is displayed in a separate, tabbed interface.
9. L0phtCrack 6 shows an Audit Completed message; click OK.
10. Click Session Options on the menu bar.
[Figure: the L0phtCrack 6 main window with the Run, Report, Cracked Accounts, Weak Passwords, Pause, Stop, Schedule and Scheduled Audit Tasks controls above a Domain / User Name / LM Password / LM Hash table; the accounts Administrator, Guest, Jason, Juggyboy, LANGUARD_11_USER and Martin on WIN-D39MR... all show * missing * in the LM Password column, the Audit completed dialog is open, and the elapsed time reads 0d 0h 0m 0s]
FIGURE 8.8: Selecting Session Options
Note: L0phtCrack uses Dictionary, Hybrid, Precomputed, and Brute Force password auditing methods.
11. The Auditing Options For This Session window appears:
i. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary Crack.
ii. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary/Brute Hybrid Crack.
iii. Select the Enabled and Crack NTLM Passwords check boxes in Brute Force Crack.
iv. Select the Enable Brute Force Minimum Character Count check box.
v. Select the Enable Brute Force Maximum Character Count check box.
12. Click OK.
The dialog describes each method:
Dictionary Crack tests for passwords that are the same as the words listed in the word file (English). This test is very fast and finds the weakest passwords.
Dictionary/Brute Hybrid Crack tests for passwords that are variations of the words in the word file. It finds passwords such as Dana99 or monkeys!. This test is fast and finds weak passwords.
Precomputed Crack (Enabled; Hash File List; Location), also known as 'rainbow tables', tests for passwords against precomputed hashes contained in a file or files. This test is very fast and finds passwords created from the same character set as the precomputed hashes. Preserving precomputation data speeds up consecutive runs in exchange for disk space. This crack works against LM and NTLM passwords, but not Unix.
Brute Force Crack tests for passwords that are made up of the characters specified in the character set. It finds passwords such as "WeR3pfc6s" or "vC5%6S*12b". This test is slow and finds medium to strong passwords. Enabling a start or end point lets you control the minimum and maximum number of characters to iterate. The actual maximum character count used may vary based on hash type. Specify a character set with more characters to crack stronger passwords.
13. Click Begin on the menu bar. L0phtCrack cracks the passwords.
14. A report is generated with the cracked passwords.
FIGURE 8.10: Generated cracked passwords
Lab Analysis
Document all the results and reports gathered during the lab.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: L0phtCrack
Information Collected/Objectives Achieved: User names: Administrator, Guest, Jason, Juggyboy, LANGUARD_11_USER, Martin. Passwords found: qwerty, green, apple
Questions
1. What are the alternatives to cracking administrator passwords?
2. Why is a brute force attack used in the L0phtCrack tool?
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Password Cracking Using Ophcrack
Ophcrack is a free open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables.
Lab Scenario
In a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems, because instead of forcing users to choose well-chosen secrets they are allowed to pick ones that are easy to remember. The basic idea of a defence is to ensure that the data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not; we examine common forms of guessing attacks and password cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Poorly chosen passwords are vulnerable to attacks based upon copying information. In order to be an expert ethical hacker and penetration tester, you must understand how to crack weak administrator or system user account passwords using password cracking tools. In this lab we show you how to crack system user accounts using Ophcrack.
Lab Objectives
The objective of this lab is to help students learn to:
Use the Ophcrack tool
Crack administrator passwords
Lab Environment
To carry out the lab, you need:
The Ophcrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack
Run this tool on Windows Server 2012 (host machine)
You can also download the latest version of Ophcrack from http://ophcrack.sourceforge.net/
Lab Duration
Time: 15 Minutes
Overview of Ophcrack
Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. By default, Ophcrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters. Those tables only help where an LM hash is stored; the hashes dumped in this module contain NT hashes only, so the NT (Vista) tables installed below are needed.
Lab Tasks
TASK 1
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
2. Click the ophcrack app.
3. The ophcrack main window appears, with the Load, Delete, Save, Tables, Crack, Help, Exit and About buttons and the Preload (waiting), Brute force (waiting), Pwd found (0/0) and Time elapsed (0h 0m 0s) status fields.
4. Click Load. The Load menu offers, among other sources, PWDUMP file, Encrypted SAM, Local SAM with samdump2, Local SAM with pwdump and Remote SAM; select PWDUMP file.
5. Browse to the PWDUMP file already generated using pwdump7 in the previous lab (located at c:\hashes.txt).
6. Click Open.
[Figure: Open PWDUMP file dialog showing the C: drive contents (Program Files, Program Files (x86), TFTP-Root, Users, usr, Windows, Windows.old, .rnd, hashes.txt, msdos.sys, user.js); File name: hashes.txt]
Note: Ophcrack is also available as Live CD distributions which automate the retrieval, decryption, and cracking of passwords from a Windows system.
7. The hashes are loaded and the user names (Administrator through Shiela) appear in the User column of the main window; Progress shows waiting.
8. Click Tables. The Table Selection window appears as shown in the following figure.
Table Selection lists the available tables, all with Status not installed: XP free fast, XP free small, XP special, XP german v1, XP german v2, Vista special, Vista free, Vista nine, Vista eight, Vista num, Vista seven, XP flash, Vista eight XL. The legend shows the enabled, disabled and not installed markers; the main window behind it lists the users Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason and Shiela.
Note: You can download the free XP rainbow tables and Vista rainbow tables from http://ophcrack.sourceforge.net/tables.php
9. Select Vista free, and click Install.
FIGURE 9.8: Installing the Vista free rainbow table
10. The Browse For Folder window appears; select the table_vista_free folder (already downloaded and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack).
11. Click OK.
[Figure: Browse For Folder dialog, "Select the directory which contains the tables."]
Note: Ophcrack free tables are available for Windows XP, Vista and 7.
12. The selected table Vista free is installed; its status changes to on disk and it shows a green ball, which means it is enabled. Click OK.
[Figure: Table Selection with Vista free marked on disk and enabled; the other tables remain not installed]
Note: Load > Encrypted SAM loads hashes from an encrypted SAM recovered from a Windows partition.
13. Click Crack; Ophcrack cracks the passwords as shown in the following figure.
The ophcrack results (User / LM Hash / NT Hash / LM Pwd 1 / LM Pwd 2 / NT Pwd); no LM hashes were loaded, so the LM columns are empty, and NT Pwd is blank where the password was not found:
Administrator / / BE40C450AB997... / / /
Guest / / 31d6cfe0d16ae9... / / / empty
LANGUARD_11_USER / / C25510219F66F... / / /
Martin / / 5EBE7DFA074D... / / / apple
Juggyboy / / 488CDCDD2225... / / / green
Jason / / 2D20D252A479F... / / / qwerty
Shiela / / 0CB6948805F79... / / / test
Note: Cracking the NT hash with the Vista tables is necessary if generation of the LM hash is disabled (the default since Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).
Lab Analysis
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: OphCrack
Information Collected/Objectives Achieved:
User Names: Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason, Shiela
Rainbow Table Used: Vista free
Passwords Found: apple, green, qwerty, test
Questions
1. What are the alternatives to cracking administrator passwords?
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
System Monitoring Using RemoteExec
System hacking is the science of testing computers and networks for vulnerabilities and plug-ins.
Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.
You should also have knowledge of gaining access, escalating privileges, executing applications, hiding files, and covering tracks.
Lab Objectives
The objective of this lab is to help students learn to:
- Install service packs, patches, and hotfixes
- Copy folders and files
- Run programs, scripts, and applications
- Deploy Windows Installer packages in silent mode

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab, you need:
- The RemoteExec tool, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\RemoteExec
- Windows Server 2008 running on the virtual machine
- Follow the wizard-driven installation steps
- You can also download the latest version of RemoteExec from the link http://www.isdecisions.com/en. If you decide to download the latest version, then the screenshots shown in the lab might differ.
- Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of RemoteExec
RemoteExec, the universal deployer for Microsoft Windows systems, allows network administrators to run tasks remotely.
Lab Tasks
TASK 1: Monitoring System
(RemoteExec main window: Remote jobs, Reporter, Scheduler and Options, which let you configure, manage and execute remote jobs, display reports of remote executions, schedule remote executions and generate automated reports, and configure RemoteExec options.)
Note: System Requirements: Target computers can have any of these operating systems: Microsoft Windows 2003/2008 (no service pack is required); an administration console with Microsoft Windows 2003/2008 Service Pack 6, IE5 or more.
Note: RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (WAN) as well as on remote machines.
Remote execution requirements: The account running RemoteExec needs administrative rights on the target computers. Microsoft file and printer sharing (SMB, TCP 445) and ICMP (ping) should be enabled. These protocols also need to be allowed in any firewall between the administration console and the target computers.
3. To execute a new remote job, double-click the New Remote job option, which configures and executes a new remote job.
(RemoteExec Remote jobs view: New remote job, My Remote Jobs, My Remote Actions, My Target Computers.)
Note: Configure files to be generated: You see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, Document generation, is available to specify the output files. Select a PDF file to be generated in an existing folder. Make sure that the account running the task has write access to this folder.
4. In a New Remote job configuration you can view the different categories available for working remotely.
5. Here, as an example, we are executing the File execution option. To execute it, double-click File Execution.
(New remote job categories: File execution, Update installation, MSI installation, System action, File Operation, Local account maintenance, Popup, Multiple actions.)
6. In the File execution settings, browse to the executable file, select Interactive from the Context drop-down list, and check the Auto option.
Note: Using RemoteExec, you can: install patches, service packs, and hotfixes; deploy Windows Installer packages in silent mode; run applications, programs, and scripts; copy files and folders.
FIGURE 10.5: RemoteExec File execution settings
Note: Automated reports: You may want to get all these reports automatically by email each time a scheduled attempt has been done. To do this, follow the steps below.
7. Configuring the Filter section:
a. For the OS version, select = from the drop-down menu and specify the operating system.
b. For the OS level, select = from the drop-down menu and select Workstation.
c. For the IE version, select >= from the drop-down menu and specify the IE version.
d. For the Service Pack, select = from the drop-down menu and specify the service pack version.
Note: Once installed, RemoteExec and its documentation are accessible through the Windows Start menu. By default, RemoteExec is installed in evaluation mode.
(File execution, Filter tab: the option "Don't execute again on a computer where the action was already executed" is set.)
FIGURE 10.6: RemoteExec Filter tab
Note: The remote job was automatically set with the filter option "Don't execute again on a computer where the action was already executed". So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.
8. Selecting a target computer: enter the target computer name manually by selecting Name from the drop-down list and clicking OK.
Note: Configure the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select the latest execution, the report is always generated for the latest execution.
FIGURE 10.7: RemoteExec Add/Edit a computer
9. To execute the defined action on the remote computer, click the Launch option in the right pane of the window.
Note: Schedule the report: To configure a scheduled report, click Schedule in the toolbar and, when prompted, select the task that has been created previously to install Acrobat Reader.
(File execution view with the Launch, Launch in a new tab, Schedule and Save options in the toolbar.)
FIGURE 10.8: RemoteExec executing the defined action
Lab Analysis
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: RemoteExec
Information Collected/Objectives Achieved:
File to Execute: Firefox setup 3-6.13.exe
Computer Name: WIN-D39MRSHL9E4
Hiding Data Using Snow Steganography
Snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.
Lab Scenario
Network steganography describes all the methods used for transmitting data over a network without it being detected. Several methods for hiding data in a network have been proposed, but the main drawback of most of them is that they do not offer a secondary layer of protection: if the steganography is detected, the data is in plaintext. To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked.
Lab Objectives
The objective of this lab is to help students learn:
- Using Snow steganography to hide files and data
- Hiding files using spaces and tabs
Lab Environment
- Snow, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Whitespace Steganography\SNOW
- Run this tool on Windows Server 2012
- You can also download the latest version of Snow from the link http://www.darkside.com.au/snow/. If you decide to download the latest version, then the screenshots shown in the lab might differ.
Lab Duration
Time: 10 Minutes
Overview of Snow
1. Open a command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Whitespace Steganography\Snow.
2. Open Notepad, type Hello World!, press Enter, and then press the hyphen key repeatedly to draw a line below it.
3. Save the file as readme.txt.
Note: The encryption algorithm built in to snow is ICE, a 64-bit block cipher also designed by the author of snow. It runs in 1-bit cipher-feedback (CFB) mode, which although inefficient (requiring a full 64-bit encryption for each bit of output),
4. Type this command in the command shell: snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt (magic is the password; you can type your desired password instead). readme2.txt is the name of another file that will be created automatically.
E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\white space steganography\Snow>snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt
Compressed by 23.37%
Message exceeded available space by approximately 571.43%.
An extra 8 lines were added.

E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\white space steganography\Snow>
FIGURE 11.2: Hiding the contents of readme.txt and the text in the readme2.txt file
5. Now the data (My swiss bank account number is 45656684512263) is hidden inside the readme2.txt file together with the contents of readme.txt.
Note: If you want to compress a long message, or one not containing standard text, you would be better off compressing the message externally with a specialized compression program and bypassing snow's optional compression step. This usually results in a better compression ratio.
6. The contents of readme2.txt are readme.txt + My swiss bank account number is 45656684512263.
7. Now type snow -C -p "magic" Readme2.txt; this will show the contents of readme.txt (magic is the password that was entered while hiding the data).
Administrator: Command Prompt
E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\white space steganography\Snow>snow -C -p "magic" Readme2.txt
My swiss bank account number is 45656684512263

E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\white space steganography\Snow>
8. To check the file in a GUI, open readme2.txt in Notepad and select Edit -> Select All. You will see the hidden data inside readme2.txt in the form of spaces and tabs.
FIGURE 11.4: Contents of readme2.txt revealed with the Select All option
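As an added illustration (my own simplified scheme, not snow's code and not compatible with its on-disk format), the following Python shows the mechanism the lab demonstrates: message bits are appended to line ends as tabs and spaces, read back from the trailing whitespace, and, from the defender's side, found by the same trailing-whitespace check that Select All in Notepad performs by eye. The cover text and message are constructed for the example.

```python
# Whitespace steganography in the spirit of snow. This is a simplified scheme
# written for this example (not snow's format): every group is one tab followed
# by 0-7 spaces and therefore carries 3 bits; a line carries up to four groups.

BITS_PER_GROUP = 3
GROUPS_PER_LINE = 4   # per-line capacity; snow derives this from the line width


def _to_bits(data: bytes) -> list:
    """Big-endian bit list of the given bytes."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _from_bits(bits: list) -> bytes:
    """Reassemble whole bytes; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def _encode_groups(groups: list) -> str:
    """Render 3-bit values as '\\t' + that many spaces."""
    return "".join("\t" + " " * g for g in groups)


def hide(cover: str, message: bytes) -> str:
    """Append the message (with a 2-byte length prefix) to the cover's line ends.
    When the cover runs out of lines, blank carrier lines are appended, which is
    what snow reports as 'An extra N lines were added'."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length prefix")
    bits = _to_bits(len(message).to_bytes(2, "big") + message)
    while len(bits) % BITS_PER_GROUP:
        bits.append(0)                         # pad the last group with zero bits
    groups = [int("".join(str(b) for b in bits[i:i + BITS_PER_GROUP]), 2)
              for i in range(0, len(bits), BITS_PER_GROUP)]
    out = []
    for line in cover.split("\n"):
        take, groups = groups[:GROUPS_PER_LINE], groups[GROUPS_PER_LINE:]
        out.append(line.rstrip(" \t") + _encode_groups(take))
    while groups:                              # cover exhausted: add carrier lines
        take, groups = groups[:GROUPS_PER_LINE], groups[GROUPS_PER_LINE:]
        out.append(_encode_groups(take))
    return "\n".join(out)


def reveal(stego: str) -> bytes:
    """Read the groups back from every line's trailing whitespace."""
    bits = []
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        for grp in tail.split("\t")[1:]:       # whitespace before the first tab is not a group
            if len(grp) >= 1 << BITS_PER_GROUP:
                raise ValueError("malformed whitespace group")
            bits.extend((len(grp) >> i) & 1 for i in (2, 1, 0))
    data = _from_bits(bits)
    length = int.from_bytes(data[:2], "big")
    return data[2:2 + length]


def trailing_whitespace_lines(text: str) -> list:
    """Defender's check (what step 8 does visually): 1-based numbers of lines
    that end in spaces or tabs. Ordinary text rarely has them."""
    return [n for n, line in enumerate(text.split("\n"), 1)
            if line != line.rstrip(" \t")]


if __name__ == "__main__":
    # Constructed cover text matching steps 2-3 of the lab.
    cover = "Hello World!\n------------\n"
    stego = hide(cover, b"My swiss bank account number is 45656684512263")
    print("lines with trailing whitespace:", trailing_whitespace_lines(stego))
    print("recovered:", reveal(stego))
```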
Lab Analysis
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Snow
Information Collected/Objectives Achieved:
Output: You will see the hidden data inside Notepad
Questions
1. How would you hide the data of files with secret data in other files?
2. Which encryption is used in Snow?
Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. You should also have knowledge of gaining access, escalating privileges, executing applications, hiding files, and covering tracks.
Lab Objectives

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab, you need:
- Auditpol is a built-in command in Windows Server 2012
- You can see more audit commands at the following link for Windows Server 2012: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
- Run this on Windows Server 2012
Lab Duration
Time: 10 Minutes
Overview of Auditpol
1. Select Start -> Command Prompt.
(Administrator: Command Prompt opens at C:\Users\Administrator>)
3. To view all the audit policies, type the following command in the command prompt: auditpol /get /category:*
4. Press Enter.
Note: auditpol /remove removes all per-user audit policy settings and disables all system audit policy settings.
(Administrator: Command Prompt: auditpol /get /category:* lists the system audit policy as Category/Subcategory and Setting; every subcategory under System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change and Account Management shows No Auditing.)
5. To enable the audit policies, type the following command in the command prompt: auditpol /set /category:"system","account logon" /success:enable /failure:enable
6. Press Enter.
(Administrator: Command Prompt: after auditpol /set /category:"system","account logon" /success:enable /failure:enable the tool reports "The command was successfully executed.")
7. To check if the audit policies are enabled, type the following command in the command prompt: auditpol /get /category:*
8. Press Enter.
Note: Syntax of the commands used in this lab:
auditpol /get [/user[:<username>|<{sid}>]] [/category:*|<name>|<{guid}>[,:<name>|<{guid}>...]] [/subcategory:*|<name>|<{guid}>[,:<name>|<{guid}>...]] [/option:<option name>] [/sd] [/r]
auditpol /set [/user[:<username>|<{sid}>] [/include] [/exclude]] [/category:<name>|<{guid}>[,:<name>|<{guid}>...]] [/success:<enable>|<disable>] [/failure:<enable>|<disable>] [/subcategory:<name>|<{guid}>[,:<name>|<{guid}>...]] [/success:<enable>|<disable>] [/failure:<enable>|<disable>] [/option:<option name> /value:<enable>|<disable>]
(Administrator: Command Prompt: auditpol /get /category:* now shows Success and Failure for every subcategory under System, while the other categories still show No Auditing.)
9. To clear the audit policies, type the following command in the command prompt: auditpol /clear /y
10. Press Enter.
11. To check if the audit policies are cleared, type the following command in the command prompt: auditpol /get /category:*
12. Press Enter.
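Steps 3 to 12 show the policy only on screen; the same check can be automated by parsing the Category/Subcategory and Setting columns that auditpol /get /category:* prints and comparing them against what a defender expects to be recorded. The following Python is an added example, not part of the lab manual: the sample output is constructed (abridged, in auditpol's layout) and the baseline is an assumption made for the example.

```python
import re

# Constructed sample (abridged) in the layout auditpol /get /category:* prints,
# as step 7 would show it after step 5 enabled System and Account Logon.
# Not real output from the lab machine.
SAMPLE_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
Account Logon
  Credential Validation                   Success and Failure
  Kerberos Authentication Service         Success and Failure
"""

SETTINGS = ("No Auditing", "Success and Failure", "Success", "Failure")
# Subcategory lines are indented and end with one of the known settings.
_SUBCATEGORY = re.compile(r"^\s{2,}(.+?)\s{2,}(" + "|".join(SETTINGS) + r")\s*$")


def parse_auditpol(text: str) -> dict:
    """Map (category, subcategory) -> setting string from auditpol /get output."""
    policy, category = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy",
                                                "Category/Subcategory")):
            continue                      # banner and column header
        m = _SUBCATEGORY.match(line)
        if m:
            if category is None:
                raise ValueError("subcategory before any category: " + line)
            policy[(category, m.group(1))] = m.group(2)
        elif not line.startswith(" "):
            category = line.strip()       # unindented line names a category
        else:
            raise ValueError("unrecognised line: " + line)
    return policy


def covers(setting: str) -> set:
    """Events a setting records: empty for No Auditing, both for Success and Failure."""
    return set() if setting == "No Auditing" else set(setting.split(" and "))


# Subcategories a defender wants recorded. This baseline is an assumption made
# for the example, not a list from the lab manual or from Microsoft.
BASELINE = {
    ("Logon/Logoff", "Logon"): {"Success", "Failure"},
    ("Logon/Logoff", "Account Lockout"): {"Success"},
    ("Account Logon", "Credential Validation"): {"Success", "Failure"},
    ("System", "Security State Change"): {"Success"},
}


def audit_gaps(policy: dict, baseline: dict = BASELINE) -> list:
    """(category, subcategory, missing events) for each baseline entry the policy
    does not satisfy. A subcategory absent from the output counts as No Auditing,
    which is also what every entry reads after auditpol /clear (steps 9-12)."""
    gaps = []
    for (category, sub), needed in baseline.items():
        missing = needed - covers(policy.get((category, sub), "No Auditing"))
        if missing:
            gaps.append((category, sub, sorted(missing)))
    return gaps


if __name__ == "__main__":
    for gap in audit_gaps(parse_auditpol(SAMPLE_OUTPUT)):
        print("not audited:", gap)
```

On a real host, feed the function the captured text of `auditpol /get /category:*` instead of SAMPLE_OUTPUT.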
(Administrator: Command Prompt: after auditpol /clear /y, auditpol /get /category:* again shows No Auditing for every subcategory.)
Lab Analysis
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: AuditPol
Information Collected/Objectives Achieved:
Result: open Auditpol
Category: System, Account Logon
Questions
1. How do you configure global resource SACLs using Auditpol?
2. Evaluate a report or back up an audit policy to a comma-separated value (CSV) text file.
Internet Connection Required: Yes
Platform Supported: Classroom
Lab 13
Password Recovery Using CHNTPW.ISO
CHNTPW.ISO is a password recovery tool that runs on Windows Server 2003, Windows Server 2008, and Windows 7 Virtual Machine.
Lab Scenario
Nowadays, attacking the password is one of the most straightforward hacking attacks. Passwords are the most common access control method used by system administrators to manage the usage of network resources and applications. There are numerous feasible methods to crack passwords. To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.
In this lab, we show you how to erase or recover an admin password using CHNTPW.ISO.
Lab Objectives
The objective of this lab is to help students learn:
- Recovering the password of Windows Server 2008

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab, you need:
- CHNTPW.ISO, located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Recovery Tools\CHNTPW.ISO\cd110511
- CHNTPW.ISO is a tool to recover/erase the administrator passwords for Windows Server 2008
- A computer running Windows Server 2008 as a virtual machine
Lab Duration
Time: 15 Minutes
Overview of CHNTPW.ISO
1. Start Hyper-V Manager by selecting Start -> Hyper-V Manager.
2. Before starting this lab, make sure that the Windows Server 2008 virtual machine is shut down.
Note: Offline NT Password & Registry Editor can delete any password from nearly any installation of Windows almost instantly.
3. Now select the Windows Server 2008 virtual machine and click Settings in the right pane of Hyper-V.
(Hyper-V Manager window: the Virtual Machines list shows Windows Server 2008 with Settings... available in the right pane.)
Note: Offline NT Password & Registry Editor simply deletes passwords instead of displaying them, making it fast and easy to use.
4. Select DVD Drive under the IDE Controller in the left pane of Settings for Windows Server 2008.
5. Check the Image file option, browse to the location of CHNTPW.ISO, and select Apply -> OK.
Note: No installation in Windows is required, making this program an easy alternative to many other password recovery
(Settings for Windows Server 2008: DVD Drive on IDE Controller 1; Media set to Image file pointing at the cd110511.iso file.)
Note: Offline NT Password & Registry Editor is completely free to download and use.
FIGURE 13.2: CHNTPW.ISO Windows Server 2008 settings
Note: The tool will also remove passwords from 64-bit versions of Windows operating systems.
Note: Offline NT Password & Registry Editor works with all popular Windows versions, including Windows 7 and more.
8. After booting, the window will prompt you with: Step ONE: Select disk where the Windows installation is.
9. Press Enter.
Note: It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD or another system.
Note: Tested on: NT 3.51 & NT 4: Server, Workstation; Win2k Prof & Server, up to SP3/SP4; XP Home & Prof: up to
(Virtual Machine Connection: Step ONE: Select disk where the Windows installation is; the disk /dev/sda (17.1 GB) is listed and you are asked to select a partition by number, q = quit, a = automatically start disk drivers.)
FIGURE 13.5: CHNTPW.ISO Step One
10. Now you will see: Step TWO: Select PATH and registry files; press Enter.
Note: This is a utility to (re)set the password of any user that has a valid (local) account on your NT system.
(Virtual Machine Connection: /dev/sda1 is mounted as NTFS and Step TWO: Select PATH and registry files reports the Windows directory found.)
11. Select which part of the registry to load: use the predefined choices, or list the files with a space as delimiter, and then press Enter.
(Virtual Machine Connection: the registry directory Windows/System32/config is listed and the menu offers 1 - Password reset [sam system security], 2 - RecoveryConsole parameters [software], q - quit - return to previous.)
12. When you see Step THREE: Password or registry edit, type yes (y), and press Enter.
Screenshot: Selected files: sam system security. Copying sam system security to /tmp.

Step THREE: Password or registry edit. chntpw version 0.99.6 110511, (c) Petter Nordahl-Hagen. Hive <SAM>, name (from header): \SystemRoot\System32\Config\SAM, ROOT KEY at offset: 0x001020, Subkey indexing type is: 666c <lf>, file size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage), used for data: 250/20800 blocks/bytes, unused: 14/35841 blocks/bytes. Hive <SYSTEM>, ROOT KEY at offset: 0x001020, Subkey indexing type is: 686c <lh>, file size 9437184 [900000] bytes, containing 2164 pages (+ 1 headerpage), used for data: 100211/5937688 blocks/bytes, unused: 4621/3278696 blocks/bytes. Hive <SECURITY>, name (from header): \SystemRoot\System32\Config\SECURITY, ROOT KEY at offset: 0x001020, file size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage), used for data: 406/22272 blocks/bytes, unused: 5/2112 blocks/bytes. SAM policy limits: failed logins before lockout, minimum password length, password history count: 0. chntpw Main Interactive Menu. Loaded hives: <SAM> <SYSTEM> <SECURITY>. 1 - Edit user data and passwords. 9 - Registry editor, now with full write support! q - Quit (you will be asked if there is something to save). What to do? [1] >

Note: chntpw works offline, that is, you have to shut down your computer and boot off a floppy disk or CD. The boot disk includes the tools to access NTFS and FAT/FAT32 partitions and scripts to glue the whole thing together.
13. The main menu shows Loaded hives: <SAM> <SYSTEM> <SECURITY>, with the options 1 - Edit user data and passwords, 9 - Registry editor, now with full write support!, and q - Quit (you will be asked if there is something to save). At the prompt What to do? the default selected option is [1]. Press Enter.
14. In chntpw Edit User Info & Passwords, the account list (RID, Username, Admin?, Lock?) is shown. Press Enter to accept the default user name to change, [Administrator].
Screenshot: chntpw <SAM> data, Edit User Info & Passwords, in the Windows Server 2008 Virtual Machine Connection. The list shows RID, Username, Admin?, Lock? for each local account (0x01f4 Administrator, 0x01f5 Guest, 0x03e8 IUSR_WIN-ULY858KHQIP), followed by the prompt: User with RID (hex), or simply enter the username to change: [Administrator].

Note: Disable your software firewall (Norton Internet Security is often the culprit).

FIGURE 13.10: CHNTPW.ISO chntpw Edit User Info & Passwords
15. In the User Edit Menu: 1 - Clear (blank) user password, 2 - Edit (set new) user password (careful with this on XP or Vista), 3 - Promote user (make user an administrator), 4 - Unlock and enable user account [seems unlocked already], q - Quit editing user, back to user select. The default option, Quit [q], is selected. Type 1 and press Enter.
Screenshot: chntpw user edit for Administrator. Username: Administrator; fullname: (empty); comment: Built-in account for administering the computer/domain; homedir: (empty). Account bits: 0x0010, that is, only Normal account is set; Disabled, Homedir req., Passwd not req., Temp. duplicate, NMS account, Domain trust ac, Wks trust act., Srv trust act, Pwd don't expir, Auto lockout, and the (unknown 0x08), (unknown 0x20) and (unknown 0x40) bits are clear. User Edit Menu: 1 - Clear (blank) user password, 2 - Edit (set new) user password (careful with this on XP or Vista), 3 - Promote user (make user an administrator), 4 - Unlock and enable user account [seems unlocked already], q - Quit editing user, back to user select. Select: [q] >

FIGURE 13.11: CHNTPW.ISO User Edit Menu
16. After the password of the user account has been cleared, type ! and press Enter to return to the main menu.
Screenshot: after option 1, chntpw prints "Password cleared!" and returns to the account list (RID, Username, Admin?, Lock?) with the prompt: User with RID (hex), or simply enter the username to change: [Administrator].

FIGURE 13.12: CHNTPW.ISO Password Cleared
17. The main menu appears again: Loaded hives: <SAM> <SYSTEM> <SECURITY>; 1 - Edit user data and passwords; 9 - Registry editor, now with full write support!; q - Quit (you will be asked if there is something to save). At the prompt What to do? the default selected option is [1]. Type quit (q), and press Enter.
Screenshot: chntpw Main Interactive Menu after quitting the user editor, in the Windows Server 2008 Virtual Machine Connection. Loaded hives: <SAM> <SYSTEM> <SECURITY>. 1 - Edit user data and passwords. 9 - Registry editor, now with full write support! q - Quit (you will be asked if there is something to save). What to do? [1] > q

FIGURE 13.13: CHNTPW.ISO loading hives, Quit option

18. In Step FOUR: Writing back changes, at the prompt About to write file(s) back! Do it? the default option is [n]. Type yes (y) and press Enter.
Screenshot: chntpw Step FOUR: Writing back changes, in the Windows Server 2008 Virtual Machine Connection. The console shows the Administrator account bits (0x0010, Normal account), the User Edit Menu with "Select: [q] > 1", the message "Password cleared!", the main menu with Loaded hives <SAM> <SYSTEM> <SECURITY>, and the prompt About to write file(s) back! Do it? [n] :

FIGURE 13.14: CHNTPW.ISO Step Four
Note: It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD, or from another system.

FIGURE 13.15: CHNTPW.ISO Edit Completed
20. Now turn off the Windows Server 2008 virtual machine.

21. Open the Hyper-V Manager settings of Windows Server 2008, change the DVD Drive option under IDE Controller 1 to None, and then click Apply > OK.
Screenshot: Settings for Windows Server2008 on WIN-D39MR5HL9E4. Hardware: Add Hardware; BIOS (Boot from CD); Memory (1024 MB); Processor (1 virtual processor); IDE Controller 0 > Hard Drive (Windows Server2008.vhdx); IDE Controller 1 > DVD Drive (None); SCSI Controller; Legacy Network Adapter (Realtek PCIe GBE Family Controller); COM 1 (None); COM 2 (None); Diskette Drive (None). DVD Drive pane: "Select the controller and location on the controller to attach the CD/DVD drive." Controller: IDE Controller 1, Location: 0 (in use). Media: "Specify the media to use with your virtual CD/DVD drive." None (selected) / Image file: C:\Users\Administrator\Desktop\cd110511\cd110511.iso. "To remove the virtual CD/DVD drive from this virtual machine, click Remove." Management: Name (Windows Server2008); Integration Services (All services offered); Snapshot File Location (C:\ProgramData\Microsoft\Win...); Smart Paging File Location (C:\ProgramData\Microsoft\Win...); Automatic Start Action (Restart if previously running).

FIGURE 13.16: CHNTPW.ISO Windows Server 2008 Settings
22. Go to the Windows Server 2008 virtual machine, and click the Start button.
Screenshot: Windows Server 2008 on WIN-D39MR5HL9E4 - Virtual Machine Connection (File, Action, Media, Clipboard, View, Help), starting the virtual machine.

FIGURE 13.17: Starting Windows Server 2008

FIGURE 13.18: Windows Server 2008 Window
Lab A n a ly sis
Analyze and document the results related to the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: CHNTPW.ISO
Information Collected/Objectives Achieved: Machine name: Windows Server 2008. Output: the Administrator password is cleared, so you can log into Windows Server 2008 without entering a password.
Questions
1. How do you configure CHNTPW.ISO in the virtual machine settings?
Lab: SpyAgent
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Objectives
The objective of this lab is to help students use the Spytech SpyAgent tool. After completing this lab, students will be able to: install and configure Spytech SpyAgent; monitor keystrokes typed, websites visited, and Internet traffic data.
Lab Environment
To carry out the lab you need: a computer running Windows Server 2012; administrative privileges to install and run tools. Run this tool in Windows Server 2012. You can also download Spytech SpyAgent from http://www.spytech-web.com/spyagent.shtml. If you decide to download the latest version, screenshots may differ.
Lab Duration
Time: 15 Minutes
Lab Tasks
TASK 1: Installation of Spytech SpyAgent
The basic idea in this section is to:
1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Keyloggers\Spytech SpyAgent.
2. Double-click Setup.exe. You will see the following window. Click Next.
Screenshot: Spytech SpyAgent Setup (Next >, Cancel).

Note: You can download Spytech SpyAgent from http://www.spytech-web.com

FIGURE 14.1: Installation of Spytech SpyAgent
3. The Welcome window of the Spytech SpyAgent setup program appears; read the instructions and click Next.
Screenshot: Welcome. "Welcome to the Spytech SpyAgent Setup program. This program will install Spytech SpyAgent on your computer. It is strongly recommended that you exit all Windows programs before running this Setup program. Click Cancel to quit Setup and then close any programs you have running. Click Next to continue with the Setup program. WARNING: This program is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under law." (< Back, Next >, Cancel)

FIGURE 14.2: Installation wizard of Spytech SpyAgent
4. The Important Notes window appears; read the note and click Next.
Screenshot: Important Notes. Spytech SpyAgent Build Version 7.56.12, Copyright Spytech Software and Design, Inc. 2000-2012, www.spytech-web.com. "What is Spytech SpyAgent? Spytech SpyAgent is a powerful and easy to use software utility that allows you to log all keystrokes typed, windows and applications launched, websites visited, passwords used, icq/msn/yahoo/aim conversations, and even all internet connections made. All logs are easily viewed with the built in log viewers and can be saved to a convenient, easily viewed text format for email transfer (built in) or printouts. SpyAgent can also capture all emails, as well as capture screenshots of the desktop at set time intervals. SpyAgent can be ran on windows startup in active monitoring mode." (< Back, Next >, Cancel)

Note: Active Mode: this option allows SpyAgent to be started in monitoring mode when it is opened, with no need to start its monitoring manually.

FIGURE 14.3: Installation wizard
5. The Software License Agreement window appears; you must accept the agreement to install Spytech SpyAgent.
6. Click Yes to continue.
Screenshot: Software License Agreement. "Please read the following License Agreement. Press the PAGE DOWN key to see the rest of the agreement. License 1. You may use the program on a single computer at one time. You may not copy the program and accompanying materials except for backup purposes to use in support of using the program on a single machine at one time. 2. You may only install this software on a computer that you own, or on a computer from which you have consent of the owner to install this software. 3. You may not make copies of the program for sale or distribution. 4. This software is copyrighted, and all rights therein are reserved for Spytech Software. Purchase of ... Do you accept all the terms of the preceding License Agreement? If you choose No, Setup will close. To install this product, you must accept this agreement." (Print, < Back, Yes, No)

FIGURE 14.4: Select the Agreement
7. Choose the destination location to install Spytech SpyAgent.
8. Click Next to continue the installation.
Screenshot: Choose Destination Location. "Setup will install Spytech SpyAgent in the following directory. To install to this directory, click Next. To install to a different directory, click Browse and select another directory. You can choose not to install Spytech SpyAgent by clicking Cancel to exit Setup." (Browse..., < Back, Next >, Cancel)

Note: Stealth Mode: this option allows SpyAgent to run in total stealth. Combined with 'Active Mode' the software will load and run in monitoring mode in complete stealth.

FIGURE 14.5: Selecting folder for installation
9. Select the SpyAgent installation type, and choose Administrator/Tester as the setup type.
Screenshot: Select SpyAgent Installation Type. "Click the type of Setup you prefer, then click Next." Administrator/Tester: "Program will be installed with all the software options and accessible via Windows start menu. This is recommended also for new users! Help documents are installed." Stealth Installation: "Program will be installed with minimum required options and no shortcuts included in Windows start menu. Also HELP Documents are NOT INSTALLED." (Next >, Cancel)
11. The Ready to Install window appears. Click Next to start installing Spytech SpyAgent.

Note: Splash Warning: this option allows you to display a message to the user when SpyAgent is started. This message can be configured in the Advanced Settings > Splash Screen window.
Screenshot: Ready To Install. "Setup now has enough information to start installing Spytech SpyAgent. Click Back to make any changes before continuing. Click Cancel to exit Setup." (< Back, Next >, Cancel)

FIGURE 14.7: Ready to install window

Screenshot: uninstaller prompt (Yes, No).

FIGURE 14.8: Selecting an uninstaller
13. The Notice for Antivirus Users window appears; read the notice and click Next.

Screenshot: A NOTICE FOR ANTIVIRUS USERS. "Modern antivirus programs can detect a wide range of potentially dangerous programs. This normally goes far beyond traditional viruses and worms and often includes heuristic alerts, which basically means that you can get alerts and warnings when an antivirus program 'thinks it could be' something. These warnings should be expected for the following types of applications: Software that logs or captures keystrokes; Software that monitors user activity; Software that allows you to recover passwords or other personal data; Software that monitors or logs Internet or network activity. Since SpyAgent can do all of the above, some antivirus solutions may deem SpyAgent as 'potentially harmful' or a 'trojan' despite it being a legitimate tool to monitor your computer (and users). With all Spytech software, you can be sure our products are 100% safe to use and virus free." (< Back, Next >, Cancel)

Note: Log Location: this allows you to specify where you want SpyAgent to store its activity logs. For Windows NT/2000/XP systems monitoring ALL users it is recommended that the log location be set to x:\documents and settings\all users

FIGURE 14.9: Accept Antivirus notice
14. The Finished window appears. Click Close to end the setup.
Screenshot: Finished window (< Back, Close).

FIGURE 14.10: Finish window
FIGURE 14.11: Welcome SpyAgent window
16. The following window appears. Enter the password in the New Password field, and retype the same password in the Confirm field.
17. Click OK.
Screenshot: password dialog with the fields Old Password, New Password and Confirm. "This password restricts other users from changing the SpyAgent settings."

Note: SpyAgent can deliver its activity logs in secret to your own personal email or FTP account.

FIGURE 14.12: Selecting New Password
Screenshot: SpyAgent welcome window with the button "click to continue...".

FIGURE 14.13: Welcome SpyAgent window
19. The Configuration Package wizard appears. Select the Complete + Stealth Configuration package.
20. Click Next.
Screenshot: Easy Configuration and Setup Wizard, steps 1. Configuration, 2. Extras, 3. Confirm Settings, 4. Apply, 5. Finish. "Please select a configuration package from the below options." Complete + Stealth Configuration (selected): "Configure to run in total stealth, with all possible logging options preconfigured." Complete Configuration.

FIGURE 14.14: Selecting configuration package
21. Choose additional options, and select the Display Alert on Startup check box. 22. Click Next.
Note: Internet Traffic Data: this logs ALL incoming and outgoing Internet data transmitted and received by users. All email passwords, FTP passwords, website transmissions, etc. will be logged by this feature.

FIGURE 14.15: Selecting additional option
23. The Confirm Settings window of the wizard appears (Figure 14.16).

Note: SpyAgent has the unique ability to allow you to have its activity logs delivered to your personal email address or FTP account.

FIGURE 14.16: Confirm settings wizard
24. The configuration is applied (Figure 14.17).

Screenshot: Easy Configuration and Setup Wizard, steps 1. Configuration, 2. Extras, 3. Confirm Settings, 4. Apply, 5. Finish.

FIGURE 14.17: Configuration applied window
25. The Configuration Finished window appears. Click Finish to complete the setup of SpyAgent.
Screenshot: Easy Configuration and Setup Wizard, steps 1. Configuration, 2. Extras, 3. Confirm Settings, 4. Apply, 5. Finish.

Note: SpyAgent has a built-in scheduling feature that allows you to configure SpyAgent to log user activities during specific hours of the day, or to lock down your computer at certain times.

FIGURE 14.18: Configuration finished window
26. The main window of Spytech SpyAgent appears, as shown in the following figure. Click "Click to continue...".
Screenshot: Spytech SpyAgent main window ("Click Here for Ordering Information"). General User Activities: Keystrokes Typed (0 Keys Last Session), Windows Viewed, Programs Usage (Applications), Clipboard Logs (0 Clipboards), Events Timeline (0 Events Logged). Internet Activities: E-Mails Sent/Received (0 E-Mails Logged), Websites Visited (0 Websites Logged), Chat Transcripts (0 Conversations Logged). Side panel: General (Startup Settings and Config), Logging (Configure Logging Options), Remote Log Delivery (Configure Remote Delivery), Advanced Options (Finer Control on SpyAgent), ScreenSpy (Record Desktop Activity), SmartLogging (Activity Triggered Logging), Scheduling (Schedule Monitoring Times), Behavior Alerts. Buttons: View Most Popular Activities Summary, Click here for Easy Configuration and Setup Wizard, Program Options, Log Actions, Reports, Help.

FIGURE 14.19: Main window of SpyAgent
27. Click Start Monitoring.

Screenshot: Spytech SpyAgent main window. General: Startup Settings and Config. Keystrokes Typed: 0 Keys Last Session. Windows Viewed: 4 Windows Logged. Programs Usage: Applications Logged. ScreenSpy Screenshots: 10 Screenshots Logged. Clipboard Logs: 0 Clipboards Logged. File/Documents Usage: 0 File Events Logged. Advanced Options: Finer Control on SpyAgent. Events Timeline: 91 Events Logged. Computer Usage: 2 Sessions Logged. Content Filtering: Filter and Block Activity. Internet Activities: E-Mails Sent/Received (0 E-Mails Logged), Internet Activities (0 Connections Logged), Websites Visited (2 Websites Logged), Chat Transcripts (0 Conversations Logged). ScreenSpy: Record Desktop Activity. SmartLogging: Activity Triggered Logging. Scheduling: Schedule Monitoring Times. Behavior Alerts. View Most Popular Activities Summary, Click here for Easy Configuration and Setup Wizard, Program Options, Log Actions, Reports, Help.

FIGURE 14.20: Start monitoring
28. Enter the SpyAgent password when prompted (Figure 14.21).
29. Click OK.

Screenshot: Spytech SpyAgent main window, "computer monitoring and surveillance software", with the password prompt. General User Activities: Keystrokes Typed (0 Keys Last Session), Clipboard Logs (0 Clipboards Logged), Events Timeline (91 Events Logged). Internet Activities: E-Mails Sent/Received (0 E-Mails Logged), Internet Activities (0 Connections Logged), Chat Transcripts (0 Conversations Logged). Remote Log Delivery, ScreenSpy (Record Desktop Activity), SmartLogging. View Most Popular Activities Summary, Click here for Easy Configuration and Setup Wizard, Program Options, Log Actions, Reports, Help.

Note: SpyAgent has a feature called SmartLogging that lets you trigger monitoring when certain events arise, instead of running constantly and logging everything that users do. SmartLogging ties into the keystrokes, websites visited, applications run, and windows used logging functions.

FIGURE 14.21: Entering the password
30. The Stealth Notice window appears; read the instructions and click OK. NOTE: To bring SpyAgent out of stealth mode, press CONTROL+SHIFT+ALT+M on your keyboard.
Note: SpyAgent allows you to save all of SpyAgent's keystrokes, websites, windows, applications, connections, clipboard, activity, print jobs, file usage, and documents logs to a specified directory at once for easier viewing later on, or so you can clear your logs without losing data.

FIGURE 14.22: Stealth mode notice
31. The following window appears. Select the options Do not show this Help Tip again and Do not show Related Help Tips like this again, and then click "click to continue...".

Screenshot: Help Tip. "SpyAgent is now monitoring your computer. To stop monitoring press SpyAgent's hotkey combination - by default it is CONTROL+ALT+SHIFT+M - then enter your SpyAgent password." Check boxes: Do not show this Help Tip again; Do not show Related Help Tips like this again.

Note: SpyAgent features a large set of reporting tools that allow you to save and prepare log data for later viewing, documentation, and printing. All reports are formatted in HTML format for viewing with your web browser.

FIGURE 14.23: Start monitoring
32. Now browse the Internet (any site will do).
33. To bring SpyAgent out of stealth mode, press CONTROL+SHIFT+ALT+M on your keyboard. It will ask for the Access Password; enter the password and click OK.

FIGURE 14.24: Entering the password
34. To check the keystrokes the user typed, click Keystrokes Typed under General User Activities.
35. It will show all the logged keystrokes, as shown in the following screenshot.
Screenshot: Keystrokes Typed log viewer, 14 entries (Actions, Jump to Log, Format). Columns: Time, User, Window/Application, Keystrokes Typed. Entries for user Administrator on Tue 7/24/12 at 2:12:27 PM, 2:12:29 PM, 2:12:56 PM and 2:13:03 PM; the selected entry (SnagitEditor.exe, Snagit Editor, Jul 24, 2012 2:35:58 PM) reads: [Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace]Spy[Backspace][Backspace][Backspace]It will show the follwing window seld[Backspace]ect Do nto[Backspace][Backspace]ot show this Help Tip again and Do not show Related Help Tips like this agin[Backspace][Backspace][Backspace]am[Backspace], click on click to count1[Backspace][Backspace][Backspace][Backspace]m[Backspace]tinue. Note: Log entries preceded with a '*' indicate a password entry.

FIGURE 14.25: Resulting keystrokes
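The keystroke log in Figure 14.25 is a stream of raw key events, [Backspace] included, and the viewer marks password entries with a leading '*'. Replaying those events is how an analyst, or the person who planted the keylogger, recovers the text that was actually typed, passwords included; the typos and corrections visible in the raw log disappear. The following is an added example, not code from the lab manual or from Spytech. The tab-separated record layout (time, user, window, keystrokes) and the bracketed key names are assumptions modelled on the screenshot, and the sample log is constructed, not captured from a system. The same replay applies to the Power Spy 2013 keystroke logs later on this page.

```python
"""Replay a keylogger's keystroke log into the text the user actually typed.

Added example, not code from the lab manual or from Spytech.  The record
layout is assumed: one entry per line, tab-separated as
time, user, window, keystrokes; special keys appear in square brackets
(as in the SpyAgent screenshot) and a leading '*' on the keystroke field
marks a password entry.  Adapt parse_log() for a different tool's format.
"""
import re
from dataclasses import dataclass

# Either a bracketed special key such as [Backspace] or a single typed character.
_TOKEN = re.compile(r"\[([^\[\]]+)\]|(.)", re.DOTALL)

# Special keys that leave a character behind.  Any other bracketed key
# (Shift, Ctrl, arrows, ...) is treated as a modifier or navigation key.
_PRINTABLE = {"enter": "\n", "tab": "\t", "space": " "}


@dataclass
class KeyEntry:
    time: str
    user: str
    window: str
    is_password: bool
    typed: str        # text after replaying backspaces


def replay_keys(raw: str) -> str:
    """Apply the key events in order and return the resulting text."""
    buf = []
    for match in _TOKEN.finditer(raw):
        key, char = match.group(1), match.group(2)
        if key is None:
            buf.append(char)
            continue
        name = key.strip().lower()
        if name == "backspace":
            if buf:               # a Backspace on empty input is a no-op
                buf.pop()
        elif name in _PRINTABLE:
            buf.append(_PRINTABLE[name])
    return "".join(buf)


def parse_log(text: str) -> list:
    """Parse the tab-separated log into KeyEntry records with replayed text."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, window, keys = line.split("\t", 3)
        is_password = keys.startswith("*")
        raw = keys[1:] if is_password else keys
        entries.append(KeyEntry(time, user, window, is_password, replay_keys(raw)))
    return entries


def credentials(entries) -> list:
    """Return (window, typed) pairs for every password-flagged entry."""
    return [(e.window, e.typed) for e in entries if e.is_password]


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = (
    "7/24/12 2:12:27 PM\tAdministrator\tSnagit Editor\t"
    "It will show the follwing[Backspace][Backspace][Backspace][Backspace]owing window "
    "seld[Backspace]ect Do nto[Backspace][Backspace]ot show this Help Tip again\n"
    "7/24/12 2:13:03 PM\tAdministrator\tWindows Security\t"
    "*Summer201[Shift]!2[Backspace][Backspace]2!\n"
    "7/24/12 2:14:10 PM\tAdministrator\tInternet Explorer\t"
    "www.example.com[Enter]\n"
)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in parsed:
        flag = "PASSWORD " if entry.is_password else ""
        print(f"{entry.time}  {entry.user}  {entry.window}  {flag}{entry.typed!r}")
    print("credentials recovered:", credentials(parsed))
```

The replay is deliberately forgiving: unknown bracketed keys are dropped rather than raising, because a real log contains hotkeys and navigation keys that change nothing on screen. When reviewing a compromised host, run the recovered credentials list against your password reset queue; every entry in it has to be treated as disclosed.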
36. To check the websites visited by the user, click Websites Visited under Internet Activities.
37. It will show all the websites the user visited, as shown in the following screenshot.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Spytech SpyAgent
Information Collected/Objectives Achieved: Output: monitoring keystrokes typed; website log entries; pages visited for the selected website; Internet traffic data.
Today, employees are given access to computers, telephones, and other electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees also are given laptop computers and wireless telephones they can take home and use for business outside the workplace. Whether an employee can claim a reasonable expectation of privacy when using such company-supplied equipment in large part depends upon the steps the employer has made to minimize that expectation.
In this lab, we explain monitoring employee or student activity using Power Spy 2013.
Lab Objectives
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
The objective of this lab is to help students use the Activity Monitor tool. After completing this lab, students will be able to:
Install and configure Power Spy 2013
Monitor keystrokes typed, websites visited, and Internet traffic data
If you decide to download the latest version, screenshots may differ. Run this tool in Windows Server 2012.
Lab Duration
Time: 15 Minutes
Lab Tasks
TASK 1: Installation of Power Spy 2013
The basic idea in this section is to:
1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Spywares\Email and Internet Spyware\Power Spy.
2. Double-click pcspy.exe. The Software License Agreement window appears. You must accept the agreement to install Power Spy.
3. Click Next in the License Agreement wizard.
[Screenshot: Setup Power Spy welcome window. "Welcome to the Setup Wizard! This will install the software on your computer. It is recommended to close all other applications before continuing. Click Next to continue, or Cancel to exit Setup. By clicking Next you are agreeing to the following terms of License Agreement." The License Agreement disclaimer states that all products are distributed and licensed on an 'as is' basis and that no warranties or guarantees of any kind are promised by eMatrixSoft (the 'Company') and Power Spy (the 'Software') as to their performance, reliability or suitability to any given task.]
You can download Power Spy 2013 from http://ematrixsoft.com/index.php
FIGURE 15.1: Installation of Spytech SpyAgent
4. Setup has finished the installation on the system. Click Finish.
[Screenshot: Completing Setup window. "Setup has finished installing product on your computer. Click Finish to exit the Setup Wizard."]
Keystrokes Typed: log all keystrokes, including optional non-alphanumerical keys, typed with time, Windows user name, application name and window caption.
FIGURE 15.2: Select the Agreement
5.
[Screenshot: "With administrative rights, you can check, delete and export logs, change settings, and have complete access to the software"]
6. The Setup login password window appears. Enter the password in the New password field, and retype the same password in the Confirm password field. Click Submit.
7.
[Screenshot: Setup login password window. "Setup a password to login the software. The password can include uppercase letters, lowercase letters, numbers and symbols."]
Screen Snapshots: automatically captures screenshots of the entire desktop or active windows at set intervals. Saves screenshots as JPEG format images on your computer hard disk. Automatically stops screenshots when the user is inactive.
FIGURE 15.4: Selecting New Password
8.
FIGURE 15.5: Password confirmation window
9. The Enter login Password window appears. Enter the password (which is already set).
FIGURE 15.6: Enter the password
11.
Stealth Mode: Power Spy runs absolutely invisibly under Windows systems and does not show in the Windows task list. No one will know it's running unless you tell them! You can also choose to hide or unhide the Power Spy icon and its uninstall entry.
[Screenshot: help tip. "You can totally try the software on yourself. Click Start monitoring and Stealth Mode on its control panel, then do anything as usual on the PC: visiting websites, reading emails, chatting on Facebook or Skype, etc. Then, use your hotkey to unhide its control panel, and click an icon on the left to check logs."]
[Screenshot: Register product window with User Name and Unlock Code fields]
FIGURE 15.7: Register product window
12. The main window of Power Spy appears, as displayed in the following figure.
Task Schedule: You can set a starting and ending time for each task to automatically start and stop the monitoring job.
[Screenshot: Power Spy Control Panel with Keystrokes, Websites visited, Applications executed, Clipboard, Microphone, Stealth Mode and Configuration buttons, and a Buy now link]
FIGURE 15.8: Main window of Power Spy
13.
TASK 2
[Screenshot: Power Spy Control Panel with Keystrokes, Websites visited, Clipboard, Stealth Mode, Configuration, Applications executed, Microphone, About and Uninstall buttons]
Logs View: choose to view different types of logs from the program main interface. You can delete selected logs or clear all logs, search logs, or export logs as reports in HTML format.
FIGURE 15.9: Start monitoring
14.
FIGURE 15.10: System Reboot Recommended window
15. Click Stealth Mode (stealth mode runs Power Spy completely invisibly on the computer).
16. The Hotkey reminder window appears. Click OK (to unhide Power Spy, use the Ctrl+Alt+X keys together on your PC keyboard).
[Screenshot: Hotkey reminder window over the Power Spy Control Panel. "The Stealth Mode is started and the software will run completely invisibly. To unhide it, use your hotkey: Ctrl + Alt + X. (Press the 3 keys together on your keyboard). Hotkey only works in current Windows user account. It is disabled in other user accounts for security." The control panel shows Keystrokes, Stop monitoring, Applications executed, Clipboard, Microphone, About, Uninstall, Export all logs and Delete all logs.]
Easy to use Interface: configure Power Spy with either the Wizard for common users or the control panel for advanced users. The user-friendly graphical program interface makes it easy for beginners.
FIGURE 15.11: Stealth mode window
FIGURE 15.12: Stealth mode notice
18. Now browse the Internet (anything).
19. To bring Power Spy out of stealth mode, press CONTROL+ALT+X on your keyboard. The Run as administrator window appears. Click Run.
[Screenshot: Run as administrator window. "With administrative rights, you can check, delete and export logs, change settings, and have complete access to the software"]
FIGURE 15.13: Run as administrator
20. The Enter login password window appears. Enter the password (which is already set).
21. Click Submit.
FIGURE 15.14: Enter the password
22. Click Later in the Register product window to continue if it appears.
23. Click Stop monitoring to stop the monitoring.
[Screenshot: Power Spy Control Panel showing Keystrokes, Websites visited, Stop monitoring, Applications executed, Clipboard, Stealth Mode, Configuration, Microphone, About, Export all logs and Delete all logs]
FIGURE 15.15: Stop the monitoring
24.
Program Executed: log all programs including application, executable file, documents and directories navigated, with time, Windows user name, application/document/directory name and file paths.
[Screenshot: Power Spy Control Panel showing Screenshots, Applications executed, Yahoo messenger, Configuration, Clipboard, Microphone, About, Export all logs and Delete all logs]
FIGURE 15.16: Selecting keystrokes from Power Spy control panel
25. It will show all the resulting keystrokes, as shown in the following screenshot.
26. Click the Close button.
[Screenshot: Keystrokes log window; the entries are not legible in the scan.]
FIGURE 15.17: Resulting keystrokes
Documents Opened: log all text contents of documents opened in MS Word and NotePad.
27. To check the websites visited by the user, click Website visited in the Power Spy Control Panel.
28. It will show all the visited websites, as shown in the following screenshot.
[Screenshot: Websites visited log listing URLs with timestamps; a Featured Product panel advertises Power Spy 2013 spy software. The entries are not legible in the scan.]
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Information Collected/Objectives Achieved
Output:
Monitoring keystrokes typed
Website log entries
Pages visited for selected website
Internet traffic data
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Image Steganography\QuickStego
Lab Objectives
The objective of this lab is to help the students learn how to hide secret text messages in an image.
You can also download the QuickStego tool from http://quickcrypto.com/free-steganography-software.html. If you decide to download the latest version, screenshots may differ. Run this tool in Windows Server 2012.
Lab Duration
Time: 10 Minutes
Lab Tasks
TASK 1: Hide the text inside the image
The basic idea in this section is to:
1. Follow the wizard-driven installation steps to install QuickStego.
You can download QuickStego from http://quickcrypto.com
FIGURE 16.1: Main window of the QuickStego
3. Click Open Image in the Picture, Image, Photo File dialog box.
CEH Lab Manual Page 418
Image types that can be opened: .jpg/.jpeg, .gif, or .bmp formats
FIGURE 16.2: Opening the image
4.
5.
[Screenshot: Select An Image File To Open dialog in the QuickStego folder; File name: lamborghini_5.jpg (JPEG image, 9/20/2012 4:42 PM); file type filter: Images (*.bmp;*.jpg;*.jpeg;*.gif)]
Saved Hidden Text Images: bmp format only
FIGURE 16.3: Selecting the image
6. The selected image is added; it will show a message that reads: THIS IMAGE DOES NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE.
QuickStego does not ENCRYPT the secret text message, though it is well hidden in the image. QuickCrypto includes the functions of QuickStego but also allows you to securely encrypt text and files and even hide files on your computer.
FIGURE 16.4: Selected image is displayed
[Screenshot: Open Text button]
FIGURE 16.5: Selected text file
9. Select the Text File.txt file, and then click the Open button.
[Screenshot: Select File to Open dialog in the QuickStego folder, showing a Text Document dated 9/20/2012 5:00 PM]
The core functions of QuickStego are also part of QuickCrypto, therefore the product will be supported for the foreseeable future. Functionality on its way is the ability to hide messages inside audio files, e.g. mp3 and wav.
FIGURE 16.6: Selecting the text file
10. The selected text will be added; click Hide Text in the Steganography dialog box.
11. It shows the following message: The text message is now hidden in image.
[Screenshot: QuickStego Steganography window, "Hide a Secret Text Message in an Image"]
The larger the image, the more text that can be concealed within. QuickStego will tell you how many characters of text you must lose if you go over this limit per picture. In practice a lot of secret text can be hidden in even a small image.
[Screenshot: Picture, Image, Photo File panel with Open Image and Save Image buttons, and the Open Text button]
FIGURE 16.7: Hiding the text
12. To save the image (where the text is hidden inside the image), click Save Image in the Picture, Image, Photo File dialog box.
QuickStego imperceptibly alters the pixels (individual picture elements) of the image, encoding the secret text by adding small variations in color to the image. In practice, to the human eye, these small differences do not appear to change the image.
FIGURE 16.8: Save the steganography image
13. Provide the file name as stego, and click Save (to save this file on the desktop).
[Screenshot: Save The Image File To dialog on the Desktop; File name: stego; Save as type: Image (.bmp)]
FIGURE 16.9: Browse for saved file
14. Exit from the QuickStego window. Again open QuickStego, and click the Picture, Image, Photo File dialog box.
15. Browse the Stego file (which is saved on desktop).
16. The hidden text inside the image will appear as displayed in the following figure.
Approximately 2 MB of free hard disk space (plus extra space for any images)
FIGURE 16.10: Hidden text is shown
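The sidebar notes in this lab (save only as .bmp, a per-picture text limit that grows with image size, and "small variations in color" that the eye cannot see) all describe least-significant-bit (LSB) embedding. The following Python example is added here to make that mechanism concrete; it is not QuickStego's code and does not reproduce its file format. The length-prefixed payload layout, the constructed noise cover image and the crude lossy re-save simulation are assumptions for illustration only.

```python
"""Least-significant-bit (LSB) text steganography on an uncompressed image.

Added illustration of the mechanism the lab describes. The payload layout
(32-bit length prefix + UTF-8 text, one bit per colour channel) is an
assumption for this example, not QuickStego's actual format.
"""
from typing import Iterator, List

HEADER_BITS = 32  # assumed: 32-bit big-endian payload length precedes the text


def make_cover(width: int = 64, height: int = 64, seed: int = 12345) -> List[int]:
    """Constructed cover image: deterministic LCG noise, three 8-bit channels per pixel."""
    channels, x = [], seed
    for _ in range(width * height * 3):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        channels.append((x >> 16) & 0xFF)
    return channels


def capacity_bytes(channels: List[int]) -> int:
    """Payload bytes that fit at one bit per channel after the length header.
    This is the per-picture limit the lab mentions: a bigger image holds more text."""
    return max(0, (len(channels) - HEADER_BITS) // 8)


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(channels: List[int], message: str) -> List[int]:
    """Return a copy of the image with `message` written into the channel LSBs."""
    payload = message.encode("utf-8")
    room = capacity_bytes(channels)
    if len(payload) > room:
        raise ValueError(
            f"message is {len(payload)} bytes but the image holds {room}; "
            f"{len(payload) - room} bytes would have to be dropped")
    data = len(payload).to_bytes(4, "big") + payload
    stego = list(channels)
    for i, bit in enumerate(_bits(data)):
        stego[i] = (stego[i] & 0xFE) | bit  # each channel changes by at most 1
    return stego


def extract(channels: List[int]) -> str:
    """Read the length header and then the payload back out of the channel LSBs."""
    lsbs = [c & 1 for c in channels]

    def read_int(start: int, n: int) -> int:
        value = 0
        for b in lsbs[start:start + n]:
            value = (value << 1) | b
        return value

    length = read_int(0, HEADER_BITS)
    if length > capacity_bytes(channels):
        raise ValueError("no valid length header: image carries no message in this layout")
    payload = bytes(read_int(HEADER_BITS + 8 * k, 8) for k in range(length))
    return payload.decode("utf-8")


def max_channel_delta(a: List[int], b: List[int]) -> int:
    """Largest per-channel difference between two images (at most 1 for a pure LSB embed)."""
    return max(abs(x - y) for x, y in zip(a, b))


def simulate_lossy_resave(channels: List[int], step: int = 4) -> List[int]:
    """Crude stand-in for re-encoding as JPEG: quantise every channel to a multiple of
    `step`. Real JPEG is far more involved, but the effect on the LSB plane is the same:
    the hidden bits do not survive, which is why the tool saves stego images only as .bmp."""
    return [(c // step) * step for c in channels]


if __name__ == "__main__":
    cover = make_cover()
    secret = "meet at the usual place"  # constructed sample message
    stego = embed(cover, secret)
    print("capacity (bytes):", capacity_bytes(cover))
    print("max channel change:", max_channel_delta(cover, stego))
    print("recovered:", extract(stego))
    print("after lossy re-save:", repr(extract(simulate_lossy_resave(stego))))
```

Two points worth taking from the example: the embedding changes no channel value by more than one unit, which is why the lab's "THIS IMAGE DOES NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE" check cannot rely on looking at the picture, and any lossy re-encoding of the saved image silently destroys the message, so a stego file that has passed through a JPEG pipeline will extract as empty or as garbage.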
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: QuickStego
Information Collected/Objectives Achieved:
Image Used: Lamborghini_5.jpg
Output: The hidden text inside the image will be shown