
System Hacking

5.1 Cracking Passwords

Password Cracking

  • Password cracking techniques are used to recover passwords from computer systems.
  • Attackers use password cracking techniques to gain unauthorized access to the vulnerable system.
  • Most of the password cracking techniques are successful due to weak or easily guessable passwords.

Types of Password Attacks

  • Non-Electronic Attacks: The attacker does not need technical knowledge to crack the password, so these are also known as non-technical attacks.
    • Shoulder Surfing
    • Social Engineering
    • Dumpster Diving
  • Active Online Attacks: Attacker performs password cracking by directly communicating with the victim machine.
    • Dictionary and Brute Forcing Attack
    • Hash Injection and Phishing
    • Trojan/Spyware/Keyloggers
    • Password Guessing
  • Passive Online Attacks: Attacker performs password cracking without communicating with the authorizing party.
    • Wire Sniffing
    • Man-in-the-Middle
    • Replay
  • Offline Attack: The attacker copies the target’s password file and then tries to crack the passwords on their own system at a different location.
    • Pre-Computed Hashes (Rainbow Table)
    • Distributed Network

Non-Electronic Attacks

  • Shoulder Surfing: Looking at either the user’s keyboard or screen while he/she is logging in.
  • Social Engineering: Convincing people to reveal passwords
  • Dumpster Diving: Searching for sensitive information at the user’s trash-bins, printer trash bins, and user desk for sticky notes.

Active Online Attack: Dictionary, Brute Forcing and Rule-based Attack

  • Dictionary Attack: A dictionary file is loaded into the cracking application that runs against user accounts.
  • Brute Forcing Attack: The program tries every combination of characters until the password is broken.
  • Rule-based Attack: This attack is used when the attacker gets some information about the password.
  • Hybrid Attack
  • Syllable Attack
  • Brute Force

Active Online Attack: Password Guessing

  • The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim’s machine to crack the passwords.
    1. Find a valid user
    2. Create a list of possible passwords
    3. Rank passwords from high probability to low
    4. Key in each password, until correct password is discovered.

Default Passwords

  • A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected.
  • Attackers include default passwords in the word list or dictionary they use to perform password guessing attacks.

Active Online Attack: Trojan/Spyware/Keylogger

  • Attacker installs Trojan/Spyware/Keylogger on victim’s machine to collect victim’s user names and passwords.
  • The Trojan/Spyware/Keylogger runs in the background and sends all user credentials back to the attacker.

Example of Active Online Attack Using USB Drive

  1. Download PassView, a password hacking tool
  2. Copy the downloaded files to USB drive
  3. Create autorun.inf on the USB drive with the contents: [autorun] en=launch.bat
  4. Contents of launch.bat
  5. Insert the USB drive and the autorun window will pop-up (if enabled)
  6. PassView is executed in the background and passwords will be stored in the .TXT files in the USB drive

Active Online Attack: Hash Injection Attack

  • A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources.
  • The attacker finds and extracts a logged on domain admin account hash.
  • The attacker uses the extracted hash to log on to the domain controller.

PtH: Pass the Hash

Passive Online Attack: Wire Sniffing

  • Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
  • The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails.
  • Sniffed credentials are used to gain unauthorized access to the target system.

Passive Online Attacks: Man-in-the-Middle and Replay Attack

  • Gain access to the communication channels: In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
  • Use sniffer: In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
  • Considerations:
    • Relatively hard to perpetrate
    • Must be trusted by one or both sides
    • Can sometimes be broken by invalidating traffic

SMBRelay, PeerAuth

Offline Attack: Rainbow Table Attack

  • Rainbow Table: A rainbow table is a precomputed table that contains word lists (dictionary files and brute-force lists) together with their hash values.
  • Compare the Hashes: Capture the hash of a password and compare it with the precomputed hash table. If a match is found, the password is cracked.
  • Easy to Recover: It is easy to recover passwords by comparing captured password hashes to the precomputed tables.
  • Precomputed Hashes:
    • 1qazwed -> 21c40e47dba72e77518ee3ef88ad0cc8
    • hh021da -> 2ce80b192cfa47a0d6c8a2446314810b
    • 9da8dasf -> eb0f5690164ffabbed1744087a4d6761
    • sodifo8sf -> 2c749bf3fff89778efc50af7e4f8d6a8

Tools to Create Rainbow Tables: rtgen and Winrtgen

  • rtgen: The rtgen program needs several parameters to generate a rainbow table; the command-line syntax is:
    • Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
  • Winrtgen: Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2(256), SHA-2(384), and SHA-2(512) hashes.

Offline Attack: Distributed Network Attack

  • A Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password protected files using the unused processing power of machines across the network to decrypt passwords.
  • The DNA Manager is installed in a central location where machines running the DNA Client can access it over the network.
  • DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network.
  • DNA Client runs in the background, consuming only unused processor time.
  • The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password.

Elcomsoft Distributed Password Recovery

  • Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment.

Microsoft Authentication

  • Security Accounts Manager (SAM) Database:
    • Windows stores user passwords in the SAM, or in the Active Directory database in a domain. Passwords are never stored in clear text; passwords are hashed and the results are stored in the SAM.
  • NTLM Authentication:
    • The NTLM authentication protocol types:
      • NTLM authentication protocol
      • LM authentication protocol
    • These protocols store the user’s password in the SAM database using different hashing methods.
  • Kerberos Authentication:
    • Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger authentication for client/server applications than NTLM.

How Hash Passwords Are Stored in Windows SAM?

  • Note: LM hashes have been disabled in Windows Vista and later Windows operating systems; the LM hash is blank on those systems.

NTLM Authentication Process

Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

Kerberos Authentication

Password Salting

  • Password salting is a technique where a random string of characters is added to the password before calculating its hash.
  • Advantage: Salting makes it more difficult to reverse the hashes and defeats precomputed hash attacks. Note: Windows password hashes are not salted.
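The two sections above (rainbow tables and salting) fit together in one added example. This is illustrative code written for these notes, not code from the course material or from any of the tools named on the page; the wordlist and the salt values are constructed here. It builds a small precomputed hash→password table, shows that a captured unsalted MD5 is recovered by a single dictionary lookup, and then shows that the same hash function with a random per-user salt (and, better, a slow KDF such as PBKDF2) is not found in that table:

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a dictionary/brute-force list (not the page's example values).
WORDLIST = ["password", "letmein", "1qazwed", "sodifo8sf", "hunter2"]

def hash_unsalted(password):
    """Plain MD5 of the password: the kind of hash a precomputed table is built for."""
    return hashlib.md5(password.encode()).hexdigest()

def build_precomputed_table(words):
    """Precompute hash -> password for every word; a rainbow table is a compressed form of this idea."""
    return {hash_unsalted(w): w for w in words}

def lookup(table, digest):
    """Recover a password from a captured hash by table lookup; None when the table has no entry."""
    return table.get(digest)

def hash_salted_md5(password, salt):
    """Same hash function, but with a per-user random salt prepended: the digest no longer matches
    any table built over bare passwords, so an attacker must recompute the table per salt."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def hash_pbkdf2(password, salt=None, iterations=200_000):
    """Recommended form: random salt plus a slow, iterated KDF. Returns (salt_hex, digest_hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()

def verify_pbkdf2(password, salt_hex, digest_hex, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_pbkdf2(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, digest_hex)

def demo(password="1qazwed"):
    """Walk through: table hit on the unsalted hash, table miss on the salted one, KDF verify."""
    table = build_precomputed_table(WORDLIST)
    cracked = lookup(table, hash_unsalted(password))            # hit: the password itself
    salt = os.urandom(16)                                       # constructed per-user salt
    missed = lookup(table, hash_salted_md5(password, salt))     # miss: None
    salt_hex, stored = hash_pbkdf2(password)
    return (cracked, missed,
            verify_pbkdf2(password, salt_hex, stored),
            verify_pbkdf2("wrong-guess", salt_hex, stored))

if __name__ == "__main__":
    print(demo())
```

The salted MD5 variant is there only to show that the salt alone breaks the precomputation; in practice store the salt next to the PBKDF2 (or bcrypt/scrypt/Argon2) output, never a bare fast hash.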

pwdump7 and fgdump

  • PWDUMP extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database.
  • fgdump works like pwdump but also extracts cached credentials and allows remote network execution.
  • These tools must be run with administrator privileges.

Password Cracking Tools

  • L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding.
  • Ophcrack: Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms.
  • Cain & Abel: It allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks.
  • RainbowCrack: RainbowCrack cracks hashes with rainbow tables. It uses a time-memory tradeoff algorithm to crack hashes.

Password Cracking Tool for Mobile: FlexiSPY Password Grabber

  • It captures the security pattern used to access the phone, cracks the passcode used to unlock the iPhone, and grabs the actual passwords used for social messaging.
  • It allows you to login to their Facebook, Skype, Twitter, Pinterest, LinkedIn, GMail and other Email accounts directly from your own computer.

How to Defend against Password Cracking

  • Enable information security audit to monitor and track password attacks.
  • Do not use the same password during password change.
  • Do not share passwords.
  • Do not use passwords that can be found in a dictionary.
  • Do not use cleartext protocols and protocols with weak encryption.
  • Set the password change policy to 30 days.
  • Avoid storing passwords in an unsecured location.
  • Do not use any system’s default passwords.
  • Make passwords hard to guess by using 8-12 alphanumeric characters in combination of uppercase and lowercase letters, numbers, and symbols.
  • Ensure that applications neither store passwords in memory nor write them to disk in clear text.
  • Use a random string (salt) as prefix or suffix with the password before encrypting.
  • Enable SYSKEY with strong password to encrypt and protect the SAM database.
  • Never use passwords such as date of birth, spouse, or child’s or pet’s name.
  • Monitor the server’s logs for brute force attacks on user accounts.
  • Lock out an account subjected to too many incorrect password guesses.
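The last two countermeasures (monitor logs for brute force, lock out accounts after too many failures) are the kind of thing a SOC writes as a detection rule. The example below is added here for illustration; it is not from the course material and the log lines are constructed in a simple key=value format rather than taken from any real system. It applies a sliding-window count per account, and also a per-source count of distinct accounts, because spreading one guess across many accounts (password spraying) stays under a per-account lockout threshold:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not from any real system). One event per line:
#   <ISO timestamp> result=<FAIL|OK> user=<account> src=<client IP>
SAMPLE_LOG = """\
2024-05-01T09:00:01 result=FAIL user=alice src=10.0.0.5
2024-05-01T09:00:02 result=FAIL user=alice src=10.0.0.5
2024-05-01T09:00:03 result=FAIL user=alice src=10.0.0.5
2024-05-01T09:00:04 result=FAIL user=alice src=10.0.0.5
2024-05-01T09:00:05 result=FAIL user=alice src=10.0.0.5
2024-05-01T09:00:06 result=OK user=alice src=10.0.0.5
2024-05-01T09:00:10 result=FAIL user=bob src=10.0.0.9
2024-05-01T09:30:10 result=FAIL user=bob src=10.0.0.9
2024-05-01T10:00:10 result=FAIL user=bob src=10.0.0.9
2024-05-01T10:30:10 result=FAIL user=bob src=10.0.0.9
2024-05-01T11:00:10 result=FAIL user=bob src=10.0.0.9
2024-05-01T12:00:00 result=FAIL user=carol src=10.0.0.77
2024-05-01T12:00:05 result=FAIL user=dave src=10.0.0.77
2024-05-01T12:00:10 result=FAIL user=erin src=10.0.0.77
"""

LINE_RE = re.compile(r"^(\S+) result=(FAIL|OK) user=(\S+) src=(\S+)$")

def parse_events(lines):
    """Yield (timestamp, result, user, src) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts with >= threshold failed logons inside a sliding time window.
    Returns {user: {"count", "first", "last", "src"}} for the moment each account first trips."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, result, user, src in parse_events(lines):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"count": len(q), "first": q[0], "last": ts, "src": src}
    return alerts

def detect_spraying(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag source addresses that fail against >= threshold *distinct* accounts in the window."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, result, user, src in parse_events(lines):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= threshold and src not in alerts:
            alerts[src] = {"accounts": sorted(users), "first": q[0][0], "last": ts}
    return alerts

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(detect_bruteforce(lines))
    print(detect_spraying(lines))
```

In the sample, alice trips the per-account rule (five failures in four seconds), while bob's five failures spaced thirty minutes apart stay under a five-minute window; widening the window catches bob but raises the false-positive rate, which is the usual tuning trade-off. The spraying rule is what catches the third source, which never fails twice against the same account.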

5.2 Escalating Privileges

Privilege Escalation

  • An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges.
  • The attacker performs a privilege escalation attack, which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications.
  • These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.
  • Types of Privilege Escalation:
    • Vertical Privilege Escalation:
      • Refers to gaining higher privileges than the existing
    • Horizontal Privilege Escalation:
      • Refers to acquiring the same level of privileges that has already been granted, but assuming the identity of another user with similar privileges.
  • User -> Admin:
    1. passwd (AD GPP credentials obtained from the local network)
    2. vulnerability
    3. Weak permission: Service, File
    4. DLL Hijacking
  • Admin -> Others/System:
    1. PtH
    2. Install Service (sc)
    3. (Access) Token Kidnapping
    4. Process Hijacking (RunFromProcess)
      • Of these, 1, 3 and 4 leave no log.

Privilege Escalation Using DLL Hijacking

  • Most Windows applications do not use a fully qualified path when loading an external DLL; instead they first search the directory from which the application was loaded.
  • If attackers can place a malicious DLL in the application directory, it will be loaded in place of the real DLL.

Resetting Passwords Using Command Prompt

  • If attacker succeeds in gaining administrative privileges, he/she can reset the passwords of any other non-administrative accounts using command prompt.
  • Open the command prompt, type net user command and press Enter to list out all the user accounts on target system.
  • Now type net user useraccountname * and press Enter, useraccountname is account name from list.
  • Type the new password to reset the password for specific account.

Privilege Escalation Tool: Active@ Password Changer

  • Active@ Password Changer resets local administrator and user passwords.

Cracking the SAM with physical access

Privilege Escalation Tools (important)

  • Offline NT Password & Registry Editor

Linux: chntpw

How to Defend Against Privilege Escalation

  • Restrict the interactive logon privileges.
  • Use encryption technique to protect sensitive data.
  • Run users and applications on the least privileges.
  • Reduce the amount of code that runs with particular privilege.
  • Implement multi-factor authentication and authorization.
  • Perform debugging using bounds checkers and stress tests.
  • Run services as unprivileged accounts.
  • Test operating system and application coding errors and bugs thoroughly.
  • Implement a privilege separation methodology to limit the scope of programming errors and bugs.
  • Patch the systems regularly.

5.3 Executing Applications

Executing Applications

  • Attackers execute malicious applications in this stage. This is called “owning” the system.
  • Attacker executes malicious programs remotely in the victim’s machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install backdoor to maintain easy access, etc.

Executing Application Tools

  • RemoteExec:
    • RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network.
    • It allows attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders.
  • PDQ Deploy:
    • PDQ Deploy is a software deployment tool that allows admins to silently install almost any application or patch.
  • DameWare Remote Support:
    • DameWare Remote Support lets you manage servers, notebooks, and laptops remotely.
    • It allows an attacker to remotely manage and administer Windows computers.

Keylogger

  • Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, log them to a file, or transmit them to a remote location.
  • Legitimate uses of keyloggers include office and industrial settings, where employers monitor employees’ computer activity, and home environments, where parents monitor and spy on their children’s activity.
  • It allows attacker to gather confidential information about victim such as email ID, passwords, banking details, chat room activity, IRC, instant messages, etc.
  • Physical keyloggers are placed between the keyboard hardware and the operating system.

Types of Keystroke Loggers

  • Keystroke Loggers:
    • Hardware Keystroke Loggers:
      • PC/BIOS Embedded
      • Keylogger Keyboard
      • External Keylogger:
        • Wi-Fi Keylogger
        • Bluetooth Keylogger
        • Acoustic/CAM Keylogger
        • PS/2 and USB Keylogger
    • Software Keystroke Loggers:
      • Application Keylogger
      • Kernel Keylogger
      • Hypervisor-based Keylogger
      • Form Grabbing Based Keylogger

Hardware Keyloggers

Keylogger: All In One Keylogger

  • All In One Keylogger allows you to secretly track all activities of all computer users and automatically receive the logs at a chosen email/FTP/LAN account.

Keyloggers for Windows

keylogger for Mac: Amac Keylogger for Mac

  • Amac Keylogger for Mac invisibly records all keystrokes typed, IM chats, and websites visited, takes screenshots, and sends all reports to the attacker by email or uploads everything to the attacker’s website.

Spyware

  • Spyware is a program that records a user’s interaction with the computer and the Internet without the user’s knowledge and sends the recordings to remote attackers.
  • Spyware hides its process, files, and other objects in order to avoid detection and removal.
  • It is similar to a Trojan horse, and is usually bundled as a hidden component of freeware programs available for download on the Internet.
  • It allows the attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.
  • Spyware Propagation:
    • Drive-by download
    • Masquerading as anti-spyware
    • Web browser vulnerability exploits (IE)
    • Piggybacked software installation
    • Browser add-ons (Firefox)
    • Cookies

Spywares

  • Spytech SpyAgent:
    • Spytech SpyAgent allows you to monitor everything users do on your computer.
    • It provides a large array of essential computer monitoring features, website, application, and chat client blocking, lockdown scheduling, and remote delivery of logs via email or FTP.
  • Power Spy 2014:
    • Power Spy secretly monitors and records all activities on your computer.
    • It records all Facebook use, keystrokes, emails, web sites visited, chats, and IMs in Windows Live Messenger, Skype, Yahoo Messenger, Tencent QQ, Google Talk, AOL Instant Messenger (AIM), and others.

USB Spyware: USBSpy

  • USBSpy lets you capture, display, record, and analyze the data that is transferred between any USB device connected to the PC and applications.

Audio Spyware: Spy Voice Recorder and Sound Snooper

  • Spy Voice Recorder:
    • Spy Voice Recorder records voice chat message of instant messengers, including MSN voice chat, Skype voice chat, Yahoo! messenger voice chat, ICQ voice chat, QQ voice chat, etc.
  • Sound Snooper:
    • Voice activated recording
    • Store records in any sound format
    • Conference recordings
    • Radio broadcasts logging

Video Spyware: WebCam Recorder

Cellphone Spyware: Mobile Spy

  • Mobile Spy records GPS locations and every SMS, logs every call including phone numbers and durations, and afterwards lets you view the real-time results in your private online account.

Telephone/Cellphone Spyware

GPS Spyware: SPYPhone

  • SPYPhone software has the ability to send events (captured data) from the target phone to your web account via Wi-Fi, 3G, GPRS, or SMS.

How to Defend Against Keyloggers

  • Use pop-up blocker.
  • Install anti-spyware/antivirus programs and keep the signatures up to date.
  • Install good professional firewall software and anti-keylogging software.
  • Recognize phishing emails and delete them.
  • Choose new passwords for different online accounts and change them frequently.
  • Avoid opening junk emails.
  • Do not click on links in unwanted or doubtful emails that may point to malicious sites.
  • Use keystroke interference software, which inserts randomized characters into every keystroke.
  • Scan the files before installing them on to the computer and use registry editor or process explorer to check for the keystroke loggers.
  • Keep your hardware systems secure in a locked environment and frequently check the keyboard cables for the attached connectors.
  • Use Windows on-screen keyboard accessibility utility to enter the password or any other confidential information.
  • Install a host-based IDS, which can monitor your system and disable the installation of keyloggers.
  • Use automatic form-filling programs or virtual keyboard to enter user name and password.
  • Use software that frequently scans and monitors the changes in the system or network.
  • Hardware Keylogger Countermeasures:
    • Restrict physical access to sensitive computer systems
    • Periodically check all the computers and check whether there is any hardware device connected to the computer
    • Use encryption between the keyboard and its driver
    • Use an anti-keylogger that detects the presence of a hardware keylogger such as Oxynger KeyShield

Q1) Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. How will you defend against hardware keyloggers when using public computers and Internet Kiosks?

  • Alternate between typing the login credentials and typing characters somewhere else in the focus window
  • Type a wrong password first, later type the correct password on the login page, defeating the keylogger recording
  • Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter.
  • The next key typed replaces the selected text portion. E.g. if the password is “secret”, one could type “s”, then some dummy keys “asdfsd”. Then these dummies could be selected with the mouse, and the next character from the password, “e”, is typed, which replaces the dummies “asdfsd”

Q2) Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products?

  1. Covert keylogger
  2. Stealth keylogger
  3. Software keylogger
  4. Hardware keylogger

A2) As the hardware keylogger never interacts with the Operating System it is undetectable by anti-virus or anti-spyware products.

Q3) What is necessary in order to install a hardware keylogger on a target system?

  1. The IP address of the system
  2. The Administrator username and password
  3. Physical access to the system
  4. Telnet access to the system

A3) A hardware keylogger is an adapter that connects the keyboard to the PC. A hacker needs physical access to the PC in order to plug in the hardware keylogger.

Q4) Which of the following attacks can be perpetrated by a hacker against an organization with weak physical security controls?

  1. Denial of service
  2. Radio frequency jamming
  3. Hardware keylogger
  4. Banner grabbing

A4) A hardware keylogger can be installed to capture passwords or other confidential data once a hacker gains physical access to a client system.

Q5) Keyloggers are a form of _.

  1. Spyware
  2. Shoulder surfing
  3. Trojan
  4. Social engineering

A5) Keyloggers are a form of hardware or software spyware installed between the keyboard and operating system.

Q6) What is not a benefit of hardware keyloggers?

  1. Easy to hide
  2. Difficult to install
  3. Difficult to detect
  4. Difficult to log

A6) Hardware keyloggers are not difficult to install on a target system.

Anti-Keylogger: Zemana AntiLogger

  • Zemana AntiLogger eliminates threats from keyloggers, SSL banker Trojans, spyware, and more.

How to Defend Against Spyware

  • Try to avoid using any computer system which is not totally under your control.
  • Adjust browser security settings to medium or higher for Internet zone.
  • Be cautious about suspicious emails and sites.
  • Enhance the security level of the computer.
  • Update the software regularly and use a firewall with outbound protection.
  • Regularly check task manager report and MS configuration manager report.
  • Update virus definition files and scan the system for spyware regularly.
  • Install and use anti-spyware software.
  • Perform web surfing safely and download cautiously.
  • Do not use administrative mode unless it is necessary.
  • Do not use public terminals for banking and other sensitive activities.
  • Do not download free music files, screensavers, or smiley faces from Internet.
  • Beware of pop-up windows or web pages. Never click anywhere on these windows.
  • Carefully read all disclosures, including the license agreement and privacy statement before installing any application.
  • Do not store personal information on any computer system that is not totally under your control.

Anti-Spyware: SUPERAntiSpyware

  • Identifies potentially unwanted programs and securely removes them.
  • Detects and removes spyware, adware, malware, Trojans, dialers, worms, keyloggers, hijackers, parasites, rootkits, rogue security products and many other types of threats.

5.4 Hiding Files

Rootkits

  • Rootkits are programs that hide their presence as well as the attacker’s malicious activities, granting the attacker full access to the server or host now and in the future.
  • Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system by causing malicious functions to be executed.
  • A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
  • Attacker places a rootkit by:
    • Scanning for vulnerable computers and servers on the web.
    • Wrapping it in a special package like games.
    • Installing it on the public computers or corporate computers through social engineering.
    • Launching zero day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)
  • Objectives of rootkit:
    • To root the host system and gain remote backdoor access.
    • To mask attacker tracks and presence of malicious applications or processes.
    • To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access.
    • To store other malicious programs on the system and act as a server resource for bot updates.

Types of Rootkits

  • Hypervisor Level Rootkit: Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.
    • Uses CPU virtualization extensions such as Intel VT and AMD-V
    • Example: Blue Pill Rootkit
  • Hardware/Firmware Rootkit: Hides in hardware devices or platform firmware which is not inspected for code integrity.

EFI

  • Kernel Level Rootkit: Adds malicious code or replaces original OS kernel and device driver codes.

Example: Bootkit

  • Boot Loader Level Rootkit: Replaces the original boot loader with one controlled by a remote attacker.
  • Application Level Rootkit: Replaces regular application binaries with fake Trojan, or modifies the behavior of existing applications by injecting malicious code.
  • Library Level Rootkits: Replaces original system calls with fake ones to hide information about the attacker.

How Rootkit Works

  • Ways to check whether a file exists:
    • Explorer
    • Netstat
    • TaskMgr

Example for XP: hxdef cannot be seen while the system is powered on; you have to power it off and use memory forensics to see it.

Rootkit Examples

  • Avatar:
    • Avatar rootkit runs in the background and gives remote attackers access to an infected PC.
    • It uses a driver infection technique twice: the first in the dropper so as to bypass detections by HIPS, and the second in the rootkit driver for surviving after system reboot.
    • The infection technique is restricted in its capability (by code signing policy for kernel-mode modules) and it works only on x86 systems.
  • Necurs:
    • Necurs contains backdoor functionality, allowing remote access and control of the infected computer.
    • It monitors and filters network activity and has been observed to send spam and install rogue security software.
    • It enables further compromise by providing the functionality to:
      • Download additional malware
      • Hide its components
      • Stop security applications from functioning
  • Azazel:
    • Azazel is a userland rootkit written in C, based off of the original LD_PRELOAD technique from the Jynx rootkit.
  • ZeroAccess:
    • ZeroAccess is a kernel-mode rootkit which uses advanced techniques to hide its presence.
    • It is capable of functioning on both 32- and 64-bit flavors of Windows from a single installer and acts as a sophisticated delivery platform for other malware.
    • If running under 32-bit Windows, it will employ its kernel-mode rootkit. The rootkit’s purpose is to:
      • Hide the infected driver on the disk
      • Enable read and write access to the encrypted files
      • Deploy self defense
    • The payload of ZeroAccess is to connect to a peer-to-peer botnet and download further files.

Detecting Rootkits

  • Integrity-Based Detection: It compares a snapshot of the file system, boot records, or memory with a known trusted baseline.
  • Signature-Based Detection: This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.
  • Heuristic/Behavior-Based Detection: Any deviations in the system’s normal activity or behavior may indicate the presence of rootkit.
  • Runtime Execution Path Profiling: This technique compares runtime execution paths of all system processes and executable files before and after the rootkit infection.
  • Cross View-Based Detection: Enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the common APIs. Any discrepancies between these two data sets indicate the presence of rootkit.
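Integrity-based detection, the first technique in the list above, is simple enough to show end to end. The following is an added example written for these notes (not code from the course or from any anti-rootkit product); it builds a SHA-256 baseline of every file under a directory, then compares a later snapshot against it and reports added, removed and modified files. The directory tree and the "tampering" are constructed in a temporary directory so the script runs stand-alone:

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Hex SHA-256 of a file, read in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def compare(baseline, current):
    """Report files that were added, removed, or whose contents changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: snapshot a tiny 'system', tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        before = take_baseline(root)     # trusted baseline, taken while the system is known clean

        # Simulated rootkit-style tampering (constructed for this example):
        (root / "bin" / "ls").write_bytes(b"trojaned ls that hides attacker files")
        (root / "bin" / "evil.ko").write_bytes(b"new kernel module")
        (root / "hosts").unlink()
        after = take_baseline(root)
        return compare(before, after)

if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the baseline must be stored off the box (or on read-only media), and the comparison must be run from a trusted environment, because a kernel rootkit that hooks file reads can feed the original bytes back to the hashing tool while serving the modified binary to everything else; that blind spot is exactly what cross-view detection addresses.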

Steps for Detecting Rootkits

  1. Run “dir /s /b /ah” and “dir /s /b /a-h” inside the potentially infected OS and save the results.
  2. Boot into a clean CD, run “dir /s /b /ah” and “dir /s /b /a-h” on the same drive and save the results.
  3. Run a clean version of WinDiff on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside)

Note: There will be some false positives. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
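The three steps above are a cross-view comparison done by hand with WinDiff. As an added example for these notes (not the course's own tooling), the script below does the same comparison on two constructed `dir /s /b` listings: the "inside" view from the live OS and the "outside" view of the same volume after booting clean media. It strips the drive letter (the volume usually mounts under a different letter from the clean boot), folds case, and reports entries that only the outside view can see, plus the inside-only entries that the note above warns are likely false positives. The file names in the listings are invented placeholders, not indicators from any real infection:

```python
import re

# Constructed listings in the format `dir /s /b` produces (not taken from any real machine).
# "Inside" view: run on the live, possibly infected OS, where the volume is C:.
SAMPLE_INSIDE = r"""
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\kernel32.dll
c:\Windows\Temp\session.tmp
C:\Users\alice\notes.txt
"""

# "Outside" view: the same volume listed after booting clean media, where it appears as D:.
# The two extra entries stand in for files a rootkit hides from the live OS (placeholder names).
SAMPLE_OUTSIDE = r"""
D:\Windows\System32\drivers\ntfs.sys
D:\Windows\System32\drivers\hidden_rootkit.sys
D:\Windows\System32\kernel32.dll
D:\Users\alice\notes.txt
D:\Users\alice\AppData\Local\Temp\rk_loader.exe
"""

DRIVE_RE = re.compile(r"^[A-Za-z]:")

def normalize(listing):
    """Turn a dir listing into a set of comparable paths: drop the drive letter (it differs
    between the two boots), lowercase (NTFS paths are case-insensitive), use '/' separators."""
    paths = set()
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        paths.add(DRIVE_RE.sub("", line).replace("\\", "/").lower())
    return paths

def cross_view_diff(inside, outside):
    """Files visible only from outside are hidden from the live OS (rootkit candidates);
    files visible only inside were created at runtime and are the expected false positives."""
    i, o = normalize(inside), normalize(outside)
    return {"hidden_from_live_os": sorted(o - i), "inside_only": sorted(i - o)}

if __name__ == "__main__":
    for key, entries in cross_view_diff(SAMPLE_INSIDE, SAMPLE_OUTSIDE).items():
        print(key)
        for e in entries:
            print("   ", e)
```

Run the two `dir` commands from the note above into files, read them in place of the constructed strings, and triage the `hidden_from_live_os` list first; as the note says, this does not catch anything hidden in firmware, bad sectors or alternate data streams, since those never appear in a directory listing.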

How to Defend against Rootkits

  • Reinstall OS/applications from a trusted source after backing up the critical data.
  • Well-documented automated installation procedures need to be kept.
  • Perform kernel memory dump analysis to determine the presence of rootkits.
  • Harden the workstation or server against the attack.
  • Educate staff not to download any files/programs from untrusted sources.
  • Install network and host-based firewalls.
  • Ensure the availability of trusted restoration media.
  • Update and patch operating systems and applications.
  • Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies.
  • Update antivirus and anti-spyware software regularly.
  • Avoid logging in an account with administrative privileges.
  • Adhere to the least privilege principle.
  • Ensure the chosen antivirus software possesses rootkit protection.
  • Do not install unnecessary applications and also disable the features and services not in use.

Anti-Rootkits

  • Stinger: Stinger scans rootkits, running processes, loaded modules, registry and directory locations known to be used by malware on the machine.
  • UnHackMe: UnHackMe detects and removes malicious programs (rootkits/malware/adware/spyware/Trojans)
  • GMER: GMER is an application that detects and removes rootkits. (A very strong anti-rootkit.)

Q1) A rootkit is a collection of tools (programs) that enable administrator-level access to a computer. This program hides itself deep into an operating system for malicious activity and is extremely difficult to detect. The malicious software operates in a stealth fashion by hiding its files, processes and registry keys and may be used to create a hidden directory or folder designed to keep out of view from a user’s operating system and security software.

  1. User level privileges
  2. Ring 3 Privileges
  3. System level privileges
  4. Kernel level privileges

Q2) Which of the following are valid types of rootkits? (Choose three.)

  1. Hypervisor level
  2. Network level
  3. Kernel level
  4. Application level
  5. Physical level
  6. Data access level

Q3) How can a rootkit bypass Windows 7 operating system’s kernel mode, code signing policy?

  1. Defeating the scanner from detecting any code change at the kernel
  2. Replacing patch system calls with its own version that hides the rootkit (attacker’s) actions
  3. Performing common services for the application process and replacing real applications with fake ones
  4. Attaching itself to the master boot record in a hard drive and changing the machine’s boot sequence/options

Q4) Which of the following is the primary objective of a rootkit?

  1. It opens a port to provide an unauthorized service
  2. It creates a buffer overflow
  3. It replaces legitimate programs
  4. It provides an undocumented opening in a program

A4) Actually the objective of the rootkit is more to hide the fact that a system has been compromised, and the normal way to do this is by exchanging, for example, ls for a version that doesn’t show the files and processes implanted by the attacker.

Q5) _ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

  1. Trojan
  2. RootKit
  3. DoS tool
  4. Scanner
  5. Backdoor

A5) Rootkits are tools that can hide processes from the process list, can hide files and registry entries, and intercept keystrokes.

Q6) What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

  1. Copy the system files from a known good system
  2. Perform a trap and trace
  3. Delete the files and try to determine the source
  4. Reload from a previous backup
  5. Reload from known good media

A6) If a rootkit is discovered, you will need to reload from known good media. This typically means performing a complete reinstall.

Q7) What is a rootkit?

  1. A simple tool to gain access to the root of the Windows system
  2. A Trojan that sends information to an SMB relay
  3. An invasive program that affects the system files, including the kernel and libraries
  4. A tool to perform a buffer overflow

A7) A rootkit is a program that modifies the core of the operating system: the kernel and libraries.

Q8) What type of attack can be disguised as an LKM?

  1. DoS
  2. Trojan
  3. Spam virus
  4. Rootkit

A8) A rootkit can be disguised as an LKM.

Q9) What type of rootkit will patch, hook, or replace the version of system call in order to hide information?

  1. Library level rootkits
  2. Kernel level rootkits
  3. System level rootkits
  4. Application level rootkits

A9) Library level rootkits is the correct answer. Kernel level focuses on replacing specific code, while application level will concentrate on modifying the behavior of the application or replacing application binaries. The type, system level, does not exist for rootkits.

Q10) What is the most dangerous type of rootkit?

  1. Kernel level
  2. Library level
  3. System level
  4. Application level

A10) A kernel-level rootkit is the most dangerous because it infects the core of the system.

NTFS Data Stream

  • NTFS Alternate Data Stream (ADS) is a Windows hidden stream which contains metadata for the file such as attributes, word count, author name, and access and modification time of the files.
  • ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities.
  • ADS allows an attacker to inject malicious code in files on an accessible system and execute them without being detected by the user.

How to Create NTFS Streams

  1. Launch c:\>notepad myfile.txt:lion.txt, Click ‘Yes’ to create the new file, enter some data and Save the file.
  2. Launch c:\>notepad myfile.txt:tiger.txt, Click ‘Yes’ to create the new file, enter some data and Save the file.
  3. View the file size of myfile.txt (It should be zero)
  4. To view or modify the stream data hidden in step 1 and 2, use the following commands respectively:
    • notepad myfile.txt:lion.txt
    • notepad myfile.txt:tiger.txt
  • Multiple Stream File System:
    • File, Record:
      • Data
      • ADS, …, …, … (multiple entries)
  • To list NTFS hidden streams: dir /r

NTFS Stream Manipulation

  • To move the contents of Trojan.exe to Readme.txt (stream):
    • C:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exe
  • To create a link to the Trojan.exe stream inside the Readme.txt file:
    • C:\>mklink backdoor.exe Readme.txt:Trojan.exe
  • To execute the Trojan.exe inside the Readme.txt (stream), type:
    • C:\>backdoor

wmic

How to Defend against NTFS Streams

  • To delete NTFS streams, move the suspected files to FAT partition.
  • Use third-party file integrity checker such as Tripwire to maintain integrity of an NTFS partition files.
  • Use programs such as LADS and ADSSpy to detect streams.
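
An added detection example for the stream creation and manipulation steps above (not course material or the code of any tool named here): it parses the output of `dir /r`, which prints each named stream on its own indented line as `<size> <file>:<stream>:$DATA`, and triages the streams. The listing is constructed to mirror the myfile.txt / Readme.txt examples; the stream sizes, the setup.exe entry and the triage rule (executable extension inside a document's stream) are assumptions. `Zone.Identifier` is the mark-of-the-web stream browsers and mail clients write on downloads and is treated as benign.

```python
"""Parse `dir /r` output to find NTFS Alternate Data Streams (added example,
not course material).

`dir /r` lists every named stream of a file on an indented line of the form
    <size> <file>:<stream>:$DATA
The listing below is constructed to look like the notes' myfile.txt / Readme.txt
examples; sizes, the setup.exe entry and the triage rule are assumptions.
"""
import re
from typing import Dict, List

# Constructed `dir /r` listing (not real system output).
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is ABCD-1234

 Directory of C:\\lab

03/12/2024  10:15 AM    <DIR>          .
03/12/2024  10:15 AM    <DIR>          ..
03/12/2024  10:20 AM                 0 myfile.txt
                                    12 myfile.txt:lion.txt:$DATA
                                    15 myfile.txt:tiger.txt:$DATA
03/12/2024  10:22 AM            14,336 Readme.txt
                                73,802 Readme.txt:Trojan.exe:$DATA
03/12/2024  10:30 AM            51,200 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               3 File(s)         65,536 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# Stream lines carry no date/time: only size, then file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Extensions that have no business living inside a data stream of a document.
EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_streams(listing: str) -> List[Dict[str, object]]:
    """Return one record per alternate data stream found in the listing."""
    streams = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append({"file": m.group(2), "stream": m.group(3), "size": size})
    return streams


def classify(stream: Dict[str, object]) -> str:
    """Triage: 'benign' (mark-of-the-web), 'executable' (payload-like), or 'review'."""
    name = str(stream["stream"])
    if name == "Zone.Identifier":
        return "benign"          # written by browsers/mail clients on download
    if name.lower().endswith(EXECUTABLE_EXT):
        return "executable"      # the Readme.txt:Trojan.exe pattern from the notes
    return "review"              # unknown content, inspect manually


def report(listing: str) -> Dict[str, List[str]]:
    """Group 'file:stream' names by triage class."""
    out: Dict[str, List[str]] = {"benign": [], "executable": [], "review": []}
    for s in parse_streams(listing):
        out[classify(s)].append(f"{s['file']}:{s['stream']}")
    return out


if __name__ == "__main__":
    for cls, names in report(SAMPLE_DIR_R).items():
        print(cls, names)
```

On a live system the same data is available without parsing text: PowerShell's `Get-Item -Path <file> -Stream *` enumerates a file's streams directly, and the triage rule above applies unchanged.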

NTFS Stream Detector: StreamArmor

  • Stream Armor discovers hidden Alternate Data Streams (ADS) and cleans them completely from the system.

NTFS Stream Detectors

What is Steganography?

  • Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data.
  • Utilizing a graphic image as a cover is the most popular method to conceal the data in files.
  • Attacker can use steganography to hide messages such as list of the compromised servers, source code for the hacking tool, plans for future attacks, etc.

S-Tools

Classification of Steganography

  • Technical Steganography
  • Linguistic Steganography:
    • Semagrams:
      • Visual Semagram
      • Text Semagrams
    • Open Codes:
      • Covered Ciphers:
        • Null Cipher
        • Grille Cipher
      • Jargon Code

Types of Steganography based on Cover Medium

  • Image Steganography
  • Document Steganography
  • Folder Steganography
  • Video Steganography
  • Audio Steganography
  • White Space Steganography: In white space steganography, the user hides the message in ASCII text by adding white space to the end of the lines.
  • Web Steganography
  • Spam/Email Steganography
  • DVDROM Steganography
  • Natural Text Steganography: Natural text steganography converts the sensitive information into user-definable free text such as a play.
  • Hidden OS Steganography: Hidden OS steganography is the process of hiding one operating system inside another.
  • C++ Source Code Steganography: In C++ source code steganography, the user hides a set of tools inside source files.

Whitespace Steganography Tool: SNOW

  • The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines.
  • Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers.
  • If the built-in encryption is used, the message cannot be read even if it is detected.

Image Steganography

  • In image steganography, the information is hidden in image files of different formats such as .PNG, .JPG, .BMP, etc.
  • Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by human eyes.
  • Image file steganography techniques:
    • Least Significant Bit Insertion
    • Masking and Filtering
    • Algorithms and Transformation

Least Significant Bit Insertion

  • The right most bit of a pixel is called the Least Significant Bit (LSB).
  • In least significant bit insertion method, the binary data of the message is broken and inserted into the LSB of each pixel in the image file in a deterministic sequence.
  • Modifying the LSB does not result in a noticeable difference because the net change is minimal and can be indiscernible to the human eye.
  • Example: Given a string of bytes
    • (00100111 11101001 11001000) (00100111 11001000 11101001) (11001000 00100111 11101001)
    • The letter “H” is represented by the binary digits 01001000. To hide this “H”, the above stream can be changed to:
      • (00100110 11101001 11001000) (00100110 11001001 11101000) (11001000 00100110 11101001)
    • To retrieve the “H”, combine the LSBs of the first eight bytes: 01001000
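
The walkthrough above, carried out in code as an added example (not course material or the code of any steganography tool). It generalizes the nine-byte case: `lsb_embed` writes the message bits into the low bit of successive bytes of any cover (raw pixel samples of a bitmap, PCM audio samples), `lsb_extract` rebuilds them, and the `*_with_length` pair prefixes a one-byte length so the receiver does not need to know the message size; the length prefix is an assumption of this example, not part of the notes. `NOTES_COVER` and `NOTES_STEGO` are the exact byte strings from the notes.

```python
"""LSB insertion: embed and recover a message in the low bit of each byte
(added example, not course material).

A generic implementation of the "H" walkthrough above. It works on any byte
sequence, not just the nine bytes in the notes, and the *_with_length pair
adds an 8-bit length prefix (an assumption of this example) so the extractor
knows how many bytes to read.
"""
from typing import Iterable


def _bits(data: bytes) -> Iterable[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Replace the LSB of successive cover bytes with the message bits."""
    bits = list(_bits(message))
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover)} bits, message needs {len(bits)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the low bit, then set it
    return bytes(stego)


def lsb_extract(stego: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes of message from the LSBs: eight cover bytes per message byte."""
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (stego[i * 8 + j] & 1)
        out.append(byte)
    return bytes(out)


def embed_with_length(cover: bytes, message: bytes) -> bytes:
    """Prefix a one-byte length so the receiver needs no side channel."""
    if len(message) > 255:
        raise ValueError("one-byte length prefix limits the message to 255 bytes")
    return lsb_embed(cover, bytes([len(message)]) + message)


def extract_with_length(stego: bytes) -> bytes:
    """Read the length byte from the first eight cover bytes, then the message."""
    n = lsb_extract(stego, 1)[0]
    return lsb_extract(stego[8:], n)


# The nine cover bytes given in the notes, and the stego bytes the notes give.
NOTES_COVER = bytes(int(b, 2) for b in
    "00100111 11101001 11001000 00100111 11001000 11101001 11001000 00100111 11101001".split())
NOTES_STEGO = bytes(int(b, 2) for b in
    "00100110 11101001 11001000 00100110 11001001 11101000 11001000 00100110 11101001".split())


def bytes_to_bin(data: bytes) -> str:
    """Render bytes as space-separated 8-bit groups, as the notes do."""
    return " ".join(f"{b:08b}" for b in data)


if __name__ == "__main__":
    stego = lsb_embed(NOTES_COVER, b"H")
    print(bytes_to_bin(stego))      # matches the modified stream in the notes
    print(lsb_extract(stego, 1))    # b'H'
```

Because only the lowest bit of each byte changes, the cover changes by at most one unit per sample, which is why the modification is invisible to the eye; the statistical trace it leaves is what steganalysis (below) looks for.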

Bitmap image

Masking and Filtering

  • Masking and filtering techniques are generally used on 24 bit and grayscale images.
  • The masking technique hides data using a method similar to watermarks on actual paper, and it can be done by modifying the luminance of parts of the image.
  • Masking techniques can be detected with simple statistical analysis but are resistant to lossy compression and image cropping.
  • The information is not hidden in the noise but in the significant areas of the image.

Algorithms and Transformation

  • Another steganography technique is to hide data in the mathematical functions used in compression algorithms.
  • The data is embedded in the cover image by changing the coefficients of a transform of an image.
  • For example, JPEG images use the Discrete Cosine Transform (DCT) technique to achieve image compression.
  • Types of transformation techniques:
    • Fast Fourier transformation
    • Discrete cosine transformation
    • Wavelet transformation

Image Steganography: QuickStego

  • QuickStego hides text in pictures so that only other users of QuickStego can retrieve and read the hidden secret messages.

Image Steganography Tools

Document Steganography: wbStego

Document Steganography Tools

Video Steganography

  • Video steganography refers to hiding secret information into a carrier video file.
  • In video steganography, the information is hidden in video files of different formats such as .AVI, .MPG4, .WMV, etc.
  • Discrete Cosine Transform (DCT) manipulation is used to add secret data at the time of the transformation process of the video.
  • The techniques used in audio and image files are used in video files, as video consists of audio and images.
  • A large number of secret messages can be hidden in video files as every frame consists of images and sound.

Video Steganography Tools

  • OmniHide PRO: OmniHide Pro hides a file within another file. Any file can be hidden within common image/music/video/document formats. The output file would work just as the original source file.
  • Masker: Masker is a program that encrypts your files so that a password is needed to open them, and then it hides files and folders inside of carrier files, such as image files, videos, program or sound files.

Audio Steganography

  • Audio steganography refers to hiding secret information in audio files such as .MP3, .RM, .WAV, etc.
  • Information can be hidden in an audio file by using LSB or by using frequencies that are inaudible to the human ear (>20,000 Hz)
  • Some of the audio steganography methods are echo data hiding, spread spectrum method, LSB coding, tone insertion, phase encoding, etc.

Audio Steganography: DeepSound

  • DeepSound hides secret data into audio files – wave and flac.
  • It enables extracting secret files directly from audio CD tracks.
  • DeepSound might be used as a copyright marking software for wave, flac, and audio CD.
  • It also supports encrypting secret files using AES-256 to improve data protection.

Audio Steganography Tools

Folder Steganography: Invisible Secrets 4

  • Folder steganography refers to hiding secret information in folders.

Folder Steganography Tools

Spam/Email Steganography: Spam Mimic

  • Spam steganography refers to hiding information in spam messages.

Steganography Tools for Mobile Phones

  • Steganography Master
  • Stegais
  • SPY PIX

Steganalysis

  • Steganalysis is the art of discovering, and rendering visible, covert messages hidden using steganography.
  • Challenge of Steganalysis:
    • Suspect information stream may or may not have encoded hidden data.
    • Efficient and accurate detection of hidden content within digital images is difficult.
    • The message might have been encrypted before inserting into a file or signal.
    • Some of the suspect signals or files may have irrelevant data or noise encoded into them.
  • Recovering the hidden content is hard -> go after the source instead:
    • Tools
    • Compare against the original image (but this can only raise suspicion that the image has been tampered with)

Steganalysis Methods/Attacks on Steganography

  • Stego-only: Only the stego object is available for analysis.
  • Known-stego: Attacker has access to the stego algorithm, and both the cover medium and the stego-object.
  • Known-message: Attacker has access to the hidden message and the stego object.
  • Known-cover: Attacker compares the stego-object and the cover medium to identify the hidden message.
  • Chosen-message: This attack generates stego objects from a known message using specific steganography tools in order to identify the steganography algorithms.
  • Chosen-stego: Attacker has access to the stego-object and the stego algorithm.

Detecting Text and Image Steganography

  • Text File:
    • For the text files, the alterations are made to the character positions for hiding the data.
    • The alterations are detected by looking for text patterns or disturbances, language used, and an unusual amount of blank spaces.
  • Image File:
    • The hidden data in an image can be detected by determining changes in size, file format, the last modified timestamp, and the color palette pointing to the existence of the hidden data.
    • Statistical analysis method is used for image scanning.

Detecting Audio and Video Steganography

  • Audio File:
    • Statistical analysis method can be used for detecting audio steganography as it involves LSB modifications.
    • The inaudible frequencies can be scanned for hidden information.
    • The odd distortions and patterns show the existence of the secret data.
  • Video File:
    • Detection of the secret data in video files includes a combination of methods used in image and audio files.
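
Two of the detection ideas above in working form, as an added example (not course material or any detection product's code): the text check looks for the trailing spaces and tabs that the whitespace (SNOW) technique from the earlier section leaves at line ends, and the image/audio check is the chi-square "pairs of values" statistical test, which exploits the fact that replacing LSBs with a random-looking (for example encrypted) bitstream drives the counts of each value pair (2k, 2k+1) towards each other. The sample text, the sample values and both decision thresholds are constructed assumptions, not figures from the notes.

```python
"""Two steganalysis checks for the detection notes above (added example, not
course material).

(1) Text: whitespace steganography (SNOW-style) leaves trailing spaces and tabs
    at line ends, so count the non-empty lines carrying trailing whitespace and
    the lines that mix tabs and spaces there.
(2) Image/audio samples: overwriting LSBs with a random-looking bitstream makes
    the counts of each "pair of values" (2k, 2k+1) converge, which the
    chi-square pairs-of-values test measures.
All sample text and sample values are constructed; the decision thresholds are
illustrative assumptions.
"""
import random
from typing import Dict, List, Sequence

# ---- (1) whitespace steganography indicators --------------------------------

CLEAN_TEXT = "The quarterly report is attached.\nPlease review by Friday.\nThanks,\nLori\n"
# Constructed: each line padded with a space/tab pattern as a whitespace encoder would.
STEGO_TEXT = ("The quarterly report is attached. \t \nPlease review by Friday.\t  \t\n"
              "Thanks, \t\nLori\t \n")


def trailing_whitespace_stats(text: str) -> Dict[str, float]:
    """Count non-empty lines with trailing spaces/tabs and lines mixing both."""
    lines = [ln for ln in text.split("\n") if ln]
    trailing = mixed = 0
    for ln in lines:
        tail = ln[len(ln.rstrip(" \t")):]
        if tail:
            trailing += 1
            if " " in tail and "\t" in tail:
                mixed += 1
    ratio = trailing / len(lines) if lines else 0.0
    return {"lines": len(lines), "trailing": trailing, "mixed": mixed, "trailing_ratio": ratio}


def whitespace_suspicious(text: str, min_ratio: float = 0.5) -> bool:
    """Assumed rule: most lines end in whitespace, or any line mixes tabs and spaces."""
    st = trailing_whitespace_stats(text)
    return st["trailing_ratio"] >= min_ratio or st["mixed"] > 0


# ---- (2) chi-square pairs-of-values test on 8-bit samples -------------------

def chi_square_pairs(samples: Sequence[int]) -> Dict[str, float]:
    """Pearson chi-square over the two cells of each (2k, 2k+1) pair.

    Under LSB replacement both counts share one expectation, so the statistic
    lands near its degrees of freedom (one per non-empty pair).
    """
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2, df = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:                       # empty pairs carry no information
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
            df += 1
    return {"chi2": chi2, "df": df, "ratio": chi2 / df if df else 0.0}


def lsb_randomized(samples: Sequence[int], max_ratio: float = 2.0) -> bool:
    """Assumed rule: chi2 within 2x of its degrees of freedom means the LSBs look replaced."""
    return chi_square_pairs(samples)["ratio"] <= max_ratio


def constructed_samples(n: int = 20000, seed: int = 7) -> Dict[str, List[int]]:
    """Build a 'cover' with an uneven pair distribution (the asymmetry the test
    relies on) and a 'stego' copy whose LSBs are overwritten with random bits."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < 0.7:          # bias towards even values
            v &= 0xFE
        cover.append(v)
    stego = [(v & 0xFE) | rng.getrandbits(1) for v in cover]
    return {"cover": cover, "stego": stego}


def demo() -> Dict[str, object]:
    """Run both checks on the constructed inputs."""
    s = constructed_samples()
    return {
        "clean_text_suspicious": whitespace_suspicious(CLEAN_TEXT),
        "stego_text_suspicious": whitespace_suspicious(STEGO_TEXT),
        "cover_ratio": chi_square_pairs(s["cover"])["ratio"],
        "stego_ratio": chi_square_pairs(s["stego"])["ratio"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The pairs-of-values test only works when the cover has the uneven pair counts that embedding flattens; on a smooth cover, or when only a fraction of the samples was used, the statistic stays high and the check misses, which is the "efficient and accurate detection is difficult" point in the Steganalysis section.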

Steganography Detection Tool: Gargoyle Investigator Forensic Pro

  • Gargoyle Investigator Forensic Pro provides inspectors with the ability to conduct a quick search on a given computer or machine for known contraband and hostile programs.
  • Its signature set contains over 20 categories, including Botnets, Trojans, Steganography, Encryption, Keyloggers, etc. and helps in detecting stego files created by using BlindSide, WeavWav, S-Tools, etc. steganography tools.

Steganography Detection Tools

Q1) Lori is a Certified Ethical Hacker as well as a Certified Hacking Forensics Investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company.

She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture.

What technique was used by the Kiley Innovators employee to send information to the rival marketing company?

  1. The Kiley Innovators employee used cryptography to hide the information in the emails sent
  2. The method used by the employee to hide the information was logical watermarking
  3. The employee used steganography to hide information in the picture attachments
  4. By using the pictures to hide information,the employee utilized picture fuzzing

Q2) Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company’s largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason’s client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor.

Without any proof, Jason’s company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason’s company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on.

Jason’s supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason’s supervisor opens the picture files, but cannot find anything out of the ordinary with them. What technique has Jason most likely used?

  1. Stealth Rootkit Technique
  2. ADS Streams Technique
  3. Snow Hiding Technique
  4. Image Steganography Technique

Q3) Which Steganography technique uses Whitespace to hide secret messages?

  1. snow
  2. beetle
  3. magnet
  4. cat

Q4) Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?

  1. Image Hide
  2. Snow
  3. Gif-It-Up
  4. NiceText

Q5) You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company’s Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?

  1. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
  2. Package the Sales.xls using Trojan wrappers and telnet them back your home computer
  3. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques
  4. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account

Q6) In which step Steganography fits in CEH System Hacking Cycle (SHC)

  1. Step 2: Crack the password
  2. Step 1: Enumerate users
  3. Step 3: Escalate privileges
  4. Step 4: Execute applications
  5. Step 5: Hide files
  6. Step 6: Cover your tracks

Q7) __ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer

  1. Alternate Data Streams
  2. Merge Streams
  3. Steganography
  4. NetBIOS vulnerability

Q8) Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message, the technique provides ‘security through obscurity’. What technique is Ricardo using?

  1. RSA algorithm
  2. Steganography
  3. Encryption
  4. Public-key cryptography

Q9) What is the process of hiding text within an image called?

  1. Steganography
  2. Encryption
  3. Spyware
  4. Keystroke logging

Q10) What are two methods used to hide files? (Choose all that apply.)

  1. NTFS file streaming
  2. Attrib command
  3. Steganography??? (this one counts too, surely)
  4. Encrypted File System

Q11) To hide information inside a picture, what technology is used?

  1. Rootkits
  2. Bitmapping
  3. Steganography
  4. Image Rendering

A11) Steganography is the right answer and can be used to hide information in pictures, music, or videos.

Q12) What encryption process uses one piece of information as a carrier for another?

  1. Steganography
  2. Hashing
  3. MDA
  4. Cryptointelligence

A12) Steganography is used to conceal information inside of other information, thus making it difficult to detect.

5.5 Covering Tracks

Covering Tracks

  • Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection.
  • Attackers use the following techniques to cover tracks on the target system:
    • Disabling auditing
    • Clearing logs
    • Manipulating logs

Disabling Auditing: Auditpol

  • Intruders will disable auditing immediately after gaining administrator privileges.
  • At the end of their stay, the intruders will just turn on auditing again using auditpol.exe.

Clearing Logs

  • Attacker uses clearlogs.exe utility to clear the security, system, and application logs.
  • If the system is exploited with Metasploit, attacker uses meterpreter shell to wipe out all the logs from a Windows system.

Manually Clearing Event Logs

  • Windows:
    • Navigate to Start > Control Panel > System and Security > Administrative Tools > double click Event Viewer.
    • Delete all the log entries recorded while the system was being compromised.
  • Linux:
    • Navigate to the /var/log directory on the Linux system.
    • Open the plain text log file /var/log/messages with a text editor.
    • Delete all the log entries recorded while the system was being compromised.
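
The defender's view of the auditpol and log-clearing steps above, as an added example (not course material or any SIEM's rules). On Windows the actions leave events of their own: Security event ID 1102 ("The audit log was cleared") and 4719 ("System audit policy was changed", which auditpol policy changes produce while policy-change auditing is on), so the first function flags those. On Linux, removing lines from /var/log/messages leaves a silence between consecutive timestamps that the remaining lines cannot explain, so the second function reports gaps above a threshold. Both inputs are constructed samples; the event field names follow a JSON export of Event Viewer records as an assumption, and the gap threshold is tuned to this sample.

```python
"""Detecting the "disable auditing" and "clear the logs" steps from the
defender's side (added example, not course material).

Windows records the very actions described above: Security event 1102 ("The
audit log was cleared") and 4719 ("System audit policy was changed", produced
by auditpol changes when policy-change auditing is on). On Linux, deleting
lines from /var/log/messages leaves a hole between consecutive syslog
timestamps. Both inputs below are constructed samples, not real logs; the
event records use the field names of an Event Viewer JSON export as an
assumption.
"""
from datetime import datetime
from typing import Dict, List

AUDIT_TAMPER_IDS = {
    1102: "audit log cleared",
    4719: "system audit policy changed",
}

# Constructed Security-log records (EventID, TimeCreated, SubjectUserName).
WINDOWS_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-12T09:58:10", "SubjectUserName": "jdoe"},
    {"EventID": 4719, "TimeCreated": "2024-03-12T10:01:42", "SubjectUserName": "jdoe"},
    {"EventID": 4688, "TimeCreated": "2024-03-12T10:05:00", "SubjectUserName": "jdoe"},
    {"EventID": 1102, "TimeCreated": "2024-03-12T11:30:05", "SubjectUserName": "jdoe"},
    {"EventID": 4719, "TimeCreated": "2024-03-12T11:31:00", "SubjectUserName": "jdoe"},
]


def detect_audit_tampering(events: List[Dict]) -> List[str]:
    """One alert per event whose ID is in AUDIT_TAMPER_IDS, oldest first."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        label = AUDIT_TAMPER_IDS.get(ev["EventID"])
        if label:
            alerts.append(f"{ev['TimeCreated']} {ev['SubjectUserName']}: "
                          f"{label} (EventID {ev['EventID']})")
    return alerts


# Constructed /var/log/messages excerpt; the hourly cron lines for 10:55 and 11:55
# are missing, as they would be after someone deleted that period from the file.
SYSLOG_LINES = """\
Mar 12 09:55:01 host CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 09:57:13 host sshd[2244]: Accepted password for jdoe from 192.0.2.10 port 50112 ssh2
Mar 12 12:55:01 host CRON[2810]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 13:07:22 host systemd[1]: Started Daily apt activities.
""".splitlines()


def parse_syslog_time(line: str, year: int) -> datetime:
    """Parse the 'Mon DD HH:MM:SS' prefix of a traditional syslog line (it carries no year)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_log_gaps(lines: List[str], max_gap_minutes: int, year: int = 2024) -> List[Dict[str, str]]:
    """Report pairs of consecutive lines more than max_gap_minutes apart.

    The threshold is an assumption tuned to this sample: a host that logs
    hourly cron runs should never be silent for much longer than an hour.
    """
    gaps = []
    times = [parse_syslog_time(ln, year) for ln in lines]
    for prev, cur, line in zip(times, times[1:], lines[1:]):
        delta = cur - prev
        if delta.total_seconds() > max_gap_minutes * 60:
            gaps.append({"from": prev.isoformat(), "to": cur.isoformat(),
                         "silent_for": str(delta), "resumes_with": line})
    return gaps


if __name__ == "__main__":
    for a in detect_audit_tampering(WINDOWS_EVENTS):
        print("ALERT", a)
    for g in find_log_gaps(SYSLOG_LINES, max_gap_minutes=90):
        print("GAP", g)
```

Neither check helps if the only copy of the log lives on the compromised host, since the attacker can remove the 1102 event or the gap-bounding lines too; forwarding events to a collector the attacker cannot reach is what makes these signals survive.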

Ways to Clear Online Tracks

  • Remove Most Recently Used (MRU), delete cookies, clear cache, turn off AutoComplete, clear Toolbar data from the browsers.
  • Privacy Settings in Windows 8.1:
    • Click on the Start button, choose Control Panel > Appearance and Personalization > Taskbar and Start Menu.
    • Click the Start Menu tab, and then, under Privacy, clear the Store and display recently opened items in the Start menu and the taskbar check box.
  • From the Registry in Windows 8.1:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then remove the key for “Recent Docs”
    • Delete all the values except “(Default)”

Covering Tracks Tools

  • CCleaner:
    • CCleaner is a system optimization and cleaning tool.
    • It cleans traces of temporary files, log files, registry files, memory dumps, and also your online activities such as your Internet history.
  • MRU-Blaster:
    • MRU-Blaster is an application for Windows that allows you to clean the most recently used lists stored on your computer.
    • It allows you to clean out your temporary Internet files and cookies.

5.6 Penetration Testing

Password Cracking

  • Convince people to reveal the confidential information.
  • Load the dictionary file into the cracking application that runs against user accounts.
  • Run a program that tries every combination of characters until the password is broken.
  • Record every keystroke that a user types using keyloggers.
  • Secretly gather personal information about a person or organization using spyware.
  • With the help of a Trojan, get access to the stored passwords in the Trojaned computer.
  • Inject a compromised hash into a local session and use the hash to validate to network resources.
  • Run packet sniffer tools on the LAN to access and record the raw network traffic that may include passwords sent to remote systems.
  • Acquire access to the communication channels between victim and server to extract the information.
  • Use a Sniffer to capture packets and authentication tokens. After extracting relevant info, place back the tokens on the network to gain access.
  • Recover password-protected files using the unused processing power of machines across the network to decrypt password.

Privilege Escalation

  • Use privilege escalation tools such as Active@ Password Changer, Offline NT Password & Registry Editor, Windows Password Reset Kit, Windows Password Recovery Tool, ElcomSoft System Recovery, Trinity Rescue Kit, Windows Password Recovery Bootdisk, etc.

Executing Applications

  • Use keyloggers such as All In One Keylogger, Ultimate Keylogger, Advanced Keylogger, etc.
  • Use spyware such as Spytech SpyAgent, SoftActivity TS Monitor, Spy Voice Recorder, Mobile Spy, SPYPhone, etc.

Hiding Files

  • Try to install rootkit in the target system to maintain hidden access.
  • Perform Integrity Based Detection, Signature Based Detection, Cross View Based Detection, and Heuristic Detection techniques to detect rootkits.
  • Use anti-rootkits such as Stinger, UnHackMe, Virus Removal Tool, Rootkit Buster, etc. to detect rootkits.
  • Use NTFS Alternate Data Stream (ADS) to inject malicious code on a breached system and execute them without being detected by the user.
  • Use NTFS stream detectors such as StreamArmor, ADS Spy, Streams, etc. to detect NTFS-ADS stream.
  • Use steganography techniques to hide secret message within an ordinary message and extract it at the destination to maintain confidentiality of data.
  • Use steganography detection tools such as Gargoyle Investigator Forensic Pro, Xstegsecret, Stego Suite, Stegdetect, etc. to perform steganalysis.

Covering Tracks

  • Remove web activity tracks such as MRU, cookies, cache, temporary files and history.
  • Disable auditing using tool such as Auditpol.
  • Tamper with log files such as event log files, server log files, and proxy log files by log poisoning or log flooding.
  • Use track covering tools such as CCleaner, MRU-Blaster, Wipe, Tracks Eraser Pro, Clear My History, etc.

Module Summary

  • Attackers use a variety of means to penetrate systems, such as:
    • Using password cracking techniques to gain unauthorized access to the vulnerable system.
    • Creating a list (dictionary) of all possible passwords from the information collected through social engineering and performing dictionary, brute force, and rule-based attacks on the victim’s machine to crack the passwords.
    • Performing privilege escalation attacks that take advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications.
    • Executing malicious programs remotely on the victim’s machine to gather information.
    • Using keystroke loggers and spyware to gather confidential information about the victim such as email IDs, passwords, banking details, chat room activity, IRC, instant messages, etc.
    • Using rootkits to hide their presence as well as their malicious activities, which grant them full access to the server or host at that time and also in the future.
    • Using steganography techniques to hide messages such as the list of compromised servers, source code for the hacking tool, communication and coordination channels, plans for future attacks, etc.
  • Once intruders have successfully gained administrator access on a system, they will try to cover the tracks to avoid their detection.