CEH v8 Labs Module 05 System Hacking
System Hacking
System hacking is the science of testing computers and network for vulnerabilities and plug-ins.
Lab Scenario
Password hacking is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it. Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems.
Lab Objectives
The objective of this lab is to help students learn to monitor a system remotely and to extract hidden files and other tasks that include:
Extracting administrative passwords
Hiding files and extracting hidden files
Recovering passwords
Monitoring a system remotely
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Lab Environment
To carry out the lab you need:
A computer running Windows Server 2012
A web browser with an Internet connection
Administrative privileges to run tools
Lab Duration
Time: 100 Minutes
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Tasks
Recommended labs to assist you in system hacking:
Extracting Administrator Passwords Using LCP
Hiding Files Using NTFS Streams
Find Hidden Files Using ADS Spy
Hiding Files Using the Stealth Files Tool
Extracting SAM Hashes Using PWdump7 Tool
Creating the Rainbow Tables Using Winrtgen
Hiding Data Using Snow Steganography
Viewing, Enabling and Clearing the Audit Policies Using Auditpol
User System Monitoring and Surveillance Needs Using Spytech Spy Agent
Web Activity Monitoring and Recording using Power Spy 2013
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on the target's security posture and exposure.
Lab Scenario
Hackers can break weak password storage mechanisms by using cracking methods that are outlined in this chapter. Many vendors and developers believe that passwords are safe from hackers if they don't publish the source code for their encryption algorithms. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge. Password-cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords.
Lab Objectives
The objective of this lab is to help students learn how to crack administrator passwords for ethical purposes. In this lab you will learn how to:
Use an LCP tool
Crack administrator passwords
Lab Environment
To carry out the lab you need:
You can also download the latest version of LCP from the link http://www.lcpsoft.com/english/index.htm
If you decide to download the latest version, then screenshots shown in the lab might differ
Follow the wizard driven installation instructions
Run this tool in Windows Server 2012
Administrative privileges to run tools
TCP/IP settings correctly configured and an accessible DNS server
Lab Duration
Time: 10 Minutes
Overview of LCP
LCP program mainly audits user account passwords and recovers them in Windows 2008 and 2003. General features of this protocol are password recovery, brute force session distribution, account information importing, and hashing. It can be used to test password security, or to recover lost passwords. The program can import from the local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Sniff file. LCP supports dictionary attack, brute force attack, as well as a hybrid of dictionary and brute force attacks.
Lab Tasks
TASK 1: Cracking Administrator Password
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
4. From the menu bar, select Import and then Import from remote computer.
Note: LCP checks the identity of the linked device and either accepts or rejects the peer device, then determines the acceptable packet size for transmission.
Note: Main purpose of LCP program is user account passwords auditing and recovery in Windows.
7. Now select any User Name and click the Play button.
8. This action generates passwords.
FIGURE 1.7: LCP generates the password for the selected username
Lab Analysis
Document all the IP addresses and passwords extracted for respective IP addresses. Use this tool only for training purposes.
Tool/Utility
LCP
Questions
1. What is the main purpose of LCP?
2. How do you continue recovering passwords with LCP?
Lab Scenario
Once the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system that make it easy for the attacker to compromise each system in a short amount of time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and password information. Attackers continue to leverage information on each system until they identify passwords for accounts that reside on highly prized systems including payroll, root domain controllers, and web servers. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using NTFS streams.
Lab Objectives
The objective of this lab is to help students learn how to hide files using NTFS streams.
Use NTFS streams
Hide files
Lab Environment
To carry out the lab you need:
A computer running Windows Server 2008 as virtual machine
Formatted C:\ drive NTFS
Lab Duration
Time: 15 Minutes
NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures.
Lab Tasks
TASK 1: NTFS Streams
1. Run this lab in Windows Server 2008 virtual machine.
2. Make sure the C:\ drive is formatted for NTFS.
3. Create a folder called magic on the C:\ drive and copy calc.exe from C:\windows\system32 to C:\magic.
7. Note the file size of the readme.txt by typing dir in the command prompt.
C:\magic>dir
 Volume in drive C has no label.
 Volume Serial Number is 34C9-D78F

 Directory of C:\magic

09/12/2012  05:39 AM    <DIR>          .
09/12/2012  05:39 AM    <DIR>          ..
01/19/2008  06:51 AM           188,416 calc.exe
09/12/2012  05:40 AM                12 readme.txt
               2 File(s)        188,428 bytes
               2 Dir(s)   4,377,677,824 bytes free

C:\magic>type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe

Note: A stream consists of data associated with a main file or directory (known as the main unnamed stream).
Type dir in command prompt and note the file size of readme.txt.
FIGURE 2.3: Command prompt with executing hidden calc.exe command
10. The file size of the readme.txt should not change. Now navigate to the directory c:\magic and delete calc.exe.
[Screenshot: command prompt with a dir listing of C:\magic taken after the type command; readme.txt is still listed at 12 bytes]
12. Type backdoor, press Enter, and the calculator program will be executed.
Lab Analysis
Document all the results discovered during the lab.
Questions
1. Evaluate alternative methods to hide the other exe files (like calc.exe).
3
Find Hidden Files Using ADS Spy
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with NTFS file systems.
Lab Scenario
Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. In order to be an expert ethical hacker and penetration tester, you must understand how to find hidden files using ADS Spy.
Lab Objectives
The objective of this lab is to help students learn how to list, view, or delete Alternate Data Streams and how to use them. It will teach you how to:
Lab Environment
To carry out the lab you need:
You can also download the latest version of ADS Spy from the link http://www.merijn.nu/programs.php#adsspy
If you decide to download the latest version, then screenshots shown in the lab might differ
Run this tool in Windows Server 2012
Lab Duration
Time: 10 Minutes
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with NTFS file systems. ADS Spy is a method of storing meta-information of files, without actually storing the information inside the file it belongs to.
Lab Tasks
TASK 1: Alternative Data Streams
1.
Note: ADS Spy is a small tool to list, view, or delete Alternate Data Streams (ADS) on Windows 2012 with NTFS file systems.
3. Start an appropriate scan that you need.
4. Click Scan the system for alternate data streams.
Note: ADS are a way of storing metainformation regarding files, without actually storing the information in the file it belongs to, carried over from early MacOS compatibility.
[Screenshot: ADS Spy results after a full scan of all NTFS drives; the list of streams found includes C:\magic\readme.txt : calc.exe (1051648 bytes)]
5. Find the ADS hidden info file while you scan the system for alternative data streams.
Lab Analysis
Document all the results and reports gathered during the lab.
Tool/Utility: ADS Spy
Information Collected/Objectives Achieved:
Scan Option: Full Scan (all NTFS drives)
Output: Hidden files with its location; Hidden files size
Questions
1. Analyze how ADS Spy detects NTFS streams.
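A defender's view of the two NTFS stream labs, as an added example that is not part of the original manual: plain dir hides alternate streams, while dir /r (available since Windows Vista and Server 2008) lists them on indented lines. The Python code below parses saved dir /r output and flags named streams; the listing is constructed from the lab's file names, and the allow-list, extension list and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `dir /r` output (US date format assumed). Plain `dir`
# would print the same listing without the two indented stream lines.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.

 Directory of C:\magic

09/12/2012  05:39 AM    <DIR>          .
09/12/2012  05:39 AM    <DIR>          ..
09/12/2012  05:44 AM                12 readme.txt
                               188,416 readme.txt:calc.exe:$DATA
09/12/2012  06:02 AM             4,096 report.zip
                                    26 report.zip:Zone.Identifier:$DATA
               2 File(s)          4,108 bytes
               2 Dir(s)   4,377,415,680 bytes free
"""

# Assumption: only the mark-of-the-web stream is treated as expected.
BENIGN_STREAMS = {"Zone.Identifier"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Ordinary file entry: date, time, size, name.
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(.+?)\s*$")
# Stream entry: no date or time, only a size and "file:stream:$DATA".
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+([^:]+):([^:]+):\$DATA\s*$")


@dataclass
class StreamFinding:
    path: str                   # full path of the host file
    stream: str                 # name of the alternate stream
    stream_bytes: int           # size of the stream's content
    host_bytes: Optional[int]   # size that plain `dir` reports for the host
    reasons: list               # why the stream deserves a look (empty = benign)


def _size(text: str) -> int:
    return int(text.replace(",", ""))


def find_streams(listing: str) -> list:
    """Return one StreamFinding per alternate stream in a `dir /r` listing."""
    findings, directory, host_sizes = [], "", {}
    for line in listing.splitlines():
        if (m := DIR_LINE.match(line)):
            directory, host_sizes = m.group(1), {}
        elif (m := FILE_LINE.match(line)):
            host_sizes[m.group(2)] = _size(m.group(1))
        elif (m := STREAM_LINE.match(line)):
            size, host, stream = _size(m.group(1)), m.group(2), m.group(3)
            host_bytes = host_sizes.get(host)
            reasons = []
            if stream not in BENIGN_STREAMS:
                reasons.append("named stream not on allow-list")
                if host_bytes is not None and size > host_bytes:
                    reasons.append("stream larger than its host file")
            if stream.lower().endswith(EXECUTABLE_EXT):
                reasons.append("executable-looking stream name")
            findings.append(StreamFinding(f"{directory}\\{host}", stream,
                                          size, host_bytes, reasons))
    return findings


def suspicious(findings: list) -> list:
    """Keep only the streams that carry at least one reason."""
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in suspicious(find_streams(SAMPLE_DIR_R)):
        print(f"{f.path}:{f.stream} ({f.stream_bytes} bytes, host shows "
              f"{f.host_bytes}): {'; '.join(f.reasons)}")
```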
The Windows NT NTFS file system has a feature that is not well documented and is unknown to many NT developers and most users. A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size and there can be more than one stream linked to a normal file. Streams can have any name that complies with NTFS naming conventions. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using the Stealth Files tool. In this lab, discuss how to find hidden files inside of other files using the Stealth Files Tool.
Lab Objectives
The objective of this lab is to teach students how to hide files using the Stealth Files tool. It will teach you how to:
Lab Environment
To carry out this lab you need:
Stealth Files tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Audio Steganography\Stealth Files
A computer running Windows Server 2012 (host machine)
You can also download the latest version of Stealth Files from the link http://www.froebis.com/english/sf40.shtml
If you decide to download the latest version, then screenshots shown in the lab might differ
Administrative privileges to run the Stealth files tool
Run this tool in Windows Server 2012 (Host Machine)
Lab Duration
Time: 15 Minutes
It is an alternative to encryption of files because no one can decrypt the encrypted information or data from the files unless they know that the hidden files exist.
Lab Tasks
TASK 1: Steganography
1. Follow the wizard-driven installation instructions to install Stealth Files Tool.
2. Launch Notepad and write Hello World and save the file as Readme.txt on the desktop.
Note: Stealth Files uses a process called steganography to hide any file or files inside of another file.
3. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
4. Click the Stealth Files 4.0 app to open the Stealth File window.
Note: You can also download Stealth File from http://www.froebis.com.
5. The main window of Stealth Files 4.0 is shown in the following figure.
Note: This is an alternative to encryption because no one can decrypt encrypted information or files unless they know that the hidden files exist.
6. Click Hide Files to start the process of hiding the files.
7. Click Add files.
Note: Before Stealth Files hides a file, it compresses it and encrypts it with a password. Then you must select a carrier file, which is a file that contains the hidden files.
9. In Step 2, choose the carrier file and add the file Readme.txt from the desktop.
10. In Step 3, choose a password such as magic (you can type any desired password).
remove the hidden files from the carrier file by going to Remove Hidden Files and following the instructions
11. Click Hide Files.
12. It will hide the file calc.exe inside the readme.txt located on the desktop.
13. Open the notepad and check the file; calc.exe is copied inside it.
Note: When you are ready to recover your hidden files, simply open them up with Stealth Files, and if you gave the carrier file a password, you will be prompted to enter it again to recover the hidden files.
14. Now open the Stealth files Control panel and click Retrieve Files.
Note: Pictures will still look the same, sound file will still sound the same, and programs will still work fine.
Note: These carrier files will still work perfectly even with the hidden data in them.
FIGURE 4.8: Stealth files main window
15. In Step 1, choose the file (Readme.txt) from desktop in which you have saved the calc.exe.
16. In Step 2, choose the path to store the retrieved hidden file. In the lab the path is desktop.
17. Enter the password magic (the password that is entered to hide the file) and click on Retrieve Files!
Note: This carrier file can be any of these file types: EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files.
Note: You can transfer the carrier file through the Internet, and the hidden files inside will transfer simultaneously.
Lab Analysis
Document all the results and reports gathered during the lab.
Tool/Utility
Stealth Files Tool
Questions
1. Evaluate other alternative parameters for hiding files.
Lab Scenario
Passwords are a big part of this modern generation. You can use the password for your system to protect the business or secret information and you may choose to limit access to your PC with a Windows password. These passwords are an important security layer, but many passwords can be cracked and while that is a worry, this chink in the armour can come to your rescue. The password cracking tools and technologies that allow hackers to steal passwords can also be used to recover them legitimately. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab, we discuss extracting the user login password hashes to crack the password.
Lab Objectives
This lab teaches you how to:
Use the pwdump7 tool
Crack administrator passwords
Lab Environment
To carry out the lab you need:
Run this tool on Windows Server 2012
You can also download the latest version of pwdump7 from the link http://www.tarasco.org/security/pwdump_7/index.html
Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of Pwdump7
Pwdump7 can be used to dump protected files. You can always copy a used file just by executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat.
Lab Tasks
TASK 1: Generating Hashes
1. Open the command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7.
Note: Active directory passwords are stored in the ntds.dit file and currently the stored structure
3. Now type pwdump7.exe and press Enter, which will display all the password hashes.
4. Now type pwdump7.exe > c:\hashes.txt in the command prompt, and press Enter.
This command will copy all the data of pwdump7.exe to the c:\hashes.txt file. (To check the generated hashes you need to navigate to the C: drive.)
[Screenshot: hashes.txt opened in Notepad. Each line has the form user:RID:LM hash:NT hash, with NO PASSWORD followed by asterisks in place of an empty hash; the accounts listed are Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason and Shiela]
Lab Analysis
Analyze all the password hashes gathered during the lab and figure out what the password was.
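An audit pass over a file like hashes.txt, as an added example that is not part of the original manual or of pwdump7: it reads the user:RID:LM:NT::: lines and reports accounts with no NT hash, accounts that still store an LM hash, and groups of accounts sharing one NT hash. The sample lines and their hash values are constructed, the function names are hypothetical, and the two constants are the well-known LM and NT hashes of the empty string.

```python
from collections import defaultdict

EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty string
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty string

# Constructed sample in pwdump layout; none of these hashes come from the lab.
SAMPLE_DUMP = """\
Administrator:500:NO PASSWORD*********************:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1006:NO PASSWORD*********************:0123456789ABCDEF0123456789ABCDEF:::
legacy_app:1018:A1B2C3D4E5F60718A1B2C3D4E5F60718:FEDCBA9876543210FEDCBA9876543210:::
helpdesk:1019:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""


def _normalise(field: str, empty_value: str):
    """Return an upper-case 32-digit hex hash, or None when no hash is set."""
    field = field.strip().upper()
    if not field or field.startswith("NO PASSWORD") or field == empty_value:
        return None
    if len(field) != 32 or any(c not in "0123456789ABCDEF" for c in field):
        raise ValueError(f"not a 32-digit hex hash: {field!r}")
    return field


def parse_pwdump(text: str) -> list:
    """Parse user:RID:LM:NT::: lines; lines of any other shape are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[:4]
        accounts.append({
            "user": user,
            "rid": int(rid),
            "lm": _normalise(lm, EMPTY_LM),
            "nt": _normalise(nt, EMPTY_NT),
        })
    return accounts


def audit(accounts: list) -> dict:
    """Group accounts by the weakness their stored hashes reveal."""
    report = {"no_nt_hash": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for acct in accounts:
        if acct["nt"] is None:
            # Blank or unset password: nothing to crack, the account is open.
            report["no_nt_hash"].append(acct["user"])
        else:
            by_nt[acct["nt"]].append(acct["user"])
        if acct["lm"] is not None:
            # LM storage should be disabled; its presence is itself a finding.
            report["lm_hash_stored"].append(acct["user"])
    # NT hashes are unsalted, so equal hashes mean equal passwords.
    report["shared_nt_hash"] = [u for u in by_nt.values() if len(u) > 1]
    return report


if __name__ == "__main__":
    for finding, users in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{finding}: {users}")
```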
Tool/Utility
PWdump7
Questions
1. What is pwdump7.exe command used for?
2. How do you copy the result of a command to a file?
Lab Scenario
In computer and information security, the use of passwords is essential for users to protect their data and to ensure secured access to their system or machine. As users become increasingly aware of the need to adopt strong passwords, it also brings challenges to protection of potential data. In this lab, we will discuss creating the rainbow table to crack the system users' passwords. In order to be an expert ethical hacker and penetration tester, you must understand how to create rainbow tables to crack the administrator password.
Lab Objectives
The objective of this lab is to help students learn how to create and use a rainbow table to perform system password hacking.
Lab Environment
To carry out the lab, you need:
Winrtgen Tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
A computer running Windows Server 2012
You can also download the latest version of Winrtgen from the link http://www.oxid.it/projects.html
If you decide to download the latest version, then screenshots shown in the lab might differ
Run this tool on Windows Server 2012
Administrative privileges to run this program
Lab Duration
Time: 10 Minutes
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering plaintext passwords, up to a certain length, consisting of a limited set of characters.
Lab Task
TASK 1
Generating Rainbow Table
iii. Select loweralpha from the Charset drop-down list (this depends on the password).
4. Click OK.
Rainbow Table properties (screenshot)
Hash: ntlm
Min Len: 4
Max Len: 9
Charset: abcdefghijklmnopqrstuvwxyz
Key space: 5646683807856 keys
Disk space: 61.03 MB
Success probability: 0.001697 (0.17%)
Benchmark fields (Hash speed, Step speed, Table precomputation time, Total precomputation time, Max cryptanalysis time): no values shown
Creating the hash table will take some time, depending on the selected hash and charset.
Note: To save time for the lab demonstration, the generated hash table is kept in the following folder: D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
You must be careful of your hard disk space. A simple rainbow table for 1-5 alphanumeric characters costs about 613MB of your hard disk.
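The figures in the Winrtgen table properties can be reproduced from the table parameters, which shows why password length and charset decide whether precomputed tables are practical. The following Python sketch is an added example, not part of the lab manual or of Winrtgen; it assumes the loweralpha charset with lengths 4 to 9, the 2400x4000000 chain length and chain count from the table filename in this lab, 16 bytes per stored chain, and Oechslin's estimate for the success probability.

```python
import math
import string

# LOWERALPHA matches the lab's "loweralpha" charset. MIXED is an assumed
# stronger policy (letters, digits, punctuation) added for comparison.
LOWERALPHA = string.ascii_lowercase
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def key_space(charset, min_len, max_len):
    """Number of candidate plaintexts with min_len..max_len characters."""
    n = len(set(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))


def table_bytes(chain_count, bytes_per_chain=16):
    """On-disk size, assuming each chain is stored as an 8-byte start point
    and an 8-byte end point (assumption that matches the 61.03 MB figure)."""
    return chain_count * bytes_per_chain


def success_probability(keys, chain_len, chain_count):
    """Oechslin's estimate of the chance that one table covers a plaintext.

    m is the expected number of distinct values in the current column;
    chain merges make it shrink slightly from column to column.
    """
    m = float(chain_count)
    log_miss = 0.0
    for _ in range(chain_len):
        frac = m / keys
        if frac >= 1.0:          # tiny key space: the table covers everything
            return 1.0
        log_miss += math.log1p(-frac)
        m = keys * -math.expm1(-frac)
    return -math.expm1(log_miss)  # 1 - product of per-column miss chances


def tables_for_coverage(keys, chain_len, chain_count, target=0.99):
    """Independent tables of this size needed to reach the target coverage."""
    p = success_probability(keys, chain_len, chain_count)
    if p <= 0.0:
        raise ValueError("coverage of a single table is too small to estimate")
    if p >= target:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-p))


def report(name, charset, min_len, max_len, chain_len=2400, chain_count=4_000_000):
    """One summary line per password policy."""
    keys = key_space(charset, min_len, max_len)
    p = success_probability(keys, chain_len, chain_count)
    tables = tables_for_coverage(keys, chain_len, chain_count)
    gib = tables * table_bytes(chain_count) / 2 ** 30
    return (f"{name}: key space {keys:.3e}, one table covers {p:.6f}, "
            f"{tables:.3e} tables (~{gib:.3e} GiB) for 99% coverage")


if __name__ == "__main__":
    print(report("loweralpha 4-9", LOWERALPHA, 4, 9))
    print(report("mixed 12 chars", MIXED, 12, 12))
```

The result is close to the 0.001697 shown in the dialog; the small difference comes from the estimate used, since Winrtgen's exact formula is not given in the lab.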
Screenshot: File Explorer view of the Winrtgen folder, containing charset.txt and the generated rainbow table ntlm_loweralpha#4-6_0_2400x4000000_ox... (RT File, 61.0 MB).
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility
Winrtgen
Lab Scenario
Computer passwords are like locks on doors; they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop them. Most computer users do not realize how simple it is to access the login password for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is for someone to gain access to your computer? Windows is still the most popular operating system, and the method used to discover the login password is the easiest. A hacker uses password cracking utilities and cracks your system. That is how simple it is for someone to hack your password. It requires no technical skills, no laborious tasks, only simple words or programs. In order to be an ethical hacker and penetration tester, you must understand how to crack the administrator password. In this lab we discuss how to crack guest users or administrator passwords using RainbowCrack.
Lab Objectives
The objective of this lab is to help students to crack passwords to perform system password hacking.
Lab Environment
To carry out the lab, you need:
RainbowCrack Tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\RainbowCrack
A computer running Windows Server 2012
You can also download the latest version of RainbowCrack from the link http://project-rainbowcrack.com/
If you decide to download the latest version, then screenshots shown in the lab might differ
Run this tool on Windows Server 2012
Administrative privileges to run this program
Lab Duration
Time: 10 Minutes
Overview of RainbowCrack
RainbowCrack is a computer program that generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password.
Lab Task
Note: RainbowCrack for GPU is the hash cracking program in RainbowCrack hash cracking utilities.
Note: RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight GPU brute forcing cracker.
3. The Add Hash window appears:
i. Navigate to c:\hashes, and open the hashes.txt file (which is already generated using Pwdump7, located at c:\hashes.txt, in the previous Lab no:5).
ii. Right-click, copy the hashes from hashes.txt file.
iii. Paste into the Hash field, and give the comment (optional).
iv. Click OK.
Note: RainbowCrack uses a time-memory tradeoff algorithm to crack hashes. It differs from the hash crackers that use a brute force algorithm.
Note: Full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup.
5. To add more hashes, repeat steps 2 & 3 (i, ii, iii, iv).
6. Added hashes are shown in the following figure.
Note: RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per se; some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.
7. Click Rainbow Table from the menu bar, and click Search Rainbow Table...
Note: RainbowCrack for GPU software uses GPU from NVIDIA for computing, instead of CPU. By offloading the computation task to the GPU, the RainbowCrack for GPU software can be tens of times faster than the non-GPU version.
8. Browse the Rainbow Table that is already generated in the previous lab, which is located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen.
9. Click Open.
Note: A time-memory tradeoff hash cracker needs a pre-computation stage, at which time all plaintext/hash pairs within the selected hash algorithm, charset, and plaintext length are computed and the results are stored in files called rainbow tables.
Note: RainbowCrack focuses on the development of optimized time-memory tradeoff implementation, and generation of large rainbow tables.
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility
RainbowCrack
Questions
1. What kind of hashes does RainbowCrack support?
Lab Scenario
Since security and compliance are high priorities for most organizations, attacks on a company or organization's computer systems take many different forms, such as spoofing, smurfing, and other types of denial-of-service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems. Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. In this lab we will look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. Through an examination of several scenarios, in this lab we describe some of the techniques they deploy and the tools that aid them in their assaults and how password crackers work both internally and externally to violate a company's infrastructure. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we crack the system user accounts using L0phtCrack.
Lab Objectives
The lab teaches you how to:
Use the L0phtCrack tool
Crack administrator passwords
Lab Environment
To carry out the lab you need:
L0phtCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\L0phtCrack
Run this tool on Windows Server 2012 (host machine)
You can also download the latest version of L0phtCrack from the link http://www.l0phtcrack.com
Administrative privileges to run tools
Follow wizard driven installation instructions
This tool requires the user to register, or you can also use the evaluation version for a limited period of time
Lab Duration
Time: 10 Minutes
Overview of L0phtCrack
L0phtCrack provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.
Lab Tasks
TASK 1
Cracking Administrator Password
1. Launch the Start menu by hovering the mouse cursor to the lower leftmost corner of the desktop.
Note: L0phtCrack supports pre-computed password hashes.
FIGURE 8.2: Windows Server 2012 Apps
L0phtCrack 6 Wizard (screenshot text)
Welcome to the L0phtCrack 6 Wizard. This wizard will prompt you with step-by-step instructions to get you auditing in minutes. First, the wizard will help you determine where to retrieve your encrypted passwords from. Second, you will be prompted with a few options regarding which methods to use to audit the passwords. Third, you will be prompted with how you wish to report the results. Then, L0phtCrack 6 will proceed auditing the passwords and report status to you along the way, notifying you when auditing is complete. Press 'Next' to continue with the wizard.
Choose one of the following methods to retrieve the encrypted passwords:
Retrieve from the local machine: Pulls encrypted passwords from the local machine's registry. Administrator access is required.
Retrieve from a remote machine: Retrieve encrypted passwords from a remote machine on your domain. Administrator access is required.
Retrieve from SAM/SYSTEM backup: Use emergency repair disks, backup tapes, or volume shadow copy techniques to obtain a copy of the registry SAM and SYSTEM hives. This contains a copy of your non-domain passwords.
Retrieve by sniffing the local network: Sniffing captures encrypted hashes in transit over your network. Logins, file sharing and print sharing all use network authentication that can be captured.
Note: L0phtCrack has a built-in ability to import passwords from remote Windows, including 64-bit versions of Vista, Windows 7, and UNIX machines, without requiring a third-party utility.
5. Choose Strong Password Audit from the Choose Auditing Method wizard and click Next.
7. Click Next.
8. Click Finish.
L0phtCrack Password Auditor v6.0.16, Begin Auditing (screenshot text)
L0phtCrack 6 is now ready to begin the password auditing process. Please confirm the following settings and go back and change anything that is not correct:
Retrieve passwords from the local machine
Perform 'Quick' password audit
Display domain password belongs to
Display passwords when audited
Display time spent auditing each password
Give visible notification when done auditing
Show method used to crack password
Note: L0phtCrack has real-time reporting that is displayed in a separate, tabbed interface.
9. L0phtCrack 6 shows an Audit Completed message. Click OK.
10. Click Session options from the menu bar.
FIGURE 8.8: Selecting Session options
Note: L0phtCrack uses Dictionary, Hybrid, Precomputed, and Brute Force password auditing methods.
ii. Select the Enabled, Crack NTLM Passwords check boxes in Dictionary/Brute Hybrid Crack.
iii. Select the Enabled, Crack NTLM Passwords check boxes in Brute Force Crack.
iv. Select the Enable Brute Force Minimum Character Count check box.
v. Select the Enable Brute Force Maximum Character Count check box.
Session options (screenshot text)
Dictionary Crack: The Dictionary Crack tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords.
Dictionary/Brute Hybrid Crack (Enabled, Crack NTLM Passwords, Characters to prepend, Characters to append, Common letter substitutions (much slower)): The Dictionary/Brute Hybrid Crack tests for passwords that are variations of the words in the word file. It finds passwords such as "Dana99" or "monkeys!". This test is fast and finds weak passwords.
Precomputed (Enabled, Hash File List): Also known as 'rainbow tables', the Precomputed Crack tests for passwords against precomputed hashes contained in a file or files. This test is very fast and finds passwords created from the same character set as the precomputed hashes. Preserving precomputation data speeds up consecutive runs in exchange for disk space. This crack works against LM and NTLM passwords, but not Unix.
Brute Force Crack (Enabled, Crack NTLM Passwords, Language: English): The Brute Force Crack tests for passwords that are made up of the characters specified in the character set. It finds passwords such as "WeR3pfc6s" or "vC5%6S*12b". This test is slow and finds medium to strong passwords. Enabling a start or end point lets you control the minimum and maximum number of characters to iterate. The actual maximum character count used may vary based on hash type. Specify a character set with more characters to crack stronger passwords.
Character set: alphabet + numbers. Custom Character Set (list each character): ETNRIOASDHLCFPUMYGWVBXKQJZetnrioasdhlcfpumygwvbxkqjz0123456789
13. Click Begin from the menu bar. L0phtCrack cracks the administrator password.
Lab Analysis
Document all the results and reports gathered during the lab.
Tool/Utility
L0phtCrack
Questions
1. What are the alternatives to crack administrator passwords?
2. Why is a brute force attack used in the L0phtCrack tool?
Lab Scenario
In a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems instead of forcing users to choose well-chosen secrets that are likely to be difficult to remember. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not; we examine common forms of guessing attacks, password cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Poorly chosen passwords are vulnerable to attacks based upon copying information. In order to be an expert ethical hacker and penetration tester, you must understand how to crack the weak administrator or system user account password using password cracking tools. In this lab we show you how to crack system user accounts using Ophcrack.
Lab Objectives
The objective of this lab is to help students learn:
Lab Environment
To carry out the lab, you need:
OphCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack
Run this tool on Windows Server 2012 (Host Machine)
You can also download the latest version of L0phtCrack from the link http://ophcrack.sourceforge.net/
Lab Duration
Time: 15 Minutes
Overview of OphCrack
Rainbow tables for LM hashes of alphanumeric passwords are provided for free by developers. By default, OphCrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters.
Lab Task
TASK 1
Cracking the Password
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
Note: You can also download OphCrack from http://ophcrack.sourceforge.net.
5. Browse the PWDUMP file that is already generated by using PWDUMP7 in the previous lab no:5 (located at c:\hashes.txt).
6. Click Open.
available as Live CD distributions which automate the retrieval, decryption, and cracking of passwords from a Windows system.
8. Click Table. The Table Selection window will appear as shown in the following figure.
Note: You can download the free XP Rainbow Table, Vista Rainbow Tables from http://ophcrack.sourceforge.net/tables.php
FIGURE 9.8: Installing vista free rainbow table
10. The Browse For Folder window appears; select the table_vista_free folder (which is already downloaded and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack).
Note: Ophcrack free tables are available for Windows XP, Vista and 7.
12. The selected table vista free is installed; it shows a green color ball, which means it is enabled. Click OK.
Note: Loads hashes from encrypted SAM recovered from a Windows partition.
13. Click Crack; it will crack the password as shown in the following figure.
This is necessary if the generation of the LM hash is disabled (this is default for Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).
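The note above explains when no LM hash is stored. From the defender's side, the same pwdump-style output can be audited for weak storage; the following Python sketch is an added example (not part of the lab manual or of Ophcrack) that flags accounts that still have an LM hash stored, accounts with a blank password, and accounts that share an NT hash. The sample lines are constructed, the user:RID:LM:NT layout and the "NO PASSWORD" placeholder follow the pwdump7 output shown in this lab, and the two constants are the well-known LM and NT hashes of an empty password.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample in pwdump7 layout (hash values are made up, except the
# empty-password NT hash on the Guest line).
SAMPLE = """\
Administrator:500:NO PASSWORD*********************:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_backup:1001:FEDCBA9876543210FEDCBA9876543210:0123456789ABCDEF0123456789ABCDEF:::
alice:1002:NO PASSWORD*********************:00112233445566778899AABBCCDDEEFF:::
not a pwdump line
"""


def _hash_field(field):
    """Return '' for the NO PASSWORD placeholder, the lowercase hash for a
    valid 32-hex-digit value, or None when the field is malformed."""
    value = field.strip()
    if value.upper().startswith("NO PASSWORD"):
        return ""
    value = value.lower()
    return value if HEX32.fullmatch(value) else None


def parse_line(line):
    """Parse one user:RID:LM:NT line; return None if it is not valid."""
    fields = line.strip().split(":")
    if len(fields) < 4 or not fields[0] or not fields[1].isdigit():
        return None
    lm, nt = _hash_field(fields[2]), _hash_field(fields[3])
    if lm is None or nt is None:
        return None
    return {"user": fields[0], "rid": int(fields[1]), "lm": lm, "nt": nt}


def audit(lines):
    """Collect storage weaknesses that make offline recovery easier."""
    findings = {"lm_stored": [], "blank_password": [], "shared_nt": [], "skipped": 0}
    by_nt = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        account = parse_line(line)
        if account is None:
            findings["skipped"] += 1
            continue
        # LM hashes are weak; the NoLMHash policy stops Windows storing them.
        if account["lm"] not in ("", EMPTY_LM):
            findings["lm_stored"].append(account["user"])
        if account["nt"] in ("", EMPTY_NT):
            findings["blank_password"].append(account["user"])
        else:
            by_nt[account["nt"]].append(account["user"])
    # NT hashes are unsalted, so identical hashes mean identical passwords.
    findings["shared_nt"] = sorted(sorted(u) for u in by_nt.values() if len(u) > 1)
    return findings


if __name__ == "__main__":
    for finding, value in audit(SAMPLE.splitlines()).items():
        print(f"{finding}: {value}")
```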
Screenshot: Ophcrack results, with the recovered passwords apple, green, qwerty, test, and empty shown in the NT Pwd column.
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility
OphCrack
User Names: Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason, Shiela
Questions
1. What are the alternatives to cracking administrator passwords?
Internet Connection Required: No
Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. You should also have knowledge of gaining access, escalating privileges, executing applications, hiding files, and covering tracks.
Lab Objectives
The objective of this lab is to help students to learn how to:
Modify Add/Delete registry keys and or values
Install service packs, patches, and hotfixes
Copy folders and files
Run programs, scripts, and applications
Deploy Windows Installer packages in silent mode
Lab Environment
To carry out the lab, you need:
RemoteExec Tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\RemoteExec
Windows Server 2008 running on the virtual machine
You can also download the latest version of RemoteExec from the link http://www.isdecisions.com/en
If you decide to download the latest version, then screenshots shown in the lab might differ
Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of RemoteExec
RemoteExec, the universal deployer for Microsoft Windows systems, allows network administrators to run tasks remotely.
Lab Task
TASK 1
Monitoring System
System Requirements: Target computers can have any of these operating systems: Microsoft Windows 2003/2008 (No Service Pack is required); an administration console with Microsoft Windows 2003/2008 Service Pack 6, IE5 or more.
Note: RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (WAN) as well as on remote machines.
Remote execution requirements: The account running RemoteExec needs administrative rights on target computers. Microsoft file and printer sharing (SMB TCP 445) and ICMP (ping) should be enabled. These protocols also need to be allowed in any firewall between the administration console and target computers.
3. To execute a New Remote job, double-click the New Remote job option that configures and executes a new remote job.
Note: Configure files to be generated: You see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, Document generation, is available to specify the output files. Select a PDF file to be generated in an existing folder. Make sure that the account running the task has write access to this folder.
FIGURE 10.5: RemoteExec File execution settings
Automated reports: You may want to get all these reports automatically by email each time a scheduled attempt has been done. To do this, follow the steps below
b. For the OS level, select = from the drop-down menu and select
c. For the IE version, select >= from the drop-down menu and specify the IE version.
d. For the Service Pack, select = from the drop-down menu and specify the service pack version.
Once installed, RemoteExec and its documentation are accessible through the Windows Start menu. By default, RemoteExec is installed in evaluation mode.
FIGURE 10.6: RemoteExec Filter tab
The remote job was automatically set with the filter option, Don't execute again on a computer where the action was already executed. So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.
Selecting a Target Computer: Enter the target computer name manually by selecting Name from the drop-down list and clicking OK.
Configure the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select the latest execution, the report is always generated for the latest execution.
FIGURE 10.7: RemoteExec Add/Edit a computer
9. To execute the defined action on the remote computer, click the Launch option in the right pane of the window.
Schedule the report: To configure schedule report, click on Schedule in the toolbar and, when prompted, select the task that has been created previously to install Acrobat Reader.
FIGURE 10.8: RemoteExec executing the defined action
Lab Analysis
Analyze and document the results related to the lab exercise.
Information Collected/Objectives Achieved
File to Execute: Firefox setup 3-6.13.exe
Computer Name: WIN-D39MR5HL9E4
Lab Scenario
Network steganography describes all the methods used for transmitting data over a network without it being detected. Several methods for hiding data in a network have been proposed, but the main drawback of most of them is that they do not offer a secondary layer of protection. If steganography is detected, the data is in plaintext. To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked.
Lab Objectives
The objective of this lab is to help students learn:
Using Snow steganography to hide files and data
Hiding files using spaces and tabs
Lab Environment
To carry out the lab, you need:
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Run this tool on Windows Server 2012
You can also download the latest version of Snow from the link http://www.darkside.com.au/snow/
If you decide to download the latest version, then screenshots shown in the lab might differ
Lab Duration
Time: 10 Minutes
Overview of Snow
Snow exploits the steganographic nature of whitespace. Locating trailing whitespace in text is like finding a polar bear in a snowstorm. It uses the ICE encryption algorithm, so the name is thematically consistent.
Lab Task
The encryption algorithm built in to snow is ICE, a 64-bit block cipher also designed by the author of snow. It runs in 1-bit cipher-feedback (CFB) mode, which although inefficient (requiring a full 64-bit encryption for each bit of output),
1. Open a command prompt and navigate to D:\CEH-Tool\CEHv8 module 05 system hacking\steganography\white space steganography\snow
2. Open Notepad and type Hello World! and then press enter and press the Hyphen key to draw a line below it.
3. Save the file as readme.txt.
4. Type this command in the command shell:
snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt
readme2.txt is the name of another file that will be created automatically (magic is the password; you can type your desired password also).
E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt
Compressed by 23.37%
Message exceeded available space by approximately 571.43%.
An extra 8 lines were added.

E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>
FIGURE 11.2: Hiding Contents of readme.txt and the text in the readme2.txt file
5. Now the data ("My Swiss bank account number is 45656684512263") is hidden inside the readme2.txt file with the contents of readme.txt.
If you want to compress a long message, or one not containing standard text, you would be better off compressing the message externally with a specialized compression program, and bypassing snow's optional compression step. This usually results in a better compression ratio.
7. Now type snow -C -p "magic" Readme2.txt: this will show the contents of readme.txt. (magic is the password which was entered while hiding the data).
Administrator: Command Prompt
E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt
Compressed by 23.37%
Message exceeded available space by approximately 571.43%.
An extra 8 lines were added.

E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>snow -C -p "magic" Readme2.txt
My swiss bank account number is 45656684512263
E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>
8. To check the file in a GUI, open the readme2.txt in Notepad and select Edit -> Select all. You will see the hidden data inside readme2.txt in the form of spaces and tabs.
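An added example, not part of the original lab manual: a Python triage script for the condition step 8 makes visible, namely runs of spaces and tabs at line ends and whitespace-only lines. The sample carrier bytes, the function names and the min_tab_lines threshold are constructed for illustration; the carrier is not real Snow output.

```python
"""Triage text files for trailing-whitespace carriers (spaces/tabs at line ends)."""
import re
from dataclasses import dataclass

TRAILING_WS = re.compile(rb"[ \t]+$")


@dataclass
class WhitespaceReport:
    total_lines: int
    trailing_ws_lines: int      # lines ending in at least one space or tab
    trailing_tab_lines: int     # lines whose trailing run contains a tab
    whitespace_only_lines: int  # non-empty lines made only of spaces/tabs
    trailing_ws_bytes: int      # bytes spent in trailing runs
    suspicious: bool


def scan_trailing_whitespace(data: bytes, min_tab_lines: int = 2) -> WhitespaceReport:
    """Count trailing whitespace per line; works for LF and CRLF files.

    Heuristic (an assumption of this example): editors often leave a stray
    trailing space, but several lines ending in runs that contain tabs are
    unusual in ordinary prose and worth a closer look.
    """
    lines = data.splitlines()
    ws_lines = tab_lines = blank_ws = ws_bytes = 0
    for line in lines:
        match = TRAILING_WS.search(line)
        if not match:
            continue
        run = match.group()
        ws_lines += 1
        ws_bytes += len(run)
        if b"\t" in run:
            tab_lines += 1
        if match.start() == 0:
            blank_ws += 1
    return WhitespaceReport(
        len(lines), ws_lines, tab_lines, blank_ws, ws_bytes,
        tab_lines >= min_tab_lines,
    )


def reveal(line: bytes) -> str:
    """Render a line with its trailing spaces as '.' and tabs as '\\t'."""
    text = line.decode("latin-1")
    body = text.rstrip(" \t")
    tail = text[len(body):]
    return body + tail.replace(" ", ".").replace("\t", "\\t")


def scan_file(path: str) -> WhitespaceReport:
    with open(path, "rb") as handle:
        return scan_trailing_whitespace(handle.read())


# Constructed samples: the cover text from the lab, and a made-up carrier with
# space/tab runs appended to each line plus two whitespace-only lines.
COVER = b"Hello World!\r\n------------\r\n"
CARRIER = (
    b"Hello World!" + b"\t" + b" " * 3 + b"\t" + b" " * 6 + b"\t" + b" " + b"\r\n"
    + b"------------" + b" " + b"\t" + b" " * 4 + b"\t" + b" " * 2 + b"\r\n"
    + b"\t" + b" " * 5 + b"\t" + b" " * 3 + b"\t" + b"\r\n"
    + b" " * 2 + b"\t" + b" " * 7 + b"\t" + b" " + b"\r\n"
)

if __name__ == "__main__":
    for name, sample in (("cover", COVER), ("carrier", CARRIER)):
        print(name, scan_trailing_whitespace(sample))
        for line in sample.splitlines():
            print("   ", reveal(line))
```

To check a real file, call scan_file("readme2.txt") and compare the result with the same call on the original readme.txt.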
Lab Analysis
Analyze and document the results related to the lab exercise.
Information Collected/Objectives Achieved
Output: You will see the hidden data inside Notepad
Lab Questions
1. How would you hide the data of files with secret data in other files?
2. Which encryption is used in Snow?
Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs
Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. You should also have knowledge on gaining access, escalating privileges, executing applications, hiding files, and covering tracks.
Lab Objectives
The objective of this lab is to help students learn:
How to set audit policies
Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
You can see more audit commands at the following link: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx for Windows Server 2012
Run this on Windows Server 2012
Lab Duration
Time: 10 Minutes
Overview of Auditpol
Auditpol displays information on policies.
Lab Task
/get
Displays the current audit policy.
1. 2.
Command Prompt.
C:\Users\Administrator>
3. To view all the audit policies, type the following command in the command prompt:
4. Press Enter.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file that was previously created by using auditpol /backup.
/remove Removes all per-user audit policy settings and disables all system audit policy settings.
C:\Users\Administrator>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     No Auditing
Account Management
5. To enable the audit policies, type the following command in the command prompt:
auditpol /set /category:"system","account logon" /success:enable /failure:enable
6. Press Enter.
Administrator: Command Prompt
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing
7. To check if audit policies are enabled, type the following command in the command prompt:
auditpol /get /category:*
8. Press Enter.
Auditpol /get [/user[:<username> | <{sid}>]] [/category:* | <name> | <{guid}>[,:<name | <{guid}>...]] [/option:<option name>] [/sd] [/r]
Administrator: Command Prompt
C:\Users\Administrator>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
Auditpol /set [/user[:<username> | <{sid}>] [/include] [/exclude]] [/category:<name> | <{guid}>[,:<name | <{guid}>...]] [/success:<enable> | <disable>] [/failure:<enable> | <disable>] [/subcategory:<name> | <{guid}>[,:<name | <{guid}>...]] [/success:<enable> | <disable>] [/failure:<enable> | <disable>] [/option:<option name> /value:<enable> | <disable>]
9. To clear the audit policies, type the following command in the command prompt:
auditpol /clear /y
The command was successfully executed.

C:\Users\Administrator>
11. To check if the audit policies are cleared, type the following command in the command prompt:
auditpol /get /category:*
C:\Users\Administrator>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     No Auditing
Account Management
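An added example, not part of the original lab manual: a Python check that parses the text printed by auditpol /get /category:* and reports where it falls short of the policy set in step 5, or shows the all-"No Auditing" state left by auditpol /clear /y. The sample output is constructed and abbreviated, and the function names and the REQUIRED baseline are assumptions of this example.

```python
"""Parse `auditpol /get /category:*` text output and compare it to a baseline."""
import re
from typing import Dict, List, Tuple

SETTINGS = ("Success and Failure", "Success", "Failure", "No Auditing")
# Subcategory rows are indented: "  <name>   <setting>" with 2+ spaces between.
SUBCATEGORY = re.compile(
    r"^\s+(?P<name>\S.*?)\s{2,}(?P<setting>" + "|".join(SETTINGS) + r")\s*$"
)
HEADERS = ("System audit policy", "Category/Subcategory")

Policy = Dict[str, Dict[str, str]]


def parse_auditpol(text: str) -> Policy:
    """Return {category: {subcategory: setting}} from the command's output."""
    policy: Policy = {}
    category = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith(HEADERS):
            continue
        match = SUBCATEGORY.match(line)
        if match and category is not None:
            policy[category][match.group("name")] = match.group("setting")
        elif not line[0].isspace():
            category = line.strip()          # unindented row starts a category
            policy.setdefault(category, {})
    return policy


def _flags(setting: str) -> set:
    """'Success and Failure' -> {'Success', 'Failure'}; 'No Auditing' -> set()."""
    if setting == "No Auditing":
        return set()
    return set(setting.replace(" and ", " ").split())


def policy_gaps(policy: Policy, required: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (category, subcategory, setting) rows weaker than the baseline."""
    by_name = {name.lower(): (name, subs) for name, subs in policy.items()}
    gaps = []
    for wanted_category, wanted_setting in required.items():
        found = by_name.get(wanted_category.lower())
        if found is None:
            gaps.append((wanted_category, "*", "missing from output"))
            continue
        name, subs = found
        for subcategory, setting in subs.items():
            if not _flags(wanted_setting) <= _flags(setting):
                gaps.append((name, subcategory, setting))
    return gaps


def auditing_cleared(policy: Policy) -> bool:
    """True when every parsed subcategory reads 'No Auditing'."""
    settings = [s for subs in policy.values() for s in subs.values()]
    return bool(settings) and all(s == "No Auditing" for s in settings)


# Baseline taken from step 5 of the lab (category names are case-insensitive).
REQUIRED = {"system": "Success and Failure", "account logon": "Success and Failure"}

# Constructed, abbreviated sample; two Account Logon rows have drifted.
SAMPLE_ENABLED = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success
  Credential Validation                   No Auditing
"""
# Constructed: the same rows as they would read after `auditpol /clear /y`.
SAMPLE_CLEARED = SAMPLE_ENABLED.replace("Success and Failure", "No Auditing").replace(
    "Success", "No Auditing"
)

if __name__ == "__main__":
    for label, text in (("enabled", SAMPLE_ENABLED), ("cleared", SAMPLE_CLEARED)):
        parsed = parse_auditpol(text)
        print(label, "cleared:", auditing_cleared(parsed))
        for gap in policy_gaps(parsed, REQUIRED):
            print("  gap:", gap)
```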
Lab Analysis
Analyze and document the results related to the lab exercise.
Information Collected/Objectives Achieved
Result open Auditpol Category: System, Account Logon
Questions
1. How do you configure global resource SACLs using Auditpol?
2. Evaluate a report or backup an audit policy to a comma separated value (CSV) text file.
Lab 13
Password Recovery Using CHNTPW.ISO
CHNTPW.ISO is a password recovery tool that runs on Windows Server 2003, Windows Server 2008, and Windows 7 Virtual Machine.
Lab Scenario
Nowadays, attacking the password is one of the most straightforward hacking attacks. Passwords are the most common access control method used by system administrators to manage the usage of network resources and applications. There are numerous feasible methods to crack passwords. To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.
In this lab, we show you how to erase or recover an admin password using CHNTPW.ISO.
Lab Objectives
The objective of this lab is to help students learn:
Recovering the Password of Windows Server 2008
Lab Environment
To carry out the lab, you need:
CHNTPW.ISO located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Recovery Tools\CHNTPW.ISO\cd110511
CHNTPW.ISO is a tool to recover/erase the administrator passwords for Windows Server 2008
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Duration
Time: 15 Minutes
Overview of CHNTPW.ISO
CHNTPW.ISO is an offline NT password and registry editor, boot disk/CD.
Lab Task
Offline NT Password & Registry Editor can delete any password from nearly any installation of Windows almost instantly.
1. Start Hyper-V Manager by selecting Start -> Hyper-V Manager.
2. Before starting this lab make sure that Windows Server 2008 Virtual Machine is shut down.
3. Now select Windows Server 2008 Virtual Machine and click Settings in the right pane of Hyper-V.
Offline NT Password & Registry Editor simply deletes passwords instead of displaying them, making it fast and easy to use.
4. Select DVD drive from IDE controller in the left pane of Settings for Windows Server 2008.
5. Check the Image file option and browse for the location of CHNTPW.ISO, and select Apply->OK.
No installation in Windows is required making this program an easy alternative to many other password recovery
Offline NT Password & Registry Editor is completely free to download and use.
FIGURE 13.2: CHNTPW.ISO Windows Server 2008 settings
Tool will also remove passwords from 64-bit versions of Windows Operating Systems.
6. Now go to Hyper-V Manager and right-click Windows Server 2008, and select Connect to start Windows Server 2008 Virtual Machine.
Offline NT Password & Registry Editor works with all popular Windows versions including Windows 7 and more.
7.
8. After booting, the window will prompt you with: Step ONE: Select disk where the Windows installation is
9. Press Enter.
It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD or another system.
Windows Registry Edit Utility Floppy / chntpw
(c) 1997 - 2010 Petter N Hagen - pnordahl@eunet.no
GNU GPL v2 license, see files on CD
This utility will enable you to change or blank the password of any user (incl. administrator) on an Windows NT/2k/XP/Vista WITHOUT knowing the old password. Unlocking locked/disabled accounts also supported.
Step ONE: Select disk where the Windows installation is
/dev/sda: 17.1 GB, 17179869184 bytes
Please select partition by number or
q = quit
10. Now you will see: Step TWO: Select PATH and registry files; press Enter.
There are several steps to go through:
Disk select with optional loading of disk drivers
PATH select, where are the Windows systems files stored
File-select, what parts of registry we need
Then finally the password change or registry edit itself
If changes were made, write them back to disk
Step ONE: Select disk where the Windows installation is
filesystem type NTFS
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system.
FIGURE 13.6: CHNTPW.ISO Step Two
11. Select which part of the registry to load, use predefined choices, or list the files with space as delimiter, and then press Enter.
Mounting from /dev/sda1, with assumed filesystem type NTFS
So, let's really check if it is NTFS?
DEBUG path: windows found as Windows
DEBUG path: system32 found as System32
DEBUG path: config found as config
DEBUG path: found correct case to be: Windows/System32/config
What is the path to the registry directory? (relative to windc
[Windows/System32/config] :
DEBUG path: Windows found as Windows
DEBUG path: System32 found as System32
DEBUG path: config found as config
DEBUG path: found correct case to be: Windows/System32/config
Select which part of registry to load, use predefined choices or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
12. When you see: Step THREE: Password or registry edit, type yes (y), and press Enter.
Select which part of registry to load, use predefined choices or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
Selected files: sam system security
Copying sam system security to /tmp
It works offline, that is, you have to shutdown your computer and boot off a floppy disk or CD. The bootdisk includes stuff to access NTFS and FAT/FAT32 partitions and scripts to glue the whole thing together.
Step THREE: Password or registry edit
chntpw version 0.99.6 110511 , (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 250/20800 blocks/bytes, unused: 14/3584 blocks/bytes.
Hive <SYSTEM> name (from header): <SYSTEM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 9437184 [900000] bytes, containing 2164 pages (+ 1 headerpage)
Used for data: 100211/5937688 blocks/bytes, unused: 4621/3278696 blocks/bytes.
Hive <SECURITY> name (from header): <emRoot\System32\Config\SECURITY>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 406/22272 blocks/bytes, unused: 5/2112 blocks/bytes.
* SAM policy limits:
Failed logins before lockout
Minimum password length
Password history count
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <SAM> <SYSTEM> <SECURITY>
1 - Edit user data and passwords
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1]
FIGURE 13.8: CHNTPW.ISO Step Three
13. Loaded hives: <SAM> <system> <SECURITY>
1 - Edit user data and passwords
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
In What to do? the default selected option will be [1]. Press Enter.
Password history count : 0
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <SAM> <SYSTEM> <SECURITY>
1 - Edit user data and passwords
What to do? [1] -> y
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <SAM> <SYSTEM> <SECURITY>
1 - Edit user data and passwords
What to do? [1]
E th ical H a ck in g and C ounterm easures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
14. In chntpw Edit User Info & Passwords, press Enter to enter the user name to change.
NT stores its user information, including crypted versions of the passwords, in a file called 'sam', usually found in \winnt\system32\config. This file is a part of the registry, in a binary format previously undocumented, and not easily accessible.
Disable your software firewall (Norton Internet Security is often the culprit).
15. In the User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [seems unlocked already]
q - Quit editing user, back to user select
The default option, Quit [q], is selected. Type 1 and press Enter.
Disable all "download accelerator" programs; they will more than likely corrupt your download.
FIGURE 13.11: CHNTPW.ISO User Edit Menu
16. Type ! after clearing the password of the user account, and press Enter.
17. Loaded hives: <SAM> <SYSTEM> <SECURITY>
1 - Edit user data and passwords
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
In What to do?, the default selected option will be [1]. Type quit (q), and press Enter.
CEH-Tools is also mapped in Virtual Machine as Network Drive Z:
18. In Step FOUR: Writing back changes, at About to write file(s) back! Do it?, the default option will be [n]. Type yes [y] and press Enter.
FIGURE 13.14: CHNTPW.ISO Step Four
It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD or another system.
20. Now turn off the Windows Server 2008 Virtual Machine.
21. Open Hyper-V Manager settings of Windows Server 2008 and change the DVD drive option to None from IDE Controller 1, and then click Apply > OK.
FIGURE 13.16: CHNTPW.ISO Windows Server 2008 Settings
22. Go to Windows Server 2008 Virtual Machine, and click the Start button.
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: CHNTPW.ISO
Output: Log into Windows Server 2008 without entering the user name and password
Questions
1. How do you configure CHNTPW.ISO in Machine Settings?
Lab
Lab Scenario
Today, employees are given access to computers, telephones, and other electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees also are given laptop computers and wireless phones they can take home and use for business outside the workplace. Whether an employee can claim a reasonable expectation of privacy when using such company-supplied equipment in large part depends upon the steps the employer has made to minimize that expectation. In this lab, we explain monitoring employee or student activity using Spytech SpyAgent.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Lab Objectives
The objective of this lab is to help students use Spytech and the SpyAgent tool. After completing this lab, students will be able to:
Install and configure Spytech SpyAgent
Monitor keystrokes typed, websites visited, and Internet Traffic Data
Lab Environment
To perform the lab, you need:
A computer running Windows Server 2012
Administrative privileges to install and run tools
Run this tool in Windows Server 2012
You can also download Spytech SpyAgent from http://www.spytech-web.com/spyagent.shtml
If you decide to download the latest version, screenshots may differ
Lab Duration
Time: 15 Minutes
Lab Tasks
TASK 1: Installation of Spytech SpyAgent
The basic idea in this section is to:
1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Keyloggers\Spytech SpyAgent.
2. Double-click Setup.exe. You will see the following window. Click Next.
3. The Welcome wizard of Spytech SpyAgent setup program window appears; read the instructions and click Next.
4. The Important Notes window appears; read the note and click Next.
Important Notes
Spytech SpyAgent Build Version 7.56.12. Copyright Spytech Software and Design, Inc. 2000-2012. www.spytech-web.com
What is Spytech SpyAgent? Spytech SpyAgent is a powerful and easy-to-use software utility that allows you to log all keystrokes typed, windows and applications launched, websites visited, passwords used, icq/msn/yahoo/aim conversations, and even all internet connections made. All logs are easily viewed with the built in log viewers and can be saved to a convenient, easily viewed text format for email transfer (built in) or printouts. SpyAgent can also capture all emails, as well as capture screenshots of the desktop at set time intervals. SpyAgent can be ran on windows startup in active monitoring mode
Active Mode: this option allows SpyAgent to be started in monitoring mode when it is opened, with no need for manually starting its monitoring.
5. The Software License Agreement window appears; you must accept the agreement to install Spytech SpyAgent.
6. Click Yes to continue.
7. Choose the Destination Location to install Spytech SpyAgent.
8. Click Next to continue installation.
Stealth Mode: this option allows SpyAgent to run in total stealth. Combined with 'Active Mode' the software will load and run in monitoring mode in complete stealth.
9. Select SpyAgent installation type, and select Administrator/Tester as the setup type.
Administrator/Tester: Program will be installed with all the software options and accessible via Windows start menu. This is recommended also for new users! Help documents are installed.
Stealth Installation: Program will be installed with minimum required options and no shortcuts included in Windows start menu. Also HELP Documents are NOT INSTALLED.
11. The Ready to Install window appears. Click Next to start installing Spytech SpyAgent.
Splash Warning: This option allows you to display a message to the user when SpyAgent is started. This message can be configured in the Advanced Settings > Splash Screen window.
FIGURE 14.8: Selecting an uninstaller
13. A Notice For Antivirus Users window appears; read the text and click Next.
A NOTICE FOR ANTIVIRUS USERS
Modern antivirus programs can detect a wide range of potentially dangerous programs. This normally goes far beyond traditional viruses and worms and often includes heuristic alerts, which basically means that you can get alerts and warnings when an antivirus program "thinks it could be" something. These warnings should be expected for the following types of applications:
- Software that logs or captures keystrokes
- Software that monitors user activity
- Software that allows you to recover passwords or other personal data
- Software that monitors or logs Internet or network activity
Since SpyAgent can do all of the above, some antivirus solutions may deem SpyAgent as 'potentially harmful' or a 'trojan' despite it being a legitimate tool to monitor your computer (and users). With all Spytech software, you can be sure our products are 100% safe to use and virus-free. If you run into any "trojan" related warnings, it is very likely to be a
Log Location: this allows you to specify where you want SpyAgent to store its activity logs. For Windows NT/2000/XP systems monitoring ALL users it is recommended that the log location be set to x:\documents and settings\all users
14. The Finished window appears. Click Close to end the setup.
16. The following window appears. Enter the password in the New Password field, and retype the same password in the Confirm field.
17. Click OK.
SpyAgent can deliver its activity logs in secret to your own personal email or FTP account.
FIGURE 14.13: Welcome SpyAgent window
19. The Configuration package wizard appears. Select the Complete + Stealth Configuration package.
20. Click Next.
FIGURE 14.14: Selecting configuration package
21. Choose additional options, and select the Display Alert on Startup check box.
22. Click Next.
Internet Traffic Data: This logs ALL incoming and outgoing internet data transmitted and received by users. All email passwords, FTP passwords, website transmissions, etc. will be logged by this feature.
23.
SpyAgent has the unique ability to allow you to have its activity logs delivered to your personal e-mail address or FTP account.
24.
25. The Configuration Finished window appears. Click Finish to successfully set up SpyAgent.
SpyAgent has a built-in scheduling feature that allows you to configure SpyAgent to log user activities during specific hours of the day, or to lock down your computer at certain times.
FIGURE 14.18: Configuration finished window
26. The main window of Spytech SpyAgent appears, as shown in the following figure. Click Click to continue...
27.
28. 29.
Click OK.
SpyAgent has a feature called SmartLogging that lets you trigger monitoring when certain events arise, instead of running constantly logging everything that users do. SmartLogging ties into the keystrokes, websites visited, applications ran, and windows used logging functions.
30. The Stealth Notice window appears; read the instructions and click OK.
NOTE: To bring SpyAgent out of stealth mode, press CONTROL+SHIFT+ALT+M on your keyboard.
SpyAgent allows you to save all of SpyAgent's keystrokes, websites, windows, applications, connections, clipboard, activity, print jobs, file usage, and documents logs to a specified directory at once, for easier viewing later on, or so you can clear your logs without losing data.
FIGURE 14.22: Stealth mode notice
31. It will show the following window. Select Do not show this Help Tip again and Do not show Related Help Tips like this again. Click click to continue...
SpyAgent features a large set of reporting tools that allow you to save and prepare log data for later viewing, documentation, and printing. All reports are formatted in HTML format for viewing with your web browser.
32. Now browse the Internet (anything).
33. To bring SpyAgent out of stealth mode, press CONTROL+SHIFT+ALT+M on your keyboard. It will ask for the Access Password; enter the password and click OK.
34. To check user keystrokes from the keyboard, click Keystrokes Typed from General User Activities.
35. It will show all the resulting keystrokes as shown in the following screenshot.
Note: Log entries preceded with a '*' indicate a password entry.
36. To check the websites visited by the user, click Website Visited from Internet Activities.
37. It will show all the user visited websites results, as shown in the following screenshot.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Tool/Utility
Monitoring keystrokes typed
Website log entries
Pages visited for selected website
Internet traffic data
Lab Scenario
Today, employees are given access to computers, telephones, and other electronic communication equipment. Email, instant messaging, global positioning systems, telephone systems, and video cameras have given employers new ways to monitor the conduct and performance of their employees. Many employees also are given laptop computers and wireless telephones they can take home and use for business outside the workplace. Whether an employee can claim a reasonable expectation of privacy when using such company-supplied equipment in large part depends upon the steps the employer has made to minimize that expectation. In this lab, we explain monitoring employee or student activity using Power Spy 2013.
Lab Objectives
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
The objective of this lab is to help students use the Activity Monitor tool. After completing this lab, students will be able to:
Install and configure Power Spy 2013
Monitor keystrokes typed, websites visited, and Internet Traffic Data
Lab Environment
To perform the lab, you need:
A computer running Windows Server 2012
Administrative privileges to install and run tools
You can also download Power Spy tool from http://ematrixsoft.com/download-power-spy-software.php
If you decide to download the latest version, screenshots may differ
Run this tool in Windows Server 2012
Lab Duration
Time: 15 Minutes
Lab Tasks
TASK 1: Installation of Power Spy 2013
The basic idea in this section is to:
1. Navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Spywares\Email and Internet Spyware\Power Spy.
2. Double-click pcspy.exe. The Software License Agreement window appears. You must accept the agreement to install Power Spy.
3. Click Next in the License Agreement wizard.
4.
Keystrokes Typed: logs all keystrokes, including optional non-alphanumerical keys, typed with time, Windows username, application name and window caption.
5.
Run as administrator
With administrative rights, you can check, delete and export logs, change settings, and have complete access to the software
Net Chatting Conversations: monitor and record all latest version Windows Live Messenger / Skype / MSN Messenger / ICQ / AIM / Yahoo! Messengers BOTH SIDES chatting conversations with time, chat users, and all coming/outgoing messages.
FIGURE 15.3: Selecting folder for installation
6. The Setup login password window appears. Enter the password in the New password field, and retype the same password in the Confirm password field. Click Submit.
7.
Screen Snapshots: automatically captures screenshots of entire desktop or active windows at set intervals. Saves screenshots as JPEG format images on your computer hard disk. Automatically stops screenshots when user is inactive.
8.
9. The Enter login Password window appears. Enter the password (which is already set).
FIGURE 15.6: Enter the password
11.
Stealth Mode: Power Spy runs absolutely invisibly under Windows systems and does not show in Windows task list. None will know it's running unless you tell them! You can also choose to hide or unhide Power Spy icon and its uninstall entry.
Register product
An icon is displayed on Desktop to disable Stealth Mode in trial version. You can totally try the software on yourself. Click Start monitoring and Stealth Mode on it's control panel, then do anything as usual on the PC: visiting web sites, reading emails, chatting on facebook or Skype, etc. Then, use your hotkey to unhide its control panel, and click an icon on the left to check logs. You can also click Configuration to change settings, setup an email to receive logs from any location, such as a remote PC. iPad or a smart phone. If you like the product, click Purchase button below to buy and register it. Stealth Mode will be enabled after it is unlocked with your registration information.
12.
in the following
[Screenshot: Power Spy Control Panel]
Task Schedule: You can set starting and ending time for each task to automatically start and stop the monitoring job.
13.
TASK 2
Logs View: choose to view different types of logs from the program main interface. You can delete selected logs or clear all logs, search logs or export logging reports in HTML format.
14.
15. 16.
Click Stealth Mode (stealth mode runs Power Spy completely invisibly on the computer). The Hotkey reminder window appears. Click OK (to unhide Power Spy, use the Ctrl+Alt+X keys together on your PC keyboard).
Hotkey reminder
The Stealth Mode is started and the software will run completely invisibly. To unhide it, use your hotkey: Ctrl + Alt + X. (Press the 3 keys together on your keyboard). Hotkey only works in current Windows user account. It is disabled in other user accounts for security.
Easy-to-use Interface: configure Power Spy with either the Wizard for common users or the control panel for advanced users. The user-friendly graphical program interface makes it easy for beginners.
17.
18. 19.
Now browse the Internet (anything). To bring Power Spy out of stealth mode, press CONTROL+ALT+X on your keyboard. The Run as administrator window appears. Click Run.
Run as administrator
With administrative rights, you can check, delete and export logs, change settings, and have complete access to the software
FIGURE 15.13: Run as administrator
20. 21.
The Enter login password window appears. Enter the password (which is already set). Click Submit.
22. 23.
Click Later in the Register product window to continue if it appears. Click Stop monitoring to stop the monitoring.
24.
Program Executed: log all programs including applications, executable files, documents and directories navigated, with time, Windows username, application/document/directory name and file paths.
25. 26.
It will show all the resulting keystrokes as shown in the following screenshot. Click the Close button.
FIGURE 15.17: Resulted keystrokes
Documents Opened: log all text contents of documents opened in MS Word and NotePad.
27. 28.
To check the websites visited by the user, click Website visited in the Power Spy Control Panel.
in the following
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Tool/Utility
Monitoring keystrokes typed
Website log entries
Pages visited for selected website
Internet traffic data
Lab Scenario
Porn sites are filled with images that sometimes change multiple times each day, require authentication in some cases to access their "better" areas of content, and by using steganographic techniques, would allow an agent to retrieve messages from their home bases and send back updates, all in porn trading. Thumbnails could be scanned to find out if there are any new messages for the day; once decrypted, these messages would point to links on the same site with the remaining information encrypted. Terrorists know that so many different types of files can hold all sorts of hidden information, and tracking or finding these files can be an almost impossible task. These messages can be placed in plain sight, and the servers that supply these files will never know it. Finding these messages is like finding the proverbial "needle" in the World Wide Web haystack.
In order to be an expert ethical hacker and penetration tester, you must understand how to hide the text inside the image. In this lab, we show how text is hidden inside an image using the QuickStego tool.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 05 System Hacking
Lab Objectives
The objective of this lab is to help the students learn how to hide secret text messages in an image.
Lab Environment
To perform the lab, you need:
A computer running Windows Server 2012
Administrative privileges to install and run tools
You can also download the QuickStego tool from http://quickcrypto.com/free-steganography-software.html
If you decide to download the latest version, screenshots may differ.
Run this tool in Windows Server 2012.
Lab Duration
Time: 10 Minutes
Overview of Steganography
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program, or protocol.
Lab Tasks
The basic idea in this section is to:
1.
TASK 1
Hide the text inside the image
http://quickcrypto.com
3.
Click Open Image in the Picture, Image, Photo File dialog box.
4. 5.
[Screenshot: Open file dialog in the QuickStego folder with lamborghini_5.jpg (JPEG image) selected]
6. The selected image is added; it will show a message that reads: THIS IMAGE DOES NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE.
QuickStego does not ENCRYPT the secret text message though it is well hidden in the image. QuickCrypto includes the functions of QuickStego but also allows you to securely encrypt text and files and even hide files on your computer.
7. To add the text to the image, click Open Text from the Text File dialog box.
8. 9.
Select the Text File.txt file, and then click the Open button.
The core functions of QuickStego are also part of QuickCrypto, therefore the product will be supported for the foreseeable future. Functionality on its way is the ability to hide messages inside audio files, e.g. mp3 and wav.
10. 11.
The selected text will be added; click Hide Text in the Steganography dialog box.
image.
The larger the image, the more text that can be concealed within. QuickStego will tell you how many characters of text you must lose if you go over this limit per picture. In practice a lot of secret text can be hidden in even a small image.
12.
To save the image (where the text is hidden inside the image) click Save Image in the Picture, Image, Photo File dialog box.
QuickStego imperceptibly alters the pixels (individual picture elements) of the image, encoding the secret text by adding small variations in color to the image. In practice, to the human eye, these small differences do not appear to change the image.
13.
Provide the file name as stego, and click Save (to save this file on the desktop).
[Screenshot: Save The Image File To dialog, Desktop folder, file name stego, type Image (.bmp)]
14.
Exit from the QuickStego window. Again open QuickStego, and click Open Image in the Picture, Image, Photo File dialog box.
15. 16.
Browse the stego file (which is saved on desktop). The hidden text inside the image will appear as displayed in the following figure.
Approximately 2MB of free hard disk space (plus extra space for any images)
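The pixel-alteration idea and the per-image character limit described in the notes above, as an added example that is not QuickStego's own code. It assumes a plain least-significant-bit scheme with a 32-bit length header (QuickStego's actual format is not given in this manual), runs on a constructed pixel buffer, and adds a pairs-of-values histogram statistic that shows a defender the trace this kind of embedding leaves.

```python
import struct

def capacity_chars(pixels: bytes) -> int:
    """Characters that fit: one bit per channel byte, minus a 32-bit length header."""
    return (len(pixels) - 32) // 8

def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(pixels: bytes, message: bytes) -> bytes:
    """Write a length header plus the message into the lowest bit of each channel byte."""
    over = len(message) - capacity_chars(pixels)
    if over > 0:
        raise ValueError(f"message is {over} characters over this image's limit")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(struct.pack(">I", len(message)) + message)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def _read(pixels: bytes, start: int, nbytes: int) -> bytes:
    value = 0
    for b in pixels[start:start + nbytes * 8]:
        value = (value << 1) | (b & 1)
    return value.to_bytes(nbytes, "big")

def extract(pixels: bytes) -> bytes:
    """Read the header, then rebuild the message from the low bits."""
    length = int.from_bytes(_read(pixels, 0, 4), "big")
    if length > capacity_chars(pixels):
        raise ValueError("header is not a plausible length: no message in this scheme")
    return _read(pixels, 32, length)

def pov_statistic(pixels: bytes) -> float:
    """Defender's view: sum of (even - odd)^2 / (even + odd) over value pairs (2k, 2k+1).
    LSB embedding pulls the two counts of a pair together, so the value drops."""
    hist = [0] * 256
    for b in pixels:
        hist[b] += 1
    return sum((hist[v] - hist[v + 1]) ** 2 / (hist[v] + hist[v + 1])
               for v in range(0, 256, 2) if hist[v] + hist[v + 1])

# Constructed cover: 64x64 RGB gradient quantised to even values (not a real photo).
COVER = bytes((i // 48 * 2) % 256 for i in range(64 * 64 * 3))
SECRET = b"constructed sample text"
STEGO = embed(COVER, SECRET)

if __name__ == "__main__":
    print(extract(STEGO), pov_statistic(COVER), pov_statistic(STEGO))
```

Because this scheme lives in exact pixel values, it only survives lossless formats, which is consistent with the lab saving its output as a .bmp file.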
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Tool/Utility
QuickStego