System Hacking - SCF Faculty Site Homepage

5.1 Understand the different types of passwords, password attacks, and password cracking techniques
Exam Focus: Understand the different types of passwords, password attacks, and password cracking techniques. Objective includes:
• Understand the different types of passwords.
• Identify the different types of password attacks.
• Identify password cracking techniques.
Goals of system hacking
The following are the goals of system hacking:
• Gaining access: Collecting enough information to gain access. Password eavesdropping and brute forcing techniques are used to gain access.
• Escalating privileges: Creating a privileged user account once user-level access has been obtained. Password cracking and known-exploit techniques are used to escalate privileges.
• Executing applications: Creating and maintaining backdoor access.
• Hiding files: Hiding malicious files.
• Covering tracks: Hiding the presence of the compromise.
Password
A password is a combination of characters, integers, and special symbols that allows a user to access a file or a program. The password prevents an unauthorized user from accessing the file or application. The following are the different types of passwords:
• Power-on password: It protects the system from being powered on by an unauthorized person. When a power-on password has been set, a prompt appears while the system starts up; the power-on password must be entered before an operating system boots.
• Hard drive password: A user hard drive password is used by the user and a master hard drive password is used by the system administrator. If a user has changed the hard drive password, the administrator can use the master password to get access to the hard drive.
• Supervisor password (BIOS password): It is also known as a BIOS password. It protects the system information stored in the BIOS. A user is required to enter the supervisor password to get access to the BIOS in order to change the system configuration.
• User password: It is required for most accounts. After entering the user name, the user is prompted for a password. Two passwords must be entered if the account requires both primary and secondary passwords.
• System password: It controls access to particular terminals and is required at the discretion of the security administrator. These passwords are often required to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines.
Default password
A default password is a password provided by the manufacturer with new equipment that is password protected. The following online tools can be used to search for default passwords:
• http://www.phenoelit-us.org
• http://www.defaultpassword.com
• http://cirt.net
• http://default-password.info
• http://www.defaultpassword.us
• http://www.passwordsdatabase.com
Password complexity
A user can create a password in different ways to increase its complexity. The user can create passwords:
• Containing letters, special characters, and numbers, e.g. cd1@78
• Containing only numbers, e.g. 56568579
• Containing only special characters, e.g. @#$%#@#$
• Containing letters and numbers, e.g. hkjh2345
• Containing only letters, e.g. MARKPETE
• Containing only letters and special characters, e.g. mar#kjm
• Containing only special characters and numbers, e.g. 234@$90
Types of password attacks
The following are the types of password attacks:
Passive online attack
In a passive online attack, the attacker places a sniffer on the network to capture raw data packets. The attacker then analyzes those packets and extracts the password information. The following attacks come under the passive online attack:
• Wire sniffing attack: To access and record the raw network traffic, attackers run packet sniffer tools on the LAN. The captured data may contain passwords that are sent to remote systems during Telnet, FTP, and rlogin sessions, and in electronic mail sent and received.
• MITM attack: A man-in-the-middle attack occurs when an attacker successfully inserts intermediary software or a program between two communicating hosts.
• Replay attack: In a replay attack, attackers capture packets, including passwords or digital signatures, as they pass between two hosts on a network. Attackers then resend the captured packet to the system in an attempt to obtain an authenticated connection. The attacker does not know the actual password in this type of attack, but can simply replay the captured packet.
Active online attack
In an active online attack, the attacker tries to obtain the victim's password by guessing it. It includes the following attacks:
• Password guessing: A password guessing attack takes place when an unauthorized user repeatedly guesses usernames and passwords to log on to a computer or network. Many password guessing programs that try to break passwords are available on the Internet. The following are the considerations of a password guessing attack:
  o Time consuming
  o Needs a huge amount of network bandwidth
  o Easily detected
  The following are the types of password guessing attacks:
  o Brute force attack
  o Dictionary attack
• Trojan/spyware/keyloggers: By using a Trojan, an attacker gets access to the passwords stored on the attacked computer and can read personal documents, delete files, and display pictures.
  Spyware is software that collects information about a user without the user's knowledge. Spyware can get onto a computer when the user downloads software from the Internet. Spyware can search the contents of a hard disk, an e-mail address book, or any information about the computer, and transmit the information to advertisers or other interested parties.
  A keylogger is a software tool that traces all or specific activities of a user on a computer. Once a keylogger is installed on a victim's computer, it can be used to record all keystrokes on the victim's computer in a predefined log file. An attacker can configure the log file so that it is sent automatically to a predefined e-mail address. Some of the main features of a keylogger are as follows:
  o It can record all keystrokes.
  o It can capture screenshots.
  o It can record all instant messenger conversations.
  o It can be remotely installed.
  o It can be delivered via FTP or e-mail.
• Hash injection: A hash injection attack permits an attacker to inject a compromised hash into a local session and authenticate to network resources by using the hash. The attacker finds and extracts the hash of a logged-on domain admin account, then logs on to the domain controller by using the extracted hash.
Offline attack
Offline attacks are time consuming. They often lead to brute force attacks. Some important offline attacks are as follows:
• Brute force attack: In Windows hacking, a brute force attack plays a vital role. In a brute force attack, an attacker uses software that tries a large number of key combinations in order to obtain a password. To prevent such attacks, users should create passwords that are more difficult to guess, e.g., using a minimum of eight characters, alphanumeric combinations, and mixed lower and upper case.
• Dictionary attack: A dictionary attack is a type of password guessing attack. This type of attack finds the password of a user by using a dictionary of common words. It can also try common words in either upper or lower case in order to find a password. Many programs are available on the Internet to automate and execute dictionary attacks.
• Hybrid attack: The attack is referred to as a hybrid attack when an attacker performs a dictionary attack as well as a brute force attack.
• Rainbow attack: A rainbow attack retrieves plain text passwords by using a hash table. The rainbow attack is considered the fastest method of password cracking. To implement the rainbow attack, all the possible hashes for a set of characters are calculated and then stored in a table known as the rainbow table. The captured password hashes are then given to a tool that uses the rainbow algorithm and searches the rainbow table until the password is found.
• Distributed Network Attack (DNA): A Distributed Network Attack is used to recover password-protected files. It decrypts passwords by using the unused processing power of machines across the network. In this attack, a DNA manager is installed in a central location. Machines running DNA clients in the central location can access the DNA manager over the network. The DNA manager coordinates the attack and assigns small portions of the key search to machines distributed over the network. A DNA client runs in the background and consumes only unused processor time. The program combines the processing capabilities of all the clients that are connected to the network and uses them to perform the key search.
Non-electronic attack
A non-electronic attack is an attack that does not require any technical knowledge. It includes the following attacks:
• Social engineering: Social engineering is the art of convincing people and making them disclose useful information, such as account names and passwords. This information is further exploited by hackers to gain access to a user's computer or network. This method relies on the attacker's skill at manipulating people rather than on technical skills. A user should always distrust people who ask for an account name, password, computer name, IP address, employee ID, or other information that can be misused. Proper user training is an effective way of mitigating social engineering attacks. The following are the different types of social engineering attacks:
  o Shoulder surfing: Shoulder surfing is a type of in-person attack in which an attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while the employee is typing a password at any access point, such as a terminal or Web site. An attacker can also gather information by looking at open documents on the employee's desk, notices posted on notice boards, etc.
  o Dumpster diving: Dumpster diving is a term that refers to going through someone's trash in an attempt to find useful or confidential information. Dumpster divers check and separate items from commercial or residential trash to get the information they desire. This information may be used for identity theft and for breaking physical information security.
Password cracking
Password cracking techniques are used for recovering passwords from computer systems. Attackers use password cracking techniques in order to gain unauthorized access to the vulnerable system. Many password cracking techniques are successful because many people use weak or easily guessable passwords.
Password cracking techniques
The following are password cracking techniques:
• Dictionary attack: In a dictionary attack, a dictionary file is loaded into the cracking application and run against user accounts.
• Brute forcing attack: In a brute force attack, the program tries a large number of key combinations in order to obtain a password.
• Hybrid attack: It is like a dictionary attack, but in this attack, attackers add some numbers and symbols to the words from the dictionary and attempt to crack the password.
• Syllable attack: It is the combination of both the brute force attack and the dictionary attack.
• Rule-based attack: It is used when the attacker has some information regarding the password.
Manual password cracking (guessing)
The following steps are taken for manual password cracking (guessing):
1. Find a valid user.
2. Create a list of possible passwords.
3. Rank passwords from high probability to low.
4. Key in each password until the correct password is discovered.
Automatic password cracking
The following steps are taken for automatic password cracking:
1. Find a valid user.
2. Find the algorithm used for encryption.
3. Obtain the encrypted passwords.
4. Create a list of the possible passwords.
5. Encrypt each word.
6. Verify whether there is a match for each user ID.
Using a USB drive for stealing passwords
The following steps are used to steal passwords using a USB drive:
1. Select a password hacking tool.
2. Copy the downloaded files to the USB drive.
3. Create autorun.inf on the USB drive:
   [autorun]
   en=launch.bat
4. Insert the USB drive. The autorun window pops up (if enabled). Password2 is executed in the background and the passwords are stored in .TXT files on the USB drive.
5.2 Authentication mechanism, password sniffing, various password cracking tools, and countermeasures
Exam Focus: Authentication mechanism, password sniffing, various password cracking tools, and countermeasures. Objective includes:
• Understand the Microsoft authentication mechanism.
• Describe password sniffing.
• Identify various password cracking tools.
• Identify various password cracking countermeasures.
Authentication
Authentication is a process to verify the identity of a person, network host, or system process. In
the authentication process, the provided credentials are compared with the credentials that are
stored in the database of an authentication server.
Basic authentication
Basic authentication is the simplest method of authentication. It is based on the premise that the
client must authenticate itself with a user-ID and a password for each realm. The realm value
(which is case-sensitive) is a string that may have additional semantics specific to the
authentication scheme. The realm value should be considered as an opaque string, which can
only be compared for equality with other realms on that server. The server will service the
request if, and only if, it can validate the user-ID and password for the protection space of the
Request-URI. There are no optional authentication parameters. To receive authorization, the
client sends the user ID and password, separated by a single colon (":") character, within a
base64 encoded string in the credentials.
Security holes in the basic authentication scheme
The basic authentication scheme uses a username and password. It uses base64 encoding, which is not encryption, to encode the password. Consequently, the basic authentication scheme has many security holes. The password is stored on the server in an encrypted format, but it is passed from the client to the server in what is effectively plain text across the network. Therefore, the username and password can be easily read by any attacker listening with a packet sniffer. The username and password are passed not just when the user first types them; they are passed with every request. Hence, the packet sniffer does not need to listen at any particular time, but just long enough to observe any single request coming across the wire. The encoding used in the scheme offers no real protection and can be trivially decoded.
Digest authentication scheme
The digest authentication scheme is a replacement for the basic authentication scheme and is based on the challenge-response model. In digest authentication, the password is always transmitted as an MD5 digest of the user's password. The password is never sent across the network in clear text and cannot be determined with the help of a sniffer.
Function of the digest authentication scheme
In this authentication scheme, an optional header permits the server to specify the algorithm used to create the checksum or digest (by default, the MD5 algorithm). The digest authentication scheme issues the challenge using a randomly chosen value. This randomly chosen value is a server-specified data string. It may be uniquely generated each time a 401 response is made. A valid response contains a checksum (by default, the MD5 checksum) of the following:
• Username
• Password
• Given random value
• HTTP method
• Requested URL
In this way, the password is never sent in clear text.
Drawback: The password is not sent in clear text, but an attacker can gain access using the digested password, as the digested password is really all the information required to access the web site.
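The exchange described above, worked through as an added example in Go (not code from the original page): the client computes the response from the username, realm, password, server random value (the nonce), HTTP method and URL; the server recomputes it from a stored intermediate digest and refuses a captured response that is presented a second time. The realm, user, password and nonce values are constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// md5Hex returns the lowercase hex MD5 digest of s (the scheme's default algorithm).
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// responseFromHA1 finishes the digest from HA1 = MD5(username:realm:password):
//   HA2      = MD5(method:uri)
//   response = MD5(HA1:nonce:HA2)
// Everything after HA1 is public, so whoever holds HA1 can answer any challenge.
func responseFromHA1(ha1, nonce, method, uri string) string {
	ha2 := md5Hex(method + ":" + uri)
	return md5Hex(ha1 + ":" + nonce + ":" + ha2)
}

// DigestResponse is the client side: it never sends the password itself, only
// the response digest computed from it and the server's random value.
func DigestResponse(username, realm, password, nonce, method, uri string) string {
	ha1 := md5Hex(username + ":" + realm + ":" + password)
	return responseFromHA1(ha1, nonce, method, uri)
}

// DigestServer keeps HA1 per user (not clear-text passwords) and remembers every
// nonce it issued so that a captured response cannot be replayed.
type DigestServer struct {
	Realm  string
	ha1    map[string]string // username -> HA1
	nonces map[string]bool   // issued nonce -> already consumed?
}

func NewDigestServer(realm string) *DigestServer {
	return &DigestServer{Realm: realm, ha1: map[string]string{}, nonces: map[string]bool{}}
}

// AddUser stores HA1 only. Because HA1 alone suffices to authenticate (the
// drawback above), the credential store must be protected like a password file.
func (s *DigestServer) AddUser(username, password string) {
	s.ha1[username] = md5Hex(username + ":" + s.Realm + ":" + password)
}

// IssueNonce records the random value sent with a 401 challenge. The caller
// supplies it here so the example is deterministic; a real server draws it
// from crypto/rand and also expires it after a short time.
func (s *DigestServer) IssueNonce(nonce string) {
	s.nonces[nonce] = false
}

// Verify accepts a response only if the nonce was issued by this server, has
// not been used before, and the digest matches the stored HA1 for the user.
func (s *DigestServer) Verify(username, nonce, method, uri, response string) bool {
	used, known := s.nonces[nonce]
	if !known || used {
		return false // unknown nonce, or replay of a captured request
	}
	ha1, ok := s.ha1[username]
	if !ok {
		return false
	}
	expected := responseFromHA1(ha1, nonce, method, uri)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(response)) != 1 {
		return false
	}
	s.nonces[nonce] = true // consume the nonce
	return true
}

func main() {
	srv := NewDigestServer("example.realm")
	srv.AddUser("mark", "s3cret")   // constructed credentials
	srv.IssueNonce("nonce-000001")  // constructed server challenge value
	resp := DigestResponse("mark", "example.realm", "s3cret", "nonce-000001", "GET", "/account")
	fmt.Println("first use:", srv.Verify("mark", "nonce-000001", "GET", "/account", resp)) // true
	fmt.Println("replay:   ", srv.Verify("mark", "nonce-000001", "GET", "/account", resp)) // false
}
```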
SAM database
User passwords are stored by Windows in the Security Accounts Manager (SAM) database or in
the Active Directory database in domains. Passwords are never stored in clear text. Passwords
are hashed. The results are stored in the SAM.
NTLM authentication scheme
NTLM is a protocol that authenticates users and computers based on an authentication challenge and response. The NTLM authentication process is used by all members of the Windows NT family. NTLM authentication does not send the user's password (or a hashed representation of the password) across the network. Instead, NTLM authentication uses a challenge/response mechanism to ensure that the actual password never traverses the network.
How does it work?
The client sends a login request to the telnet server when the authentication process begins. The server replies with a randomly generated 'token' to the client. The client hashes the currently logged-on user's cryptographically protected password with the challenge and sends the resulting "response" to the server. The server receives the challenge-hashed response and compares it in the following manner:
• The server takes a copy of the original token.
• It hashes the token against the user's password hash from its own user account database.
• If the received response matches the expected response, the user is successfully authenticated to the host.
Drawbacks:
• NTLM authentication is not entirely safe because NTLM hashes (or challenge/response pairs) can be cracked with the help of brute force password guessing. The "cracking" program would iteratively try all possible passwords, hashing each and comparing the result to the hash that the malicious user has obtained. When it discovers a match, the malicious user knows that the password that produced the hash is the user's password.
• This authentication technique works only with Microsoft Internet Explorer.
NTLM authentication process
The following are the steps of the NTLM authentication process:
1. A user types a password into the logon window.
2. The Windows OS runs the password through the hash algorithm.
3. The computer sends a login request to the Domain Controller (DC).
4. The DC sends a logon challenge.
5. The computer sends a response to the challenge.
6. The DC compares the computer's response with the response it created with its own hash. If they are the same, the logon is successful. The Domain Controller holds a stored copy of the user's hashed password.
Differences between the various NTLM authentication schemes
There are three NTLM authentication schemes:
• LM
• NTLMv1
• NTLMv2
The following table shows the differences between the three schemes:

Attributes                LM                      NTLMv1                  NTLMv2
Password case sensitive   No                      Yes                     Yes
Hash key length           56bit + 56bit           -                       -
Password hash algorithm   DES (ECB mode)          MD4                     MD4
C/R key algorithm         DES (ECB mode)          DES (ECB mode)          HMAC_MD5
C/R value length          64bit + 64bit + 64bit   64bit + 64bit + 64bit   128bit
Kerberos
Kerberos provides a single sign-on solution for users. It also provides protection for logon credentials. Kerberos 5 is the current version. It relies upon symmetric-key cryptography using the Advanced Encryption Standard (AES) symmetric encryption protocol. Kerberos uses end-to-end security to deliver confidentiality and integrity for authentication. It is used to protect against eavesdropping and replay attacks. It makes use of several different elements:
• Key distribution center (KDC): It is a central server, which consists of a database storing all users, hosts, and network services for Kerberos. Each entry in the database of the KDC is known as a principal. The KDC basically contains two services, which are as follows:
  1. Ticket Granting Server (TGS): It is used to issue ticket-granting tickets, and service and host tickets.
  2. Authentication Server (AS): It is used to issue tickets for network services.
• Kerberos authentication server: It hosts the functions of the KDC. It validates or rejects the authenticity and timeliness of tickets.
• Ticket-granting ticket: It is a small, encrypted identification file. It has a limited validity period. After authentication, the KDC subsystem of authentication services, such as Kerberos, grants the TGT file to a user for data traffic protection. The TGT file contains the session key, its expiration date, and the user's IP address. The user's IP address protects the user from man-in-the-middle attacks.
• Ticket: It is an encrypted message that provides proof that a user is authorized to access an object. Users request tickets to access objects. They are given a ticket if they have authenticated and are authorized (based on having a TGT). Kerberos tickets have specific lifetimes and usage parameters. A client must request a renewal or a new ticket to continue communicating with any server once a ticket expires.
Kerberos authentication
Certificate-based authentication scheme
A certificate-based authentication scheme authenticates a user using public key cryptography. A digital certificate is an electronic document. It includes identification information, the public key, and the digital signature of a certification authority, made with that certification authority's private key. A user presents a digital certificate containing the public key and the signature of the certification authority when the user connects to the server. The server verifies the validity of the signature and whether or not the certificate has been issued by a trusted certificate authority. The server then uses public key cryptography to authenticate the user, proving that the user truly holds the private key associated with the certificate.
Microsoft Passport authentication
Microsoft Passport authentication is based on single sign-on authentication. In this authentication, a user is required to remember only one username and password to be authenticated for multiple services. Passport is a suite of services used to authenticate users across a number of applications. The Passport single sign-on service is an authentication service that allows users to create a single set of credentials. The single set of credentials enables users to sign in to any participating site supporting the Passport service. The Passport single sign-on service enables the use of one set of credentials in order to access any Passport-enabled site, such as MSN, Hotmail, and MSN Messenger.
Form-based authentication scheme
A form-based authentication scheme is a technique by which a form composed in HTML with the <FORM> and <INPUT> tags, indicating fields for users to input their username/password, is used to authenticate users. Once the user inputs the data via HTTP or SSL, it is evaluated by some server-side logic and, if the credentials are valid, a cookie is given to the user to be reused on subsequent visits.
The form-based authentication scheme works in the following manner:
• A client generates a request for a protected resource (e.g. a transaction details page).
• The Internet Information Server (IIS) receives the request. If the requesting client is authenticated by IIS, the user/client is passed on to the Web application.
• If the client does not hold a valid authentication ticket/cookie, the Web application redirects the user to the URL where the client is prompted to enter credentials to gain access to the secure resource.
• On providing the required credentials, the client is authenticated/processed by the Web application.
Password sniffing
Password sniffing is a technique used for harvesting passwords. It involves monitoring traffic on a network in order to pull out information. Various software tools are available from several companies, and people can either perform it manually or write their own code for a specific purpose. In password sniffing, programs or devices follow the traffic that moves around a network. They examine individual packets of data to pull out data that contains passwords. Sometimes, passwords are displayed in plain text inside the system, which makes it easy for the password sniffer to identify them and match them with user names. If passwords are encrypted, a decryption program may be needed to pull passwords out of the data stream.
Active sniffing
In active sniffing, sniffing is performed on a switched network and packets are injected into the network to cause traffic. Active sniffing is needed to bypass the segmentation that is provided by switches. Switches maintain their own ARP cache in a Content Addressable Memory (CAM) and keep track of which host is connected to which port.
Difference between active sniffing and passive sniffing
In passive sniffing, no packet is generated by the tool; it just sits there and captures all packets. In passive sniffing, an intruder gets access to the network by compromising the physical security. For example, an intruder walks into the building with a laptop and plugs in to access the network so that he/she may capture data. In active sniffing, the intruder generates some spoofed packets and captures authentic packets. For example, malicious Ethernet packets generated using libnet will force the switch to learn, in a spanning tree algorithm, that the machine with the MAC address X (X being the address used by the active sniffer) is located on that specific port.
LAN Manager hash
The LAN Manager hash is the format used by Microsoft LAN Manager and Microsoft Windows to store user passwords that are less than 15 characters long. All the letters are converted to uppercase, e.g. 123456QWERTY, when the password is encrypted with the LM algorithm. To make the password 14 characters in length, it is padded with null (blank) characters: 123456QWERTY_. The 14-character string is split in half before this password is encrypted: 123456Q and WERTY_. Each string is individually encrypted and the results are concatenated:
123456Q = 6BF11E04AFAB197F
WERTY_ = F1E9FFDCC75575B15
The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15
The first 7 characters of the password are used to derive the first 8 bytes, and characters 8 through 14 of the password are used to derive the second 8 bytes. The second half will be 0xAAD3B435B51404EE if the password is less than 7 characters.
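The LM computation described above, as an added example in Go (not code from the original page): uppercase, pad to 14 bytes, split into two 7-byte halves, DES-encrypt a fixed constant under each half, concatenate. It also implements the audit check implied by the last paragraph: a second half equal to AAD3B435B51404EE marks a password of at most seven characters, which lets an administrator flag short passwords in a hash dump without cracking anything. Assumptions: ASCII-only passwords (the OEM code page conversion Windows applies to other characters is not modelled) and the constructed sample inputs in main.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that each 7-character half DES-encrypts.
const lmMagic = "KGS!@#$%"

// emptyHalf is the result for an all-zero half, i.e. the padding alone. Seeing it
// as the second half of a stored LM hash tells an auditor the password has at
// most seven characters.
const emptyHalf = "AAD3B435B51404EE"

// expandDESKey spreads 7 password bytes over 8 key bytes, inserting one parity
// bit (ignored by DES, left as 0 here) after every 7 bits.
func expandDESKey(half []byte) []byte {
	k := make([]byte, 8)
	k[0] = half[0] & 0xFE
	k[1] = (half[0]<<7 | half[1]>>1) & 0xFE
	k[2] = (half[1]<<6 | half[2]>>2) & 0xFE
	k[3] = (half[2]<<5 | half[3]>>3) & 0xFE
	k[4] = (half[3]<<4 | half[4]>>4) & 0xFE
	k[5] = (half[4]<<3 | half[5]>>5) & 0xFE
	k[6] = (half[5]<<2 | half[6]>>6) & 0xFE
	k[7] = (half[6] << 1) & 0xFE
	return k
}

// lmHalf encrypts the magic constant under the DES key derived from one half.
func lmHalf(half []byte) ([]byte, error) {
	block, err := des.NewCipher(expandDESKey(half))
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, []byte(lmMagic))
	return out, nil
}

// LMHash follows the steps in the text: uppercase, pad with zero bytes to 14,
// split into two 7-byte halves, encrypt each independently, concatenate.
// Windows stores no LM hash for passwords of 15 or more characters, so that
// case is an error here. Assumption: ASCII passwords only.
func LMHash(password string) (string, error) {
	if len(password) > 14 {
		return "", errors.New("no LM hash is stored for passwords of 15 or more characters")
	}
	for i := 0; i < len(password); i++ {
		if password[i] > 0x7F {
			return "", errors.New("non-ASCII passwords are outside this example")
		}
	}
	buf := make([]byte, 14) // the zero padding happens here
	copy(buf, strings.ToUpper(password))
	first, err := lmHalf(buf[:7])
	if err != nil {
		return "", err
	}
	second, err := lmHalf(buf[7:])
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(append(first, second...))), nil
}

// ShortPasswordMarker reports whether a stored LM hash ends in the empty-half
// constant, which an audit of a hash dump can use to flag passwords of seven
// characters or fewer.
func ShortPasswordMarker(lmHash string) bool {
	return len(lmHash) == 32 && strings.EqualFold(lmHash[16:], emptyHalf)
}

func main() {
	for _, pw := range []string{"", "abc", "password", "PaSsWoRd", "fifteen-chars!!"} { // constructed inputs
		h, err := LMHash(pw)
		if err != nil {
			fmt.Printf("%-18q %v\n", pw, err)
			continue
		}
		fmt.Printf("%-18q %s short=%v\n", pw, h, ShortPasswordMarker(h))
	}
}
```

The two halves are computed independently and case is discarded, which is why the text recommends 15-character passwords or disabling LM storage outright.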
Salting
Salting prevents deriving passwords from the password file. With salting, the stored representation of the same password differs from one account to another. Its advantage is that it defeats pre-computed hash attacks, because the same password produces different hashes.
Example:
Mark:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
John:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Sally:root:209be1:a483b303c23af34761de02be038fde08
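An added example in Go (not from the page) of the salted record format shown above: two users with the same password get different stored hashes, verification re-derives the hash from the record's own salt, and a precomputed table of unsalted hashes, which matches the unsalted value, matches neither salted one. Assumptions: SHA-256 stands in for the page's MD5-style digests, the records are simplified to user:salt:hash, and the wordlist and salts (two copied from the records above) are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// hashHex returns the hex SHA-256 of the concatenated parts. Assumption: the
// page's records look like MD5 digests; SHA-256 is used here, and a production
// store would put a deliberately slow KDF (bcrypt, scrypt, Argon2) on top of the salt.
func hashHex(parts ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(parts, "")))
	return hex.EncodeToString(sum[:])
}

// NewSalt draws 3 random bytes and renders them as 6 hex characters, the salt
// width shown in the records above. Real systems use 16 bytes or more.
func NewSalt() (string, error) {
	b := make([]byte, 3)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// StoreRecord builds a "user:salt:hash" line with hash = H(salt || password).
func StoreRecord(user, salt, password string) string {
	return user + ":" + salt + ":" + hashHex(salt, password)
}

// StoredHash returns the hash field of a record, or "" if the record is malformed.
func StoredHash(record string) string {
	f := strings.Split(record, ":")
	if len(f) != 3 {
		return ""
	}
	return f[2]
}

// Verify re-derives the hash from the record's own salt and compares in constant time.
func Verify(record, password string) bool {
	f := strings.Split(record, ":")
	if len(f) != 3 {
		return false
	}
	expected := hashHex(f[1], password)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(f[2])) == 1
}

// PrecomputedTable maps unsalted hashes back to the words that produced them,
// standing in for the lookup/rainbow tables that salting is meant to defeat.
func PrecomputedTable(words []string) map[string]string {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[hashHex(w)] = w
	}
	return table
}

func main() {
	table := PrecomputedTable([]string{"123456", "password", "letmein"}) // constructed wordlist
	_, hit := table[hashHex("password")]
	fmt.Println("unsalted hash found in table:", hit) // true
	mark := StoreRecord("Mark", "b4ef21", "password") // salts taken from the page's records
	john := StoreRecord("John", "a9c4fa", "password")
	_, hit = table[StoredHash(mark)]
	fmt.Println("salted hash found in table:  ", hit) // false
	fmt.Println("same password, same hash:    ", StoredHash(mark) == StoredHash(john)) // false
	fmt.Println("verify Mark/password:        ", Verify(mark, "password")) // true
}
```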
LM hash backward compatibility
Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect from computers running earlier versions of Windows. Kerberos is not used for authentication by older Windows clients. Windows 2000 and Windows Server 2003 support LAN Manager (LM), Windows NT (NTLM), and NTLM version 2 (NTLMv2) authentication for backward compatibility.
Disable LM hash
The following methods are used to disable the LM hash:
• Use a password having at least 15 characters. When the password is 15 characters or longer, the LM hash is not generated.
• Edit the registry to implement the NoLMHash policy. Locate the following key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  Add a key named NoLMHash.
• Use a group policy in order to implement the NoLMHash policy:
  o Disable "Network security: Do not store LAN Manager hash value on next password change" in Local Security Policy -> Security Options
Password crackers
A password cracker is an application program used to identify an unknown or forgotten
password to a computer or network resources. A human cracker can use the password cracker to
obtain unauthorized access to resources.
A password cracker can also identify encrypted passwords. The program may be able to decrypt
the password after retrieving the password from the computer's memory. The password cracker
can create an encrypted version of the password that matches the original by using the same
algorithm as the system program.
Some password cracker programs look for hybrids of dictionary entries and numbers. For
example, a password cracker may look for ants01; ants02; ants03, etc. This can be useful where
users include a number in their password.
The following are various password crackers:
• Cain & Abel: Cain & Abel is a multipurpose tool that can be used to perform many tasks, such as Windows password cracking, Windows enumeration, and VoIP session sniffing. This password cracker can handle a wide variety of tasks. This password cracking program can perform the following types of tasks: dictionary attack, brute force attack, cryptanalysis attack, recording VoIP sessions, decoding scrambled passwords, uncovering cached passwords, etc.
• John the Ripper: John the Ripper is a fast password cracker available for various environments. Its primary purpose is to detect weak Unix/Linux passwords. Initially developed for the Unix operating system, it currently runs on fifteen different platforms. John the Ripper is available for most versions of UNIX, Windows, DOS, BeOS, and OpenVMS. John the Ripper requires the user to have a copy of the password file.
• THC Hydra: THC Hydra is a fast network authentication cracker that supports many different services. Hydra was a software project developed by a German organization called "The Hacker's Choice" (THC) that uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services. It was designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen passwords. The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.
• Aircrack: Aircrack is the fastest WEP/WPA cracking tool. Aircrack is used for 802.11a/b/g WEP and WPA cracking. Aircrack is also used to attack WPA 1 or 2 networks using cryptographic methods or by brute force.
• L0phtCrack: L0phtCrack is a password auditing and recovery application. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks, and rainbow tables. It was one of the crackers' tools of choice, although most use old versions because of their low price and availability.
• Airsnort: Airsnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. Airsnort operates by passively monitoring transmissions. It uses a ciphertext-only attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.
• SolarWinds: SolarWinds offers a large collection of network discovery/monitoring/attack tools. They have created dozens of special purpose tools. Some of them are a router password decryption tool, an SNMP brute force cracker, a TCP connection reset program, etc.
• Pwdump: Pwdump is a Windows password recovery tool. It can extract NTLM and LanMan hashes from a Windows system. It is also used to display password histories. The output data is in L0phtCrack-compatible form and can be written to an output file.
• RainbowCrack: RainbowCrack is a computer program that generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to drastically reduce the length of time needed to crack a password.
• Brutus: Brutus is a password cracking tool that performs both dictionary and brute force attacks in which passwords are randomly generated from given characters. Brute forcing can be performed on the following authentications: HTTP (Basic Authentication), HTTP (HTML Form/CGI), POP3 (Post Office Protocol v3), FTP (File Transfer Protocol), SMB (Server Message Block), and Telnet.
• NWPCrack: NWPCrack is used to crack a single account on a Netware server using the dictionary attack. It tries to log on to the network using a dictionary file, which contains all possible passwords. This file contains every word in English, many words in other languages, celebrity names, slang, titles of books, movies, and TV shows, etc. NWPCrack attempts to log in as SUPERVISOR or any other user ID and tries each entry of the dictionary file.
• P0f: P0f is a passive OS fingerprinting tool that is used to identify the operating system of a target host simply by examining captured packets, even when the device is behind a packet firewall. It does not generate any additional direct or indirect network traffic. P0f can also be used to gather various kinds of information, such as firewall presence, NAT use (for policy enforcement), existence of a load balancer setup, the distance to the remote system and its uptime, etc.
• Dsniff: Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic.
• Legion: Legion is a password cracking tool that is used to automate password guessing in the NetBIOS session. It scans multiple IP address ranges for Windows shares and also offers a manual dictionary attack tool.
• Fgdump: Fgdump works like pwdump; however, it also extracts cached credentials and permits remote network execution.
Cracking Windows NT Passwords
An attacker can easily crack Windows NT passwords. As you know, the Windows NT operating system stores the usernames and hashed passwords in the SAM file that is located in the Windows\system32\config directory. However, while the Windows NT operating system is running, the SAM file cannot be accessed. So, the attacker can copy the SAM file either by booting the target system with an alternate operating system, such as DOS or Linux from a boot CD, or by copying it from the repair directory. When a network administrator uses the RDISK feature of Windows NT to back up the operating system, a compressed copy of the SAM file "SAM._" is created in the C:\windows\repair directory. This file can be expanded by using the following command:
C:\>expand sam._ sam
Once the SAM._ file is uncompressed, it can be cracked by using either a dictionary, hybrid, or brute-force attack with a tool like L0phtCrack.
Defend against password cracking
The following actions should be taken to defend against password cracking:
• Passwords should be 8-12 characters long and combine uppercase and lowercase letters, numbers, and symbols so that they are difficult to guess.
• The same password should not be reused when a password is changed.
• The password change policy should be set to 30 days.
• The server's logs should be monitored for brute force attacks on user accounts.
• Passwords should not be stored in an unsecured location.
• Passwords that can be found in a dictionary should not be used.
• Passwords such as a date of birth or a spouse's, child's, or pet's name should never be used.
• SYSKEY should be enabled with a strong password to encrypt and protect the SAM database.
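Monitoring the server's logs for brute force attacks, as listed above, can be automated. The following Python script is an added example and is not part of the original study guide. It reads a constructed, syslog-like authentication log (the line format, user names and addresses are invented for the example) and raises one alert per source address for three patterns: many failures against one account (brute force), failures spread across many accounts from one source (password spraying), and a success that follows a burst of failures for the same account (a possible compromised password). The five-minute window and the thresholds are assumed values to tune for the real environment.

```python
"""Detect brute-force, password-spraying and success-after-failure patterns
in an authentication log (added example; the log format is constructed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, user, source address.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth FAILED user=alice src=203.0.113.5
2024-03-01T10:00:03 auth FAILED user=alice src=203.0.113.5
2024-03-01T10:00:04 auth FAILED user=alice src=203.0.113.5
2024-03-01T10:00:06 auth FAILED user=alice src=203.0.113.5
2024-03-01T10:00:07 auth FAILED user=alice src=203.0.113.5
2024-03-01T10:00:09 auth FAILED user=alice src=203.0.113.5
2024-03-01T10:00:30 auth OK user=alice src=203.0.113.5
2024-03-01T10:05:00 auth FAILED user=bob src=198.51.100.7
2024-03-01T10:05:01 auth FAILED user=carol src=198.51.100.7
2024-03-01T10:05:02 auth FAILED user=dave src=198.51.100.7
2024-03-01T10:05:03 auth FAILED user=erin src=198.51.100.7
2024-03-01T10:05:04 auth FAILED user=frank src=198.51.100.7
2024-03-01T10:30:00 auth FAILED user=bob src=192.0.2.9
2024-03-01T10:45:00 auth OK user=bob src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=4):
    """Return sorted (kind, src, user, count) alerts, one per kind and source.

    A sliding window of recent failures is kept per source address, so a
    long log is scanned in a single pass.
    """
    alerts = {}  # (kind, src, user) -> largest count seen
    recent = defaultdict(list)  # src -> failures inside the window, in time order
    for e in sorted(events, key=lambda x: x["ts"]):
        fails = recent[e["src"]]
        while fails and e["ts"] - fails[0]["ts"] > window:
            fails.pop(0)  # expire failures older than the window
        if e["result"] == "FAILED":
            fails.append(e)
            per_user = Counter(f["user"] for f in fails)
            if per_user[e["user"]] >= fail_threshold:
                key = ("brute_force", e["src"], e["user"])
                alerts[key] = max(alerts.get(key, 0), per_user[e["user"]])
            if len(per_user) >= spray_users:
                key = ("password_spray", e["src"], "")
                alerts[key] = max(alerts.get(key, 0), len(per_user))
        else:
            # A success right after a burst of failures for the same account
            # from the same source is the strongest signal of a guessed password.
            n = sum(1 for f in fails if f["user"] == e["user"])
            if n >= fail_threshold:
                key = ("success_after_failures", e["src"], e["user"])
                alerts[key] = max(alerts.get(key, 0), n)
    return sorted((k[0], k[1], k[2], c) for k, c in alerts.items())


def run_sample():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, user, count in run_sample():
        print(f"{kind:24} src={src:14} user={user or '-':8} count={count}")
```

On the sample, the script reports a brute-force run and a subsequent success for alice from 203.0.113.5, and a spray across five accounts from 198.51.100.7; the single failure for bob from 192.0.2.9 stays below every threshold, which is the behaviour you want so that ordinary typos do not page anyone.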
5.3 Understand privilege escalation, key loggers, and other spyware technologies
Exam Focus: Understand privilege escalation, key loggers, and other spyware technologies.
Objective includes:
• Understand privilege escalation.
• Gain insights on key loggers and other spyware technologies.
• Learn how to defend against spyware.
Privilege escalation
Privilege escalation is an attempt to gain a higher level of access than is permitted under an
attacker's account. An attacker can use a non-admin user account to gain access to the network,
and the next step will be to gain administrative privileges.
Take the following steps for privilege escalation:
1. Log in with enumerated usernames and cracked passwords.
2. If interactive logon privileges are restricted, infect the target with a keylogger to collect domain passwords; otherwise, take the following steps:
   1. Replace sethc.exe with cmd.exe.
   2. Create a hidden admin account.
   3. Run services as unprivileged accounts.
   4. Infect the target with a keylogger in order to collect domain passwords.
StickyKeys
StickyKeys is an accessibility feature to aid users who have physical disabilities. The StickyKeys dialog shows up when the Shift key is pressed 5 times at the logon screen. The program that launches StickyKeys is located at c:\windows\system32\sethc.exe. If cmd.exe is put in place of sethc.exe, which is responsible for the StickyKeys dialog, then pressing the Shift key 5 times at the logon screen calls the replaced sethc.exe and gives a command prompt with administrator privileges.
Create a hidden admin account
Take the following steps to create a hidden admin account:
1. Launch the command prompt, type "NET USER Juggyboy PASSWORD", where "PASSWORD" can be any password you like, and press Enter.
2. Go to the registry editor and navigate to the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList].
3. Create a new DWORD value named "Juggyboy" and close the registry editor. Juggyboy will be a hidden user with administrative privileges.
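A defender can audit for exactly this trick by exporting the UserList key and comparing its contents with the local Administrators group. The Python script below is an added example and not part of the original study guide: it parses the text produced by `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" userlist.reg` and by `net localgroup Administrators`, and reports accounts that are both hidden from the logon screen (DWORD data 0) and members of Administrators. Both sample outputs are constructed, including the Juggyboy entry from the steps above; matching is case-insensitive because Windows account names are.

```python
"""Audit for hidden administrator accounts (added example; sample data constructed).

Data sources, run on the Windows host being checked:
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" userlist.reg
  net localgroup Administrators > admins.txt
reg export writes UTF-16, so open that file with encoding="utf-16".
"""
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon\SpecialAccounts\UserList")

# Constructed .reg export, modelled on the key used in the steps above.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList]
"Juggyboy"=dword:00000000
"HelpAssistant"=dword:00000000
"Visible"=dword:00000001
"""

# Constructed "net localgroup Administrators" output.
SAMPLE_NET = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
JuggyBoy
The command completed successfully.
"""

VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_userlist(reg_text):
    """Return {account: dword} for values directly under the UserList key."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == USERLIST_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def parse_localgroup(net_text):
    """Return the member names listed by 'net localgroup <group>'."""
    members, collecting = [], False
    for line in net_text.splitlines():
        if line.startswith("----"):
            collecting = True
        elif line.startswith("The command completed"):
            break
        elif collecting and line.strip():
            members.append(line.strip())
    return members


def hidden_admins(reg_text, net_text):
    """Accounts hidden from the logon screen (UserList data 0) that are local admins."""
    hidden = [n for n, v in parse_userlist(reg_text).items() if v == 0]
    admins = {m.lower(): m for m in parse_localgroup(net_text)}
    return sorted(admins[n.lower()] for n in hidden if n.lower() in admins)


if __name__ == "__main__":
    print("UserList entries:", parse_userlist(SAMPLE_REG))
    print("hidden administrators:", hidden_admins(SAMPLE_REG, SAMPLE_NET))
```

Any UserList entry with data 0 deserves a look, but an entry that is also in Administrators is the one to escalate; run the check from a scheduled job and compare against a known baseline so that new entries stand out.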
Gain domain privileges
Take the following steps to gain domain privileges:
1. An attacker infects a victim's local PC with a software keylogger.
2. The victim logs on to the domain server with his credentials.
3. The keylogger sends the login credentials to the hacker.
4. The attacker gains access to the domain server.
Defend against privilege escalation
The following actions should be taken to defend against privilege escalation:
• Sensitive data should be protected using encryption.
• Interactive logon privileges should be restricted.
• Users and applications should be run with the least privilege.
• Multi-factor authentication and authorization should be implemented.
• Services should be run as unprivileged accounts.
• Systems should be regularly patched.
Alchemy Remote Executor
Alchemy Remote Executor is a system management tool that allows network administrators to
execute programs on remote network computers without leaving their workplace. From the
hacker's point of view, it can be useful for installing keyloggers, spyware, Trojans, and Windows
rootkits. One necessary condition for using the Alchemy Remote Executor is that the
user/attacker must have the administrative passwords of the remote computers on which the
malware is to be installed.
Keystroke loggers
Keystroke loggers are programs or hardware devices that monitor each keystroke as a user types on a keyboard, log the keystrokes to a file, or transmit them to a remote location. Keyloggers are placed between the keyboard hardware and the operating system. The following are various keyloggers:
• Advanced Keylogger
• Spytech SpyAgent
• Perfect Keylogger
• Powered Keylogger
• KeyGhost
• iMonitorPC Business Plus
• KeyProwler Pro
• XPCSpy Pro
• KeyProwler
• PC Activity Monitor Standard
• PC Activity Monitor Lite
• Handy Keylogger
• Stealth Keylogger
• Keylogger Spy Monitor
• All In One Keylogger
• REFOG Personal Monitor
• WinSession Logger
• Actual Keylogger
• Spy Lantern Keylogger Pro
• Spytector
• PC Spy Keylogger
• Golden Eye
• Emsa FlexInfo Pro
• Revealer Keylogger
• Quick Keylogger
• Spy Keylogger
• Actual Spy
• IKS Software Keylogger
• Ghost Keylogger
Acoustic/CAM keylogger
An acoustic keylogger uses acoustic cryptanalysis to monitor the sound created by someone typing on a computer. A subtly different acoustic signature is made by each key on the keyboard when struck. The keystroke signature that corresponds to a keyboard character can be identified through statistical methods, such as frequency analysis. The following are used in this analysis to map sounds to letters:
• Repetition frequency of similar acoustic keystroke signatures
• Timings between different keyboard strokes and other context information, such as the probable language in which the user is writing
A fairly long recording (1000 or more keystrokes) is needed to collect a big enough sample.
CAM keylogger
External keyloggers
The following are external keyloggers:
• PS/2 keylogger
• USB keylogger
• Wi-Fi keylogger
• Bluetooth keylogger
Defend against keyloggers
The following actions should be taken to defend against keyloggers:
• Antivirus software should be installed and the signatures should be kept up to date.
• A host-based IDS that can monitor the system should be installed and the installation of keyloggers should be disabled.
• Good professional firewall software and anti-keylogging software should be installed.
• Hardware systems should be kept secure in a locked environment and the keyboard cables should be frequently checked for attached connectors.
• New passwords should be selected for different online accounts and changed frequently.
• Software that can frequently scan and monitor changes or modifications in the system or network should be used.
• A pop-up blocker should be used and opening junk emails should be avoided.
• Files should be scanned before installing them on the computer, and keystroke loggers should be checked for by using the registry editor or Process Explorer.
Anti-keylogger
An anti-keylogger detects or disables software keyloggers. Some anti-keyloggers match signatures of keylogger code against a signature database. Others protect keyboard drivers and the kernel from being manipulated by keyloggers. It becomes difficult for malicious spyware and Trojan programs to capture keystrokes when users type on a virtual keyboard or touch screen.
Spyware
Spyware is a program that partially controls a user's computer without the user's permission. The
various types of personal information such as Internet surfing habits, and Web sites that the user
has visited can be collected using spyware programs. Spyware programs can also interfere with
the control of a user's computer, such as installing additional software, redirecting Web browser
activities, accessing Web sites blindly, etc. The following can lead to spyware propagation:
• Drive-by download
• Piggybacked software installation
• Browser add-ons
• Cookies
• Web browser vulnerability exploits
• Masquerading as anti-spyware
Types of spyware
The following are the types of spyware:
• Telephone and cellphone spyware: It monitors and records phone calls and text messages. It tracks employee cell phone usage. Attackers install spyware on the devices that they want to track. Spyware secretly sends data to attackers via SMS or email.
The following are telephone and cellphone spywares:
o Telephone Spy
o MobiStealth Cell Phone Spy
o VRS Recording System
o SPYPhone Gold
o SPYPhone Tap
o Phone Spy
o FlexiSPY
o Modem Spy
• GPS spyware: It is a device or software application that makes use of the Global Positioning System to find the location of a vehicle, person, or other asset to which it is attached or installed. The following are GPS spywares:
o EasyGPS
o ALL-in-ONE Spy
o FlexiSPY PRO
o Trackstick
o Mobile Spy
o MobiStealth Pro
o World-Tracker
o SPYPhone
• Audio spyware: It can be used for the following purposes:
o Monitors and records a variety of sounds on the computer.
o Records and spies on voice chat messages of different instant messengers.
o Hides and monitors conference recordings, phone calls, and radio broadcasts.
• USB spyware: It copies files from USB devices to your hard disk in hidden mode
without any request. It may also capture, display, record, and analyze data transferred
between any USB device connected to a PC and applications. The following are USB
spywares:
o USB Spy
o USB Hacksaw
o USBDeview
o USB Data Protection Tool
o USB Grabber
o USB Monitor
o USB Data Theft Protection Tool
• Screen capturing spyware: It captures screenshots of local or remote PCs at a predefined interval of time. It permits monitoring screens in real time of all the user activities on the network. Screen capturing spywares may also capture the following activities in real time:
o Keystrokes
o Mouse activity
o Visited website URLs
o Printer activity
Screen capturing spyware generally saves screenshots to a local disk or forwards them to an attacker through FTP or email. The following are screen capturing spywares:
o Hidden Recorder
o IcyScreen
o Hidden Camera
o SoftActivity TS Monitor
o Desktop Spy
o PC Tattletale
o Quick Screen Note
o Computer Screen Spy Monitor
• Desktop spyware: It provides information about what, when, and how network users did on their desktops. It has the following features:
o It performs live recording of remote desktops.
o It records and monitors Internet activities.
o It records software usage and timings.
o It records an activity log and stores it at one centralized location.
o It logs users' keystrokes.
The following are desktop spywares:
o SpyMe Tools
o SSPro
o Easy Remote
o Chily Employee Monitoring
o Remote Desktop Spy
o Employee Desktop Live Viewer
o Desktop Spy X
o NetVizor
• Email and Internet spyware: Email spyware monitors, records, and forwards incoming and outgoing emails, including web-mail services like Gmail and Hotmail. It records instant messages conducted in AIM, MSN, Yahoo, MySpace, Facebook, etc. Internet spyware delivers the following information:
o It delivers a summary report of the overall web usage.
o It records the date/time of visits.
o It records the active time spent on each website.
o It blocks access to a specific web page or an entire website.
The following are Email and Internet spywares:
o Imonitor Employee Activity
o Wiretap Professional
o Employee Monitoring
o Spy Software XP
o OsMonitor
o Spylab WebSpy
o Ascendant NFM
o Personal Inspector
• Print spyware: It is useful in remote printer usage monitoring. It can be used to detect exact print job properties, such as number of copies, number of printed pages, and content printed. The following are print spywares:
o Spyarsenal
o All-Spy Print
o O & K Print Watch
o Accurate Printer Monitor
o Print Job Monitor
o Print Censor
o PrintTrak
• Child monitoring spyware: It is used to control and supervise how children use the PC
and Internet. It uses specified keywords to block kids from accessing inappropriate web
content. It monitors activities for selected users, such as websites, keystrokes, and
screenshots and records selected activities, screenshots, keystrokes, and websites. The
following are child monitoring spywares:
o Silent Monitoring
o iProtectYou Pro
o Net Nanny Home Suite
o Big Mother
o KSS Parental Control
o SpyOn Baby
o CyberSieve
o SentryPC
• Video spyware: It is used to secretly monitor and record webcams and video IM
conversations. Attackers can remotely view webcams through the web or mobile phones.
Users can use video spyware for video surveillance of sensitive facilities. The following
are video spywares:
o WebCam Recorder
o Digi-Watcher
o WebcamMagic
o Eyeline Video Surveillance Software
o EyeSpyFX
o Capturix VideoSpy
o I-Can-See-You
o Hidden Camera Control
Functions of spyware
The following are functions of spyware:
• It steals the user's personal information and sends it to a remote server or hijacker.
• It monitors the user's online activity.
• It displays annoying pop-ups and redirects the web browser to advertising sites.
• It changes the web browser's default settings and prevents the user from restoring them.
• It adds multiple bookmarks to the web browser's favorites list.
• It decreases the overall system security level.
• It places desktop shortcuts to malicious spyware sites.
• It connects to remote pornography sites.
• It reduces system performance and causes software instability.
Spector
Spector is a spy software program that is used to record everything a system does on the Internet.
Every hour, Spector automatically takes hundreds of snapshots of whatever is on the computer
screen and saves the snapshots in a hidden location that is on the system's hard drive. Some
versions of Spector can also record activity on Macintosh systems via snapshots, keystrokes, and
Web site logging. Anti-spector can be used to detect and remove Spector.
5.4 Identify different ways to hide files, understand rootkits, and understand alternate data
streams
Exam Focus: Identify different ways to hide files, understand rootkits, and understand alternate
data streams. Objective includes:
• Identify different ways to hide files.
• Understand rootkits.
• Learn how to identify rootkits and the steps involved.
• Understand Alternate Data Streams.
Hiding files
Take the following steps to hide files:
1. Install the rootkit in the target system in order to maintain hidden access.
2. Perform Integrity Based Detection, Signature Based Detection, Cross View Based
Detection, and Heuristic Detection techniques in order to detect rootkits.
3. Detect rootkits using anti-rootkits, such as RootkitRevealer, McAfee Rootkit Detective,
SanityCheck, Sophos Anti-Rootkit, etc.
4. Inject malicious code on a breached system using an NTFS Alternate Data Stream (ADS)
and execute it without being detected by the user.
5. Detect NTFS-ADS stream by using NTFS stream detectors, such as ADS Scan Engine,
ADS spy, NTFS Streams Info, etc.
6. Hide a secret message within an ordinary message by using the steganography technique
and extract the information at the destination in order to maintain confidentiality of data.
7. Perform steganalysis by using steganography detection tools, such as Stegdetect, Stego
Watch, StegSpy, Xstegsecret, etc.
Rootkit
A rootkit is a set of tools that take administrative control of a computer system without
authorization by the computer owners and/or legitimate managers. The rootkit needs root access
to be installed in the Linux operating system; however, the attacker can get root access at any
time once installed.
Rootkits have the following features:
• They permit an attacker to run packet sniffers secretly in order to capture passwords.
• They permit an attacker to set a Trojan into the operating system, opening a backdoor for anytime access.
• They permit an attacker to replace utility programs that could be used to detect the attacker's activity.
• They provide utilities to install Trojans with the same attributes as legitimate programs.
Types of rootkits
The following are types of rootkits:
• Hypervisor level rootkit: It loads itself by modifying the boot sequence of the machine. It does not modify the original virtual machine monitor or operating system.
• Kernel level rootkit: It adds malicious code to, or replaces, the original OS kernel and device driver code.
• Application level rootkit: It replaces regular application binaries with Trojaned fakes, or injects malicious code to modify the behavior of existing applications.
• Hardware/firmware rootkit: It hides in hardware devices or platform firmware that is not inspected for code integrity.
• Boot loader level rootkit: It replaces the original boot loader with one that is controlled by a remote attacker.
• Library level rootkit: It replaces original system calls with fake ones in order to hide information regarding the attacker.
Fu
Fu is a rootkit. It operates using direct kernel object manipulation. Dropper (fu.exe) and driver
(msdirectx.sys) are components of Fu. It permits attackers to hide processes and drivers, add
privileges to any process token, hide information from user-mode applications and even from
kernel-mode modules, and remove to-be-hidden entries from two linked lists with symbolic
names.
Chkrootkit
Chkrootkit is a toolkit used to check whether a rootkit is installed in the Linux operating system
or not. It contains the following tools:
Tool           Description
chkrootkit     A shell script that checks system binaries for rootkit modification.
ifpromisc.c    Checks whether the network interface is in promiscuous mode or not.
chklastlog.c   Checks for deletion of the last log.
chkwtmp.c      Checks for wtmp deletions.
check_wtmpx.c  Checks for wtmpx deletions.
chkproc.c      Checks for signs of LKM Trojans.
chkdirs.c      Checks for signs of LKM Trojans.
chkutmp.c      Checks for utmp deletions.
Steps for detecting rootkits
Take the following steps for detecting rootkits:
1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware.
Techniques for detecting rootkits
The following techniques are used for detecting rootkits:
• Integrity based detection: In this technique, a comparison is made between a snapshot of the file system, boot records, or memory and a known trusted baseline.
• Signature based detection: In this technique, a comparison is made between characteristics of all system processes and executable files and a database of known rootkit fingerprints.
• Heuristic based detection: In this technique, deviations from normal system patterns and behavior are looked for in order to find unidentified rootkits based on the execution path hooks they use.
• Cross view based detection: In this technique, system files, processes, and registry keys are enumerated and compared with a similar data set generated by an algorithm that does not rely on the system's common APIs.
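The WinDiff step in the procedure above and the cross view technique in this list are the same idea: compare what the running (and possibly lying) operating system reports with a listing taken from outside it. The Python script below is an added example, not part of the original study guide, that performs that comparison on two constructed captures of `dir /s /b /ah` and `dir /s /b /a-h`. It lower-cases paths and strips the drive letter, because a boot CD often gives the same volume a different letter, and it keeps an ignore list for paths that legitimately differ between the two boots (temporary files, logs). Paths present only in the clean-boot listing are the ones the live system hid; the two such entries in the sample are placeholder names, not real malware file names.

```python
"""Cross-view comparison of directory listings (added example; listings constructed)."""
from fnmatch import fnmatch

# Constructed listing captured inside the suspect OS:
#   dir /s /b /ah >> live.txt  and  dir /s /b /a-h >> live.txt
LIVE_LISTING = """\
C:\\Windows\\System32\\cmd.exe
C:\\Windows\\System32\\drivers\\ntfs.sys
C:\\Windows\\System32\\sethc.exe
C:\\Windows\\Temp\\scan.log
C:\\pagefile.sys
"""

# Constructed listing of the same volume captured from a clean boot CD, where
# the volume was mounted as D:. The two extra entries are placeholder names
# standing in for files a rootkit hid from the live system.
CLEAN_LISTING = """\
D:\\Windows\\System32\\cmd.exe
D:\\Windows\\System32\\drivers\\ntfs.sys
D:\\Windows\\System32\\drivers\\hidden_drv.sys
D:\\Windows\\System32\\rk_service.exe
D:\\Windows\\System32\\sethc.exe
D:\\pagefile.sys
"""

# Paths expected to differ between boots; their absence is not evidence of hiding.
DEFAULT_IGNORE = ("\\windows\\temp\\*", "\\windows\\prefetch\\*", "*.log")


def normalize(path):
    """Lower-case, use backslashes and drop the drive letter so listings compare."""
    p = path.strip().replace("/", "\\")
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p.lower().rstrip("\\")


def load(listing_text):
    return {normalize(line) for line in listing_text.splitlines() if line.strip()}


def cross_view(live_text, clean_text, ignore=DEFAULT_IGNORE):
    """Return (hidden, extra): paths only the clean boot saw, and paths only the live OS saw."""
    live, clean = load(live_text), load(clean_text)

    def ignored(p):
        return any(fnmatch(p, pat) for pat in ignore)

    hidden = sorted(p for p in clean - live if not ignored(p))
    extra = sorted(p for p in live - clean if not ignored(p))
    return hidden, extra


if __name__ == "__main__":
    hidden, extra = cross_view(LIVE_LISTING, CLEAN_LISTING)
    for p in hidden:
        print("HIDDEN FROM LIVE OS:", p)
    for p in extra:
        print("only in live listing:", p)
```

The same function works for any pair of enumerations that should agree (process lists from the API and from a raw memory walk, registry keys from regedit and from a parsed hive file); only the normalisation step changes.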
Defend against rootkits
The following actions should be taken to defend against rootkits:
• The OS and applications should be reinstalled from a trusted source after backing up the critical data.
• Well-documented automated installation procedures should be kept.
• Network and host-based firewalls should be installed.
• Strong authentication should be used.
• Trusted restoration media should be kept available.
• The workstation or server should be hardened against the attack.
• Patches for operating systems and applications should be kept up to date.
• Antivirus and anti-spyware software should be updated regularly.
Anti-Rootkits
The following are Anti-Rootkits:
• GMER
• Trend Micro RootkitBuster
• Rootkit Razor
• RemoveAny
• Sophos Anti-Rootkit
• F-Secure BackLight
• Avira AntiRootkit Tool
• SanityCheck
NTFS
NTFS is an advanced file system designed for use specifically in Windows NT, Windows
2000/2003/2008, and Windows XP/Vista/7 operating systems. It supports the following:
• File system recovery
• Large storage media
• Long file names
NTFS provides the following features:
• Disk quotas
• Distributed link tracking
• Compression
• Mounted drives
NTFS also provides security features, such as encryption and file and folder permissions. These
features are not available on FAT volumes.
Alternate Data Streams
Alternate Data Streams (ADS) is a feature of the NTFS file system that allows more than one
data stream to be associated with a filename, using the filename format "filename:streamname".
Alternate streams are not listed in Windows Explorer, and their size is not included in the file
size. ADS provides the hacker a place to hide rootkits or hacker tools, which can be executed
without being detected by the system administrator. Alternate Data Streams are strictly a feature
of the NTFS file system. Alternate Data Streams may be used as a method to hide executables or
proprietary content.
Create NTFS streams
Take the following steps to create NTFS streams:
1. Run c:\> notepad myfile.txt:lion.txt. Click 'Yes' to create the new file, type 10 lines of data, and save the file.
2. Run c:\> notepad myfile.txt:tiger.txt. Click 'Yes' to create the new file, type another 20 lines of text, and save the file.
3. View the file size of myfile.txt. It should be zero.
4. Open the document 'myfile.txt:tiger.txt' in Notepad.
NTFS stream manipulation
Use the following command to move the contents of Trojan.exe into a stream of Readme.txt:
C:\> type c:\Trojan.exe > c:\Readme.txt:Trojan.exe
Use the following command to execute the Trojan.exe inside the Readme.txt stream:
C:\> start c:\Readme.txt:Trojan.exe
Use the following command to extract Trojan.exe from the Readme.txt stream (cat is a Unix-style utility, not a cmd.exe built-in, so a Windows port of it is assumed here):
C:\> cat c:\Readme.txt:Trojan.exe > Trojan.exe
NTFS stream detectors
The following are NTFS stream detectors:
• ADS Spy
• List NTFS Streams (LNS)
• LADS
• StreamArmor
• NTFS Streams Info
• Streams
• ADS Locater
• ADS Manager
Defend against NTFS streams
Deleting a stream file involves copying the front file to a FAT partition and then copying it back
to NTFS. When the file is moved to the FAT partition, streams are lost. LNS.exe can detect
streams.
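Because Explorer and a plain `dir` do not show alternate streams, the practical built-in check is `dir /R` (available since Windows Vista), which lists every stream of each file with its size, or in PowerShell `Get-Item -Path <file> -Stream *`. The Python script below is an added example, not part of the original study guide: it parses a constructed `dir /R` capture (the Readme.txt:Trojan.exe entry mirrors the commands above) and reports non-default streams, ignoring the Zone.Identifier stream that browsers attach to downloads and marking streams whose name looks like an executable.

```python
"""Find suspicious NTFS alternate data streams in 'dir /R' output
(added example; the listing below is constructed)."""
import re

SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\

03/01/2024  10:01 AM                 0 Readme.txt
                                73,802 Readme.txt:Trojan.exe:$DATA
03/01/2024  10:02 AM            12,345 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
03/01/2024  10:03 AM             4,096 notes.txt
                                   512 notes.txt:comment:$DATA
               3 File(s)         16,441 bytes
               0 Dir(s)  10,000,000,000 bytes free
"""

# Stream lines carry only a size and "file:stream:$DATA", with no date/time column.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
BENIGN_STREAMS = {"zone.identifier"}  # Mark-of-the-Web written by browsers
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_streams(dir_output):
    """Return (file, stream, size) for every alternate stream in the listing."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(dir_output, benign=BENIGN_STREAMS, min_size=0):
    """Non-default streams worth a look, with a flag for executable-looking names."""
    hits = []
    for fname, stream, size in parse_streams(dir_output):
        if stream.lower() in benign or size < min_size:
            continue
        looks_exec = stream.lower().endswith(EXEC_SUFFIXES)
        hits.append({"file": fname, "stream": stream, "size": size,
                     "executable_name": looks_exec})
    return hits


if __name__ == "__main__":
    for h in suspicious_streams(SAMPLE_DIR_R):
        flag = "EXECUTABLE NAME" if h["executable_name"] else ""
        print(f"{h['file']}:{h['stream']}  {h['size']} bytes  {flag}")
```

A stream name is only a hint; a large stream with an innocent name is just as interesting, which is why the size is reported and a minimum size can be set. On the sample the Trojan.exe stream is flagged, Zone.Identifier is skipped, and the small comment stream is listed without the executable flag.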
5.5 Understand steganography technologies and tools used
Exam Focus: Understand steganography technologies and tools used. Objective includes:
• Steganography techniques
• Types of steganography
• Steganalysis
Steganography
In steganography, harmful messages are embedded within other seemingly harmless messages
for hiding the information. In steganography, bits of unused data, such as graphics, sound, text,
and HTML, are replaced with bits of invisible information in regular computer files. The hidden
information can be in the form of plain text, cipher text, or even in the form of images.
Steganography techniques
The following are steganography techniques:
• Substitution technique: It substitutes a redundant part of the cover-object with the secret message.
• Spread spectrum technique: It embeds secret messages by adopting ideas from spread spectrum communication.
• Distortion technique: It uses signal distortion to store information and measures the deviation from the original cover in the extraction step.
• Cover generation technique: It encodes information by generating a cover object purpose-built to carry the secret communication.
• Transform domain technique: It embeds a secret message in a transform space of the signal.
Types of steganography
The following are the types of steganography:
• Image steganography
• Document steganography
• Folder steganography
• Video steganography
• Audio steganography
• White space steganography
• Web steganography
• Spam/email steganography
• DVDROM steganography
• Natural text steganography
• Hidden OS steganography
• C+ source code steganography
The following are some important types of steganography:
• Image steganography: This type of steganography hides the information in image files of different formats, such as .PNG, .JPG, .BMP, etc. Image steganography tools replace redundant bits of image data with the message in such a manner that the human eye cannot detect the effect. The following are image steganography tools:
o ImageHide
o Contraband
o QuickStego
o Camera/Shy
o gifshuffle
o JPHIDE and JPSEEK
o OutGuess
o StegaNote
• Folder steganography: This type of steganography hides secret information in folders.
The following are folder steganography tools:
o StegoStick
o PSM Encryptor
o QuickCrypto
o XPTools
o Max Folder Secure
o Universal Shield
o WinMend Folder Hidden
o Hide My Files
• Video steganography: This type of steganography hides the information in video files of different formats, such as .AVI, .MPG4, .WMV, etc. The following are video steganography tools:
o Masker
o MSU StegoVideo
o Max File Encryption
o BDV DataHider
o Xiao steganography
o CHAOS Universal
o RT steganography
o OmniHide PRO
• Audio steganography: This type of steganography hides secret information in audio
files, such as .MP3, .RM, .WAV, etc. The following are audio steganography tools:
o MAXA Security Tools
o MP3Stego
o Stealth Files
o Steghide
o audiostegano
o Hide4PGP
o BitCrypt
o CHAOS Universal
• Spam/email steganography: This type of steganography hides information in spam
messages.
• Natural text steganography: Natural text steganography programs convert sensitive
information into a user-definable free speech, such as a play.
Image hide
Image hide is a steganography program that is used to hide text within an image. Using steganography, data can be hidden in images that appear identical to the original images and recovered from them again. It is estimated that approximately 300KB of information can be hidden when a 640 x 480 pixel image with a color resolution of 256 colors is used. High-resolution images are notable for their payload capacity. For example, a 1024 x 768 pixel image with a 24-bit color resolution can carry about 2.3MB as payload. Image hide warns its users that the image file should not use the JPEG format, because JPEG is a lossy algorithm and hidden data may be lost during compression.
Steganalysis
Steganalysis is used to discover and render covert messages hidden using steganography. The following are the challenges of steganalysis:
• The suspect information stream may or may not include encoded hidden data.
• Hidden content within digital messages must be detected efficiently and accurately.
• Some of the suspect signals or files may have irrelevant data or noise encoded into them.
• The hidden data may have been encrypted before it was inserted into a file or signal.
Steganalysis methods
The following are steganalysis methods:
• Stego-only: In this method, only the steganography medium is available for analysis.
• Known-stego: In this method, the original and the stego-object are available and the steganography algorithm is known.
• Disabling or active: In this method, active attackers can change the cover during the communication process.
• Reformat: In this method, the format of the file is changed. Different file formats store data in different formats.
• Known-cover: In this method, the stego-object is compared with the original cover object in order to detect hidden information.
• Chosen-message: In this method, patterns in the stego-object are determined. These patterns refer to the use of specific steganography tools or algorithms.
• Chosen-stego: In this method, the stego-object and the steganography algorithm are identified.
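The substitution technique and most of the image steganography tools listed above work by least-significant-bit (LSB) replacement, and a stego-only analysis of such an image usually starts from the statistics of the LSB plane. The Python script below is an added example, not part of the original study guide or of any tool named on this page. It embeds a message in the LSBs of a constructed 8-bit greyscale image (a plain list of pixel values, so no imaging library is needed), extracts it again, and then applies the pairs-of-values chi-square statistic: replacing LSBs with random-looking payload bits equalises the counts of each value pair (2k, 2k+1), so the statistic collapses for the stego image while staying high for the cover. The cover, the pseudo-random payload (standing in for an encrypted message) and the 4-byte length header are all constructed for the example.

```python
"""LSB substitution steganography and a pairs-of-values (chi-square) detector
(added example; cover image and payload are constructed)."""
import random


def make_cover(width=64, height=64):
    """Constructed 8-bit greyscale image: a banded gradient whose LSB is rarely set,
    the kind of skewed pair histogram that makes LSB replacement detectable."""
    n = width * height
    return [4 * ((i // 16) % 64) + (1 if i % 8 == 0 else 0) for i in range(n)]


def make_message(length=508, seed=1):
    """Pseudo-random bytes standing in for an encrypted message."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Replace pixel LSBs with a 4-byte length header followed by the message."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = list(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & ~1) | bit
    return stego


def extract(stego):
    """Read the header, then exactly that many bytes, from the LSB plane."""
    def read_bytes(count, offset):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def pov_statistic(pixels):
    """Pairs-of-values chi-square: sum over k of (n(2k) - e)^2 / e with
    e = (n(2k) + n(2k+1)) / 2. Near zero when every pair is balanced."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi += (even - expected) ** 2 / expected
    return chi


def demo():
    cover = make_cover()
    message = make_message()
    stego = embed(cover, message)
    return {
        "recovered": extract(stego) == message,
        "max_pixel_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "chi_cover": pov_statistic(cover),
        "chi_stego": pov_statistic(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

No pixel moves by more than one grey level, which is why the eye cannot see the change, yet the chi-square value drops by more than an order of magnitude once the LSB plane is overwritten. Real detectors compare the statistic against the chi-square distribution to get a probability and slide a window over the image to estimate how much of it carries payload; the balance-of-pairs effect they exploit is the one shown here.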
Snow.exe
Snow.exe is a steganography tool. It is used to hide secret data in text files. It uses the concept
that spaces and tabs are generally not visible in text viewers. Hence, a message can be effectively
hidden; it will not affect the text's visual representation for the casual observer. This is achieved
by appending white spaces to the ends of lines in ASCII text.
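The whitespace trick that Snow.exe relies on is easy to reproduce and, more usefully for a defender, easy to detect, because ordinary text almost never ends lines with a mix of tabs and spaces. The Python script below is an added example with its own simple encoding (one byte per line as eight trailing characters, tab for 1 and space for 0, preceded by a one-byte length on the first line); it is not Snow's actual format, and the cover text is constructed. `audit` shows what a reviewer would look for and `sanitize` removes the channel entirely.

```python
"""Trailing-whitespace text steganography, a detector and a sanitiser
(added example with its own encoding, not Snow.exe's; cover text constructed)."""

COVER_TEXT = "\n".join([
    "Minutes of the weekly project meeting",
    "Attendees: engineering, operations, security",
    "1. Status of the backup restoration test",
    "2. Review of open change requests",
    "3. Patch schedule for the next maintenance window",
    "4. Questions from the operations team",
    "Next meeting: same time next week",
])


def _trailing(line):
    """Return the run of spaces/tabs at the end of a line (may be empty)."""
    return line[len(line.rstrip(" \t")):]


def hide(cover_text, message):
    """Append one byte per line: 8 trailing chars, tab = 1, space = 0.
    Line 0 carries the message length, so messages are limited to 255 bytes."""
    lines = cover_text.split("\n")
    if len(message) > 255 or len(message) + 1 > len(lines):
        raise ValueError("message too long for this cover")
    payload = bytes([len(message)]) + message
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")
        if i < len(payload):
            line += "".join("\t" if (payload[i] >> s) & 1 else " " for s in range(7, -1, -1))
        out.append(line)
    return "\n".join(out)


def reveal(text):
    lines = text.split("\n")

    def byte_at(i):
        tail = _trailing(lines[i])
        if len(tail) != 8:
            raise ValueError(f"line {i} carries no byte")
        value = 0
        for ch in tail:
            value = (value << 1) | (1 if ch == "\t" else 0)
        return value

    length = byte_at(0)
    return bytes(byte_at(i) for i in range(1, length + 1))


def audit(text):
    """Defender view: (line number, trailing length, mixed tabs and spaces)."""
    findings = []
    for n, line in enumerate(text.split("\n"), 1):
        tail = _trailing(line)
        if tail:
            findings.append((n, len(tail), "\t" in tail and " " in tail))
    return findings


def sanitize(text):
    """Strip trailing whitespace, destroying any message hidden this way."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))


if __name__ == "__main__":
    stego = hide(COVER_TEXT, b"meet")
    print("revealed:", reveal(stego))
    print("audit:", audit(stego))
```

`cat -A` on Unix or an editor that renders whitespace shows the same thing `audit` reports, and `git diff` highlights trailing whitespace by default; normalising line endings and trailing whitespace on the way into a document store is the cheap way to close this channel.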
Watermarking
Watermarking is the irreversible process of embedding information into digital media. Digital
watermarks are used to provide copyright protection for intellectual property that is in digital
form. Watermarking is basically divided into two main sections:
• Visible watermarking: In visible watermarking, data or information is clearly visible on the picture or on the video. Generally, this type of watermarking is used to identify the owner of the media and to enforce the copyright. It also serves the purpose of advertisement.
• Invisible watermarking: In invisible watermarking, information is added in a hidden form to the digital media. One of the major applications of invisible watermarking is to prevent unauthorized copying of digital media.
2Mosaic
The 2Mosaic tool is used for watermark breaking. It is an attack against a digital watermarking system. In this type of attack, an image is chopped into small pieces that are then placed back together. When this image is embedded into a web page, the web browser renders the small pieces as one image, which appears as a real image with no watermark in it. This attack is successful because it is not possible to read a watermark from very small pieces.
5.6 Understand covering tracks, tools used and erase evidences
Exam Focus: Understand covering tracks, tools used and erase evidences. Objective includes:
• Covering tracks
• Need of covering tracks
• Ways to clear online tracks
Covering tracks
Intruders try to cover the tracks to avoid their detection once they have gained administrator
access on a system. The intruder installs several backdoors to gain easy access in the future when
all the information of interest has been stripped off from the target.
Attackers cover tracks for the following reasons:
• To attack again
• To avoid detection
• To install backdoors to gain access in future
Attackers can use track-covering tools, such as Traceless, WinZapper, ZeroTracks, WinTools.net Ultimate, Evidence Eliminator, Armor Tools, Clear My History, and EvidenceEraser.
Process used by a hacker for covering tracks
Covering tracks is the last important step of remote hacking. It includes deleting all logs on the
remote system: on Linux or UNIX, the entries in the /var folder (where the logs are kept) are
deleted, and on Windows, all events and logs are deleted. Hackers take these steps to keep their
identities anonymous. The hacker generally removes logged security events or error messages in
order to avoid detection, either by clearing the event logs or by disabling auditing. Intruders
disable auditing first, as soon as they gain administrator access. Windows auditing records
certain events in a log file that is viewed through Windows Event Viewer; these events may
include logging into the system, an application, or an event log. An administrator is responsible
for choosing the level of logging implemented on a system, so hackers want to determine that
level in order to decide whether they have to clear events that indicate their presence on the
system.
Actions for covering tracks
Take the following actions for covering tracks:
- Remove web activity tracks, such as the MRU list, cookies, cache, temporary files, and
history.
- Disable auditing using a tool such as Auditpol.
- Tamper with log files, such as event log files and proxy log files, by log poisoning or log
flooding.
- Close all remote connections to the victim machine.
- Close any open port.
Ways to clear online tracks
The following are the ways used to clear online tracks:
- Remove the Most Recently Used (MRU) list.
- Delete cookies.
- Clear the cache.
- Turn off AutoComplete.
- Clear toolbar data from the browsers.
Execute applications
Take the following steps to execute applications:
1. Check if antivirus software is installed and up to date.
2. Check if firewall software and anti-keylogging software are installed.
3. Check if the hardware systems are secured in a locked environment.
4. Use keyloggers.
5. Use spyware.
6. Use tools for remote execution.
Auditpol
Auditpol is a tool included in the Windows NT Resource Kit that lets system administrators
enable or disable auditing from the Windows command line. It is also used to determine the level
of logging a system administrator has implemented. It is strictly a command-line tool, invoked by
typing auditpol, and has several switches for displaying, setting, clearing, backing up, and
restoring audit settings.
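The detection side of the steps just described (clearing the event logs, disabling auditing with Auditpol), as an added example that is not part of this study guide: a small Python scanner run over constructed Windows Security-log records that flags the log-cleared event, audit-policy changes, and process-creation records in which auditpol changes or clears audit settings. The record layout and all sample values are assumptions for the demo; the event IDs are real Windows Security-log IDs.

```python
import re

# Added example, not from the original page. Assumed record layout: each record
# is a dict with the fields a log collector would parse out of a Security-log
# event. Event IDs are real Windows Security-log IDs: 1102 = the audit log was
# cleared, 4719 = system audit policy was changed, 4688 = a new process created.

# auditpol switches that change or wipe audit settings (real switches of the tool).
AUDITPOL_TAMPER = re.compile(r"\bauditpol(\.exe)?\s+/(clear|set|remove|restore)\b",
                             re.IGNORECASE)

def classify(event: dict):
    """Return (severity, reason) when a record looks like track covering, else None."""
    eid = event.get("event_id")
    if eid == 1102:
        return ("high", f"Security log cleared by {event.get('user')}")
    if eid == 4719:
        return ("high", f"Audit policy changed: {event.get('subcategory')} "
                        f"({event.get('changes')})")
    if eid == 4688 and AUDITPOL_TAMPER.search(event.get("command_line", "")):
        return ("medium", f"auditpol altered audit settings: {event['command_line']}")
    return None

def scan(events: list) -> list:
    """Scan records in order and return the alerts raised, oldest first."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"time": ev["time"], "severity": hit[0], "reason": hit[1]})
    return alerts

# Constructed sample records (not real telemetry), in timestamp order.
SAMPLE_EVENTS = [
    {"event_id": 4624, "time": "2024-01-01T10:00:00", "user": "alice"},
    {"event_id": 4688, "time": "2024-01-01T10:05:12", "user": "alice",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"event_id": 4688, "time": "2024-01-01T10:07:40", "user": "alice",
     "command_line": "auditpol.exe /set /category:* /success:disable /failure:disable"},
    {"event_id": 4719, "time": "2024-01-01T10:07:41", "user": "alice",
     "subcategory": "Process Creation", "changes": "Success removed, Failure removed"},
    {"event_id": 1102, "time": "2024-01-01T10:09:03", "user": "alice"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["time"], alert["severity"].upper(), alert["reason"])
```

Event 1102 is written even when auditing has been disabled, and forwarding the Security log to a collector as it is written keeps this evidence available after the local log is cleared.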
Chapter Summary
In this chapter, we learned about the different types of passwords, password attacks, and password
cracking techniques. We discussed the Microsoft authentication mechanism, privilege escalation,
keyloggers, spyware, rootkits, and alternate data streams. The chapter also covered steganography
technologies and covering tracks.
Glossary
2Mosaic
2Mosaic is a steganographic tool used for watermark breaking.
Auditpol
Auditpol is a tool included in the Windows NT Resource Kit for system administrators to disable
or enable auditing from the Windows command line.
Authentication
Authentication is a process of verifying the identity of a person, network host, or system process.
Default password
A default password is a password provided by the manufacturer with new equipment that is
password protected.
Dskprobe
Steganography detection tool
LAN Manager hash
LAN Manager hash is the format used by Microsoft LAN Manager and Microsoft Windows to
store user passwords that are less than 15 characters long.
NTLM
NTLM is a protocol that authenticates users and computers based on an authentication challenge
and response.
P0F
Passive Fingerprinting tool
Passive sniffing
In passive sniffing, no packet is generated by the tool; it just sits there and captures all packets.
In passive sniffing, an intruder gets access to the network by compromising the physical security.
For example, an intruder walks into the building with his laptop and plugs in to access the
network so that he/she may capture data.
Password
A password is a combination of characters, integers, and special symbols that allows a user to
access a file or any program.
Password cracking
Password cracking is the process of recovering passwords from computer systems.
Privilege escalation
Privilege escalation is an attempt to gain a higher level of access than is permitted under an
attacker's account.
Rootkit
A rootkit is a set of tools that takes administrative control of a computer system without
authorization from the computer's owners and/or legitimate managers.
Salting
Salting adds random data to a password before it is hashed, which prevents deriving passwords
from the password file.
Spyware
Spyware is a program that takes partial control over a user's computer without the user's permission.
Steganography
Steganography is the art and science of hiding information by embedding harmful messages
within other, seemingly harmless messages.
Watermarking
Watermarking is the irreversible process of embedding information into digital media.