5.1 Understand the different types of passwords, password attacks, and password cracking techniques

Exam Focus: Understand the different types of passwords, password attacks, and password cracking techniques.

Objective includes:
- Understand the different types of passwords.
- Identify the different types of password attacks.
- Identify password cracking techniques.

Goals of system hacking

The following are the goals of system hacking:
- Gaining access: Collect enough information to gain a foothold on the system. Password eavesdropping (sniffing) and brute forcing are the usual techniques.
- Escalating privileges: Once user-level access is obtained, obtain a privileged account. Password cracking and known exploits are used to escalate privileges.
- Executing applications: Create and maintain backdoor access.
- Hiding files: Hide malicious files.
- Covering tracks: Hide the presence of the compromise.

Password

A password is a combination of letters, digits, and special symbols that allows a user to access a file or program and prevents an unauthorized user from doing so. The following are the different types of passwords:
- Power-on password: Protects the system from being powered on by an unauthorized person. When a power-on password is set, a prompt appears at start-up and the password must be entered before the operating system boots.
- Hard drive password: A user hard drive password is used by the user and a master hard drive password by the system administrator. If a user changes the hard drive password, the administrator can still use the master password to access the drive.
- Supervisor password (BIOS password): Protects the system configuration stored in the BIOS. The supervisor password must be entered to get into the BIOS setup and change the system configuration.
- User password: Required for most accounts.
After entering the user name, the user is prompted for a password. Two passwords must be entered if the account requires both a primary and a secondary password.
- System password: Controls access to particular terminals and is required at the discretion of the security administrator. System passwords are often used on terminals that might be targets for unauthorized use, such as dial-up and public terminal lines.

Default password

A default password is the password shipped by the manufacturer with new, password-protected equipment. Default credentials are publicly documented, so an unchanged default is equivalent to no password at all. The following online databases can be used to look up default passwords:
- http://www.phenoelit-us.org
- http://www.defaultpassword.com
- http://cirt.net
- http://default-password.info
- http://www.defaultpassword.us
- http://www.passwordsdatabase.com

Password complexity

A user can increase the complexity of a password by mixing character classes. Examples of each combination:
- Letters, special characters, and numbers: cd1@78
- Only numbers: 56568579
- Only special characters: @#$%#@#$
- Letters and numbers: hkjh2345
- Only letters: MARKPETE
- Letters and special characters: mar#kjm
- Special characters and numbers: 234@$90

Mixing classes only widens the character set. The examples above are six to eight characters long, and a brute force attack against a fast hash exhausts passwords that short in seconds to hours regardless of the classes used; length contributes far more to strength than class mixing.

Types of password attacks

The following are the types of password attacks:

Passive online attack

In a passive online attack, the attacker places a sniffer on the network to capture raw packets and then analyzes the captured packets to extract password information. The target sees no additional traffic. The following attacks are passive online attacks:
- Wire sniffing attack: To access and record raw network traffic, attackers run packet sniffer tools on the LAN. The captured data may contain passwords sent in clear text to remote systems during Telnet, FTP, and rlogin sessions and in e-mail sent and received.
- MITM attack: A man-in-the-middle attack occurs when an attacker succeeds in placing an intermediary host or program between two communicating hosts so that their traffic passes through the attacker, who can read or alter it.
- Replay attack: In a replay attack, the attacker captures packets passing between two hosts, including packets carrying passwords or digital signatures, and later resends them to the target system in an attempt to obtain an authenticated connection. The attacker does not learn the actual password; the captured packet is simply replayed.

Active online attack

In an active online attack, the attacker interacts directly with the victim or the authentication service, by submitting password guesses or by planting software on the victim's machine. It includes the following attacks:
- Password guessing: A password guessing attack takes place when an unauthorized user repeatedly tries usernames and passwords to log on to a computer or network. Many password guessing programs are available on the Internet. Considerations of the password guessing attack:
  - Time consuming
  - Needs a large amount of network bandwidth
  - Easily detected: every failed attempt can be logged, and account lockout policies stop it
  Types of password guessing attacks:
  - Brute force attack
  - Dictionary attack
- Trojan/spyware/keyloggers: Using a Trojan, an attacker gains access to the passwords stored on the victim's computer and can read personal documents, delete files, and display pictures. Spyware is software that collects information about a user without the user's knowledge; it commonly arrives bundled with software downloaded from the Internet. Spyware can search the contents of the hard disk, the e-mail address book, or any other information about the computer, and transmit it to advertisers or other interested parties. A keylogger is a software tool that records all or selected user activity on a computer. Once installed on a victim's computer, it records every keystroke to a predefined log file.
An attacker can configure the log file so that it is sent automatically to a predefined e-mail address. Some of the main features of a keylogger are:
  - It records all keystrokes.
  - It captures screenshots.
  - It records instant messenger conversations.
  - It can be installed remotely.
  - It can deliver its logs via FTP or e-mail.
- Hash injection: A hash injection (pass-the-hash) attack lets an attacker inject a compromised hash into a local logon session and authenticate to network resources with it. The clear-text password is never needed, because NTLM proves possession of the hash, not of the password. The attacker finds and extracts the hash of a logged-on domain admin account from the compromised machine, then logs on to the domain controller using the extracted hash.

Offline attack

Offline attacks run against password hashes the attacker has already obtained, on the attacker's own hardware. They generate no traffic toward the target, so they cannot be rate-limited, locked out, or detected there; they are bounded only by computing time, can be lengthy, and usually end in a brute force phase once the cheaper techniques are exhausted. Some important offline attacks are:
- Brute force attack: In Windows hacking, the brute force attack plays a vital role. The attacker uses software that tries a large number of character combinations until one hashes to the stored value. To resist such attacks, users should choose passwords that are long (a minimum of eight characters, and preferably far more) and mix upper-case and lower-case letters, digits, and symbols.
- Dictionary attack: A dictionary attack is a type of password guessing attack that finds a user's password by trying a dictionary of common words, optionally in upper or lower case. Many programs are available on the Internet to automate dictionary attacks.
- Hybrid attack: The attack is referred to as a hybrid attack when the attacker combines a dictionary attack with brute force, for example by appending brute-forced digits and symbols to each dictionary word.
- Rainbow attack: A rainbow table attack recovers clear-text passwords from hashes using precomputed tables. Rather than storing every hash for a character set, a rainbow table stores chains built from alternating hash and reduction functions, trading storage for a little computation at lookup time. The expensive hashing is done once, in advance, and the table can then be reused against any unsalted hash produced by the same algorithm, which is why the rainbow attack is considered the fastest way to crack such hashes.
At attack time the cracking tool takes the captured hash, applies the rainbow algorithm, and searches the table until the password is found. Rainbow tables are useless against salted hashes, because the salt changes every hash (see Salting below).
- Distributed Network Attack (DNA): A Distributed Network Attack recovers password-protected files by using the unused processing power of machines across the network. A DNA manager is installed in a central location, and machines running the DNA client reach the manager over the network. The manager coordinates the attack and hands out small portions of the key search to the distributed machines. The client runs in the background and consumes only idle processor time. The program combines the processing capability of every connected client and uses it to carry out the key search.

Non-electronic attack

A non-electronic attack does not require any technical knowledge. It includes the following attacks:
- Social engineering: Social engineering is the art of convincing people to disclose useful information, such as account names and passwords, which the attacker then uses to gain access to the user's computer or network. It relies on manipulating people rather than on technical skill. Users should always distrust anyone who asks for their account name, password, computer name, IP address, employee ID, or other information that can be misused. Proper user training is an effective way of mitigating social engineering attacks. The following are different types of social engineering attacks.
- Shoulder surfing: Shoulder surfing is an in-person attack in which the attacker gathers information by direct observation inside an organization's premises.
The attack is often performed by surreptitiously watching an employee's keyboard while the password is typed at a terminal or into a web site. An attacker can also gather information from open documents on the employee's desk, notices on notice boards, and so on.
- Dumpster diving: Dumpster diving refers to going through someone's trash to find useful or confidential information. Dumpster divers sort through commercial or residential trash for the information they want, which may then be used for identity theft or to defeat physical and information security.

Password cracking

Password cracking techniques recover passwords from data stored in or transmitted by computer systems. Attackers use them to gain unauthorized access to vulnerable systems. Many password cracking attempts succeed because many people use weak or easily guessable passwords.

Password cracking techniques

The following are password cracking techniques:
- Dictionary attack: A dictionary file (a word list) is loaded into the cracking application and each entry is tried against the user accounts.
- Brute force attack: The program tries every combination of characters from a chosen set, up to a chosen length, until it finds the password.
- Hybrid attack: Like a dictionary attack, but the attacker appends or prepends numbers and symbols to the dictionary words before trying them.
- Syllable attack: A combination of the brute force and dictionary attacks, used when the password is not an existing word: syllables taken from dictionary words are combined to form candidates.
- Rule-based attack: Used when the attacker has some information about the password, for example the policy it must satisfy or known fragments of it; rules derived from that information narrow the candidate set.

Manual password cracking (guessing)

The following steps are taken for manual password cracking (guessing):
1. Find a valid user.
2. Create a list of possible passwords.
3. Rank the passwords from high probability to low.
4. Key in each password until the correct one is discovered.
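The cracking techniques listed above, run in the order a cracker would use them (cheapest first, brute force last), as an added worked example in Python; this is not code from the original text or from any of the tools it names. It assumes the dumped hashes are unsalted MD5, and the five-word dictionary and the five accounts with their plaintexts are constructed for the example; a real run would load a large wordlist and use the target's actual hash algorithm.

```python
import hashlib
import itertools
import string

# Constructed wordlist for the example; a real attack loads a file of millions of entries.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "football"]


def md5_hex(candidate: str) -> str:
    """Hash a candidate with the same algorithm the target used (assumed: unsalted MD5)."""
    return hashlib.md5(candidate.encode()).hexdigest()


def dictionary_candidates(words):
    """Dictionary attack: try each word exactly as listed."""
    yield from words


def rule_candidates(words):
    """Rule-based attack: mangle each word the way a policy pushes users to
    (capital first letter, all caps, leet substitutions, trailing '!')."""
    leet = str.maketrans("aeios", "43105")
    for w in words:
        yield w.capitalize()
        yield w.upper()
        yield w.translate(leet)
        yield w.capitalize() + "!"


def hybrid_candidates(words):
    """Hybrid attack: dictionary words with numbers appended (ants01, ants02, ...)."""
    for w in words:
        for n in range(100):
            yield f"{w}{n}"
            if n < 10:
                yield f"{w}{n:02d}"


def brute_force_candidates(charset, max_len):
    """Brute force: every string over the charset up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            yield "".join(chars)


def crack(target_hash, words=WORDLIST,
          charset=string.ascii_lowercase + string.digits, max_len=3):
    """Try the cheap techniques first and fall back to brute force.
    Returns (password, technique, attempts), or (None, 'not found', attempts)."""
    techniques = [
        ("dictionary", dictionary_candidates(words)),
        ("rule-based", rule_candidates(words)),
        ("hybrid", hybrid_candidates(words)),
        ("brute-force", brute_force_candidates(charset, max_len)),
    ]
    attempts = 0
    for name, candidates in techniques:
        for candidate in candidates:
            attempts += 1
            if md5_hex(candidate) == target_hash:   # compare against the stored hash
                return candidate, name, attempts
    return None, "not found", attempts


def crack_accounts(accounts):
    """accounts is a {user: hash} mapping, as obtained from a dumped password file."""
    return {user: crack(h) for user, h in accounts.items()}


if __name__ == "__main__":
    # Constructed "dump": each plaintext is chosen to fall to exactly one technique.
    dumped = {
        "alice": md5_hex("sunshine"),     # plain dictionary word
        "bob":   md5_hex("Dragon!"),      # dictionary word mangled by a rule
        "carol": md5_hex("football42"),   # word plus appended number
        "dave":  md5_hex("k9z"),          # short random string: only brute force finds it
        "erin":  md5_hex("Tr0ub4dor&3"),  # long and unrelated to the wordlist: survives this run
    }
    for user, (pw, how, n) in crack_accounts(dumped).items():
        print(f"{user:6} {how:12} after {n:6d} candidates -> {pw}")
```

The brute force stage is capped at three characters here so the example runs in well under a second; raising max_len by one multiplies the work by the charset size (36 here), which is the whole argument for long passwords.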
Automatic password cracking

The following steps are taken for automatic password cracking:
1. Find a valid user.
2. Find the algorithm used to hash (or encrypt) the passwords.
3. Obtain the hashed passwords.
4. Create a list of possible passwords.
5. Hash each candidate with the same algorithm.
6. Check whether any result matches the stored hash for each user ID.

Using a USB drive for stealing passwords

Take the following steps to steal passwords using a USB drive:
1. Select a password recovery tool that dumps the credentials stored on a machine.
2. Copy the downloaded files to the USB drive.
3. Create autorun.inf on the USB drive:
[autorun]
open=launch.bat
4. Insert the USB drive. The AutoRun window pops up (if AutoRun is enabled), launch.bat runs the tool in the background, and the recovered passwords are written to .TXT files on the USB drive.

This only works where AutoRun is honoured for removable media. Windows 7 and later (and Windows XP/Vista with the AutoRun update applied) ignore autorun.inf on USB drives, so on those systems the batch file has to be started some other way.

5.2 Authentication mechanism, password sniffing, various password cracking tools, and countermeasures

Exam Focus: Authentication mechanism, password sniffing, various password cracking tools, and countermeasures.

Objective includes:
- Understand the Microsoft authentication mechanism.
- Describe password sniffing.
- Identify various password cracking tools.
- Identify various password cracking countermeasures.

Authentication

Authentication is the process of verifying the identity of a person, network host, or system process. In the authentication process, the credentials presented are compared with the credentials stored in the database of an authentication server.

Basic authentication

Basic authentication is the simplest method of authentication. It is based on the premise that the client must authenticate itself with a user ID and a password for each realm. The realm value (which is case-sensitive) is a string that may have additional semantics specific to the authentication scheme; it should be treated as an opaque string that can only be compared for equality with other realms on that server. The server services the request if, and only if, it can validate the user ID and password for the protection space of the Request-URI.
There are no optional authentication parameters. To receive authorization, the client sends the user ID and password, separated by a single colon (":"), as a base64-encoded string in the credentials (Authorization: Basic <base64>).

Security holes in the basic authentication scheme

Basic authentication sends the username and password base64-encoded. Base64 is an encoding, not encryption: anyone can reverse it without a key. Whatever format the server uses to store the password, the credentials cross the network effectively in clear text unless the connection itself is protected by TLS, so any attacker listening with a packet sniffer can read them. The username and password are passed not just when the user first types them but with every request, so the sniffer does not need to listen at any particular time, just long enough to observe any single request.

Digest authentication scheme

The digest authentication scheme replaces basic authentication and is based on a challenge/response model. The client never sends the password itself; it sends an MD5 digest computed over the username, realm, password, the server's challenge (nonce), the HTTP method, and the requested URI. The clear-text password therefore cannot be read off the wire with a sniffer.

Function of digest authentication scheme

An optional header lets the server specify the algorithm used to create the checksum or digest (MD5 by default). The server issues the challenge as a randomly chosen, server-specified data string (the nonce), which may be uniquely generated each time a 401 response is made.
A valid response is a checksum (MD5 by default) over:
- the username
- the password
- the given random value (nonce)
- the HTTP method
- the requested URL
In this way, the password is never sent in clear text.

Drawback: The password is not sent in clear text, but the digested form of the password (HA1, the hash of username, realm, and password) is all the server stores and all that is needed to produce valid responses, so an attacker who obtains it from the server can authenticate without ever knowing the password. A captured challenge/response pair can also be attacked offline by hashing dictionary candidates until one reproduces the response, and because MD5 is fast such attacks are cheap.

SAM database

Windows stores user passwords in the Security Accounts Manager (SAM) database, or in the Active Directory database for domain accounts. Passwords are never stored in clear text: they are hashed, and the hashes are stored in the SAM.

NTLM authentication scheme

NTLM is a challenge/response protocol that authenticates users and computers. It is used by all members of the Windows NT family. NTLM does not send the user's password, or the hash of the password, across the network; the challenge/response exchange ensures that neither traverses the wire.

How does it work?
- The client sends a logon request to the server.
- The server replies with a randomly generated token (the challenge).
- The client computes a response by keying a hash function with the stored hash of the logged-on user's password and applying it to the challenge, and sends the response to the server.
- The server takes its own copy of the token, computes the same function with the user's password hash from its account database, and compares the result with the received response. If they match, the user is authenticated to the host.

Drawbacks: NTLM is not entirely safe because NTLM hashes, or captured challenge/response pairs, can be cracked by brute force password guessing.
The cracking program iteratively tries candidate passwords, hashing each one and comparing the result with the hash (or the challenge/response) the attacker obtained. When it finds a match, the attacker knows the password. As an HTTP authentication scheme, NTLM is Microsoft-specific and was originally supported only by Internet Explorer.

NTLM authentication process

The steps of the NTLM authentication process are:
1. A user types a password into the logon window.
2. The Windows OS runs the password through a hash algorithm.
3. The computer sends a logon request to the Domain Controller (DC).
4. The DC sends a logon challenge.
5. The computer sends its response to the challenge.
6. The DC compares the computer's response with the response it computed from its own stored copy of the user's password hash. If they are the same, the logon is successful.

Differences between the various NTLM authentication schemes

There are three NTLM authentication schemes: LM, NTLMv1, and NTLMv2. The following table shows the differences between them:

Attribute                 LM                        NTLMv1                    NTLMv2
Password case sensitive   No                        Yes                       Yes
Hash key length           56 bit + 56 bit           -                         -
Password hash algorithm   DES (ECB mode)            MD4                       MD4
C/R key algorithm         DES (ECB mode)            DES (ECB mode)            HMAC-MD5
C/R value length          64 bit + 64 bit + 64 bit  64 bit + 64 bit + 64 bit  128 bit

Kerberos

Kerberos provides single sign-on for users and protects logon credentials. Kerberos 5 is the current version. It relies on symmetric-key cryptography; modern implementations use the Advanced Encryption Standard (AES). Kerberos provides confidentiality and integrity for the authentication exchange and is designed to resist eavesdropping and replay attacks. It makes use of several elements:
- Key distribution center (KDC): A central server holding a database of all users, hosts, and network services known to Kerberos.
Each entry in the KDC database is known as a principal. The KDC contains two services:
  1. Authentication Server (AS): Verifies the user's credentials and issues the ticket-granting ticket (TGT).
  2. Ticket Granting Server (TGS): Accepts a TGT and issues service and host tickets for network services.
- Kerberos authentication server: Hosts the functions of the KDC. It validates or rejects tickets based on their authenticity and timeliness.
- Ticket-granting ticket (TGT): A small, encrypted identification file with a limited validity period. After authentication, the KDC's authentication service grants the TGT to the user, who presents it to the TGS to obtain tickets for individual services. The TGT contains the session key, its expiration time, and the user's IP address; binding the ticket to the address is meant to stop a captured ticket from being replayed from another host.
- Ticket: An encrypted message that proves a user is authorized to access an object. Users request tickets for the objects they need and receive one if they are authenticated and authorized (which requires holding a valid TGT). Kerberos tickets have specific lifetimes and usage parameters. Once a ticket expires, the client must request a renewal or a new ticket to continue communicating with the server.

Certificate-based authentication scheme

A certificate-based authentication scheme authenticates a user with public key cryptography. A digital certificate is an electronic document containing identification information, a public key, and the digital signature of a certification authority, made with that authority's private key. When the user connects to the server, the user presents the digital certificate containing the public key and the certification authority's signature. The server verifies that the signature is valid and that the certificate was issued by a trusted certification authority.
The server then uses public key cryptography to authenticate the user, proving that the user really holds the private key associated with the certificate (for example by having the client sign a server-chosen challenge).

Microsoft Passport authentication

Microsoft Passport authentication is a single sign-on scheme: a user remembers only one username and password and is authenticated to multiple services. Passport is a suite of services used to authenticate users across a number of applications. The Passport single sign-on service lets users create a single set of credentials that signs them in to any participating site that supports Passport, such as MSN, Hotmail, and MSN Messenger.

Form-based authentication scheme

Form-based authentication uses an HTML form, built with the <FORM> and <INPUT> tags, with fields for the user's username and password. Once the user submits the form over HTTP or HTTPS, server-side logic evaluates the credentials; if they are valid, the user receives a cookie that is reused on subsequent visits, so from then on the cookie is the credential worth stealing. The scheme works as follows:
- The client requests a protected resource (e.g. a transaction details page).
- The web server (for example Internet Information Server, IIS) receives the request. If IIS authenticates the client, the request is passed on to the web application.
- If the client does not present a valid authentication ticket/cookie, the web application redirects the user to a URL where the client is prompted to enter credentials for the secure resource.
- On providing the required credentials, the client is authenticated by the web application.
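The Basic and Digest exchanges described above, including the Digest drawback (the server's stored HA1 is enough to answer a challenge, and a sniffed exchange can be attacked offline), as an added worked example in Python; this is not code from the original text. The Basic credential and the short dictionary are constructed; the Digest values are the worked example from RFC 2617 section 3.5, which lets the computation be checked against a known-good response.

```python
import base64
import hashlib
import hmac


# --- Basic authentication ----------------------------------------------------
def basic_header(user: str, password: str) -> str:
    """Build the Authorization header the client sends with every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic(header: str):
    """What a sniffer does with a captured Basic header: base64 is encoding,
    not encryption, so the credentials come straight back out."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- Digest authentication (RFC 2617, algorithm MD5, qop=auth) ----------------
def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The server stores this, not the password."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
    Note the input is HA1: anyone holding the server's stored HA1 can answer."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and the values the client echoes."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def crack_sniffed_digest(user, realm, method, uri, nonce, nc, cnonce, response, wordlist):
    """Offline dictionary attack on one captured 401/Authorization exchange: every
    input except the password is visible on the wire, so each guess costs three MD5s."""
    for candidate in wordlist:
        ha1 = digest_ha1(user, realm, candidate)
        if digest_response(ha1, method, uri, nonce, nc, cnonce) == response:
            return candidate
    return None


# RFC 2617 section 3.5 example values (the RFC's own, not captured traffic).
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_CNONCE, RFC_NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
RFC_METHOD, RFC_URI = "GET", "/dir/index.html"

if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret!")          # constructed credential
    print(hdr, "->", decode_basic(hdr))
    ha1 = digest_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    resp = digest_response(ha1, RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE)
    print("digest response:", resp)
    print("server accepts (from HA1 only):",
          server_verify(ha1, RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE, resp))
    print("recovered offline:",
          crack_sniffed_digest(RFC_USER, RFC_REALM, RFC_METHOD, RFC_URI, RFC_NONCE,
                               RFC_NC, RFC_CNONCE, resp, ["password", "Simba", "Circle Of Life"]))
```

Two things to take from the run: digest_response never sees the password, only HA1, which is why a leaked server credential store is as bad as a leaked password file; and crack_sniffed_digest needs nothing the sniffer did not see, which is why Digest over plain HTTP still needs TLS against a patient attacker.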
Password sniffing

Password sniffing is a technique for harvesting passwords by monitoring traffic on a network and pulling credentials out of it. Various commercial and free tools exist; attackers can also use them manually or write their own code for a specific purpose. The sniffing program or device watches the traffic moving around the network and examines individual packets for data that contains passwords. Protocols such as Telnet, FTP, POP3, and HTTP basic authentication carry the password in clear text, which makes it easy for the sniffer to identify it and pair it with the username. If the credentials are hashed or otherwise protected on the wire, the captured exchange must instead be cracked offline.

Active sniffing

Active sniffing is performed on a switched network: packets are injected into the network to redirect traffic toward the sniffer. It is needed to bypass the segmentation provided by switches, which maintain a Content Addressable Memory (CAM) table recording which MAC address is connected to which port and forward frames only to that port.

Difference between active sniffing and passive sniffing

In passive sniffing, the tool generates no packets; it just sits there and captures whatever reaches its interface, which on a hub or a mirrored port is all traffic. The intruder typically gets this vantage point by compromising physical security, for example by walking into the building with a laptop and plugging in to capture data. In active sniffing, the intruder generates spoofed packets in order to capture authentic ones. For example, malicious Ethernet frames generated using libnet can make the switch learn that the MAC address X (the address used by the active sniffer) is located on the sniffer's port, so traffic for that address is forwarded there.

LAN Manager hash

The LAN Manager (LM) hash is the format used by Microsoft LAN Manager and older versions of Microsoft Windows to store user passwords of 14 characters or fewer. Take the password 123456qwerty as an example.
When this password is hashed with the LM algorithm, all letters are first converted to uppercase: 123456QWERTY. The password is then padded with null characters to 14 characters: 123456QWERTY followed by two nulls. The 14-character string is split in half: 123456Q and WERTY plus the two nulls. Each half is used as a DES key to encrypt a fixed constant, and the two results are concatenated:
123456Q = 6BF11E04AFAB197F
WERTY__ = F1E9FFDCC75575B15
The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15
The first 7 characters of the password derive the first 8 bytes and characters 8 through 14 derive the second 8 bytes. If the password is 7 characters or shorter, the second half is the constant AAD3B435B51404EE, which immediately reveals that the password is short. Because the two halves are computed independently, each 7-character half can be cracked on its own, which is why LM hashes fall so quickly.

Salting

Salting prevents deriving passwords from a stolen password file with precomputed tables. A random salt is stored with each account and mixed into the password before hashing, so the stored representation differs from user to user even when two users choose the same password. This defeats precomputed hash (rainbow table) attacks, because a table would have to be built for every salt value. Example (user, group, salt, hash):
Mark:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
John:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Sally:root:209be1:a483b303c23af34761de02be038fde08

LM hash backward compatibility

Windows 2000-based and Windows Server 2003-based servers can authenticate users who connect from computers running earlier versions of Windows. Older Windows clients do not use Kerberos for authentication, so Windows 2000 and Windows Server 2003 support LAN Manager (LM), Windows NT (NTLM), and NTLM version 2 (NTLMv2) authentication for backward compatibility.

Disable LM hash

The following methods disable LM hash storage:
- Use a password of 15 or more characters. Windows cannot produce an LM hash for a password longer than 14 characters and stores a dummy value instead.
- Edit the registry to implement the NoLMHash policy. Locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and add NoLMHash (a subkey on Windows 2000; a DWORD value set to 1 on Windows XP and Windows Server 2003). The change takes effect for each account at its next password change; hashes already stored remain until then.
- Use group policy to implement the NoLMHash policy:
  - Enable "Network security: Do not store LAN Manager hash value on next password change" under Local Security Policy -> Security Options.

Password crackers

A password cracker is an application used to recover an unknown or forgotten password for a computer or network resource; an attacker can use the same program to obtain unauthorized access. A password cracker works on hashed passwords. It cannot reverse the hash, but it can generate candidate passwords, hash each one with the same algorithm the system uses, and compare the results with the stored hash until one matches. Some crackers look for hybrids of dictionary entries and numbers, for example ants01, ants02, ants03, and so on, which is useful where users include a number in their password. The following are various password crackers:
- Cain & Abel: Cain & Abel is a multipurpose tool that can perform many tasks, such as Windows password cracking, Windows enumeration, and VoIP session sniffing. It can perform dictionary attacks, brute force attacks, and cryptanalysis attacks, record VoIP sessions, decode scrambled passwords, and uncover cached passwords.
- John the Ripper: John the Ripper is a fast password cracker available for many environments. Its primary purpose is to detect weak Unix/Linux passwords. Initially developed for Unix, it now runs on fifteen different platforms, including most versions of UNIX, Windows, DOS, BeOS, and OpenVMS. John the Ripper requires the user to have a copy of the password file.
- THC Hydra: THC Hydra is a fast network authentication cracker that supports many different services.
Hydra was developed by a German group called "The Hacker's Choice" (THC). It uses dictionary attacks to test for weak or simple passwords on one or many remote hosts running a variety of services, and was designed as a proof-of-concept to demonstrate how easily poorly chosen passwords fall. Hydra is an online tool: it logs on to the target service for every guess, so compared with offline crackers it is slow, bandwidth-hungry, and easily detected. The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.
- Aircrack: Aircrack is a fast 802.11a/b/g WEP and WPA cracking tool. It recovers WEP keys using statistical (cryptanalytic) methods on captured traffic, and attacks WPA and WPA2 pre-shared keys by dictionary or brute force against a captured handshake.
- L0phtCrack: L0phtCrack is a password auditing and recovery application used to test password strength and sometimes to recover lost Microsoft Windows passwords, using dictionary, brute force, and hybrid attacks and rainbow tables. It was long a cracker's tool of choice; older versions remain in wide use because they were cheap and readily available.
- AirSnort: AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. It operates by passively monitoring transmissions, uses a ciphertext-only attack, and needs approximately 5 to 10 million captured packets to recover the WEP key.
- SolarWinds: SolarWinds provides a large suite of network discovery, monitoring, and attack tools, including dozens of special-purpose utilities such as a router password decryptor, an SNMP brute force cracker, and a TCP connection reset program.
- Pwdump: Pwdump is a Windows password dumping tool. It extracts NTLM and LanMan hashes from a Windows system and can also display password histories. The output is in L0phtCrack-compatible form and can be written to a file.
- RainbowCrack: RainbowCrack generates rainbow tables and uses them for password cracking. It differs from "conventional" brute force crackers in that its large precomputed tables drastically reduce the time needed to crack a password.
- Brutus: Brutus is a password cracking tool that performs both dictionary attacks and brute force attacks in which candidate passwords are generated from a given character set. Brute forcing can be performed against HTTP (Basic authentication), HTTP (HTML form/CGI), POP3 (Post Office Protocol v3), FTP (File Transfer Protocol), SMB (Server Message Block), and Telnet.
- NWPCrack: NWPCrack cracks a single account on a NetWare server using a dictionary attack. It tries to log on to the network using a dictionary file of candidate passwords: every word in English, many words in other languages, celebrity names, slang, titles of books, movies, and TV shows, and so on. NWPCrack attempts to log in as SUPERVISOR or any other user ID and tries each entry of the dictionary file.
- P0f: P0f is a passive OS fingerprinting tool that identifies the operating system of a target host simply by examining captured packets, even when the device is behind a packet-filtering firewall. It generates no additional direct or indirect network traffic. P0f can also be used to gather information such as firewall presence, NAT use (for policy enforcement), the existence of a load balancer setup, and the distance to the remote system and its uptime.
- Dsniff: Dsniff is a set of tools for sniffing passwords, e-mail, and HTTP traffic.
- Legion: Legion is a password cracking tool that automates password guessing over NetBIOS sessions. It scans multiple IP address ranges for Windows shares and also offers a manual dictionary attack tool.
Fgdump: Fgdump works like Pwdump; however, it also extracts cached credentials and permits remote network execution.

Cracking Windows NT Passwords

An attacker can easily crack the Windows NT operating system. As you know, the Windows NT operating system stores the usernames and hashed passwords in the SAM file, which is located in the Windows\system32\config directory. However, while the Windows NT operating system is running, the SAM file cannot be accessed. So the attacker can copy the SAM file either by booting the target system with an alternate operating system, such as DOS or Linux from a boot CD, or by copying it from the repair directory. When a network administrator uses the RDISK feature of Windows NT to back up the operating system, a compressed copy of the SAM file, "SAM._", is created in the C:\windows\repair directory. This file can be expanded by using the following command:

C:\>expand sam._ sam

Once the SAM._ file is uncompressed, it can be cracked by using either a dictionary, hybrid, or brute-force attack with a tool like L0phtCrack.

Defend against password cracking

The following actions should be taken to defend against password cracking:
o Passwords should be 8-12 alphanumeric characters long and combine uppercase and lowercase letters, numbers, and symbols, so that they are difficult to guess.
o The same password should not be reused when a password is changed.
o The password change policy should be set to 30 days.
o The server's logs should be monitored for brute-force attacks on user accounts.
o Passwords should not be stored in an unsecured location.
o Passwords that can be found in a dictionary should not be used.
o Passwords such as a date of birth or a spouse's, child's, or pet's name should never be used.
o SYSKEY should be enabled with a strong password to encrypt and protect the SAM database.
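The defence list above says server logs should be monitored for brute-force attacks, but not how. The following is an added example, not code from the study guide: it scans constructed authentication log lines in a generic format (timestamp, OK/FAIL, user=, src=) and flags user/source pairs whose failures arrive in the kind of burst a dictionary tool such as Hydra produces. The log format, field names and sample data are assumptions for the example; a real deployment would replace parse_log() with a parser for its own service's logs.

```python
"""Spot password-guessing activity in authentication logs.

Added example, not code from the study guide. The log format below
(timestamp, OK/FAIL, user=, src=) is a constructed generic format; replace
parse_log() with a parser for the real service's log lines (sshd, IIS, a
VPN gateway, ...) before using it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, result, user, src); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, src): {"failures": n, "success_after": bool}} for every
    user/source pair with at least `threshold` failures inside `window`.

    A dictionary run shows up as many failures in a short burst; a success
    right after the burst means a guess may have worked and the account
    needs to be checked, not just the source blocked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in parse_log(text):
        (failures if result == "FAIL" else successes)[(user, src)].append(ts)

    alerts = {}
    for key, stamps in failures.items():
        stamps.sort()
        best = start = 0
        # Sliding window: advance the right edge, drop old failures on the left.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_failure = stamps[-1]
            alerts[key] = {
                "failures": best,
                "success_after": any(s >= last_failure for s in successes[key]),
            }
    return alerts

# Constructed sample: one guessing run against "alice" from a single source
# that ends in a successful logon, plus two users who each mistype once.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.9
2024-03-01T09:00:02Z FAIL user=alice src=203.0.113.9
2024-03-01T09:00:02Z FAIL user=alice src=203.0.113.9
2024-03-01T09:00:03Z FAIL user=alice src=203.0.113.9
2024-03-01T09:00:04Z FAIL user=alice src=203.0.113.9
2024-03-01T09:00:05Z FAIL user=alice src=203.0.113.9
2024-03-01T09:00:06Z OK   user=alice src=203.0.113.9
2024-03-01T09:01:10Z FAIL user=bob   src=192.0.2.44
2024-03-01T09:01:15Z OK   user=bob   src=192.0.2.44
2024-03-01T09:30:00Z FAIL user=carol src=192.0.2.45
2024-03-01T09:35:00Z OK   user=carol src=192.0.2.45
"""

if __name__ == "__main__":
    for (user, src), info in find_bruteforce(SAMPLE_LOG).items():
        flag = "SUCCESS AFTER BURST" if info["success_after"] else "failures only"
        print(f"{user} from {src}: {info['failures']} failures ({flag})")
```

The check is keyed on (user, source); a run that tries one password against many accounts from one source would need the same window logic keyed on the source alone.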
5.3 Understand privilege escalation, key loggers, and other spyware technologies

Exam Focus: Understand privilege escalation, key loggers, and other spyware technologies.

Objective includes:
o Understand privilege escalation.
o Gain insights on key loggers and other spyware technologies.
o Learn how to defend against spyware.

Privilege escalation

Privilege escalation is an attempt to gain a higher level of access than is permitted under an attacker's account. An attacker can use a non-admin user account to gain access to the network, and the next step will be to gain administrative privileges. Take the following steps for privilege escalation:
1. Log in with enumerated usernames and cracked passwords.
2. If interactive logon privileges are restricted, infect the target with a keylogger to collect domain passwords; otherwise take the following steps:
   1. Replace sethc.exe with cmd.exe.
   2. Create a hidden admin account.
   3. Run services as unprivileged accounts.
   4. Infect the target with a keylogger in order to collect domain passwords.

StickyKeys

StickyKeys is an accessibility feature to aid users who have physical disabilities. The StickyKeys dialog shows up when the Shift key is pressed 5 times at the logon screen. The program that launches StickyKeys is located at c:\windows\system32\sethc.exe. Users will get a command prompt with administrator privileges if cmd.exe is used in place of sethc.exe, which is responsible for the StickyKeys dialog, and the Shift key is then pressed 5 times at the logon screen to call sethc.exe.

Create a hidden admin account

Take the following steps to create a hidden admin account:
1. Launch a command prompt, type "NET USER Juggyboy PASSWORD" (where "PASSWORD" can be any password you like), and press Enter.
2. Open the registry editor and navigate to the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList].
3. Create a new DWORD value, name it "JuggyBoy", and close the registry editor.
Juggyboy will be a hidden user with administrative privileges.

Gain domain privileges

Take the following steps to gain domain privileges:
1. An attacker infects a victim's local PC with a software keylogger.
2. The victim logs on to the domain server with his credentials.
3. The keylogger sends the login credentials to the hacker.
4. The attacker gains access to the domain server.

Defend against privilege escalation

The following actions should be taken to defend against privilege escalation:
o Sensitive data should be protected using encryption.
o Interactive logon privileges should be restricted.
o Users and applications should run with the least privilege.
o Multi-factor authentication and authorization should be implemented.
o Services should be run as unprivileged accounts.
o Systems should be regularly patched.

Alchemy Remote Executor

Alchemy Remote Executor is a system management tool that allows network administrators to execute programs on remote network computers without leaving their workplace. From the hacker's point of view, it can be useful for installing keyloggers, spyware, Trojans, and Windows rootkits. One necessary condition for using Alchemy Remote Executor is that the user/attacker must have the administrative passwords of the remote computers on which the malware is to be installed.

Keystroke loggers

Keystroke loggers are programs or hardware devices. They record each keystroke as the user types on a keyboard, and either log the keystrokes to a file or transmit them to a remote location. Keyloggers are placed between the keyboard hardware and the operating system.
The following are the types of keystroke loggers:

The following are various keyloggers:
o Advanced Keylogger
o Spytech SpyAgent
o Perfect Keylogger
o Powered Keylogger
o KeyGhost
o iMonitorPC Business Plus
o KeyProwler Pro
o XPCSpy Pro
o KeyProwler
o PC Activity Monitor Standard
o PC Activity Monitor Lite
o Handy Keylogger
o Stealth Keylogger
o Keylogger Spy Monitor
o All In One Keylogger
o REFOG Personal Monitor
o WinSession Logger
o Actual Keylogger
o Spy Lantern Keylogger Pro
o Spytector
o PC Spy Keylogger
o Golden Eye
o Emsa FlexInfo Pro
o Revealer Keylogger
o Quick Keylogger
o Spy Keylogger
o Actual Spy
o IKS Software Keylogger
o Ghost Keylogger

Acoustic/CAM keylogger

An acoustic keylogger uses acoustic cryptanalysis to monitor the sound created by someone typing on a computer. Each character on the keyboard makes a subtly different acoustic signature when struck. The keystroke signature that relates to each keyboard character can be identified through statistical methods, such as frequency analysis. The following are used in this analysis to map sounds to letters:
o Repetition frequency of similar acoustic keystroke signatures
o Timings between different keyboard strokes and other context information, such as the probable language in which the user is writing

A fairly long recording (1000 or more keystrokes) is needed to collect a big enough sample.

CAM keylogger

External keyloggers

The following are external keyloggers:
o PS/2 keylogger
o USB keylogger
o Wi-Fi keylogger
o Bluetooth keylogger

Defend against keyloggers

The following actions should be taken to defend against keyloggers:
o Antivirus software should be installed and its signatures should be kept up to date.
o A host-based IDS that can monitor the system should be installed, and the installation of keyloggers should be disabled.
o Good professional firewall software and anti-keylogging software should be installed.
o Hardware systems should be kept secure in a locked environment, and keyboard cables should be frequently checked for attached connectors.
o New passwords should be selected for different online accounts and changed frequently.
o Software that can frequently scan for and monitor changes or modifications should be used on the system or network.
o A pop-up blocker should be used, and opening junk e-mails should be avoided.
o Files should be scanned before installing them on the computer, and keystroke loggers should be checked for by using the registry editor or Process Explorer.

Anti-keylogger

An anti-keylogger detects or disables software keyloggers. Some anti-keyloggers match signatures of keylogger code against a signature database. Other anti-keyloggers protect keyboard drivers and the kernel from being manipulated by keyloggers. It becomes difficult for malicious spyware and Trojan programs to capture keystrokes when a virtual keyboard or touch screen is used.

Spyware

Spyware is a program that partially controls a user's computer without the user's permission. Various types of personal information, such as Internet surfing habits and the Web sites the user has visited, can be collected using spyware programs. Spyware programs can also interfere with the control of a user's computer, for example by installing additional software, redirecting Web browser activities, accessing Web sites blindly, etc. The following can lead to spyware propagation:
o Drive-by download
o Piggybacked software installation
o Browser add-ons
o Cookies
o Web browser vulnerability exploits
o Masquerading as anti-spyware

Types of spyware

The following are the types of spyware:

Telephone and cellphone spyware: It monitors and records phone calls and text messages. It tracks employee cell phone usage. Attackers install spyware on the devices that they want to track. The spyware secretly sends data to attackers via SMS or e-mail.
The following are telephone and cellphone spywares:
o Telephone Spy
o MobiStealth Cell Phone Spy
o VRS Recording System
o SPYPhone Gold
o SPYPhone Tap
o Phone Spy
o FlexiSPY
o Modem Spy

GPS spyware: It is a device or software application that makes use of the Global Positioning System to find the location of a vehicle, person, or other asset to which it is attached or on which it is installed. The following are GPS spywares:
o EasyGPS
o ALL-in-ONE Spy
o FlexiSPY PRO
o Trackstick
o Mobile Spy
o MobiStealth Pro
o World-Tracker
o SPYPhone

Audio spyware: It can be used for the following purposes:
o Monitors and records a variety of sounds on the computer.
o Records and spies on voice chat messages of different instant messengers.
o Hides and monitors conference recordings, phone calls, and radio broadcasts.

USB spyware: It copies files from USB devices to the hard disk in hidden mode without any request. It may also capture, display, record, and analyze data transferred between any USB device connected to a PC and applications. The following are USB spywares:
o USB Spy
o USB Hacksaw
o USBDeview
o USB Data Protection Tool
o USB Grabber
o USB Monitor
o USB Data Theft Protection Tool

Screen capturing spyware: It captures screenshots of local or remote PCs at a predefined interval of time. It permits real-time monitoring of the screens of all user activities on the network. Screen capturing spywares may also capture the following activities in real time:
o Keystrokes
o Mouse activity
o Visited website URLs
o Printer activity

Screen capturing spyware generally saves screenshots to a local disk or forwards them to an attacker through FTP or e-mail. The following are screen capturing spywares:
o Hidden Recorder
o IcyScreen
o Hidden Camera
o SoftActivity TS Monitor
o Desktop Spy
o PC Tattletale
o Quick Screen Note
o Computer Screen Spy Monitor

Desktop spyware: It provides information about what network users did on their desktops, and when and how they did it.
It has the following features:
o It performs live recording of remote desktops.
o It records and monitors Internet activities.
o It records software usage and timings.
o It records an activity log and stores it at one centralized location.
o It logs the user's keystrokes.

The following are desktop spywares:
o SpyMe Tools
o SSPro
o Easy Remote
o Chily Employee Monitoring
o Remote Desktop Spy
o Employee Desktop Live Viewer
o Desktop Spy X
o NetVizor

Email and Internet spyware: Email spyware monitors, records, and forwards incoming and outgoing e-mails, including web-mail services like Gmail and Hotmail. It records instant messages conducted in AIM, MSN, Yahoo, MySpace, Facebook, etc. Internet spyware delivers the following information:
o It delivers a summary report of the overall web usage.
o It records the date/time of visits.
o It records the active time spent on each website.
o It blocks access to a specific web page or an entire website.

The following are Email and Internet spywares:
o Imonitor Employee Activity
o Wiretap Professional
o Employee Monitoring
o Spy Software XP
o OsMonitor
o Spylab WebSpy
o Ascendant NFM
o Personal Inspector

Print spyware: It is useful in remote printer usage monitoring. It can be used to detect exact print job properties, such as the number of copies, the number of printed pages, and the content printed. The following are print spywares:
o Spyarsenal
o All-Spy Print
o O & K Print Watch
o Accurate Printer Monitor
o Print Job Monitor
o Print Censor
o PrintTrak

Child monitoring spyware: It is used to control and supervise how children use the PC and Internet. It uses specified keywords to block kids from accessing inappropriate web content. It monitors activities for selected users, such as websites, keystrokes, and screenshots, and records the selected activities, screenshots, keystrokes, and websites.
The following are child monitoring spywares:
o Silent Monitoring
o iProtectYou Pro
o Net Nanny Home Suite
o Big Mother
o KSS Parental Control
o SpyOn Baby
o CyberSieve
o SentryPC

Video spyware: It is used to secretly monitor and record webcams and video IM conversations. Attackers can remotely view webcams through the web or mobile phones. Users can use video spyware for video surveillance of sensitive facilities. The following are video spywares:
o WebCam Recorder
o Digi-Watcher
o WebcamMagic
o Eyeline Video Surveillance Software
o EyeSpyFX
o Capturix VideoSpy
o I-Can-See-You
o Hidden Camera Control

Functions of spyware

The following are functions of spyware:
o It steals the user's personal information and sends it to a remote server or hijacker.
o It monitors the user's online activity.
o It displays annoying pop-ups and redirects the web browser to advertising sites.
o It changes the web browser's default settings and prevents the user from restoring them.
o It adds multiple bookmarks to the web browser's favorites list.
o It decreases the overall system security level.
o It places desktop shortcuts to malicious spyware sites.
o It connects to remote pornography sites.
o It reduces system performance and causes software instability.

Spector

Spector is a spy software program that is used to record everything a system does on the Internet. Every hour, Spector automatically takes hundreds of snapshots of whatever is on the computer screen and saves the snapshots in a hidden location on the system's hard drive. Some versions of Spector can also record activity on Macintosh systems via snapshots, keystrokes, and Web site logging. Anti-spector can be used to detect and remove Spector.

5.4 Identify different ways to hide files, understand rootkits, and understand alternate data streams

Exam Focus: Identify different ways to hide files, understand rootkits, and understand alternate data streams.

Objective includes:
o Identify different ways to hide files.
o Understanding rootkits.
o Learn how to identify rootkits and the steps involved.
o Understand Alternate Data Streams.

Hiding files

Take the following steps to hide files:
1. Install the rootkit in the target system in order to maintain hidden access.
2. Perform Integrity Based Detection, Signature Based Detection, Cross View Based Detection, and Heuristic Detection techniques in order to detect rootkits.
3. Detect rootkits using anti-rootkits, such as RootkitRevealer, McAfee Rootkit Detective, SanityCheck, Sophos Anti-Rootkit, etc.
4. Inject malicious code on a breached system using NTFS Alternate Data Streams (ADS) and execute it without being detected by the user.
5. Detect NTFS ADS streams by using NTFS stream detectors, such as ADS Scan Engine, ADS Spy, NTFS Streams Info, etc.
6. Hide a secret message within an ordinary message by using the steganography technique and extract the information at the destination in order to maintain confidentiality of data.
7. Perform steganalysis by using steganography detection tools, such as Stegdetect, Stego Watch, StegSpy, Xstegsecret, etc.

Rootkit

A rootkit is a set of tools that take administrative control of a computer system without authorization by the computer owners and/or legitimate managers. On the Linux operating system the rootkit needs root access to be installed; however, once installed, the attacker can get root access at any time. Rootkits have the following features:
o They permit an attacker to run packet sniffers secretly in order to capture passwords.
o They permit an attacker to set a Trojan into the operating system, opening a backdoor for anytime access.
o They permit an attacker to replace utility programs that could be used to detect the attacker's activity.
o They provide utilities to install Trojans with the same attributes as legitimate programs.

Types of rootkits

The following are types of rootkits:

Hypervisor level rootkit: It loads itself by modifying the boot sequence of the machine.
It does not modify the original virtual machine monitor or operating system.

Kernel level rootkit: It adds malicious code or replaces the original OS kernel and device driver code.

Application level rootkit: It replaces regular application binaries with fake Trojans, or injects malicious code to modify the behavior of existing applications.

Hardware/firmware rootkit: It hides in hardware devices or platform firmware that is not inspected for code integrity.

Boot loader level rootkit: It replaces the original boot loader with one that is controlled by a remote attacker.

Library level rootkit: It replaces original system calls with fake ones in order to hide information regarding the attacker.

Fu

Fu is a rootkit. It operates using direct kernel object manipulation. A dropper (fu.exe) and a driver (msdirectx.sys) are the components of Fu. It permits attackers to hide processes and drivers, add privileges to any process token, hide information from user-mode applications and even from kernel-mode modules, and remove to-be-hidden entries from two linked lists with symbolic names.

Chkrootkit

Chkrootkit is a toolkit used to check whether a rootkit is installed on the Linux operating system or not. It contains the following tools:

Tool            Description
chkrootkit      A shell script that checks system binaries for rootkit modification.
ifpromisc.c     Checks whether the network interface is in promiscuous mode or not.
chklastlog.c    Checks for lastlog deletions.
chkwtmp.c       Checks for wtmp deletions.
check_wtmpx.c   Checks for wtmpx deletions.
chkproc.c       Checks for signs of LKM Trojans.
chkdirs.c       Checks for signs of LKM Trojans.
chkutmp.c       Checks for utmp deletions.

Steps for detecting rootkits

Take the following steps for detecting rootkits:
1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware.

Techniques for detecting rootkits

The following techniques are used for detecting rootkits:

Integrity based detection: In this technique, a comparison is made between a snapshot of the file system, boot records, or memory and a known trusted baseline.

Signature based detection: In this technique, a comparison is made between the characteristics of all system processes and executable files and a database of known rootkit fingerprints.

Heuristic based detection: In this technique, deviations from normal system patterns and behavior are looked for in order to find unidentified rootkits, based on the execution path hooks they use.

Cross view based detection: In this technique, system files, processes, and registry keys are enumerated and compared against a similar data set generated by an algorithm that does not rely on the system's common APIs.

Defend against rootkits

The following actions should be taken to defend against rootkits:
o The OS and applications should be reinstalled from a trusted source after backing up the critical data.
o Well-documented automated installation procedures should be kept.
o Network and host-based firewalls should be installed.
o Strong authentication should be used.
o Trusted restoration media should be kept available.
o The workstation or server should be hardened against attack.
o Patches for operating systems and applications should be kept up to date.
o Antivirus and anti-spyware software should be updated regularly.

Anti-Rootkits

The following are Anti-Rootkits:
o GMER
o Trend Micro RootkitBuster
o Rootkit Razor
o RemoveAny
o Sophos Anti-Rootkit
o F-Secure BackLight
o Avira AntiRootkit Tool
o SanityCheck

NTFS

NTFS is an advanced file system designed for use specifically in the Windows NT, Windows 2000/2003/2008, and Windows XP/Vista/7 operating systems.
It supports the following:
o File system recovery
o Large storage media
o Long file names

NTFS provides the following features:
o Disk quotas
o Distributed link tracking
o Compression
o Mounted drives

NTFS also provides security features, such as encryption and file and folder permissions. These features are not available on FAT volumes.

Alternate Data Streams

Alternate Data Streams (ADS) is a feature of the NTFS file system that allows more than one data stream to be associated with a filename, using the filename format "filename:streamname". Alternate streams are not listed in Windows Explorer, and their size is not included in the file size. ADS provides the hacker a place to hide rootkits or hacker tools, which can be executed without being detected by the system administrator. Alternate Data Streams are strictly a feature of the NTFS file system. Alternate Data Streams may be used as a method to hide executables or proprietary content.

Create NTFS streams

Take the following steps to create NTFS streams:
1. Launch C:\> notepad myfile.txt:lion.txt. Click 'Yes' to create the new file and type 10 lines of data. Save the file.
2. Launch C:\> notepad myfile.txt:tiger.txt. Click 'Yes' to create the new file and type another 20 lines of text. Save the file.
3. View the file size of myfile.txt. It should be zero.
4. Open the document 'myfile.txt:tiger.txt' in Notepad.
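Two detection checks for the hiding techniques in this section, added here as an example and not code from the study guide: the first automates the cross-view comparison from "Steps for detecting rootkits" (a "dir /s /b" listing taken inside the running OS against one taken from a clean boot CD), the second finds alternate data streams like the ones created above by parsing the output of "dir /r", which on Windows Vista and later lists each stream as name:stream:$DATA. Both listings and every file name in them are constructed placeholders, and the benign-stream and executable-extension sets are assumptions for the example.

```python
"""Two offline checks for the file-hiding techniques in this section.

Added example, not code from the study guide. Part 1 automates the
cross-view comparison from "Steps for detecting rootkits"; Part 2 parses
"dir /r" output for NTFS alternate data streams. All listings below are
constructed and the file names are placeholders, not real indicators.
"""
import re

# ---------- Part 1: cross-view comparison of directory listings ----------

# Names that legitimately exist only in the live view (volatile system files).
KNOWN_VOLATILE = {"pagefile.sys", "hiberfil.sys"}

def normalize(entry):
    """Make a "dir /s /b" entry comparable across boots: the infected volume
    may get a different drive letter from the boot CD, and NTFS names are
    case-insensitive, so drop the drive letter and lowercase."""
    p = entry.strip().replace("/", "\\").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p.lstrip("\\")

def cross_view_diff(online_listing, offline_listing, ignore=KNOWN_VOLATILE):
    """Return entries the clean boot sees but the running OS does not
    (candidates for rootkit hiding) and entries seen only while running."""
    online = {normalize(l) for l in online_listing.splitlines() if l.strip()}
    offline = {normalize(l) for l in offline_listing.splitlines() if l.strip()}
    noise = lambda p: p.rsplit("\\", 1)[-1] in ignore
    return {
        "hidden_from_os": sorted(p for p in offline - online if not noise(p)),
        "only_online": sorted(p for p in online - offline if not noise(p)),
    }

# Constructed: the same volume, seen as C: while running and as D: from the CD.
ONLINE_LISTING = """\
C:\\pagefile.sys
C:\\Windows\\System32\\sethc.exe
C:\\Windows\\System32\\drivers\\tcpip.sys
C:\\Users\\demo\\notes.txt
"""
OFFLINE_LISTING = """\
D:\\Windows\\System32\\sethc.exe
D:\\Windows\\System32\\fu.exe
D:\\Windows\\System32\\drivers\\tcpip.sys
D:\\Windows\\System32\\drivers\\msdirectx.sys
D:\\Users\\demo\\notes.txt
"""

# ---------- Part 2: alternate data streams in "dir /r" output ----------

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# Stream lines carry only a size and "file:stream:$DATA"; a file's own line
# starts with a date, so it never matches this pattern.
STREAM_RE = re.compile(
    r"^\s*(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")
# Zone.Identifier is the "mark of the web" Windows adds to downloads: benign.
BENIGN_STREAMS = {"zone.identifier"}
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs")

def find_streams(dir_r_output):
    """Parse "dir /r" output into stream records with suspicion flags."""
    found, current_dir = [], ""
    for line in dir_r_output.splitlines():
        d = DIR_RE.match(line)
        if d:
            current_dir = d["dir"]
            continue
        m = STREAM_RE.match(line)
        if not m:
            continue
        stream = m["stream"]
        found.append({
            "path": f"{current_dir}\\{m['file']}",
            "stream": stream,
            "size": int(m["size"].replace(",", "")),
            # Unusual stream names, and above all executable payloads, are
            # what the NTFS stream detectors in this section look for.
            "suspicious": stream.lower() not in BENIGN_STREAMS,
            "executable": stream.lower().endswith(EXEC_EXT),
        })
    return found

DIR_R_OUTPUT = """\
 Directory of C:\\Users\\demo

03/01/2024  10:05 AM                 0 myfile.txt
                                    52 myfile.txt:lion.txt:$DATA
                                   110 myfile.txt:tiger.txt:$DATA
03/01/2024  10:07 AM             7,168 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
03/01/2024  10:09 AM                12 Readme.txt
                                73,802 Readme.txt:Trojan.exe:$DATA
               3 File(s)          7,180 bytes
"""

if __name__ == "__main__":
    print(cross_view_diff(ONLINE_LISTING, OFFLINE_LISTING))
    for rec in find_streams(DIR_R_OUTPUT):
        print(rec)
```

Note that myfile.txt reports a size of 0 while its two streams carry 52 and 110 bytes, which is exactly why the file size check in step 3 above says nothing about hidden content.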
NTFS stream manipulation

Use the following command to move the contents of Trojan.exe into Readme.txt (as a stream):

C:\> type c:\Trojan.exe > c:\Readme.txt:Trojan.exe

Use the following command to execute the Trojan.exe inside Readme.txt (the stream):

C:\> start c:\Readme.txt:Trojan.exe

Use the following command to extract Trojan.exe from Readme.txt (the stream):

C:\> cat c:\Readme.txt:Trojan.exe > Trojan.exe

NTFS stream detectors

The following are NTFS stream detectors:
o ADS Spy
o List NTFS Streams (LNS)
o LADS
o StreamArmor
o NTFS Streams Info
o Streams
o ADS Locater
o ADS Manager

Defend against NTFS streams

Deleting a stream file involves copying the front file to a FAT partition and then copying it back to NTFS. When the file is moved to the FAT partition, the streams are lost. LNS.exe can detect streams.

5.5 Understand steganography technologies and tools used

Exam Focus: Understand steganography technologies and tools used.

Objective includes:
o Steganography techniques
o Types of steganography
o Steganalysis

Steganography

In steganography, harmful messages are embedded within other seemingly harmless messages in order to hide the information. In steganography, bits of unused data in regular computer files, such as graphics, sound, text, and HTML, are replaced with bits of invisible information. The hidden information can be in the form of plain text, cipher text, or even images.

Steganography techniques

The following are steganography techniques:

Substitution technique: It substitutes redundant parts of the cover object with a secret message.

Spread spectrum technique: It embeds secret messages by adopting ideas from spread spectrum communication.

Distortion technique: It uses signal distortion to store information and measures the deviation from the original cover in the extraction step.

Cover generation technique: It encodes information by creating the cover itself in order to allow secret communication.
Transform domain technique: It embeds a secret message in a transform space of the signal.

Types of steganography

The following are the types of steganography:
o Image steganography
o Document steganography
o Folder steganography
o Video steganography
o Audio steganography
o White space steganography
o Web steganography
o Spam/email steganography
o DVD-ROM steganography
o Natural text steganography
o Hidden OS steganography
o C++ source code steganography

The following are some important types of steganography:

Image steganography: This type of steganography hides the information in image files of different formats, such as .PNG, .JPG, .BMP, etc. Image steganography tools replace redundant bits of image data with the message in such a manner that the human eye cannot detect the effect. The following are image steganography tools:
o ImageHide
o Contraband
o QuickStego
o Camera/Shy
o gifshuffle
o JPHIDE and JPSEEK
o OutGuess
o StegaNote

Folder steganography: This type of steganography hides secret information in folders. The following are folder steganography tools:
o StegoStick
o PSM Encryptor
o QuickCrypto
o XPTools
o Max Folder Secure
o Universal Shield
o WinMend Folder Hidden
o Hide My Files

Video steganography: This type of steganography hides the information in video files of different formats, such as .AVI, .MPG4, .WMV, etc. The following are video steganography tools:
o Masker
o MSU StegoVideo
o Max File Encryption
o BDV DataHider
o Xiao steganography
o CHAOS Universal
o RT steganography
o OmniHide PRO

Audio steganography: This type of steganography hides secret information in audio files, such as .MP3, .RM, .WAV, etc. The following are audio steganography tools:
o MAXA Security Tools
o MP3Stego
o Stealth Files
o Steghide
o audiostegano
o Hide4PGP
o BitCrypt
o CHAOS Universal

Spam/email steganography: This type of steganography hides information in spam messages.
Natural text steganography: Natural text steganography programs convert sensitive information into user-definable free text, such as a play.

Image Hide

Image Hide is a steganography program that is used to hide text within an image. Using steganography, malicious data can be encoded into, or decoded from, images that appear identical to the original images. It is estimated that approximately 300KB of information can be hidden when a 640 x 480 pixel image with a color resolution of 256 colors is used. High-resolution images are notable for their payload capacity. For example, a 1024 x 768 pixel image with 24-bit color resolution can carry about 2.3MB as payload. Image Hide warns its users that the image file should not use the JPEG format, because JPEG is a lossy algorithm and the hidden data may be lost during compression.

Steganalysis

Steganalysis is used to discover and render covert messages that use steganography. The following are the challenges of steganalysis:
o The suspect information stream may or may not include encoded hidden data.
o Efficient and accurate detection of hidden content within digital messages is difficult.
o Some of the suspect signals or files may have irrelevant data or noise encoded into them.
o The hidden data may be encrypted before it is inserted into a file or signal.

Steganalysis methods

The following are steganalysis methods:

Stego-only: In this method, only the steganography medium is available for analysis.

Known-stego: In this method, the original and the stego-object are available and the steganography algorithm is known.

Disabling or active: In this method, active attackers can change the cover during the communication process.

Reformat: In this method, the format of the file is changed. Different file formats store data in different ways.

Known-cover: In this method, the stego-object is compared with the original cover object in order to detect hidden information.

Chosen-message: In this method, patterns in the stego-object are determined.
These patterns refer to the use of specific steganography tools or algorithms.

Chosen-stego: In this method, the stego-object and the steganography algorithm are identified.

Snow.exe

Snow.exe is a steganography tool. It is used to hide secret data in text files. It uses the concept that spaces and tabs are generally not visible in text viewers. Hence, a message can be effectively hidden; it will not affect the text's visual representation for the casual observer. This is achieved by appending white space to the ends of lines in ASCII text.

Watermarking

Watermarking is the irreversible process of embedding information into digital media. Digital watermarks are used to provide copyright protection for intellectual property that is in digital form. Watermarking is basically divided into two main sections:

Visible watermarking: In visible watermarking, data or information is clearly visible on the picture or on the video. Generally, this type of watermarking is used to identify the owner of the media and to enforce the copyright. It also serves the purpose of advertisement.

Invisible watermarking: In invisible watermarking, information is added in a hidden form to the digital media. One of the major applications of invisible watermarking is to prevent unauthorized copying of digital media.

2Mosaic

The 2Mosaic tool is used for watermark breaking. It is an attack against a digital watermarking system. In this type of attack, an image is chopped into small pieces and then placed back together. When this image is embedded into a web page, the web browser renders the small pieces as one image. This image appears as a real image with no watermark in it. The attack is successful because it is not possible to read a watermark from very small pieces.

5.6 Understand covering tracks, tools used and erase evidences

Exam Focus: Understand covering tracks, tools used and erase evidences.
Objective includes:
o Covering tracks
o Need of covering tracks
o Ways to clear online tracks

Covering tracks

Intruders try to cover their tracks to avoid detection once they have gained administrator access on a system. Once all the information of interest has been stripped from the target, the intruder installs several backdoors to gain easy access in the future. Attackers cover tracks for the following reasons:
o To attack again
o To cover their tracks to avoid detection
o To install backdoors to gain access in the future

Attackers can use track-covering tools, such as Traceless, WinZapper, ZeroTracks, WinTools.net Ultimate, Evidence Eliminator, Armor Tools, Clear My History, and EvidenceEraser.

Process used by a hacker for covering tracks

Covering tracks is the last important step of remote hacking. It includes deletion of all logs on the remote system. On Linux or UNIX, all entries of the /var folder are required to be deleted. If a Windows operating system is used, all events and logs are deleted. Hackers take these steps to keep their identities anonymous. The hacker generally removes security events or error messages that have been logged in order to avoid detection. Hackers either clear the event logs or disable auditing to prevent detection. Intruders first disable auditing when they gain administrator access. Windows auditing records certain events in a log file that is stored in the Windows Event Viewer. These events may be logons to the system, an application event, or an event log entry. An administrator is responsible for choosing the level of logging implemented on a system. Hackers want to determine the level of logging implemented in order to decide whether they have to clear events that indicate their presence on the system.

Actions for covering tracks

Take the following actions for covering tracks:
o Remove web activity tracks, such as MRU, cookies, cache, temporary files, and history.
o Disable auditing using a tool such as Auditpol.
o Tamper with log files, such as event log files and proxy log files, by log poisoning or log flooding.
o Close all remote connections to the victim machine.
o Close any opened port.

Ways to clear online tracks

The following are the ways used to clear online tracks:
o Remove the Most Recently Used (MRU) list.
o Delete cookies.
o Clear the cache.
o Turn off AutoComplete.
o Clear toolbar data from the browsers.

Execute applications

Take the following steps to execute applications:
1. Check if antivirus software is installed and up to date.
2. Check if firewall software and anti-keylogging software are installed.
3. Check if the hardware systems are secured in a locked environment.
4. Use keyloggers.
5. Use spywares.
6. Use tools for remote execution.

Auditpol

Auditpol is a tool included in the Windows NT Resource Kit for system administrators to disable or enable auditing from the Windows command line. It is also used to determine the level of logging implemented by a system administrator. It is strictly a command-line tool and has several switches for displaying, setting, clearing, backing up, and restoring audit settings.

Chapter Summary

In this chapter, we learned about different types of passwords, password attacks, and password cracking techniques. In this chapter, we discussed the Microsoft authentication mechanism, privilege escalation, key loggers, spyware, rootkits, and alternate data streams. This chapter also focused on steganography technologies and covering tracks.

Glossary

2Mosaic: 2Mosaic is a tool used for watermark breaking.

2Mosaic: Steganographic tool.

Auditpol: Auditpol is a tool included in the Windows NT Resource Kit for system administrators to disable or enable auditing from the Windows command line.

Authentication: Authentication is a process of verifying the identity of a person, network host, or system process.

Default password: A default password is a password provided by the manufacturer with new equipment that is password protected.
Dskprobe: Steganography detection tool.

LAN Manager hash: The LAN Manager hash is the format used by Microsoft LAN Manager and Microsoft Windows to store user passwords that are less than 15 characters long.

NTLM: NTLM is a protocol that authenticates users and computers based on an authentication challenge and response.

P0F: Passive fingerprinting tool.

Passive sniffing: In passive sniffing, no packet is generated by the tool; it just sits there and captures all packets. In passive sniffing, an intruder gets access to the network by compromising the physical security. For example, an intruder walks into the building with his laptop and plugs in to access the network so that he/she may capture data.

Password: A password is a combination of characters, integers, and special symbols that allows a user to access a file or any program.

Password cracking: Password cracking is used to recover passwords from computer systems.

Privilege escalation: Privilege escalation is an attempt to gain a higher level of access than is permitted under an attacker's account.

Rootkit: A rootkit is a set of tools that take administrative control of a computer system without authorization by the computer owners and/or legitimate managers.

Salting: Salting prevents deriving passwords from the password file.

Spyware: Spyware is a program that takes partial control over a user's computer without the user's permission.

Steganography: Steganography is the art and science of hiding information by embedding harmful messages within other seemingly harmless messages.

Watermarking: Watermarking is the irreversible process of embedding information into digital media.