Ceh v8 labs module 05 system hacking


  1. CEH Lab Manual: System Hacking, Module 05
  2. Module 05 - System Hacking
     System Hacking
     System hacking is the science of testing computers and networks for vulnerabilities and plug-ins.

     Lab Scenario
     Password hacking is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it.
     Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems.

     Lab Objectives
     The objective of this lab is to help students learn to monitor a system remotely and to extract hidden files, and other tasks that include:
     ■ Extracting administrative passwords
     ■ Hiding files and extracting hidden files
     ■ Recovering passwords
     ■ Monitoring a system remotely
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

     Lab Environment
     To carry out the lab you need:
     ■ A computer running Windows Server 2012
     ■ A web browser with an Internet connection
     ■ Administrative privileges to run tools

     Lab Duration
     Time: 100 Minutes

     CEH Lab Manual - Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Overview of System Hacking
     The goal of system hacking is to gain access, escalate privileges, execute applications, and hide files.

     Lab Tasks
     Recommended labs to assist you in system hacking:
     ■ Extracting Administrator Passwords Using LCP
     ■ Hiding Files Using NTFS Streams
     ■ Find Hidden Files Using ADS Spy
     ■ Hiding Files Using the Stealth Files Tool
     ■ Extracting SAM Hashes Using PWdump7 Tool
     ■ Creating the Rainbow Tables Using Winrtgen
     ■ Password Cracking Using RainbowCrack
     ■ Extracting Administrator Passwords Using L0phtCrack
     ■ Password Cracking Using Ophcrack
     ■ System Monitoring Using RemoteExec
     ■ Hiding Data Using Snow Steganography
     ■ Viewing, Enabling and Clearing the Audit Policies Using Auditpol
     ■ Password Recovery Using CHNTPW.ISO
     ■ User System Monitoring and Surveillance Needs Using Spytech SpyAgent
     ■ Web Activity Monitoring and Recording Using Power Spy 2013
     ■ Image Steganography Using QuickStego

     Lab Analysis
     Analyze and document the results related to the lab exercise. Give your opinion on the target's security posture and exposure.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  4. Extracting Administrator Passwords Using LCP
     Link Control Protocol (LCP) is part of the Point-to-Point (PPP) protocol. In PPP communications, both the sending and receiving devices send out LCP packets to determine specific information required for data transmission.

     Lab Scenario
     Hackers can break weak password storage mechanisms by using the cracking methods outlined in this chapter. Many vendors and developers believe that passwords are safe from hackers if they don't publish the source code for their encryption algorithms. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge. Password-cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords.

     Lab Objectives
     The objective of this lab is to help students learn how to crack administrator passwords for ethical purposes. In this lab you will learn how to:
     ■ Use an LCP tool
     ■ Crack administrator passwords
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

     Lab Environment
     To carry out the lab you need:
     ■ LCP located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\LCP
     ■ You can also download the latest version of LCP from the link http://www.lcpsoft.com/english/index.htm
  5. ■ If you decide to download the latest version, then the screenshots shown in the lab might differ
     ■ Follow the wizard-driven installation instructions
     ■ Run this tool in Windows Server 2012
     ■ Administrative privileges to run tools
     ■ TCP/IP settings correctly configured and an accessible DNS server

     Lab Duration
     Time: 10 Minutes

     Overview of LCP
     The LCP program mainly audits user account passwords and recovers them in Windows 2008 and 2003. General features of this protocol are password recovery, brute force session distribution, account information importing, and hashing. It can be used to test password security, or to recover lost passwords. The program can import from the local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Sniff file. LCP supports dictionary attack, brute force attack, as well as a hybrid of dictionary and brute force attacks.

     Lab Tasks
     TASK 1: Cracking Administrator Password
     1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
     FIGURE 1.1: Windows Server 2012 — Desktop view
     2. Click the LCP app to launch LCP.
     Note: You can also download LCP from http://www.lcpsoft.com.
  6. FIGURE 1.2: Windows Server 2012 — Apps
     3. The LCP main window appears.
     Note: LCP supports additional encryption of accounts by SYSKEY at import from registry and export from SAM file.
     FIGURE 1.3: LCP main window
     4. From the menu bar, select Import and then Import from remote computer.
  7. FIGURE 1.4: Import from remote computer
     5. Select Computer name or IP address, select the Import type as Import from registry, and click OK.
     The Import from remote computer dialog offers: Computer name or IP address (WIN-D39MR5HL9E4 in the lab), Import type (Import from registry or Import from memory), Encrypt transferred data, and a Connection section with Execute connection, Shared resource (ipc$), User name (Administrator), Password and Hide password.
     Note: LCP is logically a transport layer protocol according to the OSI model. LCP checks the identity of the linked device and either accepts or rejects the peer device, then determines the acceptable packet size for transmission.
     FIGURE 1.5: Import from remote computer window
     6. The output window appears.
  8. FIGURE 1.6: Importing the User Names
     The imported list shows each account's LM password, NT password, LM hash and NT hash. In the lab the accounts Administrator, Guest, Martin, Juggyboy, Jason and Shiela are imported, the LM column reads NO PASSWORD for every account, and the status bar reports "1 of 7 passwords were found (14.286%)".
     Note: The main purpose of the LCP program is user account password auditing and recovery in Windows.
     7. Now select any User Name and click the Play button.
     8. This action generates passwords.
     FIGURE 1.7: LCP generates the password for the selected username
     The brute force attack on Administrator runs from the starting combination ADMINISTRATORA to the ending combination ADMINISTRATORZZ; when the recovery is interrupted, the status bar reports "5 of 7 passwords were found (71.429%)" and the NT password column shows apple (Martin), green (Juggyboy), qwerty (Jason) and test (Shiela).

     Lab Analysis
     Document all the IP addresses and passwords extracted for the respective IP addresses. Use this tool only for training purposes.
  9. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

     Tool/Utility: LCP
     Information Collected/Objectives Achieved:
       Remote Computer Name: WIN-D39MR5HL9E4
       Output:
         User Name    NT Password
         Martin       apple
         Juggyboy     green
         Jason        qwerty
         Shiela       test

     Questions
     1. What is the main purpose of LCP?
     2. How do you continue recovering passwords with LCP?

     Internet Connection Required: ☐ Yes  ☑ No
     Platform Supported: ☑ Classroom  ☑ iLabs
  10. Hiding Files Using NTFS Streams
     A stream consists of data associated with a main file or directory (known as the main unnamed stream). Each file and directory in NTFS can have multiple data streams that are generally hidden from the user.

     Lab Scenario
     Once the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system that make it easy for the attacker to compromise each system in a short amount of time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and password information. Attackers continue to leverage information on each system until they identify passwords for accounts that reside on highly prized systems including payroll, root domain controllers, and web servers. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using NTFS streams.

     Lab Objectives
     The objective of this lab is to help students learn how to hide files using NTFS streams. It will teach you how to:
     ■ Use NTFS streams
     ■ Hide files
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

     Lab Environment
     To carry out the lab you need:
     ■ A computer running Windows Server 2008 as a virtual machine
     ■ A C: drive formatted as NTFS
  11. Lab Duration
     Time: 15 Minutes

     Overview of NTFS Streams
     NTFS (New Technology File System) is the standard file system of Windows. NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures.

     Lab Tasks
     TASK 1: NTFS Streams
     1. Run this lab in the Windows Server 2008 virtual machine.
     2. Make sure the C: drive is formatted for NTFS.
     3. Create a folder called magic on the C: drive and copy calc.exe from C:\windows\system32 to C:\magic.
     4. Open a command prompt, go to C:\magic, type notepad readme.txt in the command prompt and press Enter.
     5. readme.txt opens in Notepad. (Click the Yes button if prompted to create a new readme.txt file.)
     6. Type Hello World! and save the file.
     Note: NTFS streams run on Windows Server 2008.
     7. Note the file size of readme.txt by typing dir in the command prompt.
     8. Now hide calc.exe inside readme.txt by typing the following in the command prompt:
        type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe
  12. FIGURE 2.2: Command prompt with the command that hides calc.exe
        C:\magic>notepad readme.txt

        C:\magic>dir
         Volume in drive C has no label.
         Volume Serial Number is 34C9-D78F

         Directory of C:\magic

        09/12/2012  05:39 AM    <DIR>          .
        09/12/2012  05:39 AM    <DIR>          ..
        01/19/2008  06:51 AM           188,416 calc.exe
        09/12/2012  05:40 AM                12 readme.txt
                       2 File(s)        188,428 bytes
                       2 Dir(s)   4,377,677,824 bytes free

        C:\magic>type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe

        C:\magic>
     Note: A stream consists of data associated with a main file or directory (known as the main unnamed stream).
     9. Type dir in the command prompt and note the file size of readme.txt.
     FIGURE 2.3: Command prompt after executing the command that hides calc.exe
        C:\magic>dir
         Volume in drive C has no label.
         Volume Serial Number is 34C9-D78F

         Directory of C:\magic

        09/12/2012  05:39 AM    <DIR>          .
        09/12/2012  05:39 AM    <DIR>          ..
        01/19/2008  06:51 AM           188,416 calc.exe
        09/12/2012  05:44 AM                12 readme.txt
                       2 File(s)        188,428 bytes
                       2 Dir(s)   4,377,415,680 bytes free
     Note: NTFS supersedes the FAT file system as the preferred file system for Microsoft's Windows operating systems.
     10. The file size of readme.txt should not change. Now navigate to the directory c:\magic and delete calc.exe.
     11. Return to the command prompt, type the command mklink backdoor.exe readme.txt:calc.exe, and press Enter.
  13. FIGURE 2.4: Command prompt linking the hidden calc.exe
        C:\magic>mklink backdoor.exe readme.txt:calc.exe
        symbolic link created for backdoor.exe <<===>> readme.txt:calc.exe

        C:\magic>
     Note: A stream is a hidden file that is linked to a normal (visible) file.
     12. Type backdoor, press Enter, and the calculator program will be executed.
     FIGURE 2.5: Command prompt with the hidden calc.exe executed (the Calculator window opens)

     Lab Analysis
     Document all the results discovered during the lab.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  14. Tool/Utility: NTFS Streams
     Information Collected/Objectives Achieved:
       Output: Calculator (calc.exe) file executed

     Questions
     1. Evaluate alternative methods to hide other exe files (like calc.exe).

     Internet Connection Required: ☐ Yes  ☑ No
     Platform Supported: ☑ Classroom  ☑ iLabs
  15. Find Hidden Files Using ADS Spy
     ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with the NTFS file system.

     Lab Scenario
     Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. In order to be an expert ethical hacker and penetration tester, you must understand how to find hidden files using ADS Spy.

     Lab Objectives
     The objective of this lab is to help students learn how to list, view, or delete Alternate Data Streams and how to use them. It will teach you how to:
     ■ Use ADS Spy
     ■ Find hidden files
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

     Lab Environment
     To carry out the lab you need:
     ■ ADS Spy located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream Detector Tools\ADS Spy
     ■ You can also download the latest version of ADS Spy from the link http://www.merijn.nu/programs.php#adsspy
     ■ If you decide to download the latest version, then the screenshots shown in the lab might differ
     ■ Run this tool in Windows Server 2012
  16. Lab Duration
     Time: 10 Minutes

     Overview of ADS Spy
     ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with NTFS file systems. ADS Spy is a method of storing meta-information of files, without actually storing the information inside the file it belongs to.
     Note: An Alternate Data Stream is a technique used to store meta-info on files.

     Lab Tasks
     TASK 1: Alternate Data Streams
     1. Navigate to the CEH-Tools directory D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream Detector Tools\ADS Spy
     2. Double-click and launch ADS Spy.
     FIGURE 3.1: Welcome screen of ADS Spy
     The ADS Spy v1.11 window (written by Merijn) explains: "Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious!" It offers three scan modes (Quick scan (Windows base folder only), Full scan (all NTFS drives), Scan only this folder), the options Ignore safe system info data streams ('encryptable', 'SummaryInformation', etc.) and Calculate MD5 checksums of streams' contents, and the buttons Scan the system for alternate data streams and Remove selected streams.
     Note: ADS Spy is a small tool to list, view, or delete Alternate Data Streams (ADS) on Windows 2012 with NTFS file systems.
     3. Start the appropriate scan that you need.
     4. Click Scan the system for alternate data streams.
  17. FIGURE 3.2: ADS Spy window with Full Scan selected
     Note: ADS are a way of storing meta-information regarding files, without actually storing the information in the file it belongs to, carried over from early MacOS compatibility.
     The full scan in the lab lists:
       C:\magic\readme.txt: calc.exe (1051648 bytes)
       C:\Users\Administrator\Documents: {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes)
       C:\Users\Administrator\Favorites\Links\Suggested Sites.url: favicon (894 bytes)
       C:\Users\Administrator\My Documents: {726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} (12 bytes)
       C:\Windows.old.000\Documents and Settings\Administrator\Favorites\Links\Suggested Sites.url: favicon (894 bytes)
       C:\Windows.old.000\Users\Administrator\Favorites\Links\Suggested Sites.url: favicon (894 bytes)
       Scan complete, found 6 alternate data streams (ADS's).
     5. Find the hidden info file while you scan the system for alternate data streams.
     6. To remove the Alternate Data Stream, click Remove selected streams.
     Note: Compatible with: Windows Server 2012, 2008.
     FIGURE 3.3: Find the hidden stream file
  18. Lab Analysis
     Document all the results and reports gathered during the lab.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

     Tool/Utility: ADS Spy
     Information Collected/Objectives Achieved:
       Scan Option: Full Scan (all NTFS drives)
       Output:
       ■ Hidden files with their location
       ■ Hidden file sizes

     Questions
     1. Analyze how ADS Spy detects NTFS streams.

     Internet Connection Required: ☐ Yes  ☑ No
     Platform Supported: ☑ Classroom  ☑ iLabs
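     The NTFS Streams lab above hides calc.exe in readme.txt:calc.exe and points a symbolic link (backdoor.exe) at it, and the ADS Spy lab then finds the stream with a third-party tool. The same check can be done with built-in PowerShell, as in this added example, which is not part of the CEH lab manual or the ADS Spy tool: it assumes Windows PowerShell 3.0 or later on an NTFS volume, and C:\magic is only the lab's folder used as a default. Unlike dir, which reports only the unnamed stream (readme.txt still shows 12 bytes), Get-Item -Stream reports the length of every stream on the file.

```powershell
# Added example, not from the CEH lab manual or the ADS Spy tool.
# Lists alternate data streams under a folder and flags symbolic links whose
# target is a stream (the lab's readme.txt:calc.exe and backdoor.exe).
# Assumes Windows PowerShell 3.0+ on an NTFS volume; C:\magic is the lab's
# folder and only a default here.
function Find-AlternateStreams {
    param(
        [string]   $Path = 'C:\magic',
        # Stream names Windows writes itself and that are normally benign
        # (the same kind ADS Spy's "Ignore safe system info" option skips).
        [string[]] $IgnoreStreams = @('Zone.Identifier', 'encryptable', 'SummaryInformation')
    )

    # Folders carry streams too (ADS Spy reported one on ...\Documents), so
    # do not restrict the walk to files. -Force includes hidden items.
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        # -Stream * lists every stream; ':$DATA' is the ordinary file content,
        # which is the only part dir and Explorer count in the file size.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream }

        foreach ($s in $streams) {
            [pscustomobject]@{
                Kind            = 'ADS'
                Path            = $item.FullName
                Stream          = $s.Stream
                Bytes           = $s.Length
                # A stream named like a program is the pattern the lab demonstrates.
                LooksExecutable = [bool]($s.Stream -match '\.(exe|dll|ps1|bat|cmd|vbs|js)$')
            }
        }

        # mklink backdoor.exe readme.txt:calc.exe leaves a symbolic link whose
        # target has a colon after the file name; a drive-letter colon is always
        # followed by a backslash, so the pattern below does not match it.
        if ($item.LinkType -eq 'SymbolicLink') {
            $target = [string]($item.Target | Select-Object -First 1)
            if ($target -match ':[^\\/:]+$') {
                [pscustomobject]@{
                    Kind            = 'LinkToStream'
                    Path            = $item.FullName
                    Stream          = $target
                    Bytes           = $null
                    LooksExecutable = $true
                }
            }
        }
    }
}

# Report first; read or remove a stream only after confirming it is not legitimate.
Find-AlternateStreams -Path 'C:\magic' | Format-Table -AutoSize
# Get-Item    -LiteralPath 'C:\magic\readme.txt' -Stream 'calc.exe'
# Remove-Item -LiteralPath 'C:\magic\readme.txt' -Stream 'calc.exe'
```

     On the lab machine this reports readme.txt with stream calc.exe and its full byte length, plus backdoor.exe as a LinkToStream entry; the in-box PowerShell 2.0 on Windows Server 2008 lacks the -Stream parameter, so run it from a newer PowerShell there.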
  19. Hiding Files Using the Stealth Files Tool
     Stealth Files uses a process called steganography to hide any files inside of another file. It is an alternative to encryption of files.

     Lab Scenario
     The Windows NT NTFS file system has a feature that is not well documented and is unknown to many NT developers and most users. A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size and there can be more than one stream linked to a normal file. Streams can have any name that complies with NTFS naming conventions. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using the Stealth Files tool. In this lab, discuss how to find hidden files inside of other files using the Stealth Files Tool.

     Lab Objectives
     The objective of this lab is to teach students how to hide files using the Stealth Files tool. It will teach you how to:
     ■ Use the Stealth Files Tool
     ■ Hide files
     Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

     Lab Environment
     To carry out this lab you need:
     ■ Stealth Files tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Audio Steganography\Stealth Files
     ■ A computer running Windows Server 2012 (host machine)
     ■ You can also download the latest version of Stealth Files from the link http://www.froebis.com/english/sf40.shtml
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run the Stealth Files tool
■ Run this tool in Windows Server 2012 (host machine)

Lab Duration
Time: 15 Minutes

Overview of Stealth Files Tool

Steganography is the art and science of writing hidden messages. Stealth Files uses a process called steganography to hide any files inside of another file. It is an alternative to encryption of files because no one can decrypt the encrypted information or data from the files unless they know that the hidden files exist.

Lab Tasks

TASK 1: Steganography

1. Follow the wizard-driven installation instructions to install the Stealth Files tool.
2. Launch Notepad, write Hello World and save the file as Readme.txt on the desktop.

FIGURE 4.1: Hello world in readme.txt

Note: Stealth Files uses a process called steganography to hide any file or files inside of another file.

3. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 4.2: Windows Server 2012 - Desktop view

4. Click the Stealth Files 4.0 app to open the Stealth Files window.

Note: You can also download Stealth Files from http://www.froebis.com.

FIGURE 4.3: Windows Server 2012 - Apps

5. The main window of Stealth Files 4.0 is shown in the following figure. This is an alternative to encryption because no one can decrypt encrypted information or files unless they know that the hidden files exist.

FIGURE 4.4: Control panel of Stealth Files
6. Click Hide Files to start the process of hiding the files.
7. Click Add Files.

Note: Before Stealth Files hides a file, it compresses it and encrypts it with a password. Then you must select a carrier file, which is a file that contains the hidden files.

FIGURE 4.5: Add Files window (Step 1: Choose Source Files; Step 2: Choose Carrier File; Step 3: Choose Password)

8. In Step 1, add calc.exe from C:\Windows\System32\calc.exe.
9. In Step 2, choose the carrier file and add the file Readme.txt from the desktop.
10. In Step 3, choose a password such as magic (you can type any desired password).

Note: Stealth Files 4.0 can be downloaded from the link http://www.froebis.com/english/sf40.shtml.
FIGURE 4.6: Step 1-3 window

Note: You can also remove the hidden files from the carrier file by going to Remove Hidden Files and following the instructions.

11. Click Hide Files.
12. It will hide the file calc.exe inside the readme.txt located on the desktop.
13. Open Notepad and check the file; calc.exe is copied inside it.

FIGURE 4.7: Calc.exe copied inside readme.txt (the Hello World! line is followed by a long run of encoded lowercase letters carrying the hidden data)

Note: When you are ready to recover your hidden files, simply open them up with Stealth Files, and if you gave the carrier file a password, you will be prompted to enter it again to recover the hidden files.

14. Now open the Stealth Files control panel and click Retrieve Files.
Note: Pictures will still look the same, sound files will still sound the same, and programs will still work fine. These carrier files will still work perfectly even with the hidden data in them.

FIGURE 4.8: Stealth Files main window (Hide Files, Retrieve Files, Remove Hidden Files, About Stealth Files, Close Program)

15. In Step 1, choose the file (Readme.txt) from the desktop in which you have saved calc.exe.
16. In Step 2, choose the path to store the retrieved hidden file. In the lab the path is the desktop.
17. Enter the password magic (the password that was entered to hide the file) and click Retrieve Files!

Note: The carrier file can be any of these file types: EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files.

FIGURE 4.9: Retrieve Files main window

18. The retrieved file is stored on the desktop.
Note: You can transfer the carrier file through the Internet, and the hidden files inside will transfer simultaneously.

FIGURE 4.10: Calc.exe running on the desktop with the retrieved file

Lab Analysis

Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Stealth Files Tool
Information Collected/Objectives Achieved:
  Hidden Files: Calc.exe (calculator)
  Retrieve File: readme.txt (Notepad)
  Output: Hidden calculator executed

Questions
1. Evaluate other alternative parameters for hiding files.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
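The carrier in Figure 4.7 keeps its visible text but is followed by one very long run of encoded letters, which is the shape a defender can look for. The script below is an added example, not part of the Stealth Files tool or of this lab; the length threshold and the a-p alphabet are assumptions read off the figure, and the sample files are constructed.

```python
"""Heuristic check for a text carrier that has had a Stealth Files style
payload appended to it.  Added example for this lab, not code from the
Stealth Files tool.  The only assumption about the encoding is taken
from Figure 4.7: the "Hello World!" line is followed by a single very
long token made of lowercase letters only (the run shown uses just a-p,
sixteen symbols).  Ordinary text never contains such a token, so a file
like that deserves a closer look."""
import random
import re
from collections import Counter


def longest_token(text: str) -> str:
    """Return the longest whitespace-delimited token in the text."""
    return max(re.split(r"\s+", text), key=len, default="")


def analyze_carrier(text: str, min_run: int = 200, max_alphabet: int = 16) -> dict:
    """Flag a text file whose longest token looks like an encoded blob.

    A token counts as a payload when it is at least min_run characters
    long, is made of letters only (no digits, punctuation or spaces) and
    uses at most max_alphabet distinct letters.  Both thresholds are
    assumptions chosen for the carrier shown in this lab; a real
    deployment would tune them against its own text files.
    """
    token = longest_token(text)
    alphabet = Counter(token)
    suspicious = (
        len(token) >= min_run
        and token.isalpha()
        and len(alphabet) <= max_alphabet
    )
    return {
        "suspicious": suspicious,
        "run_length": len(token),
        "distinct_letters": len(alphabet),
        # share of the file taken up by the blob; close to 1.0 means the
        # visible text is only a thin cover for the hidden data
        "payload_fraction": round(len(token) / max(len(text), 1), 3),
    }


def analyze_file(path: str) -> dict:
    """Run the same check on a file on disk (decoding errors are tolerated)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return analyze_carrier(fh.read())


def make_sample_carrier(payload_nibbles: int = 800, seed: int = 1) -> str:
    """Constructed stand-in for the readme.txt of Figure 4.7: the original
    line followed by a pseudo-random run of the letters a-p."""
    rng = random.Random(seed)
    blob = "".join(rng.choice("abcdefghijklmnop") for _ in range(payload_nibbles))
    return "Hello World!\n" + blob + "\n"


# Constructed benign readme for comparison.
CLEAN_README = (
    "Hello World!\n"
    "This readme explains how to install the calculator and where the\n"
    "configuration files live. Nothing here is unusual.\n"
)


if __name__ == "__main__":
    for label, text in (("carrier", make_sample_carrier()), ("clean", CLEAN_README)):
        print(label, analyze_carrier(text))
```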
Lab: Extracting SAM Hashes Using the Pwdump7 Tool

Pwdump7 can also be used to dump protected files. You can always copy a used file just by executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat.

Lab Scenario

Passwords are a big part of this modern generation. You can use the password for your system to protect business or secret information, and you may choose to limit access to your PC with a Windows password. These passwords are an important security layer, but many passwords can be cracked, and while that is a worry, this chink in the armour can come to your rescue: the password cracking tools or password cracking technologies that allow hackers to steal passwords can also be used to recover them legitimately. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab, we discuss extracting the user login password hashes to crack the password.

Lab Objectives

This lab teaches you how to:
■ Use the pwdump7 tool
■ Crack administrator passwords

Lab Environment

To carry out the lab you need:
■ Pwdump7 located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7
■ Run this tool on Windows Server 2012
■ You can also download the latest version of pwdump7 from the link http://www.tarasco.org/security/pwdump_7/index.html
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ Run this lab in Windows Server 2012 (host machine)

Lab Duration
Time: 10 Minutes

Overview of Pwdump7

Pwdump7 can be used to dump protected files. You can always copy a used file just by executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat.

Lab Tasks

TASK 1: Generating Hashes

1. Open the command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7.
2. Alternatively, you can also navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7, right-click the pwdump7 folder and select CMD prompt here to open the command prompt.

FIGURE 5.1: Command prompt at the pwdump7 directory

Note: Active Directory passwords are stored in the ntds.dit file and currently the stored structure

3. Now type pwdump7.exe and press Enter, which will display all the password hashes.
FIGURE 5.2: pwdump7.exe result window (pwdump v7.1 raw password extractor, author Andres Tarasco Acuna, http://www.514.es; one line per account in the form user:RID:LM hash:NT hash:::)

Note: Always copy a used file just by executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat.

4. Now type pwdump7.exe > c:\hashes.txt in the command prompt, and press Enter.
5. This command will copy all the output of pwdump7.exe to the c:\hashes.txt file. (To check the generated hashes you need to navigate to the C: drive.)

FIGURE 5.3: hashes.txt window, with these contents:

  Administrator:500:NO PASSWORD*********************:BE40C450AB99713DF1EDC5B40C25AD47:::
  Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
  LANGUARD_11_USER:1006:NO PASSWORD*********************:C25510219F66F9F12FC9BE662A67B960:::
  Martin:1018:NO PASSWORD*********************:5EBE7DFA074DA8EE8AEF1FAA2BBDE876:::
  Juggyboy:1019:NO PASSWORD*********************:488CDCDD2225312793ED6967B28C1025:::
  Jason:1020:NO PASSWORD*********************:2D20D252A479F485CDF5E171D93985BF:::
  Shiela:1021:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::

Lab Analysis

Analyze all the password hashes gathered during the lab and figure out what the password was.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Pwdump7
Information Collected/Objectives Achieved:
  Output: List of users and password hashes
  ■ Administrator
  ■ Guest
  ■ Languard
  ■ Martin
  ■ Juggyboy
  ■ Jason
  ■ Shiela

Questions
1. What is the pwdump7.exe command used for?
2. How do you copy the result of a command to a file?

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
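The hashes.txt written above is in pwdump format (user:RID:LM hash:NT hash:::). As an added example, not part of pwdump7 or of this lab, the script below parses such a file and reports what an auditor looks for in it: blank passwords, LM hashes still stored, and accounts sharing one NT hash. The sample records are constructed in that format; only the NT hash of test is the value shown in the lab.

```python
"""Audit helper for pwdump-style output, the user:RID:LM hash:NT hash:::
lines that pwdump7 writes to hashes.txt in this lab.  Added example for
this page, not part of pwdump7.  It reports the weaknesses a defender
wants to find in such a dump: accounts with a blank password, accounts
that still have an LM hash stored, and accounts that share one NT hash
(the same password on several accounts).  The sample dump below is
constructed in the format of Figure 5.3; the NT hash of "test" is the
value shown in the lab, the other hashes and user names are made up."""
from collections import defaultdict
from typing import Optional

NO_PASSWORD = "NO PASSWORD"                       # pwdump7's marker for an empty field
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"    # LM hash of the empty string
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"    # NT hash of the empty string

# Constructed sample in the layout of hashes.txt (one non-record line included).
SAMPLE_DUMP = """\
Administrator:500:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1005:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
Shiela:1021:NO PASSWORD*********************:0cb6948805f797bf2a82807973b89537:::
this line is not a pwdump record
"""


def _hash_field(raw: str) -> Optional[str]:
    """Normalise one hash field: None when empty, else upper-case hex."""
    raw = raw.strip().upper()
    if raw.startswith(NO_PASSWORD) or raw in (EMPTY_LM, EMPTY_NT, ""):
        return None
    if len(raw) != 32 or any(c not in "0123456789ABCDEF" for c in raw):
        raise ValueError(f"malformed hash field: {raw!r}")
    return raw


def parse_pwdump_line(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that are not records."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {
        "user": parts[0],
        "rid": int(parts[1]),
        "lm": _hash_field(parts[2]),
        "nt": _hash_field(parts[3]),
    }


def audit_pwdump(lines) -> dict:
    """Summarise the findings over an iterable of pwdump lines."""
    blank_nt, lm_present = [], []
    by_nt = defaultdict(list)
    for line in lines:
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        if rec["nt"] is None:
            blank_nt.append(rec["user"])          # account with an empty password
        if rec["lm"] is not None:
            lm_present.append(rec["user"])        # weak LM hash still stored
        if rec["nt"] is not None:
            by_nt[rec["nt"]].append(rec["user"])  # group accounts by NT hash
    shared = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"blank_nt": blank_nt, "lm_present": lm_present, "shared_nt": shared}


if __name__ == "__main__":
    for finding, value in audit_pwdump(SAMPLE_DUMP.splitlines()).items():
        print(f"{finding}: {value}")
```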
Lab: Creating the Rainbow Tables Using Winrtgen

Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes.

Lab Scenario

In computer and information security, the use of passwords is essential for users to protect their data and to ensure secured access to their system or machine. As users become increasingly aware of the need to adopt strong passwords, it also brings challenges to the protection of potential data. In this lab, we will discuss creating the rainbow table to crack the system users' passwords. In order to be an expert ethical hacker and penetration tester, you must understand how to create rainbow tables to crack the administrator password.

Lab Objectives

The objective of this lab is to help students learn how to create and use rainbow tables to perform system password hacking.

Lab Environment

To carry out the lab, you need:
■ Winrtgen tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
■ A computer running Windows Server 2012
■ You can also download the latest version of Winrtgen from the link http://www.oxid.it/projects.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool on Windows Server 2012
■ Administrative privileges to run this program

Lab Duration
Time: 10 Minutes

Note: You can also download Winrtgen from http://www.oxid.it/projects.html.

Overview of Rainbow Table

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering plaintext passwords, up to a certain length, consisting of a limited set of characters.

Lab Task

TASK 1: Generating Rainbow Table

1. Double-click the winrtgen.exe file. The main window of winrtgen is shown in the following figure.

FIGURE 6.1: winrtgen main window (Winrtgen v2.8 Rainbow Tables Generator by mao; buttons: Add Table, Remove, Remove All, About, OK, Exit)

Note: Rainbow tables are usually used to crack a lot of hash types such as NTLM, MD5, SHA1.

2. Click the Add Table button.
Note: You can also download Winrtgen from http://www.oxid.it/projects.html.

FIGURE 6.2: Creating the rainbow table

3. The Rainbow Table properties window appears:
   i. Select ntlm from the Hash drop-down list
   ii. Set the Min Len as 4, the Max Len as 9, and the Chain Count as 4000000
   iii. Select loweralpha from the Charset drop-down list (this depends on the password)
4. Click OK.

FIGURE 6.3: Selecting the Rainbow table properties (Hash: ntlm; Min Len: 4; Max Len: 9; Index: 0; Chain Len: 2400; Chain Count: 4000000; Charset: abcdefghijklmnopqrstuvwxyz; Key space: 5646683807856 keys; Disk space: 61.03 MB; Success probability: 0.001697 (0.17%))

5. A file will be created; click OK.
FIGURE 6.4: Alchemy Remote Executor progress tab window

6. Creating the hash table will take some time, depending on the selected hash and charset.

Note: To save time for the lab demonstration, the generated hash table is kept in the following folder: D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen

Note: You must be careful of your hard disk space. A simple rainbow table for 1-5 alphanumeric costs about 613 MB of your hard disk.

7. The created hash table is saved automatically in the folder containing winrtgen.exe.

FIGURE 6.5: Generated Rainbow table file (ntlm_loweralpha#4-6_0_2400x4000000_ox..., 62,500 KB, alongside charset.txt, winrtgen.exe and winrtgen.exe.sig)
Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Winrtgen
Information Collected/Objectives Achieved:
  Purpose: Creating a rainbow table with the loweralpha charset
  Output: Created rainbow table: ntlm_loweralpha#4-6_0_2400x4000000_ox...

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab: Password Cracking Using RainbowCrack

RainbowCrack is a computer program that generates rainbow tables to be used in password cracking.

Lab Scenario

Computer passwords are like locks on doors; they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop them. Most computer users do not realize how simple it is to access the login password for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is for someone to gain access to your computer? Windows is still the most popular operating system, and the method used to discover the login password is the easiest. A hacker uses password cracking utilities and cracks your system. That is how simple it is for someone to hack your password. It requires no technical skills, no laborious tasks, only simple words or programs. In order to be an ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we discuss how to crack guest user or administrator passwords using RainbowCrack.

Lab Objectives

The objective of this lab is to help students crack passwords to perform system password hacking.

Lab Environment

To carry out the lab, you need:
■ RainbowCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\RainbowCrack
■ A computer running Windows Server 2012
■ You can also download the latest version of RainbowCrack from the link http://project-rainbowcrack.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool on Windows Server 2012
■ Administrative privileges to run this program

Note: You can also download Winrtgen from http://www.oxid.it/projects.html.

Lab Duration
Time: 10 Minutes

Overview of RainbowCrack

RainbowCrack is a computer program that generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password.

Lab Task

TASK 1: Generating the Rainbow Table

1. Double-click the rcrack_gui.exe file. The main window of RainbowCrack is shown in the following figure.

Note: RainbowCrack for GPU is the hash cracking program in the RainbowCrack hash cracking utilities.

FIGURE 7.1: RainbowCrack main window

2. Click File, and then click Add Hash...
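The Winrtgen parameters in Figure 6.3 (ntlm, loweralpha, lengths 4 to 9, chain length 2400, 4,000,000 chains) and the time-memory tradeoff that RainbowCrack relies on, described above, can be worked through numerically. The script below is an added example, not code from Winrtgen or RainbowCrack; the .rt chain size and the coverage formula are assumptions noted in the comments, and it goes beyond the lab by running the same table against an 8-character printable-ASCII key space to show why a charset policy matters.

```python
"""Sizing the rainbow table configured in the Winrtgen lab (Figure 6.3:
ntlm, loweralpha, Min Len 4, Max Len 9, Chain Len 2400, Chain Count
4000000) and reading its coverage the way RainbowCrack's time-memory
trade-off depends on it.  Added example for this page, not code from
Winrtgen or RainbowCrack.  Assumptions: an .rt chain is stored as two
8-byte indexes (consistent with the 61.03 MB / 62,500 KB the lab shows),
and coverage uses the textbook single-table estimate 1 - exp(-m*t/N)
for m chains of length t over a key space of N.  Winrtgen displays
0.001697, a shade lower; the gap is consistent with a model that also
discounts merged chains (an assumption about Winrtgen, not lab text)."""
import math

LOWERALPHA = "abcdefghijklmnopqrstuvwxyz"
# 95 printable ASCII characters, used for the "what if" comparison below
PRINTABLE = "".join(chr(c) for c in range(32, 127))
RT_CHAIN_BYTES = 16  # 8-byte start point + 8-byte end point per chain


def key_space(charset: str, min_len: int, max_len: int) -> int:
    """Number of distinct plaintexts of length min_len..max_len over charset."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def table_size_mb(chain_count: int) -> float:
    """On-disk size of one .rt table holding chain_count chains."""
    return chain_count * RT_CHAIN_BYTES / (1024 * 1024)


def success_probability(chain_len: int, chain_count: int, n_keys: int) -> float:
    """Chance that a random password from the key space is covered by one table."""
    return 1.0 - math.exp(-(chain_len * chain_count) / n_keys)


def tables_for_coverage(target: float, chain_len: int, chain_count: int, n_keys: int) -> int:
    """Independent tables (different indexes) needed for cumulative coverage >= target."""
    p = success_probability(chain_len, chain_count, n_keys)
    # 1 - (1 - p)**k >= target  <=>  k >= log(1 - target) / log(1 - p)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def lab_summary(chain_len: int = 2400, chain_count: int = 4_000_000) -> dict:
    """The lab's table against its own key space, and the same table against
    a policy-compliant key space (8 printable characters) for comparison."""
    lab_keys = key_space(LOWERALPHA, 4, 9)
    policy_keys = key_space(PRINTABLE, 8, 8)
    return {
        "lab_key_space": lab_keys,
        "table_mb": round(table_size_mb(chain_count), 2),
        "lab_success": success_probability(chain_len, chain_count, lab_keys),
        "tables_for_50pct": tables_for_coverage(0.5, chain_len, chain_count, lab_keys),
        "policy_key_space": policy_keys,
        "policy_success": success_probability(chain_len, chain_count, policy_keys),
    }


if __name__ == "__main__":
    for name, value in lab_summary().items():
        print(f"{name}: {value}")
```

The 0.17% shown by Winrtgen is the chance that one lowercase password of length 4 to 9 falls inside this single 61 MB table; against 8-character mixed passwords the same table is essentially useless.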
FIGURE 7.2: Adding hash values (File menu: Add Hash..., Load Hashes from File..., Load LM Hashes from PWDUMP File..., Load NTLM Hashes from PWDUMP File..., Save Results...)

Note: RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight GPU brute forcing cracker.

3. The Add Hash window appears:
   i. Navigate to C:\ and open the hashes.txt file (which was already generated using Pwdump7 and saved at C:\hashes.txt in the previous lab, Lab 5).
   ii. Right-click and copy the hashes from the hashes.txt file.
   iii. Paste them into the Hash field, and give a comment (optional).
   iv. Click OK.

Note: RainbowCrack uses the time-memory tradeoff algorithm to crack hashes. It differs from the hash crackers that use a brute force algorithm.

FIGURE 7.3: Selecting the hashes
FIGURE 7.4: Adding hashes (Hash: 0CB6948805F797BF2A82807973B89537; Comment (optional): password)

4. The selected hash is added, as shown in the following figure.

FIGURE 7.5: Added hash shown in the window

Note: Fun time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup.

5. To add more hashes, repeat steps 2 and 3 (i, ii, iii, iv).
6. Added hashes are shown in the following figure.
Note: RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per se; some organizations have endeavored to make RainbowCrack's rainbow tables available free over the Internet.

FIGURE 7.6: Added hashes in the window

7. Click Rainbow Table from the menu bar, and click Search Rainbow Table...

Note: The RainbowCrack for GPU software uses a GPU from NVIDIA for computing, instead of the CPU. By offloading computation tasks to the GPU, the RainbowCrack for GPU software can be tens of times faster than the non-GPU version.

8. Browse to the rainbow table that was already generated in the previous lab, which is located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen.
9. Click Open.
Note: A time-memory tradeoff hash cracker needs a pre-computation stage, at which time all plaintext/hash pairs within the selected hash algorithm, charset and plaintext length are computed and the results are stored in files called rainbow tables.

FIGURE 7.8: Open dialog selecting ntlm_loweralpha#4-6_0_2400x4000000_oxid.rt (file type: Rainbow Tables (*.rt;*.rtc))

10. It will crack the password, as shown in the following figure.

Note: RainbowCrack focuses on the development of an optimized time-memory tradeoff implementation, and generation of large rainbow tables.

FIGURE 7.9: Added Hashes in the window (results: both 0cb6948805f797bf2a82807973b89537 entries resolve to test, 488cdcdd2225312793ed6967b28c1025 to green, 5ebe7dfa074da8ee8aef1faa2bbde876 to apple, and a further hash to qwerty; the entries for c25510219f66f9f12fc9be662a67b960 and 2d20d252a479f485cdf5e171d93985bf still show ?; the statistics pane lists chain traverse and alarm check times and speeds)

Lab Analysis

Analyze and document the results related to the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: RainbowCrack
Information Collected/Objectives Achieved:
  Hashes:
  ■ Administrator
  ■ Guest
  ■ Languard
  ■ Martin
  ■ Juggyboy
  ■ Jason
  ■ Shiela
  Password Cracked:
  ■ test
  ■ test
  ■ green
  ■ apple
  ■ qwerty

Questions
1. What kind of hashes does RainbowCrack support?

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab: Extracting Administrator Passwords Using L0phtCrack

L0phtCrack is packed with powerful features, such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. It can import and crack UNIX password files and remote Windows machines.

Lab Scenario

Since security and compliance are high priorities for most organizations, attacks on a company or organization's computer systems take many different forms, such as spoofing, smurfing, and other types of denial-of-service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems. Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. In this lab we will look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. Through an examination of several scenarios, in this lab we describe some of the techniques they deploy and the tools that aid them in their assaults, and how password crackers work both internally and externally to violate a company's infrastructure. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we crack the system user accounts using L0phtCrack.

Lab Objectives

The lab teaches you how to:
■ Use the L0phtCrack tool
■ Crack administrator passwords
Lab Environment
To carry out the lab you need:
■ L0phtCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\L0phtCrack
■ Run this tool on Windows Server 2012 (host machine)
■ You can also download the latest version of L0phtCrack from http://www.l0phtcrack.com
■ Administrative privileges to run tools
■ Follow the wizard-driven installation instructions
■ TCP/IP settings correctly configured and an accessible DNS server
■ This tool requires the user to register; you can also use the evaluation version for a limited period of time

Lab Duration
Time: 10 Minutes

Overview of L0phtCrack
L0phtCrack provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.

Lab Tasks
TASK 1: Cracking Administrator Password
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the L0phtCrack6 app to open the L0phtCrack6 window.
FIGURE 8.2: Windows Server 2012 - Apps

Note: L0phtCrack supports pre-computed password hashes.

3. Launch L0phtCrack, and in the L0phtCrack Wizard, click Next.

FIGURE 8.3: Welcome screen of the L0phtCrack Wizard

Note: L0phtCrack can also crack UNIX password files.

4. Choose Retrieve from the local machine in the Get Encrypted Passwords wizard and click Next.
FIGURE 8.4: Selecting the password from the local machine (the dialog offers four retrieval methods: from the local machine's registry, from a remote machine on the domain, from a SAM/SYSTEM backup, or by sniffing the local network; administrator access is required for the first two)

Note: L0phtCrack has a built-in ability to import passwords from remote Windows machines, including 64-bit versions of Vista and Windows 7, and from UNIX machines, without requiring a third-party utility.

5. Choose Strong Password Audit from the Choose Auditing Method wizard and click Next.

FIGURE 8.5: Choose a strong password audit

6. In Pick Reporting Style, select all of the display options, including Display encrypted password hashes.
7. Click Next.
Note: L0phtCrack offers remediation assistance to system administrators.

FIGURE 8.6: Pick Reporting Style

8. Click Finish.

Note: L0phtCrack has real-time reporting that is displayed in a separate, tabbed interface.

FIGURE 8.7: Begin Auditing (summary of the selected settings to confirm before the audit starts)

9. L0phtCrack6 shows an Audit Completed message; click OK.
10. Click Session Options from the menu bar.
FIGURE 8.8: Selecting Session Options (the Cracked Accounts pane lists the imported accounts Administrator, Guest, Jason, Juggyboy, LANGUARD_11_USER and Martin, each with the LM hash reported as missing; the Messages pane logs the import and audit events)

Note: L0phtCrack uses Dictionary, Hybrid, Precomputed, and Brute Force password auditing methods.

11. The Auditing Options For This Session window appears:
  i. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary Crack.
  ii. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary/Brute Hybrid Crack.
  iii. Select the Enabled and Crack NTLM Passwords check boxes in Brute Force Crack.
  iv. Select the Enable Brute Force Minimum Character Count check box.
  v. Select the Enable Brute Force Maximum Character Count check box.
12. Click OK.
FIGURE 8.9: Selecting the auditing options (the dialog describes the four methods: the Dictionary Crack tests for passwords identical to words in the word file and is very fast; the Dictionary/Brute Hybrid Crack tests for variations of those words, such as Dana99 or monkeys!, and finds weak passwords; the Precomputed Crack, also known as rainbow tables, tests against precomputed hashes and works against LM and NTLM but not Unix; the Brute Force Crack tests every combination of the specified character set, is slow, and finds medium to strong passwords)

13. Click Begin from the menu bar.
L0phtCrack cracks the administrator password.

14. A report is generated with the cracked passwords.

FIGURE 8.10: Generated cracked passwords
Lab Analysis
Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: L0phtCrack
Information Collected/Objectives Achieved:
User Names: Administrator, Guest, Jason, Juggyboy, LANGUARD_11_USER, Martin
Passwords Found: qwerty, green, apple

Questions
1. What are the alternatives to cracking administrator passwords?
2. Why is a brute force attack used in the L0phtCrack tool?

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Lab: Password Cracking Using Ophcrack

Ophcrack is a free open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables.

Lab Scenario
In a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose well-chosen secrets (which are likely to be difficult to remember), the basic idea is to ensure that the data available to the attacker is sufficiently unpredictable to prevent off-line verification of whether a guess is successful or not. We examine common forms of guessing attacks and password cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Poorly chosen passwords are vulnerable to attacks based upon copying information.

In order to be an expert ethical hacker and penetration tester, you must understand how to crack weak administrator or system user account passwords using password cracking tools. In this lab we show you how to crack system user accounts using Ophcrack.

Lab Objectives
The objective of this lab is to help students learn to:
■ Use the Ophcrack tool
■ Crack administrator passwords

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab, you need:
■ Ophcrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack
■ Run this tool on Windows Server 2012 (host machine)
■ You can also download the latest version of Ophcrack from http://ophcrack.sourceforge.net/
■ Administrative privileges to run tools
■ Follow the wizard-driven installation instructions

Lab Duration
Time: 15 Minutes

Overview of Ophcrack
Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. By default, Ophcrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters.

Lab Tasks
TASK 1: Cracking the Password
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 9.1: Windows Server 2012 - Desktop view

2. Click the Ophcrack app to open the Ophcrack window.

Note: You can also download Ophcrack from http://ophcrack.sourceforge.net.

FIGURE 9.2: Windows Server 2012 - Apps

3. The Ophcrack main window appears.
FIGURE 9.3: Ophcrack main window

4. Click Load, and then click PWDUMP file.

FIGURE 9.4: Selecting PWDUMP file (the Load menu offers Single hash, PWDUMP file, Session file, Encrypted SAM, Local SAM with samdump2, Local SAM with pwdump6, and Remote SAM)

5. Browse to the PWDUMP file that was already generated with PWDUMP7 in the previous lab (located at c:\hashes.txt).
6. Click Open.
FIGURE 9.5: Importing the hashes from the PWDUMP file

Note: Ophcrack is available as Live CD distributions, which automate the retrieval, decryption, and cracking of passwords from a Windows system.

7. The loaded hashes are shown in the following figure.

FIGURE 9.6: Hashes are added (the table lists the NT hash of each user: Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason, and Shiela)

Note: Ophcrack cracks LM and NTLM Windows hashes.

8. Click Tables. The Table Selection window appears as shown in the following figure.
FIGURE 9.7: Selecting the rainbow table (the Table Selection list shows, for each table, whether it is enabled, disabled, or not installed: XP free fast, XP free small, XP special, XP german v1, XP german v2, Vista special, Vista free, Vista nine, Vista eight, Vista num, Vista seven, Vista eight XL, and XP flash)

Note: You can download the free XP Rainbow Tables and Vista Rainbow Tables from http://ophcrack.sourceforge.net/tables.php

9. Select Vista free, and click Install.

FIGURE 9.8: Installing the Vista free rainbow table
10. The Browse For Folder window appears; select the tables_vista_free folder (already downloaded and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack).
11. Click OK.

Note: Free tables are available for Windows XP, Vista and 7.

12. The selected table Vista free is installed; it shows a green ball, which means it is enabled. Click OK.

Note: Ophcrack loads hashes from an encrypted SAM recovered from a Windows partition.

FIGURE 9.9: Vista free rainbow table installed successfully

13. Click Crack; it cracks the passwords as shown in the following figure.
Note: Cracking the NT hash is necessary if the generation of the LM hash is disabled (the default for Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).

FIGURE 9.10: Passwords are cracked (the NT Pwd column shows apple, green, qwerty, and test for Martin, Juggyboy, Jason, and Shiela; the Vista free table is loaded 100% in RAM)

Lab Analysis
Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Ophcrack
Information Collected/Objectives Achieved:
User Names: Administrator, Guest, LANGUARD_11_USER, Martin, Juggyboy, Jason, Shiela
Rainbow Table Used: Vista free
Passwords Found: apple, green, qwerty, test
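As an added example (not code from the lab manual, Ophcrack or L0phtCrack), the script below parses a PWDUMP-format dump like the c:\hashes.txt loaded in step 5 and applies, from the defender's side, the checks the notes above motivate: which accounts still have an LM hash stored (the target of the bundled alphanumeric rainbow tables), which carry the NT hash of the empty password, and which share an identical NT hash. The sample dump, its RIDs and all non-empty hash values are constructed placeholders; only the two empty-hash constants are real, well-known values.

```python
"""Added example (not part of the CEH lab manual or of Ophcrack/L0phtCrack):
a small defender-side audit of a PWDUMP-format hash dump such as the
c:\\hashes.txt file the lab loads into Ophcrack.

The two constants are well-known values. Every other hash in the sample is a
constructed placeholder, not a real hash of any password.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# LM field written when no LM hash is stored (LM generation disabled, or the
# password is longer than 14 characters), and the NT hash of the empty password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump in pwdump format: user:RID:LM hash:NT hash:::
# A comment and a malformed line are included to show that they are skipped.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Martin:1003:fedcba9876543210fedcba9876543210:00112233445566778899aabbccddeeff:::
Juggyboy:1004:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
Jason:1005:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
# lines that do not parse are skipped rather than aborting the audit
Broken:1006:not-a-hash
"""


@dataclass
class HashEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def lm_hash_stored(self) -> bool:
        """True when a real LM hash is present: it is crackable with the
        alphanumeric rainbow tables bundled with Ophcrack."""
        return self.lm_hash != EMPTY_LM_HASH

    @property
    def empty_password(self) -> bool:
        return self.nt_hash == EMPTY_NT_HASH


def parse_pwdump_line(line: str) -> Optional[HashEntry]:
    """Parse one pwdump line; return None for blanks, comments and bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4 or not fields[1].isdigit():
        return None
    lm_hash, nt_hash = fields[2].lower(), fields[3].lower()
    if len(lm_hash) != 32 or len(nt_hash) != 32:
        return None
    return HashEntry(fields[0], int(fields[1]), lm_hash, nt_hash)


def parse_pwdump(text: str) -> List[HashEntry]:
    entries = []
    for line in text.splitlines():
        entry = parse_pwdump_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def audit(entries: List[HashEntry]) -> Dict[str, list]:
    """Group the findings a defender would remediate after an Ophcrack run.

    shared_nt_hash groups accounts whose NT hashes are identical: NT hashes
    are unsalted, so identical hashes mean identical passwords."""
    by_nt_hash: Dict[str, List[str]] = {}
    for entry in entries:
        by_nt_hash.setdefault(entry.nt_hash, []).append(entry.user)
    return {
        "lm_hash_stored": [e.user for e in entries if e.lm_hash_stored],
        "empty_password": [e.user for e in entries if e.empty_password],
        "shared_nt_hash": [users for users in by_nt_hash.values() if len(users) > 1],
    }


if __name__ == "__main__":
    findings = audit(parse_pwdump(SAMPLE_PWDUMP))
    for kind, hits in findings.items():
        print(f"{kind}: {hits if hits else 'none'}")
```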
Questions
1. What are the alternatives to cracking administrator passwords?

Internet Connection Required: No
Platform Supported: Classroom, iLabs
Lab: System Monitoring Using RemoteExec

System hacking is the science of testing computers and networks for vulnerabilities and plug-ins.

Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

You should also have knowledge of gaining access, escalating privileges, executing applications, hiding files, and covering tracks.

Lab Objectives
The objective of this lab is to help students learn how to:
■ Modify, add, or delete registry keys and/or values
■ Install service packs, patches, and hotfixes
■ Copy folders and files
■ Run programs, scripts, and applications
■ Deploy Windows Installer packages in silent mode

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking

Lab Environment
To carry out the lab, you need:
■ RemoteExec tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\RemoteExec
■ Windows Server 2008 running on the virtual machine
■ Follow the wizard-driven installation steps
■ You can also download the latest version of RemoteExec from http://www.isdecisions.com/en
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of RemoteExec
RemoteExec, the universal deployer for Microsoft Windows systems, allows network administrators to run tasks remotely.

Lab Tasks
TASK 1: Monitoring System
1. Install and launch RemoteExec.

FIGURE 10.1: RemoteExec main window (the home page offers Remote jobs, Reporter, Scheduler, and Options)

Note: System Requirements: Target computers can have any of these operating systems: Microsoft Windows 2003/2008 (no Service Pack is required); an administration console with Microsoft Windows 2003/2008 Service Pack 6, IE5 or more.

2. To configure executing a file, double-click Remote jobs.
Note: RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (WAN) as well as on remote machines.

Note: Remote execution requirements: The account running RemoteExec needs administrative rights on target computers. Microsoft file and printer sharing (SMB, TCP 445) and ICMP (ping) should be enabled. These protocols also need to be allowed in any firewall between the administration console and target computers.

FIGURE 10.2: RemoteExec configuring Remote jobs

3. To execute a New Remote job, double-click the New Remote job option, which configures and executes a new remote job.

FIGURE 10.3: RemoteExec configuring New Remote job (the Remote jobs page offers New remote job, My Remote Jobs, My Remote Actions, and My Target Computers)

Note: Configure files to be generated: You see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, "Document generation," is available to specify the output files. Select a PDF file to be generated in an existing folder. Make sure that the account running the task has write access to this folder.

4. In the New Remote job configuration you can view the different categories available for working remotely.
5. Here, as an example, we use the File execution option. To execute, double-click File Execution.
FIGURE 10.4: RemoteExec configuring File Execution (the New remote job categories are File execution, Update installation, MSI installation, System action, File operation, Local account maintenance, Popup, and Multiple actions)

6. In the File execution settings, browse to the executable file, select Interactive from the Context drop-down list, and check the Auto option.

Note: Using RemoteExec, you can install patches, service packs, and hotfixes; deploy Windows Installer packages in silent mode; run applications, programs, and scripts; and copy files and folders.

FIGURE 10.5: RemoteExec File execution settings

Note: Automated reports: You may want to get all these reports automatically by email each time a scheduled attempt has been done. To do this, follow the steps below.

7. Configuring the Filter section:
  a. For the OS version, select = from the drop-down menu and specify the operating system.
  b. For the OS level, select = from the drop-down menu and select Workstation.
  c. For the IE version, select >= from the drop-down menu and specify the IE version.
  d. For the Service Pack, select = from the drop-down menu and specify the service pack version.

Note: Once installed, RemoteExec and its documentation are accessible through the Windows Start menu. By default, RemoteExec is installed in evaluation mode.

FIGURE 10.6: RemoteExec Filter tab

Note: The remote job was automatically set with the filter option "Don't execute again on a computer where the action was already executed." So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.

8. Selecting a Target Computer: Enter the target computer name manually by selecting Name from the drop-down list and clicking OK.

Note: Configure the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select the latest execution, the report is always generated for the latest execution.

FIGURE 10.7: RemoteExec Add/Edit a computer

9. To execute the defined action on the remote computer, click the Launch option in the right pane of the window.
