CEH - Module 5 : System Hacking (version 7)

Published in: Technology


  1. Module 5: System Hacking
  2. Module Flow: Password Cracking; Password Cracking Techniques; Types of Password Attacks; Automatic Password Cracking Algorithm; Privilege Escalation; Executing Applications; Keylogger; Spyware; Rootkits; Detecting Rootkits; NTFS Data Stream; What is Steganography?; Steganalysis; Covering Tracks.
  3. Information at Hand Before the System Hacking Stage. What you have at this stage: from the Footprinting module: IP range, namespace, employee web usage; from the Scanning module: target assessment, identification of services, identification of systems; from the Enumeration module: intrusive probing, user lists, security flaws. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  4. System Hacking: Goals (Hacking Stage | Goal | Technique/Exploit Used):
     Gaining Access | To collect enough information to gain access | Password eavesdropping, brute forcing
     Escalating Privileges | To create a privileged user account if only user-level access is obtained | Password cracking, known exploits
     Executing Applications | To create and maintain backdoor access | Trojans
     Hiding Files | To hide malicious files | Rootkits
     Covering Tracks | To hide the presence of compromise | Clearing logs
  5. CEH Hacking Methodology (CHM): Footprinting; System Hacking (Gaining Access, Maintaining Access); Covering Tracks (Clearing Logs).
  6. CEH System Hacking Steps: Cracking Passwords, Escalating Privileges, Executing Applications, Hiding Files, Covering Tracks, Penetration Testing.
  7. Password Cracking. Attackers use password cracking techniques to gain unauthorized access to the vulnerable system. Most password cracking techniques succeed because of weak or easily guessable passwords.
  8. Password Complexity (examples of character classes): letters, special characters and numbers: ap1@52; only numbers: 23698217; only special characters: &*#@!(%); letters and numbers: meet123; only letters: POTHMYDE; only letters and special characters: bob@&ba; only special characters and numbers: 123@$45. The more character classes a password draws on, the larger the space an attacker has to search.
  9. Password Cracking Techniques. Dictionary attack: a dictionary file is loaded into the cracking application and run against the user accounts. Brute force attack: the program tries every combination of characters until the password is broken. Hybrid attack: works like a dictionary attack but adds numbers and symbols to the words from the dictionary. Syllable attack: a combination of the brute force attack and the dictionary attack. Rule-based attack: used when the attacker already has some information about the password (its length, character set or structure).
  10. Types of Password Attacks.
  11. Passive Online Attacks: Wire Sniffing. Attackers run packet sniffer tools on the LAN to access and record the raw network traffic. The captured data may include passwords sent to remote systems during Telnet, FTP and rlogin sessions, and electronic mail sent and received; all of these are cleartext protocols.
  12. Password Sniffing. Sniff credentials off the wire while a user logs in to a server and then replay them to gain access. If an attacker is able to eavesdrop on Windows logins, this approach can spare a lot of random guesswork; password guessing is a tough task.
  13. Passive Online Attack: Man-in-the-Middle and Replay Attack. In an MITM attack, the attacker acquires access to the communication channel between victim and server to extract the information. In a replay attack, packets and authentication tokens are captured using a sniffer; after the relevant information is extracted, the tokens are placed back on the network to gain access. Considerations: 1. Relatively hard to perpetrate. 2. Must be trusted by one or both sides. 3. Can sometimes be broken by invalidating traffic (a fresh server challenge, for instance, makes a replayed response fail).
  14. Active Online Attack: Password Guessing. The attacker takes a set of dictionary words and names and tries all the possible combinations to crack the password. Considerations: time consuming; requires huge amounts of network bandwidth; easily detected, since every failed logon lands in the server's logs and can trigger account lockout.
  15. Active Online Attack: Trojan/Spyware/Keylogger. Spyware is a type of malware that allows attackers to secretly gather information about a person or organization. A keylogger is a program that runs in the background and allows remote attackers to record every keystroke. With the help of a Trojan, an attacker gets access to the stored passwords on the attacked computer and is able to read personal documents, delete files, and display pictures.
  16. Active Online Attack: Hash Injection Attack. A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to authenticate to network resources. The attacker finds and extracts a logged-on domain admin account hash, then uses the extracted hash to log on to the domain controller. The hash is a password equivalent: NTLM authentication never needs the cleartext password.
  17. Rainbow Attacks (Pre-Computed Hash Tables). Rainbow table: convert huge word lists such as dictionary files and brute force lists into password hashes using techniques such as rainbow tables. Compute the hash: compute the hash for a list of possible passwords and compare it with the precomputed hash table; if a match is found, the password is cracked. Easy to recover: it is easy to recover passwords by comparing captured password hashes to the precomputed tables. Example entries (plaintext -> hash, truncated on the slide): 1qazwed -> 4259cc34599c53..., hh021da -> c744b1716cbf8d..., 9da8dasf -> 3cd696a8571a84..., sodifo8sf -> 7ad7d6fa6bb4fd2...
  18. Distributed Network Attack. 1. A Distributed Network Attack (DNA) technique is used for recovering password-protected files using the unused processing power of machines across the network to decrypt passwords. 2. In this attack, a DNA manager is installed in a central location where machines running DNA clients can access it over the network. The DNA Manager coordinates the attack and allocates small portions of the key search to machines distributed over the network; the DNA Client runs in the background, consuming only unused processor time.
  19. Elcomsoft Distributed Password Recovery, http://www.elcomsoft.com
  20. Non-Electronic Attacks. Shoulder surfing: looking at either the user's keyboard or screen while he/she is logging in. Dumpster diving: searching for sensitive information in the user's trash bins, printer trash bins, and on the user's desk for sticky notes. Social engineering: convincing people to reveal information.
  21. Default Passwords. A default password is a password supplied by the manufacturer with new equipment that is password protected. Online tools can be used to search default passwords (listed by vendor, model, version, access type, username and password): http://www.phenoelit-us.org, http://www.defaultpassword.com, http://www.passwordsdatabase.com, http://default-password.info
  22. Manual Password Cracking (Guessing)
  23. Automatic Password Cracking Algorithm: 1. Find a valid user. 2. Find the algorithm used for encryption (in practice a one-way hash). 3. Obtain the encrypted passwords. 4. Create a list of the possible passwords. 5. Encrypt each word. 6. Verify whether there is a match for each user ID.
  24. Stealing Passwords Using a USB Drive. The attacker copies a password-extraction tool to a USB drive together with an autorun.inf that starts a batch file (launch.bat). When the drive is inserted into the user's computer, the batch file is executed, extracts the stored user passwords, and saves them to the drive for the attacker.
  25. Microsoft Authentication. SAM Database: Windows stores user passwords in the Security Accounts Manager database (SAM), or in the Active Directory database in domains. Passwords are never stored in clear text; they are hashed and the results are stored in the SAM. NTLM Authentication: the NTLM authentication protocol consists of two authentication protocols, the NTLM and the LM authentication protocol. These protocols use different hashing methods to store a user's password in the SAM database. Kerberos Authentication: Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM.
  26. How Are Hashed Passwords Stored in the Windows SAM? The SAM file is located at C:\Windows\System32\config\SAM. Each entry has the form Username:User ID:LM Hash:NTLM Hash (the pwdump format), for example Martin:1008:624AAC413795CDC14E835F1CD90F4C76:…::: for the password "magician". LM hashing has been disabled in Windows Vista and Windows 7; the LM field is blank on those systems.
  27. What is the LAN Manager Hash? The LM hash or LAN Manager hash is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store user passwords that are less than 15 characters long. When a password is encrypted with the LM algorithm, all the letters are converted to uppercase: 123456QWERTY. The password is padded with null (blank) characters to make it 14 characters in length: 123456QWERTY__. Before encryption, the 14-character string is split in half: 123456Q and WERTY__. Each string is individually encrypted and the results are concatenated: 123456Q = 6BF11E04AFAB197F, WERTY__ = F1E9FFDCC75575B15. The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15. Note: LM hashing has been disabled in Windows Vista and Windows 7.
  28. What is the LAN Manager Hash? (continued) The first 8 bytes are derived from the first 7 characters of the password and the second 8 bytes are derived from characters 8 through 14 of the password. If the password is 7 characters or fewer, the second half will always be 0xAAD3B435B51404EE (the LM encryption of seven null characters). Suppose, for this example, the user's password has an LM hash of 0xC23413A8A1E7665FAAD3B435B51404EE: the second half shows at once that the password is at most 7 characters long, and LC5 cracks the password as "WELCOME". Note: LM hashing has been disabled in Windows Vista and Windows 7. NTLMv2 is a challenge/response authentication protocol that offers improved security over the obsolete LM protocol.
  29. LM Hash Generation: the password is converted to uppercase and padded with NULL to 14 characters, then separated into two 7-character strings; each 7-character string is used as a DES key to encrypt a constant (the string KGS!@#$%), and the two 8-byte DES outputs are concatenated to form the LM hash.
  30. LM, NTLMv1, and NTLMv2 (Attribute | LM | NTLMv1 | NTLMv2):
     Password case sensitive | No | Yes | Yes
     Hash key length | 56 bit + 56 bit | - | -
     Password hash algorithm | DES (ECB mode) | MD4 | MD4 (NT hash; the NTLMv2 response key is derived from it with HMAC-MD5)
     Hash value length | 64 bit + 64 bit | 128 bit | 128 bit
     C/R key length | 56 bit + 56 bit + 16 bit | 56 bit + 56 bit + 16 bit | 128 bit
     C/R algorithm | DES (ECB mode) | DES (ECB mode) | HMAC-MD5
     C/R value length | 64 bit + 64 bit + 64 bit | 64 bit + 64 bit + 64 bit | 128 bit
  31. NTLM Authentication Process (user Martin logging on to a domain): 1. The user types the password and Windows runs it through the hash algorithm. 2. The computer sends a logon request to the domain controller (DC). 3. The DC sends back a random challenge (shown on the slide as "Aa t8 ppq kqj89 pqr"). 4. The computer encrypts the challenge with the user's hashed password and sends the response to the DC. 5. The DC looks up the user's hashed password and computes its own response to the challenge. 6. The DC compares the computer's response with the response it created with its own hash; if they match, the logon succeeds. Note: Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM.
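The challenge/response exchange of slide 31, written out for NTLMv2 (the HMAC-MD5 variant in the table on slide 30) from both the client's and the domain controller's side. This is an added example, not code from the CEH slides; it follows the MS-NLMP NTOWFv2/NtProofStr construction but uses a simplified client blob without the target-info AV pairs a real client appends (an assumption made to keep the example short). The NT hash constant is the well-known hash of the password "password"; the challenge, nonce and timestamp are constructed values. Because the only secret that enters the computation is the NT hash, the block also shows why the hash injection attack of slide 16 works and why the replay of slide 13 does not.

```python
"""NTLMv2 challenge/response, client and DC sides (added example; not from the CEH slides)."""
import hashlib
import hmac
import struct

# Well-known NT hash (MD4 of UTF-16LE) of the password "password".
NT_HASH_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over
    UPPER(user) + domain in UTF-16LE (MS-NLMP NTOWFv2)."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, msg, hashlib.md5).digest()


def client_blob(timestamp: int, client_nonce: bytes) -> bytes:
    """Simplified NTLMv2 client challenge ("temp"): version bytes, reserved,
    FILETIME timestamp, 8-byte client nonce, reserved. Real clients also
    append target-info AV pairs; omitted here (assumption)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """Client side (slide 31, step 4): NtProofStr = HMAC-MD5(key, challenge || temp);
    the response on the wire is NtProofStr || temp."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def dc_verify(stored_nt_hash: bytes, user: str, domain: str,
              server_challenge: bytes, response: bytes) -> bool:
    """Domain controller side (slide 31, steps 5-6): recompute the proof from
    the stored hash and the challenge it issued; compare in constant time."""
    if len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, proof)


# CONSTRUCTED exchange values; a real DC draws a fresh random 8-byte challenge.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = client_blob(timestamp=132_000_000_000_000_000,
                   client_nonce=bytes.fromhex("aabbccddeeff0011"))


def run_exchange():
    """Returns (genuine_logon, pass_the_hash, wrong_hash, replayed) verdicts."""
    user, domain = "martin", "CORP"
    resp = ntlmv2_response(NT_HASH_PASSWORD, user, domain, SERVER_CHALLENGE, BLOB)
    genuine = dc_verify(NT_HASH_PASSWORD, user, domain, SERVER_CHALLENGE, resp)

    # Hash injection (slide 16): with only the NT hash, never the password,
    # an attacker answers a brand-new challenge in a session of their own.
    new_challenge = bytes.fromhex("fedcba9876543210")
    forged = ntlmv2_response(NT_HASH_PASSWORD, user, domain, new_challenge,
                             client_blob(132_000_000_000_000_001,
                                         bytes.fromhex("0011223344556677")))
    pass_the_hash = dc_verify(NT_HASH_PASSWORD, user, domain, new_challenge, forged)

    # A different stored hash (wrong password) fails.
    wrong_hash = dc_verify(bytes(16), user, domain, SERVER_CHALLENGE, resp)

    # Replay (slide 13): the sniffed response is bound to the old challenge.
    replayed = dc_verify(NT_HASH_PASSWORD, user, domain, new_challenge, resp)
    return genuine, pass_the_hash, wrong_hash, replayed


if __name__ == "__main__":
    print(run_exchange())
```

The replay verdict is the one worth noting against slide 12: sniffing a Windows logon yields a response tied to one challenge, so on its own it cannot be played back, but the hash behind it can be attacked offline, and once recovered (or dumped directly from the SAM or LSASS) it is as good as the password.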
  32. Kerberos Authentication. The Key Distribution Center (KDC, here running on Windows Server 2008) hosts the Authentication Server and the Ticket Granting Server. 1. Request to the authentication server. 2. Reply of the authentication server. 3. Request to the ticket-granting server for a service ticket. 4. Reply of the ticket-granting server to the client's request. 5. Request to the application server to access the service. 6. Reply of the application server to prove it really is the server the client is expecting.
  33. Salting. The salting technique prevents deriving passwords from the password file: the stored representation differs even when the password is the same. Advantage: defeats pre-computed hash attacks. Example: Alice:r00t:b4ef213ba4303ce24a83fe0317608de01bf38d and Bob:r00t:39c4c3f3282abd03083235f0349dc7232c3493c… have the same password but different hashes. Note: Windows password hashes are not salted.
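Slide 33's claim, and the reason the precomputed tables of slide 17 work against the SAM at all, as an added example that is not part of the CEH slides. It assumes SHA-256 from the standard library as the hash (the slide does not name one), a constructed password file with two users sharing the password r00t, and fixed per-user salts so the run is reproducible; in a real system each salt is a random value stored next to the hash.

```python
"""Precomputed lookup vs. salted hashes (added example; not from the CEH slides)."""
import hashlib

WORDLIST = ["password", "letmein", "r00t", "admin"]      # constructed dictionary


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # salt || password: the salt need not be secret, only unique per user
    return hashlib.sha256(salt + password.encode()).hexdigest()


# CONSTRUCTED password file. Alice and Bob share the password "r00t".
# Fixed salts keep the example reproducible; use os.urandom(16) in practice.
SALTS = {"alice": bytes.fromhex("b4ef2133"), "bob": bytes.fromhex("39c4c3f3"),
         "carol": bytes.fromhex("a483b303")}
_PASSWORDS = {"alice": "r00t", "bob": "r00t", "carol": "correct horse battery staple"}
UNSALTED_RECORDS = [(u, unsalted_hash(p)) for u, p in _PASSWORDS.items()]
SALTED_RECORDS = [(u, SALTS[u], salted_hash(p, SALTS[u])) for u, p in _PASSWORDS.items()]


def identical_hashes(records, user_a: str, user_b: str) -> bool:
    """Slide 33's point: the last field is the hash; equal passwords collide only without salt."""
    by_user = {rec[0]: rec[-1] for rec in records}
    return by_user[user_a] == by_user[user_b]


def build_table(wordlist) -> dict:
    """Precompute once: hash -> plaintext. A rainbow table is a compressed form of this."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(records, wordlist):
    """One table serves every user; cost is len(wordlist) hashes in total,
    however many accounts the dump holds (the Windows SAM situation)."""
    table = build_table(wordlist)
    found = {user: table[h] for user, h in records if h in table}
    return found, len(wordlist)


def crack_salted(records, wordlist):
    """The table is useless: each user's salt forces a fresh pass over the
    wordlist, so the cost scales with the number of accounts."""
    found, hash_ops = {}, 0
    for user, salt, h in records:
        for guess in wordlist:
            hash_ops += 1
            if salted_hash(guess, salt) == h:
                found[user] = guess
                break
    return found, hash_ops


if __name__ == "__main__":
    print("same hash without salt:", identical_hashes(UNSALTED_RECORDS, "alice", "bob"))
    print("same hash with salt:   ", identical_hashes(SALTED_RECORDS, "alice", "bob"))
    print("unsalted:", crack_unsalted(UNSALTED_RECORDS, WORDLIST))
    print("salted:  ", crack_salted(SALTED_RECORDS, WORDLIST))
```

Both attacks recover the same two weak passwords; the difference is the bill. The unsalted run pays for the wordlist once and can be shared across every dump the attacker will ever see, which is what makes buying or downloading rainbow tables worthwhile. The salted run pays per account and cannot be precomputed, and a deliberately slow hash (bcrypt, scrypt, PBKDF2) raises the per-guess cost further.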
  34. pwdump7 and fgdump. pwdump7.exe dumps the password hashes from the local SAM. fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -p l4mep4ssw0rd dumps a remote machine (192.168.0.10) using a specified user; the account needs administrative rights on the target.
  35. L0phtCrack, http://www.l0phtcrack.com (audits the dumped LM/NTLM hashes with dictionary and hybrid attacks).
  36. Ophcrack, http://ophcrack.sourceforge.net (rainbow table cracker; loads the SAM and lists, per user, the LM hash, the NT hash and the recovered password).
  38. RainbowCrack, http://project-rainbowcrack.com (looks up captured hashes, such as the Administrator, HelpAssistant, Jason, John and Martin entries from the SAM dump, in precomputed rainbow tables).
  39. Password Cracking Tools: John the Ripper (http://www.openwall.com); Proactive System Password Recovery (http://www.elcomsoft.com); KerbCrack (http://ntsecurity.nu); Password Unlocker Bundle (http://www.passwordunlocker.com); Windows Password Reset Professional (http://www.resetwindowspassword.com); Recover Keys (http://recoverkeys.com); Windows Password Reset Standard; Windows Password Cracker.
  40. Password Cracking Tools (continued): krbpwguess (http://www.cqure.net); RockXP; Windows Password Unlocker (http://www.passwordunlocker.com); PasswordsPro; Passware Kit Enterprise (http://www.lostpassword.com); WinPassword; LSASecretsView (http://www.nirsoft.net); LCP (http://www.lcpsoft.com).
  41. LM Hash Backward Compatibility. Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect from computers running earlier versions of Windows. Older Windows clients do not use Kerberos for authentication. For backward compatibility, Windows 2000 and Windows Server 2003 support: LAN Manager (LM) authentication; Windows NT (NTLM) authentication; NTLM version 2 (NTLMv2) authentication.
  42. How to Disable the LM Hash. Method 1: Implement the NoLMHash policy by using Group Policy: enable "Network security: Do not store LAN Manager hash value on next password change" under Local Security Policy -> Security Options. Method 2: Implement the NoLMHash policy by editing the registry: locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and add NoLMHash (a subkey on Windows 2000; a DWORD value set to 1 on Windows XP, Windows Server 2003 and later). Method 3: Use a password that is at least 15 characters long: no LM hash is generated when the password is longer than 14 characters. With all three methods the LM hash already stored for an account is only removed at that account's next password change.
  43. How to Defend against Password Cracking? Make passwords hard to guess by using 8-12 alphanumeric characters in a combination of uppercase and lowercase letters, numbers, and symbols. Do not reuse the same password during a password change. Set the password change policy to 30 days. Monitor the server's logs for brute force attacks on the user accounts. Avoid storing passwords in an unsecured location. Do not use passwords that can be found in a dictionary. Never use passwords such as a date of birth or a spouse's, child's or pet's name. Enable SYSKEY with a strong password to encrypt and protect the SAM database.
  44. Implement and Enforce a Strong Security Policy. Sample form: Permanent Account Lockout - Employee Privilege Abuse. Fields: Employee Name, Employee ID, Employee SSN, Employee Designation, Department, Manager Name, Manager ID, Termination Effective Date, Notice Period, Benefits Continuation, Severance, Termination Reason. Termination reasons (checkboxes): opening unsolicited e-mail; sending spam; emanating viruses; port scanning; attempted unauthorized access; surfing porn; installing shareware; possession of hacking tools; refusal to abide by security policy; sending unsolicited e-mail; allowing kids to use the company computer; disabling the virus scanner; running P2P file sharing; unauthorized file/web serving; annoying the System Admin.
  45. CEH System Hacking Steps: Cracking Passwords, Escalating Privileges, Executing Applications, Hiding Files, Covering Tracks, Penetration Testing.
  46. Privilege Escalation. An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges. "I can access the network using John's user account, but I need 'Admin' privileges."
  47. Escalation of Privileges: StickyKeys. StickyKeys is an accessibility feature in Windows OS to aid users who have physical disabilities; pressing the Shift key 5 times at the logon screen brings up the StickyKeys dialog. The program that launches StickyKeys is located at C:\Windows\System32\sethc.exe. If we replace sethc.exe, which is responsible for the sticky key dialog, with cmd.exe, and then call it by pressing the Shift key 5 times at the logon screen, we get a command prompt that runs as SYSTEM, i.e. with full administrative privileges, before anyone has logged on. Note: Microsoft might fix this in future releases, rendering this technique unusable. The file is owned by TrustedInstaller and protected by Windows Resource Protection, so swapping it normally requires offline access to the disk; defenders can detect the swap by comparing the hash of sethc.exe with that of cmd.exe.
  48. Hide an Admin User: Create a hidden admin account. Launch the command prompt and type net user Juggyboy PASSWORD /add (any password you like) and press Enter, then add the account to the Administrators group with net localgroup Administrators Juggyboy /add. Go to the registry editor and navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList. Create a new DWORD value named Juggyboy with the value 0 and close the registry editor. Juggyboy will be a hidden user (absent from the welcome screen and User Accounts panel) with administrative privileges.
  49. Escalation of Privileges: Domain User. Gain domain privileges: the attacker obtains a domain user's credentials, uses them to authenticate to the domain, and from there gains access to the domain server.
  50. Active@ Password Changer, http://www.password-changer.com (resets a local account directly in the SAM from boot media: clears the user's password and toggles "Password never expires", "Account is disabled" and the logon hours).
  51. Privilege Escalation Tools: Stellar Phoenix Password Recovery (http://www.recoveranypassword.com); Passware Password Recovery Kit (http://www.lostpassword.com); Password Unlocker Bundle (http://www.passwordunlocker.com); Offline NT Password & Registry Editor (http://pogostick.net); Windows Password Reset Kit (http://www.resetwindowspassword.net); Windows Password Recovery Tool (http://www.windowspasswordsrecovery.com); Elcomsoft System Recovery (http://www.elcomsoft.com); Trinity Rescue Kit (http://trinityhome.org).
  52. 52. How to Defend against Privilege Escalation? Use encryption technique to protect sensitive data Restrict the interactive logon privileges Run users and applications on the least privileges Patch the systems regularly Implement multlfacflii authentication and authorization Run services as * aprlvileged accounts C0P'V"¢i| l@ W All Rights Reserved. Re-prndnmnn is Smarty VVm| h"M4
  53. 53. CEI-I System Hacking Steps A Cracking k Passwords ti- Escalating Privileges / Executing Applications Covering Hiding Tracks Files L Penetration ‘flu Testing flaw-shtfibv All lights Reserved. Reproduction is Strictly Prohibited.
  54. 54. . . Z ' . .:a Applications Attackers execute malicious applications in this stage. This is called "owning” the system copyright 8 by El: -60"’ in All REM: Banned. Reproduction is Strictly Prohibited.
  55. 55. Alchemy Remote Executor I Alchemy Remote Executor is a ; Rm. .. r, ,c. ,.. ,,. ,,, _._. ,o system management tool that He pliiulari Heb allows you to execute programs 0 3' B ’ ' ? F‘ C F «; on remote network computers Wu" °"°“°"i '°"" i Pleaie soedy Ihe cvogarn ycu wish lo um on the iernoie corruleu, optzond working dr llocdlor the remoie cormuiersl and ooifiondy the list of adckonai lie: ma! shoudbe coped I The program executes on ’°"‘“""°'*°°"°“°'*'°°’°'"’°‘*"°" multiple remote computers simultaneously Council Lune: Won rig dreamy Iooliond bail: in runs! cases] Addmrs! tie: iw rim im . -.hod-1 be raped in in; iaigei rnachnt beanie the progam exzculionl hnp: //wwwalchemy-Iab. corn Copyright 9 by EC-CI3I All Right; Reserved, Rt‘ulDllilLiii'. ill l‘. Strictly P-ovibitud,
  56. 56. Remotefixec "InuT me -Flh t{n7u”€Ion Acenm fig Fla Carolus D C0wRerno9E -ecSc«o' but ‘Gm Flu Camden: Lnsldacluuvoexacue :1r39c-$414 wnoow: 2003 fines-auus wmmmaa 513993755 Wndo. vx21l]3 :1v/ sessssa w. -om 2003 305886422 Wndowx 2003 Clmssusa v/ new 2001 Qrsa9n342'a. w-so-x.1n3 flrse9ssss~w-uxm 2003 59388878.‘ wmoaszml SKBKBSEI wnaamzun : !‘B89‘3588 jumasas jnmsssv zjrssoora 21113901017 :1r. s3m21 4 jraauznan jrsaonos 0 Reboot §a§§§a§§§§ < 1 r/ /www. pnIroo/ s.com Conyvnghr 20 by IE-III“ All Rights R': ‘serv; —'d. R‘: u'u:1urtxunxs Svctlv, ‘ Profwuitec
57. 57. Execute This! (screenshot of the tool's interface)
58. 58. Keylogger
Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, and either log the keystrokes to a file or transmit them to a remote location.
Keyloggers are placed between the keyboard hardware and the operating system.
Legitimate applications for keyloggers include office and industrial settings, where employers monitor employees' computer activities, and home environments, where parents can monitor and spy on their children's activity.
(Diagram: Keyboard, Windows Kernel, Keyboard Driver, Application; a keylogger injected at the driver level writes the keystrokes to a log file or sends them to a remote location.)
59. 59. Types of Keystroke Loggers
Hardware keystroke loggers: PC/BIOS Embedded Keylogger, Keylogger Keyboard, External Keylogger (PS/2 and USB Keylogger, Acoustic/CAM Keylogger, Bluetooth Keylogger, Wi-Fi Keylogger)
Software keystroke loggers: Application Keylogger, Kernel Keylogger, Rootkit Keylogger, Device Driver Keylogger
60. 60. Acoustic/CAM Keylogger
(Diagram labels: Acoustic Keylogger: capturing typed alphabet, transmit to receiver, the hacker; CAM Keylogger: electromagnetic waves; User presses "A".)
61. 61. PS/2 Keylogger, USB Keylogger, Wi-Fi Keylogger, Bluetooth Keylogger, Hardware Keylogger embedded inside the keyboard (product photographs)
62. 62. Keylogger: Advanced Keylogger (screenshot)
http://www.mykeylogger.com
63. 63. Keylogger (screenshot of a keylogger's configuration interface: User Activities, Remote Log Delivery, Advanced Options, Content Filtering, ScreenSpy, Smart Logging, Scheduling, View Most Popular Activities Summary, Behavior Alerts)
http://www.keylogger.org
64. 64. Keylogger: Perfect Keylogger (screenshot)
http://www.blazingtools.com
65. 65. Keylogger: Powered Keylogger (screenshot)
http://www.mykeylogger.com
66. 66. Keylogger: Aobo Mac OS X KeyLogger Pro (screenshots of the General, Screenshots, Email and FTP settings tabs)
67. 67. Keylogger: Perfect Keylogger for Mac (screenshot of the Alerts options: add keywords you want to monitor; when a keyword is detected, make a screenshot and send an email notification)
68. 68. Hardware Keylogger: KeyGhost
The KeyGhost Hardware Keylogger is a tiny plug-in device that records every keystroke typed on any PC computer. (Screenshot of the KeyGhost website.)
http://www.keyghost.com
69. 69. Keyloggers: iMonitorPC Business Plus, XPCSpy Pro, PC Activity Monitor Standard, Handy Keylogger, KeyProwler Pro, KeyProwler, PC Activity Monitor Lite, Stealth Keylogger
70. 70. Keyloggers: Keylogger Spy Monitor, REFOG Personal Monitor, Actual Keylogger, Spytector, All In One Keylogger, Winsession Logger, Spy Lantern Keylogger Pro, PC Spy Keylogger
71. 71. Keyloggers: Golden Eye, Revealer Keylogger, Spy Keylogger, IKS Software Keylogger, Emsa FlexInfo Pro, Quick Keylogger, Actual Spy, Ghost Keylogger
72. 72. Spyware
Spyware is a program that records the user's interaction with the computer and Internet without the user's knowledge. Spyware is stealthy, hiding its process, files, and other objects in order to avoid removal.
Spyware propagation: drive-by download, piggybacked software installation, masquerading as anti-spyware, web browser vulnerability exploits
73. 73. What Does the Spyware Do?
Steals users' personal information and sends it to a remote server or hijacker
Reduces system performance and causes software instability
Displays annoying pop-ups and redirects a web browser to advertising sites
Connects to remote pornography sites
Changes the web browser's default settings and prevents the user from restoring them
Places desktop shortcuts to malicious spyware sites
Adds multiple bookmarks to the web browser's favorites list
Decreases the overall system security level
74. 74. Types of Spyware: Cell Phone and Telephone Spyware, Desktop Spyware, Email and Internet Spyware, Child Monitoring Spyware, USB Spyware, Screen Capturing Spyware, Print Spyware
75. 75. Desktop Spyware
Desktop spyware provides information regarding what network users did on their desktops, how, and when:
Live recording of remote desktops
Record and monitor users' keystrokes and Internet activities
Record activity logs and store them at one centralized location
Record software usage and timings
76. 76. Desktop Spyware: Activity Monitor (screenshot)
http://www.softactivity.com
77. 77. Desktop Spyware: SpyMe Tools, SSPro, Easy Remote, Employee Monitoring, Remote Desktop Spy, Employee Desktop Live Viewer, Desktop Spy, NetVizor
78. 78. Email and Internet Spyware
Email spyware monitors, records, and forwards incoming and outgoing emails, including web-mail services like Gmail and Hotmail. It records instant messages conducted in AIM, MSN, Yahoo, MySpace, Facebook, etc.
Internet spyware provides a summary report of overall web usage. It records the date/time of visits and the active time spent on each website. It blocks access to a specific web page or an entire website.
79. 79. Email and Internet Spyware: eBLASTER (screenshot)
http://www.spectorsoft.com
80. 80. Internet and E-mail Spyware: iMonitor Employee Activity, Wiretap Professional, Employee Monitoring, Spy Software XP, OsMonitor, Spylab WebSpy, Ascendant NFM, Personal Inspector
81. 81. Child Monitoring Spyware
Control and supervise how children use the PC and Internet
Block kids from accessing inappropriate web content using specified keywords
Monitor activities for selected users, such as websites, keystrokes and screenshots
Record selected activities, including screenshots, keystrokes, and websites
82. 82. Child Monitoring Spyware (screenshot)
http://www.advancedparentalcontrol.com
83. 83. Child Monitoring Spyware: iProtectYou Pro, SilentMonitoring, Big Mother, Net Nanny Home Suite, SpyOn Baby, CyberSieve, SentryPC, KSS Parental Control
84. 84. Screen Capturing Spyware
These spywares may also capture keystrokes, mouse activity, visited website URLs and printer activity in real time.
Screen capturing spyware generally saves screenshots to local disk or sends them to the attacker via FTP or e-mail.
85. 85. Screen Capturing Spyware: Spector Pro
Record all their emails, chats, keystrokes and web sites visited. (Screenshot of the Spector Pro website.)
http://www.spectorsoft.com
86. 86. Screen Capturing Spyware: Hidden Recorder, IcyScreen, Hidden Camera, SoftActivity TS Monitor, PC Tattletale, Desktop Spy, Quick Screen Note, Computer Screen Spy Monitor
87. 87. USB Spyware
USB spyware copies files from USB devices to your hard disk in hidden mode without any request.
It may also capture, display, record and analyze data transferred between any USB device connected to the PC and applications.
88. 88. USB Spyware: USBDumper (screenshot of options: dump files from USB device silently, add macro to MS Word document, add macro to MS Excel document, copy files to USB device)
89. 89. USB Spyware: USB Hacksaw, USB Spy, USBDeview, USB Sniffer, USB Monitor, USB Data Protection Tool, USB Data Theft Protection Tool, USB Grabber
90. 90. Audio Spyware
Audio spyware monitors and records a variety of sounds on the computer.
It records and spies on the voice chat messages of different instant messengers.
Malicious users use audio spyware to snoop on and monitor conference recordings, phone calls, and radio broadcasts.
91. 91. Audio Spyware: RoboNanny, Stealth Recorder Pro and Spy Voice Recorder (screenshots)
http://www.topsecretsoftware.com
92. 92. Video Spyware
Video spyware secretly monitors and records webcams and video IM conversations.
Attackers can remotely view webcams via the web or mobile phones.
Video spyware can be used for video surveillance of sensitive facilities.
93. 93. Video Spyware (screenshot)
94. 94. Video Spyware: WebCam Recorder, Digi-Watcher, Eyeline Video Surveillance Software, WebcamMagic, EyeSpyFX, Capturix Videospy, I-Can-See-You, Hidden Camera Control
95. 95. Print Spyware
Printer spyware facilitates remote printer usage monitoring.
It can be used to detect exact print job properties such as number of copies, number of printed pages, and content printed.
(Diagram: Printer, Print Server.)
96. 96. Print Spyware: Printer Activity Monitor (screenshot)
http://www.redline-software.com
97. 97. Print Spyware: Spyarsenal Print Monitor, All-Spy Print, PrintSniffer, O&K Print Watch, Accurate Printer Monitor, Print Job Monitor, Print Censor, PrintTrak
98. 98. Telephone/Cellphone Spyware
Telephone/cellphone spyware monitors and records phone calls and text messages, and tracks employee cell phone usage.
Attackers install spyware on the devices they want to track, which secretly sends data to the attackers through SMS or email.
(Diagram: Satellite, User, Transmission Tower, Hacker.)
99. 99. Cellphone Spyware (screenshot: View Voice Call Logs)
http://www.phonespysoftware.com
100. 100. Telephone/Cellphone Spyware: Mobistealth Cell Phone Spy, Telephone Spy, SPYPhone GOLD, VRS Recording System, SpyPhoneTap, Modem Spy, Phone Spy, FlexiSPY
101. 101. GPS Spyware
GPS spyware is a device or software application that uses the Global Positioning System to determine the location of a vehicle, person, or other asset to which it is attached or installed.
(Diagram: Satellite, Vehicle, Transmission Tower, Server, Internet, Hacker.)
103. 103. GPS Spyware: EasyGPS, ALL-in-ONE Spy, Trackstick, FlexiSPY PRO, Mobile Spy, MobiStealth Pro, World-Tracker, SPYPhone
104. 104. How to Defend against Keyloggers?
Install antivirus software and keep the signatures up to date
Install a host-based IDS which can monitor your system and disable the installation of keyloggers
Install good professional firewall software and anti-keylogging software
Keep your hardware systems secure in a locked environment and frequently check the keyboard cables for attached connectors
Choose new passwords for different online accounts and change them frequently
Use software that frequently scans and monitors the changes in the system or network
Use a pop-up blocker and avoid opening junk emails
Scan files before installing them on the computer, and use the registry editor or Process Explorer to check for keystroke loggers
105. 105. Anti-Keyloggers
Anti-keyloggers detect and disable software keyloggers.
Some anti-keyloggers work by matching against a signature database, while others protect keyboard drivers and kernels from manipulation by keyloggers.
Using a … or touch screen makes it difficult for malicious spyware and Trojan programs to capture keystrokes.
106. 106. Anti-Keylogger: Zemana AntiLogger (screenshot)
http://www.zemana.com
107. 107. Anti-Keyloggers: Advanced Anti Keylogger, Anti-Keylogger, PrivacyKeyboard, Anti Keyloggers 2010, DefenseWall HIPS, KeyScrambler, Anti-Keylogger Elite, I Hate Keyloggers
108. 108. How to Defend against Spyware?
Adjust browser security settings to medium for the Internet zone
Enhance the security level of the computer
Be cautious about suspicious emails and sites
Install and use anti-spyware software
Perform web surfing safely and download cautiously
Update the software regularly and use a firewall with outbound protection
Update virus definition files and scan the system for spyware regularly
109. 109. Anti-Spyware: Spyware Doctor (screenshot)
http://www.pctools.com
110. 110. Anti-Spyware: Kaspersky Internet Security, CounterSpy, Norton Internet Security, Ad-Aware, SpyHunter, Spy Sweeper, MacScan (for Mac OS X), Spyware Terminator
111. 111. CEH System Hacking Steps: Cracking Passwords, Escalating Privileges, Executing Applications, Hiding Files, Covering Tracks, Penetration Testing
112. 112. Rootkits
Rootkits are kernel programs having the ability to hide themselves and cover up traces of activities.
A rootkit replaces certain operating system calls and utilities with its own modified versions of those routines.
The attacker acquires root access to the system by installing a virus, Trojan horse program, or spyware, in order to exploit it.
A rootkit allows the attacker to maintain hidden access to the system.
113. 113. Types of Rootkits
Hypervisor Level Rootkit: modifies the boot sequence of the machine to load itself instead of the original virtual machine monitor or operating system
Hardware/Firmware Rootkit: hides in hardware devices or platform firmware which is not inspected for code integrity
Kernel Level Rootkit: adds malicious code or replaces original OS kernel and device driver code
Boot Loader Level Rootkit: replaces the original boot loader with one controlled by a remote attacker
Library Level Rootkits: replace original system calls with fake ones to hide information about the attacker
Application Level Rootkit: replaces regular application binaries with fake Trojans, or modifies the behavior of existing applications by injecting malicious code
  114. How Rootkits Work: Hooking (before vs. after): a process calls FindNextFile; before hooking the call goes to the kernel's FindNextFile code; after hooking, the rootkit has replaced the first 5 bytes of the FindNextFile code with a jump to the rootkit's own code, which filters the results before returning them. Direct Kernel Object Manipulation (DKOM): each process has a unique process ID and an ActiveProcessLinks LIST_ENTRY with FLINK/BLINK pointers; DKOM rootkits hide a process by unlinking it from the process list (before infection the process is in the list, after infection it is not).
  115. Rootkit: Fu. Fu operates using direct kernel object manipulation. Components of Fu are the dropper (fu.exe) and the driver (msdirectx.sys). It allows the attacker to: hide processes and drivers; hide information from user-mode applications and even from kernel-mode modules; add privileges to any process token; remove to-be-hidden entries from two linked lists with symbolic names.
  116. Detecting Rootkits: Signature Based Detection compares characteristics of all system processes and executable files with a database of known rootkit fingerprints. Integrity Based Detection compares a snapshot of the file system, boot records, or memory with a known trusted baseline. Heuristic Detection looks for deviations from normal system patterns and behavior to find unidentified rootkits based on the execution path hooks they use. Cross View Based Detection enumerates system files, processes, and registry keys and compares them to a data set generated by an algorithm that does not rely on the system's common APIs.
  117. Steps for Detecting Rootkits: Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive and save the results. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). Note: There will be some false positives. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
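The cross-view comparison that the slide performs with WinDiff, as an added Python example (not from the CEH deck or any tool it names): two "dir /s /b" listings are compared, and paths present only in the listing taken from clean boot media are reported as candidate hidden files. The sample listings and file names below are constructed placeholders, and the volatile-directory prefixes are an assumption made here to separate the false positives the slide warns about from genuinely suspicious paths.

```python
"""Cross-view detection of file-hiding rootkits (added example, not from the
CEH deck): compare a directory listing taken from inside the suspect OS with
one taken from clean boot media and report paths visible only from outside."""

# Constructed sample listings in "dir /s /b" form. The file names are
# placeholders invented for this example, not real indicators.
INSIDE_LISTING = r"""
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\disk.sys
C:\Windows\Temp\session-123.tmp
C:\pagefile.sys
"""

OUTSIDE_LISTING = r"""
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\disk.sys
C:\Windows\System32\drivers\hidden_example.sys
C:\Windows\Temp\rootkit_dropper_example.exe
C:\Windows\Temp\session-456.tmp
"""

# Directories whose contents legitimately change between the two boots (an
# assumed list); differences there are reported separately, not dropped.
VOLATILE_PREFIXES = ("c:\\windows\\temp\\",)


def parse_listing(text: str) -> set:
    """Turn dir /s /b output into a set of normalised paths. NTFS names are
    case-insensitive, so everything is compared lower-case."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            paths.add(line.lower())
    return paths


def cross_view_diff(inside: str, outside: str, volatile_prefixes=()) -> dict:
    """Return paths seen only from the clean boot (candidate hidden files),
    split into suspicious and volatile locations, plus paths seen only from
    inside (files the running OS creates, e.g. the pagefile)."""
    inside_paths = parse_listing(inside)
    outside_paths = parse_listing(outside)
    outside_only = sorted(outside_paths - inside_paths)
    hidden = [p for p in outside_only if not p.startswith(volatile_prefixes)]
    volatile = [p for p in outside_only if p.startswith(volatile_prefixes)]
    return {
        "hidden": hidden,
        "volatile": volatile,
        "only_inside": sorted(inside_paths - outside_paths),
    }


if __name__ == "__main__":
    report = cross_view_diff(INSIDE_LISTING, OUTSIDE_LISTING, VOLATILE_PREFIXES)
    for key, paths in report.items():
        print(key)
        for p in paths:
            print("   ", p)
```

The "volatile" bucket is where the slide's false positives land (temp files that simply did not exist yet during the first listing); a file in a driver directory that is visible only from outside is the signal the procedure is looking for, and the "only_inside" bucket is expected to contain things like the pagefile.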
  118. How to Defend against Rootkits: Reinstall OS/applications from a trusted source after backing up the critical data. Well-documented automated installation procedures need to be kept. Staff with ill-defined responsibilities. Install network and host-based firewalls. Use strong authentication. Ensure the availability of trusted restoration media. Harden the workstation or server against the attack. Update the patches for operating systems and applications. Update antivirus and anti-spyware software regularly.
  119. Anti-Rootkit: RootkitRevealer and McAfee Rootkit Detective (screenshots of both tools listing hidden registry keys, files, processes and drivers). Source: http://technet.microsoft.com
  120. Anti-Rootkits: Sophos Anti-Rootkit, GMER, F-Secure BlackLight, Trend Micro RootkitBuster, Avira AntiRootkit Tool, Rootkit Razor, SanityCheck, RemoveAny.
  121. NTFS Data Stream: NTFS Alternate Data Stream (ADS) is a Windows hidden stream which contains metadata for the file such as attributes, word count, author name, and access and modification time of the files. ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities. ADS allows an attacker to inject malicious code on a breached system and execute it without being detected by the user.
  122. How to Create NTFS Streams? Notepad is a stream-compliant application. Launch c:\>notepad myfile.txt:lion.txt; click 'Yes' to create the new file and type 10 lines of data; save the file. Launch c:\>notepad myfile.txt:tiger.txt; click 'Yes' to create the new file and type another 20 lines of text; save the file. View the file size of myfile.txt (it should be zero). To modify the stream data, open the document 'myfile.txt:tiger.txt' in Notepad.
  123. NTFS Stream Manipulation: Location c:\ holds Trojan.exe (size: 2 MB) and Readme.txt (size: 0). To move the contents of Trojan.exe to Readme.txt (stream): C:\> type c:\Trojan.exe > c:\Readme.txt:Trojan.exe. To execute the Trojan.exe inside the Readme.txt (stream): C:\> start c:\Readme.txt:Trojan.exe. To extract the Trojan.exe from the Readme.txt (stream): C:\> cat c:\Readme.txt:Trojan.exe > Trojan.exe. Note: cat is a Windows 2003 Resource Kit utility.
  124. Deleting a stream file involves copying the file to a FAT partition and then copying it back to NTFS. Streams are lost when the file is moved to the FAT partition. LNS.exe (from http://ntsecurity.nu/cgi-bin/download/lns.exe.pl) can detect streams.
  125. NTFS Stream Detector: ADS Scan Engine (screenshot of a scan listing the alternate data streams found on a drive).
  126. NTFS Stream Detectors: ADS Spy, List NTFS Streams (LNS), LADS, StreamArmor, NTFS Streams Info, Streams, ADS Locator, ADS Manager.
  127. What is Steganography? Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data. Utilizing a graphic image as a cover is the most popular method to conceal the data in files. (Figure: a list of the compromised servers hidden inside an image that serves as a communication and coordination channel.)
  128. Steganography Techniques: Substitution techniques substitute redundant parts of the cover object with a secret message. Transform domain techniques embed the secret message in a transform space of the signal (e.g. in the frequency domain). Spread spectrum techniques adopt ideas from spread spectrum communication to embed secret messages. Statistical techniques embed messages by changing several statistical properties of the cover object and use hypothesis testing in the extraction process. Distortion techniques store information by signal distortion and, in the extraction step, measure the deviation from the original cover. Cover generation techniques encode information that ensures the creation of a cover for secret communication.
  129. How Steganography Works? A cover image plus the secret message ("Hackers are here. Where are you?") is processed into a stego image that looks like the cover image but carries the hidden message.
  130. Steganography types: Image Steganography, Document Steganography, Folder Steganography, Video Steganography, Audio Steganography, White Space Steganography, Web Steganography, Spam/Email Steganography, DVD-ROM Steganography, Natural Text Steganography, Hidden OS Steganography, C++ Source Code Steganography.
  131. Whitespace Steganography Tool: SNOW. 1. The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. 2. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. 3. If the built-in encryption is used, the message cannot be read even if it is detected. (Screenshot: snow run from the Windows command line.) http://www.darkside.com.au
  132. Image Steganography: In image steganography, the information is hidden in image files of different formats such as .PNG, .JPG, .BMP, etc. Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by human eyes. (Figure: cover image plus information passes through the steganography tool to produce the stego image; the tool recovers the information from the stego image.)
  133. Image Steganography: Hermetic Stego (screenshot). Operations: encrypt the data file and hide it in the input image(s); extract the data file from the input image(s) and decrypt it; select the first input image; delete unsuitable input images (after confirmation). The data file is split across the images in the input images folder and written to the stego images folder. http://www.hermetic.ch
  134. Image Steganography Tools: ImageHide, Contraband, QuickStego, Camera/Shy, gifshuffle, JPHIDE and JPSEEK, OutGuess (http://www.outguess.org), StegaNote.
  135. Document Steganography: wbStego (screenshot of the wbStego wizard hiding data in a document file). http://wbstego.wbailer.com
  136. Document Steganography Tools: Merge Streams, FoxHole, Office XML, CryptArkan, Xidie Security Suite, StegParty, Data Stash, Hydan.
  137. Video Steganography Tools: Masker, MSU StegoVideo, Max File Encryption, BDV DataHider, Xiao Steganography, CHAOS Universal, RT Steganography, OmniHide PRO.
  138. Audio Steganography: Mp3stegz. Audio steganography refers to hiding secret information in audio files such as .MP3, .RM, .WAV, etc. (Screenshot of Mp3stegz.) http://sourceforge.net
  139. Audio Steganography Tools: MAXA Security Tools, MP3Stego, Steghide, Stealth Files, Hide4PGP, audiostegano, CHAOS Universal, BitCrypt.
  140. Folder Steganography: Invisible Secrets 4. Folder steganography refers to hiding secret information in folders. (Screenshot: Invisible Secrets 4 file selection dialog.) http://www.invisiblesecrets.com
  141. Folder Steganography Tools: StegoStick, PSM Encryptor, QuickCrypto, XPTools, Max Folder Secure, Universal Shield, WinMend Folder Hidden, Hide My Files.
  142. Spam/Email Steganography: Spam Mimic. Spam steganography refers to hiding information in spam messages. (Screenshot: encoding a short secret message as spam text; encode/decode.) http://www.spammimic.com
  143. Natural Text Steganography: Sam's Big G Play Maker. Natural text steganography programs convert sensitive information into a user-definable free speech such as a play. (Screenshot of the generated play text.) http://www.scramdisk.clara.net
  144. Steganalysis: Steganalysis is the art of discovering and rendering covert messages using steganography. A suspect information stream may or may not have encoded hidden data. The goal is efficient and accurate detection of hidden content within digital images. Some of the suspect signals or files may have had irrelevant data or noise encoded into them before the hidden data was inserted into the file or signal.
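The least-significant-bit embedding described on the image steganography slide, together with the pair-statistics detection idea behind steganalysis, as one added Python example (not from the CEH deck or any tool it names). The "image" is a constructed flat list of grayscale values whose even/odd value bias stands in for the statistics of a natural image; the chi-square statistic follows the standard pair-of-values attack and is an assumption of this example, not something the slides specify.

```python
"""LSB image steganography and a chi-square steganalysis check (added example,
not from the CEH deck). Embedding flips least significant bits; detection
notices that the counts of each value pair (2k, 2k+1) become equal."""
import random


def make_cover(n: int = 4096, seed: int = 1) -> list:
    """Constructed grayscale 'image' as a flat list of 8-bit values. Natural
    images rarely have equal counts of 2k and 2k+1; this cover mimics that
    with an 80/20 bias towards even values (assumption of the example)."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        k = rng.randrange(128)
        pixels.append(2 * k if rng.random() < 0.8 else 2 * k + 1)
    return pixels


def _bits_of(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(pixels: list, message: bytes) -> list:
    """Write a 16-bit length header and the message into the least
    significant bit of successive pixels (one bit per pixel)."""
    payload = len(message).to_bytes(2, "big") + message
    bits = list(_bits_of(payload))
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels: list) -> bytes:
    """Inverse of embed_lsb; refuses a header that points past the image."""
    def read(start: int, nbits: int) -> int:
        value = 0
        for i in range(nbits):
            value = (value << 1) | (pixels[start + i] & 1)
        return value
    length = read(0, 16)
    if 16 + 8 * length > len(pixels):
        raise ValueError("no valid payload header")
    return bytes(read(16 + 8 * i, 8) for i in range(length))


def chi_square_pairs(pixels: list) -> float:
    """Pair-of-values statistic: LSB embedding only moves counts between 2k
    and 2k+1, pushing them towards equality, so the statistic drops sharply
    on a stego image compared with its cover."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected
            chi2 += (odd - expected) ** 2 / expected
    return chi2


def demo() -> dict:
    """Embed a constructed 500-byte message and compare the statistic."""
    cover = make_cover()
    secret = (b"status report: all hosts patched, no anomalies. " * 12)[:500]
    stego = embed_lsb(cover, secret)
    return {
        "roundtrip_ok": extract_lsb(stego) == secret,
        "chi2_cover": chi_square_pairs(cover),
        "chi2_stego": chi_square_pairs(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The statistic is large on the cover (the even/odd counts in each pair differ) and collapses once most pixels carry message bits, which is the pattern a steganalyst looks for; a message that fills only a small part of the image weakens the signal, which is why real detectors scan the image in windows rather than as a whole.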
  145. Steganalysis Methods / Attacks on Steganography: Stego-only attack: only the steganography medium is available for analysis. Reformat attack: the format of the file is changed; this works because different file formats store data in different ways. Known-stego attack: the original and the stego-object are available and the steganography algorithm is known. Known-message attack: the hidden message and the corresponding stego-image are known. Known-cover attack: the stego-object is compared with the original cover object to detect hidden information. Chosen-message attack: the goal is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms. Chosen-stego attack: the stego-object and the steganography algorithm are known.
  146. Steganography Detection Tool: Stegdetect (screenshot of xsteg scanning a folder of JPEG files and reporting negatives and jphide/outguess hits). http://www.outguess.org
  147. Steganography Detection Tools: Stego Watch, Gargoyle Investigator Forensic Pro, StegAlyzerAS, StegAlyzerSS, StegAlyzerRTS, StegMark.
  148. CEH System Hacking Steps: Cracking Passwords, Escalating Privileges, Executing Applications, Hiding Files, Covering Tracks, Penetration Testing.
  149. Why Cover Tracks? 1. Attackers can attack again. 2. They can cover their tracks to avoid their detection. 3. They can install backdoors to gain access in future. Windows event logs: 1. SECEVENT.EVT (security): failed logins, accessing files without privileges. 2. SYSEVENT.EVT (system): driver failure, things not operating correctly. 3. APPEVENT.EVT (applications). The attacker might not want to delete the entire log.
  150. Covering Tracks: Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection. When all the information of interest has been stripped off from the target, the intruder installs several backdoors so that he or she can gain easy access in the future.
  151. Ways to Clear Online Tracks: Remove Most Recently Used (MRU) lists, delete cookies, clear cache, turn off AutoComplete, clear Toolbar data from the browsers. From the Registry, open HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then remove the key for "RecentDocs" (delete all the values except "(Default)"). Right-click on the Start menu, choose Properties > Start Menu tab > Customize > Advanced > Clear List > uncheck "List my most recently opened documents".
  152. Disabling Auditing: Auditpol. Intruders will disable auditing immediately after gaining administrator privileges. At the end of their stay, the intruders will just turn on auditing again using auditpol.exe. (Screenshot: auditpol output showing audit categories enabled/disabled.) http://www.microsoft.com
