Module 006 System Hacking Flashcards
A dictionary attack is applicable under two situations
-
Methods to improve the success of a dictionary attack
-
What is cryptanalysis
Cryptanalysis is a brute-force attack on an encryption employing a search of the keyspace.
What is Brute Force attack
-
What is Rule based attack
Attackers use this type of attack when they obtain some information about the password. This is a more powerful attack than the dictionary and brute-force attacks, because the cracker knows the password type. For example, if the attacker knows that the password contains a two-or three-digit number, he or she will use some specific techniques to extract the password quickly.
What is Hybrid attack ?
Brute force + dictionary
Syllable Attack
Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combinations of them.
Combination of brute force and dictionary attack
Password Guessing
The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim’s machine to crack the passwords.
- Find a valid user
- Create a list of possible passwords
- Rank passwords from high probability to low
- Key in each password, until correct password is discovered
Manual Password-Cracking Algorithm
FOR loop thing
Default Passwords
- A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected
- Attackers use default passwords present in the list of words or dictionary that they use to perform password guessing attack
Active Online Attack: Trojan/Spyware/Keylogger
Attacker installs a Trojan/Spyware/Keylogger on the victim’s machine to collect the victim’s user names and passwords. The Trojan/Spyware/Keylogger runs in the background and sends all user credentials back to the attacker.
What is Trojan
A Trojan is a program that masks itself as a benign application. The software initially appears to perform a desirable or benign function but instead steals information or harms the system. With a Trojan, attackers can gain remote access and perform various operations limited by user privileges on the target computer.
What is Spyware
Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect.
What is keylogger
A keylogger is a program that records all user keystrokes without the user’s knowledge. Keyloggers ship the log of user keystrokes to an attacker machine or hide it on the victim’s machine for later retrieval. The attacker then scrutinizes the log carefully to find passwords or other useful information that could compromise the system.
Active Online Attack Using USB Drive
- You need to download PassView, a password hacking tool.
- Copy the downloaded .exe PassView file to the USB drive.
- Create a Notepad document, and put the following content or code in the notepad: [autorun] en=launch.bat
After writing this content into Notepad, save the document as autorun.inf and copy this file to the USB drive.
- Open Notepad, and write the following content: start pspv.exe/stext pspv.txt After that, save file as launch.bat and copy this file to the USB drive.
- Insert the USB drive and the autorun window pop-up appears (if enabled).
- PassView (or other password-hacking tool) runs in the background and stores the passwords in the .txt files on the USB drive.
Active Online Attack: Hash Injection Attack
This type of attack is possible when the target system uses a hash function as part of the authentication process to authenticate its users. Generally, the system stores hash values of the credentials in the SAM database/file on a Windows computer. In such cases, the server computes the hash value of the user-submitted credentials or allows the user to input the hash value directly. The server then checks it against the stored hash value for authentication. Attackers take advantage of such authentication mechanisms and first exploit the target server to retrieve the hashes from the SAM database. They then input the acquired hashes directly into the authentication mechanism to authenticate using the stolen users’ pre-computed hashes. Thus, in a hash injection attack, the attackers inject a compromised hash into a local session and then use the hash to authenticate to the network resources.
LLMNR, NBT-NS
LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service)
Active Online Attack: LLMNR/NBT-NS Poisoning
-
LLMNR port
-
NBT-NS port
-
Steps in LLMNR/NBT-NS
- User sends a request to connect to the data sharing system \\DataServer, which she mistakenly typed as \\DtaServr.
- The \\DataServer responds to the user saying that it does not know the host named \\DtaServr.
- The user then performs an LLMNR/NBT-NS broadcast to find out if anyone in the network knows the host name \\DtaServr.
- The attacker replies to the user saying that it is \\DataServer, accepts the user’s NTLMv2 hash, and responds to the user with an error.
LLMNR/NBT-NS Poisoning Tools
Responder.py
Passive Online Attack: Wire Sniffing
-
Passive Online Attacks: Man-in-the-Middle and Replay Attack
In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
- Relatively hard to perpetrate
- Must be trusted by one or both sides
- Can sometimes be broken by invalidating traffic
Why it’s not easy to implement MITM attacks
This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks because of the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.
Which attack is used to replay back transactions
Replay attack.
What is a rainbow attack
A rainbow table attack uses the cryptanalytic time-memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the cryptography. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance.
What is contained in Rainbow table
Dictionary files, brute-force lists, and their hashes
Is a rainbow attack time consuming?
Yes
Why can a rainbow attack be successful?
Due to the passwords’ smaller keyspace and shorter length
How can rainbow attacks be prevented?
Key stretching and random salting
Tools to create Rainbow tables: rtgen and Winrtgen
rtgen: The rtgen program needs several parameters to generate a rainbow table. The command-line syntax is as follows (http://project-rainbowcrack.com):
rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
Winrtgen is a graphical rainbow table generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes
http://www.oxid.it
What hashes Winrtgen supports
Winrtgen supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes.
What is Offline Attack: Distributed Network Attack
A Distributed Network Attack (DNA) is a technique used for recovering password-protected files that utilizes the unused processing power of machines across the network to decrypt passwords.
Features of Distributed Network Attack
- Reads statistics and graphs easily
- Adds user dictionaries to crack the password
- Optimizes password attacks for specific languages
- Modifies the user dictionaries
- Comprises the stealth client installation functionality
- Automatically updates client while updating the DNA server
Security Accounts Manager (SAM) Database
- Windows uses the Security Accounts Manager (SAM) database or Active Directory Database to manage user accounts and passwords in the hashed format (one-way hash)
- The system implements SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive file system lock on the SAM file.
NTLM
NTLM (NT LAN Manager) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works correctly in every situation. It has been used on some Windows installations, where it worked successfully. NTLM authentication consists of two protocols: the NTLM authentication protocol and the LM authentication protocol. These protocols use different hashing methodologies to store users’ passwords in the SAM database.
Does NTLM use the SAM database?
-
Two protocols used in NTLM
-
Kerberos Authentication
- secret-key cryptography
- mutual authentication
- KDC trusted 3rd party => AS, TGS
- Stronger for client server authentication than NTLM
If you have to protect against replay attacks and eavesdropping, which authentication protocol will you use?
Kerberos
How are hashed passwords stored in the Windows SAM?
-
NTLM and LM hashes in various versions of Windows
NTLM supersedes the LM hash, which is susceptible to cracking. New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hash by default.
When is it not possible to capture LM hashes?
It is not possible to calculate LM hashes for passwords exceeding 14 characters in length.
NTLM’s three methods of challenge-response
LM, NTLMv1, NTLMv2
In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft negotiated Security Support Provider (SSP).
SSP
-
NTLM diagram
-
“nonce”
-
Kerberos Authentication Diagram
-
Authorization in Kerberos
- The authorization mechanism of Kerberos provides the user with a Ticket Granting Ticket (TGT) that serves, post-authentication, for later access to specific services, and Single Sign-On, by which the user need not re-enter the password again for accessing any authorized services.
- It is important to note that there is no direct communication between the application servers and Key Distribution Center (KDC); the service tickets, even if packed by TGS, reach the service only through the client willing to access them.
What is password salting
Password salting is a technique where a random string of characters is added to the password before calculating its hash
Advantage: Salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks
Are Windows password hashes salted?
Windows password hashes are not salted
More about salting
In cryptography, a “salt” consists of random data bits used as one input to a one-way function, the other input being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A salt is combined with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password, which makes cracking the passwords difficult.
Tools to extract password hashes
- pwdump7 extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database
- fgdump works like pwdump but also extracts cached credentials and allows remote network execution. Example: fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -p l4mep4ssw0rd dumps a remote machine (192.168.0.10) using the specified user
Which types of password hashes does pwdump7 extract, and from where?
-
Which password hash extraction tool extracts cached credentials and allows remote network execution?
fgdump
Password Cracking Tools: L0phtCrack, ophcrack, Rainbowcrack
- Password cracking tools allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords.
- L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding
- ophcrack : ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms
- RainbowCrack: RainbowCrack cracks hashes with rainbow tables. It uses the time-memory tradeoff algorithm to crack hashes.
Other password cracking tools
Cain & Abel (http://www.oxid.it)
Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)
Windows Password Key (https://www.lostwindowspassword.com)
hashcat (https://hashcat.net)
Passware Kit Forensic (https://www.passware.com)
John the Ripper (http://www.openwall.com)
THC-Hydra (https://github.com)
InsidePro (http://www.insidepro.com)
HashKiller.co.uk (https://hashkiller.co.uk)
LSASecretsView (http://www.nirsoft.net)
Password Cracker (http://www.amlpages.com)
Windows Password Recovery (https://www.passcape.com)
Password Recovery Bundle (https://www.top-password.com)
JRecoverer Database Bundle(http://www.lcpsoft.com)
Hash Suite (http://hashsuite.openwall.net)
Medusa (http://foofus.net)
Password Unlocker Bundle (https://www.passwordunlocker.com)
Offline NT Password & Registry Editor (https://pogostick.net)
How to defend against Password Cracking
- Enable information security audit to monitor and track password attacks
- Do not use the same password during password change
- Do not share passwords
- Do not use passwords that can be found in a dictionary
- Do not use clear text protocols and protocols with weak encryption
- Set password change policy to 30 days
- Avoid storing passwords in an unsecured location
- Do not use any system’s default passwords
- Make passwords hard to guess by using 8 to 12 alphanumeric characters, combining uppercase and lowercase letters, numbers, and symbols
- Ensure that applications neither store passwords to memory nor write them to disk in clear text
- Use a random string (salt) as a prefix or suffix to the password before encrypting it
- Use SYSKEY with a strong password to encrypt and protect the SAM database
- Never use passwords such as date of birth, or a spouse’s, child’s, or pet’s name
- Monitor server logs for brute-force attacks on user accounts
- Lock out an account subject to too many incorrect password guesses
How to Defend against LLMNR/NBT-NS Poisoning
Add image
DYLD_INSERT_LIBRARIES
OS X, similar to Windows, is vulnerable to dynamic library attacks. OS X provides several legitimate methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. OS X allows loading of weak dylibs (dynamic libraries) dynamically, which allows an attacker to place a malicious dylib in the specified location. In many cases, the loader searches for dynamic libraries in multiple paths. This helps an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc.
Privilege escalation
-
Privilege escalation using DLL hijacking
-
Privilege escalation by exploiting vulnerabilities
-
Privilege escalation using DYLIB hijacking
-
Privilege escalation using Spectre and Meltdown vulnerabilities
-
Other privilege escalation techniques
-
How to defend against privilege escalation
-
Access token manipulation
-
Application shimming
-
File system permission weakness
-
Path interception
-
Scheduled task
-
Launch Daemon
-
Plist modification
-
Setuid and setgid
-
Web Shell
-
Windows admin “runas”
For example, Windows Administrators have to log on as a normal user and need to run their tools with admin privileges using token manipulation command “runas”. Attackers can take advantage of this to access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities by evading detection.
sdbinst.exe
%WINDIR%\AppPatch\sysmain.sdb
hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb
What can some shims be used to do? (shims and attacks)
UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress)
Disabling Windows Defender, privilege escalation, installing backdoors
Which technique is used to manipulate Windows service binaries and self-extracting installers?
File System Permission Weakness
Privilege escalation countermeasures
- Restrict the interactive logon privileges
- Use encryption technique to protect sensitive data
- Run users and applications on the least privileges
- Reduce the amount of code that runs with particular privilege
- Implement multi-factor authentication and authorization
- Perform debugging using bounds checkers and stress tests
- Run services as unprivileged accounts
- Test operating system and application coding errors and bugs thoroughly
- Implement a privilege separation methodology to limit the scope of programming errors and bugs
- Patch and update the kernel regularly
- Change UAC settings to “Always Notify”, so that it increases the visibility of the user when UAC elevation is requested
- Restrict users from writing files to the search paths for applications
- Continuously monitor file system permissions using auditing tools
- Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes
- Use whitelisting tools to identify and block malicious software that changes file, directory, and service permissions
- Use fully qualified paths in all the Windows applications
- Ensure that all executables are placed in write-protected directories
- In Mac operating systems, prevent plist files from being altered by users by making them read-only
- Block unwanted system utilities or software that may be used to schedule tasks
- Patch and update the web servers regularly
- Disable the default local administrator account
What is meant by “owning” the system
-
What is executing applications
Once attackers gain higher privileges on the target system by trying various privilege escalation attempts, they may attempt to execute a malicious application by exploiting a vulnerability to execute arbitrary code.
- Attackers execute malicious applications in this stage. This is called “owning” the system
- Attackers execute malicious programs remotely on the victim’s machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor to maintain easy access, etc.
What can result from executing applications?
- steal personal information
- gain unauthorized access to system resources
- crack passwords
- capture screenshots
- install a backdoor for maintaining easy access, and so on.
What malicious programs do attackers execute on target systems?
- Backdoors: Programs designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, or gain unauthorized access to system resources.
- Crackers: Pieces of software or programs designed for cracking a code or passwords.
- Keyloggers: These can be hardware or software. In either case, the objective is to record each keystroke made on the computer keyboard.
- Spyware: Spy software may capture screenshots and send them to a specified location defined by the hacker. For this purpose, attackers have to maintain access to victims’ computers. After deriving all the requisite information from the victim’s computer, the attacker installs several backdoors to maintain easy access to it in the future.
RemoteExec
It’s a tool for executing applications.
RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network.
It allows an attacker to modify the registry, change local admin passwords, disable local accounts, and copy/ update/delete files and folders.
Other tools for executing applications
- PDQ Deploy (https://www.pdq.com)
- Dameware Remote Support (https://www.dameware.com)
- ManageEngine Desktop Central (https://www.manageengine.com)
- PsExec (https://docs.microsoft.com)
- TheFatRat (https://github.com)
What can RemoteExec do?
Remote MSI package Installation: RemoteExec can remotely deploy applications developed using .msi format to a number of Windows systems by specifying the path of .msi file that the attacker wants to deploy, and then choosing the action (install/uninstall/repair/update) to perform.
Remote Execution: RemoteExec allows remote execution of programs (.exe, .bat, .cmd), scripts (.vbs, .js), and files associated with executables (.txt, .doc, .wav, .reg, .inf, .msi, etc.).
Registry Modification: RemoteExec allows the remote modification of the registry on all Windows systems throughout the network, or of a specific subset of computers. You just have to indicate the path to the .reg, select the target systems and launch with a click.
File Operations: RemoteExec allows copying, updating, or deleting files and folders on Windows systems throughout the network.
Password and Local Account Management: RemoteExec allows remotely changing the Local Administrator Password and disabling all other local accounts to reinforce security.
Interaction with Remote Systems: RemoteExec enables you to remotely power off, reboot or shutdown systems, wake up computers equipped with Wake-On-LAN technology, and lock or close user sessions.
What are keyloggers ?
-
Legitimate applications of keyloggers
-
What info attackers can gain from keyloggers
-
where are physical keyloggers placed ?
-
Keylogger sequence image
-
Types of keyloggers diagram
-
Advantages/disadvantages of hardware keyloggers
Software cannot detect them; not OS dependent
List of hardware keyloggers
- KeyGrabber
- KeyCarbon (http://www.keycarbon.com)
- Keyllama Keylogger (https://Keyllama.com)
- Keyboard logger (https://www.detective-store.com)
- KeyGhost (http://www.keyghost.com)
- KeyCobra (http://www.keycobra.com)
- KEYKatcher (https://keykatcher.com)
Keyloggers for windows
- Spyrix Personal Monitor (http://www.spyrix.com)
- SoftActivity Activity Monitor (https://www.softactivity.com)
- Elite Keylogger (https://www.elitekeyloggers.com)
- Keylogger Spy Monitor (http://ematrixsoft.com)
- Micro Keylogger (https://www.microkeylogger.com)
- REFOG Personal Monitor (https://www.refog.com)
- Revealer Keylogger (https://www.logixoft.com)
- Realtime-Spy (http://www.realtime-spy.com)
- StaffCop Standard (https://www.staffcop.com)
- Ardamax Keylogger (https://www.ardamax.com)
- Ultimate Keylogger (http://www.ultimatekeylogger.com)
- Powered Keylogger (http://www.mykeylogger.com)
- Actual Keylogger (http://www.actualkeylogger.com)
- Spytector (https://www.spytector.com)
- Spy Keylogger (http://www.spy-key-logger.com)
- KidLogger (https://kidlogger.net)
- Advanced Keylogger (http://www.mykeylogger.com)
- KeyProwler (https://keyprowler.com)
- Keylogger (https://github.com)
All In One Keylogger Windows features
- Capture all keystrokes (keystrokes logger)
- Record instant messages
- Monitor application usage
- Capture desktop activity and take screenshots
- Quick search over the log
- Send reports via email, FTP, network
- Record microphone sounds
- Generate and send HTML reports
- Disable anti keyloggers and unwanted software
- Filter monitored user accounts
- Block unwanted URLs
- Stop logging when the computer is idle
Amac Keylogger
- Logs typed passwords
- Logs keystrokes and chat conversations
- Records websites and takes screenshots
- Logs the Mac’s IP address
- Automatically runs at startup stealthily
- Enables you to apply settings to all users with one click
Other keyloggers for Mac
- Elite Keylogger (https://www.elite-keylogger.net)
- Aobo Mac OS X KeyLogger (https://www.keylogger-mac.com)
- KidLogger for MAC (http://kidlogger.net)
- Perfect Keylogger for Mac (http://www.blazingtools.com)
- MAC Log Manager (http://www.keylogger.in)
- Award Keylogger for Mac (http://www.award-soft.com)
- Aobo Keylogger for Mac (https://aobo.cc)
- REFOG Keylogger for MAC (https://www.refog.com)
- FreeMacKeylogger (http://www.hwsuite.com)
- Spyrix Keylogger For Mac OS (http://www.spyrix.com)
- SniperSpy Mac (http://www.sniperspymac.com)
- Net Nanny for Mac (https://www.netnanny.com)
- Keyboard Spy Logger (http://alphaomega.software.free.fr)
- Keylogger (https://github.com)
What is spyware?
- Spyware is a stealthy program that records a user’s interaction with the computer and Internet without the user’s knowledge and sends it to remote attackers
- Spyware hides its process, files, and other objects in order to avoid detection and removal
- It is similar to a Trojan horse, which is usually bundled as a hidden component of freeware programs that are available on the Internet for download
- It allows an attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.
Spyware Propagation
- Drive-by download
- Masquerading as anti-spyware
- Web browser vulnerability exploits
- Piggybacked software installation
- Browser add-ons
- Cookies
What does spyware do ?
- Steals users’ personal information and sends it to a remote server or hijacker
- Monitors users’ online activity
- Displays annoying pop-ups
- Redirects a web browser to advertising sites
- Changes the browser’s default setting and prevents the user from restoring
- Adds several bookmarks to the browser’s favorites list
- Decreases overall system security level
- Reduces system performance and causes software instability
- Connects to remote pornography sites
- Places desktop shortcuts to malicious spyware sites
- Steals your passwords
- Sends you targeted email
- Changes the home page and prevents the user from restoring
- Modifies the dynamically linked libraries (DLLs) and slows down the browser
- Changes firewall settings
- Monitors and reports websites you visit
Types of Spyware
- Desktop
- Internet
- Child-Monitoring
- Screen Capturing
- USB
- Audio
- Video
- Telephone/Cellphone
- GPS
Spytech SpyAgent
Spytech SpyAgent allows you to monitor everything users do on your computer
Power Spy
Power Spy secretly monitors and records all activities on your computer
Spyware tools diagram1
-
Spyware tools diagram2
-
How to defend against keyloggers (diagram)
-
Hardware Keylogger countermeasures (diagram)
-
Anti Keyloggers
Anti-keyloggers, also called anti-keystroke loggers, detect and disable keystroke logger software. Their special design helps them to detect software keyloggers. Many large organizations, financial institutions, online gaming industries, as well as individuals use anti-keyloggers for protecting their privacy while using systems. This software prevents a keylogger from logging every keystroke typed by the victim and thus keeps all personal information safe and secure. An anti-keylogger scans a computer, detects, and removes keystroke logger software. If the anti-keylogger finds any keystroke logging program on your computer, it immediately identifies and removes the keylogger, whether it is a legitimate or an illegitimate keystroke logging program.
Zemana AntiLogger and others
It keeps track of who is doing what on your PC. It monitors your PC against the bad guys, prevents any kind of attempt to record or steal your private data, and blocks any kind of suspicious activity.
- GuardedID (https://www.strikeforcecpg.com)
- KeyScrambler (https://www.qfxsoftware.com)
- SpyShelter Free Anti-Keylogger (https://www.spyshelter.com)
- DefenseWall HIPS (http://www.softsphere.com)
- Elite Anti Keylogger (http://www.elite-antikeylogger.com)
How to defend against spyware (diagram)
-
SUPERAntiSpyware Anti Spyware and others
- Identifies potentially unwanted programs and securely removes them
- Detects and removes Spyware, Adware, Malware, Trojans, Dialers, Worms, Keyloggers, Hijackers, Parasites, Rootkits, Rogue security products, and many other types of threats
- Other tools
- Kaspersky Internet Security 2018 (https://www.kaspersky.com)
- SecureAnywhere Internet Security Complete (https://www.webroot.com)
- adaware antivirus free (https://www.adaware.com)
- MacScan (https://www.securemac.com)
- Norton AntiVirus Basic (https://in.norton.com)
- Spybot – Search & Destroy (https://www.safer-networking.org)
- SpyHunter (https://www.enigmasoftware.com)
- Malwarebytes for Windows (https://www.malwarebytes.com)
- Zemana AntiMalware (https://www.zemana.com)
- Hitman Pro (https://www.hitmanpro.com)
- Emsisoft Antimalware (https://www.emsisoft.com)
- Digital Care AntiVirus (http://www.paretologic.com)
- Spyware Terminator 2015 (http://www.pcrx.com)
What is a rootkit?
Rootkits are programs that hide their presence as well as the attacker’s malicious activities, granting them full access to the server or host at that time and also in the future
Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system, causing malicious functions to be executed
A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
A rootkit comprises
backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
An attacker places a rootkit by
- Scanning for vulnerable computers and servers on the web
- Wrapping it in a special package like games
- Installing it on public computers or corporate computers through social engineering
- Launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)
Objectives of Rootkits
- To root the host system and gain remote backdoor access
- To mask attacker tracks and presence of malicious applications or processes
- To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access
- To store other malicious programs on the system and act as a server resource for bot updates
File Attributes and rootkits
All files contain a set of attributes. There are different fields in the file attributes. The first field determines the format of the file, i.e. whether it is a hidden, archive, or read-only file. The other field describes the time of the file’s creation and access, as well as its original length. The functions GetFileAttributesEx() and GetFileInformationByHandle() are used for these purposes. ATTRIB.exe displays or changes the file attributes. An attacker can hide, or even change the attributes of, a victim’s files so that the attacker can access them.
ATTRIB.exe
-
Types of rootkits
Hypervisor Level Rootkit: Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine. Attackers create such rootkits by exploiting hardware features such as Intel VT and AMD-V. These rootkits run in Ring -1
Hardware/Firmware Rootkit: Hides in hardware devices or platform firmware which is not inspected for code integrity
Kernel Level Rootkit: Adds malicious code or replaces original OS kernel and device driver codes
Boot Loader Level Rootkit: Replaces the original boot loader with one controlled by a remote attacker
Application Level Rootkit: Replaces regular application binaries with fake Trojan or modifies the behavior of existing applications by injecting malicious code
Library Level Rootkits: Replaces original system calls with fake ones to hide information about the attacker
bootkit
-
How rootkits work(diagram)
-
How rootkits work(text)
System hooking replaces an original function pointer (in a table such as the SSDT or a DLL's import/export tables) with a pointer into the rootkit's code, so calls are silently redirected. Inline function hooking instead overwrites the first few bytes of a function inside core system DLLs (kernel32.dll, ntdll.dll) with a jump, so that any process calling that function hits the rootkit first; the rootkit filters the results and then hands control back to the original code.
Direct Kernel Object Manipulation (DKOM) rootkits locate kernel memory structures such as the EPROCESS blocks that describe each running process and patch them directly, without hooking any API. By editing these structures a rootkit can hide processes and ports, change privileges, and mislead the Windows Event Viewer. The classic example is process hiding: the rootkit unlinks the target's EPROCESS entry from the kernel's doubly linked list of active processes, so enumeration APIs never return it, while the scheduler, which works from thread structures rather than that list, keeps running it. The required write access to kernel memory is obtained through a driver or, on older Windows versions, by opening the \Device\PhysicalMemory object.
Rootkits: Horse Pill, GrayFish, Sirefef, Necurs
Horse Pill
- Horse Pill is a Linux rootkit that resides inside the "initrd" (the initial ramdisk), from which it infects the system and deceives the system owner using the kernel's container primitives (mount and PID namespaces); it does not patch the kernel itself
- It has three important parts: klibc-horsepill.patch, horsepill_setopt, and horsepill_infect
- Horse Pill is a proof of concept of a ramdisk-based containerizing rootkit. It resides inside the initrd and, before the real init runs, places init into a mount and PID namespace; the rootkit stays outside that namespace, which allows it to run covert processes and keep covert storage the owner cannot see
- This also allows it to run covert networking systems, such as DNS tunnels
GrayFish
- GrayFish is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism, hidden storage, and malicious command execution while remaining invisible
- It injects its malicious code into the boot record which handles the launching of Windows at each step
Sirefef
- Sirefef Rootkit, also known as ZeroAccess, gives attackers full access to your system while using stealth techniques to hide its presence from the affected device
- It hides itself by altering the internal processes of the operating system so that antivirus and anti-spyware software cannot detect it
Necurs
- Necurs contains backdoor functionality, allowing remote access and control of the infected computer
- It monitors and filters network activity and has been observed to send spam and install rogue security software
Which rootkit also allows running covert networking systems, such as DNS tunnels?
Horse Pill
Which rootkit has dnscat bundled with it?
-
What does dnscat do?
-
Grayfish Rootkit does code/data injection into processes with help of ?
ZwOpenProcess, PsLookupProcessByProcessId, KeStackAttachProcess.
Which system function does Grayfish call ?
MmSecureVirtualMemory.
Other popular rootkits
- WingBird Rootkit
- Avatar
- Azazel
- ZeroAccess
- Alureon
Detecting Rootkits
Integrity based detection: compares a snapshot of the file system, boot records or memory against a known-good (trusted) baseline taken before infection; any unexplained change indicates tampering
Signature based detection: compares characteristics of all system processes and executable files with a database of known rootkit fingerprints
Heuristic/behaviour based detection: deviations from the system's normal activity or behavior (for example execution paths that detour through unknown code) may indicate the presence of a rootkit
Runtime execution path profiling: compares the runtime execution paths of system processes and executable files against a profile recorded before infection; hooks lengthen or reroute the path
Cross view based detection: enumerates key elements of the system (files, processes, registry keys) through the normal high-level APIs and again through a low-level method that bypasses those APIs (e.g. reading the raw file system or walking kernel structures), then compares the two data sets; any discrepancy indicates a rootkit
Tripwire
-
AIDE
-
Why is the success of signature-based detection lower for rootkits?
-
What causes heuristic-based detectors to identify rootkits?
Deviations in execution paths caused by hooking (code that detours through unexpected modules)
Cross view-based detection in detail
This detection technique relies on the fact that API hooking or manipulation of kernel data structures taints the data returned by the high-level operating system APIs, while the low-level mechanisms used to obtain the same information are free from DKOM or hook manipulation. Two views of the same object set (files, processes, registry keys) are produced and compared; anything visible only in the low-level view is a candidate hidden object.
Steps for detecting Rootkits examining file system
- Run “dir /s /b /ah” and “dir /s /b /a-h” inside the potentially infected OS and save the results.
- Boot into a clean CD, run “dir /s /b /ah” and “dir /s /b /a-h” on the same drive and save the results
- Run a clean version of WinDiff on the two sets of results; entries that appear only in the listing taken from the clean boot are file-hiding ghostware (invisible from inside, visible from outside)
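The following Python script is an added example (not part of the original flashcards) that performs the comparison WinDiff does in the last step. INSIDE_LISTING and OUTSIDE_LISTING are constructed samples of "dir /s /b" output captured inside the suspect OS and from clean boot media; every path in them is made up.

```python
"""Cross-view detection of hidden files: compare 'dir /s /b' output captured
inside the suspect OS with the same listing captured from clean boot media.

Added example for these flashcards, not a tool from the original material.
The two listings are constructed sample data; every path in them is made up.
"""
from __future__ import annotations

# Listing captured from inside the (possibly rootkitted) operating system.
INSIDE_LISTING = """
C:\\Windows\\System32\\ntoskrnl.exe
C:\\Windows\\System32\\drivers\\tcpip.sys
C:\\Users\\alice\\Documents\\report.docx
C:\\Windows\\Temp\\dir_inside.txt
"""

# Same volume, listed after booting from clean media (no rootkit in the path).
# The drive letter may differ under WinPE, so the parser drops it.
OUTSIDE_LISTING = """
c:\\windows\\system32\\ntoskrnl.exe
c:\\windows\\system32\\drivers\\tcpip.sys
c:\\windows\\system32\\drivers\\hidden_rk.sys
c:\\users\\alice\\documents\\report.docx
c:\\programdata\\svch0st\\loader.dll
"""


def parse_listing(text: str) -> set[str]:
    """Turn raw 'dir /s /b' output into a set of normalised paths.

    NTFS is case-insensitive, and the drive letter can differ between the two
    boots, so paths are lower-cased and the 'X:' prefix is removed.
    """
    paths: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if len(line) >= 2 and line[1] == ":":
            line = line[2:]          # 'c:\...' and 'd:\...' now compare equal
        paths.add(line.rstrip("\\"))
    return paths


def cross_view_diff(inside: str, outside: str) -> tuple[list[str], list[str]]:
    """Return (hidden_from_inside, only_seen_inside).

    hidden_from_inside: present on disk but absent from the in-OS listing,
    the classic signature of file-hiding ghostware.
    only_seen_inside: present in the in-OS listing but not on disk. Usually
    noise (files deleted, or the result file itself written between the two
    runs), but worth a glance.
    """
    seen_inside = parse_listing(inside)
    seen_outside = parse_listing(outside)
    return sorted(seen_outside - seen_inside), sorted(seen_inside - seen_outside)


if __name__ == "__main__":
    hidden, noise = cross_view_diff(INSIDE_LISTING, OUTSIDE_LISTING)
    for p in hidden:
        print("HIDDEN INSIDE OS    :", p)
    for p in noise:
        print("only inside (noise?):", p)
```

Run it against the real saved listings by reading the two text files into the two variables; the "hidden" list is what step 3 asks WinDiff to reveal.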
Steps for detecting Rootkits examining registry
- Run regedit.exe from inside the potentially infected operating system.
- Export HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.
- Boot into a clean CD (such as WinPE).
- Run regedit.exe.
- Create a new key such as HKEY_LOCAL_MACHINE\Temp.
- Load the Registry hives named Software and System from the suspect operating system. The default location will be c:\windows\system32\config\software and c:\windows\system32\config\system.
- Export these Registry hives in text file format. (The Registry hives are stored in binary format; the load and export steps above convert them to text so they can be compared.)
- Launch WinDiff from the CD and compare the two sets of results to detect registry-hiding malware (i.e., keys invisible from inside the running system but visible from outside).
In which cases does manual rootkit detection not work?
Does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, and so on
How to defend against rootkits (image)
-
How to defend against rootkits (text)
-
MD5sum.exe
A common feature of these rootkits is that the attacker needs administrator (root) access to the target system, and the initial attack that gains that access is often noisy. Monitor for the excess network traffic that a new exploit produces. It goes without saying that log analysis is part and parcel of risk management: the attacker may have scripts or tools to cover his or her tracks, but there will usually be other telltale signs (failed logons, odd process starts, new drivers or services, traffic to unknown hosts) that enable proactive countermeasures, not just reactive ones.
A reactive countermeasure is to back up all critical data, excluding the binaries, and perform a fresh clean installation from a trusted source. Checksumming critical code is a good defense against rootkits: MD5sum.exe can fingerprint files so that integrity violations are noticed when changes occur, provided the baseline hashes are stored off the host and the check is run from clean media (a kernel rootkit that hooks file reads can otherwise feed the checker clean bytes). To defend against rootkits, use integrity-checking programs for critical system files.
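The checksum baseline described above, written out as an added Python example (not a tool from the original flashcards). It uses SHA-256 instead of MD5 because MD5 collisions are practical; the procedure is the same. demo() builds a small constructed file tree, baselines it, simulates an intruder trojaning one binary, dropping a library and deleting a file, and then verifies against the baseline.

```python
"""File-integrity baseline and verification, the check MD5sum.exe is used for
on the page, written in Python. Added example for these flashcards, not a tool
from the original material. SHA-256 replaces MD5 because MD5 collisions are
practical; the procedure is otherwise the same.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a stored baseline.

    The baseline must come from trusted storage (read-only media, or a copy
    kept off the host); a baseline left on the compromised box can simply be
    regenerated by the intruder. A kernel-level rootkit that hooks file reads
    can also feed this checker clean bytes, so for a suspect host run the
    verification from clean boot media, not from the running OS.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline, tamper, verify. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_bytes(b"root:$6$constructed$hash:19000:0:99999:7:::\n")

        # Serialise the baseline as JSON; in real use it goes to offline media.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Simulated intrusion: trojan ps (to hide processes), drop a hooking
        # library, remove a file the attacker does not want audited.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary\n")
        (root / "lib").mkdir()
        (root / "lib" / "libhook.so").write_bytes(b"rootkit library\n")
        (root / "etc" / "shadow").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s}: {files}")
```

For a real host, point build_baseline() at the system directories right after a clean install, store the JSON off the machine, and run verify() from rescue media on a schedule.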
Anti-Rootkit Stinger and others
McAfee Stinger is a standalone utility used to detect and remove specific viruses. It helps administrators and users when dealing with an infected system. Stinger performs rootkit scanning, and scan performance optimizations. It detects and removes threats identified under the “Threat List” option under advanced menu options in the Stinger application.
Others
- Avast Free Antivirus (https://www.avast.com)
- TDSSKiller (https://usa.kaspersky.com)
- Malwarebytes Anti-Rootkit (https://www.malwarebytes.com)
- Rootkit Buster (http://www.trendmicro.co.in)
- UnHackMe (http://www.greatis.com)
- Virus Removal Tool (https://www.sophos.com)
- F-Secure Anti-Virus (https://www.f-secure.com)
- Avira Free Antivirus (https://www.avira.com)
- SanityCheck (http://www.resplendence.com)
- Webroot (https://www.webroot.com)
- GMER (http://www.gmer.net)
NTFS Data Stream
- NTFS Alternate Data Streams (ADS) are additional named streams attached to a file on an NTFS volume. Windows and applications use them for metadata (for example the Zone.Identifier "mark of the web" on downloaded files, or document summary properties such as author name and word count); the file's own content lives in the unnamed ::$DATA stream
- ADS lets data be forked into an existing file without changing the file's functionality, its reported size, or how it is displayed by file-browsing utilities
- ADS allows an attacker to store malicious code inside files on an accessible system and execute it without the user noticing
- The stream data is not inside the main file content; the Master File Table (MFT) record for the file lists every data stream the file has and where it lives on disk, so alternate streams are attached to the file through the file table rather than stored in the file's primary stream
- Files carrying an ADS are not revealed by Windows Explorer or a plain dir listing: after attaching a stream, the file size shown is still that of the primary stream regardless of how large the stream is, and the only hint is an updated modification timestamp, which is easy to overlook. From Windows Vista onward, however, dir /R lists named streams and their sizes, and PowerShell's Get-Item -Stream * does the same, so "impossible to detect" holds only for legacy tools
Steps to create NTFS Streams
- Launch c:\>notepad myfile.txt:lion.txt and click ‘Yes’ to create the new file, enter some data and Save the file
- Launch c:\>notepad myfile.txt:tiger.txt and click ‘Yes’ to create the new file, enter some data and Save the file
- View the file size of myfile.txt (It should be zero)
- To view or modify the stream data hidden in step 1 and 2, use the following commands respectively: notepad myfile.txt:lion.txt notepad myfile.txt:tiger.txt
NTFS Stream Manipulation
- Hiding Trojan.exe (malicious program) into Readme.txt (stream): Use the following command to move the contents of Trojan.exe to Readme.txt (stream): c:\>type c:\Trojan.exe >c:\Readme.txt:Trojan.exe The “type” command hides file in an Alternate Data Streams (ADS) behind an existing file. The colon (:) operator tells the command to create or use an ADS.
- Creating a link to the Trojan.exe stream inside the Readme.txt file: after hiding Trojan.exe behind Readme.txt, create a link so the stream can be launched by name: C:\>mklink backdoor.exe Readme.txt:Trojan.exe. mklink creates an NTFS symbolic link (not a shortcut file); creating symbolic links requires the SeCreateSymbolicLinkPrivilege, so by default this needs an elevated prompt
- Executing the Trojan: type C:\>backdoor to run the program hidden behind Readme.txt. backdoor.exe is the link created in the previous step; running it executes the contents of the stream
How to Defend against NTFS Streams
- To delete hidden NTFS streams, move the suspected files to a FAT partition (FAT has no streams, so they are dropped on copy)
- Use third-party file integrity checker such as Tripwire File Integrity Monitor to maintain integrity of NTFS partition files against unauthorized ADS
- Use third-party utilities such as EventSentry or adslist.exe to show and manipulate hidden streams
- Avoid writing important or critical data to alternate data streams
- Use up-to-date antivirus software on your system.
- Enable real-time antivirus scanning to protect against execution of malicious streams
- Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/) to help detect the creation of new data streams
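An added Python example (not from the original flashcards) of the built-in check behind the tools above: on Windows Vista and later, "dir /R" lists named streams, so the output of "dir /R /S C:\ > streams.txt" can be parsed to flag streams that are not the usual Zone.Identifier. DIR_R_OUTPUT is a constructed sample of that format; its file names, and the Trojan.exe stream mirroring the type-redirection trick above, are made up.

```python
"""Spot alternate data streams in 'dir /R' output. Added example for these
flashcards, not a tool from the original material.

Windows Vista and later list streams with 'dir /R'; on a live system run
  dir /R /S C:\\ > streams.txt
and feed the file to find_streams(). DIR_R_OUTPUT below is a constructed
sample of that format; the file names and the 'Trojan.exe' stream are made up.
"""
from __future__ import annotations

import re

DIR_R_OUTPUT = r"""
 Volume in drive C has no label.

 Directory of C:\Users\alice

02/11/2024  09:14 AM    <DIR>          .
02/11/2024  09:14 AM    <DIR>          ..
02/11/2024  09:12 AM             1,024 Readme.txt
                                55,808 Readme.txt:Trojan.exe:$DATA
02/11/2024  09:10 AM               512 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
02/11/2024  09:05 AM            40,960 budget.xlsx
               3 File(s)         42,496 bytes
"""

# 'dir /R' prints each named stream on its own line as
# "<size> <file>:<stream>:$DATA", indented with no date column.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Streams Windows itself writes. Zone.Identifier is the browser "mark of the
# web" present on almost every downloaded file; extend this allowlist for
# your environment rather than suppressing findings blindly.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_streams(dir_output: str) -> list[tuple[str, str, int]]:
    """Return (full_path, stream_name, size_bytes) for every named stream."""
    streams: list[tuple[str, str, int]] = []
    current_dir = ""
    for line in dir_output.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            path = current_dir.rstrip("\\") + "\\" + m.group(2)
            streams.append((path, m.group(3), size))
    return streams


def suspicious_streams(streams: list[tuple[str, str, int]]) -> list[str]:
    """Flag streams off the allowlist, plus oversized allowlisted ones.

    A genuine Zone.Identifier is a few dozen bytes; kilobytes of it means
    someone is using a benign-looking name as a hiding place.
    """
    flagged: list[str] = []
    for path, name, size in streams:
        if name not in BENIGN_STREAMS or size > 4096:
            flagged.append(f"{path}:{name}")
    return flagged


if __name__ == "__main__":
    found = find_streams(DIR_R_OUTPUT)
    for path, name, size in found:
        print(f"{size:>10} {path}:{name}")
    print("suspicious:", suspicious_streams(found))
```

Because the listing comes from the same OS that may be hooked, treat a clean result as weak evidence; combine it with the offline cross-view comparison described earlier for rootkit cases.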
EventSentry or adslist.exe, Tripwire File Integrity Monitor
-
NTFS Stream Detectors
Stream Armor discovers hidden Alternate Data Streams (ADS) and removes them completely from the system
Others
- Stream Detector (http://www.novirusthanks.org)
- Forensic Toolkit (https://www.mcafee.com)
- ADS Manager (https://dmitrybrant.com)
- ADS Scanner (https://www.pointstone.com)
- ADS Spy (http://www.merijn.nu)
- Streams (https://docs.microsoft.com)
- AlternateStreamView (http://www.nirsoft.net)
- ADS Detector (https://sourceforge.net)
- GMER (http://www.gmer.net)
- NTFS-Streams: ADS manipulation tool (https://sourceforge.net)
What is steganography (image)
-
snow tool
snow [-CQS] [-p passwd] [-l line-len] [-f file | -m message] [infile [ outfile]]
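To show what snow's whitespace steganography does, here is an added Python example (not snow itself and not from the original flashcards): it hides each message byte as eight trailing tabs and spaces at the end of a line, where viewers and editors show nothing, and decodes them back. This is a simplified scheme for illustration; snow's real format also compresses, optionally encrypts, and packs bits differently. COVER is a constructed text. The last function is the steganalysis check a reviewer would run: natural text rarely ends lines with runs of mixed tabs and spaces.

```python
"""Whitespace steganography of the kind snow performs: hide bytes in the
trailing spaces and tabs of a text file. Added example for these flashcards;
a simplified scheme written for illustration, not snow's actual encoding.
COVER is constructed sample text.
"""
from __future__ import annotations

COVER = """Meeting moved to Thursday.
Bring the quarterly numbers.
Thanks,
Dana
"""


def ws_encode(cover: str, message: bytes) -> str:
    """Append one byte per line as eight trailing characters: tab = 1, space = 0.

    Existing trailing whitespace is stripped first so the decoder sees only
    our bits; if the message has more bytes than the cover has lines, blank
    carrier lines are appended (a longer message than cover is what snow's
    -l option is there to spread out).
    """
    lines = cover.split("\n")
    if lines and lines[-1] == "":          # text ended with a newline
        lines.pop()
    lines = [ln.rstrip(" \t") for ln in lines]
    while len(lines) < len(message):
        lines.append("")
    for i, byte in enumerate(message):
        bits = format(byte, "08b")
        lines[i] += "".join("\t" if bit == "1" else " " for bit in bits)
    return "\n".join(lines) + "\n"


def ws_decode(stego: str) -> bytes:
    """Recover bytes from lines that end in exactly eight tabs/spaces."""
    out = bytearray()
    for ln in stego.split("\n"):
        trail = ln[len(ln.rstrip(" \t")):]
        if len(trail) == 8:
            out.append(int("".join("1" if c == "\t" else "0" for c in trail), 2))
    return bytes(out)


def trailing_ws_lines(text: str) -> int:
    """Steganalysis check: count lines that carry trailing spaces or tabs."""
    return sum(1 for ln in text.split("\n") if ln != ln.rstrip(" \t"))


if __name__ == "__main__":
    stego = ws_encode(COVER, b"attack at dawn")
    print(stego)                              # looks identical to COVER on screen
    print(ws_decode(stego))                   # the hidden bytes
    print(trailing_ws_lines(COVER), trailing_ws_lines(stego))
```

The detector is the point for defenders: a count of trailing-whitespace lines that jumps from zero to many in a file that "has not changed" is exactly the statistical anomaly the steganalysis methods listed below look for.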
image stego tools
OpenStego
OpenStego is a steganography application that provides the following functions:
- Data Hiding: hides any data within a cover file (e.g. images)
- Watermarking: marks files (e.g. images) with an invisible signature, which can be used to detect unauthorized copying
Others
- QuickStego (http://quickcrypto.com)
- CryptaPix (https://www.briggsoft.com)
- Hide In Picture (https://sourceforge.net)
- gifshuffle (http://www.darkside.com.au)
- PHP-Class Stream Steganography (https://www.phpclasses.org)
- Steganography Studio (http://stegstudio.sourceforge.net)
- OpenPuff (http://embeddedsw.net)
- Virtual Steganographic Laboratory (VSL) (http://vsl.sourceforge.net)
- Red JPEG XT (http://www.totalcmd.net)
- ImageHide (http://www.dancemammal.com)
document stego tools
StegoStick
StegJ (http://stegj.sourceforge.net)
Office XML (https://www.irongeek.com)
SNOW (http://www.darkside.com.au)
Data Stash (http://www.skyjuicesoftware.com)
Hydan (http://www.crazyboy.com)
Texto (http://www.eberl.net)
Video Stego tools
OmniHide Pro
RT Steganography (https://rtstegvideo.sourceforge.net)
StegoStick (https://sourceforge.net)
OpenPuff (http://embeddedsw.net)
MSU StegoVideo (http://www.compression.ru)
Audio stego tools
-
Folder stego tools
GiliSoft File Lock Pro
Folder Lock (http://www.newsoftwares.net)
Hide Folders 5 (https://fspro.net)
WinMend Folder Hidden (http://www.winmend.com)
Invisible Secrets 4 (http://www.invisiblesecrets.com)
Max Folder Secure (http://maxpcsecure.com)
QuickCrypto (http://www.quickcrypto.com)
Universal Shield (http://www.everstrike.com)
Spam Stego tool
-
Stego tools for mobile
- Steganography Master
- Stegais
SPY PIX (https://www.juicybitssoftware.com)
Pixelknot: Hidden Messages (https://guardianproject.info)
Pocket Stego (http://www.talixa.com)
Steganography Image (https://play.google.com)
StegoSec (http://csocks.altervista.org)
StegDroid Alpha (https://play.google.com)
Da Vinci Secret Image (https://play.google.com)
Steg-O-Matic (https://itunes.apple.com)
Secret Tidings (https://play.google.com)
Steganography (https://github.com)
Steganography Application (https://play.google.com)
What is Steganalysis? (image)
-
Two aspects of Steganalysis
Detection (deciding whether a carrier hides a message) and distortion (destroying or altering the hidden message so it cannot be recovered)
Steganalysis Methods/Attacks on Steganography
- Stego-only
- Known-stego
- Known-message
- Known-cover
- Chosen-message
- Chosen-stego
Detecting Steganography (image)
-
Steganography detection tools
Gargoyle Investigator Forensic Pro
Covering Tracks
Once intruders have gained administrator access on a system, they try to cover their tracks to avoid detection
Attackers use the following techniques to cover tracks on the target system:
Disable Auditing: the attacker turns off the auditing features of the target system so that later actions are never recorded
Clearing Logs: the attacker clears or deletes the log entries that correspond to his or her activities
Manipulating Logs: the attacker edits logs so that the record no longer incriminates him or her in legal proceedings
In detail
Attackers may prefer not to delete an entire log to cover their tracks, because that requires administrative privileges and is itself conspicuous: clearing the Security log writes event ID 1102 (clearing the other logs writes event ID 104), which a SIEM can alert on. If attackers can delete only the event entries that record the attack, they still escape detection while the log looks intact.
Which EVT files generally are deleted
SecEvent.Evt (security: failed logons, access to objects without sufficient privilege, policy changes), SysEvent.Evt (system) and AppEvent.Evt (application). These .EVT files belong to Windows NT/2000/XP/2003; Windows Vista and later store the logs as .evtx files under %SystemRoot%\System32\winevt\Logs
Disabling Auditing: Auditpol
Auditpol.exe is the command line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.
C:\>auditpol \
C :\>auditpol \ /disable
The moment that intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they turn auditing back on with the same tool (auditpol.exe) so that the gap is less obvious. Note for defenders: the policy change is itself recorded as event ID 4719 (System audit policy was changed) when policy-change auditing is enabled, so a 4719 followed by a silent period and another 4719 is a strong indicator.
Attackers can use AuditPol to view defined auditing settings on the target computer, running the following command at the command prompt: auditpol /get /category:*
Clearing logs
Attackers use the Clear_Event_Viewer_Logs.bat or clearlogs.exe utility to clear the security, system, and application logs
If the system was exploited with Metasploit, the attacker uses the meterpreter shell to wipe all the logs from a Windows system
Steps to clear logs using Clear_Event_Viewer_Logs.bat utility
- Download the Clear_Event_Viewer_Logs.bat utility from the https://www.tenforums.com
- Unblock the .bat file
- Right click or press and hold on the .bat file, and click/tap on Run as administrator.
- If prompted by UAC, click/tap on Yes.
- A command prompt will now open to clear the event logs. The command prompt will automatically close when finished.
Steps to clear logs using clearlogs.exe utility
- Download the clearlogs.exe utility from http://www.ntsecurity.nu
- Run clearlogs.exe from the command prompt, and clear the security, system, and application logs using the following options
- C:\clearlogs.exe -app (clears the Application log)
- C:\clearlogs.exe -sec (clears the Security log)
- C:\clearlogs.exe -sys (clears the System log)
Steps to clear logs using meterpreter shell
If the system was exploited with Metasploit, the attacker uses a meterpreter shell to wipe all the logs from a Windows system:
- Launch the meterpreter shell prompt of the Metasploit Framework.
- Type the clearev command at the meterpreter prompt and press Enter. The Application, System and Security logs of the target system are cleared.
Clear_Event_Viewer_Logs.bat
-
meterpreter shell to wipe out all the logs
-
Manually clearing event logs
- Windows
- Navigate to Start->Control Panel->System and Security->Administrative Tools->double click Event Viewer
- Clear the logs covering the period of the compromise. Event Viewer only offers "Clear Log...", which empties the whole log (and records event ID 1102 or 104); deleting individual entries requires editing the .evtx files offline
- Linux
- Navigate to the /var/log directory on the Linux system
- Open the plain-text files containing log messages (e.g. /var/log/messages, /var/log/auth.log, /var/log/secure) with a text editor
- Delete the log entries written while the system was being compromised
Ways to clear Online Tracks (image)
-
What can attackers do to clear their online tracks?
- Use private browsing
- Delete history in the address field
- Disable stored history
- Delete private data
- Clear cookies on exit
- Clear cache on exit
- Delete downloads
- Disable password manager
- Clear data in password manager
- Delete saved sessions
- Delete user JavaScript
- Set up multiple users
- Remove Most Recently Used (MRU)
- Clear Toolbar data from the browsers
- Turn off AutoComplete
Covering BASH Shell Tracks
- Bash is an sh-compatible shell that stores command history in a file called ~/.bash_history (written when the shell exits, or earlier with history -a/-w)
- You can view the saved command history using the more ~/.bash_history command
Attackers use the following commands to clear the saved command history tracks:
- Disabling history
- export HISTSIZE=0 (the current shell keeps no commands in memory, so nothing is written out at exit; unset HISTFILE has a similar effect)
- Clearing the history
- history -c (clears the in-memory history list of the current shell)
- history -w (writes the in-memory list to ~/.bash_history; run after history -c it overwrites the file with an empty list)
- Clearing the user's complete history
- cat /dev/null > ~/.bash_history && history -c && exit
- Shredding the history
- shred ~/.bash_history (overwrites the history file in place, making its content unreadable; not reliable on journaling, copy-on-write or SSD-backed filesystems)
- shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit (shreds the history file, truncates it, and clears the in-memory list so the shred command itself is never written)
Covering Tracks on network (2 images)
-
Covering Tracks on network (text top level)
- Using Reverse HTTP Shells
- Using Reverse ICMP Tunnels
- Using DNS Tunneling
- Using TCP Parameters
Covering Tracks on OS
Windows
NTFS has a feature called Alternate Data Streams that lets attackers hide a file behind another, normal-looking file. The steps below hide a file using NTFS streams:
- Open an elevated command prompt
- Type the command "type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt" (SecretFile.txt is now stored in a stream attached to LegitFile.txt on the C drive; delete the original C:\SecretFile.txt afterwards, otherwise nothing is hidden)
- To view the hidden content, type "more < C:\LegitFile.txt:SecretFile.txt" (you need to know the stream name)
Unix
Files in UNIX can be hidden simply by prefixing the file name with a dot (.). Every directory also contains two special entries, the current directory (.) and the parent directory (..); attackers pick look-alike names such as ". " (a dot followed by a space) or "..." that blend in with those entries. Such hidden files are usually placed in directories like /dev, /tmp or /etc.
An attacker can also edit the log files to cover their tracks. However, hiding files this way can itself leave a trace, because the commands used to create or open the file are recorded in ~/.bash_history. A careful attacker avoids that by first running export HISTSIZE=0 so the shell records nothing.
export HISTSIZE=0
-
Covering Tracks Tools
CCleaner cleans traces of temporary files, log files, registry files, memory dumps, and also your online activities such as your Internet history
- Internet Explorer: Temporary files, history, cookies, Autocomplete form history, index.dat.
- Firefox: Temporary files, history, cookies, download history, form history
- Google Chrome: Temporary files, history, cookies, download history, form history
- Opera: Temporary files, history, and cookies
- Safari: Temporary files, history, cookies, form history
- Windows: Recycle Bin, Recent Documents, Temporary files and Log files.
Others
DBAN (https://dban.org)
Privacy Eraser (http://www.cybertronsoft.com)
Wipe (https://privacyroot.com)
BleachBit (https://www.bleachbit.org)
ClearProg (http://www.clearprog.de)
AVG TuneUp (https://www.avg.com)
Norton Utilities (https://in.norton.com)
Glary Utilities (http://www.glarysoft.com)
Clear My History (https://www.hide-my-ip.com)
WinTools.net Professional (http://www.wintools.net)
Free Internet Window Washer (http://www.eusing.com)
Pen test Privilege Escalation (image)
-
Pen test Executing Applications (image)
-
Pen test Hiding Files (image)
-
Pen test Covering Tracks (image)
-