Module006SystemHacking Flashcards

Question

Why its not easy to implement mitm attacks

Answer 1

This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks because of the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.

Answer 2

Reply Attack.

Answer 3

A rainbow table attack uses the cryptanalytic time-memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the cryptography. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance.

Answer 4

Dictionary files brute force lists and their hashes

Answer 5

Due to thier smaller keyspace and shorter length

Answer 6

Keystreching and random salting

Answer 7

**rtgen** The rtgen program needs several parameters to generate a rainbow table. Syntax for the command line is http://project-rainbowcrack.com rtgen hash\_algorithm charset plaintext\_len\_min plaintext\_len\_max table\_index chain\_len chain\_num part\_index **Winrtgen** is a graphical rainbow table generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes http://www.oxid.it

Answer 8

Winrtgen supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes.

Answer 9

A Distributed Network Attack (DNA) is a technique used for recovering password-protected files that utilizes the unused processing power of machines across the network to decrypt passwords.

Answer 10

* Reads statistics and graphs easily * Adds user dictionaries to crack the password * Optimizes password attacks for specific languages * Modifies the user dictionaries * Comprises the stealth client installation functionality * Automatically updates client while updating the DNA server

Answer 11

* Windows uses the Security Accounts Manager (SAM) database or Active Directory Database to manage user accounts and passwords in the hashed format (one-way hash * The system implements SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive file system lock on the SAM file.

Answer 12

NTLM (NT LAN Manager) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works correctly in every situation. It has been on some Windows installations, where it worked successfully. NTLM authentication consists of two protocols: NTLM authentication protocol and LM authentication protocol. These protocols use different hash methodology to store users’ passwords in the SAM database.

Answer 13

* secret-key cryptography * mutual authentication * KDC trusted 3rd party =\> AS, TGS * Stronger for client server authentication than NTLM

Answer 14

NTLM supersedes the LM hash, which is susceptible to cracking. New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hash by default.

Answer 15

It is not possible to calculate LM hashes for passwords exceeding 14 characters in length.

Answer 16

LM, NTLMv1, NTLMv2 In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft negotiated Security Support Provider (SSP).

Answer 17

* The authorization mechanism of Kerberos provides the user with a Ticket Granting Ticket (TGT) that serves post-authentication for later access to specific services, Single Sign-On by which the user need not re-enter the password again for accessing any authorized services. * It is important to note that there is no direct communication between the application servers and Key Distribution Center (KDC); the service tickets, even if packed by TGS, reach the service only through the client willing to access them.

Answer 18

Password salting is a technique where random string of characters are added to the password before calculating their hashes Advantage: Salting makes it more difficult to reverse the hashes and defeat pre-computed hash attacks

Answer 19

Windows password hashes are not salted

Answer 20

In cryptography, a “salt” consists of random data bits used as an input to a one-way function, the other being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A salt combines with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password. This makes cracking the passwords difficult.

Answer 21

* **pwdump7** extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database * **gdump** works like pwdump but also extracts cached credentials and allows remote network execution fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -p l4mep4ssw0rd Dumps a remote machine (192.168.0.10) using a specified user

Answer 22

* Password cracking tools allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. * **L0phtCrack :** L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and networks monitoring and decoding * **ophcrack :** ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms * **RainbowCrack :** RainbowCrack cracks hashes with rainbow tables. It uses time-memory tradeoff algorithm to crack hashes.

Answer 23

Cain & Abel (http://www.oxid.it)  Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)  Windows Password Key (https://www.lostwindowspassword.com)  hashcat (https://hashcat.net)  Passware Kit Forensic (https://www.passware.com)  John the Ripper (http://www.openwall.com)  THC-Hydra (https://github.com)  InsidePro (http://www.insidepro.com)  HashKiller.co.uk (https://hashkiller.co.uk)  LSASecretsView (http://www.nirsoft.net)  Password Cracker (http://www.amlpages.com)  Windows Password Recovery (https://www.passcape.com)  Password Recovery Bundle (https://www.top-password.com)  JRecoverer Database Bundle(http://www.lcpsoft.com)  Hash Suite (http://hashsuite.openwall.net)  Medusa (http://foofus.net)  Password Unlocker Bundle (https://www.passwordunlocker.com)  Offline NT Password & Registry Editor (https://pogostick.net)

Answer 24

1. Enable information security audit to monitor and track password attacks 2. Do not use the same password during password change 3. Do not share passwords 4. Do not use passwords that can be found in a dictionary 5. Do not use clear text protocols and protocols with weak encryption 6. Set password change policy to 30 days 7. Avoid storing passwords in an unsecured location 8. Do not use any systems default passwords 9. Make password guess hard by using 8 to 12 alpha numerical characters in combination of uppercase lowercase letters numbers and symbols 10. Ensure that applications neither store passwords to memory nor write them to disk in their text 11. Use random string salt as prefix or suffix in password before encrypting 12. Use SYSKEY with strong password to encrypt and protect SAM database 13. Never use passwords such as birth of date spouse of child’s or pets name 14. Monitor server logs for brute force attack on user accounts 15. Lockout an account subject to do many incorrect password guesses

Answer 25

OS X similar to windows is vulnerable to dynamic library attacks. OS X provides several legitimate methods such as setting the DYLD\_INSERT\_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. OS X allows loading of weak dylibs (dynamic library) dynamically, which allows an attacker to place a malicious dylib in the specified location. In many cases, the loader searches for dynamic libraries in multiple paths. This helps an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime. Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc.

Answer 26

For example, Windows Administrators have to log on as a normal user and need to run their tools with admin privileges using token manipulation command “runas”. Attackers can take advantage of this to access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities by evading detection.

Answer 27

%WINDIR%\AppPatch\sysmain.sdb hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb

Answer 28

UAC(RedirectEXE), inject malicious DLLs(InjectDLL), capture memory addresses (GetProcAddress) Disabling windows defender, privilage escalation, installing backdoors

Answer 29

File System Permission Weakness

Answer 30

1. Restrict the interactive logon privileges 2. Use encryption technique to protect sensitive data 3. Run users and applications on the least privileges 4. Reduce the amount of code that runs with particular privilege 5. Implement multi-factor authentication and authorization 6. Perform debugging using bounds checkers and stress tests 7. Run services as unprivileged accounts 8. Test operating system and application coding errors and bugs thoroughly 9. Implement a privilege separation methodology to limit the scope of programming errors and bugs 10. Patch and update the kernel regularly 11. Change UAC settings to “Always Notify”, so that it increases the visibility of the user when UAC elevation is requested 12. Restrict users from writing files to the search paths for applications 13. Continuously monitor file system permissions using auditing tools 14. Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes 15. Use whitelisting tools to identify and block malicious software that changes file, directory, and service permissions 16. Use fully qualified paths in all the Windows applications 17. Ensure that all executables are placed in write-protected directories 18. In MAC operating systems, prevent plist files from being altered by users making them read-only 19. Block unwanted system utilities or software that may be used to schedule tasks 20. Patch and update the web servers regularly 21. Disable the default local administrator account

Answer 31

Once attackers gain higher privileges on the target system by trying various privilege escalation attempts, they may attempt to execute a malicious application by exploiting a vulnerability to execute arbitrary code. * Attackers execute malicious applications in this stage. This is called “owning” the system * Attacker executes malicious programs remotely in the victim’s machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install backdoor to maintain easy access, etc.

Answer 32

1. steal personal information 2. gain unauthorized access to system resources 3. crack passwords 4. capture screenshots 5. install a backdoor for maintaining easy access, and so on.

Answer 33

1. Backdoors-Program designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources. 2. Crackers-Piece of software or program designed for cracking a code or passwords. 3. Keyloggers-This can be hardware or a software type. In either case, the objective is to record each keystroke made on the computer keyboard. 4. Spyware-Spy software may capture the screenshots and send them to a specified location defined by the hacker. To this purpose, attackers have to maintain access to victims’ computers. After deriving all the requisite information from the victim’s computer, the attacker installs several backdoors to maintain easy access to it in the future.

Answer 34

Its a tool for executing applications RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network. It allows an attacker to modify the registry, change local admin passwords, disable local accounts, and copy/ update/delete files and folders.

Answer 35

1.  PDQ Deploy (https://www.pdq.com) 2.  Dameware Remote Support (https://www.dameware.com) 3.  ManageEngine Desktop Central (https://www.manageengine.com) 4.  PsExec (https://docs.microsoft.com) 5.  TheFatRat (https://github.com)

Answer 36

**Remote MSI package Installation:** RemoteExec can remotely deploy applications developed using .msi format to a number of Windows systems by specifying the path of .msi file that the attacker wants to deploy, and then choosing the action (install/uninstall/repair/update) to perform. **Remote Execution:** RemoteExec allows remote execution of programs (.exe, .bat, .cmd), scripts (.vbs, .js) and files associated to executables (.txt, .doc, .wav, .reg, .inf, .msi, etc.). **Registry Modification:** RemoteExec allows the remote modification of the registry on all Windows systems throughout the network, or of a specific subset of computers. You just have to indicate the path to the .reg, select the target systems and launch with a click. **File Operations:** RemoteExec allows copying, updating, or deleting files and folders on Windows systems throughout the network. **Password and Local Account Management:** RemoteExec allows remotely changing the Local Administrator Password and disabling all other local accounts to reinforce security. **Interaction with Remote Systems:** RemoteExec enables you to remotely power off, reboot or shutdown systems, wake up computers equipped with Wake-On-LAN technology, and lock or close user sessions.

Answer 37

Softwre cannot detect it. not OS dependent

Answer 38

* KeyGrabber * KeyCarbon (http://www.keycarbon.com) * Keyllama Keylogger (https://Keyllama.com) * Keyboard logger (https://www.detective-store.com) * KeyGhost (http://www.keyghost.com) * KeyCobra (http://www.keycobra.com) * KEYKatcher (https://keykatcher.com)

Answer 39

*  Spyrix Personal Monitor (http://www.spyrix.com) *  SoftActivity Activity Monitor (https://www.softactivity.com) *  Elite Keylogger (https://www.elitekeyloggers.com) *  Keylogger Spy Monitor (http://ematrixsoft.com) *  Micro Keylogger (https://www.microkeylogger.com) *  REFOG Personal Monitor (https://www.refog.com) *  Revealer Keylogger (https://www.logixoft.com) *  Realtime-Spy (http://www.realtime-spy.com) *  StaffCop Standard (https://www.staffcop.com) *  Ardamax Keylogger (https://www.ardamax.com) *  Ultimate Keylogger (http://www.ultimatekeylogger.com) *  Powered Keylogger (http://www.mykeylogger.com) *  Actual Keylogger (http://www.actualkeylogger.com) *  Spytector (https://www.spytector.com) *  Spy Keylogger (http://www.spy-key-logger.com) *  KidLogger (https://kidlogger.net) *  Advanced Keylogger (http://www.mykeylogger.com) *  KeyProwler (https://keyprowler.com)  Keylogger (https://github.com)

Answer 40

* Capture all keystrokes (keystrokes logger) * Record instant messages * Monitor application usage * Capture desktop activity and take screenshots * Quick search over the log * Send reports via email, FTP, network * Record microphone sounds * Generate and send HTML reports * Disable anti keyloggers and unwanted software * Filter monitored user accounts * Block unwanted URLs * Stop logging when the computer is idle

Answer 41

o Logs typed passwords o Logs keystrokes and chat conversations o Records websites and takes screenshots o Logs the Mac’s IP address o Automatically runs at startup stealthily o Enables you to apply settings to all users with one click

Answer 42

*  Elite Keylogger (https://www.elite-keylogger.net) *  Aobo Mac OS X KeyLogger (https://www.keylogger-mac.com) *  KidLogger for MAC (http://kidlogger.net) *  Perfect Keylogger for Mac (http://www.blazingtools.com) *  MAC Log Manager (http://www.keylogger.in) *  Award Keylogger for Mac (http://www.award-soft.com) *  Aobo Keylogger for Mac (https://aobo.cc) *  REFOG Keylogger for MAC (https://www.refog.com) *  FreeMacKeylogger (http://www.hwsuite.com) *  Spyrix Keylogger For Mac OS (http://www.spyrix.com) *  SniperSpy Mac (http://www.sniperspymac.com) *  Net Nanny for Mac (https://www.netnanny.com) *  Keyboard Spy Logger (http://alphaomega.software.free.fr) *  Keylogger (https://github.com)

Answer 43

1. Spyware is a stealthy program that **records user's interaction** with the computer and Internet without the user's knowledge and sends them to the remote attackers 2. Spyware **hides its process,** files, and other objects in order to avoid detection and removal 3. It is similar to Trojan horse, which is usually bundled as a **hidden component of freeware programs** that can be available on the Internet for download 4. It allows attacker to **gather information about a victim or organization** such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.

Answer 44

1. Drive-by download 2. Masquerading as anti-spyware 3. Web browser vulnerability exploits 4. Piggybacked software installation 5. Browser add-ons 6. Cookies

Answer 45

1. Steals users’ personal information and sends it to a remote server or hijacker 2. Monitors users’ online activity 3. Displays annoying pop-ups 4. Redirects a web browser to advertising sites 5. Changes the browser's default setting and prevents the user from restoring 6. Adds several bookmarks to the browser's favorites list 7. Decreases overall system security level 8. Reduces system performance and causes software instability 9. Connects to remote pornography sites 10. Places desktop shortcuts to malicious spyware sites 11. Steals your passwords 12. Sends you targeted email 13. Changes the home page and prevents the user from restoring 14. Modifies the dynamically linked libraries (DLLs) and slows down the browser 15. Changes firewall settings 16. Monitors and reports websites you visit

Answer 46

Types of Spyware 1. Desktop 2. Email 3. Internet 4. Child-Monitoring 5. Screen Capturing 6. USB 7. Audio 8. Video 9. Print 10. Telephone Cellphone 11. GPS

Answer 47

Spytech SpyAgent allows you to monitor everything users do on your computer

Answer 48

Power Spy secretly monitors and records all activities on your computer

Answer 49

Anti-keyloggers, also called anti-keystroke loggers, detect and disable keystroke logger software. Anti-keylogger’s special design helps them to detect software keyloggers. Many large organizations, financial institutions, online gaming industries, as well as individuals use anti-keyloggers for protecting their privacy while using systems. This software prevents a keylogger from logging every keystroke typed by the victim and thus keeps all personal information safe and secure. An anti-keylogger scans a computer, detects, and removes keystroke logger software. If the software (anti-keylogger) finds any keystroke logging program on your computer, it immediately identifies and removes the keylogger, whether it is legitimate keystroke logging program or an illegitimate keystroke logging program.

Answer 50

It keeps track of who is doing what on your PC. It monitors your PC against the bad guys and prevents any kind of attempts to record or steal your private data and blocks any kind of suspicious activit  GuardedID (https://www.strikeforcecpg.com)  KeyScrambler (https://www.qfxsoftware.com)  SpyShelter Free Anti-Keylogger (https://www.spyshelter.com)  DefenseWall HIPS (http://www.softsphere.com)  Elite Anti Keylogger (http://www.elite-antikeylogger.com)

Answer 51

1. Identify potentially unwanted programs and securely removes them 2. Detect and remove Spyware, Adware, Malware, Trojans, Dialers, Worms, Keyloggers, Hijackers, Parasites, Rootkits, Rogue security products, and many other types of threats 3. Other tools 1. Kaspersky Internet Security 2018 (https://www.kaspersky.com) 2. SecureAnywhere Internet Security Complete (https://www.webroot.com) 3. adaware antivirus free (https://www.adaware.com) 4. MacScan (https://www.securemac.com) 5. Norton AntiVirus Basic (https://in.norton.com) 6. Spybot – Search & Destroy (https://www.safer-networking.org) 7. SpyHunter (https://www.enigmasoftware.com) 8. Malwarebytes for Windows (https://www.malwarebytes.com) 9. Zemana Anitmalware (https://www.zemana.com) 10. Hitman Pro (https://www.hitmanpro.com) 11. Emsisoft Antimalware (https://www.emsisoft.com) 12. Digital Care AntiVirus (http://www.paretologic.com) 13. Spyware Terminator 2015 (http://www.pcrx.com)

Answer 52

Rootkits are programs that **hide their presence** as well as attacker’s malicious activities, granting them full access to the server or host at that time and also in future Rootkits replace certain operating system calls and utilities with its own **modified versions** of those routines that in turn undermine the security of the target system causing **malicious functions** to be executed A typical rootkit comprises of backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Answer 53

backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Answer 54

Scanning for **vulnerable** computers and servers on the web **Wrapping** it in a special package like games Installing it on the public computers or corporate computers through social engineering Launching **zero day attack** (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)

Answer 55

1. To root the host system and gain remote backdoor access 2. To mask attacker tracks and presence of malicious applications or processes 3. To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access 4. To store other malicious programs on the system and act as a server resource for bot updates

Answer 56

All files contain a set of attributes. There are different fields in the file attributes. The first field determines the format of the file, if it is a hidden, archive, or read-only file. The other field describes the time of the file creation, access, as well as its original length. The functions **GetFileAttributesEx()** and **GetFileInformationByHandle()** are used for these purposes. ATTRIB.exe displays or changes the file attributes. An attacker can hide, or even change the attributes of a victim’s files, so that the attacker can access them.

Answer 57

**Hypervisor Level Rootkit:** Acts as a **hypervisor** and modifies the **boot sequence** of the computer system to load the host operating system as a virtual machine. rootkits by exploiting hardware features such as **Intel VT and AMD-V**. These **rootkits runs in Ring-1** **Hardware/Firmware Rootkit:** Hides in hardware devices or platform firmware which is not inspected for code integrity **Kernel Level Rootkit:** Adds malicious code or replaces original OS kernel and device driver codes **Boot Loader Level Rootkit:** Replaces the original boot loader with one controlled by a remote attacker **Application Level Rootkit:** Replaces regular application binaries with fake Trojan or modifies the behavior of existing applications by injecting malicious code **Library Level Rootkits:** Replaces original system calls with fake ones to hide information about the attacker

Answer 58

System hooking is a process of changing and replacing the original function pointer with the pointer provided by the rootkit in stealth mode. **Inline function hooking is a technique** where a rootkit changes some of the bytes of a function inside the core system DLLs (kernel32.dll and ntdll. dll), placing an instruction so that any process calls hit the rootkit first. Direct Kernel Object Manipulation (DKOM) rootkits are able to locate and manipulate the “system” process in kernel memory structures and patch it. This can also hide processes and ports, change privileges, and misguide the Windows event viewer without any problem by manipulating the list of active processes of the operating system, altering data inside the PROCESS IDENTIFIERS structures. It has an ability to obtain read/write access to the \Device\Physical Memory object. It hide a process by unlinking it from the process list.

Answer 59

Horse Pill * Horse Pill is Linux kernel rootkit that resides inside the “initrd” using which it infects the system and deceives the system owner with the use of container primitives * It has three important parts; klibc-horsepill.patch, horsepill\_setopt, and horsepill\_infect * Horse Pill is a PoC of a ramdisk based containerizing root kit. It resides inside the initrd, and prior to the actual init running, it puts it into a mount and pid namespace that allows it to run covert processes and covert storage. * This also allows it run covert networking systems, such as dns tunnels. GrayFish * GrayFish is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism, hidden storage, and malicious command execution while remaining invisible * It injects its malicious code into the boot record which handles the launching of Windows at each step Sirefef * Sirefef Rootkit or ZeroAccess gives attackers full access to your systemwhile using stealth techniques in order to hide its presence from the affected device It hides itself by altering the internal processes of an operating system so that your antivirus and anti-spyware can't detect it * It hides itself by **altering the internal processes** of an operating system so that your antivirus and anti-spyware can't detect it Necurs * Necurs contains backdoor functionality, allowing **remote access** and control of the infected computer * It monitors and filters **network activity** and has been observed to send spam and install rogue security software

Answer 60

ZwOpenProcess, PsLookupProcessByProcessId, KeStackAttachProcess.

Answer 61

MmSecureVirtualMemory.

Answer 62

* WingBird Rootkit * Avatar * Azazel * ZeroAccess * Alureon

Answer 63

**Integrity based detection:** it compares a snapshot of the **file system, boot records or memory** with a non-trusted baseline **Signature based detection:** This technique compares characteristics of all **system processes** and **executable files** with a database of known rootkit fingerprints. **Heuristic behaviour based detection:** **Any deviations in the system’s normal activity** or behavior may indicate the presence of rootkit **Runtime execution path profiling:** This technique compares **runtime execution paths** of all system processes and executable files before and after the rootkit infection **Cross view based detect:** Enumerates key elements in the computer system such as **system files**, **processes**, and **registry keys** and compares them to an **algorithm** used to generate a similar data set that does not rely on the common APIs. Any discrepancies between these two data sets indicate the presence of rootkit

Answer 64

Execution path hooking deviant

Answer 65

This detection technique relies upon the fact that the API hooking or manipulation of kernel data structure taints the data returned by the operating system APIs, with the low-level mechanisms used to output the same information free from DKOM or hook manipulation.

Answer 66

1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results. 2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive and save the results 3. Run a clean version of WinDiff on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside)

Answer 67

1. Run regedit.exe from inside the potentially infected operating system. 2. Export HKEY\_LOCAL\_MACHINE\SOFTWARE and HKEY\_LOCAL\_MACHINE\SYSTEM hives in text file format. 3. Boot into a clean CD (such as WinPE). 4. Run regedit.exe. 5. Create a new key such as HKEY\_LOCAL\_MACHINE\Temp. 6. Load the Registry hives named Software and System from the suspect operating system. The default location will be c:\windows\system32\config\software and c:\windows\system32\config\system. 7. Export these Registry hives in text file format. (The Registry hives are stored in binary format and Steps 6 and 7 convert the files to text.) 8. Launch WinDiff from the CD, and compare the two sets of results to detect file-hiding malware (i.e., invisible inside, but visible from outside).

Answer 68

Does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, and so on

Answer 69

A common feature of these rootkits is that the attacker requires administrator access to the target system. The initial attack that leads to this access is often noisy. Monitor the excess network traffic that arises in the face of a new exploit. It goes without saying that log analysis is a part and parcel of risk management. The attacker may have shell scripts or tools that can help him or her cover his or her tracks, but surely there will be other telltale signs that can lead to proactive countermeasures, not just reactive ones. A reactive countermeasure is to back up all critical data excluding the binaries, and go for a fresh clean installation from a trusted source. One can do code check summing as a good defense against tools like rootkits. MD5sum.exe can fingerprint files and note integrity violations when changes occur. To defend against rootkits, use integrity checking programs for critical system files.

Answer 70

McAfee Stinger is a standalone utility used to detect and remove specific viruses. It helps administrators and users when dealing with an infected system. Stinger performs rootkit scanning, and scan performance optimizations. It detects and removes threats identified under the "Threat List" option under advanced menu options in the Stinger application. Others * Avast Free Antivirus (https://www.avast.com) * TDSSKiller (https://usa.kaspersky.com) * Malwarebytes Anti-Rootkit (https://www.malwarebytes.com) * Rootkit Buster (http://www.trendmicro.co.in) * UnHackMe (http://www.greatis.com) * Virus Removal Tool (https://www.sophos.com) * F-Secure Anti-Virus ([https://www.f-secure.com](https://www.f-secure.com)) * Avira Free Antivirus (https://www.avira.com) * SanityCheck (http://www.resplendence.com) * Webroot (https://www.webroot.com)  GMER (http://www.gmer.net)

Answer 71

1. NTFS Alternate Data Stream (ADS) is a **Windows hidden stream** which contains metadata for the file such as attributes, word count, author name and access, and modification time of the files 2. ADS is the ability to **fork data into existing files** without changing or altering their functionality, size, or display to file browsing utilities 3. ADS allows an attacker to **inject malicious code** in files on an accessible system and execute them without being detected by the user 4. Alternate Data Stream (ADS) is any kind of data attached to a file, but not in the file on an NTFS system. The Master File Table of the partition will contain a list of all the data streams that a file contains, and where their physical location on the disk is. Therefore, alternate data streams are not present in the file, but attached to it through the file table. NTFS Alternate Data Stream (ADS) is a Windows hidden stream that contains metadata for the file such as attributes, word count, author name, and access and modification time of the files. 5. Files with ADS are impossible to detect using native file browsing techniques like the command line or Windows Explorer. After attaching an ADS file to the original file, the size of the file will show as the original size of the file regardless of the size of the ADS added file. The only indication that the file was changed is the modification timestamp, which can be relatively innocuous.

Answer 72

1. Launch c:\\>notepad myfile.txt:lion.txt and click ‘Yes’ to create the new file, enter some data and Save the file 2. Launch c:\\>notepad myfile.txt:tiger.txt and click ‘Yes’ to create the new file, enter some data and Save the file 3. View the file size of myfile.txt (It should be zero) 4. To view or modify the stream data hidden in step 1 and 2, use the following commands respectively: notepad myfile.txt:lion.txt notepad myfile.txt:tiger.txt

Answer 73

1. **Hiding Trojan.exe (malicious program) into Readme.txt (stream):** Use the following command to move the contents of Trojan.exe to Readme.txt (stream): c:\\>type c:\Trojan.exe \>c:\Readme.txt:Trojan.exe The “type” command hides file in an Alternate Data Streams (ADS) behind an existing file. The colon (:) operator tells the command to create or use an ADS. 2. **Creating a link to the Trojan.exe stream inside the Readme.txt file:** After hiding the file Trojan.exe behind the Readme.txt file, you need to create a link to launch the Trojan.exe file from the stream. This creates a shortcut for Trojan.exe in the stream. C:\\>mklink backdoor.exe Readme.txt:Trojan.exe 3. **Executing the Trojan:** Type C:\\>backdoor to run the Trojan that you have hidden behind Readme.txt. Here, the backdoor is the shortcut created in the previous step, which on execution installs the Trojan.

Answer 74

* **To delete hidden NTFS streams, move the suspected files to FAT partition** * Use third-party file integrity checker such as **Tripwire File Integrity Monitor** to maintain integrity of NTFS partition files against unauthorized ADS * Use third-party utilities such as **EventSentry or adslist.exe** to show and manipulate hidden streams * Avoid writing important or critical data to alternate data streams * Use up-to-date antivirus software on your system. * Enable real-time antivirus scanning to protect against execution of malicious streams * Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory)to help detect creation of additional or new data streams.

Answer 75

**Stream Armor** Stream Armor discovers hidden Alternate Data Streams (ADS) and cleans them completely from the system Others * Stream Detector (http://www.novirusthanks.org) * Forensic Toolkit (https://www.mcafee.com) * ADS Manager (https://dmitrybrant.com) * ADS Scanner (https://www.pointstone.com) * ADS Spy (http://www.merijn.nu) * Streams (https://docs.microsoft.com) * AlternateStreamView (http://www.nirsoft.net) * ADS Detector (https://sourceforge.net) * GMER (http://www.gmer.net) * NTFS-Streams: ADS manipulation tool (https://sourceforge.net)

Answer 76

snow [-CQS] [-p passwd] [-l line-len] [-f file | -m message] [infile [ outfile]]

Answer 77

OpenStego OpenStego is a steganography application that provides following functions. o Data Hiding: It can hide any data within a cover file (e.g. images) o Watermarking: Watermarking files (e.g. images) with an invisible signature. It can be used to detect unauthorized file copying. Others *  QuickStego (http://quickcrypto.com) *  CryptaPix (https://www.briggsoft.com) *  Hide In Picture (https://sourceforge.net) *  gifshuffle (http://www.darkside.com.au) *  PHP-Class Stream Steganography (https://www.phpclasses.org) *  Steganography Studio (http://stegstudio.sourceforge.net) *  OpenPuff (http://embeddedsw.net) *  Virtual Steganographic Laboratory (VSL) (http://vsl.sourceforge.net) *  Red JPEG XT (http://www.totalcmd.net) *  ImageHide (http://www.dancemammal.com)

Answer 78

StegoStick  StegJ (http://stegj.sourceforge.net)  Office XML (https://www.irongeek.com)  SNOW (http://www.darkside.com.au)  Data Stash (http://www.skyjuicesoftware.com)  Hydan (http://www.crazyboy.com)  Texto (http://www.eberl.net)

Answer 79

OmniHide Pro  RT Steganography (https://rtstegvideo.sourceforge.net)  StegoStick (https://sourceforge.net)  OpenPuff (http://embeddedsw.net)  MSU StegoVideo (http://www.compression.ru)

Answer 80

**GiliSoft File Lock Pro** Folder Lock (http://www.newsoftwares.net) Hide Folders 5 (https://fspro.net) WinMend Folder Hidden (http://www.winmend.com) Invisible Secrets 4 (http://www.invisiblesecrets.com) Max Folder Secure (http://maxpcsecure.com) QuickCrypto (http://www.quickcrypto.com) Universal Shield (http://www.everstrike.com)

Answer 81

* *Steganography Master** * *Stegais** SPY PIX (https://www.juicybitssoftware.com) Pixelknot: Hidden Messages (https://guardianproject.info) Pocket Stego (http://www.talixa.com) Steganography Image (https://play.google.com) StegoSec (http://csocks.altervista.org) StegDroid Alpha (https://play.google.com) Da Vinci Secret Image (https://play.google.com) Steg-O-Matic (https://itunes.apple.com) Secret Tidings (https://play.google.com) Steganography (https://github.com) Steganography Application (https://play.google.com)

Answer 82

detection distortion

Answer 83

* Stego-only * Known-stego * Known-message * Known-cover * Chosen-message * Chosen-stego

Answer 84

Gargoyle InvestigatorTM Forensic Pro

Answer 85

Once intruders have successfully gained administrator access on a system, they will try to cover the tracks to avoid their detection **Attacker uses the following techniques to cover tracks on the target system** **Disable Auditing:** Disables auditing features of the target system **Clearing Logs:** Clear/delete the system log entries corresponding to his/her activities **Manipulating Logs:** Manipulates logs in such a way that he/she will not be caught in legal actions **In detials** Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers are able to delete only attack event logs, they will still be able to escape detection.

Answer 86

SECEVENT.EVT (security): failed logins, accessing files without privileges , SYSEVENT.EVT, APPEVENT.EVT

Answer 87

**Disabling Auditing: Auditpol** Auditpol.exe is the command line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. C:\\>auditpol \\ C :\\>auditpol \\ /disable The moment that intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing by using the same tool (audit.exe). Attackers can use AuditPol to view defined auditing settings on the target computer, running the following command at the command prompt: auditpol /get /category:\*

Answer 88

Attacker uses **Clear\_Event\_Viewer\_Logs.bat** or clearlogs.exe utility to clear the security, system, and application logs If the system is exploited with the Metasploit, attacker uses **meterpreter shell** to wipe out all the logs from a Windows system **Steps to clear logs using Clear\_Event\_Viewer\_Logs.bat utility** 1. Download the Clear\_Event\_Viewer\_Logs.bat utility from the [https://www.tenforums.com](https://www.tenforums.com) 2. Unblock the .bat file 3. Right click or press and hold on the .bat file, and click/tap on Run as administrator. 4. If prompted by UAC, click/tap on Yes. 5. A command prompt will now open to clear the event logs. The command prompt will automatically close when finished. **Steps to clear logs using clearlogs.exe utility** 1. Download the clearlogs.exe utiliy from [http://www.ntsecurity.nu](http://www.ntsecurity.nu) 2. Run clearlogs.exe from the command prompt, and clear the security, system, and application logs using the following options * * C:\clearlogs.exe -app(for clearing application logs) * C:\clearlogs.exe -sec(for clearing application logs) * C:\clearlogs.exe -sys(for clearing application logs) **Steps to clear logs using meterpreter shell** If the system is exploited with the Metasploit, the attacker uses a meterpreter shell to wipe out all the logs from a Windows system: 1. Launch meterpretershell prompt of the Metasploit Framework. 2. Type clearev command in meterpreter shell prompt and press Enter. The logs of the target system will start being wiped out.

Answer 89

1. Windows 1. Navigate to Start-\>Control Panel-\>System and Security-\>Administrative Tools-\>double click Event Viewer 2. Delete the all the log entries logged while compromising of the system 2. Linux 1. Navigates to /var/log directory on the Linux system 2. Open plain text file containing log messages with text editor /var/log/messages 3. Delete all the log entries logged while compromising of the system

Answer 90

1. Use private browsing 2. Delete history in the address field 3. Disable stored history 4. Delete private data 5. Clear cookies on exit 6. Clear cache on exit 7. Delete downloads 8. Disable password manager 9. Clear data in password manager 10. Delete saved sessions 11. Delete user JavaScript 12. Set up multiple users 13. Remove Most Recently Used (MRU) 14. Clear Toolbar data from the browsers 15. Turn off AutoComplete

Answer 91

* The BASH is an sh-compatible shell which stores command history in a file called bash\_history * You can view the saved command history using more ~/.bash\_history command Attackers use following commands to clear the saved command history tracks: 1. Disabling history * **export HISTSIZE=0** 2. Clearing the history * **history –c (Clears the stored history)** * **history -w (Clears history of current shell)** 3. Clearing the user's complete history * **cat /dev/null \> ~.bash\_history && history -c && exit** 4. Shredding the history * **shred ~/.bash\_history (Shreds the history file, making its content unreadable)** * **shred ~/.bash\_history && cat /dev/null \> .bash\_history && history -c && exit (Shreds the history file and clear the evidence of the command)**

Answer 92

1. Using Reverse HTTP Shells 2. Using Reverse ICMP Tunnels 3. Using DNS Tunneling 4. Using TCP Parameters

Answer 93

Windows NTFS has a feature called as Alternate Data Streams that allows attackers to hide a file behind other normal files. Given below are some steps in order to hide file using NTFS: 1. Open the command prompt with an elevated privilege 2. Type the command “type C:\SecretFile.txt \>C:\LegitFile.txt:SecretFile.txt” (here, file is kept in C drive where SecretFile.txt file is hidden inside LegitFile.txt file) 3. To view the hidden file, type “more \< C:\SecretFile.txt” (for this you need to know the hidden file name) Unix Files in UNIX can be hidden just by appending a dot (.) in front of a file name. In UNIX, each directory is subdivided into two directories: current directory (.) and parent directory (..). Attackers give a similar name like “. ” (space is there, after . ). These hidden files are usually placed in /dev, /tmp, /etc. An attacker can also edit the log files to cover their tracks. However, sometimes using this technique of hiding files, an attacker can leave his trace behind because the command he used to open a file with will be recorded in a .bash\_history file. A smart attacker knows how to overcome such a problem; he does so by using export HISTSIZE=0 command.

Answer 94

CCleaner cleans traces of temporary files, log files, registry files, memory dumps, and also your online activities such as your Internet history * Internet Explorer: Temporary files, history, cookies, Autocomplete form history, index.dat. * Firefox: Temporary files, history, cookies, download history, form history * Google Chrome: Temporary files, history, cookies, download history, form history * Opera: Temporary files, history, and cookies * Safari: Temporary files, history, cookies, form history * Windows: Recycle Bin, Recent Documents, Temporary files and Log files. **Others**  DBAN (http://www.cybertronsoft.com)  Privacy Eraser (http://www.cybertronsoft.com)  Wipe (https://privacyroot.com)  BleachBit (https://www.bleachbit.org)  ClearProg (http://www.clearprog.de)  AVG TuneUp (https://www.avg.com)  Norton Utilities (https://in.norton.com)  Glary Utilities (http://www.glarysoft.com)  Clear My History (https://www.hide-my-ip.com)  WinTools.net Professional (http://www.wintools.net)  Free Internet Window Washer (http://www.eusing.com)

Module006SystemHacking Flashcards

(184 cards)