CEH Lab Manual
System Hacking
Module 05
Module 05 - System Hacking
System Hacking
System hacking is the science of testing computers and networks for vulnerabilities and plug-ins.
Lab Scenario
Password hacking is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it. Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems.
Lab Objectives
The objective of this lab is to help students learn to monitor a system remotely and to extract hidden files and other tasks that include:
■ Extracting administrative passwords
■ Hiding files and extracting hidden files
■ Recovering passwords
■ Monitoring a system remotely
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2012
■ A web browser with an Internet connection
■ Administrative privileges to run tools
Lab Duration
Time: 100 Minutes
CEH Lab Manual
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Overview of System Hacking
The goal of system hacking is to gain access, escalate privileges, execute applications,
and hide files.
Lab Tasks
Task 1: Overview
Recommended labs to assist you in system hacking:
■ Extracting Administrator Passwords Using LCP
■ Hiding Files Using NTFS Streams
■ Find Hidden Files Using ADS Spy
■ Hiding Files Using the Stealth Files Tool
■ Extracting SAM Hashes Using PWdump7 Tool
■ Creating the Rainbow Tables Using Winrtgen
■ Password Cracking Using RainbowCrack
■ Extracting Administrator Passwords Using L0phtCrack
■ Password Cracking Using Ophcrack
■ System Monitoring Using RemoteExec
■ Hiding Data Using Snow Steganography
■ Viewing, Enabling and Clearing the Audit Policies Using Auditpol
■ Password Recovery Using CHNTPW.ISO
■ User System Monitoring and Surveillance Needs Using Spytech SpyAgent
■ Web Activity Monitoring and Recording using Power Spy 2013
■ Image Steganography Using QuickStego
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on the target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Extracting Administrator Passwords Using LCP
Link Control Protocol (LCP) is part of the Point-to-Point (PPP) protocol. In PPP communications, both the sending and receiving devices send out LCP packets to determine specific information required for data transmission.
Lab Scenario
Hackers can break weak password storage mechanisms by using the cracking methods outlined in this chapter. Many vendors and developers believe that passwords are safe from hackers if they don't publish the source code for their encryption algorithms. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge. Password-cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords.
Lab Objectives
The objective of this lab is to help students learn how to crack administrator passwords for ethical purposes.
In this lab you will learn how to:
■ Use an LCP tool
■ Crack administrator passwords
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Environment
To carry out the lab you need:
■ LCP located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\LCP
■ You can also download the latest version of LCP from the link http://www.lcpsoft.com/english/index.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Follow the wizard-driven installation instructions
■ Run this tool in Windows Server 2012
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
Lab Duration
Time: 10 Minutes
Overview of LCP
The LCP program mainly audits user account passwords and recovers them in Windows 2008 and 2003. General features of this protocol are password recovery, brute force session distribution, account information importing, and hashing. It can be used to test password security, or to recover lost passwords. The program can import from the local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Sniff file. LCP supports dictionary attack, brute force attack, as well as a hybrid of dictionary and brute force attacks.
Lab Tasks
Task 1: Cracking Administrator Password
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 1.1: Windows Server 2012 - Desktop view
2. Click the LCP app to launch LCP.
You can also download LCP from http://www.lcpsoft.com.
FIGURE 1.2: Windows Server 2012 - Apps
3. The LCP main window appears.
LCP supports additional encryption of accounts by SYSKEY at import from registry and export from SAM file.
FIGURE 1.3: LCP main window (attack tabs: Dictionary attack, Hybrid attack, Brute force attack; columns: User Name, LM Password, NT Password, LM Hash, NT Hash; status bar: Ready for passwords recovering, 0 of 0 passwords were found (0.000%))
4. From the menu bar, select Import and then Import from remote computer.
LCP is logically a transport layer protocol according to the OSI model.
FIGURE 1.4: Import the remote computer (Import menu: Import From Local Computer, Import From Remote Computer, Import From SAM File, Import From .LC File, Import From .LCS File, Import From PwDump File, Import From Sniff File)
5. Select Computer name or IP address, select the Import type as Import from registry, and click OK.
LCP checks the identity of the linked device and either accepts or rejects the peer device, then determines the acceptable packet size for transmission.
FIGURE 1.5: Import from remote computer window (Computer name or IP address: WIN-D39MR5HL9E4; Import type: Import from registry or Import from memory; Encrypt transferred data; Connection: Execute connection, Shared resource, User name: Administrator, Password, Hide password)
6. The output window appears.
Main purpose of LCP program is user account passwords auditing and recovery in Windows.
FIGURE 1.6: Importing the User Names (accounts including Administrator, Guest, Martin, Juggyboy, Jason and Shiela listed with their LM Hash and NT Hash columns; status bar: 1 of 7 passwords were found (14.286%))
7. Now select any User Name and click the Play button.
8. This action generates passwords.
FIGURE 1.7: LCP generates the password for the selected user name (Dictionary attack; recovered NT passwords: Martin - apple, Juggyboy - green, Jason - qwerty, Shiela - test; status bar: Passwords recovering interrupted, 5 of 7 passwords were found (71.429%))
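LCP recovers passwords from the LM Hash and NT Hash columns shown in Figures 1.3 to 1.7; the LM hash is the weak one, and the attack works only where it is stored. The PowerShell below is an added example for defenders, not part of the CEH lab manual: it checks the NoLMHash LSA value and the local minimum password length, the two settings that keep LM hashes out of the SAM (LM cannot represent a password longer than 14 characters). It assumes an elevated Windows PowerShell session on the Windows Server 2012 lab host; the function names are chosen here.

```powershell
# Added example, not part of the CEH lab manual. Audits the local settings that
# decide whether a weak LM hash is stored next to the NT hash in the SAM; the LM
# hash is what LCP's dictionary/brute-force attacks recover fastest.
# Assumes an elevated Windows PowerShell session on the Windows Server 2012 lab host.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashStorageStatus {
    # NoLMHash = 1 means passwords set or changed from now on are stored as NT hash only.
    # A missing value or 0 means the LM hash is also written to the SAM.
    $prop  = Get-ItemProperty -Path $LsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { $null } else { $prop.NoLMHash }
    $state = if ($value -eq 1) { 'LM hashes not stored' } else { 'LM hashes stored (weak)' }
    [pscustomobject]@{
        Setting = 'NoLMHash'
        Value   = $value
        Status  = $state
    }
}

function Get-LocalMinPasswordLength {
    # Parses the local account policy printed by 'net accounts'. LM cannot represent a
    # password longer than 14 characters, so a minimum length of 15 also blocks LM hashes.
    $line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
    if ($line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }
}

function Enable-NoLMHash {
    # Helper name chosen for this example. The setting only affects passwords changed
    # afterwards: LM hashes already in the SAM stay until each user changes their password.
    Set-ItemProperty -Path $LsaKey -Name 'NoLMHash' -Value 1 -Type DWord
}

$status = Get-LmHashStorageStatus
$status | Format-Table -AutoSize
"Minimum password length: $(Get-LocalMinPasswordLength) (15 or more also prevents LM hashes)"
if ($status.Value -ne 1) {
    Write-Warning 'NoLMHash is not set; run Enable-NoLMHash and have users change their passwords.'
}
```

On Windows Vista, Server 2008 and later NoLMHash defaults to 1, which is why the LM Hash column in Figure 1.6 shows no hashes while the NT Hash column is populated.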
Lab Analysis
Document all the IP addresses and passwords extracted for respective IP addresses. Use this tool only for training purposes.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: LCP
Information Collected/Objectives Achieved:
Remote Computer Name: WIN-D39MR5HL9E4
Output:
  User Name    NT Password
  Martin       apple
  Juggyboy     green
  Jason        qwerty
  Shiela       test
Questions
1. What is the main purpose of LCP?
2. How do you continue recovering passwords with LCP?
Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Hiding Files Using NTFS Streams
A stream consists of data associated with a main file or directory (known as the main unnamed stream). Each file and directory in NTFS can have multiple data streams that are generally hidden from the user.
Lab Scenario
Once the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system that make it easy for the attacker to compromise each system in a short amount of time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and password information. Attackers continue to leverage information on each system until they identify passwords for accounts that reside on highly prized systems including payroll, root domain controllers, and web servers. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using NTFS streams.
Lab Objectives
The objective of this lab is to help students learn how to hide files using NTFS streams.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
It will teach you how to:
■ Use NTFS streams
■ Hide files
Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2008 as virtual machine
■ Formatted C: drive NTFS
Lab Duration
Time: 15 Minutes
Overview of NTFS Streams
NTFS (New Technology File System) is the standard file system of Windows.
NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures.
Lab Tasks
Task 1: NTFS Streams
1. Run this lab in Windows Server 2008 virtual machine.
2. Make sure the C: drive is formatted for NTFS.
3. Create a folder called magic on the C: drive and copy calc.exe from C:\windows\system32 to C:\magic.
4. Open a command prompt and go to C:\magic and type notepad readme.txt in command prompt and press Enter.
5. readme.txt in Notepad appears. (Click Yes button if prompted to create a new readme.txt file.)
6. Type Hello World! and Save the file.
NTFS stream runs on Windows Server 2008.
7. Note the file size of the readme.txt by typing dir in the command prompt.
8. Now hide calc.exe inside the readme.txt by typing the following in the command prompt:
type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe
A stream consists of data associated with a main file or directory (known as the main unnamed stream).
C:\magic>notepad readme.txt

C:\magic>dir
 Volume in drive C has no label.
 Volume Serial Number is 34C9-D78F

 Directory of C:\magic

09/12/2012  05:39 AM    <DIR>          .
09/12/2012  05:39 AM    <DIR>          ..
01/19/2008  06:51 AM           188,416 calc.exe
09/12/2012  05:40 AM                12 readme.txt
               2 File(s)        188,428 bytes
               2 Dir(s)   4,377,677,824 bytes free

C:\magic>type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe

C:\magic>
FIGURE 2.2: Command prompt with hiding calc.exe command
9. Type dir in command prompt and note the file size of readme.txt.
NTFS supersedes the FAT file system as the preferred file system for Microsoft's Windows operating systems.
C:\magic>dir
 Volume in drive C has no label.
 Volume Serial Number is 34C9-D78F

 Directory of C:\magic

09/12/2012  05:39 AM    <DIR>          .
09/12/2012  05:39 AM    <DIR>          ..
01/19/2008  06:51 AM           188,416 calc.exe
09/12/2012  05:44 AM                12 readme.txt
               2 File(s)        188,428 bytes
               2 Dir(s)   4,377,415,680 bytes free
FIGURE 2.3: Command prompt with executing hidden calc.exe command (readme.txt is still 12 bytes after the stream was written)
10. The file size of the readme.txt should not change. Now navigate to the directory c:\magic and delete calc.exe.
11. Return to the command prompt and type command:
mklink backdoor.exe readme.txt:calc.exe
and press Enter.
A stream is a hidden file that is linked to a normal (visible) file.
C:\magic>mklink backdoor.exe readme.txt:calc.exe
symbolic link created for backdoor.exe <<===>> readme.txt:calc.exe

C:\magic>
FIGURE 2.4: Command prompt linking the executed hidden calc.exe
12. Type backdoor, press Enter, and the calculator program will be executed.
FIGURE 2.5: Command prompt with executed hidden calc.exe (Calculator opens after running backdoor from C:\magic)
Lab Analysis
Document all the results discovered during the lab.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: NTFS Streams
Information Collected/Objectives Achieved:
Output: Calculator (calc.exe) file executed
Questions
1. Evaluate alternative methods to hide the other exe files (like calc.exe).
Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Find Hidden Files Using ADS Spy
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with NTFS file system.
Lab Scenario
Hackers have many ways to obtain passwords. Hackers can obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers. This chapter demonstrates just how easily hackers can gather password information from your network and describes password vulnerabilities that exist in computer networks and countermeasures to help prevent these vulnerabilities from being exploited on your systems. In order to be an expert ethical hacker and penetration tester, you must understand how to find hidden files using ADS Spy.
Lab Objectives
The objective of this lab is to help students learn how to list, view, or delete Alternate Data Streams and how to use them.
It will teach you how to:
■ Use ADS Spy
■ Find hidden files
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Environment
To carry out the lab you need:
■ ADS Spy located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream Detector Tools\ADS Spy
■ You can also download the latest version of ADS Spy from the link http://www.merijn.nu/programs.php#adsspy
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool in Windows Server 2012
Lab Duration
Time: 10 Minutes
Overview of ADS Spy
ADS (Alternate Data Stream) is a technique used to store meta-info on files.
ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) on Windows Server 2008 with NTFS file systems. ADS is a method of storing meta-information of files, without actually storing the information inside the file it belongs to.
Lab Tasks
Task 1: Alternative Data Streams
1. Navigate to the CEH-Tools directory D:\CEH-Tools\CEHv8 Module 05 System Hacking\NTFS Stream Detector Tools\ADS Spy
2. Double-click and launch ADS Spy.
ADS Spy is a small tool to list, view, or delete Alternate Data Streams (ADS) on Windows 2012 with NTFS file systems.
The ADS Spy window (v1.11, written by Merijn) explains: "Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not visible in Explorer and the size they take up is not reported by Windows. Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this. Use ADS Spy to find and remove these streams. Note: this app can also display legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious!"
FIGURE 3.1: Welcome screen of ADS Spy (options: Quick scan (Windows base folder only), Full scan (all NTFS drives), Scan only this folder, Ignore safe system info data streams ('encryptable', 'SummaryInformation', etc), Calculate MD5 checksums of streams' contents; buttons: Scan the system for alternate data streams, Remove selected streams)
3. Start an appropriate scan that you need.
4. Click Scan the system for alternate data streams.
ADS are a way of storing meta-information regarding files, without actually storing the information in the file it belongs to, carried over from early MacOS compatibility.
FIGURE 3.2: ADS Spy window with Full Scan selected (scan complete, found 6 alternate data streams, among them C:\magic\readme.txt:calc.exe (1051648 bytes) alongside legitimate favicon and document streams under C:\Users\Administrator and C:\Windows.old.000)
5. Find the ADS hidden info file while you scan the system for alternative data streams.
6. To remove the Alternate Data Stream, click Remove selected streams.
Compatible with: Windows Server 2012, 2008.
FIGURE 3.3: Find the hidden stream file (C:\magic\readme.txt:calc.exe listed among the scan results)
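The stream written with type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe in the NTFS Streams lab is what ADS Spy's full scan surfaces in Figures 3.2 and 3.3. The PowerShell below is an added example serving both labs, not the manual's own material or ADS Spy's code: it lists the alternate data streams under a folder, flags any whose contents begin with an executable header, and gives the one-stream equivalent of Remove selected streams. It assumes Windows PowerShell 3.0 or later (as on Windows Server 2012) and the lab folder C:\magic; the function names are chosen here.

```powershell
# Added example, not part of the CEH lab manual or of ADS Spy. Enumerates alternate
# data streams below a folder, much like ADS Spy's "Scan only this folder", using the
# -Stream parameters available in Windows PowerShell 3.0+ (Windows Server 2012).
# Assumes the lab folder C:\magic from the NTFS Streams lab; function names are chosen here.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows writes itself; ADS Spy's "Ignore safe system info" option skips these.
        [string[]] $IgnoreStreams = @('Zone.Identifier', 'encryptable', 'SummaryInformation')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream }
        } |
        ForEach-Object {
            $isPE = $false
            try {
                # A hidden executable such as the lab's calc.exe starts with the 'MZ' header.
                # (-Encoding Byte is Windows PowerShell syntax; PowerShell 7 uses -AsByteStream.)
                $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                                    -Encoding Byte -TotalCount 2 -ErrorAction Stop
                $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            } catch { }
            [pscustomobject]@{
                File       = $_.FileName
                Stream     = $_.Stream
                Bytes      = $_.Length
                Executable = $isPE
            }
        }
}

function Remove-AlternateDataStream {
    # Equivalent of ADS Spy's "Remove selected streams" for one stream; the file's
    # own contents (the unnamed stream) are left untouched.
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $Stream
    )
    Remove-Item -LiteralPath $File -Stream $Stream
}

# Run against the lab folder: readme.txt should show a 'calc.exe' stream flagged Executable.
Find-AlternateDataStreams -Path 'C:\magic' | Format-Table -AutoSize
```

On the Windows Server 2008 VM used in the NTFS Streams lab, dir /r in cmd.exe also lists each file's streams, which is enough to spot readme.txt:calc.exe:$DATA without PowerShell.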
Lab Analysis
Document all the results and reports gathered during the lab.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: ADS Spy
Information Collected/Objectives Achieved:
Scan Option: Full Scan (all NTFS drives)
Output:
■ Hidden files with their location
■ Hidden files size
Questions
1. Analyze how ADS Spy detects NTFS streams.
Internet Connection Required
□ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Hiding Files Using the Stealth Files Tool
Stealth Files use a process called steganography to hide any files inside of another file. It is an alternative to encryption of files.
Lab Scenario
The Windows NT NTFS file system has a feature that is not well documented and is unknown to many NT developers and most users. A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size and there can be more than one stream linked to a normal file. Streams can have any name that complies with NTFS naming conventions. In order to be an expert ethical hacker and penetration tester, you must understand how to hide files using the Stealth Files tool. In this lab, discuss how to find hidden files inside of other files using the Stealth Files Tool.
Lab Objectives
The objective of this lab is to teach students how to hide files using the Stealth Files tool.
It will teach you how to:
■ Use the Stealth Files Tool
■ Hide files
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Environment
To carry out this lab you need:
■ Stealth Files tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Steganography\Audio Steganography\Stealth Files
■ A computer running Windows Server 2012 (host machine)
■ You can also download the latest version of Stealth Files from the link http://www.froebis.com/english/sf40.shtml
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Administrative privileges to run the Stealth Files tool
■ Run this tool in Windows Server 2012 (Host Machine)
Lab Duration
Time: 15 Minutes
Overview of Stealth Files Tool
Steganography is the art and science of writing hidden messages.
Stealth Files uses a process called steganography to hide any files inside of another file. It is an alternative to encryption of files because no one can decrypt the encrypted information or data from the files unless they know that the hidden files exist.
Lab Tasks
TASK 1: Steganography
1. Follow the wizard-driven installation instructions to install the Stealth Files tool.
2. Launch Notepad, write Hello World!, and save the file as Readme.txt on the desktop.
FIGURE 4.1: Hello world in readme.txt
3. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 4.2: Windows Server 2012 Desktop view
4. Click the Stealth Files 4.0 app to open the Stealth Files window.
FIGURE 4.3: Windows Server 2012 Apps
5. The main window of Stealth Files 4.0 is shown in the following figure.
FIGURE 4.4: Control panel of Stealth Files
6. Click Hide Files to start the process of hiding the files.
7. Click Add files.
Note: Before Stealth Files hides a file, it compresses it and encrypts it with a password. Then you must select a carrier file, which is a file that contains the hidden files.
FIGURE 4.5: Add Files window
8. In Step 1, add calc.exe from C:\Windows\System32\calc.exe.
9. In Step 2, choose the carrier file and add the file Readme.txt from the desktop.
10. In Step 3, choose a password such as magic (you can type any desired password).
Note: You can also remove the hidden files from the carrier file by going to Remove Hidden Files and following the instructions.
FIGURE 4.6: Step 1-3 window
11. Click Hide Files.
12. This hides the file calc.exe inside the readme.txt located on the desktop.
13. Open readme.txt in Notepad and check the file; calc.exe is copied inside it.
Note: When you are ready to recover your hidden files, simply open them up with Stealth Files, and if you gave the carrier file a password, you will be prompted to enter it again to recover the hidden files.
FIGURE 4.7: Calc.exe copied inside readme.txt (the original line "Hello World!" is followed by many lines of letters a-p)
14. Now open the Stealth Files control panel and click Retrieve Files.
Note: Pictures will still look the same, sound files will still sound the same, and programs will still work fine. These carrier files will still work perfectly even with the hidden data in them.
FIGURE 4.8: Stealth Files main window
15. In Step 1, choose the file (Readme.txt) from the desktop in which you have saved calc.exe.
16. In Step 2, choose the path to store the retrieved hidden file. In the lab the path is the desktop.
17. Enter the password magic (the password that was entered to hide the file) and click Retrieve Files!
Note: The carrier file can be any of these file types: EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP, and WMF. Most audio, video, and executable files can also be carrier files.
FIGURE 4.9: Retrieve Files window
18. The retrieved file is stored on the desktop.
Note: You can transfer the carrier file through the Internet, and the hidden files inside will transfer simultaneously.
FIGURE 4.10: Calc.exe running on the desktop with the retrieved file
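As figure 4.7 shows, the hidden data lands after the carrier's original content, and the notes above say that carriers such as JPG still open normally. The following Python, added here as an example and not part of the lab or the Stealth Files tool, shows two defender-side checks on constructed sample files: bytes trailing a JPEG's End-Of-Image marker, and a long tail of a text file drawn only from the letters a-p like the one visible in figure 4.7. The 16-letter-alphabet heuristic is an assumption taken from that figure, not a documented property of the tool.

```python
from typing import Dict, Optional


# Check 1: a JPEG ends at its End-Of-Image marker (FF D9); viewers ignore anything
# after it, so appended hidden data stays invisible yet travels with the file.
def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the real EOI marker, or -1 if not a well-formed JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI reached
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return -1
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip the segment body
        if marker != 0xDA:
            continue
        # After Start-Of-Scan comes entropy-coded data in which FF is always followed
        # by 00 (byte stuffing), FF (fill) or an RSTn marker; any other marker ends it.
        while True:
            nxt = data.find(b"\xff", pos)
            if nxt < 0 or nxt + 1 >= len(data):
                return -1
            m = data[nxt + 1]
            if m == 0xFF:
                pos = nxt + 1
            elif m == 0x00 or 0xD0 <= m <= 0xD7:
                pos = nxt + 2
            else:
                pos = nxt                       # let the outer loop handle this marker
                break
    return -1


def jpeg_appended_bytes(data: bytes) -> int:
    """Bytes trailing the EOI marker (0 = clean, -1 = not a JPEG)."""
    end = jpeg_end_offset(data)
    return -1 if end < 0 else len(data) - end


# Check 2: figure 4.7 shows the carrier's own line followed by hundreds of characters
# drawn only from the letters a-p (a 16-symbol alphabet). Treating such a tail as
# suspicious is an assumption of this example, not a documented Stealth Files format.
NARROW_ALPHABET = frozenset("abcdefghijklmnop")


def narrow_alphabet_tail(text: str, min_chars: int = 64) -> int:
    """Length of the trailing run made only of a-p letters and line breaks,
    or 0 when that run is shorter than min_chars (natural text rarely avoids q-z)."""
    run = 0
    for ch in reversed(text):
        if ch in NARROW_ALPHABET or ch in "\r\n":
            run += 1
        else:
            break
    return run if run >= min_chars else 0


def audit_carrier(name: str, data: bytes) -> Optional[str]:
    """Apply the check matching the file type; return a finding or None when clean."""
    lower = name.lower()
    if lower.endswith((".jpg", ".jpeg")):
        n = jpeg_appended_bytes(data)
        return f"{name}: {n} bytes after the EOI marker" if n > 0 else None
    if lower.endswith(".txt"):
        n = narrow_alphabet_tail(data.decode("latin-1"))
        return f"{name}: {n}-character tail uses only the letters a-p" if n else None
    return None


def audit_all(samples: Dict[str, bytes]) -> Dict[str, str]:
    findings = {}
    for name, data in samples.items():
        finding = audit_carrier(name, data)
        if finding:
            findings[name] = finding
    return findings


# Constructed samples (not files from the lab): a minimal JPEG and a readme-style text file.
CLEAN_JPEG = (b"\xff\xd8"                                                            # SOI
              + b"\xff\xe0" + (16).to_bytes(2, "big")
              + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                      # APP0
              + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"   # SOS header
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                                  # scan data
              + b"\xff\xd9")                                                         # EOI
STEGO_JPEG = CLEAN_JPEG + b"\xff\xd9hidden payload"     # appended data, even one containing FF D9
CLEAN_TEXT = b"Hello World!\n"
STEGO_TEXT = CLEAN_TEXT + "".join("abcdefghijklmnop"[(i * 7 + i // 3) % 16] for i in range(200)).encode()
SAMPLES = {"photo.jpg": CLEAN_JPEG, "holiday.jpg": STEGO_JPEG,
           "notes.txt": CLEAN_TEXT, "readme.txt": STEGO_TEXT}

if __name__ == "__main__":
    for finding in audit_all(SAMPLES).values():
        print(finding)
```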
Lab Analysis
Document all the results and reports gathered during the lab.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Stealth Files Tool
Information Collected/Objectives Achieved:
■ Hidden file: Calc.exe (calculator)
■ Retrieve file: readme.txt (Notepad)
■ Output: Hidden calculator executed
Questions
1. Evaluate other alternative parameters for hiding files.
Internet Connection Required
□ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Extracting SAM Hashes Using PWdump7 Tool
Pwdump7 can also be used to dump protected files. You can always copy a used file just by executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat
Lab Scenario
Passwords are a big part of this modern generation. You can use the password for your system to protect business or secret information, and you may choose to limit access to your PC with a Windows password. These passwords are an important security layer, but many passwords can be cracked, and while that is a worry, this chink in the armour can come to your rescue: the password cracking tools and technologies that allow hackers to steal passwords can also be used to recover them legitimately. In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab, we discuss extracting the user login password hashes in order to crack the password.
Lab Objectives
This lab teaches you how to:
■ Use the pwdump7 tool
■ Crack administrator passwords
Lab Environment
To carry out the lab you need:
■ Pwdump7 located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7
■ Run this tool on Windows Server 2012
■ You can also download the latest version of pwdump7 from the link http://www.tarasco.org/security/pwdump_7/index.html
■ Administrative privileges to run tools
■ TCP/IP settings correctly configured and an accessible DNS server
■ Run this lab in Windows Server 2012 (host machine)
Lab Duration
Time: 10 Minutes
Overview of Pwdump7
Pwdump7 can be used to dump protected files. You can always copy a used file just by executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat
Lab Tasks
TASK 1: Generating Hashes
1. Open the command prompt and navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7.
2. Alternatively, you can also navigate to D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\pwdump7, right-click the pwdump7 folder, and select CMD prompt here to open the command prompt.
Note: Active Directory passwords are stored in the ntds.dit file.
FIGURE 5.1: Command prompt at pwdump7 directory
3. Now type pwdump7.exe and press Enter, which will display all the password hashes.
FIGURE 5.2: pwdump7.exe result window (pwdump v7.1 - raw password extractor, by Andres Tarasco Acuna, http://www.514.es)
4. Now type pwdump7.exe > c:\hashes.txt in the command prompt and press Enter.
5. This command will copy all the output of pwdump7.exe to the c:\hashes.txt file. (To check the generated hashes you need to navigate to the C: drive.)
FIGURE 5.3: hashes.txt window (one line per account: user, RID, LM hash, NT hash)
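Each line of hashes.txt has the pwdump layout user:RID:LM hash:NT hash:::, and pwdump7 prints NO PASSWORD***… in place of a hash that is not stored. The Python below is an added example, not part of the lab or pwdump7: it parses constructed lines in that layout, computes the NT hash (MD4 over the UTF-16LE password) for a small constructed list of passwords an administrator would consider weak, and reports accounts that still store an LM hash, have a blank password, or match the weak list. The MD4 routine is pure Python because hashlib's MD4 is often disabled; the wordlist and account lines are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

_MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; the NT hash is MD4 of the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, message-word order, shift amounts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a = _rol((a + f(b, c, d) + x[w] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate registers for the next step
        h = [(v + n) & _MASK for v, n in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Unsalted NT hash as pwdump prints it (uppercase hex)."""
    return md4(password.encode("utf-16le")).hex().upper()


EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"   # LM hash of the empty password


def parse_pwdump(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse user:RID:LM:NT::: lines; 'NO PASSWORD...' and empty-LM fields become None."""
    def norm(field: str) -> Optional[str]:
        f = field.strip().rstrip("*").upper()
        return None if f == "" or f.startswith("NO PASSWORD") or f == EMPTY_LM else f

    accounts = []
    for line in text.splitlines():
        if line.count(":") < 3:
            continue
        user, rid, lm, nt = line.split(":", 4)[:4]
        accounts.append({"user": user, "rid": rid, "lm": norm(lm), "nt": norm(nt)})
    return accounts


def audit(text: str, candidates: List[str]) -> Dict[str, List[str]]:
    """Return findings per account: LM hash stored, blank password, or weak-list match."""
    lookup = {nt_hash(p): p for p in candidates}
    findings: Dict[str, List[str]] = {}
    for acct in parse_pwdump(text):
        issues = []
        if acct["lm"] is not None:
            # LM hashes are trivially crackable; the policy "Do not store LAN Manager
            # hash value on next password change" stops Windows from keeping them.
            issues.append("LM hash stored")
        if acct["nt"] is None or acct["nt"] == nt_hash(""):
            issues.append("blank password")
        elif acct["nt"] in lookup:
            issues.append(f"weak password matches wordlist entry '{lookup[acct['nt']]}'")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed sample dump in pwdump7's layout (the LM value on line 3 is a stand-in, not a real hash).
SAMPLE = """\
Administrator:500:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1010:0123456789ABCDEF0123456789ABCDEF:0CB6948805F797BF2A82807973B89537:::
jsmith:1011:NO PASSWORD*********************:9A8B7C6D5E4F30211F2E3D4C5B6A7980:::
"""
WEAK_CANDIDATES = ["password", "test", "123456", "qwerty", "apple", "green"]  # constructed audit list

if __name__ == "__main__":
    for user, issues in audit(SAMPLE, WEAK_CANDIDATES).items():
        print(f"{user}: {'; '.join(issues)}")
```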
Lab Analysis
Analyze all the password hashes gathered during the lab and figure out what the password was.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: PWdump7
Information Collected/Objectives Achieved:
Output: List of users and password hashes
■ Administrator
■ Guest
■ Languard
■ Martin
■ Juggyboy
■ Jason
■ Shiela
Questions
1. What is pwdump7.exe command used for?
2. How do you copy the result of a command to a file?
Internet Connection Required
□ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Creating the Rainbow Tables Using Winrtgen
Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes.
Lab Scenario
In computer and information security, the use of passwords is essential for users to protect their data and to ensure secured access to their system or machine. As users become increasingly aware of the need to adopt strong passwords, this also brings challenges to the protection of potential data. In this lab, we will discuss creating the rainbow table to crack the system users' passwords. In order to be an expert ethical hacker and penetration tester, you must understand how to create rainbow tables to crack the administrator password.
Lab Objectives
The objective of this lab is to help students learn how to create and use a rainbow table to perform system password hacking.
Lab Environment
To carry out the lab, you need:
■ Winrtgen tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
■ A computer running Windows Server 2012
■ You can also download the latest version of Winrtgen from the link http://www.oxid.it/projects.html
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool on Windows Server 2012
■ Administrative privileges to run this program
Lab Duration
Time: 10 Minutes
Overview of Rainbow Table
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering plaintext passwords, up to a certain length, consisting of a limited set of characters.
Lab Tasks
TASK 1: Generating Rainbow Table
1. Double-click the winrtgen.exe file. The main window of winrtgen is shown in the following figure.
FIGURE 6.1: winrtgen main window
Note: Rainbow tables are usually used to crack a lot of hash types such as NTLM, MD5, and SHA1.
2. Click the Add Table button.
FIGURE 6.2: creating the rainbow table
3. The Rainbow Table properties window appears:
i. Select ntlm from the Hash drop-down list
ii. Set the Min Len as 4, the Max Len as 9, and the Chain Count as 4000000
iii. Select loweralpha from the Charset drop-down list (this depends on the password)
4. Click OK.
Rainbow Table properties as set in the lab: Hash: ntlm; Min Len: 4; Max Len: 9; Index: 0; Chain Len: 2400; Chain Count: 4000000; Charset: loweralpha (abcdefghijklmnopqrstuvwxyz)
Table properties reported: Key space: 5646683807856 keys; Disk space: 61.03 MB; Success probability: 0.001697 (0.17%)
FIGURE 6.3: selecting the Rainbow table properties
5. A file will be created; click OK.
FIGURE 6.4: Alchemy Remote Executor progress tab window
Creating the hash table will take some time, depending on the selected hash and charset.
Note: To save time for the lab demonstration, the generated hash table is kept in the following folder: D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen
Note: You must be careful of your hard disk space. A simple rainbow table for 1-5 alphanumeric costs about 613 MB of your hard disk.
7. The created hash table is saved automatically in the folder containing winrtgen.exe.
FIGURE 6.5: Generated Rainbow table file (ntlm_loweralpha#4-6_0_2400x4000000_ox..., RT File, 62,500 KB, in the Winrtgen folder next to winrtgen.exe and charset.txt)
Lab Analysis
Analyze and document the results related to the lab exercise.
Tool/Utility: Winrtgen
Information Collected/Objectives Achieved:
Purpose: Creating Rainbow table with lower alpha
Output: Created Rainbow table: ntlm_loweralpha#4-6_0_2400x4000000_ox...
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required
□ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Password Cracking Using RainbowCrack
RainbowCrack is a computer program that generates rainbow tables to be used in password cracking.
Lab Scenario
Computer passwords are like locks on doors; they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop them. Most computer users do not realize how simple it is to access the login password for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access. Are you curious how easy it is for someone to gain access to your computer? Windows is still the most popular operating system, and the method used to discover the login password is the easiest. A hacker uses password cracking utilities and cracks your system. That is how simple it is for someone to hack your password. It requires no technical skills, no laborious tasks, only simple words or programs. In order to be an ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we discuss how to crack guest user or administrator passwords using RainbowCrack.
Lab Objectives
The objective of this lab is to help students crack passwords to perform system password hacking.
Lab Environment
To carry out the lab, you need:
■ RainbowCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\RainbowCrack
■ A computer running Windows Server 2012
■ You can also download the latest version of RainbowCrack from the link http://project-rainbowcrack.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool on Windows Server 2012
■ Administrative privileges to run this program
Lab Duration
Time: 10 Minutes
Overview of RainbowCrack
RainbowCrack is a computer program that generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password.
Lab Tasks
TASK 1: Generating the Rainbow Table
1. Double-click the rcrack_gui.exe file. The main window of RainbowCrack is shown in the following figure.
Note: RainbowCrack for GPU is the hash cracking program in the RainbowCrack hash cracking utilities.
FIGURE 7.1: RainbowCrack main window
2. Click File, and then click Add Hash...
Note: RainbowCrack for GPU is significantly faster than any non-GPU accelerated rainbow table lookup program and any straight GPU brute forcing cracker.
FIGURE 7.2: Adding Hash values (File menu: Add Hash..., Load Hashes from File..., Load LM Hashes from PWDUMP File..., Load NTLM Hashes from PWDUMP File..., Save Results...)
3. The Add Hash window appears:
i. Navigate to c:\hashes and open the hashes.txt file (which was already generated using Pwdump7 and is located at c:\hashes.txt, see the previous lab, Lab 5).
ii. Right-click and copy the hashes from the hashes.txt file.
iii. Paste into the Hash field, and give the comment (optional).
iv. Click OK.
Note: RainbowCrack uses a time-memory tradeoff algorithm to crack hashes. It differs from the hash crackers that use a brute force algorithm.
FIGURE 7.3: Selecting the hashes
FIGURE 7.4: Adding Hashes (Hash field: 0cb6948805f797bf2a82807973b89537; Comment: password)
4. The selected hash is added, as shown in the following figure.
Note: RainbowCrack is a full time-memory tradeoff tool suite, including rainbow table generation, sort, conversion and lookup.
FIGURE 7.5: Added hash shown in window
5. To add more hashes, repeat steps 2 and 3 (i, ii, iii, iv).
6. The added hashes are shown in the following figure.
Note: RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per se; some organizations have endeavored to make RainbowCrack's rainbow tables available free over the Internet.
FIGURE 7.6: Added Hashes in the window (0cb6948805f797bf2a82807973b89537 twice, 488cdcdd2225312793ed6967b28c1025, 5ebe7dfa074da8ee8aef1faa2bbde876, c25510219f66f9f12fc9be662a67b960; plaintext column still "?")
7. Click Rainbow Table on the menu bar, and click Search Rainbow Table...
Note: RainbowCrack for GPU software uses GPUs from NVIDIA for computing, instead of the CPU. By offloading the computation task to the GPU, the RainbowCrack for GPU software can be tens of times faster than the non-GPU version.
8. Browse to the Rainbow Table that was already generated in the previous lab, which is located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Rainbow Table Creation Tools\Winrtgen.
9. Click Open.
Note: A time-memory tradeoff hash cracker needs a pre-computation stage, at which time all plaintext/hash pairs within the selected hash algorithm, charset, and plaintext length are computed and the results are stored in files called rainbow tables.
FIGURE 7.8: Added Hashes in the window (Open dialog in the winrtgen folder, file type Rainbow Tables (*.rt;*.rtc), file ntlm_loweralpha#4-6_0_2400x4000000_ox...)
10. It will crack the password, as shown in the following figure.
Note: RainbowCrack focuses on the development of an optimized time-memory tradeoff implementation and the generation of large rainbow tables.
Results shown in the figure (hash, plaintext, plaintext in hex):
■ 0cb6948805f797bf2a82807973b89537: test (74657374)
■ 0cb6948805f797bf2a82807973b89537: test (74657374)
■ 488cdcdd2225312793ed6967b28c1025: green (677265656e)
■ 5ebe7dfa074da8ee8aef1faa2bbde876: apple (6170706c65)
■ c25510219f66f9f12fc9be662a67b960: ? (not found)
■ 2d20d252a479f485cdf5e171d93985bf: qwerty (717765727479)
Statistics: time of alarm check: 2.34 s; time of wait: 0.00 s; time of other operation: 0.19 s; time of disk read: 0.08 s; hash & reduce calculation of chain traverse: 5755200; hash & reduce calculation of alarm check: 35850648; number of alarm: 55125; speed of chain traverse: 9.71 million/s; speed of alarm check: 15.33 million/s
FIGURE 7.9: Added Hashes in the window
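Winrtgen's Table properties box (figure 6.3) derives key space, disk space and success probability from the charset, lengths, chain length and chain count, and RainbowCrack then walks the same chains backwards to find a hash (figure 7.9). The Python below is an added example serving both labs and is not code from either tool: table_properties reproduces the key space and disk size for the lab's parameters, and ToyRainbowTable shows chain generation and lookup on a tiny MD5 key space (loweralpha, lengths 1 to 3). The reduction function and the sequential chain starts are choices made for this example; the 16 bytes per chain reflect the .rt layout of an 8-byte start and an 8-byte end index, and the success-probability formula is the standard single-table estimate rather than winrtgen's exact one.

```python
import hashlib
import math
from typing import Dict, List, Optional

LOWERALPHA = "abcdefghijklmnopqrstuvwxyz"


def key_space(charset: str, min_len: int, max_len: int) -> int:
    """Number of plaintexts of length min_len..max_len over charset (winrtgen's 'Key space')."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def table_properties(charset: str, min_len: int, max_len: int,
                     chain_len: int, chain_count: int) -> Dict[str, float]:
    """Reproduce the figures winrtgen shows in its Table properties box."""
    keys = key_space(charset, min_len, max_len)
    disk_bytes = chain_count * 16           # .rt stores an 8-byte start and 8-byte end per chain
    coverage = chain_len * chain_count / keys
    return {
        "key_space": keys,
        "disk_mb": disk_bytes / 2 ** 20,    # winrtgen's "MB" is mebibytes (61.03 for the lab table)
        # single-table estimate that ignores merging chains; winrtgen's figure is slightly lower
        "success_probability": 1 - math.exp(-coverage),
    }


class ToyRainbowTable:
    """Miniature rainbow table over MD5; same start/end structure as a .rt table."""

    def __init__(self, charset: str, min_len: int, max_len: int, chain_len: int, chain_count: int):
        self.charset, self.min_len, self.max_len = charset, min_len, max_len
        self.chain_len = chain_len
        self.keys = key_space(charset, min_len, max_len)
        self.ends: Dict[int, List[int]] = {}    # end index -> start indices (merged chains share an end)
        for start in range(min(chain_count, self.keys)):   # sequential starts keep the example deterministic
            self.ends.setdefault(self.walk(start, 0, chain_len), []).append(start)

    def plaintext(self, idx: int) -> str:
        """Map an index in [0, keys) to a plaintext, shorter lengths first."""
        for n in range(self.min_len, self.max_len + 1):
            block = len(self.charset) ** n
            if idx < block:
                out = []
                for _ in range(n):
                    idx, r = divmod(idx, len(self.charset))
                    out.append(self.charset[r])
                return "".join(out)
            idx -= block
        raise ValueError("index outside key space")

    @staticmethod
    def hash(plaintext: str) -> bytes:
        return hashlib.md5(plaintext.encode()).digest()

    def reduce(self, digest: bytes, column: int) -> int:
        """Fold a digest back into the key space. Adding the column number gives every
        step its own reduction, so chains colliding in different columns do not merge."""
        return (int.from_bytes(digest[:8], "little") + column) % self.keys

    def walk(self, idx: int, first_column: int, last_column: int) -> int:
        """Apply hash-then-reduce for columns first_column..last_column-1."""
        for col in range(first_column, last_column):
            idx = self.reduce(self.hash(self.plaintext(idx)), col)
        return idx

    def lookup(self, target: bytes) -> Optional[str]:
        """Recover the plaintext of target by assuming it sits in each column in turn."""
        for col in range(self.chain_len - 1, -1, -1):
            end = self.walk(self.reduce(target, col), col + 1, self.chain_len)
            for start in self.ends.get(end, ()):
                idx = start                      # regenerate the chain up to the matching column
                for k in range(self.chain_len):
                    pt = self.plaintext(idx)
                    if self.hash(pt) == target:
                        return pt
                    idx = self.reduce(self.hash(pt), k)
                # reaching here is a false alarm: same end, but the chain never held the hash
        return None


if __name__ == "__main__":
    props = table_properties(LOWERALPHA, 4, 9, 2400, 4000000)   # the lab's winrtgen settings
    print(f"key space {props['key_space']}, disk {props['disk_mb']:.2f} MB, "
          f"success {props['success_probability']:.6f}")
    table = ToyRainbowTable(LOWERALPHA, 1, 3, chain_len=20, chain_count=3000)
    for word in ("cab", "zzz"):
        print(word, "->", table.lookup(ToyRainbowTable.hash(word)))
```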
Lab Analysis
Analyze and document the results related to the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: RainbowCrack
Information Collected/Objectives Achieved:
Hashes:
■ Administrator
■ Guest
■ Languard
■ Martin
■ Juggyboy
■ Jason
■ Shiela
Password Cracked:
■ test
■ test
■ green
■ apple
■ qwerty
Questions
1. What kind of hashes does RainbowCrack support?
Internet Connection Required
□ Yes
☑ No
Platform Supported
☑ Classroom
☑ iLabs
Extracting Administrator Passwords Using L0phtCrack
L0phtCrack is packed with powerful features, such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. It can import and crack UNIX password files and remote Windows machines.
Lab Scenario
Since security and compliance are high priorities for most organizations, attacks on a company or organization's computer systems take many different forms, such as spoofing, smurfing, and other types of denial-of-service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems.
Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. In this lab we will look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. Through an examination of several scenarios, in this lab we describe some of the techniques they deploy and the tools that aid them in their assaults, and how password crackers work both internally and externally to violate a company's infrastructure.
In order to be an expert ethical hacker and penetration tester, you must understand how to crack administrator passwords. In this lab we crack the system user accounts using L0phtCrack.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Objectives
The lab teaches you how to:
■ Use the L0phtCrack tool
■ Crack administrator passwords
Lab Environment
To carry out the lab you need:
■ L0phtCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\L0phtCrack
■ Run this tool on Windows Server 2012 (host machine)
■ You can also download the latest version of L0phtCrack from the link http://www.l0phtcrack.com
■ Administrative privileges to run tools
■ Follow the wizard-driven installation instructions
■ TCP/IP settings correctly configured and an accessible DNS server
■ This tool requires the user to register; you can also use the evaluation version for a limited period of time
Lab Duration
Time: 10 Minutes
Overview of L0phtCrack
L0phtCrack provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices and are rated as Strong, Medium, Weak, or Fail.
Lab Tasks
TASK 1: Cracking Administrator Password
1. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.
FIGURE 8.1: Windows Server 2012 - Desktop view
2. Click the L0phtCrack6 app to open the L0phtCrack6 window.
[Windows Server 2012 Start screen: tiles for Server Manager, Administrator, Windows PowerShell, Google Chrome, Hyper-V Manager, Hyper-V Virtual Machine Manager, SQL Server Installation Center, Computer, Control Panel, Command Prompt, Mozilla Firefox, Global Network Inventory, Nmap Zenmap GUI, Workspace Studio, Internet Explorer, Desktop, and the installed L0phtCrack6 app.]
Note: L0phtCrack supports pre-computed password hashes.
FIGURE 8.2: Windows Server 2012 - Apps
3. Launch L0phtCrack, and in the L0phtCrack Wizard, click Next.
[L0phtCrack Password Auditor v6.0.16, L0phtCrack 6 Wizard: "Welcome to the L0phtCrack Wizard. This wizard will prompt you with step-by-step instructions to get you auditing in minutes. First, the wizard will help you determine where to retrieve your encrypted passwords from. Second, you will be prompted with a few options regarding which methods to use to audit the passwords. Third, you will be prompted with how you wish to report the results. Then L0phtCrack will proceed auditing the passwords and report status to you along the way, notifying you when auditing is complete. Press 'Next' to continue with the wizard." Check box: Don't show me this wizard on startup.]
Note: L0phtCrack can also crack UNIX password files.
FIGURE 8.3: Welcome screen of the L0phtCrack Wizard
4. Choose Retrieve from the local machine in the Get Encrypted Passwords wizard page and click Next.
[L0phtCrack Password Auditor v6.0.16, Get Encrypted Passwords page. Choose one of the following methods to retrieve the encrypted passwords:
■ Retrieve from the local machine (selected): pulls encrypted passwords from the local machine's registry. Administrator access is required.
■ Retrieve from a remote machine: retrieves encrypted passwords from a remote machine on your domain. Administrator access is required.
■ Retrieve from SAM/SYSTEM backup: use emergency repair disks, backup tapes, or volume shadow copy techniques to obtain a copy of the registry SAM and SYSTEM hives. This contains a copy of your non-domain passwords.
■ Retrieve by sniffing the local network: sniffing captures encrypted hashes in transit over your network. Logins, file sharing and print sharing all use network authentication that can be captured.
Buttons: < Back, Next >, Cancel.]
Note: L0phtCrack has a built-in ability to import passwords from remote Windows machines, including 64-bit versions of Vista and Windows 7, and from UNIX machines, without requiring a third-party utility.
FIGURE 8.4: Selecting the password from the local machine
5. Choose Strong Password Audit from the Choose Auditing Method wizard page and click Next.
FIGURE 8.5: Choose a strong password audit
6. In Pick Reporting Style, select all options, including Display encrypted password hashes.
7. Click Next.
Note: L0phtCrack offers remediation assistance to system administrators.
FIGURE 8.6: Pick Reporting Style
8. Click Finish.
[L0phtCrack Password Auditor v6.0.16, Begin Auditing page (Step 5 of the wizard): "L0phtCrack is now ready to begin the password auditing process. Please confirm the following settings and go back and change anything that is not correct: Retrieve passwords from the local machine; Perform 'Quick' password audit; Display domain password belongs to; Display passwords when audited; Display time spent auditing each password; Give visible notification when done auditing; Show method used to crack password. Save these settings as session defaults (checked). Press 'Finish' to begin auditing."]
Note: L0phtCrack has real-time reporting that is displayed in a separate, tabbed interface.
FIGURE 8.7: Begin Auditing
9. L0phtCrack6 shows an Audit Completed message. Click OK.
10. Click Session options from the menu bar.
[L0phtCrack 6 main window after the audit. Toolbar: Cracked Accounts, Weak Passwords, Pause, Stop, Schedule, Scheduled Audit Tasks, Disable Expired Accounts, Force Password Expiration, Run Report. Columns: Domain, User Name, LM Hash, LM Password. Accounts listed for host WIN-D39MR...: Administrator, Guest, Jason, Juggyboy, LANGUARD_11_USER, Martin; the LM Hash column reads "* missing *" for every account (the LM hash is not stored by default on current Windows versions, as the Ophcrack lab below notes). Messages pane:
09/18/2012 14:47:48 Multi-core operation with 4 cores.
09/18/2012 14:47:52 Imported 2 accounts from the local machine
09/18/2012 14:47:52 Audit started.
09/18/2012 14:47:52 Auditing session completed.
A dialog reports "Audit completed." with elapsed time 0d 0h 0m 0s.]
FIGURE 8.8: Selecting Session options
Note: L0phtCrack uses Dictionary, Hybrid, Precomputed, and Brute Force password auditing methods.
11. The Auditing Options For This Session window appears:
i. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary Crack.
ii. Select the Enabled and Crack NTLM Passwords check boxes in Dictionary/Brute Hybrid Crack.
iii. Select the Enabled and Crack NTLM Passwords check boxes in Brute Force Crack.
iv. Select the Enable Brute Force Minimum Character Count check box.
v. Select the Enable Brute Force Maximum Character Count check box.
12. Click OK.
[Auditing Options For This Session dialog:
Dictionary Crack (Enabled; Crack NTLM Passwords; Dictionary List): tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords.
Dictionary/Brute Hybrid Crack (Enabled; Crack NTLM Passwords; Common letter substitutions (much slower); Characters to prepend; Characters to append): tests for passwords that are variations of the words in the word file. It finds passwords such as Dana99 or monkeys!. This test is fast and finds weak passwords.
Precomputed (Enabled; Hash File List; Preserve Precomputation Data; Location): also known as 'rainbow tables', the Precomputed Crack tests for passwords against precomputed hashes contained in a file or files. This test is very fast and finds passwords created from the same character set as the precomputed hashes. Preserving precomputation data speeds up consecutive runs in exchange for disk space. This crack works against LM and NTLM passwords, but not Unix.
Brute Force Crack (Crack NTLM Passwords; Language: English; Character set: alphabet + numbers; Custom Character Set (list each character): ETNRIOASDHLCFPUMYGWVBXKQJZetnrioasdhlcfpumygwvbxkqjz0123456789): tests for passwords that are made up of the characters specified in the character set. It finds passwords such as "WeR3pfc6s" or "vC5%6S*12b". This test is slow and finds medium to strong passwords. Brute Force Minimum Character Count and Brute Force Maximum Character Count (To 9): enabling a start or end point lets you control the minimum and maximum number of characters to iterate; the actual maximum character count used may vary based on hash type. Specify a character set with more characters to crack stronger passwords.
Buttons: OK, Cancel.]
FIGURE 8.9: Selecting the auditing options
13. Click Begin from the menu bar. L0phtCrack cracks the administrator password.
14. A report is generated with the cracked passwords.
FIGURE 8.10: Generated cracked passwords
Lab Analysis
Document all the results and reports gathered during the lab.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: L0phtCrack
Information Collected/Objectives Achieved:
User Names:
■ Administrator
■ Guest
■ Jason
■ Juggyboy
■ LANGUARD_11_USER
■ Martin
Passwords Found:
■ qwerty
■ green
■ apple
Questions
1. What are the alternatives to cracking administrator passwords?
2. Why is a brute force attack used in the L0phtCrack tool?
Internet Connection Required
☐ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
Password Cracking Using Ophcrack
Ophcrack is a free open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables.
Lab Scenario
In a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems that do not force users to choose well-chosen secrets, which are likely to be difficult to remember. The basic idea is to ensure that the data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not; we examine common forms of guessing attacks and password cracking utilities to develop examples of cryptographic protocols that are immune to such attacks. Poorly chosen passwords are vulnerable to attacks based upon copying information. In order to be an expert ethical hacker and penetration tester, you must understand how to crack a weak administrator or system user account password using password cracking tools. In this lab we show you how to crack system user accounts using Ophcrack.
Lab Objectives
The objective of this lab is to help students learn to:
■ Use the OphCrack tool
■ Crack administrator passwords
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Environment
To carry out the lab, you need:
■ OphCrack tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack
■ Run this tool on Windows Server 2012 (host machine)
■ You can also download the latest version of Ophcrack from the link http://ophcrack.sourceforge.net/
■ Administrative privileges to run tools
■ Follow the wizard-driven installation instructions
Lab Duration
Time: 15 Minutes
Overview of OphCrack
Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. By default, OphCrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters.
Lab Task
TASK 1: Cracking the Password
1. Launch the Start menu by hovering the mouse cursor on the lower-left
corner of the desktop.
FIGURE 9.1: Windows Server 2012 - Desktop view
2. Click the OphCrack app to open the OphCrack window.
FIGURE 9.2: Windows Server 2012 - Apps
3. The OphCrack main window appears.
[ophcrack main window. Toolbar: Load, Delete, Save, Tables, Crack, Help, Exit, About; tabs: Progress, Statistics, Preferences. Status bar: Preload: waiting; Brute force: waiting; Pwd found: 0/0; Time elapsed: 0h 0m 0s.]
Note: Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers.
FIGURE 9.3: OphCrack main window
4. Click Load, and then click PWDUMP file.
[Load menu: Single hash, PWDUMP file, Session file, Encrypted SAM, Local SAM with samdump2, Local SAM with pwdump6, Remote SAM.]
FIGURE 9.4: Selecting PWDUMP file
5. Browse to the PWDUMP file that was already generated with pwdump7 in the previous lab (lab no. 5), located at C:\hashes.txt.
6. Click Open.
[Open PWDUMP file dialog, Computer > Local Disk (C:). Folders: Program Files, Program Files (x86), TFTP-Root, Users, Windows, Windows.old, usr, New folder; files: .rnd (RND file), hashes.txt (Text Document), msdos.sys (System file), user.js (JS file). File name: hashes.txt; file type: All Files (*.*); Open.]
Note: Ophcrack is also available as Live CD distributions which automate the retrieval, decryption, and cracking of passwords from a Windows system.
FIGURE 9.5: Import the hashes from the PWDUMP file
7. The loaded hashes are shown in the following figure.
[ophcrack window, User and NT Hash columns: Administrator BE40C450AB997...; Guest 31d6cfe0d16ae9...; LANGUARD_11_USER C25510219F66F...; Martin 5EBE7DFA074D...; Juggyboy 488CDCDD2225...; Jason 2D20D252A479F...; Shiela 0CB6948805F79.... Status bar: Preload: waiting; Brute force: waiting; Pwd found: 0/7.]
Note: Ophcrack cracks LM and NTLM Windows hashes.
FIGURE 9.6: Hashes are added
8. Click Tables. The Table Selection window appears as shown in the following figure.
[Table Selection window. Columns: Table, Directory, Status. Tables listed: XP free fast, XP free small, XP special, XP german v1, XP german v2, Vista special, Vista free, Vista nine, Vista eight, Vista num, Vista seven, Vista eight XL, XP flash; every table shows the status "not installed". Legend: green = enabled, yellow = disabled, red = not installed. Buttons: Install, OK.]
FIGURE 9.7: Selecting the rainbow table
Note: You can download the free XP rainbow tables and Vista rainbow tables from http://ophcrack.sourceforge.net/tables.php
9. Select Vista free, and click Install.
FIGURE 9.8: Installing the Vista free rainbow table
10. The Browse For Folder window appears; select the tables_vista_free folder (which is already downloaded and kept at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Password Cracking Tools\Ophcrack).
11. Click OK.
[Browse For Folder dialog: "Select the directory which contains the tables." Tree: CEHv8 Module 05 System Hacking > Password Cracking > Windows Password Crackers > OphCrack > tables_vista_free (sibling folders: pwdump7, winrtgen; steganography). Buttons: Make New Folder, OK, Cancel.]
Note: Ophcrack free tables are available for Windows XP, Vista and 7.
12. The selected table Vista free is installed; it shows a green ball, which means it is enabled. Click OK.
[Table Selection window after installation: Vista free now has the directory C:/Program Files (x86)/tables_vista_free and a green (enabled) marker; all other tables remain "not installed". Buttons: Install, OK.]
Note: Ophcrack loads hashes from an encrypted SAM recovered from a Windows partition.
FIGURE 9.9: Vista free rainbow table installed successfully
13. Click Crack; it cracks the passwords as shown in the following figure.
[ophcrack results window. Columns: User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2, NT Pwd. The LM Hash and LM Pwd columns are blank for every account; the NT Hash and NT Pwd columns read:
User              NT Hash             NT Pwd
Administrator     BE40C450AB997...
Guest             31d6cfe0d16ae9...   empty
LANGUARD_11_USER  C25510219F66F...
Martin            5EBE7DFA074D...     apple
Juggyboy          488CDCDD2225...     green
Jason             2D20D252A479F...    qwerty
Shiela            0CB6948805F79...    test
Table pane: Vista free, Directory C:/Program File..., Status 100% in RAM.]
Note: Using the Vista (NT hash) tables is necessary if the generation of the LM hash is disabled (this is the default for Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored).
FIGURE 9.10: Passwords are cracked
Lab Analysis
Analyze and document the results related to the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: OphCrack
Information Collected/Objectives Achieved:
User Names:
■ Administrator
■ Guest
■ LANGUARD_11_USER
■ Martin
■ Juggyboy
■ Jason
■ Shiela
Rainbow Table Used: Vista free
Passwords Found:
■ apple
■ green
■ qwerty
■ test
Questions
1. What are the alternatives to cracking administrator passwords?
Internet Connection Required
☐ Yes  ☑ No
Platform Supported
☑ Classroom  ☑ iLabs
System Monitoring Using RemoteExec
System hacking is the science of testing computers and networks for vulnerabilities and plugging them.
Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of footprinting, scanning, and enumeration. This process requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.
You should also have knowledge of gaining access, escalating privileges, executing applications, hiding files, and covering tracks.
Lab Objectives
The objective of this lab is to help students learn how to:
■ Modify, add or delete registry keys and/or values
■ Install service packs, patches, and hotfixes
■ Copy folders and files
■ Run programs, scripts, and applications
■ Deploy Windows Installer packages in silent mode
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 05 System Hacking
Lab Environment
To carry out the lab, you need:
■ RemoteExec tool located at D:\CEH-Tools\CEHv8 Module 05 System Hacking\Executing Applications Tools\RemoteExec
■ Windows Server 2008 running on the virtual machine
■ Follow the wizard-driven installation steps
■ You can also download the latest version of RemoteExec from the link http://www.isdecisions.com/en
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of RemoteExec
RemoteExec, the universal deployer for Microsoft Windows systems, allows network administrators to run tasks remotely.
Lab Task
TASK 1: Monitoring System
1. Install and launch RemoteExec.
[RemoteExec main window. Tree: RemoteExec > Remote jobs (allows you to configure, manage and execute remote jobs), Reporter (allows you to display reports on remote executions), Scheduler (allows you to schedule remote executions and generate automatic reports), Options (configure RemoteExec options). Tabs: Table of content, Quick access.]
Note: System Requirements: Target computers can have any of these operating systems: Microsoft Windows 2003/2008 (no Service Pack is required); an administration console with Microsoft Windows 2003/2008 Service Pack 6, IE5 or more.
FIGURE 10.1: RemoteExec main window
2. To configure executing a file, double-click Remote jobs.
Note: RemoteExec considerably simplifies and accelerates all install and update tasks on a local or wide area network (WAN) as well as on remote machines.
Note: Remote execution requirements: The account running RemoteExec needs administrative rights on target computers. Microsoft file and printer sharing (SMB TCP 445) and ICMP (ping) should be enabled. These protocols also need to be allowed in any firewall between the administration console and target computers.
FIGURE 10.2: RemoteExec configuring Remote jobs
3. To execute a new remote job, double-click the New remote job option, which configures and executes a new remote job.
[RemoteExec > Remote jobs window. New remote job types: File execution, Update installation, MSI installation, System action, File operation, Local account maintenance, Popup, Multiple actions. Saved items: My Remote Jobs (your favorite remote jobs), My Remote Actions (your favorite remote actions), My Target Computers (your favorite target computer lists). Also listed: Reporter, Scheduler, Options. Tabs: Table of content, Quick access.]
Note: Configure files to be generated: You see that the report has been added after the installation of Acrobat Reader in the scheduled tasks. A new section, "Document generation," is available to specify the output files. Select a PDF file to be generated in an existing folder. Make sure that the account running the task has write access to this folder.
FIGURE 10.3: RemoteExec configuring New remote job
4. In the New remote job configuration you can view different categories for working remotely.
5. Here, as an example, we use the File execution option. To configure it, double-click File Execution.
[New remote job window (RemoteExec/Remote jobs/New remote job). Actions and their descriptions: File execution; Update installation (install a Microsoft update remotely); MSI installation (install a Windows Installer package remotely); System action (reboot, shut down or wake up a computer remotely); File operation (copy files or folders to remote computers); Local account maintenance (change the local administrator password and/or disable other local accounts); Popup (display a message to the interactive user on the remote computer); Multiple actions (execute several actions in one pass). Tabs: Table of content, Quick access.]
FIGURE 10.4: RemoteExec configuring File Execution
6. In the File execution settings, browse to the executable file, select Interactive from the Context drop-down list, and check the Auto option.
Note: Using RemoteExec, you can: install patches, service packs, and hotfixes; deploy Windows Installer packages in silent mode; run applications, programs, and scripts; copy files and folders.
FIGURE 10.5: RemoteExec File execution settings
Note: Automated reports: You may want to get all these reports automatically by email each time a scheduled attempt has been done. To do this, follow the steps below.
7. Configuring the Filter section:
a. For the OS version, select = from the drop-down menu and specify the operating system.
b. For the OS level, select = from the drop-down menu and select Workstation.
c. For the IE version, select >= from the drop-down menu and specify the IE version.
d. For the Service Pack, select = from the drop-down menu and specify the service pack version.
Note: Once installed, RemoteExec and its documentation are accessible through the Windows Start menu. By default, RemoteExec is installed in evaluation mode.
[File execution window (RemoteExec/Remote jobs/New remote job/File execution). Right pane: Launch, Launch in a new tab, Schedule, Save in My Remote Jobs, Save in My Remote Actions, Save in My Target Computers. Filter tab: OS version = Windows 7/2008; OS level = Workstation; IE version >=; Registry value; check box "Don't execute again on a computer where the action was already executed".]
FIGURE 10.6: RemoteExec Filter tab
Note: The remote job was automatically set with the filter option "Don't execute again on a computer where the action was already executed." So, even if several execution attempts have been scheduled, the installation of Acrobat Reader is executed only once on each computer.
8. Selecting a target computer: enter the target computer name manually by selecting Name from the drop-down list and clicking OK.
[Add/Edit a computer dialog shown over the File execution window.]
Note: Configure the report you want to generate automatically as if you wanted to display it. When you schedule a report, if you select the latest execution, the report is always generated for the latest execution.
FIGURE 10.7: RemoteExec Add/Edit a computer
9. To execute the defined action on the remote computer, click the Launch option in the right pane of the window.