Windows Hacking

Apply Your Knowledge

As an ethical hacker, it is important to understand how files are hidden by attackers.

Exercises

4.1. NTFS File Streaming

By using NTFS file streaming, you can effectively hide files in an NTFS environment.

Estimated Time: 15 minutes.

  1. Download Sfind and LNS, two good NTFS file streaming programs. Sfind is at http://www.antiserver.it/Win%20NT/Security/download/ForensicToolkit14.exe, and LNS is at http://www.ntsecurity.nu/toolbox/lns/.
  2. Create a temporary folder on the root of your NTFS drive. Name the folder test, or give it another suitable name.
  3. Copy notepad.exe into the test folder and rename it hack.exe. You will use this file to stand in for a hacking tool.
  4. Next, create a text file called readme.txt. Place some text inside the readme file; something like "hello world" will work.
  5. Open a command prompt and change directories to place yourself in the test folder. By performing a directory listing, you should see two files: hack.exe and readme.txt. Record the total free space shown after the directory listing: __________
  6. From the command line, issue the following command:

    Type hack.exe > readme.txt:hack.exe

  7. Now run a directory listing again and record the free space results: __________
  8. Has anything changed? You should have noticed that free space has been reduced. That is because you streamed hack.exe behind readme.txt.
  9. Erase hack.exe as it's no longer needed, and then execute the following from the command line:

    Start c:\test\readme.txt:hack.exe

  10. Did you notice what happened? Your hacked file, notepad.exe, should have popped open on the screen. The file is completely hidden, as it is streamed behind readme.txt.
  11. Finally run both sfind and LNS from the command line. Both programs should detect the streamed file hack.exe. File streaming is a powerful way to hide information and make it hard to detect.
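A defender-side check for the kind of stream this exercise creates, added here as an example and not part of the original exercise or of the Sfind/LNS tools: it parses the output of cmd.exe's dir /r (which lists alternate data streams on Windows Vista and later), flags every named stream other than the benign Zone.Identifier mark-of-the-web stream, and reads the free-space figure that steps 5 and 7 ask you to record. The listing below is constructed to match the exercise's C:\test folder; its dates, sizes and free-space value are made up.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `dir /r` output for the exercise's C:\test folder
# after hack.exe was streamed behind readme.txt (values are made up).
SAMPLE_LISTING = """\
 Directory of C:\\test

01/02/2024  10:00 AM    <DIR>          .
01/02/2024  10:00 AM    <DIR>          ..
01/02/2024  10:01 AM                12 readme.txt
                                69,120 readme.txt:hack.exe:$DATA
01/02/2024  10:02 AM             2,048 notes.docx
                                    26 notes.docx:Zone.Identifier:$DATA
               2 File(s)          2,060 bytes
               2 Dir(s)  12,345,678,901 bytes free
"""

class Stream(NamedTuple):
    file: str
    stream: str
    size: int
    suspicious: bool

# A stream line carries no date column: only a size and file:stream:$DATA.
_STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
_FREE_RE = re.compile(r"([\d,]+) bytes free")
# Zone.Identifier is written by browsers on downloads; any other named
# stream (such as the exercise's hack.exe) deserves a closer look.
_BENIGN = {"Zone.Identifier"}

def find_streams(listing: str) -> List[Stream]:
    """Return every named $DATA stream found in a dir /r listing."""
    found = []
    for line in listing.splitlines():
        m = _STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            fname, sname = m.group(2), m.group(3)
            found.append(Stream(fname, sname, size, sname not in _BENIGN))
    return found

def free_bytes(listing: str) -> int:
    """Free space from the trailing 'bytes free' line (steps 5 and 7)."""
    m = _FREE_RE.search(listing)
    if not m:
        raise ValueError("no 'bytes free' line in listing")
    return int(m.group(1).replace(",", ""))
```

Run dir /r in the test folder before and after step 6, feed both listings to free_bytes to see the drop the exercise describes, and use find_streams on the second one to confirm the hidden hack.exe stream is reported.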

Exam Prep Questions

1.

How can you determine if an LM hash you extracted contains a password that is fewer than eight characters long?

A. There is no way to tell because a hash cannot be reversed.

B. The rightmost portion of the hash is always the same.

C. The hash always starts with AB923D.

D. The leftmost portion of the hash is always the same.

2.

Which of the following is a well-known password-cracking program?

A. L0phtcrack

B. Netcat

C. Jack the Ripper

D. Netbus

3.

What did the following commands determine?

C:\>user2sid \\truck guest
S-1-5-21-343818398-789336058-1343024091-501

C:\>sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is Truck

A. These commands demonstrate that the Joe account has a SID of 500.

B. These commands demonstrate that the guest account has not been disabled.

C. These commands demonstrate that the guest account has been disabled.

D. These commands demonstrate that the true administrator is Joe.

4.

What is the RID of the true administrator?

A. 0

B. 100

C. 500

D. 1000

5.

What is the best alternative if you discover that a rootkit has been installed on one of your computers?

A. Copy the system files from a known good system.

B. Perform a trap and trace.

C. Delete the files and try to determine the source.

D. Rebuild from known good media.

6.

To increase password security, Microsoft added a second layer of encryption. What is this second layer called?

A. Salt

B. SYSKEY

C. SYS32

D. SAM

7.

SNMP is a protocol used to query hosts and other network devices about their network status. One of its key features is its use of network agents to collect and store management information, such as the number of error packets received by a managed device. Which of the following makes it a great target for hackers?

A. It's enabled by all network devices by default.

B. It's based on TCP.

C. It sends community strings in cleartext.

D. It is susceptible to sniffing if the community string is known.

8.

Which of the following is the best way to prevent the use of LM authentication in your Windows 2003 environment?

A. Use the LMShut tool from Microsoft.

B. Use the NoLMHash Policy by Using Group Policy.

C. Disable Lsass in Windows 2003.

D. Use a password that is at least 10 characters long.

9.

Which of the following tools can be used to clear the Windows logs?

A. Auditpol

B. Elsave

C. Pwdump

D. Cain

10.

What is one of the disadvantages of using John the Ripper?

A. It cannot crack NTLM passwords.

B. It separates the passwords into two separate halves.

C. It cannot differentiate between upper- and lowercase passwords.

D. It cannot perform brute force cracks.

11.

You found the following command on a compromised system:

Type nc.exe > readme.txt:nc.exe  

What is its purpose?

A. This command is used to start a Netcat listener on the victim's system.

B. This command is used to stream Netcat behind readme.txt.

C. This command is used to open a command shell on the victim with Netcat.

D. This command is used to unstream Netcat.exe.

12.

Which of the following uses the faster time-memory trade-off technique and works by precomputing all possible passwords in advance?

A. Rainbow tables

B. Dictionary cracks

C. Hybrid cracks

D. Brute force cracks

13.

Why would an attacker scan for port 445?

A. To attempt to DoS the NetBIOS SMB service on the victim system

B. To scan for file and print sharing on the victim system

C. To scan for SMB services and verify that the system is Windows 2000 or greater

D. To scan for NetBIOS services and verify that the system is truly a Windows NT server

14.

You have downloaded a tool called SYSCracker, and you plan to use it to break SYSKEY encryption. The first thing the tool prompts you for is to set the level of SYSKEY encryption. How many bits are used for SYSKEY encryption?

A. 40 bits

B. 64 bits

C. 128 bits

D. 256 bits

15.

You are trying to establish a null session to a target system. Which is the correct syntax?

A. net use \\IP_address\IPC$ "" /u:""

B. net use //IP_address/IPC$ "" u:""

C. net use \\IP_address\IPC$ * /u:""

D. net use \\IP_address\IPC$ * u:""

Answers to Exam Questions

A1:

1. B. When looking at an extracted LM hash, you will sometimes observe that the rightmost portion is always the same. This is padding that has been added to a password fewer than eight characters long. The usual ending is 1404EE. Answer A is incorrect because even though a hash cannot be reversed, it is possible to recognize the padding in the hash. Answer C is incorrect, as the hash will not always start with AB923D. Answer D is incorrect, as the leftmost portion of the hash might not always be the same.

A2:

2. A. L0phtcrack is a well-known password-cracking program. Answer B is incorrect because even though Netcat is considered the Swiss army knife of hacking tools, it is not used for password cracking. Answer C is incorrect, as the password-cracking tool is John the Ripper, not Jack the Ripper. Answer D is incorrect because Netbus is a Trojan program.

A3:

3. D. One important goal of enumeration is to determine the true administrator. In the question, the true administrator is Joe. Answer A is incorrect because the Joe account has a RID of 500, not a SID of 500. Answer B is incorrect because the commands issued do not show whether the account is disabled; that is not the purpose of the tool. Answer C is incorrect, as the commands do not show that the guest account has been disabled.

A4:

4. C. The administrator account has a RID of 500. Therefore, answers A, B, and D are incorrect. RIDs of 0 and 100 are not used, although 1000 is the first user account.

A5:

5. D. If a rootkit is discovered, you will need to rebuild the OS and related files from known good media. This typically means performing a complete reinstall. Answers A, B, and C are incorrect because copying system files will do nothing to replace infected files; performing a trap and trace might identify how the attacker entered the system, but will not fix the damage done; and deleting the files will not ensure that all compromised files have been cleaned.

A6:

6. B. SYSKEY is the second layer of encryption used to further obfuscate Windows passwords. It features 128-bit encryption. Answer A is incorrect, as a salt is used by Linux for password encryption. Answer C is incorrect because SYS32 is an executable used by the Flux.e Trojan. Answer D is incorrect because SAM stores password and account information.

A7:

7. C. Most SNMP devices are configured with public and private as the default community strings. These are sent in cleartext. Answer A is incorrect because it is not enabled on all devices by default. Answer B is incorrect because it is not based on TCP; it is UDP based. Answer D is incorrect, as anyone can sniff it while in cleartext. The community strings are required to connect.

A8:

8. B. There are several ways to prevent the use of LM authentication in your Windows 2003 environment. The easiest is to use the NoLMHash Policy by Using Group Policy. Although you could edit the registry, doing so incorrectly can cause serious problems that might require you to reinstall your operating system. Answer A is incorrect, as the LMshut tool does not accomplish the required task. Answer C is incorrect because Lsass generates the process responsible for authenticating users for the Winlogon service. Answer D is incorrect, as passwords would need to be at least 15 characters long, not 10.

A9:

9. B. Elsave is used to clear the log files. Answers A, C, and D are incorrect because Auditpol is used to disable auditing, PWdump is used to extract the hash, and Cain is used for a host of activities, such as password cracking, although clearing the logs is not one of them.

A10:

10. C. John the Ripper cannot differentiate between upper- and lowercase passwords. Answer A is incorrect because it can crack NTLM passwords. Answer B is incorrect, as separating the NTLM passwords into two halves actually speeds cracking. Answer D is incorrect, as John the Ripper can perform brute force cracks.

A11:

11. B. Alternate data streams are another type of named data stream that can be present within each file. The command streams Netcat behind readme.txt on an NTFS drive. Answers A, C, and D are incorrect because the command does not start a Netcat listener, it does not open a command shell, and it is not used to unstream Netcat.

A12:

12. A. Rainbow tables use the faster time-memory trade-off technique and work by precomputing all possible passwords in advance. Answers B, C, and D are all incorrect because they are the traditional methods used to crack passwords.

A13:

13. C. The SMB protocol is used for file sharing in Windows 2000. In 2000 and newer systems, Microsoft added the capability to run SMB directly over TCP port 445. Answer A is incorrect, as a scan probably will not DoS the server. Answer B is incorrect because it is not the most correct answer. Answer D is incorrect, as Windows NT systems do not run port 445 by default.

A14:

14. C. After Windows NT, SYSKEY was no longer optional; it is enabled by default at installation time. Once activated, the hashes are encrypted yet another time before being stored in the SAM. SYSKEY offers 128-bit encryption. Answer A is incorrect because SYSKEY does not offer 40-bit encryption. Answer B is incorrect, as SYSKEY does not offer 64-bit encryption. Answer D is incorrect because SYSKEY does not offer 256-bit encryption.

A15:

15. A. The proper syntax is net use \\IP_address\IPC$ "" /u:"". Therefore, answers B, C, and D are incorrect.

Suggested Reading and Resources

Enum website: www.bindview.com/Services//RAZOR/Utilities/Windows/enum_readme.cfm

DumpSec home page: www.systemtools.com/cgi-bin/download.pl?DumpAcl

SID2USER enumeration tools: http://evgenii.rudnyi.ru/programming.html#overview

Enumerating Windows systems: www.securityfocus.com/infocus/1352

NBTStat overview and uses: www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbd_trb_gtvp.asp

Exploiting the IPC$ share: www.governmentsecurity.org/articles/ExploitingTheIPCShare.php

Keystroke loggers: www.netbus.org/keystroke-logger.html

Windows rootkits: www.theregister.co.uk/2003/03/07/windows_root_kits_a_stealthy

Hacking Windows: www.hnc3k.com/hackingtutorials.htm

Privilege escalation tools: www.antionline.com/showthread.php?threadid=268572
