CEHv11 - Module Six

Passive Online Attacks: Wire Sniffing

- The attacker performs password cracking without communicating with the authorizing party -Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic -The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails -Sniffed credentials are used to gain unauthorized access to the target system

Offline Attacks: Distributed Network Attack

-A Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network -The DNA Manager is installed in a central location where machines running on DNA Client can access it over the network -The DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network -The DNA Client runs in the background consuming only unused processor time -The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password

Buffer Overflow

-A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data -Buffer overflow or overrun is a common vulnerability in an applications or programs that accepts more data than the allocated buffer -This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations -Attackers exploit buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, etc. Why Are Programs and Applications Vulnerable to Buffer Overflows? -Lack of boundary checking -Using older versions of programming languages -Using unsafe and vulnerable functions -Lack of good programming practices -Failing to set proper filtering and validation principles -Executing code present in the stack segment -Improper memory allocation -Insufficient input sanitization

Delete Files using Cipher.exe

-Cipher.exe is an in-built Windows command-line tool that can be used to securely delete data by overwriting it to avoid their recovery in the future

Spyware

-Spyware is a stealthy program that records the user's interaction with the computer and the Internet without the user's knowledge and sends the information to the remote attackers -Spyware hides its process, files, and other objects in order to avoid detection and removal -It is like a Trojan horse, which is usually bundled as a hidden component of freeware programs that can be available on the Internet for download -It allows the attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, and banking credentials Spyware Propagation -Drive-by download -Masquerading as anti-spyware -Web browser vulnerability exploits -Piggybacked software installation -Browser add-ons -Cookies

Covering BASH Shell Tracks

-The BASH is an sh-compatible shell that stores command history in a file called bash_history -You can view the saved command history using the more ~/.bash_history command -Disabling history export HISTSIZE=0 -Clearing the history history -c (Clears the stored history) history -w (Clears history of the current shell) -Clearing the user's complete history cat /dev/null > ~.bash_history && history -c && exit -Shredding the history shred ~/.bash_history (Shreds the history file, making its content unreadable) shred ~/.bash_history && cat /dev/null > .bash_history && history -c && exit (Shreds the history file and clears the evidence of the command)

Offline Attacks: Rainbow Table Attack

-The attacker copies the target's password file and then tries to crack passwords on his own system at a different location Rainbow Table -A rainbow table is a precomputed table that contains word lists like dictionary files, brute force lists, and their hash values Compare the Hashes -The hash of passwords is captured and compared with the precomputed hash table. If a match is found, then the password gets cracked Easy to Recover -It is easy to recover passwords by comparing the captured password hashes to the precomputed tables Tool to Create Rainbow Tables: rtgen -The rtgen program needs several parameters to generate a rainbow table. The syntax for the command line is as follows

Non-Electronic Attacks

-The attacker does not need technical knowledge to crack the password, hence it is known as a non-technical attack Social Engineering -Convincing people to reveal passwords Shoulder Surfing -Looking at either the user's keyboard or screen while he/she is logging in Dumpster Diving -Searching for sensitive information in the user's trash-bins, printer trash bins, and in/on the user's desk for sticky notes

Active Online Attacks: Trojans/Spyware/Keyloggers

-The attacker installs a Trojan/Spyware/Keylogger on the victim's machine to collect the victim's usernames and passwords -The Trojan/Spyware/Keylogger runs in the background and sends back all user credentials to the attacker

Clearing Logs

-The attacker uses the Clear_Event_Viewer_Logs.bat utility to clear the security, system, and application logs -If the system is exploited with Metasploit, the attacker uses meterpreter shell to wipe out all the logs from a Windows system -The attacker uses the Clear-EventLog command to clear all the PowerShell event logs from local or remote computers -To clear the entries fromthe PowerShell event from a local or remote system: >Clear-EventLog "Windows PowerShell" -To clear specific multiple log types from the local and remote systems: >Clear-EventLog -LogName ODiag, OSession - ComputerName localhost, Server02 -To clear all logs on the specified systems and then display the event log list: >Clear-EventLog -LogName application, system -confirm -The attacker uses the wevtutil utility to clear event logs related to the system, application, and security

Executing Applications

-When attackers execute malicious applications it is called "owning" the system -The attacker executes malicious programs remotely in the victim's machine to gather the information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install backdoor to maintain easy access, etc.

Defending against Covering Tracks

1. Activate logging functionality on all critical systems 2. Conduct a periodic audit on IT systems to ensure logging functionality is in accordance with the security policy 3. Ensure new events do not overwrite old entries in the log files when the storage limit is exceeded 4. Configure appropriate and minimal permissions necessary to read and write log files 5. Maintain a separate logging server on the DMZ to store logs from critical servers 6. Regularly update and patch operating systems, applications, and firmware 7. Close all unused open ports and services 8. Encrypt the log files stored on the system, so that altering them is not possible without an appropriate decryption key 9. Set log files to "append only" mode to prevent unauthorized deletion of log entries 10. Periodically backup the log files to unalterable media

Defending against Buffer Overflows

1. Develop programs by following secure coding practices and guidelines 2. Use address space layout randomization (ASLR) technique 3. Validate arguments and minimize code that requires root privileges 4. Perform code review at the source code level by using static and dynamic code analyzers 5. Allow the compiler to add bounds to all buffers 6. Implement automatic bounds checking 7 8 9 10 11 12 7. Always protect the return pointer on the stack 8. Never allow execution of code outside the code space 9. Regularly patch the applications and operating systems 10. Perform code inspection manually with a checklist to ensure that the code meets certain criteria 11. Employ Data Execution Prevention (DEP) to mark memory regions as non-executable 12. Implement code pointer integrity checking to detect whether a code pointer has been corrupted before it is dereference

How to Create NTFS Streams

1. Launch c:\>notepad myfile.txt:lion.txt Click 'Yes' to create the new file, enter some data and Save the file 2. Launch c:\>notepad myfile.txt:tiger.txt Click 'Yes' to create the new file, enter some data and Save the file 3. View the file size of myfile.txt (It should be zero) 4. To view or modify the stream data hidden in step 1 and 2, use the following commands respectively: notepad myfile.txt:lion.txt notepad myfile.txt:tiger.txt

Defending against Spectre and Meltdown Vulnerabilities

1. Regularly patch and update operating systems and firmware 2. Enable continuous monitoring of critical applications and services running on the system and network 3. Regularly patch vulnerable software such as browsers 4. Install and update ad-blockers and anti-malware software to block injection of malware through compromised websites 5. Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access 6. Block services and applications that allow unprivileged users to execute code 7. Never install unauthorized software or access untrusted websites from systems storing sensitive information 8. Use Data Loss Prevention (DLP) solutions to prevent leakage of critical information from runtime memory 9. Frequently check with the manufacturer for BIOS updates and follow the instructions provided by the manufacturer to install the updates

How to Defend against NTFS Streams

1. To delete NTFS streams, move the suspected files to the FAT partition 2. Use a third-party file integrity checker such as Tripwire File Integrity Manager to maintain the integrity of an NTFS partition files 3. Use programs such as Stream Detector, LADS, or ADS Detector to detect streams 4. Enable real-time antivirus scanning to protect against the execution of malicious streams in your system 5. Use up-to-date antivirus software on your system

NTFS Stream Manipulation

1. To move the contents of Trojan.exe to Readme.txt (stream): C:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exe 2. To create a link to the Trojan.exe stream inside the Readme.txt file: C:\>mklink backdoor.exe Readme.txt:Trojan.exe 3. To execute the Trojan.exe inside the Readme.txt (stream), type: C:\>backdoor

How to Defend against Spyware

1. Try to avoid using any computer system that is not entirely under your control 2. Adjust the browser security settings to medium or higher for the Internet zone 3. Be cautious about suspicious emails and sites 4. Enable the firewall to enhance the security level of the computer 5. Regularly update the software and use a firewall with outbound protection 6. Regularly check the task manager report and MS configuration manager report 7. Regularly update virus definition files and scan the system for spyware 8. Install and use anti-spyware software 9. Perform web surfing safely and download cautiously 10. Do not use administrative mode unless it is necessary 11. Keep your operating system up to date 12. Do not download free music files, screensavers, or smiley faces from the Internet 13. Beware of pop-up windows or web pages. Never click anywhere on these windows 14. Carefully read all disclosures, including the license agreement and privacy statement before installing any application

Default Passwords

-A default password is a password supplied by the manufacturer with new equipment (e.g., switches, hubs, routers) that is password protected -Attackers use default passwords present in the list of words or dictionary that they use to perform password guessing attack

Privilege Escalation using Named Pipe Impersonation

-In the Windows operating system, named pipes provide legitimate communication between running processes -Attackers often exploit this technique to escalate privileges on the victim's system to those of a user account having higher access privileges

CEH Hacking Methodology (CHM)

1. Footprinting 2. Scanning 3. Enumeration 4. Vulnerability Analysis Happens after four steps: System Hacking Gaining Access Escalating Privileges Maintaining Access Clearing Logs

What is Steganography?

1. Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data 2. Utilizing a graphic image as a cover is the most popular method to conceal the data in files 3. The attacker can use steganography to hide messages such as a list of the compromised servers, source code for the hacking tool, or plans for future attacks

How to Defend against Keyloggers

1. Use pop-up blockers and avoid opening junk emails 2. Install anti-spyware/antivirus programs and keep the signatures up to date 3. Install professional firewall software and anti-keylogging software 4. Recognize phishing emails and delete them Regularly update and patch system software 5. Do not click on links in unwanted or doubtful emails that may point to malicious sites 6. Use keystroke interference software, which inserts randomized characters into every keystroke 7. Scan the files before installing and use registry editor or process explorer to check for keystroke loggers 8. Use the Windows on-screen keyboard accessibility utility to enter the password or any other confidential information 9. Install a host-based IDS, which can monitor your system and disable the installation of keyloggers 10. Use an automatic form-filling password manager or virtual keyboard to enter your username and password 11. Use software that frequently scans and monitors the changes in the system or network

Active Online Attacks: Cracking Kerberos Passwor

AS-REP Roasting (Cracking TGT) -Attackers request a TGT from the KDC in the form of the an AS-REQ packet and crack the ticket to obtain the user's password Kerberoasting (Cracking TGS) -Attackers request a TGS for the SPN of the target service account and crack the ticket to obtain the user's password

Track-Covering Tools

CCleaner -CCleaner cleans traces of temporary files, log files, registry files, memory dumps, and your online activities such as your Internet history

Manually Clearing Event Logs

For Windows -Navigate to Start -> Control Panel -> System and Security -> Administrative Tools -> double click Event Viewer -Delete the all the log entries logged while compromising the system For Linux -Navigate to /var/log directory on the Linux system -Open the plain text file containing log messages with text editor /var/log/messages -Delete all the log entries logged while compromising the system

Hardware Keyloggers

KeyGrabber Hardware Keyloggers Vendors KeyGrabber USB http://www.keelog.com KeyCarbon http://www.keycarbon.com Keyllama Keylogger https://Keyllama.com Keyboard logger https://www.detective-store.com KeyGhost https://www.keyghost.com

Tools to Detect LLMNR/NBT-NS Poisoning

Vindicate -Vindicate is an LLMNR/NBNS/mDNS Spoofing Detection Toolkit to detect name service spoofing got-responded -got-responded helps security professionals to check for both LLMNR/NBT-NS spoofing

Anti-Keyloggers

Zemana AntiLogger -Zemana AntiLogger detects the malware at the time it attacks your system rather than detecting it based on its signature fingerprint

Tools to Extract the Password Hashes

pwdump7 -pwdump7 extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database Tools to Extract the Password Hashes -Mimikatz (https://github.com) -Powershell Empire (https://github.com) -DSInternals PowerShell (https://github.com) -Ntdsxtract (https://github.com)

Steganography Detection Tools

zsteg -zsteg tool is used to detect stegano-hidden data in PNG and BMP image files

Keylogger

-Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, logs onto a file, or transmits them to a remote location -Legitimate applications for keyloggers include in office and industrial settings to monitor employees' computer activities and in the home environment where parents can monitor and spy on children's activity -It allows the attacker to gather confidential information about the victim such as email ID, passwords, banking details, chat room activity, IRC, and instant messages -Physical keyloggers are placed between the keyboard hardware and the operating system

Active Online Attacks: LLMNR/NBT-NS Poisoning

-LLMNR and NBT-NS are the two main elements of Windows operating systems that are used to perform name resolution for hosts present on the same link -The attacker cracks the NTLMv2 hash obtained from the victim's authentication process -The extracted credentials are used to log on to the host system in the network

Privilege Escalation Using DLL Hijacking

-Most Windows applications do not use the fully qualified path when loading an external DLL library. Instead they search the directory, from which they have been loaded -If attackers can place a malicious DLL in the application directory, it will be executed in place of the real DLL -Attackers use tools such as Robber and PowerSploit to detect hijackable DLLs and perform DLL hijacking on the target system Robber -Robber is an open-source tool that helps attackers to find executables prone to DLL hijacking

NTFS Data Stream

-NTFS Alternate Data Stream (ADS) is a Windows hidden stream, which contains metadata for the file, such as attributes, word count, author name and access, and modification time of the files -ADS can fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities -ADS allows an attacker to inject malicious code in files on an accessible system and execute them without being detected by the user

Covering Tracks

-Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection 1. Disable Auditing 2. Clearing Logs 3. Manipulating Logs 4. Covering Tracks on the Network/OS 5. Deleting Files 6. Disabling Windows Functionality

Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack

-A hash injection/PtH attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources -The attacker finds and extracts a logged-on domain admin account hash -The attacker uses the extracted hash to log on to the domain controlle

Types of Buffer Overflow: Stack-Based Buffer Overflow

-A stack is used for static memory allocation and stores the variables in "Last-in First-out" (LIFO) order -There are two stack operations: -PUSH stores the data onto the stack -POP removes data from the stack -When a function starts execution, a stack frame is pushed onto the stack in the ESP register -When the function returns, the stack frame is popped out and execution resumes from the return address stored on the EIP register -If an application is vulnerable to stack-based buffer overflow, then attackers take control of the EIP register to replace the return address of the function with the malicious code that allows them to gain shell access to the target syste

Privilege Escalation

-An attacker can gain access to the network using a non-admin user account and the next step would be to gain administrative privileges -The attacker performs a privilege escalation attack that takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications -These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, or worms Horizontal Privilege Escalation -Refers to acquiring the same privileges that have already been granted, by assuming the identity of another user with the same privileges Vertical Privilege Escalation -Refers to gaining higher privileges than those existing

Privilege Escalation by Exploiting Vulnerabilities

-Attackers exploit software vulnerabilities by taking advantage of programming flaws in a program, service, or within the operating system software or kernel, to execute malicious code -Exploiting software vulnerabilities allows the attacker to execute a command or binary on a target machine to gain higher privileges than those existing or to bypass security mechanisms -Attackers using these exploits can access privileged user accounts and credentials -Attackers search for an exploit based on the OS and software application on exploit sites such as SecurityFocus (https://www.securityfocus.com) and Exploit Database (https://www.exploit-db.com

Active Online Attacks: Internal Monologue Attack

-Attackers perform an internal monologue attack using SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on use

Pivoting and Relaying to Hack External Machines

-Attackers use the pivoting technique to compromise a system, gain remote shell access on it, and further bypass the firewall to pivot via the compromised system to access other vulnerable systems in the network -Attackers use the relaying technique to access resources present on other systems via the compromised system such a way that the requests to access the resources are coming from the initially compromised system Pivoting 1. Discover live hosts in the network 2. Set up routing rules 3. Scan ports of live systems 4. Exploit vulnerable services Relaying 1. Set up port forwarding rules 2. Access the system resources -Attackers can browse the http server running on the target system using the following URL: http://localhost:10080 2. -Attackers can access the SSH server running on the target system by executing the following command: # ssh myadmin@localhost

Audio Steganography

-Audio steganography refers to hiding secret information in audio files such as .MP3, .RM, and .WAV -Information can be hidden in an audio file using LSB or using frequencies that are inaudible to the human ear (>20,000 Hz) -Some of the audio steganography methods are echo data hiding, spread spectrum method, LSB coding, tone insertion, phase encoding, etc. DeepSound -DeepSound hides secret data in audio files - wave and flac -It enables the extraction of secret files directly from audio CD tracks

Document Steganography

-Document steganography is the technique of hiding secret messages transferred in the form of documents -It includes the addition of white spaces and tabs at the end of the lines

Password Recovery Tools

-Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment -Password Recovery Toolkit https://accessdata.com -Passware Kit Forensic https://www.passware.com -hashcat https://hashcat.net -Windows Password Recovery Tool https://www.windowspasswordsrecovery.com -PCUnlocker https://www.top-password.com

Types of Buffer Overflow: Heap-Based Buffer Overflow

-Heap memory is dynamically allocated at runtime during the execution of the program and it stores program data -Heap-based overflow occurs when a block of memory is allocated to a heap, and data is written without any bounds checking -This vulnerability leads to overwriting dynamic object pointers, heap headers, heap -based data, virtual function table, etc. -Attackers exploit heap-based buffer overflow to take control of the program's execution. Unlike stack overflows, heap overflows are inconsistent and have different exploitation techniques

Privilege Escalation Using Dylib Hijacking

-In OS X, when applications load an external dylib (dynamic library), the loader searches for the dylib in multiple directories -If attackers can inject a malicious dylib into one of the primary directories, it will be executed in place of the original dylib -Dylib Hijack Scanner helps attackers to detect dylibs that are vulnerable to hijacking attack -Attackers use tools such as DylibHijack to perform dylib hijacking on the target system

Passive Online Attacks: Man-in-the-Middle and Replay Attacks

-In an MITM attack, the attacker acquires access to the communication channels between the victim and the server to extract the information needed -In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access Considerations -Relatively hard to perpetrate -Must be trusted by one or both sides -Can sometimes be broken by invalidating traffic

Folder Steganography

-In folder steganography, files are hidden and encrypted within a folder and do not appear to normal Windows applications, including Windows Explorer GiliSoft File Lock Pro -It locks files, folders, and drives, hides files, folders, and drives to make them invisible, or password protects files folders, and drives

Image Steganography

-In image steganography, the information is hidden in image files of different formats such as .PNG, .JPG, and .BMP -Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by the human eye Least Significant Bit Insertion -The binary data of the message is broken, which is then inserted into the LSB of each pixel in the image file in a deterministic sequence Masking and Filtering -Masking and filtering techniques hide data using techniques such as watermarks on an actual paper; this can be done by modifying the luminance of some image parts Algorithms and Transformation -Hide data in mathematical functions that are used in compression algorithms -The data are embedded in the cover image by changing the coefficients of a transform of an image

Whitespace Steganography

-In white space steganography, the user hides the messages in ASCII text by adding white spaces to the ends of the lines -Because spaces and tabs are not generally visible in text viewers, the message is effectively hidden from casual observers -Use of built-in encryption makes the message unreadable even if it is detected -Use the SNOW tool to hide the message

Disabling Auditing: Auditpol

-Intruders disable auditing immediately after gaining administrator privileges -Toward the end of their stay, the intruders simply turn on auditing again using auditpol.exe

Active Online Attacks: Pass the Ticket Attack

-Pass the Ticket is a technique used for authenticating a user to a system that is using Kerberos without providing the user's password -To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools -The attacker then launches a pass the ticket attack either by stealing the ST/TGT from an end-user machine, or by stealing the ST/TGT from a compromised Authorization Server -The attacker uses the retrieved ticket to gain unauthorized access to the target network services -Tools such as Mimikatz, Rubeus, and Windows Credentials Editor are used by attackers to launch such attacks Mimikatz -Mimikatz allows attackers to pass Kerberos TGT to other computers and sign in using the victim's ticket -It also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memor

Password Cracking

-Password cracking techniques are used to recover passwords from computer systems -Attackers use password cracking techniques to gain unauthorized access to vulnerable systems -Most of the password cracking techniques are successful because of weak or easily guessable password

Password Salting

-Password salting is a technique where a random string of characters are added to the password before calculating their hashes -Advantage: Salting makes it more difficult to reverse the hashes and defeat pre-computed hash attacks

Ways to Clear Online Tracks

-Remove the Most Recently Used (MRU), delete cookies, clear the cache, turn off AutoComplete, and clear the Toolbar data from the browsers From the Privacy Settings in Windows 10 -Right-click on the Start button, choose Settings, and click on "Personalization" -In Personalization, click Start from the left pane and Turn Off both "Show most used apps" and "Show recently opened items in Jump Lists on Start or the taskbar" From the Registry in Windows 10 -Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows\CurrentVersion\ Explorer and then remove the key for "RecentDocs" -Delete all the values except "(Default)"

Spam/Email Steganography

-Spam/email steganography refers to the technique of sending secret messages by hiding them in spam/email messages -Spam emails help to communicate secretly by embedding the secret messages in some way and hiding the embedded data in the spam emails -Spam Mimic is a spam/email steganography tool that encodes the secret message into an innocent-looking spam email

Privilege Escalation Using Spectre and Meltdown Vulnerabilities

-Spectre and Meltdown are vulnerabilities found in the design of modern processor chips from AMD, ARM, and Intel -The performance and CPU optimizations in the processors, such as branch prediction, out of order execution, caching, and speculative execution, lead to these vulnerabilities -Attackers exploit these vulnerabilities to gain unauthorized access and steal critical system information such as credentials and secret keys stored in the application's memory, to escalate privileges Spectre Vulnerability -Attackers may take advantage of this vulnerability to read adjacent memory locations of a process and access information for which he/she is not authorized -Using this vulnerability, an attacker can even read the kernel memory or perform a web-based attack using JavaScript Meltdown Vulnerability -Attackers may take advantage of this vulnerability to escalate privileges by forcing an unprivileged process to read other adjacent memory locations such as kernel memory and physical memory -This leads to revealing critical system information such as credentials, private keys, etc.

Active Online Attacks: Dictionary, Brute-Force, and Rule-based Attack

-The attacker performs password cracking by directly communicating with the victim's machine Dictionary Attack -A dictionary file is loaded into the cracking application that runs against user accounts Brute-Force Attack -The program tries every combination of characters until the password is broken Rule-based Attack -This attack is used when the attacker gets some information about the password Active Online Attacks: Password Guessing -The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and manually inputs them on the victim's machine to crack the password 1. Find a valid user 2. Create a list of possible passwords 3. Rank passwords from high to low probability 4. Key in each password, until the correct password is discovered

Video Steganography

-Video steganography refers to hiding secret information in a carrier video file -In video steganography, the information is hidden in video files of different formats such as .AVI, .MPG4, and .WMV -Discrete Cosine Transform (DCT) manipulation is used to add secret data at the time of the transformation process of the video OmniHide Pro -OmniHide Pro hides a file within another file. Any file can be hidden within common image/music/video/document formats. The output file will work in the same way as the original source file

How to Defend against Rootkits

1. Reinstall OS/applications from a trusted source after backing up the critical data 2. Well-documented automated installation procedures need to be kept 3. Perform kernel memory dump analysis to determine the presence of rootkits 4. Harden the workstation or server against the attack 5. Educate staff not to download any files/programs from untrusted sources 6. Install network and host-based firewalls 7. Ensure the availability of trusted restoration media 8. Update and patch operating systems, applications, and firmware 9. Regularly verify the integrity of system files using cryptographically strong digital fingerprint technologies 10. Regularly update antivirus and anti-spyware software 11. Avoid logging in to an account with administrative privileges 12. Adhere to the least privilege principle 13. Ensure the chosen antivirus software possesses rootkit protection 14. Do not install unnecessary applications and also disable the features and services not in use

How to Defend Against Privilege Escalation

1. Restrict the interactive logon privileges 2. Run users and applications with the lowest privileges 3. Implement multi-factor authentication and authorization 4. Run services as unprivileged accounts 5. Implement a privilege separation methodology to limit the scope of programming errors and bugs 6. Use an encryption technique to protect sensitive data 7. Reduce the amount of code that runs with a particular privilege 8. Perform debugging using bounds checkers and stress tests 9. Test the system for application coding errors and bugs thoroughly 10. Regularly patch and update the kernel 11. Change the User Account Control settings to "Always Notify" 12. Restrict users from writing files to the search paths for applications 13. Continuously monitor file system permissions using auditing tools 14. Reduce the privileges of users and groups so that only legitimate administrators can make service changes 15. Use whitelisting tools to identify and block malicious software 16. Use fully qualified paths in all Windows applications 17. Ensure that all executables are placed in write-protected directories 18. In Mac operating systems, make plist files read-only 19. Block unwanted system utilities or software that may be used to schedule tasks 20. Regularly patch and update the web servers

How to Defend against Password Cracking

1. Use an information security audit to monitor and track password attacks 2. Disallow use of the same password during a password change 3. Disallow password sharing 4. Disallow the use of passwords that can be found in a dictionary 5. Do not use cleartext protocols and protocols with weak encryption 6. Set the password change policy to 30 days 7. Avoid storing passwords in an unsecured location 8. Do not use any system default passwords 9. Make passwords hard to guess by requiring 8-12 alphanumeric characters consisting of a combination of uppercase and lowercase letters, numbers, and symbols 10. Disallow the use of passwords such as date of birth, spouse, child's, or pet's name 11. Enable SYSKEY with a strong password to encrypt and protect the SAM database 12. Use a random string (salt) as a prefix or suffix to the password before encryption 13. Ensure that applications neither store passwords in memory nor write them to disks in clear text 14. Monitor the server's logs for brute force attacks on the users' accounts 15. Lockout an account subjected to too many incorrect password guesses 16. Make the system BIOS password-protected, particularly on devices that are susceptible to physical threats 17. Train employees to thwart social engineering tactics such as shoulder surfing and dumpster diving, which are used to steal credentials 18. Secure and control physical access to systems to prevent offline password attacks 19. Use two-factor or multi-factor authentication, for example, using CAPTCHA to prevent automated attacks 20. Perform password screening when new passwords are created to avoid using commonly used passwords 21. Ensure that the password database files are encrypted and accessible only to system administrators 22. Mask the display of passwords on the screen to avoid shoulder surfing attacks

Other Privilege Escalation Techniques

Access Token Manipulation -The Windows operating system uses access tokens to determine the security context of a process or thread -Attackers can obtain access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities by evading detection Application Shimming -The Windows Application Compatibility Framework called Shim is used to provide compatibility between the older and newer versions of the Windows operating system -Shims like RedirectEXE, injectDLL, and GetProcAddress can be used by attackers to escalate privileges, install backdoors, disable Windows Defender, etc. Filesystem Permissions Weakness -If the filesystem permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file -If the process that is executing this binary has higher level permissions, then the malicious binary also executes under higher level permissions Path Interception -Applications include many weaknesses and misconfigurations like unquoted paths, path environment variable misconfiguration, and search order hijacking that lead to path interception -Path interception helps an attacker to maintain persistence on a system and escalate privileges Scheduled Task -The Windows Task Scheduler along with utilities such as 'at' and 'schtasks' can be used to schedule programs that can be executed at a specific date and time -The attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc. Launch Daemon -Launchd is used in MacOS and OS X boot up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon -Daemons have plists that are linked to executables that run at start up -The attacker can alter the launch daemon's executable to maintain persistence or to escalate privileges Plist Modification -Plist files in MacOS and OS X describe when programs should execute, the executable file path, the program parameters, the required OS permissions, etc. -Attackers alter plist files to execute malicious code on behalf of a legitimate user to escalate privileges Setuid and Setgid -In Linux and MacOS, if an application uses setuid or setgid then the application will execute with the privileges of the owning user or group -An attacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges Web Shell -A Web shell is a web-based script that allows access to a web server -Attackers create web shells to inject malicious script on a web server to maintain persistent access and escalate privileges

Exploit Sites

Attackers can use various exploit sites such as Exploit Database, SecurityFocus, etc. to discover vulnerabilities and download or develop exploits to perform remote exploitation on the target system.

Other Active Online Attacks

Combinator Attack -Attackers combine the entries of the first dictionary with those of the second dictionary to generate a new wordlist to crack the password of the target system Fingerprint Attack -Attackers break down the passphrase into fingerprints comprising single and multi-character combinations to crack complex passwords PRINCE Attack -An advanced version of a combinator attack where instead of taking input from two different dictionaries, attackers use a single input dictionary to build chains of combined words Toggle-Case Attack -Attackers try all possible combinations of upper and lower cases of a word present in the input dictionary Markov-Chain Attack -Attackers gather a password database and split each password entry into 2-and 3-character long syllables; using these character elements, a new alphabet is developed, which is then matched with the existing password database

Tools for Defending against DLL and Dylib Hijacking

Dependency Walker -Dependency Walker detects many common application problems such as missing modules, invalid modules, import/export mismatches, and circular dependency errors Dylib Hijack Scanner -Dylib Hijack Scanner is a simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked

Disable Windows Functionality

Disable the Last Access Timestamp -fsutil is a utility in Windows used to set the NTFS volume behavior parameter, DisableLastAccess, which controls enabling or disabling of the last access timestamp DisableWindows Hibernation -Disable Windows hibernation using the Registry Editor or powercfg command

How to Defend against Keyloggers (cont'd)

Hardware Keylogger Countermeasures 1. Restrict physical access to sensitive computer systems 2. Periodically check your keyboard interface to ensure that no extra components are plugged into the keyboard cable connector 3. Use encryption between the keyboard and its driver 4. Use an anti-keylogger that detects the presence of a hardware keylogger such as KeyGrabber 5. Use an on-screen keyboard and click on it using a mouse 6. Periodically check the video monitor cables to detect the presence of hardware keyloggers 7. Setup video surveillance around the computer desk to detect the addition of malicious hardware 8. Disable USB ports or setup advanced BIOS authentication mechanisms to enable USB ports

Types of Keystroke Loggers

Hardware Keystroke Loggers -PC/BIOS Embedded -Keylogger Keyboard -External Keylogger -PS/2 and USB Keylogger -Acoustic/CAM Keylogger -Bluetooth Keylogger -Wi-Fi Keylogger Software Keystroke Loggers -Application Keylogger -Kernel Keylogger -Hypervisor-based Keylogger -Form Grabbing Based Keylogger -Javascript Based Keylogger -Memory Injection Based Keylogger

Detecting Rootkits

Integrity-Based Detection - It compares a snapshot of the file system, boot records, or memory with a known trusted baseline Signature-Based Detection -This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints Heuristic/Behavior - Based Detection - Any deviations in the system's normal activity or behavior may indicate the presence of a rootkit Runtime Execution Path Profiling -This technique compares runtime execution paths of all system processes and executable files before and after the rootkit infection Cross View-Based Detection -Enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the common APIs. Any discrepancies between these two data sets indicate the presence of a rootkit Alternative Trusted Medium -The infected system is shut down and then booted from an alternative trusted media such as a bootable CD-ROM or USB flash drive to find the traces of the rootkit Analyzing Memory Dumps -The volatile memory (RAM) of the suspected system is dumped and analyzed to detect the rootkit in the system

Steps for Detecting Rootkits

Step 1 Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results Step 2 Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive and save the results Step 3 Run a latest version of WinMerge on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from the outside)

Windows Buffer Overflow Exploitation

Steps involved in exploiting Windows based buffer overflow vulnerability: 1. Perform spiking 2. Perform fuzzing 3. Identify the offset 4. Overwrite the EIP register 5. Identify bad characters 6. Identify the right module 7. Generate shellcode Gain root access Perform Spiking -Spiking allows attackers to send crafted TCP or UDP packets to the vulnerable server in order to make it crash -Spiking helps attackers to identify buffer overflow vulnerabilities in the target applications Perform Fuzzing -Attackers use fuzzing to send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register -Fuzzing helps in identifying the number of bytes required to crash the target server -This information helps in determining the exact location of the EIP register, which further helps in injecting malicious shellcode Identify the Offset -Attackers use the Metasploit framework pattern_create and pattern_offset ruby tools to identify the offset and exact location where the EIP register is being overwritten Overwrite the EIP Register -Overwriting the EIP register allows attackers to identify whether the EIP register can be controlled and can be overwritten with malicious shellcode Identify Bad Characters -Before injecting the shellcode into the EIP register, attackers identify bad characters that may cause issues in the shellcode -You can obtain the badchars through a Google search. Characters such as no byte, i.e., "\x00", are badchars Identify the Right Module -In this step, attackers identify the right module of the vulnerable server that lacks memory protection -In Immunity Debugger, you can use scripts such as mona.py to identify modules that lack memory protection Generate Shellcode and Gain Shell Access -Attackers use the msfvenom command to generate the shellcode and inject it into the EIP register to gain shell access to the target vulnerable server

NTFS Stream Detectors

Stream Armor -Stream Armor discovers hidden Alternate Data Streams (ADS) and cleans them completely from the syste

Covering Tracks on a Network

Using Reverse HTTP Shells -The attacker installs a reverse HTTP shell on the victim's machine, which is programmed in such a way that it would ask for commands from an external master who controls the reverse HTTP shell -The victim here will act as a web client who is executing HTTP GET commands, whereas the attacker behaves like a web server and responds to the requests -This type of traffic is considered as normal traffic by an organization's network perimeter security controls like DMZ, firewall, etc. Using Reverse ICMP Tunnels -The attacker uses an ICMP tunneling technique to use ICMP echo and ICMP reply packets as a carrier of the TCP payload, to access or control a system stealthily -The victim's system is triggered to encapsulate the TCP payload in an ICMP echo packet that is forwarded to the proxy server -Organizations have security mechanisms that only check incoming ICMP packets but not outgoing ICMP packets, therefore attackers can easily bypass the firewall Using DNS Tunneling -Attackers can use DNS tunneling to encode malicious content or data of other programs within DNS queries and replies -DNS tunneling creates a back channel to access a remote server and applications -Attackers can make use of this back channel to exfiltrate stolen, confidential, or sensitive information from the server Using TCP Parameters -TCP parameters can be used by the attacker to distribute the payload and to create covert channels -TCP fields where data can be hidden are as follows: IP Identification field TCP acknowledgement number TCP initial sequence number

Rootkits

-Rootkits are programs that hide their presence as well as attacker's malicious activities, granting them full access to the server or host at that time, and in the future -Rootkits replace certain operating system calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system causing malicious functions to be executed -A typical rootkit comprises of backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc. The attacker places a rootkit by: -Scanning for vulnerable computers and servers on the web -Wrapping it in a special package like a game Installing it on public computers or corporate computers through social engineering -Launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.) Objectives of a rootkit: -To root the host system and gain remote backdoor access To mask attacker tracks and presence of malicious applications or processes -To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access -To store other malicious programs on the system and act as a server resource for bot updates

Other Privilege Escalation Techniques (Cont'd)

Abusing Sudo Rights -Sudo is a UNIX and Linux based system utility that permits users to run commands as a superuser or root using the security privileges of another user -Attackers can overwrite the sudo configuration file, /etc/sudoers with their own malicious file to escalate privileges Abusing SUID and SGID Permissions -SUID and SGID are access permissions given to a program file in Unix based systems -Attackers can use executable commands with SUID and SGID bits enabled to escalate privileges Kernel Exploits -Kernel exploits are referred to as the programs the can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges -Attackers can attain superuser access or root-level access to the target system by exploiting kernel vulnerabilities

Classification of Steganography

Based on its technique, steganography can be classified into two areas: technical and linguistic. -In technical steganography, a message is hidden using scientific methods -In linguistic steganography, it is hidden in a carrier, which is the medium used to communicate or transfer messages or files. This medium comprises of the hidden message, carrier, and steganography key.

Privilege Escalation Tools

BeRoot -BeRoot is a post-exploitation tool to check common misconfigurations to find a way to escalate privileges linpostexp -linpostexp tool obtains detailed information on the kernel, which can be used to escalate privileges on the target system

Spyware Tools

Desktop and Child Monitoring Spyware ACTIVTrak https://activtrak.com USB Spyware USB Analyzer https://www.eltima.com Audio Spyware Spy Voice Recorder http://www.mysuperspy.com Veriato Cerebral https://www.veriato.com USB Monitor https://www.hhdsoftware.com Spy Audio Listening Device https://www.securityplanet.co NetVizor https://www.netvizor.net USBDeview https://www.nirsoft.net Spy USB Voice Recorder https://www.securityplanet.co SoftActivity Monitor https://www.softactivity.com Advanced USB Port Monitor https://www.aggsoft.com Voice Activated Flash Drive Voice Recorder https://www.spytec.com SoftActivity TS Monitor https://www.softactivity.com USB Monitor Pro http://www.usb-monitor.com Audio Spyware Snooper https://www.snooper.s Video Spyware Movavi Video Editor https://www.movavi.com Free2X Webcam Recorder http://www.free2x.com iSpy https://www.ispyconnect.com Telephone/Cellphone Spyware GPS Spyware Phone Spy https://www.phonespysoftware.com Spyera https://spyera.com XNSPY https://xnspy.com mSpy https://www.mspy.com iKeyMonitor https://ikeymonitor.com MOBILE SPY http://www.mobile-spy.com NET Video Spy https://www.sarbash.com Eyeline Video Surveillance Software https://www.nchsoftware.com OneSpy https://onespy.com MobiStealth https://www.mobistealth.com TheTruthSpy https://thetruthspy.com FlexiSPY https://www.flexispy.com

How to Defend against LLMNR/NBT-NS Poisoning

Disabling LMBNR -Open the Local Group Policy Editor and navigate to Local Computer Policy-> Computer Configuration->Administrative Templates-> Network->DNS Client -In the DNS client, double-click on Turn off multicast name resolution -Select the Enabled radio button and then click OK Disabling NBT-NS -Open the Control Panel and navigate to Network and Internet-> Network and Sharing Center and click on Change adapter settings option present on the right side -Right-click on the network adapter and click Properties, select TCP/IPv4 and then click Properties -Under the General tab, go to Advanced->WINS -From the NetBIOS options, check "Disable NetBIOS over TCP/IP" radio button and click OK

Image Steganography Tools

Open Stego -Data Hiding: It can hide any data within a cover file (e.g., images) -Watermarking: Watermarking files (e.g., images) with an invisible signature. It can be used to detect unauthorized file copying

Remote Code Execution Techniques

Exploitation for Client Execution -Unsecure coding practices in software can make it vulnerable to various attacks -Attackers can take advantage of the vulnerabilities in software through focused and targeted exploitations with an objective of arbitrary code execution to maintain access to the target remote system Scheduled Task -Attackers can execute malicious programs at the startup of the system or schedule it for a specific date and time for maintaining access to the target system -Utilities such as at and schtasks, can be used along with the Windows Task Scheduler to execute specific programs at a scheduled date and time Service Execution -System services are programs that run and operate at the backend of an operating system -Attackers run binary files or commands that can communicate with the Windows system services such as Service Control Manager to maintain access to the remote system Windows Management Instrumentation (WMI) -WMI is a feature in Windows administration that provides a platform for accessing Windows system resources locally and remotely -Attackers can exploit WMI features to interact with the remote target system and use it to perform information gathering on system resources and further execute code for maintaining access to the target system Windows Remote Management (WinRM) -WinRM is a Windows-based protocol designed to allow a user to run an executable file, modify system services, and the registry on a remote system -Attackers can use the winrm command to interact with WinRM and execute a payload on the remote system as a part of the lateral movement

Anti-Rootkits

GMER -GMER is an application that detects and removes rootkits by scanning processes, threads, modules, services, files, etc.

System Hacking Goals

Gaining Access: To bypass access controls to gain access to the system -> Password cracking, vulnerability exploitation, social engineering Escalating Privileges: To acquire the rights of another user or an admin -> Exploiting known system vulnerabilities Executing Applications: To create and maintain remote access to the system -> Trojans, spywares, backdoors, keyloggers Hiding Files: To hide attackers' malicious activities, and to steal data -> Rootkits, steganography Covering Tracks: To hide the evidence of compromise -> Clearing logs

Types of Rootkits

Hypervisor Level Rootkit -Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine Boot Loader Level Rootkit -Replaces the original boot loader with the one controlled by a remote attacker Hardware/Firmware Rootkit -Hides in hardware devices or platform firmware that are not inspected for code integrity Kernel Level Rootkit -Adds malicious code or replaces the original OS kernel and device driver codes Application Level/User Mode Rootkit -Replaces regular application binaries with a fake Trojan or modifies the behavior of existing applications by injecting malicious code Library Level Rootkits -Replaces the original system calls with fake ones to hide information about the attacker

Types of Steganography based on Cover Medium

Image Steganography Document Steganography Folder Steganography Video Steganography Audio Steganography White Space Steganography Web Steganography Spam/Email Steganography DVD-ROM Steganography Natural Text Steganography Hidden OS Steganography C++ Source-Code Steganography

Tools for Detecting Spectre and Meltdown Vulnerabilities

InSpectre -InSpectre examines and discloses any Windows system's hardware and software vulnerability to Meltdown and Spectre attacks Spectre & Meltdown Checker -Spectre & Meltdown Checker is a shell script to tell if your system is vulnerable against the several "speculative execution" CVEs

Kerberos Authentication

Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography, which provides mutual authentication. Both the server and the user verify each other's identity. Messages sent through this protocol are protected against replay attacks and eavesdropping.

Password-Cracking Tools: L0phtCrack and ophcrack

L0phtCrack -L0phtCrack is a tool designed to audit passwords and recover applications ophcrack -ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms RainbowCrack -RainbowCrack cracks hashes with rainbow tables. It uses a time-memory tradeoff algorithm to crack hashes -John the Ripper https://www.openwall.com -hashcat https://hashcat.net -THC-Hydra https://github.com -Medusa http://foofus.net

Popular Rootkits

LoJax -LoJax is a type of UEFI rootkit that injects malware into the system and is automatically executed whenever the system starts up -It exploits UEFI that acts as an interface between the OS and the firmware Scranos -GrayFish is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism, hidden storage, and malicious command execution while remaining invisible -It injects its malicious code into the boot record which handles the launching of Windows at each step Horse Pill -Horse Pill is a Linux kernel rootkit that resides inside the "initrd," which it uses to infect the system and deceives the system owner with the use of container primitives -It has three important parts; klibc-horsepill.patch, horsepill_setopt, and horsepill_infect Necurs -Necurs contains backdoor functionality allowing remote access and control of the infected computer -It monitors and filters network activity and has been observed to send spam and install rogue security software

NTLM Authentication Proces

NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2, all of which use the same technique for authentication. The only difference between them is the level of encryption. In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft-negotiated Security Support Provider (SSP).

Types of Password Attacks

Non-Electronic Attacks Active Online Attacks Passive Online Attacks Offline Attacks

Buffer Overflow Detection Tools

OllyDbg -OllyDbg dynamically traces stack frames and program execution, and it logs arguments of known functions Veracode https://www.veracode.com Flawfinder https://dwheeler.com Kiuwan https://www.kiuwan.com Splint https://github.com BOVSTT https://github.com

Keyloggers for Mac

Refog Mac Keylogger -Refog Mac Keylogger provides undetected surveillance and records all the keystrokes on the computer -Spyrix Keylogger For Mac OS http://www.spyrix.com -Elite Keylogger for Mac https://www.elite-keylogger.net -Aobo Mac OS X Keylogger https://www.easemon.com -KidLogger for MAC http://kidlogger.net -Perfect Keylogger for Mac https://www.blazingtools.com

Tools for Executing Applications

Remote Exec -RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network -Pupy https://github.com -PDQ Deploy https://www.pdq.com -Dameware Remote Support https://www.dameware.com -ManageEngine Desktop Central https://www.manageengine.com -PsExec https://docs.microsoft.com

Steganalysis

Reverse Process of Steganography -Steganalysis is the art of discovering and rendering covert messages using steganography -It detects hidden messages embedded in images, text, audio, and video carrier mediums Challenges of Steganalysis -Suspect information stream may or may not have encoded hidden data -Efficient and accurate detection of hidden content within digital images is difficult -The message could be encrypted before being inserted into a file or signal -Some of the suspect signals or files may have irrelevant data or noise encoded into them

Anti-Spyware

SUPERAnti Spyware -SUPERAntiSpyware is a software application that can detect and remove spyware, adware, Trojan horses, and other potentially harmful software applications

Microsoft Authentication

Security Accounts Manager (SAM) Database -Windows stores user passwords in SAM, or in the Active Directory database in domains. Passwords are never stored in clear text and are hashed, and the results are stored in the SAM NTLM Authentication -The NTLM authentication protocol types are as follows: NTLM authentication protocol and LM authentication protocol -These protocols store the user's password in the SAM database using different hashing methods Kerberos Authentication -Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger authentication for client/server applications than NTLM

Keyloggers for Windows

Spyrix Keylogger Free -Spyrix Keylogger Free is used for remote monitoring on your PC that includes recording of keystrokes, passwords, and screenshots -REFOG Personal Monitor https://www.refog.com -All In One Keylogger http://www.relytec.com -Elite Keylogger https://www.elitekeyloggers.com -StaffCop Standard https://www.staffcop.com -Spytector https://www.spytector.com

Spyware Tools: Spytech SpyAgent and Power Spy

Spytech SpyAgent -Spytech SpyAgent allows you to monitor everything users do on your computer Power Spy -Power Spy secretly monitors and records all activities on your computer

Steganography Tools for Mobile Phones

Steganography Master Stegais

Steganalysis Methods/Attacks on Steganography

Stego-only -Only the stego object is available for analysis Known-stego -The attacker has access to the stego algorithm and both the cover medium and the stego-object Known-message -The attacker has access to the hidden message and the stego object Known-cover -The attacker compares the stego-object and the cover medium to identify the hidden message Chosen-message -This attack generates stego objects from a known message using specific steganography tools in order to identify the steganography algorithms Chosen-stego -The attacker has access to the stego-object and stego algorithm Chi-square -The attacker performs probability analysis to test whether the stego object and original data are the same or not Distinguishing Statistical -The attacker analyzes the embedded algorithm used to detect distinguishing statistical changes along with the length of the embedded data Blind Classifier -A blind detector is fed with the original or unmodified data to learn the resemblance of original data from multiple perspectives

Detecting Steganography (Text, Image, Audio, and Video Files)

Text File -For text files, the alterations are made to the character positions to hide the data -The alterations are detected by looking for text patterns or disturbances, language used, and an unusual amount of blank spaces Image File -The hidden data in an image can be detected by determining changes in size, file format, the last modified timestamp, and the color palette pointing to the existence of the hidden data -The statistical analysis method is used for image scanning Audio File -The statistical analysis method can be used for detecting audio steganography as it involves LSB modifications -The inaudible frequencies can be scanned for hidden information -Any odd distortions and patterns show the existence of the secret data Video File -Detection of the secret data in video files includes a combination of methods used in image and audio file

Privilege Escalation by Exploiting Misconfigured Services

Unquoted Service Paths -In Windows operating systems, when starting a service, the system attempts to find the location of the executable file to launch the service -The executable path is enclosed in quotation marks "", so that the system can easily locate the application binary -Attackers exploit services with unquoted paths running under SYSTEM privileges to elevate their privileges Service Object Permissions -Misconfigured service permissions may allow an attacker to modify or reconfigure the attributes associated with that service -By exploiting such services, attackers can even add new users to the local administrator group and then hijack the new account to elevate their privileges Unattended Installs -Unattended install details such as configuration settings used during the installation process are stored in Unattend.xml file -Unattend.xml file is stored in one of the following locations: C:\Windows\Panther\ C:\Windows\Panther\Unattend\ C:\Windows\System32\ C:\Windows\System32\sysprep\ -Attackers exploit information stored in Unattend.xml to escalate privilege

Vulnerability Exploitation

Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a remote system. The steps involved are as follows: 1. Identify the vulnerability 2. Determine the risk associated with the vulnerability 3. Determine the capability of the vulnerability 4. Develop the exploit 5. Select the method for delivering - local or remote 6. Generate and deliver the payload 7. Gain remote access

Covering Tracks on an OS

Windows -NTFS has a feature known as Alternate Data Streams that allows attackers to hide a file behind normal files -Given below are some steps to hide a file using NTFS: -Open the command prompt with an elevated privilege -Type the command "type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt" (here, the file is kept in C drive where the SecretFile.txt file is hidden inside LegitFile.txt file) -To view the hidden file, type "more < C:\SecretFile.txt" (for this you need to know the hidden file name) UNIX -Files in UNIX can be hidden just by appending a dot (.) in front of a file name -Attackers can use this feature to edit the log files to cover their tracks -Attackers can use the "export HISTSIZE=0" command to delete the command history and the specific command they used to hide log files

How Hash Passwords Are Stored in Windows SAM?

Windows OSs use a Security Account Manager (SAM) database file to store user passwords. The SAM file is stored at %SystemRoot%/system32/config/SAM in Windows systems, and Windows mounts it in the registry under the HKLM/SAM registry hive. It stores LM or NTLM hashed passwords.