Ethical Hacking

1
Ethical Hacking

• Phase V
• Covering tracks

2
Module Objective

• Understand the following
• Covering tracks
• Hiding files

3
Covering Tracks

• Once intruders have successfully gained
  Administrator access on a system, they will try
  to cover the detection of their presence.
• When all the information of interest has been
  stripped from the target, they will install
  several back doors so that easy access can be
  obtained in the future.

4
Disabling Auditing

• First thing intruders will do after gaining
  Administrator privileges is to disable auditing.
• NT Resource Kit's auditpol.exe tool can disable
  auditing using command line.
• At the end of their stay, the intruders will just
  turn on auditing again using auditpol.exe

5
Hiding Files

• There are two ways of hiding files in NT/2000.
• 1. Attrib
• use attrib h file/directory
• 2. NTFS Alternate Data Streaming
• NTFS files system used by Windows NT, 2000 and XP
  has a feature Alternate Data Streams - allow data
  to be stored in hidden files that are linked to a
  normal visible file.
• Streams are not limited in size and there can be
  more than one stream linked to a normal file.
• Lab 7 ADS streams.

6
Creating Alternate Data Streams

• Start by going to the command line and typing
  notepad test.txt
• Put some data in the file, save the file, and
  close Notepad.
• From the command line, type dir test.txt and note
  the file size.
• Next, go to the command line and type notepad
  test.txthidden.txt Type some text into Notepad,
  save the file, and close.

• Check the file size again and notice that it
  hasnt changed!
• If you open test.txt, you see your original data
  and nothing else.
• If you use the type command on the filename from
  the command line, you still get the original
  data.
• If you go to the command line and type type
  test.txthidden.txt you get an error.

7
Tools ADS creation and detection

• makestrm.exe moves the physical contents of a
  file to its stream.

• ads_cat from Packet Storm is a utility for
  writing to NTFS's Alternate File Streams and
  includes ads_extract, ads_cp, and ads_rm,
  utilities to read, copy, and remove data from
  NTFS alternate file streams.
• Mark Russinovich at www.sysinternals.com has
  released freeware utility Streams which displays
  NTFS files that have alternate streams content.
• Heysoft has released LADS (List Alternate Data
  Streams), which scans the entire drive or a given
  directory. It lists the names and size of all
  alternate data streams it finds.

8
NTFS Streams countermeasures

• Deleting a stream file involves copying the
  'front' file to a FAT partition, then copying
  back to NTFS.
• Streams are lost when the file is moved to FAT
  Partition.
• LNS.exe from (http//nt security.nu/cgi-bin/downlo
  ad/lns.exe.pl) can detect streams.

9
Summary

• Hackers use a variety of means to penetrate
  systems.
• Password guessing / cracking is one of the first
  steps.
• Password sniffing is a preferred eavesdropping
  tactic.
• Vulnerability scanning aids hacker to identify
  which password cracking technique to use.
• Key stroke logging /other spy ware tools are used
  as they gain entry to systems to keep up the
  attacks.
• Invariably evidence of having been there and
  done the damage is eliminated by attackers.
• Stealing files as well as Hiding files are means
  used to sneak out sensitive information.