Pluralsight is not an official partner or accredited training center of EC-Council.
You've done your homework; now it's time to totally and completely "pwn" your target, and yet make no one the wiser that you've made it in.
This is what it all comes down to. After we've done our research, found our target, and identified its services, shares, users and resources, it's time to take total and complete control of this box. We then use this box to repeat our efforts and pwn more boxes within the network, as well as grab any intellectual property that could be of great worth. This course is part of the Ethical Hacking Series. http://blog.pluralsight.com/learning-path-ethical-hacking
Dale Meredith received his Certified Ethical Hacker and Certified EC-Council Instructor certifications back in 2006, and has been a Microsoft Certified Trainer since 1998 (yes, we had computers back then). Dale takes great pride in helping students comprehend and simplify complex IT concepts.
More Cracking
Okay, so I told you that this subject is too big for one module. So in this module we're going to continue to learn about how we gain access by doing some more cracking. In this module we'll continue to release the cracking. Should I give up on the joke? Is it done? We'll go through and take a look at NTLM authentication. This authentication mechanism, believe it or not, is still used today. And a lot of you may be saying, no deal, we don't use NTLM authentication, we're using Kerberos. Guess what, there are some specific situations where Kerberos can't be used and the default is to fall back to NTLM. So we need to make sure we understand how NTLM authentication works as well as how Kerberos authentication works. Understanding these two authentication mechanisms helps us to understand when passwords are utilized and when they're not, or at least when they're transmitted. Then we'll go through and take a look at salting. No, I didn't say assaulting, as in an attack. Salting is where we take those hashes that we talked about in the previous module and we add some characters to them, so that the hash values aren't the same for the same passwords. Then we'll go through and take a look at rainbow tables and other options. I know, you all want me to break out in a Judy Garland rendition of Somewhere Over the Rainbow; it's not happening. No, rainbow tables speed up the cracking time, and there are also some other tables: there are reverse lookup tables, and there are also just standard tables that we can use to compare the hash against to see if we can figure out what the password is. Now, if you did not watch the previous module, you have to go back and watch it so you understand this continuation of cracking passwords. So let's get cracking.
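As an added illustration of the salting and lookup-table discussion above (this is example code written for this edit, not part of the course or its labs), the following Python builds a small constructed user database, cracks the unsalted hashes with a precomputed hash-to-plaintext table, then shows that per-user random salts make identical passwords hash differently and force the attacker to re-hash the whole wordlist for every single account. The choice of SHA-256 for the unsalted store, PBKDF2-HMAC-SHA256 with a 50,000-iteration work factor for the salted store, and the sample users and wordlist are all assumptions for illustration; the course names none of them.

```python
import hashlib
import hmac
import os

# Constructed sample user database for this example: alice and bob share a password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "correct horse battery"}

# Constructed attacker wordlist: alice/bob's password is in it, carol's passphrase is not.
WORDLIST = ["password", "123456", "Summer2024!", "letmein", "Winter2023"]

ITERATIONS = 50_000  # assumed work factor for the salted scheme


def unsalted_hash(password: str) -> str:
    """Plain one-way hash with no salt: equal passwords always give equal hashes,
    so one precomputed table serves against every unsalted store ever captured."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The salt is not secret; its job
    is to make every stored hash unique and to defeat precomputation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def make_unsalted_store(users: dict) -> dict:
    """user -> hex hash, as a weak password database would store it."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def make_salted_store(users: dict, salt_len: int = 16) -> dict:
    """user -> (salt, hex hash), with a fresh random salt per user."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> plaintext once (a plain lookup table; a rainbow table is a
    space-optimised variant of the same idea). Reusable against any unsalted store."""
    return {unsalted_hash(word): word for word in wordlist}


def crack_unsalted(store: dict, table: dict) -> dict:
    """One dictionary lookup per user; no hashing happens at crack time."""
    return {user: table[h] for user, h in store.items() if h in table}


def crack_salted(store: dict, wordlist) -> tuple:
    """The salt sits next to the hash, so guessing is still possible, but every
    candidate must be re-hashed with each user's own salt, and the table built
    above is useless. Returns (found, number_of_hash_computations)."""
    found, work = {}, 0
    for user, (salt, stored) in store.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt), stored):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted = make_unsalted_store(USERS)
    print("alice and bob hash identical (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("cracked via table lookup:", crack_unsalted(unsalted, build_lookup_table(WORDLIST)))

    salted = make_salted_store(USERS)
    print("alice and bob hash identical (salted):", salted["alice"][1] == salted["bob"][1])
    found, work = crack_salted(salted, WORDLIST)
    print(f"cracked by re-hashing the wordlist per user: {found} ({work} PBKDF2 calls)")
```

Run it and note that the salted store still falls to a wordlist guess for the weak shared password; salting buys uniqueness and per-account cost, not immunity. Password strength and the iteration count decide how much each of those extra computations costs the attacker.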
Phase 3: Maintaining Access – Executing Applications
Okay, so we've made it this far. We've gone through, we've cracked a password, figured out our user account, got into the system, elevated our privileges, so we're done? Well, we may have pwned the machine so far, but a total pwn is when we can maintain access via executing applications. And that's what we're going to focus on in this particular module. Now, when we talk about executing applications, it reminds me of, yep, here it comes, my trickiness. It reminds me of something the famous Starfleet captain once said, actually he said it many times: make it so, number one. Meaning execute. And that's what we want to do here. And in fact I typically laugh at this stage, because technically we're talking about: bing, you've got pwned. So what we're going to do here is look at our goals, what it is we need to accomplish at this executing-applications phase. And part of that is the applications themselves. We're also going to go through and take a look at spyware, and cue the Mission: Impossible theme song. (singing) No, it's not what you think it is, and I'm sure that you probably have a preconception of what spyware is, but we're going to really dig into this one a bit, because actually there's good spyware and then there's evil spyware. We'll also go through and take a look at backdoors. I like the ones that lead me out onto a beach and a nice sunset. Backdoors are actually code placed inside of a legitimate program that allows an attacker to get in through, hey, the back door. We'll also go through and take a look at, and this should scare you a bit, key loggers. No, they're not just software-based anymore; actually they've been hardware for quite some time. And of course with today's technology, they've gotten even more advanced. So let's go see if you've got pwned.
Phase 4: Maintaining Access – Hiding Your Tools
Okay, so we're continuing on down the phases. Now we're at phase four of maintaining access, and that is hiding your tools. And I know what you're thinking. There's no way he can come up with a joke for this one, right? So when I'm talking about hiding your tools, I'm not talking about putting your in-laws in the back room. Thank you, thank you. See, I told you I could pull one out. Well, what we're really getting into here, folks, is something I saw on a t-shirt, one of those sarcastic t-shirts: Shhhh… I'm hiding from stupid people! And that's what we're going to do here: we're going to hide our tools so that, maybe we should phrase it, less intelligent people, or people that are not security-minded, won't be able to find them. Again, the last thing we want to do is go through all this effort to get our machine totally pwned and then lose it because we don't hide the software that we just talked about in previous modules from the users or from an IT expert. So, in this module, we'll go through and actually take a look at making sure that we hide our tools, because, again, if they see us, we're going to be done. We're going to use a couple of different technologies. One of them you've probably heard about. It's called rootkits. Yeah, I've got one coming, but I'm going to hold off. We also have something that, how do I want to phrase this? It scared the patootie out of me when I saw this. And it's been around for a long time. Again, this is typically the course where IT guys go, wait a second. They get to that realization that there are things going on, possibly, that they can't control. Well, alternate data streams is a technology that literally scares me every single time. Alternate data streams, in my opinion, is one of the higher priorities because of how well it's done, and it's built into the OS. We'll also go through and take a look at steganography, or, as we also refer to it, stego.
This is simply a technology that allows us to hide our tools inside of a picture, as well as other types of files. So let's see if I can scare you like a little kid going through a haunted house for the first time.
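To make the "hide our tools inside of a picture" idea concrete, here is an added example, written for this edit and not taken from the course or any tool it covers, of the simplest steganographic technique: least-significant-bit (LSB) embedding. The cover image is a constructed raw 8-bit RGB pixel buffer standing in for the decoded pixels of a real bitmap, the payload is a constructed stand-in for a tool, and the length-prefixed framing is an assumption of this example. Each pixel channel changes by at most one level, which is why a casual viewer, and a naive file-size or signature check, sees nothing.

```python
import struct

HEADER = struct.Struct(">I")  # 4-byte big-endian payload length stored first (assumed framing)


def make_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed cover image: raw 8-bit RGB pixel buffer with a smooth gradient.
    Stands in for the decoded pixels of a real bitmap."""
    return bytes((x * 3 + y * 2 + c * 40) & 0xFF
                 for y in range(height) for x in range(width) for c in range(3))


def capacity(pixels: bytes) -> int:
    """Bytes of payload this buffer can carry at one bit per channel sample."""
    return len(pixels) // 8 - HEADER.size


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Write len(payload), then payload, into the least significant bit of
    consecutive channel bytes. Every channel value changes by at most 1."""
    data = HEADER.pack(len(payload)) + payload
    if len(data) > len(pixels) // 8:
        raise ValueError("payload too large for cover")
    out = bytearray(pixels)
    i = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return out


def _read_bytes(pixels: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at channel index `offset`."""
    result = bytearray()
    for b in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + bit] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb: read the length header, then that many payload bytes.
    A buffer with no embedded header yields a nonsense length and is rejected."""
    (length,) = HEADER.unpack(_read_bytes(pixels, 0, HEADER.size))
    if length > capacity(pixels):
        raise ValueError("no valid LSB payload header")
    return _read_bytes(pixels, HEADER.size * 8, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between cover and stego image (expect 1)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover()
    tool = b"#!/bin/sh\necho 'constructed payload standing in for a hidden tool'\n"
    stego = embed_lsb(cover, tool)
    print("capacity (bytes):", capacity(cover))
    print("max channel change:", max_channel_delta(cover, stego))
    print("recovered intact:", extract_lsb(stego) == tool)
```

The defensive takeaway is the flip side of the same code: the stego image is byte-for-byte the same size as the cover and differs only in the low bit of each channel, so detection has to rely on statistical analysis of those low bits or on the recompression that lossy formats apply, not on size or hash comparison alone.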
Phase 5: Covering Your Tracks – Clearing Logs and Evidence
Okay, so we've gotten in. We've totally pwned this machine. The next phase is covering your tracks, or CYT. Yeah, you thought I was going to go with a different letter, didn't you? So, in this module, we're just going to quickly go through and talk about how we clear logs and any evidence of the fact that we've been inside of a system. Now a lot of people say, Dale, what is the goal here? Well, in the words of a famous philosopher, Obi-Wan Kenobi, "These are not the droids you're looking for." That's what we want to do. We want to make it look like nobody's been in this box because, again, we've invested a lot of time. I don't know if you remember, but back in Understanding Ethical Hacking, we talked about one of the phases after an attacker pwns a machine: he actually hardens it up so that other attackers can't get in. Well, as part of that hardening process, he's also going to go and make sure that nobody knows that he's been inside. Well, how do we do that? That depends on whether you're a good attacker or a great attacker. So in this module, we'll go through and take a look at why we clear out our tracks, and then we'll look at the basic methods of clearing out our tracks, as well as maybe a more advanced mechanism. So just like in the movies, when the bandit is being tracked by the sheriff and the posse, let's break out a shrub and try to scratch and cover our tracks out of the dust.