Ceh v8 labs module 05 system hacking

CEH Lab M anual

S y s te m

H a c k in g
M

o d u le

0 5

M odule 05 - System H acking

S y s t e m H a c k in g
S y ste m h a c k in g is th e science o f testin g com p uters a n d n e tw o rk f o r v u ln era b ilities a n d
p lu g -in s.

La b S cen ario
{ I Valuable
—

intormntion____
Test your
knowledge_____
a* Web exercise
£Q! Workbook review

Password hacking 1s one of the easiest and most common ways hackers obtain
unauthorized computer 01‫ ־‬network access. Although strong passwords that are
difficult to crack (or guess) are easy to create and maintain, users often neglect tins.
Therefore, passwords are one of the weakest links 111 die uiformation-secunty chain.
Passwords rely 011 secrecy. After a password is compromised, its original owner isn’t
the only person who can access the system with it. Hackers have many ways to
obtain passwords. Hackers can obtain passwords from local computers by using
password-cracking software. To obtain passwords from across a network, hackers
can use remote cracking utilities 01‫ ־‬network analyzers. Tins chapter demonstrates
just how easily hackers can gather password information from your network and
descnbes password vulnerabilities diat exit 111 computer networks and
countermeasures to help prevent these vulnerabilities from being exploited 011 your
systems.

La b O b jectives
The objective of tins lab is to help students learn to m o n ito r a system rem o tely
and to extract hidden tiles and other tasks that include:
■ Extracting administrative passwords
■ HicUng files and extracting hidden files
■ Recovering passwords
■ Monitoring a system remotely
[‫ “׳‬Tools
dem onstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

La b Environm ent
To earn‫־‬out die lab you need:
■ A computer mnning Windows Server 2012
■ A web browser with an Internet connection
■ Administrative pnvileges to run tools

La b Duration
Tune: 100 Minutes

C E H Lab Manual Page

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.


O verview of System H acking
The goal of system hacking is to gain access, escalate privileges, execute applications,
and hide files.

^ task 1
Overview

La b T a s k s
Recommended labs to assist you 111 system hacking:
■ Extracting Administrator Passwords Using LCP
■ Hiding Files Using NTFS

S tream s

■ Find Hidden Files Using ADS

Spy

■

Hiding Files Using the S te a lth

■

Extracting SAM Hashes Using PW dump7 Tool

Files Tool

■ Creating die Rainbow Tables Using W inrtge
■ Password Cracking Using R ain bo w C rack
■
■

Extracting Administrator Passwords Using LOphtCrack
Password Cracking Using O p h crack

■ System Monitoring Using R em o teE xec
■ Hiding Data Using Snow Steganography
■ Viewing, Enabling and Clearing the Audit Policies Using Auditpol
■

Password Recovery Using CHNTPW .ISO

■ User System Monitoring and Surveillance Needs Using S pytech
■
■

Spy Agent

Web Activity Monitoring and Recording using P ow er Spy 2 0 1 3
Image Steganography Using Q uickStego

La b A n a ly sis
Analyze and document the results related to the lab exercise. Give your opinion on
the target’s security posture and exposure.

P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S
R E L A T E D TO T H I S L AB .

C E H Lab Manual Page 309



E x t r a c t in g A d m in is tr a to r
P a s s w o r d s U s in g L C P
L i n k C o n tro l P ro to co l (L C P ) is p a r t o f th e P o in t-to -P o in t (P P P ) p ro to c o l I n P P P
co m m un ication s, b o th th e sen d in g a n d receiving devices se n d o u t L C P p a c k e ts to
d eterm in e specific in fo rm a tio n re q u ire d fo r d a ta tra n sm issio n .

La b S cen ario
l£^7 Valuable
information
S

Test your
knowledge_____

*a Web exercise
£Q Workbook review

Hackers can break weak password storage mechanisms by using cracking
methods that outline 111 this chapter. Many vendors and developers believe that
passwords are safe from hackers if they don’t publish the source code for their
encryption algorithms. After the code is cracked, it is soon distributed across the
Internet and becomes public knowledge. Password-cracking utilities take
advantage of weak password encryption. These utilities do the grunt work and
can crack any password, given enough time and computing power. 111 order to
be an expert ethical hacker and penetration tester, you must understand how to
crack administrator passwords.

La b O b jectives
The objective of tins lab is to help students learn how to crack administrator
passwords for ethical purposes.
111

this lab you will learn how to:
■ Use an LCP tool
■ Crack administrator passwords

^^Tools
dem onstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

La b Environm ent
To carry out the lab you need:


‫י‬

LCP located at

D:CEH-ToolsCEHv8 M odule 05 System
H ackingP assw ord C racking ToolsLCP

■ You can also download the latest version of LCP from the link
http: /www.lcpsoft.com/engl1sh/index.11 tm


■ If you decide to download the la te s t
111 the kb might differ

version,

then screenshots shown

■ Follow the wizard driven installation instnictions
■ Run this tool 111 W indow s

S erver 2 0 1 2

■ Administrative privileges to run tools
■

TCP/IP

settings correctly configured and an accessible DNS server

La b Duration
Time: 10 Minutes

O verview of L C P
LCP program mainly audits user account passwords and recovers diem 111
Windows 2008 and 2003. General features of dns protocol are password recovery,
brute force session distribution, account information importing, and hashing. It can
be used to test password security, or to recover lost passwords. The program can
import from die local (or remote) computer, or by loading a SAM, LC, LCS,
PwDump or Sniff file. LCP supports dictionary attack, bmte force attack, as well as a
hybrid of dictionary and bmte force attacks.

La b T a s k s
9

TASK

1

1. Launch the S ta rt menu by hovering the mouse cursor 011 the lower-left
corner of the desktop.

Cracking
Adm inistrator
Password

S | W in d o w s Se rver 2012

FIGURE 1 : W
.1 indow S
s erver 2012—
Desktopview

2. Click the LCP app to launch LCP.

m You can also
download LCP from
http:/ / www.lcpsoft.com
.




A d m in is tr a to r

Start

Server
Manager

Windows
PowerShell

Computer

Control
Panel

T

y

Google
Chrome

Hyper-V
Manager

LCP

tet

*9

m

Hyper-V
Virtual
Machine...

SQL Server
Installation
Center...

Mozilla
Firefox

Global
Network
Inventory

?
Command
Prompt

£

©
a

I I

Nmap
Zenmap
GUI

Inwc* n$ *
ie»T

Workspace
Studio

Ku

O

Dnktop

3

FIGURE 1 W
.2: indow S
s erver 2012— pps
A

3. The LCP main window appears.
£ 7 LCP supports
additional encryption of
accounts by SYSKEY at
import from registry and
export from SAM file.

LCP
File

View

Import

Session

a c #
1 Dictionary attack
‫־‬

r

► ■
6
Hybrid attack

Dictionary word:
User Name

0
LM Password

Ready for passwords recovering

TZI

Help

?‫ ״ * * ■ ו‬a
r

Brute force attack

/0
NT Password

0.0000
I <8

>14

% done
LM Hash

NT Hash

0 of 0 passwords were found (0.000%)

FIGURE 1.3: LCP m window
ain

4. From die menu bar, select Im po rt and then Im port from

rem ote

com puter.




LCP
| File

View | Import | Session

fh

A
. 1

Help

Im port From Local Computer...

9

e

Im port From Remote Computer...
Im port From SA M File...

Dictionary wc
User Name

D

Im port From .LC File...

X done
LM Hash

Im port From .LCS File...

NT Hash

Im port From PwD um p File...
Import From Sniff File...

CQ l CP is logically a
transport layer protocol
according to the OSI
model



FIGURE 1.4: Import die rem com
ote
puter

5. Select C om puter nam e or IP
from registry, and click OK.

address,

select the Im po rt

typ e

as Im po rt

Import from remote computer
File View In

Com puter
OK
Com p utet n a m e ot I P ad dress:

□

W IN - 0 3 9 M R 5 H L 9 E 4
r

D ictio n ary at!

C ancel

H e lp

D ictio n ary word:
Im port type
Use r N am e

(• ) Im port from registry
O

Im port from m em ory
I

CQlcp ch dieidentity
ecks
of thelinkedd
eviceandeidier
accep or rejectsthepeer
ts
device, thend
eterm die
ines
accep lepacket sizefor
tab
tran issio .
sm n

I E n c r y p t transferred d a ta

Connection
E x e c u t e c o n n e c tio n
S h a r e d reso u rce: h p c $
U s e r nam e:

Adm inistrator

Pa s s w o rd : I

0

H id e p a ss w o rd

Ready for passw!

FIGURE 1.5: Import from rem com
ote
puter window

6. The output window appears.




_

LCP ‫[ ־‬C:Program Files (x86)LCPpwd80013.txt]
File

View

Import

Session

r

D ic tio n a ry a tta c k

H ybrid a t t a c k

D ic tio n a ry w ord:

r

1 ‫© ״* ®״׳‬
•

B ru te fo rc e a t t a c k

1

10

r

U ser Nam e

L M P a s s w o rd

^ A d m in is t r a t o r

x

Help

a e + l ► 0 !?> ‫י יי‬
r

□

X done

0 .0 0 0 0

<
8

NO P A S SW O .

N T P a s s w o rd

>14

LM H ash

N T H ash

X

NO P A S S W O R D

B E 4 0 C 4 5 Q A B 9 9 7 1 3 D F .J

NO P A S S W O R D

NO P A S S W O R D

G uest
L A N G U A R D .. .

NO P A S SW O .

X

NO P A S S W O R D

C 2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F .J

-C

M artin

NO P A S SW O .

X

NO P A S S W O R D

5 E B E 7 D F A 0 7 4 D A 8 E E ..

S

Ju g g y b o y

NO P A S SW O .

X

NO P A S S W O R D

4 8 8 C D C D D 2 22 53 1 27 9.

S

Ja s o n

NO P A S SW O .

X

NO P A S S W O R D

2D 2 0D 2 5 2 A 4 7 9 F 4 8 5 C ..

- C S h ie la

S Main purpose of LCP
programisuser account
passw
ords auditingand
recovery in W
indows

NO P A S SW O . .

;U

X

NO P A S SW O .

X

NO P A S S W O R D

0 C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 ...

NO P A S S W O ...



FIGURE 1.6: Importing the User Nam
es

7. Now select any U ser

N am e

and click the L1L4 Play button.

8. Tins action generates passwords.
LCP - [C:Program Files (x86)LCPpwd80013.txt.lcp]
File

View

Import

Session

0 0 4
‫ ״מ‬D ic tio n a ry a t t a c k

r

8 « *
1 1 1 ^ ‫ ״׳ ־‬l M o
1

H

H ybrid a t t a c k

D ic tio n a ry w ord: Adm inistrate

1

‫"י‬

User N am e
Adm inistrator

® G u e st

LM P a s s w o rd

142857

/ |7

*done

E n din g com bin ation : A D M IN IS T R A T 0 R Z Z

N T P a s s w o rd

<8

N O P A S S W O ...
N O P A S S W O ...

e

B ru te fo rc e a t t a c k

S tartin g com bin ation : A D M I N I S T R A T O R A

£

‫ ־‬a :
r

Help

>14
x

NO P A S S W O ...

LM H ash

N T H ash

NO P A S S W O R D

! B lA N G U A R . . .

N O P A S S W O ...

NO P A S S W O R D

C 2 5 5 1 0 2 1 9 F 6 6 F 9 F 1 2 F ..

^ M a r tin

NO

P A S S W O . . . a p p le

NO P A S S W O R D

5 EBE7D FA 074D A 8EE

NO

P A S S W O . . . g re e n

NO P A S S W O R D

4 8 8 C D C D D 222 53 1 27 9..

^ 3 Ja s o n

NO

P A S S W O . . . q w e rty

NO P A S S W O R D

2 D 2 0D 2 5 2 A 4 7 9 F 4 8 5 C

® S h ie la

NO

P A S S W O . . . test

NO P A S S W O R D

O C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 ...

Ju g g y b o y

Passwords recovering interrupted

x

B E 4 0 C 4 5 Q A B 9 9 7 1 3 D F ..

NO P A S S W O R D

x

NO P A S S W O R D


I

FIGURE 1 : LCPg eratesthepassw for the s le te usern e
.7
en
ord
ecd
am

La b A n a ly sis
Document all die IP addresses and passwords extracted for respective IP addresses.
Use tins tool only for trainmg purposes.




R E L A T E D TO T H I S L A B .

T o o l/U tility

In fo rm atio n C o lle cted /O b jec tiv es A chieved
R em ote C o m p u ter N a m e :

WIN-D39MR5HL9E4

O u tp u t:
LC P

User Name
■ Martin
■ Juggyboy
■ Jason
■ Sluela

-

NT Password
apple
green
qwerty
test

Q uestio ns
1. Y11at is the main purpose of LCP?
2. How do von continue recovering passwords with LCP?
In te rn e t C o n n ectio n R eq u ired
□ Yes

0

No

P latform S upported
0 C lassroom


0 !Labs



H id in g F ile s U s in g N T F S S t r e a m s
A . stre a m co n sists o f d a ta a sso cia ted rvith a m a in fi le o r d irecto ry ( k n o ir n a s th e
m a in n n n a m e d strea m ). E a c h f i e a n d d irecto ry in N T F S can h a ve m u ltip le d a ta
stre a m s th a t a re g en era lly h id d en fr o m th e user.

La b S cen ario
/ Valuable
information
' Test your
knowledge
SB Web exercise
m Workbook review

Once the hacker has fully hacked the local system, installed their backdoors and
port redirectors, and obtained all the information available to them, they will
proceed to hack other systems on the network. Most often there are matching
service, administrator, or support accounts residing on each system that make it
easy for the attacker to compromise each system in a short amount of time. As
each new system is hacked, the attacker performs the steps outlined above to
gather additional system and password information. Attackers continue to
leverage information 011 each system until they identity passwords for accounts
that reside 011 highly prized systems including payroll, root domain controllers,
and web servers. 111 order to be an expert ethical hacker and penetration tester,
you must understand how to hide files using NTFS streams.

La b O b jectives
The objective of tins lab is to help students learn how to hide files using NTFS
streams.
& T o o ls
dem onstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

It will teach you how to:
■ Use NTFS streams
■ Hide tiles

La b Environm ent
■ A computer running W indow s

S erver 2 0 0 8

as virtual machine

■ Formatted C: drive NTFS




La b Duration
Tune: 15 Minutes

O verview of N T FS S tre a m s
m

NTFS (New
Technology File System is
)
die standard file systemof
W
indows.

NTFS supersedes die FAT file system as the preferred file system tor Microsoft
Windows operating systems. NTFS has several improvements over FAT and HPFS
(High Performance File System), such as unproved support tor m etadata and die
use of advanced data structures.

La b T a s k s
Sd.

TASK

1

NTFS Stream s

1. Run this lab 111 Windows Server 2008 virmal machine
2. Make sure the C: drive is formatted for NTFS.
3. Create a folder called m agic on the C: drive and copy c a lc .e x e from
C :w indow ssystem 32 to C:m agic.
4. Open a command prompt and go to C :m agic and type notepad
re a d m e .tx t 111 command prompt and press Enter.
5.

re a d m e .tx t 111 Notepad appears. (Click Y es button it prompted to
create a new re a d m e .tx t file.)
6. Type H ello World! and Save the tile.

£ 3 NTFS streamruns on
W
indows Server 2008

7. Note the tile s ize of the re a d m e .tx t by typing d ir 111 the command
prompt.
8. Now hide c a lc .e x e inside the re a d m e .tx t by typing the following 111 the
command prompt:
typ e c :m a g ic c a lc .e x e > c :m a g ic re a d m e .tx t 1c a lc .e x e




-lo|x|

(cT Administrator C o m m a n d Prompt
C : N n a g i c > n o t e p a d rea d n e . t x t
C:Snagic>dir
Uolune in driue C has no label.
U olume S e r i a l N u m b e r is 3 4 C 9 - D 7 8 F
D i r e c t o r y of C : nagic

EQ a streamc n is ofdata
o s ts
asso
ciatedwith am fileor
ain
directory(know a the m
ns
ain
unnam stream
ed
).

09/12/2012
09/12/2012
01/1 9 / 2 0 0 8
09/1 2 / 2 0 1 2

05:39 AM
<DIR>
05:39 AM
<D I R >
06:51 AM
1 8 8 . 4 1 6 cal c . e x e
05 : 4 0 AM
12 read n e . t x t
188 , 4 2 8 bytes
2 File<s>
2 Dir<s>
4 , 3 7 7 . 6 7 7 , 8 2 4 bytes free

C : m a g i c >type c : n a g i c c a l c . e x e

> c : n a g i c r e a d n e .txt:calc.exe

C:magic>

FIGURE 2.2: Com andprom withhidingcalc.e ecom and
m
pt
x
m

Type d ir 111 command prompt and note the tile size of re a d m e .tx t.
[ T Administrator C o m m a n d Prompt
cT
D i r e c t o r y of C: m a g i c
09/12/2012
09/12/2012
01/19/2008
09/12/2012

05:39 AM
<D I R >
05:39 AM
<D I R >
06:51 AM
18 8 , 4 1 6 cal c . e x e
12 read n e . t x t
0 5 : 4 0 AM
1 88,428 bytes
2 F ile<s>
4 , 3 7 7 , 6 7 7 , 8 2 4 bytes free
2 Dir<s>

C : n a g i c >type c : n a g i c c a l c . e x e

> c : m a g i c r e a d m e .txt:calc.exe

C : m a g i c >dir
Uolune in driue C has no label.
Uolune S e r i a l N u n b e r is 3 4 C 9 - D 7 8 F
D i r e c t o r y of C: n a g i c

t._ NTFS supersedes the
FAT file systema the
s
preferred file systemfor
Microsoft’sW
indows
operating system
s.

09/12/2012
09/1 2 / 2 0 1 2
01/19/2008
09/12/2012

05:39 A M
<
05:39 A M
<
18 8 , 4 1 6 cal c . e x e
06:51 AM
0 5 : 4 4 AM
12 read n e . t x t
1 88,428 bytes
2 F ile<s>
4 , 3 7 7 , 4 1 5 , 6 8 0 bytes free
2 Dir<s>

LJ
FIGURE 23: Com andprom with execu ghiddenc lc.execom and
m
pt
tin
a
m

10. The file size of the readme.txt should not change. Now navigate to the
directory c:m agic and d e le te c a lc .e x e .
11. Return to the command prompt and type command:
m klin k b ackd o o r.exe re a d m e .tx t:c a lc .e x e


and press E nter

All Rights Reserved. Reproduction is Strictly Prohibited.


V A d m in istra to r Com m and Prom pt
.

09/12/2012
01 / 1 9 / 2 0 0 8
09 / 1 2 / 2 0 1 2

- I□ ! X

05:39 A M
<D I R >
06:51 A M
18 8 , 4 1 6 cal c . e x e
0 5 : 4 0 AM
12 r e a d m e . t x t
2 Fil e < s >
188 , 4 2 8 bytes
2 Dir<s>
4 , 3 7 7 , 6 7 7 , 8 2 4 bytes free

C:magic>type c:magiccalc.exe

> c : m a g i c r e a d m e .txt:calc.exe

C : m a g ic>dir
Uolume in driue C has no label.
Uolume S e r i a l N u m b e r is 3 4 C 9 - D 7 8 F
D i r e c t o r y of C : magic
09 / 1 2 / 2 0 1 2
09 / 1 2 / 2 0 1 2
01 / 1 9 / 2 0 0 8
09 / 1 2 / 2 0 1 2

ffilA streamisaliiddenfile
that islinkedtoanorm
al
(visib file.
le)

05:39 A M
<D I R >
05:39 A M
<D I R >
06:51 A M
18 8 . 4 1 6 cal c . e x e
05:44 AM
12 r e a dme.txt
2 Fil e < s >
1 88,428 bytes
2 Dir<s>
4 , 3 7 7 , 4 1 5 , 6 8 0 bytes free

C : m a g i c > m klink b a c k d o o r . e x e r e a d m e . t x t: c a l c . e x e
sym b o l i c link c r e a t e d t o r b a c k d o o r . e x e
=== >•> readme .txt :calc ■exe
C:magic>

FIGURE 2.4: Com andprom linkingdie executedhiddenc lc x
m
pt
a .e e

12. Type backdoor, press E nter, and the the calculator program will be
e xecu ted .

ss

-

m im stra to r Com m and Pro m p t

09/12/2012

0 5 : 4 0 AM
2 F ile<s>
2 D ir<s>

12 rea d m e . t x t
188,42 8 bytes
18 8 . 4 2
4,377,677.8:

C:magic>type c:magiccalc.exe

> c:S

1

C:magic>dir
U olume in drive C has no label.
Uo l u m e S e r i a l N u m b e r is 3 4 C 9 - D 7 8 F

r

D i r e c t o r y of C : magic
09/12/2012
09/12/2012
01/19/2008
09/12/2012

<DIR>
05:39 AM
<DIR>
05:39 AM
188,41
06:51 AM
0 5 : 4 4 AM
1
188,4
2 File<s>
4,37 7 , 4 1 5 , 6
2 Dir<s>

C : m a g i c > m k l i n k b a c k d o o r . e x e readme.t)
s y m b o l i c link c r e a t e d f o r backdoor.ext
C : m a g i c )ba c k d o o r

Backspace

|

CE

1

_ !‫_ ע _ו‬

l

I.‫ע‬

MR

|

_

I_

l

L‫ע‬

MS

|

_ u _

l

‫־‬

1
sqrt

I.‫ע‬

_

l

I

l

|

jd

1

/x

|

_ l.‫ע‬

y

C:macric>

FIGURE 2.5: Com and prompt with executed hidden calc.exe
m

Lab A n a ly sis
Document all die results discovered during die lab.

R E L A T E D TO T H I S L AB .




Tool/Utility
NTFS Streams

Information Collected/Objectives Achieved
Output: Calculator (calc.exe) file executed

Q uestio ns
1. Evaluate alternative methods to hide the other exe files (like
calc.exe).
Internet Connection Required

□Y
es

0

No

Platform Stipported

0


Classroom

0 !Labs



3

F in d H id d e n F ile s U s in g A D S S p y
A d s S p y is a to o l u se d to list, view, o r delete A lte r n a te D n tn S tr e a m s ( A D S ) on
W in d o w s S e r v e r 2 0 0 8 w ith N T F S file s y s te m .

I C ON

KEY

/ Valuable
information
S

Test your
knowledge

‫ ־ ־‬Web exercise
=
ffi! Workbook review

La b S cen ario
Hackers have many ways to obtain passwords. Hackers can obtain passwords
from local computers by using password-cracking software. To obtain
passwords from across a network, hackers can use remote cracking utilities or
network analyzers. Tins chapter demonstrates just how easily hackers can gather
password information from your network and describes password
vulnerabilities that exit in computer networks and countermeasures to help
prevent these vulnerabilities from being exploited on your systems. 111 order to
be an expert ethical hacker and penetration tester, you must understand how to
find hidden files using ADS Spy.

La b O b jectives
The objective of tins lab is to help students learn how to list, view, or delete
A lte rn a te D ata S tream s and how to use them.
■ Use ADS Spy
■ Find hidden tiles
t£~Tools
dem onstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

La b Environm ent
To cany out the lab you need:
‫י‬

ADS Spy located at D:CEH-ToolsCEHv8

M odule 05 System
H ackingN TFS S tre a m D e te c to r ToolsADS Spy

■ You can also download the latest version of ADS
http: / / www.mer1jn.11u/programs.php#adsspv
■ It you decide to download the la te s t
111 the lab might differ
■ Run tins tool 111 W indow s


version,

Spy

from the link

then screenshots shown

S erver 2 0 1 2

Ethical Hacking and Countermeasures Copyright © by EC-Coundl


La b Duration
Tune: 10 Minutes

O verview of A D S Sp y
‫ ^ 1ן‬jj-,5 (^ternate
‫ןחר‬

ADS Spy is a tool used to list, view, or delete Alternate Data Streams (ADS) 011

Data Stream is a technique Windows Server 2008 widi NTFS file systems. ADS Spy is a method of stonng
)
used to store m
eta-info on
meta-inform ation of files, without actually stonng die information inside die file it
files.

belongs to.

La b T a s k s
m.

TASK

1

A lternative Data
Stream s

1.

Navigate to the CEH-Tools director}‫ ־‬D:CEH-ToolsCEHv8
System H ackingN TFS S tream D e te c to r ToolsADS Spy

2. Double-click and launch ADS

Spy.

ADS Spy v1.11 -Written by Merijn
A lte rn a te D a t a S tre a m s ( A D S ) a re p ie c e s of in fo h id d e n a s m etad ata o n files o n N T F S drives. T h e y a re not

^

visib le in Explorer a n d th e size th ey ta k e up is not rep orted by W in d o w s . R e c e n t brow ser h ijack e rs started
u sing A D S to h id e their files, a n d ve ry fe w anti-m alw are s c a n n e r s d e te c t this. U s e A D S S p y to find a n d rem o v e
th e s e stream s.
N o te : this a p p c a n als o display legitim ate A D S stream s. D o n 't d e le te stream s if y o u a re not com ple tely sure th ey
a re m alicious!

[v

(•

Q u ic k s c a n (W in d o w s b a s e folder only)

C

Full s c a n (all N T F S drives)

C

S c a n only this folder:

|7

Ig n o re s a fe system in fo d a ta stream s fe n c ry p ta b le ', ,Su m m aryln form ation '. e tc )

[‫־ ־‬

C a lc u la te M D 5 c h e c k s u m s of stream s' c o n ten ts

J

S c a n th e system for alte rnate d a ta stream s

KlADS Spyis a sm
all
tool to list, view, or delete
Alternate Data Streams
(ADS) onWindows 2 1
02
with NTFS file system
s.

[R e a d y -

FIGURE 3.1 W
elcom screen of ADS Spy
e

3. Start an ap prop riate
4. Click Scan


R e m o v e s e le c te d stream s

scan

that you need.

th e system fo r a lte rn a te d a ta stream s.


M od


1
A lte rn a te D a t a S tre a m s ( A D S ) a re p ie c e s of info h id d e n a s m e ta d a ta o n files o n N T F S drives. T h e y a re not

/*.

visib le in Exp lorer a n d th e size th ey ta k e u p is not rep orted by W in d o w s . R e c e n t brow ser h ijac k e rs started
using A D S to h id e their files, a n d ve ry fe w anti-m alware s c a n n e r s d e te c t this. U s e A D S S p y to find a n d rem o ve
th e s e stream s.
N o te : this a p p c a n als o display legitim ate A D S stream s. D o n 't d e le te stream s if y o u a re not com p le tely sure they
a re m alicious!

Q u ic k s c a n (W in d o w s b a s e folder only)

C
| (»

£ ‫ ־‬ADS are a w ay
of storing metainformation
regarding files,
w ithout actually
storing the
information in the
file it belongs to,
carried over from
early MacOS
com patibility

Full s c a n (all N T F S d r iv e s )|
S c a n only this foldet:

C
11 ?
r

v

A

Ig n o te s a fe system info d a ta stream s fe n c ry p ta b le ', 'Su m m aryln form ation ', e tc )|
C a lc u la te M D 5 c h e c k s u m s of stream s' c o n ten ts

j S c a n th e system for aite rnate d a ta stream s

|


C:magicreadme txt: calc, exe (1051648 bytes)
C :U s e rs A d m in is tra to r D o c u m e n ts : {7 2 6 B 6 F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (12 b yte s)
□

C A U s e rs A d m in is tra to r F a v o rite s L in k s S u g g e s te d S it e s .u r l: fa v ic o n (894 b yte s)
C:U sersA d m in istra to rM y D o c u m e n t s : {7 2 6 B 6 F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (12 bytes)
C A W in d o w s .o ld .0 0 0 D o c u m e n ts a n d Se ttin g s A d m in is tra to r F a v o rite s L in k s Su g g e s te d S it e s .u r l: fa v ic o n (8 !

□

C : W in d o w s .o ld .0 0 0 U s e rs A d m in is tra to r F a vo rite s L in k s S u g g e 5 te d S it e s .u r l: fa v ic o n (894 bytes)

| S c a n c o m p le te, fo un d G alte rn ate d a ta stream s (A D S 's ).

FIGURE 3.2 ADS S windowwith Full Scan selected
py

5. Find the ADS
data streams.

hidden info file

while }*on scan the system for alternative

6. To remove the Alternate Data Stream, click Rem ove

s e le c te d stream s.

A lte rn a te D a t a S tre a m s ( A D S ) a te p ie c e s of info h id d e n a s m e ta d a ta o n files on N T F S drives. T h e y a re not
visib le in Exp lorer a n d th e size th ey ta k e u p is not rep otted b y W in d o w s . R e c e n t brow ser h ijack e rs started
using A D S to h ide theit files, a n d ve ry fe w anti-m alw are s c a n n e r s d e te c t this. U s e A D S S p y to find a n d rem o v e
th e s e stream s.
N o te : this a p p c a n also disp lay legitim ate A D S stream s. D o n 't d e le te stream s if y o u a re not com p le tely sure th ey
a te m alicious!

C

Q u ic k s c a n ( W in d o w s b a s e foldet only)

(*

Full s c a n (all N T F S d rives)

C

S c a n only this folder:

J

1✓ Ig n o te s a fe system info d a ta stream s ('e n cry p ta b le ', ‘Sum m aryln form ation ', e tc )

& Com patible
with: Windows
Server 2012,
20008

r

C a lc u la te M D 5 c h e c k s u m s of stream s' co n ten ts
S c a n th e system for alte rn ate d a ta stream s


□

C : m a g ic te a d m e .tx t: c a lc , e x e (1 05 1 G 48 b yte s)

□

C U s e 1sAdm in istrato rD ocu m en ts : {7 2 6 B 6 F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (1 2 bytes)

□

C .A U s e ts 'A d m 1 1s tra to rF avo r1te s L in k s S u g g e s te d S it e s .u r l: fa v ic o n (8 94 b y te s)
n

*‫ ׳׳‬C :U setsA d m in istrato rM y D o c u m e n t s : {7 2 6 B G F 7 C - E 8 8 9 - 4 E F E - 8 C A 3 - A E F 4 9 4 3 D B D 3 8 } (12 b yte s)

/Windows.old.000Documents and SeKings^drnini$tfat0fFav0ritesLinksSuggested Sites.url: favicon (8
C : W in d o w s .o ld O O O U se rs A d m in is tra to r F a vo rite s Lin k s S u g g e ste d S it e s .u r l: fa v ic o n (894 b yte s)

| S c a n c o m p le te, fo un d S alte rnate d a ta stream s (A D S 's ).

FIGURE 3.3: Find die hidden streamfile




L a b A n a ly s is

Document all die results and reports gathered during die lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Tool/Utility

Scan Option: Full Scan (all NTFS drives)

ADS Spy

Output:
■ Hidden files with its location
■ Hidden files size

Q u e s t io n s

1. Analyze how ADS Spy detects NTFS streams.
□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



H id in g F ile s U s in g t h e S t e a l t h F ile s
Tool
S te a lth F i/e s u se a p ro cess c a lled steganography to h id e a n y file s in sid e o f a n o th e r f i e .
I t is a n a lte rn a tiv e to en cryp tio n o f file s .

■ n
co

k ey

‫ ־־‬L a b S c e n a r io

/V
aluable

The Windows NT NTFS hie system has a feature that is not well documented
and is unknown to many NT developers and most users. A stream is a hidden
file that is linked to a normal (visible) file. A stream is not limited in size and
Test your
know
ledge
there can be more than one stream linked to a normal tile. Streams can have any
name that complies with NTFS naming conventions. 11 order to be an expert
1
sA W exercise
eb
ethical hacker and penetration tester, you must understand how to hide files
m W
orkbookreview using the Stealth Files tool. 1 1 this lab, discuss how to find hidden files inside of
1
other files using the Stealth Files Tool.
inform
ation___

L a b O b je c t iv e s

The objective of tins lab is to teach students how to hide files using the Stealth
Files tool.
■ Use the Stealth Files Tool
■ Hide files
— Tools
L a b E n v ir o n m e n t
demonstrated in
To carry out tins lab you need:
this lab are
available in
■ Stealth Files tool located at D:CEH-ToolsCEHv8 Module 05 System
D:CEHHackingSteganographyAudio SteganographyStealth Files
ToolsCEHv8
Module 05 System
■ A computer running Window Server 2012 (host machine)
Hacking
■ You can also download the latest version of Stealth Files from the link
http://www.froeb1s.com/e11glisl1/sf40.sl1tml




■ If you decide to download the latest version, then screenshots shown
in the lab might differ
■ Administrative privileges to run the Stealth files tool
■ Run this tool 111 Windows Server 2012 (Host Machine)
L a b D u r a tio n

Tune: 15 Minutes
O v e r v ie w o f S t e a lt h F ile s T o o l

£U

Stenography is the
art and science of writing
hidden messages.

Stealth files use a process called steganography to lude any tiles inside of another
.
.
.
.
7
.
.
.
tile. It is an alternative to encryption ot tiles because no one can decrypt the
encrypted information or data from die tiles unless diey know diat die ludden tiles
exist.
Lab T asks

B

TASK 1

Stenography

1. Follow the wizard-driven installation instructions to install Stealth Files
Tool.
2. Launch Notepad and write Hello World and save the tile as Readme.txt
on the desktop.
readme - Notepad
File

Edit

Format

View

Help

f l e l l o W o rld !

& Stealth Files
uses a process
called
steganography to
hide any file or
files inside of
another file

F IG U R E 4.1: Hello world in readme.txt

3. Launch the Start menu by hovering the mouse cursor on the lowerleft corner of the desktop.




FIG U RE 4.2: Windows Server 2012 —
Desktop view

4. Click the Stealth Files 4.0 app to open the Stealth File window.

m
You can also
download Stealth File from
http://www.froebis.com.

F IG U R E 4.3: Windows Server 2012 —Apps

5. The main window of Stealth Files 4.0 is shown 111 the following figure.

This is an
alternative to
encryption
because no one
can decrypt
encrypted
information or
files unless they
know that the
hidden files exist.

F IG U R E 4.4: Control panel of Stealth Files




6. Click Hide Files to start the process of hiding the files.
7. Click Add files.
‫ם‬

Stealth Files 4.0 - Hide Files...
Step 1 ■
Choose Source Files:

S Before Stealth Files
hides a file, it compresses it
and encrypts it with a
password. Then you must
select a carrier file, which is
a file that contains die
hidden files

Destroy Source Filesl
Remove Selected Files!
Step 2 •Choose Carrier File:

I
r

‫^־‬J
Create a Backup of the Carrier File!

Step 3 ■
Choose Password:

F IG U R E 4.5: Add files Window

8. In Stepl, add the Calc.exe from c:windowssystem32calc.exe.
& Stealth Files
4.0 can be
downloaded from
the link:
http://www.froebis
.com/english/sf40.
shtml


9. In Step 2, choose the carrier file and add the file Readme.txt from the
desktop.
10. In Step 3, choose a password such as magic (you can type any desired
password).



13

Stealth Files 4.0” Hide Files...

!“ I‫ם‬

x

Step 1 ■
Choose Source Files:
C:W1ndowsSj1stem
32Vcacls.exe

5 You can also
remove the
hidden files from
the carrier file by
going to Remove
Hidden Files and
following the
instructions

I- Destroy Source Filesl
Add Files!

|

Remove Selected Files!

Step 2 Choose Carrier File.

1

1

C:Use sAdm
inistratorDesktop eadm
e.txt

:d

I- Create a Backup of the C
arrier File!
Choose Password:
m
agic)

I Hide Files! |

FIG U R E 4.6: Step 1-3 Window

11. Click Hide Files.
12. It will hide the file calc.exe inside the readme.txt located on the
desktop.
13. Open the notepad and check the file; calc.exe is copied inside it.
readme ‫ ־‬Notepad

I~ I‫ם‬

:

File Ed Form View H
it
at
elp
)H e llo W o rld !
h e h jlfc le d im m a ia lm o k b m p p o n ie g m b k ln n h a c d a h h h n o k e b ib jb ie h a a lb p o f
p p h if h lb k id o f h a k n b in k a d c a jjb p iia n jd h ib o b ig a g d g jo b p b f o jh k g g e e ia
b id jn c n ffb e a k jg h fb c c m h h iim h p p ip h m n e o m k b k h fc b d a fc p c h im g b ifjc id j
lo c g fih d d ilm c fd m c fo fd n c jd c o n g p b c ja d je b o b p n o e g d d b c jk n b jb k k n h a e b
lo c d k flm p n fc g jo b k lb c p g o k h h le llim fp fn c p ig o p o p d e g in a a o e g c k k p c k m g
leo n m b fn g b ln b h cik fd h k m g io d cfg n lg g o ad d cajm p ip fib h p p g g cg im m k a d n j
&T When you are ready to
recover your hidden files,
simply open them up with
Stealth Files, and if you
gave the carrier file a
password, you will
prompted to enter it again
to recover die hidden files

e b fb ld fd d fo ie a e lg n p p id m p jd g m h o p ije h lik e b lfn h o ifla m a d a m p a p b e e c a
k lfg p h fn a b d jm m e p b b g k h d c jp d p a m c jfc ld k e o m fb n c jd p e k p ja ib p c ie p o lb k
m e le p h c p f jp ik f ic k lf a k o o n n jle h b b jd a d a ip h k jg n o n ie lje a h f p a la p p d b a
c ile n o id lh ib e k p b h e jm if n g f h f a p m h a f b lif h lc g ia e b k ijik g o h d a g e e b ip b
o p c k h je h ip o c e k jo ip e n d e o e a llb a k e p m k d d n e im b fg ie lb m b o o k ia d e lllm n j
in ffm o n b k lk k a d p a h ifk p la n a b k d p p b fd c io a ja e k k p p n c g o jg d n h lk jm o fm n g
o e g jh k n m c ifjg jc p o fo c ie d c b fp fm k lm b e m o iib jjd e n jk n lm n lm c io n e o ik n i
lh k n je a p o n o b m k a lijm p lh m la fjfp a fk g fb d b lh fc b d n m jia e g n p k m n h e ih ie c
fnln adn n oaon eop oop bb agm d aoh m ekd gfcekcnb cgm injem egp n nh ein oilgej
o o ig lcd h a clc h jlh d g ib o o h e m b n a p m k m e p a o k jch h g cjb id fh a k c lg fb m a p n b d
o p k m e g fo a n e g d m lm fo n fn o p b k e h o n e in c d h ln o e fa h b n ifd jb d lg b h ije jc e ia
kam gkajbbnlndbiggagm cgnbnm afohogackcdnkhbom gofpdegibikm jm dpfkg

F IG U R E 4.7: Calc.exe copied inside notepad.txt

14. Now open the Stealth files Control panel and click Retrieve Files.



t

Stealth Fi1es 4.0

S Pictures will still look
the same, sound file will
still sound die same, and
programs will still work
fine

a
©

Retrieve Files

□

Remove Hidden Files

e

&■ These carrier files will
still work perfecdy even
with the hidden data in
diem

Hide Files

About Stealth Files

‫־‬

Close Program
F IG U R E 4.8: Stealth files main window

15. In Step 1 , choose the hie (Readme.txt) from desktop 111 which you have
saved the calc.exe.
16. 11 Step 2, choose the path to store the retrieved hidden file. 1 1 the lab
1
1
the path is desktop.
17. Enter the password magic (the password that is entered to liide the tile)
and click on Retrieve Files!
Stealth File! 4.0 - Retrieve Files...

S
This carrier file can be
any of these file types:
E X E , D LL, OCX, COM,
JPG , G IF, ART, MP3, AVI,
WAV, DOC, BMP, and
WMF. Most audio, video, and
executable files can also be
carrier files

I ‫ ם1 ־־‬T x

-Step1■ h o Crrie F :
C o se a r ile
C s rs A m is to D s to V a m.tx
: U e d in tra r e k p re d e t
I‫ ־־‬D stro Crrie F !
e y a r ile
Step2-C o seD s a nD c ry
h o e tin tio ire to :
C s rs '.d in tra rV e k p
:ll e V m is to D s to

d

r Step3• n r P ssw rd
E te a o :
|mg |
a ic
R
etrieveF s
ile !
F IG U R E 4.9: Retrieve files main window

18. The retrieved file is stored on the desktop.




05 Vorslon;
IP Address
MAC Addr•••:
Host Name

Windows NT 62
(non•)
D4 BE 09 CJ CE 20
WIN-039MR6HL9E4

Qs- You can transfer the
carrier file through die
Internet, and die hidden files
inside will transfer
simultaneously.

FIG U R E 4.10: Calc.ese running on desktop with the retrieved file

L a b A n a ly s is

Document all die results and reports gathered during die lab.


Tool/Utility

Hidden Files: Calc.exe (calculator)

Stealth Files
Tool

Retrieve File: readme.txt (Notepad)
Output: Hidden calculator executed

Q u e s t io n s

1. Evaluate other alternative parameters tor hiding tiles.
□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



Lab

E x tr a c tin g S A M H a s h e s U s in g
P W dum p7 Tool
Pwdump7 can a s beusedt d / p m e t d i e Youcana w sc p a ue'teb [ u te e u i g
lo
o uuptcejls
l ay o y sdf/ ) j s x c t n
pnduffp7. x - c / c e f e d t
e e d o k d 1/ . a backjp- dfi otI o key
hxh led c n
L a b S c e n a r io
[£Z7 Valuable

Passwords are a big part ot tins modern generation. You can use the password
for your system to protect the business or secret information and you may
Test your
choose to limit access to your PC with a Windows password. These passwords
know
ledge
are an important security layer, but many passwords can be cracked and while
= W exercise
eb
that is worry, tliis clunk 111 the armour can come to your rescue. By using
password cracking tools 01‫ ־‬password cracking technologies that allows hackers
W
orkbookreview
to steal password can be used to recover them legitimately. 111 order to be an
expert ethical hacker and penetration tester, you must understand how to crack
administrator passwords. 111 tlus lab, we discuss extracting the user logui
password hashes to crack the password.
iiiform
ation___


Tlus lab teaches you how to:
■ Use the pw dum p7 tool

_^Tools

demonstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

■ Pwdump7 located at D:CEH-T00 lsCEHv8 Module 05 System
HackingPassword Cracking Toolspwdump7
■ Run tlus tool 011 Windows Server 2012
■ You can also download the latest version of pwdump7 from the link
http:/ /www.tarasco.org/security/pwdump 7/ 111dex.html


■ TCP/IP settings correctly configured and an accessible DNS server
■ Run this lab in Windows Server 2012 (host machine)
L a b D u r a tio n

Time: 10 Minutes

Overview of Pwdump7
Pwdump7 can be used to dump protected files. You can always copy a used file
just by executing: pwdump7.exe -d c:lockedf11e.dat backup-lockedf11e.dat. Icon
key
Lab T asks

Generating
Hashes

1. Open the command prompt and navigate to D:CEH-ToolsCEHv8
Module 05 System HackingPassword Cracking Toolspwdump7.
2. Alternatively, you can also navigate to D:CEH-ToolsCEHv8 Module 05
System HackingPassword Cracking Toolspwdump7a11d right-click
the pwdump7 folder and select CM prompt here to open the
D
command prompt.
Ad ministraton C:Wi ndowssystem32cmd.exe
[D:CEH-ToolsCEHv8 Module 05 Sys t e m Hack i n g P a s s w o r d C r ackingMJindows
Hrac ke t*spw d u m p 7 >

& Active
directory
passwords are
stored in the
ntds.dit file and
currently the
stored structure


Password C

F IG U R E 5.1: Command prompt at pwdump7 directory

3. Now type pwdump7.exe and press Enter, which will display all the
password hashes.



Administrator: Command Prompt
:CEH-T oolsCEHu8 Module 05 Sys t e m H a c k i n g P a s s w o r d C r a c k ingSWindows P a s sword C
ackerspwdunp7) p w d ump? .exe
w dunp vV.l - raw p a s sword e x tractor
uthor: Andres Tarasco A cuna
rl: h t t p : //www.514.es
A d m i n i s t r a t o r : 5 0 0 :NO PASSWORD*****
D 4 7 : ::
G u e s t :501 :NO P A S S W O R D * ******* * * ***
LA N G U A R D _ 1 1 _ U S E R : 1 0 0 6 : N O PASSWORD*
A67B960: : :
Mart in :1018 :NO P A S S W O R D * *****-*****

*: BE40C4 5 0 A B 9 9 7 1 3 D F 1 E D C 5 B 4 0 C 2 S A
*:NO PASSWORD*
*:C25510219F66F9F12FC9BE662
* : 5 E B E 7 D F A 0 7 4 D A 8 E E 8 A E F 1 F A A 2 B B D E 8 7 6 :::

J u g g y b o y :1 0 1 9 :NO P A S S W O R D * ********

***:488CDCDD2225312793ED6967B28C1025:

Jason :1020 :NO PASS W O R D *- *■
**■ ***■*■**- *
*■
S)liela:1021 :NO P A S S W O R D * * * * * * ** * * *

* : 2 D 2 0 D 2 5 2 A 4 7 9 F 4 8 5 C D F 5 E 1 7 1 D 9 3 9 8 5 B F : ::
**:0 C B 6 9 4 8 8 0 5 F 7 9 7 B F 2 A 8 2 8 0 7 9 7 3 B 8 9 5 3 7 : ::

:CEH-ToolsCEHu8 Module 05 Sys t e m Hack i n g S P a s s w o r d C r a c k ingVWindows P a s sword C
ac ke rs Spw d u m p 7 >

& Always copy a
used file just
executing:
pwdump7.exe -d
c:lockedfile.dat
backuplockedfile.dat.

F IG U R E 5.2: pwdump7.exe result window

4. Now type pwdump7.exe > c:hashes.txt 111 the command prompt, and
press Enter.
5 Tins command will copy all the data ot pwdump7.exe to the
c:hashes.txt tile. (To check the generated hashes you need to navigate
to the C: drive.)
hashes.txt - Notepad
File

Edit

Format

View

Help

(A d m in istra to r: 500: NO
PASSWORD****‫:******* ״ * * * * * * * * ״‬BE40C450AB99713DF1EDC5B40C25AD47
G uest:5 0 1 :NO PASSWORD**‫ : * ״ ״ ״ ״ * * ״ ״ ״ ״ * * ״ ״ ״ ״ ״ ״‬NO
PASSWORD**‫:: : ״ ״ ״ ״ ״ ״ ״ * ״ ״ ״ ״ ״ ״ ״ ״ * ״ ״‬
LANGUARD_11_USER:1006:NO
PASSWORD**********‫:********* ״ ״‬C25510219F66F9F12FC9BE662A67B960
M a rtin :1018:NO
P A S S W O R D * * * * * * * * * * * * * * * 5 : ‫ ״ * * * ״ ״‬EBE7DFA074DA8EE8AEF1FAA2BBDE876
Duggyboy:1019:NO
P A S S W O R D * 4 8 8 : * * ‫ ״ * * * * * * * * * * * * * * * * ״‬CDCDD2225312793ED6967B28C1025
]ason:1020:NO
PASSWORD* * * * * 2: * * * * * * * * * * * * * * * ‫ ״‬D20D252A479F485CDF5E171D93985BF
Shiela:1021:N O
P A S S W O R D * * * * 0 : ‫ ״ * * * * * * ״ * * ״ ״ * ״ ״ ״ ״‬CB6948805F797BF2A82807973B89537

F IG U R E 5.3: hashes.txt window

L a b A n a ly s is

Analyze all the password hashes gathered during die lab and figure out what die
password was.





Tool/Utility

PWdump7

Output: List of User and Password Hashes
■ Administrator
■ Guest
■ Lauguard
■ Martin
■ Juggyboy
■ Jason
■ shiela

Q u e s t io n s

1. What is pwdump7.exe command used for?
2. How do you copy the result of a command to a file?
□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



C re a tin g th e R a in b o w T a b le s
U s in g W in rtg e n
Winrtgen i a graphical ‫־‬ainbow Tables Generator that s i p / s UM, FastLM,
s
R
/pot
N T L M , L M C H 4LL, HaljLMCHALL, N I U M C H A L L , M S C A C H E ,
M D 2, M D 4, M D 5, S H A 1 R I P E M D 160, M j S O L J 23, M j S O L S H 4 1,
,
CiscoPIX, O K 4CLE, S H 4-2 (
256) S H 4-2 (
,
384) and S H 4-2 (
512)
ha h s
se.
ICON KEY


[£ V
II7 aluable
inform
ation

111 computer and information security, the use ot password is essential for users to
protect their data to ensure a seemed access to dieir system or machine. As users
Test your
become increasingly aware of the need to adopt strong passwords, it also brings
know
ledge
challenges to protection of potential data. 111 tins lab, we will discuss creating die
rainbow table to crack the system users’ passwords. 111 order to be an expert ethical
= W exercise
= eb
hacker and penetration tester, you must understand how to create rainbow tables to
m W
orkbookreview crack the administrator password.


The objective of this lab is to help students how to create and use rainbow
table to perform system password hacking.

To earn‫ ׳‬out die lab, you need:
^^Tools

demonstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

■ Winrtgen Tool located at D:CEH-ToolsCEHv8 Module 05 System
HackingRainbow Table Creation ToolsWinrtgen
■ A computer running Window Server 2012
■ You can also download the latest version of Winrtgen from the link
http: / Avwwox1d.it/projects.html
■ If you decide to download the latest version, then screenshots shown 111 the
lab might differ


■ Run this tool 011 Windows Server 2012
■ Administrative pnvileges to mil tins program
L a b D u r a tio n

Time: 10 Minutes
You cau also
download Winrtge from

O v e r v ie w o f R a in b o w T a b le

iittpv'/w w
w .oxid.it/fjrojeef ^ rainbow table is a precomputed table for reversing cryptograpliic hash functions,
usually for cracking password hashes. Tables are usually used 111 recovering plaintext
passwords, up to a certain length, consisting of a limited set of characters.
Lab T ask
TASK 1

Generating
Rainbow Table

1. Double-click the winrtgen.exe tile. The main window of winrtgen is shown
111 die following figure.
r ‫־‬

Winrtgen v2.8 (Rainbow Tables Generator) by mao
F nm
ile a e

A dT b
d a le

S tu
ta s

R o
em ve

Ao t
bu

R o A
em ve ll

OK

E it
x

FIG U R E 6.1: winrtgen main window
Rainbow tables
usually used to crack a lot
of hash types such as
m

2. Click die Add Table button.

NTLM, MD5, SHA1




- ‫ם‬


x

£ Q You can also
http://www.oxid.it/project
s.html.

III
Add Table

Remove

Remove All

About

OK

Exit

FIG U R E 6.2: creating die rainbow table

3. Rainbow Table properties window appears:
i. Select ntlm from the Hash drop-down list
u. Set die M Len as 4, die Max Len as 9, and the Chain Count of
in
4000000
iii. Select loweralpha from die Charset drop-down list (tins depends on the
password).
4. Click OK.
Rainbow Table properties
r Hash
|ntlm

£vTools
demonstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

Min Len

I4

-Max Len rIndex

I9

1
°

Chain Len—

Chain Count —

|2400

I4000000

|abcdefghijklmnopqrstuvwxyz
Table properties
Key space: 5646683807856 keys
Disk space: 61.03 MB
Success probability: 0.001697 (017%)
Benchmark

Optional parameter

Hash speed:

|Adm
inistratot

Step speed:
Table precomputation tim
e:
Total precomputation tim
e:
Max cryptanalysis tim
e:
Benchmark |

FIG U R E 6.3: selecting die Rainbow table properties

5. A file will be created; click OK.




x

Filename

Status

n _ wra h # - _ _ 4 0 4 0 0 0o id 0 0
tlmlo e lp a 4 902 0 x 0 0 0 _ x 8 0 .rt

II
I

Add Table

Remove

Remove All

OK

About

Exit

FIG U RE 6.4: Alchemy Remote Executor progress tab window

Creating the hash table will take some time, depending on the selected hash
and charset.
Note: To save die time lor die lab demonstration, die generated hash table
is kept 111 die following !older: D:CEH-ToolsCEHv8 Module 05 System
HackingRainbow Table Creation ToolsYWinrtgen
m
You must be careful
of your harddisk space.
Simple rainbow table for 1
—5 alphanumeric and it
costs about 613MB of
your harddisk.

7 Created a hash table saved automatically 111 die folder containing
.

winrtgen.exe.
‫י‬

Winrtgen

' L

5
8

CEHv Module 05 System Hacking ► Rainbow Table Creation Tools ► Winrtgen

‫ ־&־‬Favorites
■

Desktop
Downloads

v

C

Date modified

Type

M charset.txt

7/10/2008 &29 PM

Text Document

| □ ntlm_loweralphag4-6_0_2400x4000000_ox... | 9/18/201211:31 AM

RT File

Recent places

H! winrtgen.exe

7/10/200810:24 PM

Application

□ winrtgen.exe.sig

%

Search Winrtgen

Name

7/10/2008 10:33 PM

SJG File

Size
6KB
62,500 KB
259 KB
1 KB

Libraries
[ J Documents
Music
II■! Pictures
H

Videos

Computer
&

Local Disk ( C )

1 m New Volume (D:)

4 items

1 item selected 61.0 M B

State: Q

Shared

FIG U RE 6.5: Generated Rainbow table file




L a b A n a ly s is

Analyze and document the results related to the lab exercise.
Tool/Utility

Purpose: Creating Rainbow table with lower alpha

Winrtge

Output: Created Rainbow table: ntlm_lowe1‫־‬alpha#46_0_2400X4000000_ox...


D Yes

0 No

Platform Supported
0 Classroom


0 !Labs



P a s s w o r d C r a c k in g U s in g
R a in b o w C ra c k
Rainbon'Crack i a computerprogram thatgenerates rainbow t b e t be usedin
s
als o
password c a k n .
rcig

1JV
'— aluable
inforination___

Computer passwords are like locks 011 doors; they keep honest people honest. It
someone wishes to gam access to your laptop or computer, a simple login password
Test your
will not stop them. Most computer users do not realize how simple it is to access die
know
ledge____ login password tor a computer, and end up leaving vulnerable data on their
computer, unencrypted and easy to access. Are you curious how easy it is tor
as W exercise
eb
someone to gain access to your computer? Windows is still the most popular
m W
orkbookreview operating system, and die method used to discover the login password is die easiest.
A hacker uses password cracking utilities and cracks vour system. That is how simple
it is for someone to hack your password. It requires 110 technical skills, 110 laborious
tasks, only simple words 01‫ ־‬programs. 111 order to be an ethical hacker and
penetration tester, you must understand how to crack administrator password. 111
tins lab we discuss how to crack guest users or administrator passwords using
RainbowCrack.

The objective ot this lab is to help students to crack passwords to perform
system password hacking.

£~Tools
demonstrated in
this lab are
available in
To earn‫ ־‬out die lab, you need:
D:CEHToolsCEHv8
■ RainbowCrack Tool located at D:CEH-T00 lsCEHv8 Module 05
Module 05 System
System HackingRainbow Table Creation ToolsRainbowCrack
Hacking
■ A computer running Window Server 2012

■ You can also download the latest version of RainbowCrack from the
link http://proiect-ra111bowcrack.com/

1



■ If you decide to download die latest version, then screenshots shown in die
lab nuglit differ

!2 2 You can also
http://www.oidd.it/project
s.html

■ Run diis tool 011 Windows Server 2012
■ Administrative privileges to mn diis program
L a b D u r a tio n

Tune: 10 Minutes
O v e r v ie w o f R a in b o w C r a c k

RauibowCrack is a computer program diat generates rainbow tables to be used ui
password crackuig. RauibowCrack differs from "conventional" bmte force crackers
in diat it uses large pre-computed tables called rauibow tables to reduce die lengdi of
time needed to crack a password.
Lab T ask
E task

1

Generating the
Rainbow Table

1. Double-click die rcrack_gui.exe tile. The maui window of RauibowCrack is
shown ui die following figure.

m
RainbowCrack for
G PU is the hash cracking
program in RainbowCrack
hash cracking utilities.

FIG U RE 7.1: RainbowCrack main window

2. Click File, and dien click Add Hash...




RainbowCrack 1.5
File | Edit

Rainbow Table

Help

Add Hash...

P la in te x t in

H ex

Load Hashes from File...
Load L M Hashes from P W D U M P File...
Load N T LM Hashes from P W D U M P File..
Save Results...

£Q! RainbowCrack for GPU
is significantly faster than any
non-GPU accelerated
rainbow table lookup
program and any straight
G PU brute forcing cracker

FIG U RE 7.2: Adding Hash values

3. The Add Hash window appears:
i.

Navigate to c:hashes, and opendie hashes.txt tile (which isalready
generated using Pwdump7 located at c:hashes.txt 111 the previous Lab
no:5) .

ii.

Right-click, copy die hashes from hashes.txt tile.

iii.

Paste into die Hash held, and give die comment (optional).

iv.

Click OK.
hashes.txt - Notepad

File

£Q| RainbowCrack uses
time-memoiy tradeoff
algorithm to crack hashes. It
differs from die hash crackers
that use brute force algorithm

Edit

Format

View

Help

Undo

A d m in is tra to r:5 0 0 :NO
Cut
P A S SW O R D *********************: BE40C450AB
Copy
G u e st: 501: NO PASSW O RD ******************"!
Paste
P A S SW O R D ********************** ‫* ׳‬
LANGUARD_11_USER:1006:NO
Delete
PASSWORD‫ :***** * * * * ״ * * * * * * * * * * ״‬C25510219F
Select All
M a r t in :1018:NO
Right * * * Reading order
P A S S W O R D 5 : * * * * * * * * * ‫ * * * * * * ״‬to*left ‫ ״‬EBE7DFA07
] uggy boy: 1019: NO
Show Unicode control characters
PAS S WORD488: * * * * * * * * * * * * * * * * * * * * ‫ ״‬CDCDD22
Insert Unicode control character
Dason:1020:NO
Open IME
P A S S W O R D 2
:* * * * * * * * * * * * * * * * * * •* ‫ ״‬D20D252A4
_____________________________ _______Shiela:1021:N O
PASSWORD* * * * * * * * * * * * * * * * * * * * *

FIG U R E 7.3: Selecting the hashes




RainbowCrack 1.5
File

Edit

Rainbow Table

* ‫־‬
‫י‬

Help
P l a i n t e x t I n H ex

£/Tools

demonstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

0C86948805F797BF2A82807973889537
Comment (optional):
password

FIG U R E 7.4: Adding Hashes

4. The selected hash is added, as shown 111 die following figure.
RainbowCrack 1.5
File

Edit

Rainbow Table

Help

H a sh

P la in te x t

@ 0 c b 6 9 4 e8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3b89537

?

P l a i n t e x t I n Hex

£ 2 Fun time-memory
tradeofftool suites, including
rainbow table generation,
sort, conversion and lookup

FIG U R E 7.5: Added hash show in window

5. To add more hashes, repeat steps 2 & 3 (i,ii,iii,iv)
6. Added hashes are shown 111 the following figure.




RainbowCrack 1.5

£ 0 . RainbowCrack's
purpose is to generate
rainbow tables and not to
crack passwords per-se,
some organizations have
endeavored to make
RainbowCrack's rainbow
tables available free over
the internet.

P File

Edit

Rainbow Table

H a sh
0

I

‫־־[ם‬r x

TI

Help
P la in te x t

P l a i n t e x t i n H ex

0 c b 6 9 4 8 8 0 S f 7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7

?

?

@ 0 c b 6 9 4 8 8 0 5 f7 9 7 b f2 a8 2 8 0 7 9 7 3 b 8 9 5 3 7

?

?

@ 4 8 8 c d c d d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5

?

‫ל‬

@ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6

?

?

@ c 2 5 5 1 0 2 1 9 £ 6 6 f 9 f l2 f c 9 b e 6 6 2 a 6 7 b 9 6 0

?

1

FIG U R E 7.6: Added Hashes in the window

7. Click die Rainbow Table from die menu bar, and click Search Rainbow
Table...
£ 9 RainbowCrack for
G PU software uses G PU
from N V ID IA for
computing, instead of
CPU. By offloading
computation task to G PU,
the RainbowCrack for
G PU software can be tens
of times faster than nonG PU version.

8. Browse die Rainbow Table diat is alreadv generated 111 the previous lab,
which is located at D:CEH-ToolsCEHv8 Module 05 System
HackingRainbow Table Creation ToolsWinrtgen.
9. Click Open.




Open
^
Organize ▼

jA

”

Windows Password Crac... ► winrtgen

v

( j | | Search winrtgen

New folder

Recent places

| ‫ב־‬

‫־׳י‬

[ jjj

P

k i

I

Name

Date modified

Type

Q ntlm.loweralphag4-6.0.24001(4000000.ox■..

Music

|

9/18/2012 11:31 AM

RT File

Libraries
j3] Documents

J l Music

E Q a time-memory
tradeoff hash cracker need
a pre-computation stage, at
the time all plaintext/hash
pairs within the selected
hash algorithm, charset,
plaintext length are
computed and results are
stored in files called
rainbow table

g

Pictures

9

Videos

1^

Computer
^

Local Disk (C:)

r . Local Disk (D:)
1 - Local Disk (£)

>
1
Filename: ntlmjoweralpha*4-6_0_2400x4000000_oxid*£ v

| Rainbow Tables (*.rt;*.rtc)
Open


10. It will crack the password, as shown 111 the following figure.
RainbowCrack 1.5
File

Edit

Rainbow Table

Help
P l a i n t e x t I n Hex
te s t

Com ment

74657374

H ash

p a ssw o rd

3

0 c b 6 9 4 8 8 0 5 f7 9 7 b f 2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7

3

0 c b 6 9 4 e 8 0 5 f7 9 7 b f2 a 8 2 8 0 7 9 7 3 b 8 9 5 3 7

te s t

74657374

4 e e c d c d d 2 2 2 5 3 1 2 7 9 3 e d 6 9 6 7 b 2 8 c l0 2 5

g ree n

677265656c

✓ 5 e b e 7 d fa 0 7 4 d a 8 e e 8 a e flfa a 2 b b d e 8 7 6

a p p le

6170706C 65

3

c 2 5 5 1 0 2 1 9 f6 6 f 9 fl2 fc 9 b e 6 6 2 a 6 7 b 9 6 0

?

3

2 d 2 0 d 2 5 2 a 4 7 9 f 4 8 5 c d f 5 e l7 1 d 9 3 9 8 5 b f

3

£ • ‫ ־‬RainbowCrack focus
==
!
on the development of
optimized time-memory
tradeoff implementation,
and generation of large
rainbow tables.

7
q w e r ty

t i n e o f a la rm c h e c k :
tin e o f w a it:
ti m e o f o t h e r o p e r a t i o n :
ti m e o f d i s k r e a d :
h a s h & re d u c e c a l c u l a t i o n o f c h a in t r a v e r s e :
h a s h 4 r e d u c e c a l c u l a t i o n o f a la r m c h e c k :
num ber o f a la r m :
s p e e d o f c h a in t r a v e r s e :
s p e e d o f a la r m c h e c k :

717765727479

2 .3 4 s
0 .0 0 s
0 .1 9 s
0 .0 8 s
5755200
35850648
55125
9 .7 1 m i l l i o n / s
1 5 .3 3 m l l l l o n / s

/s

5


L a b A n a ly s is

Analyze and document die results related to the lab exercise.





Tool/Utility


RainbowCrack

Hashes:
‫ י‬Administrator
‫ י‬Guest
‫ י‬Languard
‫ י‬Martin
■ Juggyboy
■ Jason
‫ י‬Shiela
Password Cracked:
‫ י‬test
‫ י‬test
‫ י‬green
‫ י‬apple
‫ י‬qwerty

Q u e s t io n s

1. What kind of hashes does RambowCrack support?
□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



Lab

E x tra c tin g A d m in is tra to r
P a s s w o r d s U s in g L O p h tC ra c k
U)phtCrack i packed with powetfnlf a u e , such as sc du i g hash ex act
s
etrs
he l n ,
tr ion
f o / 64- i Windows v r i n ; multiprocessor al o i h s and network monitoring
r//
bt
esos
grtm,
and d o i g I can import and crack U N I X passwordfiles and remote Windows
ec d n . t
machines.

/V
aluable
inform
ation
Test your
know
ledge____
^ W exercise
eb

Since security and compliance are high priorities for most organizations, attacks
a company 01‫ ־‬organization's computer systems take many different forms,
such as spooling, smurfing, and other types of denial-of-service (DoS) attacks.
These attacks are designed to harm 01‫ ־‬interrupt the use of your operational
systems.
011

r*‫ ..־‬W
orkbookreview Password cracking is a term used to describe the penetration of a network,
system, 01‫ ־‬resource with 01‫ ־‬without the use of tools to unlock a resource that
has been secured with a password. 111 tins lab we will look at what password
cracking is, why attackers do it, how they achieve their goals, and what you can
do to do to protect yourself. Through an examination of several scenarios, in
tins lab we describe some of the techniques they deploy and the tools that aid
them 111 their assaults and how password crackers work both internally and
externally to violate a company's infrastructure.
111 order to be an expert ethical hacker and penetration tester, you must
understand how to crack administrator passwords. 111 tins lab we crack the
system user accounts using LOphtCrack.

^^Tools

demonstrated in L a b O b je c t iv e s
this lab are
The lab teaches you how to:
available in
D:CEH■ Use the LOphtCrack tool
ToolsCEHv8
Module 05 System
Hacking





To earn’ out the lab you need:
■ LOphtCrack tool located at D:CEH-ToolsCEHv8 Module 05 System
HackingPassword Cracking ToolsLOphtCrack
■ Run tliis tool on Windows Server 2012 (host machine)
■ You can also download the latest version of LOphtCrack from the link
http: / / www.lOphtcrack.com
■ Follow wizard driven installation instructions
■ TCP/IP settings correctly configured and an accessible DNS server
■ Tins tool requires the user to register or you can also use the evaluation
version for a limited period of time
L a b D u r a tio n

Time: 10 Minutes
O v e r v ie w o f L O p h t C r a c k

LOphtCrack provides a scoring metric to quickly assess password quality.
Passwords are measured against current industry best practices and are rated as
Strong, Medium, Weak, or Fail.
Lab T asks
TASK 1

Cracking
Administrator
Password

1. Launch the Start menu by hovering the mouse cursor to the lower left
most corner of the desktop.

|| W d w S rv r21
in o s e e 02
vm 1 «‫ן1י!שי'י5״ימ״‬
i‫׳‬
m
You can also
download the LOphtCrack
from
http://www.lOphtcrack.


FIG U R E 8.1: Windows Server 2012—Desktop view

2. Click the LOphtCrack6 app to open the LOphtCrack6 window



S ta rt

Server
Manager

F
a

Administrator

Windows
PowerShel

T

Google
Chrome

Hyper-V
Manager

o

‫י‬
‫י‬

Hyper-V
Virtual
Machine...

SQL Server
Installation
Center...

Computer

Control
Panel

*
J

m

Q

K

Command
Prompt

Mozilla
Firefox

Global
Network
Inventory

<
©

I
f

Nmap Zenmap
GUI

Workspace
Studio

O‫־‬

3

e
/LOphtCrack supports
pre-computed password
hashes.

Intrmrt fuplcrr‫׳‬

Drdlrp

F IG U R E 8.2: Windows Server 2012 —Apps

3. Launch LOphtCrack, and 111 the LOphtCrack Wizard, click Next.
LOphtCrack Password Auditor v6.0.16

x
LOphtCrack 6 Wizard

6

Welcome to the LOphtCrack Wizard Ths wizard wil
prompt you wth step-by-step nsbuctions to get you
audting n mrxies
First, the wizard w i help you determne where to
retrieve your encrypted passwords from
Second, you w i be prompted wth a few options
regardng which methods to use to audit the
passwords
Third, you w i be prompted wth how you wish to report
the results

6

Then. LOphtCrack w i proceed audting the
passwords and report status to you along the way.
notifying you when audfcng is complete
Press Next' to conbnue wth the wizard

LOphtCrack can also
cracks U N IX password
files.

[7 jjjprit show me this wizard on startup
‫ך‬

FIG U RE 8.3: Welcome screen of die LOphtCrack Wizard

4. Choose Retrieve from the local machine in the Get Encrypted
Passwords wizard and click Next.




LO h ra kPa o A d rv .0 6
p tC c ssw rd u ito 6 .1

Get Encrypted Passwords

Choose one of the folowng methods to retrieve the
encrypted passwords
| ♦ Retneve from the tocal machne |
Pulls encrypted passwords from the local machrte's
registry Admnatrator access a requred
Retneve from a remote machne
Retneve encrypted passwords from a remote
machne on your doman Admrwtrator access is
required
Retneve from SAM /SYSTEM backup
Use emergency repar disks, backup tapes, or
volume shadow copy techr»ques to obtain a copy of
the registry SAM and SY ST EM hives This contans
a copy of your non-doman passwords
Q Retneve by jnrffng the local network
Sniffing captures encrypted hashes n transit over
your network Logns.fie shamg and pmt shanng
al use network authentication that can be captured.

< Back

ca

LOphtCrack has a
built-in ability to import
passwords from remote
Windows, including 64-bit
versions of Vista, Windows
7, and U N IX machines,
without requiring a thirdparty utility.

Next >

■
|

FIG U R E 8.4: Selecting die password from die local machine

5. Choose Strong Password Audit from the Choose Auditing Method
wizard and click Next.
1 ‫'°׳‬
-

‫ן‬

FIG U R E 8.5: Choose a strong password audit

6. In Pick Reporting Style, select all Display encrypted password
hashes.
7. Click Next.




m
LOphtCrack offers
remediation assistance to
system administrators.

FIG U R E 8.6: Pick Reporting Style

8. Click Finish.
LO h ra kPa o A d r v .0 6
p tC c ssw rd u ito 6 .1

‫° ־‬

x

Bogin Auditing

P

O

_
._ LOphtCrack lias realtime reporting that is
displayed in a separate, tabbed
interface.

Step

Step 2

6

LOphtCrack « now ready to begn the password
aud*ing process Please confirm the folowng settings
and go back and change anythng that ts not correct
Retrieve passwords from the local machine
Perform 'Quick' password audit
Display doman password belongs to
Display passwords v41en audited
Display time spent auditing each password
Give visible notification *tfien done audrtng
Show method used to crack password

[/] Save these settings as sesaon defaults
Press ■finish'to bepn audtng

►
Step 5
6«g1n
Auditing

FIG U RE 8.7: Begin Auditing

9. LOpntcrack6 shows an Audit Completed message, Click OK.
10. Click Session options Irom the menu bar.




Cracked Accounts

J j.

<N

Weak Passwords
Pause

‫־‬
d

Stop

Schedule Scheduled
Audit
Tasks

Disable Force Password
Expired Accounts

Run y Report

Domain

User Name

LM Hash__________________________

LM Password

,X WIN-D39MR... Administrator

* missing *

£ WIN-D39MR... Guest

‫ ״‬missing *

J t WIN-D39MR... Jason

* missing *

4 WIN-D39MR... Juggyboy

* missing *

<tw1N-D39MR... IANGUARD_11_USER

* missing

A WIN-D39MR... Martin

‫ ״‬missing

LOphtCrack 6

I

x

to t a
00000000000000( uords 29151]
00000000000000
000
00000000000000( _wgrds_done
00000000000000
000
00000000000000(
00000000000000
000
1B5T
0TO?
00000000000000(
00000000000000
000
00000000000000( _______
00000000000000
000
00000000000000(
00000000000000
000

Audit completed.

_______

LtX&sslaezei
0d Oh 0» Os

OK

____ tlMS-iSlt
_ _ l ‫_־‬d o n S
III

>
4 X

Messages
0 9/1 8 /2 0 1 2
0 9/1 8 /2 0 1 2
0 9 / 1 8/2 01 2
0 9/1 8 /2 0 1 2

1 4 :4 7 :4 8 M u ^ i - c o r e o p e r a t i o n w i t h 4 c o r e s .
1 4 :4 7 :5 2 Im p o r t e d 2 a c c o u n t s fr o m t h e l o c a l
1 4 :4 7 :5 2 A u d i t s t a r t e d .
1 4 :4 7 :5 2 A u d i t i n g s e s s i o n c o m p le t e d .

m a c h in e

FIG U R E 8.8: Selecting Session options
£ Q LOphtCrack uses
Dictionary, Hybrid,
Recomputed, and Bmte
Force Password auditing
methods.

11. Auditing options For This Session window appears:
i. Select the Enabled, Crack NTLM Passwords check boxes 111
Dictionary Crack.
ii. Select the Enabled, Crack NTLM Passwords check boxes 111
Dictionary/Brute Hybrid Crack.
iii. Select the Enabled, Crack NTLM Passwords check boxes 111 Brute
Force Crack.
IV.

Select the Enable Brute Force Minimum Character Count check box.

v. Select the Enable Brute Force Maximum Character Count check
box.
12. Click OK.




‫־‬m

A d gO tio s Fo T isSessio
u itin p n r h
n
Dictionary Crack

The Dictionary Crack tests for passwords that are
the same as the words fcste inthe wordfile. This
d
test *very fast and findsthe weakest passwords.

Dictionary List
0 Crack NTLM Passwords
Dictionary/Brute H
ybrid Crack
[2 Enabled

0
V Crack NTLM Passwords
C m letter substitutions *
om on
(m slower)
uch

* Charactersto prepend
- Charactersto append

Precom
puted
E ! Enabled
C

The Dictionary/Brute H
ybrid Crack tests
forpasswordsthat are variations of the
words inthe wordfile. Itfinds passwords
such as Dana9 or monkeys! . This
9
test isfast andfinds weak passwords.

Also known as 'ranbow tables', the Precom
puted
Cracktests for passwords aganst a precom
puted
hashes contan-edn a file orfiles This test is very
fast andfinds passwords created fromthe sam
e
character set as the precom
puted hashes.
Preservng precom
putation data speeds up
consecutive m n exchange for disk space
ns
Ths crack works aganst LM and NTLM passwords,
but not Una

Hash File List

Preserve Precomputation Data

Location

Ba/te Force Crack
Language:

J£rack NTLM Passwords

The Brute Force Crack tests for passwords that
are m up of the characters specified inthe
ade
character set I finds passwords such as
"W
eR3pfc6s■ or "vC5%6S*12b" This test is slow
'
andfinds m < jmto strong passwords.
e fc

English

alphabet ♦num
bers
CustomCharacter Set (list each character):
E T N RIO AS D H LCFPU MYG W V BX K Q JZetnrioasd
hlcfpumygwvbxkqjzOI 23456789

Brute Force M im mCharacter C
in u
ount

Enabing a start orend point lets you control the
m im mand m x u num of characters to
in u
a im m
ber
iterate.

‫נ‬

Brute Force M im mCharacter Count
ax u
To

9

The actual m x u character count used m
a im m
ay
vary based on hash type
Specfy a character set w m characters to
ith ore
crack strongerpasswords.

’

QK

Qancel

F IG U R E 8.9: Selecting die auditing options

13. Click Begin ' ' ‫ ר‬from the menu bar. LOphtCrack cracks the
administrator password.
14. A report is generated with the cracked passwords.

FIG U RE 8.10: Generated cracked Password




L a b A n a ly s is

Document all die results and reports gathered during die kb.


Tool/Utility

LOphtCrack

User Names:
‫ י‬Guest
‫ י‬Jason
‫ י‬Juggvbov
‫ י‬LANGUARD_11_USER
‫ י‬Martin
Password Found:
‫ י‬qwerty
■ green
‫ י‬apple

Q u e s t io n s

1. What are the alternatives to crack administrator passwords?
2. Why is a brute force attack used 111 the LOphtCrack tool?
□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



P a s s w o r d C r a c k in g U s in g
O p h c ra c k
Ophcrnck i a free open source ( P L l c n e ) program that cracks Windows
s
G
iesd
passn‫׳‬rds by using L M hashes through rainbow t b e .
o
als
ICON KEY

/V
aluable
inform
ation
J? T your
e$t
___know
ledge____

» W exercise
eb
W
orkbookreview


a security system that allows people to choose their own passwords, those people
tend to choose passwords that can be easily guessed. Tins weakness exists m
practically all widely used systems instead of forcing users to choose well-chosen
secrets that are likely to be difficult to remember. The basic idea is to ensure that
data available to the attacker is sufficiently unpredictable to prevent an off-line
verification of whether a guess is successful or not; we examine common forms of
guessing attacks, password cracking utilities to develop examples of cryptographic
protocols that are immune to such attacks. Poorly chosen passwords are vulnerable
to attacks based upon copying information. 111 order to be an expert ethical hacker
and penetration tester, you must understand how to crack the weak administrator 01‫־‬
system user account password using password cracking tools. 111 tins lab we show
you how to crack system user accounts usmg Ophcrack.
111


The objective of this lab is to help students learn:
‫ י‬Use the OphCrack tool
Tools
demonstrated in
this lab are
available in
D:CEHTo earn‫ ־‬out die lab, you need:
ToolsCEHv8
Module 05 System
" OphCrack tool located at D:CEH-T00 lsCEHv8 Module 05 System
Hacking
HackingPassword Cracking ToolsOphcrack
■ Run this tool 011 Windows Server 2 0 12 (Host Machine)
■ You can also download the latest version of LOphtCrack from the link
http: / / ophcrack.sourceforge.net/




■ Follow the wizard-driven installation instructions
L a b D u r a tio n

Time: 15 Minutes
O v e r v ie w o f O p h C r a c k

Rainbow tables for LM hashes of alphanumeric passwords are provided for free by
developers. By default, OphCrack is bundled with tables diat allow it to crack
passwords no longer than 14 characters using only alphanumeric characters.
Lab T ask
TASK 1

Cracking the
Password

1. Launch the Start menu by hovering the mouse cursor on the lower-left
corner of the desktop.

g| W d w S rv r21
n o s e e 02
v no !x ff1uKte u o a w c w
notfj rv 0 e jje n iow u w r
tvilwtor c ‫׳‬pv kud M O
c
O

‫ןןמישיייעןיימיירזמיי‬
FIG U R E 9.1: Windows Server 2012 - Desktop view

2. Click the OphCrack app to open the OphCrack window.

m
You can also
download the OphCrack
from
http:/ /ophcrack.sourceforg
e.net.

FIG U R E 9.2: Windows Server 2012—
Apps

3. The OphCrack main window appears.



M odule 05 - S ystem H ackin g

ophcrackC

1‫' ם ! ־‬

4A
Load
Progress

Statistics

J

Tables

^

11/

Save

Delete

Cradt

Help

G

Exit

About

Preferences

B Rainbow tables for LM
hashes of alphanumeric
passwords are provided for
free by die developers

Preload:

waitng

| Brute force:

waiting

j

Pwd found:

0/0

Time elapsed: |

OhOmQs

FIG U R E 9.3: OphCrack Main window

4. Click Load, and then click PW
DUMP file.
ophcrack

U/

‫ב‬

,•..‫י‬
©

&

e

<?

Single hash
PW D UM P file
Session file

& Ophcrack is
bundled with
tables that allows
it to crack
passwords no
longer than 14
characters using
only alphanumeric
characters

Encrypted SAM
Local SAM with samdump2
Local SAM with pwdump

6

Remote SAM

Directory

Preload: _______ waiting_______| Brute force: |

Progress

waitng

| PwdfouxJ:

Fig 9.4: Selecting PWDUMP file

5. Browse die PWDUMP file diat is already generated by using PT)UMP7111
die previous lab 110:5 (located at c:hashes.txt).
6. Click Open




O en PW UM file
p
D P

0C ^ ^
O
Organize

***

* Computer

■ Desktop

C

| Search Local Disk (C:)

A

Name

Date modified

Type

ji. Program Files

9/17/2012 9:25 AM

File folder

Program Files (x86)

9/18/20122:18 PM

File folder

j

TFTP-Root

9/4/2012 7:00 PM

File folder

j

S

P ] I

§=- E m
‫־‬
H

Users

9/18/20122:35 PM

File folder

8/30/20121:06 PM

File folder

W in d o w s

9/15/2012 3:26 PM

File folder

4• W indow s.old

4 Downloads

available as Live CD
distributions which
automate the retrieval,
decryption, and cracking of
passwords from a Windows
system.

v

► Local Disk (C:)

New folder

8/7/2012 1:50 AM

File folder

8/8/2012 12:03 AM

File folder

Recent places

J Music
)
^ Libraries

j. usr

(3| Documents

J

Music
fcl Pictures

.00
0

J,.
^

H Videos

W in d o w s.o ld

.rnd__________________

9/19/2012 9:58 AM

RND File
Text Document

r
. ^ Local Disk (D:)

9/18/2012 3:06 PM
9/15/2012 2:53 PM

System file

[ user.js
A

Local Disk (C:)

hashes.txt

|j6j msdos.sys

:■ Computer

9/6/20124:03 PM

‫ן‬

JS File

v,
v

File name: hashes.txt

j

[All Files (*/)
Open

FIG U R E 9.5 import the hashes from PWDUMP file

7. Loaded hashes are shown 111 the following figure.
ophcrack

O

Si

«S

IU

Load

Delete

Save

Tables

Progress

Statistics

j

O

Preferences |

User

NT Hash

Administrator

BE40C450AB997...

Guest

31d6cfe0d16ae9...
C25510219F66F...

LANGUARD.! 1_
Martin

5EBE7DFA074D...

Juggyboy
Jason

£7 Ophcrack C
racks
LMandNTLM
W
indows hashes

o

Crack

488CDCDD2225...
2D20D252A479F...

Shiela

0CB69488O5F79...

Directory

Preload: _______ waitng_______| Brute force: |

Progress

waiting

] Pwd foaxl:

FIG U RE 9.6 Hashes are added

8. Click Table. The Table Selection window will appear as shown 111 die
following figure.




^ ‫י ז‬

o h ra k
pc c
IU
Progress

',s ?
,g

Tables

Crack

Table Selection

Statistics 0

User

Directory

Table

Status

Administrator

m XP free fast

Guest

• XP free small

LANGUARD_11_

• XP special

not installed

Martin

# XP german vl

not installed

not installed
not installed

Juggyboy

• XP german v2

not installed

Jason

• Vista special

not installed

Shiela

• Vista free

not installed

• Vista nine

not installed

• Vista eight

not installed

• Vista num

not installed

• Vista seven

not installed

< Vista eight XL
•

&Tools
demonstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

not installed

• XP flash

not installed

III

<
• = enabled

J

= disabled

|

>

• = not nstaled

B B S S
Pretoad: _______ waiting_______| Brute force: |

waiting

] Pwd fouxJ:

T«ne elapsed:

Oh 0‫ וח‬Os

FIG U RE 9.7: selecting die Rainbow table

Note: You can download die free XP Rainbow Table, Vista Rainbow
Tables from http:// ophcrack.sourcetorge.net/tables.php
9. Select Vista free, and click Install.
‫״‬G

Table Selection

lab
le
• XPfre fa
e st
• XPfreesmll
a
9 XP sp cia
e l
• XP g rmnv
e a 1
• XP g rmnv
e a 2
• V sp cia
ista e l
| !• V fre
ista e
•V ne
ista in
#V e h
ista ig t
• V nm
ista u
< V se n
• ista ve
* X fla
P sh
<V e h X
• ista ig t L

<
l
< = nb d
• e a le

D cto
ire ry

III
4 = is b d
d a le

Sta s
tu
n t in lle
o sta d
n t in lle
o sta d
n t in lle
o sta d
n t in lle
o sta d
n t in ta d
o s lle
n t in lle
o sta d
n t in ta c
o s lle
n t in ta d
o s lle
n t in ta d
o s lle
n t in ta d
o s lle
n t in ta d
o s lle
n t in ta d
o s lle
n t in ta d
o s lle

‫<ן‬

• =n tinta d
o s lle

0 0 @ @
FIG U R E 9.8: Installing vista free rainbow table




10. The Browse For Folder window appears; select the the table_vista_free
folder (which is already download and kept at D:CEH-ToolsCEHv8
Module 05 System HackingPassword Cracking ToolsOphcrack)
11. Click OK.
Browse For Folder
Select the directory which contains the tables.

&■ Ophcrack Free tables
available for Windows XP,
Vista and 7

4

J4 CEHv8 M odule 05 System Hacking

A

Password Cracking

4

W indows Password Crackers

a

A

OphCrack
tables_vista_free
pwdump7

I

winrtgen
t
>
<

steganography
III

Make New Folder

V

1
OK

l>
Cancel

12. The selected table vista free is installed,; it shows a green color ball which
means it is enabled. Click O .
K
? x
Table Selection

& Loads hashes
from encrypted
SAM recovered
from a Windows
partition

D cto
ire ry

‫־‬b
fa le
• X fre fa
P e st
• X fre smll
P e a
• X sp cia
P e l
• X g anv
P erm 1
• X g anv2
P erm
• V sp cia
ista e l
> • V fre
ista e
•V ne
ista in
•V e h
ista ig t
• V nm
ista u
• V se n
ista ve
• X fla
P sh
* V eig t X
ista h L

C g F s(x 6 ta le
:/Pro ram ile 8 )/ b s_vista e
_fre

<
£ = enabled

A

>

III

4 = disabled

*

*

S tu
ta s
n t in ta d
o s lle
n t in ta d
o s lle
n t in ta d
o s lle
n t in lle
o sta d
n t in ta d
o s lle
n t in ta d
e s lle
o dk
n is
n t in ta c
o s lle
n t in lle
o sta d
n t in lle
o sta d
n t in lle
o sta d
n t in ta d
o s lle
n t in lle
o sta d

# = not installed

Inta
s ll

FIG U R E 9.9: vista free rainbow table installed successfully

13. Click Crack: it will crack die password as shown 111 die following figure.




ophcrack

i

«!

Load
Progress

This is necessary if die
generation of die LM hash
is disabled (this is default
for Windows Vista), or if
the password is longer than
14 characters (in which
case the LM hash is not
stored).

Statistics

J

User

a/

^

@

i

Save

Delete

Tables

Crack

Help

Bat

Preferences

LM Hash

NT Hash

Administrator

LM Pwd 1

LM Pwd 2

NT Pwd

BE40C450AB997...

Guest

31d6cfe0d16ae9...

LAN6UARDJ 1_...

em pty

C25510219F66F...

Martin

5EBE7DFA074D...

apple

Juggyboy

488CDCDD2225...

green

Jason

2D20D252A479F...

qwerty

Shiela

0CB6948805F79...

test

!able

Directory

Status

t> 4 Vista free

C:/Program File...

100% in RAM

Progress

FIG U R E 9.10: passwords ate cracked

L a b A n a ly s is

Analyze and document the results related to the lab exercise.

I

Tool/Utility


j

User Names:
‫ י‬Guest
‫ י‬LANGUARD_11_USER
‫ י‬Martin
‫־‬

OphCrack

‫י‬
‫י‬

Juggyb°y

Jason
Slieiela

Rainbow Table Used: Yista free
Password Found:
‫ י‬apple
‫ י‬green
‫ י‬qwerty
‫ י‬test



Q u e s t io n s

1. What are the alternatives to cracking administrator passwords?
□ Yes

0 No

Platform Supported
0 Classroom


0 !Labs



S y s te m M o n ito rin g U s in g
R e m o te E x e c
System hacking i t s i n e of t s i gcomputers and netnorksfor v l e a i i i s
s he c e c
etn
unrblte
andplugging.
^_ Valuable

inform
ation___
Test your
know
ledge

*A
m

To be an expert ethical hacker and penetration tester, you must have sound
knowledge of footprinting, scanning, and enumeration. This process requires an
active connection to the machine being attacked. A hacker enumerates applications
and banners 111 addition to identifying user accounts and shared resources.

W exercise
eb

You should also have knowledge of gaining access, escalating privileges, executing
W
orkbookreview applications, lnding tiles, and covering tracks.

The objective of tins lab is to help students to learn how to:
‫י‬

Modify Add /Delete registry kevs and or values

■ Install service packs, patches, and hotlixes
■ Copy folders and tiles
Tools
‫ י‬Run programs, scripts, and applications
demonstrated in
this lab are
■ Deploy Windows Installer packages 111 silent mode
available in
D:CEHL a b E n v ir o n m e n t
ToolsCEHv8
Module 05 System To earn‫ ־‬out die lab, you need:
Hacking
■ Remote Exec Tool located at D:CEH-ToolsCEHv8 Module 05 System
HackingExecuting Applications ToolsRemoteExec
■ Windows Server 2008 running on the Virtual machine
■ Follow die Wizard Driven Installation steps




■ You can also download die latest version of RemoteExec from the link
http://www.isdecisions.com/en
■ If you decide to download die latest version, dien screenshots shown 111 die
lab might differ
■ Administrative pnvileges to run tools
L a b D u r a tio n

Time: 10 Minutes
O v e r v ie w o f R e m o t e E x e c

RemoteExec, die universal deployer for Microsoft Windows systems, allows
network administrators to run tasks remotely.
Lab T ask
TASK 1

1. Install and launch RemoteExec.

Monitoring
System
RemoteExec
R otecxec
em

‫ח כ מ*כ‬
‫0 ס־‬

ram
e
f*l demote jobs
^eco‫־‬ter
^ Schedue‫׳‬

‫ ^׳‬o n
Otos

Albws vou ‫ מ‬corftare. rra-MOt 3rd exeats rerro:e jobs.
Albws vou ‫ מ‬dsjMv reco‫׳‬ts or renew executions.
Albws vou ro
renote executions ard oerie‫-׳‬ate autara ..
ConScu‫׳‬e Re*note€xec options.

0 3 . System Requirements:
Target computers can have
any of these operating
systems: Microsoft
Windows 2003/2008 (No
Service Pack is required);
an administration console
with Microsoft Windows
2003/2008 Service Pack 6,
IE5 or more.
,able of contert | Q a:cess |
| uick

FIG U RE 10.1: RemoteExec main window

2. To configure executing a file, double-click Remote jobs.




: 00B

Ne

Virco

‫י‬

rep

‫״‬

£ Q RemoteExec
considerably simplifies and
accelerates all install and
update tasks on a local or
wide area network (W AN)
as well as on remote
machines.

Alows you to dtspa,‫ ׳ ׳‬eports 0‫ ׳ ר׳‬errote execj$o1‫.«׳‬
Allows you to soedijte ‫׳‬errote e<ecjto1‫׳‬s snd generate sutoiia..
Configure RcmotcExcc optoas.

TaDle ofcontert Quick access

Remote execution
requirements: The account
running RemoteExec needs
administrative rights on
target computers.
Microsoft file and printer
sharing (SM B TCP 445)
and ICM P (ping) should be
enabled. These protocols
also need to be allowed in
any firewall between the
administration console and
target computers.

FIG U R E 10.2: RemoteExec configuring Remote jobs

3. To execute a New Remote job, double-click die New Remote job option
diat configures and executes a new remote job.
Hie

Tool* ]tfndo*

Help

& <nt€c
5o >
cc
New rcrrote )cb 5 0 :
execu%oo
;
Updax rstalafeon 1 - 0
|‫ ®•־‬M rstalaMn
SI
Systenn acton 1@ ■
■!

R otejo s
em
b
Rem
oteExec,‫׳‬Rerrote jobs
!

fn Cean
j t ork
Lcca acrouv ‫. ׳‬

pp “ ■
c tp ;

job
My Renote J3bs
ote
. ranrenaMy Rem Actons
^ MyTarget Com
puters

Mows you
/our favorite rem j»98
ste
/our favorite rarcte actors.
Yout favorite taroet conxiter bts.

Mutote aaons
j-™ My Renore 30
0s
i ^ My Rertore Actors
MyTargetCctoj»s ^ :
Report‫־‬
: * T ScredJcr
“
L-4^ Options

EU Configure files to be
generated: You see that the
report has been added after
the installation of Acrobat
Reader in the scheduled
tasks. A new section,
“ Document generation,” is
available to specify the
output files. Select a PD F
file to be generated in an
existing folder. Make sure
that the account running
the task has write access to
this folder.


Table ofconteni | Q accea
uick

FIG U R E 10.3: RemoteExec configuring New Remote job

4. 11a New Remote job configuration you can view different categories to
1
work remotely.
5. Here as an example: we are executing die hie execution option. To execute
double-click File Execution.



hie

Tools

Wmiow‫׳‬

E?

V

Hep

•

B ‫5: ^־־‬eno‫־‬eE>
. ec
P.enote (061

} Q3£ ^0
!■

£ ‫יל‬
Tools
demonstrated in
this lab are
available in
D:CEHToolsCEHv8
Module 05 System
Hacking

;
Ffc execuSon
i 1-0 Update rstalafon
j--j^|MSI ratilaaon
HfcSyste»ac*>n
j-uT F*? Coe‫ ׳‬ason
1
-^‫ ־‬Loca arroinr ‫׳‬rante
I ~PCpLp
=MJtcle aeons 5
‫״‬
Nr teoote J>x “
j ^ Mr Rcnote *ctcrc
:Nv Taract Ccrojtcn ^ :
jfe Reporte‫־‬
; ‘“ t ScTcdJcr
!‫״‬y*Opfcon«

New remote job
RemoteExeciRefrote jobs/Newrem jc
ote

| ) Update retalafion
(Si MSI m
stalotion
{§fcSystem action
Fib Ooo‫־‬ation
Local account m
aintenance
S I Popup
(5 Multtfe actions

Instil 5Marosoft jadaie reretefy.
Instil o Winda^s Instiler > x > rsrrctSY•
3 qc
Rcaoot,^Shutoovm
,V3< up a eonou» ‫־‬cnotdy.
r
C03y files or faWa5 » cirotc am u K n
Chanas the bed xhincbati p s/< »Cand'or doeue a otho‫־‬local a
e5 0
il
Dectay 3 nessage to t r jttt ewe*: an t‫, ־‬em com
*
ote
pute!
Execute se!‫׳‬e‫׳‬al actons r one pass.

IraMe QfcontenT| Quiet access
|

FIG U R E 10.4: RemoteExec configuring File Execution

6. In the File execution settings, browse die executable file, select
Interactive from drop-down list of Context, and check the Auto option.
Note:

Using
RemoteExec, you can:
Install patches, service
packs, and hotfixes
Deploy Windows Installer
packages in silent mode
Run applications,
programs, and scripts
Copy files and folders

FIG U R E 10.5: RemoteExec File execution settings
0 3 Automated reports:
You may want to get all
these reports automatically
by email each time a
scheduled attempt has been
done. To do this, follow
the steps below

7. Configuring die Filter Section:
a. For the OS version, select = from die drop-down menu and specify die
operating system.
b. For the OS level, select = from die drop-down menu and select
Workstation.
c. For the IE version, select >= from die drop-down menu and specify the
IE version.




d. For die Service Pack, select = from die drop-down menu and speciiv
die service pack version.
hie

!eia Once installed,
RemoteExec aiid its
documentation are
accessible through die
Windows Start menu. By
default, RemoteExec is
installed in evaluation
mode.

Tods

V/niow

Hep

3• ^ ‫־‬eno:e£>ec
•3
11^ Reno* jobs
• B ^ Newrarote tfc

File execution

^

RenoteExeqReirote ]0b3/N rem job/^le executor
ew ote

! l o Update rstaloton
MSI rstalaMn *■:
SwteT Kton | 6 -!

[‫§ן‬

Schectie
save r My Rorct® Jobs

r-rj)«? C ra n !
D Jo

..loca( account rvam
cena
fflpo»M; <
‫ •י‬t+itr*e arm
NyR«n»»>90c «

La-nch

tjfr La/rh ‫חו‬a r»?/» tab

^
■
:

Mk n :»Atc ,”
v « o c rc

Ny ljr jet (.croj'.efc
•
ls»
Reports
ScredJcf ^ !
Opton^ - ' *

0 OS verson
B O S level

*

H K vcr»n

save r K‫׳‬y Rem Acsoot
ote

^

= ■.|| vw
v ndow 7/2XB
e

Save r My Target C»m
put«rc

> H] M * 1
-

•H Wortotatoo
j

!
□Regetry vw
kM

□ Oor't e:<e:j:e scan or a com
puter wne‫׳‬e tne actor aas ahead/exeo.ee

»‫״‬
C
oflnoute‫*׳‬

FIG U R E 10.6: RemoteExec Filter tab
C O ln ! e remote job was
automatically set with the
filter option, “Don’t
execute again on a
computer where the action
was already executed.” So,
even if several execution
attempts have been
scheduled, the installation
of Acrobat Reader is
executed only once on each
computer.

Selecting a Target Computer: Enter die target computer name manually by
selecting Name from the drop-down list and clicking OK.
tie

B

:cols

vnnoow

• 5

‫־‬

RenoteExec
£ 0 Rertote )005
1
j (‫)־‬
New remote jo
fc

I qgasssHi

____

File execution

^

Re‫׳‬roteE>e:/3emote jobs!New ‫־׳‬
errcre job/File execution

I MO Update nstabton
|

Laandi

Q?

Launch ina new tab

d

Schedule

P

r | 0 MS nstafexn
;
Systen actor
i‫״‬Cp Fie: Opecttx‫־‬

Save n M Remote jx k
y‫׳‬
S5ve n My Remote Actjors

Lx
cd

rS f
aaomtrranKTa...
h ■ Poxo
=-l§ mJtpfe actons
j•
‫ ©■־‬My Reroe Jets

^

Save n My Taraet Cwtdu^s

I

Nv Rerote Actons
Ny Tarost Cortxters
Reaxte‫׳‬
j• ■ Scheduler
•©
;

‫י‬V* O h rs
• Do

© C onfigure the report
you want to generate
automatically as if you
wanted to display it. When
you schedule a report, if
you select die latest
execution, the report is
always generated for die
latest execution.


X J
FIG U R E 10.7: RemoteExec Add/Edit a computer

9. To execute the defined action on die remote computer, click the Launch
option 111 the nglit pane of die window.


Ceh v8 labs module 05 system hacking

Ceh v8 labs module 05 system hacking

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (18)

Semelhante a Ceh v8 labs module 05 system hacking

Semelhante a Ceh v8 labs module 05 system hacking (20)

Último

Último (20)

Ceh v8 labs module 05 system hacking