Hiding Files | System Hacking



A hacker may want to hide files on a system to prevent their detection. These files may then be used to launch an attack on the system. There are two ways to hide files in Windows. The first is to use the attrib command. To hide a file with the attrib command, type the following at the command prompt:
attrib +h [file/directory]
The second way to hide a file in Windows is with NTFS alternate data streaming. NTFS file systems used by Windows NT, 2000, and XP have a feature called alternate data streams that allows data to be stored in hidden files linked to a normal, visible file. Streams aren't limited in size; more than one stream can be linked to a normal file.

NTFS File Streaming

NTFS file streaming allows a hidden file to be created within a legitimate file. The hidden file does not appear in a directory listing, but the legitimate file does. A user would usually not suspect the legitimate file, but the hidden file can be used to store or transmit information. In the following exercise, you'll learn how to hide files using NTFS file streaming.
Exercise : Hiding Files Using NTFS File Streaming

Note 
This exercise will only work on systems using the NTFS file system.

To create and test an NTFS file stream:
  1. At the command line, enter notepad test.txt.
  2. Put some data in the file, save the file, and close Notepad. Step 1 will open Notepad.
  3. At the command line, enter dir test.txt and note the file size.
  4. At the command line, enter notepad test.txt:hidden.txt. Type some text into Notepad, save the file, and close it.
  5. Check the file size again (it should be the same as in step 3).
  6. Open test.txt. You see only the original data.
  7. Enter type test.txt:hidden.txt at the command line. A syntax error message is displayed.

NTFS Stream Countermeasures

To delete a stream file, copy the first file to a FAT partition, and then copy it back to an NTFS partition.
Streams are lost when the file is moved to a FAT partition because they're a feature of NTFS and therefore exist only on an NTFS partition.
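Before a stream can be removed it has to be found. The following is an added example, not part of the original text: it parses the output of dir /R (a switch available on Windows Vista and later that lists streams under each file) and reports named streams. The sample listing is constructed, and the function name and the ignore list are assumptions of this example.

```python
import re

# Constructed sample of `dir /R` output (not captured from a real system).
SAMPLE_DIR_R = r"""
 Directory of C:\work

03/14/2024  09:12 AM                24 test.txt
                                    31 test.txt:hidden.txt:$DATA
03/14/2024  09:15 AM            51,200 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
03/14/2024  09:20 AM             1,024 notes.txt
"""

# A stream line carries no date/time columns: only a size and
# host_file:stream_name:$DATA, indented under the file it belongs to.
STREAM_LINE = re.compile(r"^\s+([\d,.]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Zone.Identifier is written by Windows itself to mark downloaded files,
# so it is ignored by default (assumption of this example).
BENIGN_STREAMS = frozenset({"Zone.Identifier"})


def find_named_streams(dir_r_output, ignore=BENIGN_STREAMS):
    """Return one record per alternate data stream found in the listing."""
    findings = []
    for line in dir_r_output.splitlines():
        match = STREAM_LINE.match(line)
        if not match:
            continue  # ordinary file line, header, or blank line
        size = int(re.sub(r"[,.]", "", match.group(1)))
        host, stream = match.group(2), match.group(3)
        if stream in ignore:
            continue
        findings.append({"file": host, "stream": stream, "bytes": size})
    return findings


if __name__ == "__main__":
    for hit in find_named_streams(SAMPLE_DIR_R):
        print("{file} carries stream '{stream}' ({bytes} bytes)".format(**hit))
```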

Understanding Rootkits



A rootkit is a type of program often used to hide utilities on a compromised system. Rootkits include so-called backdoors to help an attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. A backdoor may also allow processes started by a nonprivileged user to execute functions normally reserved for the administrator. A rootkit is frequently used to allow the programmer of the rootkit to see and access usernames and log-in information for sites that require them.
There are several types of rootkits, including the following:
  • Kernel-Level Rootkits: Kernel-level rootkits add code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as loadable kernel modules in Linux or device drivers in Windows. Kernel-level rootkits are especially dangerous because they can be difficult to detect without appropriate software.
  • Library-Level Rootkits: Library-level rootkits commonly patch, hook, or replace system calls with versions that hide information that might allow the hacker to be identified.
  • Application-Level Rootkits: Application-level rootkits may replace regular application binaries with Trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
In the following sections, we'll explore the process of infecting a system with a rootkit.

Planting Rootkits on Windows 2000 and XP Machines

The Windows NT/2000 rootkit is built as a kernel-mode driver, which can be dynamically loaded at runtime. The rootkit runs with system privileges at the core of the NT kernel, so it has access to all the resources of the operating system. The rootkit can also hide processes, hide files, hide Registry entries, intercept keystrokes typed at the system console, issue a debug interrupt to cause a blue screen of death, and redirect EXE files.
The rootkit contains a kernel mode device driver called _root_.sys and a launcher program called DEPLOY.EXE. After gaining access to the target system, the attacker copies _root_.sys and DEPLOY.EXE onto the target system and executes DEPLOY.EXE. Doing so installs the rootkit device driver and starts it. The attacker later deletes DEPLOY.EXE from the target machine. The attacker can then stop and restart the rootkit at will by using the commands net stop _root_ and net start _root_. Once the rootkit is started, the file _root_.sys no longer appears in directory listings; the rootkit intercepts system calls for file listings and hides all files beginning with _root_ from display.

Rootkit Embedded TCP/IP Stack

A new feature of the Windows NT/2000 rootkit is a stateless TCP/IP stack. It works by determining the state of the connection based on the data in the incoming packet. The rootkit has a hard-coded IP address (10.0.0.166) to which it will respond. The rootkit uses raw Ethernet connections to the system's network card, so it's very powerful. The target port doesn't matter; a hacker can telnet to any port on the system. In addition, multiple people can log into the rootkit at once.

Rootkit Countermeasures

All rootkits require administrator access to the target system, so password security is critical. If you detect a rootkit, you should back up critical data and reinstall the operating system and applications from a trusted source. The administrator should also keep available a well-documented automated installation procedure and trusted restoration media.
Another countermeasure is to use the MD5 checksum utility. The MD5 checksum for a file is a 128-bit value, something like the file's fingerprint. (There is a small possibility of getting two identical checksums for two different files.) This algorithm is designed so that changing even one bit in the file data causes a different checksum value. This feature can be useful for comparing files and ensuring their integrity. Another good feature is the checksum's fixed length, regardless of the size of the source file.
The MD5 checksum makes sure a file hasn't changed. This can be useful in checking file integrity if a rootkit has been found on a system. Tools such as Tripwire implement MD5 checksums to identify files affected by the rootkit.
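The checksum comparison described above can be sketched as a baseline-and-verify routine. This is an added example, not code from the original text or from Tripwire; the function names and file names are assumptions. It defaults to SHA-256 but accepts "md5" as the algorithm to reproduce the 128-bit checksum the text describes.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map each file's path (relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full, algorithm)
    return baseline


def compare(baseline, current):
    """Report files whose digest changed, disappeared, or newly appeared."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: one file altered by a single bit, one file added."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("login.exe", b"original binary"),
                           ("net.exe", b"untouched")):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = build_baseline(root)  # taken while the system is known good

        # Flip the lowest bit of the first byte: 'o' (0x6f) becomes 'n' (0x6e).
        with open(os.path.join(root, "login.exe"), "r+b") as handle:
            first = handle.read(1)
            handle.seek(0)
            handle.write(bytes([first[0] ^ 0x01]))
        with open(os.path.join(root, "unexpected.sys"), "wb") as handle:
            handle.write(b"constructed placeholder bytes")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Run the comparison from trusted media or from another host, because a rootkit that intercepts file reads on the live system can hand the checker the original bytes.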

Escalating Privileges | System Hacking



Escalating privileges is the third step in the hacking cycle. Escalating privileges basically means adding more rights or permissions to a user account. Simply said, escalating privileges makes a regular user account into an administrator account.
Generally, administrator accounts have more stringent password requirements, and their passwords are more closely guarded. If it isn't possible to find a username and password of an account with administrator privileges, a hacker may choose to use an account with lower privileges. In this case, the hacker must then escalate that account's privileges.
This is accomplished by first gaining access using a nonadministrator user account—typically by gathering the username and password through one of the previously discussed methods—and then increasing the privileges on the account to the level of an administrator.
Once a hacker has a valid user account and password, the next step is to execute applications. Generally the hacker needs to have an account with administrator-level access in order to install programs, and that is why escalating privileges is so important. In the following sections, we'll see what hackers can do with your system once they have administrator privileges.

Executing Applications

Once a hacker has been able to access an account with administrator privileges, the next thing they do is execute applications on the target system. The purpose of executing applications may be to install a backdoor on the system, install a keystroke logger to gather confidential information, copy files, or just cause damage to the system—essentially, anything the hacker wants to do on the system.
Once the hacker is able to execute applications, the system is considered owned and under the control of the hacker.

Buffer Overflows

Buffer overflows are hacking attempts that exploit a flaw in an application's code. Essentially, the buffer overflow attack sends too much information to a field variable in an application, which can cause an application error. Most times, the application doesn't know what action to perform next because it's been overwritten with the overflow data. Therefore, it either executes the command in the overflow data or displays a command prompt to allow the user to enter the next command. The command prompt or shell is the key for a hacker and can be used to execute other applications.

Understanding Keyloggers and other Spyware Technologies



If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers. Keystroke loggers (keyloggers) can be implemented either using hardware or software. Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device. In order to install a hardware keylogger, a hacker must have physical access to the system.
Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system so that they can record every keystroke. Software keyloggers can be deployed on a system by Trojans or viruses.

NetBIOS DoS Attacks



A NetBIOS denial-of-service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS Name Service on a target Windows system and forces the system to place its name in conflict so that the name can no longer be used. This essentially blocks the client from participating in the NetBIOS network and creates a network DoS for that system.
Another way to create a more secure and memorable password is to follow a repeatable pattern, which will enable the password to be re-created when needed.
  1. Start with a memorable phrase, such as
    • Maryhadalittlelamb
  2. Change every other character to uppercase, resulting in
    • MaRyHaDaLiTtLeLaMb
  3. Change a to @ and i to 1 to yield
    • M@RyH@D@L1TtLeL@Mb
  4. Drop every other pair to result in a secure repeatable password or
    • M@H@L1LeMb
Now you have a password that meets all the requirements, yet can be "remade" if necessary.

Password-Cracking Countermeasures



The strongest passwords possible should be implemented to protect against password cracking. Systems should enforce 8–12-character alphanumeric passwords. The length of time the same password should be used is discussed in the next section.
To protect against cracking of the hashing algorithm for passwords stored on the server, you must take care to physically isolate and protect the server. The system administrator can use the SYSKEY utility in Windows to further protect hashes stored on the server's hard disk. The server logs should also be monitored for brute-force attacks on user accounts.
A system administrator can implement the following security precautions to decrease the effectiveness of a brute-force password-cracking attempt:
  • Never leave a default password.
  • Never use a password that can be found in a dictionary.
  • Never use a password related to the hostname, domain name, or anything else that can be found with Whois.
  • Never use a password related to your hobbies, pets, relatives, or date of birth.
  • As a last resort, use a word that has more than 21 characters from a dictionary as a password.
Note 
This subject is discussed further in the section "Monitoring Event Viewer Logs," later in this chapter.
In the following sections, we'll look at two measures you can take to strengthen passwords and prevent password-cracking.

Password Change Interval

Passwords should expire after a certain amount of time so that users are forced to change them. If the password interval is set too low, users will forget their current passwords; as a result, a system administrator will have to reset users' passwords frequently. On the other hand, if passwords are allowed to be used for too long, security may be compromised. The recommended password-change interval is every 30 days. In addition, most security professionals recommend that users not be allowed to reuse the last three passwords.
Note 
You cannot completely block brute-force password attacks if the hacker switches the proxy server where the source packet is generated. A system administrator can only add security features to decrease the likelihood that brute-force password attacks will be useful.

Monitoring Event Viewer Logs

Administrators should monitor Event Viewer logs to recognize any intrusion attempts either before they take place or while they're occurring. Generally, several failed attempts are logged in the system logs before a successful intrusion or password attack. The security logs are only as good as the system administrators who monitor them.
Tools such as VisualLast aid a network administrator in deciphering and analyzing the security log files. VisualLast provides greater insight into the NT event logs so the administrator can assess the activity of the network more accurately and efficiently. The program is designed to allow network administrators to view and report individual users' logon and logoff times; these events may be searched according to time frame, which is invaluable to security analysts who are looking for intrusion details.
The event log located at c:\windows\system32\config\Sec.Event.Evt contains the trace of an attacker's brute-force attempts.
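The pattern described in this section, several failed attempts followed by a successful logon, can be detected automatically. The following is an added example, not part of the original text: the log lines are constructed, the one-line-per-event format is an assumption, and the event IDs are those of current Windows security logs (4625 for a failed logon, 4624 for a successful one). Failures are counted per account rather than per source address, since the source can change between attempts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event ID, account, source address.
SAMPLE_EVENTS = """\
2024-03-14T09:00:01 4625 administrator 203.0.113.7
2024-03-14T09:00:09 4625 administrator 203.0.113.7
2024-03-14T09:00:15 4625 alice 10.0.0.21
2024-03-14T09:00:18 4625 administrator 198.51.100.4
2024-03-14T09:00:26 4625 administrator 198.51.100.4
2024-03-14T09:00:31 4624 alice 10.0.0.21
2024-03-14T09:00:40 4625 administrator 203.0.113.7
2024-03-14T09:01:02 4624 administrator 203.0.113.7
2024-03-14T09:10:00 4625 bob 10.0.0.35
2024-03-14T09:25:00 4625 bob 10.0.0.35
"""

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag accounts with `threshold` failures inside `window`, and any
    successful logon that arrives while such a burst is still in the window."""
    recent = defaultdict(deque)  # account -> (time, source) of recent failures
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        stamp, event_id, account, source = parts
        when = datetime.fromisoformat(stamp)
        account = account.lower()
        failures = recent[account]
        while failures and when - failures[0][0] > window:
            failures.popleft()  # forget failures older than the window
        if event_id == FAILED_LOGON:
            failures.append((when, source))
            if len(failures) == threshold:
                sources = sorted({src for _, src in failures})
                alerts.append(("burst", account, stamp, sources))
        elif event_id == SUCCESSFUL_LOGON:
            if len(failures) >= threshold:
                sources = sorted({src for _, src in failures})
                alerts.append(("success_after_burst", account, stamp, sources))
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```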

Redirecting the SMB Logon to the Attacker



Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the passwords are sent to the hacker. In order to do this, the hacker must sniff the NTLM responses from the authentication server and trick the victim into attempting Windows authentication with the attacker's computer. A common technique is to send the victim an email message with an embedded link to a fraudulent SMB server. When the link is clicked, the user unwittingly sends their credentials over the network.
  • SMBRelay: An SMB server that captures usernames and password hashes from incoming SMB traffic. SMBRelay can also perform man-in-the-middle (MITM) attacks.
  • SMBRelay2: Similar to SMBRelay but uses NetBIOS names instead of IP addresses to capture usernames and passwords.
  • pwdump2: A program that extracts the password hashes from a SAM file on a Windows system. The extracted password hashes can then be run through L0phtCrack to break the passwords.
  • Samdump: Another program that extracts NTLM hashed passwords from a SAM file.
  • C2MYAZZ: A spyware program that makes Windows clients send their passwords as cleartext. It displays usernames and their passwords as users attach to server resources.

Cracking Windows 2000 Passwords



The SAM file in Windows contains the usernames and hashed passwords. It's located in the Windows\system32\config directory. The file is locked when the operating system is running so that a hacker can't attempt to copy the file while the machine is booted to Windows.
One option for copying the SAM file is to boot to an alternate operating system such as DOS or Linux with a boot CD. Alternately, the file can be copied from the repair directory. If a system administrator uses the RDISK feature of Windows to back up the system, then a compressed copy of the SAM file called SAM._ is created in C:\windows\repair. To expand this file, use the following command at the command prompt:
  C:\>expand sam._ sam
After the file is uncompressed, a dictionary, hybrid, or brute-force attack can be run against the SAM file using a tool like L0phtCrack. A similar tool to L0phtcrack is Ophcrack. Exercise 1 illustrates how to use Ophcrack to crack passwords.
Exercise 1: Use Ophcrack to Crack Passwords

  1. Download and install ophcrack from http://ophcrack.sourceforge.net/.
  2. Run the ophcrack program and set the number of threads under the Preferences tab to the number of cores of the computer running ophcrack plus one. If you change this value, you have to exit ophcrack and restart it in order to save the change.
    Note 
    This step is optional but will speed up the cracking process.
  3. Click the Load button to add hashes. There are numerous ways to add the hashes:
    • Enter the hash manually (Single Hash option)
    • Import a text file containing hashes you created with pwdump, fgdump, or similar third-party tools (PWDUMP File option)
    • Extract the hashes from the SYSTEM and SAM files (Encrypted SAM option)
    • Dump the SAM from the computer ophcrack is running on (Local SAM option)
    • Dump the SAM from a remote computer (Remote SAM option)
    Note 
    For the Encrypted SAM option, the SAM is located under the Windows system32/config directory and can only be accessed for a Windows partition that is not running. For the Local SAM and Remote SAM options, you must be logged in with the administrator rights on the computer you want to dump the SAM.
  4. Click the Tables button.
  5. Click the enable (green and yellow) buttons.
  6. Using the up and down arrows, sort the rainbow tables you are going to use. Keep in mind that storing the rainbow tables on a fast medium like a hard disk will significantly speed up the cracking process.
  7. Click the Crack button to start the cracking process. You'll see the progress of the cracking process in the bottom boxes of the ophcrack window. When a password is found, it will be displayed in the NT Pwd field. You can save the results of a cracking session at any time by clicking the Save button.

Cracking a Password



Manual password cracking involves attempting to log on with different passwords. The hacker follows these steps:
  1. Find a valid user account (such as Administrator or Guest).
  2. Create a list of possible passwords.
  3. Rank the passwords from high to low probability.
  4. Key in each password.
  5. Try again until a successful password is found.
A hacker can also create a script file that tries each password in a list. This is still considered manual cracking, but it's time consuming and not usually effective.
A more efficient way of cracking a password is to gain access to the password file on a system. Most systems hash (one-way encrypt) a password for storage on a system. During the logon process, the password entered by the user is hashed using the same algorithm and then compared to the hashed passwords stored in the file. A hacker can attempt to gain access to the hashing algorithm stored on the server instead of trying to guess or otherwise identify the password. If the hacker is successful, they can decrypt the passwords stored on the server.
Note 
Passwords are stored in the Security Accounts Manager (SAM) file on a Windows system and in a password shadow file on a Linux system.
