EHCP Lec 13 System Hacking-II

The document discusses ethical hacking concepts, specifically focusing on privilege escalation techniques, including horizontal and vertical escalation. It details methods such as DLL hijacking and the execution of malicious applications, along with tools like RemoteExec and PDQ Deploy. Additionally, it covers keyloggers, spyware, rootkits, and NTFS data streams, highlighting their functionalities and security implications.

Uploaded by

Makeit Up
Copyright © All Rights Reserved

ETHICAL HACKING

CONCEPTS & PRACTICES


System Hacking P2

Presentation includes contents available online, including images copied from Google search and contents of presentations of other professors. I don’t claim any image or text to be my own. All the credit goes to the
ESCALATING PRIVILEGES
• ESCALATING PRIVILEGES:
• What to do after gaining access to the target.
• Before anything else after gaining access, you have to perform privilege escalation to obtain complete high-level access with no or limited restrictions.
• Privilege escalation is further classified into two types:
1. Horizontal privilege escalation
2. Vertical privilege escalation
ESCALATING PRIVILEGES
• HORIZONTAL PRIVILEGE ESCALATION:
• In horizontal privilege escalation, an attacker attempts to take over the privileges of another user whose account has the same set of privileges as his own.
• Horizontal privilege escalation occurs when an attacker attempts to gain access to the same set of resources allowed for that particular user.
ESCALATING PRIVILEGES
• VERTICAL PRIVILEGE ESCALATION:
• In vertical privilege escalation, an attacker attempts to escalate privileges to a higher level.
• Vertical privilege escalation occurs when an attacker attempts to gain access to a higher-privileged account, usually the administrator account.
• Higher privileges allow the attacker to access sensitive information and to install, modify and delete files and programs such as viruses, trojans, etc.
ESCALATING PRIVILEGES
• PRIVILEGE ESCALATION USING DLL HIJACKING:
• Applications need dynamic link libraries (DLLs) for their executable files to run.
• In the Windows operating system, most applications search for a DLL in a set of directories instead of using a fully qualified path.
• Taking advantage of this, an attacker replaces a legitimate DLL with a malicious one.
• Once a malicious DLL is given exactly the same name as the legitimate DLL and placed in the application directory, the executable will load the malicious DLL from the application directory instead of the real one.
ESCALATING PRIVILEGES
• PRIVILEGE ESCALATION USING DLL HIJACKING:
• A DLL hijacking tool, such as Metasploit, can be used to generate a DLL that returns a session with elevated privileges.
• This generated malicious DLL is renamed and placed in the application directory.
• When the application runs, it opens a session with SYSTEM privileges.
• On the Windows platform, known DLLs are specified in the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
ESCALATING PRIVILEGES
• PRIVILEGE ESCALATION USING DLL HIJACKING:
• An application searches for a DLL in an exact directory if it is configured with a fully qualified path; otherwise, if the application does not use a specified path, it may search the following search paths used by Microsoft:
• Directory of the application or current directory
• System directory (C:\Windows\System32)
• Windows directory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
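The search order above only becomes a problem when someone other than an administrator can drop a DLL into the directory that is searched first. The following PowerShell audit is an added example, not part of the lecture: it checks the ACL of one application directory for non-administrative write access, and lists the DLLs found there together with whether each name is on the KnownDLLs list (those are always loaded from System32, so they cannot be hijacked this way) and whether the file carries a valid Authenticode signature. The path in $AppDir and the trusted-principal list are assumptions; adjust them to the program being audited.

```powershell
# Added example (not from the lecture): audit one application's exposure to the
# "application directory first" DLL search order described in the slides.
# $AppDir is an assumed example path; point it at the program you are auditing.
param([string]$AppDir = 'C:\Program Files\ExampleApp')   # assumed path

# KnownDLLs are resolved from System32 regardless of the search order.
$knownKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$knownDlls = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
    Where-Object { "$($_.Value)" -like '*.dll' } |
    ForEach-Object { "$($_.Value)".ToLower() }

# Write access for these principals is expected; any other "Allow" write ACE is a finding.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Generic rights are displayed as raw numbers by .ToString(); review those ACEs by hand.
$weakAces = (Get-Acl -Path $AppDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData'
}

if ($weakAces) {
    Write-Warning "Non-administrative write access on $AppDir (a DLL could be planted here):"
    $weakAces | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative write access on $AppDir."
}

# Inventory the DLLs the loader would pick up from this directory.
Get-ChildItem -Path $AppDir -Filter '*.dll' -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Dll       = $_.Name
        KnownDll  = ($knownDlls -contains $_.Name.ToLower())   # loader ignores this copy if true
        SigStatus = $sig.Status                                # 'Valid' is what you want to see
        Signer    = $sig.SignerCertificate.Subject             # empty when the file is unsigned
    }
} | Sort-Object SigStatus | Format-Table -AutoSize
```

An unsigned DLL in a directory that a standard user can write to is the combination worth escalating to the application owner; KnownDLL names showing up there are harmless duplicates but still worth asking about.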
EXECUTING APPLICATIONS
• EXECUTING APPLICATIONS:
• Once an attacker gains unauthorized access to the system and escalates privileges, the next step is to execute malicious applications on the target system.
• This execution of malicious programs is intended to gain unauthorized access to system resources, crack passwords, set up backdoors, and serve other motives.
• These executable programs can be customized applications or readily available software.
• This process, the execution of the application, is also called "system owning": the attacker is said to own the system.
EXECUTING APPLICATIONS
• EXECUTING APPLICATIONS:
• The intentions or goals an attacker wants to achieve by executing such malicious applications are:
• Installation of malware to collect information.
• Setting up a backdoor to maintain access.
• Installing a cracker to crack passwords and scripts.
• Installing keyloggers to gather information via input devices such as the keyboard.
EXECUTING APPLICATIONS
• REMOTEEXEC:
• RemoteExec is software designed for remote installation of applications and remote execution of code and scripts.
• Additionally, RemoteExec can update files on the target system across a network. Major features offered by the RemoteExec application are:
• Deploying packages on the target system.
• Remote execution of programs and scripts.
• Scheduling execution for a particular date and time.
• Remote configuration management, such as modifying the registry, disabling accounts, and modifying and manipulating files.
• Remote control of the target system, such as power off, sleep, wake up, reboot, lock, etc.
EXECUTING APPLICATIONS
• PDQ DEPLOY:
• PDQ Deploy is a system administrator tool used to install software and push updates silently to remote systems.
• PDQ Deploy assists the admin in installing applications and software on a particular system as well as on multiple systems in a network.
• It can silently deploy almost any application (such as an .exe) to the target system.
• Using PDQ Deploy, you can install, uninstall, copy, execute and send files.
EXECUTING APPLICATIONS
• KEYLOGGERS:
• Keystroke logging, keylogging or keyboard capturing is the process of monitoring or recording the actions performed by a user, such as monitoring a user's keyboard input with a keylogger.
• Keyloggers can be either hardware or software.
• Besides keystrokes, keyloggers are also used to monitor data copied to the clipboard, screenshots captured by the user, and screen activity (screen logging) by capturing a screenshot at every moment, even on a mere mouse click.
TYPES OF KEYSTROKE LOGGERS
SOFTWARE KEYLOGGERS:
• Software-based keyloggers are installed remotely, or an attacker may send one to the user, who accidentally executes the application.
• Software keyloggers include:
• Application keyloggers
• Kernel keyloggers
• Hypervisor-based keyloggers
• Form-grabbing-based keyloggers
TYPES OF KEYSTROKE LOGGERS
HARDWARE KEYLOGGERS:
• Hardware-based keyloggers are physical devices installed on the hardware by physically accessing the machine.
• Firmware-based keyloggers require physical access to the machine to load the software into the BIOS; keyboard hardware such as the KeyGrabber USB is a physical device that needs to be installed inline with the keyboard.
TYPES OF KEYSTROKE LOGGERS
HARDWARE KEYLOGGERS:
• Hardware keyloggers are further classified into the following types:
• PC/BIOS embedded keyloggers
• Keyboard keyloggers
• External keyloggers
Hardware keyloggers and their websites (as listed on the slide):
• KeyGrabber USB: http://www.keydemon.com/
• KeyGrabber PS/2: http://www.keydemon.com/
• VideoGhost: http://www.keydemon.com/
• KeyGrabber Nano Wi-Fi: http://www.keydemon.com/
• KeyGrabber Wi-Fi Premium: http://www.keydemon.com/
• KeyGrabber TimeKeeper: http://www.keydemon.com/
• KeyGrabber Module: http://www.keydemon.com/
• KeyGhost USB Keylogger: http://
TYPES OF KEYSTROKE LOGGERS
ANTI-KEYLOGGERS:
• Anti-keyloggers are application software that ensures protection against keylogging.
• This software eliminates the threat of keylogging by providing SSL protection, keylogging protection, clipboard logging protection and screen logging protection.
• Some of the anti-keylogger software are listed below:
• Zemana Anti-Keylogger (https://www.zemana.com)
• SpyShelter Anti-Keylogger software (https://www.spyshelter.com)
• Anti-Keylogger (http://anti-keyloggers.com)
SPYWARE
• SPYWARE:
• Spyware is software designed to gather information about a user's interaction with a system, such as email addresses, login credentials and other details, without informing the user of the target system.
• Mostly, spyware is used for tracking the user's internet activity.
• The gathered information is sent to a remote destination.
• Spyware hides its files and processes to avoid detection.
SPYWARE
• TYPES OF SPYWARE:
• The most common types of spyware are:
• Adware
• System monitors
• Tracking cookies
• Trojans
SPYWARE
• FEATURES OF SPYWARE:
• Tracking users, such as keylogging
• Monitoring user activity, such as websites visited
• Recording conversations
• Blocking applications & services
• Remote delivery of logs
• Email communication tracking
SPYWARE
• FEATURES OF SPYWARE:
• Recording removable media communication, such as USB
• Voice recording
• Video recording
• Tracking location (GPS)
• Mobile tracking
HIDING FILES
• ROOTKITS:
• A rootkit is a collection of software designed to provide privileged access to a remote user over the target system.
• Mostly, rootkits are collections of malicious software deployed after an attack, when the attacker already has administrative access to the target system, in order to maintain that privileged access for the future.
• It creates a backdoor for the attacker.
• Rootkits often mask the existence of their software, which helps them avoid detection.
HIDING FILES
• TYPES OF ROOTKITS:
• Application-level rootkits: manipulate standard application files and modify the behaviour of the running application by injecting code.
• Kernel-level rootkits: the kernel is the core of an OS. Kernel-level rootkits add additional (malicious) code to, or replace sections of code in, the original operating system kernel.
HIDING FILES
• TYPES OF ROOTKITS:
• Hardware/firmware-level rootkits: rootkits that hide in hardware such as the hard drive, network interface card or system BIOS.
• These rootkits are built into a chipset for recovering stolen computers, deleting data, or rendering the computers useless.
• Additionally, such rootkits raise privacy and security concerns of undetectable spying.
• Hypervisor-level rootkits: exploit hardware virtualization features like AMD-V or Intel VT (hardware-assisted virtualization technologies) to host the target OS as a virtual machine.
HIDING FILES
• TYPES OF ROOTKITS:
• Boot loader-level rootkits: bootloader-level rootkits (bootkits) replace the legitimate boot loader with a malicious one, which enables the bootkit to be activated before the OS runs.
• Bootkits are a serious threat to system security because they can infect startup code such as the master boot record (MBR), volume boot record (VBR) or boot sector.
• They can be used to attack full disk encryption systems and to hack encryption keys and passwords.
HIDING FILES
• ROOTKIT TOOLS:
• Avatar
• Necurs
• Azazel
• ZeroAccess
HIDING FILES
• ROOTKIT TOOLS:
• Detecting & defending against rootkits: integrity-based detection, digital signatures, difference-based detection, behavioural detection, memory dumps, and other approaches can be used to detect rootkits.
• On the Unix platform, rootkit detection tools such as Zeppoo, chkrootkit and others are available.
• On Windows, Microsoft Sysinternals RootkitRevealer, Avast and Sophos anti-rootkit software are available.
NTFS DATA STREAM
• NTFS DATA STREAM:
• NTFS stands for New Technology File System.
• NTFS is a proprietary Windows file system by Microsoft.
• NTFS was the default file system of Windows NT 3.1.
• It is also the primary file system for the Windows 11, 10, 8, 7, Vista, XP, 2000, and Windows NT operating systems.
ALTERNATE DATA STREAM
• ALTERNATE DATA STREAM:
• Alternate Data Streams (ADS) is a file attribute of the NTFS file system.
• This feature of NTFS contains metadata for locating a particular file.
• The ADS feature was introduced for compatibility with the Macintosh Hierarchical File System (HFS).
• ADS is capable of hiding data inside an existing file without making any noticeable change to it.
• In a practical environment, ADS is a security threat because of its data-hiding capability: a malicious piece of data can be hidden in a file and executed whenever the attacker decides to run it.
ALTERNATE DATA STREAMS
DEMONSTRATION
D:\> echo Just a plain text file>sample.txt          (creates sample.txt in D:)
D:\> more < sample.txt                                (displays the contents of sample.txt)
D:\> echo This is hidden text>sample.txt:secret.txt  (writes the text into the alternate stream secret.txt of sample.txt)
D:\> more < sample.txt:secret.txt                     (displays the hidden stream)
D:\> dir /r                                           (lists the alternate data streams as well)
ALTERNATE DATA STREAM
• NTFS STREAMS COUNTERMEASURES:
• Third-party tools and techniques can provide security and protection from NTFS streams.
• The most basic method of dealing with a file suspected of carrying an NTFS stream is to move the file to a FAT partition.
• FAT does not support alternate data streams (ADS).
• Moving ADS from NTFS to a FAT partition will corrupt the file, since the stream cannot be carried over. Several tools such as ADS Spy, ADS Tools, LADS, Stream Armor and others can also detect and remove them completely.
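Before moving files to FAT or reaching for a third-party tool, Windows itself can enumerate the streams that the `dir /r` step of the demonstration revealed. The PowerShell function below is an added example, not part of the lecture: it walks a folder, lists every file that carries a stream other than the main `:$DATA` stream or the browser's `Zone.Identifier` mark-of-the-web, and shows how to read or drop a flagged stream. The path in $Root is an assumption; point it at the folder to be checked.

```powershell
# Added example (not part of the lecture): report alternate data streams under a
# folder, the situation the "echo ... > sample.txt:secret.txt" demonstration creates.
# ':$DATA' is the file's ordinary content and 'Zone.Identifier' is the mark-of-the-web
# added to downloads, so both are treated as expected; anything else is reported.
function Get-AdsReport {
    param(
        [string]$Root = 'D:\',                                    # assumed path
        [string[]]$ExpectedStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every named stream of the file, the same data 'dir /r' shows.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $ExpectedStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Review a flagged stream (read it, never run it), then drop it without touching the main data:
#   Get-Content -LiteralPath 'D:\sample.txt' -Stream 'secret.txt'
#   Remove-Item -LiteralPath 'D:\sample.txt' -Stream 'secret.txt'
Get-AdsReport -Root 'D:\' | Format-Table -AutoSize
```

Run against the demonstration folder it lists D:\sample.txt with stream secret.txt and its byte count; a stream of several kilobytes on an otherwise small file is the case that deserves a closer look.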
Q&A