As an ethical hacker, it is important to understand how files are hidden by attackers.
4.1. NTFS File Streaming
By using NTFS file streaming, you can effectively hide files in an NTFS environment.
Estimated Time: 15 minutes.
Type hack.exe > readme.txt:hack.exe
Start c: est eadme.txt:hack.exe
Exam Prep Questions
How can you determine if an LM hash you extracted contains a password that is fewer than eight characters long?
Which of the following is a well-known password-cracking program?
What did the following commands determine?
C: user2sid \truck guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is Truck
What is the RID of the true administrator?
What is the best alternative if you discover that a rootkit has been installed on one of your computers?
To increase password security, Microsoft added a second layer of encryption. What is this second later called?
SNMP is a protocol used to query hosts and other network devices about their network status. One of its key features is its use of network agents to collect and store management information, such as the number of error packets received by a managed device. Which of the following makes it a great target for hackers?
Which of the following is the best way to prevent the use of LM authentication in your Windows 2003 environment?
Which of the following tools can be used to clear the Windows logs?
What is one of the disadvantages of using John the Ripper?
You found the following command on a compromised system:
Type nc.exe > readme.txt:nc.exe
What is its purpose?
Which of the following uses the faster time-memory trade-off technique and works by precomputing all possible passwords in advance?
Why would an attacker scan for port 445?
You have downloaded a tool called SYSCracker, and you plan to use it to break SYSKEY encryption. The first thing the tool prompts you for is to set the level of SYSKEY encryption. How many bits are used for SYSKEY encryption?
You are trying to establish a null session to a target system. Which is the correct syntax?
Answers to Exam Questions
1. B. When looking at an extracted LM hash, you will sometimes observe that the rightmost portion is always the same. This is padding that has been added to a password fewer than eight characters long. The usual ending is 1404EE. Answer A is incorrect because even though a hash cannot be reversed, it is possible to recognize the padding in the hash. Answer C is incorrect, as the hash will not always start with AB923D. Answer D is incorrect, as the leftmost portion of the hash might not always be the same.
2. A. L0phtcrack is a well-known password-cracking program. Answer B is incorrect because even though Netcat is considered the Swiss army knife of hacking tools, it is not used for password cracking. Answer C is incorrect, as John the Ripper is the password hacking tool. Answer D is incorrect because Netbus is a Trojan program.
3. D. One important goal of enumeration is to determine the true administrator. In the question, the true administrator is Joe. Answer A is incorrect because the Joe account has a RID of 500. Answer B is incorrect because the commands issued do not show that the account is disabled, which is not the purpose of the tool. Answer C is incorrect, as the commands do not show that the guest account has been disabled.
4. C.. The administrator account has a RID of 500. Therefore, answers A, B, and D are incorrect. RIDs of 0 and 100 are not used, although 1000 is the first user account.
5. D.. If a rootkit is discovered, you will need to rebuild the OS and related files from known good media. This typically means performing a complete reinstall. Answers A, B, and C are incorrect because copying system files will do nothing to replace infected files; performing a trap and trace might identify how the attacker entered the system, but will not fix the damage done; and deleting the files will not ensure that all compromised files have been cleaned.
6. B. SYSKEY is the second layer of encryption used to further obfuscate Windows passwords. It features 128-bit encryption. Answer A is incorrect, as a salt is used by Linux for password encryption. Answer C is incorrect because SYS32 is an executable used by the Flux.e Trojan. Answer D is incorrect because SAM stores password and account information.
7. C. Most SNMP devices are configured with public and private as the default community strings. These are sent in cleartext. Answer A is incorrect because it is not enabled on all devices by default. Answer B is incorrect because it is not based on TCP; it is UDP based. Answer D is incorrect, as anyone can sniff it while in cleartext. The community strings are required to connect.
8. B. There are several ways to prevent the use of LM authentication in your Windows 2003 environment. The easiest is to use the NoLMHash Policy by Using Group Policy. Although you could edit the registry, being done incorrectly can cause serious problems that might require you to reinstall your operating system. Answer A is incorrect, as the LMshut tool does not accomplish the required task. Answer C is incorrect because Lsass generates the process responsible for authenticating users for the Winlogon service. Answer D is incorrect, as passwords would need to be at least 15 characters long, not 10.
9. B. Elsave is used to clear the log files. Answers A, C, and D are incorrect because Auditpol is used to disable auditing, PWdump is used to extract the hash, and Cain is used for a host of activities, such as password cracking, although clearing the logs is not one of them.
10. C. John the Ripper cannot differentiate between upper- and lowercase passwords. Answer A is incorrect because it can crack NTLM passwords. Answer B is incorrect, as separating the NTLM passwords into two halves actually speeds cracking. Answer D is incorrect, as John the Ripper can perform brute force cracks.
11. B. Alternate data streams are another type of named data stream that can be present within each file. The command streams Netcat behind readme.txt on an NTFS drive. Answers A, C, and D are incorrect because the command does not start a Netcat listener, it does not open a command shell, and it is not used to unstream Netcat.
12. A. Rainbow tables use the faster time-memory trade-off technique and work by precomputing all possible passwords in advance. Answers B, C, and D are all incorrect because they are the traditional methods used to crack passwords.
13. C. The SMB protocol is used for file sharing in Windows 2000. In 2000 and newer systems, Microsoft added the capability to run SMB directly over TCP port 445. Answer A is incorrect, as a scan probably will not DoS the server. Answer B is incorrect because it is not the most correct answer. Answer D is incorrect, as Windows NT systems do not run port 445 by default.
14. C. After Windows NT SYSKEY was no longer optional, it's enabled by default at installation time. After being activated, the hashes are encrypted yet another time before being stored in SAM. SYSKEY offers 128-bit encryption. Answer A is incorrect because SYSKEY does not offer 40-bit encryption. Answer B is incorrect, as SYSKEY does not offer 64-bit encryption. Answer D is incorrect because SYSKEY does not offer 256-bit encryption.
15. A. The proper syntax is net use \IP_addressIPC$ "" /u:"". Therefore, answers B, C, and D are incorrect.
Suggested Reading and Resources
www.systemtools.com/cgi-bin/download.pl?DumpAclDumpSec home page
http://evgenii.rudnyi.ru/programming.html#overviewSID2USER enumeration tools
www.securityfocus.com/infocus/1352Enumerating Windows systems
www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbd_trb_gtvp.aspNBTStat overview and uses
www.governmentsecurity.org/articles/ExploitingTheIPCShare.phpExploiting the IPC$ share
Linux and Automated Security Assessment Tools