Ethical Hacking and Countermeasures
System Hacking

Exam 312-50 Certified Ethical Hacker

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Detecting Text and Image Steganography

Steganography is the art of hiding confidential or sensitive information inside a cover medium. Unused or redundant bits in computer files such as graphics, digital images, text, HTML and so on are used to hide the information from unauthorised users. How hidden data is detected depends on the type of file that carries it, and each file type calls for its own detection method. Hiding a message so that only the intended recipient, who knows it is there, can read or recover it means altering the cover (carrier) file, and the nature of that alteration depends on the carrier's type. Steganalysis therefore looks for the traces those alterations leave.

Text Files
In text files the data is hidden by altering character positions and spacing. These alterations can be detected by looking for unusual text patterns or disturbances, the language used, line height, and an unusual number of blank spaces (for example, runs of trailing spaces and tabs at the ends of lines).
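As an added example (not code from the courseware), the following Python checks the "unusual blank spaces" indicator: it counts lines that end in whitespace, notes whether those tails mix spaces and tabs, and then tries to decode them under an assumed encoding of one payload bit per trailing character (space for 0, tab for 1, eight per line). Real tools such as SNOW use their own trailing-whitespace scheme; the embedder here is a constructed stand-in so the detector can be exercised offline.

```python
"""Detect and decode trailing-whitespace steganography in a text file."""

BITS_PER_LINE = 8  # assumed layout: one payload byte per carrier line


def hide_trailing(cover_text, payload):
    """Constructed embedder (not a real tool's format): appends one byte of payload
    to each line as eight trailing characters, space for 0 and tab for 1."""
    lines = cover_text.split("\n")
    if len(payload) > len(lines):
        raise ValueError("cover has too few lines for the payload")
    out = []
    for i, line in enumerate(lines):
        if i < len(payload):
            tail = "".join("\t" if (payload[i] >> (7 - b)) & 1 else " " for b in range(BITS_PER_LINE))
            line = line.rstrip(" \t") + tail
        out.append(line)
    return "\n".join(out)


def _tail(line):
    """The run of spaces/tabs at the end of a line ('' if there is none)."""
    return line[len(line.rstrip(" \t")):]


def trailing_whitespace_report(text):
    """The indicator itself: ordinary prose rarely ends lines in blanks, and almost
    never in a mix of spaces and tabs, so count both."""
    lines = text.split("\n")
    suspects = [ln for ln in lines if _tail(ln)]
    mixed = [ln for ln in suspects if " " in _tail(ln) and "\t" in _tail(ln)]
    return {"lines": len(lines), "trailing": len(suspects), "mixed": len(mixed)}


def decode_trailing(text):
    """Recover payload bytes under the assumed encoding; stops at the first line
    whose tail is not exactly BITS_PER_LINE blanks."""
    out = bytearray()
    for ln in text.split("\n"):
        tail = _tail(ln)
        if len(tail) != BITS_PER_LINE:
            break
        out.append(int("".join("1" if c == "\t" else "0" for c in tail), 2))
    return bytes(out)


if __name__ == "__main__":
    # Constructed cover text and payload for the demo.
    cover = "The quick brown fox\njumps over\nthe lazy dog\nend"
    stego = hide_trailing(cover, b"Hi")
    print(trailing_whitespace_report(cover), trailing_whitespace_report(stego))
    print(decode_trailing(stego))
```

On a real suspect file you would run only the report and decoder; a high ratio of trailing-blank lines, especially mixed space/tab tails, is the cue to try the known encodings.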
Image Files
Information hidden in an image can be detected by looking for changes in file size, file format, the last-modified timestamp and the colour palette of the file. These comparisons need a known-good copy of the original, or at least a baseline of what the source normally produces: a lone file with a plausible size and timestamp reveals nothing on its own, which is why statistical methods are used when no original is available.

Module 05 Page 796
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


Statistical analysis can be used when scanning an image. It is tempting to assume that the least significant bits (LSBs) of a clean image are more or less random, but that assumption is wrong: applying a filter that displays only the LSB plane of an untouched photograph usually produces a recognisable, if noisy, version of the picture. The LSBs are therefore not random; they still carry information about the image as a whole, and their statistics (for instance the relative frequencies of neighbouring even and odd pixel values) reflect the image content.

Once a secret message is embedded by overwriting the LSBs, that structure is destroyed. Encrypted or compressed payloads have high entropy, so after embedding the LSB plane no longer contains information about the original image and looks more or less random. Statistical analysis of the LSB plane exploits exactly this difference: it measures how far the observed LSB distribution is from the equalised distribution that random-bit embedding produces, and so tells genuinely image-derived values apart from embedded ones.
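The classic form of this analysis is the pairs-of-values chi-square test (Westfeld and Pfitzmann's attack on sequential LSB embedding). The Python below is an added example, not code from the courseware: it builds a constructed 128x128 greyscale cover that is posterised to multiples of four (so its LSB plane is all zeros, an extreme case of LSBs that follow image content rather than noise), embeds pseudo-random bytes standing in for an encrypted message, and runs the test on both versions. The 2.0 ratio cut-off and the image dimensions are assumptions for the demo. The same statistic applies unchanged to 16-bit PCM audio samples, which is why the audio section below says LSB statistics work there too.

```python
"""LSB embedding and pairs-of-values (PoV) chi-square steganalysis on a greyscale image."""
import random

WIDTH, HEIGHT = 128, 128  # constructed image size (assumption for this demo)


def make_cover():
    """Constructed cover: a posterised texture with 64 grey levels, all multiples of 4.
    Its LSB plane is therefore all zeros; the LSBs are tied to the content, not random."""
    return [((x * 7 + y * 3) % 64) * 4 for y in range(HEIGHT) for x in range(WIDTH)]


def embed_lsb(pixels, payload):
    """LSB replacement: overwrite the least significant bit of successive pixels with
    the payload bits, most significant bit of each byte first."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the cover")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels, nbytes):
    """Recover nbytes of payload embedded by embed_lsb."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for pixel in pixels[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (pixel & 1)
        out.append(byte)
    return bytes(out)


def lsb_plane(pixels):
    """The 'filter that shows the LSBs': a 0/1 image of the lowest bit plane."""
    return [p & 1 for p in pixels]


def pov_chi_square(pixels):
    """Pairs-of-values test. LSB embedding of random bits only moves pixels between
    2k and 2k+1 and drives those two counts towards equality. For each pair compare
    the observed count of 2k with the expected (n_2k + n_2k+1) / 2 and sum the
    chi-square terms. Returns (chi2, degrees_of_freedom)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, categories = 0.0, 0
    for k in range(128):
        total = hist[2 * k] + hist[2 * k + 1]
        if total == 0:
            continue  # pair absent from the image, contributes nothing
        expected = total / 2.0
        chi2 += (hist[2 * k] - expected) ** 2 / expected
        categories += 1
    return chi2, max(categories - 1, 1)


def looks_embedded(pixels, max_ratio=2.0):
    """A fully embedded image gives chi2 close to its degrees of freedom (ratio ~1);
    an untouched image whose LSBs follow the content gives a far larger ratio.
    The cut-off is a demo threshold, not a calibrated detector setting."""
    chi2, dof = pov_chi_square(pixels)
    return chi2 / dof < max_ratio


def demo():
    cover = make_cover()
    # Constructed payload: pseudo-random bytes stand in for an encrypted message
    # and fill every pixel of the cover (sequential, 100% capacity).
    rng = random.Random(2024)
    payload = bytes(rng.getrandbits(8) for _ in range(WIDTH * HEIGHT // 8))
    stego = embed_lsb(cover, payload)
    return {
        "cover_chi2": pov_chi_square(cover),
        "stego_chi2": pov_chi_square(stego),
        "cover_flagged": looks_embedded(cover),
        "stego_flagged": looks_embedded(stego),
        "roundtrip_ok": extract_lsb(stego, len(payload)) == payload,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the cover every nonempty pair holds 256 pixels, all even, so each pair contributes (256 - 128)^2 / 128 = 128 and the statistic is 8192 against 63 degrees of freedom; after embedding the even/odd counts are binomially balanced and the statistic drops to the order of its degrees of freedom. On real photographs the clean-image ratio is smaller than this extreme case, and partial or non-sequential embedding weakens the test, which is why production tools scan the image in windows and report a per-window probability.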


Detecting Audio and Video Steganography

Audio Files
In audio steganography, confidential information such as private documents and files is embedded in digital sound. The hidden documents can be detected in the following ways:
- Statistical analysis can also be used for audio files, since LSB modification is applied to audio samples just as it is to image pixels
- The inaudible frequencies can be scanned for information
- Odd distortions and patterns indicate the presence of secret data

Video Files
In video steganography, confidential information, or any kind of file with any extension, is hidden in a carrier video file using either audio steganography or image steganography tools. Detecting secret data in video files therefore combines the methods used for image and audio files. Special code signs and gestures can also be used for detecting secret data.


Steganography Detection Tool: Gargoyle Investigator™ Forensic Pro

Source: http://www.wetstonetech.com
Gargoyle Investigator™ Forensic Pro is a tool that conducts quick searches on a given computer, or on a set of machines, for known contraband and malicious programs. Because the search is conducted for the individual files associated with a particular program, it can find remnants even after the program has been removed. Its signature set contains over 20 categories, including botnets, Trojans, steganography, encryption, keyloggers, etc., and helps in detecting stego files created with BlindSide, WeavWav, S-Tools, etc. It can scan a stand-alone computer or network resources for known malicious programs, and can scan inside archive files. Note that a signature-based scan of this kind finds the steganography tool and its leftovers, not the hidden payload itself; the statistical methods described above are still needed to show that a particular carrier file contains data.


FIGURE 5.80: Gargoyle Investigator™ Forensic Pro Screenshot

FIGURE 5.80: Gargoyle Investigator™ Forensic Pro Timeline Result Screenshot


Steganography Detection Tools

Steganography detection tools allow you to detect, and in some cases recover, hidden information in digital media such as images, audio and video. The following is a list of steganography detection tools:
- Xstegsecret, available at http://stegsecret.sourceforge.net
- Stego Suite, available at http://www.wetstonetech.com
- StegAlyzerAS, available at http://www.sarc-wv.com
- StegAlyzerRTS, available at http://www.sarc-wv.com
- StegSpy, available at http://www.spy-hunter.com
- StegAlyzerSS, available at http://www.sarc-wv.com
- StegMark SDK, available at http://www.datamark.com.sg
- Steganography Studio, available at http://stegstudio.sourceforge.net
- Virtual Steganographic Laboratory (VSL), available at http://vsl.sourceforge.net
- Stegdetect, available at http://www.outguess.org

System Hacking Steps

Once the attacker has broken into the target network or computer successfully, he or she tries to avoid being detected or traced. Thus, the attacker tries to cover all the tracks or logs generated during his or her attempts to gain access to the target network or computer.

- Cracking Passwords
- Escalating Privileges
- Executing Applications
- Hiding Files
- Covering Tracks
- Penetration Testing


Why Cover Tracks?
The successful compromise of a system is not the attacker's complete job. It also involves disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his or her tracks. The attacker must clear the evidence of "having been there and done the damage." Erasing the intrusion logs, tracking files and attack processes is crucial for an attacker, because those messages can alert the actual owner of the system to change the security settings and prevent future attacks. If that happens, the attacker is left with no chance of logging back into the system to continue the attack. Hence, an attacker needs to destroy the evidence of intrusion to maintain access and evade detection. If the attacker covers or deletes their tracks, he or she can log back into the system and install backdoors, and can then harvest users' sensitive information such as bank account user names and passwords, email IDs, etc.

The attacker may not wish to delete an entire log to cover his or her tracks, since that may require administrative privileges and an emptied log is itself a conspicuous sign of tampering. If the attacker is able to delete only the log entries produced by the attack, he or she can still hide from detection.
The attacker can manipulate the following log files:
- SECEVENT.EVT (security): failed logins, accessing files without privileges
- SYSEVENT.EVT (system): driver failures, things not operating correctly
- APPEVENT.EVT (applications)

These .EVT files are the legacy NT-era log format. On Windows Vista and later the same logs are kept as Security.evtx, System.evtx and Application.evtx under %SystemRoot%\System32\winevt\Logs, and clearing them leaves its own trace: Security event ID 1102 when the Security log is cleared, and System event ID 104 when the System or Application log is cleared.
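As an added example (not code from the courseware), the following Python runs the checks a responder would apply to an exported set of event records to spot exactly this kind of tampering: an explicit log-cleared event (Security 1102, System 104), a hole in a log's record-number sequence, and a record whose timestamp is earlier than its predecessor's. The records are constructed for the demo; real ones would come from an EVTX export with the same four fields (channel, record number, event ID, creation time), and the field names used here are this example's own.

```python
"""Spot signs of event-log tampering in an exported set of Windows event records."""
from datetime import datetime

# Logged by the Microsoft-Windows-Eventlog provider when a log is cleared:
# Security 1102 ("The audit log was cleared"), System 104 ("The ... log file was cleared").
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Constructed sample records, not from a real host. Map the field names from your
# export's Channel / EventRecordID / EventID / TimeCreated.
SAMPLE_RECORDS = [
    {"channel": "Security", "record_id": 1, "event_id": 1102, "time": "2024-03-01T08:15:00"},
    {"channel": "Security", "record_id": 2, "event_id": 4624, "time": "2024-03-01T08:16:00"},
    {"channel": "Security", "record_id": 3, "event_id": 4672, "time": "2024-03-01T08:10:00"},
    {"channel": "Security", "record_id": 4, "event_id": 4625, "time": "2024-03-01T08:17:00"},
    {"channel": "System", "record_id": 901, "event_id": 7036, "time": "2024-03-01T07:59:00"},
    {"channel": "System", "record_id": 904, "event_id": 7036, "time": "2024-03-01T08:20:00"},
    {"channel": "System", "record_id": 905, "event_id": 7036, "time": "2024-03-01T08:21:00"},
]


def _by_channel(records):
    """Group records per log and order each group by record number (write order)."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["channel"], []).append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r["record_id"])
    return groups


def find_log_clears(records):
    """Explicit 'log cleared' events: their timestamp is when the wipe happened, and
    everything written to that log before it is gone."""
    return [(r["channel"], r["record_id"], r["time"])
            for recs in _by_channel(records).values() for r in recs
            if (r["channel"], r["event_id"]) in LOG_CLEARED_IDS]


def find_record_gaps(records):
    """Record numbers within one log are assigned sequentially, so a hole inside an
    unfiltered export means records were removed after being written."""
    gaps = []
    for channel, recs in _by_channel(records).items():
        for prev, cur in zip(recs, recs[1:]):
            if cur["record_id"] != prev["record_id"] + 1:
                gaps.append((channel, prev["record_id"], cur["record_id"]))
    return gaps


def find_time_reversals(records):
    """A later record with an earlier timestamp: either the clock was moved back or
    the record was edited or injected. Worth explaining either way."""
    reversals = []
    for channel, recs in _by_channel(records).items():
        for prev, cur in zip(recs, recs[1:]):
            if datetime.fromisoformat(cur["time"]) < datetime.fromisoformat(prev["time"]):
                reversals.append((channel, prev["record_id"], cur["record_id"]))
    return reversals


def audit(records):
    """All three checks over one export, keyed by finding type."""
    return {"cleared": find_log_clears(records),
            "gaps": find_record_gaps(records),
            "time_reversals": find_time_reversals(records)}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_RECORDS).items():
        print(finding, items)
```

None of these checks helps if the only copy of the log lives on the compromised host, since an attacker with administrative rights can rewrite the file wholesale; forwarding events to a collector the attacker cannot reach is what makes the gap and reversal checks meaningful.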

Covering Tracks
Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection.

When all the information of interest has been stripped from the target, the intruder installs several backdoors so that he or she can gain easy access in the future.

Covering Tracks
Erasing evidence is a requirement for any attacker who wants to remain undetected, and it is one way of evading trace-back. It starts with erasing the logged logins and any error messages that the attack process may have generated. Next, attention turns to making changes so that future logins go unrecorded. By manipulating and tweaking the event logs, the attacker can convince the system administrator that the system's output is correct and that no intrusion or compromise has taken place.

Since the first thing a system administrator does when monitoring for unusual activity is to check the system log files, intruders commonly use a utility to modify the logs. In some cases rootkits disable logging and discard all existing logs outright. Intruders who intend to use the system for a longer period as a launch base for further intrusions tend instead to remove only those portions of the logs that would reveal their presence, because a log that has been wiped is itself a sign of compromise.

It is imperative for attackers to make the system look as it did before they gained access and established backdoors. Any files they modified need to be changed back to their original attributes. There are tools for covering one's tracks on the NT operating system. Information such as file size and date is just attribute information stored with the file, and can be altered like any other attribute.


Protecting against an attacker who covers his or her tracks by changing file information is difficult, because size and timestamps can be set to whatever the attacker wants. It is, however, possible to detect that a file has been changed by calculating a cryptographic hash over its entire contents and comparing it with a hash recorded earlier. A hash is not an encryption of the file; it is a fixed-length digest that changes unpredictably if even one bit of the file changes. The stored hashes must themselves be protected (kept off the host, signed, or authenticated with a keyed HMAC), otherwise an attacker with write access simply recomputes them after the change.
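As an added example (not code from the courseware), the following Python builds such a baseline and re-checks it. The manifest records a SHA-256 of every file's contents together with its size and mtime, and the whole manifest is authenticated with HMAC-SHA256 under a key that is assumed to live off the monitored host, so an attacker with local admin cannot simply recompute the "expected" hashes. The demo writes two constructed files into a temporary directory, has the attacker change one file without changing its size and then set its mtime back, and shows that the content hash still catches it while a forged manifest is rejected. The file names, contents and key are all assumptions for the demo.

```python
"""Baseline-and-verify file integrity with a keyed (HMAC) manifest."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Digest the entire file contents in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entries(root):
    """Hash, size and mtime of every regular file under root, keyed by relative path."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = {"sha256": sha256_file(path),
                            "size": st.st_size, "mtime": int(st.st_mtime)}
    return entries


def _tag(entries, key):
    """HMAC over a canonical JSON encoding of the entries."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Take the baseline. Keep the key, and a copy of the manifest, off the host."""
    entries = _entries(root)
    return {"entries": entries, "tag": _tag(entries, key)}


def verify_manifest(root, manifest, key):
    """Check the manifest's HMAC first, then diff the live tree against it."""
    if not hmac.compare_digest(_tag(manifest["entries"], key), manifest["tag"]):
        return {"authentic": False, "changed": [], "missing": [], "added": []}
    baseline, current = manifest["entries"], _entries(root)
    return {
        "authentic": True,
        "changed": sorted(p for p in baseline if p in current
                          and current[p]["sha256"] != baseline[p]["sha256"]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    key = b"example-key-stored-off-host"  # assumption: the real key never sits on the host
    with tempfile.TemporaryDirectory() as root:
        # Constructed files for the demo.
        files = {"sshd_config": b"PermitRootLogin no \n", "motd": b"Authorised use only\n"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root, key)

        # Attacker: same-length edit, then set the mtime back to the original value.
        target = os.path.join(root, "sshd_config")
        before = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        os.utime(target, (before.st_atime, before.st_mtime))
        after = os.stat(target)

        # Attacker also tries to 'fix' a local copy of the manifest to match the edit.
        forged = json.loads(json.dumps(baseline))
        forged["entries"]["sshd_config"]["sha256"] = sha256_file(target)

        return {
            "size_unchanged": after.st_size == before.st_size,
            "mtime_unchanged": int(after.st_mtime) == int(before.st_mtime),
            "verify": verify_manifest(root, baseline, key),
            "forged": verify_manifest(root, forged, key),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Size and mtime are kept in the manifest only as context for the analyst; the decision rests on the content hash and on the HMAC over the manifest, which is what a timestomped, same-length edit cannot satisfy without the key.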


Ways to Clear Online Tracks

Remove Most Recently Used (MRU) lists, delete cookies, clear the cache, turn off AutoComplete, and clear toolbar data from the browsers.

In Windows 7
Click the Start button, choose Control Panel -> Appearance and Personalization -> Taskbar and Start Menu. Click the Start Menu tab and then, under Privacy, clear the "Store and display a list of recently opened programs" check box.

From the Registry in Windows 8
- Open HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then remove the "RecentDocs" key
- Or delete all the values under it except "(Default)"

Ways to Clear Online Tracks
The Internet is the ultimate resource for searching and gathering information on any topic. Unfortunately, the same resources, and the traces a user leaves while using them (history, cookies, cache, saved forms and passwords), are misused by attackers to track others' online activities, which helps them launch an attack or a theft.

There are several ways to clear online tracks:
- Private browsing
- Clear the history in the address field
- Disable stored history
- Delete private data
- Clear cookies on exit
- Clear cache on exit
- Delete downloads
- Disable the password manager
- Clear data in the password manager
- Delete saved sessions
