A lab exercise for penetration testing and hacking techniques on a windows system. The exercise covers various methods for exploiting system vulnerabilities, including storing admin passwords, clearing passwords, installing keyloggers and backdoors, modifying the registry, rootkitting, and clearing logs. The goal is to gain unauthorized access to a target system and maintain persistent access via a backdoor.
Typology: Lab Reports
12/20/
LAB 19
Exploitation: Store the admin password using BartPE; clear the admin password using Chntpw; install a keylogger (Ardamax) and backdoor (Netcat); modify the Registry; rootkit the backdoor using HackerDefender; clear the logs; restore the admin password using BartPE; connect remotely via backdoor
Scenario
You have physical access to the target box. You "stole" the SYSTEM and SAM files, but you were unable to crack any passwords (using SamInside) back at the office. So, you must take another tack… Return to the target. Boot the target using a (Windows) BartPE bootable CD. Save the SAM file to a fob. Reboot, this time using chntpw. Clear the admin password. Boot normally using the target's (Windows) OS and log in as admin (no password). Install your keylogger and backdoor. Modify the Registry so the backdoor loads on boot. Rootkit the backdoor. Clear the logs. Reboot with the BartPE CD and replace the SAM file. Test to make sure you can access the backdoor remotely.
Potential Show Stoppers
1. Must have physical access.
2. The port you have Netcat listen on must be allowed through any firewall.
How You Should (Repeat: Should)
Never log onto a computer if you can avoid it; it's nearly impossible to erase all your tracks!
Use ERD Commander ($) to:
- Copy a keylogger onto the target hard drive
- Copy Netcat onto the target hard drive (a backdoor, allowing you to maintain access to the target via the Internet)
- Copy Hacker Defender onto the target hard drive (used to rootkit the keylogger, Netcat, and HackerDefender)
- Modify the target Registry, so the keylogger, Netcat, and HackerDefender run on boot.
- Clear the logs. Reboot the target.
- Use Netcat to connect remotely & download the keylogger file.
1. Store a copy of the target's SAM file on a memory fob
a. Your computer MUST be OFF.
b. Insert a USB fob in a USB port of the target. You must do this before booting to BartPE!
c. Insert the BartPE CD in the drive and boot the target.
d. When asked if you want network support, click No.
e. Click on GO -> programs -> A43 File Management Utility. Using the window on the left, navigate to: c:\windows\system32\config
f. Click on GO -> programs -> A43 File Management Utility. This time navigate to the USB fob.
g. Drag the SAM file to your fob and close both windows.
h. Click Go -> Shut down -> Restart
i. Remove the BartPE CD and the USB fob
Note!
2. Clear the admin password
Insert the (Linux) Chntpw boot CD (did you remove the fob
Power the target completely down! Reboot!
Usually, the defaults are what you want:
If the boot process hangs… Press "d"
Step ONE: Select disk where Windows installation is
Press
Step TWO: Select PATH and registry files
If XP, press
If using W2k, enter WINNT/system32/config
Press

2. Clear the administrator password (cont.)
Remove the boot CD. Power down.
Power up, booting the target to Windows.
Stop the check; it might fix itself.
Log in as Administrator
No password needed!
User Switching (with its vertical stack of user names with icons, and the Administrator user is not shown), the attacker must press Ctrl-Alt-Delete to get a logon window.
If you cannot log in as Administrator, do it again
Chntpw does not work...
Keylogger/Ardamax Keylogger
3. Double-click on the AKL icon in the task tray to load the Viewer. See the next slide…
If the icon is not there, AKL might be installed, but not running! To run it:
Right-click on the tray icon to bring up a menu of options. See next slide…
If it is NOT installed, install it: c:\tools\keylogger and… Keylogger) to install. install, finish, etc.) Go through the "Quick Tour" if you like.
Ardamax Key Logger (AKL) can be "rootkitted" by selecting Hidden Mode. Ctrl-Alt-Shift-H will then bring the tray icon back. Selecting Options takes you to the next slide…
Ardamax Key Logger: Selecting Invisibility takes you to the next slide…
Ardamax Key Logger: Here, you can direct AKL to send you the log file via FTP or email or both, if you have registered AKL. This means I can't actually do any of this.
4. Install a backdoor (Netcat)
Lucky for you, Netcat is already on your target (remember?): c:\tools\netcat\nc.exe
6. Install the Hacker Defender rootkit
Well, the keylogger hides itself. But now we need to hide Netcat! We do not want any:
dir
netstat
Ctrl-Alt-Delete
"Custom" Registry keys
Navigate to: c:\tools\Hacker Defender\hxdef

6. Install the Hacker Defender rootkit (cont.)
Note there might be two .ini files: If there is a hxdef100.2.ini file, the hxdef100.ini file will have extra stuff to fool anti-virus software. (Open it with Notepad … this in Explorer or, in a DOS window:
del hxdef100.ini
rename hxdef100.2.ini hxdef100.ini
If there is no hxdef100.2.ini file, just move on…
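From the defender's side, the Registry persistence and the rootkit steps above leave an artifact that survives HackerDefender's API hooking if the Run key is exported while booted from clean media rather than read on the running target. The following Python script is an added example, not part of the lab; the .reg export text is constructed, and the trusted-directory list is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the HKLM Run key as it might look after
# the lab's steps. Take the export while booted from clean media: HackerDefender
# hooks the running system's APIs, so an audit on the live OS would not see it.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"nc"="C:\\tools\\netcat\\nc.exe"
"hxdef"="\"C:\\tools\\Hacker Defender\\hxdef\\hxdef100.exe\""
"""

KNOWN_TOOLS = {"nc.exe", "hxdef100.exe"}  # binaries named on this page
# Directories from which autorun entries are normally expected (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text: str) -> dict:
    """Return {value_name: command} from a .reg export (REG_SZ values only)."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # .reg escapes backslashes and quotes inside string data
            values[m["name"]] = m["data"].replace('\\"', '"').replace("\\\\", "\\")
    return values


def executable_of(command: str) -> str:
    """Extract the program path from a command line, quoted or not."""
    command = command.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def audit_run_key(reg_text: str) -> dict:
    """Map each suspicious Run value name to the reasons it was flagged."""
    findings = {}
    for name, command in parse_run_values(reg_text).items():
        exe = executable_of(command)
        reasons = []
        if PureWindowsPath(exe).name.lower() in KNOWN_TOOLS:
            reasons.append(f"known tool binary {PureWindowsPath(exe).name.lower()}")
        if not exe.lower().startswith(TRUSTED_ROOTS):
            reasons.append("executable outside trusted directories")
        if reasons:
            findings[name] = reasons
    return findings
```

Running `audit_run_key(SAMPLE_REG_EXPORT)` flags the `nc` and `hxdef` entries and leaves the legitimate SoundMAX entry alone.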