Chapter 4. Enumeration and System Hacking

This chapter covers the following topics:

  • Enumeration: The process of counting off or listing what services, applications, and protocols are present on each identified computer.

  • System Hacking: The process of gaining access, escalating privileges, maintaining control, and covering tracks.

This chapter introduces enumeration and system hacking. It gives you the knowledge you need to prepare for the Certified Ethical Hacker exam, and it broadens your knowledge of operating system (OS) security controls and weaknesses. However, this chapter addresses only the basic information, because an entire book would be required to cover all system hacking issues. If you are seriously considering a career as a penetration tester, this chapter should whet your appetite for greater knowledge.

The chapter starts by examining enumeration and discussing what kind of information can potentially be uncovered. Enumeration is the final pre-attack phase in which you probe for usernames, system roles, account details, open shares, and weak passwords. This chapter also reviews some basics of Windows and Linux architecture and discusses Windows users and groups. The last topic is system hacking, which includes discussion of the tools and techniques for gaining access to computer systems.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 4-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 4-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section    Questions
Enumeration                  2–5, 10
System Hacking               1, 6–9


The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following is considered a nontechnical attack?

a. Password sniffing

b. Dumpster diving

c. Password injection

d. Software keylogger

2. When reviewing a Windows domain, you are able to extract some account information. A RID of 500 is associated with what account?

a. A user account

b. The first user’s account

c. The guest account

d. The administrator account

3. During enumeration, what port may specifically indicate a Windows computer and most likely not a Linux computer?

a. 110

b. 111

c. 25

d. 445

4. During enumeration, what port may specifically indicate a portmapper on a Linux computer?

a. 110

b. 111

c. 389

d. 445

5. Which of the following is a tool commonly used for enumeration?

a. Hyena

b. John

c. LCP

d. IAM tool kit

6. Which type of password cracking makes use of the space/time memory trade-off?

a. Dictionary attack

b. Rainbow table

c. Rule

d. Hybrid

7. Microsoft uses various techniques to protect user account information. The second layer of security on the SAM file is known as what?

a. Encoding

b. Obscuring


d. Salting

8. Which format stores Windows passwords in a 14-character field?

a. NTLMv2

b. Kerberos

c. Salted

d. LAN Manager

9. Which of the following matches the common padding found on the end of short Windows LanMan (LM) passwords?

a. 1404EE

b. EE4403


d. 1902DD

10. If you were going to enumerate DNS, which of the following tools could you use?

a. Route print

b. ARP -A

c. Nslookup

d. IPconfig

Foundation Topics

Enumeration

Enumeration can be described as an in-depth analysis of targeted computers. Enumeration is performed by actively connecting to each system to identify the user accounts, system accounts, services, and other system details. Enumeration is the process of actively querying or connecting to a target system to acquire information on NetBIOS/LDAP, SNMP, UNIX/Linux operation, NTP servers, SMTP servers, and DNS servers. These topics are discussed next.

Windows Enumeration

The object of Windows enumeration is to identify a user account or system account for potential use. You might not have to find a system administrator account because escalation of privilege may be possible. At this point, we are simply seeking the knowledge to gain some level of access.

To better target Microsoft Windows computers, you should understand how they function. Windows ships with both client and server versions. Client systems that are still being supported as of this writing include the following: Windows 7, 8, and 10. On the server side, Microsoft supports Windows 2008 to 2019. Each of these operating systems shares a somewhat similar kernel. The kernel is the most trusted part of the operating system. How does the operating system know who and what to trust? The answer is by implementing rings of protection. The protection ring model provides the operating system with various levels at which to execute code or restrict its access. The protection ring model provides a level of access control and granularity. As you move toward the outer bounds of the model, the numbers increase, and the level of trust decreases.

Figure 4-1 shows the basic model that Windows uses for protective rings.

A simplified overview of the Windows architecture is shown.

Figure 4-1 Windows Architecture

With the Windows architecture, you can see that there are two basic modes: user mode (ring 3) and kernel mode (ring 0). User mode has restrictions, whereas kernel mode allows full access to all resources. This is an important concept for the ethical hacker to contemplate because antivirus and analysis tools can detect hacking tools and code that run in user mode. However, if code can be deployed on a Windows system to run in kernel mode, it can hide itself from user mode detection and will be harder to detect and eradicate. All the code that runs on a Windows computer must run in the context of an account. The system account can perform kernel-mode activities. The privilege level of the account you hold determines your ability to execute code on a system. Hackers always want to run code at the highest possible privilege. Windows uses the following two types of identifiers to help keep track of a user’s security rights and identity:

  • Security identifiers (SID)

  • Relative identifiers (RID)

A SID is a data structure of variable length that identifies user, group, and computer accounts. For example, a SID of S-1-1-0 indicates a group that includes all users. Closely tied to SIDs are RIDs. A RID is a portion of the SID that identifies a user or group in relation to the authority that user has. Let’s look at an example:

    S for security id
    1 Revision level
    5 Identifier Authority (48 bit) 5 = logon id
    21 Sub-authority (21 = nt non unique)
    1607980848      SA
    492894223       SA domain id
    1202660629      SA
    500             User  id

Focus your attention on the last line of text in this example. The user ID specifies the specific user, as shown in Table 4-2.


Table 4-2 User ID and Corresponding RID Code

User ID          RID
Administrator    500
Guest            501
First user       1000
Second user      1001


This table shows that the administrator account has a RID of 500 by default, the guest has a RID of 501, and the first user account has a RID of 1000. Each new user gets the next available RID. This information is important because simply renaming an account will not prevent someone from discovering key accounts. This is similar to the way that Linux controls access for users and system processes through an assigned user ID (UID) and a group ID (GID) that is found in the /etc/passwd file. On a related topic, let’s look at some other important security components of Microsoft Windows that will help you understand the enumeration process.


You should be able to correlate specific user accounts and RIDs for the exam, such as 500 = administrator.
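To see how the pieces of a SID fit together and why renaming an account does not hide it, here is an added Python example (not code from the book): it parses the SID broken down above, extracts the RID, and flags accounts whose RID is 500 or 501 regardless of what they are called. The account names in the sample list are constructed.

```python
"""Parse Windows security identifiers (SIDs) and map RIDs to built-in accounts.

Added example, not code from the book: the SID is the one broken down in the
chapter; the account names in CONSTRUCTED_ACCOUNTS are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RIDs that are fixed for every Windows installation or domain (S-1-5-21-... space).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt (Kerberos ticket-granting account on domain controllers)",
    512: "Domain Admins (group)",
    513: "Domain Users (group)",
}

# SIDs that mean the same thing on every system, independent of any domain.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def format_sid(revision: int, authority: int, subs: Tuple[int, ...]) -> str:
    return "-".join(["S", str(revision), str(authority), *(str(s) for s in subs)])


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int          # 48-bit value; 5 for Windows NT-style SIDs
    sub_authorities: Tuple[int, ...]   # up to fifteen 32-bit values; the last is the RID

    @property
    def rid(self) -> Optional[int]:
        """Relative identifier: the final sub-authority (None when there is none)."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_sid(self) -> str:
        """The SID without its RID, i.e. the issuing machine or domain."""
        return format_sid(self.revision, self.identifier_authority,
                          self.sub_authorities[:-1])

    def __str__(self) -> str:
        return format_sid(self.revision, self.identifier_authority,
                          self.sub_authorities)


def parse_sid(text: str) -> Sid:
    """Parse the textual form S-R-I-S1-S2-...-Sn, validating each field's range."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision = int(parts[1])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    authority = int(parts[2])
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority must fit in 48 bits")
    subs = tuple(int(p) for p in parts[3:])
    if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authorities must be at most fifteen 32-bit values")
    return Sid(revision, authority, subs)


def describe(text: str) -> str:
    """Say what a SID refers to, using the RID for machine- or domain-relative SIDs."""
    sid = parse_sid(text)
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    # S-1-5-21-<three sub-authorities>-<RID>: an account on a local machine or domain.
    if (sid.identifier_authority == 5 and len(sid.sub_authorities) == 5
            and sid.sub_authorities[0] == 21):
        rid = sid.rid
        if rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[rid]
        return f"ordinary user or group (RID {rid}; the first created user gets 1000)"
    return f"unrecognised SID (RID {sid.rid})"


def flag_renamed_builtins(accounts: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Return (name, rid) for accounts whose RID marks them as Administrator or
    Guest even though the account has been renamed: renaming does not hide them."""
    expected = {500: "administrator", 501: "guest"}
    flagged = []
    for name, sid_text in accounts:
        rid = parse_sid(sid_text).rid
        if rid in expected and name.lower() != expected[rid]:
            flagged.append((name, rid))
    return flagged


# Constructed account list; the domain part is the SID from the chapter.
CONSTRUCTED_ACCOUNTS = [
    ("sysop", "S-1-5-21-1607980848-492894223-1202660629-500"),
    ("Guest", "S-1-5-21-1607980848-492894223-1202660629-501"),
    ("jsmith", "S-1-5-21-1607980848-492894223-1202660629-1000"),
]

if __name__ == "__main__":
    for name, sid_text in CONSTRUCTED_ACCOUNTS:
        print(f"{name:8} {sid_text}  -> {describe(sid_text)}")
    print("renamed built-ins:", flag_renamed_builtins(CONSTRUCTED_ACCOUNTS))
```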

Windows Security

On a standalone Windows computer, user information and passwords are stored in the Security Account Manager (SAM) database. If the system is part of a domain, the domain controller stores the critical information in Active Directory (AD). On standalone systems not functioning as domain controllers, SAM contains the defined local users and groups, along with their passwords and other attributes. The SAM database is stored in the \Windows\System32\config folder in a protected area of the Registry under HKLM\SAM.

AD is a directory service, which contains a database that stores information about objects in a domain. AD keeps password information and privileges for domain users and groups that were once kept in the domain SAM. Unlike the old NT trust model, a domain is a collection of computers and their associated security groups that are managed as a single entity. AD was designed to be compatible to Lightweight Directory Access Protocol (LDAP); you can get more background information from RFC 2251.

Another important Windows security mechanism is Local Security Authority Server Service (LSASS). LSASS is a user mode process that is responsible for the local system security policy. This includes controlling access, managing password policies, authenticating users, and sending security audit messages to the event log.

NetBIOS and LDAP Enumeration

NetBIOS was a creation of IBM. It is considered a legacy protocol today but may still be found on some older obsolete systems, such as Windows XP or Windows Server 2003. On local-area networks (LANs), NetBIOS systems usually identify themselves by using a 15-character unique name. Because NetBIOS is nonroutable by default, Microsoft adapted it to run over Transmission Control Protocol/Internet Protocol (TCP/IP). NetBIOS is used with Server Message Block (SMB). SMB allows for the remote access of shared directories and files. These services are provided through the ports shown in Table 4-3.

Table 4-3 Microsoft Key Ports and Protocols

Port         Service
TCP 135      MS-RPC endpoint mapper
UDP 137      NetBIOS name service
UDP 138      NetBIOS datagram service
TCP 139      NetBIOS session service
TCP 445      SMB over TCP

This table lists key ports and protocols that Microsoft systems use. When performing a port scan or attempting to identify a system, finding these open ports will signal that you might be dealing with a Microsoft system. After these ports have been identified, you can begin to further enumerate each system.


Make sure that you can identify key Windows ports.


Even though Windows XP is no longer supported by Microsoft, a survey performed in 2018 found that 5 percent of all desktops were still running this OS. Although this number will continue to fall, you might find Windows XP or other older systems during a pen test. While it may be hard to believe there are old systems still in use, sometimes these continue to exist to support legacy applications.

LDAP is an Internet protocol for accessing distributed directory services. The information that is exchanged between the client and server is transmitted using Basic Encoding Rules (BER). A client starts an LDAP session by connecting on TCP port 389 and sending an operation request to the directory system agent. The services provided can include any organizational set of records, such as a company email directory. From an attacker’s standpoint, LDAP is an attractive target because it might be used to gather information such as usernames, addresses, and department information, which in turn might be used to further an attack.

SMB was designed to make it possible for users to share files and folders. Windows systems also expose a default share named IPC$ (InterProcess Communication). The IPC$ share was used to support named pipes that programs use for interprocess (or process-to-process) communications. Because named pipes can be redirected over the network to connect local and remote systems, they also enable remote administration. As you might think, this can be a problem.

A null session occurs when you log in to a system with no user ID and password at all. In legacy Windows versions, such as Windows Server 2003, a null session could be set up using the net command.

There’s an entire host of net commands. A few are discussed here, but for a more complete list, just type net from the command line and the /? syntax after any of the commands you see that you would like more information on.

Even though you may not see the IPC$ share when looking for shared drives and folders, that doesn’t mean that it is not there. For example, if you have identified open ports of 135, 139, and 445 on targeted systems, you might attempt the net view /domain command:

C:\>net view /domain
Domain

-------------------------------------------------------------------------------
SALES
MARKETING
ACCOUNTING
The command completed successfully.

Notice that these net commands are quite handy. They have identified the sales, marketing, and accounting groups. To query any specific domain group, just use the net command again in the form of net view /domain:domain_name:

C:\>net view /domain:accounting
Server Name            Remark
The command completed successfully.

You can take a closer look at any one system by using the net view \\system_name command:

C:\>net view \\charon
Shared resources at \\CHARON
Sharename    Type          Comment
CDRW         Disk
D            Disk
Payroll      Disk
Printer      Disk
Temp         Disk
The command completed successfully.

Now that you have completed some basic groundwork, let’s move on to enumerating user details, account information, weak passwords, and so on. IPC$ is further exploited for these activities. Specifically, you will need to set up a null session. You can do so manually with the net command:

C:\>net use \\charon\ipc$ "" /u:""


Microsoft has secured newer operating systems, such as Windows Server 2019, Windows 8, and Windows 10 to protect them against attempts to set up a null session to take advantage of the underlying communications protocols, but you might still find a few old systems on which this is possible.

NetBIOS Enumeration Tools

With a net use \\computer_name\ipc$ "" /u:"" command executed, you’re primed to start hacking at the system. The tools discussed in this section, such as DumpSec and Hyena, require that you have a null session established before you attempt to use them. DumpSec is a Windows-based graphical user interface (GUI) enumeration tool from SomarSoft. It enables you to remotely connect to Windows machines and dump account details, share permissions, and user information. It is shown in Figure 4-2. Its GUI-based format makes it easy to take the results and port them into a spreadsheet so that holes in system security are readily apparent and easily tracked. It can provide you with usernames, SIDs, RIDs, account comments, account policies, and dial-in information.


Figure 4-2 DumpSec

Hyena is a GUI-based tool used to show logon names, shares, IP addresses, and other account information. It can extract SID, RID, comments, full name, and so on. From our discussion earlier about SIDs on Windows machines, you know that the administrator account on the machine ends in 500. Therefore, you can use Hyena to discover the SIDs for the usernames found in your enumeration and discover who has administrative access.

Many tools can be used for enumeration. The ones listed here should give you an idea of what this category of tool can do. Listed here are some other tools that perform the same type of enumeration:

  • SuperScan: A McAfee tool, SuperScan retrieves all available information about any known user from any vulnerable Windows system.

  • NetBIOS Enumerator: A GUI tool that is free and available on SourceForge that extracts user info from a domain or computer.

  • Ldp: This executable is what you need if you’re working with AD systems. After you find port 389 open and authenticate yourself using an account (even guest will work), you will be able to enumerate all the users and built-in groups.

Other tools are available to enumerate a Windows system. For example, if you are local to the system, you can also use Nbtstat. Microsoft defines Nbtstat as a tool designed to help troubleshoot NetBIOS name resolution problems. It has options such as local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query. Typing nbtstat at a Windows command prompt will tell you all about its usage:

C:\>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

One of the best ways to use Nbtstat is with the -A option. Let’s look at what that returns:

C:\>nbtstat -A
            NetBIOS Remote Machine Name Table
    Name             Type         Status
    MINNY            <00>    UNIQUE    Registered
    WORKGROUP        <00>    GROUP     Registered
    MINNY            <20>    UNIQUE    Registered
    WORKGROUP        <1E>    GROUP     Registered
    WORKGROUP        <1D>    UNIQUE    Registered
    ..__MSBROWSE__.  <01>    GROUP     Registered
    MAC Address = 00-19-5D-1F-26-68

A name table that provides specific hex codes and tags of UNIQUE or GROUP is returned. These codes identify the services running on this specific system. For example, note the code of 1D UNIQUE. This signifies that the system Minny is the master browser for this particular workgroup. Other common codes include the following:

Hex Value    Description
<1B>         Domain master browser
<1C>         Domain controllers
<1D>         Master browser
<1E>         Browser service elections

You can find a complete list of NetBIOS name codes by searching the Web for NetBIOS name codes.
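As an added example (not code from the book), the following Python script parses the name table shown above for MINNY and turns the suffix codes into the roles the host has advertised, which is how a defender can spot which machines on a segment are offering shares or acting as master browser. The suffix meanings are the standard NetBIOS name-suffix assignments.

```python
"""Decode the name table that nbtstat -A returns into the host's NetBIOS roles.

Added example, not code from the book. SAMPLE_NBTSTAT reproduces the table shown
in the chapter for the host MINNY; the suffix meanings are the standard NetBIOS
name-suffix assignments.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# (suffix, type) -> what that registration means for the host.
SUFFIX_MEANINGS = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("20", "UNIQUE"): "File server service (shares are offered)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
    ("01", "GROUP"): "Master browser announcement (__MSBROWSE__)",
}


class NbtName(NamedTuple):
    name: str
    suffix: str    # two hex digits, e.g. "1D"
    kind: str      # "UNIQUE" or "GROUP"
    status: str    # e.g. "Registered"


ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text: str) -> Tuple[List[NbtName], Optional[str]]:
    """Return the registered names and the MAC address, ignoring header lines."""
    names: List[NbtName] = []
    mac: Optional[str] = None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            name, suffix, kind, status = row.groups()
            names.append(NbtName(name, suffix.upper(), kind, status))
            continue
        found = MAC_RE.search(line)
        if found:
            mac = found.group(1).upper()
    return names, mac


def summarize(names: List[NbtName], mac: Optional[str] = None) -> Dict[str, object]:
    """Turn raw registrations into the facts an analyst wants: who the host is,
    which workgroup it belongs to, and which browser/file-sharing roles it holds."""
    def first(suffix: str, kind: str) -> Optional[str]:
        return next((n.name for n in names if (n.suffix, n.kind) == (suffix, kind)), None)

    roles = []
    for n in names:
        if n.suffix == "00":
            continue   # reported separately as the computer and workgroup names
        roles.append(SUFFIX_MEANINGS.get((n.suffix, n.kind),
                                         f"unknown suffix <{n.suffix}> {n.kind}"))
    return {
        "computer": first("00", "UNIQUE"),
        "workgroup": first("00", "GROUP"),
        "mac": mac,
        "roles": roles,
        "file_sharing": first("20", "UNIQUE") is not None,
        "master_browser": first("1D", "UNIQUE") is not None,
        "domain_controller": first("1C", "GROUP") is not None,
    }


def analyse(text: str) -> Dict[str, object]:
    names, mac = parse_name_table(text)
    return summarize(names, mac)


# The table printed in the chapter, reproduced here as constructed sample input.
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table
    Name             Type         Status
    MINNY            <00>    UNIQUE    Registered
    WORKGROUP        <00>    GROUP     Registered
    MINNY            <20>    UNIQUE    Registered
    WORKGROUP        <1E>    GROUP     Registered
    WORKGROUP        <1D>    UNIQUE    Registered
    ..__MSBROWSE__.  <01>    GROUP     Registered
    MAC Address = 00-19-5D-1F-26-68
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_NBTSTAT).items():
        print(f"{key:18} {value}")
```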

SNMP Enumeration

Simple Network Management Protocol (SNMP) is a popular TCP/IP standard for remote monitoring and management of hosts, routers, and other nodes and devices on a network. It’s used to report the status of services and devices. It works through a system of agents and nodes. SNMP is designed so that requests are sent to agents, and the agents send back replies. The requests and replies refer to configuration variables accessible by agent software. Traps are used to signify an event, such as a reboot or interface failure. SNMP makes use of the Management Information Base (MIB). The MIB is the database of configuration variables that resides on the networking device.

SNMP version 3 offers data encryption and authentication. Both versions 1 and 2 are still in use, but they are clear-text protocols that provide only weak security through the use of community strings. The default community strings are public and private and are transmitted in clear text. If the community strings have not been changed or if someone can sniff the community strings, that person then has more than enough to enumerate the vulnerable devices.


SNMP versions 1 and 2 use default community strings of public and private.

Devices that are SNMP enabled share a lot of information about each device that probably should not be shared with unauthorized parties. SNMP enumeration tools can be found in both Windows and Linux. Several are mentioned here:

  • snmpwalk: A Linux command-line SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

  • Network Performance Monitor: A GUI-based network discovery tool that enables you to perform a detailed discovery on one device or an entire subnet.

  • SNScan: A free GUI-based SNMP scanner from McAfee.

The best defense against SNMP enumeration is to turn off SNMP if it is not needed. If it is required, make sure that you block ports 161 and 162 at network chokepoints, and ensure that an upgrade to SNMPv3 is possible. Changing the community strings is another defensive tactic, as is making them different in each zone of the network.
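The following added Python example (not code from the book) applies the advice above to a Net-SNMP snmpd.conf: it flags default community strings, communities accepted from any source, write access granted by a community string, and the absence of any SNMPv3 user. Both configuration texts are constructed.

```python
"""Audit a Net-SNMP snmpd.conf for the weak SNMP settings discussed above.

Added example, not code from the book. Both configuration texts are constructed;
the directive names (rocommunity, rwcommunity, com2sec, createUser, rouser,
rwuser) are Net-SNMP's.
"""
from typing import List, NamedTuple

# The two defaults every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}
# Source specifications that accept the community from any address.
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}


class Finding(NamedTuple):
    line_no: int
    severity: str   # "high", "medium" or "info"
    message: str


def _check_community(no: int, directive: str, community: str, source: str,
                     findings: List[Finding]) -> None:
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append(Finding(no, "high",
                        f"{directive}: default community string {community!r}"))
    if source in ANY_SOURCE:
        findings.append(Finding(no, "medium",
                        f"{directive}: community {community!r} accepted from any source"))
    if directive.startswith("rw"):
        findings.append(Finding(no, "high",
                        f"{directive}: write access granted by a community string"))


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Flag v1/v2c community strings that are default, world-reachable or writable,
    and note when no SNMPv3 user exists at all."""
    findings: List[Finding] = []
    has_v3_user = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID]]; an omitted SOURCE means "default".
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            _check_community(no, directive, community, source, findings)
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec NAME SOURCE COMMUNITY
            _check_community(no, directive, parts[3], parts[2], findings)
        elif directive in ("createuser", "rouser", "rwuser"):
            has_v3_user = True
    if not has_v3_user:
        findings.append(Finding(0, "info",
                        "no SNMPv3 users defined; only clear-text v1/v2c access is configured"))
    return findings


# Constructed: the kind of configuration that makes SNMP enumeration trivial.
WEAK_CONF = """\
rocommunity public
rwcommunity private 192.0.2.0/24
com2sec readonly default public
"""

# Constructed: a unique read-only community limited to one manager, plus SNMPv3.
HARDENED_CONF = """\
rocommunity n0t-the-default 192.0.2.10
createUser monitor SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser monitor priv
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for f in audit_snmpd_conf(conf):
            print(f"  line {f.line_no}: [{f.severity}] {f.message}")
```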

Linux/UNIX Enumeration

After any type of Linux or UNIX system is found, further probing is still required to determine what it’s running. Although exploiting Windows-specific services might be out of the question, you can still exploit services such as finger, rwho, rusers, and Simple Mail Transfer Protocol (SMTP) to learn more.

Rwho and rusers are Remote Procedure Call (RPC) services that can give information about the various users on the system. Running rpcinfo -p against the system will allow an attacker to learn the status of rwho and rusers. Rusers depends on the Rwho daemon. It lists the users logged in to all local machines, in whois format (hostnames, usernames).

Although not commonly seen anymore, Finger is a program that tells you the name associated with an email address. It might also tell you whether users are currently logged in at their system or their most recent login session, and possibly other information, depending on the data that is maintained about users on that computer. Finger originated as part of BSD UNIX. Another potential tool to use for enumeration is SMTP, which sometimes can be helpful in identifying users. Attackers gain this information by using the SMTP vrfy (verify) and expn (expand) commands. These commands can be used to guess users on the system. Simply input the names, and if the user exists, you receive an RFC 822 email address with the @ sign. If the user doesn’t exist, you receive a “user unknown” error message. Although a username is not enough for access, it is half of what’s needed to get into most systems. If a default password is being used, the attacker may be able to gain easy access. Attackers might also look to see if a syslog server is present on UDP port 514.

Some of the techniques used to exploit Linux systems include the following:

  • Rpcclient: Using the rpcclient command, the attacker can enumerate usernames (for example, rpcclient $> netshareenum).

  • Showmount: The showmount command displays a list of all clients that have remotely mounted a file system from a specified machine in the host parameter.

  • Finger: The finger command enumerates the user and the host. It enables the attacker to view the user’s home directory, login time, idle times, office location, and the last time the user or host received or read mail. This service is typically off. By default, it runs on port 79.

  • Rpcinfo: The rpcinfo command helps to enumerate the RPC protocol. It makes an RPC call to an RPC server and reports what it finds.

  • Enum4linux: The enum4linux command is used for enumerating information from Windows and Samba systems. The application basically acts as a wrapper around the Samba commands smbclient, rpcclient, net, and nmblookup.

NTP Enumeration

Network Time Protocol (NTP) is a protocol designed to synchronize clocks of networked computers. Networks using Kerberos or other time-based services need a time server to synchronize systems. NTP uses UDP port 123. Basic commands that can be attempted include the following:

  • Ntpdate: Used to collect time samples

  • Ntptrace: Follows time servers back up the chain to the primary time server

  • Ntpdc: Used to query about the state of the time server

  • Ntpq: Used to monitor performance

NTP enumeration tools include the following:

  • PresenTense Time Server

  • NTP Server Scanner

  • LAN Time Analyzer

SMTP Enumeration

Simple Mail Transfer Protocol (SMTP) is used for the transmission of email messages. SMTP operates on TCP port 25. SMTP is something that a hacker will be interested in because it can potentially be used to perform username enumeration via the EXPN, RCPT, and VRFY commands. Penetration testers can also leverage the usernames that have been obtained from this enumeration to conduct further attacks on other systems. SMTP enumeration can be performed with utilities such as Netcat. From the command line, you type the following:

nc IP_address 25

Other common SMTP enumeration tools include the following:

  • NetScanTools Pro

  • Nmap

  • Telnet

IPsec and VoIP Enumeration

Any service can be enumerated. As an example, searching for the components of IPsec can determine if those services are being used. IPsec uses Encapsulating Security Payload (ESP) and Authentication Header (AH). A scan for port 500 can indicate whether a VPN gateway is present.

Voice over IP (VoIP) uses a set of specific ports. VoIP’s main use of the Session Initiation Protocol (SIP) uses ports 2000, 2001, 5050, and 5061. A scan for these ports can be used to determine whether VoIP is being used. After ports are identified, an attacker might launch a DDoS attack, launch a spoofing attack, or even attempt to eavesdrop.

DNS Enumeration

Domain Name System (DNS) enumeration is the process of locating all information about DNS. This can include identifying internal and external DNS servers and performing lookups of DNS records for information such as usernames, computer names, and IP addresses of potential target systems and performing zone transfers. Much of this activity was demonstrated in Chapter 3, “Footprinting and Scanning.” The most straightforward way is to use Nslookup or attempt a DNS zone transfer to copy the entire zone file for the domain from the DNS server.

One of the unique attributes of Microsoft Windows is that when a client can’t resolve a hostname using DNS, it will resort to the Link-Local Multicast Name Resolution (LLMNR) protocol. LLMNR is used to resolve both IPv4 and IPv6 addresses. If LLMNR fails, NetBIOS will be used. NetBIOS functions in a similar way to LLMNR; the big difference between the two is that NetBIOS works over IPv4 only.

When LLMNR or NetBIOS is used to resolve a request, any host on the network that claims to know the IP address of the host being asked about can reply. Even if a host replies to one of these requests with incorrect information, the reply will still be regarded as legitimate. What this means is that the service can be spoofed. A number of attack tools have been developed that will reply to all these queries in the hope of receiving sensitive information. The primary defense against these two attacks is to disable these services.

System Hacking


System hacking is a big step because you are no longer simply scanning and enumerating a system. At this point, you are attempting to gain access. Things start to change because this stage is about breaking and entering into the targeted system. Previous steps, such as footprinting, scanning, and enumeration, are all considered pre-attack stages. As stated, before you begin, make sure that you have permission to perform these activities on other people’s systems.

The primary goal of the system hacking stage is to authenticate to the remote host with the highest level of access. This section covers some common nontechnical and technical password attacks against authentication systems.

Nontechnical Password Attacks

Attackers are always looking for easy ways to gain access to systems. Hacking authentication systems is getting harder because most organizations have upped their game, using strong authentication and improving auditing controls. That is one reason why nontechnical attacks remain so popular. Basic techniques include the following:

  • Dumpster diving: Dumpster diving is the act of looking through a company’s trash to find information that may help in an attack. Access codes, notes, passwords, and even account information can be found.

  • Online Pwned Databases: There are multiple online repositories that have the lists of previously breached services and the passwords that users had used for access. If the user has reused the password for another account, this may allow the attacker access. Password reuse is a big problem that many users are guilty of. Figure 4-3 provides an example.

    A screenshot of the Have I Been Pwned? website is shown, with a text box for entering an email address or username. The page also displays the number of pwned websites, pwned accounts, pastes, and paste accounts, along with a list of the top 10 breaches.

    Figure 4-3 Have I Been Pwned?

  • Social engineering: We spend much more time discussing social engineering later in the book, but for now what is important to know is that social engineering is the manipulation of people into performing actions or divulging confidential information.

  • Shoulder surfing: The act of watching over someone’s shoulder to get information such as passwords, logins, and account details.

Technical Password Attacks

Technical password attacks require some use of technology. These attacks also build on the information you have obtained in the previous steps. Tools used during enumeration, such as Hyena, Network Performance Monitor, and Nbtstat, may have returned some valuable clues about specific accounts. By now, you may even have account names, know who is the administrator, know whether there is a lockout policy, and even know the names of open shares. Technical password attack techniques discussed here include the following:

  • Password guessing

  • Automated password guessing

  • Password sniffing

  • Keylogging


Many of today’s most successful attacks involve both technical and nontechnical elements. Although the technical portion of the attack may be very sophisticated, it may rely on a human element, such as phishing, to be completed.

Password Guessing

Guessing usernames and passwords requires that you review your findings. Remember that good documentation is always needed during a penetration test, so make sure that you have recorded all your previous activities. When password guessing is successful, it is usually because people like to use easy-to-remember words and phrases. A diligent penetration tester or attacker will look for subtle clues throughout the enumeration process, such as words or phrases the account holder might have used for a password. There are also tools and online pwned password repositories that can be used to look up breached passwords. Recon-ng is a full-featured reconnaissance tool that features a pwned lookup. There are also sites with searchable databases of pwned accounts, such as Have I Been Pwned?, which is shown in Figure 4-3.

If you are attempting to guess a user’s password, consider what you know about that individual, such as their hobbies, and try related passwords. If the account holder is not known to you, focus on accounts that

  • Haven’t had password changes for a long time

  • Have weakly protected service accounts

  • Have poorly shared accounts

  • Indicate the user has never logged in

  • Have information in the comment field that might be used to compromise password security

If you can identify such an account, you can issue the net use command from the command line to attempt the connection:

net use * \\IP_address\share * /u:name

You’ll be prompted for a password to complete the authentication:

C:\>net use * \$ * /u:jack
Type the password for \$:
The command completed successfully

What is important to keep in mind is that use of passwords (something you know) is one of the weakest forms of authentication. If you are tasked with suggesting countermeasures after a pen test, one option is to utilize multifactor authentication (MFA). In order for MFA to work, you need to combine multiple forms of authentication techniques. In addition to passwords, other authentication techniques include something you have (tokens) and something you are (biometrics). Although there are many types of biometrics, these are the most common characteristics to consider:

  • FAR and FRR: The two most common measurements used to evaluate biometric systems are the false acceptance rate (FAR) and the false rejection rate (FRR). The FAR is the ratio of users who were accepted by the biometric system but should have been rejected because they are not authorized. The FRR is the ratio of users who were rejected by the biometric system but should have been accepted because they are authorized.

  • CER: The crossover error rate (CER) is a quick way to compare the accuracy of biometric devices. The CER is the value of FAR and FRR when equal. In general, the biometric device with the lowest CER is the most accurate.

  • Strength: Iris biometric systems are considered one of the strongest forms of authentication. Although retina scanning is also a good choice, the infrastructure equipment can be cost prohibitive, and the false rejection rate can rise because of vascular problems or anomalies caused by caffeine use. Some forms of biometrics, such as voice or even fingerprint recognition, may be weaker than others depending on their implementation. For example, older optical fingerprint readers could be forced to authenticate using the latent image on the reader, a fine powder such as lycopodium powder, and a strong backlight.

  • Acceptance: Regardless of which biometric system you choose, it must work in the environment you have chosen. Some systems might not be suitable for industrial environments, so issues such as environment, throughput, time to enroll, and accuracy are all important considerations.

A second class of biometrics is behavioral in nature; examples include gait, typing rhythm, and handwriting. These may not be viewed as viable because they can be affected by multiple external conditions.
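The following Python example, added here and not part of the chapter, shows how FAR, FRR, and the CER fall out of a threshold sweep: every observed match score is tried as the accept threshold, and the point where FAR and FRR meet is the crossover. The match scores for the two hypothetical devices are constructed values, not measurements from any product.

```python
"""Estimate FAR, FRR and the crossover error rate (CER) from match scores.

Added example with constructed data: the score lists are not measurements
from any real biometric device."""

# Constructed match scores on a 0-100 scale (higher = better match).
# Genuine: authorized users matched against their own template.
# Impostor: unauthorized users matched against someone else's template.
GENUINE_SCORES = [55, 62, 70, 74, 78, 81, 85, 88, 92, 96]
IMPOSTOR_SCORES = [12, 20, 28, 35, 41, 48, 57, 63, 66, 72]

# A second hypothetical device whose genuine and impostor scores overlap more.
DEVICE_B_GENUINE = [40, 50, 58, 65, 70, 75, 80, 86, 90, 95]
DEVICE_B_IMPOSTOR = [15, 25, 33, 45, 52, 60, 68, 73, 77, 82]


def far_frr(threshold, genuine, impostor):
    """FAR: impostors wrongly accepted (score >= threshold) over all impostors.
    FRR: genuine users wrongly rejected (score < threshold) over all genuine."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as the threshold and return
    (threshold, FAR, FRR) where FAR and FRR are closest to equal.
    With discrete samples the curves rarely cross exactly, so the
    smallest |FAR - FRR| is taken as the crossover point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, threshold, far, frr = best
    return threshold, far, frr


def more_accurate(device_a, device_b):
    """Each device is (name, genuine_scores, impostor_scores).
    The device with the lowest CER is the more accurate one."""
    cer = {}
    for name, genuine, impostor in (device_a, device_b):
        _, far, frr = crossover_error_rate(genuine, impostor)
        cer[name] = (far + frr) / 2
    return min(cer, key=cer.get)


if __name__ == "__main__":
    t, far, frr = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"device A: threshold={t} FAR={far:.2f} FRR={frr:.2f}")
    print("more accurate:", more_accurate(("A", GENUINE_SCORES, IMPOSTOR_SCORES),
                                          ("B", DEVICE_B_GENUINE, DEVICE_B_IMPOSTOR)))
```

Raising the threshold always trades FRR for FAR, which is why a single number such as the CER is used to compare devices rather than either rate alone.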

Automated Password Guessing

Because you may want to set up a method of trying each account once or twice for weak passwords, you might consider looping the process. Automated password guessing can be performed by constructing a simple loop using the Windows command shell. It is based on the standard net use syntax. The steps are as follows:

  1. Create a simple username and password file.

  2. Pipe this file into a FOR command as follows:

C:\>FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j

Many dedicated software programs automate password guessing. Some of the more popular free tools include Brutus and THC Hydra.


Make sure that you identify whether there is a password lockout policy, because you might have only two or three tries before the account is locked. Otherwise, you might inadvertently cause a denial of service (DoS) if you lock out all the users.
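From the defender's side, the same lockout policy is what makes automated guessing visible. The Python example below, added here and not part of the chapter, runs two checks over failed-logon records: accounts that have accumulated enough failures to be one attempt away from lockout (the denial-of-service case above), and sources that spread a few guesses across many accounts to stay under the per-account threshold. The log lines and their simplified format are constructed, not real Windows event output.

```python
"""Spot automated password guessing in failed-logon records.

Added example; the records below and their format are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records in a hypothetical simplified format:
# <ISO timestamp> LOGON_FAILURE user=<account> src=<source address>
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGON_FAILURE user=alice src=10.0.0.5
2024-03-01T09:00:02 LOGON_FAILURE user=bob src=10.0.0.5
2024-03-01T09:00:03 LOGON_FAILURE user=carol src=10.0.0.5
2024-03-01T09:00:04 LOGON_FAILURE user=dave src=10.0.0.5
2024-03-01T09:00:05 LOGON_FAILURE user=erin src=10.0.0.5
2024-03-01T09:00:06 LOGON_FAILURE user=frank src=10.0.0.5
2024-03-01T09:01:00 LOGON_FAILURE user=admin src=10.0.0.9
2024-03-01T09:01:05 LOGON_FAILURE user=admin src=10.0.0.9
2024-03-01T09:01:09 LOGON_FAILURE user=admin src=10.0.0.9
2024-03-01T09:01:12 LOGON_FAILURE user=admin src=10.0.0.9
2024-03-01T09:30:00 LOGON_FAILURE user=grace src=10.0.0.20
2024-03-01T11:00:00 LOGON_FAILURE user=alice src=10.0.0.20
"""

LINE_RE = re.compile(r"^(\S+) LOGON_FAILURE user=(\S+) src=(\S+)$")


def parse_failures(text):
    """Return a time-sorted list of (timestamp, user, source); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)


def lockout_risk(events, threshold=3):
    """Accounts with at least `threshold` failures: one more bad guess and the
    lockout policy turns a guessing attempt into a denial of service."""
    counts = defaultdict(int)
    for _, user, _ in events:
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources that failed against at least `min_accounts` distinct accounts
    inside any `window`: one or two tries per account never trips the
    per-account lockout, so the pattern only shows up per source."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = []
    for src, items in by_src.items():
        for i, (start, _) in enumerate(items):
            users = {u for ts, u in items[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("accounts near lockout:", lockout_risk(ev))
    print("spraying sources:", spray_sources(ev))
```

In the sample, 10.0.0.9 hammers a single account and will hit the lockout threshold, while 10.0.0.5 touches six accounts once each within seconds and is only caught by the per-source view.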

Password Sniffing

If your attempts to guess passwords have not been successful, sniffing or keystroke loggers might offer hope. Think about how much traffic passes over a typical network every day. Most networks handle a ton of traffic, and a large portion of it might not even be encrypted. Password sniffing requires that you have physical or logical access to the device. If that can be achieved, you can sniff the credentials right off the wire as users log in.

One such technique is to pass the hash. Passing the hash enables the hacker to authenticate to a remote server by using the underlying NTLM and/or LM hash of a user’s password, instead of using the associated plain-text password. Mimikatz is a pass the hash application that enables an attacker to authenticate to a remote server using the LM/NTLM hash of a user’s password, eliminating the need to crack/brute-force the hashes to obtain the clear-text password. Because Windows does not salt passwords, they remain static in LSASS from session to session until the password is changed. If the password is stored in LSASS and the attacker can obtain a password hash, it can be functionally equivalent to obtaining the clear-text password. Rather than attempting to crack the hash, attackers can simply replay it to gain unauthorized access. You can download this pass the hash toolkit at


Although tools like pass the hash are very powerful in the right environment, keep in mind that the default setting in Windows 8 and Windows 10 is to not store plain-text passwords in LSASS.

Besides tools to capture Windows authentications, there are tools to capture and crack Kerberos authentication. The Kerberos protocol was developed to provide a secure means for mutual authentication between a client and a server. It enables the organization to implement single sign-on (SSO). You should already have a good idea if Kerberos is being used, because you most likely scanned port 88, the default port for Kerberos, in an earlier step.

KerbCrack, a tool from, can be used to attack Kerberos. It consists of two separate programs. The first portion is a sniffer that listens on port 88 for Kerberos logins, and the second portion is used as a cracking program to dictionary or brute-force the password. If all this talk of sniffing has raised your interest in the topic, you’ll enjoy Chapter 6, “Sniffers, Session Hijacking, and Denial of Service,” which covers sniffers in detail.


If none of the options discussed previously are feasible, there is still keystroke logging, which is discussed next.


Keyloggers (aka keystroke loggers) are software or hardware devices used to monitor keyboard activity. Although an outsider to a company might have some trouble getting one of these devices installed, an insider is in a prime position.

Hardware keystroke loggers are usually installed while users are away from their desks and are completely undetectable, except for their physical presence. When was the last time you looked at the back of your computer? Even then, they can be overlooked because they resemble a keyboard extension cable or adapter. KeyGhost Ltd ( has a large collection. Some hardware keyloggers use Wi-Fi, which means that after the keylogger is deployed, the attacker does not have to retrieve the device and can communicate with it remotely via wireless or Bluetooth connection.

Software keystroke loggers sit between the operating system and the keyboard. Most of these software programs are simple, but some are more complex and can even email the logged keystrokes back to a preconfigured address. What they all have in common is that they operate in stealth mode and can grab all the text a user enters. Table 4-4 lists some common keystroke loggers.

Table 4-4 Software Keystroke Loggers

PC Activity Monitor

Veriato Investigator


Using a keystroke logger is one way to obtain usernames and passwords.

Privilege Escalation and Exploiting Vulnerabilities

If the attacker can gain access to a Windows system as a standard user, the next step is privilege escalation. This step is required because standard user accounts are limited; to be in full control, administrator access is needed. Two good examples include Spectre and Meltdown, which take advantage of vulnerabilities found in CPUs from AMD and Intel. If an attacker can exploit Spectre, she can read adjacent memory locations of a process and access information for which she is not authorized. If Meltdown is exploited, the attacker can escalate privileges by forcing an unprivileged process to read adjacent memory locations. Privilege escalation might not always be an easy task because privilege-escalation tools must be executed on the victim’s system. How do you get the victim to help you exploit a vulnerability? Common techniques include the following:

  • Exploiting the OS or an application

  • Manipulating an access token

  • Path interception

  • Tricking the user into executing the program

  • Scheduling a task

  • Creating a webshell to inject a malicious script

  • Gaining interactive access to the system, such as Terminal Services Web Access (TS Web Access), Microsoft Remote Desktop, Bomgar, and so on


One means of privilege escalation is through dynamic link library (DLL) injection. Many Windows applications do not use the fully qualified path when loading an external DLL. As such, if the attacker can get a malicious DLL loaded in place of the real DLL, the malicious DLL will be executed.


Privilege escalation is not just for Windows. In MacOS, when applications are loading an external dynamic library, the loader searches in multiple directories. If an attacker can inject a malicious library into one of these directories, that library can potentially be executed.

Exploiting an Application

Sometimes a hacker can get lucky and exploit a built-in application. For example, when you press the Shift key five or more times, Windows opens StickyKeys options for you. The resulting dialog box that appears is an interface to enable the use of StickyKeys, which is a Windows feature to aid physically disabled users. There is nothing wrong with the use of this feature. The only problem is how it is implemented. If an attacker can gain access, it might be possible to replace sethc.exe with cmd.exe. After replacing the file, you can invoke the command prompt and execute explorer.exe and commands with full access to the computer.

This attack works because it slips through all of Windows’ protection checks. Windows first checks whether the .exe is digitally signed, which cmd.exe is. Next, it checks that the .exe is located in the system directory (%systemroot%\system32), thus validating its integrity level and administrator permissions. Windows then checks to make sure the executable is on its internal list of Windows protected system files and known to be part of the OS, which cmd.exe is, and therefore it passes. Windows thinks that it is launching the accessibility feature StickyKeys, but instead, it is launching shellcode running as LocalSystem.

Exploiting a Buffer Overflow

What is a buffer overflow? It is like trying to pour a liter of your favorite soda into a 12-ounce cup! Buffers have a finite amount of space allocated for any one task. For example, if you allocate a 24-character buffer and then attempt to stuff 32 characters into it, you’re going to have a real problem.

A buffer is a temporary data storage area whose length is defined in the program that creates it or by the operating system. Ideally, programs should be written to check that you cannot stuff 32 characters into a 24-character buffer. However, this type of error checking does not always occur. Error checking is really nothing more than making sure that buffers accept only the correct type and amount of information required.

Programs are vulnerable to buffer overflows for a variety of reasons, although primarily because of poor error checking. The easiest way to prevent buffer overflows is to stop accepting data when the buffer is filled. This task can be accomplished by adding boundary protection. C programs are especially susceptible to buffer-overflow attacks because C has many functions that do not properly check for boundaries. If you are familiar with C, you probably remember coding a program similar to the one shown here:

#include <stdio.h>

int main(void)
{
    printf("%s", "Hello, World!");
    return 0;
}

This simple “Hello World!” program might not be vulnerable, but it doesn’t take much more than this for a buffer overflow to occur. Table 4-5 lists functions in the C language that are vulnerable to buffer overflows.

Table 4-5 Common C Functions Vulnerable to Buffer Overflow

  • Copies the content pointed by src to dest, stopping after the terminating null character is copied

  • Gets line from file pointer

  • Copies n bytes from one string to another; might overflow the dest buffer

  • Reads a line from the standard input stream stdin and stores it in a buffer

  • Appends src string to dest string

  • Moves one buffer to another

  • Reads data from the standard input (stdin) and stores it in the locations given by arguments

  • Copies num bytes from the src buffer to memory location pointed by destination

It’s not just these functions that cause buffer-overflow troubles for programmers; the practice of making assumptions is another source. It is easy for programmers to assume that users will enter the right kind or the right amount of data, leaving the door open for hackers to cause buffer overflows. Higher-level programming languages, such as Perl, are more immune to such problems, but the C language provides little protection, and neither does assembly language. Even if most of your program is written in another language, many library routines are written in C or C++, so you might not have as complete protection from buffer overflows as you think.

It’s also important to realize that vulnerabilities to buffer overflows, memory corruption, and heap attacks are patched over time. Therefore, these exploits work only for specific versions of operating systems or applications. Heap spraying is the act of loading a large amount of data in the heap along with some shellcode. The aim of placing all this data onto the heap is to create the right conditions in memory to allow the shellcode to be executed.

Java is another application that has been exploited in several attacks. One example is the Java watering-hole attacks. Stack-based buffer overflows in the Java Stored Procedure infrastructure allow remotely authenticated users to execute arbitrary code by leveraging certain CONNECT and EXECUTE privileges.


Keeping systems and applications patched is one of the best countermeasures to defend against buffer overflows and privilege-escalation tools.


Privilege escalation includes both vertical and horizontal escalation. Vertical privilege escalation refers to gaining higher privileges. For example, the hacker gains access as a user and escalates to a superuser. Horizontal privilege escalation refers to acquiring the same level of privilege (lateral) that already has been granted by assuming the identity of another user with similar privileges.

Owning the Box

One of the first activities an attacker wants to do after he owns the box and has covered his tracks (or attempted to) is to make sure that he has continued access. One way to ensure continued access is to compromise other accounts. Accessing the SAM is going to give the attacker potential access to all the passwords. SAM contains the user account passwords stored in their hashed form. SYSKEY adds a second layer of 128-bit encryption. After being enabled, this key is required by the system every time it is started so that the password data is accessible for authentication purposes.

Attackers can steal the SAM through physical or logical access. If physical access is possible, the SAM can be obtained from the NT ERD (Emergency Repair Disk) from C:\winnt\repair\sam. Newer versions of Windows place a backup copy in C:\winnt\repair\regback\sam, although SYSKEY prevents this from easily being cracked. One final note here is that you can always reset the passwords. If you have physical access, you can use tools such as LINNT and NTFSDOS to gain access. NTFSDOS can mount any NTFS partition as a logical drive. NTFSDOS is a read-only network file system driver for DOS/Windows. If loaded onto a CD or thumb drive, it makes a powerful access tool. Logical access presents some easier possibilities. The Windows SAM database is a binary format, so it’s not easy to directly inspect. Tools such as PWdump and LCP can be used to extract and crack SAM. Before those programs are examined, let’s briefly review how Windows encrypts passwords and authenticates users.

Windows Authentication Types

Windows supports many authentication protocols, including those used for network authentication, dialup authentication, and Internet authentication. For network authentication and local users, Windows supports Windows NT Challenge/Response, also known as NTLM. Windows authentication algorithms have improved over time. The original LAN Manager (LM) authentication has been replaced by NTLMv2. Windows authentication protocols include the following:

  • LM authentication: Used by 95/98/Me and is based on DES

  • NTLM authentication: Used by NT until Service Pack 3 and is based on DES and MD4

  • NTLM v2 authentication: Used post-NT Service Pack 3 and is based on MD4 and MD5

  • Kerberos: Implemented first in Windows 2000 and can be used by all current versions of Windows, including Server 2012 and Windows 10

Because of backward compatibility, LM may still be used in some situations where legacy devices are found. LM encrypted passwords are particularly easy to crack because the password is uppercased, padded to 14 characters, and divided into two 7-character parts. The two hashed results are concatenated and stored as the LM hash, which is stored in SAM. To see how weak this system is, consider the following example. Let’s say that an LM password to be encrypted is Dilbert!:

  1. When this password is encrypted with an LM algorithm, it is converted to all uppercase: DILBERT!

  2. Then the password is padded with null (blank) characters to make it a 14-character length: DILBERT!_ _ _ _ _ _

  3. Before encrypting this password, the 14-character string is divided into two 7-character pieces: DILBERT and !_ _ _ _ _ _

  4. Each string is encrypted individually, and the results are concatenated together.

With the knowledge of how LM passwords are created, examine the two following password entries that have been extracted from SAM with PWdump7:

Bart: 1001:

Homer: 1002:

Notice how each entry has been extracted in two separate character fields. As you can see, the first half of each portion of the hash ends with 1404EE. That is the padding, and it is how password-cracking programs know the length of the LM password. It also aids in password-cracking time. Just consider the original Dilbert! example. If extracted, one seven-character field will hold Dilbert, whereas the other only has one character (!).

Cracking 1 character or even 7 is much easier than cracking a full 14. Fortunately, Windows has moved on to more secure password algorithms. Windows can use six levels of authentication now, as shown in Table 4-6. Using longer passwords, greater than 14 characters, and stronger algorithms is one of the best defenses against cracking passwords.
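The padding tell described above can be checked mechanically. The Python example below, added here and not part of the chapter, reproduces the first three LM steps (uppercase, pad with nulls to 14, split into two 7-byte halves) and then audits pwdump-style lines: because the LM hash of an all-null half is the fixed value AAD3B435B51404EE, a second half equal to that constant means the password was 7 characters or fewer, and an LM field of NO PASSWORD means no LM hash is stored at all. The dump lines are constructed and their hex values are placeholders, not real hashes; only EMPTY_HALF is a real constant.

```python
"""LM pre-processing and a pwdump-style audit for weak LM storage.

Added example; SAMPLE_DUMP is constructed with placeholder hex, not real hashes."""

# LM hash of a 7-byte all-NUL half (real, well-known constant).  A stored LM
# hash whose second half equals it came from a password of 7 chars or fewer.
EMPTY_HALF = "AAD3B435B51404EE"
# Marker pwdump-style tools print when a hash field holds the empty hash.
NO_PASSWORD = "NO PASSWORD*********************"

# Constructed dump in the user:RID:LM hash:NT hash::: layout.
SAMPLE_DUMP = """\
jack:500:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
martha:1001:0123456789ABCDEF0123456789ABCDEF:00112233445566778899AABBCCDDEEFF:::
ben:1000:NO PASSWORD*********************:00112233445566778899AABBCCDDEEFF:::
guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
"""


def lm_preprocess(password):
    """Steps 1-3 from the chapter: uppercase, pad with NULs to 14 bytes and
    split into two 7-byte halves.  LM ignores anything past 14 characters,
    so each half is hashed with no knowledge of the other."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def classify_lm(lm_hash):
    """Describe what a 32-hex-digit LM field reveals about the password."""
    lm = lm_hash.upper()
    if lm == NO_PASSWORD:
        return "no LM hash stored"
    if lm == EMPTY_HALF * 2:
        return "empty password"
    if lm[16:] == EMPTY_HALF:
        return "LM stored, password 7 chars or fewer"
    return "LM stored, password 8 to 14 chars"


def audit_dump(text):
    """Map each account in a pwdump-style dump to its finding."""
    findings = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, _, lm, nt = parts[:4]
        if lm == NO_PASSWORD and nt == NO_PASSWORD:
            findings[user] = "empty password"
        else:
            findings[user] = classify_lm(lm)
    return findings


if __name__ == "__main__":
    print(lm_preprocess("Dilbert!"))
    for user, finding in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {finding}")
```

Any account reported as "LM stored" is a finding regardless of password length: the fix is to disable LM hash storage and require passwords longer than 14 characters, as the paragraph above recommends.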

Table 4-6 LM, NTLM, and NTLM2

Kerberos authentication started with Windows 2000 and is the default authentication on all current versions of Microsoft Windows products. Kerberos is considered a strong form of authentication.

Cracking Windows Passwords

One direct way to remove the passwords from a local or remote system is by using L0phtCrack. L0phtCrack is a Windows password-cracking tool. LC7 is the current version. It can extract hashes from the local machine or a remote machine and can sniff passwords from the local network if you have administrative rights.

Tools such as FGdump and PWdump are other good password-extraction tools. You can find download links to PWdump at This command-line tool can bypass SYSKEY encryption if you have administrative access. PWdump works by a process of dynamic link library (DLL) injection. This allows the program to hijack a privileged process. PWdump7, the current version, was expanded to allow remote access to the victim system. The program is shown here:

C:\pwdump>pwdump7 > password.txt

For PWdump7 to work correctly, you need to establish a session to an administrative share. The resulting text file reveals the hashed passwords:

C:\pwdump>type password.txt
Jack:       500:       A34A4329AAD3MFEB435B51404EE:
Ben:        1000:      466C097A37B26C0CAA5B51404EE:
Guest:        501:       NO PASSWORD*********************:
                                NO PASSWORD*********************:
Martha:     1001:      D79135112A43EC2AAD3B431404EE:
Curley:     1002:      D83A4FB0461F70A3B435B51404EE:

With the hashed passwords safely stored in the text file, the next step is to perform a password crack. Historically, three basic types of password cracking exist: dictionary, hybrid, and brute-force attacks.

A dictionary password attack pulls words from the dictionary or word lists to attempt to discover a user’s password. A dictionary attack uses a predefined dictionary to look for a match between the encrypted password and the encrypted dictionary word. Many times, dictionary attacks will recover a user’s password in a short period of time if simple dictionary words are used.

A hybrid attack uses a dictionary or a word list and then prepends and appends characters and numbers to dictionary words in an attempt to crack the user’s password. These programs are comparatively smart because they can manipulate a word and use its variations. For example, take the word password. A hybrid password audit would attempt variations such as 1password, password1, [email protected], pa44w0rd, and so on. Hybrid attacks might add some time to the password-cracking process, but they increase the odds of successfully cracking an ordinary word that has had some variation added to it.

A brute-force attack uses random numbers and characters to crack a user’s password. A brute-force attack on an encrypted password can take hours, days, months, or years, depending on the complexity and length of the password. The speed of success depends on the processing power available. Brute-force audits attempt every combination of letters, numbers, and characters.
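The three attack types map directly onto a password-policy check. The Python example below, added here and not taken from any of the cracking tools named in the chapter, works in the opposite direction from a cracker: it normalizes a candidate password by stripping leading and trailing digits and symbols and undoing the common character substitutions a hybrid audit tries, then asks whether what remains is a plain dictionary word. It also estimates the worst-case brute-force time from keyspace and guess rate. The wordlist is a constructed stand-in for a real one.

```python
"""Would a dictionary or hybrid attack recover this password quickly?

Added example for a password-policy check; WORDLIST is a constructed stand-in."""
import string

# Constructed stand-in for a real dictionary/wordlist.
WORDLIST = {"password", "welcome", "dilbert", "summer", "letmein"}

# Substitutions a hybrid audit tries, undone here to normalize the candidate.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate):
    """Lowercase, drop digits/symbols glued to either end, undo leetspeak."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def trivially_crackable(candidate, wordlist=WORDLIST):
    """Return 'dictionary' for a bare wordlist entry, 'hybrid' for a simple
    variation of one, or None when neither quick attack applies."""
    if candidate.lower() in wordlist:
        return "dictionary"
    core = normalize(candidate)
    if core and core in wordlist:
        return "hybrid"
    return None


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case seconds to exhaust a keyspace of alphabet_size**length."""
    return alphabet_size ** length // guesses_per_second


if __name__ == "__main__":
    for pw in ("password", "1password", "p@ssw0rd", "Dilbert!", "correct-horse-battery"):
        print(f"{pw!r}: {trivially_crackable(pw)}")
    # 8 printable-ASCII characters at one million guesses per second.
    print("8-char brute force, seconds:", brute_force_seconds(8, 95, 1_000_000))
```

The normalizer deliberately errs on the side of flagging: a candidate that collapses to a wordlist entry after stripping is exactly what a hybrid rule would regenerate in a few extra guesses.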

Tools such as L0phtCrack, LCP, Cain and Abel, and John the Ripper can all perform dictionary, hybrid, and brute-force password cracking. The most popular are explained in the following list:

  • Cain and Abel is a multipurpose tool that can perform a variety of tasks, including password cracking, Windows enumeration, and Voice over IP (VoIP) sniffing. The password-cracking portion of the program can perform dictionary/brute-force attacks and can use precomputed rainbow tables. It is shown in Figure 4-4. Notice the many types of password cracking it can perform.

    A screenshot of Cain and Abel window is illustrated. The menu bar includes five tabs: file, view, configure, tools, and help. The left navigation pane lists the various types of hashes of crackers. The right pane has six columns in which the first line ASPNET is highlighted with a pop-up dialog box on it.

    Figure 4-4 Cain and Abel

  • John the Ripper is another great password-auditing tool. It is available for 11 types of UNIX systems, plus Windows. It can crack most common passwords, including Kerberos AFS and Windows hashes. Also, a large number of add-on modules are available for John the Ripper that can enable it to crack Open-VMS passwords, Windows credentials cache, and MySQL passwords. Just remember that the cracked passwords are not case sensitive and might not represent the real mixed-case password. A determined attacker can overcome this small hindrance.

Years ago, dictionary, hybrid, and brute-force attacks were the primary methods used to recover passwords or attempt to crack them. Many passwords were considered secure just because of the time it would take to crack them. This time factor was what made these passwords seem secure. If given enough time, the password could be cracked, but it might take several months. A relatively new approach to password cracking has changed this belief. It works by means of a rainbow table. The RainbowCrack technique is the implementation of Philippe Oechslin’s faster time-memory trade-off technique. It works by precomputing all possible passwords in advance. After this time-consuming process is complete, the passwords and their corresponding encrypted values are stored in a file called a rainbow table. An encrypted password can be quickly compared to the values stored in the table and cracked within a few seconds. RainbowCrack and Ophcrack are examples of two such programs.

Ophcrack is a password-cracking tool that implements the rainbow table techniques previously discussed. What’s most important to note here is that if a password is in the rainbow table, it will be cracked quickly. The Ophcrack website also lets you enter a hash and reveal the password in just a few seconds.


CEH exam candidates should understand how both Windows and Linux passwords are structured.

Linux Authentication and Passwords

Linux requires that user accounts have a password, but by default it will not prevent you from leaving one set as blank. During installation, Linux gives the user the choice of setting the password encryption standard. Most versions of Linux, such as Fedora and others, use message digest algorithm 5 (MD5) by default. If you choose not to use MD5, you can choose Data Encryption Standard (DES); be aware, however, that it limits passwords to eight alphanumeric characters. Linux also includes the /etc/shadow file for additional password security. Take a look at an entry from an /etc/shadow file here:


Moving the passwords to the shadow file makes it less likely that the encrypted password can be decrypted, because only the root user has access to the shadow file. The format of the password file is as follows:


An easy way to examine the passwd file is shown here:

[[email protected] /root]# cat /etc/passwd
ftp:x:14:50:FTP User:/home/ftp:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false

Notice that the second field has an “X” (mike:x:503). That is because the passwords have been shadowed. Because so many hacking tools are Linux only, you should know some basic Linux commands so you can navigate distributions such as Kali. Table 4-7 describes some of these basic commands.

Table 4-7 Linux Commands

  • Lists the contents of a file

  • Changes directory

  • Changes file and folder rights and ownership

  • The copy command

  • Shows the history of up to 500 commands

  • Similar to ipconfig in Windows

  • Kills a running process by specifying the PID

  • Lists the contents of a folder

  • Opens manual pages

  • Command to move file and directories

  • Command to change your password

  • The process status command

  • Prints the working directory path

  • Removes a file

  • rm -r: Removes a directory and all its contents

  • Pauses a program

  • Puts the current program into the background

  • Puts the current program to sleep

Just as in the world of Microsoft, Linux users must be managed in an organized way. Access for users and system processes is controlled through the assignment of a user ID (UID) and a group ID (GID). Groups are the logical grouping of users who have similar requirements. This information is contained in the /etc/passwd file. As an ethical hacker, it is critical that you understand the importance of this file. Just imagine that you came into work and found the following in a syslog file:

env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'

Without a basic knowledge of Linux, would you know that an attacker is attempting to use Shellshock to export the contents of passwd to the screen of his or her computer?
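What makes that line recognizable is the function-definition prefix "() {" followed by further commands in an environment variable value. The Python example below, added here and not part of the chapter, turns that tell into a log check: it flags any line carrying the pattern, whether it arrives in a syslog entry like the one above or in a web server's User-Agent field. The log lines are constructed.

```python
"""Flag Shellshock-style payloads in log lines.

Added example; the sample lines are constructed."""
import re

# The exploit relies on a variable value that starts with a bash function
# body "() { ... }" and then carries extra commands after the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed samples: a syslog line, an access-log line with the payload in
# the User-Agent field, and two benign lines.
SAMPLE_LINES = [
    "env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'",
    '203.0.113.7 - - [01/Mar/2024:09:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c \'cat /etc/passwd\'"',
    '203.0.113.8 - - [01/Mar/2024:09:00:05 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    "sshd[1234]: Accepted publickey for mike from 10.0.0.2 port 51000",
]


def is_shellshock(line):
    """True when the line carries a function-definition-plus-command value."""
    return SHELLSHOCK_RE.search(line) is not None


def scan(lines):
    """Return the indices of suspicious lines so they can be pulled for review."""
    return [i for i, line in enumerate(lines) if is_shellshock(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(f"line {i}: {SAMPLE_LINES[i]}")
```

Note that the check keys on the structure of the value, not on what follows it, so it catches payloads whose command differs from the cat /etc/passwd shown above.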

Even if an attacker was able to access your passwords, Linux systems provide another layer of security in that they salt passwords. Salts are needed to add a layer of randomness to the passwords. Because MD5 is a hashing algorithm, if I were to use secret for my password and another user used secret for his password, encrypted values would look the same. A salt can be one of 4,096 values and helps further scramble the password. Under Linux, the MD5 password is 32 characters long and begins with $1$. The characters between the second and third $ represent the salt. In the previous example, that value is Gjt/eO.e. Passwords created in this way are considered to be one-way. That is, there is no easy way to reverse the process.
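The salt and scheme can be read straight out of a shadow entry. The Python example below, added here and not part of the chapter, parses /etc/shadow-style lines, returns the hashing scheme and salt (the salt sits between the second and third $, as described above; later schemes may insert a rounds= or parameter field first), and flags the two conditions the chapter warns about: blank passwords and legacy MD5 or DES hashing. The entries are constructed; the salt Gjt/eO.e is the value quoted above, and the hash strings are placeholders rather than real crypt output.

```python
"""Parse /etc/shadow-style entries and flag weak password storage.

Added example; SAMPLE_SHADOW is constructed and its hash strings are placeholders."""

# crypt(3) scheme identifiers.
SCHEMES = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt",
           "5": "sha256", "6": "sha512", "y": "yescrypt"}

# Constructed entries: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$rounds=5000$c0nstructedSalt$placeholderhashplaceholderhashplaceholderhash:19783:0:99999:7:::
mike:$1$Gjt/eO.e$placeholderhashplacehol:19783:0:99999:7:::
ftp::19783:0:99999:7:::
xfs:*:19783:0:99999:7:::
sshd:!:19783:0:99999:7:::
"""


def parse_hash(field):
    """Return (scheme, salt) for a crypt-style field, or (state, None) when
    the field is empty or the account is locked."""
    if field == "":
        return "empty", None
    if field[0] in "!*":
        return "locked", None
    if not field.startswith("$"):
        return "des", field[:2]          # traditional DES: 2-char salt prefix
    parts = field.split("$")             # ['', id, ...]
    scheme = SCHEMES.get(parts[1], "unknown")
    rest = parts[2:]
    if scheme == "bcrypt":
        salt = rest[1][:22]              # $2b$cost$<22-char salt><hash>
    elif scheme == "yescrypt":
        salt = rest[1]                   # $y$params$salt$hash
    elif rest and rest[0].startswith("rounds="):
        salt = rest[1]                   # $6$rounds=N$salt$hash
    else:
        salt = rest[0]                   # $1$salt$hash
    return scheme, salt


def audit(text):
    """Return sorted (user, issue) pairs for blank or legacy-hashed passwords."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        scheme, _ = parse_hash(field)
        if scheme == "empty":
            findings.append((user, "empty password"))
        elif scheme in ("md5", "des"):
            findings.append((user, f"legacy hash scheme: {scheme}"))
    return sorted(findings)


if __name__ == "__main__":
    print(parse_hash("$1$Gjt/eO.e$placeholderhashplacehol"))
    for user, issue in audit(SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```

Locked accounts (a leading ! or *) are reported as neither finding, because no password can authenticate against them at all.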

The shadow file isn’t the only way to help guard against attackers who try to bypass the authentication process. There are other, more advanced ways to protect resources. If a new authentication scheme is going to be used, you need a way to alert applications to this fact without having to rewrite every piece of code already developed. The answer to this challenge is the use of pluggable authentication modules (PAM). PAMs enable a program designer to forgo the worry of the types of authentication that will be performed and concentrate on the application itself. FreeBSD, Linux, Solaris, and others use PAMs. The role of a PAM is to control the interaction between the user and authentication. This might be Telnet, FTP, logging in to the console, or changing a password. PAMs support stronger authentication schemes, such as Kerberos, S/Key, and RADIUS. The directory that holds the configuration file and modules specific to a PAM is in /etc/pam.d/.

Cracking Linux Passwords

All this talk of passwords brings up the issue of password security. Just as in the world of Microsoft, Linux has a host of password-cracking tools available such as Hashcat, Ophcrack, and John the Ripper.


John the Ripper is available at

It is probably the most well-known and most versatile password-cracking program around. Best of all, it’s free and supports six different password-hashing schemes that cover various flavors of UNIX and the Windows LANMan hashes. It can use specialized word lists or password rules based on character type and placement. It runs on more than 12 operating systems and comes preinstalled on many Linux distributions. Before you go out and start cracking passwords, spend a few minutes to check out the various options by issuing ./john -h from the command line. You can verify that John works by running it in test mode. This command generates a baseline cracking speed for your system:

[[email protected] /root]#./john -test
Benchmarking: Traditional DES [32/32 BS]... DONE
Many salts: 160487 c/s real, 161600 c/s virtual
Only one salt:144262 c/s real, 146978 c/s virtual
Benchmarking: BSDI DES (x725) [32/32 BS]... DONE
Many salts: 5412 c/s real, 5280 c/s virtual
Only one salt:5889 c/s real, 5262 c/s virtual
Benchmarking: FreeBSD MD5 [32/32 X2]... DONE
Raw:3666 c/s real, 3246 c/s virtual
Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:241 c/s real, 227 c/s virtual
Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:70438 c/s real, 72263 c/s virtual
Long: 192506 c/s real, 200389 c/s virtual
Benchmarking: NT LM DES [32/32 BS]... DONE
Raw:1808844 c/s real, 1877553 c/s virtual

Review the results of the FreeBSD MD5 and NT LM DES benchmarks. The cracks per second (c/s) difference between these two is a factor of more than 500, which means that a complete brute-force attack will take more than 500 times longer against password hashes on a FreeBSD system than against a Windows system. On which of those systems would you rather hold critical data?


Regardless of the OS, the steps that can be taken to protect passwords come back to the analogy of toothbrushes. “They should be changed often, not shared with others, and used only by you!”

Hiding Files and Covering Tracks

Before moving on to other systems, the attacker must attend to a few unfinished items. According to Locard’s exchange principle, “Whenever someone comes in contact with another person, place, or thing, something of that person is left behind.” This means that the attacker must disable logging, clear log files, eliminate evidence, plant additional tools, and cover his tracks. If this is on a Linux system, the attacker may attempt to stop the syslog server with /etc/init.d/syslogd stop. Listed here are some of the techniques that an attacker can use to cover his tracks.

  • Disabling logging: Auditpol, a Windows tool for auditing policies, works well for hackers, too, as long as they have administrative access. Just point it at the victim’s system as follows:

C:\>auditpol \ /disable
Auditing Disabled

  • Clearing the log file: The attacker will also attempt to clear the log. Tools such as Winzapper, Evidence Eliminator, and ELSave can be used. ELSave will remove all entries from the logs, except one entry that shows the logs were cleared. It is used as follows:

elsave -s \ -l "Security" -C

One way for attackers to cover their tracks is with rootkits.


After an attacker is on a Linux system and has made himself root, he will be concerned with maintaining access and covering his tracks. One of the best ways to maintain access is with a rootkit. A rootkit contains a set of tools and replacement executables for many of the operating system’s critical components. Once installed, a rootkit can be used to hide evidence of the attacker’s presence and to give the attacker backdoor access to the system. Rootkits require root access, but in return, they give the attacker complete control of the system. The attacker can come and go at will and hide his activities from the administrator. Rootkits can contain log cleaners that attempt to remove all traces of an attacker’s presence from the log files.

Traditionally, rootkits replaced binaries, such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof, and ps, with Trojaned versions that were written to hide certain processes or information from the administrators. Rootkits of this type are detectable because of the change in the size of the Trojaned binaries. Tools such as MD5Sum and Tripwire can be a big help in uncovering these types of hacks. Rootkits can be divided into several categories:

  • Hypervisor: Modifies the boot sequence of a virtual machine

  • Hardware/firmware: Hides in hardware or firmware

  • Bootloader: Replaces the original bootloader

  • Library level: Replaces original system calls

  • Application level: Replaces application binaries with fake ones

  • Loadable kernel level: Adds malware to the security kernel

Some rootkits target the loadable kernel module (LKM). A kernel rootkit is loaded as a driver or kernel extension. Because kernel rootkits corrupt the kernel, they can do basically anything, including avoiding detection by many software methods. The best way to avoid these rootkits is just to recompile the kernel without support for LKMs. Some rootkits can also hide their existence by using application programming interface (API) hooks. These hooks usually work only against other processes on the infected computer while the system is running. If the system is analyzed as a static drive or by a third-party system, the existence of the hooks may become apparent.

Although the use of rootkits is widespread, many administrators still don’t know much about them. The following list describes a few of these rootkits:

  • Avatar: This rootkit does not replace system binaries, because it uses a driver infection technique. Avatar makes use of a dropper to prevent detection by intrusion detection. It targets x86 systems.

  • Necurs: This malware was first seen in 2011 but was later incorporated into the Gameover Zeus botnet. It installs a kernel-mode rootkit.

  • Azazel: This rootkit is a userland rootkit based off the Jynx rootkit. The term userland references all code that runs outside the operating system’s kernel. Azazel is focused heavily on anti-debugging and anti-detection.

  • Horse Pill: This Linux rootkit resides in the initrd.

  • GrayFish: This rootkit targets the Windows kernel and injects malicious code into the boot record.

  • Zeroaccess: A kernel-mode rootkit that uses advanced techniques to hide its presence and is designed to infect Windows computers. It can be used as a dropper to load other malware and contains a strong self-defense functionality.


Make sure that you can describe a kernel rootkit and how it differs from an application rootkit.

How should an ethical hacker respond if he believes that a system has been compromised and has had a rootkit installed? Your first action will most likely be to remove the infected host from the network. An attacker who knows that he has been discovered might decide to trash the system in an attempt to cover his tracks. After isolating the host from the network, you can then begin the process of auditing the system and performing some forensic research. A number of tools enable you to detect rootkits. Most work by one or more of the following techniques: integrity-based detection, signature-based detection, cross-view detection, and heuristic detection. Tools that you can use to audit suspected rootkit attacks include the following:

  • Chkrootkit: An excellent tool that enables you to search for signs of a rootkit.

  • RootKitRevealer: A standalone utility used to detect and remove complex rootkits.

  • McAfee Rootkit Detective: Designed to look for and find known rootkits. It can examine system binaries for modification.

  • Trend Micro RootkitBuster: Another tool that scans file and system binaries for known and unknown rootkits.
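The integrity-based detection technique mentioned above, as an added example that is not from the book or from any of the tools listed: a minimal Tripwire-style baseline and verify pass over the binaries the chapter names as classic replacement targets. The demo builds a constructed stand-in for /bin in a temporary directory, so it runs without touching the real system.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Binaries the chapter lists as classic targets for Trojaned replacements.
WATCHED = ["ls", "ifconfig", "inetd", "killall", "login", "netstat",
           "passwd", "pidof", "ps"]

def fingerprint(path):
    """Content hash plus the metadata a replaced binary usually disturbs."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "inode": st.st_ino}

def build_baseline(bindir, names=WATCHED):
    """Record fingerprints while the system is known clean; keep the result
    off-box, because a rootkit running as root can edit a local baseline."""
    return {n: fingerprint(os.path.join(bindir, n))
            for n in names if os.path.isfile(os.path.join(bindir, n))}

def verify(bindir, baseline):
    """Compare live binaries with the baseline; returns (name, reason) pairs."""
    findings = []
    for name, expected in baseline.items():
        path = os.path.join(bindir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
            continue
        current = fingerprint(path)
        changed = [k for k in ("sha256", "size", "mode", "inode")
                   if current[k] != expected[k]]
        if changed:
            findings.append((name, "modified:" + ",".join(changed)))
    return findings

def demo():
    """Constructed scenario: a temporary stand-in for /bin is baselined clean,
    then ps is overwritten with a Trojaned stand-in and netstat is removed."""
    bindir = tempfile.mkdtemp()
    try:
        for n in ("ps", "netstat", "ls"):
            with open(os.path.join(bindir, n), "wb") as f:
                f.write(b"#!/bin/sh\necho clean " + n.encode() + b"\n")
        baseline = build_baseline(bindir)
        with open(os.path.join(bindir, "ps"), "wb") as f:   # same inode, new content
            f.write(b"#!/bin/sh\n# constructed stand-in for a Trojaned ps\n")
        os.remove(os.path.join(bindir, "netstat"))
        return sorted(verify(bindir, baseline))
    finally:
        shutil.rmtree(bindir)
```

A kernel-level rootkit can lie to this check as easily as to ls, which is why the chapter pairs integrity checking with offline analysis of the drive from a clean system.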


If the thought of chasing down hackers and working on incident response excites you, check out another EC-Council certification, the Certified Hacking Forensic Investigator (CHFI).

File Hiding


Various techniques are used by attackers to hide their tools on the compromised computer. Some attackers might attempt to use the attrib command to hide files, whereas others might place their files in low-traffic areas. A more advanced method is to use NTFS alternate data streams (ADS). NTFS ADSs were developed to provide compatibility with structures outside the Windows world, such as the Macintosh Hierarchical File System (HFS), which uses resource forks to keep information such as icons associated with a file.

The streams are a security concern because an attacker can use them to hide files on a system. ADSs give attackers a way to hide malware or hacking tools on a system and execute them later without the system administrator noticing. Because the streams are almost completely hidden, they represent a near-perfect hiding spot on a file system, allowing the attacker to stash his tools until he needs them. An ADS is essentially a file that can be executed. To delete a stream, delete the file it is attached to (or copy that file to a FAT file system; that destroys the stream because FAT does not support ADS). To create an ADS, issue the following command:

Type >

This command streamed behind readme.txt. This is all that is required to stream the file. Now the original secret file can be erased:


All the hacker must do to retrieve the hidden file is to type the following:

Start c:

This will execute the ADS and open the secret file. Tools that can detect streamed files include the following:

  • Streams: A Microsoft tool

  • Sfind: A forensic tool for finding streamed files

  • LNS: Another tool used for finding streamed files, developed by

Linux does not support ADS, although an interesting slack space tool is available called Bmap, which you can download from This Linux tool can pack data into existing slack space. Anything could be hidden there, as long as it fits within the available space or is parsed up to meet the existing size requirements.

One final step for the attacker is to gain a command prompt on the victim’s system. This allows the attacker to actually be the owner of the box. Tools that allow the attacker to have a command prompt on the system include Psexec, Remoxec, and Netcat. After the attacker has a command prompt on the victim’s computer, he will usually restart the methodology, looking for other internal targets to attack and compromise. At this point, the methodology is complete. As shown in Figure 4-5, the attacker has come full circle.

The methodology overview represents a cyclic process broken down into six distinct phases. Reading the cycle clockwise, the phases are reconnaissance, scanning and enumeration, gaining access, escalation of privilege, maintaining access, and covering tracks.

Figure 4-5 Methodology Overview


In this chapter, you learned about Windows and Linux OS enumeration and system hacking. Enumeration of Windows systems can be aided by SMB, the IPC$ share, SMTP, SNMP, and DNS. Each offers opportunities for the attacker to learn more about the network and systems he is preparing to attack. The goal of enumeration is to gather enough information to map the attack surface, which is a collection of potential entry points. It might be a buffer overflow, an unsecure application, such as SNMPv1 or 2, or even a weak password that is easily guessed.

System hacking represents a turning point, which is the point at which the attacker is no longer probing but is actually attacking the systems and attempting to break in. System hacking might start with a low-level account. One key component of system hacking is escalation of privilege, which is the act of exploiting a bug, design flaw, or configuration oversight to gain elevated access. The attacker’s overall goal is to own the system. After spending time gaining access, the attacker will want long-term control of the computer or network. After an attacker penetrates and controls one computer, he rarely stops there. He will typically work to cover his tracks and remove any log entries. Besides redirecting sensitive information, stealing proprietary data, and establishing backdoors, attackers will most likely use the compromised system to spread their illegal activities to other computers. If any one system is compromised, the entire domain is at risk. The best defense is a good offense. Don’t give the attacker any type of foothold.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 12, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 4-8 lists a reference of these key topics and the page numbers on which each is found.

Table 4-8 Key Topics for Chapter 4


  • Explains how enumeration works

  • Table 4-2: User ID and Corresponding RID Code

  • Table 4-3: Microsoft Key Ports and Protocols

  • Explains how system hacking works

  • Explains how ADS works


Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

brute-force attack

dictionary attack

Simple Network Management Protocol


4.1 NTFS File Streaming

In this exercise, you use NTFS file streaming to effectively hide files in an NTFS environment.

Estimated Time: 15 minutes.

Step 1. Download LNS, a good NTFS file streaming program, from

Step 2. Create a temporary folder on the root of your NTFS drive. Name the folder test, or give it another suitable name.

Step 3. Copy notepad.exe into the test folder and rename it hack.exe. You will use this file to stand in for a hacking tool.

Step 4. Create a text file called readme.txt. Place some text inside the readme file…something like hello world will work.

Step 5. Open a command prompt and change directories to place yourself in the test folder. By performing a directory listing, you should see two files: hack.exe and readme.txt. Record the total free space shown after the directory listing:___________

Step 6. From the command line, issue the following command:

Type hack.exe > readme.txt:hack.exe

Step 7. Run a directory listing again and record the free space results: ___________

Step 8. Has anything changed? You should have noticed that free space has been reduced. That is because you streamed hack.exe behind readme.txt.

Step 9. Execute the following from the command line:

Start c:\test\readme.txt:hack.exe

Step 10. Did you notice what happened? Your hacked file, notepad.exe, should have popped open on the screen. The file is completely hidden, as it is streamed behind readme.txt.

Step 11. Run LNS from the command line. The program should detect the streamed file hack.exe. File streaming is a powerful way to hide information and make it hard to detect.
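The check that LNS performs in Step 11, and the detection side of the ADS discussion earlier in this chapter, as an added Python example that is not from the book or from any of the tools it lists. It assumes Windows with an NTFS volume and uses the kernel32 FindFirstStreamW/FindNextStreamW API; the stream-name parsing itself runs anywhere.

```python
import ctypes
import sys

UNNAMED_STREAM = "::$DATA"   # the ordinary data stream every NTFS file has

def list_streams(path):
    """Return [(raw_stream_name, size), ...] for every stream on `path`.
    Needs Windows and an NTFS volume; elsewhere it raises NotImplementedError."""
    if sys.platform != "win32":
        raise NotImplementedError("NTFS stream enumeration needs Windows")
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):   # layout from the Win32 API
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (wintypes.MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int,
                                     ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]   # keep 64-bit handles intact

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == wintypes.HANDLE(-1).value:                        # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams

def named_streams(raw):
    """Keep only named streams. Windows reports them as ':<name>:$DATA', so
    readme.txt with hack.exe streamed behind it yields [('hack.exe', <size>)]."""
    found = []
    for name, size in raw:
        if name == UNNAMED_STREAM:
            continue
        inner = name[1:]
        if inner.endswith(":$DATA"):
            inner = inner[:-len(":$DATA")]
        found.append((inner, size))
    return found

if __name__ == "__main__":
    for p in sys.argv[1:]:                      # e.g. C:\test\readme.txt
        print(p, named_streams(list_streams(p)))
```

Walking a directory with os.walk and calling named_streams(list_streams(path)) on each file reproduces the whole-volume sweep that LNS and Streams perform; note that Linux has no equivalent API because, as the text says, it does not support ADS.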

Review Questions

1. As part of a review of an access control system, you have been asked to recommend a replacement for the username/password system that is currently used. As such, which of the following is best when selecting a biometric system?

a. A high false acceptance rate

b. A high false rejection rate

c. A high false acceptance rate and false rejection rate

d. A low crossover error rate

2. You have just gotten an alert from your IDS. It has flagged the following string: env x='(){:;};echo exploit' bash -c 'cat /etc/passwd'. What is the attacker attempting to do?

a. Use the Heartbleed vulnerability to display the passwd file.

b. Use the Shellshock vulnerability to change the passwd file.

c. Use the Heartbleed vulnerability to change the passwd file.

d. Use the Shellshock vulnerability to display the passwd file.

3. You are working with a pen test team that is performing enumeration. You have just seen a team member enter the following command. What does it demonstrate?

C:\>user2sid \\truck guest
C:\>sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is Truck

a. The Joe account has a SID of 500.

b. The guest account has not been disabled.

c. The guest account has been disabled.

d. The true administrator is Joe.

4. During a pen test, you have successfully gained access to a system. You are able to gain local administrator status on one workstation and have now moved to the local administrator on a second workstation. With this in mind, which of the following is true?

a. You have no access.

b. You have completed horizontal privilege escalation.

c. You will have a RID of 501.

d. You have completed vertical privilege escalation.

5. You are part of an incident response team. You have discovered that an attacker broke into the network, planted a rootkit, and secretly installed a cryptominer. To contain the incident and complete the investigation, what is the best alternative now that you found a rootkit has been installed on one of your computers?

a. Copy the system files from a known good system

b. Perform a trap and trace

c. Delete the files and try to determine the source

d. Rebuild from known good media

6. When reviewing the Windows core design, which of the following corresponds to user mode and is the level of least privilege?

a. Ring 0

b. Ring 1

c. Ring 2

d. Ring 3

7. SNMP is a protocol used to query hosts and other network devices about their network status. One of its key features is its use of network agents to collect and store management information, such as the number of error packets received by a managed device. Which of the following makes it a great target for hackers?

a. It’s enabled by all network devices by default.

b. It’s based on TCP.

c. It sends community strings in clear text.

d. It is susceptible to sniffing if the community string is known.

8. When discussing Windows authentication, which of the following is considered the weakest?

a. NTLMv1

b. NTLMv2

c. LM

d. Kerberos

9. Which of the following tools can be used to clear the Windows logs?

a. Auditpol

b. ELSave

c. PWdump

d. Cain and Abel

10. What is one of the disadvantages of using John the Ripper?

a. It cannot crack NTLM passwords.

b. It separates the passwords into two separate halves.

c. It cannot differentiate between uppercase and lowercase passwords.

d. It cannot perform brute-force cracks.

11. You found the following command on a compromised system:

Type nc.exe > readme.txt:nc.exe

What is its purpose?

a. This command is used to start a Netcat listener on the victim system.

b. This command is used to stream Netcat behind readme.txt.

c. This command is used to open a command shell on the victim system with Netcat.

d. This command is used to unstream Netcat.exe.

12. Which of the following uses the faster time-memory trade-off technique and works by precomputing all possible passwords in advance?

a. Rainbow tables

b. Dictionary cracks

c. Hybrid cracks

d. Brute-force crack

13. Why would an attacker scan for port 445?

a. To attempt to cause DoS of the NetBIOS SMB service on the victim system

b. To scan for file and print sharing on the victim system

c. To scan for SMB services and verify that the system is Windows OS

d. To scan for NetBIOS services and verify that the system is truly a Windows NT server

14. Which of the following types of biometric systems is considered the most accurate?

a. Fingerprint scanning

b. Iris scanning

c. Voice scanning

d. Palm scanning

15. You are trying to establish a null session to a target system. Which is the correct syntax?

a. net use \\IP_address\IPC$ "" /u:""

b. net use //IP_address/IPC$ "" u:""

c. net use \\IP_address\IPC$ * /u:""

d. net use \\IP_address\IPC$ * u:""

16. After finding port 161 open on a targeted system, you have decided to attempt to guess what passwords/community strings to use. Which of the following should you try first?

a. user/password

b. abc123/passw0rd

c. Password/administrator

d. Public/private

17. You have gained access to a system. You would now like to hide a file that will be hidden and streamed behind another. Which of the following file systems is required?



c. FAT

d. FAT32

18. Which of the following types of rootkits would be found at ring 0?

a. Software

b. Library

c. Application

d. Kernel

19. You are about to target a Linux server and would like to attempt access to the passwords. Which of the following folders is where you would find them?

a. /etc

b. /sbin

c. /ect

d. /var

20. Which of the following protocols uses UDP port 514?

a. Syslog

b. NetBIOS

c. Finger

