CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 - Kimberly Graves [41]
Invisible KeyLogger Stealth (IKS) Software Logger is a high-performance virtual device driver (VxD) that runs silently at the lowest level of the Windows 95/98/ME operating system. All keystrokes are recorded in a binary keystroke file.
Fearless Key Logger is a Trojan that remains resident in memory to capture all user keystrokes. Captured keystrokes are stored in a log file and can be retrieved by a hacker.
E-mail Keylogger logs all e-mails sent and received on a target system. The e-mails can be viewed by sender, recipient, subject, and time/date. The e-mail contents and any attachments are also recorded.
Understand Escalating Privileges
Escalating privileges is the third step in the hacking cycle. Escalating privileges means adding rights or permissions to a user account. Put simply, escalating privileges turns a regular user account into an administrator account.
Generally, Administrator accounts have more stringent password requirements, and their passwords are more closely guarded. If it isn't possible to find the username and password of an account with Administrator privileges, then a hacker may choose to use an account with lower privileges. In this case, the hacker must then escalate that account's privileges.
This is accomplished by first gaining access using a nonadmin user account, typically by gathering the username and password through one of the previously discussed methods, and then increasing the privileges on the account to the level of an Administrator.
Once a hacker has a valid user account and password, the next step is to execute applications. Generally, the hacker needs an account with Administrator-level access in order to install programs, and that is why escalating privileges is so important. In the following sections, we'll see what hackers can do with your system once they have Administrator privileges.
Hacking Tools
GetAdmin.exe is a small program that adds a user to the local Administrators group. It uses a low-level NT kernel routine to gain access to any running process. A logon to the server console is needed to execute the program. GetAdmin.exe is run from the command line or from a browser. It works only with Windows NT 4.0 Service Pack 3.
The Hk.exe utility exposes a Local Procedure Call flaw in Windows NT. A nonadmin user can be escalated to the Administrators group using this tool.
Executing Applications
Once a hacker has been able to access an account with Administrator privileges, the next thing they do is execute applications on the target system. The purpose of executing applications may be to install a back door on the system, install a keystroke logger to gather confidential information, copy files, or just cause damage to the system; essentially, anything the hacker wants to do on the system.
Once the hacker is able to execute applications, the system is considered owned and under the control of the hacker.
Hacking Tools
PsExec is a program that connects to and executes files on remote systems. No software needs to be installed on the remote system.
Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation) services. Administrators with null or weak passwords may be exploited through Task Scheduler (1025/tcp or above) or Distributed Component Object Model (DCOM; default 135/tcp).
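A defender's counterpart to the tools described above (a user being added to the local Administrators group, which is what GetAdmin.exe does, and remote execution through a PsExec service), written as an added example that is not from the book: detection logic run over constructed log lines, with a correlation step that ranks a host higher when the escalation is followed by remote execution. It assumes a simplified key=value export of Windows Security event 4732 (member added to a security-enabled local group) and System event 7045 (service installed), the well-known SID S-1-5-32-544 for BUILTIN\Administrators, and the PSEXESVC service name PsExec registers; hosts, accounts and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical hosts/accounts) in a simplified
# "timestamp Key=Value ..." export; not a real EVTX dump.
SAMPLE_EVENTS = [
    "2024-05-01T09:12:03 Host=WS01 EventID=4624 LogonType=2 TargetUserName=jsmith",
    "2024-05-01T09:13:41 Host=WS01 EventID=4732 SubjectUserName=jsmith MemberName=WS01\\jsmith TargetUserName=Administrators TargetSid=S-1-5-32-544",
    "2024-05-01T09:15:10 Host=WS01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe AccountName=LocalSystem",
    "2024-05-01T09:16:00 Host=WS02 EventID=4732 SubjectUserName=helpdesk MemberName=WS02\\printsvc TargetUserName=Users TargetSid=S-1-5-32-545",
    "2024-05-01T09:17:22 Host=WS01 EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\spoolsv.exe AccountName=LocalSystem",
]

LOCAL_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one export line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def detect(lines):
    """Flag local Administrators additions (4732) and PsExec service installs (7045)."""
    findings = []
    for ev in map(parse, lines):
        eid = ev.get("EventID")
        if eid == "4732" and ev.get("TargetSid") == LOCAL_ADMINS_SID:
            findings.append({"host": ev["Host"], "ts": ev["ts"], "kind": "local_admin_added",
                             "detail": f"{ev['MemberName']} added by {ev['SubjectUserName']}"})
        elif eid == "7045" and "psexesvc" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower():
            findings.append({"host": ev["Host"], "ts": ev["ts"], "kind": "psexec_service",
                             "detail": f"service {ev['ServiceName']} from {ev['ImagePath']}"})
    return findings

def correlate(findings, window=timedelta(minutes=30)):
    """Hosts where an admin-group addition is followed by a PsExec install within `window`."""
    hits = set()
    for a in (f for f in findings if f["kind"] == "local_admin_added"):
        for b in (f for f in findings if f["kind"] == "psexec_service" and f["host"] == a["host"]):
            if timedelta(0) <= b["ts"] - a["ts"] <= window:
                hits.add(a["host"])
    return sorted(hits)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']:%H:%M:%S} {f['host']} {f['kind']}: {f['detail']}")
    print("escalation followed by remote execution on:", correlate(found))
```

The addition to the Users group on WS02 and the Spooler service install on WS01 are deliberately left out of the findings so the filter, not just the event ID, is what decides.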
Buffer Overflows
Buffer overflows are hacking attempts that exploit a flaw in an application's code. Essentially, a buffer overflow attack sends more data to a field or variable than the application has set aside for it, which can cause an application error. Often the application no longer knows what action to perform next, because that information has been overwritten with the overflow data; so it either executes the command in the overflow data or drops out to a command prompt to let the user enter the next command. The command prompt or shell is the key for a hacker and can