CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [43]
The MD5 checksum verifies that a file hasn't changed. This is useful for checking file integrity once a rootkit has been found on a system. Tools such as Tripwire implement MD5 checksums to identify files affected by the rootkit.
Countermeasure Tools
Tripwire is a filesystem integrity-checking program for Unix and Linux operating systems. In addition to one or more cryptographic checksums representing the contents of each directory and file, the Tripwire database also contains information that lets you verify access permissions and file mode settings, the username of the file owner, the date and time the file was last accessed, and the last modification made to the item.
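To make the integrity-checking idea concrete, here is a small added example of a Tripwire-style checker written for this page; it is not Tripwire's code and does not read its database format. It records, for every file under a directory, a content digest plus the metadata the text says Tripwire keeps (permission bits, owner, modification time), then compares a later scan against that baseline and lists added, removed and modified files. The directory tree it builds is constructed for the demo; the default digest is SHA-256 because MD5 collisions are practical today, but `algo="md5"` reproduces the MD5 behaviour the text describes.

```python
"""Tripwire-style baseline-and-compare integrity checker (added example)."""
import hashlib
import os
import stat
import tempfile


def file_record(path, algo="sha256"):
    """Hash the file contents and capture the metadata an integrity checker compares."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {
        "digest": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),   # permission bits
        "uid": st.st_uid,                   # file owner
        "mtime": int(st.st_mtime),          # last modification
    }


def build_baseline(root, algo="sha256"):
    """Walk root and return {relative path: record} for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_record(full, algo)
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified); modified lists (path, changed fields)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified.append((rel, changed))
    return added, removed, modified


def demo():
    """Build a constructed tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls_path = os.path.join(root, "bin", "ls")        # constructed stand-in for a binary
        passwd_path = os.path.join(root, "passwd")
        with open(ls_path, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        with open(passwd_path, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(ls_path, 0o755)
        os.chmod(passwd_path, 0o644)

        baseline = build_baseline(root)

        # Simulate what a rootkit install leaves behind: a trojaned binary,
        # a new hidden file, and a loosened permission bit on an untouched file.
        with open(ls_path, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v rootkit\n")
        with open(os.path.join(root, ".hidden"), "wb") as f:
            f.write(b"payload")
        os.chmod(passwd_path, 0o666)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

The baseline itself must be stored somewhere the attacker cannot rewrite (read-only media or another host), otherwise a rootkit that can replace `ls` can just as easily re-baseline it.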
Understanding How to Hide Files
A hacker may want to hide files on a system to prevent their detection. These files may then be used to launch an attack on the system. There are two ways to hide files in Windows. The first is to use the attrib command. To hide a file with the attrib command, type the following at the command prompt:
The second way to hide a file in Windows is with NTFS alternate data streaming. NTFS filesystems used by Windows NT, 2000, and XP have a feature called alternate data streams that allows data to be stored in hidden files linked to a normal, visible file. Streams aren't limited in size, and more than one stream can be linked to a normal file.
NTFS File Streaming
To create and test an NTFS file stream, perform the following steps:
1. At the command line, enter notepad test.txt. This opens Notepad.
2. Put some data in the file, save the file, and close Notepad.
3. At the command line, enter dir test.txt and note the file size.
4. At the command line, enter notepad test.txt:hidden.txt. Type some text into Notepad, save the file, and close it.
5. Check the file size again (it should be the same as in step 3).
6. Open test.txt. You see only the original data.
7. Enter type test.txt:hidden.txt at the command line. A syntax error message is displayed.
Hacking Tools
makestrm.exe is a utility that moves the data from a file to an alternate data stream linked to the original file.
NTFS Stream Countermeasures
To delete a stream file, first copy the file to a FAT partition, and then copy it back to an NTFS partition.
Streams are lost when the file is moved to a FAT partition because they're a feature of NTFS and therefore exist only on an NTFS partition.
Countermeasure Tools
You can use LNS.exe to detect NTFS streams. LNS reports the existence and location of files that contain alternate data streams.
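As an added example for both the stream experiment above and the detection countermeasure (it is not LNS or any tool from the text), the script below does two things. `parse_dir_r` reads the output of `dir /r`, which Windows Vista and later use to list named streams (the XP-era tools in the text predate that switch) and reports every file carrying a stream other than the default one, skipping the `Zone.Identifier` stream that browsers attach to downloads. `stream_experiment` reproduces the test.txt / test.txt:hidden.txt steps on a Windows host using Python's `open()` with the `file:stream` syntax and returns the file size before and after, showing that the size does not change. The `dir /r` output embedded here is constructed, not captured from a real machine.

```python
"""Finding NTFS alternate data streams (added example)."""
import os
import re
import subprocess
import sys

# In `dir /r` output a named stream appears on its own line with no date column:
#     20 test.txt:hidden.txt:$DATA
# The default unnamed stream is never listed separately, so every match is a
# named stream.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Zone.Identifier is the Mark-of-the-Web written to downloaded files; it is
# expected on most hosts and rarely worth alerting on.
BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample output of `dir /r C:\temp`.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\temp

01/02/2020  10:00 AM    <DIR>          .
01/02/2020  10:00 AM    <DIR>          ..
01/02/2020  10:00 AM                12 test.txt
                                     20 test.txt:hidden.txt:$DATA
01/02/2020  10:05 AM             4,096 setup.exe
                                     26 setup.exe:Zone.Identifier:$DATA
01/02/2020  10:07 AM                 0 empty.txt
               3 File(s)          4,108 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""


def parse_dir_r(text, ignore=BENIGN_STREAMS):
    """Return [(file, stream, size)] for every named $DATA stream not in `ignore`."""
    found = []
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        filename, stream = m.group(2), m.group(3)
        if stream not in ignore:
            found.append((filename, stream, size))
    return found


def scan_directory(path):
    """Run `dir /r` on a Windows host and parse it; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    out = subprocess.run(["cmd", "/c", "dir", "/r", path],
                         capture_output=True, text=True, check=False).stdout
    return parse_dir_r(out)


def stream_experiment(directory):
    """Windows-only: recreate the test.txt / test.txt:hidden.txt steps.

    Returns (size before the stream, size after, text read back from the stream),
    or None on platforms without NTFS streams.
    """
    if sys.platform != "win32":
        return None
    base = os.path.join(directory, "test.txt")
    with open(base, "w") as f:
        f.write("visible data")
    before = os.path.getsize(base)
    with open(base + ":hidden.txt", "w") as f:    # file:stream syntax goes to CreateFile
        f.write("hidden data")
    after = os.path.getsize(base)                # unchanged: only the main stream counts
    with open(base + ":hidden.txt") as f:
        return before, after, f.read()


if __name__ == "__main__":
    for filename, stream, size in parse_dir_r(SAMPLE_DIR_R):
        print(f"{filename} has named stream {stream!r} ({size} bytes)")
```

A scheduled run of `scan_directory` over system and user-profile paths, with its output diffed against the previous run, gives the same "new stream appeared" signal LNS is used for.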
Understanding Steganography Technologies
Steganography is the process of hiding data in other types of data such as images or text files. The most popular method of hiding data in files is to utilize graphic images as hiding places. Attackers can embed any information in a graphic file using steganography. The hacker can hide directions on making a bomb, a secret bank account number, or answers to a test. Really any text imaginable can be hidden in an image.
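The following added example (not ImageHide, Blindside or any tool named in the text) shows the mechanism behind image steganography in its simplest form, least-significant-bit (LSB) substitution. The carrier is a constructed 8-bit grayscale image held as a bytearray with one byte per pixel; each payload bit overwrites the lowest bit of one pixel, so the file size is unchanged and no pixel moves by more than 1 of 255 levels, which is why the picture looks the same. A 32-bit length header tells the extractor where the payload ends. The secret text and the random carrier are both constructed.

```python
"""LSB image steganography: embed, extract, and measure the change (added example)."""
import random
import struct


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, payload):
    """Return a copy of pixels with a length header and payload written into the LSBs."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("payload too large for carrier")
    out = bytearray(pixels)
    for idx, bit in enumerate(_bits(framed)):
        out[idx] = (out[idx] & 0xFE) | bit     # clear LSB, then set it to the payload bit
    return out


def extract(pixels):
    """Read the 4-byte length header, then that many payload bytes, from the LSBs."""
    def read_bytes(start, count):
        buf = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + i] & 1)
            buf.append(byte)
        return bytes(buf)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)              # payload starts after the 32 header bits


def max_pixel_change(original, stego):
    """Largest per-pixel difference between carrier and stego image."""
    return max(abs(a - b) for a, b in zip(original, stego))


def demo():
    rng = random.Random(1)                     # fixed seed: reproducible constructed carrier
    carrier = bytearray(rng.randrange(256) for _ in range(64 * 64))
    secret = b"constructed secret text"
    stego = embed(carrier, secret)
    return {
        "recovered": extract(stego),
        "size_unchanged": len(stego) == len(carrier),
        "max_change": max_pixel_change(carrier, stego),
    }


if __name__ == "__main__":
    print(demo())
```

The defender's takeaway is that neither file size nor visual inspection reveals the payload; an integrity baseline like the one above will flag a known image that was modified in place, but a freshly created stego image only stands out through statistical analysis of its LSB plane, which this example does not attempt.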
Hacking Tools
ImageHide is a steganography program that hides large amounts of text in images. Even after adding bytes of data, there is no increase in the image size. The image looks the same in normal graphics programs. It loads and saves to files and therefore is able to bypass most e-mail sniffers.
Blindside is a steganography application that hides information inside BMP (bitmap) images. It's a command-line utility.
MP3Stego hides information in MP3 files during the compression process. The data is compressed, encrypted, and then hidden in the MP3 bit stream.
Snow is a whitespace steganography program that conceals messages in ASCII text by appending whitespace to the end of lines. Because spaces