CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [44]
Camera/Shy works with Windows and Internet Explorer and lets users share censored or sensitive information stored in an ordinary GIF image.
Stealth is a filtering tool for PGP files. It strips off identifying information from the header, after which the file can be used for steganography.
Steganography can be detected by some programs, although doing so is difficult. The first step in detection is to locate files that carry hidden data, which can be done by analyzing statistical patterns in the image data and changes to the color palette.
Countermeasure Tools
Stegdetect is an automated tool for detecting steganographic content in images. It can recognize several different methods of embedding hidden information in JPEG images.
Dskprobe is a tool on the Windows 2000 installation CD. It's a low-level hard-disk scanner that can detect steganography.
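The palette and pattern analysis mentioned above is, in practice, a statistical test on the image histogram. The following is an added example, not code from the book or from Stegdetect: a simplified version of the Westfeld-Pfitzmann chi-square pairs-of-values test, which is the kind of check Stegdetect applies. LSB embedding only ever swaps a value with its pair partner (2k with 2k+1), so after embedding random-looking bits both members of each pair become equally common; a cover image with a comb-like histogram does not have that property. The "image" is a constructed list of 8-bit samples, the gamma-correction used to build it and the ratio threshold that replaces a proper p-value are assumptions for this example, and all function names are mine.

```python
"""Pairs-of-values chi-square test for LSB embedding in 8-bit samples.

Added example: a simplified form of the Westfeld-Pfitzmann chi-square attack.
The 'image' is a constructed list of 8-bit pixel values, not a real file.
"""
import random


def histogram(samples):
    """Count how often each 8-bit value occurs."""
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    return counts


def pov_chi_square(samples):
    """Chi-square statistic over the 128 pairs of values (2k, 2k+1).

    LSB embedding only swaps a value with its pair partner, so after embedding
    random message bits both members of a pair are expected to be equally
    common. Under that hypothesis each non-empty pair contributes roughly one
    degree of freedom, i.e. about 1.0 to the statistic.
    Returns (chi2, degrees_of_freedom).
    """
    h = histogram(samples)
    chi2, dof = 0.0, 0
    for k in range(128):
        a, b = h[2 * k], h[2 * k + 1]
        expected = (a + b) / 2
        if expected == 0:
            continue  # the pair never occurs; it carries no information
        chi2 += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def chi2_ratio(samples):
    """chi2 per degree of freedom: near 1.0 when the pairs are equalised."""
    chi2, dof = pov_chi_square(samples)
    return chi2 / dof


def looks_embedded(samples, max_ratio=2.0):
    """Heuristic verdict. A ratio threshold stands in for the p-value a full
    implementation would compute (assumption made for this example)."""
    chi2, dof = pov_chi_square(samples)
    return dof > 0 and chi2 / dof < max_ratio


def make_cover(n=40000, seed=1):
    """Constructed 'cover image': gamma-corrected 8-bit samples. The gamma curve
    leaves gaps and doubled-up bins, so pair counts are very unequal, as in
    real camera output (assumption: this stands in for a natural image)."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        x = min(255, max(0, round(rng.gauss(128, 40))))
        cover.append(round(255 * (x / 255) ** 0.6))
    return cover


def embed_random_bits(samples, seed=2):
    """Full-capacity LSB embedding of a random bit string, which is what a
    stego tool produces when the payload is encrypted or compressed."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in samples]


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_random_bits(cover)
    print("cover chi2/dof = %.1f  embedded? %s" % (chi2_ratio(cover), looks_embedded(cover)))
    print("stego chi2/dof = %.1f  embedded? %s" % (chi2_ratio(stego), looks_embedded(stego)))
```

The test is only sensitive to embedding that fills most of the image; a short message hidden in a small region leaves the remaining pairs unequal, which is why Stegdetect-style tools slide the test over increasing portions of the file rather than running it once over the whole image.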
Understanding How to Cover Your Tracks and Erase Evidence
Once intruders have successfully gained Administrator access on a system, they try to cover their tracks to prevent detection of their presence (either current or past) on the system. A hacker may also try to remove evidence of their identity or activities on the system to prevent tracing of their identity or location by authorities. The hacker usually erases any error messages or security events that have been logged, to prevent detection.
In the following sections, we'll look at disabling auditing and clearing the event log, which are two methods used by a hacker to cover their tracks and avoid detection.
Disabling Auditing
The first thing intruders do after gaining Administrator privileges is to disable auditing. Windows auditing records selected events in the event logs, which are read with the Windows Event Viewer; audited events can include logging on to the system, using an application, or accessing an event log. An administrator chooses which categories are audited and at what level. A hacker wants to learn what level of auditing is in force, to know whether events recording their presence need to be cleared.
Hacking Tools
AuditPol is a tool included in the Windows NT Resource Kit for system administrators. It can enable or disable auditing from the Windows command line, and it can also report the audit policy a systems administrator has configured. (On Windows Vista and later, auditpol.exe ships with the operating system itself.)
Clearing the Event Log
Intruders can easily wipe out the Security log in the Windows Event Viewer. An event log that contains only one or a few events is suspicious, because it usually indicates that earlier events were cleared. The log still has to be cleared even after auditing is disabled, because running AuditPol itself writes an entry recording that auditing was turned off. Clearing the Security log is itself recorded, however: the first entry in the freshly emptied log states that the audit log was cleared and by which account. Several tools can clear the event log, or a hacker can do it manually in the Event Viewer.
Hacking Tools
The elsave.exe utility is a simple command-line tool for saving and clearing an event log.
WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000. WinZapper also ensures that no security events are logged while the program is running.
Evidence Eliminator is a data-cleansing system for Windows PCs. It prevents unwanted data from becoming permanently hidden in the system. It cleans the recycle bin, Internet cache, system files, temp folders, and so on. Evidence Eliminator can also be used by a hacker to remove evidence from a system after an attack.
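The two techniques described in this section, disabling auditing and clearing the Security log, each leave a residue that a defender can look for: the audit-policy-change record that AuditPol writes, the "audit log was cleared" record that heads a freshly emptied log, a log that is suspiciously short, and long stretches of silence on a host that is normally busy. The following is an added example, not code from the book or from any of the tools named above, that runs those checks over an exported Security log. The tab-separated export format and both sample logs are constructed for the demonstration; the event IDs are real (517 and 612 are the NT/2000/XP/2003 numbers, 1102 and 4719 the Vista-and-later numbers), and the thresholds and function names are my own.

```python
"""Detect log clearing and disabled auditing in an exported Security log.

Added example; the tab-separated export format is constructed for the demo.
Event IDs: 517 / 612 are the NT/2000/XP/2003 numbers, 1102 / 4719 the
Vista-and-later numbers for the same two events.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

AUDIT_LOG_CLEARED = {517, 1102}     # "The audit log was cleared"
AUDIT_POLICY_CHANGED = {612, 4719}  # "Audit Policy Change": what AuditPol leaves behind


@dataclass
class Event:
    time: datetime
    event_id: int
    user: str
    message: str


def parse_export(text: str) -> list[Event]:
    """Parse lines of 'time<TAB>event_id<TAB>user<TAB>message' (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        stamp, event_id, user, message = line.split("\t", 3)
        events.append(Event(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), user, message))
    return sorted(events, key=lambda e: e.time)


def find_tampering(events: list[Event], min_expected: int = 5,
                   max_silence_hours: float = 8.0) -> list[tuple]:
    """Return (kind, detail, user) findings pointing at log clearing or disabled auditing."""
    findings = []
    for e in events:
        if e.event_id in AUDIT_LOG_CLEARED:
            findings.append(("log_cleared", e.event_id, e.user))
        if e.event_id in AUDIT_POLICY_CHANGED:
            findings.append(("audit_policy_changed", e.event_id, e.user))
    # A freshly emptied Security log begins with the "log cleared" record itself.
    if events and events[0].event_id in AUDIT_LOG_CLEARED:
        findings.append(("log_starts_with_clear_marker", events[0].event_id, events[0].user))
    # The "only one or a few events" sign described in the text (threshold is an assumption).
    if len(events) < min_expected:
        findings.append(("suspiciously_short_log", len(events), None))
    # A long stretch with no events at all on a busy host suggests auditing was switched off.
    for prev, cur in zip(events, events[1:]):
        gap = cur.time - prev.time
        if gap > timedelta(hours=max_silence_hours):
            findings.append(("audit_silence", int(gap.total_seconds() // 3600), None))
    return findings


HEALTHY_EXPORT = """\
# constructed sample, not from a real machine: an ordinary workday
2024-03-01 08:58:12\t528\tALICE\tSuccessful Logon: Logon Type 2
2024-03-01 10:15:03\t560\tALICE\tObject Open: C:\\payroll\\q1.xls
2024-03-01 12:01:45\t538\tALICE\tUser Logoff
2024-03-01 13:02:10\t528\tALICE\tSuccessful Logon: Logon Type 2
2024-03-01 15:40:22\t529\tBOB\tLogon Failure: Unknown user name or bad password
2024-03-01 17:30:05\t538\tALICE\tUser Logoff
"""

TAMPERED_EXPORT = """\
# constructed sample: the same host after an intruder cleared the log, then disabled auditing
2024-03-01 23:41:09\t517\tAdministrator\tThe audit log was cleared
2024-03-01 23:41:30\t612\tAdministrator\tAudit Policy Change: Logon/Logoff: Success - Failure -
"""


def finding_kinds(text: str, **kwargs) -> list[str]:
    """Convenience wrapper: just the kinds of findings for one export."""
    return [kind for kind, _, _ in find_tampering(parse_export(text), **kwargs)]


if __name__ == "__main__":
    for name, export in (("healthy", HEALTHY_EXPORT), ("tampered", TAMPERED_EXPORT)):
        print(name, find_tampering(parse_export(export)))
```

Because the clear-marker and policy-change records are written by the operating system regardless of whether the attacker has turned auditing off, the reliable way to keep them out of an intruder's reach is to forward the Security log to a separate collector as events occur rather than to depend on the copy left on the compromised host.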
Exam Essentials
Understand the importance of password security. Implementing password-change intervals, strong alphanumeric passwords, and other password security measures is critical to network security.
Know the different types of password attacks. Passive online attacks include sniffing, man-in-the-middle, and replay. Active online attacks include manual and automated password guessing. Offline attacks include dictionary, hybrid,