Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on timestamps, event log clearing and password cracking. A timestamp is a metadata field that informs a system about when a file was created, edited, opened or moved. You can defeat timestamps on a Windows machine by obfuscation, in Linux you can also use the touch command. Windows event logs can be used to store information about nearly everything on a system and are managed via the command line wevtutil. Participants also learn about two methods of password cracking: Brute force: trying every possible combination until something works. Dictionary attacks: using a list of words to crack password. This method can be highly effective as 98% of passwords are made up of the 10,000 most common passwords.

Video Transcription

00:04
All right, ladies and gentlemen, and welcome to
00:07
the
00:09
last video in covering tracks and password cracking. I'm in this video. We're gonna discover we're going to discuss a few topics among which are time stamps,
00:19
event, log clearing and password cracking.
00:22
First, we're gonna be discussing this time stamps, and we'll be discussing this primarily in Lennox as well as how to edit them.
00:30
Timestamps. Almost every operating system has time stamps. It's a metadata field which informs the system and users
00:38
When If I was created when it was edited, when last it was red moved is actually kind of in line with created.
00:46
But it tells you, you know, when a file got to where it is now,
00:50
they could be used to pinpoint, You know, when a militias user got on and changed them,
00:55
they could be used his comparison for backups. So if we have, you know, unknown good file from last Tuesday at 12.
01:03
And this Wednesday, it one,
01:06
everything's falling apart and we see that that's the file. With the timestamp change, we can pull from the last update and you're the last back up and we're good,
01:15
um, in Windows, the only real way to defeat time stamps is by obfuscation.
01:19
You can edit tons and tons of files writing script at it, as many files as possible. That looked like they might be important.
01:27
You can copy a file and, you know, open the copy if you're only opening for reading.
01:34
Um, depending on the Windows version, this mayor may not affect timestamps Windows seven and later. Don't bother with this method. It's primarily from X p and older systems.
01:44
Um,
01:45
harmlessly editing a bunch of files is kind of a useful way to do it,
01:49
if only because a script which opens a vial is very easy. You know, open the file. Close a file,
01:57
easy to write.
01:59
But if you do that with, you know, a couple 100 files from the system 32
02:02
then you're going to freak them out. They're gonna have no idea what you're actually doing.
02:07
So, you know, kind of giving them too much to look at
02:10
sort of the opposite of the way. A lot of times you would go, but by giving them too much information, you can actually prevent them from seeing what you really want them to see.
02:20
I mean, linens, however, there's a
02:22
there's a much better option,
02:23
and it's called touch.
02:28
So this is what touch commands look like. All touch really is is a file which affects timestamps. If you use touch on a file that doesn't exist, it will create a file. But in general, what you're gonna use touch with is to actually edit a time set.
02:45
Now the reasons for this are fuzzy.
02:49
Um,
02:50
I'm sure there was a great reason for it once upon a time,
02:53
but now there aren't really many good reasons to use touch. I mean degrees. In terms of our thinking,
03:00
you know, it's easy to hide the bad things we've done, but in terms of an actual you know, proper user, there's not much justification for it.
03:07
So what you'll do is you'll just type touch, and then you'll type the option,
03:13
which were only going to really look up to here,
03:15
Uh, which will be the tactic and attack? A.
03:17
You could also use taxi, but it's functionally identical, other than the only differences which time stamp it edits,
03:24
and then you type obviously the file name where the file names you can actually had it several files at once, which will look at it in just a second.
03:30
Um
03:32
so, for example, the tack T says touch timestamp. Otherwise, if you do touch, it will try, and it'll basically just update it to the current time. Tak t Let's give it a specific time.
03:44
So, for example, you can type in
03:46
1 May 2005 at 10. 22
03:51
full of the file name and then basically all of that pile name that problem's access.
03:57
Um, And if its creation, I was later that its creation time and all the other long times will change back to this time right here,
04:05
Um, it's very handy if you want to. You know,
04:09
you broke into a system at
04:11
12. 01
04:12
messed with all their stuff until 12. 30. And now you want to change it back to 12. 01 It's a really easy way to adjust the time Stamp it. No one's ever gonna catch it.
04:21
The other one that we're gonna look at his touch Tak es, which is slightly different. And it's sort of the example of all the other touches. Touch decays for access time. Um,
04:32
so there's tea.
04:34
Aye aye, affects the access times the last time it was opened. So it is actually possible to do you know, the life last access was 2001 and the creation was 2004.
04:47
That's going to set some red flags, obviously,
04:53
but if you're feeling mean, it is totally doable. One thing I did want you to notice is that the file or the time stamp for the files it's clearly different.
05:01
The more granular and specific you can be the better,
05:05
because this 1st 1 right here
05:09
is going to edit it to be a 22 5 2001 May is very, very, very specific, and it'll blend much more easily. Where is the 2nd 1?
05:21
Whatever year it ISS will be the 14th of May,
05:25
Um, and it will be at
05:28
zero in the morning, just first thing,
05:30
which is sort of noticeable. It's actually midnight, but its accounts it for the morning. So first thing in the morning,
05:38
which is
05:39
sort of noticeable if it's a file that gets messed with a lot.
05:42
So the more granular in the more specific you can be the better, Which is why it's always good to know what time it is when you pop onto a system.
05:49
I'm the one that I did want to include because it's one of my favorites to run
05:53
is to do a touch
05:56
some ridiculous
05:59
time period on every single file in the directory
06:01
on this can mess with certain source code. Monitor your certain source court management.
06:06
So if you're going in to do it, DOS and you change all of the time stamps back to, you know the same day. Ah, lot of simpler applications will do their updates and emerges based on
06:17
timestamp.
06:19
So if you add it that you can actually do damage to a lot of source good servers,
06:24
I'd recommend to get actually doing it because the company is going to get very upset with you. But you can show them that you could have done it and kind of drive your point
06:32
about really others for touch. It's a fairly straightforward demand.
06:35
Next subject
06:38
is Event Lux. Now event logs like a road here. They're basically bash history On crack
06:44
were bash history stores, all of the commands you ran the event log store, everything about every one and every item.
06:50
Um, just any bit of information to be started in about log. Ah, when I actually ran the w w e v t you tell which we're gonna discuss in a moment on my own computer.
07:00
It sent me back nearly 78 kilobytes. And that was just
07:04
file names That wasn't the actual store of data stored in those logs.
07:10
Different applications. Almost all of
07:13
the windows applications will create their own logs and their own event logs a cz well, as their security system in all sorts of other logs,
07:21
they will look at it just a second. But they could be used to store information about just anything you can imagine.
07:27
They're created by the system in the cup for just any sort of obscure data reference they may want to make.
07:33
So we look here, Debbie evey t you till the two options. We're gonna look at it gonna be e l N c l e l is a numerator. See, Ellis, clear
07:43
a CZ. You see, there are a few of them right now. This is just a quick sample of the ones that came up because they're that
07:49
The ones closest to security really is why they got selected.
07:54
Um,
07:55
so you see the first option, the one that's most important to me right now is security.
07:59
This is security logs. So whatever they've got set as sort of a host I d s in its own way. Where they've got said is saying, This is something I want you to keep track up. This is something that either shouldn't happen or something we should know about when it happens. Whatever set up
08:16
is whatever certain can certain config things are changed.
08:20
It will register. Their system is when pretty much any major lake,
08:24
no windows configure windows, admin privilege. Basically,
08:28
any time you need to use admin privileges, system's going to see it in some way.
08:33
Um, those three were really the biggest ones.
08:37
Although
08:39
Windows Power Shell does indicate
08:41
Yeah, that's one that's worth getting rid of two
08:43
because, you know, because it's storing, you know, logs from a different kind of show. But
08:48
it's still a command line utility. So if you find all the command line utilities that logs you clear those out,
08:54
you're not actually necessarily gonna get rid of all of the command you've run. But you're going to get rid of any security warnings or anything like that that may have come of it or whatever they're choosing to love is essentially what you'll get rid of, um, again, thing that is worth noting here
09:09
is that with Windows, you don't have the opportunity to
09:13
manually edit logs or, you know, carefully change each one. You basically just get tortured,
09:20
which is what really right here.
09:24
You just nuke it. It is very noticeable. It's very, very noticeable. When an entire security log goes missing, every sys admin worth his salt is going to see that you've done something wrong.
09:35
However, it's our only recourse at the low level that we're operating.
09:39
Um,
09:41
there exist, you know, hacks and applications. And you could write your own application, which could more properly sneak into the windows logs and edit things. That's not really the purview of, ah, a relatively basic course like this one.
09:54
Um,
09:56
so, barring all of the other options and stave in well, Bart forests,
10:01
we have no choice, particularly the law. So we're gonna hit security. We're gonna hit, you know,
10:05
system. We're gonna hit all the logs have mentioned a minute ago. We're gonna rip him out
10:11
again. They're going to know we did something. But the bright side is they're not going to know what we did.
10:16
Um,
10:16
in a ch class, I was in a while back, the instructor gave me a piece of advice, which is
10:22
it's not only illegal if you get caught, it's only illegal after you're convicted.
10:26
Which isn't necessarily advice, I would say is quite correct for the real world. Certainly not for penetration testing, because if you do something illegal, they're going to freak.
10:37
And by freak, I mean, they're going to arrest you.
10:39
Um, but
10:41
if they have no evidence of the commands you've run, if you have no choice but to torture systems logs to hide your activities
10:48
better that than they know exactly what you did. So again, it's always a balancing act between effective and noticeable, and in this case, the pendulum swings pretty far
11:00
toward noticeable.
11:01
But
11:01
effective still works out.
11:05
And that's pretty much all there is for Windows in that logs are gonna move on to our final topic in this section,
11:09
Um, and really our final major topic in general, which is password cracking,
11:15
Ah, password cracking kind of falls under the covering tracks,
11:18
not because it's part of covering tracks with because it's actually the first step in the next portion
11:24
of hacking, which is sort of a cycle, really, Once you get to the exploit and the post exploit stage,
11:31
it kind of turns into this constant cycle you exploit into a system, you gather all the information, you do all the fun stuff.
11:39
Then you explode into the next system
11:41
and you do whatever you want to do to that system. Then you exploited server or the next system, or whatever,
11:46
the long story short being that
11:50
once you get to this point in the penetration, testing or whatever you're doing,
11:56
you've sort of stopped going in the strait progression and it's turned into, ah, thin, a short circle that's going to continually spend.
12:03
So we're gonna go ahead and prepare for maneuvering through the network and, you know, gaining for their access and all that by cracking passwords.
12:11
Password cracking is a very important element of this field. Everyone has had to crack the password at some point who is a security professional,
12:20
a za result of that. They're a bunch of tools for doing it John the Ripper is extremely popular.
12:26
Um,
12:26
they're just tons and tons of password baby password crackers, online hash crackers. It's actually possible because of how many
12:35
of the most popular MD five some things that have been cracked where you can actually use Ah, a Google based password cracker. You can write an application, and I know this from experience. You can actually write an application, which will send a Google query
12:50
click essentially the first return.
12:54
And in about seven out of 10 cases, you can actually just google the hash programmatically and break passwords that way.
13:01
Um,
13:03
not part of that is because MD five is very weak hashing out of them. You should never, ever use it.
13:09
We'll get into that in a little bit,
13:11
like so. They're just tons and tons of ways of breaking ashes and finding passwords. But pretty much all of them in one capacity or another, revert back to
13:20
just a few methods the two methods were going going to discuss. Here are the two basic methods There are, you know, very complicated math based algorithm, crackers and things that actually take advantage of the math behind these algorithms. But we're really not gonna worry about that.
13:35
Um, if you're interested in something like that, then by all means, it's a very cool field, but it's sort of outside the purview of this class.
13:46
It's the 1st 1
13:46
The brawn,
13:48
A brute force password cracking consists of trying every single possible combination until you get it. Response.
13:54
It could be very, very slow, but it is in its own right, unbeatable. Eventually you're going to find the right combination because you're trying every combination.
14:05
The problem with that and
14:07
even those of you without a background in cryptography can probably identify it.
14:13
I mentioned incredibly slow,
14:15
I'm sure to attempt to have to crack every single shot 5 12 hash. It would take you in the hundreds of millions of years
14:24
the actual amount of time it would take. You would be longer than it's taken man to evolve from lizards,
14:30
so I would recommend against that. It's not going to work out.
14:35
Um, by the time you Kenbrell force a password, it's usually too late.
14:41
That's not in every case, but its usual. The big differences or the important thing, is really how good their password rules are and how could. Their hash is if they're using nd five,
14:52
you can probably bring your way through with, you know,
14:56
a normal desktop or a few GP use dedicated to the task.
15:01
If they're using shot 5 12 and serious password rules,
15:05
it's not gonna work out for you.
15:07
So here's a little pseudo code example of what brute force cracking looks like. Here we have a function name. It's not important we start out at zero. So we're starting out of the very first hash hash is don't go in any incremental order. They're completely or pseudo random.
15:22
Ah, but they increase progressively or they don't increase progressively. But is this number increases progressively, they'll change the way statistics working the way probability works. Once you've theoretically tried a number of inputs equal to the the maximum number of combinations,
15:39
you will have found every possible hash in reality, because collisions, it'll be both faster and slower than that
15:46
faster, most likely to find the hash. You want slower to actually find every hash. But then we do a while true, which is basically just spin forever.
15:58
And we checked the hash against you know, they calculate ash, so we calculate the hash of Justin incriminating value.
16:06
And if the ash is equal to the one we're given,
16:08
we returned that hash and say, Hey,
16:11
well, really Return that hash return I or that value. So hey, this is the value that will work as the password.
16:18
If we go back and no, then we're gonna incriminate value and try again.
16:22
So this is a very short snippet of code, and it can spin thousands and thousands of times per second on a good machine. It can spin incredibly fast. The problem with that, of course, is that as fast as it can spend, the numbers with which it's dealing are
16:36
hilariously large to to the 500. And 12 is a very,
16:41
very big number. So while brute force crackers are very good on short passwords and weak passwords,
16:47
they're not so great on the newer algorithms. They're not gonna do much good, which is where
16:51
dictionary attacks come in. Dictionary attacks were sort of the brain.
16:55
A dictionary is a list of words. A dictionary attack uses a list of words is that's all there is to. It comes from basic sort of fact, which is that 98% of all passwords. All systems are made up of the 10,000 most common passwords. Creating a new password is hard.
17:12
It is after you have to come up with some
17:17
strange, contrived series of letters and numbers and symbols,
17:21
and then you've gotta memorize it. And the longer and more difficult to pass word it is, the less likely you are to do that. So you know,
17:27
most people revert to one of 10,000 passwords because there are 10,000 possibilities.
17:33
And, you know, no one knows everyone else's password. You think you're being clever or you think you know Oh well, that master, it's so stupid no one would ever guess it. A. Crucially we would, and we do all the time
17:47
when I kind of drop here. And it's starting sort of a funny coincidence from something else that was also 78 kilobytes earlier.
17:53
But ah, 10,000 passwords at eight characters. Each
17:57
is 78 kilobytes.
18:00
Ah, a computer
18:00
can crack that in seconds. Minutes is a stretch. If you don't have Salter, if you don't have something special toe kind of slow it down,
18:11
a dictionary attack is going to get roughly 98% of all passwords
18:15
in a few minutes at most.
18:18
And the more characters you add,
18:21
it doesn't really change the time very dramatically.
18:23
So the problem with dictionary attacks and what keeps people who you know, execute dictionary attacks from owning the world
18:33
is a combination of things. Now one of those things is putting. Rules on lockout are on attempts to log in before you get locked out. Essentially, you can't keep trying different passwords because the system will kick you all
18:45
that combined with assault, not to be confused with assault, which is, you know, hitting someone with a rubber hose until they tell you their password but assaulting your hashes. Essentially, all that does is it. It puts a random value
18:59
on passwords so that when they get hashed, it's not the same ash that password would normally be on another site, which uses a different hash, a different hash salt,
19:10
what that allows you to do essentially. What it means is that
19:12
when people crack a assault, people crack a hash on a weaker website.
19:18
They can't then use that to go get into a stronger website. It doesn't work out the thing with that, really, is that dictionary attacks are still very functional. Um, you can still break into a website without a whole lot of trouble simply by guessing passwords.
19:34
If you manage to get a copy of a shadow vial or any sort of password hash file,
19:40
the dictionary attack becomes relatively trivial to finish up,
19:44
so dictionary attacks are obviously extremely powerful. They're still among the most powerful and most efficient ways to break into a system.
19:52
Um, and again, with the top 98% pass routes
19:56
98% of all passwords being made up of the top 10,000 it'll be a while before dictionary attacks stopped being extremely effective. So this just for your edification is what a dictionary attack looks like. You got a function name,
20:11
you say for every word in my list for every word in my list,
20:15
hash it and see if it works.
20:18
And as soon as one does tell me
20:21
very simple, it spins up. Not
20:23
it spends up about as quickly as a brute force, but with a much smaller attack surface, so it's much easier.
20:30
Dictionary attacks, like they say, are very dangerous. They're very effective and they're based off of the most
20:37
incapable and the weakest part of any computer system, which is the user. And on that note, we're going to go ahead and finish up this video and therefore the covering tracks portion.
20:45
Now, other than the conclusion, you have
20:48
fairly well completed this course you deserve a pat on the back,
20:52
and, um, I'm sure that I'll be hearing from some of you any questions You might have any thoughts you might have on the subject or any information like to pass along. Always feel free to contact him.
21:03
Joseph Perry and I'm your residents. Me and you've been watching this video and all the other videos like it on cyber ery dot i t.

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor