Exercise One: Keyloggers
In this exercise we install a keylogger on the Client VM, for which we first need to log in as the domain administrator.
Once logged in, we can install Actual Spy and configure it as follows:
- Check the box to allow the program to start on startup
- Check all boxes under hiding
- Check the logging options
Once the program is configured, start it.
With the keylogger running, we log in as the local Administrator and look for any suspicious processes in Task Manager.
As soon as I opened Task Manager it was right there in plain sight; sure, it has a different name, but an icon with a shifty-looking spy guy never looks bad, right?
Now we need to open a Run box and enter:
Once there I needed to log in as a domain admin, so I entered my credentials and then proceeded to just create a folder with a text document in it.
Now that we have played around as another user, it is time to log back in as the domain admin and see what we found by pressing the hotkey to bring up the keylogger.
To my surprise, the keylogger did not capture any passwords; it only seems to have captured my CTRL and ALT keys.
Exercise 2: Cain and Abel
In this exercise, we will try to sniff passwords using Cain and Abel. For this, we need to be in the Server VM.
Once in here, we need to go to IIS, disable Anonymous Authentication and enable Basic Authentication. Basic Authentication makes the browser send the username and password in every request as a base64-encoded Authorization header; base64 is an encoding, not encryption, so anything sniffing the HTTP traffic can read the credentials directly.
Now I need to log in on the Client VM and set a static IP address for it, as Cain requires a static IP address.
After setting the static IP I can install Cain and Abel, making sure not to install WinPcap.
After installing Cain I needed to turn off the firewall.
After that, we can start the password sniffer.
The exercise is complete at this stage, but here are the password sniffing results that were found. I also had to delete the browsing history and data.
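To show what the sniffer actually sees with Basic Authentication on, and why Windows Authentication (NTLM/Kerberos) does not hand over the password the same way, here is an added example that is not part of the lab or of Cain. It builds the Authorization header the way a browser does, then parses a constructed HTTP capture (the hostname, username and password are made up for the example) and decodes whatever Basic tokens it finds; other schemes are reported but cannot be decoded, only cracked.

```python
import base64


def build_basic_header(user: str, password: str) -> str:
    """What a browser sends once the server demands Basic authentication:
    'user:password' base64-encoded. Base64 is an encoding, not encryption,
    so anyone on the path can reverse it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def sniff_credentials(capture: str) -> list:
    """Walk every request in a captured HTTP stream and pull out the
    Authorization header. Basic tokens decode straight to user/password;
    other schemes (NTLM, Negotiate) carry a challenge-response token that
    has to be cracked, not decoded, so they are reported without a secret."""
    found = []
    for request in capture.split("\r\n\r\n"):
        for line in request.split("\r\n"):
            name, sep, value = line.partition(":")
            if not sep or name.strip().lower() != "authorization":
                continue
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                # RFC 7617: the user-id may not contain ':', the password may,
                # so split on the first colon only.
                user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
                found.append((scheme, user, password))
            else:
                found.append((scheme, None, None))
    return found


# Constructed sample capture (not taken from the lab): two requests to the
# IIS server, one with Basic authentication and one with NTLM. The NTLM
# token is a placeholder Type 1 message (signature and type, rest zeroed).
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode("ascii")
SAMPLE_CAPTURE = (
    "GET / HTTP/1.1\r\nHost: server.lab.local\r\n"
    + build_basic_header("lab\\administrator", "Password05$")
    + "\r\n\r\n"
    "GET / HTTP/1.1\r\nHost: server.lab.local\r\n"
    f"Authorization: NTLM {NTLM_TYPE1}\r\n\r\n"
)

if __name__ == "__main__":
    for scheme, user, password in sniff_credentials(SAMPLE_CAPTURE):
        print(scheme, user, password)
```

The Basic request yields the plaintext credentials immediately, which is exactly what Cain's sniffer displays; the NTLM request only yields a token, which is why the next exercise has to move captured material to the cracker instead.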
Exercise 3: Cracking Windows Passwords
In this exercise, we will be using Cain to crack passwords.
First, we need to switch to the Server VM and change the authentication options again, setting Basic Authentication to Disabled and Windows Authentication to Enabled.
Now on the Client VM, I need to open
Now that I have entered my credentials, Cain has captured my data, which is located under MSKerb5-PreAuth. I need to move it to the cracker and make a note of how long a brute-force attack will take.
Now, as you can see, this is no coffee break, so what we can do is try the custom charset option with ‘pPaAsSwWoOeEdD05$@1’ (I added the 1 because the password I’m using is different from the one in the lab).
This takes less time but is still a long wait; another option is to obtain the password storage file.
We can go to LM & NTLM Hashes and add hashes using Import Hashes from local system.
This is again a long wait; the last option is a rainbow table attack, but this requires pre-computed hashes and only works if the hash is unsalted, which is the case for LM and NTLM hashes.
I had played around with Cain prior to this lab, so I was familiar with how it worked; what I liked most was the sniffing tool and detecting passwords entered on the VM.
I don’t think I would approach this lab any differently, as the steps are easy to follow and I would not think people could get lost following them.
What I did find strange, though, was how the keylogger did not pick up any passwords, and I am confident I did not set it up wrong :/ Maybe if they told me what the end result was supposed to be, I would know if I was right or wrong.