Learn how hackers launch cyber warfare in the digital world. IT professionals must learn the tools, strategies and techniques involved and take the fight to the hackers.
Generic content will not cut it; bespoke training aligns your training objectives with your goals and strategies.
Learn from us: www.tech-strategygroup.com
How Hackers Launch Cyber Warfare
1. How Hackers Launch Cyber Warfare: Let's Level the Playing Field
By Mohsin Baig
2. Exploiting an Application
Hackers are able to exploit built-in applications.
• The following type of attack can overcome all Windows protection checks: pressing the Shift key at least five times opens the StickyKeys options in Windows. Hackers can replace sethc.exe with cmd.exe; once the file is replaced, using the command prompt to execute explorer.exe permits full access to the computer.
• In this attack, Windows first validates that the .exe is digitally signed, which cmd.exe is. Second, Windows validates that the .exe exists within the system directory (%systemroot%\system32) in order to establish its integrity level and administrator permissions. Windows then checks that the executable is on its internal list of Windows protected system files, which cmd.exe is, and consequently it is approved. Windows therefore believes it is executing the StickyKeys accessibility feature when, on the contrary, it is running the attacker's shellcode as LocalSystem.
3. Exploiting Buffer Overflow
• A buffer overflow typically takes place when a data storage area receives a larger character buffer (such as 32 characters) than the amount of space actually allocated for a particular task (such as 24 characters).
• Poor error checking makes programs vulnerable to buffer overflows.
• Boundary protection can be implemented to prevent buffer overflows.
• C programs are widely known to be vulnerable to buffer overflow attacks, since C has inherited many functions that do not perform boundary checking.
• Constantly patching systems and applications is one of the most effective measures to protect against buffer overflows and privilege escalation tools.
4. Example of C-Language Functions Vulnerable to Buffer Overflows
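The slide's own example is not preserved in this text, so the following is an added example (not from the original presentation) of the 24-byte buffer / 32-character input scenario described on slide 3: the unchecked C idiom the slides warn about, beside a boundary-protected replacement. All names in it are hypothetical.

```c
/* Added example, not from the original slides: the 24-byte buffer / 32-char
 * input scenario of slide 3, with the unchecked C idiom beside a bounded one. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 24   /* space actually allocated for the task */

enum copy_status { COPY_OK = 0, COPY_REJECTED = 1 };

/* Vulnerable idiom: strcpy() copies until it finds the NUL in src and never
 * consults the size of dst.  A 32-character argument writes 33 bytes into a
 * 24-byte buffer, 9 bytes past its end: undefined behaviour that typically
 * clobbers whatever follows buf on the stack.  Shown for contrast; never called. */
void copy_unchecked(char buf[BUF_SIZE], const char *src)
{
    strcpy(buf, src);           /* no boundary check: this is the defect */
}

/* Boundary-protected replacement: refuse any input that does not fit together
 * with its terminator, and leave dst in a defined state either way.  strncpy()
 * alone is not a fix: it silently drops the NUL when strlen(src) >= dstsz. */
enum copy_status copy_bounded(char *dst, size_t dstsz, const char *src)
{
    /* memchr() stops after dstsz bytes, so an unterminated src is never overread */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {          /* strlen(src) >= dstsz: no room for the NUL */
        dst[0] = '\0';
        return COPY_REJECTED;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* copies the NUL as well */
    return COPY_OK;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *fits = "twenty-three chars here";              /* 23 chars */
    const char *too_long = "abcdefghijklmnopqrstuvwxyz123456"; /* 32 chars */

    printf("23 chars -> status %d, buf=\"%s\"\n", copy_bounded(buf, sizeof buf, fits), buf);
    printf("32 chars -> status %d\n", copy_bounded(buf, sizeof buf, too_long));
    return 0;
}
```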
5. Accessing the SAM
• Once the hacker accesses the SAM, they have potential access to all the passwords.
• All user account passwords are maintained in the SAM in hashed form.
• The SAM can be stolen via physical and logical access.
• The SAM can also be obtained from the NT ERD (Emergency Repair Disk), from C:\winnt\repair\sam.
• Tools such as LINNT and NTFSDOS can provide physical access.
• Tools such as Pwdump and LCP can be used to exploit the SAM via logical access.
6. Windows Authentication Types
• A large number of authentication protocols are supported by Windows.
• Windows supports protocols for network authentication (NTLM), dialup authentication, and internet authentication.
Windows authentication protocols comprise the following:
1. LM authentication: used by 95/98/Me and based on DES.
2. NTLM authentication: used by NT until Service Pack 3 and based on DES and MD4.
3. NTLM v2 authentication: used after NT Service Pack 3 and based on MD4 and MD5.
4. Kerberos: first implemented in Windows 2000 and usable by all current versions of Windows, including Server 2012 and Windows 10.
7. • Windows incorporates six levels of authentication to build better defences against password cracking:
8. Hiding Files and Covering Tracks
The following are techniques that hackers can use to disguise their attacks:
• Disabling logging: Auditpol, a Windows tool for managing audit policies, works well for hackers too, as long as they have administrative access.
• Clearing the log file: the attacker will also attempt to clear the log. Tools such as Winzapper, Evidence Eliminator and ELSave can be used. ELSave removes all entries from the logs except one entry showing that the logs were cleared.
9. Rootkit
• Consists of tools and replacement executables for critical operating system components.
• Can be used to disguise evidence and traces of the hacker.
• Largely dependent on root access, but permits full-scale access to the hacker once the system is under control.
• Contains log cleaners that can be used to remove all traces of the hacker's presence from log files.
• Traditionally, rootkits replaced binaries such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof and ps with Trojaned versions written to hide certain processes or information from administrators.
10. • Rootkits of this type are detectable because of the change in size of the Trojaned binaries.
• Tools such as MD5Sum and Tripwire can be used effectively to uncover these types of hacks.
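As an added example (not part of the original presentation), the baseline-and-compare check that tools like MD5Sum and Tripwire perform, run over constructed in-memory stand-ins for a binary. It also shows why the size check alone, as described on the slide, is not sufficient: a replacement padded to the original size passes it, while the digest still catches it. The function and structure names are hypothetical, and FNV-1a stands in for a real cryptographic digest.

```c
/* Added example, not from the original slides: the baseline-and-compare check
 * that tools like MD5Sum and Tripwire perform, run over constructed in-memory
 * stand-ins for a binary.  FNV-1a is used only to avoid a crypto dependency;
 * a real baseline would store SHA-256 digests. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct baseline { const char *path; size_t size; uint64_t digest; };

enum verdict { INTACT = 0, SIZE_CHANGED = 1, CONTENT_CHANGED = 2 };

/* 64-bit FNV-1a over an arbitrary byte string. */
uint64_t fnv1a64(const unsigned char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;          /* offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;                   /* FNV prime */
    }
    return h;
}

/* Taken once, on a known-clean system, and stored off-host. */
struct baseline record_baseline(const char *path, const unsigned char *data, size_t len)
{
    struct baseline b = { path, len, fnv1a64(data, len) };
    return b;
}

/* Size is the cheap first check the slide mentions; the digest catches a
 * replacement that was padded to the original size and so passes it. */
enum verdict verify(const struct baseline *b, const unsigned char *data, size_t len)
{
    if (len != b->size) return SIZE_CHANGED;
    if (fnv1a64(data, len) != b->digest) return CONTENT_CHANGED;
    return INTACT;
}

/* Constructed stand-ins for /bin/ls: clean, a larger Trojaned copy, and a
 * Trojaned copy that happens to be exactly the original size. */
static const unsigned char LS_ORIGINAL[]        = "ELF:ls:lists every process";
static const unsigned char LS_TROJAN_BIGGER[]   = "ELF:ls:lists every process except those in hidelist";
static const unsigned char LS_TROJAN_SAMESIZE[] = "ELF:ls:hides every process";

int main(void)
{
    struct baseline b = record_baseline("/bin/ls", LS_ORIGINAL, sizeof LS_ORIGINAL - 1);
    printf("clean:     %d\n", verify(&b, LS_ORIGINAL, sizeof LS_ORIGINAL - 1));
    printf("bigger:    %d\n", verify(&b, LS_TROJAN_BIGGER, sizeof LS_TROJAN_BIGGER - 1));
    printf("same size: %d\n", verify(&b, LS_TROJAN_SAMESIZE, sizeof LS_TROJAN_SAMESIZE - 1));
    return 0;
}
```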
11. • Rootkits can be divided into several categories:
1. Hypervisor: modifies the boot sequence of a virtual machine.
2. Hardware/firmware: hides in hardware or firmware.
3. Bootloader: replaces the original bootloader.
4. Library level: replaces original system calls.
5. Application level: replaces application binaries with fake ones.
6. Loadable kernel level: adds malware to the security kernel.