As the theme for this lab is key-logging, I recount my unsuccessful attempts at retrieving my friend's World of Warcraft account credentials. Aside from experimentation as an act of desperation back in the day, I have no personal experience using or being exposed to keyloggers. Keyloggers are best known for stealing other people's passwords without their knowledge, but I've also been involved with companies that use them as a tool for monitoring and alerting, compliance regulation and after-the-fact investigations.
Good keyloggers record intricate information such as commands autocompleted in the cmd window with the Tab key, copy-pasting, spell checkers, and spin and drop-down controls that change values. Advanced keyloggers will also save screenshots and files and watch the clipboard.
First things first: we log into the domain administrator account on the client machine, install Actualspy and do some initial preference tweaking.
After un-suspending the software in Windows Defender, we can open it and look at the main dashboard.
In the settings we check "start at the system loading" and all the hiding options. It turns out it is still quite easy to detect this keylogger running.
I make sure we're utilizing all the logging modes.
Logging out of the domain administrator, I log into the client admin account to perform various tasks and see what the keylogger picks up. I quickly establish an overview of the running processes and spot a particularly suspicious one...
Back in the domain admin account, I use the predefined shortcut "ctrl + shift + alt + f8" to activate Actualspy again. I'm surprised by the fact that it logged a screenshot I took on my local, personal PC. Remember, this was done on a local machine, using VMware to run a virtual machine! The process that made this possible is probably not that complicated, but it's still something to consider.
Going on to part two of the lab, we configure a basic online server to capture password information from.
In Server Manager, we disable anonymous authentication and enable Basic authentication (plain text).
Back in the client, I install Cain & Abel and disable the Windows Defender features.
Still in the client, we have to assign a static IP to keep Cain & Abel happy.
I authenticate myself on the server.classroom.local website, then delete all caches, saved passwords and similar. I then go back to the server to activate the Windows login option, and return to the client to perform another login.
The sniffer worked! It captured all the information entered into the authentication login, both for the unencrypted Basic service and for the encrypted Windows login.
In part three of the lab, I take a closer look at the encrypted password and explore brute-force decryption.
I move on to the Cracker tab of Cain and right-click my admin credentials to choose Brute-Force Attack.
A window describing the properties of the attack pops up and I press Start Attack. Note the time it takes to complete...
I exit the attack only to reconfigure and narrow a new one. I limit it to 8 characters and enter a string of predefined characters. This is where it would make sense to add people's pets' names, birthdays and similar.
As a last option, the lab describes how rainbow tables can be used to crack passwords. They do not work against salted hash values, since a table contains precomputed hashes of the bare passwords. If a match is found, the password can be recovered.
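To illustrate why a precomputed table fails against salted hashes, here is an added Python example that is not part of the lab or of Cain & Abel; the tiny wordlist, the use of SHA-256 and the 16-byte random salt are constructed assumptions for demonstration.

```python
import hashlib
import secrets

# Constructed mini wordlist standing in for the password space a real
# rainbow table covers. The lookup principle is the same at any size.
WORDLIST = ["password", "letmein", "qwerty", "Summer2023"]


def unsalted_hash(password: str) -> str:
    """Hash the bare password, as an unsalted password store would."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash salt || password; the salt is stored next to the digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words):
    """Precompute digest -> plaintext for every word.

    This is the work a rainbow table does once, up front, and then reuses
    against every unsalted hash it ever sees.
    """
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest: str):
    """Return the recovered password, or None if the digest is unknown."""
    return table.get(digest)


def demo():
    """Same password, stored unsalted and salted, checked against one table."""
    table = build_table(WORDLIST)
    stored_unsalted = unsalted_hash("letmein")
    salt = secrets.token_bytes(16)          # per-user random salt (assumed size)
    stored_salted = salted_hash("letmein", salt)
    # The unsalted digest is found instantly; the salted one is not, because
    # the table was built without this salt and would have to be rebuilt per salt.
    return lookup(table, stored_unsalted), lookup(table, stored_salted)


if __name__ == "__main__":
    found, not_found = demo()
    print("unsalted lookup:", found)        # letmein
    print("salted lookup:", not_found)      # None
```

The same password hashed under two different salts also yields two different digests, which is why an attacker cannot amortise a single table across users even when they share a password.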