With computing many programs and processes run in the background. Unless you’re a savvy computer user you may not be aware of these processes. Hackers sometimes use these processes to hide themselves inside victim computers.
In this post I’ll be using two of my virtual machines to demonstrate how a hack happens, one way a hacker can hide in a system, and how it can be found on the victim.
NOTE: These two machines are both under a host only network. Meaning that the hacking attempts shown in this demo cannot get out into the open internet. Even though this demo involves hacking I do not in any way support the illegal hacking of any computing device.
First I start off with setting my two virtual machines in a host only network sand boxed within my host system.
After confirming that the two VMs are configured correctly I boot them and disabled any firewalls, AV software, and other programs that would detect the hack on the victim. The purpose of this test is not to bypass all of these programs but to get a piece of malicious software on the machine and to show some ways that it can be found.
After the two computers are connected I had the VMs ping each other to make sure they can communicate. After that I used zenmap on my hacking platform to scan for open ports on the victim VM.
I already know which attack vector I want to use on the victim. It requires port 445 to be open. After checking the Zenmap report I found that port 445 is open. From there I start Metasploit and configure it to attack the victim.
Before hacking the victim I start a calculator on the victim and ran the tasklist command in the command line. What this command does is it shows all of the currently running processes on the computer and how much memory each process is using.
After the configuring of Metasploit is finished I ran the exploit with the meterpreter payload. What this does is it gives me a shell (a text user interface) to interact with the victim computer. Using this shell I can gather information on the victim computer. Examples are password hashes, OS version, user account names, and processes that are running on the victim.
Right know the rouge program should be sitting in memory. This can be found pretty easily by a savvy system administrator. Next I take the rouge process and hide it in a process that is running on the victim.
If the system admin knows roughly how much memory each process is taking when they run then this should raise a red flag. This is one way that can be used to see if a computer has been compromised. But more evidence is needed in order to make a clear determination if the computer was hacked.
Now that I know something is amiss I check which connections are currently open or “Established”. I used the netstat command on the command line to do this.
After I found the strange connection I decided to check the event logs. First I checked the security logs.
After finding that event in the security logs I check the system logs to see if anything was installed on the computer. I use the time of the first event to search the system logs.
In this demo I have used the netstat command on the command line, memory usage of running processes, and the security and system event logs to discover that something odd was happening on this system. These are just a few of the ways that can be used to find out if a computer was compromised. The most important fact to note is that you have to know what is running on your system. If you don’t then you not have a reference to find out if something is wrong. I hope you enjoyed this post. For the next post I’ll be running memory analysis to show what processes are running on a computer. Thanks for reading!