Covering Tracks

• Disabling Auditing: disable Auditing using Auditpol.

• Clearing the Event Log: use elsave to clear the Event Log.

• Hiding files: using attrib, NTFS file streaming. Use LNS to search for files hidden in streams.

Consolidation of Power

• Remote control: Remote control applications (pcAnywhere, VNC, Windows Remote Desktop, etc.) are useful, but a major security risk, even when configured properly.

• Rootkits: patching the OS kernel with rogue code, assuming control of the OS. See the Rootkit page and removal tools.

• Port redirection: redirect from one IP number and port to another IP number and port at the gateway/firewall. See rinetd and fpipe.

• Man-in-the-middle attacks: originally using SMBRelay and SMBProxy. Cain provides sniffing and MITM capabilities.

Previous slide

Back to first slide

View graphic version