As a Windows administrator, when something with your Windows environment goes amiss, how likely are you to pinpoint the cause, and how much time might expire before you reach the point of certainty? In this blog, I want to offer up an example excerpted from my Useful Hacking Series to help Windows administrators improve their awareness of what happens whenever somebody does something within the system.
Understanding of operating system internals is crucial for understanding any hacking activities. So, with that said, let’s explore a simple hacking scenario. Hopefully, you can apply this knowledge to better protect and respond to threats in your Windows environment.
If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques.
Register now
How to sniff HTTPS & and steal logon credentials
For today’s lesson, let’s explore how a hacker might sniff HTTPS traffic using Event Tracing for Windows (ETW) – a framework that provides logging capabilities with very little overhead-to-run-time performance. As an integral part of the Microsoft Windows operating system, ETW is heavily used by several system components, and can be successfully used by third-party software. ETW can provide a staggering amount of information. If you want to see a small example of what information can be found in ETW logs, follow the steps I’ve outlined below and try to dump some data of web requests made by the web browser that uses WinInet library calls. If you want to learn Windows Internals – start from ETW!- First, you need to download and install Windows Performance Toolkit tools (WPT is a part of the Windows ADK: http://www.microsoft.com/en-US/download/details.aspx?id=39982) and added path to the xperf.exe to your PATH environment variable to make the usage comfortable. To sniff the credentials for basically any HTTPS- based portal, you must be logged out of the portal you desire to target.
- Start the cmd.exe as member of the Local Administrators group, as ETW requires administrative privileges.
- Next, start logger session named WinInetTest and capture events from the Microsoft-Windows-WinInet. To achieve that, run the following command:
>xperf.exe -start WinInetTest -on Microsoft-Windows-WinInet -FileMode Circular -MaxFile 50 -f WinInetTest.etl - Use Internet Explorer and navigate to the target HTTP-based site. Enter user name & password (doesn’t have to be a real one) and click ‘sign in’:
- Switch back to the cmd.exe, and stop the logger session in the following way:
>xperf.exe -stop WinInetTest - Now, it’s time to dump all the events from the wininet.etl file to the wininet.txt file:
>xperf -i wininettest.etl -o wininet.txt -a dumper - We are almost ready to see the result of the monitoring. To search the file for specific events use the following command:
>findstr /i "WININET_REQUEST_HEADER_OPTIONAL" wininet.txt
If you look at the Headers data, you can see your user name and password along with other POST data.
Summary Thoughts on Useful Hacking
Intercepting HTTPS traffic is possible if you are monitoring the beginning or the end of the HTTPS tunnel. At this stage, it’s important to understand that, in an operating system, there are several layers where communication is established. If one of these layers should malfunction, the security of transmission could be seriously jeopardized. Remember, HTTPS is just a protocol that is used to communicate securely, it is not used for any kind of data transformation. For the similar purpose, you can use tool Fiddler – Web Debugger. It is a fantastic tool for troubleshooting and sniffing HTTPS traffic If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques. Attendees to this session will learn what activities can be traced and monitored; starting from simple scenarios then ending with the exact steps a hacker may take to compromise a Windows system.
Paula Januszkiewicz, CEO and Founder of CQURE, Microsoft MVP and RD, Cybersecurity expert
Paula Januszkiewicz is the Founder and CEO of CQURE Inc. and CQURE Academy. She is also Enterprise Mobility MVP, honorable Microsoft Regional Director for CEE and a world class cybersecurity expert, consulting Customers all around the world.
In 2017, Paula graduated from Harvard Business School. She is a top speaker at conferences including Microsoft Ignite (she was rated No. 1 among 1,100 speakers at a conference with 26000 attendees), RSA (her speech was among top-rated sessions in 2022), Black Hat (she has been a regular speaker at Black Hat conferences all around the globe since 2017. In 2019, her presentation was voted best of Black Hat Asia 2019 Briefings), LEAP, Australian Cyber Conference, Hack in Paris or GISEC. Paula is known for her unique stage presence that is always well-received among diverse audiences, often gathering thousands of people!
Paula has 17 years of experience in the cybersecurity field, performing penetration tests, architecture consulting, trainings and seminars. Every year, before the pandemic, she took over 215 flights to provide security services, now she delivers tons of projects both online and onsite. Paula also creates security awareness programs for various organizations, including awareness sessions for top management. Paula is a member of the Technical Advisory Board at Royal Bank of Scotland – helping to keep its security at the highest level possible! What is more, Paula has access to a source code of Windows!
