Tips on Advanced Monitoring & Alerting in Windows Systems
September 7th, 2017
As a Windows administrator, when something with your Windows environment goes amiss, how likely are you to pinpoint the cause, and how much time might expire before you reach the point of certainty? In this blog, I want to offer up an example excerpted from my Useful Hacking Series to help Windows administrators improve their awareness of what happens whenever somebody does something within the system.
Understanding of operating system internals is crucial for understanding any hacking activities. So, with that said, let’s explore a simple hacking scenario. Hopefully, you can apply this knowledge to better protect and respond to threats in your Windows environment.
If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques.
How to sniff HTTPS & and steal logon credentials
For today’s lesson, let’s explore how a hacker might sniff HTTPS traffic using Event Tracing for Windows (ETW) – a framework that provides logging capabilities with very little overhead-to-run-time performance. As an integral part of the Microsoft Windows operating system, ETW is heavily used by several system components, and can be successfully used by third-party software. ETW can provide a staggering amount of information.
If you want to see a small example of what information can be found in ETW logs, follow the steps I’ve outlined below and try to dump some data of web requests made by the web browser that uses WinInet library calls. If you want to learn Windows Internals – start from ETW!
- First, you need to download and install Windows Performance Toolkit tools (WPT is a part of the Windows ADK: http://www.microsoft.com/en-US/download/details.aspx?id=39982) and added path to the xperf.exe to your PATH environment variable to make the usage comfortable. To sniff the credentials for basically any HTTPS- based portal, you must be logged out of the portal you desire to target.
- Start the cmd.exe as member of the Local Administrators group, as ETW requires administrative privileges.
- Next, start logger session named WinInetTest and capture events from the Microsoft-Windows-WinInet. To achieve that, run the following command:
>xperf.exe -start WinInetTest -on Microsoft-Windows-WinInet -FileMode Circular -MaxFile 50 -f WinInetTest.etl
- Use Internet Explorer and navigate to the target HTTP-based site. Enter user name & password (doesn’t have to be a real one) and click ‘sign in’:
- Switch back to the cmd.exe, and stop the logger session in the following way:
>xperf.exe -stop WinInetTest
- Now, it’s time to dump all the events from the wininet.etl file to the wininet.txt file:
>xperf -i wininettest.etl -o wininet.txt -a dumper
- We are almost ready to see the result of the monitoring. To search the file for specific events use the following command:
>findstr /i "WININET_REQUEST_HEADER_OPTIONAL" wininet.txt
Here is the summary of all we did:
If you look at the Headers data, you can see your user name and password along with other POST data.
Summary Thoughts on Useful Hacking
Intercepting HTTPS traffic is possible if you are monitoring the beginning or the end of the HTTPS tunnel. At this stage, it’s important to understand that, in an operating system, there are several layers where communication is established. If one of these layers should malfunction, the security of transmission could be seriously jeopardized.
Remember, HTTPS is just a protocol that is used to communicate securely, it is not used for any kind of data transformation. For the similar purpose, you can use tool Fiddler – Web Debugger. It is a fantastic tool for troubleshooting and sniffing HTTPS traffic
If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques. Attendees to this session will learn what activities can be traced and monitored; starting from simple scenarios then ending with the exact steps a hacker may take to compromise a Windows system.