Exploit the possiblities

hackfaq-15.html

hackfaq-15.html
Posted Aug 17, 1999

hackfaq-15.html

tags | paper
MD5 | 28e5808a5c1c7754649938f4800b0c16

hackfaq-15.html

Change Mirror Download
<!DOCTYPE  HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: NT Logging and Backdoors</TITLE>
<LINK REL="next" HREF="hackfaq-16.html">
<LINK REL="previous" HREF="hackfaq-14.html">
<LINK REL="contents" HREF="hackfaq.html#toc15">
</HEAD>
<BODY BGCOLOR="black" VLINK="gray" TEXT="white" LINK="gray" HLINK="red">
<A HREF="hackfaq-16.html">Next</A>
<A HREF="hackfaq-14.html">Previous</A>
<A HREF="hackfaq.html#toc15">Contents</A>
<HR>
<H2><A NAME="s15">15. NT Logging and Backdoors</A></H2>

<P>This section contains info regarding logging and backdoors for NT.
<P>
<H2><A NAME="ss15.1">15.1 Where are the common log files in NT?</A>
</H2>

<P>These are located in %root%\SYSTEM32\CONFIG. They are:
<P>
<UL>
<LI> AppEvent.Evt - Records events involving the running of certain applications.</LI>
<LI> SecEvent.Evt - Records security events.</LI>
<LI> SysEvent.Evt - Records basic events.</LI>
</UL>
<P>As a hacker do not worry about the AppEvent.Evt file much -- you are mainly
concerned with items in the regular event log (the SysEvent.Evt file) and the
security log (the SecEvent.Evt). By default regular users should be able to
read the regular event log, and you may wish to look that over if you can to
see if your "visit" left a trace. If it did and the entries look out of place,
consider adding entries from other users that are similiar by accessing the
system as these other users.
<P>You have to have Administrative Group rights to view the security event log.
And you'll certainly want to check that to see what is in it.
<P>
<H2><A NAME="ss15.2">15.2 How do I edit/change NT log files without being detected?</A>
</H2>

<P>Well this can be a little tricky as these files are locked in place during NT's
operation. You have a couple of choices at this time -- wipe the logs or try
to add stuff to them to add camoflage obfuscation. Not elegant, but better
than nothing.
<P>
<H2><A NAME="ss15.3">15.3 So how can I view/clear/edit the Security Log?</A>
</H2>

<P>You have to be in as an Administrator or as someone in the Administrator's group.
<P>Start the Event Viewer, and from the Log menu select Security. You view individual items by double clicking on them. To clear them (which is an all or nothing proposition) select Clear All Events from Log. If asked to save the info, answer no.
<P>There is currently no way to edit the contents of the Security Event Log, although it is not impossible. One could conceivably boot up the system with Linx on a floppy, copy the logs off for editing in a hex editor, and copy doctored logs back up. I've co
<P>nsidered writing the software to do this, although I probably never will.
<P>
<H2><A NAME="ss15.4">15.4 How can I turn off auditing in NT?</A>
</H2>

<P>This requires Administrator access. From the User Manager go to the Policies menu and select Audit. Turn off the things you wish to turn off.
<P>As far as individual files and directories, you have to right-click on the file or directory from within Explorer, go to Properties and go to the security tab. Click on the auditing button for details, and turn off what you need turned off.
<P>If you need to do this from a command line, check out the question "I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?" in the NT Client Attacks section.
<P>
<P>
<HR>
<A HREF="hackfaq-16.html">Next</A>
<A HREF="hackfaq-14.html">Previous</A>
<A HREF="hackfaq.html#toc15">Contents</A>
</BODY>
</HTML>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close