6 - System Hacking Flashcards
What are the goals of system hacking?
- Gain Access:
  - Bypass security controls to gain access
  - Password cracking, social engineering
- Escalating Privileges:
  - Acquire the rights of another user or an admin
  - Exploiting vulnerabilities
- Executing Applications:
  - To create and maintain remote access to the system
  - Malware
- Hiding Files:
  - To hide the attacker's malicious activities and data theft
  - Rootkits, steganography
- Covering Tracks:
  - Hide evidence of compromise
  - Clearing logs
What is Password Cracking?
Used to recover passwords from computer systems and gain unauthorized access to a vulnerable system
What are the different types of password attacks?
- Non-Electronic Attacks:
  - Do not require technical knowledge to crack the password (social engineering, shoulder surfing)
- Active Online Attacks:
  - An attacker needs to communicate with target machines to gain password access (dictionary attacks)
- Passive Online Attacks:
  - Attacker does not need to communicate with the system.
  - Uses observed data to break into the system (sniffing)
- Offline Attacks:
  - Attackers try to recover cleartext passwords from a password hash dump (rainbow table attack)
How Are Hashed Passwords Stored in Windows SAM?
Windows uses a Security Account Manager (SAM) database file to store user passwords.
What is Kerberos Authentication?
- A network authentication protocol that provides strong authentication by using secret-key cryptography.
- Both server and user verify each other’s identity
What is Password Salting?
- A technique where a random string of characters is added to the password before calculating its hash.
- Makes it more difficult to reverse the hashes and defeat pre-computed hash attacks.
How to Defend Against Password Cracking?
- Enable info security audit to monitor and track password attacks
- Do not use same password during password change
- Do not share password
- Do not use passwords that can be found in a dictionary
- Do not use cleartext protocols and protocols with weak encryption
- Set the password change policy to 30 days
- Avoid storing passwords in an unsecured location
- Do not use the system's default passwords
- Make passwords hard to guess by using 8-12 characters in combination of uppercase, lowercase, numbers and symbols
- Ensure apps neither store passwords to memory nor write them to disk in clear text
- Use a random string (salt) as prefix or suffix with the password before encrypting
- Enable SYSKEY with strong password to encrypt and protect the SAM database
- Never use passwords such as date of birth, spouse, or child’s or pet’s name
- Monitor the server’s logs for brute force attacks
- Lockout accounts with too many incorrect attempts
What is Escalating Privileges?
- Attackers gain access using a non-admin user account and the next step would be to gain admin privileges
- Privilege escalation attack takes advantage of design flaws, programming errors, bugs, and config oversights in the OS and software
- These privileges allow attackers to view critical/sensitive info, delete files, or install malicious programs
What are the Types of Privilege Escalation?
- Horizontal:
  - Assuming the identity of another user with similar privileges
- Vertical:
  - Refers to gaining higher privileges than the existing account
What are Spectre and Meltdown Vulnerabilities?
- Spectre Vulnerability:
  - Tricks a processor to exploit speculative execution to read restricted data.
  - Processors implement speculative execution in order to predict the future to complete the execution faster
  - Attackers use this vulnerability to read adjacent memory locations of a process and access info they are not authorized for.
- Meltdown Vulnerability:
  - Leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution
What are Privilege Escalation Techniques?
- Access Token Manipulation:
  - Windows OS uses access tokens to determine the security context of a process or thread
  - Attackers generate spoofed tokens to escalate privileges
- Application Shimming:
  - Windows uses shims to provide compatibility between the older and newer versions of Windows OS
  - Shims can be used by attackers to escalate privileges, install backdoors, disable Windows Defender, etc.
- File System Permissions Weakness:
  - If file system permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file.
  - If the process executing the binary has higher permissions, then the malicious binary will also execute with higher permissions
- Path Interception:
  - Apps include many weaknesses and misconfigurations like unquoted paths, path environment variable misconfiguration, and search order hijacking that can lead to path interception
- Scheduled Task:
  - Task scheduling programs are used to schedule programs at a specific time
  - Attackers can manipulate these programs to execute malicious programs at system startup, maintain persistence, etc.
- Launch Daemon:
  - Daemons have plists that are linked to executables that run at startup
  - Attackers can alter the launch daemon's executable
- Plist Modification:
  - Files in MacOS/OS X describe when programs should execute, file path, parameters, required permissions, etc.
  - Attackers alter these files to execute malicious code
- Setuid and Setgid:
  - In Linux and MacOS, if an app uses setuid or setgid then the app will execute with privileges of the owning user or group
  - An attacker can take advantage of these flags
- Web Shell:
  - A web-based script that allows access to a web server
  - Attackers use this to inject malicious code
How to Defend Against Privilege Escalation?
- Restrict the interactive logon privileges
- Use encryption technique to protect sensitive data
- Run users and applications on the least privileges
- Reduce the amount of code that runs with particular privilege
- Implement MFA and authorization
- Perform debugging using bounds checking and stress tests
- Run services as unprivileged accounts
- Test OS and application coding errors and bugs thoroughly
- Implement a privilege separation methodology to limit the scope of programming errors and bugs
- Patch and update the kernel regularly
- Change UAC settings to “Always Notify”
- Restrict users from writing files to the search paths for apps
- Continuously monitor file system permissions using auditing tools
- Reduce the privileges of users and groups so that only legitimate admins can make service changes
- Use whitelisting tools to identify and block malicious software
- Use fully qualified paths in all Windows apps
- Ensure that all executables are placed in write-protected directories
- In Mac OS, make Plist files read-only
- Block unwanted system utilities or software that may be used to schedule tasks
- Patch and update the web servers regularly
What type of applications do attackers execute?
- Keylogger:
  - Monitors each keystroke, logs it to a file, and sends the file to a remote location
- Spyware:
  - A stealthy program that records the user's interaction with the computer and internet without the user's knowledge and sends the records to remote attackers
What type of files do attackers try to hide?
- Rootkits:
  - Programs that hide their presence as well as activities, granting them full access to the server.
- NTFS Data Stream:
  - NTFS Alternate Data Stream (ADS) is a hidden Windows stream which contains metadata about a file
- Steganography:
  - A technique of hiding a secret message within an ordinary message
What techniques do attackers use to cover tracks?
- Disable Auditing
- Clearing Logs
- Manipulating Logs
- Attackers also clear online tracks by removing Most Recently Used (MRU) entries, deleting cookies, clearing the cache, turning off AutoComplete, and clearing Toolbar data from the browsers.
- Using Reverse HTTP Shells:
  - External master sends commands and they execute on the target system
- Using Reverse ICMP Tunnels:
  - Using ICMP Echo and reply packets as carriers of TCP payload
- Using DNS Tunneling:
  - Encoding malicious content within DNS queries and replies (DNS Tunneling)
  - Tunneling creates a backchannel to access a remote server
- Using TCP Parameters:
  - Data can be hidden in TCP fields such as: IP, acknowledgement #, sequence #
- Windows:
  - Use Alternate Data Streams
- Unix:
  - Add a dot (".") in front of the file name to hide it
  - Update/modify/clear/shred history
What is Vulnerability Exploitation?
Involves the execution of multiple complex steps to gain access to a remote system:
- Identify Vulnerability
- Determine the Risk
- Determine the capability of the vulnerability
- Develop the exploit
- Select the method for delivering - local or remote
- Generate and deliver the payload
- Gain remote access
What are Exploit Sites?
Sites that are used to discover vulnerabilities and to download or develop exploits to perform remote exploitation on the target system. Sites include the latest details of vulnerabilities. (Exploit Database, Security Focus, VulDB, MITRE CVE)
What is Buffer Overflow?
A buffer is an area of adjacent memory locations allocated to a program or app to handle its runtime data. A buffer overflow is where an application or program accepts more data than the allocated buffer can hold. The vulnerability allows the app to exceed the buffer while writing data to it and overwrite neighboring memory locations. Attackers take advantage of this by injecting malicious code into the buffer.
What are the types of Buffer Overflow?
- Stack Based: A stack is used for static memory allocation and stores the variables in "LIFO" order (PUSH and POP functions). The attacker takes control of the new return address loaded into the EIP register and can therefore gain shell access, etc.
- Heap Based: Heap memory is dynamically allocated at runtime during the execution of the program and stores program data. The vulnerability occurs when memory is allocated on the heap and data is written to it without any bounds checking.
What are the steps for Windows Buffer Overflow Exploitation?
- Perform Spiking: Allows attackers to send crafted TCP or UDP packets to the vulnerable server to make it crash.
- Perform Fuzzing: Send a large amount of data to the target server to initiate overflow
- Identify the Offset: Identify where the EIP register is getting overwritten
- Overwrite the EIP register
- Identify Bad Characters: ID characters that may cause issues in the shellcode
- Identify the Right Module: ID module of the vulnerable server that lacks memory location.
- Generate Shellcode
- Gain Root Access