Attacking a System Flashcards
LM Hashing
Converts the password to uppercase and pads it with null bytes to 14 characters (longer passwords are truncated). The 14 bytes are split into two 7-byte halves, and each half is used as a DES key to encrypt the fixed string KGS!@#$%; the two 8-byte results are concatenated into the 16-byte LM hash. Because each half is computed independently, each half can be cracked on its own, which is why the effective strength is that of a 7-character uppercase password.
If an LM password is 7 or fewer characters, the second half (all null padding) is always:
AAD3B435B51404EE, the DES result for 7 null bytes. Seeing this value in the second half of a dumped LM hash tells you the password is at most 7 characters.
In a Windows Vista or later SAM dump an LM hash shows up as:
Blank, because LM hash storage is disabled by default (NoLMHash). Dump tools print the empty LM hash AAD3B435B51404EEAAD3B435B51404EE (or a NO PASSWORD placeholder) in the LM field; the NT hash appears in the next field of the line (user:RID:LM:NT:::).
Salting
Adding random data (the salt) as additional input before a password is hashed, and storing the salt alongside the hash. Identical passwords then produce different hashes, so a precomputed (rainbow) table cannot be reused across accounts or systems. Windows LM and NT hashes are unsalted, which is one reason precomputed tables work so well against them.
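An added example (not from the original page) showing the effect the card describes: an unsalted single-round hash in the style of the NT hash, beside a salted, iterated scheme (PBKDF2-HMAC-SHA256 from the standard library) with a verify routine. The user set and passwords are constructed; the iteration count is an assumed work factor for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this demo; tune to your hardware


def unsalted_hash(password: str) -> str:
    # Unsalted, single-round hash in the spirit of NT hashes (MD4 of the UTF-16LE
    # password): identical passwords always yield identical hashes, so one
    # precomputed table cracks every account that shares a password.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def salted_hash(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    # A fresh random salt per account; it is stored in the clear next to the digest.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a timing side channel cannot leak digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(users: dict) -> dict:
    """Hash every user's password both ways and count distinct stored values."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_hash(p) for u, p in users.items()}
    return {
        "unsalted_distinct": len(set(unsalted.values())),
        "salted_distinct": len(set(salted.values())),
        "unsalted": unsalted,
        "salted": salted,
    }


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    demo_users = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "correct horse battery"}
    result = compare_schemes(demo_users)
    for u in demo_users:
        print(f"{u:<6} unsalted={result['unsalted'][u][:16]}...  salted={result['salted'][u][:44]}...")
    print("distinct unsalted:", result["unsalted_distinct"], "  distinct salted:", result["salted_distinct"])
```

With the unsalted scheme alice and bob are visibly the same password (two distinct values for three users); with the salted scheme every stored value is unique and cracking one account tells you nothing about the other.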
Active Directory database
%SYSTEMROOT%\NTDS\Ntds.dit on domain controllers (the default path; some references also list %SYSTEMROOT%\System32\Ntds.dit). It holds the NT hashes of every domain account and is usually extracted together with the SYSTEM hive, which holds the boot key needed to decrypt it.
Kerberos
A ticket-based network authentication protocol built on symmetric-key encryption (asymmetric keys are used only with the PKINIT extension, e.g. for smart-card logon); the password itself is never sent across the network. Made up of a Key Distribution Center (KDC), which runs the Authentication Service (AS) and the Ticket Granting Service (TGS). The AS issues a Ticket Granting Ticket (TGT), which the client presents to the TGS to obtain service tickets.
LM Authentication Levels (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
0 - Send LM and NTLM responses (Windows XP default)
1 - Send LM and NTLM, use NTLMv2 session security if negotiated
2 - Send NTLM response only (Windows Server 2003 default)
3 - Send NTLMv2 response only (default from Windows Vista / Server 2008 on)
4 - Send NTLMv2 response only, refuse LM
5 - Send NTLMv2 response only, refuse LM and NTLM
Anything below 3 lets a client fall back to the LM or NTLMv1 response, which can be captured on the wire and cracked offline.
Tools used to crack Kerberos
Kerbsniff (captures Kerberos logon exchanges from the network) and KerbCrack (brute-forces the captured pre-authentication data offline)
Password Security
The length of a password matters more than its complexity: each added character multiplies the search space, while character-class rules mostly produce predictable substitutions that cracking rules already cover.
Golden Ticket
A forged Kerberos TGT created by the attacker rather than by the KDC. Tools such as Mimikatz (kerberos::golden) or Cobalt Strike build it from the domain name, the domain SID, the NTLM hash (or AES key) of the krbtgt account, and any user name and RID to impersonate. Because the KDC trusts anything encrypted under the krbtgt key, the ticket stays valid until that key is changed (twice, since the previous key is still honoured).
Pass the Hash
Using a captured NT hash directly to authenticate to a remote computer over NTLM, without knowing the plaintext, because the NTLM challenge-response computation only ever needs the hash. The hashes of logged-on users are held in memory by LSASS; Mimikatz (sekurlsa::logonpasswords) can steal hashes, PIN codes and Kerberos tickets from that memory. Mimikatz is also available in Metasploit as the Meterpreter kiwi extension (successor of the older mimikatz Meterpreter script).
Windows Registry - HKEY_LOCAL_MACHINE (HKLM)
Contains hardware configuration and machine-wide software settings that apply regardless of who is logged on; the SAM, SECURITY, SYSTEM and SOFTWARE hives live here
Windows Registry - HKEY_CLASSES_ROOT (HKCR)
Contains information on file associations and Object Linking and Embedding (OLE) classes
Windows Registry - HKEY_CURRENT_USER (HKCU)
Contains the profile of the user currently logged on, including preferences for the OS and applications. It is a link to that user's SID subkey under HKEY_USERS
Windows Registry - HKEY_USERS (HKU)
Contains specific user configuration information for all currently active users on the computer
Windows Registry - HKEY_CURRENT_CONFIG (HKCC)
Contains a pointer (link) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current to make accessing and editing the current hardware profile easier
Registry Character String
REG_SZ
Registry Expandable String
REG_EXPAND_SZ
Registry Binary Value
REG_BINARY
Registry 32-bit unsigned integer
REG_DWORD
Registry symbolic link to another key
REG_LINK
Registry multi-string (array of null-terminated strings)
REG_MULTI_SZ
Startup keys
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows 9x/Me only)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows 9x/Me only)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The same Run and RunOnce keys also exist under HKCU, where a non-admin user can write them; all of them are classic persistence locations and should be checked on a compromised host.
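An added example (not from the original page) of what you do with these keys during triage: parse a .reg export of the Run and RunOnce keys (the format written by reg export) and flag autorun commands that point into user-writable directories, which is where dropped persistence usually lives. The .reg text is constructed and the entry names and paths are made up; the list of user-writable directories is an assumed heuristic, not an authoritative one.

```python
import re

# Constructed .reg export of the startup keys, in the layout `reg export` writes.
# Entry names and paths are made up for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\update.exe -silent"
"TrayHelper"="C:\\Windows\\system32\\trayhelper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\Temp\\cleanup.bat"
"Flag"=dword:00000001
"""

# Assumed heuristic: directories an ordinary user can write to. An autorun that
# launches something from one of these deserves a closer look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files double backslashes and escape quotes inside string data.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list:
    """Return one dict per string value under each [key] section."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2)
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values are not launch commands
        command = _unescape(data[1:-1])
        lowered = command.lower()
        entries.append({
            "key": current_key,
            "name": _unescape(name),
            "command": command,
            "suspicious": any(d in lowered for d in USER_WRITABLE),
        })
    return entries


def flagged_names(text: str) -> list:
    return [e["name"] for e in parse_reg(text) if e["suspicious"]]


if __name__ == "__main__":
    for e in parse_reg(SAMPLE_REG):
        mark = "!!" if e["suspicious"] else "  "
        print(f"{mark} {e['key'].split(chr(92))[-1]:<8} {e['name']:<15} {e['command']}")
```

On a live host, export the keys with reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg (and the HKCU and RunOnce counterparts), then run the parser over the files; the path heuristic is a starting point, so follow up on every flagged entry by checking the file's signature and hash rather than trusting the name.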
Linux - File System - Root
Designated by a /
Linux - File System - /bin
Holds the essential user commands (ls, cp, cat and so on) needed even in single-user mode, a lot like C:\WINDOWS\SYSTEM32
Linux - File System - /dev
Contains device files that represent hardware and I/O channels, such as disks, optical drives, terminals and pseudo-devices like /dev/null. Everything in Linux is a file, so a block device such as /dev/sdb1 is mounted from here
Linux - File System - /etc
Contains system-wide configuration files. The account list /etc/passwd (world-readable) and the password hashes in /etc/shadow (readable only by root) are found here
Linux - File System - /home
User home folders
Linux - File System - /mnt
Holds mount points for temporarily mounted file systems (removable media is often mounted under /media instead)
Linux - File System - /sbin
System binaries: administrative commands and daemons such as fdisk, iptables and init, normally run by root
Linux - File System - /usr
Holds shareable, read-only user-space programs, libraries and documentation (/usr/bin, /usr/lib, /usr/share); it is not per-user data, which lives in /home
Common Linux commands
adduser - adds a user to the system
cat - displays the content of a file
cp - copies a file
ifconfig - shows network interfaces, like Windows ipconfig (replaced by ip addr on modern distributions)
kill - sends a signal to a running process (SIGTERM by default; kill -9 forces SIGKILL)
ls - lists the content of a directory
man - displays the manual page of a command
passwd - changes your password
ps - process status; ps -ef shows all processes
rm - removes files; rm -r also removes directories
su - switches to another user (root by default); sudo runs a single command as the superuser
pwd - prints the current working directory
Run a program in Linux in the background
Add an ampersand (&) to the end of the command. A background job started from an interactive shell is normally sent SIGHUP when the user logs out and terminates. To make the process survive logout, prefix the command with nohup (which makes it ignore SIGHUP and sends its output to nohup.out), for example nohup ./script.sh &; an already running job can be detached with disown.