Attacking a System Flashcards
LM Hashing
Takes a password and converts it to uppercase. If it is shorter than 14 characters, it is padded with blanks to 14. The 14-character password is split into two 7-character strings and each string is hashed separately.
If an LM password is 7 or fewer characters, the second half (the padded blank characters) will always be:
AAD3B435B51404EE, the hash value of 7 blank characters
In a Windows Vista or later SAM file a LM password shows up as:
Blank. The NTLM hash will show in the second part of the line.
Salting
Adding random data as additional input before a password is hashed.
Active Directory database
%SYSTEMROOT%\System32\Ntds.dit
Kerberos
Uses both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. Made up of a Key Distribution Center (KDC), an Authentication Service (AS), a Ticket Granting Service (TGS) and the Ticket Granting Ticket (TGT)
LM Authentication Levels
0 - Windows XP Default
2 - Windows 2003 Default
Active Directory Database
Stored on domain controllers in %SYSTEMROOT%\NTDS\NTDS.dit or %SYSTEMROOT%\System32\NTDS.dit
Tools used to crack Kerberos
Kerbsniff, KerbCrack
Password Security
The length of a password is more important than the complexity of a password
Golden Ticket
Creating your own Kerberos TGT. Can be created by Mimikatz or Cobalt Strike using the provided domain name, domain admin name, domain SID and a Kerberos TGT hash
Pass the Hash
Password hashes stored in memory and passed to a requesting remote computer for authentication. Hashes are loaded by LSASS. Tools: mimikatz, which can steal hashes, PIN codes, and Kerberos tickets from memory. Mimikatz is also included in Metasploit as a meterpreter script
Windows Registry - HKEY_LOCAL_MACHINE (HKLM)
Contains hardware information and software
Windows Registry - HKEY_CLASSES_ROOT (HKCR)
Contains information on file associations and Object Linking and Embedding (OLE) classes
Windows Registry - HKEY_CURRENT_USER (HKCU)
Contains profile information for the user currently logged on. Includes preferences for the OS and applications
Windows Registry - HKEY_USERS (HKU)
Contains specific user configuration information for all currently active users on the computer
Windows Registry - HKEY_CURRENT_CONFIG (HKCC)
Contains a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Current\ to make access and editing this profile information easier
Registry Character String
REG_SZ
Registry Expandable String
REG_EXPAND_SZ
Registry Binary Value
REG_BINARY
32-bit unsigned integer
REG_DWORD
Symbolic link to another key
REG_LINK
Registry MultiValue
REG_MULTI_SZ
Startup keys
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Linux - File System - Root
Designated by a /
Linux - File System - /bin
Holds numerous Linux commands a lot like C:\WINDOWS\SYSTEM32
Linux - File System - /dev
Contains pointers to storage and I/O systems to mount such as optical drives and additional hard drives. Everything in Linux is a file
Linux - File System - /etc
Contains all administrative files and passwords. The passwd and shadow files are found here
Linux - File System - /home
User home folders
Linux - File System - /mnt
Holds the access locations that are mounted
Linux - File System - /sbin
System binaries - holds more admin commands and Linux daemons
Linux - File System - /usr
Holds information, commands and files unique to users
Common Linux commands
- adduser - adds a user to the system
- cat - displays the content of a file
- cp - copies a file
- ifconfig - like Windows ipconfig
- kill - kills a running process
- ls - displays the content of a folder
- man - displays the manual page of a command
- passwd - used to change your password
- ps - process status command; -ef will show all processes
- rm - removes files; -r will also remove directories
- su - perform functions as another user
- sudo - run programs as super user
- pwd - print current working directory
Run a program in Linux in the background
Add an ampersand to the end of the command. The process will end when the user logs out. To make the process persistent and survive logout, add nohup to the beginning of the command.
Linux Users and Groups
Each user is assigned a unique ID called a UID and each group is assigned a unique ID called a GUID. These can be seen in the /etc/passwd and /etc/group files respectively as the third field.
Linux password storage
Linux can store passwords in either the /etc/passwd file or the /etc/shadow file. An "x" in the passwd file indicates that the password is stored salted and hashed in the shadow file. Only root can read the shadow file
Tools to crack passwords from Linux shadow files
John the Ripper using brute force
Linux hacking distros
Backtrack, Kali, Phlack, Auditor
System Hacking Goals
Gaining Access, Escalating Privileges, Executing Applications, Hiding Files, Covering Tracks
Gaining Access
Cracking passwords and escalating privileges
Clear tracks methodology
In Metasploit use clearev
Clear most recently used (MRU) list in Windows and most recent documents
Can prepend a dot "." to Linux file names to hide them
Hacking Phases
Reconnaissance
Scanning - Discovery and port scanning, then Enumeration
Gaining Access - Cracking passwords, escalating privileges
Maintaining Access - Executing applications, hiding files
Covering Tracks - Clearing logs
Single factor authentication
Something you know
Two factor authentication
Something you know and something you have (biometric)
False Rejection Rate (FRR)
The percentage of time a biometric device will deny access to a legitimate user
False Acceptance Rate (FAR)
The percentage of time a biometric device will give an unauthorized user access to a system
Crossover Error Rate (CER)
Where the False Rejection Rate and the False Acceptance rate of a biometric device intersect
Active biometric device
Must be touched. A retina scan is invasive because it sends a beam of light into the eye and is therefore considered active.
Passive biometric device
You don't have to touch it. An iris scan is considered noninvasive because it takes a picture of the eye and is therefore considered passive
Biometric or e-passport
A token that you carry that holds biometric information identifying you. Still considered single factor authentication
Password fatigue
Users having to remember too many long and complex passwords.
Keyboard walk passwords
Using a predictable path or pattern of keys on a keyboard as the password
Password cracking
Non-Electronic - social engineering, shoulder surfing, dumpster diving
Active Online - direct interaction with the target; includes dictionary and brute force attacks, hash injections, phishing, Trojans, spyware, keyloggers, and password guessing
Passive Online - sniffing
Offline - steal a copy of a password file and crack it using a dictionary attack, hybrid attack or brute-force attack
Rule based password attack
A dictionary/brute-force attack where the attacker has some knowledge of your password policy
Keylogging
Using a hardware device or software application to capture a user's keystrokes. Software keyloggers are easier to spot than hardware keyloggers, which are almost impossible to detect.
Link-local Multicast Name Resolution (LLMNR) and NetBIOS Name Service attack
LLMNR is based on the DNS host format and allows hosts on the same subnet to perform name resolution for other hosts as a backup for local DNS name resolution. This is subject to DNS poisoning by resolving an LLMNR DNS request to the target of your choice. This could lead to password sniffing of subsequent authentication attempts to the poisoned entry. Tools: NBNSpoof, Pupy, Metasploit, Responder.
You can mitigate this by disabling LLMNR through the registry or via GPO
LLMNR port
UDP 5355 to IP address 224.0.0.252 and FF02::1:3
NBT-NS uses UDP port 137
Windows Password Recovery Tools
CHNTPW (linux), Stellar Phoenix, Windows Password Recovery Ultimate, ISeePassword, Windows Password Recovery Tool, Passware Kit, PCUnlocker
Net commands
net view /domain:domainname
net view \\systemname - list of shares
net use \\target\ipc$ "" /u:"" - sets up a null session
net use Z: \\target\share /persistent:yes - makes the drive mapping permanent
You can use NetBIOS Auditing Tool and Legion to automate the testing of user IDs and passwords
Ferret and Hamster
Ferret
This tool grabs session cookies; it runs as a background process capturing session cookies that pass over the network on port 80.
Hamster
This tool works as a proxy server to manipulate the data that has been grabbed by Ferret.
Online tools for password sniffing
Ettercap, Kerbcrack (specifically looks for port 88 Kerberos traffic), Cain, ScoopLM (specifically looks for Windows passwords)
SSLsniff
Acts as a man in the middle for SSL connections on a LAN and dynamically generates certificates on the fly for the domains being accessed
What is a hybrid offline password attack?
A step above the dictionary attack. The tool is smart enough to take a word from a list and substitute numbers and symbols for alphabetic characters.
Rainbow table
Precalculated password hashes for faster hash cracking. Can be created with rtgen and winrtgen
Offline password cracking tools
Cain, THC Hydra, John the Ripper, KerbCrack, LC5 (next gen L0phtcrack)
Default Password Sites
OpenSezMe, CIRT, Defaultpassword.com
Vertical Privilege Escalation
When a lower-level user executes code at a higher privilege level than they should have access to
Horizontal Privilege Escalation
Executing code at the same user level but from a location that should be protected from access
Four ways to gain root (admin) privileges
- Crack the admin password
- Take advantage of an OS vulnerability
- Use a tool like Metasploit that will deliver a custom payload
- Social engineer the password
DLL hijacking
Adding a malicious DLL to a path where it is loaded before the real DLL. The same can be done on macOS with a DYLIB
Armitage
Offers a GUI front end for Metasploit
Owning a system
Gaining access to the machine and escalating privileges
Tools for remote execution
RemoteExec, PDQ Deploy, Dameware Remote Support
NTFS Alternate Data Stream
An NTFS feature originally included for Apple File System compatibility; it allows you to hide data or a file inside of an NTFS file
type badfile.exe > c:\goodfile.exe:badfile.exe
There are methods for starting badfile.exe depending on the version of Windows:
Use the start command, for example, start c:\goodfile.exe:badfile.exe, or create a link to it using mklink, for example, mklink innocent.exe goodfile.exe:badfile.exe, and execute innocent.exe
Tools to find alternate data stream files
LNS, Sfind, dir /r
You can also copy the file to a FAT partition, which does not support alternate data streams
Hide files with steganography
Imagehide, Snow, MP3Stego, Blindside, S-tools, wbstego, stealth
Semagram
Part of steganography
Visual semagram: Uses everyday objects to convey a message, for example, how objects are arranged on a desk. Semagrams hide information by using symbols, signs, or visual objects. It is more like an indicator of a larger, previously agreed upon message. For example, Bob wants to tell Alice that the party will take place on Friday. A semagram could be a postcard with a picture of a Chevrolet car, which Bob and Alice have already agreed means affirmative (the party will take place), while a Ford car means negative (the party won't take place).
Text semagram: Obscures a message in text by using things such as font, size, type or spacing
Hide tracks by modifying or deleting log files
Turning auditing off and back on, or deleting all entries in a log file, can be discovered. It is better to corrupt the log file. Tools for log file manipulation include: elsave, WinZapper, EvidenceEliminator, Auditpol (to disable log files)
Rootkit
A collection of software put in place by an attacker designed to obscure system compromise. Replaces or substitutes administrator utilities and capabilities with modified versions that obscure or hide malicious activity. They provide back doors for the attacker to use later and include measures to remove and hide evidence of any activity.
Horsepill
A Linux kernel rootkit inside initrd with three main parts:
- klibc-horsepill.patch - creates a new malicious run-init
- horsepill_setopt - moves command line arguments to the malicious run-init
- horsepill_infect - splats files
Grayfish
A Windows rootkit that injects code into the boot record, creating its own virtual file system
Other rootkits
Sirefef, Azazel, Avatar, Necurs, ZeroAccess
Six types of rootkits
- Hypervisor Level - modifies the boot sequence to load a virtual machine as the host OS
- Hardware (firmware) - Hide in hardware devices or firmware
- Boot loader level - replace the boot loader with one controlled by the hacker
- Application level - Replace valid application files with Trojan binaries
- Kernel level - attack the boot sectors and kernel level of the operating system itself, replacing kernel code with back door code. The most dangerous and difficult to detect and to remove
- Library level - use system calls to hide their existence
Blue Pill
The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor.
Protection Rings
Ring 0 - The kernel
Ring 1 - Drivers
Ring 2 - Libraries
Ring 3 - Applications, also known as user mode
Steps for detecting a rootkit
First run dir /s /b /ah and dir /s /b /a-h on the potentially infected system and save the results. Boot from a clean CD and run the same commands. Use windiff to compare the two results files