Chapter 5 - Attacking a System Flashcards
Characteristics of LM Hashing
Splits the password up and converts all letters to uppercase. If it's over 7 characters, it is padded to 14 characters and split 7 x 7. Easily cracked.
What is Ntds.dit?
It’s a database file on the domain controller that stores passwords
What are the steps for Kerberos?
1. Client asks the Key Distribution Center (KDC) for a ticket. 2. Server responds with a Ticket Granting Ticket (TGT). This is a secret key which is hashed and stored on the server. 3. If the client can decrypt it, the TGT is sent back to the server requesting a Ticket Granting Service (TGS) service ticket. 4. Server sends the TGS service ticket, which the client uses to access resources.
What tools can you use to crack Kerberos?
Kerbsniff, KerbCrack
HKEY_LOCAL_MACHINE (HKLM)
Information on hardware and software
HKEY_CLASSES_ROOT (HKCR)
Information on file associations and OLE classes
HKEY_CURRENT_USER (HKCU)
Profile information for the current user including preferences
HKEY_USERS (HKU)
Specific user configuration information for all currently active users
HKEY_CURRENT_CONFIG (HKCC)
Pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
What is the RID of the following: S-1-5-21-3623811015-3361044348-30300820-1013
1013. RID is the Relative Identifier (the last sub-authority of the SID).
/bin
Basic Linux commands
/dev
Contains pointer locations to various storage and input/output systems
/etc
All admin files and passwords; the passwd and shadow files are here
/home
Holds user home directories
/mnt
Holds the access locations you've mounted
/sbin
System binaries folder, which holds more administrative commands
/usr
Holds almost all of the information, commands, and files unique to the users
Root has the UID and GID of what?
UID and GID of 0
The first user has the UID and GID of what?
UID and GID of 500
FAR vs FRR vs CER
False Acceptance Rate (FAR) - Rate at which a system accepts access for people who shouldn't have it. False Rejection Rate (FRR) - Rate at which a system rejects access for someone who should have it. Crossover Error Rate (CER) - The point where the two are equal; the lower the CER, the better the system.
What are the system hacking goals?
1. Gaining Access 2. Escalating Privilege 3. Executing Applications 4. Hiding Files 5. Covering Tracks
Password Attack: Non-electronic
Social engineering attacks - most effective.
Password Attack: Active Online
Done by directly communicating with the victim’s machine. Includes dictionary, brute-force attacks, hash injection, phishing, trojans, spyware, etc.
Password Attack: LLMNR/NBT-NS
Attack based on Windows name-resolution protocols that cache DNS lookups locally. Responding to these requests poisons the local cache. If an NTLMv2 hash is sent over, it can be sniffed out.
Offline Password Attack
Hacker steals a copy of the password file and does the cracking on a separate system.
LLMNR Port Number?
UDP 5355
NBT-NS Port Number?
UDP 137
Tool that can be used to automate testing of user IDs and Passwords?
NetBIOS Auditing Tool or Legion
NBNSpoof
Tool that is used for LLMNR/NBT-NS poisoning. Similar to Responder.
Pupy
Tool that is used for LLMNR/NBT-NS poisoning. Similar to Responder.
Responder
Tool that is used for LLMNR/NBT-NS poisoning.
Hydra
Password cracking tool
What are the four main attack types for password cracking?
Non-electronic - Social engineering (most effective). Active Online - Done by directly communicating with the victim's machine (trojan, brute-force attack). Passive Online - Sniffing the wire to intercept a password, or a MITM attack. Offline - When the hacker steals a copy of the password file and does the cracking on a separate system.
Examples of an Active Online Attack
Done by directly communicating with the victim's machine. Examples: Keylogging, LLMNR/NBT-NS attacks (local DNS attack). Tools: NBNSpoof, Pupy, Metasploit, Responder
LLMNR port
UDP 5355
NBT-NS Port
UDP 137
Cain and Abel (sniffing)
Password cracker that can poison ARP and then monitor victim’s traffic
Ettercap
Similar to Cain and Abel, but also works against SSL-encrypted traffic
KerbCrack
Built-in sniffer and password cracker looking for port 88 Kerberos traffic
ScoopLM
Specifically looks for Windows authentication traffic on the wire and has a password cracker.
Passive Online Sniffing Tools
Cain and Abel, Ettercap, KerbCrack, ScoopLM
Dictionary vs. Brute Force vs. Hybrid Attack
Dictionary: Uses a wordlist to attack the password. Brute Force: Tries every combination of characters to crack a password. Hybrid: Takes a dictionary attack and replaces characters or adds numbers at the end.
Horizontal vs. Vertical Privilege Escalation
Vertical: Lower-level user executes code at a higher privilege level. Horizontal: Executing code at the same user level but from a location that would be protected from that access.
DLL Hijacking
Replacing a DLL in the application directory with your own.
Alternate Data Streams (ADS)
Hides files in a secondary stream of another file. To show them: dir /r. Example: a file hidden as readme.txt:badfile.exe can be executed from the stream.
How would you hide a file by attributes in Windows?
attrib +h filename
Tools for hiding files
ImageHide, Snow, Mp3Stego, Blindside, S-Tools, wbStego, and Stealth
Hypervisor Level Rootkit
Rootkits that modify the boot sequence of a host system to load a VM as the host OS
Hardware rootkit
Hides malware in devices or firmware
Boot Loader Level Rootkit
Replaces the boot loader with one controlled by the hacker
Application Level Rootkit
Replaces valid application files with Trojans
Kernel Level Rootkit
Attacks boot sectors and the kernel, replacing kernel code with back-door code; most dangerous
Library Level Rootkit
Uses system-level calls to hide itself. One way to detect it is to compare files against a known-good CD backup.
How would you describe an Interrupt
A signal that indicates that an event has occurred
On Windows, where are authentication credentials stored? Where is the file located?
Stored in the SAM file. The file is located at C:\windows\system32\config