Chapter 5 - Attacking a System (System Hacking) Flashcards

1
Q

Kerberos Terms

Key Distribution Center (KDC)
Authentication Service (AS)
Ticket Granting Service (TGS)
Ticket Granting Ticket (TGT)

A

KDC holds the AS and TGS. The AS authenticates the user and issues the TGT; the TGS takes the TGT and issues service tickets for individual services. In Active Directory every domain controller runs the KDC, and TGTs are encrypted with the krbtgt account's key, which is why that one key matters so much.

2
Q

Windows Kerberos Exchange Process

1. Client sends an AS-REQ to the KDC's Authentication Service asking for a TGT. The user name travels in cleartext; Windows also sends pre-authentication, a timestamp encrypted with the user's long-term key, which is derived from the password (the NT hash for RC4, a PBKDF2-derived key for AES)

2. The AS decrypts the timestamp with its own copy of the user's key. If it decrypts and the clock skew is acceptable, the AS returns the AS-REP: a TGT encrypted with the krbtgt account's key, plus a session key encrypted with the user's key. The TGT is what the client keeps for the rest of the logon

3. If the client can decrypt the session key (it can only if it holds the right password-derived key), it sends the TGT plus an authenticator to the Ticket Granting Service (TGS-REQ) asking for a service ticket

4. The TGS validates the TGT with the krbtgt key and returns a service ticket encrypted with the target service's key (TGS-REP). The client presents that ticket to the service (AP-REQ) and is allowed to log on

A

note that the password itself is never sent

What crosses the wire is data encrypted under keys derived from the password (and under the krbtgt and service keys), plus session keys that are good only for that logon. The user's key is never transmitted, neither in the clear nor as a bare hash; it is only ever used to encrypt the pre-auth timestamp and decrypt the AS-REP.

3
Q

Pass the hash attack overview

Related: with the krbtgt account's hash (dumped from a domain controller) an attacker can forge a 'golden ticket', a TGT that the TGS accepts for any user name, which means access to any service in the domain until the krbtgt password has been changed (twice, since the previous key stays valid)

A

steal NTLM hashes from LSASS memory on a machine where the target users are, or recently were, logged on

use a tool like mimikatz (sekurlsa::logonpasswords to dump the hashes, sekurlsa::pth to start a process as that user with the hash) and authenticate with the hash directly. No cracking is needed, because NTLM authentication proves knowledge of the hash, not of the password. Feeding the hash in as the Kerberos key to obtain a TGT instead is called overpass-the-hash
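The exchange on the previous card and the golden-ticket point on this one, as an added example that is not part of the original deck: a toy Kerberos KDC in Python with AS and TGS exchanges, a service-side AP-REQ check, and a forged TGT. The sealing primitive (SHA-256 keystream XOR plus an HMAC tag) is a stand-in for Kerberos encryption types and not a real cipher; the domain, principal names, passwords and lifetimes are assumptions made up for the demo.

```python
import hashlib
import hmac
import json
import os
import time

def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (stand-in for Kerberos string-to-key: NT hash for RC4, PBKDF2 for AES)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || HMAC tag. Not a real cipher."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. Wrong key or tampering -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds both the AS and the TGS; knows every principal's long-term key, krbtgt included."""

    def __init__(self, principals: dict):
        self.keys = {name: derive_key(pw, name) for name, pw in principals.items()}

    def as_exchange(self, user: str, preauth: bytes):
        """AS-REQ -> AS-REP. Pre-auth is a timestamp sealed under the user's key; the password never travels."""
        ts = unseal(self.keys[user], preauth)["timestamp"]  # fails unless the client derived the same key
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too large")
        session_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session_key": session_key,
                                         "expires": time.time() + 600})
        return tgt, seal(self.keys[user], {"session_key": session_key})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ -> TGS-REP. The TGS trusts any TGT it can open with the krbtgt key."""
        t = unseal(self.keys["krbtgt"], tgt)
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["session_key"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "session_key": svc_session})
        return ticket, seal(bytes.fromhex(t["session_key"]), {"session_key": svc_session})

def client_logon(kdc: KDC, user: str, password: str, service: str):
    """Client side of the four messages. Only sealed blobs leave this function, never the password or key."""
    key = derive_key(password, user)
    tgt, enc = kdc.as_exchange(user, seal(key, {"timestamp": time.time()}))
    session_key = bytes.fromhex(unseal(key, enc)["session_key"])
    ticket, enc2 = kdc.tgs_exchange(
        tgt, seal(session_key, {"user": user, "timestamp": time.time()}), service)
    return ticket, bytes.fromhex(unseal(session_key, enc2)["session_key"])

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP-REQ check at the service: it needs only its own key and never contacts the KDC."""
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["session_key"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match service ticket")
    return t["user"]

def golden_ticket(krbtgt_key: bytes, user: str):
    """Forge a TGT for any name, valid for years, using nothing but the krbtgt key."""
    session_key = os.urandom(32).hex()
    tgt = seal(krbtgt_key, {"user": user, "session_key": session_key,
                            "expires": time.time() + 10 * 365 * 86400})
    return tgt, bytes.fromhex(session_key)

# Constructed demo domain; the names and passwords are assumptions for this example.
DOMAIN = KDC({"krbtgt": "long-random-krbtgt-secret", "matt": "Winter2024!",
              "cifs/fs01": "service-account-secret"})

def demo() -> dict:
    ticket, svc_session = client_logon(DOMAIN, "matt", "Winter2024!", "cifs/fs01")
    legit = service_accepts(DOMAIN.keys["cifs/fs01"], ticket,
                            seal(svc_session, {"user": "matt", "timestamp": time.time()}))
    try:
        client_logon(DOMAIN, "matt", "wrong-password", "cifs/fs01")
        wrong = "accepted"
    except ValueError:
        wrong = "rejected"  # pre-auth blob was sealed under the wrong key
    # An attacker holding the dumped krbtgt key forges a TGT for a user the KDC has never seen.
    forged_tgt, forged_session = golden_ticket(DOMAIN.keys["krbtgt"], "ghost-admin")
    forged_ticket, _ = DOMAIN.tgs_exchange(
        forged_tgt, seal(forged_session, {"user": "ghost-admin", "timestamp": time.time()}), "cifs/fs01")
    return {"legit_user": legit, "wrong_password": wrong,
            "golden_ticket_user": unseal(DOMAIN.keys["cifs/fs01"], forged_ticket)["user"]}

if __name__ == "__main__":
    print(demo())
```

Two things to take from running it: a wrong password fails at the AS without any password ever being transmitted, and the TGS hands out a valid service ticket for "ghost-admin" because the only thing it checks on a TGT is that the krbtgt key opens it. Real KDCs also check PAC signatures and ticket lifetimes, which is why golden tickets are usually forged with the attributes of a real, privileged account.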

4
Q

Windows registry definition

Registry Keys

Registry Value

A

registry is a 'central hierarchical database' per MS, holding configuration for the OS, hardware, users and applications

keys - containers that work like folders in a file system; a key can hold subkeys and values

values - name/type/data entries inside a key that hold the actual setting

5
Q

Registry Values

REG_SZ
REG_EXPAND_SZ
REG_BINARY
REG_DWORD
REG_LINK
REG_MULTI_SZ
A
REG_SZ - null-terminated character string
REG_EXPAND_SZ - expandable string value: contains environment variable references such as %SystemRoot% that are expanded when the value is read
REG_BINARY - raw binary data
REG_DWORD - 32-bit unsigned integer
REG_LINK - symbolic link to another key
REG_MULTI_SZ - multistring value (an array of null-terminated strings)
6
Q

Linux file structure

/
/bin
/dev
/etc
/home
/mnt
/sbin
/usr
A

/ - root directory
/bin - essential user commands (roughly the System32 folder of Linux)
/dev - device files for disks, terminals and other I/O devices
/etc - system configuration files, including the passwd and shadow files
/home - user home directories
/mnt - mount points for temporarily mounted file systems
/sbin - system binaries: admin commands and most of the daemons Linux runs
/usr - user-land programs, libraries and documentation shared by all users (per-user files live in /home, not here)

7
Q

Linux commands

adduser
cat
cp
ifconfig
kill
ls
man
passwd
ps
rm
su
A
adduser - adds a user
cat - displays the contents of a file
cp - copies files
ifconfig - shows network configuration for the NICs (deprecated on current distributions in favour of ip addr, but still the exam answer)
kill - sends a signal to a process, by default asking it to terminate
ls - lists the contents of a directory
man - displays the manual page for a command
passwd - changes a password
ps - process status. ps -ef shows every process on the system

rm - removes files. rm -r is recursive (removes a directory and everything under it)
su - switches to another user (root if no name is given) so you can run commands as them

8
Q

Exam Tip for Linux commands

adding an ampersand (&) after process name does what?

for the process to remain after user log out, do what?

A

An ampersand after the command runs it in the background, so you get the shell prompt back while it runs

To keep it running after you log out, prefix the command with nohup (no hangup), which makes the process ignore the SIGHUP signal sent when the session closes. Typical usage is nohup, then the command, then the ampersand, with output redirected to a file

9
Q

chmod parameters

read - 4
write - 2
execute -1

A

chmod 464 sets permissions to r--rw-r--

11
Q

chmod 777

chmod 464

A

chmod 777 gives read, write and execute to everyone: owner, group and all other users. Almost never what you want on a shared system

chmod 464: owner gets read, group gets read and write, everyone else gets read
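The two chmod cards above, as an added example that is not part of the original deck: convert an octal mode to the rwx string ls -l prints, convert it back, apply it to a scratch file and read the effective mode back with stat, and flag what a reviewer actually cares about (anyone-can-write). The scratch-file check assumes a POSIX host.

```python
import os
import stat
import tempfile

def octal_to_rwx(mode: str) -> str:
    """'464' -> 'r--rw-r--' (owner, group, others), as ls -l prints it."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError(f"expected three octal digits, got {mode!r}")
    out = ""
    for d in map(int, mode):
        out += ("r" if d & 4 else "-") + ("w" if d & 2 else "-") + ("x" if d & 1 else "-")
    return out

def rwx_to_octal(perm: str) -> str:
    """'r--rw-r--' -> '464'."""
    if len(perm) != 9 or any(c not in "rwx-" for c in perm):
        raise ValueError(f"expected nine rwx- characters, got {perm!r}")
    digits = []
    for i in range(0, 9, 3):
        r, w, x = perm[i:i + 3]
        digits.append((4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if x == "x" else 0))
    return "".join(map(str, digits))

def apply_and_read_back(mode: str) -> str:
    """chmod a scratch file and read the effective mode back from stat (POSIX hosts only)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, int(mode, 8))
        return format(stat.S_IMODE(os.stat(path).st_mode), "03o")
    finally:
        os.unlink(path)

def review_findings(mode: str) -> list:
    """What a reviewer flags: anyone-can-write (the 777 case) matters far more than anyone-can-read."""
    owner, group, others = map(int, mode)
    findings = []
    if others & 2:
        findings.append("world-writable")
    if group & 2:
        findings.append("group-writable")
    if mode == "777":
        findings.append("full access for everyone")
    return findings

if __name__ == "__main__":
    for m in ("464", "777", "644"):
        print(m, octal_to_rwx(m), apply_and_read_back(m), review_findings(m))
```

The rwx string only covers the nine permission bits; setuid, setgid and the sticky bit live in a fourth leading digit that this converter does not model.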

12
Q

identify the portions of this line from the /etc/passwd file

matt:x:500:500:Matt:/home/mat:/bin/csh

A
matt - username
x - password field; the x means the password hash is kept in the shadow file
500 - UID
500 - GID
Matt - full name of user
/home/mat - user home directory
/bin/csh - login shell
13
Q

difference between passwd file and shadow file

A

the passwd file is world-readable (every program needs it to map UIDs to names), so the hashed password that used to sit in its second field could be read and cracked offline by any local user. It never stored passwords in clear text, and today that field holds only an x

the shadow file holds the hashed (not encrypted) passwords plus the password-aging fields, and is readable only by root
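The passwd and shadow cards above, as an added example that is not part of the original deck: a parser for both files and the checks a reviewer runs over them (UID 0 accounts other than root, empty password fields, hashes left in passwd, weak hash algorithms). Both sample files are constructed; the matt line is the one from the card, and the hash strings are placeholders with realistic $id$ prefixes rather than real crypt output.

```python
import re
from dataclasses import dataclass

# Constructed sample files (not from any real host). The matt line is the one from the card.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
matt:x:500:500:Matt:/home/mat:/bin/csh
backup:x:0:34:backup:/var/backups:/bin/sh
legacy::1001:1001:Legacy App:/opt/legacy:/bin/sh
"""
# Hash strings are made-up placeholders with the right $id$ prefixes, not real crypt output.
SAMPLE_SHADOW = """\
root:$6$ab12cd34$PLACEHOLDERHASHrootROOTroot:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
matt:$1$ab12cd34$PLACEHOLDERmattMATT:19500:0:99999:7:::
backup:!:19500:0:99999:7:::
legacy::19500:0:99999:7:::
"""

@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" means "look in /etc/shadow"; "" means no password at all
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text: str) -> list:
    """Seven colon-separated fields per line, exactly as on the card."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries

CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def classify_shadow_password(field: str) -> str:
    """Field 2 of a shadow line: empty, locked, or a $id$salt$hash string."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return CRYPT_IDS.get(m.group(1), f"crypt id {m.group(1)}")
    return "descrypt" if len(field) == 13 else "unknown"

def parse_shadow(text: str) -> dict:
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line.strip()}

def audit(passwd_text: str, shadow_text: str) -> list:
    """Findings a reviewer would pull out of the two files, as (user, reason) pairs."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for e in parse_passwd(passwd_text):
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account other than root"))
        if e.password == "":
            findings.append((e.name, "empty password field in passwd: logs in with no password"))
        elif e.password != "x":
            findings.append((e.name, "hash stored in world-readable passwd instead of shadow"))
        if e.name not in shadow:
            findings.append((e.name, "no shadow entry"))
            continue
        kind = classify_shadow_password(shadow[e.name])
        if kind == "empty":
            findings.append((e.name, "empty password in shadow"))
        elif kind in ("md5crypt", "descrypt"):
            findings.append((e.name, f"weak password hash: {kind}"))
    return findings

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {reason}")
```

On a live system read the real files (shadow needs root) and feed their contents to audit(); the dollar-prefix lookup is what tells you whether a dumped hash is worth feeding to a cracker (md5crypt) or is a long slog (sha512crypt, yescrypt).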

14
Q

Biometric measurement factors

false rejection rate (FRR)

false acceptance rate (FAR)

crossover error rate (CER)

A

FRR - percentage of attempts in which the reader rejects a legitimate user (type I error)

FAR - percentage of attempts in which the reader accepts an unauthorized person (type II error)

CER - FRR and FAR are charted against the sensitivity threshold; where the two curves intersect is the Crossover Error Rate (also called the equal error rate). CER is the ranking measurement for biometric systems: the lower, the better
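The three rates above as they are actually computed, as an added example that is not part of the original deck: sweep the acceptance threshold over constructed match scores, compute FRR and FAR at each step, and report the crossover. Both score sets are made up for the demo; a real evaluation uses thousands of genuine and impostor comparisons.

```python
# Constructed match scores (higher = better match). Real evaluations use thousands of comparisons.
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.73, 0.69, 0.64, 0.60, 0.55, 0.48]   # legitimate users
IMPOSTOR = [0.12, 0.20, 0.27, 0.33, 0.38, 0.44, 0.50, 0.57, 0.63, 0.70]  # other people / attackers

def frr(threshold: float, genuine) -> float:
    """False rejection rate: legitimate users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def far(threshold: float, impostor) -> float:
    """False acceptance rate: impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def crossover(genuine, impostor, steps: int = 1000) -> dict:
    """Sweep the threshold and return the point where FRR and FAR are closest (the CER / EER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        r, a = frr(t, genuine), far(t, impostor)
        if best is None or abs(r - a) < best["gap"]:
            best = {"threshold": t, "frr": r, "far": a, "gap": abs(r - a)}
    best["cer"] = (best["frr"] + best["far"]) / 2
    return best

def rank_systems(systems: dict) -> list:
    """Lower CER ranks better. systems maps a name to (genuine_scores, impostor_scores)."""
    return sorted(systems, key=lambda name: crossover(*systems[name])["cer"])

# Second constructed system whose two populations overlap more, so its CER is worse.
GENUINE_B = [0.90, 0.70, 0.60, 0.50, 0.40]
IMPOSTOR_B = [0.30, 0.45, 0.55, 0.65, 0.80]

if __name__ == "__main__":
    print(crossover(GENUINE, IMPOSTOR))
    print(rank_systems({"A": (GENUINE, IMPOSTOR), "B": (GENUINE_B, IMPOSTOR_B)}))
```

Raising the threshold pushes FRR up and FAR down; the CER is the single number that removes the threshold choice from the comparison, which is why the exam uses it to rank readers. A deployment can still sit to either side of it, trading convenience for security.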

15
Q

Active Online Attack

note that ECC says phishing belongs here, even though it doesn’t seem to deal with password cracking

A

done by communicating directly with the target machine

includes dictionary attacks, brute force attacks, hash injection, phishing, Trojans, spyware, key loggers and password guessing

takes much longer and is easier to detect than a passive attack, because every attempt generates traffic and log entries on the target

16
Q

exam tip for net use commands

net use Z: \\somecomputer\fileshare /persistent:yes

A

remember the /persistent:yes (or /persistent:no) switch: yes makes the mapping survive a reboot, no drops it at log off. Note the drive letter with its colon, the space before the UNC path, and that there is no space after the colon in the switch

17
Q

Passive online attack

A

sniffing to intercept a password, then attempting a replay attack or a MITM attack

capture cleartext credentials off the wire
ARP spoof or poison to get into the traffic path
use Ettercap for MITM, or an SSL proxy to intercept or strip TLS

18
Q

Offline Attacks

A

attacker steals a copy of the password file (or a dump of hashes) and cracks it on a separate system, where nothing on the target can observe, log or throttle the attempts

19
Q

Dictionary attack

A

easiest and fastest password cracking attack. Each word in a list is hashed the same way the stolen password was hashed and compared against the stolen hash

20
Q

Hybrid Attack

A

takes words from a list like a dictionary attack but can substitute numbers and symbols for alphabetical characters

21
Q

Brute Force Attack

A

every conceivable combination of letters, numbers, special characters is compared against hash to find a match

best option for complex passwords, but slow

22
Q

Exam Tip for cracking passwords

ECC loves rainbow tables.

A

Rainbow tables are precomputed tables of hash chains that let an attacker look up the plaintext for a stolen hash instead of computing it. They trade a large one-time computation and a lot of storage for fast lookups, and cover a chosen character set and length, not literally every password. They only work against unsalted hashes (LM, NTLM), because a salt gives the same password a different hash for every user

Today GPU systems can brute force quickly, so rainbow tables are not as useful as before

can use rtgen (from RainbowCrack) and winrtgen to make your own
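The four cracking cards above (dictionary, hybrid, brute force, precomputed tables), as one added example that is not part of the original deck. It uses SHA-256 in place of whatever hash the target really used, a five-word constructed word list, and made-up target passwords; the last two lines of demo() show why a per-user salt makes a precomputed table worthless.

```python
import hashlib
import itertools
import string

def h(password: str, salt: str = "") -> str:
    """SHA-256 of salt||password. Stands in for whatever the target used (NTLM, md5crypt, ...)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

WORDLIST = ["password", "letmein", "summer", "dragon", "welcome"]  # constructed
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["1", "123", "!", "2024", "1!"]

def dictionary_attack(target: str, candidates, salt: str = ""):
    """Hash each candidate exactly as the target was hashed and compare."""
    for word in candidates:
        if h(word, salt) == target:
            return word
    return None

def hybrid_candidates(words):
    """Dictionary words plus common mangling: case changes, leet substitutions, appended digits/symbols."""
    for w in words:
        bases = {w, w.capitalize(), w.upper()}
        bases |= {"".join(LEET.get(c, c) for c in b) for b in bases}
        for b in sorted(bases):
            yield b
            for suffix in SUFFIXES:
                yield b + suffix

def brute_force(target: str, charset: str, max_len: int, salt: str = ""):
    """Every combination up to max_len; cost grows as len(charset)**n, so this only works for short secrets."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if h(candidate, salt) == target:
                return candidate
    return None

def build_table(words) -> dict:
    """Precomputed hash -> plaintext map: one entry per candidate, the idea a rainbow table compresses into chains."""
    return {h(c): c for c in hybrid_candidates(words)}

def lookup(table: dict, target: str):
    return table.get(target)

def demo() -> dict:
    table = build_table(WORDLIST)
    return {
        "dictionary": dictionary_attack(h("dragon"), WORDLIST),
        "hybrid": dictionary_attack(h("Summ3r!"), hybrid_candidates(WORDLIST)),
        "brute_force_pin": brute_force(h("7291"), string.digits, 4),
        "table_unsalted": lookup(table, h("dragon1")),
        # Same password, but hashed with a per-user salt: the precomputed table never saw this hash.
        "table_salted": lookup(table, h("dragon1", salt="x9Q2")),
    }

if __name__ == "__main__":
    print(demo())
```

The brute-force call is kept to four digits on purpose; widen the charset to letters and symbols and the candidate count explodes, which is the "slow" on the brute-force card and the reason GPUs took over that job.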

23
Q

Exam tip definitions

Vertical Privilege Escalation

Horizontal Privilege Escalation

A

Vertical Privilege Escalation
user executes code at a higher privilege level than they should have access to (normal user to root or SYSTEM)

Horizontal Privilege Escalation
not really escalation in the sense of gaining rights.
user stays at the same privilege level but gains access to another user's data or session at that level, i.e. resources that should have been protected from them

25
Q

4 Ways to Escalate Privileges

A

crack password of root account (ECC says this should be primary aim)

Utilize vulnerability found in OS or application that gives access as privileged user. ie 2009 Java or Adobe exploits

Use a tool that provides the access you want, e.g. Metasploit

Ask user to run a program for you. Social engineering, phishing, MS Office macro to someone on unpatched system, etc.

26
Q

Executing Applications after escalating privileges

A

ECC refers to this step as “owning” a system

Includes most everything you can think of: key loggers, spyware, backdoors, crackers, etc.

The idea is to do what you need now that you have the privileges

27
Q

Caveats about ethical hacking

A

Your goal is success, no matter how it comes.

Don’t get caught up in the step-by-step processes

28
Q

Tools to know for this stage of executing remote applications

Remote EXEC (isdecisions.com)
PDQ Deploy (adminarsenal.com)
DameWare Remote Support
A

Tools in this phase are designed to deliver and execute applications in a network to remote systems, so administrators can deploy software and patches to their machines

29
Q

Alternate Data Streams

NTFS File Streaming

A

Know for exam

Way to hide files on Windows machines using NTFS alternate data streams (file streaming). Available on every NTFS version of Windows, including 10

type c:\naughty.exe > c:\readme.txt:naughty.exe

put the .txt file wherever you want. The book's way to run it is
start readme.txt:naughty.exe

or create a link to it like this
mklink innocent.exe readme.txt:naughty.exe

Caveats: newer versions of Windows generally refuse to start an executable directly from a stream, so the mklink route is the one that still works (and mklink needs the create-symbolic-link privilege). Streams are not hidden from anyone who looks: dir /R lists them, PowerShell's Get-Item -Stream * shows them, and every forensic tool checks for them today. A process launched from a stream is still a normal process and shows up in Task Manager

30
Q

Semagram

A

term related to steganography

visual semagram uses everyday object to convey a message. Examples are doodling and the way items are laid out on a desk

text semagram hides a message in text by using things like font, size, type or spacing

31
Q

Windows Application Log

A

holds entries related to applications

Only events the application's developers chose to write (through the event log API) appear here, so an empty application log proves nothing

32
Q

Windows System Log

A

registers system events like drivers failing, startup and shutdown times

33
Q

Windows Security Log

A

records login attempts, access, activities about resources

34
Q

To clean up logs after / during your access

A

edit what is being audited

if possible, disable auditing only on things you’re hitting (failed resource access, failed logins, etc)

visit log and remove items showing your presence and activities

remove the security event log entry that records your change to the audit policy

alternate approach entirely is to try and corrupt the log file when you’re done

36
Q

Tools for cleaning or manipulating log files

A

Administrative tools | Local Security Policy | Local Policies | Audit Policy to change the audit policy

Security Settings | Advanced Audit Policy configuration

WinZapper, elusive, Evidence Eliminator, Auditpol (from the old NT Resource Kit) for older systems
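The defensive side of the two log-cleaning cards above, as an added example that is not part of the original deck: a scan over Windows event records for the traces that tampering itself leaves behind. Event IDs 1102 (Security log cleared), 104 (a log cleared, System channel) and 4719 (audit policy changed) are real Windows IDs; the records, host names and user names are constructed for the demo, and a real feed would come from a SIEM or Get-WinEvent.

```python
from datetime import datetime

# Real Windows event IDs that log tampering generates; the records below are constructed.
TAMPER_EVENTS = {
    1102: "Security log cleared",
    104: "event log cleared (System channel)",
    4719: "system audit policy changed",
}

SAMPLE_EVENTS = [  # constructed records; host and user names are assumptions
    {"time": "2024-05-01T09:00:01", "host": "fs01", "channel": "Security", "id": 4624, "user": "matt"},
    {"time": "2024-05-01T09:03:10", "host": "fs01", "channel": "Security", "id": 4719, "user": "matt"},
    {"time": "2024-05-01T09:04:00", "host": "fs01", "channel": "Security", "id": 1102, "user": "matt"},
    {"time": "2024-05-01T14:00:00", "host": "fs01", "channel": "Security", "id": 4624, "user": "matt"},
    {"time": "2024-05-01T08:00:00", "host": "web02", "channel": "Security", "id": 4624, "user": "svc_web"},
    {"time": "2024-05-01T08:30:00", "host": "web02", "channel": "Security", "id": 4624, "user": "svc_web"},
    {"time": "2024-05-01T09:00:00", "host": "web02", "channel": "System", "id": 104, "user": "svc_web"},
    {"time": "2024-05-01T09:10:00", "host": "web02", "channel": "Security", "id": 4624, "user": "svc_web"},
]

def find_tampering(events) -> list:
    """Every record whose ID is a log-clear or audit-policy-change event."""
    return [{**e, "reason": TAMPER_EVENTS[e["id"]]} for e in events if e["id"] in TAMPER_EVENTS]

def logging_gaps(events, max_gap_seconds: int) -> list:
    """Per host, silences longer than max_gap_seconds: what disabled auditing or a corrupted log looks like."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(datetime.fromisoformat(e["time"]))
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            seconds = int((later - earlier).total_seconds())
            if seconds > max_gap_seconds:
                gaps.append({"host": host, "from": earlier.isoformat(),
                             "to": later.isoformat(), "seconds": seconds})
    return gaps

def policy_change_then_clear(events, window_seconds: int) -> list:
    """4719 followed by 1102 on the same host within the window: the exact sequence the card describes."""
    hits = []
    changes = [e for e in events if e["id"] == 4719]
    clears = [e for e in events if e["id"] == 1102]
    for c in changes:
        for k in clears:
            if k["host"] != c["host"]:
                continue
            delta = (datetime.fromisoformat(k["time"]) - datetime.fromisoformat(c["time"])).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((c["host"], k["user"]))
    return hits

if __name__ == "__main__":
    print(find_tampering(SAMPLE_EVENTS))
    print(logging_gaps(SAMPLE_EVENTS, 3600))
    print(policy_change_then_clear(SAMPLE_EVENTS, 600))
```

The practical point: the clearing event is written as the first record of the freshly emptied log, so an attacker who clears the Security log cannot remove the evidence that it was cleared; the only way around that is to ship events off the host before they can be touched.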

37
Q

ECC Definition of rootkit

A

collection of software put in place by attacker that’s designed to obscure system compromise

in practice, it’s software that replaces or substitutes admin utilities and capabilities with versions that obscure malicious activity

Provide backdoors for attacker and include measures to remove and hide evidence of activity

If done correctly, user and security monitors won’t know anything is wrong

38
Q

Rootkits to know for Exam

A

Azazel
Avatar
Necurs
ZeroAccess

39
Q

6 types of Rootkits to know for CEH

Hypervisor level
Hardware (firmware)
Boot loader level
Application level
Kernel level
Library level
A

Hypervisor - installs itself as a thin hypervisor beneath the running OS, which is then booted as a guest VM; the OS cannot see the layer intercepting it

Hardware - these hide in hardware or firmware (BIOS/UEFI, disk or NIC firmware) and survive an OS reinstall

Boot loader - replace the boot loader with one controlled by the attacker, so the kit loads before the OS does

Application - replace application files with Trojan binaries, or work inside an application and change its behavior, rights, actions and permissions

Kernel - load a malicious driver or kernel module, or patch existing kernel code and data structures, so the kit runs with the OS's own privileges and can hide processes, files and connections from everything above it

Library - replace or hook shared system libraries so that the calls every program makes (listing files, processes, sockets) return filtered results

40
Q

Protection rings

A

concentric, hierarchical rings from the kernel out to applications.

Each ring has its own fault tolerance and security requirements; code in an inner ring can touch everything in the rings outside it, not the other way round

ring 0 - kernel
ring 1 - drivers
ring 2 - libraries
ring 3 - user mode

kernel rootkits work at ring 0, application rootkits at ring 3. In practice Windows and Linux on x86 use only ring 0 (kernel and drivers) and ring 3 (everything else), which is why a kernel-mode rootkit can hide from every user-mode tool

41
Q

ECC Steps for detecting rootkits

A

run dir /s /b /ah and dir /s /b /a-h on the running machine (hidden files, then non-hidden files) and save the results

boot a clean CD version of Windows and run the same commands against the same drive

use WinDiff on the two sets of results: files that appear only in the clean-boot listing are being hidden from the live system, which is the signature of a rootkit
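The WinDiff step above, as an added example that is not part of the original deck: a cross-view comparison of two directory listings, one taken from the running system and one from the same drive booted clean. Both listings are constructed (the hidden_helper.sys and Temp\svchost.exe paths are invented for the demo, not names of any real rootkit), and nothing here reads a real disk.

```python
# Constructed listings standing in for `dir /s /b` output: live system vs clean-boot view of the same drive.
LIVE_LISTING = """\
C:\\Windows\\System32\\drivers\\afd.sys
C:\\Windows\\System32\\drivers\\tcpip.sys
C:\\Windows\\System32\\kernel32.dll
C:\\swapfile.sys
C:\\Users\\matt\\Documents\\report.docx
"""
OFFLINE_LISTING = """\
C:\\Windows\\System32\\drivers\\afd.sys
C:\\Windows\\System32\\drivers\\tcpip.sys
C:\\Windows\\System32\\drivers\\hidden_helper.sys
C:\\Windows\\System32\\kernel32.dll
C:\\Windows\\Temp\\svchost.exe
C:\\Users\\matt\\Documents\\report.docx
"""

# Files that legitimately differ between a running system and a clean boot; extend per environment.
VOLATILE = ("c:\\swapfile.sys", "c:\\pagefile.sys", "c:\\hiberfil.sys")

def parse_listing(text: str) -> set:
    """One path per line, compared case-insensitively because NTFS is."""
    return {line.strip().casefold() for line in text.splitlines() if line.strip()}

def cross_view_diff(live: str, offline: str) -> dict:
    l, o = parse_listing(live), parse_listing(offline)
    return {
        # On disk but invisible to the running OS: something is filtering the API the live dir used.
        "hidden_from_live": sorted(p for p in o - l if p not in VOLATILE),
        # Seen live but not on disk: usually files the OS created or deleted between the two snapshots.
        "only_in_live": sorted(p for p in l - o if p not in VOLATILE),
    }

def suspicious_paths(diff: dict) -> list:
    """Hidden executables and drivers deserve the first look."""
    return [p for p in diff["hidden_from_live"] if p.endswith((".sys", ".exe", ".dll"))]

if __name__ == "__main__":
    d = cross_view_diff(LIVE_LISTING, OFFLINE_LISTING)
    print(d)
    print(suspicious_paths(d))
```

Take both snapshots as close together as possible and keep an allowlist of paths the OS rewrites on every boot; without it the diff is dominated by noise rather than by what the rootkit is hiding.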