Chapter 5 - Attacking a System (System Hacking) Flashcards
Kerberos Terms
Key Distribution Center (KDC)
Authentication Service (AS)
Ticket Granting Service (TGS)
Ticket Granting Ticket (TGT)
KDC holds the AS and TGS
Windows Kerberos Exchange Process
Client asks KDC for a ticket in cleartext
Server responds with a secret key that is hashed with the copy of the password held on the server. This is the TGT
If the client can decrypt the message (it should), the TGT is sent back to the server to request a TGS service ticket
server responds with service ticket, client allowed to log on
note that the password itself is never sent
Only thing sent is a hash value of the password, encrypted with a secret key known only by both parties and good for only that session.
Pass the hash attack overview
Potentially use it to create a ‘golden ticket’ - a Kerberos TGT that you present to the TGS to get domain access
steal hashes from users already connected to your target server
use a tool like mimikatz to copy and paste the hash
Windows registry definition
Registry Keys
Registry Value
registry is a ‘database of configuration databases’ per MS
keys - location pointers like a folder in the file structure
values - defines the setting
Registry Values
REG_SZ REG_EXPAND_SZ REG_BINARY REG_DWORD REG_LINK REG_MULTI_SZ
REG_SZ - character string
REG_EXPAND_SZ - expandable string value
REG_BINARY - binary value
REG_DWORD - 32 bit unsigned integer
REG_LINK - symbolic link to another key
REG_MULTI_SZ - multistring value
Linux file structure
/ /bin /dev /etc /home /mnt /sbin /usr
/ - root directory
/bin - basic Linux commands (analogous to the Windows system32 folder)
/dev - pointers to storage and IO systems you mount
/etc - admin files and passwords, incl. the passwd and shadow files
/home - user home directories
/mnt - access locations that have been mounted
/sbin - system binaries: more admin commands and most of the routines (daemons) Linux runs
/usr - holds all info, commands, files unique to users
Linux commands
adduser cat cp ifconfig kill ls man passwd ps rm su
adduser - adds a user
cat - displays contents of a file
cp - copies
ifconfig - shows network configuration info for the NIC
kill - kills a running process
ls - displays contents of a folder
man - displays the manual page
passwd - changes password
ps - process status command. Use the -ef options to show all processes running on the system
rm - removes files. rm -r is recursive
su - lets you perform functions as other user
Exam Tip for Linux commands
adding an ampersand (&) after process name does what?
for the process to remain after the user logs out, do what?
Ampersand after a process name indicates that process should run in the background
For the process to stay persistent, use the ‘nohup’ command
chmod parameters
read - 4
write - 2
execute - 1
chmod 464 sets permissions to r--rw-r--
chmod 777
chmod 464
opens the file up for full access by everyone
user gets read, group gets rw, everyone gets read
identify the portions of this line from the /etc/passwd file
matt:x:500:500:Matt:/home/mat:/bin/csh
matt - username
x - password (indicating use of the shadow file)
500 - UID
500 - GID
Matt - full name of user
/home/mat - user home directory
/bin/csh - login shell
difference between passwd file and shadow file
passwd file holds the password in clear text (if it is used for that at all, which it never is today)
shadow file stores and displays encrypted passwords
Biometric measurement factors
false rejection rate (FRR)
false acceptance rate (FAR)
crossover error rate (CER)
FRR - percent of time a biometric reader denies access to legitimate user
FAR - percent of unauthorized access given by the system
CER - FRR and FAR are charted together and where they intersect is the Crossover Error Rate. CER is the ranking measurement of biometric systems (the lower the better)
Active Online Attack
note that ECC says phishing belongs here, even though it doesn’t seem to deal with password cracking
done by directly communicating with target machine
include dictionary, brute force attacks, hash injections, phishing, Trojans, spyware, key loggers, password guessing
take much longer and are easier to detect than passive attacks
Exam tip for net use commands
net use z: \\somecomputer\fileshare /persistent:yes (or /persistent:no)
remember the /persistent:yes or no switch to make it stick after reboot
Passive online attack
sniffing to intercept a password, attempt a replay attack or MITM attack
capture clear text
ARP spoof or poison
use Ettercap to MITM or SSL proxy
Offline Attacks
hacker steals copy of password file and cracks it on a separate system
Dictionary attack
easiest and fastest password cracking attack. Uses a list of passwords, each hashed in the same way as the target password, and compares the hashes
Hybrid Attack
takes words from a list like a dictionary attack but can substitute numbers and symbols for alphabetical characters
Brute Force Attack
every conceivable combination of letters, numbers, special characters is compared against hash to find a match
best option for complex passwords, but slow
Exam Tip for cracking passwords
ECC loves rainbow tables.
Rainbow tables are huge collections of hashes of every password imaginable. Attacker compares stolen hash to table and gets password.
Today GPU systems can brute force quickly so rainbow tables aren’t as useful as before
can use rtgen and winrtgen to make your own
Exam tip definitions
Vertical Privilege Escalation
Horizontal Privilege Escalation
Vertical Privilege Escalation
user executes code at a higher privilege level than they should have access to
Horizontal Privilege Escalation
not really escalation.
user executes code at same user level but from location that should be protected from access
4 Ways to Escalate Privileges
crack password of root account (ECC says this should be primary aim)
Utilize a vulnerability found in the OS or an application that gives access as a privileged user, e.g. the 2009 Java or Adobe exploits
Use a tool that provides the access you want, e.g. Metasploit
Ask user to run a program for you