Chapter 7: System Hacking Flashcards
Phase 4: System Hacking
methodical approach that includes cracking passwords, escalating privileges, executing apps, etc.
Password Cracking
Hacking process typically starts w/ Password Cracking,
the process of recovering passwords from transmitted or stored data
Password Cracking Techniques (5)
1) Dictionary Attacks - password-cracking app has a dictionary file loaded into it, no good for passphrases
2) Brute-force Attacks - every possible combination of characters is attempted until the correct one is uncovered
3) Hybrid Attack - like Dictionary attack, but words are modified w/ the addition or substitution of special chars or #s (i.e. p@ssw0rd - password)
4) Syllable Attack - combination of brute-force & dictionary attack, useful when password is not a standard word or phrase
5) Rule-based Attack - an advanced attack based on the assumption that the user has created a PW using info the attacker has knowledge of (i.e. phrases & digits the user may tend to use)
Types of attacks (4)
1) Passive Online Attacks - sitting back & listening (sniffing tools such as Wireshark, man-in-the-middle attacks, replay attacks)
2) Active Online Attacks - deeper engagement w/ targets w/ intent to break PW (i.e. password guessing, trojan/spyware/key loggers, hash injection, phishing)
3) Offline Attacks - preying on the weaknesses of how PWs are stored; (i.e. precomputed hashes, distributed NW attacks, rainbow attacks)
4) Nontechnical Attacks aka non-electronic attacks - moving from offline into the real world (i.e. shoulder surfing, social engineering, dumpster diving)
Passive Online Attack techniques (3)
1) Packet Sniffing - lookout for PWs from Telnet, FTP, SMTP, rlogin, other vulnerable protocols
//if you use a sniffer w/out any extra steps, you are limited to a single collision domain aka can only sniff hosts not connected by a switch or bridge
//most effective on a NW that employs a hub
2) Man-in-the-middle - while two parties are communicating, a third party inserts itself into the convo & attempts to alter or eavesdrop on the communications.
//to be fully successful, the attacker must be able to sniff traffic from both parties at the same time
//vulnerable protocols -> Telnet & FTP
3) Replay Attack - capture packets using packet sniffer; after the relevant info is extracted, the packet can be placed back on the NW; The intention is to inject the captured info back onto the NW
Active Online Attack techniques
1) Password Guessing - attacker seeks to recover the PW by using words from a dictionary or by brute-force; usually carried out by a SW app
2) Trojans, Spyware, & Keyloggers - Malware such as Trojans, spyware, & keyloggers can gather info through keyboard sniffing or keylogging;
3) Hash Injection -
1) Compromise a vulnerable workstation
2) When connected, attempt to extract the hashes from the system for high-value users, such as domain or enterprise admins
3) Use the extracted hash to log on to a server such as a domain controller
4) If the system serves as a domain controller or similar, attempt to extract hashes from the system w/ the intention of exploiting other accounts
Offline Attacks 1: Password Hashing
Hashing is a form of one-way encryption that is used to verify integrity;
PWs are commonly stored in hashed format so they are NOT in cleartext; when a PW is provided by the user, it needs to be verified; it is hashed on the client side & transmitted to the server, where the stored hash & the transmitted hash are compared
Offline Attacks 1: Extracting hashes from a System
1) open cmd
2) type pwdump7.exe //displays hashes
3) type pwdump7.exe > C:\hash.txt //redirects the hashes into a file
4) Using notepad, browse to the C drive & open the hash.txt file to view the hashes
Offline Attacks 1: Precomputed Hash or Rainbow Tables
precomputed hashes are used in an attack known as rainbow table
Rainbow tables compute every possible combination of characters prior to capturing a PW
The attacker can capture the PW hash from the NW & compare it w/ the rainbow table hashes
//"Salting" is used in Linux, Unix, BSD, older Windows; adding entropy or randomness in order to make sequences or patterns more difficult to detect, so it is harder to use rainbow tables against these systems
CON - takes a long time to compute all hash combinations ahead of time; can't crack PWs of unlimited length
Offline Attacks 1: Generating Rainbow Tables
GUI-based generator - winrtgen
Offline Attacks 1: Rainbow Crack
Program used to compare Rainbow table with Hash files
Offline Attacks 2: Distributed NW Attacks (DNA)
modern approach; takes ADV of unused processing power from multiple computers in an attempt to perform an action (in this case, PW cracking)
//install a manager on a chosen system, which is used to manage multiple clients;
PRO: computing power
EXAMPLE: SETI@home (Search for Extraterrestrial Intelligence)
Other Techniques: Default Passwords
Guessing – self explanatory
an attacker can guess what type of equipment/system you’re using and look up default passwords if you do not change them
Other Techniques: USB Password Theft
embedding a password-stealing application on a USB drive, physically plugging the drive into a target system
Other Techniques: USB Password Theft application (steps to steal)
1) Obtain a PW-hacking utility such as pspv.exe
2) Copy it to USB
3) Create a Notepad file called launch.bat containing the following lines:
[autorun]
en = launch.bat
Start pspv.exe /s passwords.txt
4) Save launch.bat to the USB drive
//pspv.exe = protected-storage PW viewer, saves PWs contained in Internet Explorer & other applications
Mitigation: disabling autoplay of USB devices, which is on by default
Other Techniques: Authentication Mechanisms on Microsoft
Security Accounts Mgr (SAM) - DB in Windows OS that stores security principals; when the system is running, Windows keeps a file lock on SAM to prevent it from being accessed, however a copy of the SAM DB resides in memory & can be accessed
//System will only give up exclusive access to SAM when powered off or when there is a BSOD
//SYSKEY (encryption key) is enabled by default to protect SAM further; can be disabled
Passwords are stored in hashed format using LM/NTLM hashing mechanisms; they are stored in c:\windows\system32\SAM
Link:1010:624AAC413795……
(Before 624AA is the LM hash, after is the NTLM hash)
Windows XP and later do not store the LM hash by default; they store a blank or dummy value which cannot be deciphered bc it has no direct correlation to the user's actual PW; if the PW is longer than 14 chars, the dummy value is auto used b/c the LM hash cannot support more than 14 chars
Salting
PW hashing is strengthened by adding an additional layer of randomness to hash
NTLM Authentication & SSP
NT LAN Mgr is a protocol for Microsoft products; NTLM v1 and v2 are still widely used in environments, but are relatively insecure; used where Kerberos is not supported
SSP - Security Support Provider - layered on top of NTLM for additional protection
Domain Controller
responds to security authentication requests (such as logging in, permissions, etc)
Process of authentication w/ NTLM protocol
1) Client enters their username & PW into the login
2) Windows runs the PW through a hashing algorithm to generate hash
3) The client transmits the username & hash to the domain controller
4) The domain controller generates a 16-byte random char string known as a NONCE & transmits it back to the client
5) The client encrypts the nonce w/ the hash of the user PW & sends it back to the domain controller
6) The domain controller retrieves the hash from its SAM & uses it to encrypt the nonce it sent to the client
If the hashes match, the login request is accepted
What is Kerberos and steps to authenticate service
Authentication Protocol; strong cryptographic mechanism
1) You want to access another system, such as a server or client; Kerberos is in use in this environment, so a “ticket” is required
2) To obtain this ticket, you are first authenticated against the AS (Authentication Server). A session key is created based on your PW & the value that represents the service you wish to connect to. This request serves as your TGT (ticket-granting ticket)
3) TGT is presented to TGS (ticket-granting service), which generates a ticket that allows you to access the service
4) The service either accepts or rejects the ticket; If accepted, you have a finite period of time before ticket needs to be regenerated
Types of Privilege Escalation (2)
1) Horizontal Privilege Escalation - attacker attempts to take over rights & privileges of another user who has the same privileges as the current account
2) Vertical Privilege Escalation - attacker gains access to an account & then tries to elevate the privileges of the account or to gain access to a higher-privileged account
Privilege Escalation: Change password
Identify an account that has desired access & then change the password using the following tools:
- Active@ Password Changer
- Trinity Rescue Kit
- ERD Commander
- Windows Recovery Environment (WinRE)
- Password Resetter
Trinity Rescue Kit (password reset tool)
Linux distribution (for Windows & Linux); Can be booted from CD or flash drive
1) cmd line: winpass -u Administrator
2) Choose file system
3) Set Password
4) Type: init 0, to shut down TRK Linux
5) Reboot
Types of Apps Executed (4)
1) Backdoors App - allow later access to take place;
2) Crackers - SW w/ ability to crack code or obtain PWs
3) Keyloggers - HW/SW used to gain info entered via keyboard
4) Malware - any type of SW designed to capture info, alter, or compromise system
Planting a Backdoor
- PsTools suite (suite of tools to ease system administration)
- PsExec is one of them; similar to Telnet but does not need installation & can be run local or remotely; Commands include:
psexec \\zelda cmd //launches an interactive command prompt on a system named \\zelda
psexec \\zelda ipconfig /all //executes ipconfig on the remote system with the /all switch & outputs locally
psexec \\zelda -c rootkit.exe //copies the program rootkit.exe to the remote system & executes it interactively
psexec \\zelda -u administrator -c rootkit.exe //copies the program rootkit.exe to the remote system & executes it interactively using the admin acct on the remote system
Covering your tracks
During this phase, seek to eliminate error messages, log files, and other items that may have been altered during the attack process
DISABLING AUDITING - Auditing is designed to allow for detection and tracking of selected events on a system; the attacker wants to alter the way events are logged on the target system
Command to disable auditing in Windows (stops logging and auditing of events):
auditpol \ /clear
DATA HIDING - hide files placed on the system;
ALTERNATE DATA STREAMS (ADS) (NTFS only) - major security issue w/ ADS bc it is nearly a perfect mechanism for hiding data; almost impossible to find; the data can lie in wait until the attacker decides to run it later; allows you to hide files within existing files
Creating an ADS:
type triforce.exe > smoke.doc:triforce.exe //executing this command hides triforce.exe behind the file smoke.doc; the original triforce.exe is then deleted
Retrieve the file:
start smoke.doc:triforce.exe //opens hidden file & executes