Chapter 7: System Hacking

Question 1

Phase 4: System Hacking

Answer 1

methodical approach that includes cracking passwords, escalating privileges, executing apps, etc

Question 2

Password Cracking

Answer 2

Hacking process typically starts w/ Password Cracking,

the process of recovering passwords from transmitted or stored data

Question 3

Password Cracking Techniques (5)

Answer 3

1) Dictionary Attacks - password-cracking app has a dictionary file loaded into it, no good for passphrases
2) Brute-force Attacks - every possible combination of characters is attempted until the correct one is uncovered
3) Hybrid Attack - like Dictionary attack, but words are modified w/ the addition or substitution of special chars or #s (i.e. p@ssw0rd - password)
4) Syllable Attack - combination of brute-force & dictioanry attack, useful when password is not standard word or phrase
5) Rule-based Attack - an advanced attack where the assumption the user has created a PW using info the attacker has knowledge of (i.e. phrases & digits user may tend to use)

Question 4

Types of attacks (4)

Answer 4

1) Passive Online Attacks - sitting back & listening (sniffing tools such as Wireshark, man-in-the-middle attacks, replay attacks)
2) Active Online Attacks - deeper engagement w/ targets w/ intent to break PW (i.e. password guessing, trojan/spyware/key loggers, hash injection, phishing)
3) Offline Attacks - preying on the weaknesses of how PWs are stored; (i.e. precomputed hashes, distributed NW attacks, rainbow attacks)
4) Nontechnical Attacks aka non-electronic attacks - moving from offline into the real world (i.e.shoulder surfing, social engineering, dumpster diving)

Question 5

Passive Online Attack techniques (3)

Answer 5

1) Packet Sniffing - lookout for PWs from Telnet, FTP, SMTP, rlogin, other vulnerable protocols

//if you use a sniffer w/ out any extra steps, u are limited to a single collision domain aka can only sniff hosts not connected by switch or bridge

//most effective on a NW that employs a hub

2) Man-in-the-middle - while two parties are communicating, a third party inserts itself into the convo & attempts to alter or eavesdrop on the communications.

//to be fully successful, the attacker must be able to sniff traffic from both parties at the same time

//vulnerable protocols –> Telnet & FTP

3) Replay Attack - capture packets using packet sniffer; after the relevant info is extracted, the packet can be placed back on the NW; The intention is to inject the captured info back onto the NW

Question 6

Active Online Attack techniques

Answer 6

1) Password Guessing - attacker seeks to recover PW by using words from dictionary or by brute-force; usually carried out by SW app;
2) Trojans, Spyware, & Keyloggers - Malware such as Trojans, spyware, & keyloggers can gather info through keyboard sniffing or keylogging;

3) Hash Injection -
1) Compromise a vulnerable workstation
2) When connected, attempt to extract the hashes
from the system for high-value users, such as domain or enterprise admins
3) Use the extracted hash to log on to a server such as a domain controller
4) If the system serves as a domain controller or similar, attempt to extract hashes from the system w/ the intention of exploiting other accounts

Question 7

Offline Attacks 1: Password Hashing

Answer 7

Hashing is a form of one-way encryption that is used to verify integrity;

pws are commonly stored in hashed format so it is NOT in cleartext; when a PW is provided by the user, it needs to be verified; it is hashed on the client side & transmitted to the server, where the stored hash & the transmitted hash are compared

Question 8

Offline Attacks 1: Extracting hashes from a System

Answer 8

1) open cmd
2) type pwdump7.exe //displays hashes
3) type pwdump7.exe > C;\hash.txt
4) Using notepad, browse to the C drive & open the hash.txt file to view the hashes

Question 9

Offline Attacks 1: Precomputed Hash or Rainbow Tables

Answer 9

precomputed hashes are used in an attack known as rainbow table

Rainbow tables compute every possible combination of characters prior to capturing a PW

The attacker can capture the PW hash from the NW & compare it w/ the rainbow table hashes

//”Salting” is used in Linux, Unix, BSD, older windows; adding entropy or randomness in order to make sequences or patterns more difficult to detect… so it would be harder to use rainbow tables against these systems

CON - takes long time to compute all hash combinations ahead of time; can’t crack PWs of unlimited length

Question 10

Offline Attacks 1: Generating Rainbow Tables

Answer 10

GUI-based generator - winrtgen

Question 11

Offline Attacks 1: Rainbow Crack

Answer 11

Program used to compare Rainbow table with Hash files

Question 12

Offline Attacks 2: Distributed NW Attacks (DNA)

Answer 12

modern approach; takes ADV of unused processing power from multiple computers in an attempt perform an action (in this case, PW cracking)

//install a manager on a chosen system, which is used to manage multiple clients;

PRO: computing power

EXAMPLE: SETI@home (Search for Extraterrestrial Intelligence)

Question 13

Other Techniques: Default Passwords

Guessing – self explanatory

Answer 13

an attacker can guess what type of equipment/system you’re using and look up default passwords if you do not change them

Question 14

Other Techniques: USB Password Theft

Answer 14

embedding a password-stealing application on a USB drive, physically plugging the drive into a target system

Question 15

Other Techniques: USB Password Theft application (steps to steal)

Answer 15

1) Obtain a PW-hacking utility such as pspv.exe
2) Copy it to USB
3) Create a Notepad file called launch.bat containing the following lines:
[autorun]
en = launch.bat
Start pspv.exe /s passwords.txt
4) Save launch.bat to the USB drive

//pspv.exe = protected-storage PW viewer, saves PWs contained in Internet Explorer & other applications

Mitigation: disabling autoplay of USB devices, which is on by default

Question 16

Other Techniques: Authentication Mechanisms on Microsoft

Answer 16

Security Accounts Mgr (SAM) - DB in Windows OS that stores security principals; When system is running, Windows keeps a file lock on SAM to prevent it from being access, however a copy of SAM DB resides in memory & can be accessed

//System will only give up exclusive access of SAM when powered off or when there is BSOD
//SYSKEY (encryption key) is by default, enabled to protect SAM further; can be disabled

Question 17

Passwords are stored in hashed format using

Answer 17

LM/NTLM hashing mechnisms, they are stored in c:\windows/system32/SAM

Link:1010:624AAC413795……

(Before 624AA is LT hash, after is NTLM hash)

Windows XP later do not store LM hash by default, they store a blank or dummy value which cannot be deciphered bc it has no direct coorelation to user’s actual PW; if PW is longer than 14 chars, dummy value is auto used b/c LM hash cannot support longer than 14 chars

Question 18

Salting

Answer 18

PW hashing is strengthened by adding an additional layer of randomness to hash

Question 19

NTLM Authentication & SSP

Answer 19

NT Lan Mgr is a protocol for Microsoft products; NTLM v1 and v2 still widely used in environments, but is relatively insecure; this is used where Kerberos is not supported

SSP - Security Support Provider - layered on top of NTLM for additional protection

Question 20

Domain Controller

Answer 20

responds to security authentication requests (such as logging in, permissions, etc)

Question 21

Process of authentication w/ NTLM protocol

Answer 21

1) Client enters their username & PW into the login
2) Windows runs the PW through a hashing algorithm to generate hash
3) The client transmits the username & hash to the domain controller
4) The domain controller generates a 16-byte random char string known as a NONCE & transmits it back to the client
5) The client encrypts the nonce w/ the hash of the user PW & sends it back to the domain controller
6) The domain controller retrieves the hash from its SAM & uses it to encrypt the nonce it sent to the client

If hashest match, login request is accepted

Question 22

What is Kerberos and steps to authenticate service

Answer 22

Authentication Protocol; strong cryptographic mechanism

1) You want to access another system, such as a server or client; Kerberos is in use in this environment, so a “ticket” is required
2) To obtain this ticket, you are first authenticated against the AS (Authentication Server). A session key is created based on your PW & the value that represents the service you wish to connect to. This request serves as your TGT (ticket-granting ticket)
3) TGT is presented to TGS (ticket-granting service), which generates a ticket that allows you to access the service
4) The service either accepts or rejects the ticket; If accepted, you have a finite period of time before ticket needs to be regenerated

Question 23

Types of Privilege Escalation (2)

Answer 23

1) Horizontal Privilege Escalation - attacker attempts to take over rights & privileges of another user who has the same privileges as the current account
2) Vertical Privilege Escalation - attacker gains access to an account & then tries to elevate the privileges of the account or gaining access to a higher-privileged account

Question 24

Privilege Escalation: Change password

Answer 24

Identify an account that has desired access & then change the password using the following tools:

Active@ Password Changer
Trinity Rescue Kit
ERD Commander
Windows Recovery Environment (WinRE)
Password Resetter

Question 25

Trinity Rescue Kit (password reset tool)

Answer 25

Linux distribution (for Windows & Linux); Can be booted from CD or flash drive

1) cmd line: winpass -u Administrator
2) Choose file system
3) Set Password
4) Type: init 0, to shut down TRK Linux
5) Reboot

Question 26

Types of Apps Executed (4)

Answer 26

1) Backdoors App - allow later access to take place;
2) Crackers - SW w/ ability to crack code or obtain PWs
3) Keyloggers - HW/SW used to gain info entered via keyboard
4) Malware - any type of SW designed to capture info, alter, or compromise system

Question 27

Planting a Backdoor

Answer 27

• PsTools suite (suite of tools to ease system administration)
• PsExec is one of them; similar to Telnet but does not need installation & can be run local or remotely; Commands include:

psexec \zelda cmd //launches an interative cmdprmpt on a system name \zelda

psexec \zelda ipconfig /all //executes ipconfig on remote system with the /all switch & outputs locally

psexec \zelda -c rootkit.exe //copies the program rootkit.exe to the remote system & executes it interactively

psexec \zelda -u administrator -c rootkit.exe //copies thee program rootkit.exe to the remote system & executes it interactively using the admin acct on the remote system

Question 28

Covering your tracks

Answer 28

During this phase, seek to eliminate error messages, log files, and other items that may have been altered during the attack process

DISABLING AUDITING - Auditing designed to allow for detection and tracking of selected events on a system; we want to alter the way events are logged on target system;

How to disable running command in Windows (stop logging and auditing of events):

auditpol \ /clear

DATA HIDING - hide files placed on the system;

ALTERNATE DATA STREAMS (ADS) (only NTFS) - major security issue w/ ADS bc it is nearly a perfect mechanism for hiding data; almost impossible to find; The data can lie and wait until the attacker decides to run it later; allows you to hide files within existing files

Creating an ADS:
type triforce.exe > smoke.doc:triforce.exe //executing this command hides triforce.exe behind the file smoke.doc, then delete original triforce.exe

Retrieve the file:
start smoke.doc:triforce.exe //opens hidden file & executes