Chapter 7: System Hacking Flashcards
Passive Online Attack techniques (3)
1) Packet Sniffing - look out for passwords from Telnet, FTP, SMTP, rlogin, and other vulnerable (cleartext) protocols
//if you use a sniffer without any extra steps, you are limited to a single collision domain, i.e. you can only sniff hosts not separated from you by a switch or bridge
//most effective on a network that employs a hub
2) Man-in-the-middle - while two parties are communicating, a third party inserts itself into the conversation and attempts to alter or eavesdrop on the communications.
//to be fully successful, the attacker must be able to sniff traffic from both parties at the same time
//vulnerable protocols –> Telnet & FTP
3) Replay Attack - capture packets using a packet sniffer; after the relevant info is extracted, the packet can be placed back on the network; the intention is to inject the captured info back onto the network
Active Online Attack techniques
1) Password Guessing - attacker seeks to recover a password by using words from a dictionary or by brute force; usually carried out by a software application
2) Trojans, Spyware, & Keyloggers - malware such as Trojans, spyware, and keyloggers can gather info through keyboard sniffing or keylogging
3) Hash Injection -
   a) Compromise a vulnerable workstation
   b) When connected, attempt to extract the hashes from the system for high-value users, such as domain or enterprise admins
   c) Use the extracted hash to log on to a server such as a domain controller
   d) If the system serves as a domain controller or similar, attempt to extract hashes from the system with the intention of exploiting other accounts
DNA
Distributed Network Attack:
using a botnet to crack or attack
LM/NTLM Hashes
Windows SAM hashing method. NTLM replaces LM.
Windows XP and later do not store the LM hash by default; they store a blank or dummy value which cannot be deciphered because it has no direct correlation to the user's actual password. If the password is longer than 14 chars, the dummy value is used automatically because the LM hash cannot support passwords longer than 14 chars.
Salting
Password hashing is strengthened by adding an additional layer of randomness (the salt) to the hash input
NTLM Authentication & SSP
NT LAN Manager is an authentication protocol for Microsoft products; NTLM v1 and v2 are still widely used in environments but are relatively insecure; NTLM is used where Kerberos is not supported
SSP - Security Support Provider - layered on top of NTLM for additional protection
Domain Controller
responds to security authentication requests (such as logging in, permission checks, etc.)
Process of authentication w/ NTLM protocol
1) (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
2) The client sends the user name to the server (in plaintext).
3) The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
4) The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
5) The server sends the following three items to the domain controller:
   - User name
   - Challenge sent to the client
   - Response received from the client
6) The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
7) The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.
What is Kerberos and steps to authenticate service
Universal login service
The Kerberos protocol makes use of the following groups of components:
- Key distribution center (KDC)
- Authentication server (AS)
- Ticket-granting server (TGS)
Process:
1) Authenticate with the AS and receive a ticket-granting ticket (TGT), which expires after a configurable period
2) The TGT is presented to the TGS, which generates another ticket (a service ticket) for you to present to the service
3) The service either accepts or rejects the ticket
Types of Privilege Escalation (2)
1) Horizontal Privilege Escalation - attacker attempts to take over the rights and privileges of another user who has the same privilege level as the current account
2) Vertical Privilege Escalation - attacker gains access to an account and then tries to elevate the privileges of that account or to gain access to a higher-privileged account
ADS
ALTERNATE DATA STREAMS (ADS) (NTFS only) - a major security issue because ADS is a nearly perfect mechanism for hiding data; the hidden stream is very hard to find with standard tools; the data can lie in wait until the attacker decides to run it later; allows you to hide files within existing files
Creating an ADS:
type triforce.exe > smoke.doc:triforce.exe //executing this command hides triforce.exe in a stream behind the file smoke.doc; then delete the original triforce.exe
Retrieve the file:
start smoke.doc:triforce.exe //opens the hidden stream and executes it
Dictionary Password Attack
the password-cracking app has a dictionary (word list) file loaded into it; ineffective against passphrases
Brute Force Password Attack
every possible combination of characters is attempted until the correct one is uncovered
Hybrid Password Attack
like a dictionary attack, but words are modified with the addition or substitution of special characters or numbers (e.g. password becomes p@ssw0rd)
Syllable Password Attack
combination of brute-force and dictionary attack; useful when the password is not a standard word or phrase