Chapter 7: System Hacking Flashcards
Phase 4: System Hacking
methodical approach that includes cracking passwords, escalating privileges, executing apps, etc
Password Cracking
Hacking process typically starts w/ Password Cracking,
the process of recovering passwords from transmitted or stored data
Password Cracking Techniques (5)
1) Dictionary Attacks - password-cracking app has a dictionary file loaded into it, no good for passphrases
2) Brute-force Attacks - every possible combination of characters is attempted until the correct one is uncovered
3) Hybrid Attack - like a Dictionary attack, but words are modified w/ the addition or substitution of special chars or #s (e.g. p@ssw0rd for password)
4) Syllable Attack - combination of brute-force & dictionary attack, useful when the password is not a standard word or phrase
5) Rule-based Attack - an advanced attack that assumes the user has created a PW using info the attacker has knowledge of (e.g. phrases & digits the user tends to use)
Types of attacks (4)
1) Passive Online Attacks - sitting back & listening (sniffing tools such as Wireshark, man-in-the-middle attacks, replay attacks)
2) Active Online Attacks - deeper engagement w/ targets w/ intent to break the PW (e.g. password guessing, trojans/spyware/keyloggers, hash injection, phishing)
3) Offline Attacks - preying on the weaknesses of how PWs are stored (e.g. precomputed hashes, distributed NW attacks, rainbow attacks)
4) Nontechnical Attacks aka non-electronic attacks - moving from offline into the real world (e.g. shoulder surfing, social engineering, dumpster diving)
Passive Online Attack techniques (3)
1) Packet Sniffing - lookout for PWs from Telnet, FTP, SMTP, rlogin, other vulnerable protocols
//if you use a sniffer w/o any extra steps, you are limited to a single collision domain aka you can only sniff hosts not separated from you by a switch or bridge
//most effective on a NW that employs a hub
2) Man-in-the-middle - while two parties are communicating, a third party inserts itself into the convo & attempts to alter or eavesdrop on the communications.
//to be fully successful, the attacker must be able to sniff traffic from both parties at the same time
//vulnerable protocols -> Telnet & FTP
3) Replay Attack - capture packets using a packet sniffer; after the relevant info is extracted, the packet can be placed back on the NW; the intention is to inject the captured info back onto the NW
Active Online Attack techniques
1) Password Guessing - attacker seeks to recover PW by using words from dictionary or by brute-force; usually carried out by SW app;
2) Trojans, Spyware, & Keyloggers - Malware such as Trojans, spyware, & keyloggers can gather info through keyboard sniffing or keylogging;
3) Hash Injection -
1) Compromise a vulnerable workstation
2) When connected, attempt to extract the hashes from the system for high-value users, such as domain or enterprise admins
3) Use the extracted hash to log on to a server such as a domain controller
4) If the system serves as a domain controller or similar, attempt to extract hashes from the system w/ the intention of exploiting other accounts
Offline Attacks 1: Password Hashing
Hashing is a form of one-way encryption that is used to verify integrity;
PWs are commonly stored in hashed format so they are NOT in cleartext; when a PW is provided by the user, it needs to be verified; it is hashed on the client side & transmitted to the server, where the stored hash & the transmitted hash are compared
Offline Attacks 1: Extracting hashes from a System
1) open cmd
2) type pwdump7.exe //displays hashes
3) type pwdump7.exe > C:\hash.txt //redirects the hashes to a file
4) Using notepad, browse to the C drive & open the hash.txt file to view the hashes
Offline Attacks 1: Precomputed Hash or Rainbow Tables
precomputed hashes are used in an attack known as a rainbow table attack
Rainbow tables compute every possible combination of characters prior to capturing a PW
The attacker can capture the PW hash from the NW & compare it w/ the rainbow table hashes
//"Salting" is used in Linux, Unix, BSD, older Windows; adding entropy or randomness in order to make sequences or patterns more difficult to detect... so it is harder to use rainbow tables against these systems
CON - takes long time to compute all hash combinations ahead of time; can’t crack PWs of unlimited length
Offline Attacks 1: Generating Rainbow Tables
GUI-based generator - winrtgen
Offline Attacks 1: Rainbow Crack
Program used to compare Rainbow table with Hash files
Offline Attacks 2: Distributed NW Attacks (DNA)
modern approach; takes ADV of unused processing power from multiple computers in an attempt to perform an action (in this case, PW cracking)
//install a manager on a chosen system, which is used to manage multiple clients;
PRO: computing power
EXAMPLE: SETI@home (Search for Extraterrestrial Intelligence)
Other Techniques: Default Passwords
Guessing – self explanatory
an attacker can guess what type of equipment/system you’re using and look up default passwords if you do not change them
Other Techniques: USB Password Theft
embedding a password-stealing application on a USB drive, physically plugging the drive into a target system
Other Techniques: USB Password Theft application (steps to steal)
1) Obtain a PW-hacking utility such as pspv.exe
2) Copy it to USB
3) Create a Notepad file called launch.bat containing the following lines:
[autorun]
en = launch.bat
Start pspv.exe /s passwords.txt
4) Save launch.bat to the USB drive
//pspv.exe = protected-storage PW viewer, saves PWs contained in Internet Explorer & other applications
Mitigation: disabling autoplay of USB devices, which is on by default
Other Techniques: Authentication Mechanisms on Microsoft
Security Accounts Mgr (SAM) - DB in the Windows OS that stores security principals; when the system is running, Windows keeps a file lock on the SAM to prevent it from being accessed, however a copy of the SAM DB resides in memory & can be accessed
//System will only give up exclusive access to the SAM when powered off or when there is a BSOD
//SYSKEY (encryption key) is enabled by default to protect the SAM further; can be disabled
Passwords are stored in hashed format using LM/NTLM hashing mechanisms; they are stored in c:\windows\system32\SAM
Link:1010:624AAC413795……
(Before 624AA is the LM hash, after is the NTLM hash)
Windows XP & later do not store the LM hash by default; they store a blank or dummy value which cannot be deciphered b/c it has no direct correlation to the user's actual PW; if the PW is longer than 14 chars, the dummy value is auto used b/c the LM hash cannot support longer than 14 chars
Salting
PW hashing is strengthened by adding an additional layer of randomness to hash
NTLM Authentication & SSP
NT LAN Mgr is a protocol for Microsoft products; NTLM v1 & v2 are still widely used in environments, but are relatively insecure; used where Kerberos is not supported
SSP - Security Support Provider - layered on top of NTLM for additional protection
Domain Controller
responds to security authentication requests (such as logging in, permissions, etc)
Process of authentication w/ NTLM protocol
1) Client enters their username & PW into the login
2) Windows runs the PW through a hashing algorithm to generate hash
3) The client transmits the username & hash to the domain controller
4) The domain controller generates a 16-byte random char string known as a NONCE & transmits it back to the client
5) The client encrypts the nonce w/ the hash of the user PW & sends it back to the domain controller
6) The domain controller retrieves the hash from its SAM & uses it to encrypt the nonce it sent to the client
If the hashes match, the login request is accepted
What is Kerberos and steps to authenticate service
Authentication Protocol; strong cryptographic mechanism
1) You want to access another system, such as a server or client; Kerberos is in use in this environment, so a “ticket” is required
2) To obtain this ticket, you are first authenticated against the AS (Authentication Server). A session key is created based on your PW & the value that represents the service you wish to connect to. This request serves as your TGT (ticket-granting ticket)
3) TGT is presented to TGS (ticket-granting service), which generates a ticket that allows you to access the service
4) The service either accepts or rejects the ticket; If accepted, you have a finite period of time before ticket needs to be regenerated
Types of Privilege Escalation (2)
1) Horizontal Privilege Escalation - attacker attempts to take over rights & privileges of another user who has the same privileges as the current account
2) Vertical Privilege Escalation - attacker gains access to an account & then tries to elevate the privileges of the account or to gain access to a higher-privileged account
Privilege Escalation: Change password
Identify an account that has the desired access & then change the password using one of the following tools:
1) Active@ Password Changer
2) Trinity Rescue Kit
3) ERD Commander
4) Windows Recovery Environment (WinRE)
5) Password Resetter