MOD6: System Hacking Flashcards

1
Q

Where does Windows store passwords?

A

SAM (Security Accounts Manager) database, or in the Active Directory database in domains. Passwords are never stored in clear text; they are hashed, and the resulting hashes are stored in the SAM.

2
Q

Which protocols store the user’s password in the SAM database?

A

There are two NTLM authentication protocol types: the NTLM authentication protocol and the LM authentication protocol. These protocols store the user’s password in the SAM database using different hashing methods.

Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain.

3
Q

What is Kerberos authentication?

A

Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

4
Q

In Linux, passwords are stored in “shadow”.

True / False.

A

True.
In the Linux operating system, the shadow password file is a system file in which encrypted user passwords are stored so that they aren’t available to people who try to break into the system.

5
Q

What is Ntds.dit?

A

The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.

Hint: think AD!

6
Q

Provide an example of how hashed passwords are stored in the Windows SAM.

A

Administrator:500:NO PASSWORD**:572967347564372848:::

Guest:501:NO PASSWORD**:572934547564371128:::

Sheila:1005:NO PASSWORD**:572967347544559944:::

HINT: Remember, the user ID (RID) for the Administrator account will always be 500. The last block of characters is the NTLM hash.

7
Q

What are the 4 types of password attacks?

A

Non-electronic Attack
Active online attack
Passive online attack
Offline attack

8
Q

Type of Password attack:

What is a non-electronic attack?

A

The attacker does not need technical knowledge to crack the password.
ex. shoulder surfing, social engineering, dumpster diving

9
Q

Type of Password attack:

What is an Active online attack?

A

The attacker performs password cracking by directly communicating with the victim’s machine.

Examples:
Dictionary, brute-force, and rule-based attacks
Hash injection attack
LLMNR/NBT-NS poisoning
Trojan/spyware/keylogger
Password guessing
Internal Monologue attack
Cracking Kerberos passwords
10
Q

Type of Password attack:

What is a Passive online attack?

A
The attacker performs password cracking without communicating with the authorizing party.

Examples:
Wire sniffing
MITM attack
Replay attack
11
Q

Type of Password attack:

What is an Offline attack?

A

The attacker copies the target’s password file and then tries to crack the passwords on their own system at a different location.

examples:
Rainbow Table attack (pre-computed hashes)
Distributed Network Attack

12
Q

What’s the difference between a brute-force attack and a rule-based attack?

A

Brute-force attack - the program tries every combination of characters until the password is broken.
Rule-based attack - used when the attacker already has some information about the password.

13
Q

What is a birthday attack?

A

Two inputs produce the same hash.

HINT: hash collision!

14
Q

What is a hybrid attack?

A

Adds random characters/data to the end of a dictionary root word (ex. Apple02).

15
Q

What is hash injection / pass-the-hash (PtH) attack?

A

The attacker injects a compromised hash into a local session and uses the hash to authenticate to network resources. The attacker finds and extracts a logged-on domain admin account hash, then uses the extracted hash to log on to the domain controller.

16
Q

LLMNR (Link Local Multicast Name Resolution) or NBT-NS (NetBIOS over TCP/IP Name Service) is a scenario where you’re spoofing a response from a requested system, impersonating it, and actually taking part in one of the challenge-handshakes.

True/False.

A

True.

17
Q

_____ and _____ are the 2 main elements of Windows OSs that are used to perform name resolution for hosts on the same link.

A

LLMNR and NBT-NS.

This is a type of “active attack” that is called LLMNR / NBT-NS Poisoning.

18
Q

What are the 2 types of Kerberos password cracking?

A
  1. AS-REP Roasting (cracking the ticket-granting ticket; TGT). Attackers request a TGT from the KDC in the form of an AS-REQ packet and crack the ticket to obtain the user’s password.
  2. Kerberoasting (cracking the ticket-granting service ticket; TGS). Attackers request a TGS for the SPN (service principal name) of the target service account and crack the ticket to obtain the user’s password.

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain.

19
Q

What is a Pass-the-Ticket attack?

A

A technique used for authenticating a user to a system that is using Kerberos without providing the user’s password.
To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools.

20
Q

What tools can be used for a Pass-the-Ticket attack?

A

Mimikatz, Rubeus, and Windows Credentials Editor are used by attackers to launch such attacks.

FYI, Mimikatz allows attackers to pass a Kerberos TGT to other computers and sign in using the victim’s ticket. Mimikatz can also help in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.

21
Q

What happens in a wire sniffing attack?

A

Attackers run packet sniffer tools on the LAN to access and record the raw network traffic.

FYI - this is a passive online attack.
This attack is hard to perpetrate.

22
Q

What occurs in a man-in-the-middle attack?

A

The attacker acquires access to the communication channels between the victim and the server to extract the information they need.

FYI - This is a passive online attack.
This attack is relatively hard to perpetrate.

23
Q

What occurs in a replay attack?

A

Packets and authentication tokens are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access.

FYI - This is a passive online attack.
This attack is relatively hard to perpetrate.

24
Q

What is a rainbow table attack?

A

A rainbow table is a precomputed table that contains word lists (such as dictionary files and brute-force lists) together with their hash values. Captured password hashes are compared to the precomputed table; if a match is found, the password is cracked.

FYI - This is an offline attack.
It is easy to recover passwords by comparing the captured password hashes to the precomputed tables.

25
Q

A hash is a 32-character hexadecimal string.

True/False.

A

True.

26
Q

What is password salting?

A

A technique where a random string of characters is added to the password before its hash is calculated.
Advantage: salting makes it difficult to reverse the hashes and defeats precomputed-hash attacks.

Note: Windows password hashes are not salted.

27
Q

What is vulnerability exploitation?

A

It involves the execution of multiple complex, interrelated steps to gain access to a remote system.
Vulnerability > exploit > payload > launch

The 7 steps are: identify the vulnerability, determine the risk of the vulnerability, determine the capability of the vulnerability, develop the exploit, select the delivery method (local / remote), generate and deliver the payload, and gain remote access.

28
Q

What is a buffer overflow?

A

A buffer is an area of adjacent memory locations allocated to a program or application to hold its runtime data. A buffer overflow is a common vulnerability in an application or program that accepts more data than the allocated buffer can hold. This vulnerability allows the application to write past the end of the buffer and overwrite neighboring memory allocations.

29
Q

Why would attackers want to exploit a buffer overflow?

A

To inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, etc.

30
Q

Why are programs and applications vulnerable to buffer overflows?

A
  • lack of boundary checking
  • using older versions of programming language
  • using unsafe and vulnerable functions
  • lack of good programming practices
  • failing to set proper filtering and validation principles
  • executing code present in the stack segment
  • improper memory allocation
  • insufficient input sanitization

31
Q

How can an attacker take advantage of a privilege escalation attack?

A

By taking advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications.

32
Q

What are the 2 types of privilege escalation?

A
  1. Horizontal Privilege Escalation (think of Mario becoming Luigi)
  2. Vertical Privilege Escalation (think of Mario becoming SUPERMario)

33
Q

When attackers execute malicious applications, it’s called “owning” the system.
True/False

A

True

34
Q

What type of malicious programs are used by attackers to execute on target systems?

a) keyloggers
b) backdoors
c) spyware
d) crackers
e) all of the above

A

all of the above.

35
Q

What is a keylogger?

A

Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on the keyboard, log the keystrokes to a file, or transmit them to a remote location.
Keyloggers are either software-based or hardware-based.

FYI - keyloggers are a type of malware.

36
Q

What is spyware?

A

A program that records the user’s interaction with the computer and the internet without the user’s knowledge and sends the information to remote attackers. Spyware hides its processes, files, and other objects to avoid detection.

FYI - spyware is a type of malware.

37
Q

What are rootkits?

A

Programs that hide their presence as well as the attacker’s malicious activities, granting them FULL ACCESS to the server or host at that time and in the future. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
The attacker places the rootkit by:
- scanning for vulnerable computers and servers on the web
- wrapping it in a special package like a game
- installing it on public or corporate computers through social engineering
- launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)

38
Q

In Windows, rootkits are kernel-mode device drivers.

True / False.

A

True.

39
Q

What is steganography?

A

A technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain the confidentiality of data.
ex. Using a graphic image as a cover is the most popular method of concealing data in files.
An attacker can use steganography to hide messages such as a list of compromised servers, source code for a hacking tool, or plans for future attacks.

40
Q

What is image steganography?

A

The information is hidden in image files of different formats such as .PNG, .JPG, and .BMP.

Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by the human eye.

41
Q

What is spam/email steganography?

A

The technique of sending secret messages by hiding them in spam/email messages.

Tool -> Spam Mimic

42
Q

What is steganalysis?

A

The art of discovering and rendering covert messages hidden using steganography. It detects hidden messages embedded in image, text, audio, and video carrier media.

43
Q

What is a challenge of steganalysis?

a) the suspect information stream may or may not have hidden data encoded in it
b) accurate detection of hidden content in digital images is difficult
c) the message could be encrypted before being inserted into a file
d) some of the suspect signals or files may have irrelevant data or noise encoded into them
e) all of the above

A

e) all of the above

44
Q

What techniques can attackers use to cover their tracks on the target system?

a) disabling auditing / disabling Windows functionality
b) clearing logs / manipulating logs
c) deleting files
d) covering tracks on the network/OS
e) all of the above

A

e) all of the above

45
Q

If the system is exploited with Metasploit, the attacker uses the Meterpreter shell to wipe out all the logs from a Windows system.
True/False.

A

True.

46
Q

What are reverse HTTP shells?

A

The attacker installs a reverse HTTP shell on the victim’s machine, which is programmed to ask for commands from an external master who controls the reverse HTTP shell.
The victim here acts as a web client executing HTTP GET requests, whereas the attacker behaves like a web server and responds to the requests.
This type of traffic is considered normal.

47
Q

What are reverse ICMP tunnels?

A

The attacker uses an ICMP tunneling technique that uses ICMP echo and ICMP reply packets as a carrier for the TCP payload, to access or control a system stealthily.
The victim’s system is triggered to encapsulate the TCP payload in an ICMP echo packet that is forwarded to the proxy server.
Organizations often have security mechanisms that check INCOMING ICMP packets only, not outgoing ICMP packets; therefore the attacker can easily bypass the firewall.