MOD6: System Hacking Flashcards
Where does Windows store passwords?
SAM (Security Accounts Manager) database or in the Active Directory database in domains. Passwords are never stored in clear text and are hashed, and the results are stored in SAM.
Which protocols store the user’s password in the SAM database?
The NTLM authentication protocol types are as follows: NTLM authentication protocol and LM authentication protocol. These protocols store the user’s password in the SAM database using different hashing methods.
Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain.
What is Kerboros authentication?
Microsoft has upgraded it’s default authentication protocol to kerboros which provides a stronger authentication for client/server applications than NTLM.
In Linux, passwords are stored in “shadow”.
True / False.
True.
In the Linux operating system, a shadow password file is a system file in which encryption user password are stored so that they aren’t available to people who try to break into the system.
What is Ntds. dit?
The Ntds. dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
Hint: think AD!
Provide an example of how hash passwords are stored in Windows SAM.
Administrator:500:NO PASSWORD**:572967347564372848:::
Guest:501:NO PASSWORD**:572934547564371128:::
Sheila:1005:NO PASSWORD**:572967347544559944:::
HINT: Remember, the UserID for Admin will always be 500. The last bit of numbers is the NTLM hash.
What are the 4 types of password attacks?
Non-electronic Attack
Active online attack
Passive online attack
Offline attack
Type of Password attack:
What is a non-electronic attack?
The attacker does not need technical knowledge to crack the password.
ex. shoulder surfing, social engineering, dumpster diving
Type of Password attack:
What is an Active online attack?
Attacker performs password cracking by directly communicating with the victim’s machine.
examples below: Dictionary, brute forcing, and rule-based attack hack injection attack LLMNR/NBT-NS Poisoning Trojan/spyware/keylogger Password guessing Internal Monologue attack Cracking Kerboros passwords
Type of Password attack:
What is a Passive online attack?
Attacker performs password cracking without communicating with the authorizing party. examples below: wire sniffing MITM attack replay attack
Type of Password attack:
What is an Offline attack?
Attacker copies the target’s password file and then tries to crack passwords on his own system at a different location.
examples:
Rainbow Table attack (pre-computed hashes)
Distributed Network Attack
What’s the difference between a brute-force attack and a rule-based attack?
Brute force attack - the program tries every combination of characters until the password is broken
rule-based attack - The attack is used when the attacker gets some info about the password.
What is a birthday attack?
2 inputs produce the same hash.
HINT: hash collision!
What is a hybrid attack?
adds random characters/data to the end of the dictionary root word. (ex. Apple02)
What is hash injection / pass-the-hash (PtH) attack?
An attacker injects into a compromised hash into a local session and use the hash to validate network resources. The attacker finds and and extracts a logged-on domain admin account hash. The attacker then uses the extracted hash to log on to the domain controller.
LLMNR (Link Local Multicast Name Resolution) or NBT-NS (NETBIOS over TCP/IP Name Services) is a scenario where you’re spoofing a response from a requested system and you’re impersonating it and actually one of the challenge-handshakes.
True/False.
True.
_____ and _____ are the 2 main elements of Windows OSs that are used to perform name resolution for hosts present on the same link.
LLMNR and NBT-NS.
This is a type of “active attack” that is called LLMNR / NBT-NS Poisoning.
What are the 2 types of Cracking Kerberos passwords.
- AS-RES Roasting (cracking ticket-granting-ticket; TGT). Attackers request a TGT from the KDC in the form of an AS-REQ packet and crack the ticket to obtain the user’s password.
- Kerberoasting (cracking Ticket-granting-service;TGS). Attackers request a TGS for the SPN (service principal name) of the target service account and crack the ticket to obtain the user’s psasword.
In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain.
What is Pass the Ticket attack?
A technique used for authenticating a user to a system that is using Kerberos without providing the user’s password.
To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools.
What type of tools can be used for Pass the Ticket attack?
Mimikatz, Rubeus, and Windows Credentials Editor are used by attackers to launch such attacks.
FYI, Mimikatz allows attackers to pass Kerberos TGT to other computers and sign in using the victim’s ticket. Mimikatz can also help in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
What happens in a wire sniffing attack?
Attackers run packet sniffer tools on the LAN to access and record the raw network traffic.
FYI - this is a passive online attack.
This attack is hard to perpetrate.
What occurs in a Man-in-the-middle attack?
The attacker acquires access to the communication channels between the victim and the server to extract the information they need.
FYI - This is a passive online attack.
This attack relatively hard to perpetrated.
What occurs in a replay attack?
Packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
FYI - This is a passive online attack.
This attack relatively hard to perpetrated.
What is a rainbow table attack?
A rainbow table is a precomputed table that contains word lists like dictionary files, brute force lists, and their hash values. The hash of passwords is compared to the precomputed hash table. If a match is found, then the password gets cracked.
FYI - this is an offline attack
It is easy to recover passwords by comparing the captured password hashes to the precomputed tables.
A hash is a 32 character hexadecimal.
True/False.
True.
What is password salting?
A technique where a random string of characters are added to the password before calculating their hashes.
Advantage: salting makes it difficult to reverse the hashes and defeat pre-computed hash attacks.
Note: Windows password hashes are not salted.
What is vulnerability exploitation?
It involves the execution of multiple complex, irrelated steps to gain access to a remote system.
Vulnerability > exploit > payload > launch
Here are the 7 steps: identify the vuln, determine the risk of vuln, determine capability of vuln, develop exploit, select method of delivering (local / remote), generate and deliver payload, gain remote access.
What is buffer overflow?
A buffer is an area of adjacent memory locations allocated to a program or application to handle it’s runtime data. Buffer overflow is a common vulnerability in an application or programs that accepts more data than the allocated buffer. This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory allocations.
Why would attackers want to exploit buffer overflow?
to inject malicious code into the buffer to damage files, modify program data, access critical info, escalate priviledges, etc.
Why are programs and applications vulnerable to buffer overflow?
- lack of boundary checking
- using older versions of programming language
- using unsafe and vulnerable functions
- lack of good programming practices
- failing to set proper filtering and validation principles
- executing code present in the stack segment
- improper memory allocation
- insufficient input sanitization
How can an attacker take advantage of a privilege attack?
Taking advantage of design flaws, programming errors, bugs, configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.
What are the 2 types of privilege escalation?
- Horizontal Privilege Escalation (think of Mario becoming Luigi)
- Vertical Privilege Escalation (think of Mario becoming SUPERMario)
When attackers execute malicious applications, it’s called “owning” the system.
True/False
True
What type of malicious programs are used by attackers to execute on target systems?
a) keyloggers
b) backdoors
c) spyware
d) crackers
e) all of the above
all of the above.
What is a keylogger?
Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on the keyboard, logs onto a file, or transmits them to a remote location.
Keyloggers will be either software or physical based.
FYI - keyloggers are a type of malware.
What is spyware?
A program that records the user’s interaction with the computer and the internet without the user’s knowledge and sends the information to the remote attackers. Spyware hides its processes, files, and other objects to avoid detection.
FYI - spyware is a type of malware.
What are rootkits?
Programs that hide their presence as well as the attacker’s malicious activities, granting them FULL ACCESS to the server or host at that time, and in the future. A typical rootkit comprises of backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
The attacker places the rootkit by:
- scanning for vulnerable computers and servers on the web
- wrapping it in a special package like a game
- Installing it on public computers or corporate computers through social engineering
- launching a zero-day attack (privilege escalation, buffer overflow, Windows kernal exploitation, etc)
In Windows, rootkits are a kernal mode device driver.
True / False.
True.
What is steganography?
A technique of hiding a secret message with an ordinary message and extracting it at the destination to maintain confidentiality of data.
ex. utilizing a graphic image as a cover is the most popular method to conceal the data it files.
An attacker can use steganography to hide messages such as a list of the compromised servers, source code for the hacking tool, or plans for future attacks.
What is image steganography?
The information is hidden in image files of a different format like .PNG, .JPG, and .BMT.
Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by the human eye.
What is spam/email steganography?
The technique of sending secret messages by hiding them in spam/email messages.
Tool -> Spam Mimic
What is steganalysis?
The art of discovering and rendering covert messages using steganography. It detects hidden messages embedded in images, text, audio, and video carrier mediums.
What is a challenge of steganalysis?
a) suspect info steam may/may not have encoded hidden data
b) accurate detection of hiddent content in digital images is difficult
c) msg could be encrypted before being inserted in a file
d) some of the suspect signals or files may have irrelevant data or noise encoded into them.
e) all of them above
e) all of the above
What techniques can attackers use to cover their tracks on the target system?
a) disabling auditing / disabling windows functionality
b) clearing logs / manipulating logs
c) deleting files
d) covering tracks on the network/OS
e) all of the above
e) all of the above
If the system is exploited with Metasploit, the attacker uses meterpreter shell to wipe out all the logs from a windows system.
True/False.
True.
What are reverse HTTP shells?
Attacker installs a reverse HTTP shell on the victim’s machine, which is programmed in such a way that it would ask for commands from an external master who controls the reverse HTTP shell.
The victim here will act as a web client who is executing HTTP GET commands, whereas the attacker behaves like a web server and responds to the requests.
This type of traffic is considered normal.
What are reverse ICMP tunnels?
The attacker uses an ICMP tunneling technique to use ICMP echo and ICMP reply packets as a carrier of the TCP payload, to access or control a system stealthily.
The victim’s system is triggered to encapsulate the TCP payload in an ICMP echo packet that is forwarded to the proxy server.
Organizations have security mechanisms that check for INCOMING ICMP packets only, but not outgoing ICMP packets; therefore the attacker can easily bypass the firewall.
