MOD6: System Hacking Flashcards
Where does Windows store passwords?
SAM (Security Accounts Manager) database or in the Active Directory database in domains. Passwords are never stored in clear text and are hashed, and the results are stored in SAM.
Which protocols store the user’s password in the SAM database?
The NTLM family has two types: the NTLM authentication protocol and the LM authentication protocol. These protocols store the user’s password in the SAM database using different hashing methods.
Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain.
What is Kerberos authentication?
Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
In Linux, passwords are stored in “shadow”.
True / False.
True.
In the Linux operating system, a shadow password file is a system file in which encrypted user passwords are stored so that they aren’t available to people who try to break into the system.
What is Ntds.dit?
The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
Hint: think AD!
Provide an example of how hash passwords are stored in Windows SAM.
Administrator:500:NO PASSWORD**:572967347564372848:::
Guest:501:NO PASSWORD**:572934547564371128:::
Sheila:1005:NO PASSWORD**:572967347544559944:::
HINT: Remember, the UserID (RID) for the built-in Administrator account is always 500. The last group of numbers is the NTLM hash.
What are the 4 types of password attacks?
Non-electronic Attack
Active online attack
Passive online attack
Offline attack
Type of Password attack:
What is a non-electronic attack?
The attacker does not need technical knowledge to crack the password.
ex. shoulder surfing, social engineering, dumpster diving
Type of Password attack:
What is an Active online attack?
Attacker performs password cracking by directly communicating with the victim’s machine.
examples:
Dictionary, brute-force, and rule-based attacks
Hash injection attack
LLMNR/NBT-NS poisoning
Trojan/spyware/keylogger
Password guessing
Internal Monologue attack
Cracking Kerberos passwords
Type of Password attack:
What is a Passive online attack?
Attacker performs password cracking without communicating with the authorizing party.
examples:
Wire sniffing
MITM attack
Replay attack
Type of Password attack:
What is an Offline attack?
Attacker copies the target’s password file and then tries to crack passwords on his own system at a different location.
examples:
Rainbow Table attack (pre-computed hashes)
Distributed Network Attack
What’s the difference between a brute-force attack and a rule-based attack?
Brute-force attack - the program tries every combination of characters until the password is broken.
Rule-based attack - used when the attacker already has some information about the password (for example its length or character set) and uses it to narrow the search.
What is a birthday attack?
2 inputs produce the same hash.
HINT: hash collision!
What is a hybrid attack?
adds random characters/data to the end of the dictionary root word. (ex. Apple02)
What is hash injection / pass-the-hash (PtH) attack?
An attacker injects a compromised hash into a local session and uses the hash to authenticate to network resources. The attacker finds and extracts a logged-on domain admin account hash, then uses the extracted hash to log on to the domain controller.
LLMNR (Link Local Multicast Name Resolution) or NBT-NS (NetBIOS over TCP/IP Name Service) poisoning is a scenario where you spoof a response to a name request, impersonating the requested system, and take part in one of the challenge-handshakes in its place.
True/False.
True.
_____ and _____ are the 2 main elements of Windows OSs that are used to perform name resolution for hosts present on the same link.
LLMNR and NBT-NS.
This is a type of “active attack” that is called LLMNR / NBT-NS Poisoning.
What are the 2 types of cracking Kerberos passwords?
- AS-REP Roasting (cracking the ticket-granting ticket; TGT). Attackers request a TGT from the KDC in the form of an AS-REQ packet and crack the ticket to obtain the user’s password.
- Kerberoasting (cracking ticket-granting service tickets; TGS). Attackers request a TGS for the SPN (service principal name) of the target service account and crack the ticket to obtain the user’s password.
In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain.
What is Pass the Ticket attack?
A technique used for authenticating a user to a system that is using Kerberos without providing the user’s password.
To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts using credential dumping tools.
What type of tools can be used for Pass the Ticket attack?
Mimikatz, Rubeus, and Windows Credentials Editor are used by attackers to launch such attacks.
FYI, Mimikatz allows attackers to pass a Kerberos TGT to other computers and sign in using the victim’s ticket. Mimikatz can also help in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
What happens in a wire sniffing attack?
Attackers run packet sniffer tools on the LAN to access and record the raw network traffic.
FYI - this is a passive online attack.
This attack is hard to perpetrate.
What occurs in a Man-in-the-middle attack?
The attacker acquires access to the communication channels between the victim and the server to extract the information they need.
FYI - This is a passive online attack.
This attack is relatively hard to perpetrate.
What occurs in a replay attack?
Packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
FYI - This is a passive online attack.
This attack is relatively hard to perpetrate.
What is a rainbow table attack?
A rainbow table is a precomputed table that contains word lists like dictionary files, brute-force lists, and their hash values. The hash of a captured password is compared against the precomputed hash table. If a match is found, the password is cracked.
FYI - this is an offline attack.
It is easy to recover passwords by comparing the captured password hashes to the precomputed tables.