Module 06: System Hacking Flashcards

1
Q

What are the three phases of the hacking cycle that system hacking covers?

A

Phases 3-5:

  1. Gaining access
  2. Maintaining access
  3. Covering tracks
2
Q

What are the two basic ways to gain access to a system?

A
  1. Crack user passwords
  2. Exploit system vulnerabilities
3
Q

Where are passwords stored on Windows and Linux systems?

A

To confirm a typed password is correct, the correct password to verify the match against has to be stored somewhere on the box.

  • The password storage location on Windows systems for non-domain controllers is the SAM database found in the system32 config directory. The SAM file is located at c:\windows\system32\config\SAM

In Windows, SAM stands for Security Account Manager. The SAM database is a file that stores user account information, including usernames and hashed passwords, and is used for local authentication on the system.

There is also the ntds.dit file, which is the storage location on an AD domain controller.

  • In Linux systems there is typically a file called shadow with the hashes and a password file with the users.
  • Kerberos is a more secure form of authentication, but it can fall back to NTLM (which is outdated and insecure) if Kerberos isn’t supported.

Why don’t hackers go after the password storage? They do, which is why we make the stored passwords difficult to obtain and hash them.

You have to crack the hash, which cannot be reversed: the password must be re-created by guessing candidates until one produces a resultant hash output that matches the captured hash. This can be incredibly time consuming.

4
Q

SAM Database

A

Windows stores user passwords in the SAM (Security Accounts Manager) Database, or in the Active Directory database in domains. Passwords are never stored in clear text and are hashed, and the results are stored in the SAM.

5
Q

NTLM Authentication

A

The NTLM authentication protocol stores the users’ passwords in the SAM database using different hashing methods depending on whether it’s the NTLM authentication protocol or the LM authentication protocol.

___

NTLM (NT LAN Manager) is a Windows authentication protocol used to verify users and services within a network. It relies on a challenge-response mechanism, where hashed passwords are used for authentication without sending the actual password over the network. The Windows domain controller has a stored copy of the user’s hashed password and decrypts the challenge response from the user using the stored password hash for that user.

Although it’s older and less secure compared to Kerberos (which Windows now favors), NTLM is still supported for backward compatibility and certain network scenarios.

6
Q

Kerberos authentication

A

Microsoft’s newer, upgraded default authentication protocol, which provides stronger authentication for client-server applications and issues TGTs from the KDC, followed by the relevant service tickets.

Kerberos is more secure because everything is encrypted. When you log into the Kerberos KDC (aka the domain controller) for the first time that day, you need a TGT (ticket granting ticket), which Kerberos sends back with a key encrypted with your password; the password is held in memory, never leaves the machine, and is unknown to an eavesdropper. The TGT is decrypted with the password in memory, then replayed against the ticket granting server to request access to other services. Each subsequent session ticket has a unique symmetric key encrypted with the client’s password, so an eavesdropper sees an unknown encrypted with an unknown key.

7
Q

Active vs Passive online attacks

A

Active Online Attacks: dictionary, brute force, rule-based attacks, hash injection, spyware, password spraying, internal monologue, cracking Kerberos

Passive online attacks: wire sniffing, MITM, replay attack

8
Q

Offline attacks

A

Taking the password file and cracking passwords on your own system in a different location; the length and complexity of the password determine its resiliency to brute-force attacks.

You need to figure out which password produces the captured hash when run through the hashing algorithm used by the system.

9
Q

Dictionary attack

A

Takes a word list and tries each word one at a time, by trial and error, until the right hash is produced. Finding a collision will authenticate you to the system even if the password is wrong, as the system only knows the hash, not the password itself. If the password is not in the word list you are OK. You can also add number variations to dictionary root word lists using hybrid attacks, but that takes longer.

A dictionary attack is always the shortest route but doesn’t always work.

10
Q

Brute force

A

Tries every possible combination of letters/numbers in a methodical way (a, aa, aaa). Exhaustive but guaranteed to succeed eventually (which could be thousands of years from now).
Rule-based configuration comes in where you know something about the password environment and program the cracker to follow specific rules. EX: 8 characters = 10 years, depending on the processing power.

11
Q

Rainbow tables

A

You generate your hash tables ahead of time, which saves time later: matching a captured hash against the table is near-instant. The tables take a long time to generate and take up lots of space, but they can be neutralized with salting or peppering.
There is more math involved with a challenge handshake than with a non-challenge handshake.

12
Q

Password spraying

A

Attack multiple user accounts simultaneously using a small list of commonly used passwords. Attempts to avoid account lockout in a live environment.

Tool: CrackMapExec

13
Q

Credential stuffing

A

Username and password pairs captured from one site are blasted against other websites in the hope of getting a match.

14
Q

Default passwords

A

You can find websites dedicated to cataloging default passwords by vendor and by product; default configurations are definitely a vulnerability.

15
Q

Pass the hash

A

Here you don’t have to crack the hash, you only have to replay it, using tools like Mimikatz, whosthere, iam.

  • You can rewrite your authentication token after you’ve logged into a Windows machine. You can look at your authentication token and clone the username and password hash of another account, then use that to present yourself to other resources to move through a network.

You can also compromise a hash and append it to a challenge in NTLM authentication.

16
Q

LLMNR / NBT-NS Poisoning

A

These are the two main elements of Windows operating systems used to perform name resolution for hosts present on the same link.

An attacker can crack the NTLMv2 hash obtained from the victim’s authentication process, then use the extracted credentials to log onto the host system.

SPOOFING TOOL: Responder

17
Q

How can you compromise Kerberos passwords

A
  1. AS-REP Roasting (cracking the TGT)
    Attackers request a TGT from the KDC in the form of an AS-REQ packet and crack the ticket to obtain the user’s password
  2. Kerberoasting (cracking the TGS)
    Attackers request a TGS for the SPN of the target service account and crack the ticket to obtain the user’s password
18
Q

DNA

A

Distributed Network Attacks: multiple agents running in a coordinated fashion, used for recovering passwords from hashes or password-protected files. Managed by a manager. Grid computing, parallel processing, graphics cards.

19
Q

How do the following tools work:

- pwdump7
- rainbowcrack
- John the Ripper
- hashcat
- THC-Hydra
- Medusa
- Secure Shell Bruteforcer

A

pwdump7: Extracts hashed passwords from Windows’ SAM file, which attackers can then attempt to crack offline to retrieve user passwords.

rainbowcrack: Uses precomputed rainbow tables to quickly match password hashes to plaintext passwords, speeding up the cracking process.

John the Ripper: A versatile password-cracking tool that uses dictionary and brute-force attacks to crack various hash types, commonly used in penetration testing.

hashcat: A highly efficient, GPU-optimized password-cracking tool that supports multiple hash types, allowing attackers to perform large-scale, fast hash-cracking attacks.

THC-Hydra: A network login cracker that can perform brute-force and dictionary attacks on numerous network protocols, including FTP, SSH, and HTTP.

Medusa: Similar to Hydra, Medusa is a parallel brute-forcing tool that tests login credentials against various network services to discover valid user credentials.

Secure Shell Bruteforcer: A specialized tool for brute-forcing SSH logins by trying various username-password combinations to gain unauthorized access to a target system.

20
Q

Buffer overflow

A

A vulnerability caused by a lack of input validation on the length of input. Oversized input floods the adjacent memory locations allocated to a program or application for its runtime.

Not something you will do day in and day out; it is more manual and not a daily driver activity.

  • Start with spiking: send packets to a server until it crashes.
  • Fuzzing sends random, large amounts of data to see how far you have to push to flood the buffer.
  • Identify the offset where the EIP register is, then overwrite it with malicious shellcode.
  • Then identify bad characters that may cause issues with the shellcode.
  • Generate the shellcode, inject it into the register, exploit the box.

21
Q

Heap vs stack overflows

A

Stack overflow often involves overwriting control data on the stack, like return addresses, making it easier to hijack execution flow.

Heap overflow involves corrupting dynamically allocated memory on the heap, usually targeting function pointers or objects, making it more complex but also harder to detect.

22
Q

What are the primary tools for code analysis?

A

Debuggers show memory space being occupied by a process

Disassemblers turn compiled code into assembly instructions

23
Q

DLL Hijacking

A

DLL hijacking and injection are techniques attackers use to load malicious code into legitimate applications by exploiting how Windows handles Dynamic Link Libraries (DLLs):

DLL Hijacking:
- Exploits the way some applications search for and load DLL files.
- An attacker places a malicious DLL with the same name as a legitimate DLL in a directory the application checks first.
- When the application loads this DLL, the malicious code runs under the application’s process, potentially giving the attacker control.

DLL Injection:
- Involves forcing a target application to load a malicious DLL at runtime.
- Attackers use system calls or functions (e.g., CreateRemoteThread in Windows) to inject the DLL into the process’s memory space.
- This allows the attacker to execute arbitrary code within the context of the target application, often used for espionage or privilege escalation.

Both techniques enable attackers to run code within trusted processes, making detection difficult and allowing deeper access to the system.

____

Since most Windows applications do not use the fully qualified path when loading an external DLL library, and instead search the directory from which they were loaded, if you can place a malicious DLL in the application directory you can subvert the application when it calls the DLL.

Robber and PowerSploit can find injectable DLLs.

Dylib hijacking is the same process on macOS.

24
Q

What are some ways of maintaining access?

A

Keyloggers: hardware or software. Metasploit has a keylogger feature called keyscan_start and key

Spyware: the most basic form of spyware is a tracking cookie; it records your activities.

Browser add-ons and trojans: piggyback software installs, drive-by downloads, web vulnerability exploits

Spytech SpyAgent and Power Spy are considered legitimate but get abused.

Rootkit means a kit that provides root access from a remote location, or backdoor access. Rootkits are now stealthy, concealed and undetectable on the target system. They may provide backdoor functionality and hide and cloak system processes. You can scan for and protect against a rootkit before it is dropped, but it will eventually run as a kernel object driver.

*The only way to determine that such a process is running is through a memory dump.

25
Q

Maintaining persistence by abusing boot or logon autostart executions

A

Attackers can abuse boot or logon autostart executions to escalate privileges and maintain persistence by applying custom configuration settings on the compromised machine, allowing a program to run automatically at system boot or logon.

Two methods to abuse boot or logon autostart execution:
1. Registry run keys
2. Startup folder

If you want to maintain persistence you need the backdoor to start every time the system boots. Typically it is embedded as registry keys or in the startup folder.
Back to Kerberos: a golden ticket attack forges a TGT, while a silver ticket attack forges a TGS.

26
Q

What are 6 ways to cover tracks?

A
  1. Disable Auditing: turns off auditing so events do not go into the log file
  2. Clearing Logs: cleans the log file, may raise suspicion
  3. Manipulating Logs: removing specific entries, the most meticulous method
  4. Covering tracks on the Network / OS
  5. Deleting Files / Hiding Artifacts
  6. Disabling Windows Functionality

TOOLS:

Disabling Auditing: Auditpol

- Disabling auditing is itself a log entry.

Clearing logs looks suspicious but is better than nothing:
- Clear_Event_Viewer_Logs.bat utility; can also use a Meterpreter shell in Metasploit to wipe logs from a Windows system with the clear_ev command

You can also clear event logs with PowerShell, living off the land by using a native utility.

Can also manually clear log files. In Linux the /var/log directory has plaintext files with the log messages that you can manipulate with a text editor.
Windows tracks all kinds of things you use. Using a multi-faceted tracks-clearing utility is recommended, like CCleaner, Window Washer, BleachBit, etc.

_____
Disable Auditing: Turns off system auditing to prevent security events from being recorded in log files.

Clearing Logs: Erases entire log files to remove evidence, though this can raise suspicion due to the absence of expected logs.

Manipulating Logs: Selectively removes or edits specific entries in logs, providing a stealthier approach by keeping other log events intact.

Covering Tracks on the Network / OS: Hides network activity or tampering with OS records to mask unauthorized access or data exfiltration.

Deleting Files / Hiding Artifacts: Removes or obscures files and traces left by malware or commands, reducing evidence of malicious activity.

Disabling Windows Functionality: Disables key Windows functions (like firewall or antivirus) to avoid detection or limit logging of malicious actions.

27
Q

Other methods

A

Remove the Most Recently Used (MRU) list, delete cookies, clear the cache, turn off AutoComplete, and clear the Toolbar data from the browsers.

The Bash shell tracks the command history and it is ongoing, while Windows history stops when the terminal window is closed. The Linux history file is ongoing and is appended to future history files. When you delete those history files they are still there on disk; you should use the shred or cat-nul utility.

Deleted is not deleted; the data is just waiting around until it’s overwritten.

28
Q

How do you obscure your communications across a network and OS?

A

Across a network you can use reverse HTTP shells, ICMP tunnels, DNS tunneling and more.

To cover tracks in an OS you can put “.” at the beginning of a filename to hide the file.

cipher.exe is for managing the Encrypting File System from the Windows command line; otherwise deleted files are far from deleted.

29
Q

What are some other track covering tools and how do they work?

A
  • CCleaner: Cleans junk files, temporary files, and unused registry entries on a system, improving performance and freeing up disk space.
  • DBAN (Darik’s Boot and Nuke): Securely wipes entire hard drives by overwriting data multiple times, making data recovery virtually impossible.
  • Privacy Eraser: Removes traces of online and offline activities, like browsing history, cache, and temporary files, to enhance privacy on a system.
  • Wipe: Erases specific files, folders, or entire drives by overwriting them multiple times, ensuring that deleted data cannot be recovered.
  • BleachBit: Deletes temporary files, frees disk space, and erases system and application traces to protect privacy and improve system performance.