Attacking a System Flashcards

(86 cards)

1
Q

LM Hashing

A

Takes a password and converts it to uppercase. If the password is shorter than 14 characters, blank characters are appended to make it 14. The 14-character password is split into two 7-character strings and each string is hashed separately.

2
Q

If an LM password is 7 or fewer characters, the second half (padded blank characters) will always be:

A

AAD3B435B51404EE, the hash value of 7 blank characters

3
Q

In a Windows Vista or later SAM file, an LM password shows up as:

A

Blank. The NTLM hash will show in the second part of the line.

4
Q

Salting

A

Adding random data as additional input before a password is hashed.

5
Q

Active Directory database

A

%SYSTEMROOT%\System32\Ntds.dit

6
Q

Kerberos

A

Uses both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. Made up of a Key Distribution Center (KDC), an Authentication Service (AS), a Ticket Granting Service (TGS) and the Ticket Granting Ticket (TGT).

7
Q

LM Authentication Levels

A

0 - Windows XP Default

2 - Windows 2003 Default

8
Q

Active Directory Database

A

Stored on domain controllers in %SYSTEMROOT%\NTDS\NTDS.dit or %SYSTEMROOT%\System32\NTDS.dit

9
Q

Tools used to crack Kerberos

A

Kerbsniff, KerbCrack

10
Q

Password Security

A

The length of a password is more important than the complexity of a password.

11
Q

Golden Ticket

A

Creating your own Kerberos TGT. Can be created by Mimikatz or Cobalt Strike using a provided domain name, domain admin name, domain SID and a Kerberos TGT hash.

12
Q

Pass the Hash

A

Password hashes stored in memory are passed to a requesting remote computer for authentication. Hashes are loaded by LSASS. Tools: Mimikatz, which can steal hashes, PIN codes and Kerberos tickets from memory. Mimikatz is also included in Metasploit as a Meterpreter script.

13
Q

Windows Registry - HKEY_LOCAL_MACHINE (HKLM)

A

Contains hardware information and software settings.

14
Q

Windows Registry - HKEY_CLASSES_ROOT (HKCR)

A

Contains information on file associations and Object Linking and Embedding (OLE) classes

15
Q

Windows Registry - HKEY_CURRENT_USER (HKCU)

A

Contains profile information for the user currently logged on. Includes preferences for the OS and applications.

16
Q

Windows Registry - HKEY_USERS (HKU)

A

Contains specific user configuration information for all currently active users on the computer

17
Q

Windows Registry - HKEY_CURRENT_CONFIG (HKCC)

A

Contains a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Current\ to make accessing and editing this profile information easier.

18
Q

Registry Character String

A

REG_SZ

19
Q

Registry Expandable String

A

REG_EXPAND_SZ

20
Q

Registry Binary Value

A

REG_BINARY

21
Q

Registry 32-bit unsigned integer

A

REG_DWORD

22
Q

Registry symbolic link to another key

A

REG_LINK

23
Q

Registry multi-string value

A

REG_MULTI_SZ

24
Q

Startup keys

A

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

25
Linux - File System - Root
Designated by a /
26
Linux - File System - /bin
Holds numerous Linux commands a lot like C:\WINDOWS\SYSTEM32
27
Linux - File System - /dev
Contains device files for storage and I/O devices that can be mounted, such as optical drives and additional hard drives. Everything in Linux is a file.
28
Linux - File System - /etc
Contains all administrative configuration files and passwords. The passwd and shadow files are found here.
29
Linux - File System - /home
User home folders
30
Linux - File System - /mnt
Holds the mount points for mounted file systems.
31
Linux - File System - /sbin
System binaries; holds more admin commands and Linux daemons.
32
Linux - File System - /usr
Holds information, commands and files unique to users
33
Common Linux commands
```
adduser - adds a user to the system
cat     - displays the content of a file
cp      - copies a file
ifconfig - like Windows ipconfig
kill    - kills a running process
ls      - displays the content of a folder
man     - displays the manual pages of a command
passwd  - used to change your password
ps      - process status command; -ef will show all processes
rm      - removes files; -r will also remove directories
su      - perform functions as another user
sudo    - run programs as super user
pwd     - print current working directory
```
34
Run a program in Linux in the background
Add an ampersand to the end of the command. The process will end when the user logs out. To make the process persistent and survive logout, add nohup to the beginning of the command.
35
Linux Users and Groups
Each user is assigned a unique ID called a UID and each group is assigned a unique ID called a GUID. These can be seen in the /etc/passwd and /etc/group files respectively, as the third field.
36
Linux password storage
Linux can store passwords in either the /etc/passwd file or the /etc/shadow file. An "x" in the passwd file indicates that the password is stored salted and hashed in the shadow file. Only root has access to the shadow file.
37
Tools to crack passwords from Linux shadow files
John the Ripper using brute force
38
Linux hacking distros
Backtrack, Kali, Phlack, Auditor
39
System Hacking Goals
```
Gaining Access
Escalating Privileges
Executing Applications
Hiding Files
Covering Tracks
```
40
Gaining Access
Cracking passwords and escalating privileges
41
Clear tracks methodology
In Metasploit, use clearev. Clear the most recently used (MRU) list and most recent documents in Windows. Prepend a dot "." to Linux file names to hide them.
42
Hacking Phases
1. Reconnaissance
2. Scanning - discovery and port scanning, then enumeration
3. Gaining Access - cracking passwords, escalating privileges
4. Maintaining Access - executing applications, hiding files
5. Covering Tracks - clearing logs
43
Single factor authentication
Something you know
44
Two factor authentication
Something you know and something you have (biometric)
45
False Rejection Rate (FRR)
The percentage of time a biometric device will deny access to a legitimate user
46
False Acceptance Rate (FAR)
The percentage of time a biometric device will give an unauthorized user access to a system
47
Crossover Error Rate (CER)
Where the False Rejection Rate and the False Acceptance rate of a biometric device intersect
48
Active biometric device
Must be touched. A retina scan is invasive because it sends a beam of light into the eye and is therefore considered active.
49
Passive biometric device
You don't have to touch it. An iris scan is considered noninvasive because it takes a picture of the eye and is therefore considered passive.
50
Biometric or e-passport
A token that you carry that holds biometric information identifying you. Still considered single factor authentication
51
Password fatigue
Users having to remember too many long and complex passwords.
52
Keyboard walk passwords
Using a predictable path or pattern of keys on a keyboard as the password.
53
Password cracking
Non-Electronic - social engineering, shoulder surfing, dumpster diving
Active Online - direct interaction with the target; includes dictionary and brute-force attacks, hash injections, phishing, Trojans, spyware, keyloggers and password guessing
Passive Online - sniffing
Offline - steal a copy of a password file and crack it using a dictionary attack, hybrid attack or brute-force attack
54
Rule based password attack
A dictionary/brute-force attack where the attacker has some knowledge of your password policy
55
Keylogging
Using a hardware device or software application to capture a user's keystrokes. Software keyloggers are easier to spot than hardware keyloggers, which are almost impossible to detect.
56
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service attack
LLMNR is based on the DNS host format and allows hosts on the same subnet to perform name resolution for other hosts as a backup for local DNS name resolution. It is subject to poisoning by answering an LLMNR request with the address of your choice, which could lead to sniffing of subsequent authentication attempts to the poisoned entry. Tools: NBNSpoof, Pupy, Metasploit, Responder. You can mitigate by disabling LLMNR through the registry or via GPO.
57
LLMNR port
LLMNR uses UDP port 5355 to multicast addresses 224.0.0.252 and FF02::1:3. NBT-NS uses UDP port 137.
58
Windows Password Recovery Tools
```
CHNTPW (Linux), Stellar Phoenix, Windows Password Recovery Ultimate, ISeePassword, Windows Password Recovery Tool, Passware Kit, PCUnlocker
```
59
Net commands
```
net view /domain:domainname                - list domain hosts
net view \\systemname                      - list of shares
net use \\target\ipc$ "" /u:""             - sets a null session
net use Z: \\target\share /persistent:yes  - makes the drive mapping permanent
```
You can use the NetBIOS Auditing Tool and Legion to automate the testing of user IDs and passwords.
60
Ferret and Hamster
Ferret: this tool is used to grab session cookies; it runs as a background process capturing session cookies that pass over the network on port 80. Hamster: this tool works as a proxy server to manipulate the data that has been grabbed by Ferret.
61
Online tools for password sniffing
Ettercap, Kerbcrack (specifically looks for port 88 Kerberos traffic), Cain, ScoopLM (specifically looks for Windows passwords)
62
SSLsniff
Acts as a man-in-the-middle for SSL connections on a LAN and dynamically generates certificates on the fly for the domains being accessed.
63
What is a hybrid offline password attack?
A step above the dictionary attack. The tool is smart enough to take a word from a list and substitute numbers and symbols for alpha characters.
64
Rainbow table
Precalculated password hashes for easier hash cracking. Can be created with rtgen and winrtgen
65
Offline password cracking tools
```
Cain, THC Hydra, John the Ripper, KerbCrack, LC5 (next-gen L0phtCrack)
```
66
Default Password Sites
OpenSezMe, CIRT, Defaultpassword.com
67
Vertical Privilege Escalation
When a lower-level user executes code at a higher privilege level than they should have access to.
68
Horizontal Privilege Escalation
Executing code at the same user level but from a location that should be protected from access.
69
Four ways to gain root (admin) privileges
1. Crack the admin password
2. Take advantage of an OS vulnerability
3. Use a tool like Metasploit that will deliver a custom payload
4. Social engineer the password
70
DLL hijacking
Adding a malicious DLL to a path where it is loaded before the real DLL. The same can be done on macOS with a DYLIB.
71
Armitage
Offers a GUI front end for Metasploit.
72
Owning a system
Gaining access to the machine and escalating privileges
73
Tools for remote execution
RemoteExec, PDQ Deploy, Dameware Remote Support
74
NTFS Alternate Data Stream
An NTFS feature originally included for Apple file system compatibility; allows you to hide data or a file inside an NTFS file:
```
type badfile.exe > c:\goodfile.exe:badfile.exe
```
There are methods for starting badfile.exe depending on the version of Windows. Use the start command, for example:
```
START c:\goodfile.exe:badfile.exe
```
or create a link to start it using mklink and execute innocent.exe, for example:
```
mklink innocent.exe goodfile.exe:badfile.exe
```
75
Tools to find alternate data stream files
LNS, Sfind, dir /r. You can also copy the file to a FAT partition, which does not support alternate data streams.
76
Hide files with steganography
```
Imagehide, Snow, MP3Stego, Blindside, S-Tools, wbStego, Stealth
```
77
Semagram
Part of steganography. Semagrams hide information by using symbols, signs or visual objects; a semagram is more like an indicator of a larger, previously agreed-upon message.

Visual semagram: uses everyday objects to convey a message, for example, how objects are arranged on a desk. For example, Bob wants to tell Alice that the party will take place on Friday. A semagram could be a postcard with a picture of a Chevrolet car, where Bob and Alice have already agreed that a Chevrolet car means affirmative (the party will take place), while a Ford car means negative (the party won't take place).

Text semagram: obscures a message in text by using things such as font, size, type or spacing.
78
Hide tracks by modifying or deleting log files
Turning auditing off and back on, and deleting all entries in a log file, can be discovered. It is better to corrupt the log file. Tools for log file manipulation include:
```
elsave, WinZapper, EvidenceEliminator, Auditpol (to disable log files)
```
79
Rootkit
A collection of software put in place by an attacker designed to obscure system compromise. Replaces or substitutes administrator utilities and capabilities with modified versions that obscure or hide malicious activity. They provide back doors for the attacker to use later and include measures to remove and hide evidence of any activity.
80
Horsepill
A Linux kernel rootkit inside the initrd with three main parts:
1. klibc-horsepill.patch - creates a new malicious run-init
2. horsepill_setopt - moves command line arguments to the malicious run-init
3. horsepill_infect - splats files
81
Grayfish
A Windows rootkit that injects code into the boot record, creating its own virtual file system.
82
Other rootkits
```
Sirefef, Azazel, Avatar, Necurs, ZeroAccess
```
83
Six types of rootkits
1. Hypervisor level - modifies the boot sequence to load a virtual machine as the host OS
2. Hardware (firmware) - hides in hardware devices or firmware
3. Boot loader level - replaces the boot loader with one controlled by the hacker
4. Application level - replaces valid application files with Trojan binaries
5. Kernel level - attacks the boot sectors and kernel level of the operating system itself, replacing kernel code with back door code. The most dangerous and the most difficult to detect and remove
6. Library level - uses system calls to hide its existence
84
Blue Pill
The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor.
85
Protection Rings
Ring 0 - The kernel
Ring 1 - Drivers
Ring 2 - Libraries
Ring 3 - Applications, also known as user mode
86
Steps for detecting a rootkit
First run dir /s /b /ah and dir /s /b /a-h on the potentially infected system and save the results. Boot a clean CD version of the OS and run the same commands. Use WinDiff to compare the two result files.