Chapter 7: System Hacking Flashcards (CEH - Certified Ethical Hacker)


Phase 4: System Hacking

methodical approach that follows footprinting/scanning/enumeration and includes cracking passwords, escalating privileges, executing applications (backdoors, keyloggers), hiding files and covering tracks


Password Cracking

Hacking process typically starts w/ Password Cracking,

the process of recovering passwords from transmitted or stored data


Password Cracking Techniques (5)

1) Dictionary Attacks - the password-cracking app tries every word from a loaded dictionary (wordlist) file; ineffective against passphrases and anything that is not in the list

2) Brute-force Attacks - every possible combination of characters is attempted until the correct one is uncovered; always succeeds eventually but the work grows exponentially with password length

3) Hybrid Attack - like a dictionary attack, but each word is also mangled by appending or substituting special characters and digits (e.g. password -> p@ssw0rd, password1)

4) Syllable Attack - combination of brute-force and dictionary attack: syllables are combined into candidates; useful when the password is not a standard word or phrase

5) Rule-based Attack - the most advanced form: it assumes the user built the password from information the attacker has some knowledge of (phrases and digits the user tends to use, company name, birth year) and generates candidates from rules that encode that knowledge


Types of attacks (4)

1) Passive Online Attacks - listening without interacting with the target (sniffing tools such as Wireshark, man-in-the-middle attacks, replay attacks)

2) Active Online Attacks - direct engagement with the target with intent to break the password (e.g. password guessing, trojans/spyware/keyloggers, hash injection, phishing)

3) Offline Attacks - attack the stored form of the password, away from the live system, preying on weaknesses in how passwords are stored (e.g. precomputed hashes/rainbow tables, distributed network attacks)

4) Nontechnical Attacks aka non-electronic attacks - moving from the computer into the real world (e.g. shoulder surfing, social engineering, dumpster diving)


Passive Online Attack techniques (3)

1) Packet Sniffing - look for passwords in protocols that send them in cleartext: Telnet, FTP, SMTP/POP3/IMAP without TLS, rlogin, HTTP basic auth

//a sniffer with no extra steps only sees its own collision domain: on a hub every frame, on a switched network only broadcasts and frames addressed to its own port (getting more requires a SPAN/mirror port or ARP spoofing, which turns the attack into an active one)

//most effective on a network that still employs a hub, or on shared media such as open wireless

2) Man-in-the-middle - while two parties are communicating, a third party inserts itself into the convo & attempts to alter or eavesdrop on the communications.

//to be fully successful, the attacker must be able to sniff traffic from both parties at the same time

//vulnerable protocols --> Telnet & FTP

3) Replay Attack - capture packets with a sniffer, extract the authentication exchange, and put those packets back on the network later so the target accepts the old credentials again; protocols without a nonce or timestamp in the exchange are vulnerable


Active Online Attack techniques

1) Password Guessing - attacker tries words from a dictionary, or brute force, against a live login; usually automated by a software tool; noisy (failed-logon events, account lockouts)

2) Trojans, Spyware, & Keyloggers - malware such as trojans, spyware and keyloggers gathers credentials by keyboard sniffing or keylogging on the victim's machine

3) Hash Injection (pass-the-hash) - NTLM authenticates with the password hash itself, so a stolen hash is as good as the password:
1) Compromise a vulnerable workstation
2) When connected, extract the hashes from the system for high-value users who have logged on there, such as domain or enterprise admins
3) Use the extracted hash to log on to a server such as a domain controller
4) If the system is a domain controller or similar, extract the hashes stored there with the intention of taking over other accounts


Offline Attacks 1: Password Hashing

Hashing is a one-way function (not encryption: there is no key and the output cannot be reversed), used to verify integrity.

Passwords are commonly stored in hashed form so they are NOT kept in cleartext. When the user supplies a password it must be verified, and where the hashing happens depends on the system: a web application usually receives the password over TLS and hashes it on the server for comparison with the stored hash, while Windows NTLM hashes it on the client and uses that hash in a challenge-response exchange, so neither the password nor the hash crosses the wire. In both cases the stored hash is what an offline attacker is after.


Offline Attacks 1: Extracting hashes from a System

1) Open a command prompt running as an administrator (reading the SAM requires admin/SYSTEM rights, and most AV products flag pwdump)
2) type pwdump7.exe //displays the hashes
3) type pwdump7.exe > C:\hash.txt //redirects the output to a file
4) Using Notepad, browse to the C drive and open hash.txt to view the hashes (one line per account: username:RID:LM hash:NT hash:::)


Offline Attacks 1: Precomputed Hash or Rainbow Tables

Precomputed hash attacks trade time for storage: the attacker hashes every candidate password in a chosen keyspace (character set x length) ahead of time, then looks captured hashes up instead of computing them. A rainbow table is the compact form of this: the hashes are organised into chains using reduction functions, only chain start/end pairs are stored, and a lookup regenerates just the part of a chain it needs.

The attacker captures the hash from the network or dumps it from the system and looks it up in the rainbow table.

//"Salting" defeats this: Unix, Linux and BSD password hashes include a per-user random salt, so a separate table would be needed for every salt value. Windows LM and NT hashes are NOT salted, which is exactly why rainbow tables work so well against them.

CON - computing all the hash combinations ahead of time takes a long time and a lot of disk; a table only covers the keyspace it was built for, so it can't crack passwords longer than that length or using characters outside its set
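To make the precomputation and the effect of salting concrete, here is an added example (not from the CEH material, not real winrtgen/RainbowCrack code) of a working rainbow table over a constructed toy keyspace: 4-digit PINs hashed with unsalted MD5, 2000 chains of length 20. Only chain end-points are stored; lookup walks the chain from every possible position. The same hash with a constructed salt prepended is then looked up to show the table is useless against salted storage.

```python
import hashlib

# Constructed toy keyspace so the table builds in well under a second.
ALPHABET = "0123456789"
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN   # 10 000 candidate passwords
CHAIN_LEN = 20
CHAINS = 2000                         # 2000 * 20 = 40 000 chain slots over 10 000 passwords


def h(pw: str) -> bytes:
    """The hash being attacked: plain, unsalted MD5 of the password."""
    return hashlib.md5(pw.encode()).digest()


def reduce_(digest: bytes, pos: int) -> str:
    """Reduction function: map a digest back into the keyspace. It depends on
    the chain position, so two chains that collide at different positions do
    not merge (the 'rainbow' property that distinguishes this from a plain
    precomputed-hash chain table)."""
    n = (int.from_bytes(digest[:8], "big") + pos) % KEYSPACE
    return str(n).zfill(PW_LEN)


def build_table() -> dict:
    """Precompute chains; store only end -> [start points], never every hash."""
    table = {}
    for i in range(CHAINS):
        start = str((i * 7919) % KEYSPACE).zfill(PW_LEN)   # 7919 is coprime to 10 000
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_(h(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind `target`, or None if the table does not cover it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sat at position `pos` of some chain; finish that chain.
        pw = reduce_(target, pos)
        for p in range(pos + 1, CHAIN_LEN):
            pw = reduce_(h(pw), p)
        for start in table.get(pw, ()):
            # Replay the candidate chain from its start to find the preimage,
            # or discover this was a false alarm from a merged chain.
            cand = start
            for p in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), p)
    return None


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Salted storage: md5(salt || pw); the table above was built for md5(pw)."""
    return hashlib.md5(salt + pw.encode()).digest()


def verify(stored_salt: bytes, stored_hash: bytes, candidate: str) -> bool:
    """Login-time check against a salted hash: re-hash with the stored salt."""
    return salted_hash(candidate, stored_salt) == stored_hash


SALT = bytes.fromhex("1337cafe")   # constructed; a real salt is random per user
TABLE = build_table()

if __name__ == "__main__":
    print("unsalted md5('7919') ->", lookup(TABLE, h("7919")))
    print("salted   md5(salt||'7919') ->", lookup(TABLE, salted_hash("7919", SALT)))
    print("verify('7919') against salted hash ->", verify(SALT, salted_hash("7919", SALT), "7919"))
```

The table holds 2000 end-points instead of 10 000 hashes, and a lookup costs at most a few hundred hash operations; that is the time/memory trade-off. Real tables (winrtgen/RainbowCrack) apply the same construction to LM or NT hashes over a large character set, where the savings are gigabytes rather than kilobytes.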


Offline Attacks 1: Generating Rainbow Tables

GUI-based generator - winrtgen


Offline Attacks 1: Rainbow Crack

Program used to compare Rainbow table with Hash files


Offline Attacks 2: Distributed NW Attacks (DNA)

modern approach; takes advantage of unused processing power on multiple computers to perform an action (here, password cracking)

//a manager (server) is installed on a chosen system; it hands out slices of the keyspace to client agents installed on the other machines and collects their results

PRO: computing power scales with the number of clients

ANALOGY: SETI@home (Search for Extraterrestrial Intelligence) uses the same volunteer-computing model, though for signal analysis rather than cracking


Other Techniques: Default Passwords

Guessing -- self explanatory

an attacker can guess what type of equipment/system you're using and look up default passwords if you do not change them


Other Techniques: USB Password Theft

embedding a password-stealing application on a USB drive, physically plugging the drive into a target system


Other Techniques: USB Password Theft application (steps to steal)

1) Obtain a password-recovery utility such as pspv.exe
2) Copy it to the USB drive
3) Create a Notepad file called launch.bat containing the following line:
start pspv.exe /s passwords.txt
4) Create a file called autorun.inf on the USB drive containing:
[autorun]
open=launch.bat
5) Save both files to the USB drive; when AutoRun fires, launch.bat runs pspv.exe and writes the recovered passwords to passwords.txt on the drive

//pspv.exe = Protected Storage PassView, dumps passwords saved by Internet Explorer and other applications that use Windows Protected Storage

Mitigation: disable AutoRun/AutoPlay for removable devices via Group Policy. Note that Windows 7 and later (and older versions with update KB971029) no longer honour autorun.inf on USB drives at all, so this technique only works on unpatched XP-era systems or if the user is tricked into running launch.bat manually


Other Techniques: Authentication Mechanisms on Microsoft

Security Accounts Manager (SAM) - database in Windows that stores local account credentials (the LM/NT password hashes of local users). While the system is running, Windows holds an exclusive file lock on the SAM hive to prevent it from being copied, but the hive is loaded into memory and LSASS holds the credential material, so a process running as SYSTEM (pwdump-style tools) can still read the hashes

//the system only gives up exclusive access to the SAM file when powered off (which is why boot-disk tools such as Trinity Rescue Kit can edit it offline)
//SYSKEY (an additional encryption key for the SAM) was enabled by default to protect the SAM further and could be disabled; it was removed from Windows 10 version 1709 and later


Passwords are stored in hashed format using

LM (LAN Manager) and NT (NTLM) hashing; neither is salted. The hashes live in the SAM registry hive, stored on disk at C:\Windows\System32\config\SAM


(In a pwdump-style line, username:RID:LM hash:NT hash:::, the LM hash comes first and the NT hash after it)

Windows Vista and later do not store the LM hash by default (XP still did); the LM field then holds the fixed value AAD3B435B51404EEAAD3B435B51404EE, the LM hash of an empty password, which cannot be deciphered because it has no correlation to the user's actual password. The same dummy value is used whenever the password is longer than 14 characters, because LM cannot represent passwords longer than that



Salting: password hashing is strengthened by adding an additional layer of per-user randomness (the salt) to the hash input, so identical passwords produce different hashes and precomputed tables no longer apply


NTLM Authentication & SSP

NT LAN Manager is Microsoft's challenge-response authentication protocol; NTLMv1 and v2 are still widely used in environments but are relatively insecure (NTLMv1 is broken outright, NTLMv2 is still crackable offline and subject to relay attacks); NTLM is the fallback used where Kerberos is not supported (workgroups, connections by IP address, untrusted domains)

SSP - Security Support Provider - NTLMSSP is the provider that implements NTLM under the Windows SSPI interface; on top of the bare authentication exchange it adds session security (message signing and sealing)


Domain Controller

responds to security authentication requests (such as logging in, permissions, etc)


Process of authentication w/ NTLM protocol

1) The user enters their username & password at the logon prompt
2) Windows computes the NT hash of the password (MD4 over the UTF-16LE password); the password itself is never transmitted
3) The client sends a NEGOTIATE message; the server replies with a CHALLENGE message carrying an 8-byte random value known as the NONCE (server challenge)
4) The client computes a response from the NT hash and the nonce (NTLMv1: DES-encrypts the nonce under keys derived from the hash; NTLMv2: HMAC-MD5 keyed by the hash over the nonce and a client blob) and sends username + response in the AUTHENTICATE message
5) The server passes username, nonce and response to the domain controller, which retrieves the stored hash from its SAM/NTDS and recomputes the expected response
6) If the responses match, the logon request is accepted

Because step 4 needs only the hash, never the password, a stolen hash is sufficient to authenticate (this is what hash injection / pass-the-hash exploits)


What is Kerberos and steps to authenticate service

Authentication protocol based on strong symmetric cryptography and trusted third party (the KDC, which runs on the domain controller); the default in Active Directory domains

1) You want to access another system, such as a server; Kerberos is in use in this environment, so a service "ticket" is required

2) To obtain tickets you first authenticate to the AS (Authentication Server, part of the KDC) with an AS-REQ that proves knowledge of your password (pre-authentication: a timestamp encrypted with a key derived from your password). The AS-REP returns a TGT (ticket-granting ticket), encrypted with the KDC's own krbtgt key so you cannot read it, plus a session key encrypted with your key

3) The TGT is presented to the TGS (ticket-granting service) together with the name of the service you want (its SPN); the TGS returns a service ticket encrypted with that service account's key plus a session key for the service

4) The service decrypts the ticket with its own key and either accepts or rejects it; if accepted, the ticket is valid for a finite lifetime (10 hours by default for a TGT) before it must be renewed or regenerated


Types of Privilege Escalation (2)

1) Horizontal Privilege Escalation - attacker takes over the rights and privileges of another user who has the same level of privilege as the current account (e.g. one regular user reading another user's data)

2) Vertical Privilege Escalation - attacker gains access to an account and then elevates its privileges, or gains access to a higher-privileged account (e.g. user to local admin, local admin to domain admin)


Privilege Escalation: Change password

Identify an account that has desired access & then change the password using the following tools:

Active@ Password Changer
Trinity Rescue Kit
ERD Commander
Windows Recovery Environment (WinRE)
Password Resetter


Trinity Rescue Kit (password reset tool)

Bootable Linux distribution for rescuing and repairing Windows & Linux systems; can be booted from CD or flash drive, so it needs physical (or virtual-console) access to the box and only works if the disk is not encrypted (BitLocker defeats it). It edits the local SAM, so it resets local accounts only, not domain accounts, and the owner will notice the changed password.

1) Command line: winpass -u Administrator
2) Choose the Windows partition/file system to edit
3) Set the new password (or blank it)
4) Type: init 0, to shut down TRK Linux
5) Reboot into Windows and log on with the new password


Types of Apps Executed (4)

1) Backdoors - applications that allow the attacker to regain access later without re-exploiting the system

2) Crackers - SW w/ ability to crack code or obtain PWs

3) Keyloggers - HW/SW used to gain info entered via keyboard

4) Malware - any type of SW designed to capture info, alter, or compromise system


Planting a Backdoor

-PsTools suite (Sysinternals tools that ease system administration)
-PsExec is one of them; similar to Telnet but needs no agent pre-installed on the target: it copies PSEXESVC.exe to the remote ADMIN$ share and starts it as a service, so it requires admin credentials on the target and leaves traces (System log service-install event 7045, the PSEXESVC binary). Commands include:

psexec \\zelda cmd //launches an interactive command prompt on the system named zelda

psexec \\zelda ipconfig /all //executes ipconfig on the remote system with the /all switch and shows the output locally

psexec \\zelda -c rootkit.exe //copies the program rootkit.exe to the remote system and executes it interactively

psexec \\zelda -u administrator -c rootkit.exe //copies the program rootkit.exe to the remote system and executes it interactively using the administrator account on the remote system


Covering your tracks

During this phase the attacker seeks to eliminate error messages, log entries and other artefacts created during the attack

DISABLING AUDITING - auditing is designed to allow detection and tracking of selected events on a system; the attacker alters the way events are logged on the target

Command to stop logging and auditing of events in Windows (the form below is the legacy resource-kit syntax; on Vista and later it is `auditpol /clear /y` or `auditpol /set /category:* /success:disable /failure:disable`, both requiring admin rights):

auditpol \\ /clear

//caveat: changing the audit policy itself writes Security event 4719 ("System audit policy was changed"), and clearing the Security log writes 1102, so this step is itself a detection opportunity

DATA HIDING - hide files placed on the system

ALTERNATE DATA STREAMS (ADS) (NTFS only) - a file can carry extra named streams besides its main data; a payload in a stream is invisible to a plain dir listing and to the file size shown in Explorer, so the data can lie in wait until the attacker decides to run it later. It is a good hiding place but not "impossible to find": dir /r (Vista and later), PowerShell Get-Item -Stream *, and Sysinternals streams.exe all list streams, and the stream is lost when the file is copied to FAT/exFAT media or e-mailed

Creating an ADS:
type triforce.exe > smoke.doc:triforce.exe //copies triforce.exe into a stream named triforce.exe behind smoke.doc; the original triforce.exe is then deleted

Retrieving the file:
start smoke.doc:triforce.exe //on XP this opened the hidden file and executed it; on Vista and later start no longer launches an executable straight from a stream, so the stream first has to be copied back out or launched through another mechanism