
System Hacking Techniques

BAI514 – Security I. Once the pretest phases are complete, the next goal is to hack the target system. The goal is to completely “own” the target, which requires passwords, active usernames, and the highest level of permissions.



Presentation Transcript


  1. System Hacking Techniques (BAI514 – Security I)

  2. System Hacking Techniques
     • Once the pretest phases are complete, the next goal is to hack the target system
     • The goal is to completely “own” the target
     • This requires
       • Passwords
       • Active usernames
       • Highest level of permissions
     • This is achieved by exploiting common operating system vulnerabilities

  3. System Hacking Techniques
     • To successfully hack a system you need to
       • Identify various password cracking techniques and tools
       • Understand escalation of privilege
       • Understand keyloggers and rootkits
       • Understand how to hide files, cover tracks, perform steganography, and erase evidence

  4. Password Guessing
     • Password guessing is the first step to owning the target
     • Common passwords are
         Password         webmaster
         Root             backup
         Administrator    trial
         Admin            guest
         operator         member
         Demo             private
         Test             {blank}

  5. Password Guessing
     • Password guessing can be done by creating a null share, using a known username
     • Good candidate accounts include
       • Accounts that have never been logged in
       • Accounts that haven’t had a password change in a while
       • Administrator
       • Guest
     • net use * \\target_ip\share * /u:name

  6. Password Guessing
     • Automated Password Guessing
       • Guessing passwords is seldom easy
       • Attackers need to hit as many accounts and try as many passwords as possible
       • Can be done by creating a simple script that loops the guessing with NET USE
           C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
         credentials.txt = a username/password text file (one password and username per line, read into %i and %j)

  7. Password Guessing
     • Automated Password Guessing (cont.)
       • Drawbacks
         • Can cause a DoS if a password lockout policy exists
         • Target the guest account first to see if a policy exists
       • Automated password guessing tools
         • Legion
         • NetBIOS Auditing Tool

  8. Password Guessing
     • Password Sniffing
       • Often a preferred tactic to password guessing
       • Credentials are sniffed off the wire
       • Once captured, credentials are simply replayed

  9. Password Guessing
     • Password Sniffing (cont.)
       • L0phtcrack (LC5)
         • Password auditing and recovery application
         • Includes a sniffer to extract user credentials
         • Purchased by Symantec and discontinued
       • KerbCrack
         • Another useful password sniffer
         • Two parts
           • KerbSniff – listens on port 88
           • Kerbcrack – used to brute force passwords

  10. Password Guessing
     • Password Sniffing (cont.)
       • Other sniffers
         • ScoopLM – sniffs for Windows LM/NTLM authentication; has a built-in dictionary and brute force cracker
         • Dsniff – collection of Unix tools for network auditing and pen testing
         • Wireshark
         • Sniffit – general purpose sniffer
         • Snort – IDS and sniffer
         • TCPDump/WinDump

  11. Password Guessing
     • Alternate means for acquiring passwords
       • Dumpster diving
         • Post-it notes are great!
       • Shoulder surfing
         • Watch a user log in or enter a code
         • Take pictures/video if you can

  12. Password Guessing
     • Keystroke loggers (keyloggers)
       • Intercept the target's keystrokes
         • Stored in a file to be read later
         • Transmitted to the hacker
       • All keystrokes are recorded
         • Lots of useful information!
         • Lots of useless information too...

  13. Password Guessing
     • Keyloggers (cont.)
       • Two types
         • Hardware
           • Require physical access to the computer
           • Most difficult to detect with anti-spyware/firewall
         • Software
           • Installed directly on the target system
           • Typically part of a trojan
           • Some include screen capture capabilities (Spector and PCSpy)
           • Some include audio/video capture capabilities

  14. Password Guessing
     • Keyloggers (cont.)
       • Keylogging tools
         • ISpyNow
         • Invisible Keylogger
         • PC Activity Monitor
         • IKS Software Keylogger
         • KeyCaptor
         • Remote Spy

  15. Privilege Escalation
     • Often the Administrator account and password cannot be obtained
     • The attacker will have to settle for accessing the network with a non-administrator account
     • The attacker will need to escalate the privileges for this account

  16. Privilege Escalation
     • Privilege escalation tools must be executed on the local machine
       • Some can be executed remotely
     • OS patches can reduce the ability of these tools to function

  18. Privilege Escalation
     • Privilege Escalation Tools
       • GetAdmin.exe – works only with NT 4.0 SP3
       • Hk.exe – works on IIS 5.0
       • Pipeupadmin – works on Windows 2000
       • Billybastard – works on WS2K3 and XP
       • Getad – works on XP

  19. Password Cracking
     • Passwords are generally stored and transmitted in an encrypted form called a hash
     • When a user logs in, a password hash is generated and compared with a stored hash

  20. Password Cracking
     • Prior to Windows NT 4.0 SP4, Windows supported two kinds of challenge/response
     • LanManager (LM)
       • Not case sensitive
         • Converts all characters to upper case
       • All passwords are stored as two 7-character hashes
         • Passwords of exactly 14 characters are split into two 7-character halves
         • Passwords of fewer than 14 characters are padded up to 14 characters, then split in two
       • Due to the mathematics of password cracking, it is easier to crack two 7-character hashes than one 14-character hash

  21. Password Cracking
     • LanManager (cont.)
       • Example – password is “123456qwerty”
         • Password converted to upper case: “123456QWERTY”
         • Password is padded with NULL to 14 characters: “123456QWERTY..”
         • Password split in two: “123456Q” and “WERTY..”
         • Each half is hashed
           • “123456Q” = 6BF11E04AFAB197F
           • “WERTY..” = F1E9FFDCC75575B15
         • The two hashes are concatenated: 6BF11E04AFAB197F F1E9FFDCC75575B15

  22. Password Cracking
     • NTLM
       • Uses all 14 characters
       • Allows upper and lowercase letters
     • The LM hash has been replaced with WinNT Challenge/Response NTLMv2
       • Key space is now 128 bits
     • Windows 2000 SP2 and later allowed the disabling of LAN Manager password storing
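The LM preprocessing on slides 20-22 in runnable form, as an added example that is not part of the deck: it uppercases, NUL-pads and splits the password as the slides describe, quantifies the slide 20 claim that two 7-character halves are far cheaper to search than one 14-character hash, and reads two defender-relevant facts off a stored LM hash. The constant AAD3B435B51404EE (the LM half-hash of seven NUL bytes) is a well-known value not given on the slides; the DES step itself is not reproduced, and ASCII is assumed in place of the OEM code page.

```python
from typing import Dict, Tuple

# Well-known LM hash of an all-NUL 7-byte half (assumed known; not from the slides).
# Every LM hash of a password shorter than 8 characters ends with it, and once LM
# storage is disabled (slide 22) the stored LM hash is this value twice.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Slides 20-21: uppercase, pad with NUL to 14 bytes, split into two 7-byte halves.
    Each half would then be DES-hashed to 16 hex digits (not done here)."""
    if len(password) > 14:
        raise ValueError("LM covers at most 14 characters")
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def lm_search_cost(charset_size: int) -> Dict[str, int]:
    """Worst-case candidates to hash when the two halves are attacked independently
    versus a single 14-character hash over the same character set (slide 20)."""
    two_halves = 2 * charset_size ** 7
    single_14 = charset_size ** 14
    return {"two_halves": two_halves, "single_14": single_14,
            "ratio": single_14 // two_halves}


def lm_hash_tells(lm_hash_hex: str) -> Dict[str, bool]:
    """What an auditor can read directly from a 32-hex-digit stored LM hash
    (e.g. one line of pwdump output) without cracking anything."""
    h = lm_hash_hex.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("expected 32 hex digits")
    first, second = h[:16], h[16:]
    return {
        # both halves empty: LM storage disabled (or an empty password)
        "empty_or_lm_disabled": first == LM_EMPTY_HALF and second == LM_EMPTY_HALF,
        # only the second half empty: the password has at most 7 characters
        "password_at_most_7_chars": second == LM_EMPTY_HALF and first != LM_EMPTY_HALF,
    }


if __name__ == "__main__":
    print(lm_halves("123456qwerty"))
    print(lm_search_cost(69))
    print(lm_hash_tells("6BF11E04AFAB197F" + LM_EMPTY_HALF))
```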

  23. Password Cracking
     • Password Cracking Techniques
       • Once a hash is obtained, it can be cracked
       • Tools must be used to generate hashes until a match is found
       • Automated password crackers employ one or more types of password attacks
         • Brute force
         • Dictionary attack
         • Hybrid attack
         • Rainbow attack

  24. Password Cracking
     • Password Cracking Techniques (cont.)
       • Dictionary attack
         • Fastest method for generating hashes
         • Many dictionaries are available
         • Most tools include a base dictionary

  25. Password Cracking
     • Password Cracking Techniques (cont.)
       • Brute Force Attack
         • Most powerful method
         • Randomly generates passwords and their hashes
         • Can take a very long time (months, years?)
         • All passwords can be cracked with brute force

  26. Password Cracking
     • Password Cracking Techniques (cont.)
       • Hybrid Attack
         • Builds on the dictionary method by adding numeric and symbolic characters to dictionary words
         • Examples
           • p@ssword
           • p@ssw0rd
           • p@55w0rd

  27. Password Cracking
     • Password Cracking Techniques (cont.)
       • Rainbow Attack
         • Trades off the time-consuming process of creating all possible password hashes
         • Builds a hash table in advance
         • Extremely fast
         • Hash table is stored in order for rapid indexing of the target hash
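The hybrid attack of slide 26 is easiest to understand by generating the candidate set it enumerates, and the same generator doubles as a password-policy check: a password that a hybrid mutation of a dictionary word would reach is one a cracker reaches first. This is an added example, not code from the deck; the substitution table and suffix list are assumptions chosen so that the slide's three examples (p@ssword, p@ssw0rd, p@55w0rd) are produced.

```python
import itertools
from typing import Iterable, Iterator, Optional

# Assumed substitution rules (not from the slides): each lowercase letter maps
# to the symbols/digits a hybrid cracker commonly swaps in for it.
LEET = {"a": "@4", "s": "$5", "o": "0", "e": "3", "i": "1!", "t": "7"}
# Constructed list of common appended strings.
SUFFIXES = ["", "1", "123", "!", "2024"]


def hybrid_variants(word: str, max_subs: int = 4) -> Iterator[str]:
    """Yield the dictionary word and every variant with up to max_subs substituted
    positions, in lowercase and capitalised form, with each common suffix."""
    base = word.lower()
    positions = [i for i, c in enumerate(base) if c in LEET]
    seen = set()
    for k in range(0, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            choices = [LEET[base[i]] for i in combo]
            for repl in itertools.product(*choices):
                chars = list(base)
                for i, r in zip(combo, repl):
                    chars[i] = r
                stem = "".join(chars)
                for cased in (stem, stem.capitalize()):
                    for suffix in SUFFIXES:
                        candidate = cased + suffix
                        if candidate not in seen:
                            seen.add(candidate)
                            yield candidate


def is_hybrid_of_dictionary(candidate: str, wordlist: Iterable[str]) -> Optional[str]:
    """Policy check: return the dictionary word the candidate is a trivial
    mutation of, or None if no word in the list expands to it."""
    for word in wordlist:
        if candidate in hybrid_variants(word):
            return word
    return None


if __name__ == "__main__":
    variants = set(hybrid_variants("password"))
    print(len(variants), "candidates from one word")
    print(is_hybrid_of_dictionary("P@ssw0rd!", ["summer", "password"]))
```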

  28. Password Cracking
     • Stealing SAM
       • SAM file in Windows NT/2000/2003 contains the usernames and encrypted passwords
       • Located in: %systemroot%\system32\config
       • The file is locked when the system is running
         • Boot the system from an alternate OS
       • Starting with WinNT SP3, a second layer of 128-bit encryption was added called SYSKEY
         • This makes cracking the passwords MUCH harder

  29. Password Cracking
     • Cracking Tools
       • Once password hashes have been collected, a password cracking tool can be used
       • L0phtcrack – mentioned earlier
       • John the Ripper – currently available for Unix, DOS, Win32, BeOS
       • Brutus – uses dictionary and brute force attacks
       • Ophcrack – uses Rainbow Tables
       • RainbowCrack – uses Rainbow Tables
       • Pwdump – password extraction tool that can bypass SYSKEY

  30. Covering Tracks
     • Once a system has been compromised, the attacker is not finished...
     • The attacker must cover their tracks
       • Disable logging
       • Clear log files
       • Eliminate evidence
       • Plant additional tools

  31. Covering Tracks
     • Disable Auditing
       • Auditpol.exe
         • Included in the WinNT Resource Kit
         • Disables auditing
             c:\>auditpol \\10.1.1.13 /disable
       • Once the system is compromised and all tools are installed, auditing can be enabled again

  32. Covering Tracks
     • Clearing the Event Log
       • The attacker will want to clear the logs in Event Viewer
       • Tools
         • Elsave – clears the security log
           • This method will draw attention
         • Evidence Eliminator – very powerful, easy to use log cleanser
         • Winzapper – can erase event records selectively

  33. Covering Tracks
     • Planting Rootkits
       • One of the goals of hacking is to allow the attacker to access the box at a later time
       • This can be done by installing a rootkit
       • Rootkit
         • A collection of software tools that a cracker uses to obtain administrator access to a computer or network
         • Can also monitor traffic, keystrokes, create backdoors, alter log files, attack other systems, alter existing tools to circumvent detection

  34. Covering Tracks
     • Planting Rootkits
       • Ntrootkit
         • Can do all of the aforementioned
         • Hide processes
         • Hide files
         • Hide registry entries
         • Intercept keystrokes
         • Issue a debug interrupt, causing a BSoD
         • Redirect EXE files

  35. Covering Tracks
     • File Hiding
       • Two ways of hiding files in Windows (other than rootkits)
         • File attributes
             Attrib.exe +h [file/directory]
         • Using NTFS Alternate Data Streams (ADS)

  36. Countermeasures
     • Password guessing/cracking
       • Enforce 7-12 character alphanumeric, upper/lower case passwords
       • Force password changing on a regular basis
       • Physically isolate and protect servers
       • Use the SYSKEY utility to store hashes on disk
       • Monitor server logs
       • Block access to TCP 135-139
       • Disable WINS
       • Log failed login attempts
       • Log successful login attempts
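The last two countermeasures only pay off if someone reads the logs, so here is the detection logic they enable, as an added example that is not part of the deck: the NET USE loop on slide 6 produces a burst of failed logons from one source against many accounts (the common names from slide 4) in seconds, which is easy to flag, and a success arriving right after the burst is the case that matters most. The log format and all entries are constructed for this example; real Windows logon events carry the same fields under different names.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not from the slides): ISO timestamp, source host, account, result.
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=10.1.1.99 user=administrator result=FAIL
2024-03-01T09:00:02 src=10.1.1.99 user=administrator result=FAIL
2024-03-01T09:00:02 src=10.1.1.99 user=backup result=FAIL
2024-03-01T09:00:03 src=10.1.1.99 user=guest result=FAIL
2024-03-01T09:00:03 src=10.1.1.99 user=webmaster result=FAIL
2024-03-01T09:00:04 src=10.1.1.99 user=root result=FAIL
2024-03-01T09:00:05 src=10.1.1.99 user=administrator result=SUCCESS
2024-03-01T09:07:10 src=10.1.1.50 user=jsmith result=FAIL
2024-03-01T09:07:40 src=10.1.1.50 user=jsmith result=SUCCESS
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, source, account, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]


def guessing_alerts(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Flag any source with `threshold` or more failed logons inside `window`,
    listing the accounts tried and whether a successful logon from that source
    followed the burst (a guessed or replayed credential, slides 6 and 8)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i in range(len(fails)):
            burst = [e for e in fails[i:] if e[0] - fails[i][0] <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1][0]
                alerts.append({
                    "src": src,
                    "attempts": len(burst),
                    "accounts": sorted({e[2] for e in burst}),
                    "success_after": any(e[3] == "SUCCESS" and e[0] >= burst_end for e in evs),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in guessing_alerts(SAMPLE_LOG):
        print(alert)
```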

  37. File hiding/rootkits

  38. FIN
