System Hacking Techniques - PowerPoint PPT Presentation

PowerPoint Slideshow about 'System Hacking Techniques' - chase

Presentation Transcript

System Hacking Techniques

BAI514 – Security I

System Hacking Techniques

  • Once the pre-attack phases (reconnaissance, scanning, enumeration) are complete, the next goal is to hack the target system

  • The goal is to completely “own” the target

    • This requires

      • Passwords

      • Active usernames

      • Highest level of permissions

    • This is achieved by exploiting common operating system vulnerabilities

System Hacking Techniques

  • To successfully hack a system you need to

    • Identify various password cracking techniques and tools

    • Understand escalation of privilege

    • Understand keyloggers and rootkits

    • Understand how to hide files, cover tracks, perform steganography, and erase evidence

Password Guessing

  • Password guessing is the first step to owning the target

    • Common passwords are (LM is case-insensitive, so case does not matter)

      • password

      • root

      • administrator

      • admin

      • operator

      • demo

      • test

      • webmaster

      • backup

      • trial

      • guest

      • member

      • private

      • {blank}

Password Guessing

  • Manual password guessing can be done by connecting to a share on the target with net use and a known username (usernames typically come from the null-session enumeration done in the earlier phase); the trailing * makes net use prompt for the password

  • Good candidate accounts include

    • Accounts that have never been logged in

    • Accounts that haven't had a password change in a while

    • Administrator

    • Guest

      net use * \\target_ip\share * /u:name

Password Guessing

  • Automated Password Guessing

    • Guessing passwords is seldom easy

    • Attackers need to hit as many accounts and try as many passwords as possible

    • Can be done by creating a simple script that loops the guessing with NET USE:

      C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j

      credentials.txt = a text file with one "password username" pair per line (%i is the password, %j the username; inside a batch file write %%i and %%j)

Password Guessing

  • Automated Password Guessing (cont.)

    • Drawbacks

      • Can cause a DoS if a password lockout policy exists: every account hit often enough is locked for the lockout duration, legitimate users cannot log in, and the flood of failed logons stands out in the Security log

        • Target the Guest account first to see if a policy exists, and keep the number of attempts per account below the threshold

    • Automated password guessing tools

      • Legion

      • NetBIOS Auditing Tool
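The lockout drawback above is easy to avoid in code. What follows is an added example, not code from the slides: the guessing logic in Python, run against a constructed simulated target so that the lockout behaviour can be exercised offline (a real run would call net use or an SMB library in place of the simulator, which is assumed away here). The names SimulatedTarget, spray and lockout_threshold are this example's own; the two error codes are the real Win32 values net use reports.

```python
from collections import defaultdict

# The common-password list from the slide; the empty string is the "{blank}" entry.
COMMON_PASSWORDS = ["password", "root", "administrator", "admin", "operator", "demo",
                    "test", "webmaster", "backup", "trial", "guest", "member",
                    "private", ""]

# Win32 error codes that "net use" surfaces as "System error NNNN has occurred."
ERROR_LOGON_FAILURE = 1326
ERROR_ACCOUNT_LOCKED_OUT = 1909


class SimulatedTarget:
    """Constructed stand-in for a Windows host (not a real SMB client): accepts logons
    and enforces an account lockout threshold the way the domain policy would."""

    def __init__(self, accounts, lockout_threshold=5):
        self.accounts = accounts            # username -> real password
        self.threshold = lockout_threshold  # 0 means lockout disabled
        self.failures = defaultdict(int)
        self.locked = set()

    def logon(self, user, password):
        if user in self.locked:
            return ERROR_ACCOUNT_LOCKED_OUT
        if self.accounts.get(user) == password:
            self.failures[user] = 0
            return 0
        self.failures[user] += 1
        if self.threshold and self.failures[user] >= self.threshold:
            self.locked.add(user)
            return ERROR_ACCOUNT_LOCKED_OUT
        return ERROR_LOGON_FAILURE


def lockout_threshold(logon, user="Guest", max_probe=10):
    """The slide's heuristic: burn deliberately wrong guesses against one low-value
    account until it locks, to learn whether (and at what count) a policy exists.
    Returns the failure count that triggered lockout, or None if none was observed."""
    for n in range(1, max_probe + 1):
        rc = logon(user, f"not-the-password-{n}")
        if rc == ERROR_ACCOUNT_LOCKED_OUT:
            return n
        if rc == 0:               # probe accidentally logged in; stop touching the account
            return None
    return None


def spray(logon, users, passwords, max_per_user=3):
    """Horizontal guessing: try one password against every user before moving to the
    next password, and cap attempts per user so the lockout threshold is never reached.
    max_per_user=None removes the cap (the DoS-prone behaviour of the plain FOR loop).
    Returns (found, locked): credentials that worked and accounts that got locked."""
    found, locked, attempts = {}, set(), defaultdict(int)
    for pw in passwords:
        for user in users:
            if user in found or user in locked:
                continue
            if max_per_user is not None and attempts[user] >= max_per_user:
                continue
            attempts[user] += 1
            rc = logon(user, pw)
            if rc == 0:
                found[user] = pw
            elif rc == ERROR_ACCOUNT_LOCKED_OUT:
                locked.add(user)
            elif rc != ERROR_LOGON_FAILURE:
                raise RuntimeError(f"unexpected error {rc} for {user}")
    return found, locked


if __name__ == "__main__":
    target = SimulatedTarget({"administrator": "password", "backup": "webmaster"})
    print("lockout after", lockout_threshold(SimulatedTarget({}, 5).logon), "failures")
    print(spray(target.logon, ["administrator", "backup", "guest"], COMMON_PASSWORDS))
```

Windows also resets the bad-password counter after the lockout observation window, so real tooling spaces its passes out in time as well; the simulator does not model the window, only the threshold.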

Password Guessing

  • Password Sniffing

    • Often a preferred tactic to password guessing

    • Credentials, or the challenge/response exchange, are captured off the wire

    • Captured plaintext credentials (telnet, FTP, HTTP basic) can simply be replayed; a captured LM/NTLM challenge/response cannot, because the server challenge changes every time, so it is cracked offline instead (or relayed to another host while the exchange is live)

Password Guessing

  • Password Sniffing (cont.)

    • L0phtcrack (LC5)

      • Password auditing and recovery application

      • Includes a sniffer to extract user credentials

      • Acquired by Symantec (via @stake) and discontinued in 2006; later re-released by its original authors

    • KerbCrack

      • Another useful password sniffer

      • Two parts

        • KerbSniff – listens on port 88 and captures the Kerberos pre-authentication exchange

        • KerbCrack – brute-forces or dictionary-attacks the user's password offline from the captured exchange

Password Guessing

  • Password Sniffing (cont.)

    • Other sniffers

      • ScoopLM – sniffs for Windows LM/NTLM authentication

        • Has a built-in dictionary and brute force cracker

      • Dsniff – Collection of Unix tools for network auditing and pen testing

      • Wireshark

      • Sniffit – general purpose sniffer

      • Snort – IDS and sniffer

      • TCPDump/WinDump

Password Guessing

  • Alternate means for acquiring passwords

    • Dumpster diving

      • Post-it notes are great!

    • Shoulder Surfing

      • Watch a user login or enter a code

      • Take pictures/video if you can

Password Guessing

  • Keystroke loggers (keyloggers)

    • Intercept the target's keystrokes

      • Stored in a file to be read later

      • Transmit them to the hacker

      • All keystrokes are recorded

        • Lots of useful information!

        • Lots of useless information too...

Password Guessing

  • Keyloggers (cont.)

    • Two types

      • Hardware

        • Require physical access to the computer (inline on the keyboard cable, or inside the keyboard)

        • Invisible to anti-spyware and host firewalls, since nothing runs on the host; only a physical inspection finds them

      • Software

        • Installed directly on the target system

        • Typically part of a trojan

        • Some include screen capture capabilities

          • Spector and PCSpy

        • Some include audio/video capture capabilities

Password Guessing

  • Keyloggers (cont.)

    • Keylogging tools

      • ISpyNow

      • Invisible keylogger

      • PC Activity Monitor

      • IKS Software keylogger

      • KeyCaptor

      • Remote Spy

Privilege Escalation

  • Often the Administrator account and password cannot be obtained

  • The attacker will have to settle for accessing the network with a non-administrator account

  • The attacker will need to escalate the privileges for this account

Privilege Escalation

  • Privilege escalation exploits generally run on the compromised machine, under the low-privileged account already obtained

    • A few target services reachable over the network and can be executed remotely

  • OS patches close the vulnerabilities these tools rely on, so each works only against specific unpatched versions
Privilege Escalation

  • Privilege Escalation Tools

    • GetAdmin.exe – works only with NT 4.0 SP3

    • Hk.exe – works on IIS 5.0

    • Pipeupadmin – works on Windows 2000

    • Billybastard – works on WS2K3 and XP

    • Getad – works on XP

Password Cracking

  • Passwords are not stored in the clear; the system stores a one-way hash, and the Windows challenge/response protocols never send the hash itself but a value derived from it and a server challenge

  • When a user logs in, a password hash is generated and compared with a stored hash

Password Cracking

  • Windows NT supported two kinds of challenge/response authentication, LanManager (LM) and NTLM; NTLMv2 arrived with NT 4.0 SP4

    • LanManager (LM)

      • Not case sensitive: all characters are converted to upper case

      • The password is NULL-padded to 14 characters and split into two 7-character halves, each of which is hashed separately

        • Passwords of exactly 14 characters split directly into two 7-character halves

        • Passwords shorter than 14 characters are padded up to 14 with NULL bytes, then split in two

        • Passwords longer than 14 characters cannot be represented, so no LM hash is stored for them

        • Because each half is attacked independently, a 14-character password costs about twice the work of a 7-character one rather than the square; a password of 7 characters or fewer has an all-NULL second half that always hashes to AAD3B435B51404EE, which gives its length away

Password Cracking

  • LanManager (cont.)

    • Example – password is “123456qwerty”

      • Password converted to upper case

        • “123456QWERTY”

      • Password is padded with NULL bytes to 14 characters (each . below stands for a NULL byte)

        • "123456QWERTY.."

      • Password split in two

        • "123456Q" and "WERTY.."

      • Each half is used as a DES key to encrypt the constant KGS!@#$%, giving an 8-byte value

        • "123456Q" = 6BF11E04AFAB197F

        • "WERTY.." = F1E9FFDCC75575B15

      • The two values are concatenated into the 16-byte LM hash

        • 6BF11E04AFAB197F F1E9FFDCC75575B15

Password Cracking

  • NTLM (the NT hash)

    • MD4 of the password encoded as UTF-16LE; 128-bit output, unsalted

    • Case sensitive, not converted to upper case, and not split into halves or truncated at 14 characters

  • On the wire, NTLMv2 challenge/response (NT 4.0 SP4 and later, selected with LMCompatibilityLevel) replaced the LM response

  • Windows 2000 SP2 and later allow LM hash storage to be disabled (the NoLMHash setting); Vista and later no longer store it by default
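To make the LM-versus-NT difference concrete, here is an added example (not from the slides) in Python that computes the NT hash itself: MD4 over the UTF-16LE password, implemented from the RFC 1320 description because hashlib's md4 is disabled in many current OpenSSL builds. lm_halves reproduces the LM preprocessing from the previous slide (uppercase, NULL-pad, split) without the DES step, and assumes an ASCII password. The function names are this example's own.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def _md4_round(state, x, func, order, shifts, const):
    # Sixteen steps; the word being updated rotates a, d, c, b as in RFC 1320.
    for i in range(16):
        t = (-i) % 4
        v = state[t] + func(state[(t + 1) % 4], state[(t + 2) % 4], state[(t + 3) % 4])
        v = (v + x[order[i]] + const) & MASK
        state[t] = _rotl(v, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Unsalted and very fast, which is why NT hashes crack so quickly."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))        # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        saved = list(state)
        _md4_round(state, x, _f, range(16), (3, 7, 11, 19), 0)
        _md4_round(state, x, _g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(state, x, _h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + p) & MASK for s, p in zip(state, saved)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the password as UTF-16LE. Case-sensitive, never split or truncated at 14."""
    return md4(password.encode("utf-16le"))


def lm_halves(password: str):
    """LM preprocessing from the slide: uppercase, NULL-pad to 14 bytes, split into two
    7-byte DES keys. Each half would then encrypt the constant KGS!@#$% to give one
    8-byte half of the LM hash (DES step omitted here). Assumes ASCII; passwords over
    14 characters have no LM hash at all."""
    if len(password) > 14:
        return None
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]
```

Note that nt_hash("Password") and nt_hash("password") differ while lm_halves gives the same two keys for both, which is the whole LM weakness in one line.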

Password Cracking

  • Password Cracking Techniques

    • Once a hash is obtained it can be attacked offline, with no lockout policy or logging in the way

    • The cracker hashes candidate passwords and compares each result with the stolen hash until one matches

    • Automated password crackers employ one or more types of password attacks

      • Brute force

      • Dictionary attack

      • Hybrid attack

      • Rainbow attack

Password Cracking

  • Password Cracking Techniques (cont.)

    • Dictionary attack

      • Fastest method: each word of a wordlist is hashed and compared, so only passwords that actually appear in the list are found

      • Many dictionaries are available

      • Most tools include a base dictionary

Password Cracking

  • Password Cracking Techniques (cont.)

    • Brute Force Attack

      • Most thorough method

      • Exhaustively enumerates every string over a chosen character set and length (not random guessing)

      • Can take a very long time: cost grows as (character-set size)^length, so every extra character multiplies the work

      • Every password falls to brute force eventually; length and character set decide whether "eventually" means hours or centuries

Password Cracking

  • Password Cracking Techniques (cont.)

    • Hybrid Attack

      • Builds on the dictionary method by adding numeric and symbolic characters to dictionary words

      • Examples

        • p@ssword

        • p@ssw0rd

        • p@55w0rd
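The dictionary, hybrid and brute-force techniques above, as an added example that is not code from the slides: a small Python cracker that runs a dictionary pass, then hybrid mangling of each word (including the p@ssword / p@ssw0rd / p@55w0rd substitutions listed), then exhaustive brute force. The target is an unsalted MD5 digest standing in for an LM/NT hash (an assumption made so the example runs with the standard library; the search logic does not depend on the hash), the wordlist is constructed, and the function names are this example's own.

```python
import hashlib
import itertools
import string

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "qwerty", "welcome", "monkey"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = [str(n) for n in range(100)] + ["!", "123", "!!"]


def h(candidate: str) -> str:
    # Assumption: unsalted MD5 stands in for the (equally unsalted) LM/NT hash.
    return hashlib.md5(candidate.encode()).hexdigest()


def dictionary_candidates(words):
    """Dictionary attack: each word exactly as listed."""
    yield from words


def hybrid_candidates(words):
    """Hybrid attack: every combination of leet substitutions (p@ssword, p@ssw0rd,
    p@55w0rd ...), three case variants, and common digit/symbol suffixes."""
    for word in words:
        options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
        for combo in itertools.product(*options):
            base = "".join(combo)
            for variant in (base, base.capitalize(), base.upper()):
                yield variant
                for suffix in SUFFIXES:
                    yield variant + suffix


def brute_force_candidates(alphabet, max_len):
    """Brute force: exhaustive, not random; cost grows as len(alphabet) ** length."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def crack(target: str, words=WORDLIST,
          alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Run the cheap attacks first and fall back to brute force.
    Returns (method, password, candidates_tried); method is None on failure."""
    stages = [("dictionary", dictionary_candidates(words)),
              ("hybrid", hybrid_candidates(words)),
              ("brute-force", brute_force_candidates(alphabet, max_len))]
    tries = 0
    for name, candidates in stages:
        for candidate in candidates:
            tries += 1
            if h(candidate) == target:
                return name, candidate, tries
    return None, None, tries


if __name__ == "__main__":
    for pw in ("qwerty", "p@ssw0rd", "Monkey99", "zz9", "Tr0ub4dor&3"):
        print(pw, "->", crack(h(pw)))
```

The candidates_tried count is the point of the ordering: a password the dictionary catches costs a handful of hashes, a hybrid hit a few thousand, and brute force tens of thousands even for three characters.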

Password Cracking

  • Password Cracking Techniques (cont.)

    • Rainbow Attack

      • Trades the time spent hashing every possible password at crack time for disk space used by a table computed once in advance

      • The table stores chains of alternating hash and "reduce" steps, keeping only each chain's start and end point rather than every hash, which is what makes it small enough to store

      • Extremely fast at lookup time

      • End points are stored sorted for rapid indexing of the target hash

      • Only works against unsalted hashes; LM and NT hashes are unsalted, which is why Ophcrack's tables work against them
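The chain construction described above, as an added example that is not code from the slides: a toy rainbow table in Python over four-letter lowercase passwords. Unsalted MD5 stands in for the LM/NT hash (an assumption; the construction is identical for any unsalted hash), the reduction function and the names chain, build_table and lookup are this example's own.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4          # password space: 26**4 lowercase strings (toy size)
CHAIN_LEN = 50      # hashes per chain; longer chains = smaller table, slower lookup


def h(password: str) -> bytes:
    # Assumption: unsalted MD5 stands in for LM/NT. A salted hash defeats this whole
    # approach because the table would have to be rebuilt for every salt value.
    return hashlib.md5(password.encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Reduction R_i: map a digest back to *some* password in the space (not an inverse).
    Mixing in the column index gives each column its own R, which is what makes the
    table "rainbow" and limits chains merging after a collision."""
    n = int.from_bytes(digest, "big") + column
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain(start: str):
    """p_0 = start, p_{i+1} = R_i(H(p_i)); returns [p_0 .. p_CHAIN_LEN]."""
    pws = [start]
    for i in range(CHAIN_LEN):
        pws.append(reduce_(h(pws[-1]), i))
    return pws


def build_table(starts):
    """Precomputation (offline, done once): keep only endpoint -> start.
    The intermediate passwords of every chain are the memory that is traded away."""
    return {chain(s)[-1]: s for s in starts}


def lookup(table, target: bytes):
    """Online phase: for each column the target hash could sit in, walk the chain to
    its end and check the endpoint against the table; on a hit rebuild that chain and
    read off the password (a hit can be a false alarm from a merged chain, hence the
    final comparison)."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        x = reduce_(target, k)
        for i in range(k + 1, CHAIN_LEN):
            x = reduce_(h(x), i)
        start = table.get(x)
        if start is not None:
            for pw in chain(start):
                if h(pw) == target:
                    return pw
    return None


if __name__ == "__main__":
    table = build_table(["aaaa", "hack", "zzzz"])
    probe = chain("hack")[17]            # a password the table is known to cover
    print(probe, "->", lookup(table, h(probe)))
```

Three chains of fifty steps cover 150 passwords of a 456,976-password space, so most random probes miss; real tables (Ophcrack's LM and NT sets) use millions of chains and report coverage as a probability for exactly this reason.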

Password Cracking

  • Stealing SAM

    • The SAM file in Windows NT/2000/2003 holds the usernames and the LM/NT password hashes

    • Located in: %systemroot%\system32\config\SAM

    • The file is locked by the kernel while the system is running

      • Boot the system from an alternate OS and copy it, together with the SYSTEM hive next to it, which holds the boot key

    • Starting with WinNT 4.0 SP3, a second layer of 128-bit encryption called SYSKEY was added on top of the hashes

      • This makes offline use of a stolen SAM much harder unless the SYSTEM hive (or the boot key) is obtained as well; with both files, current tools decrypt the hashes routinely

Password Cracking

  • Cracking Tools

    • Once password hashes have been collected, a password cracking tool can be used

      • L0phtcrack – mentioned earlier

      • John the Ripper – available for Unix, DOS, Win32 and BeOS at the time; still actively developed

      • Brutus – an online guesser against network services (HTTP, FTP, telnet) rather than an offline hash cracker, so it is subject to lockout and logging

      • Ophcrack – LM/NT cracker built around rainbow tables

      • RainbowCrack – generic rainbow table generator and cracker

      • Pwdump – hash extraction tool; runs with administrator rights on the live system and reads the hashes after SYSKEY has been applied, so SYSKEY does not stop it

Covering Tracks

  • Once a system has been compromised, the attacker is not finished...

  • The attacker must cover their tracks

    • Disable logging

    • Clear log files

    • Eliminate evidence

    • Plant additional tools

Covering Tracks

  • Disable Auditing

    • Auditpol.exe

      • Included in the WinNT Resource Kit

      • Disables auditing on the target (requires administrator access): c:\>auditpol \\computer /disable

      • The auditpol.exe built into Vista and later uses a different syntax, and any change to the audit policy is itself recorded (Security event 4719, "System audit policy was changed"; 612 on NT/2000/XP), so this step leaves a trace of its own

    • Once the system is compromised and all tools are installed, auditing can be enabled again

Covering Tracks

  • Clearing the Event Log

    • The attacker will want to clear the logs in Event Viewer

    • Tools

      • elsave – clears the Security log (optionally saving it first)

        • This method will draw attention: the system writes a "log cleared" event as the first new record (517 on NT/2000/XP, 1102 on Vista and later), so an empty log with that entry on top is itself evidence

      • Evidence Eliminator – very powerful, easy-to-use cleanser of activity traces

      • Winzapper – erases individual event records selectively, which avoids the clear-log event but can leave holes in the otherwise sequential record numbers
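Seen from the defender's side, the two slides above (disabling auditing and clearing the log) both leave traces. Added example, not part of the slides: a Python check over a constructed batch of Security-log records (JSON lines with the field names assumed below, as an export script might produce) that flags audit-policy changes, log clears, and gaps in the record sequence. The event IDs 4719/1102 (Vista and later) and 612/517 (NT/2000/XP) are the real Windows IDs; the sample data and the function names are this example's own.

```python
import json

# Security-log events that covering-tracks activity produces.
TELLTALE_EVENTS = {
    4719: "System audit policy was changed (Vista and later)",
    1102: "The audit log was cleared (Vista and later)",
    612: "Audit policy change (NT/2000/XP)",
    517: "The audit log was cleared (NT/2000/XP)",
}

# Constructed sample: one JSON object per line; record 103 is deliberately missing.
SAMPLE_LOG = """\
{"RecordId": 100, "EventId": 4624, "Time": "2024-05-01T08:00:01", "User": "jsmith"}
{"RecordId": 101, "EventId": 4719, "Time": "2024-05-01T08:02:10", "User": "backup"}
{"RecordId": 102, "EventId": 4624, "Time": "2024-05-01T08:02:11", "User": "backup"}
{"RecordId": 104, "EventId": 4634, "Time": "2024-05-01T08:30:00", "User": "jsmith"}
{"RecordId": 105, "EventId": 4624, "Time": "2024-05-01T09:00:00", "User": "jsmith"}
{"RecordId": 106, "EventId": 1102, "Time": "2024-05-01T09:05:42", "User": "backup"}
"""


def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def review(records):
    """Return findings as tuples: ("event", record_id, event_id, user) for telltale
    events, and ("gap", first_missing, last_missing) where record numbers are not
    contiguous. Records are numbered sequentially, so selective deletion can leave such
    holes, whereas a log that simply wrapped stays contiguous."""
    findings = []
    prev = None
    for rec in sorted(records, key=lambda r: r["RecordId"]):
        rid = rec["RecordId"]
        if prev is not None and rid != prev + 1:
            findings.append(("gap", prev + 1, rid - 1))
        prev = rid
        if rec["EventId"] in TELLTALE_EVENTS:
            findings.append(("event", rid, rec["EventId"], rec["User"]))
    return findings


def report(log_text=SAMPLE_LOG):
    """Human-readable lines for each finding."""
    lines = []
    for finding in review(parse(log_text)):
        if finding[0] == "gap":
            lines.append(f"records {finding[1]}-{finding[2]} missing")
        else:
            lines.append(f"record {finding[1]}: {TELLTALE_EVENTS[finding[2]]} by {finding[3]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The gap check only works if the log is reviewed (or forwarded to a collector) before the attacker clears it; the slide's own advice to monitor server logs is what makes these events worth anything.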

Covering Tracks

  • Planting Rootkits

    • One of the goals of hacking is to allow the attacker to access the box at a later time

    • This can be done by installing a rootkit

    • Rootkit

      • A collection of software tools installed after a compromise to keep privileged access and hide the attacker's presence; it does not by itself obtain administrator access, that has to come first

      • Can also monitor traffic, log keystrokes, create backdoors, alter log files, attack other systems, and replace or hook system tools so they do not report the rootkit's own files and processes

Covering Tracks

  • Planting Rootkits

    • Ntrootkit

      • Can do all of the afore mentioned

      • Hide processes

      • Hide files

      • Hide registry entries

      • Intercept keystrokes

      • Issue a debug interrupt, causing a BSoD

      • Redirect EXE files

Covering Tracks

  • File Hiding

    • Two ways of hiding files in Windows (other than rootkits)

      • File attributes

        • Attrib.exe +h [file/directory]

        • Sets the hidden attribute only; the file is revealed as soon as Explorer is set to show hidden files or a directory listing includes them

      • Using NTFS Alternate Data Streams (ADS)

        • A stream attached to an existing file (file.txt:payload.exe) shows up in neither ordinary directory listings nor the file's reported size; it is lost if the file is copied to FAT or sent over a non-NTFS transport, and dedicated stream-listing tools reveal it

Countermeasures

  • Password guessing/cracking

    • Enforce long, complex passwords mixing upper/lower case, digits and symbols; passphrases of 15 or more characters also prevent an LM hash from being stored at all

    • Force password changes on a regular basis

    • Physically isolate and protect servers (offline SAM theft needs physical or boot access)

    • Use the SYSKEY utility so the hashes on disk are encrypted

    • Monitor server logs

    • Block access to TCP 135-139 (and 445, which carries SMB on Windows 2000 and later) at the perimeter

    • Disable WINS

    • Log failed login attempts

    • Log successful login attempts

    • Enable an account lockout policy, which both slows guessing and makes it visible