System Hacking Techniques - PowerPoint PPT Presentation

Presentation Transcript

  1. System Hacking Techniques
  BAI514 – Security I

  2. System Hacking Techniques
  • Once the pretest phases are complete, the next goal is to hack the target system
  • The goal is to completely “own” the target
  • This requires
    • Passwords
    • Active usernames
    • Highest level of permissions
  • This is achieved by exploiting common operating system vulnerabilities

  3. System Hacking Techniques
  • To successfully hack a system you need to
    • Identify various password cracking techniques and tools
    • Understand escalation of privilege
    • Understand keyloggers and rootkits
    • Understand how to hide files, cover tracks, perform steganography, and erase evidence

  4. Password Guessing
  • Password guessing is the first step to owning the target
  • Common passwords are
    • Password
    • Root
    • Administrator
    • Admin
    • operator
    • Demo
    • Test
    • webmaster
    • backup
    • trial
    • guest
    • member
    • private
    • {blank}

  5. Password Guessing
  • Password guessing can be done by creating a null share, using a known username
  • Good candidate accounts include
    • Accounts that have never been logged in
    • Accounts that haven’t had a password change in a while
    • Administrator
    • Guest

      net use * \\target_ip\share * /u:name

  6. Password Guessing
  • Automated Password Guessing
    • Guessing passwords is seldom easy
    • Attackers need to hit as many accounts and try as many passwords as possible
    • Can be done by creating a simple script that loops the guessing with NET USE

      C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j

      credentials.txt = a username/password text file

  7. Password Guessing
  • Automated Password Guessing (cont.)
    • Drawbacks
      • Can cause a DoS if a password lockout policy exists
      • Target the guest account first to see if a policy exists
    • Automated password guessing tools
      • Legion
      • NetBIOS Auditing Tool

  8. Password Guessing
  • Password Sniffing
    • Often a preferred tactic to password guessing
    • Credentials are sniffed off the wire
    • Once captured, credentials are simply replayed

  9. Password Guessing
  • Password Sniffing (cont.)
    • L0phtcrack (LC5)
      • Password auditing and recovery application
      • Includes a sniffer to extract user credentials
      • Purchased by Symantec and discontinued
    • KerbCrack
      • Another useful password sniffer
      • Two parts
        • KerbSniff – listens on port 88
        • KerbCrack – used to brute force passwords

  10. Password Guessing
  • Password Sniffing (cont.)
    • Other sniffers
      • ScoopLM – sniffs for Windows LM/NTLM authentication
        • Has a built-in dictionary and brute force cracker
      • Dsniff – collection of Unix tools for network auditing and pen testing
      • Wireshark
      • Sniffit – general purpose sniffer
      • Snort – IDS and sniffer
      • TCPDump/WinDump

  11. Password Guessing
  • Alternate means for acquiring passwords
    • Dumpster diving
      • Post-it notes are great!
    • Shoulder surfing
      • Watch a user log in or enter a code
      • Take pictures/video if you can

  12. Password Guessing
  • Keystroke loggers (keyloggers)
    • Intercept the target’s keystrokes
      • Stored in a file to be read later
      • Transmitted to the hacker
    • All keystrokes are recorded
      • Lots of useful information!
      • Lots of useless information too...

  13. Password Guessing
  • Keyloggers (cont.)
    • Two types
      • Hardware
        • Require physical access to the computer
        • Most difficult to detect with anti-spyware/firewall
      • Software
        • Installed directly on the target system
        • Typically part of a trojan
        • Some include screen capture capabilities
          • Spector and PCSpy
        • Some include audio/video capture capabilities

  14. Password Guessing
  • Keyloggers (cont.)
    • Keylogging tools
      • ISpyNow
      • Invisible Keylogger
      • PC Activity Monitor
      • IKS Software Keylogger
      • KeyCaptor
      • Remote Spy

  15. Privilege Escalation
  • Often the Administrator account and password cannot be obtained
  • The attacker will have to settle for accessing the network with a non-administrator account
  • The attacker will need to escalate the privileges for this account

  16. Privilege Escalation
  • Privilege escalation tools must be executed on the local machine
    • Some can be executed remotely
  • OS patches can reduce the ability of these tools to function

  18. Privilege Escalation
  • Privilege Escalation Tools
    • GetAdmin.exe – works only with NT 4.0 SP3
    • Hk.exe – works on IIS 5.0
    • Pipeupadmin – works on Windows 2000
    • Billybastard – works on WS2K3 and XP
    • Getad – works on XP

  19. Password Cracking
  • Passwords are generally stored and transmitted in an encrypted form called a hash
  • When a user logs in, a password hash is generated and compared with a stored hash

  20. Password Cracking
  • Prior to Windows NT 4.0 SP4, Windows supported two kinds of challenge/response
  • LanManager (LM)
    • Not case sensitive
      • Converts all characters to upper case
    • All passwords are stored as two 7-character hashes
      • Passwords of exactly 14 characters are split into two 7-character hashes
      • Passwords of fewer than 14 characters are padded up to 14 characters, then split in two
    • Due to the mathematics of password cracking, it is easier to crack two 7-character hashes than one 14-character hash

  21. Password Cracking
  • LanManager (cont.)
    • Example – password is “123456qwerty”
      • Password converted to upper case
        • “123456QWERTY”
      • Password is padded with NULL to 14 characters
        • “123456QWERTY..”
      • Password split in two
        • “123456Q” and “WERTY..”
      • Each half is hashed
        • “123456Q” = 6BF11E04AFAB197F
        • “WERTY..” = F1E9FFDCC75575B15
      • The two hashes are concatenated
        • 6BF11E04AFAB197F F1E9FFDCC75575B15

  22. Password Cracking
  • NTLM
    • Uses all 14 characters
    • Allows upper and lowercase letters
    • The LM hash has been replaced with WinNT Challenge/Response NTLMv2
      • Key space is now 128 bits
    • Windows 2000 SP2 and later allowed the disabling of LAN Manager password storing
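The LM preparation steps of slides 20-21, and the checks a defender can run on a dumped LM hash without cracking it, as an added example that is not part of the slide deck. DES itself is not computed; the well-known LM hash of an empty half (AAD3B435B51404EE) is used as the marker for NUL-only halves, and the 69-symbol character count for the case-folded LM alphabet is an assumption used for the size comparison.

```python
# Added example (not from the slides): models the LM-hash preparation of
# slides 20-21 and audits a dumped LM hash for the weaknesses those slides
# describe. No DES is performed; the constant below is the known LM hash of
# a 7-byte NUL (empty) half.
from __future__ import annotations
from dataclasses import dataclass

# Appears as the second half of every LM hash whose password has 7 or fewer
# characters, and as both halves when LM storage is disabled (slide 22) or
# the account has no password at all.
EMPTY_HALF = "AAD3B435B51404EE"

def lm_prepare(password: str) -> tuple[bytes, bytes]:
    """Slide 21, before hashing: upper-case, OEM-encode, truncate/pad with
    NULs to 14 bytes, split into the two 7-byte halves used as DES keys."""
    raw = password.upper().encode("cp437", errors="replace")[:14]
    raw = raw.ljust(14, b"\x00")
    return raw[:7], raw[7:]

@dataclass
class LmFinding:
    lm_storage_disabled: bool
    short_password: bool      # second half is the empty marker: <= 7 chars
    halves_identical: bool    # same 7-character block repeated twice

def audit_lm_hash(lm_hex: str) -> LmFinding:
    """Classify one 32-hex-digit LM hash as it would appear in a SAM dump."""
    h = lm_hex.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("LM hash must be 32 hex digits")
    first, second = h[:16], h[16:]
    return LmFinding(
        lm_storage_disabled=(first == EMPTY_HALF and second == EMPTY_HALF),
        short_password=(second == EMPTY_HALF and first != EMPTY_HALF),
        halves_identical=(first == second and first != EMPTY_HALF),
    )

def lm_split_search_space(charset_size: int = 69) -> tuple[int, int]:
    """Slide 20's point in numbers: two independent 7-character halves versus
    one 14-character password over the same alphabet. 69 (assumed) = 26
    upper-case letters + 10 digits + 33 printable symbols left after case folding."""
    two_halves = 2 * charset_size ** 7   # each half is attacked on its own
    one_password = charset_size ** 14    # what a single 14-character hash would cost
    return two_halves, one_password
```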

  23. Password Cracking
  • Password Cracking Techniques
    • Once a hash is obtained, it can be cracked
    • Tools must be used to generate hashes until a match is found
    • Automated password crackers employ one or more types of password attacks
      • Brute force
      • Dictionary attack
      • Hybrid attack
      • Rainbow attack

  24. Password Cracking
  • Password Cracking Techniques (cont.)
    • Dictionary attack
      • Fastest method for generating hashes
      • Many dictionaries are available
      • Most tools include a base dictionary

  25. Password Cracking
  • Password Cracking Techniques (cont.)
    • Brute Force Attack
      • Most powerful method
      • Randomly generates passwords and their hashes
      • Can take a very long time (months, years?)
      • All passwords can be cracked with brute force

  26. Password Cracking
  • Password Cracking Techniques (cont.)
    • Hybrid Attack
      • Builds on the dictionary method by adding numeric and symbolic characters to dictionary words
      • Examples
        • p@ssword
        • p@ssw0rd
        • p@55w0rd

  27. Password Cracking
  • Password Cracking Techniques (cont.)
    • Rainbow Attack
      • Trades off the time-consuming process of creating all possible password hashes
      • Builds a hash table in advance
      • Extremely fast
      • Hash table is stored in order for rapid indexing of the target hash

  28. Password Cracking
  • Stealing SAM
    • SAM file in Windows NT/2000/2003 contains the usernames and encrypted passwords
    • Located in: %systemroot%\system32\config
    • The file is locked when the system is running
      • Boot the system from an alternate OS
    • Starting with WinNT SP3, a second layer of 128-bit encryption was added called SYSKEY
      • This makes cracking the passwords MUCH harder

  29. Password Cracking
  • Cracking Tools
    • Once password hashes have been collected, a password cracking tool can be used
      • L0phtcrack – mentioned earlier
      • John the Ripper – currently available for Unix, DOS, Win32, BeOS
      • Brutus – uses dictionary and brute force attacks
      • Ophcrack – uses Rainbow Tables
      • RainbowCrack – uses Rainbow Tables
      • Pwdump – password extraction tool that can bypass SYSKEY

  30. Covering Tracks
  • Once a system has been compromised, the attacker is not finished...
  • The attacker must cover their tracks
    • Disable logging
    • Clear log files
    • Eliminate evidence
    • Plant additional tools

  31. Covering Tracks
  • Disable Auditing
    • Auditpol.exe
      • Included in the WinNT Resource Kit
      • Disables auditing

        c:\>auditpol \\10.1.1.13 /disable

    • Once the system is compromised and all tools are installed, auditing can be enabled again

  32. Covering Tracks
  • Clearing the Event Log
    • The attacker will want to clear the logs in Event Viewer
    • Tools
      • Eslave – clears the security log
        • This method will draw attention
      • Evidence Eliminator – very powerful, easy to use log cleanser
      • Winzapper – can erase event records selectively
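A tamper check for the disable-auditing / work / re-enable-auditing sequence of slide 31 and the log clearing of slide 32, as an added example that is not part of the slide deck. Windows records an audit policy change as Security event 4719 and a cleared security log as event 1102; the simplified CSV layout, the "disabled"/"enabled" detail column and the sample records are constructed for this example, and the check assumes the log has been forwarded off-host, since a cleared local log carries nothing to examine.

```python
# Added example (not from the slides): finds "blind windows" in a forwarded
# Security log, i.e. a 4719 audit-policy change to "disabled" followed by a
# 4719 change back to "enabled" (slide 31), and lists 1102 log-cleared events
# (slide 32). Real 4719 events carry subcategory/change fields; the single
# "detail" column used here is a simplification made for the example.
from datetime import datetime, timedelta

# Constructed sample: "timestamp,event_id,detail". 4719 = audit policy changed,
# 1102 = security log cleared, 4688 = process created. Not real log data.
SAMPLE_LOG = """\
2024-01-05T22:10:00,4719,disabled
2024-01-05T22:10:05,4688,installer.exe
2024-01-05T22:41:00,4719,enabled
2024-01-05T22:41:30,1102,log cleared by Administrator
2024-01-06T09:00:00,4688,notepad.exe
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, detail = line.split(",", 2)
            rows.append((datetime.fromisoformat(ts), int(eid), detail))
    return rows

def audit_gaps(rows, min_gap=timedelta(minutes=5)):
    """Return (blind_windows, clear_events). A blind window is the span from a
    4719 'disabled' to the next 4719 'enabled'; windows at least min_gap long,
    or still open at the end of the log, are reported together with whatever
    events were still recorded inside them, the only trace of that period."""
    blind, clears, open_since, inside = [], [], None, []
    for ts, eid, detail in sorted(rows):
        if eid == 1102:
            clears.append(ts)
        if eid == 4719 and detail == "disabled" and open_since is None:
            open_since, inside = ts, []
        elif eid == 4719 and detail == "enabled" and open_since is not None:
            if ts - open_since >= min_gap:
                blind.append((open_since, ts, inside))
            open_since, inside = None, []
        elif open_since is not None:
            inside.append((ts, eid, detail))
    if open_since is not None:   # auditing was never turned back on
        blind.append((open_since, None, inside))
    return blind, clears
```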

  33. Covering Tracks
  • Planting Rootkits
    • One of the goals of hacking is to allow the attacker to access the box at a later time
    • This can be done by installing a rootkit
    • Rootkit
      • A collection of software tools that a cracker uses to obtain administrator access to a computer or network
      • Can also monitor traffic, keystrokes, create backdoors, alter log files, attack other systems, alter existing tools to circumvent detection

  34. Covering Tracks
  • Planting Rootkits
    • Ntrootkit
      • Can do all of the aforementioned
      • Hide processes
      • Hide files
      • Hide registry entries
      • Intercept keystrokes
      • Issue a debug interrupt, causing a BSoD
      • Redirect EXE files

  35. Covering Tracks
  • File Hiding
    • Two ways of hiding files in Windows (other than rootkits)
      • File attributes
        • Attrib.exe +h [file/directory]
      • Using NTFS Alternate Data Streams (ADS)

  36. Countermeasures
  • Password guessing/cracking
    • Enforce 7-12 character alphanumeric, upper/lower case passwords
    • Force password changing on a regular basis
    • Physically isolate and protect servers
    • Use SYSKEY utility to store hashes on disk
    • Monitor server logs
    • Block access to TCP 135-139
    • Disable WINS
    • Log failed login attempts
    • Log successful login attempts
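What the last two countermeasures buy you against the scripted guessing loop of slides 6-7: an added example, not part of the slide deck, that runs simple detection logic over constructed Windows-style logon records (Security events 4625 = failed logon, 4624 = successful logon). The CSV layout, the 60-second window and the thresholds are assumptions made for this example.

```python
# Added example (not from the slides): detection logic for the scripted
# guessing loop of slides 6-7, run over constructed Windows-style logon records
# (Security events 4625 = failed logon, 4624 = successful logon). The CSV
# layout and the thresholds are assumptions made for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp,event_id,account,source_ip". Not real logs.
SAMPLE_LOG = """\
2024-01-05T10:00:01,4625,Guest,10.1.1.13
2024-01-05T10:00:02,4625,Administrator,10.1.1.13
2024-01-05T10:00:02,4625,backup,10.1.1.13
2024-01-05T10:00:03,4625,operator,10.1.1.13
2024-01-05T10:00:03,4625,webmaster,10.1.1.13
2024-01-05T10:00:04,4625,test,10.1.1.13
2024-01-05T10:00:05,4624,Administrator,10.1.1.13
2024-01-05T10:07:00,4625,jsmith,10.1.1.20
2024-01-05T10:15:00,4625,jsmith,10.1.1.20
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, acct, ip = line.split(",")
            rows.append((datetime.fromisoformat(ts), int(eid), acct, ip))
    return rows

def detect_guessing(rows, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Flag each source that produces >= min_failures failed logons against
    >= min_accounts distinct accounts inside one window (a loop over a
    credential file, not one user mistyping). Also report whether the Guest
    account was probed first (slide 7) and any success inside the window."""
    by_ip = defaultdict(list)
    for ts, eid, acct, ip in sorted(rows):
        by_ip[ip].append((ts, eid, acct))
    alerts = {}
    for ip, events in by_ip.items():
        fails = [(t, a) for t, e, a in events if e == 4625]
        for i, (start, _) in enumerate(fails):
            burst = [a for t, a in fails[i:] if t - start <= window]
            if len(burst) >= min_failures and len(set(burst)) >= min_accounts:
                success = [a for t, e, a in events
                           if e == 4624 and start <= t <= start + window]
                alerts[ip] = {"failures": len(burst),
                              "accounts": sorted(set(burst)),
                              "guest_probed_first": fails[0][1].lower() == "guest",
                              "success_after_burst": success}
                break
    return alerts
```

The two slow failures from 10.1.1.20 stay below the thresholds, so only the source that worked through the whole account list is reported, together with the account that succeeded right after the burst.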

  37. File hiding/rootkits

  38. FIN