
Chapter 4


hung




Presentation Transcript


  1. Chapter 4 System Hacking: Password Cracking, Escalating Privileges, & Hiding Files

  2. Cracking Passwords • Passive Online Attacks: sniffing, MITM, replay attack • Active Online Attacks: password guessing (works well for weak passwords) • Automating guesses from a dictionary file, one "password username" pair per line (%i = password, %j = username): • C:\> FOR /F "tokens=1,2*" %i in (file.txt) do net use \\targetIP\IPC$ %i /u:%j • Countermeasures: complex passwords; password policies; account lockout; two-factor authentication

  3. Offline Attacks • Dictionary Attack • Hybrid Attack (dictionary words with appended digits, case changes, or character substitutions) • Brute-force Attack • Birthday Attack (finds hash collisions) • Rainbow Table (precomputed hash chains; defeated by salted hashes) • Examples: • Brutus: brute-force, dictionary, and hybrid guessing against network services (an online tool); Windows only • Cain: password cracking, Windows enumeration, VoIP sniffing; Windows only • John the Ripper: dictionary & brute force; cracks Windows and Linux/Unix hashes • Ophcrack: rainbow-table cracking of Windows LM/NTLM hashes

  4. Non-Electronic Attacks • Social Engineering • Defense: education; security-awareness training • Shoulder Surfing • Defense: privacy screens that can't be read at an angle • Dumpster Diving • Defense: shredder

  5. Password Cracking • Manual Password Cracking Algorithm • Find a valid user account • Create a list of possible passwords • Rank the passwords from high to low probability • Try each password in turn • If the system allows entry, success; otherwise try the next one (keep the account lockout threshold in mind)

  6. Password Cracking • Automatic Password Cracking Algorithm (offline) • Find a valid user account • Identify the hashing (or encryption) algorithm the system uses • Obtain the stored password hashes • Create a list of possible passwords • Hash each candidate the same way the system does • Check for a match against each user ID's stored hash • Repeat with new candidates until a match is found

  7. Password Cracking • Goal: produce a candidate whose hash matches the stored one • Automating • Legion: NetBIOS share scanner with share-password brute forcing • L0phtCrack: Windows dictionary, brute-force, hybrid; can also capture SMB authentication packets off the wire • John the Ripper: Windows & Unix/Linux • KerbCrack: Kerberos password sniffer (kerbsniff) & cracker (kerbcrack) • Brute-force attacks on SQL Server logins (including the sa account): SQLBF, SQLDict, FindSA, FindSADic • http://video.google.com/videoplay?docid=4683570944129697667&q#

  8. LAN Manager (LM) Hash • Legacy Windows password hash; NTLMv1 is a challenge/response protocol that authenticates with the stored hash, and the newer NT hash is the MD4 of the user's password (UTF-16LE) • LM hash: convert the password to uppercase, pad with nulls to 14 bytes, split into two 7-byte halves, use each half as a DES key to encrypt the constant "KGS!@#$%" • For 7 characters or less the second half is all nulls, so it always hashes to AAD3B435B51404EE, which tells an attacker the password is short • Stored • Windows: \Windows\system32\config\SAM (LM and NT hashes) • Linux: password hashes in /etc/shadow (salted; no LM format)

  9. Cracking Windows 2000 Passwords • Collect the SAM file (locked while Windows is running, so copy it from offline media or use the backup copy) • C:\Windows\system32\config (C:\WINNT on Windows 2000) • the repair directory backup (C:\WINNT\repair on Windows 2000) • Use a dictionary, brute-force, or hybrid attack against the extracted hashes • Look for the SID ending in -500 to identify the built-in Administrator account, even if it has been renamed

  10. Redirect SMB Logins • Tools • SMBRelay: captures the NTLM challenge/response from SMB authentication and relays it to another host to gain access • SMBRelay2: the same attack using NetBIOS names instead of IP addresses • pwdump2: extracts password hashes from the SAM by injecting into LSASS, so SYSKEY does not stop it • C2MYAZZ: tricks Windows clients into downgrading and sending their credentials in clear text

  11. Password-Cracking Countermeasures • Passwords at least 8 characters long • Windows: SYSKEY encrypts the hashes in the SAM with a 128-bit key • Linux: shadow passwords (hashes readable by root only) • Don't use anything obvious • Policies to force periodic changes, complexity, and account lockout • Monitoring for bursts of failed logons • CAPTCHA: a challenge/response test to ensure the response is not generated by a computer (slows automated online guessing)

  12. Keyloggers • Hardware • Requires physical access • Cannot be detected by host-based monitoring software • Software • FBI's "Magic Lantern": keylogger & encryption-cracking tool • Spector • eBlaster • SpyAnywhere

  13. Escalating Privileges • Non-admin accounts may have weaker passwords than administrators, so compromise one first and escalate from there • Tools • GetAdmin • HK.exe • Executing apps once elevated • PsExec • Remoxec

  14. Rootkits / Backdoors • Kernel-level • Library-level • Application-level • What they do: hide processes, hide registry entries, intercept keystrokes, redirect executable files • Side effect: Blue Screens of Death from unstable hooks • http://www.youtube.com/watch?v=u5VvmL5Tqvc&feature=related • http://www.youtube.com/watch?v=PcqnG4-NkZ4

  15. Rootkit Countermeasures • Restrict admin access • Monitor file changes • Tripwire: compares file size, signature (hash), and integrity against a stored baseline • Don't forget sigverif (verifies the digital signatures on system files and drivers) • Repair: reinstall the OS from a known-good source; a compromised kernel cannot be trusted to report its own files honestly
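The file-change monitoring this slide attributes to Tripwire, as an added Python example (not the slides' or Tripwire's code). It fingerprints every regular file under a directory by size, permission bits and SHA-256, stores that baseline as JSON, and later diffs a fresh snapshot against it. The demo builds a throwaway directory with constructed file contents, then tampers with it the way a rootkit install would: patches a binary, drops a driver, deletes a log.

```python
"""Tripwire-style file integrity monitoring (added example, not Tripwire's code):
baseline a tree, diff a later snapshot, report modified, added and removed files."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

Fingerprint = Dict[str, object]


def file_fingerprint(path: str) -> Fingerprint:
    """Size, mode bits and SHA-256 of one file (the slide's size, signature, integrity)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mode": st.st_mode, "sha256": digest.hexdigest()}


def snapshot(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by '/'-separated relative path."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are skipped in this example
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = file_fingerprint(full)
    return snap


def save_baseline(snap: Dict[str, Fingerprint], path: str) -> None:
    # Keep this file off the monitored host (or signed): it is what the attacker would edit next.
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Fingerprint]:
    with open(path) as fh:
        return json.load(fh)


def compare(baseline: Dict[str, Fingerprint], current: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Which files changed between the baseline and the current snapshot."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for rel, fp in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif fp != baseline[rel]:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {kind: sorted(paths) for kind, paths in report.items()}


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "system32/ntoskrnl.exe", b"kernel image, build 1")
        _write(root, "system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "system32/config/audit.log", b"logon ok\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        # The "rootkit install": patch the kernel image, drop a driver, remove a log.
        _write(root, "system32/ntoskrnl.exe", b"kernel image, build 1 + hook")
        _write(root, "system32/drivers/rootkit.sys", b"\x90" * 16)
        os.remove(os.path.join(root, "system32", "config", "audit.log"))
        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The check is only as trustworthy as the kernel it runs on: a kernel-level rootkit (slide 14) can serve the original bytes to the integrity checker while executing the patched ones, which is why the slide's last point, reinstalling from a known-good source, or at least scanning from boot media, is the real remedy.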

  16. Hiding Files • attrib +h (hidden attribute) • NTFS Alternate Data Streams (ADS) • Steganography • Hide data in unused sectors, hidden partitions, slack space • ImageHide: image files • Blindside: BMP files • MP3Stego: MP3 files • Snow: ASCII text (trailing whitespace) • Stealth: PGP files • http://www.youtube.com/watch?v=bnHVSXbXdnQ • Detecting steganography and hidden data: Stegdetect; Dskprobe
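Whitespace steganography in ASCII text, the kind of hiding Snow performs, together with a simple detector, as an added Python example. This is not the slides' or Snow's code, and the bit encoding is this example's own assumption: each hidden bit becomes one trailing character on a cover line (a tab for 1, a space for 0, BITS_PER_LINE bits per line), and the payload carries a 16-bit length prefix. The cover text is constructed for the demo.

```python
"""Whitespace steganography (Snow-style) and a detector for it. Added example;
the encoding here is the example's own, not Snow's."""
from typing import Iterator, List

BITS_PER_LINE = 4  # assumed capacity per cover line


def _bits(data: bytes) -> Iterator[int]:
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def hide(cover: str, secret: bytes) -> str:
    """Embed secret in the cover text's trailing whitespace; visible text is unchanged."""
    if len(secret) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length field")
    payload = list(_bits(len(secret).to_bytes(2, "big") + secret))
    lines = cover.split("\n")
    needed = -(-len(payload) // BITS_PER_LINE)  # ceiling division
    if needed > len(lines):
        raise ValueError(f"cover has {len(lines)} lines, {needed} needed")
    out = []
    for i, line in enumerate(lines):
        chunk = payload[i * BITS_PER_LINE:(i + 1) * BITS_PER_LINE]
        out.append(line.rstrip(" \t") + "".join("\t" if b else " " for b in chunk))
    return "\n".join(out)


def reveal(text: str) -> bytes:
    """Recover a hidden message. Returns b"" when no trailing-whitespace bits exist;
    raises if the bits present do not form a complete payload."""
    bits: List[int] = []
    for line in text.split("\n"):
        body = line.rstrip(" \t")
        bits.extend(1 if ch == "\t" else 0 for ch in line[len(body):])
    if len(bits) < 16:
        return b""
    length = int.from_bytes(_bytes(bits[:16]), "big")
    body_bits = bits[16:16 + 8 * length]
    if len(body_bits) < 8 * length:
        raise ValueError("payload truncated: length field does not match carried bits")
    return _bytes(body_bits)


def suspicion_score(text: str) -> float:
    """Detector heuristic (what a Stegdetect-like tool does for this carrier): the
    fraction of lines whose trailing whitespace run contains a tab or is at least
    two characters long. Ordinary text scores near 0; a carrier scores near 1."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # ignore the empty string after a final newline
    if not lines:
        return 0.0
    odd = 0
    for line in lines:
        run = line[len(line.rstrip(" \t")):]
        if "\t" in run or len(run) >= 2:
            odd += 1
    return odd / len(lines)


# Constructed cover: 20 lines, enough for a 6-byte message (16 + 48 bits = 16 lines at 4 bits each).
COVER = "\n".join(f"Line {i} of an innocuous status report." for i in range(20))

if __name__ == "__main__":
    stego = hide(COVER, b"secret")
    same_text = [l.rstrip(" \t") for l in stego.split("\n")] == COVER.split("\n")
    print("visible text unchanged:", same_text)
    print("recovered:", reveal(stego))
    print("suspicion cover / stego:", suspicion_score(COVER), suspicion_score(stego))
```

The detector side is the practical lesson: whitespace hiding survives casual reading but not a one-line check for trailing tabs and spaces, and any editor that strips trailing whitespace on save destroys the payload.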

  17. Covering Tracks • Disable auditing: Auditpol • Clear event logs: Elsave (clears the entire log) • WinZapper (selectively removes individual Security log entries) • Evidence Eliminator
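The defender's side of this slide, as an added Python example (not from the slides). Clearing the Security log through the Windows API writes Event ID 1102, "The audit log was cleared", into the fresh log (517 on NT/2000/XP/2003), clearing the System log writes Event ID 104, and changing the audit policy, which is what Auditpol does, is recorded as 4719 before auditing stops. A tool that deletes individual records, as WinZapper does, instead leaves gaps in the record numbering. The events below are constructed JSON lines whose field names are this example's own, not a real export format.

```python
"""Spotting log clearing, audit-policy changes and selective record deletion.
Added example; the JSON-lines event format and field names are assumed."""
import json
from datetime import datetime
from typing import Dict, List

CLEAR_EVENTS = {
    1102: "Security log cleared",           # Vista and later
    517: "Security log cleared (legacy)",   # NT 4 / 2000 / XP / 2003
    104: "System log cleared",
}
POLICY_EVENTS = {4719: "system audit policy changed"}


def analyze(jsonl: str) -> Dict[str, List[str]]:
    """Scan events in the order they were read from the log and flag tampering signs."""
    findings: Dict[str, List[str]] = {"cleared": [], "policy_changed": [], "gaps": [], "time_regressions": []}
    prev_id = prev_time = None
    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        rid, eid = ev["RecordID"], ev["EventID"]
        when = datetime.fromisoformat(ev["Time"])
        who = ev.get("User", "?")
        if eid in CLEAR_EVENTS:
            findings["cleared"].append(f"record {rid}: {CLEAR_EVENTS[eid]} (EventID {eid}) by {who}")
        if eid in POLICY_EVENTS:
            findings["policy_changed"].append(f"record {rid}: {POLICY_EVENTS[eid]} (EventID {eid}) by {who}")
        if prev_id is not None:
            if rid > prev_id + 1:
                findings["gaps"].append(f"records {prev_id + 1}-{rid - 1} missing")
            elif rid <= prev_id:
                findings["gaps"].append(f"record numbering went backwards at {rid}")
        if prev_time is not None and when < prev_time:
            findings["time_regressions"].append(f"record {rid}: {when.isoformat()} earlier than previous entry")
        prev_id, prev_time = rid, when
    return findings


# Constructed sample: alice's normal session, then svc_backup logs on, three records
# vanish (selective deletion), the audit policy is changed and the Security log is cleared.
SAMPLE_EVENTS = """\
{"RecordID": 1040, "Time": "2024-03-01T09:00:01", "Channel": "Security", "EventID": 4624, "User": "alice"}
{"RecordID": 1041, "Time": "2024-03-01T09:00:07", "Channel": "Security", "EventID": 4672, "User": "alice"}
{"RecordID": 1045, "Time": "2024-03-01T09:03:10", "Channel": "Security", "EventID": 4624, "User": "svc_backup"}
{"RecordID": 1046, "Time": "2024-03-01T09:03:12", "Channel": "Security", "EventID": 4719, "User": "svc_backup"}
{"RecordID": 1047, "Time": "2024-03-01T09:05:00", "Channel": "Security", "EventID": 1102, "User": "svc_backup"}
{"RecordID": 1048, "Time": "2024-03-01T09:05:01", "Channel": "Security", "EventID": 4624, "User": "svc_backup"}
"""

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_EVENTS).items():
        for item in items:
            print(f"[{kind}] {item}")
```

None of these checks help if the only copy of the log is the one on the compromised host, since Elsave and WinZapper operate on exactly that copy; forwarding events to a collector as they are written is the countermeasure that makes clearing visible rather than silent.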

  18. Additional Study Site • http://www.scribd.com/doc/35606512/10/Performing-automated-password-guessing
