Attacking a System - Metropolitan State University of...
Chapter #5: Attacking a System
CIS 4500
Outline
- Describe the CEH hacking methodology and system hacking steps
- Describe methods used to gain access to systems
- Describe methods used to escalate privileges
- Describe methods used to maintain access to systems
- Describe methods of evidence erasure
- Identify rootkit function and types
- Identify basics of Windows and Linux file structure, directories, and commands
Phases of Hacking
Windows Security Architecture
- Credentials are stored in the SAM file
- It stores hash values
- On a domain, passwords are stored in a database
- Microsoft's original choice of encryption was not very good, but it improved in later versions

Authentication      Encryption    OS versions
LM                  DES           Win 95/98
NTLM                DES + MD4     Win NT
NTLM v2 + Kerberos  Symm + Asymm  Win 2000
Windows 7

Windows 10
LM Authentication
- Converts everything to uppercase
- If the password was less than 14 characters, it would add blank spaces to get it to 14
- Then the password would be split into two 7-character strings
- These strings would be hashed separately, with both hashes then combined for the output
LM Authentication
- If a password is seven characters or less, this significantly reduces the amount of time required to crack the remainder, because the LM hash value of seven blank characters is always the same (AAD3B435B51404EE)
- The first half is fed to a cracker, which gets to work
- The second half is easily recognizable: it is the hash of seven blanks!
- NTLM needs much more power to brute-force
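Added example (not from the course slides): the LM preprocessing described above, plus a check of a pwdump-style hash list for the tell-tale empty second half, which is how an administrator can spot accounts with short passwords or with LM hashes still being stored. The sample dump and every hash value in it other than the slide's empty-half constant are constructed; the DES step itself is omitted because no DES library is assumed.

```python
# Added example, not from the course slides: the LM preprocessing the slides
# describe plus an audit of a pwdump-style dump. The DES step itself is left
# out (no DES library assumed); the empty-half constant is the one from the slide.
from __future__ import annotations

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of seven blank characters

def lm_halves(password: str) -> tuple[str, str]:
    """Uppercase, pad to 14 (shown as blanks, as on the slide), split 7/7."""
    if len(password) > 14:
        raise ValueError("LM only covers passwords up to 14 characters")
    padded = password.upper().ljust(14)
    return padded[:7], padded[7:]

def audit_pwdump(lines: list[str]) -> list[tuple[str, str]]:
    """Parse 'user:rid:LM:NT:::' lines and report what the LM hash reveals."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32:
            continue  # not a pwdump line, or no LM field to judge
        user, lm = parts[0], parts[2].upper()
        first, second = lm[:16], lm[16:]
        if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
            findings.append((user, "no LM hash stored (empty password or LM storage disabled)"))
        elif second == EMPTY_LM_HALF:
            findings.append((user, "password is 7 characters or fewer: only one half to crack"))
        else:
            findings.append((user, "LM hash stored: 14 characters or fewer, uppercase-only keyspace"))
    return findings

# Constructed sample dump: RIDs and the non-empty hash values are made up.
SAMPLE_DUMP = [
    "# user:rid:lmhash:nthash:::",
    "Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::",
    "svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::",
    "Guest:501:AAD3B435B51404EEAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100:::",
]

if __name__ == "__main__":
    print(lm_halves("Secret7"))
    for user, finding in audit_pwdump(SAMPLE_DUMP):
        print(f"{user}: {finding}")
```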
Password Considerations
- Password: 8 characters long
  - Alphabet: 26 upper-case letters, 26 lower-case letters, 10 numbers, 33 special characters (95)
  - 95^8 = 6,634,204,312,890,625
- Password: 9/10 characters long
  - Alphabet: 26 upper-case letters, 26 lower-case letters (52)
  - 52^9 = 2,779,905,883,635,712
  - 52^10 = 144,555,105,949,057,024
Kerberos Exchange
1. The client sends a cleartext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.)
2. The AS checks to see if the client is in its database. If it is, the AS generates the secret key (SK1) by hashing the password of the user found in the database (e.g., Active Directory in Windows Server) and sends back the following two messages to the client:
   Message A: Client/TGS Session Key (SK2) encrypted using the secret key of the client/user (SK1).
   Message B: Ticket-Granting Ticket (TGT, which includes the client ID, client address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS (SK2).
3. Once the client receives messages A and B, it attempts to decrypt message A with the secret key (SK1) generated from the password entered by the user.
4. If the user-entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A.
5. With a valid password and secret key, the client decrypts message A to obtain the Client/TGS Session Key (SK2). This session key is used for further communications with the TGS. (Note: The client cannot decrypt message B, as it is encrypted using the TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.
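Added example (not from the course slides): a toy model of steps 1 to 5 above in Python, showing that only the user ID crosses the wire, that a wrong password leaves message A undecryptable, and that the client cannot open message B because it is under the TGS's own key. The cipher is an illustrative HMAC-based construction, not a real Kerberos encryption type, and the AS database entry and TGS key are made up.

```python
# Added example, not from the course slides: a toy model of steps 1-5 above
# using only hashlib/hmac. The cipher is an illustrative HMAC-based construction,
# not a real Kerberos encryption type; the AS database and TGS key are made up.
import hashlib, hmac, os

def derive_key(password: str) -> bytes:
    """Step 2: the AS derives the client's secret key SK1 by hashing the password."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: XOR with a keyed stream, then an HMAC tag."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError unless the tag verifies, i.e. unless the key matches."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key: cannot decrypt")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

AS_DB = {"alice": "correct horse battery"}      # constructed AS database
TGS_KEY = derive_key("tgs-long-term-secret")    # constructed TGS secret key

def as_exchange(user_id: str):
    """Steps 1-2: client sends only its user ID; AS returns (message A, message B)."""
    sk1 = derive_key(AS_DB[user_id])            # SK1 from the stored password
    sk2 = os.urandom(32)                        # client/TGS session key
    msg_a = encrypt(sk1, sk2)                   # A: SK2 under SK1
    tgt = b"TGT|" + user_id.encode() + b"|192.0.2.10|valid-8h|" + sk2
    msg_b = encrypt(TGS_KEY, tgt)               # B: TGT under the TGS's own key
    return msg_a, msg_b

def client_authenticate(user_id: str, password_typed: str):
    """Steps 3-5: derive SK1 from the typed password; returns (SK2, could_open_B)."""
    msg_a, msg_b = as_exchange(user_id)
    sk1 = derive_key(password_typed)
    sk2 = decrypt(sk1, msg_a)                   # step 4: wrong password -> ValueError
    try:
        decrypt(sk1, msg_b)
        opened_b = True
    except ValueError:
        opened_b = False                        # client lacks the TGS key
    return sk2, opened_b
```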
AD Credentials
- On a domain controller, credentials are stored in Ntds.dit, an ESE database file
- It is located in %SystemRoot%\NTDS\Ntds.dit or %SystemRoot%\System32\Ntds.dit
- The NTDS.DIT file is effectively the entire Active Directory in a file

AD Credentials
- ISAM (Indexed Sequential Access Method) is a file management system developed at IBM that allows records to be accessed either sequentially (in the order they were entered) or randomly (with an index)
- An ESE database looks like a single file to Windows. Internally the database is a collection of 2, 4, 8, 16, or 32 kB pages
- Pages contain meta-data to describe the data contained within the database, the data itself, indexes to persist interesting orders of the data, and other information
- An ESE database may contain up to 2^32 pages, or 16 terabytes of data for 8 kilobyte sized pages
Kerberos Ticket Stealing - Mimikatz
- It is part of Kali: /usr/share/mimikatz

Hash Cracking

samdump2 in Kali
Registry
- The Windows registry is a collection of all the settings and configurations that make the system run
- It stores all sorts of configuration settings and options:
  - low-level operating system components,
  - applications running on the machine,
  - drivers, the SAM file, and
  - the user interface.
- Keys and values
Root-Level Keys
- HKEY_CLASSES_ROOT (HKCR): Contains information on file associations and Object Linking and Embedding (OLE) classes.
- HKEY_CURRENT_USER (HKCU): Contains profile information for the user currently logged on. Information includes user-level preferences for the OS and applications.
- HKEY_LOCAL_MACHINE (HKLM): Contains information on hardware (processor type, bus architecture, video, disk I/O, and so on) and software (operating system, drivers, services, security, and installed applications).
- HKEY_USERS (HKU): Contains specific user configuration information for all currently active users on the computer.
- HKEY_CURRENT_CONFIG (HKCC): Contains a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, designed to make accessing and editing this profile information easier.

Keys

MMC
Linux Security Architecture
- / – represents the root directory.
- /bin – holds all sorts of basic Linux commands (a lot like the C:\Windows\System32 folder in Windows).
- /dev – contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or partitions. Note that everything in Linux is a file.
- /etc – contains all the administration files and passwords. Both the password and shadow files are found here.
- /home – holds the user home directories.
- /mnt – holds the access locations you’ve actually mounted.
- /sbin (system binaries) – holds more administrative commands and is the repository for most of the routines Linux runs (known as daemons).
- /usr – holds almost all of the information, commands, and files unique to the users.
UNIX Commands

Command   Description
adduser   Adds a user to the system.
cat       Displays the contents of a file.
cp        Copies files.
ifconfig  Displays network configuration information about your NIC.
kill      Kills a running process. (You must specify the process ID number.)
ls        Displays the contents of a folder. Common options: -l, -a
man       Displays the “manual” page for a command.
passwd    Used to change your password.
ps        Process status command.
pwd       Displays the name of the current directory.
rm        Removes files. The command rm -r also recursively removes all directories and subdirectories on the path and provides no warning when deleting a write-protected file.
su        Allows you to perform functions as another user. The sudo command version allows you to run programs with root privileges.
Linux Permissions

CHMOD

Users

Password File vs. Shadow File
Password Encryption
- The format of the encrypted password is:
  $#$SALT$PWD_SALTED_HASH
- On Ubuntu 10.04 LTS, the # is '6' and means a SHA-512 hash was used.
- You can test a password with:
  mkpasswd -m SHA-512 <PASSWORD> <SALT>
- This should return the encrypted password, starting with '$6$'
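Added example (not from the course slides): a parser for the $#$SALT$HASH format above, run over constructed /etc/shadow-style lines, that reports which algorithm each account uses, extracts the salt, and flags empty, locked and legacy DES-crypt entries. It goes slightly beyond the slide by also recognising the $1$, $5$ and $y$ identifiers and an optional rounds= parameter; every hash value in the sample is made up.

```python
# Added example, not from the course slides: a parser for the $id$salt$hash
# format above, run over constructed /etc/shadow-style lines to report how each
# account's password is stored. The hash values in the sample are made up.
import re

# Identifier in the $#$ prefix, as produced by crypt(3)/mkpasswd.
ALGORITHMS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}

def classify_password_field(field: str) -> dict:
    """Describe the second field of a shadow entry."""
    if field == "":
        return {"state": "EMPTY", "weak": True}           # login with no password
    if field.startswith(("!", "*")):
        return {"state": "LOCKED", "weak": False}         # password login disabled
    if field.startswith("$"):
        parts = field.split("$")                           # ['', id, params..., salt, hash]
        if len(parts) >= 4:
            ident, salt = parts[1], parts[-2]
            rounds = next((p[7:] for p in parts[2:-2] if p.startswith("rounds=")), None)
            return {"state": "HASHED", "algorithm": ALGORITHMS.get(ident, "unknown id " + ident),
                    "salt": salt, "rounds": int(rounds) if rounds else None,
                    "weak": ident == "1"}                  # MD5-crypt is fast to attack
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return {"state": "HASHED", "algorithm": "traditional DES-crypt",
                "salt": field[:2], "weak": True}           # 2-char salt, 8-char limit
    return {"state": "UNKNOWN", "weak": True}

def audit_shadow(text: str) -> list:
    """Return (user, classification) pairs for each entry in shadow-format text."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            results.append((fields[0], classify_password_field(fields[1])))
    return results

# Constructed sample; the hash portions are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rQ9zM1x7$madeUpSha512HashValue:19000:0:99999:7:::
alice:$1$ab12cd34$madeUpMd5HashValue:19000:0:99999:7:::
legacy:AbCd12EfGh34I:18000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
```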
Password Attacks
- Non-electronic: social engineering
- Active online
- Passive online
- Offline

Active Online
- Dictionary and brute-force attacks
- Hash injections
- Phishing
- Trojans
- Spyware
- Keyloggers
- Password guessing

Passive Online
- Sniffing
- ARP poisoning

Offline
- Dictionary attack: rainbow tables (Windows)
- Hybrid attack: dictionary attack with substitutions
- Brute-force attack

Stay Alert!
There is no 100 percent secure system, and there is nothing that is foolproof!