6 - System Hacking Flashcards Preview


Flashcards in 6 - System Hacking Deck (52)
1
Q

What are the goals of system hacking?

A
  • Gain Access:
    • Bypass security controls to gain access
    • Password cracking, social engineering
  • Escalating Privileges:
    • Acquire the rights of another user or an admin
    • Exploiting vulnerabilities
  • Executing Applications:
    • To create and maintain remote access to the system
    • Malware
  • Hiding Files:
    • To hide the attacker's malicious activities and data theft
    • Rootkits, steganography
  • Covering Tracks:
    • Hide evidence of compromise
    • Clearing logs
2
Q

What is Password Cracking?

A

Used to recover passwords from computer systems and gain unauthorized access to vulnerable systems

3
Q

What are the different types of password attacks?

A
  • Non-Electronic Attacks
    • Do not require technical knowledge to crack passwords (social engineering, shoulder surfing)
  • Active Online Attacks
    • An attacker needs to communicate with target machines to gain password access (dictionary attacks)
  • Passive Online Attacks
    • Attacker does not need to communicate with the system.
    • Uses observed data to break into the system (sniffing)
  • Offline Attacks
    • Attackers try to recover clear text passwords from a password hash dump (rainbow table attack)
4
Q

How are hashed passwords stored in the Windows SAM?

A

Windows uses a Security Account Manager (SAM) database file to store user passwords.

5
Q

What is Kerberos Authentication?

A
  • A network authentication protocol that provides strong authentication by using secret-key cryptography.
  • Both server and user verify each other’s identity
6
Q

What is Password Salting?

A
  • A technique where a random string of characters is added to the password before calculating its hash.
  • Makes it more difficult to reverse the hashes and defeats pre-computed hash attacks.
7
Q

How to Defend Against Password Cracking?

A
  • Enable info security audit to monitor and track password attacks
  • Do not reuse the same password during a password change
  • Do not share password
  • Do not use passwords that can be found in a dictionary
  • Do not use cleartext protocols and protocols with weak encryption
  • Set the password change policy to 30 days
  • Avoid storing passwords in an unsecured location
  • Do not use the system’s default passwords
  • Make passwords hard to guess by using 8-12 characters in combination of uppercase, lowercase, numbers and symbols
  • Ensure apps neither store passwords to memory nor write them to disk in clear text
  • Use a random string (salt) as a prefix or suffix to the password before encrypting it
  • Enable SYSKEY with strong password to encrypt and protect the SAM database
  • Never use passwords such as date of birth, spouse, or child’s or pet’s name
  • Monitor the server’s logs for brute force attacks
  • Lockout accounts with too many incorrect attempts
8
Q

What is Escalating Privileges?

A
  • Attackers gain access using a non-admin user account; the next step is to gain admin privileges
  • Privilege escalation attack takes advantage of design flaws, programming errors, bugs, and config oversights in the OS and software
  • These privileges allow attackers to view critical/sensitive info, delete files, or install malicious programs
9
Q

What are the Types of Privilege Escalation?

A
  • Horizontal
    • Assuming the identity of another user with similar privileges
  • Vertical
    • Refers to gaining higher privileges than the existing account
10
Q

What are Spectre and Meltdown Vulnerabilities?

A
  • Spectre Vulnerability:
    • Tricks a processor to exploit speculative execution to read restricted data.
    • Processors implement speculative execution in order to predict the future to complete the execution faster
    • Attackers use this vulnerability to read adjacent memory locations of a process and access info they are not authorized for.
  • Meltdown Vulnerability:
    • Leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution
11
Q

What are Privilege Escalation Techniques?

A
  • Access Token Manipulation:
    • Windows OS uses access tokens to determine the security context of a process or thread
    • Attackers generate spoofed tokens to escalate privileges
  • Application Shimming:
    • Windows uses shim to provide compatibility between the older and newer versions of Windows OS
    • Shims can be used by attackers to escalate privileges, install backdoors, disable Windows Defender, etc.
  • File System Permissions Weakness:
    • If the file system permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file.
    • If the process that executes the binary has higher permissions, the malicious binary will also execute with those higher permissions
  • Path Interception:
    • Apps include many weaknesses and misconfigurations, such as unquoted paths, PATH environment variable misconfiguration, and search order hijacking, that can lead to path interception
  • Scheduled Task:
    • Task scheduling programs are used to run programs at a specific time
    • Attackers can manipulate these programs to execute malicious programs at system startup, maintain persistence, etc.
  • Launch Daemon:
    • Daemons have plists that are linked to executables that run at startup
    • Attackers can alter the executable that the launch daemon runs
  • Plist Modification:
    • Plist files in macOS/OS X describe when programs should execute, their file path, parameters, required permissions, etc.
    • Attackers alter these files to execute malicious code
  • Setuid and Setgid:
    • In Linux and MacOS, if an app uses setuid or setgid then the app will execute with privileges of the owning user or group
    • An attacker can take advantage of these flags
  • Web Shell:
    • A web based script that allows access to a web server
    • Attackers use this to inject malicious code
12
Q

How to Defend Against Privilege Escalation?

A
  • Restrict interactive logon privileges
  • Use encryption techniques to protect sensitive data
  • Run users and applications with the least privileges
  • Reduce the amount of code that runs with particular privilege
  • Implement MFA and authorization
  • Perform debugging using bounds checking and stress tests
  • Run services as unprivileged accounts
  • Test OS and application coding errors and bugs thoroughly
  • Implement a privilege separation methodology to limit the scope of programming errors and bugs
  • Patch and update the kernel regularly
  • Change UAC settings to “Always Notify”
  • Restrict users from writing files to the search paths for apps
  • Continuously monitor file system permissions using auditing tools
  • Reduce the privileges of users and groups so that only legitimate admins can make service changes
  • Use whitelisting tools to identify and block malicious software
  • Use fully qualified paths in all Windows apps
  • Ensure that all executables are placed in write-protected directories
  • In Mac OS, make Plist files read-only
  • Block unwanted system utilities or software that may be used to schedule tasks
  • Patch and update the web servers regularly
13
Q

What type of applications do attackers execute?

A
  • Keylogger:
    • Monitors each keystroke, logs it to a file, and sends the file to a remote location
  • Spyware:
    • A stealthy program that records user’s interaction with the computer and internet without user’s knowledge and sends them to the remote attackers
14
Q

What type of files do attackers try to hide?

A
  • Rootkits:
    • Programs that hide their presence as well as activities, granting them full access to the server.
  • NTFS Data Stream:
    • NTFS Alternate Data Stream (ADS) is a hidden Windows stream which contains metadata about a file
  • Steganography:
    • A technique of hiding a secret message within an ordinary message
15
Q

What techniques do attackers use to cover tracks?

A
  • Disable Auditing
  • Clearing Logs
  • Manipulating Logs
  • Clearing Online Tracks:
    • Remove Most Recently Used (MRU) lists, delete cookies, clear the cache, turn off AutoComplete, and clear Toolbar data from the browsers
  • Using Reverse HTTP Shells:
    • An external master sends commands and they execute on the target system
  • Using Reverse ICMP Tunnels:
    • Using ICMP Echo and reply packets as carriers of TCP payload
  • Using DNS Tunneling:
    • Encoding malicious content within DNS queries and replies
    • Tunneling creates a backchannel to access a remote server
  • Using TCP Parameters:
    • Data can be hidden in TCP/IP header fields such as the IP identification field, acknowledgement number, and sequence number
  • Windows:
    • Use Alternate Data Streams
  • Unix:
    • Add a dot (.) in front of the file name to hide it
    • Update/modify/clear/shred the shell history
16
Q

What is Vulnerability Exploitation?

A

Involves the execution of multiple complex steps to gain access to a remote system:

  • Identify Vulnerability
  • Determine the Risk
  • Determine the capability of the vulnerability
  • Develop the exploit
  • Select the method for delivering - local or remote
  • Generate and deliver the payload
  • Gain remote access
17
Q

What are Exploit Sites?

A

Sites used to discover vulnerabilities and to download or develop exploits for remote exploitation of the target system. These sites include the latest details of vulnerabilities (Exploit Database, Security Focus, VulDB, MITRE CVE).

18
Q

What is Buffer Overflow?

A

A buffer is an area of adjacent memory locations allocated to a program or app to handle its runtime data. A buffer overflow occurs when an application or program accepts more data than the allocated buffer can hold. The vulnerability allows the app to exceed the buffer while writing data to it and overwrite neighboring memory locations. Attackers take advantage of this by injecting malicious code into the buffer.

19
Q

What are the types of Buffer Overflow?

A
  • Stack Based: The stack is used for static memory allocation and stores variables in “LIFO” order (PUSH and POP operations). The attacker controls the return address that is loaded into the EIP register and can therefore redirect execution to obtain shell access, etc.
  • Heap Based: Heap memory is dynamically allocated at runtime during the execution of the program and stores program data. The vulnerability occurs when memory is allocated on the heap and data is written to it without any bounds checking.
20
Q

What are the steps for Windows Buffer Overflow Exploitation?

A
  • Perform Spiking: Allows attackers to send crafted TCP or UDP packets to the vulnerable server to make it crash.
  • Perform Fuzzing: Send a large amount of data to the target server to initiate overflow
  • Identify the Offset: Identify where the EIP register is getting overwritten
  • Overwrite the EIP register
  • Identify Bad Characters: ID characters that may cause issues in the shellcode
  • Identify the Right Module: Identify a module of the vulnerable server that lacks memory protection.
  • Generate Shellcode
  • Gain Root Access
21
Q

What tools are used to identify Buffer Overflow?

A
  • OllyDbg
  • Veracode
  • Flawfinder
  • Kiuwan
  • Splint
  • BOVSTT
22
Q

How can you defend against Buffer Overflow?

A
  • Secure Coding Practices
  • Validate args and minimize code that requires root privileges.
  • Implement automatic bounds checking
  • Never allow execution of code outside the code space
  • Up to date patching
23
Q

What is Internal Monologue Attack?

A

Usually performed in a secure environment where, using the Security Support Provider Interface (SSPI) from a user-mode app, a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM (a challenge-response authentication protocol) response in the context of the logged-on user.

24
Q

What is Cracking Kerberos Password?

A

Kerberos is the most commonly used authentication protocol for network entities. Attackers target Kerberos auth protocol in two common ways: cracking the TGS and cracking the TGT

  • Cracking the TGT (AS-REP Roasting): Attacker requests an auth ticket (TGT) from the KDC in the form of an AS-REQ packet. If user account exists, the KDC replies with a TGT encrypted with the account’s creds. Attacker saves encrypted ticket offline for cracking.
  • Cracking the TGS (Kerberoasting): Attackers request a TGS for the service principal name (SPN) of the target service account to the DC by using a valid domain user’s authentication ticket (TGT). DC finds account in AD records and responds with encrypted Service Ticket (ST) which is stored offline to be cracked.
25
Q

What is Pass the Ticket attack?

A

Used for authenticating a user to a system that is using Kerberos tickets without providing the user’s password. Attackers launch this attack by stealing the ST/TGT from either an end-user or from a compromised AS then gain access to the network services and search for additional permissions and critical data.

26
Q

What are the Combinator, Fingerprint, PRINCE, Toggle-Case, Markov-Chain attacks?

A
  • Combinator: Attackers combine the entries of the first dictionary with those of the second dictionary to generate a new wordlist to crack the password of the target system.
  • Fingerprint: Attackers break down the passphrase into fingerprints comprising single- and multi-character combinations to crack complex passwords.
  • PRINCE: An advanced version of combinator where, instead of taking input from 2 different dictionaries, attackers use a single input dictionary to build chains of combined words.
  • Toggle-Case: Attackers try all possible combinations of upper and lower cases of a word present in the input dictionary.
  • Markov-Chain: Attackers gather a password database and split each password entry into 2- and 3- character long syllables to create a new alphabet and match with existing password database.
27
Q

What are some tools to detect LLMNR/NBT-NS Poisoning?

A

Vindicate, got-responded, Respounder

28
Q

What is Named Pipe Impersonation?

A

Named pipes are used to provide legit communication between running processes using a file. Attackers can use this technique to communicate with accounts of higher privilege.

29
Q

What is Exploiting Misconfigured Services?

A

Attackers try to escalate privileges using misconfigured services:

  • Unquoted Service Paths: In Windows, when starting a service, the system attempts to find the location of the executable to launch it; the path should be enclosed in quotation marks. Attackers exploit services whose paths are not quoted.
  • Service Object Permissions: Misconfigured service permissions may allow an attacker to modify or reconfigure the attributes associated with that service. Attacker can even add new users to local admin group.
  • Unattended Installs: Unattended install details such as config settings used during the installation process are stored in Unattend.xml file. Attackers exploit info in this file.
30
Q

What is Pivoting and Relaying to Hack External Machines?

A
  • Pivoting: Where a compromised system is used as a foothold to compromise the true target, another system. Usually done to bypass a firewall or detection.
  • Relaying: Where a compromised system is used to access resources on another system.
31
Q

What are some tools used for Privilege Escalation?

A
  • BeRoot
  • Linpostexp
32
Q

What are some tools for defending against Privilege Escalation?

A
  • Dependency Walker
  • Dylib Hijack Scanner
33
Q

How can you defend against Spectre and Meltdown Vulnerabilities?

A
  • Regular patching
  • Continuous monitoring of critical apps and services
  • Ad-blockers
  • Endpoint security tools
  • Block services/apps that allow unprivileged users to execute code
  • Use DLP solutions
  • BIOS updates
  • Tools: InSpectre, Spectre & Meltdown Checker
34
Q

What are some Remote Code Execution Techniques?

A
  • Exploitation for Client Execution: Unsecure coding practices
  • Scheduled Task: Execution of malicious programs at scheduled times
  • Service Execution: Attackers run binary files or commands that can communicate with the Windows services to maintain access
  • Windows Management Instrumentation (WMI): Exploit features in WMI to interact with remote target system
  • Windows Remote Management (WinRM): WinRM is a protocol that allows users to run exe’s on a remote system. Attackers can take advantage of this.
35
Q

What are some tools for executing applications remotely?

A

Remote Exec, Pupy, PDQ Deploy, Dameware Remote Support, ManageEngine Desktop Central, PsExec

36
Q

What is a keylogger?

A

Programs or hardware devices that can monitor, log, and transmit each keystroke. Types:

  • Hardware: PC/BIOS, Keyboard, External, PS/2 and USB, Acoustic/CAM, Bluetooth, WiFi
  • Software: Application, Kernel, Hypervisor, Form Grabbing, Javascript, Memory Injection
37
Q

What are some keylogger tools?

A
  • Hardware: KeyGrabber, KeyCarbon, Keyllama, KeyGhost, Keyboard logger
  • Windows: Spyrix, REFOG, All In One, Elite, StaffCop Standard, Spytector
  • Mac: Refog Mac, Spyrix, Elite, Aobo, Kidlogger for MAC, Perfect Keylogger
38
Q

What is Spyware?

A

A stealthy program that records the user’s interaction with PC and Internet without the user’s knowledge and sends info to the remote attackers.

Spreads by:

  • Drive-By Download
  • Masquerading as Anti-Spyware
  • Web Browser Vulnerability
  • Piggybacked software installation
  • Browser add-ons
  • Cookies
39
Q

What are some Spyware tools?

A

Spytech SpyAgent, Power Spy

40
Q

How can you defend against Keylogger?

A
  • Use pop-up lockers and avoid opening junk emails.
  • Use AV and anti-spyware
  • Install anti-keylogging and firewall software
  • Recognize phishing emails
  • Up to Date patching
  • Do not click on doubtful links
  • Use keystroke interference software
  • Scan files
  • Use on-screen keyboard for confidential info (click on characters with mouse)
  • Use form filling software
  • Host based IDS
  • Disable or lock down USB ports
41
Q

What are some Anti-Keylogger tools?

A

Zemana Antikeylogger, GuardedID, Keyscrambler, Oxynger Keyshield, Ghostpress, Spyshelter Free Anti-Keylogger

42
Q

How can you defend against Spyware?

A
  • Use pop-up lockers and avoid opening junk emails.
  • Use AV and anti-spyware
  • Install anti-keylogging and firewall software
  • Recognize phishing emails
  • Up to Date patching
  • Do not click on doubtful links
  • Use keystroke interference software
  • Scan files
  • Use on-screen keyboard for confidential info (click on characters with mouse)
  • Use form filling software
  • Host based IDS
  • Disable or lock down USB ports
43
Q

What are some Anti-Spyware tools?

A

SUPERAnti-Spyware, Kaspersky Internet Security 2019, SecureAnywhere, Adawhere, MacScan, Norton AV

44
Q

What is a Rootkit? And what are the types?

A

Programs that hide their presence granting them full access to the server/host. They replace certain OS calls and utilities with their own modified versions. They try to gain remote backdoor access, mask tracks, sniff traffic, and install other malicious programs.

Types:

  • Hypervisor Level: Acts as a Hypervisor
  • Hardware/Firmware: Hides in hardware devices
  • Kernel Level: Modifies or replaces OS kernel
  • Boot Loader Level: Replaces boot loader
  • Application Level/User Mode: Replaces app binaries with a fake Trojan
  • Library Level: Replaces OS calls with fake ones to hide info
45
Q

What are some popular rootkits?

A
  • LoJax: A type of UEFI rootkit that injects malware into the system and is automatically executed at start up.
  • Scranos: Windows Kernel rootkit
  • Horse Pill: Linux rootkit that resides inside the “initrd” which it uses to infect the system and deceives the system owner with the use of container primitives.
  • Necurs: Contains backdoor functionality allowing remote access and control of the infected computer.
46
Q

How can you detect Rootkits?

A
  • Integrity Based: Compares a snapshot with a known baseline
  • Signature Based: Compares characteristics of files with known bad signatures
  • Heuristic/Behavior Based: Any deviations from the system's normal activity
  • Runtime Execution Path: Compares runtime execution paths
  • Cross View Based: Enumerates key elements in a system for analysis
  • Alternative Trusted Medium: Shut down the infected system and reboot from a known alternative trusted medium
  • Analyzing Memory Dumps: Dump the RAM of suspected system and analyze.
47
Q

How can you defend against Rootkit?

A
  • Reinstall OS/apps from trusted source
  • Perform kernel memory dump analysis
  • Harden servers and workstations
  • Educate staff not to download from untrusted sources
  • Install firewalls
  • Up to date patches
  • Verify integrity of system files
  • Avoid using admin privileges
  • Least privilege principle
  • Do not install unnecessary apps.
48
Q

What are the steps to Covering Tracks?

A
  • Disable Auditing
  • Clearing Logs
  • Manipulating Logs
  • Covering Tracks on the Network/OS
  • Deleting Files
  • Disabling Windows Functionality
49
Q

What is Cipher.exe?

A

A built-in Windows command-line tool that can be used to securely delete data by overwriting it to prevent its recovery in the future.

50
Q

What are some methods to Disable Windows Functionality?

A
  • Disable the Last Access Timestamp
  • Disable Windows Hibernation
  • Disable Windows Virtual Memory (Paging File): A paging file is used when RAM falls short of usable space.
  • Disable System Restore Points: Restore Points contain info about hidden data and previously deleted files.
  • Disable Windows Thumbnail Cache: Thumbnail files contain info regarding files that were previously deleted or used on the system.
  • Disable Windows Prefetch Feature: Prefetch is a Windows feature that stores specific data about the apps that are typically used by the system users.
51
Q

What are some Track Covering tools?

A

CCleaner, DBAN, Privacy Eraser, Wipe, BleachBit, ClearProg

52
Q

How can you defend against Covering Tracks?

A
  • Logging
  • Audit regularly
  • Ensure new events do not overwrite old entries
  • Maintain separate logging server
  • Up to date patching
  • Close unused open ports
  • Encrypt log files
  • Set logs to “append only”
  • Backup logs