Chapter 7: System Hacking Flashcards Preview


Flashcards in Chapter 7: System Hacking Deck (28)
1
Q

Phase 4: System Hacking

A

A methodical approach that includes cracking passwords, escalating privileges, executing apps, etc.

2
Q

Password Cracking

A

The hacking process typically starts w/ Password Cracking,

the process of recovering passwords from transmitted or stored data

3
Q

Password Cracking Techniques (5)

A

1) Dictionary Attacks - the password-cracking app has a dictionary file loaded into it; no good for passphrases
2) Brute-force Attacks - every possible combination of characters is attempted until the correct one is uncovered
3) Hybrid Attack - like a Dictionary attack, but words are modified w/ the addition or substitution of special chars or #s (e.g., p@ssw0rd for password)
4) Syllable Attack - combination of brute-force & dictionary attack; useful when the password is not a standard word or phrase
5) Rule-based Attack - an advanced attack based on the assumption that the user has created a PW using info the attacker has knowledge of (e.g., phrases & digits the user tends to use)

4
Q

Types of attacks (4)

A

1) Passive Online Attacks - sitting back & listening (sniffing tools such as Wireshark, man-in-the-middle attacks, replay attacks)
2) Active Online Attacks - deeper engagement w/ targets w/ intent to break the PW (e.g., password guessing, trojans/spyware/keyloggers, hash injection, phishing)
3) Offline Attacks - preying on the weaknesses of how PWs are stored (e.g., precomputed hashes, distributed NW attacks, rainbow attacks)
4) Nontechnical Attacks aka non-electronic attacks - moving from offline into the real world (e.g., shoulder surfing, social engineering, dumpster diving)

5
Q

Passive Online Attack techniques (3)

A

1) Packet Sniffing - lookout for PWs from Telnet, FTP, SMTP, rlogin, other vulnerable protocols

//if you use a sniffer w/o any extra steps, you are limited to a single collision domain, i.e. you can only sniff hosts not separated from you by a switch or bridge

//most effective on a NW that employs a hub

2) Man-in-the-middle - while two parties are communicating, a third party inserts itself into the convo & attempts to alter or eavesdrop on the communications.

//to be fully successful, the attacker must be able to sniff traffic from both parties at the same time

//vulnerable protocols –> Telnet & FTP

3) Replay Attack - capture packets using a packet sniffer; after the relevant info is extracted, the packet can be placed back on the NW; the intention is to inject the captured info back onto the NW

6
Q

Active Online Attack techniques

A

1) Password Guessing - attacker seeks to recover the PW by using words from a dictionary or by brute force; usually carried out by a SW app
2) Trojans, Spyware, & Keyloggers - malware such as Trojans, spyware, & keyloggers can gather info through keyboard sniffing or keylogging
3) Hash Injection - steps:
  a) Compromise a vulnerable workstation
  b) When connected, attempt to extract the hashes from the system for high-value users, such as domain or enterprise admins
  c) Use the extracted hash to log on to a server such as a domain controller
  d) If the system serves as a domain controller or similar, attempt to extract hashes from the system w/ the intention of exploiting other accounts

7
Q

Offline Attacks 1: Password Hashing

A

Hashing is a form of one-way encryption that is used to verify integrity;

PWs are commonly stored in hashed format so they are NOT in cleartext; when a PW is provided by the user, it needs to be verified: it is hashed on the client side & transmitted to the server, where the stored hash & the transmitted hash are compared

8
Q

Offline Attacks 1: Extracting hashes from a System

A

1) open cmd
2) type pwdump7.exe //displays hashes
3) type pwdump7.exe > C:\hash.txt //redirects the hashes to a file
4) Using notepad, browse to the C drive & open the hash.txt file to view the hashes

9
Q

Offline Attacks 1: Precomputed Hash or Rainbow Tables

A

Precomputed hashes are used in an attack known as a rainbow table attack

Rainbow tables compute every possible combination of characters prior to capturing a PW

The attacker can capture the PW hash from the NW & compare it w/ the rainbow table hashes

//"Salting" is used in Linux, Unix, BSD, older Windows; adds entropy or randomness in order to make sequences or patterns more difficult to detect, so it is harder to use rainbow tables against these systems

CON - takes a long time to compute all hash combinations ahead of time; can't crack PWs of unlimited length

10
Q

Offline Attacks 1: Generating Rainbow Tables

A

GUI-based generator - winrtgen

11
Q

Offline Attacks 1: Rainbow Crack

A

Program used to compare Rainbow table with Hash files

12
Q

Offline Attacks 2: Distributed NW Attacks (DNA)

A

Modern approach; takes ADV of unused processing power from multiple computers in an attempt to perform an action (in this case, PW cracking)

//install a manager on a chosen system, which is used to manage multiple clients;

PRO: computing power

EXAMPLE: SETI@home (Search for Extraterrestrial Intelligence)

13
Q

Other Techniques: Default Passwords

Guessing – self explanatory

A

an attacker can guess what type of equipment/system you’re using and look up default passwords if you do not change them

14
Q

Other Techniques: USB Password Theft

A

embedding a password-stealing application on a USB drive, physically plugging the drive into a target system

15
Q

Other Techniques: USB Password Theft application (steps to steal)

A

1) Obtain a PW-hacking utility such as pspv.exe
2) Copy it to USB
3) Create a Notepad file called launch.bat containing the following lines:
[autorun]
en = launch.bat
Start pspv.exe /s passwords.txt
4) Save launch.bat to the USB drive

//pspv.exe = protected-storage PW viewer, saves PWs contained in Internet Explorer & other applications

Mitigation: disabling autoplay of USB devices, which is on by default

16
Q

Other Techniques: Authentication Mechanisms on Microsoft

A

Security Accounts Mgr (SAM) - DB in the Windows OS that stores security principals; while the system is running, Windows keeps a file lock on the SAM to prevent it from being accessed; however, a copy of the SAM DB resides in memory & can be accessed

//System will only give up exclusive access to the SAM when powered off or when there is a BSOD
//SYSKEY (encryption key) is enabled by default to protect the SAM further; can be disabled

17
Q

Passwords are stored in hashed format using

A

LM/NTLM hashing mechanisms; they are stored in c:\windows\system32\SAM

Link:1010:624AAC413795……

(Before 624AA is the LM hash, after is the NTLM hash)

Windows XP and later do not store the LM hash by default; they store a blank or dummy value which cannot be deciphered bc it has no direct correlation to the user's actual PW; if the PW is longer than 14 chars, the dummy value is used automatically b/c the LM hash cannot support more than 14 chars

18
Q

Salting

A

PW hashing is strengthened by adding an additional layer of randomness to hash

19
Q

NTLM Authentication & SSP

A

NT LAN Mgr is an authentication protocol for Microsoft products; NTLM v1 and v2 are still widely used in environments but are relatively insecure; used where Kerberos is not supported

SSP - Security Support Provider - layered on top of NTLM for additional protection

20
Q

Domain Controller

A

responds to security authentication requests (such as logging in, permissions, etc)

21
Q

Process of authentication w/ NTLM protocol

A

1) Client enters their username & PW into the login prompt
2) Windows runs the PW through a hashing algorithm to generate a hash
3) The client transmits the username & hash to the domain controller
4) The domain controller generates a 16-byte random char string known as a NONCE & transmits it back to the client
5) The client encrypts the nonce w/ the hash of the user PW & sends it back to the domain controller
6) The domain controller retrieves the hash from its SAM & uses it to encrypt the nonce it sent to the client

If the hashes match, the login request is accepted

22
Q

What is Kerberos and steps to authenticate service

A

Authentication Protocol; strong cryptographic mechanism

1) You want to access another system, such as a server or client; Kerberos is in use in this environment, so a "ticket" is required
2) To obtain this ticket, you are first authenticated against the AS (Authentication Server). A session key is created based on your PW & the value that represents the service you wish to connect to. This request serves as your TGT (ticket-granting ticket)
3) The TGT is presented to the TGS (ticket-granting service), which generates a ticket that allows you to access the service
4) The service either accepts or rejects the ticket; if accepted, you have a finite period of time before the ticket needs to be regenerated

23
Q

Types of Privilege Escalation (2)

A

1) Horizontal Privilege Escalation - attacker attempts to take over the rights & privileges of another user who has the same privileges as the current account
2) Vertical Privilege Escalation - attacker gains access to an account & then tries to elevate the privileges of that account or gain access to a higher-privileged account

24
Q

Privilege Escalation: Change password

A

Identify an account that has the desired access & then change the password using one of the following tools:

Active@ Password Changer
Trinity Rescue Kit
ERD Commander
Windows Recovery Environment (WinRE)
Password Resetter

25
Q

Trinity Rescue Kit (password reset tool)

A

Linux distribution (for Windows & Linux); Can be booted from CD or flash drive

1) cmd line: winpass -u Administrator
2) Choose file system
3) Set Password
4) Type: init 0, to shut down TRK Linux
5) Reboot

26
Q

Types of Apps Executed (4)

A

1) Backdoor Apps - allow later access to take place
2) Crackers - SW w/ ability to crack code or obtain PWs
3) Keyloggers - HW/SW used to gain info entered via keyboard
4) Malware - any type of SW designed to capture info, alter, or compromise system

27
Q

Planting a Backdoor

A
  • PsTools suite (suite of tools to ease system administration)
  • PsExec is one of them; similar to Telnet but does not need installation & can be run locally or remotely; commands include:

psexec \\zelda cmd //launches an interactive cmd prompt on the system named zelda

psexec \\zelda ipconfig /all //executes ipconfig on the remote system with the /all switch & outputs locally

psexec \\zelda -c rootkit.exe //copies the program rootkit.exe to the remote system & executes it interactively

psexec \\zelda -u administrator -c rootkit.exe //copies the program rootkit.exe to the remote system & executes it interactively using the admin acct on the remote system

28
Q

Covering your tracks

A

During this phase, the attacker seeks to eliminate error messages, log files, and other items that may have been altered during the attack process

DISABLING AUDITING - Auditing is designed to allow for detection and tracking of selected events on a system; the attacker wants to alter the way events are logged on the target system

How to disable running command in Windows (stop logging and auditing of events):

auditpol \ /clear

DATA HIDING - hide files placed on the system;

ALTERNATE DATA STREAMS (ADS) (NTFS only) - a major security issue w/ ADS is that it is nearly a perfect mechanism for hiding data; almost impossible to find; the data can lie in wait until the attacker decides to run it later; allows you to hide files within existing files

Creating an ADS:
type triforce.exe > smoke.doc:triforce.exe //executing this command hides triforce.exe behind the file smoke.doc; the original triforce.exe is then deleted

Retrieve the file:
start smoke.doc:triforce.exe //opens hidden file & executes