Ch07.ppt
- 1. © SYBEX Inc. 2016. All Rights Reserved.
System Hacking
Chapter 7
- 2.
Gaining Access
• What is gaining access?
– Breaking passwords
– Opening up a system
– Can lead to further actions
- 3.
Password Cracking
Passwords are the most widely used form of authentication.
Usernames and passwords are a commonly targeted item.
Enumeration may have gathered usernames in some cases.
Password cracking is used to obtain passwords.
Password cracking refers to a group of techniques.
It is an essential skill for penetration testers.
The ability to crack passwords is a required skill for you as a penetration tester, as passwords represent an effective way to gain access to a system.
- 4.
What Makes a Password Susceptible to Cracking?
• Passwords that contain letters, special characters, and numbers: stud@52
• Passwords that contain only numbers: 23698217
• Passwords that contain only special characters: &*#@!(%)
• Passwords that contain letters and numbers: meetl23
• Passwords that contain only uppercase or only lowercase: POTHMYDE
• Passwords that contain only letters and special characters: rex@&ba
• Passwords that contain only special characters and numbers: 123@$4
• Passwords of 11 characters or fewer
Passwords are intended to be something that is easy to remember but at the same time not easily guessed or broken.
- 5.
Password Cracking Types
• Passive online: Sniffing
• Active online: Brute force, Guessing
• Offline: Rainbow tables
• Nonelectronic: Social engineering
There are numerous techniques used to reveal or recover a password that you must explore, and each uses a different approach that can yield a password. Each method offers advantages and disadvantages that you should be familiar with.
- 6.
Passive Online
Characteristics of passive online:
• Passive attacks adopt a “sit back and wait” attitude.
• Packet sniffers are a common mechanism to gather passwords.
• Weak password protection schemes are at risk.
• Many protocols of older varieties are vulnerable.
A passive online attack is any attack where the individual carrying out the process takes on a “sit back and wait” attitude.
- 7.
Protocols Vulnerable to Sniffing
Telnet and rlogin (remote login): Using these protocols, anyone able to capture the traffic can read your keystrokes.
HTTP: This protocol sends usernames and passwords in cleartext.
SNMP: This is like HTTP; it sends passwords in cleartext.
POP: This sends passwords in cleartext.
FTP: This sends passwords in cleartext.
NNTP: This sends passwords in cleartext.
IMAP: This sends passwords in cleartext.
There are thousands of protocols that allow people to communicate via networks while also being used to hack into them.
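As an added example (not from the Sybex slides), a small audit routine a defender can run over captured payloads to flag accounts whose password was sent in the clear by the protocols listed above; the payloads are constructed samples, and the report records the account but deliberately redacts the password.

```python
import base64
import re

# Constructed sample payloads (not from a real capture): one login exchange per
# protocol family the slide lists, plus an opaque TLS record for contrast.
SAMPLE_PAYLOADS = [
    ("tcp/80", "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
               "Authorization: Basic "
               + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n"),
    ("tcp/21", "USER bob\r\nPASS s3cret\r\n"),              # FTP login
    ("tcp/110", "USER carol\r\nPASS letmein\r\n"),          # POP3 login
    ("tcp/443", "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # TLS ClientHello, opaque
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
USER_RE = re.compile(r"^USER\s+(\S+)", re.M)
PASS_RE = re.compile(r"^PASS\s+(\S+)", re.M)


def find_cleartext_credential(payload: str):
    """Return (protocol, username) when a password is recoverable from the
    payload as-is, otherwise None. The password itself is never returned."""
    m = BASIC_RE.search(payload)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, _password = decoded.partition(":")
        # HTTP Basic is only base64, i.e. cleartext-equivalent, when not under TLS.
        return ("http-basic", user) if sep else None
    # FTP, POP3 and similar text protocols send USER/PASS as plain commands.
    user_m = USER_RE.search(payload)
    if user_m and PASS_RE.search(payload):
        return ("user-pass", user_m.group(1))
    return None


def audit_payloads(payloads):
    """Report which captured flows exposed an account name together with a password."""
    findings = []
    for port, payload in payloads:
        hit = find_cleartext_credential(payload)
        if hit:
            findings.append({"port": port, "protocol": hit[0], "user": hit[1]})
    return findings


if __name__ == "__main__":
    for f in audit_payloads(SAMPLE_PAYLOADS):
        print(f"{f['port']}: {f['protocol']} credential for {f['user']!r} sent in cleartext")
```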
- 8.
Tools for Passive Attacks
A network sniffer monitors data flowing over a network; it can be a software program or a hardware device with the appropriate software or firmware programming.
• Wireshark
• Network Miner
• Network Monitor
• Dsniff
- 9.
Man-in-the-Middle
• Designed to listen in on the communication between two parties
• Can be completely passive if the attacker just listens to the communication
• Could become an active attack if the attacker takes over the session
• Some protocols are vulnerable to sniffing
This type of attack takes place when two different parties communicate with one another with a third party listening in.
- 10.
Active Online
Attacks that fit into this category are those that require direct interaction with a system in an attempt to break a password.
• Guessing
• Malware
- 11.
Password Guessing
Bad passwords: pet’s name, spouse’s name, date of birth, phone number, favorite show, best friend.
Password guessing is a valid and somewhat effective form of obtaining a password. During this process an attacker will attempt to gain a password by using a piece of software designed to test passwords.
- 12.
Using Malware
In February 2005, Joe Lopez, a businessman from Florida,
filed a suit against Bank of America after unknown hackers
stole $90,000 from his Bank of America account. The
money had been transferred to Latvia.
An investigation showed that Mr. Lopez’s computer was
infected with a malicious program, Backdoor.Coreflood,
which records every keystroke and sends this information to
malicious users via the Internet.
Malware is a class of software with no
beneficial use.
- 13.
Using Malware
• Keyloggers are a good example of malware.
• Keyloggers can be used to gain countless pieces of information.
- 14.
Offline
• Rainbow tables
– Uses precomputed hashes to identify a password
- 15.
What Is a Rainbow Table?
Rainbow tables are the end result of a process where every possible combination of characters is generated within certain limits.
• Reduces difficulty in brute-force methods
• Generates hashes for every possible password
• Takes time to create the hash table
• Faster than other types of attacks
• Effective against LAN Manager systems
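As an added example (not from the Sybex slides), the precomputation idea behind a rainbow table worked on a toy keyspace of four-digit PINs hashed with unsalted MD5, beside the salted, iterated hashing that makes such a table useless to the attacker. It is a plain hash-to-plaintext lookup table; real rainbow tables additionally compress storage with hash chains, which is omitted here.

```python
import hashlib
import itertools
import string

# Toy keyspace, constructed for the example: every 4-digit PIN (10,000 candidates).
# Real tables target unsalted fast hashes such as LAN Manager, as the slide notes.
PIN_ALPHABET = string.digits
PIN_LENGTH = 4


def keyspace_size(alphabet: str, length: int) -> int:
    """Number of candidates a full table must cover: |alphabet| ** length."""
    return len(alphabet) ** length


def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_table(alphabet: str = PIN_ALPHABET, length: int = PIN_LENGTH) -> dict:
    """The slow, one-off step: hash every candidate and index it by digest."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        table[unsalted_md5(candidate)] = candidate
    return table


def lookup(table: dict, digest: str):
    """The fast step: one dictionary probe instead of a live brute force."""
    return table.get(digest.lower())


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Defender's side: a per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Every salt would need its own table, and each entry costs `iterations`
    hashes, which is what defeats precomputation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    table = build_table()
    stolen = unsalted_md5("0420")  # constructed stand-in for a captured hash
    print("unsalted MD5 recovered:", lookup(table, stolen))
    print("salted PBKDF2 recovered:", lookup(table, salted_hash("0420", b"per-user-salt")))
    print("table entries needed for 8 mixed-case alphanumerics:",
          keyspace_size(string.ascii_letters + string.digits, 8))
```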
- 16.
Privilege Escalation
• Increasing access for a compromised account
• Typically, the breached account will not have broad privileges
• Raising privileges to a level where more actions can take place
• Can be vertical or horizontal
Not every system hack will initially provide an unauthorized user with full access to the targeted system. In those circumstances, privilege escalation is required.
- 17.
Privilege Escalation Types
Privilege escalation is the process where the access that is obtained is increased to a higher level where more actions can be carried out. The reality is that the account accessed typically will end up being a lower privileged one and therefore one with less access.
• Vertical
– Raising the privileges of an account that has already been compromised
• Horizontal
– Compromising one account and then another and another, each with an increased level of access
- 18.
Tools for Privilege Escalation
Active@ Password Changer
Trinity Rescue Kit
ERD Commander
Kali Linux
Parrot OS
Windows Recovery Environment (WinRE)
Windows Password Recovery
- 19.
Opening a Shell
• LAN Turtle is a remote access pen testing tool
• Housed in a USB network adapter
• Allows opening of a remote shell on a system
• With a shell open, commands can be transmitted to the remote system
What LAN Turtle enables is the ability to perform several attacks such as man-in-the-middle, sniffing, and many others.
- 20.
Running Applications
Backdoors
Crackers
Keyloggers
Malware
When an attacker is executing applications on a system, they are doing so with specific goals in mind.
- 21.
Covering Tracks
• Important step in removing evidence
• Leave no trace behind
• Eliminate or alter logs, error messages, and files
• More evidence or tracks means a greater chance of being detected
- 22.
Working with Log Files
• Prevent leaving of information
• Disabling of auditing on a system
• May prevent or slow detection
• Surgical removal of entries in log files is possible
- 23.
Alternate Data Streams
• Feature of the NTFS file system
• Allows for compatibility with the Macintosh file system
• Stores data in a nearly undetectable resource fork
• Tough to reveal the presence of a data stream
• Special software required to detect files
ADS was introduced into the Windows NTFS file system starting in Windows NT 3.1. This was implemented in order to allow compatibility with the Macintosh Hierarchical File System (HFS).
- 24.
Summary
• What the process looks like
• Steps to take
• Tools to use
• Information to be obtained