Presentation is loading. Please wait.

Presentation is loading. Please wait.

System Hacking Techniques

Published byDonna Walsh Modified over 8 years ago

Similar presentations

Presentation on theme: "System Hacking Techniques"— Presentation transcript:

1 System Hacking Techniques
BAI514 – Security I

2 System Hacking Techniques
Once the pretest phases are complete, the next goal is to hack the target system The goal is to completely “own” the target This requires Passwords Active usernames Highest level of permissions This is achieved by exploiting common operating system vulnerabilities

3 System Hacking Techniques
To successfully hack a system you need to Identify various password cracking techniques and tools Understand escalation of privilege Understand keyloggers and rootkits Understand how to hide files, cover tracks, perform steganography, and erase evidence

4 Password Guessing Password guessing is the first step to owning the target Common passwords are Password webmaster Root backup Administrator trial Admin guest operator member Demo private Test {blank}

5 Password Guessing Password guessing can be done by creating a null share, using a known username Good candidate accounts include Accounts that have never been logged in Accounts that haven’t had a password change in a while Administrator Guest net use * \\target_ip\share * /u:name

6 Password Guessing Automated Password Guessing
Guessing passwords is seldom easy Attackers need to hit as many accounts and try as many passwords as possible Can be done by creating a simple script that loops the guessing with NET USE C:\> FOR /F “token=1, 2*” %i in (credentials.txt) do net use \\target\IPC$ %i /u: %j credentials.txt = a username/password text file

7 Password Guessing Automated Password Guessing (cont.) Drawbacks
Can cause a DoS if a password lockout policy exists Target the guest account first to see if a policy exists Automated password guessing tools Legion NetBIOS Auditing Tool

8 Password Guessing Password Sniffing
Often a preferred tactic to password guessing Credentials are sniffed off the wire Once captured, credentials are simply replayed

9 Password Guessing Password Sniffing (cont.) L0phtcrack (LC5) KerbCrack
Password auditing and recovery application Includes a sniffer to extract user credentials Purchased by Symantec and discontinued KerbCrack Another useful password sniffer Two parts KerbSniff – listens on port 88 Kerbcrack – used to brute force passwords

10 Password Guessing Password Sniffing (cont.) Other sniffers
ScoopLM – sniffs for Windows LM/NTLM authentication Has a built-in dictionary and brute force cracker Dsniff – Collection of Unix tools for network auditing and pen testing Wireshark Sniffit – general purpose sniffer Snort – IDS and sniffer TCPDump/WinDump

11 Password Guessing Alternate means for acquiring passwords
Dumpster diving Post-it notes are great! Shoulder Surfing Watch a user login or enter a code Take pictures/video if you can

12 Password Guessing Keystroke loggers (keyloggers)
Intercept the targets keystrokes Stored in a file to be read later Transmit them to the hacker All keystrokes are recorded Lots of useful information! Lots of useless information too...

13 Password Guessing Keyloggers (cont.) Two types Hardware Software
Require physical access to the computer Most difficult to detect with anti-spyware/firewall Software Installed directly on the target system Typically part of a trojan Some include screen capture capabilities Spector and PCSpy Some include audio/video capture capabilities

14 Password Guessing Keyloggers (cont.) Keylogging tools ISpyNow
Invisible keylogger PC Activity Monitor IKS Software keylogger KeyCaptor Remote Spy

15 Privilege Escalation Often the Administrator account and password cannot be obtained The attacker will have to settle for accessing the network with a non-administrator account The attacker will need to escalate the privileges for this account

16 Privilege Escalation Privilege escalation tools must be executed on the local machine Some can be executed remotely OS patches can reduce the ability of these tools to function

17 Privilege Escalation Privilege escalation tools must be executed on the local machine Some can be executed remotely OS patches can reduce the ability of these tools to function

18 Privilege Escalation Privilege Escalation Tools
GetAdmin.exe – works only with NT 4.0 SP3 Hk.exe – works on IIS 5.0 Pipeupadmin – works on Windows 2000 Billybastard – works on WS2K3 and XP Getad – works on XP

19 Password Cracking Passwords are generally stored and transmitted in an encrypted form called a hash When a user logs in, a password hash is generated and compared with a stored hash

20 Password Cracking Prior to Windows NT 4.0 SP4, windows supported two kinds of challenge/response LanManager (LM) Not case sensitive Converts all characters to upper case All passwords are stored as two 7-character hashes Passwords exactly 14 characters will be split into two 7-character hashes Passwords fewer than 14 characters will be padded upto 14 characters, then split in two Due to the mathematics of password cracking, it is easier to crack two 7-character hashes than one 14-character hash

21 Password Cracking LanManager (cont.)
Example – password is “123456qwerty” Password converted to upper case “123456QWERTY” Password is padded with NULL to 14 characters “123456QWERTY..“ Password split in two “123456Q” and “WERTY..” Each half is hashed “123456Q” = 6BF11E04AFAB197F “WERTY..” = F1E9FFDCC75575B15 The two hashes are concatenated 6BF11E04AFAB197F F1E9FFDCC75575B15

22 Password Cracking NTLM
Uses all 14 characters Allows upper and lowercase letters The LM hash has been replaced with WinNT Challenge/Response NTLMv2 Key space is now 128 bits Windows 2000 SP2 and later allowed the disabling of LAN Manager password storing

23 Password Cracking Password Cracking Techniques
Once a hash is obtained, it can be cracked Tools must be used to generate hashes until a match is found Automated password crackers employ one or more types of password attacks Brute force Dictionary attack Hybrid attack Rainbow attack

24 Password Cracking Password Cracking Techniques (cont.)
Dictionary attack Fastest method for generating hashes Many dictionaries are available Most tools include a base dictionary

25 Password Cracking Password Cracking Techniques (cont.)
Brute Force Attack Most powerful method Randomly generates passwords and their hashes Can take a very long time (months, years?) All passwords can be cracked with brute force

26 Password Cracking Password Cracking Techniques (cont.) Hybrid Attack
Builds on the dictionary method by adding numeric and symbolic characters to dictionary words Examples

27 Password Cracking Password Cracking Techniques (cont.) Rainbow Attack
Trades off the time-consuming process of creating all possible password hashes Builds a hash table in advance Extremely fast Hash table is stored in order for rapid indexing of the target hash

28 Password Cracking Stealing SAM
SAM file in Windows NT/2000/2003 contains the usernames and encrypted passwords Located in: %systemroot%\system32\config The file is locked when the system is running Boot the system from an alternate OS Starting with WinNT SP3, a second layer of 128-bit encryption was added called SYSKEY This makes cracking the passwords MUCH harder

29 Password Cracking Cracking Tools
Once password hashes have been collected, a password cracking tool can be used L0phtcrack – mentioned earlier John the Ripper – currently available for Unix, DOS, Win32, BeOS Brutus – uses dictionary and brute force attacks Ophcrack – uses Rainbow Tables RainbowCrack – uses Rainbow Tables Pwdump – password extraction tool that can bypass SYSKEY

30 Covering Tracks Once a system has been compromised, the attacker is not finished... The attacker must cover their tracks Disable logging Clear log files Eliminate evidence Plant additional tools

31 Covering Tracks Disable Auditing Auditpol.exe
Included in the WinNT Resource Kit Disables auditing c:\>auditpol \\ /disable Once the system is compromised and all tools are installed, auditing can be enabled again

32 Covering Tracks Clearing the Event Log
The attacker will want to clear the logs in Event Viewer Tools Eslave – clears the security log This method will draw attention Evidence Eliminator – very powerful, easy to use log cleanser Winzapper – can erase event records selectively

33 Covering Tracks Planting Rootkits
One of the goals of hacking is to allow the attacker to access the box at a later time This can be done by installing a rootkit Rootkit A collection of software tools that a cracker uses to obtain administrator access to a computer or network Can also monitor traffic, keystrokes, create backdoors, alter log files, attack other systems, alter existing tools to circumvent detection

34 Covering Tracks Planting Rootkits Ntrootkit
Can do all of the afore mentioned Hide processes Hide files Hide registry entries Intercept keystrokes Issue a debug interrupt, causing a BSoD Redirect EXE files

35 Covering Tracks File Hiding
Two ways of hiding files in Windows (other than rootkits) File attributes Attrib.exe +h [file/directory] Using NTFS Alternate Data Streaming (ADS)

36 Countermeasures Password guessing/cracking
Enforce 7-12 character alphanumeric, upper/lower case, passwords Force password changing on a regular basis Physically isolate and protect servers Use SYSKEY utility to store hashes on disk Monitor server logs Block access to TCP Disable WINS Log failed login attempts Log successful login attempts

37 File hiding/rootkits

38 FIN

Download ppt "System Hacking Techniques"

Similar presentations

Module XVII Novell Hacking

Module XVII Novell Hacking
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Password CrackingSECURITY INNOVATION ©2003 1 Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.

Password CrackingSECURITY INNOVATION © Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Week 5-1 Week 5: System Hacking Administrator Password Guessing.

Week 5-1 Week 5: System Hacking Administrator Password Guessing.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.

Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Securing Operating Systems Chapter 10. Security Maintenance Practices and Principles Basic proactive security can prevent many problems Maintenance involves.

Securing Operating Systems Chapter 10. Security Maintenance Practices and Principles Basic proactive security can prevent many problems Maintenance involves.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.

VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.

Similar presentations

Ads by Google