Chapter 4 System Hacking: Password Cracking, Escalating Privileges, & Hiding Files
Cracking Passwords
Passive Online Attacks
- Sniffing
- Man-in-the-middle (MITM)
- Replay attack
Active Online Attacks
- Guessing: works well against weak passwords
- Automating guessing from a credential list (one "password username" pair per line in file.txt):
  C:\> FOR /F "tokens=1,2*" %i in (file.txt) do net use \\targetIP\IPC$ %i /u:%j
  (%i is the password, %j the user name; double the % signs when run from a batch file)
Countermeasures
- Complex passwords; password policies; two-factor authentication
Authentication Mechanisms
HTTP Authentication: Basic vs Digest
- Basic: username:password is Base64-encoded, not encrypted; effectively passed in clear text
- Digest: challenge/response model; the client sends an MD5 hash of the credentials combined with a server nonce, so the password itself is never transmitted
NTLM
- Challenge/response using the NT LAN Manager authentication algorithm over HTTP
- Used with Internet Explorer and IIS web servers
Certificate Based
- Strongest; uses a public key and a digital certificate
Forms Based
- Uses a customized form, usually created in HTML
- Authentication ticket is issued via a cookie
MS Passport
- Single sign-on; one authentication for multiple servers
Offline Attacks
- Dictionary attack
- Hybrid attack
- Birthday attack
- Brute-force attack
- Rainbow table
Examples:
- Brutus: brute force, dictionary, hybrid; Windows only
- Cain: password cracking, Windows enumeration, VoIP sniffing; Windows only
- John the Ripper: dictionary & brute force; cracks Windows and Linux/Unix hashes
- Ophcrack: rainbow-table cracking of LM/NTLM hashes; runs on Windows or Linux, also as a live CD
Dictionary: usually the fastest way to break into a machine
- Automated with tools like L0phtCrack
Hybrid
- Adds numbers or symbols to the words in the dictionary file
- e.g. "cat", "cat1", "cat2", etc.
Brute Force
- Tries every combination; often takes the longest time
Birthday
- Exploits the birthday paradox: finding any two inputs that hash to the same value takes far fewer tries than finding a match for one specific hash
Rainbow Table
- Precomputed hash chains trade disk space for cracking time; only works because LM/NT hashes are unsalted
Non-Electronic Attacks
Social Engineering
- Defense: education; security awareness
Shoulder Surfing
- Defense: privacy screens that can't be read at an angle
Dumpster Diving
- Defense: shredder
Password Cracking
Manual Password Cracking Algorithm
- Find a valid user account
- Create a list of possible passwords
- Rank the passwords from high to low probability
- Key in each password
- If the system allows entry -> success; else try the next one (mind the lockout threshold)
Password Cracking
Automatic Password Cracking Algorithm
- Find a valid user account
- Find the hashing (or encryption) algorithm used
- Obtain the stored password hashes
- Create a list of possible passwords
- Hash each word the same way the system does
- See if there is a match for each user ID
- Repeat the above steps
Password Cracking
- Goal: create a hash that matches the stored one
Automating
- Legion: used against NetBIOS sessions (shares)
- L0phtCrack: Windows; dictionary, brute-force, hybrid; captures SMB packets
- John the Ripper: Windows & Unix/Linux
- KerbCrack: Kerberos password sniffer (kerbsniff) & cracker (kerbcrack)
Brute Force attacks on a database
- SQLBF, SQLDict, FindSA, FindSADic
http://video.google.com/videoplay?docid=4683570944129697667&q#
LAN Manager (LM) Hash
- Legacy Windows hash; in NTLMv1 challenge/response the LM and NT hashes serve as the keys that produce the response
- LM hash: password converted to uppercase, truncated or null-padded to 14 bytes, split into two 7-byte halves; each half is a DES key used to encrypt the constant "KGS!@#$%"; the two 8-byte results are concatenated
- NT hash (used by NTLM): MD4 of the Unicode (UTF-16LE) password, case preserved, no 14-character limit
- For passwords of 7 characters or fewer, the second half of the LM hash is always AAD3B435B51404EE
- Neither hash is salted, so identical passwords produce identical hashes
Stored
- Windows: \Windows\system32\config\SAM
- Linux: /etc/shadow (the system's own salted hashes, not LM hashes)
Cracking Windows 2000 Passwords
- Collect the SAM file
  - C:\Windows\system32\config (locked while Windows is running; copy it from offline media or dump it with pwdump)
  - the \repair directory under the Windows folder (backup copy)
- Use a dictionary, brute-force, or hybrid attack
- Look for the account whose SID ends in -500 (the RID) to identify the built-in Administrator, even if it has been renamed
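The automatic cracking algorithm, the LM/NT hash properties and the RID-500 check above, worked through as an added example that is not from the slides or from any of the tools they list. It implements the NT hash (MD4 over the UTF-16LE password) in pure Python so it runs without OpenSSL's legacy MD4 provider, parses pwdump-style "user:RID:LM:NT:::" lines, flags the built-in Administrator, empty passwords and LM hashes whose second half is the constant for passwords of 7 characters or fewer, then runs a dictionary attack with simple hybrid mangling against the NT hashes. The sample dump and word list are constructed: the LM/NT values for "password" and for the empty password are the well-known ones, the jdoe line's LM first half is a placeholder, and the other NT hashes are computed here from assumed passwords. The DES step of the LM hash itself is not reproduced (the standard library has no DES); the LM preparation is shown only up to the two 7-byte DES keys.

```python
import struct

MASK = 0xFFFFFFFF
LM_EMPTY_HALF = "aad3b435b51404ee"               # DES("KGS!@#$%") under an all-zero 7-byte key
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"     # MD4 of the empty string


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 needs OpenSSL's legacy provider)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)        # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for fn, k, order, shifts in rounds:
            for i, xi in enumerate(order):
                t = (-i) % 4                         # register updated this step: a, d, c, b, ...
                mix = fn(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4])
                s[t] = _rol((s[t] + mix + x[xi] + k) & MASK, shifts[i % 4])
        a, b, c, d = [(v + w) & MASK for v, w in zip((a, b, c, d), s)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, case preserved, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def lm_prepare(password: str):
    """LM pre-processing: uppercase, truncate/null-pad to 14 bytes, split into the two 7-byte DES keys."""
    p = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return p[:7], p[7:]


def parse_pwdump(line: str):
    """Parse one 'user:RID:LMhash:NThash:::' line as produced by pwdump."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def audit(entry):
    """Findings worth noting before any cracking starts."""
    findings = []
    if entry["rid"] == 500:
        findings.append("built-in Administrator (RID 500), whatever it is named")
    if entry["nt"] == NT_EMPTY:
        findings.append("empty password")
    if entry["lm"] != LM_EMPTY_HALF * 2:           # null LM hash = LM storage disabled or 15+ chars
        findings.append("LM hash stored (password is 14 chars or fewer, case-insensitive)")
        if entry["lm"][16:] == LM_EMPTY_HALF:
            findings.append("password is 7 characters or fewer")
    return findings


def dictionary_attack(entries, wordlist):
    """Hash each candidate once and look it up against every NT hash: unsalted, so one hash serves all users."""
    targets = {}
    for e in entries:
        targets.setdefault(e["nt"], []).append(e["user"])
    cracked = {}
    for word in wordlist:
        for cand in (word, word.capitalize(), word + "1", word + "123"):   # hybrid-style mangling
            for user in targets.get(nt_hash(cand), []):
                cracked[user] = cand
    return cracked


# Constructed sample dump (user:RID:LM:NT:::); see the notes above on which values are real.
SAMPLE_DUMP = [
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jdoe:1001:0123456789abcdefaad3b435b51404ee:" + nt_hash("secret1") + ":::",      # assumed password
    "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("Tr0ub4dor&3") + ":::",  # assumed password
]
WORDLIST = ["welcome", "secret", "password", "admin"]     # constructed word list

if __name__ == "__main__":
    entries = [parse_pwdump(line) for line in SAMPLE_DUMP]
    for e in entries:
        print(f"{e['user']:<14} RID {e['rid']:<5} {'; '.join(audit(e)) or 'nothing notable'}")
    print("cracked:", dictionary_attack(entries, WORDLIST))
```

Administrator and jdoe fall to the word list; Guest is already flagged by the audit as having no password at all, and svc_backup survives because its password is not in the list and its LM hash is null, so there is no weaker hash to fall back on.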
Redirect SMB Logins
Cracking Tools
- SMBRelay
- SMBRelay2
- pwdump2
- C2MYAZZ
SMBRelay
- Captures usernames and password hashes (the challenge/response) from SMB traffic and can relay the authentication to another host
SMBRelay2
- Uses NetBIOS names instead of IP addresses
pwdump2
- Extracts password hashes from the SAM while Windows is running (injects into LSASS, so SYSKEY does not stop it)
C2MYAZZ
- Tricks Windows systems into passing their credentials in clear text (downgrades the client to plaintext authentication)
Password-Cracking Countermeasures
- Passwords of 8 characters or more (15 or more are never stored as an LM hash; better still, disable LM hash storage)
- Windows: SYSKEY (128-bit) encryption of the SAM
- Linux: shadow passwords (/etc/shadow readable only by root)
- Don't use anything obvious
- Policies to force changes, complexity, and lockout
- Monitoring
- CAPTCHA: challenge/response test to ensure the response is not generated by a computer (slows automated online guessing)
Keyloggers
Hardware
- Requires physical access
- Cannot be detected by monitoring software on the host
Software
- FBI's "Magic Lantern": keylogger & encryption-cracking tool
- Spector
- eBlaster
- SpyAnywhere
Escalating Privileges
- Non-admin accounts might not have passwords as stringent as administrators'; get in as a user, then escalate
Tools
- GetAdmin
- HK.exe
Executing apps once elevated
- PsExec
- Remoxec
Rootkits - Backdoor
Types
- Kernel-level
- Library-level
- Application-level
Capabilities
- Hide processes
- Hide registry entries
- Intercept keystrokes
- Blue Screens of Death (side effect of unstable kernel hooks)
- Redirect .exe files
http://www.youtube.com/watch?v=u5VvmL5Tqvc&feature=related
http://www.youtube.com/watch?v=PcqnG4-NkZ4
Rootkit Countermeasures
- Restrict admin access
- Monitor file changes
  - Tripwire: checks file size, signature & integrity against a stored baseline
- Don't forget sigverif! (Windows File Signature Verification: lists system files and drivers that are not digitally signed)
- Repair: reinstall the OS from a known-good source
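The "monitor file changes" countermeasure, as an added example that is not from the slides or from Tripwire itself: it takes a baseline of size, mode and SHA-256 for every regular file under a directory, seals the baseline with an HMAC (so an attacker who can rewrite the disk cannot quietly rewrite the baseline as well), and later reports added, removed and modified files. The demo populates a temporary directory with constructed fake system files, trojans one binary with a same-length replacement so that a size-only check would miss it, and also shows the seal failing when the stored baseline is edited. The key must be kept off the monitored host; here it is generated in memory only for the demonstration.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file (path relative to root) to its size, mode and SHA-256."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and devices need a different check
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            base[rel] = {"size": st.st_size, "mode": oct(st.st_mode & 0o7777), "sha256": digest.hexdigest()}
    return base


def seal(baseline, key: bytes) -> str:
    """HMAC over the canonical JSON form of the baseline; store key and tag off the monitored host."""
    blob = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_seal(baseline, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(baseline, key), tag)


def compare(baseline, current):
    """Diff two snapshots; any change in size, mode or hash counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake system tree, then tamper with it like a rootkit would."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("bin/ls", b"\x7fELF original ls binary ")
    put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    put("lib/libc.so", b"\x7fELF libc ")
    baseline = snapshot(root)
    key = os.urandom(32)                      # demo only; a real key lives off-host
    tag = seal(baseline, key)

    put("bin/ls", b"\x7fELF trojaned ls binary ")   # same length as the original: size alone misses it
    put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nhax:x:0:0::/:/bin/sh\n")
    put("lib/libevil.so", b"\x7fELF rootkit ")
    os.remove(os.path.join(root, "lib/libc.so"))
    report = compare(baseline, snapshot(root))
    baseline_intact = verify_seal(baseline, key, tag)

    # An attacker who edits the stored baseline to match the trojan changes the HMAC.
    tampered = dict(baseline)
    tampered["bin/ls"] = snapshot(root)["bin/ls"]
    tamper_detected = not verify_seal(tampered, key, tag)
    return report, baseline_intact, tamper_detected


if __name__ == "__main__":
    report, intact, tamper = demo()
    print("changes:", report)
    print("stored baseline intact:", intact, "| edited baseline rejected:", tamper)
```

The check only has value if it runs from media the attacker cannot alter (boot CD, read-only mount) with the baseline and key kept elsewhere; a kernel-level rootkit on the live system can lie to the scanner about what the files contain.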
Hiding Files
- attrib +h: sets the hidden attribute (revealed by dir /ah)
- NTFS Alternate Data Streams: data attached to a file as file.txt:hidden.exe, not listed by a plain dir
- Steganography
- Hide data in unused sectors, hidden partitions, slack space
Steganography tools
- ImageHide: image files
- Blindside: BMP files
- MP3Stego: MP3 files
- Snow: ASCII text files (hides data in trailing whitespace)
- Stealth: PGP files
http://www.youtube.com/watch?v=bnHVSXbXdnQ
Detecting Steganography
- Stegdetect; Dskprobe
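Least-significant-bit steganography in a 24-bit BMP, the technique behind tools like Blindside, as an added example that is not from the slides or from any named tool. It builds a small uncompressed BMP in memory (a constructed cover image with a gradient fill), hides a length-prefixed message one bit per pixel byte starting at the pixel offset read from the file header, and extracts it again; the header is left untouched so the file still opens as an ordinary image, and no byte of the pixel data changes by more than 1. The length prefix and the capacity check are this example's own framing, not a format any of the listed tools use.

```python
import struct

HEADER_SIZE = 54      # 14-byte file header + 40-byte BITMAPINFOHEADER


def make_bmp(width, height):
    """Minimal uncompressed 24-bpp BMP filled with a gradient (constructed cover image)."""
    row_bytes = (width * 3 + 3) & ~3           # rows are padded to a multiple of 4 bytes
    pixel_bytes = row_bytes * height
    header = struct.pack("<2sIHHI", b"BM", HEADER_SIZE + pixel_bytes, 0, 0, HEADER_SIZE)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(((x * 7 + y * 3) & 0xFF, (x * 5) & 0xFF, (y * 11) & 0xFF))
        row += b"\x00" * (row_bytes - width * 3)
        rows.append(bytes(row))
    return header + info + b"".join(rows)


def _pixel_offset(bmp):
    """Offset of the pixel array, taken from the file header so the header itself is never touched."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", bmp, 10)[0]


def capacity(bmp):
    """Payload bytes the pixel area can hold at one bit per byte, after the 4-byte length prefix."""
    return (len(bmp) - _pixel_offset(bmp)) // 8 - 4


def embed(bmp, message):
    if len(message) > capacity(bmp):
        raise ValueError(f"message of {len(message)} bytes exceeds capacity {capacity(bmp)}")
    payload = struct.pack("<I", len(message)) + message
    out = bytearray(bmp)
    pos = _pixel_offset(bmp)
    for byte in payload:
        for bit in range(7, -1, -1):           # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> bit) & 1)
            pos += 1
    return bytes(out)


def extract(bmp):
    pos = _pixel_offset(bmp)

    def read_bytes(n):
        nonlocal pos
        buf = bytearray()
        for _ in range(n):
            value = 0
            for _ in range(8):
                value = (value << 1) | (bmp[pos] & 1)
                pos += 1
            buf.append(value)
        return bytes(buf)

    (length,) = struct.unpack("<I", read_bytes(4))
    if length > capacity(bmp):
        raise ValueError("no plausible payload: length prefix exceeds capacity")
    return read_bytes(length)


def max_pixel_delta(cover, stego):
    """Largest per-byte change in the pixel area; LSB embedding never exceeds 1."""
    off = _pixel_offset(cover)
    return max(abs(a - b) for a, b in zip(cover[off:], stego[off:]))


if __name__ == "__main__":
    cover = make_bmp(64, 64)
    secret = b"meet at the usual place, 03:00 -- burn after reading"    # constructed message
    stego = embed(cover, secret)
    print("capacity:", capacity(cover), "bytes; recovered:", extract(stego))
    print("max change to any pixel byte:", max_pixel_delta(cover, stego))
```

Extraction from an untouched cover fails the plausibility check because the cover's natural low bits decode to an absurd length; that is also the weakness detectors exploit, since embedding replaces the image's own LSB statistics with those of the payload.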
Covering Tracks
- Disable auditing: auditpol
- Clear event logs
  - Elsave: clears the entire log
  - WinZapper: selective clearing of individual records
  - Evidence Eliminator
Additional Study Site http://www.scribd.com/doc/35606512/10/Performing-automated-password-guessing