Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 4 System Hacking: Password Cracking, Escalating Privileges, & Hiding Files.

Published byCleopatra Ross Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 4 System Hacking: Password Cracking, Escalating Privileges, & Hiding Files."— Presentation transcript:

1 Chapter 4 System Hacking: Password Cracking, Escalating Privileges, & Hiding Files

2 Cracking Passwords Passive Online Attacks (sniffing)
MITM Replay Attack Active Online Attacks Guessing: works well for weak passwords Automating Dictionary Generator C:\> FOR /F “token=1, 2*” %i in (file.txt) Net use \\targetIP\IPC$ %1 /u: %j Countermeasures Complex passwords; policies; two factor authentication Authentication Mechanisms HTTP Authentication: Basic vs Digest - Basic: uses base64 encoded string; passed in clear text - Digest: uses challenge/response model; passed encrypted NTLM - challenge/response uses NT LAN Manager Authentication algorithm over HTTP Used with MS Explorer and IIS Web servers Certificate Based - Strongest; uses public key & digital certificate Forms Based - Uses a customized form usually created in HTML - Authentication ticket is issued via a cookie MS Passport - Single Signon; authentication for multiple servers;

3 Offline Attacks Dictionary Attack Hybrid Attack Birthday Attack
Brute-force Attack Rainbow Table Examples: Brutus: brute force, dictionary, hybrid; Windows only Cain: password cracking, Windows enumeration, VoIP sniffing; Windows only John the Ripper: dictionary & brute force; used for Windows & Linux/Unix Ophcrack: used for NTLM hash; Windows only Dictionary: fastest way to break into a machine - Automated with tools like LophtCrack Hybrid - add numbers or symbols to the dictionary file - eg: “cat”, “cat1”, “cat2”, etc Brute Force - often takes the longest time Birthday - Based on the anomaly of the birthday paradox

4 Non Electronic Attack Social Engineering Shoulder Surfing
Defense: Education; security-awareness Shoulder Surfing Defense: Special screens can’t be read at an angle Dumpster Diving Defense: Shredder

5 Password Cracking Manual Password Cracking Algorithm
Find a valid user account Create a list of possible passwords Rank the passwords from high to low probability Key in each password If the system allows entry -> Success; else try again

6 Password Cracking Automatic Password Cracking Algorithm
Find a valid user account Find encryption algorithm used Obtain encrypted passwords Create list of possible passwords Encrypt each word See if there is a match for each user ID Repeat above steps

7 Password Cracking Create a hash that matches Automating
Legion: used in NetBios session L0phtCrack Windows dictionary, brute-force, hybrid; captures SMB packets John the Ripper: Windows & Unix/Linus KerbCrack: Kerberos password sniffer (kerbsniff) & cracker (kerbcrack) Brute Force attacks on a database SQLBF, SQLDict, FindSA, FindSADic

8 Lan Manager Hash Used by NTLMv1; challenge/response protocol; uses MD4 hash of user’s password Convert to uppercase and pad to make 14 For 7 characters or less, the second ½ will be AAD3B435B51404EE Stored Windows: \Windows\system32\config\SAM Linux: /etc/shadow

9 Cracking Windows 2000 Passwords
Collect the SAM file C:\Windows\system32\config C:\repair Use a dictionary, brute-force, or hybrid attack Look for SID of …-500 to identify the Admin account

10 Redirect SMB Logins Cracking Tools SMBRelay SMBRelay2 pwdump2 C2MYAZZ
Captures username/passwords from SMB traffic SMBRelay2 Uses NetBIOS names instead of IP addresses pwdump2 Extracts password hashes from SAM file C2MYAZZ Tricks Windows systems into passing their credentials in clear text.

11 Password-Cracking Countermeasures
>=8 characters long Windows: SYSKEY (128bit) encryption Linux: shadow passwords Don’t use anything obvious Polices to force changes, complex, and lockout Monitoring Use CAPTCHA: challenge/response test to ensure that the response is not generated by a computer;

12 Keyloggers Hardware Software Requires physical access
Cannot be detected by monitoring software Software FBI’s “Magic Lantern” Keylogger & encryption-cracking tool Spector eBlaster SpyAnywhere

13 Escalating Privileges
Non-admin accounts might not have as stringent password as administrators Tools GetAdmin HK.exe Executing Apps once elevated PsExec Remoxec

14 Rootkits - Backdoor Kernel-Level Library-Level Application-Level
Hide processes Hide registry entries Intercept keystrokes Blue Screens of Death Redirect Exe files

15 Rootkit Countermeasure
Restrict Admin access Monitor file changes TripWire: checks file size, signature, & integrity Don’t forget: sigverif! Repair: reinstall the OS from known good source

16 Hiding Files Attrib +h NTFS Alternate Data Streaming Steganography
Hide data in Unused Sectors, Hidden Partitions, Slack Space ImageHide: Image files Blindside: BMP files MP3Stego: MP3 files Snow: ASCII files Stealth: PGP files Detecting Steganography Stegdetect; Dskprobe

17 Covering Tracks Disable Auditing Clear Event Logs Auditpol Elsave
Clears entire log WinZapper Selective clearing Evidence Eliminator

18 Additional Study Site

Download ppt "Chapter 4 System Hacking: Password Cracking, Escalating Privileges, & Hiding Files."

Similar presentations

Module V System Hacking

Module V System Hacking
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Password CrackingSECURITY INNOVATION ©2003 1 Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.

Password CrackingSECURITY INNOVATION © Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Sanjay Goel, School of Business/NYS Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/NYS Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
Password Attacks Mike. Guessing Default Passwords Many applications and operating systems include built-in default passwords. Lazy administrators Database.

Password Attacks Mike. Guessing Default Passwords Many applications and operating systems include built-in default passwords. Lazy administrators Database.
Week 5-1 Week 5: System Hacking Administrator Password Guessing.

Week 5-1 Week 5: System Hacking Administrator Password Guessing.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.

Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.

Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.
Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.

Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.

Similar presentations

Ads by Google