Presentation is loading. Please wait.

Presentation is loading. Please wait.

System Hacking (Gaining Access) Additions to CEH ed 8, Rev 4 CS3695 – Network Vulnerability Assessment & Risk Mitigation–

Published byDiana West Modified over 8 years ago

Similar presentations

Presentation on theme: "System Hacking (Gaining Access) Additions to CEH ed 8, Rev 4 CS3695 – Network Vulnerability Assessment & Risk Mitigation–"— Presentation transcript:

1 System Hacking (Gaining Access) Additions to CEH ed 8, Rev 4 CS3695 – Network Vulnerability Assessment & Risk Mitigation–

2 Into Gaining Access System Hacking

3 System Hacking

4 Before we go into grabbing passwords, lets see how they are created and stored Again, differs by OS... Usually not stored in the clear, but in general are “hashed” (a one way encryption algorithm is applied) such as DES and MD5 Creating Passwords

5 Creating Strong Passwords A strong password is one that will defeat even a brute force attack that uses a “super” computer Why? Because the math is in your favor –Character_set_size to the power of number_of_characters –For example: a password created with three lower-case only characters (a..z) has… 26 3 = 26 x 26 x 26 = 17,576 possible variations –You should draw from a large character set, and... –Make your passwords longer -- at least 8 characters, more would be even stronger

6 Time to Discover Comparison OLDER #s (Early 2007) if 8 charactersif 12 characters if a..z only26 8 ~2 days 26 12 ~3,000 yrs if a..z, and 0..936 8 ~33 days 36 12 ~150,000 yrs if a..z, A..Z, 0..9, and !@#$%^&*( ) 72 8 ~23 yrs 72 12 ~615,000,000 yrs All times above are based upon a notional password checking speed of one million checks per second. Numbers are rounded to enhance readability.

7 NEWEST #sif 8 charactersif 12 characters if a..z only26 8 ~2 days 1 Min 26 12 ~3,000 1 yrs if a..z, and 0..936 8 ~33 days 17 Min 36 12 ~150,000 53 yrs if a..z, A..Z, 0..9, and !@#$%^&*( ) 72 8 ~23 yrs 3 Days 72 12 ~615,000,000 yrs 220,000 yrs All times above are based upon a notional password checking speed of 2.8 Billion checks per second (2011 numbers, graphic cards, non-distributed). Numbers are rounded to enhance readability. Using a BOTNET of 500,000 computers with high-end graphic cards could take this down to 4 MONTHs Time to Discover Comparison

8 NEWEST #sif 8 charactersif 12 characters if a..z only26 8 2 days 26 Secs 26 12 3,000 yrs 3.5 Months if a..z, and 0..936 8 ~33 days 6 Min 36 12 ~150,000 18 yrs if a..z, A..Z, 0..9, and !@#$%^&*( ) 72 8 ~23 yrs 1 Day 72 12 ~615,000,000 yrs 77,000 yrs All times above are based upon a notional password checking speed of 8 Billion checks per second (2013 numbers, graphic cards, non-distributed). Numbers are rounded to enhance readability. Using a BOTNET of 500,000 computers with high-end graphic cards could take this down to 1.5 MONTHs Time to Discover Comparison Difference 6 yrs can make

9 12 Character Passwords Too Hard???

10 Passwords “Hacked” Individually Of course, none of this math helps when someone is willing to give their password away (as in phishing).

11 Password Hashes are created by: –The user types in a password Used to be limited to 8 chars represented via 7-bit ASCII set –There where 128 characters that can be used –this leads to over 72,000,000,000,000,000 possible passwords –That password is then combined with a system/host unique “salt” (a type of nonce) pwd+salt There are 4096 different possible salt values Creating UNIX Pwds

12 This combo (pwd+salt) becomes the key for the hashing (DES or MD5) the value “0” (zero) is then hashed with this key, producing 13 character string (the first 2 of which are the salt) –composed of 64 possible characters (upper & lower case letters, numbers, the “.” and “/”) This hash is then stored with the user account in a psw file (/etc/passwd) UNIX continued

13 This file (passwd) is readable by everyone, (for login purposes) The administrator may decide to “shadow” the hashes in a separate file(/etc/shadow) readable only by root, for greater protection To “crack” these passwords, we need these files! UNIX continued

14 Macintosh OS X Remember that this is FreeBSD underneath Also, on modern Unix systems, passwords are shadowed, which means only the administrator has access to them. /etc directory has the passwd and shadow files, but are NOT used (see later slides). The password file is readable by everyone and the shadow file, the one that keeps the encrypted password, is limited to the root account only.

15 Mac OS X On MacOS X, there is a passwd file in /etc but it is only used in single-user mode and the rest of the info in located elsewhere, accessible to the administrator only.

16 Mac OS X 10.1-10.6 As it turns out, the Net Info manager handles the user access to databases that hold information on: –Aliases, Groups, Machines, Mounts, Networks, Printers, Protocols, Rpcs, Services, & Users This can be seen if you open NetInfo Manager in the Utilities Directory.

17 Mac OS X 10.1-10.6 There is a command line access to the Net Info manager: –nidump This can be used to access the passwd file (and the hashes)... –nidump passwd / –man for more info on nidump. May have been fixed in version X.3 –tried this on 10.3.5 and still works :-) –Only new passwords created on 10.3.5+ will be fixed..

18 Mac 0s X 10.7+ A user creates an account, and then the encrypted hash of the user's password file, their "Shadow" file, is saved in a.plist file – located in /var/db/dslocal/nodes/Default/users. However, one major flaw was overlooked. Non-root users cannot directly view hash data, but rather, they can extract it from Directory Services.

19 Max OS X 10.7+ To see hash data, invoke Directory Services using the /Search/ path like so: dscl localhost -read /Search/Users/ Now, in the terminal output you should see a line in there that says: dsAttrTypeNative:ShadowHashData: –Look at the bytes below it. –Bytes 28-32 are the password salt (4 bytes are in each octet), and bytes 32-96 are the SHA512 hash. –load the hash into a password cracker for SHA512 hashes with 4 byte salts

20 Windows is a little different... It creates TWO representations of the password –Newer NT-specific algorithm –Older (for compatibility) LanMan hash used for Win 9x and Windows for Workgroups This older algorithm has been broken (reverse engineered) and therefor easier to break Finally turned of by default in Windows 7, Server 2008 Creating Windows Pwds

21 Weakness of the LM hash is the seperation of the password into two seven-character password halves –Thus an 8 char password is broken down into a 7 char and a 1 char passwords... much easier to break 7 chars then 14! LanMan Hashes

22 So pwd 123456qwerty becomes: –convert to all upper case 123456QWERTY –Split 123456Q and WERTY_ _ (spaces to fill 7) –123456Q is hashed to 6BF11E04AFAB197F –WERTY is hashed to 1E9FFDCC75575B15 –stored as a 6BF11E04AFAB197F1E9FFDCC75575B15 Example of LanMan Hash

23 NT & 2000 store the user account and password info in the SAM (Security Account Manager) file. –usually found in %systemroot%\system32\config directory –NOTE: its LOCKED while the OS is running an NOT readable by even Administrator SAM File

24 Some ways to get SAM data for later cracking: –Boot the system (host) into another OS special tools to do this such as NTFSDOS & Knoppix STD –Grab the backup of the SAM file found in the %systemroot%\repair directory its compressed and called sam._ –will need to be decompressed with special programs »c:\windows\system32\expand sam._ sam It can be created, if not there, with NT repair disk program rdisk with the /s argument Getting SAM Data

25 Continuing ways to get SAM data for later cracking: –Specialty programs that extract the hashes directly from the sam pwdump3 –requires a shell with admin access on the remote host! –Eavesdropping on network username/password exchanges L0phtcrack, dsniff, Cain & Abel can do this for you Getting SAM Data continued

26 Continuing ways to get SAM data for later cracking: –NT security Log for failed log on People sometimes mistakenly type their password in the user box –Keystroke capturing devices –Backup disks Getting SAM Data continued

27 AD vs. LDAP vs. Kerberos Kerberos –Authentication and Access Granting Service Active Directory (AD) –Windows database Query for access control to objects, for example Light Weight Access Protocol (LDAP) –Protocol for clients to query and manage information in a Directory Service (like AD) TCP port 389

28 Working Together AD: Access Control –Authorizes access to objects stored locally or in LDAP LDAP: Protocol for querying access permissions –Can store passwords Kerberos: Authentication –Used to Authenticate a user LDAP can also do this directly without Kerberos –SAM password file accessed by Kerberos

29 System Hacking is the 4 th Step Remember… –Registered names lead to IP addresses –IP addresses lead to ports –Ports lead to services –Services lead to… Versions of –Applications –OS –Services User Accounts Shares –Versions lead to exploits and access… –Access leads to higher privileges… Enumeration… Scanning… Foot- printing… Gaining Access… Escalation…

Download ppt "System Hacking (Gaining Access) Additions to CEH ed 8, Rev 4 CS3695 – Network Vulnerability Assessment & Risk Mitigation–"

Similar presentations

Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
The Cain Tool Presented by: Sagar Chivate CS 685F.

The Cain Tool Presented by: Sagar Chivate CS 685F.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Password CrackingSECURITY INNOVATION ©2003 1 Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.

Password CrackingSECURITY INNOVATION © Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Chapter 2 Accessing Your System and the Common Desktop Environment.

Chapter 2 Accessing Your System and the Common Desktop Environment.
Samba Integrating SMB file systems with UNIX. Samba Provides a file server compatible with Windows 9x and NT.. SMB Can function in NETBIOS name browsing.

Samba Integrating SMB file systems with UNIX. Samba Provides a file server compatible with Windows 9x and NT.. SMB Can function in NETBIOS name browsing.
F HEPNT/HEPIX Sept, 1999 Use of SPQuery and STAT At FNAL.

F HEPNT/HEPIX Sept, 1999 Use of SPQuery and STAT At FNAL.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Chapter 6 Enumeration Modified 9-28-09. Objectives  Describe the enumeration step of security testing  Enumerate Microsoft OS targets  Enumerate NetWare.

Chapter 6 Enumeration Modified Objectives  Describe the enumeration step of security testing  Enumerate Microsoft OS targets  Enumerate NetWare.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Similar presentations

Ads by Google