Active Directory/Security Accounts Manager (SAM) Database
Manages user accounts and passwords in hashed format using a registry file on Windows computers
NT LAN Manager (NTLM)
A windows authentication scheme that performs authentication using a challenge/response strategy
Kerberos
A Windows network mutual authentication protocol that provides strong authentication for client/server applications through secret-key cryptography
Kerberos Key Distribution Center (KDC)
Consists of two parts: the authentication server (AS) and the ticket granting server (TGS). Responsible for authenticating users and issuing session keys and tickets. In Windows Active Directory implementations, the domain controller serves as the KDC.
pwdump7
An application that dumps the LM and NTLM password hashes from the Windows SAM database
NTLM Authentication Process
1. Client enters username and password
2. Windows generates a hash for the entered password
3. The client's computer sends a login request and domain name to the domain controller
4. The domain controller generates a 16-byte random value called a nonce, which it sends to the client
5. The client's computer encrypts the nonce with the hash of the user's password and sends it to the domain controller
6. The domain controller gets the user's password hash from the Windows SAM database and encrypts the nonce with that hash. The domain controller then checks whether its result is the same as the one the client sent.
Password Cracking
The process of recovering passwords from the data transmitted by a computer system or from the data stored in it
Non-Electronic Password Attacks
Do not require any technical knowledge about hacking or system exploitation
Active Online Password Attacks
The attacker communicates with the target machine to gain password access
Passive Online Password Attacks
A type of system attack that does not lead to any changes in the system. In this attack, the attacker does not have to communicate with the system, but passively monitors or records the data passing over the communication channel.
Offline Password Attacks
An attacker tries to recover cleartext passwords from a password hash dump
Social Engineering Attacks
A non-technical type of intrusion that exploits human behavior
Shoulder Surfing
A non-electronic technique of stealing passwords by hovering near legitimate users and watching them enter their passwords
Dumpster Diving
The collection of useful, general information from waste dumps such as trashcans, curbside containers, and dumpsters
Dictionary Password Attack
An active online password attack where a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password.
Brute Force Password Attack
An active online password attack where attackers try every combination of characters until the password is broken
Rule Based Password Attack
An active online password attack used when the attacker obtains some information about the password. This is a more powerful attack than dictionary and brute-force attacks because the cracker knows the password type.
Password Spraying
An active online password attack that targets multiple user accounts simultaneously using one or a small set of commonly used passwords.
Mask Attack
An active online password attack similar to brute-force attacks, but recovers passwords from hashes with a more specific set of characters based on information known to the attacker
Password Guessing
An active online password attack that involves attempting to log on to the target system with different passwords manually
Default Passwords
Default passwords are those supplied by manufacturers with new equipment (e.g., switches, hubs, routers). Usually, default passwords provided by the manufacturers of password-protected devices allow the user to access the device during the initial setup and then change the password. However, often an administrator will either forget to set the new password or ignore the password-change recommendation and continue using the original password. Attackers can exploit this lapse and find the default password for the target device from manufacturer websites or using online tools that show default passwords to access the target device successfully.
Pass the Hash Attack
The attacker retrieves the hashes from the SAM database, then inputs the acquired hashes directly into the authentication mechanism
LLMNR/NBT-NS
Two main elements of Windows OSs used to perform name resolution for hosts present on the same link
LLMNR/NBT-NS Poisoning
The attacker listens on the network for LLMNR/NBT-NS broadcasts and responds to the request pretending to be the target host. The server then sends its NTLM hash to the attacker, who can then crack it.
NTLM Relay Attack
An NTLM relay attack involves an attacker intercepting and relaying NTLM authentication requests between a client and server to impersonate the client and gain unauthorized access.
Kerberos Attacks
- Cracking TGS
- Cracking TGT
- Pass the Ticket Attack
Combinator Attack
An online password attack where attackers combine the entries of the first dictionary with those of the second dictionary.
PRINCE Attack
An advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words
Fingerprint Attack
The passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password
Toggle Case Attack
Attackers try all possible upper-case and lower-case combinations of a word present in the input dictionary
Markov Chain Attack
Attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched with the existing password database.
GPU Based Attack
Attackers initially perform social engineering to trick the victim into downloading a malicious program or application. Then, the malicious program allows the attackers to secretly track user activities on the browser and perform side-channel leaks to steal passwords
Wire Sniffing
A passive online attack where hackers sniff credentials during transit by capturing Internet packets
MITM Attack
A third party intercepts a communication between the two parties without their knowledge
Rainbow Table Attack
Uses already-calculated information stored in memory to crack the encryption. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance.
Distributed Network Attack (DNA)
The attacker installs a DNA manager in a central location where machines running DNA clients can access it over a network. The DNA manager coordinates the attack and assigns small portions of the key search to machines distributed throughout the network. The DNA client runs in the background, only taking processor time that is otherwise unused. The program combines the processing capabilities of all the clients connected to the network and uses them to crack the password.
Password Salting
Adding a random string of characters to a password before hashing it, making it harder to crack
Vulnerability Exploitation
Involves the execution of multiple complex, interrelated steps to gain access to a remote system
Steps to Vulnerability Exploitation
1. Identify the Vulnerability
2. Determine the Risk Associated with the Vulnerability
3. Determine the Capability of the Vulnerability
4. Develop the Exploit
5. Select the Method for Delivering - Local or Remote
6. Generate and Deliver the Payload
7. Gain Remote Access
Proof of Concept (PoC)
Involves the execution of multiple complex, interrelated steps to gain access to a remote system
Exploit Sites
Include details of the latest vulnerabilities and exploits
Exploit Sites Examples
- Exploit Database
- OSV
- MITRE CVE
- Windows Exploit Suggester - Next Generation (WES-NG)
Metasploit
A penetration-testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for various platforms
Types of Metasploit Payload Modules
1. Stagers
2. Stages
3. Standalones
Metasploit Exploit Modules
Used to encapsulate a single exploit, with which users can target many platforms
Metasploit Payload Modules
Establishes a communication channel between the Metasploit framework and the victim host. It contains the arbitrary code that is executed as a result of an exploit succeeding
Metasploit Auxiliary Modules
Used to perform arbitrary, one-off actions such as port scanning, DoS, and even fuzzing. It includes tools and modules that assess the security of the target
Metasploit NOPS Module
NOP modules generate no-operation instructions used for padding out buffers
Metasploit Encoder Modules
Used to encode payloads to avoid detection by antivirus software, intrusion detection systems (IDS), and other security mechanisms
Metasploit Evasion Modules
Designed to modify the behavior and characteristics of payloads and exploits to avoid detection by security systems, such as antivirus software, intrusion detection systems (IDS), and endpoint protection platforms.
Metasploit Post Exploitation Modules
Tools used after successfully compromising the target system
Buffer
An area of adjacent memory locations allocated to a program or application to handle its runtime data
Buffer Overflow
A common vulnerability in applications or programs that accept more data than the allocated buffer can hold
Stack
A region of memory that stores data in last-in, first-out order
Stack Operations
- PUSH
- POP
LIFO
Last In First Out
PUSH
Stores data on stack
POP
Removes data from stack
Extended Base Pointer (EBP)
Stores the address of the first data element stored on the stack
Extended Stack Pointer (ESP)
Stores the address of the next data element to be stored on the stack
Extended Instruction Pointer (EIP)
Stores the address of the next instruction to be executed
Extended Source Index (ESI)
Maintains the source index for various string operations
Extended Destination Index (EDI)
Maintains the destination index for various string operations
Heap
Used for dynamic memory allocation during the runtime execution of the program
Windows Buffer Overflow Steps
1. Perform Spiking
2. Perform Fuzzing
3. Identify the Offset
4. Overwrite the EIP Register
5. Identify Bad Characters
6. Identify the Right Module
7. Generate Shellcode
8. Gain Root Access
Spiking
Attackers send crafted TCP/UDP packets to the vulnerable server to make it crash. It helps attackers identify buffer overflow vulnerabilities in the target applications.
Fuzzing
Attackers use fuzzing to send a large amount of data to the target server so that it experiences a buffer overflow and overwrites the EIP register. Fuzzing helps in identifying the number of bytes required to crash the server, which helps in determining the location of the EIP register.
Return-Oriented Programming (ROP) Attack
An exploitation technique used by attackers to execute arbitrary malicious code in the presence of security protections such as code signing and executable space protection. Using this technique, an attacker hijacks the target program's control flow by gaining access to the call stack and then executes arbitrary machine instructions by reusing pieces of available libraries known as gadgets.
Address Space Layout Randomization (ASLR)
Randomizes the memory addresses used by system and application processes, making it harder for attackers to predict where their malicious payloads are located in memory
Data Execution Prevention (DEP)
Prevents code from being executed in regions of memory that aren't explicitly marked as executable, thwarting exploit techniques that rely on executing code from non-executable memory regions
Heap Spraying
Involves flooding the free space of a target process's memory heap by writing multiple copies of malicious code into specific memory locations. By saturating the memory heap with copies of their payload, attackers increase the likelihood of their malicious code being executed in the vulnerable program or application.
Heap Spraying Steps
1. Vulnerability Identification
2. Filling the Heap Space
3. Overwriting Pointers to Heap
4. Malicious Code Execution
Just In Time (JIT) Spraying
The attacker crafts JavaScript code that forces the target browser to execute the malicious code. As a result, the JIT compiler dynamically generates the equivalent machine code of the malicious JavaScript. Then attackers exploit vulnerabilities in the JIT compiler.
Active Directory (AD) Domain Environment
Provides the overall architecture of an AD domain's structure. It shows the trust relationship between domain users and groups in an AD environment.
Active Directory (AD) Domain
An AD domain is a logical set of objects such as computers, users, and devices that share common administration, security, and replication settings
Active Directory (AD) Domain Controller (DC)
An AD DC is a server that processes and verifies authentication requests originating from the users on computer networks
Active Directory (AD) Groups
Manageable units of domain user accounts, computers, etc.
Organizational Unit (OU)
A subdivision of AD used for categorizing users, groups, and computers
AD One-Way Trust
Unidirectional trust that allows users in a trusted domain to access the resources of a trusting domain
AD Two-Way Trust
Bidirectional trust that allows users of one domain to access resources in another domain and vice versa
AD Enumeration
- Enumerating Domains
- Enumerating Domain Policy
- Enumerating Domain Controllers
- Enumerating Domain Users
- Enumerating Domain Computers
- Enumerating Domain Groups
- Enumerating Domain Shares
- Enumerating Group Policies and OUs
- Enumerating ACLs
- Enumerating Domain Trusts and Forests
Defending Against Buffer Overflow Attacks
- Use secure coding practices and guidelines
- Validate arguments and minimize code that requires root privileges
- Perform code review
- Allow compiler to add bounds to all the buffers
- Implement bounds checking
- Always protect the return pointer
- Never allow execution of code outside the code space
- Regularly patch applications and OSs
- Perform code inspection
- Implement code pointer integrity
- Use safe versions of functions
- Use mechanisms to enforce strict memory access control
Privileges
A security role assigned to users to limit their access
Privilege Escalation Attack
Attackers first gain access to a network using a non-admin user account and then try to gain administrator privileges
Horizontal Privilege Escalation
Unauthorized user tries to access the resources, functions, and other privileges that belong to an authorized user who has similar access permissions
Vertical Privilege Escalation
Unauthorized user tries to gain access to the resources and functions of a user with higher privileges, such as application or site administrators
DLL Library
Most Windows applications do not use the fully qualified path when loading an external DLL library. Instead, they search the directory from which they were loaded.
DLL Hijacking
Attackers can place a malicious DLL in the application directory and the application will execute the malicious DLL in place of the real one.
Vulnerability
The existence of a weakness, design flaw, or implementation error that can lead to an unexpected event compromising the security of the system
dylib
A MacOS dynamic library
Dylib Hijacking
A MacOS attack that allows an attacker to load a malicious library in place of the original dylib
Spectre Vulnerability
A vulnerability found in modern processors that allows attackers to trick a processor into exploiting speculative execution to read restricted data
Meltdown Vulnerability
A vulnerability found in Intel and ARM processors deployed by Apple. This vulnerability allows attackers to trick a process into accessing out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution.
Named Pipes
In Windows OS, named pipes provide legitimate communication between running processes
Named Pipe Impersonation
Attackers create a pipe server and try to connect to a client with higher privileges than the server
Unquoted Service Paths
In Windows OS, executable paths should be enclosed in quotation marks. Some service executable paths are not quoted and contain whitespace; in this scenario, the system tries to find the application binary by searching every folder along the path until an executable is found. Attackers exploit services with unquoted paths running under SYSTEM privileges to elevate their privileges.
Types of Privilege Escalation Through Misconfigured Services
1. Unattended Install
2. Unquoted Service Paths
3. Service Object Permissions
Pivoting
Once a system is compromised, the attacker uses the compromised system to exploit other systems
Relaying
Once a system is compromised, the attacker uses the compromised system to access resources present on other systems without actually exploiting the other systems
Network File System (NFS)
A protocol used to share and access data and files across a secure intranet