System Hacking - Practice Flashcards

Chapter 5: System Hacking

  • System hacking is a multi-step process involving password cracking, privilege escalation, malicious program execution, file hiding, and track covering.

  • The system-hacking process is typically not achieved in a single stroke; it is a gradual, time-consuming process akin to tunneling under a wall, yielding results of increasing access levels over time.

Password Cracking Foundations

  • Definition: Password cracking is the process of recovering passwords from transmitted or stored data. It can be used by administrators to audit system holes or by attackers to facilitate unauthorized access.

  • Non-Electronic Attacks: These require no technical knowledge.

    • Shoulder Surfing: Watching a user's keyboard or screen while they log in.

    • Social Engineering: Convincing individuals to reveal their credentials through manipulation.

    • Dumpster Diving: Searching through trash bins (physical or printer) and desks for sticky notes or sensitive data.

  • Active Online Attacks: Directly communicating with the target machine.

    • Dictionary Attack: Loading a dictionary file into a cracking application to test against user accounts.

    • Brute Forcing Attack: Trying every possible combination of characters until the password is broken.

    • Rule-based Attack: Used when the attacker possesses some specific information about the password to narrow the search.

    • Password Guessing: Manually trying passwords compiled from information gathered via social engineering.

    • Default Passwords: Using factory-supplied passwords for equipment such as switches, hubs, and routers.

    • Trojan/Spyware/Keylogger: Installing programs that run in the background to capture and send credentials back to the attacker.

    • Hash Injection Attack: Injecting a compromised hash into a local session to validate network resources. An attacker extracts a logged-on domain admin account hash to log on to the domain controller.

  • Passive Online Attacks: Cracking passwords without communicating with the authorizing party, relying on how passwords are stored or transported.

    • Wire Sniffing: Using packet sniffers on LANs to record traffic, capturing sensitive info from FTP and rlogin sessions and from emails.

    • Man-in-the-Middle (MITM): Acquiring access to the communication channel between a victim and a server.

    • Replay Attack: Using a sniffer to capture packets and authentication tokens, which are later placed back on the network to gain access.

  • Offline Attacks: Copying the target's password file to an external system for localized cracking.

    • Pre-Computed Hashes (Rainbow Tables): Comparing captured password hashes with a precomputed table (Rainbow Table) containing word lists and their corresponding hash values.

    • Rainbow Table Tool Examples: Rtgen (command line) and Winrtgen (graphical generator).

    • Distributed Network Attack (DNA): Recovering passwords using the unused processing power of multiple machines across a network. Coordinated by a DNA Manager utilizing DNA Tools such as Elcomsoft Distributed Password Recovery.

Windows Authentication and Security Accounts Manager (SAM)

  • SAM Database: Windows stores password hashes in the Security Accounts Manager (SAM) for local accounts or the Active Directory database for domains.

  • Authentication Protocols:

    • LM (LAN Manager): An older protocol, now disabled by default in Windows Vista and later versions; the hash field will appear blank in those systems.

    • NTLM (NT LAN Manager): A standard Windows authentication protocol.

    • Kerberos: The current default protocol providing stronger authentication for client-server applications.

  • Password Salting: A technique adding a random string of characters to a password before hashing. While it defeats pre-computed hash attacks, Windows password hashes are not salted.

  • Hashed Password Sample (Rainbow Table):

    • Input: 1qazwed → Hash: 1c40e47dba72e77518ee3ef88ad0cc8

    • Input: Sodifo8sf → Hash: 2c749bf3fff89778efc50af7e4f8d6a8

Password Cracking Tools and Defense

  • Extraction Tools:

    • PWDUMP: Extracts LM and NTLM hashes from the SAM database.

    • fgdump: Similar to pwdump, but also extracts cached credentials and allows remote execution.

  • Cracking Tools:

    • L0phtCrack: Multi-featured recovery tool for 64-bit Windows and network monitoring.

    • Ophcrack: Based on rainbow tables.

    • RainbowCrack: Cracks hashes using rainbow tables.

    • Cain & Abel: Recovers passwords via sniffing, dictionary, brute-force, and cryptanalysis.

  • Defensive Best Practices:

    • Do not reuse passwords or share them.

    • Avoid dictionary words or personal details (birthdays, names of children/pets).

    • Use 8-12 alphanumeric characters with mixed case and symbols.

    • Enable SYSKEY with a strong password to protect the SAM database.

    • Implement an account lockout policy for excessive incorrect guesses.

    • Set password change policies to every 30 days.

Privilege Escalation

  • Definition: The process of gaining higher levels of access than originally granted, often targeting administrative privileges to delete files or install malware.

  • Types:

    • Vertical Privilege Escalation: Gaining higher privileges than currently held (e.g., standard user to admin).

    • Horizontal Privilege Escalation: Assuming the identity of another user with the same privilege level.

  • DLL Hijacking: Exploiting Windows applications that search their local directory for DLLs before checking fully qualified paths. Attackers place malicious DLLs in the search path.

  • Tools: Active@ Password Changer and Offline NT Password & Registry Editor (used to reset passwords from the command prompt).

  • Countermeasures:

    • Apply the principle of least privilege.

    • Patch systems regularly and restrict interactive logon privileges.

    • Use multi-factor authentication.

Executing Applications and Malicious Programs

  • Goal: Remotely executing software to gather info, exploit privacy, or install backdoors.

  • Tools:

    • RemoteExec: Remotely installs applications and modifies registries.

    • PDQ Deploy: Silently installs applications or patches.

    • DameWare Remote Support: Remote management of servers and laptops.

  • Keyloggers: Hardware or software that records every keystroke.

    • Hardware Types: PC/BIOS embedded, Wi-Fi/Bluetooth keyloggers, PS/2 and USB keyloggers.

    • Software Types: Application-level, Kernel-level, Hypervisor-based, and Form Grabbing-based loggers.

  • Spyware: Records interactions and sends data to attackers, often bundled as freeware.

    • Propagation Methods: Drive-by downloads, masquerading as anti-spyware, web browser exploits, piggybacked software, cookies, and browser add-ons.

    • Examples: Spytech SpyAgent, USBSpy, Spy Voice Recorder, WebCam Recorder.

  • Defenses: Use pop-up blockers, anti-spyware, host-based IDS, and on-screen keyboards. Frequently scan for unauthorized keyboard connectors.

Hiding Files and Rootkits

  • Rootkits: Programs that hide their presence and the attacker's activity while granting full access. They replace OS calls and utilities with modified versions via hooks or DKOM (Direct Object Manipulation).

  • Rootkit Types:

    • Hypervisor Level: Acts as a hypervisor to load the host OS as a virtual machine.

    • Hardware/Firmware: Hidden in device firmware.

    • Kernel Level: Replaces the original OS kernel and drivers.

    • Boot Loader Level: Replaces the original boot loader.

    • Application/Library Level: Replaces binaries or system calls with Trojanized versions.

  • Detection Methods: Integrity-based (snapshots), Signature-based (fingerprints), Heuristic/Behavioral (deviations), and Cross View-based detection.

  • NTFS Alternate Data Stream (ADS): A Windows feature where data can be forked into existing files (metadata) without changing the file size or functionality in file browsers. Attackers use it to inject malicious code.

    • ADS Defense: Move files to FAT partitions (which don't support ADS) to strip streams; use tools like StreamArmor or LADS.

Steganography

  • Definition: Hiding a secret message within an ordinary cover medium (image, video, audio, white space).

  • Least Significant Bit (LSB) Insertion: A method where the rightmost bit of an image pixel is replaced with message bits.

    • Example: Hiding the letter ‘H’ (01001000) within an image bitstream. The attacker modifies binary sequences by changing only the LSB of each byte to match the message bits.

  • Tools: QuickStego, wbStego, DeepSound, and SNOW (whitespace steganography).

Covering Tracks

  • Objective: Avoiding detection after gaining admin access.

  • Techniques:

    • Disabling auditing immediately using auditpol.exe.

    • Clearing logs using clearlogs.exe or the meterpreter shell in Metasploit.

    • Manipulating or manually clearing event logs based on the OS.

  • Tools: CCleaner, MRU-Blaster, Wipe, Tracks Eraser Pro.