
Attacking a System, Metropolitan State University of Denver: rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter05.pdf · 2017-10-01


CIS 4500, Chapter #5: Attacking a System

Outline

- Describe the CEH hacking methodology and system hacking steps
- Describe methods used to gain access to systems
- Describe methods used to escalate privileges
- Describe methods used to maintain access to systems
- Describe methods of evidence erasure
- Identify rootkit function and types
- Identify basics of Windows and Linux file structure, directories, and commands

Phases of Hacking


Windows Security Architecture

- Credentials are stored in the SAM file
- It stores hash values, not plaintext passwords
- On a domain, passwords are stored in a database on the domain controller
- Microsoft's original choice of password encryption was weak, but later versions improved on it

Authentication        Encryption    OS versions
LM                    DES           Win 95/98
NTLM                  DES + MD4     Win NT
NTLM v2 + Kerberos    Symm+Asymm    Win 2000


Windows 7


Windows 10


LM Authentication

- Converts everything to uppercase
- If the password was less than 14 characters, it would add blank characters to get it to 14
- Then the password would be split into two 7-character strings
- These strings would be hashed separately, with both hashes then combined for the output
- If a password is seven characters or less, the second half is empty, which significantly reduces the time required to crack the rest of it, because the LM hash value of seven blank characters is always the same (AAD3B435B51404EE)
- The first half we put through a cracker and get to work
- The second is easily recognizable: the hash of seven blanks!
- NTLM needs much more power to brute-force
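The halving and padding described on these slides, together with the check a defender runs over a SAM dump to find accounts whose LM hash ends in the seven-blank constant, as an added Python example (not part of the slides or the course material): lm_halves() reproduces the uppercase/pad/split step, half_to_des_key() shows how each 7-byte half is spread into a DES key, and audit_lm_hash() flags the AAD3B435B51404EE constant. DES itself is not implemented here; the sample dump lines and their hash values are constructed placeholders, and the pwdump field layout (user:rid:LM:NT:::) is assumed.

```python
"""LM hash pre-processing and a SAM-dump audit check.

Added example, not from the CIS 4500 slides. It stops at the two 7-byte
DES inputs (no DES implementation) and classifies LM hashes by whether
their second half is the constant hash of an empty half.
"""
import re

# DES of the LM constant under an all-zero key: the hash of an empty 7-char half.
EMPTY_HALF_HEX = "AAD3B435B51404EE"

def lm_halves(password: str) -> tuple:
    """Uppercase, truncate/pad to 14 bytes, split into two 7-byte halves.

    Padding is with NUL bytes (the slides call them 'blank' characters)."""
    padded = password[:14].upper().encode("latin-1").ljust(14, b"\x00")
    return padded[:7], padded[7:]

def half_to_des_key(half7: bytes) -> bytes:
    """Spread 56 bits over 8 bytes, 7 data bits per byte; the low bit is DES parity."""
    bits = int.from_bytes(half7, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))

LM_HEX = re.compile(r"^[0-9A-Fa-f]{32}$")

def audit_lm_hash(lm_hex: str) -> dict:
    """Classify a 32-hex-char LM hash by looking at its two 16-hex-char halves."""
    if not LM_HEX.match(lm_hex):
        raise ValueError("LM hash must be 32 hex characters")
    first, second = lm_hex[:16].upper(), lm_hex[16:].upper()
    first_empty, second_empty = first == EMPTY_HALF_HEX, second == EMPTY_HALF_HEX
    if first_empty and second_empty:
        verdict = "no LM hash stored (empty password or LM hashes disabled)"
    elif second_empty:
        verdict = "second half is the empty-half constant: password is 7 characters or fewer"
    else:
        verdict = "both halves populated: password is 8 to 14 characters"
    return {"first_half": first, "second_half": second,
            "second_half_empty": second_empty, "verdict": verdict}

def audit_pwdump(lines) -> dict:
    """Audit 'user:rid:LMhash:NThash:::' lines (assumed pwdump layout)."""
    report = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue                      # not a credential line
        report[parts[0]] = audit_lm_hash(parts[2])["verdict"]
    return report

# Constructed sample dump: hash values are placeholders, not real account data.
SAMPLE_DUMP = [
    "alice:1001:0123456789ABCDEF" + EMPTY_HALF_HEX + ":NTHASHPLACEHOLDER:::",
    "bob:1002:0123456789ABCDEFFEDCBA9876543210:NTHASHPLACEHOLDER:::",
    "svc:1003:" + EMPTY_HALF_HEX * 2 + ":NTHASHPLACEHOLDER:::",
]

if __name__ == "__main__":
    for user, verdict in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user}: {verdict}")
```

Any account whose second half matches the constant is a finding on its own, independent of whether the first half is ever cracked; the practical mitigation is to stop storing LM hashes at all (the "NoLMHash" policy) and require passwords longer than 14 characters for legacy systems that still produce them.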


Password Considerations

- Password: 8 characters long
- Alphabet: 26 upper-case letters, 26 lower-case letters, 10 numbers, 33 special characters (95)
- 95^8 = 6,634,204,312,890,625
- Password: 9/10 characters long
- Alphabet: 26 upper-case letters, 26 lower-case letters (52)
- 52^9 = 2,779,905,883,635,712
- 52^10 = 144,555,105,949,057,024

Kerberos Exchange

1. The client sends a cleartext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.)

2. The AS checks to see if the client is in its database. If it is, the AS generates the secret key (SK1) by hashing the password of the user found in the database (e.g., Active Directory in Windows Server) and sends back the following two messages to the client:

   Message A: Client/TGS Session Key (SK2) encrypted using the secret key of the client/user (SK1).

   Message B: Ticket-Granting-Ticket (TGT, which includes the client ID, client address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS (SK2).

3. Once the client receives messages A and B, it attempts to decrypt message A with the secret key (SK1) generated from the password entered by the user.

4. If the user-entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A.

5. With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key (SK2). This session key is used for further communications with the TGS. (Note: The client cannot decrypt Message B, as it is encrypted using the TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.
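The five steps above, run end to end as an added Python simulation (not part of the slides, and not Kerberos' real cipher suite): an AS holds SK1 for each principal, answers a cleartext request with messages A and B, and the client only obtains SK2 if the password it typed derives the same SK1. The "encryption" is a constructed stdlib-only scheme (SHA-256 keystream plus an HMAC tag) whose only job is to make decryption with the wrong key fail, which is the property step 4 relies on; the user database, addresses and validity period are constructed sample values.

```python
"""Toy Kerberos AS exchange (steps 1-5 of the slide).

Added example, not from the CIS 4500 slides. Names AS, TGS, SK1 and SK2
follow the slide; the cipher below is a stand-in, not a Kerberos etype.
"""
import hashlib, hmac, json, secrets

def derive_key(password: str) -> bytes:
    """SK1: the client's long-term key, derived by hashing the password."""
    return hashlib.sha256(password.encode()).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; keystream block i = SHA-256(key, nonce, i)."""
    nonce = secrets.token_bytes(16)
    body = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        body += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], block))
    tag = hmac.new(key, nonce + bytes(body), hashlib.sha256).digest()
    return nonce + bytes(body) + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first, so a wrong key raises instead of returning garbage."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong key or tampered message")
    out = bytearray()
    for i in range(0, len(body), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(c ^ k for c, k in zip(body[i:i + 32], block))
    return bytes(out)

class AuthenticationServer:
    def __init__(self, user_db: dict, tgs_key: bytes):
        # The AS never stores the password itself, only SK1 derived from it.
        self.sk1_by_user = {u: derive_key(p) for u, p in user_db.items()}
        self.tgs_key = tgs_key            # long-term key shared with the TGS

    def as_request(self, user_id: str, client_addr: str):
        """Step 1 arrives in cleartext; step 2 returns messages A and B."""
        if user_id not in self.sk1_by_user:
            raise KeyError("unknown principal")
        sk2 = secrets.token_bytes(32)    # fresh client/TGS session key
        msg_a = encrypt(self.sk1_by_user[user_id], sk2)
        tgt = json.dumps({"client_id": user_id, "client_address": client_addr,
                          "validity": "8h", "session_key": sk2.hex()}).encode()
        msg_b = encrypt(self.tgs_key, tgt)  # TGT: readable only by the TGS
        return msg_a, msg_b

def client_login(as_server, user_id: str, password: str, client_addr: str):
    """Steps 3-5: derive SK1 from the typed password and open message A."""
    msg_a, msg_b = as_server.as_request(user_id, client_addr)
    sk2 = decrypt(derive_key(password), msg_a)   # raises on a wrong password
    return sk2, msg_b

# Constructed demo database and keys; sample values only.
USER_DB = {"alice": "correct horse battery staple"}
TGS_KEY = secrets.token_bytes(32)

def demo() -> tuple:
    as_server = AuthenticationServer(USER_DB, TGS_KEY)
    sk2, tgt = client_login(as_server, "alice", USER_DB["alice"], "10.0.0.5")
    # The TGS opens the TGT and finds the same session key the client now holds.
    assert json.loads(decrypt(TGS_KEY, tgt))["session_key"] == sk2.hex()
    try:                                  # step 4: wrong password, wrong SK1
        client_login(as_server, "alice", "wrong password", "10.0.0.5")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    try:                                  # step 5 note: client cannot read the TGT
        decrypt(derive_key(USER_DB["alice"]), tgt)
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    return wrong_rejected, tgt_opaque

if __name__ == "__main__":
    print(demo())
```

The point the simulation makes visible is that the AS can hand out message A before knowing whether the caller owns the password: authentication happens on the client side, when only the right SK1 opens A. That is also why an offline guessing attack against captured AS replies is possible in real Kerberos without pre-authentication, and why pre-authentication and strong passwords matter.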

AD Credentials

- On a domain controller credentials are stored in the Ntds.dit ESE database file
- It is located in %SystemRoot%\NTDS\Ntds.dit or %SystemRoot%\System32\Ntds.dit
- The NTDS.DIT file is effectively the entire Active Directory in a file
- ISAM (Indexed Sequential Access Method) is a file management system developed at IBM that allows records to be accessed either sequentially (in the order they were entered) or randomly (with an index)
- An ESE database looks like a single file to Windows. Internally the database is a collection of 2, 4, 8, 16, or 32 kB pages
- Pages contain meta-data to describe the data contained within the database, the data itself, indexes to persist interesting orders of the data, and other information
- An ESE database may contain up to 2^32 pages, or 16 terabytes of data for 8 kilobyte sized pages


Kerberos Ticket Stealing - Mimikatz

- It is part of Kali: /usr/share/mimikatz

Hash Cracking

samdump2 in Kali

Registry

- The Windows registry is a collection of all the settings and configurations that make the system run
- It stores all sorts of configuration settings and options for:
  - low-level operating system components,
  - applications running on the machine,
  - drivers, the SAM file, and
  - the user interface.
- Keys and values


Root-Level Keys

- HKEY_CLASSES_ROOT (HKCR): contains information on file associations and Object Linking and Embedding (OLE) classes.
- HKEY_CURRENT_USER (HKCU): contains profile information for the user currently logged on. Information includes user-level preferences for the OS and applications.
- HKEY_LOCAL_MACHINE (HKLM): contains information on hardware (processor type, bus architecture, video, disk I/O, and so on) and software (operating system, drivers, services, security, and installed applications).
- HKEY_USERS (HKU): contains specific user configuration information for all currently active users on the computer.
- HKEY_CURRENT_CONFIG (HKCC): contains a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, designed to make accessing and editing this profile information easier.

Root-Level Keys

Root-Level Keys

Keys


MMC

Linux Security Architecture

- / – represents the root directory.
- /bin – holds all sorts of basic Linux commands (a lot like the C:\Windows\System32 folder in Windows).
- /dev – contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or partitions. Note that everything in Linux is a file.
- /etc – contains all the administration files and passwords. Both the password and shadow files are found here.
- /home – holds the user home directories.
- /mnt – holds the access locations you've actually mounted.
- /sbin (system binaries) – holds more administrative commands and is the repository for most of the routines Linux runs (known as daemons).
- /usr – holds almost all of the information, commands, and files unique to the users.


UNIX Commands

Command    Description
adduser    Adds a user to the system.
cat        Displays the contents of a file.
cp         Copies files.
ifconfig   Displays network configuration information about your NIC.
kill       Kills a running process. (You must specify the process ID number.)
ls         Displays the contents of a folder. Common options: -l, -a.
man        Displays the "manual" page for a command.
passwd     Used to change your password.
ps         Process status command.
pwd        Displays the name of the current directory.
rm         Removes files. The command rm -r also recursively removes all directories and subdirectories on the path and provides no warning when deleting a write-protected file.
su         Allows you to perform functions as another user. The sudo command version allows you to run programs with root privileges.

Linux Permissions

CHMOD

Users

Password File vs. Shadow File

Password Encryption

- The format of the encrypted password is: $#$SALT$PWD_SALTED_HASH
- On Ubuntu 10.04 LTS, the # is '6' and means a SHA-512 hash was used.
- You can test a password with: mkpasswd -m SHA-512 <PASSWORD> <SALT>
- This should return the encrypted password, starting with '$6$'
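A parser for the $#$SALT$HASH field layout described above, applied to a few shadow-file lines as the kind of audit a system administrator would run, as an added Python example (not from the slides). It recognises the crypt(3) identifiers beyond the '6' the slide mentions (including the rounds=N and bcrypt variants of the same layout), and flags empty password fields and MD5-crypt entries; it does not recompute any hash, so it makes no mkpasswd call. The shadow lines and every hash string in them are constructed placeholders.

```python
"""Parse and audit the $id$salt$hash password field of /etc/shadow.

Added example, not from the CIS 4500 slides. Hash strings in the sample
lines are placeholders, not real mkpasswd output.
"""

# crypt(3) algorithm identifiers; the slide discusses '6' (SHA-512).
ALGORITHMS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "SHA-256", "6": "SHA-512", "7": "scrypt", "y": "yescrypt"}
WEAK_IDS = {"1"}                 # MD5-crypt is fast to brute-force on modern hardware
BCRYPT_IDS = {"2a", "2b", "2y"}

def _result(status, algorithm=None, salt=None, hash_=None, rounds=None) -> dict:
    return {"status": status, "algorithm": algorithm, "salt": salt,
            "hash": hash_, "rounds": rounds}

def parse_crypt_field(field: str) -> dict:
    """Split one shadow password field into status, algorithm, salt, hash, rounds."""
    if field == "":
        return _result("empty")              # no password required to log in
    if field[0] in "!*":
        return _result("locked")             # password login disabled
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in ALGORITHMS:
        return _result("unknown")            # e.g. 13-char legacy DES crypt
    ident, rest = parts[1], parts[2:]
    if ident in BCRYPT_IDS:                  # $2b$cost$<22-char salt><31-char hash>
        return _result("hashed", ALGORITHMS[ident], rest[1][:22], rest[1][22:], int(rest[0]))
    rounds = None
    if rest[0].startswith("rounds="):        # $6$rounds=N$salt$hash
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) < 2:
        return _result("unknown")
    return _result("hashed", ALGORITHMS[ident], rest[0], rest[1], rounds)

def audit_shadow(lines) -> dict:
    """Map user -> finding for 'user:pwfield:...' lines."""
    weak_names = {ALGORITHMS[i] for i in WEAK_IDS}
    findings = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, info = fields[0], parse_crypt_field(fields[1])
        if info["status"] == "empty":
            findings[user] = "empty password field"
        elif info["status"] == "locked":
            findings[user] = "locked"
        elif info["status"] == "unknown":
            findings[user] = "unrecognised hash format"
        elif info["algorithm"] in weak_names:
            findings[user] = f"weak algorithm ({info['algorithm']})"
        else:
            findings[user] = f"ok ({info['algorithm']})"
    return findings

# Constructed shadow lines; salts and hashes are placeholders.
SHADOW_SAMPLE = [
    "alice:$6$rounds=5000$c0nstructedSalt$PLACEHOLDERSHA512HASH:18000:0:99999:7:::",
    "bob:$1$oldsalt$PLACEHOLDERMD5HASH:18000:0:99999:7:::",
    "svc:!:18000:0:99999:7:::",
    "nopass::18000:0:99999:7:::",
    "carol:$6$c0nstructedSalt$PLACEHOLDERSHA512HASH:18000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, finding in audit_shadow(SHADOW_SAMPLE).items():
        print(f"{user}: {finding}")
```

The salt is what the slide's mkpasswd check reuses: to verify a password you hash it with the same identifier, rounds and salt and compare the result to the stored hash, so the salt is not a secret, only a per-account value that prevents one rainbow table from covering every account.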

Password Attacks

- Non-electronic (social engineering)
- Active online
- Passive online
- Offline

Active Online

- Dictionary and brute-force attacks
- Hash injections
- Phishing
- Trojans
- Spyware
- Keyloggers
- Password guessing

Passive Online

- Sniffing
- ARP poisoning

Offline

- Dictionary attack (rainbow tables on Windows)
- Hybrid attack (dictionary attack with substitutions)
- Brute-force attack

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!