System Hacking and Password Cracking

Questions and Answers

Which of the following is the primary goal of system hacking related to gaining access?

  • Bypassing access controls to enter the system. (correct)
  • Executing applications remotely on the system.
  • Covering tracks to erase evidence.
  • Hiding files to avoid detection.

An attacker performs password cracking by directly communicating with the victim's machine. What type of attack are they using?

  • Non-electronic attack
  • Passive online attack
  • Active online attack (correct)
  • Offline attack

Which type of attack does NOT require an attacker to possess technical knowledge to crack passwords?

  • Non-Electronic Attacks (correct)
  • Offline Attacks
  • Passive Online Attacks
  • Active Online Attacks

An attacker captures network packets to extract authentication tokens and replays them to gain access. What type of attack is this?

  • Replay attack (B)

Which of the following best describes a 'rainbow table' in the context of password cracking?

  • A precomputed table containing wordlists and their hash values. (A)

In Windows, where are password hashes typically stored?

  • C:\Windows\System32\config\SAM (B)

During NTLM authentication, what role does the Domain Controller (DC) play after receiving a login request?

  • It sends a challenge to the computer and compares the response with its own hash. (A)

Which of the following is the main function of a Ticket-Granting Server (TGS) in the Kerberos authentication process?

  • To connect the user with the service server. (A)

What is the primary advantage of using password salting?

  • It makes it more difficult to reverse the hashes. (B)

An attacker wants to extract LM and NTLM password hashes from a Windows system. Which tool is most suitable for this task?

  • Pwdump7 (A)

Which of the following is a recommended measure to defend against password cracking?

  • Enabling information security audits. (A)

What is the primary difference between horizontal and vertical privilege escalation?

  • Horizontal involves gaining access to a different user account with similar privileges, while vertical involves gaining higher-level privileges. (B)

Why is restricting interactive logon privileges an effective defense against privilege escalation?

  • It limits the ability of attackers to gain initial access. (B)

What is the purpose of executing malicious applications in the system hacking process?

  • To gather information, gain unauthorized access, or maintain system control. (A)

Which of the following tools is designed to remotely install applications and execute programs on Windows systems?

  • RemoteExec (B)

What is the primary function of a keylogger?

  • To monitor and record keystrokes. (A)

Which of the following is a type of hardware keylogger?

  • PS/2 and USB keylogger (A)

What is the main purpose of spyware?

  • To monitor user activity without their consent. (D)

Which of the following actions does a rootkit perform?

  • It hides the attacker's malicious activities. (D)

Which type of rootkit modifies the boot sequence of the computer system?

  • Hypervisor Level Rootkit (C)

What is the main purpose of steganography?

  • To hide the existence of a message. (C)

Which of the following is an example of steganography based on the cover medium?

  • Image Steganography (D)

Which of the following best describes whitespace steganography?

  • Hiding messages by adding whitespace to the end of lines. (A)

What is the primary goal of 'covering tracks' in the context of system hacking?

  • To avoid detection after gaining access. (C)

An attacker deletes system log entries. What technique are they using?

  • Clearing Logs (B)

Flashcards

Gaining Access

Bypassing access controls to gain unauthorized entry, often through password cracking or social engineering.

Escalating Privileges

Acquiring elevated permissions on a system, such as becoming an administrator.

Executing Applications

Creating and using remote access tools like Trojans and keyloggers.

Hiding Files

Concealing malicious activities and stolen data using rootkits and steganography.

Covering Tracks

Removing or obscuring evidence of a security breach to avoid detection.

Password Cracking

Techniques used to recover passwords from computer systems.

Non-Electronic Attacks

Attacks not requiring technical expertise to crack passwords.

Active Online Attacks

Gaining unauthorized access by directly communicating with the victim's machine.

Passive Online Attacks

Password cracking without direct communication with the victim's system.

Offline attack

Cracking passwords offline after copying the target's password file.

Social Engineering

Convincing individuals to reveal their passwords through deception.

Shoulder Surfing

Looking at a user's keyboard or screen while they log in.

Dumpster Diving

Searching trash for sensitive information.

Brute Forcing Attack

Systematically trying every character combination until the password is broken.

Rules-based attack

Attack that uses some information about the password.

Password Guessing

Creating a list of probable passwords based on gathered information.

Default password

A password supplied by the manufacturer with new equipment.

Hash Injection Attack

Injecting a compromised hash to validate network resources.

Wire Sniffing

Running packet sniffer tools to access and record raw network traffic.

Man-in-the-Middle Attack

Interception of communication channels between victim and server.

Replay attack

Capturing and replaying packets to gain unauthorized access.

Rainbow Table attack

Table containing precomputed hashes used to crack passwords.

Password Salting

Adding random data to passwords before hashing.

Privilege Escalation

Elevating access permissions beyond the original level.

Steganography

Hiding a secret message within an ordinary one.

Study Notes

System Hacking Overview

  • System hacking includes gaining access, escalating privileges, executing applications, hiding files, and covering tracks
  • Goals consist of bypassing access controls, acquiring user rights, creating remote access, concealing malicious activities, and hiding compromise evidence

Password Cracking

  • Password cracking recovers passwords from computer systems without authorization
  • Weak passwords increase the success of cracking attempts

Types of Password Attacks

  • Non-electronic attacks don't require technical expertise
    • Examples: Shoulder surfing, social engineering, and dumpster diving
  • Active online attacks crack passwords by directly communicating with the victim machine
    • Methods include dictionary attacks, brute force attacks, hash injection, phishing, the use of trojans/spyware/keyloggers, and password guessing
  • Passive online attacks crack passwords without communicating with the authorizing party
    • Techniques include wire sniffing, man-in-the-middle attacks, and replay attacks
  • Offline attacks copy the target's password file to crack passwords on another system
    • Rainbow table attacks and distributed network attacks are types of offline attacks

Password Guessing

  • Password guessing involves creating a list of possible passwords and manually attempting them on the victim's machine
    • This involves finding a valid user, creating a password list, ranking passwords by probability, and attempting each one
  • Default passwords are those supplied by the manufacturer with new equipment and are often targeted
    • Many online sites provide lists of default passwords
  • A Trojan/Spyware/Keylogger attack involves installing malware to collect usernames and passwords
    • The program runs in the background, relaying credentials to attackers

Active Online attack

  • An active online attack can be performed using a USB drive to extract passwords
    • This involves downloading password tools, copying them to the drive, creating an autorun file, and inserting the drive

Hash Injection Attack

  • A hash injection attack injects a compromised hash into a local session to validate network access
  • This involves finding and extracting a logged-on domain admin account hash and using it to log on to the domain controller

Passive Online Attack

  • Wire Sniffing involves using packet sniffers on a local network to capture raw network traffic
    • Captured data may include passwords, FTP, rlogin sessions, and email content

Gaining Unauthorized Access

  • Sniffed credentials can be used to gain unauthorized system access

Man-in-the-Middle Attack

  • This attack intercepts communication between a victim and a server to extract information

Replay Attack

  • This attack captures packets and authentication tokens using a sniffer
  • Tokens are placed back on the network to gain access after extracting relevant info

Offline Attack

  • A rainbow table attack uses a precomputed table with wordlists and hash values
  • Password hashes are captured and compared with the rainbow table to find a match, cracking the password
  • It's easy to recover passwords by comparing captured hashes to the precomputed table

Password Storage

  • Windows stores password hashes in this file: C:\windows\system32\config\SAM
  • Information stored: Username, User ID, LM Hash, and NTLM Hash

NTLM Authentication Process

  • The user types a password, and Windows applies a hash algorithm to it
  • The computer sends a login request to the Domain Controller
  • The Windows Domain Controller has a stored, hashed password copy
  • The Domain Controller sends a logon challenge, and the computer sends a response
  • The DC compares the computer's response with its own hash and grants access if they match

Kerberos Authentication

  • Kerberos uses symmetric-key cryptography with a Key Distribution Center to verify user identities.
  • The KDC has a ticket-granting server that connects the user with a service server
  • It maintains a database of verified user credentials
  • Password salting adds a random string of characters to passwords before hashing
    • Salting makes it more difficult to reverse hashes and prevents pre-computed hash attacks

Password Hash Tools:

  • Pwdump7.exe extracts LM and NTLM password hashes
  • Fgdump.exe also extracts cached credentials, permitting remote network execution
  • Command: fgdump.exe -h <ip> -u Administrator -p hacker to dump a remote machine hash

Password Cracking Protection

  • Enable information security audits
  • Rotate Passwords Regularly
  • Never share passwords
  • Disallow dictionary words as passwords
  • Use strong encryption (not cleartext protocols)
  • Enforce a password change policy, such as every 30 days
  • Store passwords securely
  • Avoid any system's default password

Privilege Escalation

  • Privilege escalation is when an attacker gains higher-level permissions than originally allowed

Horizontal Escalation

  • This involves the same privilege level, but in a different user account

Vertical Escalation

  • This involves higher-level privileges than the attacker initially possessed

Types of Privilege Escalation

  • Exploiting vulnerabilities
  • Weak configurations
  • Using malicious software like rootkits
  • Compromising user accounts
  • Social Engineering

Privilege Escalation Prevention

  • DLL hijacking: Preventing malicious DLL injection by restricting the interactive logon privileges
  • User encryption
  • Run users and applications with least privileges
  • Reduce the amount of code that runs with elevated privileges
  • Multi-factor authentication
  • Debugging using bounds checkers and stress tests
  • Run services non-privileged
  • Testing all coding errors
  • Patch and update kernel regularly

Executing Applications

  • Attackers execute malicious applications to "own" a system, for example to gather information, gain unauthorized access, or crack passwords

Common examples of Executing Applications

  • Keyloggers
  • Spyware
  • Backdoors
  • Crackers

RemoteExec

  • RemoteExec installs applications, executes program/scripts, and updates data files
  • Attackers can use it to modify the registry, disable local passwords/accounts, and update files/folders

Executing Application Tools

Keyloggers

  • These programs or hardware devices monitor keystrokes
  • Keystroke loggers have legitimate uses, such as monitoring employee activity or parental monitoring of children
  • Keyloggers let an attacker gather a victim's email, passwords, bank data, chats, etc.

Hardware Keyloggers

  • PC/BIOS Embedded
  • Keyboard Keylogger
  • External Keylogger
    • PS/2 and USB keylogger
    • Acoustic/CAM keylogger
    • Bluetooth keylogger
    • Wi-Fi keylogger

Software Keyloggers

  • Application Kernel
  • Kernel Keylogger
  • Hypervisor based keylogger
  • Form grabbing based keylogger

Spyware

  • Programs that record user interactions secretly and send the data to remote attackers
  • Spyware hides processes, files, data, etc. in order to avoid detection
  • Spyware gathers email addresses, logins, passwords, credit card data, and bank data
  • Spyware examples: Spytech SpyAgent and Power Spy

Spyware agents

  • Spytech SpyAgent: Monitors everything users do on a computer.
  • Power Spy: Monitors data activities secretly.

Spyware tools

  • NetVizor
  • Activity Monitor
  • USB Analyzer
  • Spy Voice Recorder

Rootkits

  • Programs that hide themselves and the attacker's malicious activities
  • They give the attacker full access to the system
  • Rootkits replace operating system calls, causing malicious functions to be executed and undermining security
  • Rootkits typically comprise backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, and IRC bots.

Rootkit Distribution

  • Attackers place a rootkit by:
    • Scanning for vulnerable systems on the web
    • Wrapping it in a package such as a game
    • Installing it on corporate or public computers

Rootkits Types

  • Hypervisor Level Rootkit
  • Hardware/Firmware Rootkit
  • Kernel Level Rootkit
  • Bootloader Level Rootkit
  • Application Level Rootkit
  • Library Level Rootkits

Higher level of Rootkits

  • Hypervisor Level modifies the boot sequence
  • Hardware/firmware hides in the hardware

Kernel level Rootkit

  • Malware codes add malicious code to the original

Boot Loader Level Rootkit

  • Remote attackers have full range

Application Level Rootkit

  • Binary files modify behaviors

Library Level Rootkits

  • System calls hide info on attacker

Steganography

Hides data.

Types of Steganography

  • Image Steganography
  • Document Steganography
  • Folder Steganography
  • Video Steganography
  • Audio Steganography
  • Web Steganography
  • Spam/Email Steganography
  • Hidden OS Steganography
  • Source Code Steganography
  • Whitespace Steganography

Whitespace Steganography

  • Hides a message in ASCII text by adding whitespace to the end of lines

Image Steganography

Document Steganography

  • Adding codes to transferred documents
  • Tool: snow

Video Steganography

  • Hides secret information in a video file
  • Tool: StegoStick

Audio Steganography

  • Hides audio files

  • Tool: StegoStick

Folder Steganography

  • Files code and hide on apps

Email Steganography

  • Secret messages in email

Covering Tracks

  • Covering Tracks prevents getting caught

Common attack track to stop

  • Disable Auditing: disable features
  • Clearing Logs: clear system log
  • Manipulating Logs: prevent people from catching hackers
  • Windows: delete log events
  • Linux: remove this
  • export HISTSIZE=0
  • history -c # clear all history
  • S
  • cat /dev/null > ~/.bash_history && history -c && exit
