ICT2212-Lecture 5-System Hacking 2024.pdf

Full Transcript

SIT Internal

ICT2212
Ethical Hacking

System Hacking
A/Prof Guo Huaqun (Linda)
 SIT Internal

Acknowledgement

This set of slides is based on
A version from Dr. Raymond Chan (Some slides developed by
Dr Peter Loh)

2
 SIT Internal

Introduction to System Hacking
Scanning and
Reconnaissance Enumeration

Cover Gain
Tracks Access

Keep
Access

Hacking here refers to the gaining of access into the target
system using previously obtained info
End-points (direct access, wifi, web)
Ease of gaining access depends on target’s attack surface
3
 SIT Internal

Introduction to System Hacking
Attack Surface Evaluation
o What is target’s attack surface?
o How do we measure it?
o Methodology
Microsoft Attack Surface Analyzer
o https://github.com/Microsoft/AttackSurfaceAnalyzer
Password Attacks
o Attack Techniques
o Existing Cracking Tools
o AI-based Password Cracking
Password Strength and Guidelines

4
 SIT Internal

ATTACK SURFACE EVALUATION
 SIT Internal

Attack Surface Overview

What is a software product’s attack surface?
o Where are the control and data entry and exit points?
o E.g. user interface, database interface, network interface
o Collection of all these entry and exit points = Attack Surface
o All = ?
6
 SIT Internal

Attack Surface Evaluation
Define your baseline
o Determine your minimal attack surface (baseline) at the start
Measure and monitor regularly
o If attack surface increases, determine why
o Can it be reduced?

7
 SIT Internal

Attack Surface Reduction – Best Practices

Reduce number of apps running on power up – start occasional use app only when you need it e.g.
skype, dropbox
Uninstall unnecessary software and services
Limit entry point access to trusted users – restrict network endpoint access to local subnet or IP
range; use authentication
Reduce access privilege to limit damage potential – give higher permissions for only as long as
needed; use authorisation
8
 SIT Internal

Relative Attack Surface Rankings
Which system feature increase or reduce attack surface?

Larger Attack Surface Smaller Attack Surface
Feature runs by default Feature doesn’t run by default
Open network connection Closed network connection
Listening for UDP and TCP Listening for TCP only
Anonymous access Authenticated access only
Internet access Subnet, LAN access
Code running as admin/root Code running in low privilege account
Loose (broad) Access Control Lists Strict (specific) ACLs
(ACLs)
Many URLs are entry points Only one/few URLs is/are entry points

9
 SIT Internal

Attack Surface Model
Environment Attacks

system
surface Entry/Exit Points
2. Channels
1. Methods

3. Data Items

An attack requires sending untrusted data items into or retrieving
them from a system via one or more channels managed by methods

Attack Surface Measurement: Identify relevant resources (methods,
channels, and data), and estimate the contribution of each such resource
10
 SIT Internal

Attack Surface Measurement
Resource Damage Potential Effort
Method (M) Method’s Privilege Access Rights
Channel (C) Channel’s Protocol Access Rights
Data Items (I) Persistent Data Type Access Rights

A resource’s contribution to a system’s attack surface depends on its damage potential, i.e., the level of
harm the attacker can cause in using the resource to attack and the effort spent to acquire the access
rights to be able to do this.
We estimate a method’s damage potential in terms of the method’s privilege. An attacker gains a
method’s privilege by using the method (eg. API) in an attack.
We estimate a channel’s damage potential in terms of its protocol (eg. TLS protocol in heartbleed bug).
A channel’s protocol imposes restrictions on the data exchange allowed using the channel.
A persistent data item’s type imposes restrictions on the data exchange (e.g., a file can be injected with
unknown executable code but not a registry entry, cookies can be hijacked). Hence we estimate a data
item’s damage potential in terms of its type.
11
 SIT Internal

ATTACK SURFACE ANALYZER
 SIT Internal

Microsoft Attack Surface Analyzer 2.0
Free tool for highlighting security issues in an application
Start by running baseline scan of platform (Windows):
 Itemize open files
 Itemize active apps
 Itemize Windows services
Install target app to be checked, run scan and compare against baseline
Useful for highlighting how new apps and drivers since baseline scan can
change the attack surface of your platform
 Generate scan report

13
 SIT Internal

Microsoft Attack Surface Analyzer 2.0

14
 SIT Internal

Microsoft Attack Surface Analyzer 2.0

Repeat after
new app installed

15
 SIT Internal

Attack Surface Analyzer Demo

https://www.youtube.com/watch?v=8h6n1eul9AI
16
 SIT Internal

Microsoft Attack Surface Analyzer

17
 SIT Internal

PASSWORD ATTACKS
 SIT Internal

Password System
Client Server
Password Hash Hashed Hashed Compare
Function Password Password Password

Stored Salt Stored Password

Allow/Deny Access

Password hashed and stored
 Salt added to randomize password and stored on system
Login – hashed password compared to stored password
Comparison match – allow access; otherwise deny access
Password attacks launched to crack encoded password
19
 SIT Internal

Password Salting
Adding random data to password before hashing it:
o Same string can hash to different values at different sites
o Salt is stored with the salted hashed password

20
 SIT Internal

Salting a Password Demo
Generate MD5 for random password e.g. “secret”
http://www.miraclesalad.com/webtools/md5.php
MD5 hash is: 5ebe2294ecd0e0f08eab7690d2a6ee69
Google with this hash value easily finds you “secret”
Now, generate MD5 for “Z01secret”
New MD5 hash is: d30a09de93a3c3b989eea283b9762790
Google with the new hash value
Can you find the original password?
“Z01” is the salt was added to make hashed passwords stronger
21
 SIT Internal

Hashed Password Application

Bank A
pwdA
pwdA
=
pwdB

Phishing attack or break-in at site B Site B
reveals password at A

Bank A
pwdA Replay attack
=

pwdB not possible

Generates a unique password per site Site B
22
 SIT Internal

Lan Manager (LM) Hash Generation
Separated into two 7 character strings (Pre Windows-NT)
Converted to upper case and padded with NULL to 14 characters

Singapore1 = SINGAPO + RE1****

Key Key

Constant DES DES Constant

Concatenate LM Hash

Lan Manager hash used in Windows systems for < 15 char passwords
Limited (alphanumeric) set, case-insensitive
23
 SIT Internal

NTLM Hash Generation

Singapore1
MD4 unicode
password

Post-NT versions of Windows use NTLM (MD4) hash
Uses 14 characters for a single hash
Store hashed password in Unicode
Harder to crack than older LM “hashes”
Can be cracked by existing public domain tools (eg. John the Ripper)
Both LM and NTLM hashed passwords are unsalted
Superceded by MD5 followed by SHA-n algorithms
24
 SIT Internal

SHA-n Hash Generation
Quantum computing
-> SHA-512

SHA stands for Secure Hashing Algorithm
SHA-n are different versions of the SHA algorithm. They differ in how the resulting
hash is created from the original data and in the bit-length of the hash
SHA-1 is a 160-bit hash (Google created a SHA-1 collision). Certificates expired in
2016.
SHA-2 is a class of hashes of various lengths, the most popular being 256-bit.
Others include: SHA-224, SHA-384, or SHA-512
SHA-256 produces a 256-bit (32 bytes) hash value
25
 SIT Internal

Typical Online Password Attack
Find a valid user ID
Create a list of possible passwords
Rank the passwords from high probability to low
Type in each password
If the system allows you in – success !
If not, try again, being careful not to exceed password lockout
(the number of times you can guess a wrong password before the
system shuts down and won’t let you try any more)

Need Good Guesses
26
 SIT Internal

Password Guessing Techniques
Dictionary words spelled backwards
First and last names, children, addresses, cities
Same with upper-case initials
All valid license plate numbers in your state
Room numbers, telephone numbers, etc.
Letter-number substitutions and other tricks
 4 for A; 3 for E; 5 for s or S
 If you can think of it, attacker will, too

27
 SIT Internal

Password Security Risks
Default or weak passwords
 E.g. admin; admin / access
 E.g. last 4 digits of NRIC
 Based on personal data e.g. family,
friends, achievements
Same password at multiple sites
 For banking, shopping, social
networking
Keystroke loggers
 Hardware (e.g. KeyGhost, KeyGrabber)
 Software (e.g. SpyAgent,
IAmBIgBrother)
28
 SIT Internal

Password Attacking Techniques
Dictionary Attack
 Attacker tries all words in dictionary to crack password
 Many people tend to use dictionary words as passwords
Brute Force Attack
 Try all permutations of the letters & symbols in the alphabet
Hybrid Attack
 Words from dictionary and their variations used in attack, and then Brute Force Attack
Rainbow Tables Attack
 Lists of pre-computed hashes
Social Engineering
 People use weak passwords based on personal data
 People disclose passwords naively to others
Shoulder Surfing (Observation Attack)
 Attackers slyly watch over peoples’ shoulders to steal passwords
Dumpster Diving
 People dump their trash papers in garbage which may contain information to crack passwords
29
 SIT Internal

AI-based Password Cracking – 1/4
Existing Password Cracking Techniques
 Typically based on guessing
 Exhaustive guessing – eg. bruteforce (overheads can be reduced with knowledge of password
length/formulation rules)
 Guided guessing – eg. dictionary / table based (success rate may be dependent on dictionary / table size and
password / hash generation rules -> overheads)

How to scale up a password
dictionary?

Password entropy measures the
unpredictability of a password

Does a real password have
very high entropy?
30
 SIT Internal

AI-based Password Cracking – 2/4
Password Cracking based on Machine Learning
 Based on a human attack vector – people use password creation schemes
 Targeted guessing 1 – first gain knowledge of user’s profile -> derive creation scheme(s) ->
reduced entropy
 Targeted guessing 2 – generate password dictionary with derived schemes (may include
obfuscation with leetspeak)

Found by
Google
Hacking

Note password schemes

31
 SIT Internal

AI-based Password Cracking – 3/4
AI Password Generation based on Derived Scheme
 Dictionary subset or password guesses are built based on AI-perceived
mangling of user profile data rather than security policy heuristics

32
 SIT Internal

AI-based Password Cracking – 4/4

PassGAN – Adversarial password cracking
 Uses a Generative Adversarial Network to learn distributions of real passwords from
actual leaked passwords
 Neural network (Generator G) is initialized with random noise (Gaussian or uniform
distribution) and tries to mimic underlying distribution of password samples
 Neural network (Discriminator D) is trained to distinguish between real and fake
password samples
 Advantage of neural networks - can be trained without apriori knowledge
33
 SIT Internal

Summary
Attack Surface Analysis
 What constitutes a platform’s attack surface
 Quantitative Evaluation – Methods, Channels and Data Items
 Use of Microsoft Attack Surface Analyzer
Password Attacks
 Password security – how passwords are hashed, salted & stored
 Weak and Strong Hashes – are strong hashes enough?
 Typical online password attack process
 Password guessing techniques
 Password security risks – default, weak and reused passwords, key loggers
 Password attacking techniques – existing and AI-based

Next Lecture – Password Cracking Tools
34
 SIT Internal

PASSWORD CRACKING TOOLS
 SIT Internal

Password Cracking Overview
Password cracking is the process of guessing or recovering a
password from stored locations or from data transmission systems
In attacking, for unauthenticated access
In pentesting, for evaluating authentication vulnerability
In forensics, for accessing suspect’s computer system and/or files

Automation Support, some cracking tools:
 RainbowCrack
 Wfuzz (bruteforcing web apps)
 John the Ripper
 THC Hydra
 Medusa
 OphCrack
 L0phtCrack
 Aircrack-NG
36
 SIT Internal

Localhost Password Recovery
pwdump7: pwdump7.exe (Dump system passwords)
In installed folder, enter: pwdump7 > pass.txt

Unveiling Password Vulnerabilities: Dump and Crack Hashes with pwdump7 and Ophcrack:
https://www.youtube.com/watch?v=2fMXsjC2pJ4

37
 SIT Internal

John the Ripper Account Creation
A fast password cracking tool ( http://www.openwall.com/john/ )
John the Ripper is an Open-Source password security auditing and password recovery tool
available for many operating systems.
John the Ripper jumbo supports hundreds of hash and cipher types, including for: user
passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, "web
apps" (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP,
etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.);
encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.), filesystems and disks
(macOS.dmg files and "sparse bundles", Windows BitLocker, etc.), archives (ZIP, RAR, 7z),
and document files (PDF, Microsoft Office's, etc.)
These are just some of the examples - there are many more.
Ethically Crack Passwords by John the Ripper
– https://www.youtube.com/watch?v=6Yehb5yjHF8

38
 SIT Internal

John the Ripper Account Creation
https://hash.online-convert.com/des-generator
https://hash.online-convert.com/md5-generator
https://hash.online-convert.com/sha256-generator

39
 SIT Internal

John the Ripper Cryptanalysis
Copy and paste DES-encrypted username:password to.txt
Run - john.txt
Repeat with MD5 version

40
 SIT Internal

Ophcrack Password Recovery
A password cracker based on rainbow tables
Available for Windows, Mac OSX and Unix
https://sourceforge.net/projects/ophcrack/
XP and Vista Tables: http://ophcrack.sourceforge.net/tables.php

41
 SIT Internal

Ophcrack Password Cracking

Ensure you have installed at least the downloaded rainbow tables
42
 SIT Internal

Ophcrack Password Cracking

Load pass.txt created by pwdump previously and click crack

43
 SIT Internal

THC Hydra Password Cracking

A very fast password cracking tool
(non-hashed lookup)
Hydra is a parallelized network login
cracker built in various operating
systems like Kali Linux, Parrot and other
major penetration testing
environments.
Hydra works by using different
approaches to perform brute-force
attacks in order to guess the right
username and password combination.
 SIT Internal

THC Hydra Password Cracking - 1

https://www.youtube.com/watch?v=2tJgPyRITGc
45
 SIT Internal

Brute-Force Attack Using Hydra in Kali
sudo hydra
"::"
┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ sudo hydra -l newyork -P /usr/share/wordlists/rockyou.txt
lindaguo.mooo.com https-post-form
"/auth/login8.php:username=^USER^&password=^PASS^:Authentication
failed"
sudo hydra -L /usr/share/wordlists/username.txt -P
/usr/share/wordlists/rockyou.txt lindaguo.mooo.com https-post-form
"/auth/login8.php:username=^USER^&password=^PASS^:Authentication
failed"

46
 SIT Internal

Computation Power Needed

Custom GPU-based hardware
– A 5-server rig with 25 Radeon GPUs
– 348 billion NTLM passwords per second
NTLM = Microsoft’s suite of security protocols
6 seconds to crack a 14-character Windows XP password
– 77 million md5crypt-hashed passwords per second
md5crypt() is used by FreeBSD and Linux

Cloud-based cracking tools
– CloudCracker, Cloud Cracking Suite (CCS)
– Can use cloud-based browsers to do MapReduce jobs
25-GPU cluster cracks every standard Windows password in