ICT2212-Lecture 5-System Hacking 2024.pdf
ICT2212 Ethical Hacking: System Hacking
A/Prof Guo Huaqun (Linda)
SIT Internal

Acknowledgement
This set of slides is based on a version from Dr. Raymond Chan (some slides developed by Dr Peter Loh).

Introduction to System Hacking
Scanning and Reconnaissance -> Enumeration -> Gain Access -> Keep Access -> Cover Tracks
- Hacking here refers to gaining access to the target system using previously obtained information
- End-points (direct access, Wi-Fi, web)
- Ease of gaining access depends on the target's attack surface

Introduction to System Hacking (outline)
- Attack Surface Evaluation
  o What is the target's attack surface?
  o How do we measure it?
  o Methodology
- Microsoft Attack Surface Analyzer
  o https://github.com/Microsoft/AttackSurfaceAnalyzer
- Password Attacks
  o Attack Techniques
  o Existing Cracking Tools
  o AI-based Password Cracking
- Password Strength and Guidelines

ATTACK SURFACE EVALUATION

Attack Surface Overview
What is a software product's attack surface?
  o Where are the control and data entry and exit points?
  o E.g. user interface, database interface, network interface
  o The collection of all these entry and exit points = attack surface
  o All = ?

Attack Surface Evaluation
- Define your baseline
  o Determine your minimal attack surface (baseline) at the start
- Measure and monitor regularly
  o If the attack surface increases, determine why
  o Can it be reduced?

Attack Surface Reduction – Best Practices
- Reduce the number of apps running on power-up – start occasional-use apps only when you need them, e.g. Skype, Dropbox
- Uninstall unnecessary software and services
- Limit entry point access to trusted users – restrict network endpoint access to the local subnet or an IP range; use authentication
- Reduce access privilege to limit damage potential – grant higher permissions only for as long as needed; use authorisation

Relative Attack Surface Rankings
Which system features increase or reduce the attack surface?
Larger Attack Surface                      | Smaller Attack Surface
Feature runs by default                    | Feature doesn't run by default
Open network connection                    | Closed network connection
Listening for UDP and TCP                  | Listening for TCP only
Anonymous access                           | Authenticated access only
Internet access                            | Subnet / LAN access
Code running as admin/root                 | Code running in a low-privilege account
Loose (broad) Access Control Lists (ACLs)  | Strict (specific) ACLs
Many URLs are entry points                 | Only one or a few URLs are entry points

Attack Surface Model
Environment -> attacks -> system surface, through the entry/exit points: 1. Methods, 2. Channels, 3. Data Items
- An attack requires sending untrusted data items into, or retrieving them from, a system via one or more channels managed by methods
- Attack Surface Measurement: identify the relevant resources (methods, channels and data) and estimate the contribution of each such resource

Attack Surface Measurement
Resource        | Damage Potential      | Effort
Method (M)      | Method's privilege    | Access rights
Channel (C)     | Channel's protocol    | Access rights
Data Item (I)   | Persistent data type  | Access rights

A resource's contribution to a system's attack surface depends on its damage potential, i.e. the level of harm the attacker can cause by using the resource in an attack, and on the effort spent to acquire the access rights needed to do so.
- We estimate a method's damage potential in terms of the method's privilege. An attacker gains a method's privilege by using the method (e.g. an API) in an attack.
- We estimate a channel's damage potential in terms of its protocol (e.g. the TLS protocol in the Heartbleed bug). A channel's protocol imposes restrictions on the data exchange allowed over the channel.
- A persistent data item's type imposes restrictions on the data exchange (e.g. a file can be injected with unknown executable code but a registry entry cannot; cookies can be hijacked). Hence we estimate a data item's damage potential in terms of its type.
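A small model of the measurement just described, added here as an example rather than taken from the lecture: every resource contributes damage potential divided by effort, a baseline is measured, and the same platform is measured again after an install (the comparison step the Attack Surface Analyzer automates). The ordinal scales for privilege, protocol, data type and access rights, and the resources themselves, are assumptions made for this example.

```python
"""Attack surface measurement as on the slide: each resource (method, channel,
data item) contributes damage_potential / effort. Damage potential is the
method's privilege, the channel's protocol or the data item's type; effort is
the access rights needed. The ordinal scales are assumptions for this example."""
from dataclasses import dataclass

# Assumed scales: higher damage = more harm; higher access = more effort to obtain.
PRIVILEGE = {"root": 5, "service": 3, "user": 1}                        # methods
PROTOCOL = {"udp": 4, "tcp": 3, "tls": 2, "local_ipc": 1}               # channels
DATA_TYPE = {"executable": 5, "config": 3, "registry": 2, "cookie": 2}  # data items
ACCESS_RIGHTS = {"anonymous": 1, "authenticated": 3, "admin": 5}        # effort
SCALES = {"method": PRIVILEGE, "channel": PROTOCOL, "data": DATA_TYPE}

@dataclass(frozen=True)
class Resource:
    kind: str    # "method", "channel" or "data"
    name: str
    damage: str  # key into SCALES[kind]
    access: str  # key into ACCESS_RIGHTS

def contribution(r: Resource) -> float:
    """Damage potential over effort: a root method reachable anonymously scores 5/1."""
    return SCALES[r.kind][r.damage] / ACCESS_RIGHTS[r.access]

def measure(resources) -> dict:
    """The attack surface as the (methods, channels, data items) triple of totals."""
    totals = {"method": 0.0, "channel": 0.0, "data": 0.0}
    for r in resources:
        totals[r.kind] += contribution(r)
    return totals

def delta(baseline: dict, after: dict) -> dict:
    """Per-dimension growth after an install, i.e. the baseline comparison step."""
    return {k: round(after[k] - baseline[k], 3) for k in baseline}

# Constructed platform: minimal baseline, then the same host with an agent added.
BASELINE = [
    Resource("method", "login_api", "user", "authenticated"),
    Resource("channel", "https_443", "tls", "authenticated"),
    Resource("data", "users.db", "config", "admin"),
]
AFTER_INSTALL = BASELINE + [
    Resource("method", "agent_rpc", "root", "anonymous"),           # root, no auth
    Resource("channel", "discovery_udp_1900", "udp", "anonymous"),  # open UDP listener
    Resource("data", "updater.exe", "executable", "authenticated"),
]

if __name__ == "__main__":
    base, new = measure(BASELINE), measure(AFTER_INSTALL)
    print("baseline", base, "\nafter   ", new, "\ngrowth  ", delta(base, new))
```

The method dimension grows by 5.0 because one anonymously reachable root-privilege method outweighs the whole authenticated baseline; that single number is what the "determine why" step on the Attack Surface Evaluation slide would chase down.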
ATTACK SURFACE ANALYZER

Microsoft Attack Surface Analyzer 2.0
- Free tool for highlighting security issues in an application
- Start by running a baseline scan of the platform (Windows):
  o Itemize open files
  o Itemize active apps
  o Itemize Windows services
- Install the target app to be checked, run a scan and compare against the baseline
- Useful for highlighting how new apps and drivers installed since the baseline scan change the attack surface of your platform
- Generate scan report

Microsoft Attack Surface Analyzer 2.0 (screenshot)
Repeat after a new app is installed

Attack Surface Analyzer Demo
https://www.youtube.com/watch?v=8h6n1eul9AI

Microsoft Attack Surface Analyzer (screenshot)

PASSWORD ATTACKS

Password System
Client: Password -> Hash Function (with stored salt) -> Hashed Password. Server: compare with Stored Hashed Password -> Allow/Deny Access.
- Password is hashed and stored
- Salt added to randomize the password and stored on the system
- Login – the hashed password is compared to the stored password
- Comparison match – allow access; otherwise deny access
- Password attacks are launched to crack the encoded password

Password Salting
Adding random data to the password before hashing it:
  o The same string can hash to different values at different sites
  o The salt is stored with the salted hashed password

Salting a Password Demo
- Generate the MD5 hash for a random password, e.g. "secret": http://www.miraclesalad.com/webtools/md5.php
- MD5 hash is: 5ebe2294ecd0e0f08eab7690d2a6ee69
- Googling this hash value easily finds you "secret"
- Now generate the MD5 hash for "Z01secret"
- New MD5 hash is: d30a09de93a3c3b989eea283b9762790
- Google with the new hash value
- Can you find the original password?
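The store-and-compare flow of the Password System slide with the salting of this demo, as an added example that is not the lecture's code: a random per-user salt is stored beside the hash and every login re-hashes the attempt with that salt. PBKDF2-HMAC-SHA256 with a 16-byte salt is an assumption for this example; unsalted MD5 is kept only to show why the demo's first digest can be looked up.

```python
"""Salted password storage and login comparison, as in the Password System and
Salting slides. The hash choice (PBKDF2-HMAC-SHA256, 16-byte random salt) is an
assumption for this example; the slides' demo used unsalted MD5."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000  # assumed work factor

def md5_hex(password: str) -> str:
    """Unsalted MD5 as in the demo: deterministic, so one digest maps to one
    password and a search engine or rainbow table can reverse it."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); a fresh random salt is drawn unless one is supplied."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store(users: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> None:
    """Server side: the salt and salted hash are stored, the password itself never is."""
    users[username] = hash_password(password)

def verify(users: Dict[str, Tuple[bytes, bytes]], username: str, attempt: str) -> bool:
    """Login: re-hash the attempt with the stored salt and compare in constant time."""
    if username not in users:
        hash_password(attempt, bytes(16))  # same cost as a real user: no timing oracle
        return False
    salt, stored = users[username]
    return hmac.compare_digest(hash_password(attempt, salt)[1], stored)

def same_stored_hash(users, a: str, b: str) -> bool:
    """Do two accounts reveal that they share a password? Not with distinct salts."""
    return users[a][1] == users[b][1]

if __name__ == "__main__":
    db = {}
    store(db, "alice", "secret")  # constructed accounts that share one password
    store(db, "bob", "secret")
    print(md5_hex("secret"))                     # 5ebe2294ecd0e0f08eab7690d2a6ee69
    print(same_stored_hash(db, "alice", "bob"))  # False: different salts
    print(verify(db, "alice", "secret"), verify(db, "alice", "Secret"))  # True False
```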
- "Z01" is the salt that was added to make the hashed passwords stronger

Hashed Password Application
- Without salting: the same password is used at Bank A and Site B (pwdA = pwdB). A phishing attack or break-in at Site B reveals the password at Bank A.
- With salting: a unique (hashed) password is generated per site, so a replay attack against Bank A with what was taken from Site B is not possible.

LAN Manager (LM) Hash Generation
- LAN Manager hash used in Windows systems (pre Windows NT) for passwords of fewer than 15 characters
- Password converted to upper case and padded with NULL to 14 characters, then separated into two 7-character strings: Singapore1 = SINGAPO + RE1****
- Each 7-character half is used as a DES key to encrypt a constant; the two results are concatenated to form the LM hash
- Limited (alphanumeric) character set, case-insensitive

NTLM Hash Generation
- Singapore1 -> Unicode password -> MD4 -> NTLM hash
- Post-NT versions of Windows use the NTLM (MD4) hash
- Uses 14 characters for a single hash
- Stores the hashed password in Unicode
- Harder to crack than the older LM "hashes"
- Can be cracked by existing public-domain tools (e.g. John the Ripper)
- Both LM and NTLM hashed passwords are unsalted
- Superseded by MD5, followed by the SHA-n algorithms

SHA-n Hash Generation
- SHA stands for Secure Hashing Algorithm
- SHA-n are different versions of the SHA algorithm. They differ in how the resulting hash is created from the original data and in the bit-length of the hash
- SHA-1 is a 160-bit hash (Google created a SHA-1 collision). Certificates expired in 2016.
- SHA-2 is a class of hashes of various lengths, the most popular being 256-bit. Others include SHA-224, SHA-384 and SHA-512
- SHA-256 produces a 256-bit (32-byte) hash value
- Quantum computing -> SHA-512

Typical Online Password Attack
- Find a valid user ID
- Create a list of possible passwords
- Rank the passwords from high probability to low
- Type in each password
- If the system allows you in – success!
- If not, try again, being careful not to exceed the password lockout (the number of times you can guess a wrong password before the system shuts down and won't let you try any more)
- Need good guesses

Password Guessing Techniques
- Dictionary words spelled backwards
- First and last names, children, addresses, cities
- The same with upper-case initials
- All valid licence plate numbers in your state
- Room numbers, telephone numbers, etc.
- Letter-number substitutions and other tricks: 4 for A; 3 for E; 5 for s or S
- If you can think of it, the attacker will, too

Password Security Risks
- Default or weak passwords, e.g. admin; admin / access; the last 4 digits of an NRIC
- Based on personal data, e.g. family, friends, achievements
- Same password at multiple sites, for banking, shopping, social networking
- Keystroke loggers: hardware (e.g. KeyGhost, KeyGrabber) and software (e.g. SpyAgent, IAmBigBrother)

Password Attacking Techniques
- Dictionary Attack: the attacker tries all words in a dictionary to crack the password; many people tend to use dictionary words as passwords
- Brute Force Attack: try all permutations of the letters and symbols in the alphabet
- Hybrid Attack: words from a dictionary and their variations are used in the attack, followed by a brute force attack
- Rainbow Tables Attack: lists of pre-computed hashes
- Social Engineering: people use weak passwords based on personal data; people disclose passwords naively to others
- Shoulder Surfing (Observation Attack): attackers slyly watch over people's shoulders to steal passwords
- Dumpster Diving: people dump their trash papers in the garbage, which may contain information to crack passwords

AI-based Password Cracking – 1/4
Existing Password Cracking Techniques
- Typically based on guessing
- Exhaustive guessing – e.g. brute force (overheads can be reduced with knowledge of the password length/formulation rules)
- Guided guessing – e.g.
dictionary/table based (the success rate may depend on dictionary/table size and on the password/hash generation rules -> overheads)
- How to scale up a password dictionary?
- Password entropy measures the unpredictability of a password
- Does a real password have very high entropy?

AI-based Password Cracking – 2/4
Password Cracking based on Machine Learning
- Based on a human attack vector – people use password creation schemes
- Targeted guessing 1 – first gain knowledge of the user's profile -> derive creation scheme(s) -> reduced entropy
- Targeted guessing 2 – generate a password dictionary with the derived schemes (may include obfuscation with leetspeak)
- Found by Google hacking; note the password schemes

AI-based Password Cracking – 3/4
AI Password Generation based on Derived Scheme
- The dictionary subset or password guesses are built on AI-perceived mangling of user profile data rather than on security policy heuristics

AI-based Password Cracking – 4/4
PassGAN – Adversarial password cracking
- Uses a Generative Adversarial Network to learn the distribution of real passwords from actual leaked passwords
- A neural network (Generator G) is initialized with random noise (Gaussian or uniform distribution) and tries to mimic the underlying distribution of the password samples
- A neural network (Discriminator D) is trained to distinguish between real and fake password samples
- Advantage of neural networks – they can be trained without a priori knowledge

Summary
Attack Surface Analysis
- What constitutes a platform's attack surface
- Quantitative evaluation – methods, channels and data items
- Use of Microsoft Attack Surface Analyzer
Password Attacks
- Password security – how passwords are hashed, salted and stored
- Weak and strong hashes – are strong hashes enough?
- Typical online password attack process
- Password guessing techniques
- Password security risks – default, weak and reused passwords, key loggers
- Password attacking techniques – existing and AI-based
Next Lecture – Password Cracking Tools

PASSWORD CRACKING TOOLS

Password Cracking Overview
- Password cracking is the process of guessing or recovering a password from stored locations or from data transmission systems
  o In attacking, for unauthenticated access
  o In pentesting, for evaluating authentication vulnerability
  o In forensics, for accessing a suspect's computer system and/or files
- Automation support – some cracking tools: RainbowCrack, Wfuzz (brute-forcing web apps), John the Ripper, THC Hydra, Medusa, OphCrack, L0phtCrack, Aircrack-ng

Localhost Password Recovery
- pwdump7: pwdump7.exe (dump system passwords)
- In the installed folder, enter: pwdump7 > pass.txt
- Unveiling Password Vulnerabilities: Dump and Crack Hashes with pwdump7 and Ophcrack: https://www.youtube.com/watch?v=2fMXsjC2pJ4

John the Ripper – Account Creation
- A fast password cracking tool (http://www.openwall.com/john/)
- John the Ripper is an open-source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including for: user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, "web apps" (e.g. WordPress), groupware (e.g. Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.), filesystems and disks (macOS .dmg files and "sparse bundles", Windows BitLocker, etc.), archives (ZIP, RAR, 7z), and document files (PDF, Microsoft Office's, etc.). These are just some of the examples – there are many more.
- Ethically Crack Passwords by John the Ripper – https://www.youtube.com/watch?v=6Yehb5yjHF8

John the Ripper – Account Creation
- https://hash.online-convert.com/des-generator
- https://hash.online-convert.com/md5-generator
- https://hash.online-convert.com/sha256-generator

John the Ripper – Cryptanalysis
- Copy and paste the DES-encrypted username:password into a .txt file
- Run john on the .txt file
- Repeat with the MD5 version

Ophcrack Password Recovery
- A password cracker based on rainbow tables
- Available for Windows, Mac OS X and Unix
- https://sourceforge.net/projects/ophcrack/
- XP and Vista tables: http://ophcrack.sourceforge.net/tables.php

Ophcrack Password Cracking
- Ensure you have installed at least the downloaded rainbow tables
- Load the pass.txt created by pwdump previously and click Crack

THC Hydra Password Cracking
- A very fast password cracking tool (non-hashed lookup)
- Hydra is a parallelized network login cracker built into various operating systems like Kali Linux, Parrot and other major penetration testing environments. Hydra works by using different approaches to perform brute-force attacks in order to guess the right username and password combination.
THC Hydra Password Cracking – 1
https://www.youtube.com/watch?v=2tJgPyRITGc

Brute-Force Attack Using Hydra in Kali
sudo hydra "::"
┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ sudo hydra -l newyork -P /usr/share/wordlists/rockyou.txt lindaguo.mooo.com https-post-form "/auth/login8.php:username=^USER^&password=^PASS^:Authentication failed"
sudo hydra -L /usr/share/wordlists/username.txt -P /usr/share/wordlists/rockyou.txt lindaguo.mooo.com https-post-form "/auth/login8.php:username=^USER^&password=^PASS^:Authentication failed"

Computation Power Needed
- Custom GPU-based hardware – a 5-server rig with 25 Radeon GPUs
  o 348 billion NTLM passwords per second (NTLM = Microsoft's suite of security protocols); 6 seconds to crack a 14-character Windows XP password
  o 77 million md5crypt-hashed passwords per second (md5crypt() is used by FreeBSD and Linux)
- Cloud-based cracking tools – CloudCracker, Cloud Cracking Suite (CCS)
  o Can use cloud-based browsers to do MapReduce jobs
- 25-GPU cluster cracks every standard Windows password in
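Defender-side detection of the online guessing described on the "Typical Online Password Attack" slide and performed by the Hydra post-form runs above: a burst of failed logins from one source (the -P wordlist) and one source failing against many usernames (the -L list). Added example, not from the lecture; the log format, field names, sample records and thresholds are all assumptions made for it.

```python
"""Detecting the online guessing from the 'Typical Online Password Attack' slide
and from Hydra runs against a login form: bursts of failed logins from one source
and one source cycling through many usernames (-L). Added example, not from the
lecture; the log format, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log: UTC time, source address, username, outcome.
LOG = """\
2024-03-01T10:00:00Z src=203.0.113.7 user=newyork result=fail
2024-03-01T10:00:00Z src=203.0.113.7 user=newyork result=fail
2024-03-01T10:00:01Z src=203.0.113.7 user=newyork result=fail
2024-03-01T10:00:01Z src=203.0.113.7 user=newyork result=fail
2024-03-01T10:00:02Z src=203.0.113.7 user=newyork result=fail
2024-03-01T10:00:02Z src=203.0.113.7 user=newyork result=ok
2024-03-01T10:00:05Z src=198.51.100.9 user=alice result=fail
2024-03-01T10:00:06Z src=198.51.100.9 user=bob result=fail
2024-03-01T10:00:07Z src=198.51.100.9 user=carol result=fail
2024-03-01T10:05:00Z src=192.0.2.44 user=dave result=fail
2024-03-01T10:20:00Z src=192.0.2.44 user=dave result=fail
"""

def parse(line: str) -> dict:
    """Split 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def alerts(log: str, window=timedelta(seconds=60), max_fail=4, max_users=3) -> list:
    """Return (src, reason) pairs: 'burst' when a source exceeds max_fail failures
    inside `window` (the rate a per-account lockout also caps), 'spray' when it has
    failed against max_users distinct usernames. A burst ending in result=ok still fires."""
    fails, users, out = defaultdict(list), defaultdict(set), []
    for rec in map(parse, log.strip().splitlines()):
        if rec["result"] != "fail":
            continue
        src = rec["src"]
        # Sliding window: keep only failures still inside `window`, then add this one.
        fails[src] = [t for t in fails[src] if rec["ts"] - t <= window] + [rec["ts"]]
        users[src].add(rec["user"])
        if len(fails[src]) > max_fail:
            out.append((src, "burst"))
            fails[src].clear()  # one alert per burst, not one per extra attempt
        if len(users[src]) == max_users:
            out.append((src, "spray"))
    return out

if __name__ == "__main__":
    print(alerts(LOG))  # [('203.0.113.7', 'burst'), ('198.51.100.9', 'spray')]
```

The two failures from 192.0.2.44 fifteen minutes apart stay below both thresholds, which is the behaviour a legitimate user with a mistyped password produces.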