System Hacking PDF
Uploaded by IndebtedOwl
Summary
This document provides a detailed overview of system hacking techniques and concepts, including methods of password cracking, privilege escalation, and malicious application execution. It explains different attack types and corresponding defense strategies. The document also addresses how to defend against keyloggers and spyware.
Full Transcript
## EH.VN System Hacking - Module 05

### Unmask the Invisible Hacker

### Information at Hand Before System Hacking Stage

The following data is available at this stage:

- Footprinting Module
  - IP Range
  - Namespace
  - Employees
- Scanning Module
  - Target Assessment
  - Identified Systems
  - Identified Services
- Enumeration Module
  - Intrusive Probing
  - User Lists
  - Security Flaws

### System Hacking: Goals

| Hacking Stage | Goal | Technique/Exploit Used |
|---|---|---|
| Gaining Access | To bypass access controls to gain access to the system | Password cracking, social engineering |
| Escalating Privileges | To acquire the rights of another user or an admin | Exploiting known system vulnerabilities |
| Executing Applications | To create and maintain remote access to the system | Trojans, spyware, backdoors, keyloggers |
| Hiding Files | To hide the attacker's malicious activities and data theft | Rootkits, steganography |
| Covering Tracks | To hide the evidence of compromise | Clearing logs |

### CEH Hacking Methodology (CHM)

- Footprinting
- Scanning
- Enumeration
- **System Hacking**
  - Cracking Passwords
  - Escalating Privileges
  - Executing Applications
  - Hiding Files
  - Covering Tracks

### Password Cracking

Password cracking techniques are used to recover passwords from computer systems. Attackers use them to gain unauthorized access to vulnerable systems. Most password cracking techniques succeed because passwords are weak or easily guessable.

#### Types of Password Attacks

**1. Non-Electronic Attacks**
- The attacker needs no technical knowledge to crack the password, hence the name non-technical attack
- **Examples:**
  - Shoulder Surfing
  - Social Engineering
  - Dumpster Diving

**2. Active Online Attacks**
- The attacker cracks the password by communicating directly with the victim machine
- **Examples:**
  - Dictionary and Brute Forcing Attack
  - Hash Injection and Phishing
  - Trojan/Spyware/Keyloggers
  - Password Guessing

**3. Passive Online Attacks**
- The attacker cracks the password without communicating with the authorizing party
- **Examples:**
  - Wire Sniffing
  - Man-in-the-Middle
  - Replay

**4. Offline Attack**
- The attacker copies the target's password file and then tries to crack the passwords on his own system at a different location
- **Examples:**
  - Pre-Computed Hashes (Rainbow Table)
  - Distributed Network

#### Active Online Attack: Dictionary, Brute Forcing and Rule-based Attack

**1. Dictionary Attack**
- A dictionary file is loaded into the cracking application, which runs it against user accounts

**2. Brute Forcing Attack**
- The program tries every combination of characters until the password is broken

**3. Rule-based Attack**
- This attack is used when the attacker has some information about the password

#### Active Online Attack: Password Guessing

- Frequency of attacks is low
- The attacker builds a list of all possible passwords from information collected through social engineering or other means and tries them manually on the victim's machine
- The failure rate is high

**Steps for Password Guessing:**
1. Find a valid user
2. Create a list of possible passwords
3. Rank passwords from high probability to low
4. Key in each password until the correct password is discovered

### Default Passwords

A default password is a password supplied by the manufacturer with new, password-protected equipment (e.g. switches, hubs, routers). Attackers include default passwords in the word list or dictionary they use for password guessing attacks.
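The dictionary, brute-force and guessing attacks described above, together with the offline rainbow-table attack and the salting and lockout defenses listed further down in this module, can be illustrated by a minimal login service. The code below is an added example, not material from the CEH module or any product: it stores passwords as per-user salted PBKDF2 digests (so two users with the same password get different digests and a precomputed table of unsalted hashes matches nothing), and it locks an account after repeated failures. The user names, passwords, dictionary words and the threshold/lockout values are constructed sample values, not recommendations taken from the page.

```python
# Added example (not from the CEH module): salted password storage plus
# account lockout, the defenses against online guessing and rainbow tables.
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5        # failed attempts before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60    # lockout duration (assumed policy)
PBKDF2_ROUNDS = 100_000      # iteration count; slows each guess

# A tiny "precomputed table" (constructed): unsalted SHA-256 of a few
# dictionary words, the kind of lookup a rainbow table makes instant.
DICTIONARY = ["password", "letmein", "summer2024", "admin"]
UNSALTED_TABLE = {hashlib.sha256(w.encode()).hexdigest(): w for w in DICTIONARY}


def unsalted_sha256_hex(password: str) -> str:
    """What an unsalted hash looks like; this is what precomputed tables index."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_lookup(hex_digest: str):
    """Return the dictionary word whose unsalted hash matches, or None."""
    return UNSALTED_TABLE.get(hex_digest)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. The random salt makes precomputed tables useless
    and the iteration count makes each offline guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordStore:
    """In-memory credential store with per-account failure tracking."""

    def __init__(self):
        self.users = {}         # user -> (salt, digest)
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> unix time when the lockout ends

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)   # fresh random salt per user
        self.users[user] = (salt, hash_password(password, salt))

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def login(self, user: str, password: str, now: float = None) -> str:
        """Return 'ok', 'bad' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        record = self.users.get(user)
        if record is None:
            # Unknown user: still compute a hash so response time does not
            # reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt), digest)
        if ok:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
        return "bad"


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "letmein")   # constructed sample credentials
    store.add_user("bob", "letmein")
    print("same password, different digests:",
          store.users["alice"][1] != store.users["bob"][1])
    print("unsalted hash found in table:", table_lookup(unsalted_sha256_hex("letmein")))
    print("salted digest found in table:", table_lookup(store.users["alice"][1].hex()))
    for _ in range(LOCKOUT_THRESHOLD):
        print(store.login("alice", "wrong"))
    print(store.login("alice", "letmein"))  # locked, even with the right password
```

The lockout counter is keyed by account, so it defends against guessing one user's password; a guessing campaign that tries one common password against many accounts needs a second counter keyed by source address, which the same structure can hold.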
#### Online tools to search default passwords:
- http://cirt.net
- http://default-password.info
- http://www.defaultpassword.us
- http://www.passwordsdatabase.com
- https://w3dt.net
- http://www.virus.org
- http://open-sez.me
- http://securityoverride.org
- http://www.routerpasswords.com
- http://www.fortypoundhead.com

#### Active Online Attack: Trojan/Spyware/Keylogger

- The attacker installs a Trojan/spyware/keylogger on the victim's machine to collect the victim's user names and passwords
- The Trojan/spyware/keylogger runs in the background and sends all user credentials back to the attacker

**Steps for Trojan/Spyware/Keylogger Attack:**
1. Attacker infects the victim's local PC with a Trojan/spyware/keylogger
2. Victim logs on to the domain server with his credentials
3. Trojan/spyware/keylogger sends the login credentials to the hacker
4. Attacker gains access to the domain server

#### Example of Active Online Attack Using USB Drive

- Attacker inserts USB into the victim's computer
- Attacker creates autorun.inf in the USB drive: `[autorun] en-launch.bat`
- Attacker copies the downloaded files to the USB drive
- Attacker inserts the USB drive and the autorun window pops up (if enabled)
- Attacker executes `start pspv.exe /stext pspv.txt`
- PassView is executed in the background and passwords are stored in .TXT files on the USB drive
- Attacker extracts the passwords

#### Passive Online Attack: Wire Sniffing

- Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic
- The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails
- Sniffed credentials are used to gain unauthorized access to the target system

**Summary of Wire Sniffing:**
- Wire Sniffing
- Computationally Complex
- Hard to Perpetrate

#### Passive Online Attacks: Man-in-the-Middle and Replay Attack

- In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access
- In a MITM attack, the attacker gains access to the communication channel between the victim and the server to extract the information
- Considerations:
  - Relatively hard to perpetrate
  - Must be trusted by one or both sides
  - Can sometimes be broken by invalidating traffic

#### Offline Attack: Rainbow Table Attack

- A rainbow table is a precomputed table containing word lists, such as dictionary files and brute force lists, together with their hash values
- Capture the hash of a password and compare it with the precomputed hash table. If a match is found, the password is cracked
- It is easy to recover passwords by comparing captured password hashes to the precomputed tables

#### How to Defend Against Password Cracking

1. Enable information security audit to monitor and track password attacks
2. Do not reuse the same password when changing passwords
3. Do not share passwords
4. Do not use passwords that can be found in a dictionary
5. Do not use cleartext protocols or protocols with weak encryption
6. Set the password change policy to 30 days
7. Avoid storing passwords in an unsecured location
8. Do not use any system's default passwords
9. Make passwords hard to guess by using 8-12 alphanumeric characters combining uppercase and lowercase letters, numbers, and symbols
10. Ensure that applications neither store passwords in memory nor write them to disk in clear text
11. Use a random string (salt) as a prefix or suffix to the password before hashing it
12. Enable SYSKEY with a strong password to encrypt and protect the SAM database
13. Never use passwords such as date of birth, spouse's, child's or pet's name
14. Monitor the server's logs for brute force attacks on user accounts
15. Lock out an account subjected to too many incorrect password guesses

### Privilege Escalation

- An attacker can gain access to the network using a non-admin user account; the next step is to gain administrative privileges
- The attacker performs a privilege escalation attack, which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications
- These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.

#### Types of Privilege Escalation

**1. Vertical Privilege Escalation**
- Refers to gaining higher privileges than the existing ones

**2. Horizontal Privilege Escalation**
- Refers to acquiring the same level of privileges that has already been granted, but assuming the identity of another user with similar privileges

#### How to Defend Against Privilege Escalation

1. Restrict the interactive logon privileges
2. Use encryption techniques to protect sensitive data
3. Run users and applications with the least privileges
4. Reduce the amount of code that runs with particular privileges
5. Implement multi-factor authentication and authorization
6. Perform debugging using bounds checkers and stress tests
7. Run services as unprivileged accounts
8. Test operating system and application code thoroughly for errors and bugs
9. Implement a privilege separation methodology to limit the scope of programming errors and bugs
10. Patch the systems regularly

### Executing Applications

- Attackers execute malicious applications in this stage. This is called "owning" the system.
- The attacker executes malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor to maintain easy access, etc.
#### **Keylogger**

- Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, log the keystrokes to a file, or transmit them to a remote location
- Legitimate uses of keyloggers include office and industrial settings, where employers monitor employees' computer activity, and home environments, where parents monitor children's activity
- They allow the attacker to gather confidential information about the victim such as email IDs, passwords, banking details, chat room activity, IRC, instant messages, etc.
- Physical keyloggers are placed between the keyboard hardware and the operating system

**Keylogger Working**
- Using the keylogger, the hacker installs malicious files.
- The hacker receives the logged input at a remote location or stores it in a log file.
- The user types on the keyboard
- The keylogger injection takes place.
- The user inputs are recorded using the keyboard injection
- Finally, the inputs are presented to the application

#### **How to Defend Against Keyloggers**

1. Use a pop-up blocker
2. Install anti-spyware/antivirus programs and keep the signatures up to date
3. Install good professional firewall software and anti-keylogging software
4. Recognize phishing emails and delete them
5. Choose new passwords for different online accounts and change them frequently
6. Avoid opening junk emails
7. Do not click on links in unwanted or doubtful emails that may point to malicious sites

#### Spyware

- Spyware is a program that records the user's interaction with the computer and the Internet without the user's knowledge and sends the recordings to remote attackers.
- Spyware hides its process, files, and other objects in order to avoid detection and removal.
- It is similar to a Trojan horse and is usually bundled as a hidden component of freeware programs available on the Internet for download.
- It allows the attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, banking credentials, etc.

#### **Spyware Propagation**
- Drive-by download
- Piggybacked software installation
- Masquerading as anti-spyware
- Browser add-ons
- Web browser vulnerability exploits
- Cookies

#### **How to Defend Against Spyware**
1. Try to avoid using any computer system which is not totally under your control
2. Adjust browser security settings to medium or higher for the Internet zone
3. Be cautious about suspicious emails and sites
4. Enhance the security level of the computer
5. Update the software regularly and use a firewall with outbound protection
6. Regularly check the task manager report and MS configuration manager report
7. Update virus definition files and scan the system for spyware regularly
8. Install and use anti-spyware software
9. Surf the web safely and download cautiously
10. Do not use administrative mode unless it is necessary
11. Do not use public terminals for banking and other sensitive activities
12. Do not download free music files, screensavers, or smiley faces from the Internet
13. Beware of pop-up windows or web pages. Never click anywhere on these windows.
14. Carefully read all disclosures, including the license agreement and privacy statement, before installing any application.
15. Do not store personal information on any computer system that is not totally under your control

#### Rootkits

- Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting full access to the server or host now and in the future
- Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which undermine the security of the target system and cause malicious functions to be executed
- A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

#### **Attacker places a rootkit by:**
- Scanning for vulnerable computers and servers on the web
- Wrapping it in a special package like games
- Installing it on public computers or corporate computers through social engineering
- Launching a zero day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)

#### **Objectives of rootkit:**
- To root the host system and gain remote backdoor access
- To mask the attacker's tracks and the presence of malicious applications or processes
- To gather sensitive data, network traffic, etc. from the system, to which the attacker might otherwise be restricted or have no access
- To store other malicious programs on the system and act as a server resource for bot updates

#### What is Steganography?

- Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain the confidentiality of data
- Utilizing a graphic image as a cover is the most popular method of concealing data in files
- An attacker can use steganography to hide messages such as a list of compromised servers, source code for a hacking tool, plans for future attacks, etc.

#### Covering Tracks

- Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection.
**Techniques used by Attacker to cover tracks:**
- Disable auditing
- Clearing logs
- Manipulating logs

#### Disabling Auditing: Auditpol
- Intruders will disable auditing immediately after gaining administrator privileges.
- At the end of their stay, the intruders will just turn auditing on again using auditpol.exe.

#### Clearing Logs
- The attacker uses the clearlogs.exe utility to clear the security, system, and application logs.
- If the system is exploited with Metasploit, the attacker uses the meterpreter shell to wipe out all the logs from a Windows system.
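The two track-covering techniques above (disabling auditing with auditpol and clearing the event logs) each leave a trace of their own, which a defender can alert on: Windows writes event ID 1102 ("The audit log was cleared") into the freshly emptied Security log, event ID 104 into the System log when a log is cleared, and event ID 4719 ("System audit policy was changed") when audit settings are altered. The detector below is an added example, not code from the CEH module or from any product; the log lines are constructed samples in an assumed `time|channel|event_id|user|message` format (a real deployment would read from a forwarded event collector), and the one-hour correlation window and severity labels are choices made for the example.

```python
# Added example (not from the CEH module): flag the events Windows emits when
# auditing is changed or logs are cleared, and escalate when a log clear
# follows an audit-policy change by the same account.
from datetime import datetime, timedelta

# Constructed sample records; assumed "time|channel|event_id|user|message" format.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01|Security|4624|alice|An account was successfully logged on
2024-05-01T09:02:10|Security|4672|svc_backup|Special privileges assigned to new logon
2024-05-01T09:03:15|Security|4719|svc_backup|System audit policy was changed: Logon/Logoff Success Removed
2024-05-01T09:03:20|Security|4719|svc_backup|System audit policy was changed: Object Access Failure Removed
2024-05-01T09:40:05|Security|1102|svc_backup|The audit log was cleared
2024-05-01T09:40:07|System|104|svc_backup|The System log file was cleared
2024-05-01T09:41:00|Security|4719|svc_backup|System audit policy was changed: Logon/Logoff Success Added
"""

# (channel, event id) pairs that indicate tampering with auditing or logs.
TAMPER_EVENTS = {
    ("Security", 1102): "Security log cleared (1102 is written into the fresh log)",
    ("System", 104): "event log cleared (Eventlog source 104)",
    ("Security", 4719): "system audit policy changed (auditpol or equivalent)",
}


def parse_events(text):
    """Parse the pipe-separated sample format into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, user, message = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "channel": channel,
            "event_id": int(event_id),
            "user": user,
            "message": message,
        })
    return events


def detect_track_covering(events, window=timedelta(hours=1)):
    """Return one alert per tampering-related event. A 4719 that removes an
    audit category is 'high'; a 1102/104 within `window` of a 4719 by the
    same account is 'critical'; everything else in TAMPER_EVENTS is 'medium'."""
    alerts = []
    last_policy_change = {}   # user -> time of that user's latest 4719
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["channel"], ev["event_id"])
        if key not in TAMPER_EVENTS:
            continue
        alert = {
            "time": ev["time"].isoformat(),
            "event_id": ev["event_id"],
            "user": ev["user"],
            "severity": "medium",
            "reason": TAMPER_EVENTS[key],
        }
        if ev["event_id"] == 4719:
            last_policy_change[ev["user"]] = ev["time"]
            if "Removed" in ev["message"]:      # an audit category was switched off
                alert["severity"] = "high"
                alert["reason"] += "; auditing reduced"
        else:                                   # 1102 or 104
            prior = last_policy_change.get(ev["user"])
            if prior is not None and ev["time"] - prior <= window:
                alert["severity"] = "critical"
                alert["reason"] += "; follows audit policy change by same account"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_track_covering(parse_events(SAMPLE_EVENTS)):
        print(f'{a["time"]} [{a["severity"]:8}] {a["event_id"]} {a["user"]}: {a["reason"]}')
```

The detection only works if the events reach a collector the intruder cannot clear: forward the Security and System channels off-host as they are written, so that clearlogs.exe or a meterpreter log wipe on the endpoint removes the local copy but not the evidence, and treat a 1102 with no preceding change-management record as an incident rather than noise.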