Chapter 4 : HACKING SYSTEM


1. 4.1 Password cracking techniques.

1.1. 4.1.1 Rules of password.

1.1.1. Don't use names, surnames, pet names of family members, friends or pets, birthdays, anniversaries, or common phrases.

1.1.2. Spaces are not allowed at the beginning and end of passwords.

1.1.3. We impose the following password rules:

1.1.4. Your password has to be at least 6 characters long.

1.1.5. Must contain at least one lower case letter, one upper case letter, one digit, and one of these special characters ~!@#$%^&*()_+


1.1.6. Your password will expire from time to time.

1.1.7. The best place to store your password is in your head, but if you tend to forget these types of things, write your password down and store it in a very secure place.
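The rules in 4.1.1 are the kind of policy a registration or password-change handler enforces before it accepts a new password. The following C program is an added example, not code from the page or the course it summarises: it checks a candidate password against every rule listed above (minimum length of 6, no leading or trailing space, at least one lower-case letter, one upper-case letter, one digit and one of the listed special characters, and no name or common phrase) and returns a bit mask naming each rule that was violated. The deny-list entries are constructed sample values; a real deployment would load a larger list from a file.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Special characters permitted by rule 4.1.1.5. */
static const char SPECIALS[] = "~!@#$%^&*()_+";
#define MIN_LEN 6

/* Constructed deny list standing in for names, pet names, dates and common
 * phrases (rule 4.1.1.1). Entries must be lower case. */
static const char *const DENY_LIST[] = {
    "password", "fluffy", "smith", "19900101", "letmein"
};
#define DENY_COUNT (sizeof DENY_LIST / sizeof DENY_LIST[0])

/* Each bit names one violated rule; PW_OK means the password passed. */
enum {
    PW_OK         = 0,
    PW_TOO_SHORT  = 1 << 0,
    PW_EDGE_SPACE = 1 << 1,
    PW_NO_LOWER   = 1 << 2,
    PW_NO_UPPER   = 1 << 3,
    PW_NO_DIGIT   = 1 << 4,
    PW_NO_SPECIAL = 1 << 5,
    PW_DENIED     = 1 << 6
};

int check_password(const char *pw)
{
    size_t len = strlen(pw);
    int flags = PW_OK;
    int lower = 0, upper = 0, digit = 0, special = 0;
    char lowered[256];
    size_t i;

    if (len < MIN_LEN)
        flags |= PW_TOO_SHORT;
    if (len > 0 && (pw[0] == ' ' || pw[len - 1] == ' '))
        flags |= PW_EDGE_SPACE;

    /* One pass over the characters collects the class counts and builds a
     * lower-cased copy for the deny-list check (truncated at 255 bytes). */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c))              lower = 1;
        else if (isupper(c))         upper = 1;
        else if (isdigit(c))         digit = 1;
        else if (strchr(SPECIALS, c)) special = 1;
        if (i < sizeof lowered - 1)
            lowered[i] = (char)tolower(c);
    }
    lowered[len < sizeof lowered - 1 ? len : sizeof lowered - 1] = '\0';

    if (!lower)   flags |= PW_NO_LOWER;
    if (!upper)   flags |= PW_NO_UPPER;
    if (!digit)   flags |= PW_NO_DIGIT;
    if (!special) flags |= PW_NO_SPECIAL;

    /* Case-insensitive substring match, so "Fluffy2020!" is still rejected. */
    for (i = 0; i < DENY_COUNT; i++) {
        if (strstr(lowered, DENY_LIST[i]) != NULL) {
            flags |= PW_DENIED;
            break;
        }
    }
    return flags;
}

/* Human-readable report for one rule bit, for the demo below. */
static const char *rule_name(int bit)
{
    switch (bit) {
    case PW_TOO_SHORT:  return "shorter than 6 characters";
    case PW_EDGE_SPACE: return "leading or trailing space";
    case PW_NO_LOWER:   return "no lower-case letter";
    case PW_NO_UPPER:   return "no upper-case letter";
    case PW_NO_DIGIT:   return "no digit";
    case PW_NO_SPECIAL: return "no special character";
    case PW_DENIED:     return "contains a denied name or phrase";
    default:            return "unknown";
    }
}

int main(void)
{
    const char *samples[] = { "Tr0ub@dor", "abc", " Ab1!xyz", "Fluffy2020!" };
    size_t s;
    for (s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        int flags = check_password(samples[s]), bit;
        printf("%-14s %s\n", samples[s], flags == PW_OK ? "accepted" : "rejected:");
        for (bit = 1; bit <= PW_DENIED; bit <<= 1)
            if (flags & bit)
                printf("    - %s\n", rule_name(bit));
    }
    return 0;
}
```

Returning a mask rather than a single yes/no lets the caller tell the user every rule they missed in one round trip, which is what a well-behaved password-change form does.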

1.2. 4.1.2 Types Of Attacks

1.2.1. Online Password Attack

1.2.1.1. An online password attack attempts to discover a password from an online system. For example, an attacker trying to log on to an account by trying to guess a user’s password is an online attack.

1.2.2. Offline password attack

1.2.2.1. Offline password attacks attempt to discover passwords from a captured database or captured packet scan. For example, when attackers hack into a web site causing a data breach, they can download entire databases.

1.3. 4.1.3 Manual Password Cracking

1.3.1. Default Password

1.3.1.1. Where a device needs a username and/or password to log in, a default password is usually provided that allows the device to be accessed during its initial setup, or after resetting to factory defaults.

1.3.2. Guessing passwords

1.3.2.1. Simply put, an attacker may target a system by doing the following: 1. Locate a valid user. 2. Determine a list of potential passwords. 3. Rank possible passwords from least to most likely. 4. Try passwords until access is gained or the options are exhausted.

1.4. 4.1.4 ATTACKS THAT CAN BE USED TO GAIN PASSWORD

1.4.1. Redirecting SMB Logon to attacker

1.4.1.1. Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the passwords are sent to the hacker. In order to do this, the hacker must sniff the NTLM responses from the authentication server and trick the victim into attempting Windows authentication with the attacker's computer. A common technique is to send the victim an email message with an embedded link to a fraudulent SMB server. When the link is clicked, the user unwittingly sends their credentials over the network.

1.4.2. SMB Relay Attack

1.4.2.1. An SMB relay attack is a type of attack which relies on NTLM version 2 authentication, which is normally used in most companies. Unfortunately, when listening to what is going on in the network, an attacker is able to capture a certain part of the traffic related to authentication and relay it to other servers.

1.4.3. NetBIOS DOS attack

1.4.3.1. This attack will crash the "services" executable, which in turn, disables the ability for the machine to perform actions via named pipes. As a consequence, users will be unable to remotely logon, logoff, manage the registry, create new file share connections, or perform remote administration. Services such as Internet Information Server may also fail to operate as expected. Rebooting the affected machine will resolve the issue, provided it is not attacked again.

1.5. 4.1.5 PASSWORD CRACKING ATTACKS USING TOOL SUCH AS HYDRA

1.5.1. Hydra is a brute-force password cracking tool. In information security (IT security), password cracking is the methodology of guessing passwords from databases that are stored in, or in transit within, a computer system or network. A common approach, and the one used by Hydra and many similar pentesting tools, is referred to as brute force: the tool submits candidate passwords one after another until one is accepted.

1.6. 4.1.6 PASSWORD CRACKING COUNTERMEASURES

1.6.1. The server that stores the password hashes should be physically isolated, and the passwords should be salted (combined with a random value before hashing) so that two users with the same password do not end up with the same stored hash.

1.6.2. To protect the hashes on the hard disk, the network administrator must use the “syskey” feature to protect the password database.

1.6.3. The network administrator can enable the syskey feature in any of the following ways.

2. 4.2 PERFORMS PRIVILEGE ESCALATION

2.1. 4.2.1 PRIVILEGE ESCALATION

2.1.1. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

2.2. 4.2.2 Rootkits

2.2.1. A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.

2.3. 4.2.3 Several types of rootkits such as:

2.3.1. 1) Kernel rootkit: It is a type of rootkit which hides as a loadable kernel module or as a device driver in the operating system. Even if the device driver is updated, the rootkit still manages to stay there.

2.3.2. 2) Hardware or Firmware rootkit: This type of rootkit hides in the firmware. A firmware rootkit is activated if a BIOS function is called or when the machine is booted.

2.3.3. 3) Hypervisor or virtualized rootkit: A hypervisor rootkit runs the operating system as a virtual machine. It changes the boot sequence of the computer. When the computer is booted, the hypervisor is executed on the hardware, and the operating system is then started in a virtual machine.

2.3.4. 4) Library rootkit: A library rootkit hides itself in the system library. This type of rootkit can change arguments of system calls.

2.3.5. 5) Boot loader rootkit or Bootkit: A boot loader rootkit or bootkit is the one which infects Master Boot Record. It replaces a regular boot loader with a boot loader which is in the control of the bootkit.

2.3.6. 6) Memory rootkit: A memory rootkit is the one which hides itself in the memory (RAM).

2.3.7. 7) User or Application rootkit: A user or application rootkit hides itself in the application program. It hides with other application programs in the user mode. A user rootkit doesn’t have access to the kern

2.4. 4.2.4 Rootkits countermeasures.

3. 4.3 PERFORM SYSTEM ATTACK

3.1. 4.3.1 Hiding files purpose and the techniques.

3.1.1. Reasons behind hiding data:

3.1.1.1. Personal, private data.

3.1.1.2. Sensitive data.

3.1.1.3. Confidential data, trade secrets.

3.1.1.4. To avoid misuse of data.

3.1.1.5. Unintentional damage to data, human error, accidental deletion.

3.1.1.6. Monetary, blackmail purposes.

3.1.1.7. Hiding traces of a crime.

3.1.2. There are two ways to hide files in Windows. 1. Use the attrib command. To hide a file with the attrib command, type the following at the command prompt:

3.2. 4.3.2 NTFS file streaming.

3.2.1. NTFS file systems used by Windows NT, 2000, and XP have a feature called alternate data streams that allow data to be stored in hidden files linked to a normal, visible file.

3.2.2. LNS reports the existence and location of files that contain alternate data streams.

3.3. 4.3.3 NTFS countermeasures.

3.3.1. To delete a stream file, copy the first file to a FAT partition, and then copy it back to an NTFS partition.

3.3.2. Streams are lost when the file is moved to a FAT partition because they're a feature of NTFS and therefore exist only on an NTFS partition.

3.3.3. Countermeasure tool: lns.exe, which detects NTFS alternate data streams.

3.4. 4.3.4 Steganography technologies.

3.4.1. Steganography is used to conceal information inside of other information, thus making it difficult to detect. Data is first encrypted by the usual means and then inserted, using a special algorithm, into redundant (that is, provided but unneeded) data that is part of a particular file format such as a JPEG image.

3.5. 4.3.5 Buffer overflow attack.

3.5.1. In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
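The paragraph above describes a fixed-size buffer, an input larger than the assumed size, and adjacent memory being overwritten. The C program below is an added example, not code from the page or the course: it places a small buffer next to another field in a struct (the struct and field names are assumptions made for the illustration), shows the unchecked strcpy form that produces exactly that overrun, and beside it the hardened form that checks the input length against the buffer before writing and reports over-long input back to the caller instead of truncating it silently. Only the checked form is exercised; the unchecked one is kept for contrast and should never be called on untrusted input.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Assumed record layout: a fixed-size buffer with a privilege flag stored
 * immediately after it, so an overrun of name[] lands on is_admin. */
struct session {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable form: strcpy trusts the input length. Anything longer than
 * NAME_LEN - 1 characters writes past name[] into is_admin and beyond,
 * which is the "write past the end of the buffer" the text describes. */
void set_name_unchecked(struct session *s, const char *input)
{
    strcpy(s->name, input);
}

/* Hardened form: measure the input with a bounded scan (never reading more
 * than NAME_LEN bytes), refuse anything that does not fit together with its
 * terminating NUL, and only then copy. Returns 0 on success, -1 on reject;
 * on reject the record is left untouched. */
int set_name_checked(struct session *s, const char *input)
{
    size_t n = 0;
    while (n < NAME_LEN && input[n] != '\0')
        n++;
    if (n >= NAME_LEN)
        return -1;          /* no room for the NUL: reject, do not truncate */
    memcpy(s->name, input, n + 1);   /* n + 1 copies the terminator too */
    return 0;
}

/* Helper for the demo and tests: copy with the checked form into a fresh
 * record and report whether the adjacent flag survived (0 = untouched). */
int admin_flag_after_checked_copy(const char *input)
{
    struct session s;
    memset(&s, 0, sizeof s);
    (void)set_name_checked(&s, input);
    return s.is_admin;
}

int main(void)
{
    struct session s;
    const char *ok_input  = "alice";
    const char *bad_input = "this-name-is-far-too-long-to-fit";

    memset(&s, 0, sizeof s);
    printf("checked copy of \"%s\": %s\n", ok_input,
           set_name_checked(&s, ok_input) == 0 ? "accepted" : "rejected");
    printf("checked copy of \"%s\": %s\n", bad_input,
           set_name_checked(&s, bad_input) == 0 ? "accepted" : "rejected");
    printf("name is still \"%s\", is_admin is still %d\n", s.name, s.is_admin);
    return 0;
}
```

Rejecting rather than truncating is a deliberate choice: a silently truncated name can still cause the "incorrect results" the paragraph mentions (two different inputs collapsing to the same stored value), whereas an explicit error lets the caller log and refuse the anomalous input.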