1. Manual password cracking
1.1. Default password
1.1.1. A default password is a password (commonly "123", "admin", "root", "password", blank, "secret" or "access") assigned to a program or hardware device by the developer or manufacturer. It is meant to be changed on first use, and a device still running it is the first thing an attacker tries.
1.1.2. Default password lists are published online, searchable by manufacturer and model, so every default must be assumed to be known to the attacker.
1.2. Guessing password
1.2.1. Attackers can guess passwords locally or remotely using either a manual or automated approach.
2. Attacks that can be used to gain password
2.1. a. Redirecting SMB logon to the attacker
2.1.1. Eavesdropping on LM/NTLM challenge-response exchanges becomes much easier if the attacker can trick the victim into attempting Windows authentication against a server of the attacker's choice.
2.1.2. The basic trick is to send the victim a message (e-mail or web page) with an embedded hyperlink to a fraudulent SMB server, for example a UNC path pointing at the attacker's host.
2.1.3. When the hyperlink is followed, Windows transparently tries to authenticate to that server, and the user unwittingly sends the challenge-response derived from his credentials over the network, where the attacker captures it to crack or relay.
2.2. b. SMB relay MITM
2.2.1. SMBRelay is essentially an SMB server that captures usernames and password hashes (challenge-response values) from incoming SMB traffic.
2.2.2. It can also act as a man-in-the-middle (MITM): the captured authentication is relayed to a legitimate server while it is still valid, so the attacker is authenticated as the victim without ever cracking the hash. Requiring SMB signing on both client and server is the standard countermeasure against relaying.
2.3. c. NetBIOS DoS Attack
2.3.1. Sending a forged 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to mark its own name as in conflict, so the system will no longer be able to use it.
2.3.2. This blocks the client from participating in the NetBIOS network until the name is re-registered; no credentials are gained, it is purely a denial of service.
3. Password cracking attacks using a tool such as Hydra
3.1. Brute-forcing with Hydra (Kali Linux). Hydra is an online (active) password-guessing tool: it submits username/password combinations to a live network service (SSH, FTP, HTTP forms, SMB and many others) from a word list. Because every attempt reaches the target, the guesses appear in its logs and can trigger account lockout, which is the main practical limit of this approach.
4. Perform privilege escalation
4.1. Privilege escalation
4.1.1. An attack that takes advantage of programming errors, design flaws or misconfigurations to grant the attacker access beyond what was originally granted, to the network and its associated data and applications.
4.1.2. Types of privilege escalation
4.1.2.1. a. vertical
4.1.2.1.1. The attacker grants himself higher privileges than the account he compromised (for example from an ordinary user to administrator, root or SYSTEM). This is typically achieved by exploiting a flaw in a privileged component, such as a kernel or service vulnerability, or a mis-permissioned SUID binary or scheduled task, that lets the attacker run code at the higher privilege level.
4.1.2.2. b. horizontal
4.1.2.2.1. The attacker keeps the same level of privileges he already has but assumes the identity of another user with similar privileges.
4.1.2.2.2. For example, gaining access to another customer's online banking account would constitute horizontal privilege escalation.
5. Rules of passwords
5.1. When possible, use at least 12 characters. Never use fewer than 8.
5.2. Use a variety of characters including letters, numbers, punctuation, and upper and lower case. The greater the variety, the stronger your password will be.
5.3. Avoid using real words from any language.
5.4. Avoid using repeated characters or rows of adjacent keyboard characters.
5.5. Never use personal information such as your birthday, driver’s license number, family member or pet’s name.
5.6. Never use your username as your password.
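As an added example (not part of the original notes), the following Python checker applies rules 5.1 to 5.6 mechanically. The mini dictionary, the keyboard rows, the leet-speak substitutions and the choice of three characters as a "run" are assumptions made for the demonstration; a real deployment would load a large cracking word list in place of DICTIONARY.

```python
"""Password-policy checker for rules 5.1 to 5.6 (added example, not from the notes)."""
import string

# Constructed mini dictionary standing in for a real word list (assumption).
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein", "admin"}
# Rows of a US QWERTY keyboard, used to detect runs of adjacent keys (rule 5.4).
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Common leet-speak substitutions undone before dictionary matching (assumption).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "$": "s", "3": "e", "!": "i"})

MIN_LENGTH = 8            # rule 5.1: never fewer than 8
RECOMMENDED_LENGTH = 12   # rule 5.1: at least 12 when possible
MAX_RUN = 3               # rule 5.4: three identical/adjacent keys in a row (assumption)


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' matches 'password'."""
    return pw.lower().translate(LEET)


def character_classes(pw: str) -> int:
    """Number of classes (lower, upper, digit, punctuation) present (rule 5.2)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def contains_dictionary_word(pw: str) -> bool:
    """Rule 5.3: any dictionary word of four or more letters inside the password."""
    norm = normalize(pw)
    return any(w in norm for w in DICTIONARY if len(w) >= 4)


def has_repeated_run(pw: str, n: int = MAX_RUN) -> bool:
    """Rule 5.4: the same character n or more times in a row."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_keyboard_run(pw: str, n: int = MAX_RUN) -> bool:
    """Rule 5.4: n adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def contains_personal_info(pw: str, personal) -> bool:
    """Rule 5.5: birthday, names, licence number etc. supplied by the caller."""
    norm = normalize(pw)
    return any(p.lower() in norm for p in personal if len(p) >= 3)


def check_password(pw: str, username: str = "", personal=()) -> list:
    """Return the list of violated rules (an empty list means the password passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("5.1 shorter than 8 characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        failures.append("5.1 shorter than the recommended 12 characters")
    if character_classes(pw) < 3:
        failures.append("5.2 fewer than three character classes")
    if contains_dictionary_word(pw):
        failures.append("5.3 contains a dictionary word")
    if has_repeated_run(pw) or has_keyboard_run(pw):
        failures.append("5.4 repeated or adjacent keyboard characters")
    if contains_personal_info(pw, personal):
        failures.append("5.5 contains personal information")
    if username and username.lower() in normalize(pw):
        failures.append("5.6 contains the username")
    return failures


if __name__ == "__main__":
    for pw in ("P@ssw0rd1234", "short", "Tr1st@n-Kettle-99x"):
        print(pw, "->", check_password(pw, username="tkettle", personal=("Tristan",)) or "OK")
```

The leet normalisation matters in practice: "P@ssw0rd1234" satisfies the length and character-class rules yet is rejected for rule 5.3 (it is "password" with substitutions) and rule 5.4 (the "1234" keyboard run).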
6. Types of password attacks
6.1. a. passive online attack
6.1.1. The attacker never interacts with the authenticating party. Instead he captures credentials or challenge-response hashes as they cross the network (sniffing, man-in-the-middle, the SMB tricks in section 2) and cracks them later, so the victim's logon service records no failed attempt.
6.2. b. active online attack
6.2.1. Essentially password guessing: the attacker submits candidate passwords one by one to the victim's logon service. Every attempt is visible to the target, so account lockout and log monitoring are the defence.
6.3. c. offline attack
6.3.1. The attacker first obtains the stored password hashes (a dumped database, the SAM file, or a captured challenge-response) and then cracks them on hardware he controls using dictionary, rule-based or brute-force guessing. No traffic reaches the target while cracking, which is why this form is very effective and difficult to detect; only the strength of the password and of the hashing scheme (salting, slow hashes) limit it.
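As an added example (not part of the original notes), an offline dictionary attack against a dump of per-user salted SHA-256 hashes. The word list, the mangling rules, the user:salt:hash dump format and the three accounts are all constructed for the demonstration; the dump is manufactured inside the block from plaintexts because a real captured dump cannot be embedded, but the cracking code only ever reads the user, salt and digest fields.

```python
"""Offline dictionary attack against a dump of salted SHA-256 password hashes
(added example, not from the notes)."""
import hashlib

# Constructed word list and mangling rules standing in for a real cracking
# dictionary and rule set (assumption).
WORDLIST = ["password", "welcome", "dragon", "letmein", "summer", "monkey"]
SUFFIXES = ("1", "123", "!", "2024")


def hash_password(salt: str, password: str) -> str:
    """Assumed storage scheme: hex(SHA-256(salt || password)), one salt per user."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# The plaintexts below exist only to manufacture a realistic-looking dump for
# the demo; a real attacker holds only the user:salt:hash lines.
_SEED_ACCOUNTS = [
    ("alice", "a1b2", "Welcome123"),
    ("bob", "9f3e", "dragon!"),
    ("carol", "77ee", "Tr1st@n-Kettle-99x"),
]
SAMPLE_DUMP = "\n".join(f"{u}:{s}:{hash_password(s, p)}" for u, s, p in _SEED_ACCOUNTS)


def candidates(word: str):
    """Rule-based mangling: the word, a capitalised copy, and each with a suffix."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def crack(dump_text: str, wordlist) -> dict:
    """Return {user: (recovered_password_or_None, guesses_tried)}.

    Because every user has a distinct salt, every candidate must be re-hashed
    per user; that is exactly what a salt buys the defender (no shared
    precomputed table across accounts)."""
    results = {}
    for line in dump_text.splitlines():
        user, salt, digest = line.split(":")
        found, guesses = None, 0
        for word in wordlist:
            for cand in candidates(word):
                guesses += 1
                if hash_password(salt, cand) == digest:
                    found = cand
                    break
            if found is not None:
                break
        results[user] = (found, guesses)
    return results


if __name__ == "__main__":
    for user, (pw, guesses) in crack(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user}: {pw or 'not cracked'} after {guesses} guesses")
```

Nothing in this loop touches the victim system, which is the detection problem the notes describe: the only defensive levers are the hash scheme (a slow, salted function makes each guess expensive) and password strength (carol's passphrase survives the whole rule set).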
7. Password cracking countermeasures
7.1. Enforce a minimum password length of at least 8 characters, preferably 12 or more (consistent with rule 5.1), with mixed character classes.
7.2. Set a password change policy (the classic advice is 30 days). Note that current NIST guidance (SP 800-63B) recommends against forced periodic rotation, which tends to produce predictable variations of the old password, and favours changing a password when there is evidence of compromise.
7.3. Physically isolate and protect the server that holds the password hashes.
7.4. Monitor the server logs for brute-force attacks on user accounts: bursts of failed logons from one source, and single failed attempts spread across many accounts (password spraying).
7.5. Use the SYSKEY utility to encrypt the SAM password hashes stored on disk with an additional key (legacy Windows NT/2000/XP advice; SYSKEY has since been removed from current Windows versions, where full-disk encryption such as BitLocker fills the same role).
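As an added example for countermeasure 7.4 (not part of the original notes), a small detector that parses OpenSSH-style "Failed password" lines and raises an alert when one source exceeds a failure threshold inside a sliding window (brute force) or touches too many distinct accounts inside that window (password spraying). The log lines, the window of five minutes, the thresholds and the year assumed for syslog timestamps are all constructed for the demonstration.

```python
"""Brute-force and password-spray detector over auth log lines
(added example, not from the notes)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the sshd "Failed password" format (assumption).
SAMPLE_LOG = """\
Mar 10 09:00:01 srv sshd[1201]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:00:02 srv sshd[1202]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Mar 10 09:00:03 srv sshd[1203]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar 10 09:00:04 srv sshd[1204]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Mar 10 09:00:05 srv sshd[1205]: Failed password for admin from 203.0.113.7 port 51126 ssh2
Mar 10 09:00:06 srv sshd[1206]: Failed password for invalid user root from 203.0.113.7 port 51127 ssh2
Mar 10 09:10:00 srv sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 09:11:05 srv sshd[1301]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 10 09:12:10 srv sshd[1302]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Mar 10 09:13:15 srv sshd[1303]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar 10 09:30:00 srv sshd[1400]: Failed password for alice from 192.0.2.44 port 36000 ssh2
Mar 10 11:30:00 srv sshd[1401]: Failed password for alice from 192.0.2.44 port 36001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(text: str, year: int = 2024) -> list:
    """Return [(timestamp, user, source_ip), ...] sorted by time.

    Syslog timestamps carry no year, so one is supplied by the caller (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())            # collapse "Mar  9" style padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def detect(events, window=timedelta(minutes=5), max_failures=5, max_users=4) -> dict:
    """Sliding-window detection per source IP.

    brute-force    : max_failures or more failures from one IP inside the window
    password-spray : max_users or more distinct accounts from one IP inside the window
    Returns {ip: {alert kinds}} for every IP that tripped at least one rule."""
    recent = defaultdict(deque)      # ip -> deque of (ts, user) still inside the window
    alerts = defaultdict(set)
    for ts, user, ip in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= max_failures:
            alerts[ip].add("brute-force")
        if len({u for _, u in q}) >= max_users:
            alerts[ip].add("password-spray")
    return dict(alerts)


if __name__ == "__main__":
    for ip, kinds in detect(parse_failures(SAMPLE_LOG)).items():
        print(ip, sorted(kinds))
```

Note the third source (192.0.2.44): two failures two hours apart never accumulate inside the window, which is the point of windowing rather than counting lifetime failures. Tune the thresholds below the lockout policy, otherwise the attacker locks accounts before the alert fires.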
8. Rootkit countermeasures
8.1. Back up critical data (not binaries!), then wipe the system and reinstall the OS and applications from a trusted source.
8.2. Don't rely on restoring from backups, because you could be restoring trojaned software along with the data.
8.3. Keep a well-documented, automated installation procedure.
8.4. Keep trusted restoration media available.
9. Perform system attack
9.1. Hiding files: purpose and techniques.
9.1.1. There are two ways to hide files in Windows. The first is the attrib command, which sets the file's "hidden" attribute.
9.1.2. To hide a file with the attrib command, type the following at the command prompt: attrib +h [file/directory]. This only removes the file from a default directory listing; dir /a, or Explorer with "show hidden files" enabled, still shows it, and attrib -h clears the attribute again.
9.2. NTFS file streaming
9.2.1. NTFS file systems (Windows NT and every later version) have a feature called alternate data streams (ADS) that allows data to be stored in hidden streams attached to a normal, visible file.
9.2.2. Streams are not limited to a small size, the visible file's reported size does not change, and more than one stream can be attached to a single file.
9.3. NTFS countermeasures
9.3.1. Deleting a stream involves copying the 'front' file to a FAT partition, then copying it back to NTFS.
9.3.2. Streams are lost when the file is moved to a FAT partition because FAT has no concept of them; the same happens when the file passes through any transfer or archiving tool that does not preserve streams. To find them first, list streams with dir /r (Windows Vista and later) or the Sysinternals Streams tool.
9.4. Steganography technologies
9.4.1. Used to conceal information inside other information, so that the existence of the hidden message itself is difficult to detect (encryption alone hides only the content, not the fact that a message exists).
9.4.2. Data is typically encrypted first by the usual means and then inserted, using a special algorithm, into redundant data (provided but not needed) that is part of a particular file format, such as the least significant bits of the sample values in an image file like a JPEG or BMP.
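As an added example of the "redundant data" idea (not part of the original notes), the following Python code hides a payload in the least significant bit of each byte of a cover and recovers it again. The cover is a constructed block of pseudo-random bytes standing in for the raw samples of a lossless image such as a BMP (assumption); the 4-byte length prefix is a framing choice made for the demonstration, and the encryption step the notes mention is left out so the embedding itself stays visible.

```python
"""LSB steganography over raw 8-bit sample data (added example, not from the notes)."""
import random

# Constructed cover: 4096 pseudo-random bytes standing in for the pixel or
# audio samples of a lossless container (assumption).
COVER = bytes(random.Random(1).randrange(256) for _ in range(4096))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus payload into the LSB of successive cover bytes."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload too large for this cover")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(data)):
        out[i] = (out[i] & 0xFE) | bit      # keep the 7 high bits, replace the lowest
    return bytes(out)


def _read(stego: bytes, start: int, n: int) -> bytes:
    """Reassemble n bytes from the LSBs beginning at cover offset start."""
    out = bytearray()
    for k in range(n):
        v = 0
        for i in range(8):
            v = (v << 1) | (stego[start + k * 8 + i] & 1)
        out.append(v)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then that many payload bytes."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload in this data")
    return _read(stego, 32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any sample; LSB embedding moves each by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    secret = b"meet at dawn, gate 4"
    stego = embed_lsb(COVER, secret)
    print("recovered:", extract_lsb(stego))
    print("max sample change:", max_sample_change(COVER, stego))
```

Two caveats a practitioner would want: the technique survives only lossless storage (JPEG recompression rewrites exactly the bits the payload lives in), and replacing LSBs with payload bits flattens their statistics, which is what histogram and chi-square steganalysis tools look for.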
9.5. Buffer overflow attack
9.5.1. Occurs when a program or process attempts to write more data to a fixed-length block of memory (a buffer) than the buffer was allocated to hold.
9.5.2. Because a buffer holds a defined amount of data, the excess overwrites whatever sits in the adjacent memory addresses (other variables, heap metadata or, on the stack, the saved return address) unless the program performs bounds checking and rejects or truncates oversize input. Overwriting the saved return address is what lets an attacker redirect execution to code of his choosing.