Chapter 4 System Hacking


1. Manual Password Cracking

1.1. Default passwords

1.1.1. Set by the manufacturer when the device or system is built.

1.1.2. They are documented and provided to the final consumer of the product and are intended to be changed.

1.1.3. However, not all users or businesses get around to taking this step, and hence they leave themselves vulnerable to anyone who can read the same documentation.

1.1.4. Look up your default password at any of the following sites:

1.2. Guessing passwords

1.2.1. Locate a valid user.

1.2.2. Determine a list of potential passwords.

1.2.3. Rank possible passwords from most to least likely, so the best candidates are tried first. This matters when an account lockout policy limits the number of attempts.

1.2.4. Try passwords until access is gained or the options are exhausted. This process can be automated through the use of scripts created by the attacker, but it still qualifies as a manual attack because each guess is submitted to the live logon service.

2. Attacks that can be used to obtain passwords

2.1. Redirecting SMB Logon to attacker

2.1.1. Another way to discover passwords on a network is to redirect the Server Message Block (SMB) logon to an attacker's computer so that the credentials are sent to the attacker. To do this, the attacker must capture the NTLM challenge/response exchange and trick the victim into attempting Windows authentication against the attacker's computer. A common technique is to send the victim an email message with an embedded link to a fraudulent SMB server. When the link is clicked, Windows tries to authenticate automatically and the user unwittingly sends their NTLM response (a hash derived from the password, not the cleartext) over the network, where it can be relayed to another server or cracked offline.

2.1.1.1. SMBRelay An SMB server that captures usernames and password hashes from incoming SMB traffic. SMBRelay can also perform man-in-the-middle (MITM) attacks.

2.1.1.2. SMBRelay2 Similar to SMBRelay but uses NetBIOS names instead of IP addresses to capture usernames and passwords.

2.1.1.3. pwdump2 A program that extracts the password hashes from a SAM file on a Windows system. The extracted password hashes can then be run through L0phtCrack to break the passwords.

2.1.1.4. Samdump Another program that extracts NTLM hashed passwords from a SAM file.

2.1.1.5. C2MYAZZ A spyware program that makes Windows clients send their passwords as cleartext. It displays usernames and their passwords as users attach to server resources.

2.2. SMB relay MITM

2.2.1. In this attack the attacker sets up a fraudulent server that relays connections. When a victim client connects to the fraudulent server, the MITM server intercepts the authentication, forwards the NTLM challenge/response exchange to the real target server, and thereby obtains an authenticated session as the victim without ever learning the password itself.

2.3. NetBIOS DOS attack

2.3.1. A NetBIOS denial-of-service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS Name Service (UDP port 137) on a target Windows system and forces the system to place its name in conflict so that the name can no longer be used. Name release is an ordinary, unauthenticated part of the NetBIOS name-management protocol, which is why the forged message is accepted. This essentially blocks the client from participating in the NetBIOS network and creates a network DoS for that system.
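The name-conflict DoS above is easy to spot on the wire if you know what a NetBIOS Name Service message looks like. The following is an added example, not part of the original chapter: a decoder for the 12-byte NBNS header and the first-level encoded name (RFC 1001/1002), plus a detection rule that flags a NAME RELEASE request for a protected name coming from any IP other than the name's legitimate owner. The capture, host names and IP addresses are constructed sample data, truncated to the header and question section because that is all the detector examines.

```python
import struct

# RFC 1002 name-service opcodes live in bits 14..11 of the flags word.
NBNS_OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
NBNS_FLAG_RESPONSE = 0x8000   # R bit: 0 = request, 1 = response
NBNS_FLAG_BROADCAST = 0x0010  # B bit inside NM_FLAGS


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15 chars space-padded plus a 1-byte suffix,
    each byte split into two nibbles written as the letters 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytearray()
    for b in raw:
        letters += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(letters) + b"\x00"   # length 32, 32 letters, NUL (no scope)


def decode_nb_name(blob: bytes) -> tuple:
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(blob) < 34 or blob[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    pairs = blob[1:33]
    raw = bytes(((pairs[i] - 0x41) << 4) | (pairs[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns(payload: bytes) -> dict:
    """Decode the NBNS header and, when QDCOUNT > 0, the first question's name."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    msg = {"id": trn_id, "response": bool(flags & NBNS_FLAG_RESPONSE),
           "opcode": (flags >> 11) & 0x0F, "broadcast": bool(flags & NBNS_FLAG_BROADCAST),
           "qdcount": qdcount, "arcount": arcount, "name": None, "suffix": None}
    msg["op"] = NBNS_OPCODES.get(msg["opcode"], "unknown")
    if qdcount:
        msg["name"], msg["suffix"] = decode_nb_name(payload[12:46])
    return msg


def release_alerts(captured: list, protected: dict) -> list:
    """captured: (src_ip, udp_payload) pairs seen on UDP/137.
    protected: NetBIOS name -> IP address that legitimately owns it.
    A NAME RELEASE *request* for a protected name from any other IP is the
    signature of the name-conflict DoS. A host releasing its own name at
    shutdown comes from the owner's IP and is not flagged."""
    alerts = []
    for src_ip, payload in captured:
        try:
            msg = parse_nbns(payload)
        except ValueError:
            continue   # not NBNS, or truncated: ignore
        owner = protected.get(msg["name"])
        if msg["op"] == "release" and not msg["response"] and owner and owner != src_ip:
            alerts.append(f"{src_ip} sent NAME RELEASE for {msg['name']}<{msg['suffix']:02X}> owned by {owner}")
    return alerts


# --- Constructed sample traffic (assumed names and addresses) ---
def _nbns(flags: int, name: str, suffix: int, trn_id: int = 0x1234, arcount: int = 0) -> bytes:
    header = struct.pack("!6H", trn_id, flags, 1, 0, 0, arcount)
    question = encode_nb_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)  # type NB, class IN
    return header + question

SAMPLE_CAPTURE = [
    ("10.0.0.5", _nbns(0x0110, "VICTIM-PC", 0x00)),               # ordinary broadcast name query (RD+B)
    ("10.0.0.5", _nbns(0x3010, "VICTIM-PC", 0x00, arcount=1)),    # owner releasing its own name: legitimate
    ("10.0.0.99", _nbns(0x3010, "VICTIM-PC", 0x00, arcount=1)),   # same release from another host: attack
]
PROTECTED = {"VICTIM-PC": "10.0.0.5"}

if __name__ == "__main__":
    for line in release_alerts(SAMPLE_CAPTURE, PROTECTED):
        print("ALERT:", line)
```

The source-IP check is the weak point of this rule: the attacker can spoof the owner's address in the UDP packet, so in practice pair it with the NB_ADDRESS carried in the release's additional record and with the layer-2 address seen by the switch, or simply disable NetBIOS over TCP/IP where it is not needed.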

3. Password cracking attacks using tools such as Hydra

3.1. Hydra is a very well-known and respected network logon cracker (password cracking tool) that supports many different services, for example SSH, FTP, Telnet, HTTP form logins, SMB and RDP. Because it submits each guess to the live service it is an active online attack: it is limited by network round-trips, can trigger account lockout, and leaves failed-logon entries in the target's logs.

4. Performs privilege escalation

4.1. Privilege escalation

4.1.1. One of the tactics that attackers use after gaining an initial foothold on a system is known as privilege escalation.

4.1.2. Successful privilege escalation attacks grant the attacker privileges that normal users don't have, or access to resources that belong to other users.

4.1.3. There are two common types of privilege escalation — horizontal and vertical

4.1.4. vertical

4.1.4.1. Vertical privilege escalation means moving from a lower to a higher privilege level, for example from an ordinary user account to administrator, root or SYSTEM. It is typically achieved by exploiting a flaw in a component that already runs with elevated rights (a kernel, a privileged service or a setuid binary) or a misconfiguration that lets the attacker run unauthorized code in that context.

4.1.5. horizontal

4.1.5.1. Horizontal privilege escalation means the attacker keeps the same level of privilege he has already been granted but assumes the identity of another user with similar privileges. For example, gaining access to another person's online banking account constitutes horizontal privilege escalation.

5. Perform system attack

5.1. Purpose of hiding files, and the techniques.

5.1.1. Reasons behind hiding data (for an attacker, the goal is to keep tools and collected data from being noticed by the user or administrator):

5.1.1.1. Personal, private data.

5.1.1.2. Sensitive data.

5.1.1.3. Confidential data, trade secrets.

5.1.1.4. To avoid misuse of data.

5.1.2. There are two ways to hide files in Windows

5.1.2.1. The first is to use the attrib command. To hide a file with the attrib command, type the following at the command prompt: attrib +h [file/directory]. This only removes the file from a default directory listing; dir /a still shows it, and attrib -h reverses it.

5.1.2.2. The second way to hide a file in Windows is with NTFS alternate data streams (ADS).

5.1.2.2.1. The NTFS file system used by Windows from NT onward (NT, 2000, XP and every later version) has a feature called alternate data streams that allows data to be stored in hidden streams attached to a normal, visible file.

5.1.2.2.2. Streams aren't limited in size, more than one stream can be attached to a normal file, and the file's reported size does not include its alternate streams.

6. Password rules

6.1. A password is designed to be something an individual can remember easily but at the same time not something that can be easily guessed or broken

6.2. Human beings tend to choose passwords that are easy to remember, which can make them easy to guess.

6.3. Some examples of passwords that lend themselves to cracking:

6.3.1. Passwords that use only numbers

6.3.2. Passwords that use only letters

6.3.3. Passwords that are all upper- or lowercase

6.3.4. Passwords that use proper names

6.3.5. Passwords that use dictionary words

6.3.6. Short passwords (fewer than eight characters)

6.4. The rules for creating a strong password are a good line of defense against the attacks we will explore. Password policies typically require some combination of the character classes listed below. Note that every example in this list is shorter than eight characters, so each would still fail the length rule; only the first combination (letters, special characters and numbers) is a complexity pattern worth using, and it still has to be made long:

6.4.1. Passwords that contain letters, special characters, and numbers: stud@52

6.4.2. Passwords that contain only numbers: 23698217

6.4.3. Passwords that contain only special characters: &*#@!(%)

6.4.4. Passwords that contain letters and numbers: meetl23

6.4.5. Passwords that contain only letters: POTHMYDE

6.4.6. Passwords that contain only letters and special characters: rex@&ba

6.4.7. Passwords that contain only special characters and numbers: 123@$4

7. Types of password attacks

7.1. Active online attacks

7.1.1. Active online attacks interact directly with the target's logon service to recover passwords. They are the most aggressive form of password attack and the noisiest: each guess can count toward an account lockout threshold and leaves a failed-logon entry in the target's logs.

7.1.2. Examples: Using password guessing, Trojans, Spyware, Hash Injection and Keyloggers

7.2. Offline attacks

7.2.1. Offline attacks represent yet another form of attack that is very effective and difficult to detect in many cases.

7.2.2. Such attacks rely on the attacking party first obtaining the stored password hashes (for example a copy of the SAM database or a captured challenge/response) and learning how the passwords are stored, then cracking them on hardware the attacker controls, without sending further traffic to the target.

7.3. Passive online attacks

7.3.1. In a passive online attack the attacker is not engaged, or is less engaged, than during other kinds of attacks: credentials are collected by sniffing or man-in-the-middle interception of authentication traffic rather than by sending guesses to the target.

7.3.2. The effectiveness of this attack relies not only on how weak the password system is, but also on how reliably the password-collection mechanism is executed.

8. Password cracking countermeasures

8.1. The first and best countermeasure against password cracking is using strong passwords.

8.2. A strong password policy should be enforced to protect against password cracking.

8.3. This means a password must be at least 8 to 12 characters long and should contain uppercase and lowercase letters as well as numerals and special characters.

8.4. Password hashes stored on the server must be protected as well: the authentication server should be physically isolated, and passwords should be salted (combined with a random per-user value) before hashing, so that one precomputed table cannot be used against every account and two users with the same password do not produce the same hash.

8.5. To protect hashes on the hard disk, the network administrator can use the "syskey" feature, which encrypts the password database (SAM) with an additional key. Note that the syskey utility was removed starting with Windows 10 version 1709 and Windows Server version 1709; on current systems the equivalent protection comes from full-disk encryption (BitLocker) and Credential Guard.

8.6. Network administrators can enable the syskey feature in any of the following ways.

8.7. Network administrators should also encourage users to change their passwords at regular intervals and never leave their consoles or desktops unlocked, since an unattended session invites trouble such as keyloggers, spyware, Trojans and sniffers.

8.8. Network administrators can force users to change their password within a specific period of time and can also require passwords longer than 8 characters by executing the following command.
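Why salting (8.4) matters against the offline attacks of 7.2 is clearest when you count hash operations. The following is an added example, not from the original chapter: a dictionary attack against an unsalted SHA-256 store, where one lookup table cracks every user at once, beside the same attack against a salted PBKDF2 store, where each user costs the attacker a separate pass over the wordlist multiplied by the iteration count. The wordlist, user names, passwords and salts are constructed; the salts are fixed here only so the run is reproducible, and a real system would draw them from os.urandom.

```python
import hashlib
import hmac

# Constructed wordlist; a real attacker would use a leaked-password list.
WORDLIST = ["123456", "password", "letmein", "POTHMYDE", "stud@52", "qwerty"]


def unsalted_hash(password: str) -> str:
    """What a naive system stores: sha256(password), identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_unsalted(stored: dict) -> tuple:
    """stored maps user -> hex digest. One table built from the wordlist cracks
    every user at once; total cost is len(WORDLIST) hashes regardless of user count."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    return {user: table.get(digest) for user, digest in stored.items()}, len(WORDLIST)


def crack_salted(stored: dict, iterations: int = 100_000) -> tuple:
    """stored maps user -> (salt, hex digest). The salt is not secret, but it is
    different per user, so no table can be shared: each user costs up to
    len(WORDLIST) PBKDF2 runs of `iterations` rounds each."""
    found, ops = {}, 0
    for user, (salt, digest) in stored.items():
        found[user] = None
        for word in WORDLIST:
            ops += 1
            if hmac.compare_digest(salted_hash(word, salt, iterations), digest):
                found[user] = word
                break
    return found, ops


def demo(iterations: int = 100_000) -> dict:
    # Constructed credential store: alice and bob reuse the same weak password.
    plaintexts = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    salts = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}  # fixed for reproducibility
    unsalted = {u: unsalted_hash(p) for u, p in plaintexts.items()}
    salted = {u: (salts[u], salted_hash(p, salts[u], iterations)) for u, p in plaintexts.items()}
    return {
        "same_unsalted": unsalted["alice"] == unsalted["bob"],   # hash reveals password reuse
        "same_salted": salted["alice"][1] == salted["bob"][1],   # salt hides it
        "unsalted": crack_unsalted(unsalted),                    # (results, hash operations)
        "salted": crack_salted(salted, iterations),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With six words and three users the salted store already costs the attacker 10 PBKDF2 runs instead of 6 plain hashes, and each PBKDF2 run is 100,000 times slower; that multiplier, not the salt alone, is what makes offline cracking expensive. Note that carol's password is not in the wordlist and is not recovered in either store: salting does nothing for a password that is guessable, which is why 8.1 through 8.3 come first.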

9. Rootkit countermeasures

9.1. The term ‘rootkit’ originated in the UNIX world; however, today it’s often used to describe stealth technologies utilized by the authors of Windows Trojans

9.2. Initially, ‘rootkit’ was used to mean a collection of programs which made it possible for a hacker to evade detection.

9.3. In order to do this, executable system files (such as login, ps, ls, netstat, etc.) or system libraries (such as libproc.a) are replaced, or a kernel module is installed.

9.4. Both actions have the same purpose; to prevent users from receiving accurate information about what is taking place on the computer.

9.5. The increased popularity of rootkits is partly due to the fact that the source code of many rootkits is now openly available on the Internet.

9.6. It's relatively easy for virus writers to make small modifications to such code. Another factor that drives the increased use of rootkits is that most Windows users run under the administrator's account rather than creating a separate standard user account.

9.7. This makes it much easier to install a rootkit on the victim machine, since installing a driver or replacing system files requires administrative rights.

9.8. Restrict administrative access: work as a standard user day to day and grant administrator rights only when needed.

9.9. Monitor file changes.

9.9.1. Use a file-integrity checker such as Tripwire that records hashes of system binaries and libraries and reports any change. Keep the baseline on read-only or offline media, and remember that a kernel-mode rootkit on the live system can lie to any checker run on that system, so verify from trusted boot media when a compromise is suspected.

9.9.2. On Windows, don't forget sigverif, which checks that system files carry valid digital signatures.
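The "monitor file changes" countermeasure is simple enough to show end to end. The following is an added example, not from the original chapter and not Tripwire's own code: a minimal file-integrity checker that records a SHA-256 digest, size and permission bits for every regular file under a directory, then diffs a fresh scan against that baseline and reports modified, added and removed paths. The demo builds a constructed scratch tree standing in for /bin, then simulates a rootkit that replaces ps, drops a kernel module and deletes ls.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks are skipped so a planted link cannot redirect the check elsewhere."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,   # a new setuid bit is as interesting as new content
        }
    return baseline


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Diff two scans. Any change in digest, size or mode counts as modified."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scratch tree (assumed layout, not a real system) with a
    simulated rootkit installation between the two scans."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    (root / "bin").mkdir()
    (root / "lib").mkdir()
    for name in ("login", "ps", "ls", "netstat"):
        (root / "bin" / name).write_bytes(b"original " + name.encode())
    baseline = build_baseline(root)            # taken while the system is known-good

    (root / "bin" / "ps").write_bytes(b"trojaned ps that hides processes")
    (root / "lib" / "evil.ko").write_bytes(b"kernel module")
    (root / "bin" / "ls").unlink()
    return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline is written once, stored on read-only or offline media, and compared on a schedule; store it on the monitored host and the rootkit simply updates it. The check also cannot see a kernel rootkit that filters what open() and stat() return, which is why the comparison should be run from trusted boot media when a compromise is suspected.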

10. NTFS Countermeasures

10.1. To delete a stream attached to a file, copy the file to a FAT partition and then copy it back to the NTFS partition.

10.2. Streams are lost when the file is moved to a FAT partition because they are a feature of NTFS and therefore exist only on an NTFS partition.

10.3. Countermeasure tool: lns.exe to detect NTFS streams.

10.4. LNS reports the existence and location of files that contain alternate data streams.
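The detection in 10.3 and 10.4 does not require a third-party tool on current Windows: dir /r lists every alternate stream, and the hiding technique of 5.1.2.2 shows up in its output as a line of the form file:stream:$DATA. The following is an added example, not from the original chapter and not lns.exe: a parser for dir /r output that reports each alternate stream and separates the streams Windows itself writes (Zone.Identifier, the "mark of the web" on downloaded files) from streams that deserve a look. The directory listing is constructed sample text; file and stream names in it are assumptions.

```python
import re

# A stream line printed by `dir /r` looks like
#     "                                42 readme.txt:payload.exe:$DATA"
# The unnamed default stream (file::$DATA) is never listed, so every match is an ADS.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams written by Windows components; expected on downloaded files, not suspicious by themselves.
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen"}


def parse_dir_r(output: str) -> list:
    """Return one record per alternate data stream found in `dir /r` output."""
    findings = []
    for line in output.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        stream = m.group(3)
        findings.append({"file": m.group(2), "stream": stream, "size": size,
                         "suspicious": stream not in BENIGN_STREAMS})
    return findings


def suspicious_streams(output: str) -> list:
    """file:stream names worth inspecting, in listing order."""
    return [f"{f['file']}:{f['stream']}" for f in parse_dir_r(output) if f["suspicious"]]


# Constructed `dir /r` output (assumed paths); an executable has been hidden behind readme.txt.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\evidence

05/01/2024  10:12 AM    <DIR>          .
05/01/2024  10:12 AM    <DIR>          ..
05/01/2024  10:13 AM                14 readme.txt
                                73,728 readme.txt:payload.exe:$DATA
05/01/2024  10:14 AM             1,024 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
05/01/2024  10:15 AM                 0 notes.txt
               3 File(s)          1,038 bytes
"""

if __name__ == "__main__":
    for f in parse_dir_r(SAMPLE_DIR_R):
        flag = "SUSPICIOUS" if f["suspicious"] else "benign"
        print(f"{flag:10} {f['file']}:{f['stream']} ({f['size']} bytes)")
```

Feed it the saved output of dir /r /s from the volume under investigation. The 14-byte readme.txt carrying a 73,728-byte stream is the tell: the size a normal directory listing reports never includes the alternate streams. PowerShell's Get-Item -Stream * and Sysinternals streams.exe give the same information, and copying the file through a FAT volume, as 10.1 describes, removes it.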

11. Buffer overflow attack

11.1. Key Concepts of Buffer Overflow

11.1.1. This error occurs when there is more data in a buffer than it can handle, causing data to overflow into adjacent storage.

11.1.2. This vulnerability can cause a system crash or, worse, create an entry point for a cyberattack.

11.1.3. C and C++ are especially susceptible to buffer overflows because they do not check array bounds at run time.

11.1.4. Secure development practices should include regular testing to detect and fix buffer overflows. These practices include automatic protection at the language level and bounds-checking at run-time.

11.2. A buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. A buffer overflow, or buffer overrun, occurs when more data is put into a fixed-length buffer than the buffer can hold. The extra data, which has to go somewhere, spills into adjacent memory, corrupting or overwriting whatever is stored there: neighbouring variables, heap metadata, or a saved return address on the stack. This overflow usually results in a crash, but it also creates the opportunity for an attacker to run arbitrary code or to steer the program into malicious behaviour by overwriting the data it makes decisions on. Many programming languages are prone to buffer overflow attacks, but the extent varies with the language used to write the vulnerable program. Code written in memory-safe languages such as Perl and JavaScript is generally not susceptible to buffer overflows, whereas a buffer overflow in a program written in C, C++, Fortran or assembly could allow the attacker to fully compromise the targeted system.

11.3. Buffer Overflow Causes

11.3.1. Coding errors are typically the cause of buffer overflows. Common application development mistakes that lead to them include allocating buffers that are too small for the input they receive, and neglecting to check the input length before copying it. These mistakes are especially problematic in C/C++, which have no built-in protection against buffer overflows. Consequently, C/C++ applications are frequent targets of buffer overflow attacks, and every copy into a fixed-size buffer in such code must be bounded by the buffer's size rather than by the length of the input.
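The "data spills into adjacent storage" mechanism of 11.1.1 and 11.2 can be shown without a compiler, because ctypes lays out a Structure exactly as a C compiler would. The following is an added example, not from the original chapter: a struct with an 8-byte name buffer followed by an integer privilege flag, an unbounded copy in the style of strcpy/memcpy that lets attacker input overwrite the flag, and the bounded copy that fixes it. The struct, field names and attacker input are assumptions made for the demonstration; the unsafe copy is clamped to the size of the struct only so the demo cannot corrupt the interpreter's heap, a real C program would keep writing past it.

```python
import ctypes


class Session(ctypes.Structure):
    """Same layout as C's  struct { char name[8]; int is_admin; }:
    the privilege flag occupies the 4 bytes immediately after the name buffer."""
    _fields_ = [("name", ctypes.c_char * 8), ("is_admin", ctypes.c_int)]


NAME_SIZE = Session.name.size   # 8, like sizeof(((Session *)0)->name)


def unsafe_set_name(session: Session, data: bytes) -> Session:
    """strcpy/memcpy-style copy with no bounds check: every byte of `data` is
    written starting at `name`, so bytes 8..11 land in `is_admin`.
    (Clamped to sizeof(Session) purely to keep the demo from trampling the
    Python heap; the vulnerable C original would not stop there.)"""
    count = min(len(data), ctypes.sizeof(Session))
    ctypes.memmove(ctypes.addressof(session) + Session.name.offset, data, count)
    return session


def safe_set_name(session: Session, data: bytes) -> Session:
    """Bounded copy: at most NAME_SIZE - 1 bytes, so the terminating NUL survives
    and nothing written through `name` can reach `is_admin`. This is the
    strncpy/snprintf discipline, or a length check before the copy."""
    session.name = data[:NAME_SIZE - 1]    # ctypes NUL-pads the remainder
    return session


# Constructed attacker input: fill the 8-byte buffer, then supply the bytes of
# the integer 1 in native byte order so they overwrite is_admin.
OVERFLOW_INPUT = b"A" * NAME_SIZE + bytes(ctypes.c_int(1))


def demo() -> dict:
    vulnerable = unsafe_set_name(Session(), OVERFLOW_INPUT)   # is_admin becomes 1
    hardened = safe_set_name(Session(), OVERFLOW_INPUT)       # is_admin stays 0
    return {"unsafe_is_admin": vulnerable.is_admin, "unsafe_name": vulnerable.name,
            "safe_is_admin": hardened.is_admin, "safe_name": hardened.name}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same write that flips is_admin here would, with the buffer on the stack and a longer input, reach the saved return address, which is how an overflow becomes arbitrary code execution rather than just a corrupted flag. Note also the subtle second defect the hardened version avoids: copying exactly NAME_SIZE bytes would leave the name without a terminating NUL, so a later string read would run on into is_admin.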