Module #5 System Hacking (8th ed)

Module description

This module will introduce techniques used to gain access to a remote host or network. Vulnerabilities that allow access into a system will be studied and used in the lab.

This module is about getting on to that remote host! Techniques covered will include cracking passwords, escalating privileges, executing applications on that remote host, hiding your presence, and steganography.

Module Objectives {incorporate, learn, absorb, integrate, take on board, know, understand, comprehend, digest, examine, assimilate, familiarize, experience, recognize, be acquainted with, identify, discern, and distinguish, grasp, have a handle on, become skilled at, discover}

From the reading:

(Module/Chapter 5 of CEH Text)

·  Describe the five stages of System Hacking, being able to match each with its goal and an example of the technique/exploit used

o  See table System Hacking: Goals

·  Know the 3 broad categories of System Hacking, and the subparts of each, represented in the CEH Hacking Methodology (CHM) slide

·  Though the book starts to talk about password cracking techniques, be sure to fully comprehend how passwords are created and stored on computers by reviewing the errata slides and slides on pages 567 – 579.

o  Realize that passwords are usually stored as hashes on a system and not in the clear.

o  Comprehend that a stored hash cannot be decrypted: hashing is one-way, so the only way to recover the password is to hash candidate guesses and compare each result with the hash stored on the system until one matches.

o  Grasp why any password can be cracked given enough time and resources: the keyspace is finite, so an exhaustive search that tries every candidate must eventually hit it; strong passwords only make that search impractically long.

·  Examine the 5 Password Cracking Techniques, being able to match each to its description.

o  Know the order in which a tool should apply the 5 techniques, and why: the cheap, high-probability guesses come first and the exhaustive search comes last.

§  Dictionary

§  Hybrid

§  Syllable

§  Rule-based

§  Brute-force (always last!)

o  Recognize that one should always look for and include system default passwords in their dictionaries when performing password cracking.

·  Absorb the Types of Password Attacks and their respective categories, such as active vs. passive and online vs. offline.

o  Sniffing

o  Man-in-the-Middle

o  Password Guessing

o  Keyloggers

o  Hash Injection Attack

o  Pre-computed tables and Rainbow tables

§  Understand that rainbow tables differ from plain pre-computed tables: instead of storing every (password, hash) pair, they store only the start and end points of hash/reduce chains and recompute the middle of a chain on demand (a time/memory trade-off). Because chains can merge or simply miss parts of the keyspace, not every password is guaranteed to be found in a rainbow table.

o  Distributed Network Attack

o  Non-electronic attacks such as social engineering, shoulder surfing, and dumpster diving.
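To make the pre-computed vs. rainbow table distinction concrete, the following is an added example (not code from the CEH text or its labs) of a toy rainbow table over a deliberately small keyspace: three lowercase letters, unsalted SHA-1 standing in for LM/NTLM. The keyspace size, chain length, number of chains, and the reduction function are all assumptions chosen for illustration. The table stores only chain end points, recomputes chains on lookup, and its coverage stays below 100% because chains merge and the chains cover at most num_chains * chain_len passwords.

```python
import hashlib
import string

# Assumed toy keyspace: all 3-character lowercase passwords (26**3 = 17576).
ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN


def index_to_password(i: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def H(password: str) -> str:
    # Unsalted hash, as LM/NTLM store them; SHA-1 stands in for the real function.
    return hashlib.sha1(password.encode("ascii")).hexdigest()


def R(digest: str, column: int) -> str:
    """Reduction function: map a digest back to *some* password in the keyspace.
    Mixing in the column number gives each chain position its own reduction,
    which is what makes this a rainbow table rather than a plain Hellman table
    and limits (but does not eliminate) chain merges."""
    return index_to_password((int(digest[:12], 16) + column) % KEYSPACE)


def build_table(num_chains: int, chain_len: int) -> dict:
    """Store only end point -> start point. The chain interior is recomputed
    on demand: that is the time/memory trade-off."""
    table = {}
    for i in range(num_chains):
        start = index_to_password(i)
        p = start
        for col in range(chain_len):
            p = R(H(p), col)
        # Two chains that merged share an end point; only one survives, and the
        # passwords unique to the other chain are silently lost from coverage.
        table.setdefault(p, start)
    return table


def lookup(table: dict, target: str, chain_len: int):
    """Recover the password whose hash is `target` if some chain covers it, else None."""
    for i in range(chain_len - 1, -1, -1):
        # Assume the target sits at column i and walk the rest of the chain to its end.
        p = R(target, i)
        for col in range(i + 1, chain_len):
            p = R(H(p), col)
        if p in table:
            # Candidate chain: regenerate it from its start point and verify.
            q = table[p]
            for col in range(chain_len):
                if H(q) == target:
                    return q
                q = R(H(q), col)
            # End point matched but the hash is not in this chain: a false alarm.
    return None


def coverage(table: dict, chain_len: int, sample) -> float:
    """Fraction of the sample passwords that the table can actually recover."""
    found = sum(1 for pw in sample if lookup(table, H(pw), chain_len) == pw)
    return found / len(sample)


if __name__ == "__main__":
    T = 50
    table = build_table(100, T)
    print("stored entries:", len(table), "of 100 chains (fewer means merges)")
    print("found 'aaa':", lookup(table, H("aaa"), T))
    sample = [index_to_password(i) for i in range(0, KEYSPACE, 97)]
    print("coverage on sample: %.2f" % coverage(table, T, sample))
```

With 100 chains of length 50 the table can cover at most 5,000 of the 17,576 passwords even before merges, and the stored table is 100 entries instead of 17,576: that is the trade-off the objective above describes, and the reason a password can be absent from a rainbow table that was built for its keyspace.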

·  Discover the 3 methods Microsoft uses for password storage and authentication.

o  LAN Manager (also known as LANMAN or LM)

o  NTLM

o  Kerberos

·  Know why LANMAN is more susceptible to cracking than the other two.

o  Be able to describe what LANMAN does to passwords before hashing them: the password is converted to uppercase, padded or truncated to exactly 14 characters, and split into two 7-character halves, each of which is used as a DES key to encrypt a fixed string. An attacker therefore cracks two short, case-insensitive halves independently instead of one long password, and a password of 7 characters or fewer shows a well-known constant as its second half.

·  Recognize why LANMAN continued to be used even though its weakness was well known

o  Microsoft’s desire for legacy system support and user-friendliness at the cost of better security.

o  Windows systems before Windows Vista/Windows Server 2008 enabled the LAN Manager hash by default for backward compatibility with legacy LAN Manager

·  Be able to identify by acronym and name the parts of the Kerberos authentication system (the Key Distribution Center (KDC) with its Authentication Service (AS) and Ticket Granting Service (TGS), the Ticket Granting Ticket (TGT) and the service ticket, and the client and service principals), and what each part is responsible for.

·  Recognize what Salting does and why it is used.

o  Salting combines a random per-account value (the salt, stored alongside the hash) with the clear password before it is hashed.

The salt is not a substitute for a longer password, since anyone who has the hash also has the salt. Its purpose is to make identical passwords hash to different values and to force the attacker to compute hashes per account, which defeats pre-computed and rainbow tables and prevents cracking many accounts in one pass.
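The following is an added example (not code from the CEH text or its labs) that ties together the objectives above: hashes are recovered by hashing guesses and comparing, the five techniques are applied in the stated order with brute force last, system defaults are tried before the dictionary, and a salt changes the hash of an identical password. The hash scheme (salted SHA-256), the word lists, the mangling rules, the syllable set and the brute-force character set are all assumptions made for illustration; real systems use slow, purpose-built schemes such as sha512crypt, PBKDF2 or bcrypt, and real crackers use far larger lists and rule sets, but the control flow is the same.

```python
import hashlib
import itertools
import string


def hash_password(password: str, salt: bytes) -> str:
    """Simplified salted hash: sha256(salt || password). Assumption for this
    example only; the real scheme changes the cost per guess, not the logic."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed word lists: vendor/system defaults first, then a tiny dictionary.
DEFAULTS = ["admin", "password", "changeme"]
DICTIONARY = ["letmein", "welcome", "summer", "dragon", "qwerty"]
LEET = str.maketrans("aeios", "43105")


def dictionary_guesses(words):
    yield from words


def hybrid_guesses(words):
    # Dictionary word plus a common appendage or a case change.
    for w in words:
        for suffix in ("1", "123", "!", "2012"):
            yield w + suffix
        yield w.capitalize()


def syllable_guesses(syllables, count):
    # Pronounceable combinations, for passwords that are not dictionary words.
    for combo in itertools.product(syllables, repeat=count):
        yield "".join(combo)


def rule_guesses(words):
    # Mangling rules: leetspeak substitution, reversal, capitalise plus punctuation.
    for w in words:
        yield w.translate(LEET)
        yield w[::-1]
        yield w.capitalize() + "!"


def brute_force_guesses(charset, max_len):
    # Exhaustive search, always last: the cost grows as len(charset) ** length.
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def crack(target_hash: str, salt: bytes, max_brute_len: int = 3):
    """Return (stage that succeeded, recovered password, guesses hashed),
    or (None, None, guesses hashed) when every stage is exhausted."""
    words = DEFAULTS + DICTIONARY
    stages = [
        ("dictionary", dictionary_guesses(words)),
        ("hybrid", hybrid_guesses(words)),
        ("syllable", syllable_guesses(["ba", "ka", "to", "mi"], 2)),
        ("rule-based", rule_guesses(words)),
        ("brute-force", brute_force_guesses(string.ascii_lowercase + string.digits, max_brute_len)),
    ]
    tried = 0
    for name, guesses in stages:
        for guess in guesses:
            tried += 1
            # The only operation available against a hash: guess, hash, compare.
            if hash_password(guess, salt) == target_hash:
                return name, guess, tried
    return None, None, tried


if __name__ == "__main__":
    salt = b"\x9f\x02"   # constructed per-account salt
    for pw in ["admin", "dragon1", "toka", "dr4g0n", "ab1", "Zq#9wL"]:
        print(pw, "->", crack(hash_password(pw, salt), salt))
    # Same password, different salt: different hash, so a table built for one
    # salt is useless for the other.
    print(hash_password("admin", b"\x01") != hash_password("admin", b"\x02"))
```

Note what the last test case shows: a six-character password with mixed case and punctuation survives every stage here because the brute-force stage is bounded; in practice the bound is wall-clock time and hardware, which is the sense in which any password is crackable "given enough time and resources".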

·  Be acquainted with why tools such as PWdump are needed.

Used to obtain the password hashes from a Windows system: the Security Account Manager (SAM) registry hive is held open and locked by the kernel while the OS is running, even against the administrator, so such tools run with SYSTEM privileges and pull the hashes through OS/LSA function calls (or by injecting into the LSASS process) rather than reading the file directly.

·  From the lab, remember that Linux systems keep account information in /etc/passwd (readable by everyone, with an x where the password field used to be) and the actual password hashes in /etc/shadow (readable only by root); both live under the /etc/ directory.

·  Realize that once access to a system is gained, escalation of privileges may be required if the account's privilege is less than that of the administrator or SYSTEM.

o  Learn the two types of privilege escalation, vertical (a low-privileged account gains higher privileges, e.g. user to administrator or SYSTEM) and horizontal (access to another account at the same privilege level), and how they differ from each other.

·  Discover how one might execute applications remotely, and why they might do that.

o  This is done in order to more thoroughly own the system: gaining more passwords, and uploading applications that enable covering one's presence on the system (through deletion of logs, or even by installing rootkits)

o  psexec

o  Alchemy Remote Executor

o  Keyloggers (know there are all different types)

§  Know the advantages and disadvantages of software and hardware keyloggers.

o  Spyware

§  Including those to supervise children (parental monitoring software)

§  Again, recognize that there are many different types (see slide on page 647)

·  Digest what rootkits do, why they would be installed.

o  Grasp that rootkits also come in a variety of types

§  Hypervisor, Kernel, application, firmware, hardware, DLL.

o  Identify the ways of detecting rootkits, being able to identify them from a list of given choices.

·  Discover ways files can be hidden.

o  Identify what Alternate Data Streams (ADS) are and how NTFS uses them.

o  Be able to describe, or choose from a list, the correct format for creating and accessing NTFS ADS (a stream is addressed as filename:streamname; data in a stream does not change the file's reported size and is not shown by an ordinary directory listing).

o  Describe what steganography is, and the algorithms it may use, such as:

§  Least Significant Bit (LSB)

§  Whitespace with SNOW

§  How encrypting the payload before embedding it further limits what steganalysis gains: even if the hidden data is detected and extracted, it is unreadable without the key, and the embedded bits carry no plaintext structure.
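The following is an added example (not code from the CEH text or its labs) of Least Significant Bit embedding and extraction. The cover is a constructed byte string standing in for 8-bit greyscale pixel samples, and the 4-byte length header is an assumption of this example, not part of any particular tool's format. It shows why LSB hiding is hard to notice by eye: no sample changes by more than 1, and only the first (payload bits) samples are touched at all.

```python
def embed(cover: bytes, payload: bytes) -> bytes:
    """Write payload into the least significant bit of successive cover samples,
    preceded by a 4-byte big-endian length so extract() knows where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples, have %d"
                         % (len(data) * 8, len(cover)))
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):            # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs beginning at sample `start`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    length = int.from_bytes(_read(stego, 0, 4), "big")
    return _read(stego, 32, length)               # header occupies 32 samples


def max_abs_diff(a: bytes, b: bytes) -> int:
    """Largest per-sample change the embedding introduced (1 for LSB)."""
    return max(abs(x - y) for x, y in zip(a, b))


def changed_samples(a: bytes, b: bytes) -> int:
    """How many samples actually changed; at most one per embedded bit."""
    return sum(1 for x, y in zip(a, b) if x != y)


# Constructed stand-in for 600 greyscale pixels: a smooth gradient.
COVER = bytes((i * 5) % 256 for i in range(600))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at 9")
    print(extract(stego), max_abs_diff(COVER, stego), changed_samples(COVER, stego))
```

In practice the payload passed to embed() would already be ciphertext, so the LSB plane carries no recognisable structure and an extracted payload is useless without the key; the embedding itself is unchanged.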

·  Understand the value of covering one's tracks as a hacker.

From the labs:

·  Examine how password guessing for the administrator's account can be done manually and in an automated fashion. Tools such as Metasploit's smb_login auxiliary module or NAT (the NetBIOS Auditing Tool) try guessed passwords over NetBIOS/SMB connections on port 139 and/or 445, the same way the net use command does (similar to our earlier null sessions, but with an actual user account and password).

o  Assimilate why this works in the lab: the built-in Administrator account is exempt from the account lockout policy by default, so it can be guessed indefinitely. Do not generalize this to other accounts: failed network (SMB/net use) logons do count toward the lockout threshold, so guessing against ordinary accounts must stay below it or it will lock them out (which is noisy and a denial of service).

·  Become skilled in cracking passwords through the knowledge of how cracking is done, and how to use such tools as LCP, John the Ripper and rainbow tables with rcrack.

·  Digest what the syskey utility is used for (encrypting the password hashes in the SAM with a boot key), how it is helpful (the hashes cannot be read without that key, even if the disk is booted from another medium), and how it can be defeated (obtaining the key, which by default is itself stored in the SYSTEM hive and can be recovered offline, or using apps like pwdump3 to obtain the hashes through system calls/APIs on the running system).

·  Discover the tool PSExec for running remote applications via the command line, and that it REQUIRES an admin account to work.

·  Identify the two main ways of hiding files within Microsoft specific operating systems (ATTRIB.exe and NTFS Alt Streams), the advantage of each, and how to use them from the command line. Be prepared to identify the format of a correct command from a list of command choices.

From the reading:

(Chapter 5 of Metasploit: The Penetration Tester's Guide)

·  Learn how to use the show command within metasploit to list certain modules.

·  Examine how the reverse_tcp_allports payload deals with an unknown egress filter: rather than calling back on one fixed port, it tries every port in turn until one is allowed out, effectively brute-forcing the call-back port.

·  Know what a resource file is (a script of msfconsole commands, normally with an .rc extension) and what it is used for (replaying a set of commands, such as module options and exploit runs, so a session can be set up or repeated without retyping).