Published by Cleopatra Ross; modified over 9 years ago.
Slide 1: Chapter 4 - System Hacking: Password Cracking, Escalating Privileges, & Hiding Files
Slide 2: Cracking Passwords

Passive Online Attacks (sniffing)
- MITM
- Replay Attack

Active Online Attacks
- Guessing: works well for weak passwords
- Automating (dictionary generator): reads a "password username" pair from each line of file.txt and tries it against the IPC$ share
  C:\> FOR /F "tokens=1,2*" %i in (file.txt) do net use \\targetIP\IPC$ %i /u:%j
- Countermeasures: complex passwords; policies; two-factor authentication

Authentication Mechanisms
HTTP Authentication: Basic vs Digest
- Basic: uses a base64-encoded string; passed in clear text (base64 is an encoding, not encryption)
- Digest: uses a challenge/response model; what is passed is a hash of the password and the server's challenge rather than the password itself
NTLM
- Challenge/response using the NT LAN Manager authentication algorithm over HTTP
- Used with MS Internet Explorer and IIS web servers
Certificate Based
- Strongest; uses a public key & digital certificate
Forms Based
- Uses a customized form, usually created in HTML
- Authentication ticket is issued via a cookie
MS Passport
- Single Sign-on; authentication for multiple servers
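The Basic vs Digest contrast on this slide is easiest to see in code. The following is an added example written for these notes (not code from the original presentation): it decodes a Basic header to show that base64 hides nothing, then computes a Digest response the way RFC 2617 does without the qop extension (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)) and verifies it server-side from the stored HA1 only. The user name, realm, nonce values and password are constructed sample values.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// decodeBasic shows why Basic is "passed in clear text": the header value
// is only base64, which anyone on the path can reverse without a key.
func decodeBasic(header string) (string, string, error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", errors.New("not a Basic credential")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return "", "", err
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", errors.New("malformed Basic credential")
	}
	return user, pass, nil
}

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// ha1 is the only password-derived value a Digest server needs to store:
// MD5(username:realm:password) per RFC 2617.
func ha1(user, realm, pass string) string {
	return md5hex(user + ":" + realm + ":" + pass)
}

// digestResponse is what the client returns for a server nonce (no qop).
// The password itself never crosses the wire, only this hash does.
func digestResponse(h1, method, uri, nonce string) string {
	return md5hex(h1 + ":" + nonce + ":" + md5hex(method+":"+uri))
}

// verifyDigest is the server side: recompute from stored HA1 and compare in
// constant time.
func verifyDigest(storedHA1, method, uri, nonce, response string) bool {
	want := digestResponse(storedHA1, method, uri, nonce)
	return subtle.ConstantTimeCompare([]byte(want), []byte(response)) == 1
}

func main() {
	// Constructed sample: user alice, password "s3cret", as a browser would
	// send them for Basic.
	hdr := "Basic " + base64.StdEncoding.EncodeToString([]byte("alice:s3cret"))
	u, p, _ := decodeBasic(hdr)
	fmt.Printf("Basic header decodes to %q / %q with no key at all\n", u, p)

	// Digest: the server issues a fresh nonce per challenge, so a captured
	// response cannot be replayed against a later challenge.
	stored := ha1("alice", "example.org", "s3cret")
	resp := digestResponse(stored, "GET", "/secret", "nonce-1")
	fmt.Println("digest verifies:", verifyDigest(stored, "GET", "/secret", "nonce-1", resp))
	fmt.Println("replayed under new nonce:", verifyDigest(stored, "GET", "/secret", "nonce-2", resp))
}
```

Both schemes still need TLS in practice: Digest protects the password from a passive sniffer on this slide's "passive online attack" list, but the MD5 construction is weak and an active MITM can downgrade or tamper with the exchange.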
Slide 3: Offline Attacks
- Dictionary Attack
- Hybrid Attack
- Birthday Attack
- Brute-force Attack
- Rainbow Table

Examples:
- Brutus: brute force, dictionary, hybrid; Windows only
- Cain: password cracking, Windows enumeration, VoIP sniffing; Windows only
- John the Ripper: dictionary & brute force; used for Windows & Linux/Unix
- Ophcrack: used for NTLM hashes; Windows only

Dictionary: fastest way to break into a machine
- Automated with tools like L0phtCrack
Hybrid: add numbers or symbols to the words in the dictionary file
- e.g. "cat", "cat1", "cat2", etc.
Brute Force: often takes the longest time
Birthday: based on the anomaly of the birthday paradox
Slide 4: Non-Electronic Attacks
- Social Engineering
  Defense: education; security awareness
- Shoulder Surfing
  Defense: special screens that can't be read at an angle
- Dumpster Diving
  Defense: shredder
Slide 5: Password Cracking - Manual Password Cracking Algorithm
1. Find a valid user account
2. Create a list of possible passwords
3. Rank the passwords from high to low probability
4. Key in each password
5. If the system allows entry -> success; else try again
Slide 6: Password Cracking - Automatic Password Cracking Algorithm
1. Find a valid user account
2. Find the encryption algorithm used
3. Obtain the encrypted passwords
4. Create a list of possible passwords
5. Encrypt each word
6. See if there is a match for each user ID
7. Repeat the above steps
Slide 7: Password Cracking - Create a Hash That Matches; Automating
- Legion: used in NetBIOS sessions
- L0phtCrack: Windows dictionary, brute-force, hybrid; captures SMB packets
- John the Ripper: Windows & Unix/Linux
- KerbCrack: Kerberos password sniffer (kerbsniff) & cracker (kerbcrack)
- Brute-force attacks on a database: SQLBF, SQLDict, FindSA, FindSADic
Slide 8: LAN Manager Hash
- Used by NTLMv1; challenge/response protocol; uses MD4 hash of user's password
- Convert the password to uppercase and pad it to 14 characters
- For passwords of 7 characters or less, the second half will be AAD3B435B51404EE
Stored in:
- Windows: \Windows\system32\config\SAM
- Linux: /etc/shadow
Slide 9: Cracking Windows 2000 Passwords
- Collect the SAM file from:
  C:\Windows\system32\config
  C:\repair
- Use a dictionary, brute-force, or hybrid attack
- Look for the SID ending in …-500 to identify the Administrator account
Slide 10: Redirect SMB Logins - Cracking Tools
- SMBRelay: captures usernames/passwords from SMB traffic
- SMBRelay2: uses NetBIOS names instead of IP addresses
- pwdump2: extracts password hashes from the SAM file
- C2MYAZZ: tricks Windows systems into passing their credentials in clear text
Slide 11: Password-Cracking Countermeasures
- Passwords >= 8 characters long
- Windows: SYSKEY (128-bit) encryption
- Linux: shadow passwords
- Don't use anything obvious
- Policies to force changes, complexity, and lockout
- Monitoring
- Use CAPTCHA: a challenge/response test to ensure that the response is not generated by a computer
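The "lockout" and "monitoring" items above are the direct answer to the guessing and automated dictionary attacks of slide 2. The following added example (written for these notes, not part of the presentation) replays authentication log lines and applies a sliding-window lockout policy, while also counting how many distinct accounts each source address failed against, which is what a monitor would alert on when one host is guessing across many users. The log format, user names, addresses and timestamps are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type event struct {
	at   time.Time
	ok   bool
	user string
	src  string
}

// parseLine parses the constructed format used in this example:
// "<RFC3339 time> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>"
func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return event{}, fmt.Errorf("bad line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, err
	}
	return event{
		at:   at,
		ok:   f[1] == "LOGIN_OK",
		user: strings.TrimPrefix(f[2], "user="),
		src:  strings.TrimPrefix(f[3], "src="),
	}, nil
}

// Policy mirrors the slide's lockout countermeasure.
type Policy struct {
	MaxFailures int           // failures per account before lockout
	Window      time.Duration // sliding window in which failures are counted
}

type Findings struct {
	Locked      map[string]time.Time // user -> time the lockout triggered
	NoisySource map[string]int       // src -> distinct accounts it failed against
}

// Analyse replays the log in order. A successful login clears the account's
// failure window; failures older than the window no longer count.
func Analyse(lines []string, p Policy) (Findings, error) {
	f := Findings{Locked: map[string]time.Time{}, NoisySource: map[string]int{}}
	recent := map[string][]time.Time{}      // user -> failure times still in window
	targets := map[string]map[string]bool{} // src -> set of users it failed against
	for _, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			return f, err
		}
		if e.ok {
			delete(recent, e.user)
			continue
		}
		if targets[e.src] == nil {
			targets[e.src] = map[string]bool{}
		}
		targets[e.src][e.user] = true
		kept := recent[e.user][:0]
		for _, ts := range recent[e.user] {
			if e.at.Sub(ts) <= p.Window {
				kept = append(kept, ts)
			}
		}
		kept = append(kept, e.at)
		recent[e.user] = kept
		if _, done := f.Locked[e.user]; !done && len(kept) >= p.MaxFailures {
			f.Locked[e.user] = e.at
		}
	}
	for src, users := range targets {
		f.NoisySource[src] = len(users)
	}
	return f, nil
}

// SampleLog is constructed: bob is hammered quickly, alice fails once then
// succeeds, carol fails slowly enough that the window keeps her unlocked.
var SampleLog = []string{
	"2024-01-10T09:00:01Z LOGIN_FAIL user=bob src=10.0.0.5",
	"2024-01-10T09:00:03Z LOGIN_FAIL user=bob src=10.0.0.5",
	"2024-01-10T09:00:05Z LOGIN_FAIL user=bob src=10.0.0.5",
	"2024-01-10T09:00:07Z LOGIN_FAIL user=bob src=10.0.0.5",
	"2024-01-10T09:00:09Z LOGIN_FAIL user=bob src=10.0.0.5",
	"2024-01-10T09:01:00Z LOGIN_FAIL user=alice src=10.0.0.5",
	"2024-01-10T09:01:30Z LOGIN_OK user=alice src=10.0.0.5",
	"2024-01-10T09:02:00Z LOGIN_FAIL user=carol src=192.168.1.9",
	"2024-01-10T09:30:00Z LOGIN_FAIL user=carol src=192.168.1.9",
	"2024-01-10T09:31:00Z LOGIN_FAIL user=carol src=192.168.1.9",
	"2024-01-10T09:32:00Z LOGIN_FAIL user=carol src=192.168.1.9",
	"2024-01-10T09:33:00Z LOGIN_FAIL user=carol src=192.168.1.9",
}

func main() {
	f, err := Analyse(SampleLog, Policy{MaxFailures: 5, Window: 10 * time.Minute})
	if err != nil {
		panic(err)
	}
	fmt.Printf("locked: %v\nsources by accounts targeted: %v\n", f.Locked, f.NoisySource)
}
```

A lockout threshold on its own can be turned into a denial of service against legitimate users, which is why the slide pairs it with monitoring and CAPTCHA: the per-source count is the signal to throttle the source rather than lock every account it touches.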
Slide 12: Keyloggers
Hardware
- Requires physical access
- Cannot be detected by monitoring software
Software
- FBI's "Magic Lantern": keylogger & encryption-cracking tool
- Spector
- eBlaster
- SpyAnywhere
Slide 13: Escalating Privileges
- Non-admin accounts might not have passwords as stringent as administrators'
- Tools: GetAdmin, HK.exe
- Executing apps once elevated: PsExec, Remoxec
Slide 14: Rootkits - Backdoors
Types: Kernel-Level, Library-Level, Application-Level
What they do:
- Hide processes
- Hide registry entries
- Intercept keystrokes
- Blue Screens of Death
- Redirect .exe files
Slide 15: Rootkit Countermeasures
- Restrict Admin access
- Monitor file changes
  TripWire: checks file size, signature, & integrity
  Don't forget: sigverif!
- Repair: reinstall the OS from a known good source
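The "monitor file changes" countermeasure is simple enough to show end to end. The following is an added example written for these notes (not TripWire's code, nor code from the presentation): it records the two properties the slide names for each file, size and a content digest, as a baseline, then compares a later snapshot and reports added, removed and modified files. Checking the digest and not just the size is what catches a binary replaced by one of the same length. Paths and file contents in the demo are constructed; the baseline would in practice be stored off-host, since a rootkit with admin rights can otherwise rewrite it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Fingerprint holds what the slide says TripWire checks: size and a
// content digest ("signature") from which integrity is later verified.
type Fingerprint struct {
	Size   int64
	SHA256 string
}

func fingerprintFile(path string) (Fingerprint, error) {
	f, err := os.Open(path)
	if err != nil {
		return Fingerprint{}, err
	}
	defer f.Close()
	h := sha256.New()
	n, err := io.Copy(h, f)
	if err != nil {
		return Fingerprint{}, err
	}
	return Fingerprint{Size: n, SHA256: hex.EncodeToString(h.Sum(nil))}, nil
}

// Snapshot walks root and fingerprints every regular file, keyed by its
// path relative to root so a baseline can be compared across hosts.
func Snapshot(root string) (map[string]Fingerprint, error) {
	snap := map[string]Fingerprint{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() { // skip directories, symlinks, devices
			return nil
		}
		fp, err := fingerprintFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		snap[filepath.ToSlash(rel)] = fp
		return nil
	})
	return snap, err
}

// Diff lists what changed between a trusted baseline and a fresh snapshot.
type Diff struct {
	Added, Removed, Modified []string
}

// Compare flags a file as modified if either size or digest differs, so a
// same-size substitution is still detected by the digest.
func Compare(baseline, current map[string]Fingerprint) Diff {
	var d Diff
	for p, fp := range current {
		old, ok := baseline[p]
		switch {
		case !ok:
			d.Added = append(d.Added, p)
		case old != fp:
			d.Modified = append(d.Modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			d.Removed = append(d.Removed, p)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Modified)
	return d
}

func main() {
	dir, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "svc.exe") // constructed sample file
	os.WriteFile(target, []byte("original"), 0o755)
	baseline, _ := Snapshot(dir)
	os.WriteFile(target, []byte("replaced"), 0o755) // same size, new content
	current, _ := Snapshot(dir)
	fmt.Printf("%+v\n", Compare(baseline, current))
}
```

Run the comparison from known-good media (a boot disk or another host), not from the possibly compromised system, for the same reason the slide recommends reinstalling from a known good source: a kernel-level rootkit can hide the modified file from the scanner that runs on top of it.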
Slide 16: Hiding Files
- Attrib +h
- NTFS Alternate Data Streams
- Steganography
  Hide data in unused sectors, hidden partitions, slack space
  Tools: ImageHide (image files), Blindside (BMP files), MP3Stego (MP3 files), Snow (ASCII files), Stealth (PGP files)
  Detecting steganography: Stegdetect; Dskprobe
Slide 17: Covering Tracks
- Disable auditing: Auditpol
- Clear event logs: Elsave (clears the entire log)
- WinZapper: selective clearing
- Evidence Eliminator
Slide 18: Additional Study Site