Published by Diana West. Modified over 9 years ago.
System Hacking (Gaining Access)
Additions to CEH ed 8, Rev 4
CS3695 – Network Vulnerability Assessment & Risk Mitigation
Intro: Gaining Access – System Hacking

System Hacking
Creating Passwords
Before we go into grabbing passwords, let's see how they are created and stored.
–Again, this differs by OS...
–Usually not stored in the clear, but in general they are “hashed” (a one-way encryption algorithm is applied), such as DES and MD5
Creating Strong Passwords
A strong password is one that will defeat even a brute force attack that uses a “super” computer.
Why? Because the math is in your favor:
–Character_set_size to the power of number_of_characters
–For example: a password created with three lower-case only characters (a..z) has 26^3 = 26 x 26 x 26 = 17,576 possible variations
–You should draw from a large character set, and...
–Make your passwords longer: at least 8 characters; more would be even stronger
Time to Discover Comparison (OLDER #s, Early 2007)

Character set                        8 characters                12 characters
a..z only                            26^8   ~2 days              26^12  ~3,000 yrs
a..z and 0..9                        36^8   ~33 days             36^12  ~150,000 yrs
a..z, A..Z, 0..9 and !@#$%^&*()      72^8   ~23 yrs              72^12  ~615,000,000 yrs

All times above are based upon a notional password checking speed of one million checks per second. Numbers are rounded to enhance readability.
Time to Discover Comparison (NEWEST #s)

Character set                        8 characters (2007 -> 2011)        12 characters (2007 -> 2011)
a..z only                            26^8   ~2 days  -> 1 min           26^12  ~3,000 yrs -> 1 yr
a..z and 0..9                        36^8   ~33 days -> 17 min          36^12  ~150,000 yrs -> 53 yrs
a..z, A..Z, 0..9 and !@#$%^&*()      72^8   ~23 yrs  -> 3 days          72^12  ~615,000,000 yrs -> 220,000 yrs

All times above are based upon a notional password checking speed of 2.8 billion checks per second (2011 numbers, graphic cards, non-distributed). Numbers are rounded to enhance readability.
Using a BOTNET of 500,000 computers with high-end graphic cards could take this down to 4 MONTHS.
Time to Discover Comparison (NEWEST #s): the difference 6 yrs can make

Character set                        8 characters (2007 -> 2013)        12 characters (2007 -> 2013)
a..z only                            26^8   2 days   -> 26 secs         26^12  3,000 yrs -> 3.5 months
a..z and 0..9                        36^8   ~33 days -> 6 min           36^12  ~150,000 yrs -> 18 yrs
a..z, A..Z, 0..9 and !@#$%^&*()      72^8   ~23 yrs  -> 1 day           72^12  ~615,000,000 yrs -> 77,000 yrs

All times above are based upon a notional password checking speed of 8 billion checks per second (2013 numbers, graphic cards, non-distributed). Numbers are rounded to enhance readability.
Using a BOTNET of 500,000 computers with high-end graphic cards could take this down to 1.5 MONTHS.
12 Character Passwords Too Hard???
Passwords “Hacked” Individually
Of course, none of this math helps when someone is willing to give their password away (as in phishing).
Creating UNIX Pwds
Password hashes are created by:
–The user types in a password
  Used to be limited to 8 chars represented via the 7-bit ASCII set
  –There were 128 characters that could be used
  –This leads to over 72,000,000,000,000,000 possible passwords
–That password is then combined with a system/host unique “salt” (a type of nonce): pwd+salt
  There are 4096 different possible salt values
UNIX continued
–This combo (pwd+salt) becomes the key for the hashing (DES or MD5)
–The value “0” (zero) is then hashed with this key, producing a 13-character string (the first 2 of which are the salt)
  –composed of 64 possible characters (upper & lower case letters, numbers, the “.” and “/”)
–This hash is then stored with the user account in a password file (/etc/passwd)
UNIX continued
–This file (passwd) is readable by everyone (for login purposes)
–The administrator may decide to “shadow” the hashes in a separate file (/etc/shadow) readable only by root, for greater protection
–To “crack” these passwords, we need these files!
Macintosh OS X
Remember that this is FreeBSD underneath.
Also, on modern Unix systems, passwords are shadowed, which means only the administrator has access to them.
The /etc directory has the passwd and shadow files, but they are NOT used (see later slides).
The password file is readable by everyone, and the shadow file, the one that keeps the encrypted password, is limited to the root account only.
Mac OS X
On Mac OS X, there is a passwd file in /etc, but it is only used in single-user mode; the rest of the info is located elsewhere, accessible to the administrator only.
Mac OS X 10.1-10.6
As it turns out, the NetInfo Manager handles user access to the databases that hold information on:
–Aliases, Groups, Machines, Mounts, Networks, Printers, Protocols, Rpcs, Services, & Users
This can be seen if you open NetInfo Manager in the Utilities directory.
Mac OS X 10.1-10.6
There is command line access to the NetInfo Manager:
–nidump
This can be used to access the passwd file (and the hashes)...
–nidump passwd /
–See man for more info on nidump.
May have been fixed in version X.3
–tried this on 10.3.5 and it still works :-)
–Only new passwords created on 10.3.5+ will be fixed.
Mac OS X 10.7+
A user creates an account, and then the encrypted hash of the user's password, their "Shadow" file, is saved in a .plist file located in /var/db/dslocal/nodes/Default/users.
However, one major flaw was overlooked: non-root users cannot directly view hash data, but they can extract it from Directory Services.
Mac OS X 10.7+
To see hash data, invoke Directory Services using the /Search/ path like so:
–dscl localhost -read /Search/Users/
Now, in the terminal output you should see a line that says: dsAttrTypeNative:ShadowHashData:
–Look at the bytes below it.
–Bytes 28-32 are the password salt (4 bytes are in each octet), and bytes 32-96 are the SHA512 hash.
–Load the hash into a password cracker for SHA512 hashes with 4-byte salts.
Creating Windows Pwds
Windows is a little different... It creates TWO representations of the password:
–Newer NT-specific algorithm
–Older (for compatibility) LanMan hash, used for Win 9x and Windows for Workgroups
  This older algorithm has been broken (reverse engineered) and is therefore easier to break
  Finally turned off by default in Windows 7, Server 2008
LanMan Hashes
The weakness of the LM hash is the separation of the password into two seven-character halves
–Thus an 8-char password is broken down into a 7-char and a 1-char password... much easier to break 7 chars than 14!
Example of LanMan Hash
So pwd 123456qwerty becomes:
–Convert to all upper case: 123456QWERTY
–Split: 123456Q and WERTY_ _ (spaces to fill 7)
–123456Q is hashed to 6BF11E04AFAB197F
–WERTY is hashed to 1E9FFDCC75575B15
–Stored as 6BF11E04AFAB197F1E9FFDCC75575B15
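As an added example (not from the slides), the Go program below implements the LanMan hash described on this slide using the standard-library DES cipher, so the hash values above can be recomputed and checked, and it computes the charset^length keyspace figures from the time-to-discover tables with math/big. Note that the LM algorithm pads the short half with NUL bytes (not spaces) and truncates anything beyond 14 characters; the function names are my own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// lmDesKey spreads the 56 bits of a 7-byte half over 8 DES key bytes (low bit of each is parity, ignored by DES).
func lmDesKey(half []byte) []byte {
	key := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0f)<<3 | half[4]>>5,
		(half[4]&0x1f)<<2 | half[5]>>6,
		(half[5]&0x3f)<<1 | half[6]>>7,
		half[6] & 0x7f,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// LMHash: upper-case, NUL-pad (or truncate) to 14 bytes, split into two
// 7-byte halves, DES-encrypt the constant "KGS!@#$%" under each, concatenate.
func LMHash(password string) string {
	padded := make([]byte, 14) // zero bytes are the NUL padding
	copy(padded, strings.ToUpper(password))
	out := make([]byte, 16)
	for i, half := range [][]byte{padded[:7], padded[7:]} {
		block, _ := des.NewCipher(lmDesKey(half)) // key is always 8 bytes, so no error
		block.Encrypt(out[8*i:], []byte("KGS!@#$%"))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// keyspace returns charset^length as a big.Int (72^12 overflows uint64).
func keyspace(charset, length int64) *big.Int {
	return new(big.Int).Exp(big.NewInt(charset), big.NewInt(length), nil)
}

func main() {
	fmt.Println(LMHash("123456qwerty"))
	fmt.Println(keyspace(72, 14), "vs", new(big.Int).Mul(big.NewInt(2), keyspace(72, 7)))
}
```

Comparing keyspace(72, 14) with 2 * keyspace(72, 7) shows why the split matters: each 7-character half is attacked independently, so the work is two 7-character searches rather than one 14-character search (and LM's upper-casing shrinks the effective character set further).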
SAM File
NT & 2000 store the user account and password info in the SAM (Security Account Manager) file.
–Usually found in the %systemroot%\system32\config directory
–NOTE: it's LOCKED while the OS is running and NOT readable even by Administrator
Getting SAM Data
Some ways to get SAM data for later cracking:
–Boot the system (host) into another OS
  Special tools to do this such as NTFSDOS & Knoppix STD
–Grab the backup of the SAM file found in the %systemroot%\repair directory
  It's compressed and called sam._
  –Will need to be decompressed with special programs
    »c:\windows\system32\expand sam._ sam
  It can be created, if not there, with the NT repair disk program rdisk with the /s argument
Getting SAM Data continued
Continuing ways to get SAM data for later cracking:
–Specialty programs that extract the hashes directly from the SAM
  pwdump3
  –requires a shell with admin access on the remote host!
–Eavesdropping on network username/password exchanges
  L0phtcrack, dsniff, Cain & Abel can do this for you
Getting SAM Data continued
Continuing ways to get SAM data for later cracking:
–NT security log for failed log-ons
  People sometimes mistakenly type their password in the user box
–Keystroke capturing devices
–Backup disks
AD vs. LDAP vs. Kerberos
Kerberos
–Authentication and Access Granting Service
Active Directory (AD)
–Windows database
–Queried for access control to objects, for example
Lightweight Directory Access Protocol (LDAP)
–Protocol for clients to query and manage information in a Directory Service (like AD)
–TCP port 389
Working Together
AD: Access Control
–Authorizes access to objects stored locally or in LDAP
LDAP: Protocol for querying access permissions
–Can store passwords
Kerberos: Authentication
–Used to authenticate a user
–LDAP can also do this directly without Kerberos
–SAM password file accessed by Kerberos
System Hacking is the 4th Step
Remember…
–Registered names lead to IP addresses (Footprinting…)
–IP addresses lead to ports (Scanning…)
–Ports lead to services (Enumeration…)
–Services lead to… versions of applications, OS, and services; user accounts; shares
–Versions lead to exploits and access… (Gaining Access…)
–Access leads to higher privileges… (Escalation…)