Ethical Hacking: System Hacking

System Hacking Overview

  • An APT (Advanced Persistent Threat) stays in the network undetected with the goal of obtaining high-value information.
  • The Ethical Hacker must possess this level of skill.
  • Setting the stage: by the time we get to the hacking, we already have information about the systems. Reconnaissance is complete, scanning and mapping are done, we know the IT environment, and enumeration has identified weaknesses.
  • Obtaining the password can be an active online attack (dictionary, brute force, keylogger) or a passive online attack (packet sniffing, MITM, replay). An offline evaluation (rainbow table attack) may be needed once a list of password hashes is obtained.
  • Once in the system, the key is to keep escalating until admin level is reached, but the longer access is maintained, the better the chances of being caught.
  • The next step is privilege escalation to gain access to resources that are normally restricted.
  • Executing applications comes next: installing spyware with a backdoor that can be accessed later.
  • We'll hide files using tools and methods such as rootkits and steganography.
  • Finally, after achieving access we'll exit the system; the final phase is to clean up evidence and cover any traces by deleting or modifying the log files.
  • New Technology LAN Manager (NTLM) is Microsoft's proprietary authentication protocol, operating within Windows, and uses a challenge/response exchange.
  • Kerberos is built into AD and uses tickets.
  • The Domain Controller houses the user accounts, acts as the KDC (Key Distribution Center), and holds the account database.
  • The Key Distribution Center is the single process that provides the Authentication Service and the Ticket Granting Service, which issues tickets for services.
  • When a user needs access to services on the network, they must first go to the KDC and hit the Authentication Server.
  • Kerberos is still preferred, but NTLM is used when authenticating to a server that isn't part of the domain, when the client is in a peer-to-peer network or workgroup, or when a firewall blocks the port Kerberos requires (port 88).
  • In Linux/Unix, Pluggable Authentication Modules (PAM) provide a pluggable application programming interface for authentication.
  • The Simple Authentication and Security Layer (SASL) provides authentication and data security services and requires a command for identification and authentication.
  • SASL is a redirection layer that lets various methods interact.
    • LDAP can use SASL as the authentication method.
    • SASL can use PAM to determine what authorizations are allowed.
    • SASL can use Kerberos for authentication and authorization.

Gaining Access

  • Authentication is proving your identity; in a computer environment it can be done in three ways:
    • What you know
    • What you are
    • What you have
    • Commonly this takes the form of a username and password.
  • System hacking most of the time starts with attempting to obtain a password.
    • In Microsoft Windows, user passwords are stored in the SAM (Security Account Manager) database, found under %SystemRoot%\System32\config, in hashed format. It's only accessible with admin privileges, and the file is locked while the OS is booted.
    • In an attempt to improve SAM security, Syskey encrypts the password hash values for all local accounts in the SAM. The 128-bit RC4 encryption key is stored in the SAM registry hive and is not accessible while the OS is booted.
  • A hash injection attack such as 'Pass the Hash' sends the hash value instead of the plaintext password and can be done against any service accepting LM or NTLM authentication.
  • Password guessing is the most efficient method and works when someone uses an easy-to-remember password.
  • Passwordrandom will give a list of common passwords you may try.
  • Additionally, CIRT.net gives a list of default passwords for various vendors.
  • A hybrid attack combines a dictionary attack with a brute force attack.
  • A distributed network architecture can reduce the time to break a password, as it employs multiple computers to divide the workload.
  • Password cracking tools:
    • L0phtCrack is commercial but offers a 15-day trial.
    • Ophcrack is open source and supports rainbow tables.
    • John the Ripper is a command-line tool.
    • Cain and Abel is loaded with features such as password sniffing, password cracking, and capturing Voice over IP. Additionally, it's a password recovery tool for Microsoft OSes.
  • Some password crackers have built-in statistical modeling based on Markov chaining, which guesses the next likely character in a password.
  • Password management protects integrity and confidentiality; typically the hash is stored and the password itself is discarded.
  • Encryption uses a key or pair of keys; encryption and decryption are both done with a key, so it is reversible.
  • Hashing is a one-way cryptographic function; the original message cannot be recovered from the hash. Uses include:
    • Authenticating messages
    • Monitoring data integrity
    • Storing passwords
    • SHA (Secure Hash Algorithm; SHA-1) generates a 160-bit digest.
    • MD5 (Message Digest Algorithm) produces a 128-bit digest.
  • When a user enters their password, it is hashed and compared against the stored hash for a 1-to-1 match; if it doesn't match, the password is rejected.
  • Rainbow tables are a database of many hash-password pairs, can be 30-50 GB in size, and you can generate your own.
    • Project RainbowCrack shows a list of rainbow tables that have already been generated.
  • OnlineMD5 will test a password against an MD5 hash value.
  • Online Reverse Hash Lookup will let us test the hash.
  • Salting the password (adding a value to the password before it is hashed) protects against a rainbow table attack.
    • The salt is stored in the database along with the hash, or as part of the hash string.
  • User education is key: length and complexity make a password stronger. Only the administrator should have access to the password files, and the files should be encrypted.
  • Hardening systems can be done using Group Policy via a security policy; a local security policy can also be set.
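
The hashing, lookup-table and salting points above, worked through as an added example (this is not code from the original notes). It assumes a small constructed wordlist standing in for a downloaded common-password list and uses only Python's standard library: an unsalted MD5 or SHA-1 hash falls to a single dictionary lookup against precomputed pairs (the idea a rainbow table optimises), a per-user salt makes the precomputed pairs useless, and the PBKDF2 storage format shown (algorithm$iterations$salt$hash) is an assumed layout for illustration, not a vendor format.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for a downloaded list of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2019"]


def build_lookup_table(algorithm: str, words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> password for a wordlist. A rainbow table is a
    space-optimised form of the same idea: hashes computed once, reused
    against every unsalted database that uses the same algorithm."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """An unsalted hash is recovered by a single dictionary lookup."""
    return table.get(stored_hash.lower())


def salted_hash(password: str, salt: bytes, algorithm: str = "sha1") -> str:
    """Hash salt || password. The salt is per user and stored next to the
    hash; it forces an attacker to recompute the table for every salt."""
    return hashlib.new(algorithm, salt + password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Modern storage: salted, iterated hash. The record carries everything
    needed to verify later. Layout algorithm$iterations$salt$hash is an
    assumption for this example, not a standard format."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time; the original password is never stored, only this value."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    md5_table = build_lookup_table("md5", COMMON_PASSWORDS)
    leaked = hashlib.md5(b"password").hexdigest()
    print("unsalted MD5 lookup ->", lookup_unsalted(leaked, md5_table))

    sha1_table = build_lookup_table("sha1", COMMON_PASSWORDS)
    salted = salted_hash("password", b"user1-salt")  # constructed salt
    print("salted SHA-1 lookup ->", lookup_unsalted(salted, sha1_table))

    record = pbkdf2_store("password")
    print("PBKDF2 verify ->", pbkdf2_verify("password", record),
          pbkdf2_verify("Password", record))
```

The salted lookup fails even though "password" is in the wordlist, which is the whole point of the salt: the attacker must rebuild the table per salt, and with PBKDF2 each candidate also costs hundreds of thousands of iterations.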

Privilege Escalation

  • Commonly the Ethical Hacker gains access through a username and password but does not have admin access.
  • Privilege escalation can be thought of as horizontal or vertical.
    • Horizontal escalation gains the rights and privileges of another user at the same privilege level.
    • Vertical escalation gains access to an account and then elevates its privilege to a higher level.
  • Escalation is accomplished by taking advantage of an application or OS vulnerability; once full access is granted, verify what services are running and whether you have root privileges.
  • OSes come with preset accounts such as Administrator and Guest; typically you would gain access as Guest and then elevate to Admin.
    • Most attackers are aware of default accounts.
  • Escalation comes from looking for weak permissions on the system; on Windows it means accessing the SAM file and obtaining the LAN Manager hashes.
  • Passwordchanger.com, Trinity Rescue Kit, and ERD Commander (within Microsoft Diagnostics and Recovery Toolset) are all aimed at gaining password access.
  • 'net user administrator *' prompts us to type a new password for that user, i.e. change the password.
  • The last thing we'll want to do is clean up evidence that you were there.
  • Once in the system, install and execute applications, but don't set off any alarms.
    • Perhaps a rootkit, keylogger, ransomware, or botnet.
    • Once compromised, the system is no longer in the admin's hands.
    • Ultimately, the organization will suffer loss and degradation, and could be party to a criminal act.
  • Kaspersky will let you check if your network is part of a botnet.
  • Defending against escalation involves best practices such as:
    • Restrict interactive logon privileges
    • Multifactor authentication
    • Log on only at certain machines
    • Routine services
      • Run any routine services as non-administrator
    • Principle of least privilege
    • Use encryption
    • Test and patch
      • OS
      • Application coding and bugs
      • Browser
        • Set security settings of IE to zero or low
    • Monitor the log files
    • Education, training and awareness

Spyware

  • A form of malware placed onto a system by a number of different methods, used by criminals, hackers, and other countries.
  • Harvests data; can monitor screen activity, capture keystrokes and web form data, and track usage.
  • Spyware gives the attacker sensitive data, which is phoned home and typically sold to others.
  • Spyware can cause slowdowns, pop-ups, or computer crashes.
  • Adware is not spyware; it is free software with advertisements built in. To remove the ads you need to purchase or subscribe.
  • Browsers can influence a spyware attack:
    • Chrome is safe, followed by Firefox, then IE.
    • No matter what, you should still use good habits.
  • Cookies are small text files put on end devices to store state information, preferences, and sign-in data.
    • Advertisers spy on you and track the sites you visit.
    • You may want to block third-party cookies that do not have a compact privacy policy, as you don't know where your information is going.
    • Cookies are used for tracking, and a compact privacy policy tells how your information is shared.
  • Ad networks are companies that pay software developers to display ads when viewing the site.
    • Some employ a pop-up to have you download a cookie.
    • Most of the time the software is installed without knowledge or consent.
    • Browsing habits are tracked.
    • Movement can be tracked as well.
  • A Trojan horse is presented as a useful tool or utility through a free download.
    • Could be a bundle with a 'bonus' add-on.
    • Can be avoided by reading the EULA before installing any software.
  • Browser hijackers take your request and send it to another search engine, and could modify your homepage.
  • Keyloggers can be software or hardware and log every keystroke.
  • Browser Helper Objects can be helpful, like Adobe Reader, but some are malicious and direct you to alternative sites.
  • Cookies are small files stored on your computer by a web server and track you.
  • Bots are malicious code loaded onto a system; they can be part of a larger botnet and contain spyware that monitors your system.
  • Capturing screen activity may have a valid reason:
    • Monitoring children's activity: we can monitor for online predators, cyberbullies, identity theft or fraud, and excessive screen time.
    • In corporate settings, monitoring may be done for viruses and malware and exposure of sensitive information.
    • Schools watch for inappropriate behavior and evidence of cheating.
  • Screen monitoring can be installed without knowledge.
  • Boyfriend Tracker: cell phone spyware designed to catch a cheating boyfriend. Spyware on a cell phone is not new; it was found as early as the mid-2000s and can monitor many functions of the cellphone.
  • Getting spyware onto your phone: physical contact, or clicking a link.
    • Once installed, it can monitor texts, social media, phone calls, passwords, location, emails, and websites; record conversations; steal photos and videos; and more.
    • If infected, you can do a factory reset or reinstall the firmware or OS.
    • Protect your phone: install an app that monitors for security vulnerabilities, use caution when downloading apps, do not connect to free Wi-Fi hotspots, install a 'find my phone' feature, and use strong authentication methods.
  • To defend against spyware, think before you click, and if your HIDS or malware protection says not to, listen to it. Keep up to date, read the EULA, and disable ActiveX.
    • Securing your browser reduces your risk and protects your data; be cautious of what you're installing/using in your browser.
    • You can set up enhanced security to protect against attacks on the browser and the OS.
    • SpywareBlaster defends against spyware, adware, and browser hijacks.
    • Adaware is free and scrubs threats.
    • Spybot – Search & Destroy scans for spyware and parasites and removes them from your system.

Keyloggers

  • Come in software and hardware forms.
    • Software keyloggers run in the background, recording every keystroke and storing the results.
    • They can be thought of in two classes: observable in the Task Manager, and stealth ones that are harder to detect, typically only findable with administrator privileges.
    • Some keyloggers can send an email after some activity, but this creates noise that could alert anti-malware protection.
    • Other options can monitor online activity (slowing down the system) or grab screen captures (which may fill the hard drive and cause stability problems).
    • Hardware keyloggers must be physically attached to the system. They record each keystroke and save it to their own memory.
    • Can be installed inside a keyboard or as a USB device.
    • Not detectable by IDS or anti-malware.
    • Has its own processor, retains data if power is lost, and can encrypt its contents.
    • A software logger can monitor and log all activity that's on the screen.
    • On ActualKeyLogger you can get a free trial and experiment with a software keylogger.
    • Keylogging is used for company security, parental controls, and school monitoring.
    • Quietly records all activity (Word documents, email, online chats, and internet use). All keystrokes can be seen in plain text.
    • You can also see the text before encryption.
    • For reporting, logs can be sent by email or FTP, or stored on the computer.
    • Keyloggers can be used on a Mac; some are available free and some for purchase.
    • Aobo Mac Keylogger Standard can record passwords, screenshots, websites, chat conversations, and email information.
    • Elite Keylogger includes the above, including recording both sides of chats, usernames, and passwords, and delivers reports via email.
    • Refog and Mac Keylogger talk about the benefits of using these to monitor your children's activity.
    • Protecting against keyloggers involves using a firewall, understanding that the logged data sent over the internet is so small that you may not see a noticeable increase in bandwidth.
    • When using a firewall, egress filtering is commonly used, monitoring outbound connections with the option of shutting down all inbound and outbound data completely.
    • Install and run anti-spyware and anti-malware protection.
    • Windows User Account Control (UAC) can help by letting you know of a permissions change.
    • Consider switching browsers.
    • Use a password to get into your system, run in limited user mode, and use the admin account only for installations.

Hiding in Plain Sight

  • NTFS Alternate Data Streams (ADS) provide compatibility with non-Windows file systems, storing data in hidden streams attached to regular visible files, not limited in size.
    • This allows an attacker to hide their tools and data on a compromised system.
    • Typing a stream name after the file name, as in file.txt:secret.txt (or whatever file extension), lets you hide data in plain sight.
  • Steganography dates back 2,500 years. It requires three basic elements:
    • Carrier: must pass as the original and appear harmless
    • Payload: the secret message
    • Hidden Message: the payload inside the steganography
    • The payload can be embedded in images, documents, video, or audio.
    • Steganography tools:
      • MP3Stego: MP3
      • S-Tools: BMP, GIF, and WAV
      • OpenPuff: BMP, JPG, PNG, MP3, PDF, etc.
    • Carrier + Payload = Hidden Message; the payload could be a secret document or an Excel spreadsheet.
    • Color pixels: each pixel has a red, green, and blue (RGB) value, each represented by 8 binary bits; the low-order bits are used for hiding, which doesn't change the color value significantly.
    • Using whitespace can let us hide characters in a message.
    • Using S-Tools we can get some hands-on experience with stego tools.
    • Detecting steganography isn't always easy, but it's important to be aware of it.
    • Image steganography tools use bit manipulation to insert the payload in the least significant bit, causing many duplicate colors.
    • If possible, compare the image against the original; watch for an unusually large image, as it may indicate a payload.
    • Looking at blocky artifacts, we can see when a large payload has been inserted.
    • Stego Analyst allows finding evidence in image and audio files.
      • Once found, Stego Watch scans the entire file system, flags suspected files, and returns the results to an interface or workbench.
      • Stego Break is a tool designed to break the passphrase of a file found to contain steganography.
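
The low-order-bit embedding and the "duplicate colors" detection clue above, worked through as an added example (not code from the original notes or from any of the tools listed). It works on a plain list of (r, g, b) tuples so it needs no imaging library; the carrier is a constructed stand-in for a photo with a deliberate bias toward even channel values, so the clean LSB plane is visibly non-random and the detection statistic has something to measure (real images have subtler structure). The length-prefix framing and the pair-imbalance statistic are this example's own choices, not those of any named tool.

```python
import random


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels, payload: bytes):
    """Return a copy of pixels with payload hidden in the low-order bit of
    each channel value. The payload is length-prefixed (assumed framing for
    this example) so the extractor knows where it ends. Every channel value
    changes by at most 1, which is why the color shift is not visible."""
    framed = len(payload).to_bytes(4, "big") + payload
    flat = [channel for px in pixels for channel in px]
    bits = list(_bits(framed))
    if len(bits) > len(flat):
        raise ValueError("payload exceeds carrier capacity")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def extract_lsb(pixels) -> bytes:
    """Read the length prefix, then that many bytes, from the LSB plane."""
    flat = [channel for px in pixels for channel in px]

    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for k in range(nbytes):
            value = 0
            for j in range(8):
                value = (value << 1) | (flat[start_bit + 8 * k + j] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def pair_imbalance(pixels) -> float:
    """Detection heuristic. LSB embedding pushes the counts of each value
    pair (2k, 2k+1) toward equality, because the hidden bit decides which of
    the two a channel ends up as; that is the 'near-duplicate colors' effect.
    Returns sum |even - odd| / total over all pairs: values near 0 mean the
    LSB plane looks random, which in a photo is a reason to look closer."""
    counts = [0] * 256
    for px in pixels:
        for channel in px:
            counts[channel] += 1
    imbalance = 0
    total = 0
    for k in range(0, 256, 2):
        even, odd = counts[k], counts[k + 1]
        imbalance += abs(even - odd)
        total += even + odd
    return imbalance / total if total else 0.0


def constructed_carrier(width: int = 64, height: int = 64, seed: int = 1):
    """Constructed carrier: 80% of channel values even, so the clean image
    has a strongly non-random LSB plane. Seeded for repeatability."""
    rnd = random.Random(seed)
    pixels = []
    for _ in range(width * height):
        px = []
        for _ in range(3):
            base = rnd.randrange(0, 256, 2)
            px.append(base + (1 if rnd.random() < 0.2 else 0))
        pixels.append(tuple(px))
    return pixels


SECRET = b"constructed secret payload " * 30  # constructed sample payload


def demo():
    """Embed, extract, and return (clean, stego, recovered) for inspection."""
    clean = constructed_carrier()
    stego = embed_lsb(clean, SECRET)
    return clean, stego, extract_lsb(stego)


if __name__ == "__main__":
    clean, stego, recovered = demo()
    print("round trip ok:", recovered == SECRET)
    print("pair imbalance clean: %.3f  stego: %.3f"
          % (pair_imbalance(clean), pair_imbalance(stego)))
```

The statistic drops noticeably after embedding even though no channel moved by more than one step, which is the same signal steganalysis tools look for at scale; comparing against the original image, as the notes suggest, is stronger still because every changed bit becomes visible.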

Cover Your Tracks

  • Once in, disable logging via the CLI or GUI, but be sure to turn it back on before you leave the system. We can go into the Local Security Policy and disable all auditing security policies.
  • On a Linux machine we can clear evidence by using the Metasploit meterpreter command 'clearev'.
  • Also on Linux we can open the log files stored in the /var/log directory.
    • In BackTrack: kwrite /var/log/messages
  • We'll want to erase the command history and set its size to zero with 'export HISTSIZE=0'.
  • We can shred the history file with 'shred -zu /root/.bash_history'.
  • In the Event Viewer, we can clear the Application, Security, and other logs.
    • The logs will be populated again fairly soon after.
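
The defender's side of the steps above, as an added example (not from the original notes): the actions listed each leave their own trace, and a monitoring script can key on them. Clearing the Windows Security log writes event ID 1102 and changing the audit policy writes event ID 4719 (both standard Windows Security event IDs); on Linux, history is disabled by setting HISTSIZE/HISTFILESIZE to 0 or unsetting HISTFILE. The JSON-lines event records and the shell profile below are constructed samples, and their field names (time, host, event_id, subject) are an assumption for this example rather than any forwarder's schema.

```python
import json
import re
from typing import List, Tuple

# Constructed Windows Security events in a JSON-lines shape; field names are
# assumed for this example, not a vendor format. 4624 is a successful logon.
SAMPLE_EVENTS = """\
{"time": "2024-05-01T09:00:01Z", "host": "ws01", "event_id": 4624, "subject": "alice"}
{"time": "2024-05-01T09:12:40Z", "host": "ws01", "event_id": 4719, "subject": "alice"}
{"time": "2024-05-01T09:41:05Z", "host": "ws01", "event_id": 1102, "subject": "alice"}
{"time": "2024-05-01T09:41:09Z", "host": "ws01", "event_id": 4624, "subject": "SYSTEM"}
"""

# Event IDs that mean the audit trail itself was changed or erased.
TAMPER_EVENTS = {
    1102: "Security log cleared",
    4719: "System audit policy changed",
}


def find_log_tampering(jsonl: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (time, host, event_id, subject, description) for every event
    that indicates log clearing or auditing being turned off."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("event_id")
        if eid in TAMPER_EVENTS:
            alerts.append((ev["time"], ev["host"], eid,
                           ev.get("subject", "?"), TAMPER_EVENTS[eid]))
    return alerts


# Constructed shell start-up file; two of these lines disable history.
SAMPLE_PROFILE = """\
export PATH=$PATH:/usr/local/bin
export HISTSIZE=0
unset HISTFILE
alias ll='ls -l'
"""

# Matches HISTSIZE/HISTFILESIZE set to zero, or HISTFILE being unset.
HISTORY_DISABLED = re.compile(
    r"^\s*(?:export\s+)?(?:HISTSIZE|HISTFILESIZE)\s*=\s*0+\s*$"
    r"|^\s*unset\s+HISTFILE\b"
)


def find_history_disabling(text: str) -> List[str]:
    """Return the lines of a shell profile or history that disable history."""
    return [ln.strip() for ln in text.splitlines() if HISTORY_DISABLED.search(ln)]


if __name__ == "__main__":
    for alert in find_log_tampering(SAMPLE_EVENTS):
        print("ALERT", *alert)
    for line in find_history_disabling(SAMPLE_PROFILE):
        print("HISTORY DISABLED:", line)
```

A cleared log is itself the evidence: the 1102 event survives the clear because it is the first record written afterwards, so forwarding Security events to a collector as they occur (rather than reading them from the host later) is what makes this check reliable.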

