Thursday, February 18, 2010

Certified Ethical Hacker 3

You can use a batch file to do automated password guessing, where each line of mydictionary.txt holds a password followed by a user name. The contents of the batch file are as follows (<target> is the host being tested):
for /f "tokens=1,2*" %i in (mydictionary.txt) do net use \\<target>\ipc$ %i /u:%j

Legion is an automated password guessing tool that uses NetBIOS sessions. It looks for Windows shares and includes a manual dictionary attack tool.

NTInfoScan, also known as the Cerberus Internet Scanner, produces an HTML report of the security issues found on the target.

Password Guessing Countermeasures
-Block access to TCP and UDP ports 135-139
-Remove the WINS client binding on all adapters
-Use complex passwords or passphrases
-Audit for failed login attempts in Event Viewer: Security Log events 529 and 539

Logging is of no use if no one ever analyzes the logs; most logs are only looked at post-mortem.
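The audit countermeasure above only pays off if someone actually looks for the pattern a guessing tool leaves behind: a burst of event 529 (logon failure) records for one account from one source, often followed by a 539 (account locked out). The following detector is an added example, not part of the original notes; it runs over a constructed, simplified dump of Security log lines (the "timestamp|event id|account|source" layout is an assumption for this example, not Event Viewer's own export format) and flags any account/source pair that accumulates a threshold of failures inside a short sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Real data would come from an Event Viewer export or
# a log collector; the pipe-separated layout here is an assumption of this example.
SAMPLE_LOG = """\
2010-02-18 09:00:01|528|alice|WS01
2010-02-18 09:00:05|529|bob|WS07
2010-02-18 09:00:06|529|bob|WS07
2010-02-18 09:00:07|529|bob|WS07
2010-02-18 09:00:08|529|bob|WS07
2010-02-18 09:00:09|529|bob|WS07
2010-02-18 09:00:10|539|bob|WS07
2010-02-18 09:30:00|529|carol|WS03
2010-02-18 11:15:00|529|carol|WS03
"""

FAILED_LOGON = 529         # NT/2000 Security log: logon failure (bad password or unknown user)
ACCOUNT_LOCKED_OUT = 539   # NT/2000 Security log: logon failure because the account is locked out


def parse_events(text):
    """Turn the sample layout into (timestamp, event id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account, source))
    return events


def find_guessing_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (account, source, peak count) for every account/source pair that
    logged at least `threshold` 529 events inside any `window`-long interval.
    Two stray failures hours apart (a user mistyping) never trip this; a
    dictionary run does within seconds."""
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == FAILED_LOGON:
            failures[(account, source)].append(ts)

    findings = []
    for (account, source), times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append((account, source, peak))
    return findings


def find_lockouts(events):
    """Every 539 record: a lockout is the usual end state of a guessing run."""
    return [(account, source, ts)
            for ts, event_id, account, source in events
            if event_id == ACCOUNT_LOCKED_OUT]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for account, source, peak in find_guessing_bursts(evts):
        print(f"guessing burst: {account} from {source}, {peak} failures in 5 minutes")
    for account, source, ts in find_lockouts(evts):
        print(f"lockout: {account} from {source} at {ts}")
```

Threshold and window are deliberately parameters: a domain with a lockout policy of, say, five attempts should alert below that number, since an attacker who knows the policy will stop one short of it and move to the next account.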

Password sniffing is much easier than guessing or brute force. L0phtCrack by @stake can crack passwords from the SAM and from SMB packets on the local network. L0phtCrack guarantees that any captured password can be cracked in somewhere between a few hours and a few weeks.

An attacker can easily boot from a USB drive and copy the SAM file off.

KerbSniff and KerbCrack can monitor the network for Kerberos authentications and run a brute-force attack against them.

Rainbow tables are precomputed hash tables; they are the hash equivalent of a dictionary.

Privilege escalation is an attempt to raise the privilege level of a lower-privileged account. Tools like GetAdmin exploit NT systems to turn a null session into a Windows service.

hk.exe exploits a flaw in the Local Procedure Call (LPC) facility of Windows NT to escalate a user into the Administrators group.

Password Attack Options
-Dictionary/Brute Force/Hybrid
-Pre-computed (time-memory trade-off)
-Social Engineering (Shoulder Surfing, Dumpster Diving)

Cracking NT/2000 Passwords
The SAM file in NT/2000 contains the user names and encrypted passwords. It is located in the windows/system32/config directory. The file is locked while Windows is running, so we need to boot into another OS and copy it off. Whenever rdisk or ASR is updated, a compressed copy of the SAM is created in windows/repair. Extract the hashes with SamInside, then use L0phtCrack to crack the passwords.

Redirecting SMB Logon to the Attacker
It is easier to eavesdrop on an authentication session if we can trick the victim into sending their credentials to or through our system. It is easy to set up a rogue SMB server and then e-mail the victim a link to it; Windows will automatically use their credentials to connect.

Metasploit is an open source project to which people contribute their own exploits. When you first run it, use the command:

This will retrieve the latest exploits and payloads. To view the list of available exploits, use:
show exploits

To use an exploit, use the syntax:
use msrpc_dcom_ms03_026

The prompt will change into the exploit. To show the payloads available, use:
show payloads

To use the payload, use:
set PAYLOAD w32_reverse

To see the options available, use:
show options

Use the set commands to set the variables like this:
set LPORT 80

When all the parameters are set, start the exploit with:

When that's done, you will have a prompt.

SMBRelay lets you act as a man-in-the-middle. Use the command:
smbrelay /IL 2 /IR /R /T
Where is the SMB server and is the victim.

However, to carry out such an attack we would have to ARP-poison the host to convince it to connect to us.

SMBInside can speed up L0phtCrack's password cracking. SMBDie can crash an SMB server with a specially crafted packet. NBTDeputy registers a NetBIOS computer name on the network and responds to any NetBIOS name-query requests.

John the Ripper is a command-line tool for cracking Windows and UNIX passwords. It is extremely fast.

Keystroke loggers can capture passwords without having to crack anything. There are two types of keyloggers: hardware and software. Spector is spyware that records everything anyone does on the internet; with Spector you can see exactly what your surveillance target is doing online and offline. eBlaster does the same thing.

We will need to cover our tracks once we have entered a system. Microsoft's auditpol.exe can be run to temporarily disable logging.

Erasing the event logs is not recommended, but it can be done with ELSave.exe. The syntax is as follows:
elsave -l system -F D:\System.log -C
elsave -s \\victim -F D:\Application.log

WinZapper will erase event records selectively from the security log in Windows 2000.
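From the defender's side, both techniques just described leave traces worth alerting on: clearing the Security log on NT/2000 writes event 517 ("The audit log was cleared") as the first record of the fresh log, and selective deletion of records leaves holes in the otherwise sequential record numbers. The following checker is an added example, not part of the original notes; it runs over a constructed "record number|event id|description" dump (that layout is an assumption of this example, not an Event Viewer export format) and reports both indicators.

```python
LOG_CLEARED = 517   # NT/2000 Security log: "The audit log was cleared"

# Constructed sample records. Records 1004 and 1005 are missing, and the last
# record shows the log being cleared.
SAMPLE_RECORDS = """\
1001|528|Successful logon
1002|529|Logon failure
1003|592|New process created
1006|528|Successful logon
1007|517|The audit log was cleared
"""


def parse_records(text):
    """Turn the sample layout into (record number, event id, description) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, event_id, description = line.split("|", 2)
        records.append((int(number), int(event_id), description))
    return records


def find_cleared_log_events(records):
    """Every 517 record: someone (or something) wiped the audit log."""
    return [r for r in records if r[1] == LOG_CLEARED]


def find_record_gaps(records):
    """Record numbers are assigned sequentially as events are written, so a
    missing range inside a log is a sign of selective deletion. Returns
    (first missing, last missing) pairs."""
    gaps = []
    numbers = sorted(r[0] for r in records)
    for previous, current in zip(numbers, numbers[1:]):
        if current - previous > 1:
            gaps.append((previous + 1, current - 1))
    return gaps


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for number, _, description in find_cleared_log_events(recs):
        print(f"record {number}: {description}")
    for first, last in find_record_gaps(recs):
        print(f"records {first}-{last} are missing")
```

Neither check helps if the only copy of the log lives on the compromised host; forwarding Security log events to a separate collector as they are written is what makes the 517 record and the gap visible after the fact.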

Evidence Eliminator is an easy way to eliminate records stored on the hard drive. It prevents unwanted data from being left behind on your computer by cleaning recycle bins, internet cache, system files, temp folders, and so on. However, making the system too clean is not recommended, because it is an obvious sign that something is going on.

We can hide a file by using alternate data streams. For example, we can create a text file like this:
notepad Test.txt

Right now we have a Test.txt. To create an alternate data stream, type:
notepad Test.txt:Hidden.txt

Hidden.txt exists, but to access it you need to type the name exactly as shown. Hidden.txt is stored in the metadata of Test.txt.

makestrm.exe can move the contents of a file into a stream. ads_cat can find alternate data streams. A freeware tool from sysinternals.com can display NTFS files and their ADS content, and LADS (List Alternate Data Streams) can also find all files with ADS attachments.

ADS (Alternate Data Streams) only work on NTFS partitions; once you copy a file to another filesystem, its streams are lost.
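The tools listed above all do the same thing underneath: ask NTFS for a file's stream list and report anything beyond the default unnamed stream. As an added example (not from the original notes or from any of those tools), the following Python does that with the Win32 FindFirstStreamW/FindNextStreamW API through ctypes, and separates the classification of stream names from the enumeration so that the classification part runs anywhere. Windows reports the normal file contents as "::$DATA" and an alternate stream as ":Hidden.txt:$DATA". The directory walk and the name parser are this example's own design.

```python
import ctypes
import os
import sys

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
FIND_STREAM_INFO_STANDARD = 0      # FindStreamInfoStandard in the Win32 SDK


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 SDK: 64-bit stream size followed by the stream name.
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_stream_names(path):
    """Return every stream name of `path` as Win32 reports them. Only works on
    Windows (the API is NTFS-specific); raises OSError elsewhere."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API (NTFS on Windows)")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return []          # e.g. a directory with no streams at all (ERROR_HANDLE_EOF)
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names


def classify_stream_names(names):
    """Split Win32 stream names of the form ':<name>:<type>' and return the
    (name, type) pairs that are alternate streams, dropping the default
    unnamed '::$DATA' stream that every ordinary file has."""
    alternates = []
    for raw in names:
        parts = raw.split(":")
        if len(parts) != 3 or parts[0] != "":
            raise ValueError(f"unexpected stream name {raw!r}")
        _, name, stream_type = parts
        if name == "" and stream_type == "$DATA":
            continue                      # the file's normal contents
        alternates.append((name, stream_type))
    return alternates


def find_alternate_streams(root):
    """Walk a tree and report (path, stream name, stream type) for every ADS."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            for name, stream_type in classify_stream_names(list_stream_names(full)):
                hits.append((full, name, stream_type))
    return hits


if __name__ == "__main__":
    for path, name, stream_type in find_alternate_streams(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{name}:{stream_type}")
```

Not every hit is an attacker's hiding place: the Zone.Identifier stream that Windows attaches to downloaded files is the best-known benign one, so a scan like this is a starting list to triage, not a verdict. Copying the tree to a FAT volume, as the paragraph above notes, silently strips every one of these streams.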

Steganography is the process of hiding data inside graphics. Attackers can hide data such as:
-Proprietary code
-Hacked or vulnerable services
-Future plans
-Other private or confidential data

ImageHide can hide documents inside an image and encrypt them. BlindSide can put files of up to 50KB into images without visibly changing them. MP3Stego hides data in sound files. Snow.exe hides small amounts of text in Word documents.

EFS is an encrypting filesystem, but it can be easily decrypted with DiskProbe, which searches bit by bit for the key used to encrypt the drive. It is recommended to store the keys off the drive.

Buffer overflows can be used to send commands and escalate privileges. Anything written in code can fall victim to a buffer overflow.

If the password is less than 8 characters long, the right half of its LM hash is always the same. The Windows Syskey utility encrypts the password hashes with a 128-bit key. LAN Manager hashing in Windows 2000 uses DES.
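The reason the right half is constant is structural: LM uppercases the password, pads it with NUL bytes to 14 bytes, splits it into two 7-byte halves and uses each half as an independent DES key against a fixed plaintext. A password of 7 characters or fewer leaves the second half all NULs, and DES of the fixed plaintext under an all-NUL key is always AAD3B435B51404EE. The following is an added example, not from the original notes; it reproduces the input preparation step (without the DES call itself) and gives an auditor's check that classifies a dumped LM hash by what its halves reveal. The category names and the helper functions are this example's own.

```python
# DES output for the all-NUL 7-byte half; appears as the right half of every LM
# hash whose password is 7 characters or fewer, and as both halves when the
# password is blank or LM hash storage has been disabled.
EMPTY_LM_HALF = "AAD3B435B51404EE"

LM_BLANK_OR_DISABLED = "blank password, or LM hash not stored"
LM_SHORT = "password is at most 7 characters: only the left half needs cracking"
LM_LONG = "password is 8 to 14 characters: two independent 7-character halves"


def lm_blocks(password: str):
    """Reproduce LM's input preparation: uppercase, truncate or NUL-pad to 14
    bytes, and split into the two 7-byte DES key halves. Characters outside
    Latin-1 are replaced, which is only an approximation of the OEM code page."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def analyze_lm_hash(hex_hash: str) -> str:
    """Classify a 32-hex-digit LM hash by what its halves give away."""
    h = hex_hash.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("an LM hash is 32 hex digits")
    left, right = h[:16], h[16:]
    if left == EMPTY_LM_HALF and right == EMPTY_LM_HALF:
        return LM_BLANK_OR_DISABLED
    if right == EMPTY_LM_HALF:
        return LM_SHORT
    return LM_LONG


def lm_effective_keyspace(length: int) -> int:
    """Worst-case DES trials to recover a password of the given length built from
    the 95 printable ASCII characters. Uppercasing collapses 95 symbols to 69,
    and the split means the two halves are attacked separately, not as one
    14-character key."""
    length = min(max(length, 0), 14)
    first = min(length, 7)
    second = max(length - 7, 0)
    return 69 ** first + (69 ** second if second else 0)


if __name__ == "__main__":
    print(lm_blocks("Passw0rd"))
    print(analyze_lm_hash("AAD3B435B51404EEAAD3B435B51404EE"))
    print(f"14-char password: {lm_effective_keyspace(14):,} trials, "
          f"versus {95 ** 14:,} if the whole password were one key")
```

For an auditor this turns a SAM dump into a quick list of accounts whose passwords are 7 characters or less, and it is the concrete argument for disabling LM hash storage (the NoLMHash setting) and for a minimum password length of 8 on any system that still keeps LM hashes.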
