Friday, 21 October 2011

Ethical Hacking



Table of Contents

  1. Ethics and Legality
  3. What is an Exploit?
  4. The Security Functionality Triangle  
  5. The Attacker's Process
  6. Reconnaissance
  7. Types of Attacks
  8. Categories of Exploits
  9. Goals Attackers Try to Achieve  
  10. Ethical Hackers and Crackers  
  11. Hacking for a Cause (Hacktivism)  
  12. Categories of Ethical Hackers  
  13. Skills Required for Ethical Hacking
  14. Ethical Hacker Job Duties
  15. Security Evaluation Plan
  16. Testing Types  
  17. Testing Types  
  18. Computer Crime  
  19. Overview of US Federal Laws  
  20. Cyber Security Enhancement Act of  
  21. Footprinting
  22. What is Footprinting?
  23. Steps for gathering information  
  24. Web-based Tools
  25. IANA  
  26. RIR’s
  27. Domain Location and Path Discovery
  28. ARIN, RIPE, and Regional Databases  
  29. Determining the Network Range
  30. Discovering the Organization’s Technology  
  31. E-mail Tips and Tricks  
  32. Scanning
  33. War Dialing
  34. War Driving
  35. ICMP - Ping  
  36. Detecting Ping Sweeps
  37. Port Scanning
  38. TCP Basics  
  39. TCP Scan Types
  40. UDP Basics
  41. Nmap  
  42. Port Scan Countermeasures  
  43. Active Stack Fingerprinting  
  44. Passive Stack Fingerprinting  
  45. Banner Grabbing
  46. Identifying Vulnerabilities  
  47. Enumeration
  48. Enumeration Defined
  49. NetBIOS Null Sessions
  50. The Inter-Process Communication Share
  51. NBTSTAT
  52. Active Directory Enumeration  
  53. Identifying Win Accounts  
  54. DumpSec  
  55. Null Session Countermeasures  
  56. Account Enumeration  
  57. SNMP Enumeration
  58. SNMPUtil  
  59. IP Network Browser  
  60. SNMP Enumeration Countermeasures  
  61. System Hacking
  62. Identifying Shares
  63. Password Guessing
  64. Manual Password Guessing  
  65. Performing Automated Password Guessing
  66. Password Guessing Countermeasures  
  67. Monitoring Event Viewer Logs  
  68. Sniffing Passwords  
  69. Privilege Escalation
  70. Privilege Escalation
  71. Retrieving the SAM File  
  72. Cracking Windows Passwords  
  73. Windows Password Insecurities  
  74. Password Cracking Countermeasures  
  75. SMB Redirection  
  76. Physical Access  
  77. Keystroke Logging  
  78. Rootkits  
  79. Evidence Hiding
  80. File Hiding  
  81. Data Hiding  
  82. Prompting the Box  
  83. Sniffers  
  84. Sniffers Defined
  85. Passive Sniffing  
  86. Active Sniffing  
  87. Generic Sniffing Tools  
  88. Specialized Sniffing Tools  
  89. Overcoming Switched Networks
  90. Flooding  
  91. ARP Spoofing  
  92. MAC Spoofing
  93. DNS Spoofing  
  94. Detecting Sniffers and Monitoring Traffic  
  95. Trojans and Backdoors
  96. What is a Trojan Horse?
  97. Common Trojans and Backdoors
  98. Wrappers
  99. Covert Channels
  100. Backdoor Countermeasures
  101. Port Monitoring Tools
  102. System File Verification  
  103. Viruses and Worms
  104. Viruses  
  105. Worms  
  106. Denial of Service
  107. What is Denial of Service Attack?  
  108. Common DoS Attacks  
  109. Common DoS Attack Strategies  
  110. Common DDoS Attacks
  111. DDoS Attack Sequence  
  112. Preventing DoS Attacks
  113. DoS Scanning Tools  
  114. Social Engineering  
  115. Common Types of Social Engineering  
  116. Human Based Impersonation  
  117. Computer Based Impersonation  
  118. Social Engineering Prevention  
  119. Session Hijacking
  120. Spoofing Vs Hijacking  
  121. Session Hijacking Steps
  122. TCP Concepts
  123. TCP -step startup
  124. Sequence Numbers  
  125. Session Hijacking Tools  
  126. Session Hijacking Countermeasures
  127. Hacking Wireless Networks
  128.  Standards  
  129. WEP
  130. Finding WLANs
  131. Cracking WEP Keys
  132. Sniffing Traffic  
  133. Wireless Attacks
  134. Securing Wireless Networks
  135. SQL Injection
  136. SQL Insertion Discovery
  137. SQL Injection Vulnerabilities
  138. SQL Injection Hacking Tools  
  139. Preventing SQL Injection
  140. Hacking Web Servers
  141. Web Server Identification  
  142. Web Server Enumeration  
  143. Vulnerability Identification
  144. Vulnerability Exploitation  
  145. ISAPI DLL Buffer Overflows  
  146. IPP Printer Overflow  
  147. ISAPI DLL Source Disclosure
  148. IIS Directory Traversal  
  149. Directory Listing  
  150. Shoveling the Shell  
  151. Escalating Privileges on IIS  
  152. Clearing IIS Logs  
  153. File System Traversal Countermeasures  
  154. Securing IIS
  155. Web Application Vulnerabilities
  156. Footprinting  
  157. Directory Structure  
  158. Site Ripping
  159. Documenting the Application Structure  
  160. Input Validation  
  161. Hidden Value Fields
  162. Cross Site Scripting  
  163. Cross-Site Scripting Countermeasures  
  164. Web Based Password Cracking Techniques
  165. Authentication Types
  166. Web-based Password Cracking  
  167. Stealing Cookies  
  168. Buffer Overflows
  169. Exploitation
  170. Detecting Buffer Overflows
  171. Skills Required to Exploit Buffer Overflows  
  172. Defense Against Buffer Overflows
  173. Tools for Compiling Programs Robust Code  
  174. IDS, Firewalls, and Honeypots  
  175. Intrusion Detection Systems
  176. Anomaly Detection
  177. Signature Recognition
  178. IDS Signature Matching
  179. IDS Software Vendors  
  180. Evading IDS  
  181. Hacking Through Firewalls
  182. Placing Backdoors Behind Firewalls
  183. Hiding Behind Covert Channels
  184. Honeypots  
  185. Honeypot Vendors  
  186. Cryptography  
  187. PKI
  188. Digital Certificates
  189. Hashing Algorithms  
  190. Hashing algorithms can be used for digital signatures or to verify the validity of a file It is a one-way process and
  191. is widely used
  192. SSL
  193. PGP
  194. SSH 


Ethics and Legality

Nothing contained in this CramSession is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you have written permission from the proper individuals before you use any of the tools or techniques described in this CramSession.

What is an Exploit?

According to the Jargon Dictionary, an exploit is defined as, “a vulnerability in software that is used for breaking security.” Hackers rely on exploits to gain access to, or to escalate their privileged status on, targeted systems.

The Security Functionality Triangle

The CIA triangle or triad comprises the three fundamental pillars of security. These include:
>>Confidentiality
>>Integrity
>>Availability

The Attacker's Process

Attackers follow a fixed methodology. The steps involved in attacks are shown below:

>>Footprinting
>>Scanning
>>Enumeration
>>Penetration – (Individuals that are unsuccessful at this step may opt for a Denial of Service attack)
>>Escalation of Privilege
>>Cover Tracks
>>Backdoors

Reconnaissance

Reconnaissance is one of the most important steps of the hacking process. Before an actual vulnerability can be exploited it must be discovered. Discovery of potential vulnerabilities is aided by identification of the technologies used, operating systems installed, and services/applications that are present. Reconnaissance can broadly be classified into two categories:

>>Passive Reconnaissance
>>Active Reconnaissance

Types of Attacks

There are several ways in which hackers can attack your network. No matter which path of opportunity they choose, their goal is typically the same: control and use of your network and its resources.
>>LAN Attack
>>WAN Attack
>>Physical Entry
>>Stolen Equipment
>>Unsecured Wireless Access
>>Dialup Attack

Categories of Exploits

An exploit is the act of taking advantage of a known vulnerability. When ethical hackers discover new vulnerabilities, they usually inform the product vendor before going public with their findings. This gives the vendor some time to develop solutions before the vulnerability can be exploited. Some of the most common types of exploits involve: Program bugs, Buffer overflows, Viruses, Worms, Trojan Horses, Denial of Service and Social Engineering.

Goals Attackers Try to Achieve

While the type of attack may vary, the hacker will typically follow a set methodology. This includes:
1. Reconnaissance
2. Gaining Access
3. Maintaining Access
4. Covering Tracks

Ethical Hackers and Crackers

Historically, the word hacker was not viewed in a negative manner. It was someone that enjoyed exploring the nuances of programs, applications, and operating systems. The term cracker actually refers to a “criminal hacker.” This is a person that uses his skills for malicious intent.

Hacking for a Cause (Hacktivism)

These are individuals that perform criminal hacks for a cause. Regardless of their stated good intentions (“self proclaimed ethical hackers”), the act of gaining unauthorized access to someone’s computer or system is nonetheless a crime.

Categories of Ethical Hackers

Ethical hackers can be separated into categories:
>>White Hat Hackers – perform ethical hacking to help secure companies and organizations.
>>Reformed Black Hat Hackers – claim to have changed their ways and that they can bring special insight into the ethical hacking methodology

Skills Required for Ethical Hacking

Ethical hackers must possess an in-depth knowledge of networking, operating systems, and technologies used in the computer field. They also need good written and verbal skills because their findings must be reported to individuals
that range from help desk employees to the CEO. These individuals must also understand the legal environment in which they operate. This is often referred to as the rules of engagement. These skills help ensure that ethical hackers are successful in their jobs.

Ethical Hacker Job Duties
Ethical Hackers typically perform penetration tests. These tests may be configured in such way that the ethical hackers have full knowledge or no knowledge of the target of evaluation.
>>White Box Testing – The ethical hacker has full knowledge of the network. This type of penetration test is the cheapest of the methods listed here
>>Black Box Testing – This type of penetration test offers the ethical hacker very little initial information. It takes longer to perform, cost more money, but may uncover unknown vulnerabilities

Security Evaluation Plan

The most important step that the ethical hacker must perform is that of obtaining a security evaluation plan. This needs to be compiled in document form and should clearly define the actions allowed during an ethical hack. This document is sometimes referred to as “rules of engagement.” It will clearly state what actions are allowed and denied. This document needs approval by the proper authorities within the organization that the security assessment is being
performed on. The security assessment will be one of several common types.

Testing Types

The three most common types of tests are listed below. These tests may require individuals on the team to attempt physical entry of the premises or manipulation of targeted employees through social engineering.
>>Internal Evaluations
>>External Evaluations
>>Stolen Equipment Evaluations

Computer Crime

The United States Department of Justice defines computer crime as "any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution."

Overview of US Federal Laws

Typically, illegal computer activity breaks federal law when one or more of the following conditions are met:
1. The illegal activity involves a computer owned by a US government department or agency
2. The activity involves national defense or other restricted government information
3. Banking, savings and loan, or other financial institutions have been accessed
4. The activity uses computers located in other states or countries
5. Interstate communication is involved
So, as you can see, it is very easy for a hacker to break federal law if he has used the Internet for any of his activities. While most computer crime is categorized under 18 U.S.C. 1029 and 1030, there are many other laws the hacker can run afoul of.

Cyber Security Enhancement Act of 2002

What is most important to know about the Cyber Security Enhancement Act of 2002 is that is specifies life sentences for hackers that endanger lives. It also allows the government to gather information, such as IP addresses, URL’s, and e-mail without a warrant if they believe national security is endangered.

Footprinting

What is Footprinting?

Footprinting is the process of gathering as much information about an organization as possible. The objective of footprinting is to gather this information in such a way as to not alert the organization. This information is publicly available information, available from third parties, and from the organization itself.

Steps for gathering information

Some of the most well-known tools used for information gathering include: WHOIS, Nslookup and Web Based Tools.

Web-based Tools

Many web-based tools are available to help uncover domain information. These services provide whois information, DNS information, and network queries.
>>Sam Spade - http://www.samspade.org
>>Geek Tools - http://www.geektools.com
>>Betterwhois - http://www.betterwhois.com
>>Dshield - http://www.dshield.org

IANA

The Internet Assigned Number Authority (IANA) is a non-profit corporation that is responsible for preserving the central coordinating functions of the global Internet for the public good. IANA is a good starting point for determining details about a domain. IANA lists all the top-level domains for each country and their associated technical and administrative contacts. Most of the associated domains will allow you to search by domain name.

RIR’s

RIR’s (Regional Internet Registries) are granted authority by ICANN to allocate IP address blocks within their respective geographical areas. These databases are an excellent resource to use to further research a domain once you have determined what area of the world it is located in.

Domain Location and Path Discovery

If you are unsure of a domain’s location, the best way to determine its location is by use of the traceroute command.

Traceroute determines a path to a domain by incrementing the TTL field of the IP header. When the TTL falls to zero, an ICMP message is generated. These ICMP messages identify each particular hop on the path to the destination. There are several good GUI based traceroute tools available. These tools draw a visual map that displays the path
and destination. NeoTrace and Visual Route are two GUI tools that map path and destination.

ARIN, RIPE, and Regional Databases

RIR’s are searchable by IP address. If you only have the domain name, you can resolve to IP by pinging the domain name. RIR’s and their area of control include:
>>ARIN (American Registry for Internet Numbers)
>>RIPE (Réseaux IP Européens Network Coordination Centre)
>>APNIC (Asia Pacific Network Information Centre)
>>AFRINIC (proposed African Regional Internet Registry)
>>LACNIC (Latin American and Caribbean Network Information Centre)

Determining the Network Range

You can query the RIR to find out what network range the organization owns. If you choose the wrong RIR, you will typically receive an error message that will point you to the correct record holder.

Discovering the Organization’s Technology

There are many ways in which individuals can passively determine the technology an organization uses. Some examples are: Job Boards and Google Groups.

E-mail Tips and Tricks

The Simple Mail Transfer Protocol (SMTP) is used for sending e-mail. Every e-mail you receive has a header that contains information such as the IP address of the server sending the message, the names of any attachments included with the e-mail, and the time and date the e-mail was sent and received.

Bouncing E-mail
One popular technique is to send an e-mail to an invalid e-mail address. The sole purpose of this activity is to examine the SMTP header that will be returned. This may reveal the e-mail server’s IP address, application type, and version. Other ways to track interesting e-mail is to use software that will allow you to verify where the e-mail originated from and how the recipient handled it, such as, eMailTracking Pro and MailTracking.com.

Scanning

Once a hacker has moved to the scanning phase, his goal will be to identify active systems. There are several ways that this identification process can take place. The methods of active systems identification include: War Dialing, War Driving, Pinging, and Port Scanning.
Regardless of the method chosen, the goal is the same: identify that the system is live, determine its services, verify its OS, and pinpoint its vulnerabilities.

War Dialing

While some may see war dialing as a dated art, it still has its place in the hacker’s arsenal of tools. If a thorough footprint has been performed, phone numbers were most likely found that can be associated to the organization. The numbers can serve as a starting point for war dialing scans. The hacker’s goal will be to uncover modems that may have been left open. Administrators may have configured these for out-of-band management. The goal of an ethical hacker is to uncover these devices during the security audit to make sure they are removed, as modems offer a way to bypass the corporate firewall. The tools most commonly used for war dialing include: THC-Scan, PhoneSweep War Dialer and Telesweep.

War Driving

This mode of penetration relies on finding unsecured wireless access points. A popular tool used for this operation is Netstumbler.

ICMP – Ping

Using the ping command is one of the easiest ways to determine if a system is reachable. Ping is actually an ICMP (Internet Control Message Protocol) echo request-response. Its original purpose was to provide diagnostic abilities to determine whether a network or device was reachable.
The important thing to remember about ping is that just because a system does not respond to ping, that doesn’t mean that it is not up. It might simply mean that ICMP type 0 and/or type 8 messages have been blocked by the target organization.
There are many tools available that can be used to automate the ping process. These tools will typically ping sweep an entire range of addresses. Some of these include: Pinger, Friendly Pinger, WS_Ping_Pro, NetScan Tools Pro
2000, Hping2,
and KingPing.

Detecting Ping Sweeps

Most IDS systems, such as SNORT, will detect ping sweeps. While performing a ping sweep is not illegal, it should alert an administrator, as it is generally part of the pre-attack phase.

Port Scanning

Port scanning allows a hacker to determine what services are running on the systems that have been identified. If vulnerable or insecure services are discovered, the hacker may be able to exploit these to gain unauthorized access.

There are a total of 65,535 * 2 ports (TCP & UDP). While a complete scan of all these ports may not be practical, an analysis of popular ports should be performed.
Many port scanners ping first, so make sure to turn this feature off to avoid missing systems that have blocked ICMP. Popular port scanning programs include: Nmap, Netscan Tools, Superscan and Angry IP Scanner.

TCP Basics

As TCP is a reliable service, a 3-step startup is performed before data is transported. ACK’s are sent to acknowledge data transfer and a four-step shut down is completed at the end of a communications session. TCP uses flags (Urgent, Acknowledgement, Push, Reset, Synchronize, Finish) to accomplish these tasks. Port scanners manipulate these flag settings to bypass firewalls and illicit responses from targeted systems.

TCP Scan Types

Most port scanners make full TCP connections. Stealth scanners do not make full connections and may not be detected by some IDS systems. Nmap is one of the most popular port scanners. Some common types of ports scans are: Ping Scan, SYN Scan, Full Scan, ACK Scan and XMAS Scan.

UDP Basics

UDP is a connectionless protocol. If ICMP has been blocked at the firewall, it can be much harder to scan for UDP ports than TCP ports, as there may be no returned response. Just as with TCP, hackers will look for services that can be exploited such as chargen, daytime, tftp, and echo. One of the best UDP and TCP port scanners is Nmap.

Nmap

Nmap (network mapper) is an open source portscanner that has the

capability to craft packets in many different ways. This allows the program to determine what services an OS is running.

Port Scan Countermeasures

Practice the principle of least privilege. Don’t leave unneeded ports open
and block ICMP echo requests at the firewall or external router. Allow traffic
through the external router to only specific hosts.

Active Stack Fingerprinting

Fingerprinting is the process of determining the OS that is running on the
target system. Active stack fingerprinting relies on subtle differences in the
responses to specially crafted packets. The most well-known program used
for active stack fingerprinting is Nmap. The –0 option is used for
fingerprinting. For a reliable prediction, one open port and one closed port is
required.

Passive Stack Fingerprinting

Passive fingerprinting is less reliable than active fingerprinting. Its primary
advantage is that it is stealthy. It relies on capturing packets sent from the
target system.

Banner Grabbing

Banner grabbing is used to identify services. Banner grabbing works by
making connections to the various services on a host and looking at the
response to hopefully determine the exact service and version running on
that port. Once these services are confirmed, this information can help to
identify possible vulnerabilities and the OS that the system is running.
Netcraft, Telnet and FTP are some of the common tools used to grab
banners.

Identifying Vulnerabilities

Once a hacker has completed the scanning steps described in this section,
he will attempt to identify vulnerabilities. Vulnerabilities are typically flaws or
weaknesses in the software or the OS. Vulnerabilities lead to risk and this
presents a threat to the target being scanned.
Three terms to remember include:
>>Vulnerability - A flaw or weakness in software or the OS
>>Risk - The likelihood of a threat exploiting a vulnerability such that a
hacker will be allowed unauthorized access or create a negative impact
>>Threat - The potential for a hacker to use a vulnerability

Enumeration

Enumeration Defined

Enumeration is the process of identifying each domain that is present within the LAN. These domains are typically identified using built-in Windows commands. The “net command” is the most widely used of these commands. Once the various domains have been identified, each host can be further enumerated to uncover its role. Likely
targets of malicious hackers include: PDC’s, dual homed computers, database servers, and web servers. The very act of Windows enumeration is possible because these computers advertise themselves via browse lists. To see a good example of this technology, take a look at Network Neighborhood on Windows systems.

These services are identifiable by the ports that can be found while performing the network scans that were discussed in the previous section. The ports associated with these services are as follows:
>>135 – MS-RPC Endmapper
>>137 – NetBIOS Name Service
>>138 – NetBIOS Datagram Service
>>139 – NetBIOS Session Service
>>445 – SMB over TCP/IP (Windows 2K and above)

NetBIOS Null Sessions

Once individual computers are identified, malicious hackers will next attempt to discover the role of the system by using NetBIOS Null Sessions. The legitimate purpose of a Null Session is to allow unauthenticated computers to obtain browse lists from servers, allow system accounts access to network resources, or to allow a null session pipe.
A null session pipe is used when a process on one system needs to communicate with a process on another system. Legitimate null sessions are established over the IPC$ share.

The Inter-Process Communication Share

Windows computers communicate with each other over the IPC$ "Inter-Process Communication" share. It is used for data sharing between applications and computers. In Windows NT and 2000 computers, it is on by default. You can think of IPC$ as the pipeline that facilitates file and print sharing. This is a huge vulnerability as hackers can connect
to your IPC$ share using the net use command (net use \\IP\IPC$ "" /u:"").
Once this connection has been made, many types of sensitive information can be retrieved, such as user names, comments, shares, and logon policies. What is most alarming about this vulnerability is that the attacker is able to logon with a null username and null password.

NBTSTAT

The NBTSTAT command can be used to further identify the services that are running on a particular system. For listing of the type codes and their corresponding service, visit the following link:
http://jcifs.samba.org/src/docs/nbtcodes.html

Active Directory Enumeration

To perform an Active Directory enumeration, you must have access to port 389 (LDAP Server). You must also be able to authenticate yourself as a guest or user. Then, if these conditions are met, enumeration of users and groups can proceed. Removing compatibility with all pre-windows 2000 computers during the installation of Active Directory can prevent this vulnerability.

Identifying Win2000 Accounts

Every object in Windows has a unique security identifier (SID). The SID is made up of two parts. The first part identifies the domain and is unique to it. The second part is a descriptor of the specific account. This second part is referred to as the relative identifier (RID). These follow a specific order and are tied to unique roles within the domain. RID's are defined as follows:
>>Account RID
>>Administrator 500
>>Guest 501
>>Domain users 1000 (and up)

So, while some administrators may promote the practice “security through obscurity” and rename accounts such as administrator, the RID of the account will remain unchanged. Tools such as USER2SID and SID2USER can be used to determine the true administrator account of the domain.

DumpSec

DumpSec is another tool that will allow for account enumeration. Once a null session has been established, this GUI tool will display information on users, account data, shares, and account policies.

Null Session Countermeasures

Disable File and Print sharing. Inside network properties, under Advanced Settings, disable NetBIOS over TCP/IP. Null sessions require access to ports 135-139 or 445. Blocking access to these ports will also prevent these exploits.

There is also a setting in Settings -> Control Panel -> Administrative Tools –> Local Security Policy –> Local Policies –

> Security Options –> Restrict Anonymous. In Windows 2000, this registry key has three possible settings:

0 – No Restrictions
1 - Allow null sessions but disallow account enumeration
2 - No null sessions are allowed
The default setting is “0.” A setting of “2” should be verified on a test network before use in a production setting as some older or custom applications may not function properly with it.

Account Enumeration

Account enumeration is a further probing of accounts. Before a concerted attack can take place, account policies and shares must be uncovered. As well, before attempting to connect to an active account, the attacker must identify an open share to which he can connect. Also, if there is a lock out policy in place, this must be determined. Otherwise, running tools such as NAT may result in the lockout of all accounts. This will do the attacker little good unless he is attempting a DoS. Tools such as Enum, UserInfo, GetAcct, and SNMPUtil can be used to accomplish this task.

SNMP Enumeration

SNMP (Simple Network Management Protocol) is a network management standard widely used within TCP/IP networks. It provides a means of managing routers, switches, and servers from a central location. It works through a system of agents and managers. SNMP provides only limited security through the use of community strings. The defaults are “public” and “private” and are transmitted over the network in clear text. Devices that are SNMP enabled, share a lot of information about each device that probably should not be shared with unauthorized parties. Hence consider changing the default passwords’ community strings.


SNMPUtil

SNMPUtil is a Windows enumeration tool that can be used to query computers running SNMP.

IP Network Browser

SolarWinds IP Network Browser is a GUI based network discovery tool. It allows you to scan a detailed discovery on one device or an entire subnet.

SNMP Enumeration Countermeasures

As with all other services, the principle of least privilege should also be followed here. If you don’t need SNMP, turn it off. You should always seek to remove or disable all unnecessary services. If you must use SNMP, change the default community strings and block port 161 at key points throughout the network.

System Hacking

System hacking is the point at which the line is crossed and an actual connection is made. It is the first true attack phase as the attacker is actually breaking and entering. This may be achieved by an administrative connection or an enumerated share.

Identifying Shares

One of the easiest ways to enumerate shares is with the net view command. This will identify all public shares. Hidden shares, those followed by a “$” will not be displayed. Common hidden shares include: IPC$, C$, D$ and Admin$ There are several GUI tools that can be used to identify non-hidden and hidden shares, such as, DumpSec and Legion.

Password Guessing

Many times, password guessing is successful because people like to use easy to remember words and phrases. A diligent attacker will look for subtle clues throughout the enumeration process to key in on probable wo rds or phrases
the account holder may have used for a password. Accounts that will be focused on for possible attack

include:

>>Accounts that haven’t changed passwords
>>Service accounts
>>Shared accounts
>>Accounts that indicate the user has never logged in
>>Accounts that have information in the comment field that may compromise password security

Manual Password Guessing


Assuming that a vulnerable account has been identified, the most common method of attack is manual password guessing. The net use command can be issued from the command line to attempt the connection.

Performing Automated Password Guessing

If manual password cracking was unsuccessful, attackers will most likely turn to automated tools. Most automated password guessing tools use dictionaries to try to crack accounts. These attacks can be automated from the command line by using the “FOR” command or they can also be attempted by using tools such as NAT or ENUM. To use NAT, two files would first need to be created. The first would contain a list of possible user names, while the second would comprise a dictionary file. Each user name would be attempted with every word in the dictionary until a match was achieved or all possibilities were exhausted
.
Password Guessing Countermeasures

Password guessing is made much more difficult when administrators use strict password policies. These policies should specify passwords that:

>>Are complex
>>Contain upper case and lower case letters
>>Use numbers, letters, and special characters

It is not uncommon to hear individuals talk about pass-phrases; this concept helps users realize that common words are not robust passwords. Another excellent password guessing countermeasure is to simply move away from passwords completely. Of the three types of authentication (see below), passwords are the weakest:

>>Something You Know - Passwords
>>Something You Have - Smart Cards
>>Something You Are - Biometrics

Monitoring Event Viewer Logs

No matter which form of authentication you choose, policies should be in place that require the regular review of event logs. Attacks cannot be detected if no one is monitoring activity. Luckily, there are tools to ease the burden of log file review and management. VisualLast is a tool that makes it easy to assess the monitor log activity and has a number of sophisticated features

Sniffing Passwords

Windows uses a challenge / response authentication method that is based on the NTLM protocol. The protocol requires a client to contact a server for domain authentication and a hash is passed. NTLM also functions in a peer-topeer network. Through the years, NTLM has evolved. The three basic forms of NTLM are listed below
:
>>LAN Manager – Insecure, used for Windows 3.11, 95, and 98 computers
>>NTLM V1 – Used for Windows NT Service Pack 3 or earlier
>>NTLM V2 – A more secure version of challenge response protocol used by Windows 2000 and XP

One problem with NTLM is that it is backwards compatible by default. This means if the network contains Windows 95  98 computers, the protocol will step down to the weaker form of authentication to try to allow authentication. This can be a big security risk. It is advisable to disable this by making a change to the Local Policies Security Options template. Another problem with NTLM is that tools have been developed that can extract the passwords from the logon exchange. One such set of tools is ScoopLM and BeatLM from http://www.securityfriday.com; another is L0phtCrack.
NTLM is not the only protocol that might be sniffed on an active network. Tools also exist to capture and crack Kerberos authentication. The Kerberos protocol was developed to provide a secure means for mutual authentication between a client and a server. Kerberos is found in large complex network environments. One of the tools that might be used to attempt to defeat this protocol is KerbCrack.

Privilege Escalation

If by this point the attacker has compromised an account, but not one of administrator status, the amount of damage he can do is limited. To be in full control of the system, the attacker needs administrator status. This is achieved through privilege escalation. What makes this most difficult is that these exploits must typically be run on the system under attack. Three ways this may be achieved:

1. Trick the user into executing a particular program.
2. Copy the privilege escalation program to the system and schedule it to run at a predetermined time
3. Gain interactive access to the system.

Retrieving the SAM File

One of the first activities that an attacker will usually attempt after gaining administrative access is that of stealing the SAM (Security Account Manager) file. The SAM contains the user account passwords stored in their hashed form. Microsoft raised the bar with the release of NT service pack 3. Products newer than this release contain a second layer of encryption called the SYSKEY. Even if an attacker obtains the SYSKEY hash, he must still defeat its 128-bit encryption. Todd Sabin found a way around this through the process of DLL injection and created a tool called Pwdump. This tool allows the attacker to hijack a privileged process and bypass SYSKEY encryption. Pwdump requires administrative access.

Cracking Windows Passwords

Once the passwords have been stolen, they will need to be cracked. This can be accomplished by using a passwordcracking program. Password cracking programs can mount several different types of attacks. These include:

Dictionary Attack, Hybrid Attack and Brute Force Attack.

Windows Password Insecurities

One of the big insecurities of Windows passwords is that if the WIN2K domain is set up to be backwards compatible, the passwords are 14 characters or less. This version of the hash is known as the LanManager (LANMAN) Hash.

What makes LANMAN quickly crackable is that while the password can be up to 14 characters, the passwords are actually divided into two 7 character fields. Thus, cracking can proceed simultaneously against each 7-character field. Several tools are available to exploit this weakness, including, L0phtCrack and John the Ripper.

Password Cracking Countermeasures

The domain password policy should be configured to restrict users from using the same password more than once or at least configured where eight to ten new passwords must be used before an individual can reuse an old password again. This policy can be enforced through the local / domain security policy. Passwords:

>>Should be at least 7 or 14 characters long
>>Should be upper and lower case
>>Should be numbers, letters, and special characters (*!&@#%$)
>>Should have a maximum life of no more than 30-days

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)