
CEHv8 module 05 system hacking

Document scanned by OCR; the content may be inaccurate.

DOCUMENT INFORMATION

Basic information

Format:
Pages: 166
Size: 7.51 MB

Contents

Page 1

Module 5: System Hacking

Engineered by Hackers. Presented by Professionals.

C|EH Certified Ethical Hacker

Page 2

... had been made publicly available on the company's FTP server for at least a month, the organisation has now confirmed it in a communication to members, advising them to change their details immediately.

The IEEE is an organisation that is designed to advance technology and has over 400,000 members worldwide, many of those including employees at Apple, Google, IBM, Oracle and Samsung. It is responsible for globally used standards like the IEEE 802.3 Ethernet standard and the IEEE 802.11 Wireless Networking standard. At an organisation like this, you'd expect security to be high.

Still, this hack was no hoax. The official announcement of it was sent out yesterday and reads: "... This matter has been addressed and resolved. None of your financial information was made accessible in this situation."

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 3

- Privilege Escalation
- Executing Applications
- Types of Keystroke Loggers and Spywares
- Anti-Keylogger and Anti-Spywares
- Detecting Rootkits
- Anti-Rootkits
- NTFS Stream Manipulation
- Classification of Steganography
- Steganalysis Methods/Attacks on Steganography
- Covering Tracks
- Penetration Testing

Page 4

Bach Khoa Information Technology Academy (Học viện Công Nghệ Thông Tin Bách Khoa)

Information at Hand Before System Hacking Stage

- IP range; namespace
- Target assessment; identification of [...]
- Intrusive probing; user lists

Page 5

System Hacking: goals and techniques

- To gain access: password eavesdropping, brute forcing
- Password cracking, known exploits
- Backdoor access
- To hide the presence of [...]

Page 7

Page 8

Password Cracking

Password cracking techniques are used to recover passwords from computer systems.

Page 9

Password Complexity

| Password composition | Example |
|---|---|
| Letters, special characters, and numbers | apt@s2 |
| Only numbers | 23698217 |
| Only letters | POTHMYDE |
| Only letters and special characters | boba.:&ba |
| Only special characters and numbers | 123@$45 |

Page 10

Password Cracking Techniques

- Brute Forcing Attack: the program tries every combination of characters until the password is broken.
- Dictionary Attack: a dictionary file is loaded into the cracking application that runs against user accounts.
- Hybrid Attack: it works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password.
- Syllable Attack: it is the combination of both brute force attack and dictionary attack.
- Rule-based Attack: this attack is used when the attacker gets some information about the password.

Page 11

Types of Password Attacks

Page 12

Passive Online Attacks: Wire Sniffing

Attackers run packet sniffer tools on the network. The captured data may include sensitive information such as Telnet, FTP and rlogin sessions, and electronic mail sent and received.

Page 13

(slide content not recoverable from the scan)

Page 14

Passive Online Attacks: Man-in-the-Middle and Replay

- In a MITM attack, the attacker acquires [...] to the [...] and must be trusted by [...].
- In a replay attack, traffic and authentication tokens are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access.
- Replay is broken by invalidating traffic, for example with a single-use challenge or a timestamp that the server refuses a second time.

Page 15

Active Online Attack: Password Guessing

The attacker takes a set of dictionary [...]

Page 16

Active Online Attack: Trojan/Spyware/Keylogger

- [...] gather information about a [...]
- [...] allows remote attackers to record every keystroke.
- The attacker gets access to the stored passwords in the attacked computer and is able to read personal documents, delete files, and display pictures.

Page 17

Active Online Attack: Hash Injection Attack

- A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources.
- The attacker finds and extracts a logged-on [...] hash.
- The attacker uses the extracted hash to log on to the [...].

Page 18

Offline Attack: Pre-Computed Hashes

- Lists of possible passwords, like dictionary files and brute force lists, are converted into password hashes ahead of time using techniques such as precomputed tables.
- The captured password hashes are compared with the precomputed hash table; if a match is found, then [...].

Page 19

Offline Attack: Distributed Network Attack

- [...] can access it over the network
- [...] that are distributed over the network

Page 22

Sites to search default passwords:

- http://www.defaultpassword.com
- http://www.passwordsdatabase.com
- http://www.phenoelit-us.org

(The slide also shows a vendor default-credential table, with rows for 3COM devices and their Telnet logins, not recoverable from the scan.)

Page 23

Page 24

[...] for each user ID

Page 25

Stealing Passwords Using USB Drive

1. Copy the password hacking tool to the USB drive.
2. Create autorun.inf on the USB drive with the contents: [autorun] open=launch.bat
3. Contents of launch.bat: [...] (runs the password tool and writes its output to the drive).
4. Insert the USB drive into the victim's computer: launch.bat is executed, a text window pops up, and the extracted passwords are stored in the USB drive.

Caveat: Windows 7 and later, and XP/Vista with update KB971029, no longer honour autorun.inf on removable drives, so this step depends on the victim launching the batch file manually.

Page 26

[...] to Kerberos, a considerably more secure option than NTLM.

Page 27

Administrator:500:624AAC41[...]

(dumped entry in the form Username:UserID:[stored hashes]; the hash columns are not recoverable from the scan)

Page 28

What is LM Hash?

LM hash or LAN Manager hash is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store user passwords that are less than 15 characters long. When this password is encrypted with the LM algorithm, all the letters are converted to uppercase [...]. Windows Vista and Windows 7 [...].

Page 29

What is LM Hash? (continued)

The first 8 bytes are derived from the first 7 characters of the password and the second 8 bytes are derived from characters 8 through 14 of the password.

Page 30

The password is padded with NULL to 14 characters, converted to uppercase, and separated into two 7-character halves, each of which serves as a DES key.
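The LM pre-processing just described, and what it lets an attacker read off a hash dump before cracking anything, as an added example written for this page (not CEH courseware). It performs the uppercase/pad/split step, expands each 7-byte half into the 8-byte DES key with parity bits (the DES encryption itself is left out), and parses pwdump-style lines. The two hash constants are well known: AAD3B435B51404EE is the LM encryption of an all-NUL half, so it appears whenever a half is empty, and 31D6CFE0D16AE931B73C59D7E0C089C0 is the NT hash of an empty password. The dump lines are constructed; the non-empty LM half and the first NT hash are arbitrary hex.

```python
from dataclasses import dataclass

# Well-known constants (not secrets): an empty 7-char LM half and the NT hash of "".
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed pwdump-style lines (user:RID:LM:NT:::). The last NT hash is the well-known hash of "password".
SAMPLE_DUMP = [
    "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
    "jsmith:1001:624AAC417EE2A0DCAAD3B435B51404EE:E1B1D8B3A2A9C6B5D2D0B0B3C4A5F6E7:::",
    "svc_backup:1002:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:::",
]


def lm_halves(password: str) -> tuple:
    """LM pre-processing: uppercase, cut or NUL-pad to 14 bytes, split into two 7-byte DES keys."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def expand_des_key(key7: bytes) -> bytes:
    """56-bit LM half -> 64-bit DES key: 7 key bits per byte, low bit set to give odd parity."""
    if len(key7) != 7:
        raise ValueError("LM half must be exactly 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


@dataclass
class DumpedAccount:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_pwdump_line(line: str) -> DumpedAccount:
    """Parse one user:RID:LMhash:NThash::: line; both hashes are 32 hex characters."""
    parts = line.strip().split(":")
    if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
        raise ValueError(f"not a pwdump line: {line!r}")
    return DumpedAccount(parts[0], int(parts[1]), parts[2].upper(), parts[3].upper())


def assess(acct: DumpedAccount) -> dict:
    """What the dump alone reveals, before any cracking."""
    lm_stored = acct.lm_hash != EMPTY_LM_HALF * 2
    return {
        # LM present: NoLMHash is not in effect and the password is under 15 characters,
        # so each half can be cracked independently and case-insensitively.
        "lm_hash_stored": lm_stored,
        # Second half empty: the password is at most 7 characters long.
        "password_at_most_7_chars": lm_stored and acct.lm_hash[16:] == EMPTY_LM_HALF,
        "empty_password": acct.nt_hash == EMPTY_NT_HASH,
    }


if __name__ == "__main__":
    first, second = lm_halves("password")
    print(first, second, expand_des_key(first).hex())
    for line in SAMPLE_DUMP:
        acct = parse_pwdump_line(line)
        print(acct.user, assess(acct))
```

Running it over the constructed dump reports that Administrator has an empty password, that jsmith's password is at most 7 characters and LM-crackable, and that svc_backup stores no LM hash at all.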

Page 31

LM, NTLMv1, and NTLMv2

| Attribute | LM | NTLMv1 | NTLMv2 |
|---|---|---|---|
| C/R key length | 56bit + 56bit + 16bit | 56bit + 56bit + 16bit | 128bit |
| C/R algorithm | DES (ECB mode) | DES (ECB mode) | HMAC_MD5 |
| C/R value length | 64bit + 64bit + 64bit | 64bit + 64bit + 64bit | 128bit |

Page 32

NTLM Authentication Process

1. The user types the password into the logon window on the client computer.
2. The client computer runs the password through the hash algorithm and sends a login request to the domain controller (DC).
3. The DC answers with a challenge, and the client computes a response from the challenge using the hashed password.
4. The DC creates its own response from the copy of the user's hashed password it stores and compares it with the client's response.
5. If they match, the logon is successful.
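The challenge/response exchange above, as an added example written for this page (not CEH courseware), using the NTLMv2 construction from the comparison table: the NTLMv2 key is HMAC-MD5 keyed with the NT hash over the upper-cased user name and domain, and the proof is HMAC-MD5 of the server challenge and a client blob under that key. The blob is simplified and constructed (the real one carries a signature, timestamp, client nonce and target info). Two points from the surrounding slides fall out directly: the client side needs only the NT hash, never the password, which is why the hash injection attack works; and a sniffed proof is useless against a later challenge, which is what the replay slide means by invalidating traffic.

```python
import hashlib
import hmac
import os

# NT hash of "password" (well-known value); an attacker would take this from a SAM/AD dump.
NT_HASH_OF_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
# Constructed, simplified client blob; only its role as extra HMAC input matters here.
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("0123456789abcdef")


def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key = HMAC-MD5(key=NT hash, msg=UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(key=NTLMv2 key, msg=server challenge || blob). Needs the hash, not the password."""
    return hmac.new(ntlmv2_hash(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


class DomainController:
    """Verifier side: holds NT hashes, issues 8-byte challenges, recomputes and compares the proof."""

    def __init__(self, accounts: dict, domain: str = "CORP"):
        self.accounts = accounts      # user -> NT hash bytes
        self.domain = domain
        self.outstanding = {}         # user -> challenge that has not been answered yet

    def issue_challenge(self, user: str) -> bytes:
        nonce = os.urandom(8)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, blob: bytes, proof: bytes) -> bool:
        nonce = self.outstanding.pop(user, None)   # single use: an old proof cannot be replayed
        nt_hash = self.accounts.get(user)
        if nonce is None or nt_hash is None:
            return False
        expected = client_response(nt_hash, user, self.domain, nonce, blob)
        return hmac.compare_digest(expected, proof)


def run_exchange() -> dict:
    """Genuine logon, two replay attempts, and a wrong hash; returns the verifier's verdicts."""
    dc = DomainController({"alice": NT_HASH_OF_PASSWORD})
    chal = dc.issue_challenge("alice")
    proof = client_response(NT_HASH_OF_PASSWORD, "alice", "CORP", chal, CLIENT_BLOB)  # what a sniffer sees
    results = {"genuine": dc.verify("alice", CLIENT_BLOB, proof)}
    results["replay_same_challenge"] = dc.verify("alice", CLIENT_BLOB, proof)
    dc.issue_challenge("alice")
    results["replay_new_challenge"] = dc.verify("alice", CLIENT_BLOB, proof)
    chal = dc.issue_challenge("alice")
    wrong = client_response(bytes(16), "alice", "CORP", chal, CLIENT_BLOB)
    results["wrong_hash"] = dc.verify("alice", CLIENT_BLOB, wrong)
    return results


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

A sniffer on the path captures the challenge, the blob and the 16-byte proof; the only offline attack left is guessing NT hashes (hence passwords) until client_response reproduces the captured proof.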

Page 33

Kerberos Authentication

(Diagram: the client sends its request to the Ticket Granting Server (TGS) and database on Windows Server 2008, which replies to the client's request; the client then sends a request to an application server to access a service.)

Page 34

Salting

The salting technique prevents deriving passwords from the password file.

Alice:root:b4ef12|3ba4303ce24a83fc0317608de02bf38d
Bob:root:a9c4fa|3282abd0308323ef0349dc7232c349ac

Advantage: defeats pre-computed hash attacks, because the stored representation differs for every user even when the passwords are the same.
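The pre-computed-hash attack from the offline-attack slide and the salting defence above, in one added example written for this page (not CEH courseware). It builds a small rainbow table (hash chains with a per-column reduction function, storing only endpoints), recovers an unsalted hash from it, and then shows that the same table finds nothing once a per-user salt is mixed into the hash. SHA-256 from the standard library stands in for any unsalted hash such as LM or NT; the 4-character keyspace, chain length, and salts are constructed for the demo, and the salts "b4ef12" and "a9c4fa" are the ones from the slide.

```python
import hashlib
import string

CHARSET = string.ascii_lowercase + string.digits
PW_LEN = 4          # toy keyspace of 36**4 passwords (constructed)
CHAIN_LEN = 40      # hashes per chain
N_CHAINS = 300      # table covers at most N_CHAINS * CHAIN_LEN passwords, fewer after chain merges


def unsalted(pw: str) -> str:
    """Stand-in for an unsalted password hash (LM/NT style): same password, same hash, everywhere."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(salt: str, pw: str) -> str:
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def store_entry(user: str, pw: str, salt: str) -> str:
    """Stored representation in the slide's style: user:salt|hash."""
    return f"{user}:{salt}|{salted(salt, pw)}"


def reduce_(h: str, step: int) -> str:
    """Map a hash back into the password space; 'step' gives every chain column its own function."""
    n = int(h[:15], 16) + step * 0x9E3779B1
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(starts) -> dict:
    """Chain: start -> H -> R_0 -> H -> R_1 ... ; keep only endpoint -> [starts] (merged chains share one)."""
    table = {}
    for start in starts:
        x = start
        for i in range(CHAIN_LEN):
            x = reduce_(unsalted(x), i)
        table.setdefault(x, []).append(start)
    return table


def lookup(table: dict, target: str):
    """Return the password whose unsalted hash is 'target', or None when the table does not cover it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target hash sits in column i and finish that chain to its endpoint.
        y = reduce_(target, i)
        for j in range(i + 1, CHAIN_LEN):
            y = reduce_(unsalted(y), j)
        for start in table.get(y, ()):
            x = start                               # endpoint known: regenerate the chain from its start
            for k in range(CHAIN_LEN):
                if unsalted(x) == target:
                    return x
                x = reduce_(unsalted(x), k)
    return None


START_POINTS = [reduce_(unsalted(str(k)), 0) for k in range(N_CHAINS)]


if __name__ == "__main__":
    table = build_table(START_POINTS)
    secret = START_POINTS[7]
    print("unsalted:", lookup(table, unsalted(secret)))                  # recovered
    print("salted  :", lookup(table, salted("b4ef12", secret)))          # None: table useless
    print(store_entry("Alice", secret, "b4ef12"))
    print(store_entry("Bob", secret, "a9c4fa"))                          # same password, different hash
```

The table is built once per hash function and reused against every captured hash; a salt forces the attacker to rebuild it per salt value, which is the whole point of the defence.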

Page 37

(screenshot of a password-hash dump, not recoverable from the scan)

Page 38

(screenshot of a password cracking tool with an LM hash column, not recoverable from the scan)

Page 39

(screenshot: RainbowCrack rcrack.exe, run from Tools\System hacking\Windows Password Crackers\rainbowcrack-1.41-win\, cracking LM hashes for accounts including Administrator, HelpAssistant, Martin and Smith)

Page 42

LM Hash Backward Compatibility

Windows 2000-based servers and Windows Server [...] connect with computers that are running the earlier versions of Windows [...].

Page 43

How to Disable LM Hash

- Method 1: Enable "Network security: Do not store LAN Manager hash value on next password change" in Local Security Policy > Security Options.
- Method 2: Implement the NoLMHash policy by using Group Policy.

Both methods take effect only at the next password change, so LM hashes already stored remain until every user changes their password; passwords of 15 or more characters never get an LM hash.

Page 44

How to Defend against Password Cracking?

- Make passwords hard to guess by using 8-12 alphanumeric characters in combination of uppercase and lowercase letters, numbers, and symbols.
- Do not use the same password during password change.
- Set the password change policy to 30 days.
- Monitor the server's logs for brute force attacks on the users' accounts.
- Avoid storing passwords in an unsecured location.
- Do not use passwords that can be found in a dictionary.
- Never use passwords such as date of birth, spouse, or child's or pet's name.
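The complexity table earlier in the module and the defence list above, as an added example written for this page (not CEH courseware): a policy checker for the rules that can be mechanised (length, mixed character classes, dictionary words after undoing common substitutions, reuse, personal data) plus the brute-force search space each password implies. The word list and the guess rate are constructed assumptions; the check enforces 8 characters as a minimum only, since the slide's upper bound of 12 would only help the attacker.

```python
import re
import string

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}
# Constructed stand-in for a dictionary-attack word list.
COMMON_WORDS = ("password", "welcome", "letmein", "admin", "qwerty", "summer")
# Substitutions an attacker's mangling rules undo before the dictionary lookup.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "i", "!": "i", "5": "s"})


def classes_used(pw: str) -> set:
    return {name for name, chars in CLASSES.items() if any(ch in chars for ch in pw)}


def keyspace(pw: str) -> int:
    """Candidates a brute-force attack must try when it knows only the length and character classes."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def brute_force_days(pw: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case search time; 1e9 guesses/s is an assumed rate, not a measurement."""
    return keyspace(pw) / guesses_per_second / 86400


def policy_violations(pw: str, previous=(), personal=()) -> list:
    """Rules from the slide that can be checked mechanically; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(classes_used(pw)) < 3:
        problems.append("uses fewer than 3 character classes")
    base = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))   # 'P@ssword1!' -> 'passwordii'
    if any(word in base for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if pw in previous:
        problems.append("reuses a previous password")
    if any(token.lower() in pw.lower() for token in personal if token):
        problems.append("contains personal data")
    return problems


if __name__ == "__main__":
    # The slide's complexity examples plus two constructed candidates.
    for pw in ("apt@s2", "23698217", "POTHMYDE", "P@ssword1!", "Tq7#vLp2@zR"):
        print(f"{pw:14} keyspace={keyspace(pw):.2e} days={brute_force_days(pw):.3g} "
              f"violations={policy_violations(pw, personal=('Rex', '1985'))}")
```

Eight digits give 10^8 candidates, under a second at the assumed rate; eleven characters drawn from all four classes give 94^11, tens of millions of days, which is the argument behind the first bullet of the list.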

Page 45

Implement and Enforce Strong Security Policy

(Chart: reasons for termination under the security policy)
- Opening unsolicited e-mail
- Refusal to abide by security policy
- Sending spam
- Sending unsolicited e-mail
- Emanating viruses
- Allowing kids to use company computer
- Attempted unauthorized access
- Running P2P file sharing
- Installing shareware
- Annoying the System Admin
- Possession of hacking tools

Page 46

Page 47

Privilege Escalation

An attacker can gain access to the network using a non-admin user account; the next step is to gain administrative privileges.

Page 48

(screenshot of a password reset tool, not recoverable from the scan)

Page 52

Tools

- Stellar Phoenix Password Recovery: http://www.recoveranypassword.com
- Windows Password Reset: http://www.reset-windows-password.net
- http://www.lostpassword.com
- http://www.windowspasswordsrecovery.com
- Password Unlocker Bundle: http://www.passwordunlocker.com
- ElcomSoft System Recovery: http://www.elcomsoft.com
- http://pogostick.net

Page 54

- Escalating Privileges
- Covering Tracks

Page 55

Executing Applications

Attackers execute malicious applications in this stage. This is called "owning" the system.

Page 56

Alchemy Remote Executor

Alchemy Remote Executor is a system management tool that allows you to execute programs [...].

(Screenshot: tabs Programs, Computers, Progress. The dialog asks you to specify the program you want to run on the remote computers, an optional working directory for the remote computers, and optionally the list of additional files that should be copied to the remote computers before execution. Fields: Command; Working directory; Additional files, the files that should be copied to the target machine before the program execution.)

Page 57

(screenshot of a remote execution tool, not recoverable from the scan)

Page 58

First use one of the methods found under the File menu to load computer names into the box labeled "Available Computers". Then highlight the computers you wish to target and click the "Execute Program" button. The results of the program execution will be displayed below.

File to Copy to Remote Computer: if you wish to copy a local file to the remote computers before execution, please fill in the boxes labeled "File to Copy to Remote Computer" and "Destination of File for Remote Computer". If these boxes are left blank, then the file specified in the "File to Execute" box will be executed.

(Screenshot fields: Destination of File for Remote Computer; File to Execute On Remote Computer; Available Computers; File Name.)

Posted: 14/12/2021, 18:36