System Hacking
Active System Intrusion
Aspects of System Hacking
• System password guessing
• Password cracking
• Key loggers
• Eavesdropping
• Sniffers
• Man in the middle
• DoS
• Buffer overflows
• Privilege escalation
• Remote control and backdoor
• Track covering
• Hide sensitive information
Password Guessing
• If NetBIOS TCP port 139 is open, guess admin, guest, john smith (NULL passwords)
• Try connecting to shares C$ %systemdrive% admin$ guest$
Password Cracking
• Manual/automatic cracking (text file lists)
• Dictionary attack
• Brute force
• Keyloggers
• Password sniffing
Legion
Cain & Abel
L0phtCrack
John the Ripper
Kerbcrack
Examples
• Administrator
• User
• Arcserve
• Test
• Lab
• Username
• Manager
• Temp
• ID number
NULL, password, admin administrator, user, password, backup, temp, ID
Examples
• Easy to remember names
• Use the same password for many accounts
• High probability pairs
www.mksecure.com/defpw
LM Manager
LM: early Windows operating systems
NTLM: NT operating systems
NTLMv2: Windows XP and 2000
(Kerberos: 56-bit, 128-bit encryption)
Eavesdropping
• Packet/Port filtering
• Security scanners
NTInfoScan
Countermeasures
Block TCP/UDP ports 135-139, 445 (NetBIOS network bindings)
Complex passwords
Log failed login events (Event Viewer events 529, 539)
Restrict rights to run system tools such as cmd.exe
Firewall
IPSec
Passprop RK (default admin no lock ability)
IDS
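One way to act on the "log failed login events" countermeasure, as an added example that is not part of the original slides: a Python filter that flags password guessing from failed-logon events 529 and 539. The CSV column layout, host names, accounts and thresholds are constructed assumptions, not the output format of any export tool named here.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Legacy Security-log event IDs named on the slide.
FAILED_LOGON = {529: "unknown user name or bad password", 539: "account locked out"}

# Constructed sample export (528 = successful logon); the columns are an assumption.
SAMPLE_EXPORT = """\
time,event_id,user,source
2004-03-01 09:00:05,528,alice,WKS-07
2004-03-01 09:14:10,529,administrator,192.168.0.44
2004-03-01 09:14:12,529,administrator,192.168.0.44
2004-03-01 09:14:15,529,guest,192.168.0.44
2004-03-01 09:14:19,529,admin,192.168.0.44
2004-03-01 09:14:23,529,administrator,192.168.0.44
2004-03-01 09:14:30,539,administrator,192.168.0.44
2004-03-01 10:02:00,529,bob,WKS-12
2004-03-01 13:30:00,529,bob,WKS-12
"""

def parse_events(text):
    """Yield (time, event_id, user, source) for failed-logon rows only."""
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["event_id"])
        if event_id in FAILED_LOGON:
            when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            yield (when, event_id, row["user"].lower(), row["source"])

def find_guessing(text, threshold=5, window=timedelta(minutes=2)):
    """Return {source: accounts tried} for sources with at least `threshold`
    failures inside a sliding window; a 539 lockout flags the source at once."""
    recent = defaultdict(deque)  # source -> failure times still inside the window
    tried = defaultdict(set)     # source -> accounts named in its failures
    flagged = set()
    for when, event_id, user, source in sorted(parse_events(text)):
        tried[source].add(user)
        times = recent[source]
        times.append(when)
        while when - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) >= threshold or event_id == 539:
            flagged.add(source)
    return {source: sorted(tried[source]) for source in flagged}

if __name__ == "__main__":
    for source, accounts in find_guessing(SAMPLE_EXPORT).items():
        print(source, "tried", ", ".join(accounts))
```

The occasional mistyped password from WKS-12 stays below the threshold, while the burst against several account names from one address is reported together with the accounts it tried.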
Demo/Exercise
• Cain & Abel
• Create a user account and crack password.
SMB
• Server Message Blocks
Request
Response
Command line hacks
• At 15:23 /interactive cmd.exe
• Net use \\192.168.0.1\c$ * /u:administrator
Vulnerabilities
• RPC
• LSASS
• Stack/Buffer overflows
• Buffer overflow attacks involve sending overly long input streams to the attacked server, causing the server to overflow parts of the memory and either crash the system or execute the attacker's arbitrary code as if it was part of the server's code. The result is full server compromise or denial of service.
• Some of the well-known Internet worms, including Code Red, Slapper and Slammer, use buffer overflow attacks to propagate and execute payloads. Buffer overflow vulnerabilities are some of the most common programming errors.
Man in the Middle
SMBRelay server
Because Windows automatically tries to log in as the current user if no other authentication information is explicitly supplied, if an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user.
Privilege Escalation
Gain access to a system and give yourself more privileges
PipeupAdmin
GetAdmin.exe
Hk.exe
Sechole
Spoofing LPC
Psexec
Pilfering
Grabbing information such as the SAM database NT
Active Directory %windir%\windowsDS\ntds.dit
www.winhackingexposed.com
• In-depth coverage of Windows security and vulnerabilities
Countermeasures
• Deny Log on locally
• Lock down IIS (URLScan, IISLockdown)
• Audit Logon events
Events/Database Export
• Dumpevt www.somarsoft.com
• EventCombWindows
IDS
• Blackice blackice.iss.net
• Entercept www.mcafeesecurity.com
• Cisco Security Agent www.cisco.com
• Sentivist www.nfr.com
• E-trust IDS www3.ca.com
• ITA enterprisesecurity.com
• Realsecure www.iss.net
• Tripwire www.tripwiresecurity.com
Exercise
• Use command line tools to connect to another computer
• Filter event logs