n Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems

Transcription

1 Outline n Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems n Describe methods used to escalate privileges Chapter #5: n Describe methods used to maintain access to systems n Describe methods of evidence erasure n Identify rootkit function and types n Identify basics of Windows and Linux file structure, directories, and commands 2 Phases of Hacking Windows Security Architecture n Credentials are stored in a SAM file n It stores hash values n On a domain passwords are stored in a database n MS picked not a very good encryption but it became better 3 Authentication Encryption OS versions LM DES Win 95/98 NTLM DES + MD4 Win NT NTLM v2 + Kerberos Symm+Asymm Win

2 Windows 7 5 Windows 10 6 LM Authentication LM Authentication n Converts everything to uppercase n If a password is seven characters or less, this significantly reduces the amount of time required to crack the rest of it n If the password was less than 14 characters, it would add because the LM hash value of seven blank characters will blank spaces to get it to 14 always be the same (AAD3B435B51404EE) n Then the password would be split into two 7-character n The first half we put through a cracker and get to work strings n The second is easily recognizable hash of seven blanks! n These strings would be hashed separately, with both n NTLM needs much more power to bruteforce hashes then combined for the output 7 8 2

3 Password Considerations Kerberos Exchange n Password: 8 characters long n Alphabet: 26 upper-case letters, 26 lower-case letters, 10 numbers, 33 special characters (95) n 95^8 = 6,634,204,312,890,625 n Password: 9/10 characters long n Alphabet: 26 upper-case letters, 26 lower-case letters (52) n 52^9 = 2,779,905,883,635,712 n 52^10 = 144,555,105,949,057, The client sends a cleartext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user (Note: Neither the secret key nor the password is sent to the AS) 2 The AS checks to see if the client is in its database If it is, the AS generates the secret key (SK1) by hashing the password of the user found at the database (eg, Active Directory in Windows Server) and sends back the following two messages to the client Message A: Client/TGS Session Key (SK2) encrypted using the secret key of the client/user (SK1) Message B: Ticket-Granting-Ticket (TGT, which includes the client ID, client address, ticket validity period, and the client/tgs session key) encrypted using the secret key of the TGS (SK2) 3 Once the client receives messages A and B, it attempts to decrypt message A with the secret key (SK1) generated from the password entered by the user 4 If the user entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A 5 With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key (SK2) This session key is used for further communications with the TGS (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key) At this point, the client has enough information to authenticate itself to the TGS 10 AD Credentials AD Credentials n On a domain controller credentials are stored in Ntdsdit n ISAM (Indexed Sequential Access Method) is a file management system developed at IBM that allows records to be accessed either ESE database file sequentially (in the order they were entered) or randomly (with an index) n It is located in %SystemRoot%\NTDS\Ntdsdit or n An ESE database looks like a single file to Windows Internally the %SystemRoot%\System32\Ntdsdit database is a collection of 2, 4, 8, 16, or 32 kb pages n The NTDSDIT file is effectively the entire Active Directory n Pages contain meta-data to describe the data contained within the database, data itself, indexes to persist interesting orders of the data, and in a file other information n An ESE database may contain up to 232 pages, or 16 terabytes of data for 8 kilobyte sized pages

4 Kerberos Ticket Stealing - Mimikatz Hash Cracking n It is part of Kali /usr/share/mimikatz samdump2 in Kali Registry n The Windows registry is a collection of all the settings and configurations that make the system run n It stores all sorts of configuration settings and options: n low-level operating system components, n applications running on the machine, n drivers, the SAM file, and n the user interface n Keys and values

5 Root-Level Keys Root-Level Keys n HKEY_CLASSES_ROOT (HKCR) Contains information on file associations and Object Linking and Embedding (OLE) classes n HKEY_CURRENT_USER (HKCU) Contains profile information for the user currently logged on Information includes user-level preferences for the OS and applications n HKEY_LOCAL_MACHINE (HKLM) Contains information on hardware (processor type, bus architecture, video, disk I/O, and so on) and software (operating system, drivers, services, security, and installed applications) n HKEY_USERS (HKU) Contains specific user configuration information for all currently active users on the computer n HKEY_CURRENT_CONFIG (HKCC) Contains a pointer to HKEY_ LOCAL_MACHINE\SYSTEM\CurrentControlSet\CurrentControlSet\ Hardware Profiles\Current, designed to make accessing and editing this profile information easier Root-Level Keys 19 Keys 20 5

6 MMC 21 Linux Security Architecture 22 Linux Security Architecture Linux Security Architecture n / represents the root directory n /home holds the user home directories n /bin holds all sorts of basic Linux commands (a lot like the n /mnt holds the access locations you ve actually mounted C:\Windows\System32 folder in Windows) n /sbin (system binaries) holds more administrative commands n /dev contains the pointer locations to the various storage and and is the repository for most of the routines Linux runs (known input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or as daemons) n /usr holds almost all of the information, commands, and files partitions Note that everything in Linux is a file unique to the users n /etc contains all the administration files and passwords Both the password and shadow files are found here

7 UNIX Commands Linux Permissions Command Description adduser Adds a user to the system cat Displays the contents of a file cp Copies ifconfig Displays network configuration information about your NIC kill Kills a running process (You must specify the process ID number ls Displays the contents of a folder -l, -a man Displays the manual page for a command passwd Used to change your password ps Process status command pwd Displays the name of the current directory rm Removes files The command rm-r also recursively removes all directories and subdirectories on the path and provides no warning when deleting a write-protected file su Allows you to perform functions as another user The sudo command version allows you to run programs with root privileges 25 CHMOD 26 Users 27 Password File vs Shadow File 28 7

8 Password Encryption Password Attacks n The format of the encrypted password is: n Non-electronic $#$SALT$PWD_SALTED_HASH social engineering n On Ubuntu 1004 LTS, the # is '6' and means a SHA-512 hash was used n Active online n Passive online n You can test a password with: n Offline mkpasswd -m SHA-512 <PASSWORD> <SALT> n This should return the encrypted password, starting w/ '$6$' Active Online Passive Online n Dictionary and brute-force attacks n Sniffing n Hash injections n ARP poisoning n Phishing n Trojans n Spyware n Keyloggers n Password guessing

9 Offline n Dictionary attack There is no 100 percent secure system, rainbow tables (Windows) n Hybrid attack and there is nothing that is foolproof! dictionary attack with substitutons n Brute-force attack Stay Alert! 33 9