System Hacking
description
Transcript of System Hacking
System Hacking
Active System Intrusion
Aspects of System Hacking
• System password guessing• Password cracking• Key loggers• Eavesdropping• Sniffers• Man in the middle• DoS• Buffer overflows• Privilege escalation• Remote control and backdoor• Track covering• Hide sensitive information
Password Guessing
• NetBIOS TCP port 139 open then guess admin, guest, john smith (NULL passswords)
• Try connecting to shares C$ %systemdrive% admin$ guest$
Password Cracking
•Manual/automatic cracking (text file lists)
•Dictionary attack
•Brute Force
•Keyloggers
•Password Sniffing Legion
Cain 7 Able
LophtCrack
Jack the Ripper
Kerbcrack
Examples
• Administrator• User• Arcserve• Test• Lab• Username• Manager• Temp• ID number
NULL, password, admin administrator, user, password, backup, temp, ID
Examples
• Easy to remember names
• Use the same password for many accounts
• High probability pairs
www.mksecure.com/defpw
LM Manager
LM Early windows operating systems
NTLM NT operating systems
NTLMv2 Windows XP and 2000
(Kerberos 56bit 128bit encryption)
Eavesdropping
•Packet/Port filtering
•Security scanners
NTInfoScan
CountermeasuresBlock TCP/UDP ports 135-139 445(netbios network bindings)
Complex passwords
Log failed login events (event viewer EVENTS 529, 539)
Restrict rights to run system tools such as cmd.exe
Firewall
IPSec
Passprop RK (default admin no lock ability)
IDS
Demo/Exercise
• Cain & Able
• Create a user account and crack password.
SMB
• Server Message Blocks
Request
Response
Command line hacks
• At 15:23 /interactive cmd.exe• Net use \\192.168.0.1\c$ * /u:administrator
Vulnerabilities
• RPC
• LSASS
• Stack/Buffer overflows
• Buffer overflow attacks involve sending overly long input streams to the attacked server, causing the server to overflow parts of the memory and either crash the system or execute the attacker's arbitrary code as if it was part of the server's code. The result is full server compromise or denial of service.
• Some of the well-known Internet worms, including Code Red, Slapper and Slammer, use buffer overflow attacks to propagate and execute payloads. Buffer overflow vulnerabilities are some of the most common programming errors.
Man in the Middle
SMBRelay server
Because Windows automatically tries to log in as the current user if no other authentication information is explicitly supplied, if an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user.
Privilege Escalation
Gain access to a system and give your self more privileges
PipeupAdmin
GetAdmin.exe
Hk.exe
Sechole
Spoofing LPC
Psexec
Pilfering
Grabbing information such as the SAM database NT
Active Directory %windir%\windowsDS\ntds.dit
www.winhackingexposed.com
• In depth coverage of windows security and vulnerabilities
Countermeasures
• Deny Log on locally
• Lock down IIS URLScan IISLockdown
• Audit Logon events
Events/Database Export
• Dumpevt www.somarsoft.com
• EventCombWindows
IDS
• Blackice blackice.iss.net• Entercept www.mcafeesecurity.com• Cisco security Agent www.cisco.com• Sentivist www.nfr.com• E-trust IDS www3.ca.com• ITA enterprisesecurity.com• Realsecure www.iss.net• Tripwire www.tripwiresecurity.com
Exercise
• Use command line tools to connect to another computer
• Filter event logs