CEH_System_Hacking_MindMap.pdf

Use Attrib +h [file/directory]
Allows data to be stored in hidden files
that are linked to a normal visible file
Hides hidden.txt within test.txt
test.txt has to already exist
notepad test.txt:hidden.txt
Attrib.exe
Two ways of hiding files in NT/2000
NTFS Alternate Data Streaming
The process of hiding data inside other files, typically images
Windows App
Simple encrypt/decrypt of data
No increase in image size
Hides information within an .mp3 file
Hidden in the mp3 bit stream
Whitespace steganography program
Hides data in ASCII text by appending
whitespace to the end of lines
Windows App
Easy to use
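Snow's technique, encoding a payload as trailing spaces and tabs at the ends of lines, as an added Go example that is not from the original mind map or from the Snow program itself: Hide and Reveal round-trip a secret through a constructed cover text, and SuspiciousLines is the countermeasure, flagging lines that end in whitespace. The one-byte-per-line layout and the leading length byte are this example's own choices, not Snow's file format.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// bitsPerLine is how many secret bits ride on each cover line: one byte
// per line, each bit a trailing space (0) or tab (1).
const bitsPerLine = 8

// Cover is a constructed piece of innocuous text to carry the secret.
const Cover = `Dear all,
the quarterly figures are attached for review.
Please send comments before Friday.
Regards,
Bob`

// Hide appends the secret as trailing whitespace. A length byte goes on the
// first line so Reveal knows how many lines carry payload. Existing trailing
// whitespace on a line is discarded first.
func Hide(cover string, secret []byte) (string, error) {
	if len(secret) > 255 {
		return "", errors.New("secret longer than 255 bytes")
	}
	payload := append([]byte{byte(len(secret))}, secret...)
	lines := strings.Split(cover, "\n")
	if len(lines) < len(payload) {
		return "", fmt.Errorf("cover has %d lines, payload needs %d", len(lines), len(payload))
	}
	for i, b := range payload {
		var sb strings.Builder
		sb.WriteString(strings.TrimRight(lines[i], " \t"))
		for bit := 7; bit >= 0; bit-- {
			if (b>>uint(bit))&1 == 1 {
				sb.WriteByte('\t')
			} else {
				sb.WriteByte(' ')
			}
		}
		lines[i] = sb.String()
	}
	return strings.Join(lines, "\n"), nil
}

// tailByte decodes the last bitsPerLine characters of a line, failing if
// any of them is not a space or a tab.
func tailByte(line string) (byte, bool) {
	if len(line) < bitsPerLine {
		return 0, false
	}
	var b byte
	for _, c := range line[len(line)-bitsPerLine:] {
		b <<= 1
		switch c {
		case '\t':
			b |= 1
		case ' ':
		default:
			return 0, false
		}
	}
	return b, true
}

// Reveal reads the length byte from the first line and the payload from the
// lines that follow.
func Reveal(stego string) ([]byte, error) {
	lines := strings.Split(stego, "\n")
	n, ok := tailByte(lines[0])
	if !ok {
		return nil, errors.New("first line carries no length byte")
	}
	if len(lines) < int(n)+1 {
		return nil, errors.New("text is shorter than the length byte claims")
	}
	out := make([]byte, 0, n)
	for i := 1; i <= int(n); i++ {
		b, ok := tailByte(lines[i])
		if !ok {
			return nil, fmt.Errorf("line %d carries no payload", i+1)
		}
		out = append(out, b)
	}
	return out, nil
}

// SuspiciousLines is the detection side: 1-based numbers of lines that end
// in whitespace, which a mail gateway or editor hook can flag or strip.
func SuspiciousLines(text string) []int {
	var hits []int
	for i, l := range strings.Split(text, "\n") {
		if l != strings.TrimRight(l, " \t") {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	stego, err := Hide(Cover, []byte("key"))
	if err != nil {
		panic(err)
	}
	got, _ := Reveal(stego)
	fmt.Printf("recovered %q; lines with trailing whitespace: %v\n", got, SuspiciousLines(stego))
}
```

Stripping trailing whitespace on the way in (as many mail filters and editors already do) destroys the channel completely, which is why this scheme is easy to detect and easy to defeat.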
Hides data in GIF images
To view the messages live on the web
Comes with its own browser app
Camera/Shy
Snow.exe
Tools
Mp3stego
Image Hide
Steganography
Hiding Files
Automated tool for detecting
steganographic content in images
Stegdetect
Countermeasures
Moves the contents of a file into an alternate
data stream attached to it
Packetstorm utility to write files to the NTFS ADS
Contains utilities to add, extract and remove ADS
Displays NTFS files that have ADS
Lists files with ADS
One manual way to remove a stream is to
copy the file to a FAT partition, then back.
This removes the stream
makestrm.exe
Tools
ads_cat
streams
List ADS
Countermeasures
FAT Copy
Also known as rootkits
Screen capture
Keystroke logging
Microphone enable
Log file analysis
Spyware can install remote
control and backdoors
Usually these tools offer multiple different
ways of interacting with a filesystem
Spector
eBlaster
www.mindcert.com
Software that interacts with the OS
Replaces core functions within the OS
Good at hiding its existence
Windows
Unix
Detects and removes Spector from your system
Detects and removes spy software
Available for
RootKit
Tools
Remote Control and
Backdoors
NetBIOS Port
Most effective method of breaking into Windows is
Password guessing
Anti-Spector
Tools
Spyguard
Countermeasures
Assuming TCP Port 139 is open
Connect to an enumerated share
IPC$
Default Admin shares
C$
Admin$
Once intruders have gained access they
will need to cover their tracks
Intruders will normally install
Backdoors so they can always
come back to the machine using
a covert channel
These normally include looking at logs
Therefore, logs are always sanitized or
cleared down totally.
Sometimes, the intruder actually
disables logging totally
Comes with NT/2000 Resource Kit
Command line util to find out audit
status of a target machine
c:\>auditpol \\<ip address of target>
Can be run over the network
Auditpol.exe
Administrator Password
The default admin account is
administrator
same as root under UNIX
Sometimes has a blank password
Create or use a username/password file
Automated password guessing
Can use a simple batch (cmd.exe) script
Build a script using the FOR command
FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
credentials.txt holds one "password username" pair per line; %i is the password, %j the user name
Inside a .bat file write %%i and %%j instead of %i and %j
To cover tracks you have to look
at general sys admin activities
Windows application
Legion
Automates password guessing for
NetBIOS sessions
Scans multiple Class C addresses
Manual dictionary attack tool
Windows tool
Remote Password Guessing
Tools
Comes with NT/2000 Resource Kit
Produces a tab delimited CSV file
Dumps an event log for a local or
remote system
Dumpel.exe
Covering Tracks
NTInfoscan (now CIS)
Now Cerberus Internet Scanner
Vulnerability Scanner designed for NT4
Will check NetBIOS shares
Lets the intruder know what is in the logs
Simple tool for clearing the event logs
on Windows NT/2000
Correct privileges are required on the remote system
Selectively erases records from the
Win 2000 security log
Command line application
Needs admin rights
GUI commercial system for Windows
Commercial tool marketed as erasing all traces of user activity
Find a valid user
Create a list of possible passwords
Key in each password
Success
If the system allows you in
Try again
Else
Manual Password Cracking
Evidence Eliminator
WinZapper
Block access to TCP and UDP Ports
135 to 139
Tools
elsave.exe
Disable WINS client on all adapters
Use strong passwords
Or two factor authentication
Security Log
Event
Log failed logon attempts
Look at a logging application
VisualLast
529 (unknown user name or bad password) or 539 (account locked out)
From Foundstone
Visual Log manager
Countermeasures
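A detection check for the countermeasure above, as an added Go example that is not part of the original mind map: it tallies 529 (bad password) and 539 (account locked out) events per target account from a tab-delimited export in the shape dumpel.exe produces, and reports accounts that cross a failure threshold, the signature of the password guessing this module describes. The column positions and the log lines are constructed for the example; a real export would need the columns mapped to the actual dumpel layout and event insertion strings.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Column positions assumed for a dumpel-style tab-delimited export: date,
// time, source, type, category, event ID, user, computer, then the event's
// insertion strings, the first of which is taken here as the target
// account. Any further fields are ignored.
const (
	colEvent   = 5
	colAccount = 8
)

// SampleLog is a constructed export: four bad-password attempts against
// administrator followed by a lockout, and a single typo by bob.
var SampleLog = []string{
	"01/14/05\t10:01:02\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSRV01\tadministrator\tWORKSTATION13",
	"01/14/05\t10:01:03\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSRV01\tadministrator\tWORKSTATION13",
	"01/14/05\t10:01:03\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSRV01\tadministrator\tWORKSTATION13",
	"01/14/05\t10:01:04\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSRV01\tadministrator\tWORKSTATION13",
	"01/14/05\t10:01:05\tSecurity\tFailure Audit\tLogon/Logoff\t539\tNT AUTHORITY\\SYSTEM\tSRV01\tadministrator\tWORKSTATION13",
	"01/14/05\t10:07:41\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tSRV01\tbob\tBOB-PC",
}

// Finding is the per-account tally an analyst reviews.
type Finding struct {
	Account   string
	Failed    int  // number of 529 events (unknown user name or bad password)
	LockedOut bool // a 539 event (account locked out) was logged
}

// AnalyzeLogons tallies 529/539 events per target account. Malformed or
// unrelated lines are skipped rather than aborting the run.
func AnalyzeLogons(lines []string) map[string]*Finding {
	out := map[string]*Finding{}
	for _, l := range lines {
		f := strings.Split(l, "\t")
		if len(f) <= colAccount {
			continue
		}
		ev, acct := f[colEvent], strings.ToLower(f[colAccount])
		if ev != "529" && ev != "539" {
			continue
		}
		fd, ok := out[acct]
		if !ok {
			fd = &Finding{Account: acct}
			out[acct] = fd
		}
		if ev == "529" {
			fd.Failed++
		} else {
			fd.LockedOut = true
		}
	}
	return out
}

// Suspicious returns, sorted, the accounts with at least threshold failed
// logons or a lockout. A lockout is reported regardless of the threshold:
// it is either an attack or a user who needs a call either way.
func Suspicious(findings map[string]*Finding, threshold int) []string {
	var hits []string
	for acct, fd := range findings {
		if fd.Failed >= threshold || fd.LockedOut {
			hits = append(hits, acct)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	findings := AnalyzeLogons(SampleLog)
	for _, acct := range Suspicious(findings, 3) {
		fd := findings[acct]
		fmt.Printf("%s: %d failed logons, locked out=%t\n", acct, fd.Failed, fd.LockedOut)
	}
}
```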
Eavesdropping is sniffing the
passwords from the network segment
To eavesdrop you have to be
able to sniff all VLAN traffic
Switch ports by default only see your
traffic and broadcasts
Hubs forward all frames out of all ports
Telnet
Have to use a tool to get around this
Some passwords are unencrypted
Algorithms
POP3
etc..
Find a valid user
Find encryption algorithms used
Obtain encrypted passwords
Create list of possible passwords
Encrypt each word
Success
See if it works
Try again
Else
Easiest to crack
Only letters
Only numbers
Only special characters
Harder to crack
Letters and numbers
Automatic Password Cracking
Certified Ethical Hacker
Module 5 - System Hacking
Eavesdropping
L0phtcrack
Some passwords are encrypted
Collect these passwords and hashes and
then run attacks against them offline
Windows Application
Password auditing and recovery tool
SMB Packet capture listens to the local
network segment
Captures individual login sessions
Attacks the 24-byte LM/NTLM challenge response captured from each session, not a stored hash
Uses either Dictionary
Or Brute Force attacks
Tools
Windows command line application
KerbCrack
kerbsniff
kerbcrack
Listens on the network and captures
2000/XP kerberos logins
Uses dictionary or brute force to crack the password
Consists of two programs
Password Types
Letters and special characters
Numbers and special characters
Most secure passwords
Letters, numbers, and special characters
Dictionary attack
nbname
Sending a NetBIOS name release to the
NetBIOS name service (UDP 137)
places the name in conflict
No longer able to use it
Using a dictionary of words
Or a wordlist
Going through all possible combinations
Eventually
Will always work
Denial of Service
Brute force attack
Tools
Blocks the client from participating in
the NetBIOS network
Carries out a NetBIOS DoS attack
SMBDie
Crashes computers running Windows 2000/XP/NT
Sends a specially crafted SMB request
A mixture of dictionary and brute force attacks
Ask the user for their password
Look over their shoulder
Try to find password evidence in trash
NT/2000/XP
Win9x Clients only send LM hashes
123ANDREW
First converted to Uppercase
Hybrid attack
Password Attacks
It is important to gain root or
administrative level access
Social engineering
Once hacker has access to a system
Shoulder surfing
Dumpster diving
May have gained access with a non
admin account
Small .exe that adds a user to the local admin
group
Windows NT/2000/XP clients by default send both the LM
and the NTLM responses, so the weaker LM one can be attacked
Privilege Escalation
Tools
GetAdmin
Need to logon to the server console
Run from the command line
Only works on NT4.0 SP3
123ANDREW_____
123ANDR
EW_____
Password is padded with null characters to
make it a 14 character length
Your password is 123andrew
The 14 character string is split in two halves
Each 7-byte half is used as a DES key to encrypt a fixed constant;
the two 8-byte results are concatenated to give the 16-byte hash
SAM file in NT/2000 contains the
usernames and encrypted passwords
C:\windows\system32\config
Example
hk.exe
Exploits an LPC flaw in NT
Escalates a non admin user to an admin user
Lan Manager Hashes
Log all keyboard activity
Password Cracking
Hardware
Physical devices that are connected to
the keyboard port
Applications that have to be installed
on a users machine
Hardware Keystroke logger
USB or PS2
Windows software
Types
Software
Keystroke Loggers
Tools
Keyghost
Bootable Linux distribution
Such as Backtrack
Boot to an alternate OS
Mount the drive
NT/2000 Passwords
IKS Software Keylogger
Invisible to the user
Buffer of 100 keystrokes
Then dumps this to a configurable
text file on the machine
In the repair directory
Called SAM._
Backup the SAM from the Repair directory
c:\>expand sam._ sam
Expand the file
File is locked when OS running
Cracking Passwords
Use L0phtcrack
Extract the hashes from the files
Trick the user into trying SMB
authentication against the attacker
Redirecting SMB to the Attacker
The SMB authentication will fail
SMB server to capture usernames and
passwords from incoming SMB traffic
Man in the Middle attacks (MITM)
Can relay the traffic to another server
to provide a MITM attack
These are then extracted with L0phtcrack
Receives a connection on port 139
SMBRelay
Send an email with a link
Embed code etc..
But the attacker now holds the captured challenge/response (the encrypted credentials)
Collects NTLM password hashes to a text file
Increases speed of L0phtcrack
Removes duplication
Provides facility to target specific users
Registers a NetBIOS name on the network
SMBGrind
Tools
NBTDeputy
Helps resolve IP address from NetBIOS name
Works well with SMBRelay
Windows and Unix
Command line tools
Cracks both Unix and Windows passwords
Extremely fast
When cracking LM hashes the result is upper-case only,
so it may not reflect the exact password
John the Ripper
Enforce 7-12 character alpha-numeric
passwords
Set the password expiration policy to 30 days
Physically isolate and protect the server
Syskey encrypts the password hashes in the SAM with a 128-bit key
Use the "syskey" utility
Countermeasures
Monitor all server logs for password attacks