Introduction
Interesting user information and accounts might have been discovered during the enumeration phase of the attack. If
the target cannot be accessed directly, the next step is to find a way to get it to reveal more information about
itself. This can be done by simply social-engineering a victim into installing an illicit server, or by convincing
them to click a link that leads to a browser drive-by exploit.
For the white hat, hacking involves much more activity than this. Troubleshooting and other problem-solving skills
are developed, and with these and a greater awareness of security threats, the white hat can discover and thwart
illicit entry into the network.
Password Cracking
The humble password is the easiest and least expensive form of authentication to set up. It is also exposed to a
number of different attack techniques. The challenge of using password protection lies in balancing those risks
against that convenience.
Password cracking is both an art and a science. At times a password is simply not practical to crack. However,
managing this form of credential is often done poorly, so there may be a weakness that can be exposed. Frequently,
default passwords have not been changed, or weak passwords are in use to protect both user and network resources.
The Four Approaches To Password Cracking
There are four types of password cracking attacks:
- Passive Online Attacks
- Active Online Attacks
- Off-line Attacks
- Non-Technical Attacks
Passive Online Attacks - This form of attack involves sniffing passwords from network traffic.
Over the years this has become more difficult on Ethernet networks because hubs have been replaced by switches, which
deliver a frame only to the port of its destination host. On a wireless network the attack is more effective, since
every station within radio range sees the traffic, much as on a hub; an open network, or one whose encryption key the
attacker already holds, exposes any credential that is sent without transport encryption.
Active Online Attacks - An example of this attack is the Man-in-the-Middle (MitM) attack, which
captures credentials passing between two or more target hosts. The most likely vector is Address Resolution
Protocol (ARP) poisoning, but the attacker must already control a host in the same broadcast domain for it to
work.
Session hijacking and replay attacks have become more difficult over time. Session hijacking is harder because
changes to protocol implementations (for example, unpredictable sequence numbers and session identifiers) make the
many steps required harder to accomplish. Replay attacks involve sniffing a login sequence from the wire and
resending those packets to the server at a later time. They are mitigated by multi-factor authentication,
time-stamps and server-issued challenges bound to each exchange, which render the captured packets unusable at a
later time.
Strangely, the most efficient and effective active online attack is simple password guessing. To do it well, the
attacker must first complete the reconnaissance and enumeration steps in order to know where guessing has the best
chance of success.
Knowing something about the target is useful in a guessing attack. The password might be based on something like
a hobby or interest. If cognitive passwords (answers to pre-chosen questions that must be provided) are in use,
guesses will be more accurate. All of this information can be added to a dictionary file if the guessing attack is
automated.
Document Grinding is the process of obtaining documents and parsing them into dictionary word lists. The
technique is effective when internal users base their passwords on internal jargon, for example the names of
systems, departments or processes. Users might even use the password examples given in security policy manuals.
A pass-phrase is a more advanced form of password. It is easy to remember an entire sentence and then use
carefully chosen letters from that sentence as the password, which a plain dictionary is unlikely to contain.
Off-line Attacks - Though it happens more often than you would think, passwords are rarely stored in
plain text. Usually they are passed through a hashing algorithm and the result of that calculation is stored. To
avoid the same password always producing the same hash, a salt value is added to the hashing calculation. The salt
is a random value generated once per password when it is set and stored alongside the hash; how it is combined with
the password depends on the implementation. If an attacker obtains a database of the hashes for each user of a
system, they also need to know how the salt is applied, and must attack each salted hash separately rather than
reusing work across users.
Non-Technical Attacks - These involve social engineering. Strangely enough, given human nature, one
of the easiest ways to obtain information is to simply ask the target for it. Another method is
shoulder surfing, which is accomplished by merely watching while a target enters their credentials.
Other methods include installing a WiFi-connected camera hidden in a strategic location and observing the
keystrokes remotely.
Key-loggers can be obtained from sources on the Internet and are relatively easy to install. A key-logger records
every keystroke and can provide the attacker with a report that is easily searched. Though hardware key-loggers are
undetectable through software controls, they still require physical access to install and remove.
Another common non-technical attack is to create a bogus website that closely resembles a site the targets
frequent. When the target logs in with their credentials, the attacker captures them and gains some valuable
information from the target.
Password guessing is also applicable here as a non-technical attack. Technical documentation might list example
passwords that users then adopt.
Password Recovery From Hashes
Hashing algorithms are used for data comparison. For example, if you have several files of the same size and want
to check whether they are identical, the easiest way is to hash them and compare the results. If the same digest is
produced, the files are (barring a collision) exactly the same.
The basic idea behind a hash is that a message digest of the input data is calculated, producing a fingerprint
that represents the data without revealing what the data is. A cryptographic hash is one-way: reversing it is
computationally infeasible.
Passwords are stored as hashes. While the password cannot be read from a hash, the hash can still verify the
credentials presented at login time: the value entered is hashed and compared with the stored hash of the password
chosen in the past.
Several methods can be used to recover passwords. None of them reverses the hash; instead they search for a value
that produces the same fingerprint, which the system will then accept. Two different inputs producing the same digest
is known as a collision, and collision resistance is a primary design requirement of hashing algorithms; in
practice the matching value found is almost always the original password itself.
Common Password Cracking Attacks
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a
computer system. A common practice is the brute-force attack, which makes repeated guesses for the password and
checks each one against an available cryptographic hash of the password.
One purpose of password cracking might be to help a user recover a forgotten password, although simply setting an
entirely new password is less of a security risk; either action requires a user with system administration
privileges. An attacker's motives are different: they wish to gain unauthorized access to a system. System
administrators may also crack their own users' hashes as a preventive measure to check for easily crackable passwords.
There are other common password cracking attacks. These include:
- Dictionary Attack
- Syllable Attack
- Rule-Based Attack
- Hybrid Attack
- Off-line Brute Force Attack
- Rainbow Attack
- DNA Attack
Dictionary Attack - A list of words is hashed and the results are compared with the captured hashes.
Syllable Attack - Phonetic fragments or portions of words are combined and hashed instead of
full words.
Rule-Based Attack - In this attack rules are created, for example: substitute the character s or S
with $. Regular expressions can be used in powerful ways to perform these substitutions on strings produced by
dictionary or syllable attacks.
Hybrid Attack - This attack combines the above attacks with something extra: characters are
transposed or shifted, digits or years are appended, and the case can be flipped. A couple of examples are
@ssw0rdP, P@SSw0Rd or Dr0Wss@p.
Off-line Brute Force Attack - This attack tries every combination of a chosen character set and
length. The difficulty lies in selecting a character set and length small enough to be feasible yet large enough to
contain the password.
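As an added example (not code from the original page), the following Python script demonstrates the dictionary, rule-based and hybrid attacks above, run against a small constructed store of salted hashes like the one described under Off-line Attacks. The credential store, word list, substitution rules and suffix list are all invented for the illustration; the hash is SHA-256 over salt and password, which is the weak fast-hash case rather than a real system's slow key-derivation function.

```python
import hashlib
import os
from typing import Optional


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store SHA-256(salt || password) with a random 16-byte salt per user.
    (A real system should use a slow KDF such as bcrypt, scrypt or Argon2;
    a fast hash keeps the example short and is exactly the weak case.)"""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "hash": hashlib.sha256(salt + password.encode()).hexdigest()}


# Constructed credential store; the cracker sees only the salts and hashes.
RECORDS = {
    "alice": make_record("summer"),
    "bob":   make_record("P@ssw0rd"),
    "carol": make_record("Dragon2019"),
    "dave":  make_record("summer"),         # same password as alice, different salt
    "erin":  make_record("q7!Lm#2vZp9&"),   # not derivable from the word list
}

WORDLIST = ["summer", "password", "dragon", "welcome", "letmein"]   # constructed

# Rule-based attack: character substitutions applied to each dictionary word.
LEET_PARTIAL = str.maketrans({"a": "@", "o": "0"})
LEET_FULL = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def rule_variants(word: str):
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base.translate(LEET_PARTIAL)
        yield base.translate(LEET_FULL)


# Hybrid attack: rule variants plus appended punctuation, digits or years, and reversal.
SUFFIXES = ["", "!", "1", "123"] + [str(year) for year in range(2015, 2026)]


def hybrid_variants(word: str):
    seen = set()
    for variant in rule_variants(word):
        for suffix in SUFFIXES:
            for cand in (variant + suffix, variant[::-1] + suffix):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(records: dict, wordlist: list) -> dict:
    """Return {user: recovered password or None}. Because every user has a
    different salt, the candidate list is re-hashed for each user; nothing
    computed for alice helps with dave even though their passwords match."""
    found = {}
    for user, rec in records.items():
        found[user] = None
        for word in wordlist:
            for cand in hybrid_variants(word):
                if hashlib.sha256(rec["salt"] + cand.encode()).hexdigest() == rec["hash"]:
                    found[user] = cand
                    break
            if found[user] is not None:
                break
    return found


if __name__ == "__main__":
    for user, password in crack(RECORDS, WORDLIST).items():
        print(f"{user}: {password}")
```

Note that alice and dave share a password but their stored hashes differ, which is the whole point of the salt: a precomputed table or a hash cracked for one user says nothing about the other, so the attacker pays the full candidate cost per account. Erin's random password survives because no rule or suffix turns a dictionary word into it.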
Rainbow Attack - This attack uses a rainbow table, which is a time-memory trade-off: the work of
hashing is done once in advance and stored so that later lookups are fast. Here is an example.
Suppose it takes 118 years to brute force one hash. Think about having to start all over again for the next hash.
Since the hard work has already been done, why not store the results as they are computed? A complete look-up table
of every password and its hash would be enormous, so a rainbow table stores only the start and end points of long
chains of alternating hash and reduction steps and recomputes the middle on demand. With this method, each subsequent
crack takes only seconds. Salting defeats the approach, because a separate table would be needed for every salt value.
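To make the trade-off concrete, here is an added Python implementation (not from the original page) of a miniature rainbow table over a toy keyspace of 512 three-letter passwords hashed with SHA-1. The charset, chain length, reduction function and number of chains are assumptions chosen to keep the run short; the algorithm (column-dependent reduction, end-points only stored, chains regenerated on lookup, false alarms from merged chains handled) is the general one.

```python
import hashlib

CHARSET = "abcdefgh"          # toy keyspace: 8^3 = 512 passwords (assumption)
LENGTH = 3
KEYSPACE = len(CHARSET) ** LENGTH
CHAIN_LEN = 6                 # hash/reduce steps per chain (assumption)


def index_to_password(n: int) -> str:
    out = []
    for _ in range(LENGTH):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)


def H(password: str) -> bytes:
    return hashlib.sha1(password.encode()).digest()


def R(digest: bytes, column: int) -> str:
    """Reduction: map a hash back into the keyspace. Making it depend on the
    column is what distinguishes a rainbow table from a plain hash chain and
    limits chain merges."""
    return index_to_password((int.from_bytes(digest[:4], "big") + column) % KEYSPACE)


def build_table(starts, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute: store only end -> [starts]; the intermediate points are
    recomputed on demand, which is the time side of the trade-off."""
    table = {}
    for start in starts:
        pw = start
        for col in range(chain_len):
            pw = R(H(pw), col)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Return the password whose hash is target, or None if no chain covers it."""
    for col in range(chain_len - 1, -1, -1):
        pw = R(target, col)                      # assume the target sits in this column
        for j in range(col + 1, chain_len):
            pw = R(H(pw), j)                     # walk forward to the chain's end point
        for start in table.get(pw, []):
            cand = start                         # regenerate that chain from its start
            for j in range(chain_len):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), j)
            # no hit: a false alarm caused by a chain merge; try the next column
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the keyspace the table can recover (memory vs. success rate)."""
    hits = sum(lookup(table, H(index_to_password(n)), chain_len) is not None
               for n in range(KEYSPACE))
    return hits / KEYSPACE


if __name__ == "__main__":
    starts = [index_to_password(n) for n in range(0, KEYSPACE, 4)]   # 128 chains
    table = build_table(starts)
    print("end points stored:", len(table), "of", KEYSPACE, "passwords")
    print("coverage:", coverage(table))
    print("H('aaa') ->", lookup(table, H("aaa")))
```

Storing 128 end points instead of 512 full entries costs some coverage and some extra hashing at lookup time; that is the trade-off the name refers to. Note that `lookup` takes only the raw hash, so a per-user salt would require a separate table per salt.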
DNA Attack - Known as the Distributed Network Attack (DNA), this uses the power of parallel
processing. A DNA client is downloaded to a group of hosts whose owners wish to participate in the group effort. A
section of the possible combination space is assigned to each client, which works on the computations in the
background or during idle time.
An interesting fact to remember is that increasing the character set or the length has a huge effect on how long
it takes an attacker to crack a password. Lengthening a password by one character multiplies the number of
possibilities by the size of the character set (26 for lower-case letters only, 62 for mixed-case letters and
digits, 95 for printable ASCII), because each position can take any of those values; widening the character set
multiplies the space at every position at once.
Obtaining Password Hashes
Hashes can be obtained through network sniffing or by copying them from the stored database. Tools such as
fgdump or pwdump can extract them from a remote machine, but the attacker needs privileged credentials to do so.
Physical access to the machine is another route. Even more effective is to boot the host into an alternate
operating system, bypassing all local controls. Ophcrack, a Linux-based live CD, is such a distribution: it is
designed specifically for this purpose and integrates with a variety of rainbow tables that understand how the most
common operating systems store passwords.
The common credential formats encountered on Windows hosts, and how each is derived, are:
- LM (LAN Manager)
- This uses DES in ECB mode (Data Encryption Standard in Electronic Code Book mode).
- Upper-cases the password and divides it into two halves of seven characters each. Each half becomes a 56-bit
DES key that encrypts a fixed string, and the two results are stored.
- If a password is seven characters or shorter, the second half consists entirely of NULL characters and
produces the same well-known result every time, which immediately reveals that the password is short.
- Passwords longer than 14 characters cannot be stored as LM credentials. Fourteen NULL characters
are used instead and always produce the same result.
- NTLMv2 (NT LAN Manager Version 2)
- The stored NT hash is MD4 over the UTF-16LE password, unsalted and case-sensitive (the same hash earlier NTLM
versions use).
- Authentication is a challenge-response protocol: the response is an HMAC-MD5, keyed with a value derived from
the NT hash, over the server's challenge and client-supplied data.
- It is still commonly used for hosts that do not belong to a domain.
- Kerberos
- This protocol was developed at MIT and is implemented in many operating systems, each with its own
variations.
- Pre-authentication data (a timestamp encrypted with a key derived from the user's password) is sent when the
client first authenticates; if sniffed, it can be attacked off-line by guessing the password.
- It cannot defend against the user credentials being compromised locally.
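As an added example, not code from the original page or from Microsoft's implementation, the following Python computes the NT hash (MD4 over the UTF-16LE password) and an NTLMv2 proof (HMAC-MD5 keyed with NTOWFv2, which is itself HMAC-MD5 of the upper-cased user name and domain keyed with the NT hash), then shows how a sniffed challenge/response pair is cracked off-line by guessing. MD4 is implemented in pure Python because OpenSSL-backed `hashlib` builds commonly disable it as a legacy algorithm; the server challenge, client blob and candidate list are constructed values, not a real capture.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled as 'legacy'."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64) + struct.pack("<Q", bit_len)
    rounds = (  # (boolean function, word order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles: the next step updates the old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1): MD4 over the UTF-16LE password. No salt, case preserved."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 of upper-cased user name + domain, keyed with the NT hash."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def ntlmv2_proof(password: str, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr, the first 16 bytes of the NTLMv2 response: HMAC-MD5 over the
    server challenge and the client blob (timestamp, client nonce, target info)."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + client_blob,
                    hashlib.md5).digest()


def crack_ntlmv2(user, domain, server_challenge, client_blob, proof, candidates):
    """Off-line attack on a sniffed exchange: challenge, blob and proof all travel
    in the clear, so each guess costs one MD4 plus two HMAC-MD5 computations."""
    for cand in candidates:
        if hmac.compare_digest(ntlmv2_proof(cand, user, domain, server_challenge, client_blob), proof):
            return cand
    return None


# Constructed exchange (values invented for the example, not a real capture):
# an 8-byte server challenge and a minimal client blob with the header bytes,
# a zero timestamp, an 8-byte client nonce and an empty target-info list.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = (b"\x01\x01" + b"\x00" * 6      # RespType, HiRespType, reserved
               + b"\x00" * 8                   # timestamp
               + b"\xaa" * 8                   # client challenge (nonce)
               + b"\x00" * 4                   # reserved
               + b"\x00" * 4)                  # empty AV_PAIR list (MsvAvEOL)

if __name__ == "__main__":
    captured = ntlmv2_proof("Password", "User", "Domain", SERVER_CHALLENGE, CLIENT_BLOB)
    print("NT hash:", nt_hash("Password").hex())
    print("recovered:", crack_ntlmv2("User", "Domain", SERVER_CHALLENGE, CLIENT_BLOB,
                                     captured, ["password", "Summer2020", "Password"]))
```

Two practical points follow from the code. The NT hash has no salt, so a table of MD4(UTF-16LE(word)) works against every account on every machine; and the v2 response is only as strong as the password behind it, because an eavesdropper on the exchange needs nothing secret to test guesses. Note that "password" does not match "Password": unlike LM, the NT hash is case-sensitive.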
Privilege Escalation and Eavesdropping
Privilege Escalation
There are three types of privilege escalation.
- Vertical - A lower privilege is promoted to a higher privilege.
- Horizontal - Access is gained to another account at the same privilege level.
- De-Escalation - A user performs functions at a downgraded level.
At this stage of the attack, the attacker wants to gain and maintain access to any target that will provide the
best advantage. The best host will have either better access, important data or user accounts that have high
privileges.
Sometimes an attacker can convince a user to click a link in an e-mail that takes the user to a website containing
code that exploits their browser. There is also a chance that the user is browsing while logged on in an
administrator role; this is the case over 95% of the time with home users. Additionally, laptops that users take
home and bring back to work are a great find for the attacker.
Creating an administrator account is not always necessary. It can benefit the attacker to create a normal user
account and then run certain applications from it with escalated privileges.
Key-loggers
Key-loggers can be either software or hardware. Software key-loggers are mostly part of a larger surveillance package.
Hardware key-loggers are for the most part undetectable other than by visual inspection. They are usually inexpensive
and easy to use: one sits between the keyboard connector and the PC and resembles a noise filter. Once retrieved,
the attacker plugs it into their own machine and types the device's unlock keystroke sequence to retrieve its
contents. The only real challenge is the attacker's ability to gain physical access to install and remove the
key-logger.
Spyware
At times the line between attack tools, hacking tools and justifiable spying is not clear at all. People who
want to observe their teens, spouses or employees create a market that guarantees the malware we have to
deal with will not only thrive but develop further; these conflicting values fuel the spyware market.
The Trojan horse plays on the appeal of convenience products and is probably the most powerful example of
this technique. Spyware is favored by hackers and shows no sign of going away.
Rootkits
Rootkits are malware that give the attacker control over the operating system. To hide their processes, a variety
of techniques are used, such as intercepting system calls and modifying authentication services. The goal is for
the attacker to maintain persistent, hidden access to the target. Rootkits do not themselves provide administrative
access; by this phase the attacker should already possess those rights, since installing one requires them.
A rootkit is a collection of files that replace existing system binaries. After the operating system has been
modified, the rootkit files allow ordinary users to perform privileged activities through backdoors that are hidden
from detection.
Kernel-level rootkits are the most common type seen. Many operating systems, such as Linux, use Loadable Kernel
Modules (LKMs), which allow code such as device drivers to be installed and removed as needed. This architecture can
be used by a rootkit to install itself so that it operates at Ring 0, the most privileged protection level.
When malicious code operates at the same level as the kernel, it can intercept calls made by scanners and avoid being
detected. It can also disguise itself as a legitimate service. Because of this, some anti-virus products have to
install rootkit-like kernel components of their own, as some malware will attempt to disable them.
User-mode rootkits on Windows target Dynamic Link Library (DLL) files, drivers and installed applications, loading
their code into other processes; this is known as DLL injection. Hypervisor rootkits modify the boot sequence of an
operating system: they start a virtual machine and run the local operating system inside it. By doing so, the rootkit
completely wraps around the operating system and controls everything it sees, including the hardware.
Once a rootkit has established itself, the system is considered untrustworthy. Cleaning a rootkit out takes skill
and persistence, and even then it is difficult to verify that the system has been restored. The only reliable
method of removal is to rebuild the system.
Covering Your Tracks
Covert storage of data, processes and activities was discussed earlier, and covert channels can employ hidden
processes, encrypted network traffic, or store-and-forward methods that bypass filters and detection controls, but
this is not always necessary. Sometimes it is good enough to stay under the radar and delete files before leaving
the system, and this is what many attackers do. Bear in mind that clearing logs is itself an event a defender can
alert on, so the cautious attacker prefers not to generate the entries in the first place.
Obviously, the best way to avoid being caught is to avoid doing things that attract attention, but the attacker
must do this while still achieving the goals set. With patience and discipline, he or she can remain undetected
simply by not drawing attention to their activities.
Steganography
Steganography And Encryption
The act of hiding information inside other information is known as steganography, whereas encryption
is about obscuring the meaning of data. The difference is that encryption does not try to hide: good encryption
looks like a random set of characters, which can be hard to interpret but is usually easy to spot.
Steganography, on the other hand, does not draw attention to itself. Without sophisticated analysis it is almost
impossible to tell that a message has been hidden inside another file, a file that is in plain view of the target.
By combining steganography and encryption, the attacker gets a powerful way to store and move data with
confidentiality (and, if an authenticated encryption mode is used, integrity) in a way that is often completely
undetectable.
Alternate Data Streams
A feature of the Microsoft NT File System (NTFS) is the Alternate Data Stream (ADS). Files on NTFS are listed in
the Master File Table (MFT), and the data for all file attributes is stored there: for example, the name of a file
is held in the $FILE_NAME attribute and the $DATA attribute holds the file's contents. When a file is too large to
fit in its MFT record (each record is typically 1024 bytes), the $DATA attribute becomes non-resident and the record
stores pointers to the clusters that hold the data.
Apple's Hierarchical File System (HFS) gives every file two forks, a data fork and a resource fork, and
applications written for it expect to read both. This created an incompatibility with NTFS, which originally
offered only one data stream and accessed attributes differently.
Microsoft solved the problem by letting an NTFS file carry additional named $DATA streams, but Windows Explorer
does not display them. A scan of a hard drive that relies on Windows Explorer will miss alternate data streams
entirely, although dir /R at the command prompt lists them. Another thing to remember is that alternate streams
only survive NTFS-aware transport: copying a text file that carries one to a FAT-formatted flash drive, or sending
it as an e-mail attachment, loses the alternate stream; copying between NTFS volumes keeps it.
Hiding Data Within Media Files
There are many ways to hide data inside another file. Binaries can be encoded into a character format (base64, for
example) and then embedded as string data.
Text files that use a markup language to describe their structure can carry hidden data outside the root
container, or inside it in places the markup does not define, where a parser will simply ignore it.
By taking advantage of the way lossy compression works, messages can be hidden inside music and video files.
The data is hidden in the distortion that naturally occurs when an audio signal is converted to a lower bit rate,
kept below the audible threshold so that it does not affect how the media sounds.
It is equally simple to hide data within image files, and it works best on detailed images such as trees with
leaves next to a stream, where small changes are lost in the natural noise. Each pixel is represented by bytes of
data: an image with 256 possible colors needs only one byte per pixel, and 16 million colors need three. The least
significant bit (LSB) of each byte is overwritten with the next bit of the message, changing that sample's value by
at most one, which the eye cannot see.
There are two drawbacks, though. First, the file size does not change, so size alone gives nothing away, but if a
hash of the original image can be compared with the encoded image, it will be discovered that the file has changed.
Second, "lossy" compression is a problem: re-compressing an image that has already been encoded destroys data, and
if the message was encrypted first, even a few flipped bits can make it impossible to recover.
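As an added example (not code from the original page), the following Python embeds and extracts a message in the least significant bits of a constructed RGB sample buffer, and demonstrates both drawbacks: the size is unchanged while the hash differs, and every sample moves by at most one. The pixel pattern and message are invented; a real image would be decoded with an image library into the same kind of raw byte buffer before calling `embed`.

```python
import hashlib


def _bits(payload: bytes):
    """Yield the payload's bits most-significant first."""
    for byte in payload:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def embed(pixels: bytes, message: bytes) -> bytes:
    """Write the message into the LSB of successive sample bytes, preceded by a
    4-byte big-endian length so the extractor knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small: need one sample byte per message bit")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit      # clears the LSB, sets it to the message bit
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Reassemble bytes from the LSBs: first the length header, then the body."""
    def read(n_bytes: int, offset: int) -> bytes:
        value = bytearray()
        for b in range(n_bytes):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[offset + b * 8 + k] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def max_sample_change(original: bytes, suspect: bytes) -> int:
    """Largest per-byte difference: LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(original, suspect))


def detect_by_hash(original: bytes, suspect: bytes) -> bool:
    """The defender's check from the text: same length, different digest."""
    return (len(original) == len(suspect)
            and hashlib.sha256(original).digest() != hashlib.sha256(suspect).digest())


# Constructed cover: 64x48 RGB samples with a deterministic pattern standing in
# for a real raw pixel buffer (no image library needed).
COVER = bytes((i * 37 + 11) % 256 for i in range(64 * 48 * 3))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at dawn")
    print(extract(stego))
    print("size unchanged:", len(stego) == len(COVER),
          "hash differs:", detect_by_hash(COVER, stego),
          "max change:", max_sample_change(COVER, stego))
```

The length header is what makes extraction deterministic; without it the extractor would have to guess where the message ends. Any lossy re-encoding of the stego buffer rewrites these low-order bits wholesale, which is the second drawback in practice.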
Other Hiding Places
Physical steganography has been around for centuries. Messages have been hidden behind paintings and placed into
ads posted in the classified section of a newspaper. Additionally, the printing industry commonly uses watermarks
to hide data that allows documents to be tracked and authenticated. Manufacturers of color printers embed a pattern
of yellow dots throughout documents that identifies the manufacturer and serial number of the printer that produced
the image.
Even on physical storage devices there are several places where data can be hidden. Using forensic tools, these
places are easily examined. The locations are:
- RAM Slack - The space between the end-of-file marker and the end of the sector.
- File Slack - The space between the end-of-file marker and the end of the cluster.
- Inter-Partition Gaps - Unallocated hard drive capacity between partitions.
- White Noise Volumes - Encrypted data hidden within large areas that look like fragments or noise
left over from previous files.