Introduction

System Hacking Interesting user information and accounts might have been discovered during the enumeration phase of the attack. If the attacker cannot be accessed directly during the attack, the next step is to find a way to get the target to reveal more information about itself. This can be done in by simple social engineering a victim into installing an illicit server or convincing them to click a link to a browser drive-by exploit.

For the white hat, hacking involves much more activity than this. Troubleshooting and other problem solving skills are developed. This and a greater awareness of security threats, the white hat can discover and thwart any illicit entrance into the network.

Password Cracking

The easiest form of authentication and least expensive to set up is the humble password. They are also exposed to a number of different attack techniques. Achieving the balance of the risks involved lies within the challenge of using password protection.

Password cracking is a combination of both an art and a science. At times a password is simply not practical to crack. However, there is a problem at times managing this form of credential, so there might be a weakness that can be exposed. Many times the default passwords have not been change or weak passwords are in use that are protecting both user and network resources.

The Four Approaches To Password Cracking

There are four types of password cracking attacks:

  • Passive Online Attacks
  • Active Online Attacks
  • Off-line Attacks
  • Non-Technical Attacks

Passive Online Attacks - This form of attack involves sniffing passwords form the network traffic. Over the years this has become more difficult on an Ethernet network due to hubs being replaced by switches. However, on a wireless network this attack is more effective since wireless networks have a hub-like environment.

Active Online Attacks - An example of this attack is the Man In The Middle (MiTM) attack. This attack captures credentials between two or more target hosts. The most likely vector would be the Address Resolution Poisoning (ARP) attack, but the attacker must have control of a host in the broadcast domain to make it work.

Attacks that have become more difficult over time are Session Hijacking and Replay Attacks. Session Hijacking is now more difficult due to the changes made to protocol implementations that make the many steps required more difficult to accomplish. Replay attacks involve sniffing a login sequence from the network wire and resending those packets to the server at a later time. Reply attacks are mitigated by the use of multi-factor authentication, time-stamps and challenges that can be associated with each captured packet thus rendering them unplayable at a future time.

Strangely, the most efficient and effective active online attack is a simple password guessing. To do so, the attacker would have to perform a complete reconnaissance and enumeration, gathering steps in order to know where guessing has the best chance possible.

Knowing something about the target is useful in a guessing attack. The password might be based on something like a hobby or interest. If cognitive passwords (answers to pre-chosen questions that must be provided,) is in use, guesses will be more accurate. All of this information can be added to a dictionary file if automating the guessing attack is used.

Document Grinding is the process of obtaining documents and parsing into dictionary word lists. The technique is effective if internal users are using internal jargon, for example, systems, departments or processes as a basis for their passwords. Users might even use password examples given in security policy manuals.

A pass-phrase is an advanced form of dictionary. It is easy to remember an entire sentence and then use carefully chosen letters in that sentence as the password.

Off-line Attacks - Though this practice happens more than you would think, passwords are stored in plain text. Usually they are placed through a hashing algorithm and the result of that calculation is stored. The way to avoid the same password always producing the same has result, a salt value is added to the hashing calculation. This salt works by generating a one-time value generated differently depending on the implementation. If an attacker can obtain a database of the hashes for each user of a system, they would also have to know something about how the salt is implemented.

Non-Technical Attacks - This involves social engineering. Strangely enough using human nature, one of the easiest ways to obtain information is to simply ask the target for it. Another method employed is shoulder surfing. This is accomplished by merely making a visual observation while a target is entering their credentials. Other methods are to install a WiFi connected camera hidden in a strategic location and to observe the keystrokes remotely.

Key-loggers can be obtained from sources on the INternet and are relatively easy to install. A key-logger can record every keystroke and can provide the attacker with a report that is easily searched. Though key-loggers are undetectable through software controls, they still require physical access to install and remove.

Another common off-line attack it to create a bogus website that is very similar to an actual website your targets frequent. By having the target log in with their credentials, the attacker can gain some valuable information from the target.

Password guessing is also applicable here as a non-technical attack as well. Technical documentation might have example passwords listed in these documents that users my use.

Password Recovery From Hashes

Hashing algorithms are used for data comparison. For example, if you have several files that are all of the same size, and you want to compare them to see if they are the same or not, the easiest way is to hash them and compare the results. If the same digest is produced, they are exactly the same.

The basic method behind the hash is that a message digest of string data is calculated producing a fingerprint that represents the data, however it does not reveal what the data string is. It is impossible to reverse the hash.

Passwords are stored as hashes. While the password cannot be guessed from a hash, it can still provide the credentials used at login time and is the same as what was selected in the past to be the password.

Several methods can be used to recover passwords. It is not about reversing the hash but about finding a value that produces the same fingerprint and hoping the system will accept that credential. This is known as collision and is a primary weakness of hashing algorithms.

Common Password Cracking Attacks

Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common practice is the brute-force attack. This attack is to make repeated guesses for the password and check them against an available cryptographic hash of the password.

One purpose of password cracking might be to help a user recover a forgotten password. This can be accomplished by installing an entirely new password is less of a security risk, however this action means a user with System Administration privileges. An attacker's motives however are different. They wish to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords.

There are other common password cracking attacks. These include:

  • Dictionary Attack
  • Syllable Attack
  • Rule-Based Attack
  • Hybrid Attack
  • Off-line Brute Force Attack
  • Rainbow Attack
  • DNA Attack

Dictionary Attack - This is to obtain a list of words that are hashed and compare these words with captured hashes.

Syllable Attack - Phonics or portions of words can be combined together and hashed instead of using full words.

Rule-Based Attack - In this attack rules are created. These rules are, for example, substitute character s or S with $. Regular expressions can be used in powerful ways to perform these substitutions on strings of dictionary or syllable attack variations.

Hybrid Attack - This attack is a combination of the above attacks but with something extra. Characters will be transposed or shifted and the case can be flipped. A couple of examples are: @ssw0rdP, P@SSw0Rd or Dr0Wss@p, etc.

Off-line Brute Force Attack - This attack uses different random combinations. The difficulty in performing this attack lies in selecting an appropriate character set.

Rainbow Attack - To carry out this attack, a rainbow table is used. This technique is used to solve the time-memory trade off problem. Here is an example.

Lets say it takes 118 years to brute force one hash. Think about having to start all over again for the next hash. Since the hard work has been accomplished, why not store the hashes in a look-up table as they are computed. With this method, each subsequent hash crack would take only seconds.

DNA Attack - Known as the Distributed Network Attack (DNA), it involves using the power of parallel processing. Upon a group of DNA hosts, a DNA client is downloaded. These hosts wish to participate in this group effort. A section of possible combination space is downloaded to each client that will work on the computations in the background or during idle time.

An interesting fact to remember is that by increasing the character set you can have a huge effect on how long it would take an attacker to crack a password. If you lengthened a password by only one character, it would increase the possibilities by the power of 8 because each bit doubles the space and a single character is 8 bits in length.

Obtaining Password Hashes

Hashes can be obtained through network sniffing or by copying them from a stored database. Some tools, such as FGDump or PWdump can be used to access these databases from remote locations, however the attacker would need privileged credentials to do so. There is also the physical access to a machine. Even more preferable would be to boot the host machine into an alternate operation system thus bypassing all local controls. A Linux based distribution, Ophtcack is such a distribution. It is designed specifically for this purpose and integrates easily with a variety of rainbow tables that understands the ways most common operating systems store passwords.

There are other algorithms used for obtaining password hashes. These are:

  • LM (LAN Manager)
    • This uses DES in ECB mode, (Data Encryption Standard in Electronic Code Book Mode.)
    • Divides every password into two halves of seven characters each. This results in two 56 bit keys that encrypt a static string and the result is stored.
    • If a password is shorter than the seven characters, the second half will always be NULL characters and will produce the same result every time.
    • Passwords longer than 14 characters cannot be stored as LM credentials. Fourteen NULL characters are used instead and will always produce the same result.
  • NTLMv2 (NT LAN Manager Version 2
    • Uses MD5 as the hashing algorithm.
    • Incorporates a challenge protocol that results in HMAC-MD5.
    • Is still commonly used for hosts that do not belong to a domain.
  • Kerberos
    • This protocol was developed at MIT and is implemented in many operating systems, each having its own variations.
    • It has a pre-auth key which is vulnerable to network sniffing when the client first authenticates to the server.
    • It cannot defend against the user credentials being compromised locally.

Privilege Escalation and Eavesdropping

Privilege Escalation

There are three types of privilege escalation.

  • Vertical - A lower privilege is promoted to a higher privilege.
  • Horizontal - A user of the same privilege is created.
  • De-Escalation - A User performs functions at a downgraded level.

At this stage of the attack, the attacker wants to gain and maintain access to any target that will provide the best advantage. The best host will have either better access, important data or user accounts that have high privileges.

Sometimes an attacker can convince a user to click a link in an e-mail that will take the user to a website that contains a code that exploits their browser. There is also a chance that the user will be surfing while logged on in an administrator role at the time. This happens over 95% of the time with home users. Additionally, users that have laptops at home that they bring to work are a great find for the attacker.

Creating an administrator account is not always necessary. It can benefit the attacker at times to create a normal user account and then run certain applications from it that have escalated privileges.

Key-loggers

Key-loggers can either be software or hardware. Software key-loggers are mostly part of a larger surveillance package. Hardware key-loggers are for the most part undetectable outside of a visual inspection. They are usually inexpensive and easy to use. It can sit between the keyboard connector and the PC and resembles a noise filter. Once retrieved, the attacker can install it on their own machine and the keystroke sequence to retrieve its contents. The only real challenge is the attacker's ability to gain physical access to install and remove the key-logger.

Spyware

At times the line between attacking tools, hacking tools and justifiable spying is not clear at all. People who want to observe their teens, spouses or employees create a market that will guarantee that malware we have to deal with will not only thrive but develop further. The paradoxical values fuel the market behind spyware.

The Trojan horse plays on the subjectivity of convenience products and is probably the most powerful example of this technique. Spyware is favored by hackers and show no signs of going away.

Rootkits

Rootkits are malware that gives the attacker control over the operating system. To hide the processes, a variety of techniques are used such as intercepting system calls and modifying authentication services. The goal is to maintain physical access of the target by the attacker. Initially, rootkits do not provide administrative access; by this phase, the attacker should already possess these rights.

The rootkit is a collection of files that replace existing system binary files. After the operating system has been modified, the rootkit files will allow regular users to perform privileged activities through backdoors that have been hidden from detection.

Kernel level rootkits are the most common type of rootkits seen. Many operation systems, such as Linux, use Loadable Kernel Modules (LKMs). They allow code such as device drivers to be installed and removed as needed. This architecture can be used by a rootkit to install itself in a way that allows it to operate at Ring 0 which is the most privileged protection level.

When malicious code operates at the same level as the kernel, it can intercept calls made by scanners to avoid being detected. It can also disguise itself as a legitimate service. Because of this, some anti-virus products have to install rootkits of their own functionality as some malware will attempt to disable it.

LKMs will target Dynamic Link Libraries (DLL) files as well as drivers and install applications. This is known as .dll injection. Hypervisor rootkits modify the boot order of an operation system. They can start a virtual machine and run the local operating system within it. By doing so, the rootkit completely wraps around the operation system and has complete control over everything, including hardware.

Once a rootkit has established itself, the system is then considered untrustworthy. To clean a rootkit out, it takes skill and persistence, but even then it is difficult to verify that the system has been restored. The only true method of removal is to rebuild the system.

Covering Your Tracks

Though it was discussed about covertly storing data, processes and activities, and though covert channels can employ hidden processes, encrypted network traffic or ways to store and forward information while bypassing filters and detection controls, sometimes this is not always necessary. Sometimes it is merely good enough to stay under the radar and delete files before leaving the system, and this is what many attackers do.

Obviously, the best way to avoid being caught is to avoid doing things that attract attention, but the attacker must do this while still achieving the goals set. Therefore, if the attacker has patience and discipline, he or she can remain undetected by not drawing attention to their activities and no one will pay enough attention to notice their activities.

Steganography

Steganography And Encryption

The act of hiding information inside other information is known as steganography, whereas encryption is about obscuring the meaning of data. The difference between the two is that encryption doesn't try to hide and good encryption looks like a random set of characters, can be hard to notice but usually can be seen.

Steganography on the other hand does not draw attention to itself. Without the use of sophisticated analysis, it is almost impossible to tell that a message has been hidden inside another file, a file that is plain view to the target.

By using a combination of steganography and encryption, the attacker can create a powerful way to store and move data with confidentiality and integrity in a way that is often completely undetectable.

Alternate Data Streams

A feature supported in the Microsoft NT File System (NTFS) is the Alternate Data Stream (ADS). Files in the NTFS are listed in the Master File Table (MFT) and the data for all file attributes is stored there. For example, the name of a file is $NAME and the $DATA is the contents of the file. Should the file bee to large to fit into the MFT, since each entry is 1024k, then pointers called external attributes are stored in the $DATA stream.

Other operation systems using High Performance File System (HPFS) gives every data file two data streams. Applications written for those systems can pull meta-data both data streams. This makes an incompatibility issue with systems running NTFS since only one data stream is available and attributes are accessed differently.

Microsoft solved this problem by giving NTFS a way to support a second data stream, but unfortunately, Windows Explorer does not see the two streams. Scanning a hard drive that depends on Windows Explorer will miss the alternate data stream entirely. Another thing to remember is that alternate stream data is not meant to be moved. If you copy a text file, for example, with an alternate stream to a flash drive or send it as an attachment in an email, the alternate data stream is lost in the copy.

Hiding Data Within Media Files

There are ways to hide data inside another file. Binaries can be encoded into character formats and then embedded as string data.

Text files, for example, use a markup language to describe the structure of the data within a file. Data can be hidden outside of the root container or within the root container but not within other markup.

By taking advantage of the way compression algorithms work, messages can be hidden inside music and video files. The data is hidden in the distortion that naturally occurs when converting an audio signal into a lower bitrate. This is done in such a way that the audible threshold is not exceeded. By doing this, the data will not affect how the media sounds.

It is equally as simple to hide data within image files and works best on detailed images such as trees with leaves next to a stream. Each pixel is represented by bits of data. If the image has 256 possible colors, only one byte per pixel is needed. For 16 million colors, three bytes are required. The Least Significant Bit (LSB) can be either odd or even aligned with the bits of a message intended on hiding.

There are two drawbacks though. One, the file size will not change. If a hash of the original image can be compared with the encoded image, it will be discovered that the file has changed. Problem two lies with compression techniques that are "lossy." Re-compressing an image that has already been encoded will lose data. If it was encrypted first, this could make the massage impossible to achieve.

Other Hiding Places

Physical steganography has been around for centuries. Messages have been hidden behind paintings and placed into ads posted in the classified section of a newspaper. Additionally, the printing industry commonly uses watermarks to hide data that allows documents to be tracked and authenticated. Technology companies who produce color printers embed a series of yellow dots throughout documents that indicate the manufacturer and serial number of the printer that has produced the image.

Even on physical storage devices, there are several places where data is hidden. Using forensic tools, these places are easily detectable. These locations are:

  • RAM Slack - The space from the end of a file marker and the end of a sector.
  • File Slack - The space from the end of a file marker and the end of a cluster.
  • Inter-Partition Gaps - Unallocated hard drive capacity.
  • White Noise Volumes - Encrypted data hidden within large areas of data that looks like fragments or noise from previous files.