System Hacking Active System Intrusion


  • Upload
    maida


Page 1: System Hacking

System Hacking

Active System Intrusion

Page 2: System Hacking

Aspects of System Hacking

• System password guessing
• Password cracking
• Key loggers
• Eavesdropping
• Sniffers
• Man in the middle
• DoS
• Buffer overflows
• Privilege escalation
• Remote control and backdoor
• Track covering
• Hide sensitive information

Page 3: System Hacking

Password Guessing

• If NetBIOS TCP port 139 is open, guess accounts such as admin, guest, john smith (NULL passwords)

• Try connecting to shares C$ %systemdrive% admin$ guest$

Page 4: System Hacking

Password Cracking

• Manual/automatic cracking (text file lists)

• Dictionary attack

• Brute force

• Keyloggers

• Password sniffing

Legion

Cain & Abel

L0phtCrack

John the Ripper

KerbCrack

Page 5: System Hacking

Examples

• Administrator
• User
• Arcserve
• Test
• Lab
• Username
• Manager
• Temp
• ID number

NULL, password, admin administrator, user, password, backup, temp, ID

Page 6: System Hacking

Examples

• Easy to remember names

• Use the same password for many accounts

• High probability pairs

www.mksecure.com/defpw

Page 7: System Hacking

LM Manager

LM: early Windows operating systems

NTLM: NT operating systems

NTLMv2: Windows XP and 2000

(Kerberos 56bit 128bit encryption)

Page 8: System Hacking

Eavesdropping

•Packet/Port filtering

•Security scanners

NTInfoScan

Page 9: System Hacking

Countermeasures

Block TCP/UDP ports 135-139, 445 (NetBIOS network bindings)

Complex passwords

Log failed login events (event viewer EVENTS 529, 539)

Restrict rights to run system tools such as cmd.exe

Firewall

IPSec

Passprop RK (default admin no lock ability)

IDS

Page 10: System Hacking

Demo/Exercise

• Cain & Abel

• Create a user account and crack password.

Page 11: System Hacking

SMB

• Server Message Blocks

Request

Response

Page 12: System Hacking

Command line hacks

• At 15:23 /interactive cmd.exe

• Net use \\192.168.0.1\c$ * /u:administrator

Page 13: System Hacking

Vulnerabilities

• RPC

• LSASS

• Stack/Buffer overflows

• Buffer overflow attacks involve sending overly long input streams to the attacked server, causing the server to overflow parts of the memory and either crash the system or execute the attacker's arbitrary code as if it was part of the server's code. The result is full server compromise or denial of service.

• Some of the well-known Internet worms, including Code Red, Slapper and Slammer, use buffer overflow attacks to propagate and execute payloads. Buffer overflow vulnerabilities are some of the most common programming errors.

Page 14: System Hacking

Man in the Middle

SMBRelay server

Because Windows automatically tries to log in as the current user if no other authentication information is explicitly supplied, if an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user.

Page 15: System Hacking

Privilege Escalation

Gain access to a system and give yourself more privileges

PipeUpAdmin

GetAdmin.exe

Hk.exe

Sechole

Spoofing LPC

Psexec

Page 16: System Hacking

Pilfering

Grabbing information such as the SAM database NT

Active Directory %windir%\windowsDS\ntds.dit

Page 17: System Hacking

www.winhackingexposed.com

• In depth coverage of windows security and vulnerabilities

Page 18: System Hacking

Countermeasures

• Deny Log on locally

• Lock down IIS URLScan IISLockdown

• Audit Logon events

Page 19: System Hacking

Events/Database Export

• Dumpevt www.somarsoft.com

• EventCombWindows

Page 20: System Hacking

IDS

• Blackice blackice.iss.net
• Entercept www.mcafeesecurity.com
• Cisco security Agent www.cisco.com
• Sentivist www.nfr.com
• E-trust IDS www3.ca.com
• ITA enterprisesecurity.com
• Realsecure www.iss.net
• Tripwire www.tripwiresecurity.com

Page 21: System Hacking

Exercise

• Use command line tools to connect to another computer

• Filter event logs
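
One way to work the "filter event logs" exercise against the failed-logon events named on the countermeasures slide (529, 539). This is an added example, not part of the original slides. The four-column CSV layout, the sample rows, the thresholds and the function name are assumptions made for illustration and do not reproduce the output format of Dumpevt or EventComb.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; hypothetical columns: time, event_id, account, source
SAMPLE_LOG = """\
2004-03-01 09:00:01,528,jsmith,WKSTN07
2004-03-01 09:14:10,529,administrator,WKSTN22
2004-03-01 09:14:11,529,admin,WKSTN22
2004-03-01 09:14:12,529,guest,WKSTN22
2004-03-01 09:14:13,529,backup,WKSTN22
2004-03-01 09:14:15,529,test,WKSTN22
2004-03-01 09:14:19,539,test,WKSTN22
2004-03-01 10:02:44,529,jsmith,WKSTN07
"""

FAILED_LOGON = "529"  # logon failure: unknown user name or bad password
LOCKED_OUT = "539"    # logon failure: account locked out


def find_guessing(log_text, min_failures=5, min_accounts=3):
    """Return {source: summary} for sources whose failures look like guessing."""
    failures = defaultdict(list)  # source -> account names tried (event 529)
    lockouts = defaultdict(set)   # source -> accounts locked out (event 539)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue              # skip blank or malformed lines
        _time, event_id, account, source = (field.strip() for field in row)
        if event_id == FAILED_LOGON:
            failures[source].append(account.lower())
        elif event_id == LOCKED_OUT:
            lockouts[source].add(account.lower())
    alerts = {}
    for source in set(failures) | set(lockouts):
        tried = failures[source]
        # Many failures spread over several account names is what walking a
        # default username/password list leaves behind in the security log.
        spread = len(tried) >= min_failures and len(set(tried)) >= min_accounts
        if spread or lockouts[source]:
            alerts[source] = {
                "failures": len(tried),
                "accounts": sorted(set(tried)),
                "locked_out": sorted(lockouts[source]),
            }
    return alerts


if __name__ == "__main__":
    for source, info in sorted(find_guessing(SAMPLE_LOG).items()):
        print(source, info)
```

A single mistyped password (WKSTN07 in the sample) stays below both thresholds, while any lockout is reported regardless of count.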