-
remember the 5 phases of attack
- reconnaissance
- scanning
- gaining access
- mantaining access
- covering tracks
-
CHM - CEH Hacking Methodology
- Footprinting
- Scanning
- Enumeration
- Vulnerability Analysis
- System Hacking
- Gaining access
- Cracking Passwords
- Vulnerability exploitation
- Escalating privileges
- Maintaining access
- executing applications
- hiding files
- Clearing Logs
- covering tracks
- Gaining access
-
GEEHC - Gaining access, Escalating privileges, Executing applications, Hiding files, Covering tracks
-
Windows authentication:
- SAM (security account manager) database
- located ad
c:\windows\system32\config\sam
- located ad
- NTLM (NT Lan Manager, the auth scheme)
- NTLM authentication protocol
- LM (Lan Manager) protocol
- the maximum password length is 14 characters
- there are no distinctions between uppercase and lowercase
- the password is split into two 7-byte halves
- this password is null-padded to 14 bytes
- Kerberos (default authentication method of Microsoft)
- KDC (Key Distribution Center)
- AS (Authentication Server)
- TGS (Ticket Granting Server)
- KDC (Key Distribution Center)
- SAM (security account manager) database
-
password cracking
- non-electronic attacks
- social engineering
- shoulder surfing
- dumpster diving
- active online attacks
- dictionary attack - a dictionary file is loaded into the cracking application that runs against user accounts
- brute-force attack - attackers try every combination of characters until the password is broken
- rule-based attack
- hybrid - it uses both a dictionary attack and brute force attack
- syllable
- password guessing
- steps:
- Find a valid user
- Create a list of possible passwords
- Rank passwords from high to low probability
- Key in each password, until the correct password is discovered
- default passwords (e.g. https://open-sez.me/)
- steps:
- trojans/spywares/keyloggers
- hash injection/pass-the-hash (PtH)
- LLMNR/NBT-NS poisoning
- user sends request to a mispelled share system X
- system responds that it does know X
- user sends LLMNTR/NBT-NS broadcast message to all local network hosts
- attacker responds that knows X, accept NTLMv2 hash and sends error message
- internal monologue - allows NTLMv1 challenge-response hashes to be obtained from the victim’s system, without injecting code in the memory or interacting with protected services such as the Local Security Authority Subsystem Service (LSASS)
- Kerberos
- AS-REP Roasting (cracking TGT)
- Kerberoasting (cracking TGS)
- Pass-the-ticket
- Other Active Online Attacks
- combinator - attackers combine the entries of the first dictionary with those of the second dictionary
- fingerprint - the passphrase is broken down into fingerprints consisting of single and multi-character combinations that a target user might choose as his/her password
- PRINCE (PRobability INfinite Chained Elements)
- toggle-case - attackers try all possible upper-case and lower-case combinations of a word present in the input dictionary
- markov-chain - attackers gather a password database and split each password entry into two and three-character syllables (2-grams and 3-grams)
- passive online attacks
- wire sniffing
- man-in-the-middle
- offline attacks
- rainbow table (to generate rainbow tables
rtgen) - DNA (Distributed Network Attack)
- perfomed using PRTL (Password Recovery Toolkit)
- rainbow table (to generate rainbow tables
- non-electronic attacks
-
password salting
-
how to defend against password cracking
-
how to defend against LLMNR/NBT-NS poisoning
-
detect LLMNR/NBT-NS poisoning
- Vindicate
- get-responded
- Respounder
-
vulnerability exploitation (vulnerability -> exploit -> payload -> remote access)
- identify
- determine the risk associated
- determine the capability
- develop the exploit
- choose between local or remote delivering
- generate and deliver the payload
- gain remote access
-
buffer overflow
- stack-based
- EBP (Extended Base Pointer) - stores the address of the first data element stored onto the stack
- ESP (Extended Stack Pointer) - stores the address of the next data element to be stored onto the stack
- EIP (Extended Instruction Pointer) - stores the address of the next instruction to be executed
- ESI (Extended Source Index) - maintains the source index for various string operations
- EDI (Extended Destination Index) - maintains the destination index for various string operations
- heap-based
- windows buffer overflow
- Perform spiking
- estabilish a connection with the target host using netcat (
nc -nv <Target IP> <Target Port>) - generate spike templates and perform spiking
- estabilish a connection with the target host using netcat (
- Perform fuzzing
- Identify the offset
- Overwrite the EIP register
- Identify bad characters
- Identify the right module
- Generate shellcode
- Gain root access
- Perform spiking
- stack-based
-
defending agains buffer overflow
-
privilege escalation
-
vertical vs horizontal
-
DLL Hijacking (using Robber or Powersploit)
-
Dylib Hijacking (Dylib Hijack Scanner and DyLibHijack)
-
by exploiting vulnerabilities
-
spectre and meltdown (and prevention)
-
named pipe impersonation (using
metasploit) -
misconfigured services
- unquoted service paths
- service object permission
- unattended installs
-
pivoting:
- Discover live hosts in the network
- Set up routing rules
- Scan ports of live systems
- Exploit vulnerable services
-
relaying
-
other techniques:
- access token manipulation
- application shimming - can be used to make the applications developed for the earlier versions of Windows OS still work on the latest version of Windows
- filesystem permission weakness
- path interception
- scheduled task
- launch daemon
- plist modification
- setuid and setguid
- webshell
- abusing sudo rights
- abusing SUID and SGID permissions
- kernel exploits
-
privilege escalation prevention
- Restrict interactive logon privileges
- Run users and applications with the lowest privileges
- Implement multi-factor authentication and authorization
- Run services as unprivileged accounts
- Implement a privilege separation methodology to limit the scope of programming errors and bugs
- Use an encryption technique to protect sensitive data
- Reduce the amount of code that runs with a particular privilege
- Perform debugging using bounds checkers and stress tests
-
-
maintaining access
-
malicious program
- backdoors
- crackers
- remote code execution techniques
- exploitation for client execution
- web-browser-based
- offline-application-based
- third-party-application-based
- scheduled task
- service execution
- windows management instrumentation (WMI)
- windows remote management (WRM)
- exploitation for client execution
- keylogger
- hardware
- PC/BIOS embedded
- keyboard
- external
- PS2/USB
- Acustic/CAM
- Bluetooth
- Wi-Fi
- software
- application
- kernel/rootkit/device driver
- hypervisor-based
- from grabbing
- javascript-based
- memory injection based (bypass UAC in windows systems)
- hardware
- spyware
- propagation
- drive-by download (e.g. advertisement)
- masquerading as anti-spyware
- web browser vulnerability exploits
- piggybacked software installation
- browser add-on
- cookies
- types:
- desktop
- internet
- child-monitoring
- screen-capturing
- usb
- audio
- video
- telephone
- gps
- propagation
-
hiding files
- rootkits (hide itself and get system root)
- types:
- hypervisor-level
- hardware/firmware
- kernel level
- boot loader level
- By attaching itself to the master boot record in a hard drive and changing the machines boot sequence/options Windows 7 boot record never has the opportunity to determine something is wrong.
- application level/user mode
- library level
- popular rootkit
- Lojax
- Scranos
- Horse pill
- Necurs
- detecting types:
- integrity-based
- signature-based
- heuristic/behaviour based
- runtime execution path profiling
- cross view-based
- alternative trusted medium
- analyzing memory dumps
- anti-rootkit
- GMER
- how to defend against rootkits
- use POLP (principle of least privilege) - is the practice of limiting access rights for users, accounts and computing processes to only those needed to do the job at hand.
- types:
- NTFS data stream
- create
c:\>notepad myfile.txt:lion.txtc:\>notepad myfile.txt:tiger.txt
- manipulation
C:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exeC:\>mklink backdoor.exe Readme.txt:Trojan.exeC:\>backdoor
- how to defend
- move file to FAT partition
- file integrity checker
- Stream detector, LADS, ADS detector
- real-time antivirus enabled and updated
- create
- steganography
-
Spread Spectrum Techniques - In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of code (independent of data), and the receiver uses a synchronized reception with the code to recover the information from the spread spectrum data.
-
Transform Domain Techniques - The transform domain technique hides the information in significant parts of the cover image, such as cropping, compression, and some other image processing areas.
-
Substitution Techniques - In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message.
-
Distortion Techniques - In this technique, the user implements a sequence of modifications to the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message.
-
attacks
- Chosen-message: generates stego objects from a known message using specific steganography tools in order to identify the steganography algorithms.
- Chi-square: The attacker performs probability analysis to test whether a given stego object and original data are the same or not.
- Known-cover: The attacker compares the stego-object and the cover medium to identify the hidden message.
- Distinguishing Statistical: The attacker analyzes the embedded algorithm used to detect distinguishing statistical changes along with the length of the embedded data
-
- rootkits (hide itself and get system root)
-
Clearing Logs
- covering tracks
- disabling audit (
auditpol) - clearing logs
- clear_event_viewer_logs file
- event viewer in windows
SECEVENT.EVTto manipulate windows log files/var/login linux
- manipulating logs
- clear or
shredbash_history history -c
- clear or
- covering tracks on the network
clearevin meterpreter session
- covering tracks on the OS
- deleting files
- disabling windows functionality
- TCP parameters can be used by the attacker to distribute the payload and to create covert channels
- disabling audit (
- covering tracks
-
-
Internet covert channel - is the digital equivalent of a briefcase with a secret compartment that a spy might use to slip sensitive documents past security guards into or out of a secure facility. An attacker can use Internet covert channels to transmit sensitive documents unobserved, bypassing network security measures.
- oxid
- responder (python script)
- mimikatz
- pwdump7
- ollydbg
- powershell empire
- ntdextract
- john the ripper
- hashcat
- hydra
- medusa
- rainbowcrack
- fu (rootkit to hide process from process manager)
- adspy
- shred command to shredding the history
- responder (for LLMNR/NBT-NS poisoning attack)
- password recovery toolkit
- privilege escalation tools
- beroot
- linpostexp
- DDL and Dylib hijacking
- dependency walker
- dylib hijack scanner
- spectre and meltdown](https://meltdownattack.com/)
- spectre - Spectre vulnerability is found in many modern processors such as AMD, ARM, Intel, Samsung, and Qualcomm processors. This vulnerability leads to tricking a processor to exploit speculative execution to read restricted data. The modern processors implement speculative execution to predict the future and to complete the execution faster.
- meltdown - This is found in all the Intel processors and ARM processors deployed by Apple. This vulnerability leads to tricking a process to access out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution
- tools
- InSpectre
- Spectre & meltdown checker
- executing application
- remoteExec
- keyloggers
- spyrix
- refog mac
- ant-keylogger
- zemana antilogger
- guardedid
- spyware
- spytech spyagent
- powerspy
- covering tracks
- CCleaner