Cracking passwords



System Hacking

Hacking a system is done in three steps:

- Gain access
- Maintain access
- Clear logs

Attackers first collect enough information to gain access to the system. Usually this is a low-privileged account, which they use to access the system and then escalate their privileges to admin level. Once they have the right privileges, their goal is to maintain access for as long as possible, during which time they execute malicious programs, steal information, or simply tamper with the system. After they are done with their attack, attackers hide their tracks by modifying the system logs.

The objectives of system hacking are to:

- Gain access to the target system
- Escalate privileges
- Execute applications
- Hide files
- Cover tracks

Cracking passwords

Cracking passwords refers to recovering passwords from data transmitted or stored on computer systems. Password cracking has four categories, based on the attack used:

- Non-electronic attacks
- Active online attacks
- Passive online attacks
- Offline attacks

Non-electronic attacks

Non-electronic attacks do not require the attacker to have any technical knowledge about cracking passwords. Attacks of this type include dumpster diving, shoulder surfing, and social engineering.

Dumpster diving

Dumpster diving is a technique which requires going through the target's trash bins, printer trash bins, and work desks, looking for notes or anything that can help in cracking the password.

Shoulder surfing

Shoulder surfing refers to observing the target while they type in their passwords, that is, looking at their keyboard or screen.

Social engineering

Social engineering requires the attacker to interact with the target and trick them into revealing their passwords.

Active online attacks

Active online attacks require the attacker to communicate with the target machine in order to crack the password.

Dictionary attack

A dictionary attack loads a dictionary file into a password cracking program, which then checks the passwords against user accounts. The contents of the dictionary are commonly used passwords.

Brute force attack

A brute force attack requires the attacker to run through every combination of characters until the password is cracked.

Rule-based attack

A rule-based attack is used when the attacker has some information about the password, such as its length or whether it contains digits. In this attack, the attacker combines several other attacks to crack the password. Some of the attacks used are brute force, dictionary, and syllable attacks.

Password guessing

Password guessing requires the attacker to manually attempt to log into the target's machine. In this attack, the attacker uses all the information they have gathered about the target to create a list of possible passwords and then tries each password on the target's machine. The steps of this attack are as follows:

- Find the target's username
- Create a password list
- Sort the passwords by probability
- Try each password

Attackers sometimes attempt to gain access by using the default passwords set by manufacturers. These default passwords are included in the dictionary list.

Trojan/spyware/keylogger

Attackers install trojans, spyware, and keyloggers so that they can obtain the target's passwords and usernames. Trojans are programs designed to collect information from the target's machine or even harm the system. Such programs allow attackers to remotely access the machine and perform malicious activities. Spyware programs are also designed to collect secret information. Keyloggers are designed to record the target's keystrokes and store them in files which are then sent to the attacker. All these programs run in the background and are sometimes difficult to detect.

Hash injection

A hash injection attack targets systems that use hash functions for user authentication. In that case, attackers first retrieve the hashes stored in a database, find the hash that belongs to the user, and then use that hash to create an authenticated session.

LLMNR/NBT-NS poisoning

LLMNR stands for Link-Local Multicast Name Resolution, and NBT-NS stands for NetBIOS Name Service; they are the two main Windows OS components that perform host name resolution. The vulnerability exists when DNS fails to resolve a name query: the host then sends a UDP broadcast message to other hosts, asking them to authenticate themselves. This allows an attacker to listen for such broadcast messages and trick the host into establishing a connection. Once the connection is established, the host sends its username and NTLMv2 hash, which the attacker can attempt to crack and in this way discover the password.

Passive online attacks

Passive online attacks do not require the attacker to communicate with the target machine. Instead, the attacker monitors the communication channel and records the traffic data, which is later used to break into the system.

Wire sniffing

Wire sniffing is an attack in which attackers sniff credentials by capturing packets as they are transmitted. During the packet transmission, attackers are able to capture packets and extract sensitive information such as passwords and emails and thus gain access to the target system.

Man-in-the-middle attack

A man-in-the-middle attack is an attack in which the attacker gains access to the communication channel between the target and the server. The attacker is then able to extract the information and data they need to gain unauthorized access.

Replay attack

A replay attack involves using a sniffer to capture packets and authentication tokens. Once the relevant data is extracted, the tokens are placed back on the network in an attempt to gain unauthorized access.

Offline attacks

Offline attacks are attacks in which the attacker tries to guess a password from a hash dump.

Rainbow table attack

A rainbow table is a table of word and brute force lists and their hashes. The attack requires the attacker to create a rainbow table prior to the attack, and then use the information from the table to crack the password.

Distributed network attack

A distributed network attack utilizes the processing power of machines on the network in order to decrypt the password. This attack is used for recovering passwords from hashes. It works by installing a DNA manager in a central location, from which it is possible to coordinate the attack by allocating portions of the key search to machines on the network.

Escalating privileges

Escalating privileges refers to taking advantage of operating system and software vulnerabilities which enable the attacker to gain admin privileges. Becoming an admin on the target system allows the attacker to perform all sorts of malicious activities.

There are two types of privilege escalation:

- Horizontal privilege escalation: acquiring the privileges of the same level
- Vertical privilege escalation: acquiring higher privileges

Windows applications are often vulnerable because they fail to supply a fully qualified path for a DLL library that is being loaded. In such a situation, the application looks for the DLL in the directory from which it was executed. This allows attackers to place a malicious DLL into that directory and gain access to the system.

Similarly, OS X looks for dynamic libraries (dylibs) in multiple directories when loading them. This allows attackers to inject their malicious dylibs into one of the primary directories, which will then be loaded instead of the original one.

The Meltdown vulnerability affects some Intel chips and is able to bypass the security mechanisms that prevent programs from reading arbitrary locations in system memory. This means that, if exploited, Meltdown would give attackers the ability to read memory outside of the running program and thus obtain sensitive data and information. Attackers can escalate their privileges and read information such as credentials, private keys, and so on.

The Spectre vulnerability affects modern microprocessors and allows attackers to obtain sensitive information by tricking a program into accessing arbitrary locations in its memory space. This allows attackers to read kernel memory or use JavaScript to launch a web-based attack.

In general, attackers exploit vulnerabilities that exist in software or operating systems and try to run malicious code which could in turn grant them higher privileges.

Executing applications

Once the attacker has gained access to the system and elevated privileges, they proceed to the next step, in which they remotely execute malicious programs designed to steal information, crack passwords, install backdoors, and so on. Programs that attackers install include:

- Backdoors: designed to collect information and gain unauthorized access to the system
- Crackers: designed to crack passwords
- Keyloggers: designed to record keystrokes
- Spyware: designed to capture screenshots and send them to the attacker

Keyloggers and spyware

A keylogger is a program or hardware device designed to record every keystroke on the target's keyboard, log them into a file, and send them to a remote location. Legitimate keyloggers are used for monitoring employees' and children's computer activity. Keyloggers allow gathering confidential information including emails and passwords.

Keyloggers have two types:

- Hardware keyloggers
- Software keyloggers

Hardware keyloggers are devices that look like USB drives and are designed to record keystrokes, which are stored on the device. They are placed between a keyboard plug and the USB socket and cannot be detected by antispyware or antivirus programs. However, because they have to be physically placed on the target's machine, they can be discovered.

Hardware keyloggers are classified into:

- PC/BIOS embedded: refers to modifying the BIOS-level firmware to capture the keystrokes
- Keylogger keyboard: refers to attaching the hardware circuit to the keyboard cable connector
- External keylogger: refers to attaching the keylogger between a keyboard and the computer. Types of external keyloggers include PS/2 and USB keyloggers, acoustic/CAM keyloggers, Bluetooth keyloggers, and Wi-Fi keyloggers.

Software keyloggers are programs installed on the target's machine. Recorded keystrokes are logged into a log file on the target's machine, which is then sent to the attacker using email protocols. Software keyloggers are classified into:

- Application keylogger: designed to observe the target's activity whenever they type something. It can record emails, passwords, messages, browsing activities, and so on.
- Kernel/rootkit/device driver keylogger: a kernel keylogger is designed to exist at the kernel level and act as a keyboard device driver, which allows it to record everything that is typed on the keyboard; a rootkit keylogger refers to a forged Windows device driver which records keystrokes; a device driver keylogger is designed to replace the driver with one that has keylogging functionality, logs the keystrokes, and sends the file to a remote location
- Hypervisor-based keylogger: designed to work within a malware hypervisor that is operating on the OS
- Form grabbing based keylogger: designed to record web browsing when the Submit event is triggered.

Spyware is a stealthy program designed to record the target's interaction with the computer and the Internet and then send the recorded data to the attacker. This program is also able to take and send screenshots. The program is hidden when installed. Spyware programs are classified into:

- Desktop spyware
- Email spyware
- Internet spyware
- Child-monitoring spyware
- Screen-capturing spyware
- USB spyware
- Audio and video spyware
- Print spyware
- Telephone spyware
- GPS spyware

Hiding files

Hiding files is a process in which the attacker attempts to cover their tracks in order to ensure future access to the system.

Rootkits

A rootkit is a program designed to help the attacker gain access to a system without being detected. It is designed to replace certain system calls and utilities, allowing malicious activities to be performed. Rootkits create a backdoor to the system and thus enable the attacker to access the system and perform malicious activities.

Rootkits do not spread by themselves. Instead, they hide in software and wait for the installer to be activated. Once the target user runs the installer, the rootkit installs itself too and then waits for the hacker to activate it.

In order to place a rootkit on a target machine, the attacker first finds a vulnerable computer or server, then conceals the rootkit within a program to be installed. Once the program is installed, the attacker launches a zero-day attack.

The objectives of a rootkit include gaining remote backdoor access, hiding traces of the attack, collecting confidential data, and installing other malicious programs on the machine.

Rootkits are classified into six types:

- Hypervisor level rootkit: designed to act as a hypervisor and load the target OS as a virtual machine
- Hardware/firmware rootkit: designed to conceal itself in hardware devices that are not inspected
- Kernel level rootkit: designed to add malicious code or replace portions of the core operating system with modified code. Rootkits of this type cannot be easily detected because of the operating system privileges they have
- Boot loader level rootkit: designed to replace the original bootloader with a malicious one
- Application level rootkit: designed to change the behavior of the target application
- Library level rootkit: designed to replace the original system calls in order to hide the attacker's activities

Some of the popular rootkits include:

- Horse Pill
- GrayFish
- Sirefef
- Necurs

NTFS data streams

NTFS data streams are two data streams that help NTFS store files. One data stream stores data about the file (for example, permissions), and the other stream stores the file data. There is another type of data stream, called an alternate data stream (ADS), which can be present within a file. An alternate data stream contains file metadata such as file attributes, author, access, and word count. The ADS is not present in the file itself, but it is attached to the file through the Master File Table, which contains a list of all file data streams and their locations on the disk.

Alternate data streams enable attackers to inject malicious code into files and execute it. This is not easily detectable by the system admin because the file size and the contents appear the same, regardless of the size of the added ADS. The only way of discovering that the file has been tampered with is to check the file timestamps.

Steganography

Steganography refers to a technique which hides a message within another message. The hidden message is extracted when it arrives at its destination. This technique is used for maintaining information confidentiality.

Attackers use steganography for malicious purposes such as hiding keyloggers inside images, inserting source code for hacking tools, attack plans, and so on.

Based on the technique used, steganography can be:

- Technical steganography: uses scientific methods to hide messages
- Linguistic steganography: uses a carrier to hide messages

Based on the cover medium, steganography can be:

- Image steganography
- Document steganography
- Folder steganography
- Video steganography
- Audio steganography
- Web steganography
- Spam/email steganography
- DVD-ROM steganography
- Natural text steganography
- Hidden OS steganography
- Source code steganography

Steganalysis refers to discovering hidden data in a medium. Steganalysis uses knowledge of steganographic techniques to detect hidden messages. It has two phases: detection, in which the analyst detects the existence of hidden information, and distortion, in which the analyst tries to extract the hidden message. There are six types of steganalysis:

- Stego-only attack
- Known-stego attack
- Known-message attack
- Known-cover attack
- Chosen-message attack
- Chosen-stego attack

Covering tracks

Covering tracks is a phase in which the attacker attempts to hide their presence on the system. To avoid detection, the attacker needs to modify the system logs and delete their activity during the attack, and also ensure that future activities are not logged either. It is very important that the system appears uncompromised.

Techniques used in covering tracks include:

- Disabling auditing: disabling the auditing features of the system
- Clearing logs: deleting the attacker's logged activities
- Manipulating logs: changing the logs to prevent detection

To cover tracks on the network, attackers use:

- Reverse HTTP shells: designed to ask the master system for commands which, when received, are executed on the target's machine
- Reverse ICMP tunnels: a technique in which the attacker accesses the system by using ICMP echo and reply packets as carriers of the TCP payload
- DNS tunneling: adding a data payload to the target's DNS server in order to create a back channel through which it is possible to steal information from the server
- TCP parameters: using TCP parameters for payload distribution. Fields in which data can be hidden are the IP identification field, the TCP acknowledgement number, and the TCP initial sequence number.

Malware

Malware refers to a malicious program designed to cause damage to systems. Attackers use malware to gain access to target systems. Some of the programs that are considered to be malware include viruses, worms, trojans, ransomware, rootkits, backdoors, botnets, keyloggers, and crypters.

Trojan

A trojan is a program which contains malicious code and has the ability to cause damage to the target system. Trojans are contained inside seemingly harmless programs and activated when such programs are executed. Trojans are bound to other programs with the help of wrappers. When a wrapped application is executed, the trojan is first installed, and then the wrapped application is run.

Crypter

A crypter is a program which hides malware from antivirus software by encrypting the program's original binary code.

Virus

A virus is a program designed to replicate itself to other programs and documents on the infected machine. Viruses spread to other computers with the transfer of infected files or programs. They are transmitted through file transfers, infected flash drives, and email attachments.

Worm

A worm is a program which replicates itself across network connections. Worms are designed to exploit vulnerabilities on victim machines and then spread to other computers as the infected files are transferred.

Ransomware

Ransomware is a type of malware in which hackers restrict access to files and folders on the target system until a payment is made. Victims are usually required to pay a certain sum of money in order to be able to access their files.

Malware analysis

Malware analysis refers to the process of reverse engineering a malware program. The purpose of the analysis is to determine how the malware works and assess the potential damage it could cause. Malware analysis helps find and remove the infections that exist in a system. This is done using tools and techniques designed for this purpose.

There are two types of malware analysis:

Static malware analysis

Static analysis refers to analyzing the malware without running or installing it. The malware's binary code is examined to determine if there are any data structures or function calls that have malicious behavior.

Dynamic malware analysis

Dynamic analysis requires the malware program to be running in a monitored environment, such as a sandbox or virtual machine. This type of analysis helps in understanding how the malware works by monitoring its activities on the system.

Anti-virus sensor systems

An anti-virus sensor system refers to a set of programs that are designed to detect and analyze malware. It includes programs such as antiviruses, anti-spyware, anti-trojans, anti-spamware, anti-phishing, and email scanners.

Anti-trojan software

Anti-trojan software identifies and stops malware from infecting systems and causing damage by using scanning strategies and tools that detect trojans, backdoors, rootkits, and other harmful programs.

Antivirus software

Antivirus software is designed to look for behavior typical of viruses and give warnings. In addition to this, antivirus software looks for already known virus signatures and warns the user if a threat is found.
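The offline attacks section above (rainbow tables and hash dumps) rests on one fact: an unsalted hash of a common password can be recovered from a table computed before the dump was ever obtained. The example below is added here and is not code from the original notes; it uses a constructed five-word wordlist and an assumed PBKDF2 work factor to show the precomputed lookup succeeding against unsalted SHA-256 and failing against a salted, slow hash, where every candidate has to be re-hashed per user.

```python
import hashlib
import os

# Constructed sample wordlist standing in for a dictionary file.
WORDLIST = ["password", "letmein", "qwerty", "summer2019", "admin"]
ITERATIONS = 50_000  # PBKDF2 work factor; an assumption chosen for the demo


def precompute_table(words):
    """Precompute digest -> plaintext for unsalted SHA-256.
    Built once, ahead of time, like a rainbow table: the hashing work is
    spent before any hash dump is obtained."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup(table, digest):
    """Constant-time recovery of an unsalted hash from the precomputed table."""
    return table.get(digest)


def store_salted(password):
    """Defender side: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def guess_salted(salt, stored, words):
    """What an offline attacker faces with a salted record: the KDF must be
    re-run for every candidate, for this one user. Returns (plaintext or None,
    number of KDF runs spent)."""
    calls = 0
    for w in words:
        calls += 1
        if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == stored:
            return w, calls
    return None, calls


def demo():
    table = precompute_table(WORDLIST)
    # Unsalted dump: the table answers instantly.
    dumped = hashlib.sha256(b"letmein").hexdigest()
    hit = lookup(table, dumped)
    # Salted dump of the same password: the table knows nothing about it ...
    salt, stored = store_salted("letmein")
    miss = lookup(table, stored.hex())
    # ... and recovering it costs one KDF run per candidate, per user.
    found, calls = guess_salted(salt, stored, WORDLIST)
    return hit, miss, found, calls


if __name__ == "__main__":
    print(demo())  # ('letmein', None, 'letmein', 2)
```

The per-user salt is what makes the precomputed table worthless; the iteration count is what makes the per-candidate rerun expensive at scale.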

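For the replay attack described under passive online attacks, the usual defence is to make every authentication token single-use. The exchange below is an added example, not code from the original notes: the client binds a fresh nonce and a timestamp into an HMAC-protected token, and the server rejects a forged tag, a stale token, and a sniffed token presented a second time. The shared key and the timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

KEY = b"constructed-shared-secret"  # assumption: pre-shared key for the demo


def make_token(user, key=KEY, now=None):
    """Client side: bind the request to a fresh nonce and a timestamp, then
    authenticate all three fields with an HMAC so none can be altered."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    msg = f"{user}|{now}|{nonce}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{user}|{now}|{nonce}|{tag}"


class Server:
    """Server side: verify the tag, reject stale timestamps, and remember
    nonces inside the time window so a captured token cannot be reused."""

    def __init__(self, key=KEY, window=30):
        self.key, self.window, self.seen = key, window, {}

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            user, ts, nonce, tag = token.split("|")
            ts = int(ts)
        except ValueError:
            return "malformed"
        msg = f"{user}|{ts}|{nonce}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "bad-signature"
        if abs(now - ts) > self.window:
            return "expired"
        # Forget nonces older than the window so the replay cache stays bounded;
        # anything older is already rejected by the timestamp check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = ts
        return "ok"


def demo():
    srv = Server()
    tok = make_token("alice", now=1_700_000_000)
    first = srv.verify(tok, now=1_700_000_001)          # legitimate use
    second = srv.verify(tok, now=1_700_000_005)         # sniffed copy sent again
    late = srv.verify(make_token("alice", now=1_700_000_000), now=1_700_000_100)
    forged = srv.verify(tok[:-1] + ("0" if tok[-1] != "0" else "1"), now=1_700_000_002)
    return first, second, late, forged


if __name__ == "__main__":
    print(demo())  # ('ok', 'replayed', 'expired', 'bad-signature')
```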

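The covering tracks section lists disabling auditing, clearing logs, and manipulating logs. Each of these leaves a trace of its own, and the detection logic below, added here as an example rather than taken from the original notes, flags them in a constructed, simplified log format: the real Windows event IDs 1102 (Security audit log cleared), 104 (System log cleared) and 4719 (audit policy changed), plus entries whose timestamp runs backwards, which is what hand-edited or re-inserted records tend to look like.

```python
import re
from datetime import datetime

# Real Windows event IDs for the behaviours the notes list under covering
# tracks. The log lines further down are constructed for this demo; the
# one-line-per-event text format is an assumption, not a real Windows format.
SIGNALS = {
    1102: "Security audit log cleared",
    104: "System event log cleared",
    4719: "System audit policy changed (possible auditing disabled)",
}

LINE_RE = re.compile(r"^(\S+) (\w+) (\d+) (.*)$")

SAMPLE_LOG = """\
2024-03-01T10:00:00Z Security 4624 user=alice src=10.0.0.5
2024-03-01T10:05:12Z Security 4625 user=admin src=10.0.0.77
2024-03-01T10:05:40Z Security 4624 user=admin src=10.0.0.77
2024-03-01T10:06:03Z Security 4719 user=admin change=AuditPolicy
2024-03-01T10:06:10Z Security 1102 user=admin
2024-03-01T09:58:00Z Security 4624 user=alice src=10.0.0.5
2024-03-01T10:07:00Z System 104 user=admin
"""


def parse(line):
    """Split one constructed log line into (timestamp, channel, event_id, rest)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, channel, eid, rest = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), channel, int(eid), rest


def find_cover_track_signals(text):
    """Return (line_no, reason) findings: explicit log-clearing and audit-policy
    events, plus any entry whose timestamp is earlier than the one before it,
    which the log writer itself would never produce in an append-only log."""
    findings, last_ts = [], None
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse(line)
        if rec is None:
            continue
        ts, channel, eid, _ = rec
        if eid in SIGNALS:
            findings.append((n, f"{channel} {eid}: {SIGNALS[eid]}"))
        if last_ts is not None and ts < last_ts:
            findings.append((n, "timestamp earlier than previous entry"))
        last_ts = ts
    return findings


if __name__ == "__main__":
    for line_no, reason in find_cover_track_signals(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

In practice these events should be forwarded to a collector the attacker cannot reach, since a cleared local log is exactly the point of the technique.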