Notes taken from Hacking Exposed, Chapter 5
Intro to Network Security
Hacking 2: Exploit
Text:
Network Security: The Complete Reference, Bragg, Rhodes-Ousley, Strassberg et al.
Chapter 20
Objectives:
The student shall learn to:
• Define two techniques of password eavesdropping.
• Describe how the following 5 techniques can be used to gain entry into a system: information disclosure, directory traversal, buffer overflow, SQL injection, email worm/virus.
• Define rootkit, Principle of Least Privilege.
• Define countermeasures for hacking attacks.
• Describe the difference in security between Windows’ LM, NTLM, and Kerberos and Unix password schemes.
• Calculate the number of possible combinations when lower case versus lower & upper case versus alphanumeric versus alphanumeric plus symbols are used.
• Define three techniques to encode hard-to-guess passwords using an example.
• Define techniques you would use to enforce a strong password policy.
Class Time:
The class shall be conducted as follows:
Hacking NT 1 hour
Passwords 1 hour
Total 2 hours
Hacking the NT Family
Microsoft security
• Greatest concentration of computers
• High visibility
• Features traditionally enabled
• Internet Information Server (IIS) and Server Message Block (SMB) are most vulnerable entry points
Three MS password hashing techniques:
• LM: (Unsafe) LAN Manager
• The password is upper-cased, padded (or truncated) to 14 characters and split into two 7-character halves that are hashed independently (each half keys a DES encryption of a fixed string), so the two halves can be cracked in parallel. An 8-character password therefore becomes a 7-character piece and a 1-character piece.
• Identical passwords produce identical hashes (no UNIX-style salt)
• Passwords longer than 14 characters have no LM hash at all (the LM field holds a fixed "empty" value), so LM cannot be used to crack them
• The only algorithm available on Windows 95/98; still stored by default on NT, 2000, XP and Server 2003 unless explicitly disabled
• NTLM: (Safer) NT LAN Manager
• Uses a single hash of the whole password (the NT hash: MD4 over the Unicode password), case-sensitive and not limited to 14 characters
• Still unsalted; can be cracked, but takes much longer than LM
• Used with Windows NT, and by later versions when Kerberos is not configured or available
• Kerberos: Safest
• Available from Windows 2000 on (domain logons); uses tickets issued by a trusted server, so the password hash is never sent across the network
Compare UNIX:
Unix password file.
• Uses crypt(3): DES (Data Encryption Standard) iterated 25 times, keyed by the password
• Alternate: MD5-based crypt
• Uses a 12-bit random 'salt' chosen when the password is set and stored alongside the hash
• Stored in /etc/passwd (world-readable) or /etc/shadow (root-readable only): user name, salt and hashed password
• The stored value is a 13-character string: 2-character salt followed by an 11-character hash result
• Salt serves 3 purposes:
1. Prevents identical passwords from producing the same stored value (and forces a precomputed lookup table to hold 4096 entries per candidate password).
2. Effectively lengthens the password without requiring the user to remember additional characters.
3. Perturbs the DES algorithm (the salt alters the expansion permutation), so off-the-shelf DES hardware cannot be used directly to speed up a brute-force guessing attack.
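Worked example, added to these notes (not from Hacking Exposed or the Bragg text): Python that reproduces the LM preprocessing described above and shows what the UNIX salt buys. The 69-symbol LM guess alphabet is an assumption, and because DES is not in Python's standard library the salted-hash part substitutes SHA-256 for crypt(3)'s iterated DES while keeping the 2-character-salt layout.

```python
import hashlib
import hmac
import os
import string

# --- LM preprocessing: the structure that makes LM weak --------------------
LM_MAX_LEN = 14
# Assumed size of the LM guess alphabet (not from the notes): LM upper-cases
# the password, so letters contribute 26 symbols, plus 10 digits, 33 symbols.
LM_ALPHABET = 26 + 10 + 33


def lm_halves(password):
    """Return the two independent 7-byte pieces LM feeds to DES (each half
    keys a DES encryption of a fixed string), or None when the password is
    longer than 14 characters, in which case Windows stores no LM hash."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().encode("ascii").ljust(LM_MAX_LEN, b"\x00")
    return padded[:7], padded[7:]


def lm_guesses(password_len, alphabet=LM_ALPHABET):
    """Guesses needed to exhaust both halves when each is attacked on its
    own. A second half that is all padding hashes to a well-known constant
    and costs nothing. Compare alphabet ** password_len for a hash that
    covers the whole password at once."""
    first = min(password_len, 7)
    second = max(password_len - 7, 0)
    return alphabet ** first + (alphabet ** second if second else 0)


# --- UNIX-style salting ----------------------------------------------------
# crypt(3) encodes its 12-bit salt as two characters from this 64-symbol set.
SALT_CHARS = string.ascii_letters + string.digits + "./"


def new_salt():
    """Two random salt characters = 12 bits, chosen when a password is set."""
    return "".join(SALT_CHARS[b % 64] for b in os.urandom(2))


def hash_password(password, salt=""):
    """Stored form 'salt$digest'. SHA-256 over salt+password stands in for
    crypt(3)'s 25 iterations of DES (not in the standard library); the
    property shown, salt stored in the clear in front of the hash, is the same."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + "$" + digest


def verify_password(password, stored):
    """Recover the salt from the stored value and recompute."""
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, salt), stored)


def lookup_table_entries(dictionary_size, salt_bits=12):
    """Size of a precomputed (hash -> password) table that covers every salt:
    each dictionary word must be hashed once per possible salt value."""
    return dictionary_size * 2 ** salt_bits


if __name__ == "__main__":
    print(lm_halves("Password1"))                 # second half is 'D1' + padding
    print(lm_guesses(8), "vs", LM_ALPHABET ** 8)  # two short halves vs one 8-char hash
    print(hash_password("secret", "ab"), hash_password("secret", "cd"))
```

The unsalted case (salt "") makes two users with the same password indistinguishable in the file; with salts, an attacker must hash each guess once per salt seen, and a precomputed table needs 4096 entries per word.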
Hackers' learning curve is steep because they share information on underground bulletin boards.
• Stolen passwords have even been posted on a bulletin board set up on the victim's own machine.
• When security personnel exchange information about vulnerabilities, attackers can eavesdrop and exploit them before the holes are plugged.
Unauthenticated Attacks: Gaining Access
Unauthenticated attack techniques include:
• Password cracking
• Password eavesdropping
• Exploiting software vulnerabilities (back doors)
Password Cracking
Users tend to select easy passwords…
• Users choose easy, short passwords (including the null/empty password)
• Users choose easy-to-remember names: related to their family, interests, address
• Default passwords: vendor defaults for Microsoft products are published in lists (the notes cite 'defpw')
• Password cracking dictionaries exploit predictable habits:
• When capitals and numbers are required, people capitalize the first letter and append a digit
Password Guessing
• Many password crackers exist
• Once the username is known, password cracking is a matter of time
• Password crackers consist of this logic, repeated once per guess:
C:\> net use \\target\IPC$ * /u:Administrator
(* prompts for the password; put the guess in place of * to supply it on the command line)
Password guessing can be scripted easily:
C:\> FOR /F "tokens=1,2* delims=:" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
where each line of credentials.txt contains password:username (the first token, %i, is the password and the second, %j, the user name)
To Safeguard Security:
• Restrict access or disable SMB services on TCP port 139 & 445 at firewall
• Enforce strong password policy
• Set an account lockout threshold and ensure it applies to Administrator, particularly for remote access
• Enable audit account logon failures and review event logs regularly
• Use admin (root) account only when necessary (e.g., not to read email)
• Use longer passwords for admin accounts
• Use IPSec to authenticate and encrypt traffic between hosts (and to restrict which hosts may reach SMB)
• For any system, never retain default passwords!
• Check for and remove stale accounts (e.g., accounts not used in 30 days)
• Keep backups
Enforcing Strong Password Policy
• XP-> MMC or Windows 2000-> Admin Tools/Security Settings/Account Policies/Password Policy
• Can specify:
• At least N chars.
• Password expires in N Days
• Lockout after N bad login attempts
• Reset count after N minutes
• Lockout duration N minutes
• Enforce password history (N-count memory of passwords)
• Etc.
Microsoft's "passwords must meet complexity requirements" setting means:
• Must contain characters from at least 3 of the following 4 classes
• UPPERCASE LETTERS
• Lowercase letters
• Numerals (0..9)
• Non-alphanumeric (*$#@%&)
• Set via: Windows 2000->Admin Tools/Security settings/Account Policies/Password Policy/ Passwords must meet complexity requirements or XP-> MMC
Passprop (NTRK: NT Resource Kit)
• passprop /adminlockout allows the built-in Administrator account (RID 500) to be locked out for network (remote) logons
• The Administrator account is never locked out at the local console, so an administrator cannot be shut out of the machine entirely
• passprop /complex requires passwords to be mixed case or to contain a number or symbol
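Worked example, added to these notes (not from the texts): a Python check that applies the 3-of-4 class rule above. The minimum length and the account-name/full-name check are the other conditions Windows' complexity setting enforces; the delimiter set used to split the full name is the one Windows documents, and all test passwords are constructed.

```python
import re

CLASSES = ("upper", "lower", "digit", "symbol")


def character_classes(password):
    """Which of the four classes from the notes the password draws on."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")   # anything non-alphanumeric, including space
    return found


def meets_complexity(password, account_name="", full_name="",
                     min_length=6, classes_required=3):
    """Return (ok, reasons). 3-of-4 classes is the rule from the notes; the
    length floor and the account/full-name checks are the remaining parts
    of the Windows 'passwords must meet complexity requirements' rule."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < classes_required:
        reasons.append(f"uses {len(classes)} of {len(CLASSES)} character classes; "
                       f"{classes_required} required")
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    # Windows splits the full name on these delimiters and rejects any token
    # longer than two characters that appears in the password.
    for token in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(token) > 2 and token.lower() in lowered:
            reasons.append(f"contains part of the full name ({token})")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Passw0rd", "password", "Smith2004", "Ab1!"):
        print(candidate, meets_complexity(candidate, "jsmith", "John Smith"))
```

Note that "Passw0rd" passes: the class rule says nothing about dictionary words, which is why the notes still call for long passwords and for cracking your own password file.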
Auditing & Logging
• Log failed/passed login attempts with:
Security Policy/Local Policies/Audit Policy
See logs via (Control Panel-> Classic View->) Admin Tools/Event Viewer/Security Log
• Can sort on different fields
• Other log tools are available (IDS can do log analysis)
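Worked example of the log review called for above, added to these notes (not from the texts): Python that applies the account-policy lockout logic (N failures within the reset window) to a simplified export of the Security log. The log lines, the 5-attempt/30-minute policy values and the time,event,user,source layout are constructed for the example; event IDs 529 (bad user name or password) and 539 (account locked out) are the NT/2000/XP failed-logon events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values mirroring the Account Policy settings in the notes (lockout
# threshold, reset counter after N minutes); the numbers are assumptions.
LOCKOUT_THRESHOLD = 5
RESET_WINDOW = timedelta(minutes=30)

# Security-log event IDs on Windows NT/2000/XP: 529 = unknown user name or
# bad password, 539 = account locked out; 528 = successful logon (ignored).
FAILED_LOGON_EVENTS = {"529", "539"}

# Constructed, simplified export of the Security log: time,event,user,source.
SAMPLE_LOG = """\
2004-03-01 09:00:01,528,bob,10.1.1.7
2004-03-01 09:00:03,529,Administrator,10.1.1.5
2004-03-01 09:00:04,529,Administrator,10.1.1.5
2004-03-01 09:00:05,529,Administrator,10.1.1.5
2004-03-01 09:00:06,529,Administrator,10.1.1.5
2004-03-01 09:00:07,529,Administrator,10.1.1.5
2004-03-01 09:00:08,529,Administrator,10.1.1.5
2004-03-01 09:10:00,529,carol,10.1.1.9
2004-03-01 09:20:00,529,carol,10.1.1.9
2004-03-01 09:30:00,529,carol,10.1.1.9
2004-03-01 09:40:00,529,carol,10.1.1.9
2004-03-01 09:50:00,529,carol,10.1.1.9
2004-03-01 09:55:00,529,bob,10.1.1.7
"""


def parse_events(text):
    """Yield (timestamp, event_id, user, source) per log line."""
    for line in text.strip().splitlines():
        ts, event_id, user, source = (field.strip() for field in line.split(","))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, user, source


def detect_guessing(text, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Apply the lockout rule to the log: `threshold` failures for the same
    account from the same source within `window`. Failures older than the
    window drop out of the count (the 'reset count after N minutes' rule),
    and one alert is raised per burst."""
    recent = defaultdict(deque)
    alerts = []
    for ts, event_id, user, source in parse_events(text):
        if event_id not in FAILED_LOGON_EVENTS:
            continue
        bucket = recent[(user, source)]
        bucket.append(ts)
        while ts - bucket[0] > window:
            bucket.popleft()
        if len(bucket) >= threshold:
            alerts.append({"user": user, "source": source, "first": bucket[0],
                           "last": ts, "count": len(bucket)})
            bucket.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        print(f"{a['user']} from {a['source']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the sample data only the burst against Administrator fires: carol's five failures are spread over 40 minutes, so the oldest ones age out of the 30-minute window before the count reaches five. Alerts on Administrator deserve priority, since without Passprop that account is never locked out remotely.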
Password Eavesdropping
Three techniques:
• Sniff passwords off a hub-based network
• Sniff = capture and store the protocol exchange between source and destination
• Insert a hacked relay between victim and host
• Relay = the hacker bounces traffic between victim and host (man-in-the-middle), reading or altering it
• Trick the victim's client into authenticating to the attacker: a web page or HTML e-mail that references a resource on the attacker's host (e.g., an SMB share) makes the victim's machine send its LM/NTLM challenge-response automatically
• Example: an HTML e-mail that contains such an embedded reference
Sniff and crack passwords: L0phtCrack (LC)
• Can process an NT password file (dumped hashes) offline
• Has SMB packet capture: records the server's challenge and the client's encrypted response, then cracks them
• Cracks the LM (LAN Manager) hash first, since that algorithm is the weak link
Listening techniques include:
• Listens on a hub-based LAN for logon exchanges and imports them for analysis
• Usually works offline against a dump of the NT password database
• Effective on switched LANs via ARP spoofing (redirecting the victim's traffic through the attacker's machine)
• Can monitor the VPN Point-to-Point Tunneling Protocol (PPTP) logon exchange
• Can often recover an Administrator password within days
To Safeguard Security:
• Prefer Kerberos, then NTLM authentication; disable LM authentication
• Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, DWORD LMCompatibilityLevel = 4 (send NTLMv2 only, refuse LM)
• Level 4 prevents domain controllers from accepting LM authentication requests
• Does not work for non-NT clients (mixed mode with Windows 95/98/ME), which can only speak LM
• Counter line tapping with link encryption techniques.
• Avoid software which sends passwords in the clear: rlogin, telnet, POP3
• Disable unused services: telnet, Alerter, ClipBook, Indexing Service, Messenger (not IM-related), Remote Registry, and IIS on servers that host no web site
• Limit permissions on Windows shares: remove Everyone: Full Control and grant Read, or access to named users/groups, only
• Eliminate or reduce anonymous access
• Turn off share option from desktop computers
• Use mail packages that check for viruses.
Exploiting Software Vulnerabilities
Information Disclosure: Exposes information unintentionally
Example: Appending +.htr to a request for an active (ASP) file makes IIS 4/5 hand the request to the .htr ISAPI extension, which returns the file's source instead of executing it
> nc -vv target 80
GET /site/global.asa+.htr HTTP/1.0
(followed by a blank line to end the request)
In this case the global.asa file lists database passwords
Directory Traversal
• Example: a request such as cs.uwp.edu/../../cmd.exe uses ../ sequences to walk out of the web root and reach cmd.exe on the server's system drive; a server that does not canonicalize the path before checking it serves or executes the file
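Worked example, added to these notes (not from the texts): Python that canonicalizes a request path the way a web server must before deciding whether it leaves the web root, and scans constructed access-log lines for the ../.. patterns the countermeasures say to log. The /var/www/site root and the log lines are assumptions; the %c0%af request is the overlong UTF-8 encoding of '/' that some servers once decoded, and %252f is a double-encoded '/'.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # assumed document root for the example


def canonical_path(url_path):
    """Decode the request the way a server must before any check: twice,
    to catch double encoding (%252e), and strictly, so overlong UTF-8 such
    as %c0%af (an alternate encoding of '/') is rejected rather than
    silently mapped. Returns None for input that cannot be canonicalized."""
    try:
        decoded = unquote(url_path, errors="strict")
        decoded = unquote(decoded, errors="strict")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:              # NUL truncates C-style paths
        return None
    return decoded.replace("\\", "/")  # Windows servers accept either separator


def is_traversal(url_path):
    """True if any path segment is '..' after canonicalization, or if the
    request could not be canonicalized at all. Strict on purpose: '..' that
    would still resolve inside the root is rejected and logged too."""
    decoded = canonical_path(url_path)
    return decoded is None or ".." in decoded.split("/")


def resolve(url_path, web_root=WEB_ROOT):
    """Filesystem path for a request, or None to reject (and log) it."""
    if is_traversal(url_path):
        return None
    relative = canonical_path(url_path).lstrip("/")
    full = posixpath.normpath(posixpath.join(web_root, relative))
    if full != web_root and not full.startswith(web_root + "/"):
        return None
    return full


# Constructed access-log lines in the common "METHOD path HTTP/x" form.
SAMPLE_ACCESS_LOG = """\
GET /index.html HTTP/1.0
GET /../../cmd.exe HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0
GET /docs/readme.txt HTTP/1.0
GET /..%252f..%252fetc/passwd HTTP/1.1
"""

REQUEST_LINE = re.compile(r"^(\S+) (\S+) HTTP/\d\.\d$")


def traversal_attempts(log_text):
    """Request paths in the log that should be alerted on as traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if m and is_traversal(m.group(2).split("?", 1)[0]):
            hits.append(m.group(2))
    return hits


if __name__ == "__main__":
    for path in ("/index.html", "/../../cmd.exe", "/..%2f..%2fcmd.exe"):
        print(path, "->", resolve(path))
    print(traversal_attempts(SAMPLE_ACCESS_LOG))
```

The order matters: decode first, then look for '..', then confirm the joined path still starts with the web root. Checking the raw URL for "../" alone misses every encoded variant in the sample log.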
Buffer Overflows
• Overflowing an input buffer corrupts the stack (overwriting the saved return address) so that attacker-supplied code executes, with the aim of gaining access
• Requires no prior privilege when the vulnerable service is reachable over the network; the injected code runs with the privileges of the exploited process (often SYSTEM for IIS and SMB services)
• Can target any node running the vulnerable software
SQL Injection
Java original: "SELECT * FROM users_table WHERE username='" + username + "' AND password='" + password + "'";
Inserted password: Aa' OR ''='
Resulting SQL: SELECT * FROM users_table WHERE username='anyname' AND password='Aa' OR ''=''   (''='' is always true, so the WHERE clause matches every row)
Inserted password: ' OR 1=1 --
Resulting SQL: SELECT * FROM users_table WHERE username='anyname' AND password='' OR 1=1 --'   (-- starts a comment, which discards the trailing quote)
Inserted password: foo';DELETE FROM users_table WHERE username LIKE '%
Resulting SQL: SELECT * FROM users_table WHERE username='anyname' AND password='foo'; DELETE FROM users_table WHERE username LIKE '%'   (a second, destructive statement; works only where the database driver executes stacked statements)
Inserted entry (Microsoft Jet/Access, whose SQL can call VBA functions): '|shell("cmd /c echo " & char(124) & "format c:")|'   (runs an operating-system command on the database server)
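Worked example, added to these notes (not from the texts): the concatenated query above run against a constructed SQLite users_table, with the parameterised form beside it. The user row and its cleartext password are made up for the demonstration (the notes' query compares the password column directly; real systems store salted hashes). Python's sqlite3 refuses stacked statements through execute(), so the DELETE payload is shown through executescript() to emulate a driver that runs them.

```python
import sqlite3


def make_db():
    """Constructed in-memory users_table with one known row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('anyname', 'correct horse')")
    conn.commit()
    return conn


def build_query(username, password):
    """The notes' concatenation, character for character."""
    return ("SELECT * FROM users_table WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_login(conn, username, password):
    """Input becomes part of the SQL text: quotes and comments inside it
    change what the statement means."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def vulnerable_login_stacked(conn, username, password):
    """Same query on a driver that runs several ';'-separated statements per
    call (emulated with executescript). sqlite3's execute() raises on a
    stacked statement, so the DELETE payload only works through this path;
    many other database APIs run it directly."""
    conn.executescript(build_query(username, password))


def safe_login(conn, username, password):
    """Parameterised query: values are bound as data, never parsed as SQL,
    so the same payloads are just strings that match no row."""
    query = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users_table").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    for payload in ("Aa' OR ''='", "' OR 1=1 --"):
        print(repr(payload), "vulnerable:", vulnerable_login(conn, "anyname", payload),
              "safe:", safe_login(conn, "anyname", payload))
    vulnerable_login_stacked(conn, "anyname", "foo';DELETE FROM users_table WHERE username LIKE '%")
    print("rows left after stacked payload:", user_count(conn))
```

Binding parameters is the fix that needs no knowledge of which characters are dangerous; the "validate input" routine in the countermeasures is a second layer, not a substitute.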
Email Worms & Viruses
• Email attachments can lie about what type they are – and may be worm or virus
• Executing the attachment gives the executable the permissions of the email receiver
To Safeguard Security:
• Use NTFS (for file permissions) and Kerberos authentication
• Implement egress filtering: filter packets leaving the network
• Hackers often initiate outbound sessions from victim computers (e.g., a shell connecting back to the attacker), which egress filtering blocks
• Patch software regularly and apply current service packs
• Keep the web server's system and data separate from other systems and data (separate host or partition)
• Do not put sensitive data in source code (e.g., no credentials in ASP code or global.asa)
• Backup Policy: How often are backups run? Stored offsite?
• Password Lockouts: How are they reset? Is proof of ID used?
• Remove unused system software that is commonly exploited
• Remove unnecessary ISAPI extensions (DLLs) that handle uncommon file types
• IIS is a common source of software vulnerabilities
• Log events and monitor log!
• Log and alert on ../.. patterns in requests
• For input forms: pass all input through a common 'validate input' routine (and bind it to queries as parameters, never by string concatenation), OR
• Take the username and password from the OS authentication context rather than from keyed entry
• Access database for outside use with limited privileges (e.g., no insert/update/delete)
• Do not display information (stack traces) in error messages
Apply Principle of Least Privilege:
Grant minimum Permissions necessary
• Provide access to files and database segments only as necessary
• Specify as limited permissions (rwx) as possible
• Limit use of admin accounts – do not process email while in root/admin account
• Separation of Duties in System Administration – the Administrator and separate log reader.
Authenticated Attacks: Exploiting Knowledge
Authenticated Attacks:
• Escalating privilege: after obtaining a user account, the next goal is Administrator status
• Installing backdoors: to ensure future access
• Covering tracks: modifying or clearing logs
• Closing the hole used to get in, so the system isn't lost to other hackers
Privilege Escalation: Methods include
• Grabbing password hashes: Collecting the Security Accounts Manager (SAM) database (NT4) or Active Directory (Windows 2000+).
• DLL injection: Modify or replace the DLL with a Trojan (allowing back door entry)
• Spoofing LPC Port Requests: Using Local Procedure Call (LPC) to impersonate a client and access a server.
• Install rootkit: includes installing backdoor, replacing existing utilities: ps, telnet.
Grabbing Password Hashes
Four techniques:
• Booting off an alternate OS and copying the password hashes (the SAM file is locked while Windows runs)
• Copying the SAM file backup (difficult; the repair copy is often stale)
• Sniffing NT authentication exchanges
• Extracting the password hashes from the SAM or Active Directory
• Extraction tools (e.g., pwdump) require Administrator privileges
• For backward compatibility, both the LM hash and the NT hash are stored for each password
• Disable LM hash storage: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa create NoLMHash (a key on Windows 2000, a DWORD set to 1 on XP/2003); existing LM hashes disappear only after the next password change
Install Trojans
• Trojaned msgina.dll: the Graphical Identification and Authentication DLL sees every interactive logon, so a replacement can record cleartext credentials
• Patched msv1_0.dll: the authentication package that checks credentials against the SAM can be altered to ignore the result and accept any password, without granting direct access to the SAM
Pilfering: After achieving Administration status, continuing to collect information for further conquests
Remote Control
• Command-Line Remote Control: Telnet-like ability using netcat
• Graphical Remote Control: Like teleconferencing ability – local and remote have identical screens
To Safeguard Security:
• Prevent hackers from becoming Administrators
• Rename the built-in Administrator account (RID 500) and, optionally, create a decoy account named Administrator with no privileges, so guessing attacks target the decoy
• Do not allow boots from floppy or CDs
• Lock up servers to prevent physical access
• Pick good passwords
• To counter LM hashing: use passwords longer than 14 characters (no LM hash is stored at all); if a password must be 14 or fewer, make it exactly 7 or 14 so the second DES half is not a trivially short fragment
• Do not reuse the same password from one machine to the next (at least compartmentalize passwords)
• Use non-printable or extended ASCII characters (entered via ALT + numeric-keypad code) in the password where the system allows, since most cracking tools do not search them
Password Selection
Distribution of passwords:
• 16.5%: 1-3 characters long
• 14%: 4 characters long
• 22%: 5 characters, all same case
• 19%: 6 characters, lower case
• 15%: words in dictionaries or lists of names
• 14%: good passwords
Techniques used to obtain password:
• Dictionaries: Specific to languages, interests, names, …
• Viewing: Over-the-shoulder, sniffing unencrypted, Trojan horse, finding written version.
• Social engineering: Tell me about your life, ethnicity, … I am your director…
• Guessing: Using knowledge of the user.
• Brute Force: Trying all combinations of letters/digits/symbols.
Brute Force Attack:
(time assumes 1 ms per guess and the correct password tried last; 1000 ms = 1 sec)
|Pattern                        |Calculation |Result            |Time at 1 ms/guess |
|American dictionary            |80,000 words|80,000            |80 seconds         |
|1 character, lower case alpha  |26^1        |26                |< 1 second         |
|5 characters, lower case alpha |26^5        |11,881,376        |3.3 hours          |
|6 characters, lower case alpha |26^6        |308,915,776       |86 hours           |
|6 characters, mixed case alpha |52^6        |19,770,609,664    |229 days           |
|6 characters, alphanumeric     |62^6        |56,800,235,584    |657 days           |
|6 characters, all keyboard     |80^6        |262,144,000,000   |8.3 years          |
|7 characters, alphanumeric     |62^7        |3,521,614,606,208 |111.7 years        |
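Worked example, added to these notes (not from the texts): Python that regenerates the table above from alphabet size and length, and extends it to the case the exercise asks about, a password whose length is only known to lie in a range. The 1 ms/guess rate and the 80-symbol "all keyboard" alphabet are taken from the table; the time formatter simply picks the largest unit in which the value is at least 1, so a few rows come out in different units than the table (3.6 days rather than 86 hours).

```python
SECONDS_PER_GUESS = 0.001  # 1 ms per guess, the rate assumed in the table


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def keyspace_range(alphabet_size, min_len, max_len):
    """Passwords of every length from min_len to max_len inclusive: an
    attacker cannot skip lengths that have not been ruled out."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def expected_guesses(alphabet_size, min_len, actual_len):
    """Average work when lengths are tried shortest first: every shorter
    length is exhausted, then on average half of the actual length."""
    shorter = sum(alphabet_size ** n for n in range(min_len, actual_len))
    return shorter + keyspace(alphabet_size, actual_len) // 2


def worst_case_seconds(guesses, seconds_per_guess=SECONDS_PER_GUESS):
    """Time if the correct password is the last one tried."""
    return guesses * seconds_per_guess


def human_time(seconds):
    """Largest unit in which the value is at least 1, to one decimal."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds" if seconds >= 1 else "< 1 second"


# Rows of the notes' table: (label, alphabet size, length). The dictionary
# row is a flat word count rather than a key space.
ROWS = [
    ("American dictionary (80,000 words)", None, 80_000),
    ("1 char, lower case", 26, 1),
    ("5 chars, lower case", 26, 5),
    ("6 chars, lower case", 26, 6),
    ("6 chars, mixed case", 52, 6),
    ("6 chars, alphanumeric", 62, 6),
    ("6 chars, all keyboard", 80, 6),
    ("7 chars, alphanumeric", 62, 7),
]


def build_table(rows=ROWS):
    """(label, guesses, worst-case time) per row."""
    out = []
    for label, alphabet, n in rows:
        total = n if alphabet is None else keyspace(alphabet, n)
        out.append((label, total, human_time(worst_case_seconds(total))))
    return out


if __name__ == "__main__":
    for label, total, t in build_table():
        print(f"{label:36} {total:>20,} {t}")
    # Unknown length 5-9, alphanumeric: total space the attacker must cover.
    print(f"{keyspace_range(62, 5, 9):,}")
```

Each extra character multiplies the work by the alphabet size, and each extra class adds to the base: that is why the table's 7-character alphanumeric row dwarfs the 6-character "all keyboard" row despite the smaller alphabet.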
Exercise 1:
• Assume a password is known to be between 5-9 characters, alphanumeric. How many iterations on average would it take to break the password if it is 6 characters long? If the password is 7 characters long?
Authentication can rely upon one or more of the following:
• Something the user knows: Passwords, PINs, mother’s maiden name, algorithm …
• Something the user has: Badges, keys, cards, etc.
• Something the user is: biometrics: fingerprint, voice frequency, face, …
E.g., Banks rely upon bank card & PIN
Methods of forming good passwords. Using a combination of methods is best.
|Transform                          |Illustrative expression                                       |Password     |
|Transliteration                    |photographic                                                  |fotografik   |
|Interweaving characters            |duke, iron                                                    |dIuRkOeN,    |
|Replace letter by decimal digit    |cabbage                                                       |3122175      |
|Replace decimal digit by letter    |10/12/1492                                                    |j.ab.adib    |
|Shift home position on keyboard    |zucchini                                                      |xivvjomo     |
|Synonym substitution               |coffee break                                                  |javA_resT    |
|Antonym substitution               |stoplight                                                     |Start-Dark   |
|Actuation of keyboard "shift"      |6/6/1944                                                      |^?^?!($$     |
|Substitute abbreviations           |relative humidity                                             |rEl*hUm      |
|Substitute acronyms                |Mothers Against Drunk Driving, National Organization for Women|MADD1now     |
|Repetition                         |pan                                                           |Pan*Pan      |
|Manipulation                       |swimshow                                                      |swiwshom!    |
|Shorten and combine                |chocolate-covered peanuts                                     |Cho-Cov.Pea  |
|First characters of sentence       |I love Paris in the springtime                                |ILPitST      |
Exercise 2:
• Develop a password based upon the following phrase: Next Week (Exam).
• Use two techniques to develop a good password.
Challenge-Response passwords
• The system issues a challenge
• The user performs one or more algorithms for its response
• Advantage: Response differs every time: Survives interception
• Example: f(x) = x+1
• Example: f(x) = Encrypt(x+secretKey)
• Example: f(a,b,c,d) = d,c,b,c
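Worked example, added to these notes (not from the texts): a Python challenge-response exchange with both sides, plus an eavesdropper who records one exchange and replays it. The response function is a keyed HMAC rather than the notes' f(x) = x+1 (which an observer recovers from a single pair); the user name and shared secret are constructed, and the server consumes each challenge after one answer so that a captured response is useless twice.

```python
import hashlib
import hmac
import os


def compute_response(secret, nonce):
    """Keyed response: HMAC-SHA256(secret, challenge). Unlike f(x) = x+1 from
    the notes, the secret cannot be derived from any number of observed
    (challenge, response) pairs."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, secrets):
        self._secrets = secrets  # user -> shared secret (assumed pre-provisioned)
        self._pending = {}       # user -> challenge awaiting an answer

    def challenge(self, user):
        """Fresh random challenge; issuing a new one invalidates the old."""
        nonce = os.urandom(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        """Accept only an answer to the challenge currently outstanding for
        this user, and consume it so it cannot be answered twice."""
        secret = self._secrets.get(user)
        expected_nonce = self._pending.pop(user, None)
        if secret is None or expected_nonce is None:
            return False
        if not hmac.compare_digest(expected_nonce, nonce):
            return False
        return hmac.compare_digest(compute_response(secret, nonce), response)


class Client:
    def __init__(self, secret):
        self._secret = secret

    def respond(self, nonce):
        return compute_response(self._secret, nonce)


def legitimate_login(server, user, client):
    """The normal exchange: challenge out, keyed response back."""
    nonce = server.challenge(user)
    return server.verify(user, nonce, client.respond(nonce))


def eavesdrop_and_replay(server, user, client):
    """An attacker records one complete exchange and tries to reuse it.
    Returns (original login accepted, same pair replayed, old response
    sent against a new challenge)."""
    nonce = server.challenge(user)
    captured = (nonce, client.respond(nonce))
    accepted = server.verify(user, *captured)
    replayed = server.verify(user, *captured)
    fresh = server.challenge(user)
    cross = server.verify(user, fresh, captured[1])
    return accepted, replayed, cross


if __name__ == "__main__":
    secret = b"shared-secret-for-alice"  # constructed for the example
    server = Server({"alice": secret})
    print(legitimate_login(server, "alice", Client(secret)))
    print(eavesdrop_and_replay(server, "alice", Client(secret)))   # (True, False, False)
```

The two things that make the interception harmless are both in verify(): the challenge is random and single-use, and the response is bound to it by the secret. Drop either and a recorded exchange works again.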
Exercise 3:
Devise a password scheme for an administrator that ensures:
1) Every machine has a different authentication sequence.
2) Can’t get in even if authentication sequence seen. (Assume you are developing password software for this one.)
Other sage advice:
• Do not reveal which part of a logon failed, login name or password: report only "Invalid Access"
• Limit access to certain dates or times of day, and lock out after N consecutive wrong attempts
• Do not rely on substituting 0 for o (zero for oh), 1 for l, $ for s: cracking dictionaries already try these
• Never store passwords in the clear: hash (and salt) them and protect the password file (shadow it)