Notes taken from Hacking Exposed, Chapter 5



Intro to Network Security

Hacking 2: Exploit

Text:

Network Security: The Complete Reference, Bragg, Rhodes-Ousley, Strassberg et al.

Chapter 20

Objectives:

The student shall learn to:

• Define two techniques of password eavesdropping.

• Describe how the following 5 techniques can be used to gain entry into a system: information disclosure, directory traversal, buffer overflow, SQL injection, email worm/virus.

• Define rootkit, Principle of Least Privilege.

• Define countermeasures for hacking attacks.

• Describe the difference in security between Windows’ LM, NTLM, and Kerberos and Unix password schemes.

• Calculate the number of possible combinations when lower case versus lower & upper case versus alphanumeric versus alphanumeric plus symbols are used.

• Define three techniques to encode hard-to-guess passwords using an example.

• Define techniques you would use to enforce a strong password policy.

Class Time:

The class shall be conducted as follows:

Hacking NT 1 hour

Passwords 1 hour

Total 2 hours

Hacking the NT Family

Microsoft security

• Greatest concentration of computers

• High visibility

• Features traditionally enabled

• Internet Information Server (IIS) and Server Message Block (SMB) are most vulnerable entry points

Three MS Password Encryption techniques:

• LM: (Unsafe) LAN Manager

• The password is converted to UPPER CASE and split into two 7-character segments that are hashed separately, so the two halves can be attacked in parallel. An 8-character password therefore becomes a 7-character segment and a 1-character segment.

• Identical passwords provide identical hashes (UNIX-type Salt is not supported)

• Passwords > 14 characters cannot be cracked

• Only algorithm available: Windows 95, 98. Remains active unless removed until Windows 2003.

• NTLM: (Safer) NT LAN Manager

• Uses a single hashed password of 14 characters

• Can be cracked but takes a longer time

• Used with Windows NT, later machines if Kerberos not configured

• Kerberos: Safest

• Available in Windows 2000

Compare UNIX:

Unix Password file.

• Uses DES: Data Encryption Standard with 25 encryptions

• Alternate: MD5

• Uses a 12-bit 'salt' = key value unique to the user.

• Stored in /etc/passwd (all access) or /etc/shadow (root access): User ID, salt and encrypted password.

• Encrypted password is 13-character string: 2-chars salt, 11-character encrypted result

• Salt serves 3 purposes:

1. Salt prevents identical passwords from giving the same encrypted value.

2. Salt increases length of password without requiring user to remember additional characters.

3. Salt prevents the use of a hardware implementation of DES, which would make a brute force guessing attack easier.

Hackers' steep learning curve: hackers share information on underground bulletin boards.

• Passwords have been made available on a bulletin board set up on victim's own machine.

• When security personnel exchange information about vulnerabilities, attackers can eavesdrop and exploit the vulnerabilities before the holes are plugged.

Unauthenticated Attacks: Gaining Access

Unauthenticated attack techniques include:

• Password cracking

• Password eavesdropping

• Exploiting software vulnerabilities (back doors)

Password Cracking

Users tend to select easy passwords…

• Users tend to choose easy, short, passwords (including null)

• Users choose easy to remember names: related to their family, interests, address.

• Default passwords for MS: defpw

• Password cracking files:

• When caps, numbers must be used, people capitalize first letter, extend with number

Password Guessing

• Many password crackers exist

• Once username is known, password cracking is a matter of time

• Password crackers consist of the logic:

C:\> net use \\\IPC$ * /u:"Administrator"

Password argument: "*" prompts for the password; otherwise the password itself (e.g., "password") is given on the command line.

Password guessing can be easy.

C:\> FOR /F "tokens=1,2*" %i,%j in (credentials.txt)

do net use \\target\IPC$ %i /u:%j

where file contains: password:username

To Safeguard Security:

• Restrict access or disable SMB services on TCP port 139 & 445 at firewall

• Enforce strong password policy

• Set an account lockout threshold and ensure it applies to Administrator, particularly for remote access

• Enable audit account logon failures and review event logs regularly

• Use admin (root) account only when necessary (e.g., not to read email)

• Use longer passwords for admin accounts

• Use IPSec

• For any system, never retain default passwords!

• Check for and remove invalid accounts (often accounts which have not been used in 30 days).

• Keep backups

Enforcing Strong Password Policy

• XP-> MMC or Windows 2000-> Admin Tools/Security Settings/Account Policies/Password Policy

• Can specify:

• At least N chars.

• Password expires in N Days

• Lockout after N bad login attempts

• Reset count after N minutes

• Lockout duration N minutes

• Enforce password history (N-count memory of passwords)

• Etc.

Microsoft’s strong password protection means:

• Must contain chars from 3 of following

• UPPERCASE LETTERS

• Lowercase letters

• Numerals (0..9)

• Non-alphanumeric (*$#@%&)

• Set via: Windows 2000->Admin Tools/Security settings/Account Policies/Password Policy/ Passwords must meet complexity requirements or XP-> MMC

Passprop (NTRK: NT Family Resource Kit)

• Allows the Administrator Acct (User ID=500) to have a lockout threshold for remote access

• Local administrator at console is never locked out.

• If /complex is set, passwords must be mixed case or contain symbol/number

Auditing & Logging

• Log failed/passed login attempts with:

Security Policy/Local Policies/Audit Policy

See logs via (Control Panel-> Classic View->) Admin Tools/Event Viewer/Security Log

• Can sort on different fields

• Other log tools are available (IDS can do log analysis)

Password Eavesdropping

Three techniques:

• Sniff passwords off of a hub network

• Sniff = capture the protocol traffic transmitted between source and destination

• Hacked relay between victim & host

• Relay = hacker bounces information between victim and host

• FTP web page requires password hashes for authentication

• Example: Email contains

Sniff password and replay: L0phtcrack or LC ()

• Can process NT password file offline

• Has SMB Packet Capture: Reads Challenge & Encrypted response

• LM-LAN manager hash algorithm

Listening techniques include:

• Listens to LAN (hub-based) for password sequences & imports for analysis

• Usually works offline against a NT password DB

• Effective on switched LANs via ARP spoofing

• Can monitor VPN Point-to-Point Tunneling Protocol (PPTP) logon exchange

• Can often become administrator within days

To Safeguard Security:

• Preferably use Kerberos, then NTLM Authentication. Disable LM Authentication

• To set NTLM only in Registry key: Set NTLM Response=4

• Prevents domain controllers from accepting LM authentication requests

• Does not work for non-NT clients (such as mixed mode – with Win 95/98/ME)

• Counter line tapping with link encryption techniques.

• Avoid software which sends passwords in the clear: rlogin, telnet, POP3

• Disable unused services: telnet, alerter, clipbook, indexing service, messenger (not IM-related), remote registry, and IIS on servers that do not host a web site.

• Limit permission on Windows shares (from Everyone – Full Control or Read)

• Eliminate or reduce anonymous access

• Turn off share option from desktop computers

• Use mail packages that check for viruses.

Exploiting Software Vulnerabilities

Information Disclosure: Exposes information unintentionally

Example: Append +.htr to an active file request and IIS retrieves source code instead of executing it

>nc -vv 80

GET /site/global.asa+.htr HTTP/1.0

In this case the global.asa file lists passwords

Directory Traversal

• Using cs.uwp.edu/../../cmd.exe

Buffer Overflows

• Overflowing input buffers to corrupt system stack and cause code execution with intention of gaining access.

• Requires zero privilege

• Can exploit any node.

SQL Injection

Java Original: "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";

Inserted Password: Aa' OR ''='

Java Result: SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ''=''; (AND binds tighter than OR, so the OR clause makes the whole condition true)

Inserted Password: ' OR 1=1 --

Java Result: SELECT * FROM users_table WHERE username='anyname' AND password = '' OR 1=1 --'; (-- is a comment, so the trailing quote is ignored)

Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%

Java Result: SELECT * FROM users_table WHERE username='anyname' AND password = 'foo';DELETE FROM users_table WHERE username LIKE '%'

Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'
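The following is an added example (not from the notes or the textbook) that runs the notes' concatenated login query against an in-memory SQLite table and compares it with the parameterized form recommended under "validate input"; the table contents and the user "alice" are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the notes' users_table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    db.execute("INSERT INTO users_table VALUES ('alice', 'correct-horse')")
    return db

def login_concat(db, username, password):
    """Vulnerable: the same string concatenation as the notes' Java original."""
    sql = ("SELECT * FROM users_table WHERE username=" + "'" + username + "'"
           + " AND password = " + "'" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed SQL is treated as a failed login

def login_param(db, username, password):
    """Hardened: placeholders keep the input as data, never as SQL text."""
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

def compare(db, password):
    """Return (concatenated result, parameterized result) for one injected password."""
    return (login_concat(db, "anyname", password),
            login_param(db, "anyname", password))

if __name__ == "__main__":
    db = make_db()
    for injected in ("Aa' OR ''='", "' OR 1=1 --"):
        print(repr(injected), compare(db, injected))
```

With the concatenated query both injected passwords log in as "anyname" without knowing any password; the parameterized query rejects them and still accepts alice's real password.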

Email Worms & Viruses

• Email attachments can lie about what type they are – and may be worm or virus

• Executing the attachment gives the executable the permissions of the email receiver

To Safeguard Security:

• Use the more secure NTLM or Kerberos Authentication

• Implement Egress Filtering: Filtering packets leaving network

• Hackers often initiate outbound session from victim computers

• Patch software regularly and use updated service packs

• Ensure web page system/data is separate from other system/data

• Do not provide sensitive data in source code (e.g., no credentials in ASP code)

• Backup Policy: How often are backups run? Stored offsite?

• Password Lockouts: How are they reset? Is proof of ID used?

• Remove unused system software that is commonly exploited

• Remove unnecessary ISAPI extensions (DLLs) that handle uncommon file types

• IIS is a common source of software vulnerabilities

• Log events and monitor log!

• Log ../.. patterns

• For input forms: Check all input through a common ‘validate input’ routine OR

• Take input from OS relating to username, password – not keyed entry

• Access database for outside use with limited privileges (e.g., no insert/update/delete)

• Do not display information (stack traces) in error messages

Apply Principle of Least Privilege:

Grant minimum Permissions necessary

• Provide access to files and database segments only as necessary

• Specify as limited permissions (rwx) as possible

• Limit use of admin accounts – do not process email while in root/admin account

• Separation of Duties in System Administration – the Administrator and separate log reader.

Authenticated Attacks: Exploiting Knowledge

Authenticated Attacks:

• Escalating privilege: After obtaining a user account, next goal -> obtain Administrator status

• Installing backdoors: To ensure future access

• Covering tracks: Modifying logs

• Make vulnerability secure, so system isn’t lost to other hackers.

Privilege Escalation: Methods include

• Grabbing password hashes: Collecting the Security Accounts Manager (SAM) database (NT4) or Active Directory (Windows 2000+).

• DLL injection: Modify or replace the DLL with a Trojan (allowing back door entry)

• Spoofing LPC Port Requests: Using Local Procedure Call (LPC) to impersonate a client and access a server.

• Install rootkit: includes installing backdoor, replacing existing utilities: ps, telnet.

Grabbing Password Hashes

Four techniques:

• Booting off an alternate OS and copying the password hashes

• Copying the SAM file backup (Difficult)

• Sniffing NT authentication exchanges

• Extracting the password hashes from the SAM or Active Directory

• Done with tools; only an Administrator can do this

• For backward compatibility reasons, LM and NTLM hashes are both stored

• Disable LM hash storage by setting the NoLMHash value under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Install Trojans

• Trojan msgina.dll: saves login information

• Msv1_0.dll: Ignores SAM results but does not allow access to the SAM

Pilfering: After achieving Administration status, continuing to collect information for further conquests

Remote Control

• Command-Line Remote Control: Telnet-like ability using netcat

• Graphical Remote Control: Like teleconferencing ability – local and remote have identical screens

To Safeguard Security:

• Prevent hackers from becoming Administrators

• Establish the Administrator account as having no or few privileges, name Administrator account something else.

• Do not allow boots from floppy or CDs

• Lock up servers to prevent physical access

• Pick good passwords

• To counteract LM hashing: use 7-char or 14-char passwords

• Do not use the same password from one machine to the next. (Minimally compartmentalize passwords)

• Use non-printable ASCII characters such as CTRL-N or NUM-LOCK in password, if possible.

Password Selection

Distribution of passwords:

16.5% 1-3 characters long

14% 4 characters long

22% 5 characters all same case

19% 6 characters, lower case

15% words in dictionaries or lists of names

14% Good passwords

Techniques used to obtain password:

• Dictionaries: Specific to languages, interests, names, …

• Viewing: Over-the-shoulder, sniffing unencrypted, Trojan horse, finding written version.

• Social engineering: Tell me about your life, ethnicity, … I am your director…

• Guessing: Using knowledge of the user.

• Brute Force: Trying all combinations of letters/digits/symbols.

Brute Force Attack:

|Pattern                        |Calculation |Result            |Time at 1 ms/guess (if last password tried; 1000 ms = 1 sec) |
|American Dictionary            |            |80,000            |80 seconds   |
|1 character: lower case alpha  |26^1        |26                |< 1 second   |
|5 characters: lower case alpha |26^5        |11,881,376        |3.3 hours    |
|6 characters: lower case alpha |26^6        |308,915,776       |86 hours     |
|6 characters: alpha            |52^6        |19,770,609,664    |229 days     |
|6 characters: alphanumeric     |62^6        |56,800,235,584    |657 days     |
|6 characters: all keyboard     |80^6        |2.62144E+11       |8.3 years    |
|7 characters: alphanumeric     |62^7        |3,521,614,606,208 |111.7 years  |
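The following is an added example (not from the notes or the textbook) tying the "3 of 4 character classes" complexity rule above to the brute force table: it classifies a password's characters and computes the keyspace and worst-case search time at the table's 1 ms per guess. The minimum length of 8 and the 18-symbol class size (80 "all keyboard" minus 62 alphanumeric) are assumptions.

```python
import string

# Sizes of the four character classes in the Microsoft complexity rule.
# 26 + 26 + 10 = 62 matches the table's "alphanumeric" rows; the 18 symbols
# is an assumption derived from the table's 80-character "all keyboard" row.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 18}

def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def meets_ms_complexity(password, min_length=8):
    """Notes' rule: chars from at least 3 of the 4 classes (min_length is assumed)."""
    return len(password) >= min_length and len(char_classes(password)) >= 3

def keyspace(charset_size, length):
    """Candidate passwords: charset_size ** length (the table's Calculation column)."""
    return charset_size ** length

def seconds_to_exhaust(guesses, ms_per_guess=1.0):
    """Worst case (last guess succeeds) at the table's rate of 1 ms per guess."""
    return guesses * ms_per_guess / 1000.0

def analyse(password):
    """Keyspace implied by the password's own classes and length, plus timings."""
    classes = char_classes(password)
    size = sum(CLASS_SIZES[c] for c in classes)
    space = keyspace(size, len(password))
    secs = seconds_to_exhaust(space)
    return {"classes": sorted(classes), "charset": size, "keyspace": space,
            "avg_guesses": space // 2, "hours": secs / 3600,
            "years": secs / (365 * 86400)}

if __name__ == "__main__":
    for pw in ("abcdef", "Passw0rd!"):
        print(pw, meets_ms_complexity(pw), analyse(pw))
```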

Exercise 1:

• Assume a password is known to be between 5-9 characters, alphanumeric. How many iterations on average would it take to break the password if it is 6 characters long? If the password is 7 characters long?

Authentication can rely upon one or more of the following:

• Something the user knows: Passwords, PINs, mother’s maiden name, algorithm …

• Something the user has: Badges, keys, cards, etc.

• Something the user is: biometrics: fingerprint, voice frequency, face, …

E.g., Banks rely upon bank card & PIN

Methods of forming good passwords. Using a combination of methods is best.

|Transform                       |Illustrative Expression                                        |Password    |
|Transliteration                 |Photographic                                                   |fotografik  |
|Interweaving characters         |duke, iron                                                     |dIuRkOeN    |
|Replace letter by decimal digit |cabbage                                                        |3122175     |
|Replace decimal # by letter     |10/12/1492                                                     |j.ab.adib   |
|Shift home position on keyboard |zucchini                                                       |xivvjomo    |
|Synonym substitution            |coffee break                                                   |javA_resT   |
|Antonym substitution            |stoplight                                                      |Start-Dark  |
|Actuation of keyboard "shift"   |6/6/1944                                                       |^?^?!($$    |
|Substitute abbreviations        |relative humidity                                              |rEl*hUm     |
|Substitute acronyms             |Mothers Against Drunk Driving, National Organization for Women |MADD1now    |
|Repetition                      |pan                                                            |Pan*Pan     |
|Manipulation                    |swimshow                                                       |swiwshom!   |
|Shorten and combine             |chocolate-covered peanuts                                      |Cho-Cov.Pea |
|First characters of sentence    |I love Paris in the springtime                                 |ILPitST     |

Exercise 2:

• Develop a password based upon the following phrase: Next Week (Exam).

• Use two techniques to develop a good password.

Challenge-Response passwords

• The system issues a challenge

• The user performs one or more algorithms for its response

• Advantage: Response differs every time: Survives interception

• Example: f(x) = x+1

• Example: f(x) = Encrypt(x+secretKey)

• Example: f(a,b,c,d) = d,c,b,c
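The following is an added example (not from the notes or the textbook) of the f(x) = Encrypt(x+secretKey) form above: the system issues a fresh random challenge, the user's software answers with a keyed function of it, and a captured response is useless against the next challenge. HMAC-SHA256 stands in for "Encrypt" here, and the per-machine secret and the Server class are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

def make_secret():
    """Constructed per-machine shared secret: the secretKey in f(x) = Encrypt(x+secretKey)."""
    return secrets.token_bytes(32)

def respond(secret, challenge):
    """Client side: the response is a keyed function of the fresh challenge (HMAC stands in for Encrypt)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

class Server:
    def __init__(self, secret):
        self.secret = secret
        self.pending = None  # the one challenge currently outstanding

    def challenge(self):
        self.pending = secrets.token_bytes(16)  # fresh, unpredictable nonce each login
        return self.pending

    def verify(self, response):
        """Accept only a response to the outstanding challenge, then retire it."""
        if self.pending is None:
            return False
        expected = respond(self.secret, self.pending)
        self.pending = None  # each challenge is usable exactly once
        return hmac.compare_digest(expected, response)

def legitimate_login(server, secret):
    """Normal exchange: challenge, compute response with the shared secret, verify."""
    return server.verify(respond(secret, server.challenge()))

def replayed_login(server, secret):
    """An eavesdropper who captured one response cannot reuse it on a later challenge."""
    captured = respond(secret, server.challenge())  # observed during a real login
    server.verify(captured)                          # that login completes normally
    server.challenge()                               # later login attempt: new nonce
    return server.verify(captured)                   # replay of the old response

if __name__ == "__main__":
    key = make_secret()
    srv = Server(key)
    print("legitimate:", legitimate_login(srv, key), "replay:", replayed_login(srv, key))
```

Because each machine holds its own secret, a response computed for one machine is rejected by another, which also addresses the "different authentication sequence per machine" requirement.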

Exercise 3:

Devise a password scheme for an administrator that ensures:

1) Every machine has a different authentication sequence.

2) Can’t get in even if authentication sequence seen. (Assume you are developing password software for this one.)

Other sage advice:

• Do not give information about which piece of information failed: login name or password: “Invalid Access”

• Limit access to certain dates, or certain times of day, or to N sequential wrong attempts

• Do not replace o for 0 (zero), l for 1, s for $.

• Encrypt password files
