System Hacking (Gaining Access) Additions to CEH ed 8, Rev 4 CS3695 – Network Vulnerability Assessment & Risk Mitigation–

Jan 08, 2018

Diana West
Page 1: System Hacking (Gaining Access) Additions to CEH ed 8, Rev 4

CS3695 – Network Vulnerability Assessment & Risk Mitigation

Page 2: System Hacking

Into Gaining Access

Page 3: System Hacking

Page 4: Creating Passwords

• Before we go into grabbing passwords, let's see how they are created and stored
• Again, differs by OS...
• Usually not stored in the clear, but in general are “hashed” (a one-way algorithm is applied) such as DES and MD5

Page 5: Creating Strong Passwords

• A strong password is one that will defeat even a brute force attack that uses a “super” computer
• Why? Because the math is in your favor
  – Character_set_size to the power of number_of_characters
  – For example: a password created with three lower-case only characters (a..z) has…
    • 26^3 = 26 x 26 x 26 = 17,576 possible variations
  – You should draw from a large character set, and...
  – Make your passwords longer -- at least 8 characters, more would be even stronger

Page 6: Time to Discover Comparison (OLDER #s, Early 2007)

Character set                      | if 8 characters       | if 12 characters
a..z only                          | 26^8  -> ~2 days      | 26^12 -> ~3,000 yrs
a..z, and 0..9                     | 36^8  -> ~33 days     | 36^12 -> ~150,000 yrs
a..z, A..Z, 0..9, and !@#$%^&*()   | 72^8  -> ~23 yrs      | 72^12 -> ~615,000,000 yrs

All times above are based upon a notional password checking speed of one million checks per second. Numbers are rounded to enhance readability.

Page 7: Time to Discover Comparison

All times above are based upon a notional password checking speed of 2.8 Billion checks per second (2011 numbers, graphic cards, non-distributed). Numbers are rounded to enhance readability.

Using a BOTNET of 500,000 computers with high-end graphic cards could take this down to 4 months.

Page 8: Time to Discover Comparison (the difference 6 yrs can make)

All times above are based upon a notional password checking speed of 8 Billion checks per second (2013 numbers, graphic cards, non-distributed). Numbers are rounded to enhance readability.

Using a BOTNET of 500,000 computers with high-end graphic cards could take this down to 1.5 months.

Page 9: 12 Character Passwords Too Hard???

Page 10: Passwords “Hacked” Individually

• Of course, none of this math helps when someone is willing to give their password away (as in phishing).

Page 11: Creating UNIX Pwds

• Password hashes are created by:
  – The user types in a password
    • Used to be limited to 8 chars represented via the 7-bit ASCII set
      – There were 128 characters that could be used; this leads to over 72,000,000,000,000,000 possible passwords
  – That password is then combined with a system/host unique “salt” (a type of nonce)
    • pwd+salt
    • There are 4096 different possible salt values

Page 12: UNIX continued

• This combo (pwd+salt) becomes the key for the hashing (DES or MD5)
• The value “0” (zero) is then hashed with this key, producing a 13-character string (the first 2 of which are the salt), composed of 64 possible characters (upper & lower case letters, numbers, the “.” and “/”)
• This hash is then stored with the user account in a password file (/etc/passwd)

Page 13: UNIX continued

• This file (passwd) is readable by everyone (for login purposes)
• The administrator may decide to “shadow” the hashes in a separate file (/etc/shadow) readable only by root, for greater protection
• To “crack” these passwords, we need these files!
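To make the passwd/shadow fields from pages 11 to 13 concrete, here is an added example (not from the slides) that parses constructed entries, classifies each password field (traditional 13-character DES hash, MD5 `$1$` hash, shadowed placeholder, empty or locked), and decodes the two salt characters of a DES hash into their 12-bit value, which is where the 4096 possible salts come from. The sample entries and hash strings are constructed, not real.

```python
"""Classify crypt(3)-style password fields (added example, not from the slides; samples are constructed)."""

CRYPT64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # ".", "/", 0-9, A-Z, a-z

def is_des_hash(field: str) -> bool:
    """13 characters, all drawn from CRYPT64: the format described on page 12."""
    return len(field) == 13 and all(c in CRYPT64 for c in field)

def des_salt_value(field: str) -> int:
    """Decode the first two characters (the salt) into a 12-bit number.
    Each character carries 6 bits, so 64 * 64 = 4096 possible salts (page 11)."""
    assert is_des_hash(field), "not a traditional 13-character DES crypt string"
    return (CRYPT64.index(field[0]) << 6) | CRYPT64.index(field[1])

def classify_hash(field: str) -> str:
    if field == "x":            # placeholder: the hash lives in /etc/shadow
        return "shadowed"
    if field == "":             # no password at all
        return "empty"
    if field[0] in "*!":        # locked account, no valid hash
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt"
    return "des" if is_des_hash(field) else "unknown"

def parse_entries(text: str) -> list:
    """Parse colon-separated lines: field 0 is the user, field 1 the password field."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        entry = {"user": user, "kind": classify_hash(field)}
        if entry["kind"] == "des":
            entry["salt"] = des_salt_value(field)
        entries.append(entry)
    return entries

def weak_entries(entries: list) -> list:
    """Accounts a defender should flag: empty passwords and legacy DES hashes."""
    return [e["user"] for e in entries if e["kind"] in ("empty", "des")]

# Constructed entries in passwd/shadow layout; the hashes are not real
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:$1$Zs3k9aXq$NOTAREALHASHQ4f5ApXg3X:17539:0:99999:7:::
bob:ab0123456789.:17539:0:99999:7:::
guest::17539:0:99999:7:::
svc:*:17539:0:99999:7:::
"""
```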

Page 14: Macintosh OS X

• Remember that this is FreeBSD underneath
• Also, on modern Unix systems, passwords are shadowed, which means only the administrator has access to them.
• The /etc directory has the passwd and shadow files, but they are NOT used (see later slides).
• The password file is readable by everyone and the shadow file, the one that keeps the encrypted password, is limited to the root account only.

Page 15: Mac OS X

• On Mac OS X, there is a passwd file in /etc but it is only used in single-user mode; the rest of the info is located elsewhere, accessible to the administrator only.

Page 16: Mac OS X 10.1-10.6

• As it turns out, the NetInfo manager handles the user access to databases that hold information on:
  – Aliases, Groups, Machines, Mounts, Networks, Printers, Protocols, Rpcs, Services, & Users
• This can be seen if you open NetInfo Manager in the Utilities directory.

Page 17: Mac OS X 10.1-10.6

• There is command line access to the NetInfo manager:
  – nidump
• This can be used to access the passwd file (and the hashes)...
  – nidump passwd /
  – man for more info on nidump.
• May have been fixed in version X.3
  – tried this on 10.3.5 and still works :-)
  – Only new passwords created on 10.3.5+ will be fixed..

Page 18: Mac OS X 10.7+

• A user creates an account, and then the encrypted hash of the user's password file, their "Shadow" file, is saved in a .plist file
  – located in /var/db/dslocal/nodes/Default/users
• However, one major flaw was overlooked. Non-root users cannot directly view hash data, but rather, they can extract it from Directory Services.

Page 19: Mac OS X 10.7+

• To see hash data, invoke Directory Services using the /Search/ path like so: dscl localhost -read /Search/Users/<root user>
• Now, in the terminal output you should see a line in there that says: dsAttrTypeNative:ShadowHashData:
  – Look at the bytes below it.
  – Bytes 28-32 are the password salt (4 bytes are in each octet), and bytes 32-96 are the SHA512 hash.
  – Load the hash into a password cracker for SHA512 hashes with 4 byte salts

Page 20: Creating Windows Pwds

• Windows is a little different...
• It creates TWO representations of the password
  – Newer NT-specific algorithm
  – Older (for compatibility) LanMan hash
    • used for Win 9x and Windows for Workgroups
    • This older algorithm has been broken (reverse engineered) and is therefore easier to break
    • Finally turned off by default in Windows 7, Server 2008

Page 21: LanMan Hashes

• Weakness of the LM hash is the separation of the password into two seven-character password halves
  – Thus an 8 char password is broken down into a 7 char and a 1 char password... much easier to break 7 chars than 14!

Page 22: Example of LanMan Hash

• So pwd 123456qwerty becomes:
  – convert to all upper case: 123456QWERTY
  – Split: 123456Q and WERTY_ _ (spaces to fill 7)
  – 123456Q is hashed to 6BF11E04AFAB197F
  – WERTY is hashed to 1E9FFDCC75575B15
  – stored as 6BF11E04AFAB197F1E9FFDCC75575B15
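An added example (not from the slides) that turns the two-halves weakness of pages 20 to 22 into a defensive audit: it reads pwdump-style lines (`user:rid:LMHASH:NTHASH:::`, the layout assumed here) and reports accounts that still store a real LanMan hash, using the well-known value `AAD3B435B51404EE`, the LM hash of an empty 7-character half, to tell "no LM hash stored" from "password of 7 characters or fewer". The sample dump is constructed; the one realistic LM value is the slide's own 123456qwerty example, and the NT hashes are placeholders.

```python
"""Audit pwdump-style hash dumps for LanMan exposure (added example, not from the slides).
Lines are assumed to use the layout user:rid:LMHASH:NTHASH::: and are constructed here."""
import re

# LM hash of an empty 7-character half. An LM field made of two of these means no LM
# hash is stored at all (LM disabled, or the password is longer than 14 characters).
EMPTY_HALF = "AAD3B435B51404EE"
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32}):")


def audit_lm(lm_hash: str) -> dict:
    """Describe what an LM field reveals, based only on its two 16-hex-digit halves."""
    first, second = lm_hash[:16].upper(), lm_hash[16:].upper()
    return {
        "lm_stored": not (first == EMPTY_HALF and second == EMPTY_HALF),
        # real first half but empty second half: the password is 7 characters or fewer
        "at_most_7_chars": first != EMPTY_HALF and second == EMPTY_HALF,
    }


def lm_findings(dump_text: str) -> list:
    """One finding per account that still has an LM hash stored.
    Remediation is the 'Do not store LAN Manager hash value on next password change'
    policy plus a password change for every flagged account."""
    findings = []
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        result = audit_lm(m["lm"])
        if result["lm_stored"]:
            findings.append({"user": m["user"], "rid": int(m["rid"]), **result})
    return findings


# Constructed dump: the first LM value is the slide's 123456qwerty example; NT hashes are placeholders
SAMPLE_DUMP = """\
qwerty_user:1001:6BF11E04AFAB197F1E9FFDCC75575B15:00000000000000000000000000000001:::
short_user:1002:0123456789ABCDEFAAD3B435B51404EE:00000000000000000000000000000002:::
modern_user:1003:AAD3B435B51404EEAAD3B435B51404EE:00000000000000000000000000000003:::
"""

if __name__ == "__main__":
    for f in lm_findings(SAMPLE_DUMP):
        print(f"{f['user']} (RID {f['rid']}): LM hash stored; <=7 chars: {f['at_most_7_chars']}")
```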

Page 23: SAM File

• NT & 2000 store the user account and password info in the SAM (Security Account Manager) file.
  – usually found in the %systemroot%\system32\config directory
  – NOTE: it's LOCKED while the OS is running and NOT readable even by Administrator

Page 24: Getting SAM Data

• Some ways to get SAM data for later cracking:
  – Boot the system (host) into another OS
    • special tools to do this such as NTFSDOS & Knoppix STD
  – Grab the backup of the SAM file
    • found in the %systemroot%\repair directory
    • it's compressed and called sam._
      – will need to be decompressed with special programs
        » c:\windows\system32\expand sam._ sam
    • It can be created, if not there, with the NT repair disk program rdisk with the /s argument

Page 25: Getting SAM Data continued

• Continuing ways to get SAM data for later cracking:
  – Specialty programs that extract the hashes directly from the SAM
    • pwdump3
      – requires a shell with admin access on the remote host!
  – Eavesdropping on network username/password exchanges
    • L0phtcrack, dsniff, Cain & Abel can do this for you

Page 26: Getting SAM Data continued

• Continuing ways to get SAM data for later cracking:
  – NT security log for failed logons
    • People sometimes mistakenly type their password in the user box
  – Keystroke capturing devices
  – Backup disks
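The failed-logon leak above is something a defender can hunt for: this added example (not from the slides) scans constructed failed-logon records for account names that are not real accounts and look like passwords, and produces a redacted copy of the log safe to hand around. The log format, the account list and the password-likeness heuristic are assumptions of the example.

```python
"""Find failed-logon records whose "user" field may actually be a typed password.
Added example, not from the slides; the log lines, their format and the account list are constructed."""
import re

# Constructed sample log: one failed logon per line, in an assumed key=value layout
SAMPLE_LOG = """\
2018-01-08 09:12:01 FAILED_LOGON user=jsmith src=10.0.0.5 reason=bad_password
2018-01-08 09:12:09 FAILED_LOGON user=Winter2018! src=10.0.0.5 reason=unknown_user
2018-01-08 09:13:44 FAILED_LOGON user=administrator src=10.0.0.9 reason=bad_password
2018-01-08 09:14:02 FAILED_LOGON user=jsmtih src=10.0.0.5 reason=unknown_user
2018-01-08 09:15:30 FAILED_LOGON user=correct-horse-battery src=10.0.0.7 reason=unknown_user
"""
KNOWN_ACCOUNTS = {"jsmith", "administrator", "guest"}   # assumed directory of valid names
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) FAILED_LOGON user=(?P<user>\S+) src=(?P<src>\S+) reason=(?P<reason>\S+)$")


def looks_like_secret(name: str) -> bool:
    """Heuristic: an unknown name with password-like traits (8+ chars, 2+ character classes).
    A plain typo of a real user name (jsmtih) stays below the threshold."""
    if name.lower() in KNOWN_ACCOUNTS:
        return False
    classes = sum(bool(re.search(p, name)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(name) >= 8 and classes >= 2


def suspicious_failed_logons(log_text: str) -> list:
    """Records whose user field was rejected as unknown and looks like a secret."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["reason"] == "unknown_user" and looks_like_secret(m["user"]):
            hits.append({"ts": m["ts"], "src": m["src"], "user": m["user"]})
    return hits


def redact(log_text: str) -> str:
    """Copy of the log with the suspected secrets replaced, for safe sharing."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["reason"] == "unknown_user" and looks_like_secret(m["user"]):
            line = line.replace(f"user={m['user']}", "user=<redacted>")
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for hit in suspicious_failed_logons(SAMPLE_LOG):
        print(f"{hit['ts']} from {hit['src']}: possible password in user field, redact it")
    print(redact(SAMPLE_LOG))
```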

Page 27: AD vs. LDAP vs. Kerberos

• Kerberos
  – Authentication and Access Granting Service
• Active Directory (AD)
  – Windows database
    • Query for access control to objects, for example
• Lightweight Directory Access Protocol (LDAP)
  – Protocol for clients to query and manage information in a Directory Service (like AD)
    • TCP port 389

Page 28: Working Together

• AD: Access Control
  – Authorizes access to objects stored locally or in LDAP
• LDAP: Protocol for querying access permissions
  – Can store passwords
• Kerberos: Authentication
  – Used to authenticate a user
    • LDAP can also do this directly without Kerberos
  – SAM password file accessed by Kerberos

Page 29: System Hacking is the 4th Step

• Remember…
  – Registered names lead to IP addresses
  – IP addresses lead to ports
  – Ports lead to services
  – Services lead to…
    • Versions of
      – Applications
      – OS
      – Services
    • User Accounts
    • Shares
  – Versions lead to exploits and access…
  – Access leads to higher privileges…

(Phases, in order: Foot-printing… Scanning… Enumeration… Gaining Access… Escalation…)