CSCM28 – Security Vulnerabilities and Penetration Testing
Week 4 - System Hacking
Jens Blanck
Jens Blanck CSCM28 Pen Testing 1 / 20
Recap and Today
Recap
Last week we considered enumeration, a form of targeted information gathering.
Hence, so far (reconnaissance and scanning), we have only obtained information (albeit a lot, and all very important).
Today
Today we try to gain access to target systems.
Gaining Access
We have gained information on open ports (and likely services).
But now it is crunch time, how do we gain access?
Get password:
  Brute force/dictionary/rainbow
  Eavesdropping
Escalate privileges:
  Vulnerabilities
  Horizontal/Vertical
Execute Apps:
  Key loggers
  Backdoors
  Trojans/spyware
Hiding:
  Root kits
  Clear tracks/log files
Passwords
Gaining Passwords
This is where we rely on vulnerabilities.
Type             Examples
Passive online   Wire sniffing/MiTM/replay
Active online    Phishing/trojans/spyware/SQL injection
Non-technical    Shoulder surfing/social engineering/physical access
Offline          Brute force/dictionary/rainbow
Passwords
Windows Security Account Manager (SAM)
Since Windows 2000, users' passwords have been stored using a database file known as SAM.
%SystemRoot%\system32\config\SAM
Passwords are hashed using LM/NTLM.
File encrypted with AES, key stored in similar location.
File cannot be moved or copied while Windows is running.
Sounds pretty secure!
Passwords
Accessing SAM information
However:
Decrypted, and can be dumped from memory.
c:\Windows\Repair\ may have copies.
Possible to extract files using Linux live CD or mimikatz.
Then we can start to try to attack the passwords.
Passwords
Linux Passwords
Linux stores passwords in /etc/shadow (requires root), and user information in /etc/passwd.
Fields of an /etc/shadow entry:
1 Username: It is your login name.
2 Password: It is your encrypted password in format: $id$salt$hashed. The $id is the algorithm used (e.g. blowfish).
3 Last password change: Days since Jan 1, 1970 that password was last changed.
4 Minimum: The minimum number of days required between password changes.
5 Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password).
6 Warn: The number of days before password is to expire that user is warned.
7 Inactive: The number of days after password expires that account is disabled.
8 Expire: Days since Jan 1, 1970 when the account will expire.
9 Unused:
Passwords
Salt
Salt is usually stored in plaintext.
The reason we use salts is to stop precomputation attacks, such as rainbow tables.
These attacks involve creating a database of hashes and their plaintexts, so that
hashes can be searched for and immediately reversed into plaintext.
However, salts do not really help if we are targeting one password via brute force.
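An added example (not from the slides) that parses the nine /etc/shadow fields described above, pulls the $id$salt$hashed password field apart so the cleartext salt is visible, and flags the settings an auditor looks for first: empty password fields, weak hash algorithms, and passwords that never expire. The sample lines are constructed, not taken from a real system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample /etc/shadow lines (not from a real system); the nine
# colon-separated fields are the ones listed on the slide.
SAMPLE_SHADOW = """\
root:$6$abcdefgh$9xQ2m7Lk5vT8sWz1YbN4cRd6fHj0pUe3:19000:0:99999:7:::
alice:$1$saltsalt$Qm7Lk5vT8sWz1YbN4cRd6:18500:0:90:7:14::
bob::19100:0:99999:7:::
daemon:*:17000:0:99999:7:::
svc:!:19200:0:99999:7:::
"""

# crypt(3) $id$ values; $1$ (MD5) and the 13-character DES form are weak.
ALGORITHMS = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256", "6": "sha512", "7": "scrypt", "y": "yescrypt"}
WEAK_ALGORITHMS = {"md5", "des"}
HASH_RE = re.compile(r"^\$([^$]+)\$(.*)\$([^$]+)$")  # $id$salt$hashed

@dataclass
class ShadowEntry:
    name: str
    algorithm: str        # "empty", "locked", "des" or a name from ALGORITHMS
    salt: str             # stored in the clear, as the Salt slide notes
    max_days: Optional[int]

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, max_days = fields[0], fields[1], fields[4]
    if pw == "":
        algorithm, salt = "empty", ""          # login needs no password at all
    elif pw[0] in "!*":
        algorithm, salt = "locked", ""         # "!"/"*" prefix: no valid hash
    elif (m := HASH_RE.match(pw)):
        algorithm, salt = ALGORITHMS.get(m.group(1), "unknown"), m.group(2)
    else:
        algorithm, salt = "des", pw[:2]        # traditional DES: 2-char salt
    return ShadowEntry(name, algorithm, salt, int(max_days) if max_days else None)

def audit_shadow(text: str) -> List[Tuple[str, str]]:
    # Return (account, finding) pairs a pentester would report.
    findings = []
    for line in text.splitlines():
        e = parse_shadow_line(line)
        if e.algorithm == "locked":
            continue
        if e.algorithm == "empty":
            findings.append((e.name, "empty password field"))
            continue
        if e.algorithm in WEAK_ALGORITHMS:
            findings.append((e.name, f"weak hash algorithm {e.algorithm}"))
        if e.max_days is None or e.max_days >= 99999:
            findings.append((e.name, "password never expires"))
    return findings
```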
Passwords
Cracking Passwords
Hashcat: Fastest and most advanced password "recovery" tool. Supports GPU based cracking.
https://hashcat.net/hashcat/
John the Ripper: Popular CPU hash cracker.
https://github.com/magnumripper/JohnTheRipper
Feasible? Yes! Modern GPUs can hash billions of times per second: an 8 character alphanumeric password in less than 4 minutes.
Gaining Network Access
Where are we?
From our scanning and enumeration phase we have:
IP addresses
Vendor/product information for access points.
Information on default (perhaps random) network keys.
Possibly MAC addresses.
What would we like? Access to a wireless network would be a good start.
Gaining Network Access
Aircrack-ng
Aircrack-ng is a complete suite of tools to assess WiFi network security:
Monitoring: Packet capture and export of data to text files for further processing by third party tools.
Attacking: Replay attacks, de-authentication, fake access points and others via packet injection.
Testing: Checking WiFi cards and driver capabilities (capture and injection).
Cracking: WEP and WPA PSK (WPA 1 and 2).
Gaining Network Access
WPA/WPA2
Idea: Never disclose PSK/PMK (pre-shared key, pairwise master key); instead compute PTK (pairwise transient key).
1 AP sends ANonce to client (random integer).
2 Client uses ANonce and PMK to generate PTK. Sends SNonce and MIC (message integrity code).
3 AP sends MIC and GTK (group temporal key, for broadcast traffic) to client.
4 Client sends back ACK.
Notice:
MIC verification is how AP checks the validity of PTK (and, consequently, the password).
Chances of a password producing a PTK that is valid (relevant part) are really low: 2^-128.
For details see: https://en.wikipedia.org/wiki/IEEE_802.11i-2004
Gaining Network Access
Cracking WEP/WPA/WPA2
Overall, 4-way password "cracking" works like this:
1 4-way handshake is parsed to get AP and STA MAC addresses, AP and STA nonces, and MIC.
2 Candidate password is used to compute PMK.
3 PTK is computed from PMK, AP and STA addresses and nonces.
4 PTK is used (with other parts) to compute MIC.
5 Computed MIC is compared to the MIC obtained at step 1. If they match then candidate password is reported as correct.
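The PMK, PTK and MIC chain from the WPA/WPA2 slide, carried through steps 2 to 5 above for a single candidate passphrase, as an added example that is not part of the slides or of Aircrack-ng. The SSID, MAC addresses, nonces and EAPOL frame are constructed stand-ins for what step 1 would parse out of a real capture; the derivations themselves follow IEEE 802.11i.

```python
import hashlib
import hmac

# Constructed stand-in for a captured handshake (not a real capture): SSID,
# AP and STA MAC addresses, both nonces, and the client's EAPOL message 2
# with its 16-byte MIC field zeroed, as a cracker prepares it before step 4.
SSID = b"CSCM28-lab"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = bytes.fromhex("0103005f02010a00000000000000000001") + SNONCE + bytes(50)


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    # Step 2: 802.11i passphrase-to-PSK mapping, PBKDF2-HMAC-SHA1, 4096 rounds.
    # These rounds are why a WPA2 guess costs far more than an NTLM guess.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i).
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    # Step 3: the PTK binds the PMK to both addresses and both nonces (ordered).
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def mic_for(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    # Step 4: the KCK (first 128 bits of the PTK) keys the MIC over the frame.
    # WPA2 uses HMAC-SHA1 truncated to 128 bits; the original WPA used HMAC-MD5.
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


def verify_candidate(passphrase: str, ssid: bytes, ap_mac: bytes, sta_mac: bytes,
                     anonce: bytes, snonce: bytes, eapol_frame: bytes,
                     captured_mic: bytes) -> bool:
    # Step 5: a match between recomputed and captured MIC identifies the
    # passphrase; a wrong guess matches only with probability 2^-128.
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(mic_for(ptk[:16], eapol_frame), captured_mic)


def expected_mic(passphrase: str) -> bytes:
    # For the constructed handshake only: the MIC the client would have sent,
    # standing in for the value a real capture would contain.
    pmk = pmk_from_passphrase(passphrase, SSID)
    ptk = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return mic_for(ptk[:16], EAPOL_MSG2)
```

The cost per candidate is dominated by the 4096 PBKDF2 rounds, which is why the feasibility numbers from the password-cracking slide do not carry over directly to WPA2 and why a long, non-dictionary passphrase remains the effective defence.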
Gaining Network Access
Aircrack demo
Access Via Vulnerabilities
OWASP Top 10
We’ll look at some of these vulnerabilities later.
Rootkits
Root Kit – What it is
Once we have gained access, it would be great to keep it!
Rootkits intercept and change standard operating system processes, in order to enable access.
Example: If you list all programs that are running, a rootkit might stealthily remove some programs from the list.
Used by malware to avoid detection.
Rootkits
Types
User-Mode: User-Mode rootkits are given administrative privileges on the computer they run on. They are able to modify any files and resources and will start whenever the computer boots.
Kernel-Mode: Rootkits running in kernel mode run at the same level as the operating system. Kernel level rootkits disguise themselves by intercepting system calls and returning expected information, concealing their presence.
User/Kernel Hybrid: Hybrid rootkits attempt to combine the above. This style of rootkit is one of the most common in existence currently.
Firmware Level: Hidden in firmware. Able to reinstall themselves on booting. Certain hard disk rootkits have been found that are capable of reinstalling themselves after a complete system formatting and installation.
Rootkits
A Famous Example
Sony made headlines in late 2005!
DRM software would hide under the Operating System level and would secretly send data back to Sony concerning activity on the user's computer.
It left large security holes in the Windows operating system: hackers could easily create patches for the Sony root kit that would allow them to gain control of the user's system.
The incident resulted in lawsuits against Sony and resulted in them having to pull CDs which contained the rootkit off the shelves.
Rootkits
Detection and Removal
Alternative medium: Shut down the computer and check its storage. The rootkit cannot actively hide.
Behavioural-based: Looking for rootkit-like behaviour. For example, differences in the timing and frequency of API calls. (Complex!)
Signature-based: Signature-based detection methods can be effective against well-published rootkits (but rootkits may kill your AV).
Integrity checking: Code signing uses public-key infrastructure to check if a file has been modified since being digitally signed by its publisher. (On every call?)
Removal: Tools/Windows advice: format!
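An added detection example (not from the slides) for the hidden-process case from the "What it is" slide: a rootkit that filters the process list has to lie consistently in every view of the system, so comparing the /proc directory listing with a direct kill(pid, 0) probe of every PID exposes entries that were dropped from one view but not the other. It assumes a Linux host with procfs mounted at /proc.

```python
import os
from typing import Optional, Set

PROC = "/proc"  # Linux only: this check assumes procfs is mounted here


def pid_max() -> int:
    # Upper bound of the PID space; fall back to the classic default.
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def listed_pids() -> Set[int]:
    # High-level view: what ps and friends see when they read the /proc listing.
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def probed_pids(limit: int) -> Set[int]:
    # Low-level view: ask the kernel about every PID directly with kill(pid, 0).
    # ESRCH (ProcessLookupError) means absent; EPERM means present but not ours.
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def is_thread(pid: int) -> bool:
    # kill() also answers for thread ids, which readdir(/proc) never lists, so
    # look the id up by name: a Tgid different from the id marks a thread.
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def hidden_pids(limit: Optional[int] = None) -> Set[int]:
    # Cross-view difference: ids the kernel confirms but /proc does not list.
    # Two passes discard processes that merely started or exited between scans.
    limit = limit or pid_max()
    candidates = probed_pids(limit) - listed_pids()
    if candidates:
        candidates &= probed_pids(limit) - listed_pids()
    return {pid for pid in candidates if not is_thread(pid)}
```

Run it as root: with /proc mounted using hidepid, other users' processes are legitimately invisible to an unprivileged caller and would be reported as hidden.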
Summary
Explore system hacking:
  Password cracking
  Gaining network access
  Rootkits
Lab: Passwords and rootkits.
Next week: Common vulnerabilities.