CNS320 Lesson 6 – Exploitation

Lesson 6 – Exploitation

  • If you have the ability to listen to traffic on the network (on an open WiFi access point or an old network using hubs, for instance), you could easily find poorly-protected passwords going over the wire.  Services like telnet, FTP, and badly-written websites can transmit passwords in plain text over unencrypted channels.
  • The other option, if the network doesn’t allow you to sniff all traffic, is to make the traffic come through you!  A man-in-the-middle (MiTM) attack means you get in between your victim and the target you want to access, so you can sniff passwords or other sensitive info.  More on this subject to come.
  • A complement to a MiTM attack, or to other attacks we’ll talk about later like cross-site scripting (XSS) or pass-the-hash, is a replay attack.  If a system has poor session management or authentication processes, you might be able to capture a hash, access token, session cookie, or similar and just send it to the server, letting you in without ever having to guess or crack your victim’s password.
  • An active online attack would be password guessing, where you connect to the system, web app, etc. and try different passwords.

  • Offline attacks mean that you’ve captured password hashes, either by stealing the authentication database from a web app, the Windows SAM file, the Linux shadow file, or similar.  The passwords are stored in a cryptographic hash format, meaning they’ve been run through a one-way algorithm to generate a fixed-length hash (which usually looks like hexadecimal gobbledegook).  The way to crack hashes is to run different words or strings of characters through the same hashing algorithm (such as NTLM for Windows, MD5 for most web apps, etc.), and if you get a match against the stolen hash, then you know that word or string of characters is the password.
  • A dictionary attack is just what it says: take a dictionary of words, common passwords, or what-have-you and throw it against the system.  It is the most common and the most effective type of attack.  Kali Linux has several dictionaries in the /usr/share/wordlists directory.  One of the most widely-used is the RockYou list, which is a dump of millions of real-world passwords that were used by users of a popular gaming site that was compromised in 2009.  You’ll also find other wordlists and dictionaries in other apps’ directories in the /usr/share tree.
  • Brute-forcing is trying every possible character combination until you find the password.  In essence, you start at “a”, then try “b”, eventually you work up to “aa”, and so on.  In the end, brute forcing will always win…it’s simply a matter of whether it’ll take minutes or centuries to finally guess your password.
  • Hybrid attacks are anything in between.
  • Rainbow tables (AKA precomputed hashes) are just huge lists of millions or billions of different password hashes for you to throw against a certain system (like a list of every possible NTLM hash to try against Windows or every MD5 hash to try against a web app’s stolen password database).  The idea is that you spend the time up-front generating all the possible hashes so that you can then quickly use it against multiple targets.
  • Syllable attacks are a combination of dictionary and brute-forcing, where you might try different permutations of dictionary words (like “password” > “password1” > “p@ssw0rd” etc.)
  • Rule-based attacks are where you have some sort of intelligence about the password policy.  For example, you know that passwords on the system have to be between 8 and 12 characters long, have to have one upper-case and one lower-case letter, and only allow “!” or “@” for special characters.  You could then tailor the attack to only try out guesses that match those rules, e.g., you wouldn’t waste time trying a password like “passwd” or “pa$$word”.
  • A distributed attack could be any of the above, except that instead of just one computer trying to crack the password, multiple machines in parallel might each be trying to crack it, each of them divvying up the workload.  This is usually facilitated with a botnet.
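As an added illustration (not part of the lecture notes) of the offline attacks listed above, the Python below runs a dictionary attack with hybrid mutations and the rule-based filter from the policy example against constructed, unsalted MD5 hashes, then contrasts that with a salted hash, where a table precomputed ahead of time is no help. The wordlist, policy rules and hashes are all made up here; nothing is taken from a real dump.

```python
import hashlib

# Constructed stand-in for a wordlist such as /usr/share/wordlists/rockyou.txt.
WORDLIST = ["letmein", "summer", "password", "dragon"]

def md5_hex(text: str) -> str:
    """Unsalted MD5, the kind of hash the notes say many web apps stored."""
    return hashlib.md5(text.encode()).hexdigest()

def mutations(word: str):
    """Yield the word and the variants a syllable/hybrid attack would try:
    capitalised, leet-speak, and common suffixes appended to each base."""
    bases = [word, word.capitalize(),
             word.replace("a", "@").replace("o", "0").replace("s", "$")]
    for base in dict.fromkeys(bases):          # de-duplicate, keep order
        yield base
        for suffix in ("1", "123", "!", "1!"):
            yield base + suffix

def matches_policy(candidate: str) -> bool:
    """Rule-based pruning for the policy in the notes: 8-12 characters, at
    least one upper- and one lower-case letter, only '!' or '@' as specials."""
    if not 8 <= len(candidate) <= 12:
        return False
    specials = {c for c in candidate if not c.isalnum()}
    return (any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and specials <= {"!", "@"})

def crack_unsalted(targets, wordlist=WORDLIST, policy=None):
    """Dictionary attack: hash each candidate once and look it up in the whole
    set of stolen hashes. Returns {hash: plaintext} for every hash recovered."""
    found = {}
    for word in wordlist:
        for cand in mutations(word):
            if policy and not policy(cand):
                continue                       # skip guesses the policy forbids
            digest = md5_hex(cand)
            if digest in targets:
                found[digest] = cand
    return found

def crack_salted(target, salt, wordlist=WORDLIST):
    """With a per-user salt the salt must be hashed with every guess, so a
    table of unsalted hashes is useless and each target costs a fresh pass."""
    for word in wordlist:
        for cand in mutations(word):
            if md5_hex(salt + cand) == target:
                return cand
    return None
```

The unsalted run recovers every target in one pass over the wordlist, which is exactly why salting and a slow hash matter to the defender.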

  • Shoulder surfing is when an attacker tries to get close to a victim as they are inputting their password and watches the keys pressed.
  • Keyboard sniffers are hardware- or software-based tools that capture the keystrokes a user types, which an attacker can then read to learn the victim’s password.
  • To paraphrase Kevin Mitnick, why spend hours cracking hashes when users will just give you their passwords?  We’ll cover social engineering more later.

  • John the Ripper is one of the oldest and most widely-used password cracking tools.  It can quickly perform dictionary or brute-force attacks on password hashes.
  • Hashcat is a newer program that offers various types of dictionary, brute-force, and hybrid attack options.  It can also utilize the GPU graphics cards in computers for extremely-fast cracking.
  • Cain and Abel is a Windows-only all-in-one hacking tool.  Password hash cracking is one of its many features.
  • Ophcrack and L0phtcrack are both famous Linux-based tools for cracking Windows LM and NTLM hashes.
  • RainbowCrack is, you guessed it, used to generate rainbow tables and crack hashes against them.
  • There are many other password cracking tools out there, many tailored to specific sorts of password hash formats.

  • THC Hydra is the old gold-standard for brute forcing everything from SSH to FTP to online forms to Cisco appliances.  It takes a user or list of users, then a wordlist of potential passwords, and will go to work brute-forcing logins.
  • Medusa is a work-alike to Hydra that’s meant to be faster and more stable.
  • CeWL is a custom wordlist generator.  It can spider a target’s website(s) and use the information it gathers to build customized wordlists of potential passwords to try out.
  • Burp Suite, WebScarab, and ZAP are all HTTP/S intercept proxies that can be used to attack web logins.  We’ll talk more about them in our lessons on web vulnerabilities.

  • The SAM is well-known for having local usernames and hashes stored in it; if you also have the SYSTEM and SECURITY hives with it, you also get access to cached Active Directory hashes, password history, and other valuable intel.
  • Active Directory Domain Controllers have a domain-wide password hash database called NTDS.dit.  If you get NTDS.dit, you have the hashes of every user in the domain.
  • SAM, SYSTEM, and SECURITY are stored in C:\WINDOWS\system32\config\ and the NTDS.dit file is stored in C:\WINDOWS\ntds\.
  • You can’t normally get to the SAM, SYSTEM, and SECURITY files while a Windows machine is turned on, but you can steal them out of memory or from Volume Shadow Service (VSS) backup copies, if they exist.  If you have physical access, you can turn the machine off, boot it from a Linux LiveCD or LiveUSB, mount the Windows hard drive, and steal the files.

  • There are lots of tools that will try to dump the SAM file, either out of memory or out of Volume Shadow Service (VSS) backup copies, including pwdump, fgdump, and others.  There’s a cat-and-mouse game between these tools and antivirus detection engines, so they’re constantly being updated, changed, or new ones written.
  • chntpw is a Linux utility you can use, once you have mounted a hard drive with Windows on it, to steal hashes or overwrite them with your own.
  • NTDSXtract is for stealing hashes from NTDS.dit files.
  • Kon-Boot used to be a free tool that is now for-pay, unfortunately.  You would boot it from a CD or USB stick, it would run first, then it would boot Windows and act as a man-in-the-middle rootkit, allowing you to completely bypass the password screen and gain instant access to a Windows workstation.
  • Volume Shadow Service (VSS) is a Windows service that takes backup snapshots of the running Windows OS.  If you have admin-level privileges, you can often find backup copies of the SAM and other important files in here.  There are numerous tools available to automate this.
  • As mentioned, you can just boot Linux from a CD or USB on the victim machine, mount the Windows drive, and steal the files that way.

  • WMIC = Windows Management Instrumentation Command-Line
  • Example: “wmic qfe get Caption,Description,HotFixID,InstalledOn” would list all the hotfixes and security patches applied to that Windows install.

  • As you’ll see, there are a lot of things that can go wrong with Linux, especially with regard to privilege escalation via setuid or sudo.

  • When Linux systems crash, they often “dump core”, writing the contents of the process’s memory into a file for the purpose of diagnosing what caused the crash.
  • Users of SSH will have a hidden directory called .ssh automatically created in their home folder.  This could contain key files that they use to log in to other servers.

  • Cron is the task scheduling system used by most Linux/Unix systems.  Unfortunately, cron jobs can be all over the place, depending on who or what is scheduling them; hence all the different places you have to look.

  • Hence why dd is sometimes said to stand for “disk destroyer” 🙂

  • Example: you hacked an account with sudo rights, but all it can do is use sudo to execute a script called “”.  Just delete the script (rm, then link the old name to a shell (ln /bin/bash, then run it with sudo permission (sudo ./ and bam, you have root!
  • Another one is if you’re granted sudo rights to some sort of program that can edit files, like nano, vim, or even a hex editor.  You can then run it and change the sudoers file to expand that compromised account’s rights or grant rights to another account of your choosing.

  • Normally, in Linux and Unix, when you run a program, it runs with your own level of permissions.  But some programs need to run at a higher level of privilege in order to use special OS services, like the “mount” utility that has to interact with the kernel to mount new filesystems.  Instead of giving everyone root permissions, you can just give the program the “setuid” access right so that when normal users run it, it’s as if root was running it.
  • An example of exploiting this would be if a text editor owned by root had the setuid attribute set.  If you ran it, you could then go edit the sudoers file, open up and read the shadow file, or otherwise get access to sensitive files beyond your access level.
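An added example, not from the lecture, that covers both the sudo rules in the earlier bullets and the setuid case just described from the auditing side: two helpers that flag sudoers rules granting a root-run file editor, an unrestricted command, or a command named by a relative path (the replaceable-script case), and root-owned setuid files, with editors called out. The sudoers text and the file list are constructed, and FILE_EDITORS is a hypothetical short list built from the programs the notes mention.

```python
import stat
# Programs the notes name as able to edit any file when run as root, plus shells.
FILE_EDITORS = {"nano", "vim", "vi", "hexedit", "bash", "sh"}

# Constructed sudoers fragment (not from any real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/vim
bob     ALL=(root) backup.sh      # relative name: the file can be swapped out
carol   ALL=(ALL) /usr/bin/systemctl status nginx
"""
# Constructed (path, st_mode, st_uid) triples as os.stat() would report them.
SAMPLE_FILES = [
    ("/bin/mount", 0o104755, 0),           # setuid root by design
    ("/usr/bin/vim", 0o104755, 0),         # setuid root editor: escalation path
    ("/home/alice/tool", 0o104755, 1000),  # setuid, but only as uid 1000
]

def risky_sudo_rules(sudoers_text):
    """(user, command, reason) for rules granting unrestricted sudo, a file
    editor run as root, or a command named by a relative path."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        user, spec = line.split(None, 1)
        rhs = spec.split("=", 1)[1].strip()         # drop the host list
        if rhs.startswith("("):
            rhs = rhs.split(")", 1)[1].strip()      # drop the (runas) part
        for cmd in rhs.split(","):
            cmd = cmd.rsplit(":", 1)[-1].strip()    # drop tags such as NOPASSWD:
            prog = cmd.split()[0]
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted"))
            elif not prog.startswith("/"):
                findings.append((user, cmd, "relative path"))
            elif prog.rsplit("/", 1)[-1] in FILE_EDITORS:
                findings.append((user, cmd, "edits files as root"))
    return findings

def setuid_root_files(entries):
    """(path, reason) for regular files that are root-owned and setuid."""
    out = []
    for path, mode, uid in entries:
        if uid == 0 and stat.S_ISREG(mode) and mode & stat.S_ISUID:
            editor = path.rsplit("/", 1)[-1] in FILE_EDITORS
            out.append((path, "setuid root editor" if editor else "setuid root"))
    return out
```

On a live host the same triples come from os.stat() over the filesystem, and the sudoers text from sudo -l or /etc/sudoers.d.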

  • If you always type “ls –al” when listing directory contents, you might make an alias of “ll” or “lal” or even just “ls” for that command and save it to your shell’s config file (usually .profile or .bashrc or similar).  An attacker could also use aliases to trick users into executing rootkitted versions of apps like top or free to hide their activity.
  • Chroot is in every Unix-like distro.  Jail is much stricter and is mostly seen in BSD distributions.
