6. System Hacking
Web Shell
A web shell is a web-based script that allows access to a web server. Attackers create web shells to inject malicious script on a web server to maintain persistent access and escalate privileges.
Privilege Escalation by Exploiting Vulnerabilities
- exploitation of software to execute malicious code; it allows an attacker to gain higher privileges or bypass security mechanisms
- the attacker can access privileged user accounts
- attackers search for an exploit based on the OS and software application on exploit sites such as SecurityFocus and Exploit Database
Attacker places a rootkit by
- scanning for vulnerable computers and servers on the web
- wrapping it in a special package like games
- installing it on public computers or corporate computers through social engineering
- launching a zero-day attack (privilege escalation, Windows kernel exploitation)
Escalating Privileges
- the second stage of system hacking
- an attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges
- the attacker performs a privilege escalation attack, which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications
- these privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms
Spyware
A stealthy program that records the user's interaction with the computer and internet without the user's knowledge and sends it to remote attackers. It hides its process, files, and other objects. It is similar to a Trojan horse, which is usually bundled as a hidden component of freeware programs that can be available on the internet for download. It allows an attacker to gather info about a victim or organization such as email addresses, user login,
Authentication using NTLM protocol
- the client types the user password into the logon window
- Windows runs the password through a hash algorithm and generates a hash for the password that has been entered in the logon window
- the client computer sends a login request along with the domain name to the domain controller
- the domain controller generates a 16-byte random character string called a "nonce" and sends it to the client computer
- the client computer encrypts the nonce with the hash of the user password and sends it back to the domain controller
- the domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. The domain controller then compares the encrypted value with the value received from the client. A matching value authenticates the client and the logon is successful.
Kerberos Authentication
- user request to the authentication server (AS)
- AS reply of the authentication server to the user request
- client request to the TGS for a service ticket
- TGS reply to the client's request
- request to an application server to access a service
- reply to prove it really is the server the client is expecting
GrayFish Rootkit
A Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism, hidden storage and malicious command execution while remaining invisible. It injects its malicious code into the boot record, which handles the launching of Windows at each step. It implements its own Virtual File System to store the stolen data and its own auxiliary information.
Default Passwords
A default password is a password supplied by the manufacturer with new equipment that is password protected. Attackers use default passwords present in the list of words or dictionary that they use to perform password guessing attack.
Defense against Spyware
1. avoid using any computer system which is not totally under your control
2. adjust browser security settings to medium or higher for the internet zone
3. be cautious about suspicious emails and sites
4. enable the firewall to enhance the security level of the computer
5. update the software regularly and use a firewall with outbound protection
6. regularly check the task manager report and MS configuration manager report
7. update virus definition files and scan the system for spyware regularly
8. install and use anti-spyware software
9. perform web surfing safely and download cautiously
10. do not use administrative mode unless it is necessary
11. keep your operating system up to date
12. do not download free music files, screensavers, or smiley faces from the internet
13. beware of pop-up windows or web pages; never click anywhere on these windows
14. carefully read all disclosures, including the license agreement and privacy statement, before installing any application
Active Online Attack Using USB Drive
1. download PassView, a password hacking tool
2. copy the downloaded files to the USB drive
3. create autorun.inf in the USB drive: [autorun] en=launch.bat
4. contents of launch.bat: start pspv.exe/s text paspv.txt
5. insert the USB drive and the autorun window pops up (if enabled)
6. PassView is executed in the background and passwords will be stored in the .txt files in the USB drive
Spyware Propagation
1. drive-by download
2. masquerade as anti-spyware
3. web browser vulnerability exploits
4. piggybacked software installation
5. browser add-ons
6. cookies
How to defend against password cracking
1. enable information security audit to monitor and track password attacks
2. do not use the same password during password change
3. do not share passwords
4. do not use passwords that can be found in a dictionary
5. do not use cleartext protocols and protocols with weak encryption
6. set the password change policy to 30 days
7. avoid storing passwords in an unsecured location
8. do not use any system's default passwords
9. make passwords hard to guess using 8-12 alphanumeric characters in combination of uppercase and lowercase letters, numbers, and symbols
10. ensure that applications neither store passwords to memory nor write them to disk in clear text
11. use a random string (salt) as prefix or suffix with the password before encrypting
12. enable SYSKEY with a strong password to encrypt and protect the SAM database
13. never use passwords such as date of birth, spouse's, child's or pet's name
14. monitor the server's logs for brute force attacks on the users' accounts
15. lock out an account subjected to too many incorrect password guesses
Defense against Privilege Escalation
1. restrict the interactive logon privileges
2. use encryption techniques to protect sensitive data
3. run users and applications on the least privileges
4. reduce the amount of code that runs with particular privileges
5. implement multi-factor authentication and authorization
6. perform debugging using bounds checkers and stress tests
7. run services as unprivileged accounts
8. test operating system and application coding errors and bugs thoroughly
9. implement a privilege separation methodology to limit the scope of programming errors and bugs
10. patch and update the kernel regularly
11. change user control settings to Always Notify
12. restrict users from writing files to the search paths for applications
13. continuously monitor file system permissions using auditing tools
14. reduce the privileges of users and groups so that only legitimate administrators can make service changes
15. use whitelisting tools to identify and block malicious software
16. use fully qualified paths in all Windows applications
17. ensure that all executables are placed in write-protected directories
18. in Mac operating systems, make plist files read-only
19. block unwanted utilities or software that may be used to schedule tasks
20. patch and update the web servers regularly
Defense against Keyloggers
1. use a pop-up blocker and avoid opening junk emails
2. install anti-spyware/antivirus programs and keep the signatures up to date
3. install professional firewall software and anti-keylogging software
4. recognize phishing emails and delete them
5. update and patch system software
6. do not click on links in unwanted or doubtful emails that may point to malicious sites
7. use keystroke interference software, which inserts randomized characters into every keystroke
8. scan the files before installing and use registry editor or process explorer to check for keystroke loggers
9. use the Windows on-screen keyboard accessibility utility to enter the password or any other confidential information
10. install a host-based IDS which can monitor your system and disable the installation of keyloggers
11. use an automatic form-filling password manager or virtual keyboard to enter user name and password
12. use software that frequently scans and monitors the changes in the system or network
Steps in LLMNR/NBT-NS poisoning
1. The user sends a request to connect to the data sharing system, \\DataServer, which she mistakenly typed as \\DtaServr.
2. The \\DataServer responds to the user saying that it does not know the host named \\DtaServr.
3. The user then performs an LLMNR/NBT-NS broadcast to find out if anyone in the network knows the host name \\DtaServr.
4. The attacker replies to the user saying that it is \\DataServer, accepts the user's NTLMv2 hash, and responds to the user with an error.
Kernel Level Rootkit
Adds malicious code or replaces original OS kernel and device driver codes
Software Keyloggers Types
- Application keylogger - allows you to observe everything the user types in his or her emails, chats, and other applications, including passwords.
- Kernel/rootkit/device keylogger - used rarely, as it is difficult to write and requires a high level of proficiency from the keylogger developers. This keylogger hides from the system and is undetectable, even with standard or dedicated tools.
- Hypervisor-based keylogger - works within a malware hypervisor operating on the operating system.
- Form-grabbing-based keylogger - records web form data and then submits it over the internet, after bypassing HTTPS encryption.
Path Interception
Applications include many weaknesses and misconfigurations like unquoted paths, path environment variable misconfiguration, and search order hijacking that lead to path interception. Path interception helps an attacker to maintain persistence on a system and escalate privileges.
Spectre Vulnerability
An attacker may take advantage of this vulnerability to read adjacent memory locations of a process and access information for which he/she is not authorized. Using this vulnerability, an attacker can even read the kernel memory or perform a web-based attack using JavaScript.
Offline Attacks
The attacker copies the target's password file and then tries to crack passwords on his own system at a different location.
- Rainbow table attack (pre-computed hashes)
- Distributed network attack
Executing Applications
The attacker executes malicious applications in this stage. This is called "owning" the system. The attacker executes malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture screenshots, and install a backdoor to maintain easy access.
Meltdown Vulnerability
An attacker may take advantage of this vulnerability to escalate privileges by forcing an unprivileged process to read other adjacent memory locations such as kernel memory and physical memory. This leads to the revealing of critical system information such as credentials, private keys, etc.
Active Online attack
The attacker performs password cracking by directly communicating with the victim machine.
- Dictionary and brute force attack
- Trojan/spyware/keyloggers
- Hash injection and phishing
- Password guessing
- LLMNR/NBT-NS poisoning
Passive Online Attack
The attacker performs password cracking without communicating with the authorizing party.
- Wire sniffing
- Man-in-the-middle attack
- Replay attack
Passive Online Attack: Wire Sniffing
Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic. The captured data may include sensitive information such as passwords (FTP, rlogin sessions) and emails. Sniffed credentials are used to gain unauthorized access to the target system.
Rule-based attack
Attackers use this type of attack when they obtain some info about the password. With useful information such as the way in which numbers and/or special characters have been used and the password length, attackers can minimize the time required to crack the password and thereby enhance the cracking tool.
Location of SAM file
C:\windows\system32\config\SAM
Offline attack: Distributed Network Attack
DNA technique is used for recovering passwords from hashes or password protected files using the unused processing power of machines across the network to decrypt passwords. The DNA manager is installed in a central location where machines running on DNA client can access it over the network. DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network. DNA Client runs in the background consuming only unused processor time. The program combines processing capabilities of all the clients connected to network and uses it to crack the password.
GPS Spyware
Device or software application that uses the Global Positioning System to determine the location of a vehicle, person, or other attached or installed asset.
Steps to disable LLMNR/NBT-NS in any version of Windows
Disabling LLMNR:
- open Group Policy Editor
- navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client
- in DNS Client, double-click Turn off multicast name resolution
- select the Enabled radio button and then click OK
Disabling NBT-NS:
- open Control Panel, navigate to Network and Internet > Network and Sharing Center, and click the Change adapter settings option on the right side
- right-click the network adapter and click Properties, select TCP/IPv4 and then click Properties
- under the General tab, go to Advanced > WINS
- from the NetBIOS options, select the "Disable NetBIOS over TCP/IP" radio button and click OK
System Hacking Concepts
- Footprinting Module
- Scanning Module
- Enumerating Module
- Vulnerability Analysis Module
CEH Hacking Methodology
- Gaining Access
- Maintaining Access
- Clearing Logs
Winrtgen
Graphical rainbow table generator that helps attackers create rainbow tables from which they can crack hashed passwords.
Syllable Attack
Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combination of the.
Hardware Keystroke Loggers
Hardware devices that look like normal USB drives. Attackers can connect these keyloggers between a keyboard plug and USB socket.
- PC/BIOS embedded - BIOS-level firmware that is responsible for managing keyboard actions can be modified in such a way that it captures the keystrokes that are typed. It requires physical or admin-level access to the target computer.
- Keylogger keyboard - captures keystrokes by attaching the hardware circuit to the keyboard cable connector.
- External keylogger - attached between a usual PC keyboard and a computer.
Hash Injection Attack
Hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources. The attacker finds and extracts a logged on domain admin account hash. The attacker uses the extracted hash to log on to the domain controller.
Hardware/Firmware Rootkit
Hides in hardware device or platform firmware which is not inspected for code integrity
File System Permissions Weakness
If the file system permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file. If the process that is executing this binary is having higher level permissions
Setuid and Setgid
In Linux and macOS, if an application uses setuid or setgid, then the application will execute with the privileges of the owning user or group. An attacker can exploit applications with the setuid or setgid flags to execute malicious code with elevated privileges.
Hypervisor Level Rootkit
It acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine
Keylogger
Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, log them to a file, or transmit them to a remote location. Legitimate applications for keyloggers include office and industrial settings to monitor employees' computer activities and home environments where parents can monitor and spy on children's activity. It allows an attacker to gather confidential information about the victim such as email ID, passwords, banking details, chat room activity, IRC, and instant messages. Physical keyloggers are placed between the keyboard hardware and the operating system.
Active Online Attack: LLMNR/NBT-NS Poisoning
LLMNR and NBT-NS are two main elements of Windows operating systems used to perform name resolution for hosts present on the same link. The attacker cracks the NTLMv2 hash obtained from the victim's authentication process. The extracted credentials are used to log on to the host system in the network.
Launch Daemon
Launchd is used in MacOS X boot-up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon. Daemons have plists that are linked to executables to maintain persistence or to escalate privileges.
Horse Pill
Linux kernel rootkit that resides inside the "initrd", through which it infects the system and deceives the system owner with the use of container primitives. It has three important parts:
- klibc-horsepill.patch - a patch to klibc which provides run-init, which on modern Ubuntu systems runs the real init, systemd
- horsepill_setopt - the script takes in command-line arguments and puts them into the section referred to above
- horsepill-infect - takes the file to splat over run-init while assembling ramdisks as a command-line argument. It then runs update-initramfs and splats over run-init as the ramdisk is being assembled.
Amac Keylogger
A Mac OS X application that allows users to spy on users of Macintosh computers and secretly record all information, including passwords, keystrokes, chat conversations, websites visited and screenshots captured.
- logs typed passwords
- logs keystrokes and chat conversations
- records websites and takes screenshots
- logs the Mac's IP address
- automatically runs at startup stealthily
- enables you to apply settings to all users with one click
- sends logs to email/FTP at preset intervals
- password protects keylogger access
Kerberos Authentication
Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger authentication for client/server applications than NTLM
Privilege Escalation using DLL Hijacking
Most Windows applications do not use the fully qualified path when loading an external DLL library. If attackers can place a malicious DLL in the application directory, it will be executed in place of the real DLL.
Types of Password Attacks
- Non-Electronic Attacks
- Active Online Attacks
- Passive Online Attacks
- Offline Attacks
Power Spy
PC user activity monitoring software. It runs secretly in the background of the computer system. Features:
- screen recording
- keylogger
- instant message and chat recording
- email recording
- website URL recording
- application recording
- document recording
- clipboard text recording
External Keyloggers
- PS/2 and USB keylogger - completely transparent to computer operation and requires no software or drivers for its functionality. Records all the keystrokes typed by the user on the computer keyboard and stores data such as emails, chat records, applications used, IMs and so on.
- Acoustic/CAM keylogger - works on the principle of converting electromagnetic sound waves into data.
- Bluetooth keylogger - requires physical access to the target computer only once, at the time of installation.
- Wi-Fi keylogger - besides standard PS/2 and USB keylogger functionality, it features remote access over the internet.
Password Cracking: L0phtCrack
Password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding. It recovers lost Microsoft passwords with the help of dictionary, hybrid, rainbow table, and brute-force attacks, and also checks the strength of the password.
Plist Modification
Plist files in MacOS and OS X describe when programs should execute, executable file path, program parameters, required OS permissions
Rootkits
Programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time and also in the future. Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system, causing malicious functions to be executed. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, and IRC bots.
Offline Attack: Rainbow Table Attack
Rainbow table: is a precomputed table which contains word lists like dictionary files and brute force lists and their hash values. Compare the Hashes: capture the hash of passwords and compare it with the precomputed hash table. If a match is found then the password is cracked. Easy to recover: It is easy to recover passwords by comparing captured password hashes to the precomputed tables.
Library Level Rootkit
Replaces original system calls with fake ones to hide information about the attacker
Application level rootkit
Replaces regular application binaries with fake Trojan or modifies the behavior of existing applications by injecting malicious code
BootLoader Level Rootkit
Replaces the original boot loader with one controlled by a remote attacker
LLMNR/NBT-NS poisoning tools
Responder - responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default the tool only responds to a File Server request, which is SMB. Features:
- built-in SMB Auth, MSSQL Auth, HTTP and HTTPS Auth, and LDAP Auth servers
- ICMP redirect
- rogue DHCP
Video Spyware
Software for video surveillance installed on the target computer without the user's knowledge. It runs transparently in the background, and secretly monitors and records webcams and video IM conversations.
NTLM Authentication
The NTLM authentication protocol types are the NTLM authentication protocol and the LM authentication protocol. These protocols store users' passwords in the SAM database using different hashing methods.
Password Guessing
The attacker creates a list of all possible passwords from the info collected through social engineering or any other way and tries them manually on the victim's machine to crack the passwords.
Manual Password-Cracking Algorithm
This algorithm can automate password guessing using a simple FOR loop. The main FOR loop can extract the user names and passwords from the text file, which serves as a dictionary as it iterates through every line:
[file: credentials.txt]
administrator ""
administrator password
administrator administrator
Hybrid Attack
This attack depends on the dictionary attack. The program would add some numbers and symbols to the words from the dictionary to try to crack the password
Hacking Stage: Escalating Privileges
To acquire the rights of another user or an admin (exploiting known system vulnerabilities)
Hacking Stage: Gaining Access
To bypass access controls to gain access to the system (password cracking, social engineering)
Hacking Stage: Executing Applications
To create and maintain remote access to the system (Trojans, spyware, backdoors, keyloggers)
Hacking Stage: Hiding Files
To hide the attacker's malicious activities and data theft (rootkits, steganography)
Hacking Stage: Covering Tracks
To hide the evidence of compromise (clearing logs)
Objectives of rootkit
- To root the host system and gain remote backdoor access
- To mask attacker tracks and the presence of malicious applications or processes
- To gather sensitive data and network traffic from the system to which attackers might be restricted or possess no access
- To store other malicious programs on the system and act as a server resource for bot updates
Child-Monitoring Spyware
Tracks and monitors what children are doing on the computer, both online and offline. It logs all the programs used, websites visited, counts keystrokes and mouse clicks, and captures screenshot of activity.
Application Shimming
In the Windows Application Compatibility Framework, a shim is used to provide compatibility between older and newer versions of the Windows operating system. Shims like RedirectEXE, InjectDLL, and GetProcAddress can be used by attackers to escalate privileges, install backdoors, and disable Windows Defender.
Scheduled Task
Windows Task Scheduler, along with utilities such as "at" and "schtasks", can be used to schedule programs that can be executed at a specific date and time. An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, and escalate privileges.
Access Token Manipulation
The Windows operating system uses access tokens to determine the security context of a process or thread. Attackers can obtain access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities while evading detection.
Password Cracking: Ophcrack
Windows password cracking tool that uses rainbow tables for cracking passwords. It comes with a graphical user interface and runs on different operating systems such as Windows, Linux, and Unix.
Security Accounts Manager SAM Database
Windows stores user passwords in SAM, or in the Active Directory database in domains. Passwords are never stored in clear text; they are hashed and the results are stored in the SAM.
USB spyware
A program designed for spying on the computer that copies spyware files from a USB device onto the hard disk without any request or notification. USB spyware lets you capture, display, record, and analyze the data transferred between any USB device connected and a PC and its applications.
- USB spyware copies files from the USB device to your disk in hidden mode without any request
- it creates a hidden file/directory with the current date and begins the background copying process
- it allows you to capture, display, record, and analyze data transferred between any USB device connected to a PC and applications
Email Spyware
A program that monitors, records, and forwards all incoming and outgoing email. This type of spyware records and sends copies of all incoming and outgoing emails to you through a specified email address or saves the information in a local disk folder of the monitored computer. It works in stealth mode - users will not be aware of the presence of email spyware on their computer.
Password Salting
A technique where a random string of characters is added to the password before calculating its hash. Advantage: salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks.
Internet Spyware
a utility that allows you to monitor all the web pages accessed by the users on your computer in your absence. It makes a chronological record of all visited URLs. It records all visited URLs into a log file and sends it to a specified email address and provides a summary report of overall web usage.
Anti-Keyloggers
also called anti-keystroke loggers, detect and disable keystroke logger software. It prevents a keylogger from logging every keystroke typed by the victim and thus keeps all personal info safe and secure.
Software Keystroke Loggers
Software installed remotely via network or email attachment in a target system for recording all the keystrokes. The logged information is stored as a log file on a computer hard drive.
Non-Electronic Attacks
The attacker need not possess technical knowledge to crack the password, hence it is known as a non-technical attack.
- Shoulder surfing
- Social engineering
- Dumpster diving
Print Spyware
Allows remote monitoring of the printer usage of the target organization. It records all info related to printer activities, saves the info in an encrypted log, and sends the log file to a specified email address over the internet.
Spytech SpyAgent
Computer spy software that allows you to monitor everything users do on your computer - in total secrecy.
- can reveal all websites visited
- records all online searches performed
- monitors what programs and apps are in use
- can track all file usage and printing info
- records online chat conversations
- also able to see every email communication on the user's computer
- helps you determine what the user is uploading and downloading
- uncovers secret user passwords
- monitors social networking behavior
Password Cracking: RainbowCrack
cracks hashes with rainbow tables, using a time-memory tradeoff algorithm. It pre-computes all possible plaintext hash pairs in the selected hash algorithm, charset, and plaintext length in advance and stores them in the "rainbow table" file.
KeyGrabber
hardware keylogger is an electronic device capable of capturing keystrokes from a PS/2 or USB keyboard.
Privilege Escalation using Dylib Hijacking
In OS X, when an application loads an external dylib (dynamic library), the loader searches for the dylib in multiple directories. If an attacker can inject a malicious dylib into one of the primary directories, it will be executed in place of the original dylib.
All in one Keylogger
Invisible keylogger surveillance software that allows you to record keystrokes and monitor each activity of the computer user.
- capture all keystrokes
- record instant messages
- monitor application usage
- capture desktop activity and take screenshots
- quick search over the log
- send reports via email, FTP, network
- record microphone sounds
- generate and send HTML reports
- disable anti-keyloggers and unwanted software
- filter monitored user accounts
- block unwanted URLs
- stop logging when the computer is idle
Screen capturing spyware
A program that allows you to monitor computer activities by taking snapshots or screenshots of the computer on which the program is installed. It is capable of capturing not only screenshots but also keystrokes, mouse activity, visited website URLs, and printer activities in real time.
Password Hash Extraction Tools
- pwdump7 - application that dumps the password hashes from NT's SAM database. It extracts LM and NTLM password hashes of local user accounts from the Security Account Manager.
- fgdump - utility for dumping passwords on Windows NT/2000/XP/2003/Vista machines. It has the same capabilities as PWdump.
RemoteExec
Remotely installs applications, executes programs/scripts, and updates files and folders on Windows systems throughout the network. It allows an attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders. Activities:
- remote MSI package installation
- remote execution
- registry modification
- file operations
- password and local account management
- interaction with remote systems
Tools to create Rainbow Tables
rtgen - RainbowCrack is a general-purpose implementation that takes advantage of the time-memory trade-off technique to crack hashes.
Zemana AntiLogger
Software application that blocks hackers. It detects any attempts to modify your computer's settings, record your activities, hook to your PC's sensitive processes, or inject malicious code into your system.
Desktop spyware
Software that allows an attacker to gain information about a user's activity or gather information about the user and send it via the internet to third parties without the user's knowledge or consent.
- live recording of remote desktops
- recording and monitoring internet activities
- recording software usage and timings
- recording activity log and storing it at one centralized location
- logging the user's keystrokes
Telephone/cellphone spyware
Software tool that gives you full access to monitor a victim's phone or cell.
- Call history - can see the entire history of the phone.
- View text messages - enables you to view all incoming and outgoing text messages. It shows deleted messages in the log report.
- Web site history - records the entire history of all websites visited through the phone in the log report file.
- GPS tracking
Audio Spyware
sound surveillance program designed to record sound onto the computer. Using audio spyware does not require any administrative privileges.
Password Cracking
- techniques used to recover passwords from computer systems
- attackers use password cracking techniques to gain unauthorized access to vulnerable systems
- most password cracking techniques are successful due to weak or easily guessable passwords
Horizontal Privilege Escalation
the unauthorized user tries to access the resources, functions, and other privileges that belong to the authorized user who has similar access permissions.
Vertical Privilege Escalation
the unauthorized user tries to gain access to the resources and functions of the user with higher privileges, such as application or site administrators.