Module 06: System Hacking
Abusing Sudo Rights
1) A UNIX and Linux based system utility that permits users to run commands as a superuser or root using the security privileges of another user 2) Attackers can overwrite the sudo configuration file with their own malicious file to escalate privileges
Windows Remote Management (WinRM)
1) A Windows-based protocol designed to allow a user to run an executable file, modify system services, and the registry on a remote system 2) Attackers can use the winrm command to interact with WinRM and execute a payload on the remote system as part of lateral movement
Windows Management Instrumentation (WMI)
1) A feature in Windows administration that provides a platform for accessing Windows system resources locally and remotely 2) Attackers can exploit WMI features to interact with the remote target system and use it to perform information gathering on system resources and further execute code for maintaining access to the target system
Default Passwords
1) A password supplied by the manufacturer with new equipment that is password protected 2) Attackers use default passwords present in the wordlist or dictionary they use to perform a password-guessing attack
Stack-based buffer overflow
1) A stack is used for static memory allocation and stores the variables in "Last-in-first-out" (LIFO) order 2) PUSH stores data onto the stack 3) POP removes data from the stack 4) When a function starts execution, a stack frame is pushed onto the stack, which is pointed to by the ESP register 5) When the function returns, the stack frame is popped off and execution resumes from the return address loaded into the EIP register 6) If an application is vulnerable to stack-based buffer overflow, then attackers take control of the EIP register by replacing the return address of the function with one pointing to malicious code that allows them to gain shell access to the target system
Spyware
1) A stealthy program that records the user's interaction with the computer and the internet without the user's knowledge and sends the information to remote attackers 2) Hides its process, files, and other objects in order to avoid detection and removal 3) It is like a Trojan horse, which is usually bundled as a hidden component of freeware programs that are available on the internet for download 4) It allows the attacker to gather information about a victim or organization such as email addresses, user logins, passwords, credit card numbers, and banking credentials
Steganography
1) A technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data 2) Utilizing a graphic image as a cover is the most popular method to conceal data in files 3) The attacker can use this to hide messages such as a list of the compromised servers, source code for the hacking tool, or plans for future attacks
Web Shell
1) A web-based script that allows access to a web server 2) Attackers create web shells to inject malicious scripts on a web server to maintain persistent access and escalate privileges
Buffer Overflow
1) An area of adjacent memory locations allocated to a program or application to handle its runtime data 2) A common vulnerability in applications or programs that accept more data than the allocated buffer can hold 3) This vulnerability allows the application to exceed the buffer while writing data to it and overwrite neighboring memory locations 4) Attackers exploit buffer overflow vulnerabilities to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, etc.
Privilege Escalation
1) An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges 2) The attacker performs this attack, which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications, to gain administrative access to the network and its associated applications 3) These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, or worms
Path Interception
1) Applications include many weaknesses and misconfigurations, like unquoted paths, path environment variable misconfiguration, and search order hijacking, that lead to path interception 2) Helps an attacker to maintain persistence on a system and escalate privileges
Keylogger
1) Programs or hardware devices that monitor each keystroke as the user types on a keyboard, log them to a file, or transmit them to a remote location 2) Legitimate applications for keyloggers include office and industrial settings, to monitor employees' computer activities, and the home environment, where parents can monitor and spy on children's activity 3) It allows the attacker to gather confidential information about the victim such as email IDs, passwords, bank details, chat room activity, IRC, and instant messages 4) Physical keyloggers are placed between the keyboard hardware and the operating system
Meltdown Vulnerability
1) Attackers may take advantage of this vulnerability to escalate privileges by forcing an unprivileged process to read other adjacent memory locations such as kernel memory and physical memory 2) This leads to revealing critical system information such as credentials, private keys, etc.
Spectre Vulnerability
1) Attackers may take advantage of this vulnerability to read adjacent memory locations of a process and access information for which he/she is not authorized 2) Using this vulnerability, an attacker can even read the kernel memory or perform a web-based attack using JavaScript
Privilege Escalation by exploiting vulnerabilities
1) Attackers take advantage of programming flaws in a program, service, or within the operating system software or kernel, to execute malicious code 2) Allows the attacker to execute a command or binary on a target machine to gain higher privileges than those existing or to bypass security mechanisms 3) Attackers using these exploits can access privileged user accounts and credentials 4) Attackers search for an exploit based on the OS and software application on exploit sites such as SecurityFocus and Exploit Database
Pivoting and Relaying to Hack External Machines
1) Attackers use the pivoting technique to compromise a system, gain remote shell access on it, and further bypass the firewall to pivot via the compromised system to access other vulnerable systems in the network 2) Attackers use the relaying technique to access resources present on other systems via the compromised system, in such a way that the requests to access the resources appear to come from the initially compromised system
Active Online Attack
1) Dictionary attack 2) Brute-force attack 3) Rule-based attack
Techniques used to cover tracks on the target system
1) Disable Auditing 2) Clearing Logs 3) Manipulating logs 4) Covering tracks on the network/OS 5) Deleting files 6) Disabling Windows functionality
Spyware Propagation
1) Drive-by download 2) Masquerading as anti-spyware 3) Web browser vulnerability 4) Piggybacked software installation 5) Browser add-ons 6) Cookies
Heap-based buffer overflow
1) Heap memory is dynamically allocated at runtime during execution of the program and it stores program data 2) It occurs when a block of memory is allocated on the heap and data is written to it without any bounds checking 3) This vulnerability leads to overwriting dynamic object pointers, heap headers, heap-based data, virtual function tables, etc. 4) Attackers exploit heap-based buffer overflows to take control of the program's execution. Unlike stack overflows, heap overflows are inconsistent and have different exploitation techniques
Filesystem Permissions Weakness
1) If the filesystem permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file 2) If the process that is executing this binary has higher level permissions, then the malicious binary also executes under higher level permissions
setuid and setgid
1) In Linux and macOS, if an application uses setuid or setgid, then the application will execute with the privileges of the owning user or group 2) An attacker can exploit applications with the setuid and/or setgid flags to execute malicious code with elevated privileges
Plist Modification
1) In macOS and OS X, plist files describe when a program should execute, the executable file path, the program parameters, the required OS permissions, etc. 2) Attackers can modify plist files to execute malicious code on behalf of a legitimate user to escalate privileges
Privilege Escalation using Named Pipe Impersonation
1) In the Windows operating system, named pipes provide legitimate communication between running processes 2) Attackers often exploit this technique to escalate privileges on the victim's system to those of a user account having higher access privileges
Exploitation for client execution
1) Insecure coding practices in software can make it vulnerable to various attacks 2) Attackers can take advantage of the vulnerabilities in software through focused and targeted exploitation with the objective of arbitrary code execution to maintain access to the target remote system
Malicious program that attackers execute on target system
1) Keyloggers 2) Spyware 3) Backdoors 4) Crackers
Reasons programs and applications are vulnerable to buffer overflows
1) Lack of boundary checking 2) Using older versions of programming languages 3) Using unsafe and vulnerable functions 4) Lack of good programming practices 5) Failing to set proper filtering and validation principles 6) Executing code present in the stack segment 7) Improper memory allocation 8) Insufficient input sanitization
Privilege Escalation Using DLL Hijacking
1) Most Windows applications do not use the fully qualified path when loading an external DLL library. Instead, they search the directory from which they have been loaded 2) If attackers place a malicious DLL in the application directory, it will be executed in place of the real DLL 3) Attackers use tools such as Robber and PowerSploit to detect hijackable DLLs and perform DLL hijacking on the target system
NTFS Data Stream
1) NTFS Alternate Data Stream (ADS) is a Windows hidden stream, which contains metadata for the file, such as attributes, word count, author names, and access and modification times of the files 2) ADS can fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities 3) ADS allows an attacker to inject malicious code into files on an accessible system and execute it without being detected by the user
NTLM Authentication
1) NTLM Authentication protocol and LM authentication protocol 2) These protocols store the user's password in the SAM database using different hashing methods
Rootkits
1) Programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time and in the future 2) Replaces certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system, causing malicious functions to be executed 3) A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
Kernel exploits
1) Referred to as the programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges 2) Attackers can attain superuser access or root-level access to the target system by exploiting kernel vulnerabilities
Abusing SUID and SGID Permissions
1) SUID and SGID are access permissions given to a program file in Unix-based systems 2) Attackers can use executable commands with SUID and SGID bits enabled to escalate privileges
Attackers place a rootkit by
1) Scanning for vulnerable computers and servers on the web 2) Wrapping it in a special package like a game 3) Installing it on public computers or corporate computers through social engineering 4) Launching a zero-day attack
Microsoft Authentication
1) Security Accounts Manager (SAM) Database 2) NTLM Authentication 3) Kerberos Authentication
Non-electronic attack
1) Social Engineering 2) Shoulder Surfing 3) Dumpster Diving
Challenges of steganalysis
1) Suspect information stream may or may not have encoded hidden data 2) Efficient and accurate detection of hidden content within digital images is difficult 3) The message could be encrypted before being inserted into a file or signal 4) Some of the suspect signals or files may have irrelevant data or noise encoded into them
Service Execution
1) System services are programs that run and operate at the backend of an operating system 2) Attackers run binary files or commands that can communicate with the Windows system services such as Service Control Manager to maintain access to the remote system
Scheduled task
1) The Windows task scheduler, along with utilities such as "at" and "schtasks", can be used to schedule programs that are executed at a specific date and time 2) The attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.
Steganalysis
1) The art of discovering and rendering covert messages hidden using steganography 2) It detects hidden messages embedded in image, text, audio, and video carrier media
Application Shimming
1) The Windows Application Compatibility Framework, called shim, is used to provide compatibility between older and newer versions of the Windows operating system 2) Shims like RedirectEXE, InjectDLL, and GetProcAddress can be used by attackers to escalate privileges, install backdoors, disable Windows Defender, etc.
Access Token Manipulation
1) The Windows operating system uses access tokens to determine the security context of a process or thread 2) Attackers can obtain the access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities while evading detection
Privilege Escalation Using Spectre and Meltdown vulnerabilities
1) These vulnerabilities are found in the design of modern processor chips from AMD, ARM, and Intel 2) The performance and CPU optimizations in the processors, such as branch prediction, out-of-order execution, caching, and speculative execution, lead to these vulnerabilities 3) Attackers exploit these vulnerabilities to gain unauthorized access and steal critical system information, such as credentials and secret keys stored in the application's memory, to escalate privileges
Objectives of a rootkit
1) To root the host system and gain remote backdoor access 2) To mask attacker tracks and the presence of malicious applications or processes 3) To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access 4) To store other malicious programs on the system and act as a server resource for bot updates
Launch Daemon
1) Used in macOS and OS X boot up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon 2) Daemons have plists that are linked to executables that run at start up 3) The attacker can alter its executable to maintain persistence or to escalate privileges
Password cracking
1) Used to recover passwords from computer systems 2) Attackers use it to gain unauthorized access to vulnerable systems 3) Most password-cracking attempts are successful because of weak or easily guessable passwords
Whitespace steganography
1) Users hide the message in ASCII text by adding white spaces to the ends of lines 2) Because spaces and tabs are not generally visible in text viewers, the message is effectively hidden from casual observers 3) Use of built-in encryption makes the message unreadable even if it is detected 4) Use the SNOW tool to hide the message
Scheduled Task
1) Utilities such as at and schtasks can be used along with the Windows task scheduler to execute specific programs at a scheduled date and time 2) Attackers can execute malicious programs at system startup or schedule them for a specific date and time to maintain access to the target system
Executing Applications
1) When attackers execute malicious applications, it is called "owning" the system 2) The attacker executes malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, install backdoors to maintain easy access, etc.
Dictionary attack
A dictionary file is loaded into the cracking application that runs against user accounts
Password Salting
A technique where a random string of characters is added to the password before calculating its hash
Hypervisor Level rootkit
Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine
Kernel Level Rootkit
Adds malicious code or replaces the original OS kernel and device driver code
PRINCE attack
An advanced version of a combinator attack where instead of taking input from two different dictionaries, attackers use a single input dictionary to build chains of combined words
Combinator attack
Attackers combine the entries of the first dictionary with those of the second dictionary to generate a new wordlist to crack the password of the target system
Fingerprint attack
Attackers break down the passphrase into fingerprints comprising single and multi-character combinations to crack complex passwords
Markov-chain attack
Attackers gather a password database and split each password entry into 2- and 3-character long syllables; using these character elements, a new alphabet is developed, which is then matched with the existing password database
Toggle-Case attack
Attackers try all possible combinations of upper and lower cases of a word present in the input dictionary
Social Engineering
Convincing people to reveal passwords
Hardware/firmware rootkit
Hides in hardware devices or platform firmware which is not inspected for code integrity
Vulnerability Exploitation
Involves the execution of multiple complex, interrelated steps to gain access to a remote system
Shoulder surfing
Looking at either the user's keyboard or screen while he/she is logging in
Advantage of password salting
Makes it more difficult to reverse the hashes and defeats pre-computed hash attacks
Kerberos Authentication
Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM
Covering Tracks
Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection
Horizontal Privilege Escalation
Refers to acquiring the same privileges that have already been granted, by assuming the identity of another user with the same privileges
Vertical Privilege Escalation
Refers to gaining higher privileges than those existing
Application Level/User Mode Rootkit
Replaces regular application binaries with a fake Trojan or modifies the behavior of existing applications by injecting malicious code
BootLoader Level Rootkit
Replaces the original boot loader with the one controlled by a remote attacker
Library Level Rootkits
Replaces the original system calls with fake ones to hide information about the attacker
Dumpster Diving
Searching for sensitive information in the user's trash-bins, printer trash bins, and in/on the user's desk for sticky notes
Offline Attacks
The attacker copies the target's password file and then tries to crack passwords on his own system at a different location
Non-electronic attacks
The attacker does not need technical knowledge to crack the password, hence it is known as a non-technical attack
Active Online Attacks
The attacker performs password cracking by directly communicating with the victim's machine
Passive Online Attacks
The attacker performs password cracking without communicating with the authorizing party
Brute-force attack
The program tries every combination of characters until the password is broken
Rule-based attack
This attack is used when the attacker gets some information about the password
Offline Attacks: Distributed network attack
Used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network
SAM Database
Windows stores user passwords in the SAM, or in the Active Directory database in a domain. Passwords are never stored in clear text; they are hashed, and the results are stored in the SAM