System Hacking
Gabriel Avramescu, www.ituniversity.ro, [email protected]

Objectives
• Vulnerabilities exploitation
• Passwords
• Authentication

2. Security Exploits
• Vulnerabilities exploitation: a special "program" written to exploit vulnerabilities found on computers, with the goal of compromising their security
  ◦ Obtaining access, privilege escalation, blocking their functionality, etc.
• Remote vs. local exploits
• Public vs. private exploits
• Underground world
• Exploit development requires advanced programming knowledge: C/C++, Perl, Python

4. Security Exploits
• Exploit = Vulnerability + Payload
• Payload = the code to be executed after the vulnerability is triggered
  ◦ Written in Assembly Language (ASM)
  ◦ Platform dependent: special exploits for Windows, others for Linux
• Different types of payloads:
  ◦ Exec: executes a command or program on the remote system
  ◦ Download_exec: downloads a file from a URL and executes it
  ◦ Upload_exec: uploads a local file and executes it
  ◦ Adduser: adds a user to the system accounts
  ◦ Shell: provides an interactive shell
    • Bind shell
    • Reverse shell
• Example: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (CVE-2008-4250)

5. Web sites containing exploits
• Security Focus (http://www.securityfocus.com)
• Exploit Database (http://www.exploit-db.com)
• Milw0rm (http://www.milw0rm.com): closed! Now inj3ct0r.com
• Packet Storm (http://packetstormsecurity.org)
• Kali Linux (metasploit)

6. SecurityFocus

7. Exploit frameworks
• Metasploit Framework (http://www.metasploit.com)
• LibExploit (http://nixbit.com)
• Inguma (http://inguma.sourceforge.net)
• Attack Tool Kit (http://www.computec.ch/projekte/atk)
• Core Impact (http://www.coresecurity.com)
• Immunity CANVAS (http://www.immunitysec.com)
• SAINT (http://www.saintcorporation.com)
• Application specific:
  ◦ Orasploit (Oracle)
  ◦ BeEF (Browser Exploitation Framework)
  ◦ W3af (Web Application Exploit Framework)

8. Metasploit Framework
• Open source project
• Project's objectives: a platform for developing, testing and using exploits
• Used for penetration testing and vulnerability research
• Developed by HD Moore in 2003 using Perl; rewritten in Ruby
• Available on Linux and Windows (Cygwin)
• Bought by Rapid7 in 2009 (http://www.rapid7.com)
  ◦ Commercial versions: Metasploit Express and Metasploit Pro
• Modular and extendable
• Permits exploit development
• More about it in future chapters

9. Metasploit Framework (cont.)
• Interfaces:
  ◦ Metasploit Command Line Interface (MSFCLI)
  ◦ Metasploit Console (MSFCONSOLE)
  ◦ Metasploit Web Interface (MSFWEB)
• Phases:
  ◦ Select the exploit to be used (after vulnerability scanning)
  ◦ Set the specific options (target IP, port, etc.)
  ◦ Select the payload (exec, adduser, shell, etc.)
  ◦ Launch the exploit

10. Metasploit Console (MSFCONSOLE)

11. Metasploit Framework - Autopwn
• Automatic vulnerability exploitation
• A database for information storage is required: MySQL, SQLite, Postgres
• Data can be imported from other programs: Nessus NBE files, nmap XML
• nmap can run within Metasploit and store its results in the database
• Launches exploits based on the scanning results (ports, services, vulnerabilities)

12. Metasploit Framework – Auxiliary Module
• Meterpreter (Meta-Interpreter)
  ◦ Creates modules that can be uploaded to compromised systems
  ◦ Client-server configuration
• PassiveX
  ◦ Loads ActiveX in the target process
  ◦ http://www.uninformed.org/?v=1&a=3&t=pdf
• Win32 UploadExec
• Win32 DLL Injection
• VNC Server DLL Injection

13. CORE IMPACT
• Very powerful tool (and very expensive too, ~ $35 000)
• Very stable
• High number of exploits for:
  ◦ Systems
  ◦ Users
  ◦ Web applications
  ◦ Wireless

14. CORE IMPACT (cont.)

15. Password Security
• Passwords are the most widely used authentication mechanism
• Usually, compromising a password means gaining access to a system
• Passwords are vulnerable to several types of attacks
• Identity theft currently represents the "computer crime" with the highest rate of growth

17. Password Representation
• Usually, passwords are not stored in clear text on systems but encoded as hash values
  ◦ One-way functions are used for the "encryption" (DES, MD5, SHA, etc.)
• When a user enters a password, its hash is computed and compared with the one stored in the database
  ◦ If the two values are the same, the user is authenticated

18. Password Representation (cont.)
• Salting: the insertion of a random value into the hash computation
• The salt value is stored together with the hash value in the database
• If two users have the same password, it will be represented by different encrypted values in the database (due to the different salts)
• It considerably increases the security level

19. Types of Password Attacks
• Online attacks
  ◦ Brute force
  ◦ Easy to detect
• Offline attacks
  ◦ Imply obtaining the hash values stored locally or transmitted through the network
  ◦ Require system access
  ◦ Network sniffing
  ◦ This kind of attack cannot be detected

20. Types of Password Attacks (cont.)
• Dictionary attack
  ◦ All the words in a text file (dictionary) are tested
  ◦ Very fast (depends on the number of words in the file)
• Brute force
  ◦ All the combinations are tested
  ◦ Requires time and computing power
• Hybrid
  ◦ Words from the dictionary combined with numbers and special characters
  ◦ Ex: P@ssw0rd, password12, password$%
• Rainbow tables
  ◦ Lookup tables
  ◦ Pre-computed hash values
  ◦ Require a lot of storage
• Keyloggers, phishing, social engineering

21. Windows passwords
• 2 types of hash values
  ◦ LM hash (LAN Manager hash)
    • Used for the LAN Manager authentication protocol (Windows 95, 98, Me)
  ◦ NT hash (NTLM hash)
    • Used in the NTLMv1, NTLMv2 and Kerberos authentication protocols
• Hash values are stored in the Security Accounts Manager (SAM) or Active Directory databases
• The SAM database is stored in the Windows\system32\config directory
  ◦ It cannot be copied while the OS is running
  ◦ Solutions:
    • Boot with a Live CD and copy the file (implies physical access to the PC)
    • Use the backup copy from Windows\repair; this copy is made when the administrator uses the RDISK utility
• SYSKEY: SAM encryption

22. LM hash
• Hash value computing algorithm:
      Define LMOWFv1(Passwd, User, UserDom) as
          ConcatenationOf(DES(UpperCase(Passwd)[0..6], "KGS!@#$%"),
                          DES(UpperCase(Passwd)[7..13], "KGS!@#$%"))
      EndDefine
• The LM hash is relatively easy to crack for short passwords
• Example, for the password 123456abcdef:
  ◦ Lower-case letters are converted to upper case and blanks are appended until the password has 14 characters: 123456ABCDEF__
  ◦ The result is split into two parts, each encrypted separately with the DES algorithm:
        123456A = 6BF11E04AFAB197F
        BCDEF__ = F1E9FFDCC75575B15
  ◦ The hash value is 6BF11E04AFAB197FF1E9FFDCC75575B15
  ◦ Using L0phtCrack, the first part can be cracked in up to 24 hours and the second part in up to 60 seconds
• If the password has fewer than 7 characters, the second half of the hash is always the same value
• NT 3.1 to Windows XP SP2 support LM hashes for backward compatibility, and this functionality is enabled by default
  ◦ It is highly recommended to disable this functionality!

23. NT Hash
• Supports passwords longer than 14 characters
• Doesn't convert the password to upper case and doesn't split it in two pieces
• NTLMv1 (used before Windows NT SP2)
  ◦ Hash value computing algorithm:
        Define NTOWFv1(Passwd, User, UserDom) as
            MD4(UNICODE(Passwd))
        EndDefine
  ◦ Due to a weakness, its use is not recommended!
• NTLMv2 (used starting with Windows NT SP3)
  ◦ Hash value computing algorithm:
        Define NTOWFv2(Passwd, User, UserDom) as
            HMAC_MD5(MD4(UNICODE(Passwd)),
                     UNICODE(ConcatenationOf(Uppercase(User), UserDom)))
        EndDefine

24. Extracting hashes from the SAM file
• Samdump2
  ◦ http://sourceforge.net/projects/ophcrack/files
  ◦ Linux tool (Kali Linux)
        #mount /dev/hda1 /mnt/XXX
        #samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam > hash.txt
• Pwdump (1-7)
  ◦ http://en.wikipedia.org/wiki/Pwdump
  ◦ Windows tool
        c:\>pwdump7 > hash.txt
• Fgdump
  ◦ http://swamp.foofus.net/fizzgig/fgdump/downloads.htm
  ◦ Windows tool
        C:\>fgdump -v

25. Hash extraction from cache (registry)
• When a user logs in to a domain, its password is stored in the registry to be used for offline logon
• Creddump
  ◦ http://code.google.com/p/creddump
  ◦ Linux tool
• Cachedump
  ◦ ftp://ftp.openwall.com/hon/contrib/cachedump/
  ◦ Windows tool

26. Hash extraction from the network
• Fgdump
        C:\>fgdump -v -h hostname -u Username -p Password
• pwdump6
        C:\>pwdump6 -u Username -p Password hostname
• Ettercap: http://ettercap.sourceforge.net/
• Cain & Abel: http://www.oxid.it/
• L0phtCrack: http://www.l0phtcrack.com/
• KerbCrack: http://www.ntsecurity.nu/toolbox/kerbcrack/
  ◦ kerbsniff, kerbcrack
• SMBRelay / SMBRelay2
  ◦ MITM attacks
  ◦ http://www.xfocus.net/articles/200305/smbrelay.html

27. Hacking Windows passwords
• John the Ripper
  ◦ http://www.openwall.com/john/
  ◦ Brute-force, knownforce, dictionary attacks
  ◦ Linux/Windows tool
        #/usr/local/john/john hash.txt                    (LM hash)
        #/usr/local/john/john --format:NT hash.txt        (NT hash)
        #/usr/local/john/john --format:mscash hash.txt    (cached credentials)
• Cain & Abel
  ◦ http://www.oxid.it
  ◦ Brute-force, dictionary attacks, cryptanalysis
• L0phtCrack
  ◦ http://www.l0phtcrack.com
  ◦ Brute force, dictionary, hybrid, rainbow table attacks
  ◦ Commercial product

28. Cracking Windows passwords (cont.)
• Ophcrack
  ◦ http://sourceforge.net/projects/ophcrack/files/
  ◦ NTLM rainbow tables must be purchased:
    • http://www.objectif-securite.ch/en/products.php
  ◦ 1 to 6 characters long: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (space included)
  ◦ 7 characters long: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
  ◦ 8 characters long: 0123456789abcdefghijklmnopqrstuvwxyz
• RainbowCrack
  ◦ http://project-rainbowcrack.com/
  ◦ Rainbow tables

29. Password Reset
• Local Windows password
  ◦ ERD Commander
  ◦ Chntpw (Kali/Rescue CD)
  ◦ Ntpassword (http://pogostick.net/~pnh/ntpassword)
• Active Directory
  ◦ Resetting a Windows domain account: http://www.nobodix.org/seb/win2003_adminpass.html
  ◦ Directory Services Restore Mode
  ◦ SRVANY.EXE, INSTSRV.EXE (Resource Kit)

30. Unix passwords
• Passwords are stored in encrypted form in /etc/passwd (readable by any user) or /etc/shadow (readable only by root)
• The encryption algorithm is DES
• The salt is 12 bits long (4096 variants)
• /etc/passwd
        username:passwd:UID:GID:full_name:directory:shell
        username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh
        username:x:503:100:Full Name:/home/username:/bin/sh
  ◦ An x in the password field means the hash is kept in /etc/shadow instead
• /etc/shadow
        username:passwd:last:may:must:warn:expire:disable:reserved
        username:Npge08pfz4wuk:9479:0:10000::::

31. Cracking Unix Passwords
• John the Ripper
        #unshadow /etc/passwd /etc/shadow > saltedpasswords
        #john saltedpasswords

32. Online password attacks
• Hydra / XHydra
  ◦ http://freeworld.thc.org/thc-hydra/
  ◦ Parallel computing support
  ◦ Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco
  ◦ SSL support
        #hydra -l john -P passwords.txt -v 192.168.0.112 ftp
        #hydra -l john -P passwords.txt -v 192.168.0.112 pop3
        #hydra -P passwords.txt -v 192.168.0.112 snmp
• Medusa
  ◦ http://www.foofus.net/
  ◦ Modular design, parallel computing support
  ◦ SMB, HTTP, POP3, MS-SQL, SSHv2, etc.
        #medusa -d
        #medusa -h 192.168.0.100 -M ssh -U users.txt -P passwords.txt

33. Custom Dictionaries
• CeWL (Custom Word List)
  ◦ http://www.digininja.org/projects/cewl.php
        #cewl.rb -w wordlist.txt http://192.168.0.10
• WYD
  ◦ http://www.remote-exploit.org/index.php/Wyd
        #wyd.pl -o output.txt www.ituniversity.ro

34. Default passwords
• Some devices and applications use a default password set during installation
• Default passwords should be changed as soon as possible
• Phenoelit list
  ◦ http://www.phenoelit-us.org/dpl.html
• CIRT
  ◦ 437 vendors, 1842 passwords
  ◦ http://www.cirt.net/passwords

35. Protection
• Use complex passwords
• Use two-factor authentication
• Lock the account for a certain timeframe, or ask for a CAPTCHA, after a few unsuccessful attempts
• Log login attempts

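The lock-out and logging rules above turned into detection logic, as an added example that is not from the original slides. It runs over constructed OpenSSH auth.log lines (the 192.168.0.112 lab address is reused from the slides; user names and times are made up), locks an account after five failures within five minutes, and flags any login the server still accepted during the lock, which is how a defender notices that the lock-out policy is not actually enforced.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth.log style (not real captured logs).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1201]: Failed password for john from 192.168.0.112 port 51000 ssh2
Mar 10 09:00:03 host sshd[1202]: Failed password for john from 192.168.0.112 port 51001 ssh2
Mar 10 09:00:04 host sshd[1203]: Failed password for john from 192.168.0.112 port 51002 ssh2
Mar 10 09:00:06 host sshd[1204]: Failed password for john from 192.168.0.112 port 51003 ssh2
Mar 10 09:00:07 host sshd[1205]: Failed password for john from 192.168.0.112 port 51004 ssh2
Mar 10 09:00:09 host sshd[1206]: Accepted password for john from 192.168.0.112 port 51005 ssh2
Mar 10 09:20:00 host sshd[1300]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Mar 10 09:45:00 host sshd[1301]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def parse(line, year=2024):
    """(timestamp, outcome, user, source_ip) or None; syslog has no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect(log_text, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
    """Lock an account after max_failures failures inside `window` (the slide's rule)
    and flag any login accepted while the lock should still be in force."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked_until = {}               # account -> time the lock expires
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if outcome == "Failed":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > window:          # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures and ts >= locked_until.get(user, datetime.min):
                locked_until[user] = ts + lockout
                q.clear()
                alerts.append(f"LOCK {user} from {src}: {max_failures} failures within {window}")
        elif ts < locked_until.get(user, datetime.min):
            alerts.append(f"ACCEPTED WHILE LOCKED {user} from {src} at {ts:%H:%M:%S}")
    return alerts
```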
36. Authentication Mechanism
• Authentication factors:
  ◦ What a user knows (password, PIN)
  ◦ What a user has (certificate, token)
  ◦ What a user is (fingerprint, voice, retina)
• A secure authentication requires two or more factors!

38. Authentication Solutions
• One-time password generators
• Digital certificates
• Biometric systems

39. One-Time Password Generators
• Passwords are vulnerable to some attacks
  ◦ They might be intercepted
  ◦ They might be guessed after repeated attempts
• Solution: one-time passwords
  ◦ RSA SecurID (www.rsa.com)
  ◦ Vasco (www.vasco.com)
  ◦ Cryptocard (www.cryptocard.com)
  ◦ ActivIdentity (www.actividentity.com)
  ◦ Secure Computing (www.securecomputing.com)

40. RSA SecurID

41. RSA SecurID (cont.)
• Authentication devices
  ◦ Key fob
  ◦ Card
  ◦ PIN pad
  ◦ Software + smart card
  ◦ Smartphone, PDA

42. RSA SecurID (cont.)

43. RSA SecurID (cont.)
• Uniform solution for users' secure authentication: network, system, application
• Simple and secure method
• Easy to use and manage
• Increased security level

44. Attacks
• Phishing
  ◦ Server authentication (SSL certificate)
  ◦ PwdHash (http://crypto.stanford.edu/PwdHash)
• Man-in-the-middle (MITM)
  ◦ Server authentication (SSL certificate)

45. Digital Certificates
• Public key cryptography
  ◦ Each user has a key pair: a private and a public one
  ◦ Data encryption: the encryption is made using the receiver's public key; decryption can be done only with the corresponding private key
  ◦ Digital signatures: the sender uses its private key to sign the message; the signature can be verified using the sender's public key
• How are public keys distributed? PKI (Public Key Infrastructure)
  ◦ Certificate Authorities: trusted third parties that guarantee to whom a public key belongs
  ◦ Digital certificates bind a public key to its owner

46. PKI – Public Key Infrastructure

47. X.509 v3 Digital Certificate

48. X.509 v3 Digital Certificate (cont.)
• Subject X.500 Name
  ◦ C = RO, O = MTA, CN = Ion Bica, E = [email protected]
• Subject Alternative Name
  ◦ e-mail (rfc822Name)
  ◦ Windows username (UPN)
• Key Usage
  ◦ digitalSignature (short-term signatures)
  ◦ nonRepudiation (long-term signatures)
  ◦ keyEncipherment
  ◦ keyAgreement
• Extended Key Usage
  ◦ serverAuthentication
  ◦ clientAuthentication
  ◦ codeSigning
  ◦ emailProtection
• CRL Distribution Points

49. Digital certificate authentication
• Authentication is possible for users who hold the private key matching the public key in the certificate known to the server
  ◦ Digital signing of random data (a challenge)
• The digital certificate by itself is not an authentication factor
  ◦ The certificate is used only for validating data signed by the entity being authenticated
• Applications that can use digital certificates as an authentication mechanism:
  ◦ VPN (Virtual Private Network)
  ◦ Web applications (SSL/TLS)
  ◦ Kerberos (Windows Smart Card Logon)
• Cryptographic smart cards are used to ensure key protection: the keys are generated and stored on the card, and operations with those keys are executed only on the card

50. Kerberos

51. Windows Smart Card Logon configuration
• Publish the Certificate Authority as trusted in Active Directory
• Deploy certificates
• Install the smart card drivers on the workstations
• Issue certificates for the users, with:
  ◦ Enhanced Key Usage (Smart Card Logon)
  ◦ Subject Alternative Name (User Principal Name)

52. Attacks
• CA compromise
  ◦ DigiNotar (July 2011)
• Man-in-the-browser (MITB)
  ◦ Exploitation of a vulnerability within the web browser in order to change the content of transactions or insert additional transactions; very difficult or impossible for a user to detect
  ◦ Out-of-band verification (SMS)
  ◦ Hardened browser (portable application, private browsing)
• Man-in-the-middle (MITM)
  ◦ http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

53. Biometric methods
• Fingerprint
• Voice
• Iris
• Face geometry
• Hand geometry
• Retina scan
• Thermal imprint of the face
• Handwritten signature

54. Biometric methods (cont.)

55. Biometric system

56. Biometric system performance
• False Acceptance Rate (FAR)
  ◦ The percentage of impostors accepted by mistake
• False Rejection Rate (FRR)
  ◦ The percentage of genuine users rejected by mistake
• Threshold
  ◦ The value configured in order to control the error rates

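The FAR/FRR trade-off above computed over constructed matcher scores, as an added example that is not from the original slides. The scores are made-up similarity values (0 to 100) for a toy system; the functions show how moving the threshold trades one error rate for the other and how a deployment picks a threshold from a FAR budget.

```python
# Constructed matcher similarity scores (0..100) for a toy biometric system;
# the numbers are made up for this example, not measured from any product.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 52, 48]   # users vs. their own template
IMPOSTOR_SCORES = [64, 60, 55, 52, 50, 48, 45, 40, 36, 20]  # other people vs. that template

def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def error_table(thresholds):
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR and raises FRR."""
    return [(t, far(t), frr(t)) for t in thresholds]

def equal_error_threshold(thresholds):
    """Threshold where FAR and FRR are closest, i.e. the Equal Error Rate operating point."""
    return min(thresholds, key=lambda t: abs(far(t) - frr(t)))

def threshold_for_far(max_far, thresholds):
    """Lowest threshold whose FAR stays within a budget: a security-sensitive
    deployment fixes the acceptable FAR first and accepts the resulting FRR."""
    return min(t for t in thresholds if far(t) <= max_far)

if __name__ == "__main__":
    for t, a, r in error_table(range(40, 81, 10)):
        print(f"threshold {t:3d}: FAR {a:.1f}  FRR {r:.1f}")
    print("EER threshold:", equal_error_threshold(range(0, 101, 5)))
    print("threshold for FAR = 0:", threshold_for_far(0.0, range(0, 101, 5)))
```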
57. Attacks
• Casts of a fingerprint
  ◦ Edible gelatin (has a capacitance close to a human finger's)
• Fake iris
  ◦ High-resolution images
• Compromised database containing biometric templates

58. Multiple identities
• Example: when the same username is used on the local network and for the VPN at the same time, someone else might use its credentials

59. Single Sign On (SSO)
