
The Ethical Hacker's Guide to System Hacking

Attackers acquire information through techniques such as footprinting, scanning and enumeration before hacking the target system.


CEH Hacking Methodology: Footprinting, Scanning, Enumeration, Vulnerability Analysis

Footprinting
It is the process of accumulating data regarding a specific network environment. In this phase, the attacker creates a profile of the target organization, obtaining information such as its IP address range, namespace and employees. Footprinting eases the process of system hacking by revealing its vulnerabilities.

Scanning
This is a procedure for identifying active hosts, open ports, and unnecessary services enabled on ports. Attackers use different types of scanning, such as port scanning, network scanning and vulnerability scanning of target networks or systems, which help in identifying possible vulnerabilities.

Enumeration
This is a method of intrusive probing through which attackers gather information such as network lists, routing tables, security flaws, and Simple Network Management Protocol (SNMP) data.

Vulnerability Analysis
Vulnerability assessment is an examination of the ability of a system or application, including its current security procedures and controls, to withstand assault. Attackers perform this analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems.

CEH Hacking Methodology (CHM): System Hacking Goals

Hacking Stage: Gaining Access
Goal: To bypass access controls to gain access to the system.
Technique used: Password cracking, social engineering.
It involves gaining access to low-privileged user accounts by cracking passwords through techniques such as brute forcing, password guessing and social engineering, and then escalating those privileges to administrative levels to perform a protected operation.

Hacking Stage: Escalating Privileges
Goal: To acquire the rights of another user or admin.
Technique used: Exploiting known system vulnerabilities.

Maintaining Access
After gaining access to the target system, attackers work to maintain high levels of access to perform malicious activities such as stealing, hiding or tampering with sensitive files.

Clearing Logs
To maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system log.

Hacking Stage: Executing Applications
Goal: To create and maintain remote access.
Technique used: Trojans, spyware, backdoors, keyloggers.

Hacking Stage: Hiding Files
Goal: To hide the attacker's malicious activities and data theft.
Technique used: Rootkits, steganography.

Hacking Stage: Covering Tracks
Goal: To hide the evidence of compromise.
Technique used: Clearing logs.

Password Cracking
Attackers use this technique to gain unauthorized access to vulnerable systems. Such a technique is mostly successful due to weak or easy passwords.

Types of password attacks: Non-Electronic Attacks; Active Online Attacks (Dictionary, Brute Forcing and Rule Based attack; Password Guessing; Trojan/Spyware/Keylogger; Hash Injection; LLMNR/NBT-NS Poisoning); Passive Online Attacks (Wire Sniffing; Man-in-the-Middle and Replay); Offline Attacks (Rainbow Table; Distributed Network Attack).

Non-Electronic Attacks
• Social Engineering: Convincing people to reveal passwords.
• Shoulder Surfing: Looking at either the user's keyboard or screen while he/she is logging in.
• Dumpster Diving: Searching for sensitive information in the user's trash bins, printer trash bins, and on the user's desk for sticky notes.

Active Online Attacks

Password Guessing
The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim's machine to crack the passwords. Steps: find a valid user; create a list of possible passwords; rank passwords from high probability to low; key in each password until the correct password is discovered.

Dictionary, Brute Forcing and Rule Based Attack
• Dictionary: A dictionary file is loaded into the cracking application that runs against user accounts.
• Brute Forcing: The program tries every combination of characters until the password is broken.
• Rule Based attack: This attack is used when the attacker has obtained some information about the password.

Trojan/Spyware/Keylogger
• The attacker installs a Trojan/spyware/keylogger on the victim's machine to collect the victim's usernames and passwords.
• The Trojan/spyware/keylogger runs in the background and sends all user credentials back to the attacker.

Hash Injection
• A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources.
• The attacker finds and extracts a logged-on domain admin account hash.
• The attacker uses the extracted hash to log on to the domain controller.

LLMNR/NBT-NS Poisoning
• LLMNR and NBT-NS are two main elements of Windows operating systems used to perform name resolution for hosts present on the same link.
• The attacker cracks the NTLMv2 hash obtained from the victim's authentication process.
• The extracted credentials are used to log on to the host system in the network.

Passive Online Attacks

Wire Sniffing
• The attacker runs packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
• The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails.
• Sniffed credentials are used to gain unauthorized access to the target system.

Man-in-the-Middle and Replay Attack
• In a MITM attack, the attacker acquires access to the communication channel between victim and server to extract the information.
• In a replay attack, packets and tokens are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access.

Offline Attacks

Rainbow Table Attack
• A rainbow table attack uses a precomputed table which contains word lists, such as dictionary files and brute-force lists, together with their hash values.

Distributed Network Attack
• The DNA technique is used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network to decrypt passwords.
• The DNA manager is installed in a central location where machines running the DNA client can access it over the network.
• The DNA manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network.
• The DNA client runs in the background, consuming only unused processor time.
• The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password.

How to Defend against Password Cracking
1. Enable auditing to monitor and track password attacks.
2. Do not use the same password during a password change.
3. Do not share passwords.
4. Do not use passwords that can be found in a dictionary.
5. Do not use cleartext protocols or protocols with weak encryption.
6. Set the password change policy to 30 days.
7. Avoid storing passwords in an unsecured location.
8. Do not use any system's default passwords.
9. Make passwords hard to guess.
10. Ensure that applications neither store passwords in memory nor write them to disk in clear text.
11. Use a random string as a prefix or suffix with the password before encrypting it.
12. Monitor servers' logs for brute-force attacks on user accounts.
13. Lock out an account subjected to too many incorrect password guesses.
14. Enable SYSKEY with a strong password to encrypt and protect the SAM database.

Escalating Privileges
• An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges.
• These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, trojans, worms etc.
• The attacker performs a privilege escalation attack which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software applications to gain administrative access to the network and its associated applications.
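As an added example (not part of the original guide), the following Python script implements defences 12 and 13 from the password-cracking list above: it parses constructed sshd-style log lines, counts failed logins per account within a sliding time window, raises an alert when an account crosses the threshold and marks it for lockout. The log format, the threshold (5 failures in 5 minutes), and the user names and addresses are assumptions.

```python
"""Brute-force login detection over auth log lines.

Added example (not from the original guide): implements defences 12 and 13
of the password-cracking section. Failed logins per account are counted in a
sliding window; reaching the threshold raises an alert and locks the account.
Log format, threshold, window, users and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style sample (hypothetical users and addresses).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[812]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 sshd[812]: Failed password for alice from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:04 sshd[812]: Failed password for alice from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:06 sshd[812]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:07 sshd[812]: Failed password for alice from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:09 sshd[812]: Accepted password for alice from 203.0.113.7 port 51006 ssh2
2024-03-01T10:15:00 sshd[900]: Failed password for bob from 198.51.100.2 port 40000 ssh2
2024-03-01T10:30:00 sshd[901]: Failed password for bob from 198.51.100.2 port 40001 ssh2
2024-03-01T10:45:00 sshd[902]: Failed password for bob from 198.51.100.2 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_brute_force(log_text, threshold=5, window_seconds=300):
    """Scan log_text and return (alerts, locked_users, post_lockout_logins).

    alerts: (user, src, ts) for each account reaching `threshold` failures
            within `window_seconds` (defence 12: watch logs for brute force).
    locked_users: accounts that should be locked out (defence 13).
    post_lockout_logins: successful logins for an account after it was
            flagged; if lockout is enforced this list should stay empty.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts, locked, post_lockout = [], set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log line
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "Accepted":
            if user in locked:
                post_lockout.append((user, ev["src"], ts))
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and user not in locked:
            alerts.append((user, ev["src"], ts))
            locked.add(user)
    return alerts, locked, post_lockout


if __name__ == "__main__":
    for name, value in zip(("alerts", "locked", "post_lockout"),
                           detect_brute_force(SAMPLE_LOG)):
        print(name, value)
```

In the sample, alice is flagged on her fifth failure and her later successful login is reported as a post-lockout login, while bob's three failures spread over 30 minutes never fill the 5-minute window.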

Types of Privilege Escalation
• Horizontal – Refers to acquiring the same level of privileges that has already been granted, but assuming the identity of another user with similar privileges.
• Vertical – Refers to gaining higher privileges than the existing ones.

Privilege Escalation Techniques

Access Token Manipulation
• Windows uses access tokens to determine the security context of a process or thread.
• Attackers can obtain access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities while evading detection.

Application Shimming
• The Windows application compatibility framework (shim) is used to provide compatibility between older and newer versions of the Windows operating system.
• Shims like RedirectEXE, InjectDLL and GetProcAddress can be used by attackers to escalate privileges, install backdoors, disable Windows Defender etc.

File System Permissions Weakness
• If the file system permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file.
• If the process that executes this binary has higher-level permissions, then the malicious binary also executes under those higher-level permissions.

Path Interception
• Applications include many weaknesses and misconfigurations, such as unquoted paths, PATH environment variable misconfiguration and search order hijacking, that lead to path interception.
• Path interception helps an attacker to maintain persistence on a system and escalate privileges.

Scheduled Task
• The Windows Task Scheduler, along with utilities such as 'at' and 'schtasks', can be used to schedule programs that execute at a specific date and time.
• An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges etc.

Launch Daemon
• launchd is used during macOS and OS X boot-up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon.
• Daemons have plists that are linked to executables that run at startup.
• An attacker can alter a daemon's executable to maintain persistence or to escalate privileges.

Plist Modification
• Plist files in macOS and OS X describe when programs should execute, the executable file path, program parameters, required OS permissions etc.
• Attackers alter plist files to execute malicious code on behalf of a legitimate user to escalate privileges.

Setuid and Setgid
• In Linux and macOS, if an application uses setuid or setgid, then the application will execute with the privileges of the owning user or group.
• An attacker can exploit applications with the setuid or setgid flags to execute malicious code with elevated privileges.

Web Shell
• A web shell is a web-based script that allows access to a web server.
• Attackers create web shells to inject malicious scripts on a web server to maintain persistent access and escalate privileges.

How to Defend against Privilege Escalation
1. Restrict interactive logon privileges.
2. Use encryption techniques to protect sensitive data.
3. Run users and applications with the least privileges.
4. Reduce the amount of code that runs with privilege.
5. Implement multi-factor authentication and authorization.
6. Perform debugging using bounds checkers and stress tests.
7. Run services as unprivileged accounts.
8. Test operating system and application code for errors and bugs thoroughly.
9. Implement a methodology to limit the scope of programming errors and bugs.
10. Patch and update the kernel regularly.
11. Change the UAC settings to "Always Notify".
12. Restrict users from writing files to the search paths for applications.
13. Continuously monitor permissions using auditing tools.
14. Reduce the privileges of users and groups so that only legitimate administrators can make service changes.
15. Use whitelisting tools to identify and block malicious software.
16. Use fully qualified paths in all Windows applications.
17. Ensure that all executables are placed in write-protected directories.
18. In Mac operating systems, make plist files read-only.
19. Block unwanted system utilities or software that may be used to schedule tasks.
20. Patch and update the web servers regularly.


Executing Applications
Once attackers gain higher privileges on the target system by trying various privilege escalation attempts, they may attempt to execute a malicious application by exploiting a vulnerability to execute arbitrary code. Attackers execute malicious applications in this stage. This is called "owning" the system.

The malicious programs attackers execute on the target system:
• Backdoors – Programs designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, and gain unauthorized access to system resources.
• Crackers – Pieces of software or programs designed for cracking a code or passwords.
• Keyloggers – These can be hardware or software. In either case, the objective is to record each keystroke made on the computer keyboard.
• Spyware – Spy software may capture screenshots and send them to a specified location defined by the hacker.

Tools for Executing Applications
Tools used for executing applications remotely help attackers perform various malicious activities on target systems. After gaining administrative privileges, attackers use these tools to install, execute, delete and/or modify restricted resources on the victim machine.
• RemoteExec – Remotely installs applications, executes programs/scripts and updates files and folders on Windows systems throughout the network. It allows the attacker to modify the registry, change local admin passwords, disable local accounts, and copy/update/delete files and folders.

Keyloggers
Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, log them to a file, or transmit them to a remote location. Legitimate applications for keyloggers include office and industrial settings, to monitor employees' computer activities, and home environments, where parents can monitor and spy on children's activity. A keylogger allows an attacker to gather confidential information about the victim such as email IDs, passwords, banking details, chat room activity, IRC, instant messaging etc. Physical keyloggers are placed between the keyboard hardware and the operating system.

Types of Keystroke Loggers
Hardware keyloggers:
• PC/BIOS Embedded Keylogger
• Keylogger Keyboard
• External Keylogger: PS/2 and USB Keylogger, Acoustic/CAM Keylogger, Bluetooth Keylogger, Wi-Fi Keylogger
Software keyloggers:
• Application Keylogger
• Kernel Keylogger
• Hypervisor-Based Keylogger
• … Based Keylogger

Spyware
Spyware allows attackers to gather information about a victim or organization such as email addresses, user logins, passwords, credit cards, banking credentials etc. Types of spyware and example tools:
• Video Spyware: Mov, avi Video Editor; Free2x webcam recorder; iSpy; NET video Spy; Eyeline Video Surveillance
• Telephone/Cellphone Spyware: Phone spy; XNSPY; Mobile spy; OneSpy; TheTruthSpy
• GPS Spyware: Spyera; mSpy; iKeyMonitor; Mobistealth; FlexiSpy
• … Spyware: ACTIVtrak; Veriato 360; Netvizor; Activity Monitor; Soft Activity TS Monitor
• USB Spyware: USB Analyzer; USB Monitor; USB Deview; Advanced USB Port Monitor; USB Monitor Pro
• Audio Spyware: Spy Voice Recorder; Spy Audio Listening Device; Spy USB Voice Recorder; Audio Spy; Voice activated flash drive voice recorder

Hardware Keylogger Countermeasures
1) Restrict physical access to sensitive computer systems.
2) Periodically check all the computers to see whether any hardware device is connected to the computer.
3) Use encryption between the keyboard and its driver.
4) Use an anti-keylogger that detects the presence of a hardware keylogger, such as Oxynger KeyShield.
5) Use an on-screen keyboard and click on it.

How to Defend against Keyloggers
1) Use a pop-up blocker and avoid opening junk emails.
2) Install antispyware/antivirus programs and keep the signatures up to date.
3) Install professional software and anti-keylogging software.
4) Recognize suspicious emails and delete them.
5) Update and patch system software regularly.
6) Do not click on links in unwanted or doubtful emails that may point to malicious sites.
7) Use keystroke interference software, which inserts randomized characters into every keystroke.
8) Scan files before installing them, and use Registry Editor or Process Explorer to check for keystroke loggers.
9) Use the Windows on-screen keyboard accessibility utility to enter passwords or any other confidential information.
10) Install a host-based IDS, which can monitor your system and disable the installation of keyloggers.
11) Use an automatic form-filling password manager or a virtual keyboard to enter the username and password.
12) Use software that frequently scans and monitors the changes in the system or network.

How to Defend against Spyware
• Try to avoid using any computer system which is not totally under your control.
• Install and use anti-spyware software.
• Perform web surfing safely and download cautiously.
• Adjust the browser security settings to medium or higher for the Internet zone.
• Do not use administrative mode unless it is necessary.
• Be cautious about suspicious emails and sites.
• Keep your operating system up to date.
• Enable the firewall to enhance the security level of the computer.
• Do not download free music files, …, or smiley faces from the Internet.
• Update the software regularly and use a firewall with outbound protection.
• Beware of pop-up windows or webpages.
• Regularly check the Task Manager report and the MS Configuration Manager report.
• Update virus definition files and scan the system for spyware regularly.
• Carefully read all disclosures, including the license agreement and privacy statement, before installing any application.

Rootkits
Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting the attacker full access to the server or host at that time and in the future. Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn determine the security of the target system, causing malicious functions to be executed. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Objectives of Rootkits
• To root the host system and gain remote access.
• To mask the attacker's tracks and the presence of malicious applications or processes.
• To gather sensitive data and network traffic from the system, to which attackers might otherwise be restricted or possess no access.
• To store other malicious programs on the system and act as a server resource for bot updates.

Attackers place a rootkit by:
• Scanning for vulnerable computers and servers on the web.
• Wrapping it in a special package like games.
• Installing it on public computers or corporate computers through social engineering.
• Launching zero-day attacks (privilege escalation, …, Windows kernel exploitation, etc.).

Types of Rootkits
• Hypervisor Level – Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.
• Hardware/Firmware – Hides in hardware devices or platform firmware which is not inspected for code integrity.
• Kernel Level – Adds malicious code or replaces the original OS kernel and device driver code.
• Boot Loader Level – Replaces the original boot loader with one controlled by a remote attacker.
• Application Level – Replaces regular application binaries with fake Trojans or modifies the behavior of existing applications by injecting malicious code.
• Library Level – Replaces original system calls with fake ones to hide information about the attacker.

Detecting Rootkits
• Integrity-Based Detection – Compares a snapshot of the file system, boot records or memory with a known trusted baseline.
• Signature-Based Detection – Compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.
• Heuristic/Behavior-Based Detection – Any deviation in the system's normal activity or behavior may indicate the presence of a rootkit.
• Runtime Execution Path Profiling – Compares the runtime execution paths of all system processes and executable files before and after the rootkit infection.
• Cross View-Based Detection – Enumerates key elements in the computer system such as system files, processes and registry keys, and compares them to a data set generated by an algorithm that does not rely on the common APIs. Any discrepancies between these two data sets indicate the presence of a rootkit.

Steganography
Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data. Utilizing a graphic image as a cover is the most popular method to conceal data in files. Attackers can use steganography to hide messages such as lists of compromised servers, source code for hacking tools, plans for future attacks etc.

Classification of Steganography
• Technical steganography
• Linguistic steganography
  – Semagrams: Visual semagrams, Text semagrams
  – Open codes: Jargon code; Covered ciphers (Null cipher, Grille cipher)
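The integrity-based rootkit detection described above, as an added example that is not from the original guide: a Python script that hashes every file under a directory, stores the result as a trusted baseline, and later diffs a fresh snapshot against it to report modified, added and removed files. The directory layout, file contents and the simulated tampering are constructed for the demo.

```python
"""Integrity-based rootkit detection: diff a directory against a trusted baseline.

Added example (not from the original guide). A snapshot (SHA-256 per file)
is taken while the host is known-good and stored as JSON; later a fresh
snapshot is compared to it. Replaced, added and removed files are reported.
The file tree and tampering below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def save_baseline(digests, path):
    with open(path, "w") as fh:
        json.dump(digests, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} (sorted paths)."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a fake bin tree, baseline it, then simulate tampering and diff.

    The simulated rootkit replaces 'ls', drops a hidden helper file and
    deletes 'netstat'; all three changes must show up in the report.
    """
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(snapshot(bindir), baseline_file)

        # Constructed tampering: trojaned ls, new hidden file, removed tool.
        with open(os.path.join(bindir, "ls"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho tampered ls\n")
        with open(os.path.join(bindir, ".rk_helper"), "wb") as fh:
            fh.write(b"constructed sample content\n")
        os.remove(os.path.join(bindir, "netstat"))

        return compare(load_baseline(baseline_file), snapshot(bindir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because a kernel-level rootkit can intercept file reads on the running system, both the baseline and the comparison should be taken from trusted boot media rather than from the suspect OS.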

Types of Steganography
Image, Document, Folder, Video, Audio, Whitespace, Web, Spam/Email, DVD-ROM, Natural Text, Hidden OS, Source Code.

Covering Tracks
Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection. Attackers use the following techniques to cover tracks on the target system:
• Disable auditing – Disables auditing features.
• Clearing logs – Clears/deletes the system log entries.
• Manipulating logs – Manipulates logs in such a way that the attacker will not be caught in legal actions.

Ways to Clear Online Tracks
Attackers clear online tracks maintained in web history, logs, cookies, cache and downloads. This way the victims cannot notice what online activities the attacker has performed. What attackers do to clear their online tracks:
• Disable password manager
• Delete history
• Delete private data
• Turn off autocomplete
• Delete cookies
• Delete user JavaScript
• Remove most recently used
• Clear cache on exit
• Delete all downloads
• Delete saved sessions