System Hacking Gabriel Avramescu www.ituniversity.ro [email protected] Vulnerabilities exploitation Passwords Authentication Objectives 2 Vulnerabilities exploitation Special “program” written to exploit vulnerabilities found on computers, having as target to compromise their security ◦ Obtaining access, privilege escalation, blocking its functionality, etc. Remote vs. local exploits Public vs. private exploits Underground world Exploit development requires advanced programming knowledge: C/C++, perl, python Security Exploits 4 Exploit=Vulnerability + Payload Payload=the code to be executed after the vulnerability is activated Written as Assembly Language (ASM) Is platform dependent special exploits for Windows, others for Linux Different types of payloads: Exec – executes a command or program on remote system Download_exec – Download a file from a URL and execute Upload_exec – Upload a local file and execute Adduser – Add user to system accounts Shell – provide an interactive shell ◦ Bind shell ◦ Reverse shell Example: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (CVE-2008-4250) Security Exploits 5 Security Focus (http://www.securityfocus.com) Exploit Database (http://www.exploit- db.com) Milw0rm (http://www.milw0rm.com) – Closed! Now inj3ct0r.com Packet Storm (http://packetstormsecurity.org) Kali Linux (metasploit) Web sites containing exploits 6 SecurityFocus 7 Metasploit Framework (http://www.metasploit.com) LibExploit (http://nixbit.com) Inguma (http://inguma.sourceforge.net) Attack Tool Kit (http://www.computec.ch/projekte/atk) Core Impact (http://www.coresecurity.com) Immunity CANVAS (http://www.immunitysec.com) SAINT (http://www.saintcorporation.com) Application Specific: ◦ Orasploit (Oracle) ◦ BeEF (Browser Exploitation Framework) ◦ W3af (Web Application Exploit Framework) Exploit frameworks 8 Open Source Project Project’s objectives Platform for developing, testing and exploit usage Used for penetration testing and vulnerabilities research Developed by HD Moore in 2003 using Perl Rewritten in Ruby Available on Linux and Windows (Cygwin) Bought by Rapid7 in 2009 (http://www.rapid7.com Commercial versions Metasploit Express and Metasploit Pro Modular and extendable Permits exploit development More about it ne future chapters Metasploit Framework 9 Metasploit Command Line Interface (MSFCLI) Metasploit Console (MSFCONSOLE) Metasploit Web Interface (MSFWEB) Phases Select the exploit to be used (after vulnerability scanning) Specific options (target IP, port, etc.) Select the payload (exec, adduser, shell, etc.) Lunch the exploit Metasploit framework (cont.) 10 Metasploit Console (MSFCONSOLE) 11 Automatic vulnerability explotation A database for information storage is required: MySQL, SQLite, Postgres Data can be imported from other programs Nessus NBE files, nmap XML nmap can run within Metasploit and store the results in its database Lunches exploits based on scanning results (ports, services, vulnerabilities) Metasploit Framework - Autopwn 12 Meterpreter (Meta-Interpreter) It creates modules that can be uploaded on compromised systems Client-server configuration PassiveX Load ActiveX in the target process http://www.uninformed.org/?v=1&a=3&t=pdf Win32 UploadExec Win32 DLL Injection VNC Server DLL Injeciton Metasploit Framework – Auxiliary Module 13 Very powerful tool (and very expensive too ~ $35 000) Very stable High number of exploits for Systems Users Web applications wireless CORE IMPACT 14 CORE IMPACT (cont.) 15 Passwords The passwords are the most used in the authentication mechanism Usually the passwords compromise means access to a system The passwords are vulnerable to some types of attacks Identity theft represents momentary the “computer crime” with the highest rate of growth Password Security 17 Usually, passwords are not stored in clear systems but encoded in the form of hash values The use of one-way functions for encrypting (DES, MD5, SHA, etc.) When a user inserts a password, it’s hash is computed and compared with the one stored in the database If those two values are the same, the user is then authenticated Password Representation 18 Salting – the insertion of a random value in hashes’ computing process The salt value is stored together with the hash value in the database If two users have the same passwords, those will represented as different encrypted values in the database (due to the different salt) It considerable increases the security level Password Representation (cont.) 19 Online attacks Brute force Easy to be detected Offline attacks Implies gaining the hash values stored locally or transmitted trough the network Requires system access Network sniffing This kind of attack can’t be detected Types of Passwords’ Attacks 20 Dictionary attack ◦ All the words in a text file (dictionary) are tested ◦ Very fast (depends on the number of words from the file) Brute Force ◦ All the combinations are tested ◦ It require time and computing power Hybrid ◦ Words from the dictionary and number and special characters combination ◦ Ex: P@ssw0rd, password12, password$% Raibow tables ◦ Lookup tables ◦ Pre-computed hash values ◦ It requires a lot of storage Keyloggers, phishing, social engineering Types of Passwords’ Attacks (cont.) 21 2 types of hash values ◦ LM hash (LAN Manager hash) Used for LAN Manager authentication protocol Windows 95, 98, Me ◦ NT hash (NTLM hash) Used in NTLMv1, NTLMv2 and Kerberos authentication protocols Hash values are stored in Security Accounts Manager (SAM) or Active Directory databases SAM database is stored in Windows\system32\config directory It cannot be copied when the OS is running Solutions: Boot with a Live CD and copy the file (implies physical access to the PC) Use the backup copy from Windows\repair. This copy is made when the administrator used the RDISK utility SUSKEY – SAM encryption Windows passwords 22 Hash value computing algorithm: Define LMOWFv1(Passwd, User, UserDom) as ConcatenationOf(DES(UpperCase(Passwd)[0..6],"KGS!@#$%"), DES(UpperCase(Passwd)[7..13],"KGS!@#$%")) EndDefine LM hash is relatively easy to be hacked for short passwords Example: For the passwords: 123456abcdef The lower cases are converted to upper cases and blanks are inserted until the passwords have 14 characters: 123456ABCDEF__ The result breaks in two parts and they are separately encrypted using DES algorithm: 123456A = 6BF11E04AFAB197F BCDEF__= F1E9FFDCC75575B15 The hash value is 6BF11E04AFAB197FF1E9FFDCC75575B15 Using L0pthCrack, the first part can be hacked in up to 24 hours and the second part in up to 60 seconds If the passwords contain less then 7 chars, then the second value of the hash will be the same NT 3.1 to Windows XP SP2 supports LM hashes in order to be back-compatible and this functionality is activated by default ◦ It is highly recommended to disabled this functionality! LM hash 23 It supports passwords longer than 14 chars Doesn’t convert the passwords in upper cases and it doesn’t break it in two piaces NTLMv1 (used before Windows NT SP2) Hash value computing algorithm: Define NTOWFv1(Passwd, User, UserDom) as MD4(UNICODE(Passwd)) EndDefine Due to a weakness, the use of it is not recomennded! NTLMv2 (used starting with Windows NT SP3) Hash value computing algorithm: Define NTOWFv2(Passwd, User, UserDom) as HMAC_MD5(MD4(UNICODE(Passwd)), UNICODE(ConcatenationOf(Uppercase(User), UserDom))) EndDefine NT Hash 24 Samdump2 http://sourceforge.net/prohects/ophcrack/files Linux Tool (Kali Linux) #mount /dev/hda1 /mnt/XXX #samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam > hash.txt Pwdump (1-7) http://en.wikipedia.org/wiki/Pwdump Windows tool c:\>pwdump7 > hash.txt Fgdump http://swamp.foofus.net/fizzgig/fgdump/downloads.htm Windows tool ◦ C:\>fgdump -v Extracting hashes from SAM file 25 When a user loges in a domain, it’s password is stored in registry to be used for offline logon Creddump http://code.google.com/p/creddump Linux tool Cachedump ftp://ftp.openwall.com/hon/contrib/cachedump/ Windows tool Hash extraction from cache (registry) 26 Fgdump C:\>fgdump -v -h hostname -u Username -p Password pwdump6 C:\>pwdump6 -u Username -p Password hostname Ettercap http://ettercap.sourceforge.net/ Cain & Abel http://www.oxid.it/ L0phtCrack http://www.l0phtcrack.com/ KerbCrack http://www.ntsecurity.nu/toolbox/kerbcrack/ kerbsniff, kerbcrack SMBRelay / SMBRelay2 MITM attacks http://www.xfocus.net/articles/200305/smbrelay.html Hash extraction from the network 27 John the Ripper ◦ http://www.openwall.com/john/ ◦ Brute-force, knownforce, dictionary attacks ◦ Linux/Windows tool #/usr/local/john/john hash.txt (LM hash) #/usr/local/john/john --format:NT hash.txt (NT hash) #/usr/local/john/john --format:mscash hash.txt (cached cred) Cain&Abel ◦ http://www.oxid.it ◦ Brute-force, dictionary attacks, cryptanalysis L0pthCrach ◦ http://www.l0pthcrack.com ◦ Brute force, dictionary, hybrid, rainbow tables attacks ◦ Commercial product Hacking Windows passwords 28 Ophcrack ◦ http://sourceforge.net/projects/ophcrack/files/ ◦ NTLM rainbow tables trebuie cumpărate: • http://www.objectif-securite.ch/en/products.php ◦ 1 – 6 characters long: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN OPQRSTUVWXYZ!"#$%&'()*+,-./:;&<=>?@[\]^_`{|}~ (space included) ◦ 7 character long: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN OPQRSTUVWXYZ ◦ 8 character