Professional Documents
Culture Documents
Countermeasures
Version 6
Module VII
System Hacking
Module Objective
• Password cracking
• Password attacks
• Identifying various password cracking tools
• Formulating countermeasures for password cracking
• E l ti privileges
Escalating i il
• Executing applications
• Keyloggers and Spywares
• Spywares and keyloggers countermeasures
• Hiding files
• Understanding rootkits
• g g p y
The use of Steganography
• Covering tracks
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Password Types
Passwords
d that
h contain only
l speciall characters
h
• $@$!()
Four types
yp of
password attacks Passive online
attacks
Active online
attacks
Offline attacks
Non-electronic
attacks
Considerations:
Succeeds with:
• Bad passwords
• Open authentication points
Considerations:
LM Hashes are much more vulnerable due to smaller key space and shorter length
Mitigations:
• Use good passwords
• Remove LM Hashes
• Attacker has password database
Considerations:
• Moore’s law
S
Succeeds
d only
l with
ith poor passwords
d
Insert entropy:
• Relatively fast
• Succeeds when entropy is poorly
used
Typically LM “hash”
Typically, hash is attacked first
Considerations:
• Very slow
• All passwords will eventually be found
• Attack against NT hash is much harder than LM hash
Generate all
ll possible
bl hhashes
h
Storing
S i h hashes
h • LM “Hashes”: 310 Terabytes
requires huge • NT Hashes < 15 chars:
storage: 5,652,897,009 exabytes
Shoulder surfing
Keyboard sniffing
•HHardware
d is cheap
h and
dhhard
d tto d
detect
t t
• Software is cheap and hard to detect
• Both can be controlled remotely
Social engineering
• Discussed in module 11
Smart cards
• Two-factor authentication
• Difficult to thwart
• High cost of initial deployment
Biometric
LC4 is a password auditing and recovery package distributed by @stake software. SMB
packet capture listens to the local network segment and captures the individual login
sessions
When this password is encrypted with the LM algorithm, it is first converted to all uppercase:
123456QWERTY
The password is padded with null (blank) characters to make it 14 characters in length:
123456QWERTY_
6QWERTY
Before encrypting this password, 14 character string is split in half: 123456Q and WERTY_
Note: The first half of the hash contains alphanumeric characters and it will take 24 hrs to
crack by Lophtcrack and the second half only takes 60 seconds. LM hashes are not salted
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac Same
Password
Cecil:root:209be1:a483b303c23af34761de02be038fde08
When you set or change the password for a user account to a password that
contains fewer than 15 characters, Windows generate both LAN Manager hash
(LM hash) and Windows NT hash (NT hash) of the password
These hashes are stored in the local Security Accounts Manager (SAM)
database or in Active Directory
M h d 3: U
Method Use a P
Password
d that
h iis at lleast 15 Ch
Characters L
Long
Network
Attacker
Copyright © by EC-Council
EC-Council CHC: Executing applications All Rights Reserved. Reproduction is Strictly Prohibited
Perfect Keylogger
Copyright © by EC-Council
EC-Council CHC: Executing applications All Rights Reserved. Reproduction is Strictly Prohibited
Hacking Tool: Hardware
Keylogger
Copyright © by EC-Council
EC-Council CHC: Executing applications All Rights Reserved. Reproduction is Strictly Prohibited
What is Spyware
Spyware is a program
that records computer
activities on a machine
• Records keystrokes
• Records email messages
g
• Records IM chat sessions
• Records websites visited
• Records applications opened
• Captures screenshots
Copyright © by EC-Council
EC-Council CHC: Executing applications All Rights Reserved. Reproduction is Strictly Prohibited
Keylogger Countermeasures
Install a Host-
Host
based IDS such
Install Antivirus as Cisco CSA Keep your Frequently check
software and agent which can hardware the keyboard
keep the monitor your systems secure cables for the
signatures up to system and in a locked attached
date disable the environment connectors
installation of
keyloggers
y gg
Copyright © by EC-Council
EC-Council CHC: Executing applications All Rights Reserved. Reproduction is Strictly Prohibited
Rootkits
Start by going to the command line and Check the file size again and notice that
typing
i notepad d test.txt it hasn’t changed!
Putt some d
P data
t iin th
the fil
file, save th
the fil
file, On opening the test.txt, only the
and close notepad original data will be seen
From the command line, type dir When the type command is used on
test.txt and note the file size the filename from the command line,
only the original data is displayed
Deleting a stream
LNS.exe from
file involves
Streams are lost (http://nt
copying the front
when the file is security.nu/cgi-
file to a FAT
moved to the bin/download/ln
partition and
FAT Partition s.exe.pl)
p can
then copying it
detect streams
back to NTFS
It is the technology
that attempts to
Steganalysis is the
defeat
art and science of
steganography—by
detecting hidden
d t ti th
detecting the hidd
hidden
messages using
information and
steganography
extracting it or
destroying it
Copyright © by EC-Council
EC-Council CHC: Hiding files All Rights Reserved. Reproduction is Strictly Prohibited
Stegdetect
IIt is
i capable
bl off
Stegdetect is an Stegbreak is used to
detecting different
automated tool for launch dictionary
steganographic
detecting attacks against Jsteg-
methods to embed
steganographic Shell, JPHide, and
hidd iinformation
hidden f i iin
content in images OutGuess 0.13b
JPEG images
Key stroke logging/other spyware tools are used as they gain entry to systems to
keep up the attacks
Invariably, attackers destroy evidence of “having been there and done the damage”
S li fil
Stealing files as well
ll as hidi
hiding fil
files are the
h means to sneak
k out sensitive
i i iinformation
f i
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited