Skip to content
Search
Generic filters
Exact matches only

System Security Tutorial

Enumeration

After footprinting and the scanning phase, a hacker has to gain more specific information about hosts and devices in the network. → ENUMERATION.

Enumeration techniques:

  • Default passwords
  • User group extraction
  • Username from email
  • SNMP walking
  • Active directory
  • DNS zone transfer

NetBios Enumeration

Hacker can get information from the NetBIOS (commonly running on Windows system) using the following tools:

Users and default passwords

There are tools which are able to gather info from remote hosts (for example which application are running). One of this is PsExec.

Routers often have default passwords configured: a good method to find these passwords is just google them.

SNMP (Simple Network Management Protocol) Enumeration 

SNMP runs on network devices and it is a protocol for managing and monitoring network devices. The protocol is used for both gather info about configuration and change this configuration.

The command used to obtain info is snmpwalk: with this you can gather information about the device (which is running SNMP!).

For example with this command you can get the version of the OS running on a particular device:

snmpwalk -v2c -c public IP-ADDRESS | grep Version

Linux Enumeration

Some commands to use on Linux. They can reveal information about the users.

finger @IP-address → info about users on the system

rpc info -p IP-address → info about RPC end-point on the system

rpcclient $> netsharenum → get a list of hosted shares

showmount -e IP-address → displays NFS (Network File System) shares available

Enum4linux -v IP → Enum4linux is a script for Linux that automatically run all the previous commands (and other commands as well)

LDAP, NTP, SMTP, DNS enumeration

LDAP (Lightweight Directory Access Protocol) → for maintaining and directory information. It allows to gather names, manager, telephone numbers, …

Tools:

Countermeasures:

  • Authenticate queries to only domain users
  • Use LDAPS
  • Disable File/Printer Sharing

NTP (Network Time Protocol) → for networks synchronization Tools:

ntptrace, ntpdc, ntpq, ntpdate

SMTP (Simple Mail Transfer Protocol) → For sending emails Tools:

  • Netscan Tools Pro

Countermeasures:

  • Silently ignore unknown recipients
  • Disable relay for other domains

DNS (Domain Name System) → for translating domain names to IP addresses Tool:

  • dig axfr @NOMESERVER *.com Countermeasures:
  • Disable Zone Transfer
  • Don’t share internal IP addresses
  • Don’t use personal names when registering domains

System Hacking

Password Cracking

This video is a Demo of cracking Windows passwords with the tool OFHCRACK. This tool is available for both Windows and Kali Linux.

Sometimes systems use an additional parameter (Salt) to store password in database:

KeyLoggers and Anti-KeyLoggers

Hardware Keystroke logger 

  • PC/BIOS
  • Keyboard
  • External

The External keystroke logger are listed here:

Keylogger Defense (Hardware-based):

Software Keystroke loggers

Some type of thing on the system able to log keystrokes:

The defense against Software Keystroke loggers:

Anti KeyLoggers tools:

CoDefender, GuardedID, PrivacyKeyboard, KeyScrambler, Anti-KeyLogger, SpyShelter

Microsoft authentication

Credentials stored in SAM (Security Accounts Manager) and in the Active Directory Database.

Authentication methods:

  • NTLM → challenge response protocol
  • Kerberos → use tickets for the authentication

Privilege Escalation

2 types of escalation:

  • Horizontal: get access to another user’s account
  • Vertical: get access to admin (windows) or root (linux)

It is accomplished by inserting malware on DLLs (automatically executed when application initializes), exploiting software vulnerabilities, bypassing User Access Control (running programs as administrator → see sudo for Linux)

Tools:

Escalation defense:

Executing Applications

The execution of applications by a hacker is often accomplished remotely

Goals:

  • Gather more information (spyware: video, audio, USB-launched, GPS)
  • Create backdoors
  • Launch additional attacks

Execution tools (you get access to the system and then install them to have remote access):

– PsExec

  • Remote-Exec
  • PDQ Deploy
  • Dame-ware

Rootkits & Anti-Rootkits

 Rootkit is a software that allows the attacker to have further advantages after the attack is accomplished:

  • Gain admin privileges
  • Gain additional data
  • Monitor network traffic
  • Launch attacks to other hosts Some examples of Rootkit actions:

Defense against Rootkits:

  • Avoid untrusted downloads
  • Use Firewalls
  • Verify all software before installing (install only the necessary one)
  • Choose antivirus that protects from Rootkits

NTFS stream manipulation

It’s possible to determine if a critical file has been changed thank to the file metadata. NTFS Alternative Data Stream (NTFS ADS) allows a file’s content to be changes without changing the file metadata.
It allows the injection of malicious code.

Some tools to detect NTFS ADS:

Steganography

It’s the art of hiding a message or information within another data (doc,txt,img,audio,video…).

It’s used when the attacker accesses the information and he won’t make use that info right-away: so he hides it for further use.

over mediums and respective tools in the next table:

On the other hand, steganalysis is the art of discovering these hidden messages and is typical done by statistical analysis of files.
Tools for steganalysis:

Covering tracks

 The most common techniques for covering tracks are:

  • Delete log entries (Windows Event Viewer or /var/log in Linux
  • Change log entries (better than deleting because you don’t leave any “hole” in the entries
  • Disable auditing processes (no logs at all)
  • Delete command     history     (clear     MRU     in     Windows     and     shred     – zu/root/.bash_history in Linux)

Tools:

  • exe
  • meterpreter
  • CCleaner
  • MRU-Blaster
  • BleachBit
  • ClearProg

System Hacking

Some steps for hacking a system:

Malware threats

  • Trojan (appears to be normal program, but is destructive; may provide unauthorized access to hacker; does not replicate itself; spread via social engineering)

Types of Trojans:

  • Virus (malicious software code attached to another program; designed to replicate itself; infect data files; spread via social engineering)

Types of Virus:

  • Worm
  • Adware (advertising products)
  • Backdoor (allow the attacker to get access in the future by other ways)
  • Spyware
  • Botnet (it’s not software)
  • Crypter (use encryption technology for bad purposes)
  • Rootkit (provide more access to an already compromised system)

Malware actions:

Indications of infection

Common Ports for Malware

The range of ports (0-66535) is divided in 3 main blocks:

  • WELL-KNOWN PORTS (0-1023) → basic services from a long time
  • REGISTERED PORTS (1024-49151) → assigned to other services but you could use them for other services
  • PRIVATE PORTS (49152-66535) → not assigned to any specific service

Port scanning tools can be used to determine open ports: once infected, a host may open additional ports.

How malware gets into a system

  • Common Ports for Malware

The range of ports (0-66535) is divided in 3 main blocks:

  • WELL-KNOWN PORTS (0-1023) → basic services from a long time
  • REGISTERED PORTS (1024-49151) → assigned to other services but you could use them for other services
  • PRIVATE PORTS (49152-66535) → not assigned to any specific service

Port scanning tools can be used to determine open ports: once infected, a host may open additional ports.

How malware gets into a system

How to detect

Scan for suspicious:
1) Open ports Port scanner: CurrPorts, nmap, TCPView
2) Processes Process scanner: HijackThis, Security task Manager, Microsoft Process Explorer, Autoruns, OpManager, YAPM
3) Registry entries Registry scanners: Registry Viewer, Alie Registry Viewer, Active Registry Monitor, RegScanner
4) Startup programs Startup Program Scanners: WinPatrol, Startup Manager, Startup Booster, ActiveStartup
5) Services Windows service scanners: Process Hacker, Service+, Nagios XI, SMART, ServiWin, SrvMan
6) Drivers Drivers scanner: Driver Reviver, My Drivers, Driver-View, Driver-Easy
7) Folder & Files Folder & File scanners: Tripwire, FastSum, FCIV, SIGVERIF, WinMD5
8) Network activity

7.6 Trojan Horse Construction with Metasploit Demo

Malware Analysis

1) Use reverse engineering (break down the code) to determine what the malware is doing
2) Use online tools that examine the code for you and compare with other malwares already known:
a) Akana
b) Detux
c) Joe Sandbox
d) Binary Guard
e) Threat Expert

Countermeasures

Penetration Testing

Procedure for Backdoors and Trojans:

SCAN → ISOLATE → RESOLVE

Procedure for Virus:

ANTI-VIRUS → SCAN → ISOLATE & RESOLVE

Sniffing

Sniffing is about watching traffic on the network for both legitimate and illegitimate uses. Wiretapping is also considered a sniffing technique.

Packets can be sniffed for law-purposes (an authorization is needed).

Sniffing Attack types

PASSIVE SNIFFING: when the sniffer is silent. Use of Hubs or Taps.

With Hubs all hosts in a network see all traffic. They replicate to every port except for the source one.

Taps are hardware devices that sit in line with communication media and replicate bits on the wire.

ACTIVE SNIFFING: it’s primarily used on networks that use Layer 2 switches where the attacker poisons protocols to redirect traffic to himself. This kind of sniffing is detectable on a network.

Switches are different from Hubs because they do an intelligent routing looking at MAC addresses.

Active sniffing techniques → MAC flood, MAC duplication, ARP spoof, DHCP starvation

Sniffing packets is crucial for a hacker background: he can see what’s going on the network but he can also steel a lot of sensitive information. Many protocols provide usernames and passwords in clear text → Telnet, POP, IMAP, SMTP, HTTP, NNTP, FTP.

Protocol analyzers

Tools able to capture traffic and analyze it: tcpdump, wireshark, softperfect network protocol analyzer.

MAC Flooding

MAC Flooding is an attack to CAM tables of switches which can have a maximum number of entries. We have a flood when the number of entries is higher than this maximum. An attacker can then send a lot of ARP requests to induce this flood. When flooding, the switches starts sending traffic to every port and the attacker can capture the traffic if he is listening at least to one port.
Tools for MAC flooding:
Macof, Yersihia
Defense for MAC flooding:
Operate on ports → establish a max number if MAC address for every port

DHCP attacks

DHCP can be used to influence a switch/host to send traffic to us. The method consists on spoofing a DHCP offer by “winning the race” with the DHCP server when a request is sent. If the attackers anticipate the server with the reply, he can set himself as the default gateway and receive all traffic by that particular switch/host.

DHCP starvation is another method for DoS attacks. We spoof the src address and ask for many addresses with the goal of finishing the available IPs addresses. This is not a sniffing technique.

ARP spoofing and poisoning

Another sniffing method is to manipulate the ARP cache of a host in a network. When a host sends an ARP request (for example for the default Gateway), the attacker sends an unsolicited ARP reply declaring he is the gateway. If he spoof the gateway as well, he becomes a perfect man-in-the-middle. From this point he can modify traffic in flight, sniffing packets, hijacking sessions.

Attack tools: Ettercap
Countermeasure tool: XArp

DNS spoofing

Method to get people to send us traffic.
Three areas of focus:
– Man-in-the-middle → like in DHCP the goal is winning the race with the DNS server in asking to a request. The attacker has to be sure the victim will accept the reply.
– Cache poisoning → manipulate the cache on a resolver that uses the recursive DNS queries. If the attacker responds to this process before the authoritative name server he can resolve the domain himself.
– Proxy server → is more about manipulating a host proxy server settings to get it to send traffic to you.
To protect yourself against DNS spoofing:
– Use iACL to filter DNS request/responses

– Use IDS and firewalls
– Use host protection software
– Use DNSSEC → DNS security with authenticated requests and responses

Sniffing tools

– Wireshark (graphical tool) + demo
– Tcpdump (command line tool) + demo tcpdump -i eth0 → display traffic tcpdump -i eth0 -nn → display traffic (no names) tcpdump -i eth0 -nnvv → display traffic (no names + verbose) tcpdump -i eth0 -nnvvX → display traffic (no names + verbose + data info) tcpdump -i eth0 -nnvvX tcp port 23 → display only TCP traffic (no names + verbose + data info)
– Riverbed SteelCentral (commercial sniffer)
– Omnipeek Network Analyzer (from Savvius, commercial sniffer)
– Capsa Network Analyzer (from Colasoft, commercial sniffer)
– Observer Analyzer (from Viavi Solution, commercial sniffer)
– Colasoft Packet Builder (free & commercial options)

Sniffing detection and defense

A few techniques can be used to detect active sniffing:
– Ping Method: craft echo request to suspect sniffer
– DNS Method: it relies on a common default setting of sniffing applications: Reverse DNS IP/Name resolution
– ARP Method: send non-broadcast ARP Reply to a bogus MAC address, promiscuous NIC receives and passes to kernel, ARP cache entry created, send ICMP Echo Request

Penetration testing

Social Engineering

Goal: Compromise security by tricking people into breaking security policy. Impact of social engineering hack: financial loss, physical damage, loss of property, loss of data, loss of reputation, loss of privacy, lawsuits, business shut down.
Life cycle:

Target: everyone! Common targets:

Techniques

There are 3 primary types:
– Computer-based– Human-based

(NLP = Neuro Linguistic Programming & RSE = Reverse Social Engineering)

– Mobile-based

Social engineering sites

Social sites allow to collect user data.
1) Facebook (fake companies pages, fake group pages, fake profiles)
2) Twitter
3) Linkedin
4) Google+

Identity theft

Identity theft steps:
1) Research info (with social media, web search and dumpster diving)
2) Gather info (with DMV, SSA and other government orgs)
3) Apply (at banks, credit card companies and department stores)
4) Damage (financial damage, the ability of borrow goes down, bankruptcy)

Some advices to minimize the risks:
– Keep personal information secure
– Use advanced security techniques offered by bank
– Check credit reports regularly
– Avoid signing up for mailing or phone lists
– Avoid sensitive data storage on remote locations
– Shred doc that contain sensitive info
– Verify all request for personal/company info

Countermeasures

 

Share
Share
Shares 0