System Hacking - key concepts
1) Windows stores password hashes in the SAM file, located in the C:\Windows\System32\Config folder.
2) In Microsoft Windows, if the last 7 characters of the 14-character (padded) password are null (i.e. the password is 7 characters or less), the second half of the LM hash will always be AAD3B435B51404EE. On Windows Vista and later the LM hash is shown as NO PASSWORD in the SAM file.
3) Salting adds protection by adding random data to the password BEFORE hashing.
4) Kerberos is the Windows default authentication method. Kerberos uses symmetric and asymmetric encryption. This is how Kerberos works: the client asks for a ticket from the KDC (Key Distribution Center), which holds the AS (Authentication Server) and the TGS (Ticket Granting Service); this request is sent in clear text. The KDC responds with a TGT (Ticket Granting Ticket) encrypted with the copy of the user's password hash kept in Active Directory. The client presents the TGT back to the KDC to request a TGS service ticket; the KDC responds with the service ticket and the client can log on to the service. The password itself is NEVER SENT (only its hash value is used).
5) The Windows Registry is a collection of the SETTINGS that allow the system to run. It includes a) low-level operating system components, b) running applications, c) drivers, d) the SAM file, e) the user interface.
Two basic elements of a registry setting: KEY and VALUE. The value defines the setting.
The root-level keys in the registry are HKEY_LOCAL_MACHINE(HKLM), HKEY_CLASSES_ROOT(HKCR), HKEY_CURRENT_USER(HKCU), HKEY_USERS(HKU) and HKEY_CURRENT_CONFIG(HKCC).
Important keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
6) The Linux root is / (slash). Important folders in Linux: /bin, /dev, /etc, /mnt, /sbin, /usr.
Important Linux commands: cp, pwd, ifconfig, kill, adduser, ls, ps, chmod.
The command ls -l displays the current security settings (permissions) for the contents of the current directory.
Passwords in Linux are stored in the PASSWD FILE or the SHADOW FILE. The SHADOW FILE is stored and displayed in encrypted (hashed) form and is accessible only by root.
7) The System Hacking methodology includes: 1) Reconnaissance, 2) Scanning/Enumeration, 3) Gaining Access (Cracking Passwords/Escalating Privileges), 4) Maintaining Access (Executing Applications/Hiding Files), 5) Covering Tracks (deleting log files on the machine).
8) The AUTHENTICATION process is based on 3 factors: something YOU ARE (fingerprints, etc.), something YOU HAVE (card, token, etc.) or something YOU KNOW (password).
9) Routers, switches, wireless access points, software packages, database engines, etc. have installed DEFAULT PASSWORDS.
10) There are 4 types of password-cracking attacks:
1) NON-ELECTRONIC ATTACK (social engineering) and ACTIVE ONLINE ATTACK (dictionary and brute-force attack, hash injection, phishing, Trojans, spyware, keyloggers, password guessing). These attacks take a long time and are easy to detect.
2) PASSIVE ONLINE ATTACK (MITM attack)
3) OFFLINE ATTACK (dictionary, hybrid and brute-force attack)
4) RAINBOW TABLE ATTACK (a huge precomputed compilation of the hashes of every possible password. Tools: rtgen, Winrtgen)
11) There are 2 types of privilege escalation: 1) Vertical, 2) Horizontal
12) Executing Applications (“malicious” programming): keyloggers, spyware, back doors, crackers. Examples of tools: RemoteExec, PDQ Deploy, Dameware Remote Support.
13) Hiding files on Windows: ADS (Alternate Data Stream) in the form of NTFS file streaming, and Steganography.
14) Covering Tracks: 3 main logs in Windows OS (Application, System and Security Logs).
15) Rootkit: a set of software put in place to obscure a system compromise. Examples: Azazel, Avatar, Necurs, ZeroAccess. There are 6 types of rootkits: 1) hypervisor level, 2) hardware (firmware), 3) boot loader level, 4) application level, 5) kernel level, 6) library level.
https://owasp.org/
https://owasp.org/www-project-webgoat/#:~:text=WebGoat%20is%20a%20deliberately%20insecure,and%20popular%20open%20source%20components.
https://www.ietf.org/
https://www.w3.org/
https://www.techtarget.com/whatis/definition/Request-for-Comments-RFC
https://www.ietf.org/standards/rfcs/
https://www.rfc-editor.org/
https://www.rfc-editor.org/about/independent/
The Independent Submissions Editor (ISE) is currently Eliot Lear, who can be reached at rfc-ise@rfc-editor.org
https://owasp.org/www-project-top-ten/
TOP critical security risk to web applications: BROKEN ACCESS CONTROL
A01:2021 – Broken Access Control
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Misconfiguration of web server settings is the most common vulnerability:
1) error messaging
2) default passwords
3) SSL certificates
4) scripts
5) remote administrative functions
6) configuration files
7) services on the machine
The httpd.conf file on an Apache server controls who can view the server status page.
The php.ini file controls the verbose error messaging setting.
https://en.m.wikipedia.org/wiki/Multitier_architecture
https://www.w3schools.com/html/html_entities.asp
https://www.w3schools.com/tags/ref_httpmethods.asp
Attack vectors against web servers:
1) password attacks
2) DoS
3) MITM (sniffing)
4) DNS poisoning (hijacking)
5) Phishing
DNS amplification:
Manipulate recursive DNS to DoS a target
Directory traversal (dot-dot-slash, directory climbing or backtracking):
the hacker attempts to access restricted directories and execute commands outside the web root. The hacker sends HTTP requests asking the server to drop back to the root directory and give access to other folders.
The dot-dot-slash attack is a variant of the Unicode input attack.
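The server-side check that defeats dot-dot-slash requests, as an added example that is not part of the original notes: every requested path is mapped onto the web root and rejected if it climbs out of it. The web root value is assumed; the function does pure path arithmetic with no file I/O.

```python
# Added example (not from the original notes): a server-side check that a
# requested file stays inside the web root, which is what defeats dot-dot-slash
# requests. The web root below is an assumed value; pure path arithmetic, no I/O.
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for this example


def resolve_request_path(request_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map an HTTP request path onto a filesystem path under web_root.

    Returns the absolute path when it lies inside web_root, or None when the
    request would climb outside it. The path is percent-decoded twice first,
    so encoded (%2e%2e%2f) and double-encoded (%252e%252e%252f) forms are
    treated the same as a plain ../ sequence; backslashes are folded to "/".
    """
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    # normpath collapses "a/../b" style segments after joining onto the root.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = posixpath.normpath(web_root)
    # Require the root itself or root + "/"; a bare prefix test would wrongly
    # accept a sibling directory such as /var/www/html2.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def is_traversal_attempt(request_path: str) -> bool:
    """Convenience for log review: True when the request escapes the web root."""
    return resolve_request_path(request_path) is None
```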
Parameter or URL tampering:
manipulate parameters within the URL string to modify data
Misconfiguration Attack
Password Attack
SSH brute force Attack
Web defacement
Running a basic Metasploit exploit module takes 5 steps:
1) select the exploit to use
2) configure the options within the exploit
3) select a target
4) select the payload (what executes on the target machine)
5) launch the exploit
https://www.metasploit.com/
Web 2.0 is a different method of creating websites and applications:
Web 1.0 is static HTML
Web 2.0 uses "dynamic" web pages that allow users to upload and download on a website simultaneously. Bigger user interaction = bigger attack surface.
File injection (injects a pointer in the web form input)
Command injection (injects commands into form fields)
Shell injection (attempts to gain shell access using Java)
LDAP injection attack exploits applications that build LDAP statements based on user input:
The hacker adds )(&) after the username and uses any password.
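What the )(&) trick does to a filter built by string concatenation, and the RFC 4515 escaping that neutralises it, as an added example that is not part of the original notes. No LDAP server is involved; the code only builds and inspects the filter text, and the uid/userPassword attribute names are an assumed application layout.

```python
# Added example (not from the original notes): how ")(&)" appended to the
# username rewrites a concatenated LDAP filter, and the RFC 4515 escaping that
# keeps the input inside the assertion value. Attribute names are assumed.

def build_filter_unsafe(username: str, password: str) -> str:
    # Vulnerable: user input is pasted straight into the filter text.
    return "(&(uid=%s)(userPassword=%s))" % (username, password)


def first_complete_filter(filter_text: str) -> str:
    """Prefix up to the first balanced top-level ')'.

    This is all a lenient parser evaluates; with the injected input the
    prefix is (&(uid=admin)(&)), where (&) is always true, and the
    userPassword clause is left behind as ignored trailing text.
    """
    depth = 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_text[: i + 1]
    return filter_text


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside assertion values."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # ')' -> \29, '(' -> \28, '*' -> \2a
        else:
            out.append(ch)
    return "".join(out)


def build_filter_safe(username: str, password: str) -> str:
    # Hardened: every user-supplied value is escaped before it enters the filter.
    return "(&(uid=%s)(userPassword=%s))" % (ldap_escape(username), ldap_escape(password))
```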
SOAP (Simple Object Access Protocol) injection attack injects malicious query strings (like SQL injection) to bypass authentication and access databases. SOAP uses XML format, is compatible with HTTP and SMTP and, typically, messages are one-way.
A buffer overflow attack ("smashing the stack") attempts to write more data into an application's pre-allocated buffer than it can hold, in order to:
1) overwrite adjacent memory
2) execute code
3) crash the system (application)
XSS (Cross-site scripting) injects a script into a form. One classic XSS attack accesses "document.cookie" and sends it to a remote host.
CSRF (Cross-site request forgery) forces an end user to execute unwanted actions on a web application on which he/she is already authenticated. CSRF tricks the victim into sending a malicious request. To mitigate CSRF, configure the web server to send random challenge tokens.
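The random challenge-token mitigation from the CSRF note, as an added example that is not part of the original notes: the server issues a random token per session, embeds it in the form, and refuses state-changing requests that do not carry it back. The session store is an assumed in-memory dict and handle_transfer is a simulated endpoint.

```python
# Added example (not from the original notes): random per-session anti-CSRF
# challenge tokens. The server stores the token with the session and embeds it
# in each form; a forged cross-site request carries the victim's cookie but
# cannot read the token, so the check fails. SESSIONS is an assumed store.
import hmac
import secrets

SESSIONS = {}   # session id -> issued CSRF token (assumed server-side store)


def issue_csrf_token(session_id: str) -> str:
    """Generate a fresh random token for the session; put it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def verify_csrf_token(session_id: str, submitted_token) -> bool:
    """Constant-time comparison against the token issued to this session."""
    expected = SESSIONS.get(session_id)
    if expected is None or not isinstance(submitted_token, str) or not submitted_token:
        return False
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


def handle_transfer(session_id: str, form: dict) -> str:
    """Simulated state-changing endpoint guarded by the token check."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    # The real action would run here; the simulation only reports it.
    return "200 OK: transferred {} to {}".format(form["amount"], form["to"])
```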
Session fixation attack
A cookie is a small text-based file stored on the client system to be used by the server the next time you log in. A cookie can contain:
1) authentication details
2) site preferences
3) shopping cart contents
4) session details
The cookie is sent in the header of the HTTP response from the web server and MAY have an expiration date.
SQL injection is THE MOST SUCCESSFUL INJECTION ATTACK TECHNIQUE IN THE WORLD!
SQL (Structured Query Language) is used to add, delete, move, update or view data in tables and fields. SQL commands important to the hacker:
DROP TABLE tablename (deletes the table)
INSERT INTO tablename (columns) VALUES (values) (adds a row)
UPDATE tablename SET column = value WHERE condition (modifies rows)
To discover if a website is susceptible to SQL injection, check a LOGIN WEBPAGE: in the web form, enter a single quote (') and analyse the error message (if any), or enter
anything' or 1=1--
and analyse the result.
These attacks are usually classified as UNION QUERY, TAUTOLOGY, BLIND SQL injection and error-based SQL injection.
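The login check above run against an in-memory SQLite table, as an added example that is not part of the original notes: the concatenated query accepts the tautology input, the parameterised query does not, and the lone single quote produces the error the test looks for. The users table and its one row are constructed sample data.

```python
# Added example (not from the original notes): the notes' login test against a
# constructed SQLite table, first with a query built by string concatenation,
# then with a parameterised query. Table and sample row are constructed.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!')")   # constructed sample row


def login_vulnerable(username: str, password: str) -> bool:
    # Input is pasted into the SQL text: a quote in the input ends the string
    # literal, "or 1=1" becomes a tautology and "--" comments out the rest.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(username: str, password: str) -> bool:
    # Placeholders: the driver sends the values separately from the query text,
    # so quotes and comment markers in the input stay plain data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def probe_single_quote(username: str) -> str:
    """The notes' first test: send a lone single quote and look at the error."""
    try:
        login_vulnerable(username, "x")
        return "no error"
    except sqlite3.Error as exc:
        return "error: %s" % exc
```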
An HTTP response splitting attack adds header data to an input field so that the server splits the response in two; the hacker then controls the content of the second response and can, for example, redirect the user to a malicious website under the hacker's control.
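How a CR/LF pair inside a redirect parameter turns one response into two, and the header-value check that blocks it, as an added example that is not part of the original notes. The builders are constructed stand-ins for a redirect handler; the check assumes the parameter has already been URL-decoded by the server.

```python
# Added example (not from the original notes): CR/LF in a redirect parameter
# splits one HTTP response into two; the hardened builder refuses such values.
# Pure string handling on constructed input, no network. The check assumes the
# parameter has already been URL-decoded (%0d%0a -> "\r\n") by the server.

def build_redirect_unsafe(location: str) -> bytes:
    # Vulnerable: the user-controlled value is copied into the header unchanged,
    # so "\r\n" inside it ends the header block and starts new header lines.
    return ("HTTP/1.1 302 Found\r\nLocation: " + location +
            "\r\nContent-Length: 0\r\n\r\n").encode("utf-8")


def build_redirect_safe(location: str) -> bytes:
    # Hardened: a header value may never contain CR or LF; refuse rather than sanitise.
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF in header value")
    return build_redirect_unsafe(location)


def count_responses(raw: bytes) -> int:
    """Number of status lines a proxy or browser would see in the bytes."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def rejects_location(location: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(location)
    except ValueError:
        return True
    return False
```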
A SIMPLE METHOD to test a web application is to TRY TO USE IT IN A MANNER IT WASN'T DESIGNED FOR.
COUNTERMEASURES FOR WEBSERVER AND WEB APPLICATION ATTACKS
1) correct placement of the servers
2) maintain a strong patch management effort
3) turning off unnecessary services, ports and protocols
4) remove outdated, unused accounts
5) change default passwords
6) setting up appropriate file and folder permissions
7) disabling directory listing
8) ensure you have a means to detect attacks and respond
Automated Scanners to look for injection vulnerabilities:
1) Sqlmap
2) Havij
3) sqlninja
https://nmap.org/nsedoc/scripts/ms-sql-brute.html
SQLBrute is a tool that performs password guessing against Microsoft SQL servers.
Others tools:
Pangolin, SQLExec, Absinthe, BobCat