N I L A D I C   Sunday, 5 Shahrivar 1396, 11:10 AM
In the past we talked about Footprinting, Scanning and Enumeration. All of those are part of information gathering.
Now we are going to use that information to gain access to the target ...

one of the most important things in gaining access is passwords ...
in this part, we try to learn how passwords can be cracked ...

* A password is designed to be something an individual can remember easily but, at the same time, not something that can
be easily guessed or broken ---> THIS IS THE PROBLEM
Human beings tend to choose passwords that are easy to remember, which can make them easy to guess

     Passwords that use only numbers
     Passwords that use only letters
     Passwords that are all upper- or lowercase
     Passwords that use proper names
     Passwords that use dictionary words
     Short passwords (fewer than eight characters)

     Passwords that contain letters, special characters, and numbers: stud@52
     Passwords that contain only special characters: &*#@!(%)
     Passwords that contain letters and numbers: meetl23
     Passwords that contain only letters and special characters: rex@&ba
     Passwords that contain only special characters and numbers: 123@$4


    - Dictionary attack:
    use a dictionary file (a file that contains known words) and check the password against the dictionary
    - Brute-Force attack:
    every possible combination of characters is attempted until the correct one is uncovered
    - Hybrid attack:
    based on the dictionary attack, but with an additional step: in most cases the passwords tried from the dictionary
    are modified with additional special characters, for example: password -> p@ssw0rd
    - Syllable Attack:
    combination of brute-force and dictionary
    - Rule-based Attack:
        -- Passive Online Attacks:
        using sniffing tools
        -- Active Online Attacks:
        password guessing, Trojan/spyware/key loggers, hash injection, and phishing
        -- Offline Attacks:
        exploit weaknesses in where passwords are stored, not password weaknesses
        precomputed hashes, distributed network attacks, and rainbow attacks
        -- Nontechnical Attacks:
        shoulder surfing, social engineering, and dumpster diving
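The weak-password categories listed above and the hybrid-attack substitution (password -> p@ssw0rd) can be turned into a policy check. This is an added example, not code from the original notes; the word list, name list and substitution table are constructed stand-ins for a real dictionary file.

```python
import re

# Constructed, tiny word and name lists standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "monkey", "dragon", "letmein", "football", "meet"}
PROPER_NAMES = {"john", "maria", "ahmad", "sara"}

# Substitutions a hybrid attack applies to a dictionary word (the notes' example:
# password -> p@ssw0rd), inverted so the checker recognises the mangled word.
UNLEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "4": "a", "!": "i"})


def weaknesses(password: str) -> list:
    """Return the weak-password categories from the notes that `password` falls into."""
    found = []
    if len(password) < 8:
        found.append("short")
    if password.isdigit():
        found.append("only numbers")
    if password.isalpha():
        found.append("only letters")
    has_letter = any(c.isalpha() for c in password)
    if has_letter and password in (password.lower(), password.upper()):
        found.append("single case")
    lowered = password.lower()
    if lowered in PROPER_NAMES:
        found.append("proper name")
    stem = re.sub(r"\d+$", "", lowered)     # meet123 -> meet
    unleet = lowered.translate(UNLEET)      # p@ssw0rd -> password
    if lowered in DICTIONARY:
        found.append("dictionary word")
    elif stem in DICTIONARY:
        found.append("dictionary word plus digits")
    elif unleet in DICTIONARY:
        found.append("dictionary word with hybrid substitutions")
    return found


def acceptable(password: str) -> bool:
    """True when none of the easy-to-guess categories applies."""
    return not weaknesses(password)


if __name__ == "__main__":
    for candidate in ["123456", "meet123", "p@ssw0rd", "Maria", "Tr0ub4dor&3xY"]:
        print(f"{candidate:15} -> {weaknesses(candidate) or 'no listed weakness'}")
```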

    ** Sniffing:
    using packet sniffers to capture packets and find out passwords ...
    In a man-in-the-middle attack, two parties are communicating with one another and a third party inserts
    itself into the conversation and attempts to alter or eavesdrop on the communications.
    Man-in-the-middle attacks commonly target vulnerable protocols and wireless technologies.
    Protocols such as Telnet and FTP are particularly vulnerable to this type of attack.
    In a replay attack, packets are captured using a packet sniffer. After the relevant information
    is captured and extracted, the packets can be placed back on the network.
    The goal is to inject the captured information, such as a password, back onto the network and
    direct it toward a resource such as a server, with the goal of gaining access. Once replayed,
    the valid credentials provide access to a system, potentially giving an attacker the ability to
    change information or obtain confidential data.

    ** Password guessing
    ** Trojan/spyware/key loggers
    ** Hash injection:
        1. Access a vulnerable workstation or desktop.
        2. When connected, attempt to extract the hashes from the system for high-value users,
        such as domain or enterprise admins.
        3. Use the extracted hash to log on to a server such as a domain controller.
        4. If the system serves as a domain controller or similar, attempt to extract hashes from
        the system with the intention of exploiting other accounts.

Extract the hashes from the system and crack them ...
- Extracting hashes:
download pwdump7.exe
1. Open the command prompt.
2. Type pwdump7.exe to display the hashes on the system.
3. Type pwdump7 > C:\hash.txt
4. Press Enter.
5. Using Notepad, browse to the C drive and open the hash.txt file to view the hashes.

- Cracking hashes (Cain & L0pht)
-- using rainbow tables: rainbow tables precompute every possible combination of characters before a password is captured
we can generate our own rainbow table with " WINRTGEN "

--- Distributed Network Attack (DNA):
using the power of multiple computers to crack passwords ...

*** Default password sites:
■ http://cirt.net
■ http://default-password.info
■ www.defaultpassword.us
■ www.passwordsdatabase.com
■ https://w3dt.net
■ www.virus.org
■ http://open-sez.me
■ http://securityoverride.org
■ www.routerpasswords.com
■ www.fortypoundhead.com
■ www.phenoelite.de/dpl/dpl.html

*** Guessing:
1. Locate a valid user.
2. Determine a list of potential passwords.
3. Rank possible passwords from least to most likely.
4. Try passwords until access is gained or the options are exhausted.

*** USB Password Theft:
there are some automated mechanisms for obtaining passwords, such as via USB drives
in this type we need physical access to the target ....
-- using Windows autorun to steal passwords ( we can use " PSPV " for this )
2. Copy the utility to a USB drive.
3. Create a Notepad file called launch.bat containing the following lines:
en = launch.bat
Start pspv.exe /s passwords.txt
4. Save launch.bat to the USB drive.

*** Authentication mechanisms in Microsoft platforms:
SAM, LM, NTLM, Kerberos
-- SAM = Security Account Manager
Inside the Windows operating system is a database that stores accounts, or any entity that can be authenticated;
the component that stores them locally is the SAM
the SAM stores passwords as hashes using the LM or NTLM mechanisms
SAM location in Windows XP: c:\windows\system32\SAM

-- NTLM = NT LAN Manager ... NTLMv1 and NTLMv2

-- Kerberos: the protocol offers a strong authentication framework through
the use of strong cryptographic mechanisms such as secret key cryptography

*** Privilege Escalation:
* Horizontal Privilege Escalation: an attacker attempts to take over the rights and privileges
of another user who has the same privileges as the current account
* Vertical Privilege Escalation: the attacker gains access to an account and then tries to
elevate the privileges of the account
-- Software "TRK (Trinity Rescue Kit)" ---> how to use it on Windows OSes (it is Linux software):
1. At the command line, enter the following command: winpass -u Administrator ; it then displays the message below
Searching and mounting all file system on local machine
Windows NT/2K/XP installation(s) found in:
1: /hda1/Windows
Make your choice or 'q' to quit [1]:
then type 1 or the location of the Windows folder
2. Press Enter.
3. Enter the new password, or accept TRK's suggestion to set the password to a blank.
4. You see this message: "Do you really wish to change it?" Enter Y, and press Enter.
5. Type init 0 to shut down the TRK Linux system.
6. Reboot.
--- Or we can use Ophcrack

***# some useful things #***

*** What do we do after the hack???
plant a backdoor
-- how??
there is a lot of software, but one option is " PsExec "
-- how to use PsExec???
-- psexec \\<target sys name> cmd
-- psexec \\<target sys name> ipconfig /all
-- psexec \\<target sys name> -c rootkit.exe ... commonly we use nc.exe as rootkit.exe
-- psexec \\<target sys name> -u administrator -c rootkit.exe

* there is other software we can use for planting a backdoor: " PDQ Deploy " , " RemoteExec " , " DameWare "

**** What after planting the backdoor???
Cover tracks
-- how????
one of the best ways is to clean the logs of logins to the target system (disable auditing)
one of the tools we can use is " auditpol ", with the command below
auditpol \\<ip address of target> /clear

-- we can also clear the Windows security logs with the software below
■ Dumpel
■ Elsave
■ WinZapper
■ CCleaner
■ Wipe
■ MRU-Blaster
■ Tracks Eraser Pro
■ Clear My History
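From the defender's side, clearing logs or turning auditing off leaves its own traces: Windows records Security log clearing as event 1102, System log clearing as event 104, audit policy changes as event 4719, and, with process auditing on, the auditpol command line itself in event 4688. This added example (not from the original notes) runs that detection over constructed sample records shaped like event log entries.

```python
import re

# Constructed sample records (not real telemetry) shaped like Windows event log entries.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "CommandLine": "",
     "Message": "An account was successfully logged on."},
    {"EventID": 4688, "Channel": "Security", "CommandLine": "auditpol.exe /clear /y",
     "Message": "A new process has been created."},
    {"EventID": 4719, "Channel": "Security", "CommandLine": "",
     "Message": "System audit policy was changed."},
    {"EventID": 1102, "Channel": "Security", "CommandLine": "",
     "Message": "The audit log was cleared."},
    {"EventID": 104, "Channel": "System", "CommandLine": "",
     "Message": "The System log file was cleared."},
]

# Event IDs Windows writes when a log is cleared or auditing is reconfigured.
LOG_CLEARED = {1102: "Security log cleared", 104: "System/Application log cleared"}
POLICY_CHANGED = {4719: "System audit policy changed"}

# Command-line pattern for the auditpol usage shown in the notes (any switch order).
AUDITPOL_CLEAR = re.compile(r"\bauditpol(?:\.exe)?\b.*\s/clear\b", re.IGNORECASE)


def detect_anti_forensics(events):
    """Return (EventID, reason) for every record indicating log clearing or audit tampering."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in LOG_CLEARED:
            alerts.append((eid, LOG_CLEARED[eid]))
        elif eid in POLICY_CHANGED:
            alerts.append((eid, POLICY_CHANGED[eid]))
        elif eid == 4688 and AUDITPOL_CLEAR.search(ev.get("CommandLine", "")):
            alerts.append((eid, "auditpol /clear executed"))
    return alerts


if __name__ == "__main__":
    for eid, reason in detect_anti_forensics(SAMPLE_EVENTS):
        print(f"ALERT event {eid}: {reason}")
```

Forwarding these events to a central collector before they can be cleared is what makes the detection hold up; on the host alone, event 1102 is the last thing written before the log is empty.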

*** Some Important Things ***
    ### Data Hiding ###
as I said, streams ....

-- how to use???
# type f.exe > sample.doc:f.exe
Executing this command hides the file f.exe behind the file sample.doc. The next step is to delete the
original file that you just hid, f.exe
# start sample.doc:f.exe
This command has the effect of opening the hidden file and executing it

-- Stream file viewer:
■ SFind—A forensic tool for finding streamed files
■ LNS—Used for finding ADS streamed files
■ Tripwire—Used to detect changes in files; by nature can detect ADS


******** TEXT HIDING:
CMD -> <directory> -> notepad <name1.txt> -> type text in it -> notepad <name1.txt>:<name2.txt> -> type the secret note there
it is a stream file and we can only see it with stream viewers


            *$* There are some types of attack, like DCOM and the Blaster worm, that get access to the target, but those are out of date *$*
                                                *** DCOM = PORTS 139 , 135 , 445 , 593 ***

-- Registry files = places where passwords get saved;
for applications like Yahoo Messenger we can recover the last logged-in password
-- CRACKERS-WIN = Cain , L0pht, Ophcrack
-- CRACKERS-LINUX = John, hashcat, Ophcrack
-- RAT = Remote Access Trojan
-- Keylogger = Neptun , Spyrix