Cyber Security Masters of Computer Science

System Hacking. Here is how your system can be hacked

What is system hacking?

  • System hacking is the compromise of computer systems and software to gain access to a target computer and steal or misuse its sensitive information.
  • The malicious hacker exploits weaknesses in a computer system or network to gain unauthorized access to its data or to take illegal advantage of it.

Cracking Passwords

  • Password cracking techniques are used to recover passwords from computer systems
  •  Attackers use password cracking techniques to gain unauthorized access to the vulnerable system.
  • Most of the password cracking techniques are successful due to weak or easily guessable passwords.

Types of Password Attacks

  • Non-Electronic Attacks: The attacker needs no technical knowledge to obtain the password, hence these are also called non-technical attacks.
    • Shoulder Surfing: Looking at either the user’s keyboard or screen while he/she is logging in.
    •  Social Engineering: Convincing people to reveal passwords
    •  Dumpster Diving: Searching for sensitive information at the user’s trash-bins, printer trash bins, and user desk for sticky notes.
  • Active Online Attacks: The attacker cracks the password by communicating directly with the victim machine (for example by submitting guesses to its login service).
    • Dictionary Attack: A dictionary file is loaded into the cracking application, which tries each entry against the user accounts.
    • Brute Forcing Attack: The program tries every combination of characters until the password is found; cost grows exponentially with password length.
    • Rule-based Attack: Used when the attacker already knows something about the password (length, character classes, a base word); rules mutate dictionary words into likely variants instead of trying everything.
    • Example of a local credential-dumping tool delivered by USB (strictly this recovers credentials already stored on the machine rather than guessing them online):
      • Download PassView (pspv.exe), a password recovery tool.
      • Copy the downloaded files to a USB drive.
      • Create autorun.inf on the USB drive containing the two lines [autorun] and open=launch.bat
      • Contents of launch.bat: start pspv.exe /stext pspv.txt
      • Insert the USB drive; if AutoRun is enabled the launcher runs automatically (AutoRun from removable media is disabled by default on Windows 7 and later, so in practice the victim has to run launch.bat).
      • PassView executes in the background and writes the recovered passwords to pspv.txt on the USB drive.
  • Passive Online Attacks: The attacker obtains password material without interacting with the authenticating party, for example by sniffing a hash off the wire.
    • Rainbow Table: A precomputed table that maps candidate passwords (dictionary words, brute-force strings) to their hash values. A true rainbow table stores hash chains rather than one row per password to save space, but the lookup idea is the same.
    • Compare the Hashes: Capture a password hash and look it up in the precomputed table. If a match is found, the password is recovered without computing any hashes at crack time.
    • Precomputed hash examples from the page:
      • 1qazwed -> 21c40e47dba72e77518ee3ef88ad0cc8
      • hh021da -> 2ce80b192cfa47a0d6c8a2446314810b
      • 9da8dasf -> eb0f5690164ffabbed1744087a4d6761
    • Precomputed tables fail against properly salted hashes, because the same password produces a different hash for every user.
  • Offline Attack: The attacker copies the target's password file and cracks the passwords on his/her own system at another location, so the target sees no failed login attempts.
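The four cracking techniques listed above, as an added example (not code from the original page): a dictionary attack, a rule-based attack that mutates dictionary words, a brute-force search over a small keyspace, and a precomputed hash lookup table standing in for the rainbow-table step. The target hashes, wordlist, user names and mutation rules are all constructed for the example; the final function shows why per-user salting defeats the precomputed table.

```python
"""Password-cracking techniques from the section above, run against a
constructed set of unsalted MD5 hashes (added example, not the page's code)."""
import hashlib
import itertools
import string

# Constructed "captured password file": user -> unsalted MD5 of the password.
# A real target would come from a SAM/NTDS dump or /etc/shadow, not a literal.
TARGET_HASHES = {
    "alice": hashlib.md5(b"sunshine").hexdigest(),
    "bob": hashlib.md5(b"Password1").hexdigest(),
    "carol": hashlib.md5(b"p@ssw0rd").hexdigest(),
    "dave": hashlib.md5(b"zq7").hexdigest(),
}

# Tiny constructed dictionary; a real run would stream a large wordlist.
WORDLIST = ["123456", "sunshine", "password", "letmein", "qwerty"]

# Character substitutions users commonly apply ("leetspeak").
LEET = str.maketrans({"a": "@", "o": "0", "e": "3"})


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def dictionary_attack(hashes: dict, wordlist) -> dict:
    """Hash each dictionary word once and compare against every target hash."""
    found = {}
    for word in wordlist:
        h = md5_hex(word)
        for user, target in hashes.items():
            if h == target:
                found[user] = word
    return found


def rule_candidates(word: str):
    """Rule-based attack: derive likely variants from a base word."""
    yield word
    yield word.capitalize()
    yield word.translate(LEET)
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix


def rule_based_attack(hashes: dict, wordlist) -> dict:
    found = {}
    for word in wordlist:
        for cand in rule_candidates(word):
            h = md5_hex(cand)
            for user, target in hashes.items():
                if h == target and user not in found:
                    found[user] = cand
    return found


def brute_force(target: str, alphabet=string.ascii_lowercase + string.digits,
                max_len: int = 3):
    """Exhaustive search; cost grows as len(alphabet) ** max_len, so only
    very short or small-alphabet passwords are practical this way."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if md5_hex(cand) == target:
                return cand
    return None


def build_lookup_table(words) -> dict:
    """Precomputed hash -> plaintext table. This is the idea behind the
    'rainbow table' bullet; a true rainbow table stores hash chains to save
    space instead of one row per password, but the lookup step is the same."""
    return {md5_hex(w): w for w in words}


def lookup_attack(hashes: dict, table: dict) -> dict:
    """Offline/passive: no hashing at crack time, just compare captured
    hashes against the precomputed table."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def salted_hash(password: str, salt: str) -> str:
    """Why a per-user salt defeats precomputed tables: the same password
    hashes to a different value for every salt, so one table cannot cover
    all users. (Real systems use a slow KDF such as bcrypt, not plain SHA-256.)"""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


if __name__ == "__main__":
    print("dictionary :", dictionary_attack(TARGET_HASHES, WORDLIST))
    print("rule-based :", rule_based_attack(TARGET_HASHES, WORDLIST))
    print("brute force:", brute_force(TARGET_HASHES["dave"]))
    print("lookup     :", lookup_attack(TARGET_HASHES, build_lookup_table(WORDLIST)))
```

The dictionary pass only recovers the password that appears verbatim in the wordlist; the rule-based pass additionally recovers the capitalised-plus-digit and leetspeak variants, which is why rules are tried before falling back to brute force, and the brute-force pass is only viable for the three-character password.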

Escalating Privileges

  • An attacker may initially gain access to the network with a non-admin user account; the next step is to obtain administrative privileges.
  • A privilege escalation attack takes advantage of design flaws, programming errors, bugs and configuration oversights in the OS and applications to gain administrative access to the system and its associated applications.
  • These privileges allow the attacker to view critical or sensitive information, delete files, or install malicious programs such as viruses, Trojans and worms.

Escalating Privileges: Using DLL Hijacking

  • When a Windows application loads a DLL by bare name instead of a fully qualified path, the loader walks a fixed search order that begins with the directory the application was loaded from.
  • If an attacker can write a DLL with the expected name into a directory that is searched before the real DLL's location (most commonly the application directory), the malicious DLL is loaded in place of the real one and runs with the application's privileges. Loading with a fully qualified path, or restricting the search with SetDefaultDllDirectories, removes the opportunity.
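A model of the search-order problem described above, as an added example that is not part of the original page. It builds a throwaway directory tree (a victim application directory, a System32 directory holding the real version.dll, and a writable tools directory on PATH, all constructed), reproduces the default Windows loader order for a DLL requested by bare name, and shows which writable directories an attacker could plant into, what happens after planting, and why a fully qualified load path is immune. No real DLL is loaded; the directory names and the assumption that the application directory is user-writable are hypothetical.

```python
"""Model of Windows DLL search-order hijacking, built on a temporary
directory tree (added example, not the page's code). It reproduces the
default loader order for a DLL requested by bare name; it does not load
any real DLL."""
import tempfile
from pathlib import Path


def search_order(app_dir, system32_dir, windows_dir, cwd, path_dirs):
    """Default search order with SafeDllSearchMode enabled (the Windows
    default): application directory, System32, the 16-bit System directory,
    the Windows directory, the current directory, then each PATH entry."""
    return [
        Path(app_dir),
        Path(system32_dir),
        Path(windows_dir) / "System",
        Path(windows_dir),
        Path(cwd),
        *(Path(p) for p in path_dirs),
    ]


def resolve_dll(name, order):
    """Return the first existing file named `name` along the search order."""
    for d in order:
        cand = d / name
        if cand.is_file():
            return cand
    return None


def hijack_candidates(name, order, writable_dirs):
    """Directories the loader checks *before* the real DLL's directory and
    that an attacker can write to. Empty list means not hijackable this way."""
    real = resolve_dll(name, order)
    writable = {Path(w) for w in writable_dirs}
    out = []
    for d in order:
        if real is not None and d == real.parent:
            break
        if d in writable:
            out.append(d)
    return out


def demo():
    """Constructed layout: victim.exe in its own directory, the real
    version.dll in System32, and an application directory whose ACL
    (hypothetically) lets ordinary users write to it."""
    root = Path(tempfile.mkdtemp())
    app = root / "Program Files" / "Victim"
    windows = root / "Windows"
    system32 = windows / "System32"
    tools = root / "Tools"          # writable, and on PATH, but searched last
    for d in (app, system32, tools):
        d.mkdir(parents=True)
    (app / "victim.exe").touch()
    (system32 / "version.dll").write_text("legit")

    order = search_order(app, system32, windows, root, [tools])
    writable = [app, tools]

    before = resolve_dll("version.dll", order).read_text()
    candidates = hijack_candidates("version.dll", order, writable)

    # Attacker plants a DLL with the expected name in the application directory.
    (app / "version.dll").write_text("malicious")
    after = resolve_dll("version.dll", order).read_text()

    # Fix: the application loads by fully qualified path (the equivalent of
    # LoadLibrary("C:\\Windows\\System32\\version.dll")), so the order is moot.
    fixed = resolve_dll("version.dll", [system32]).read_text()

    return {
        "before": before,
        "after": after,
        "fixed": fixed,
        "candidates": [c.relative_to(root).as_posix() for c in candidates],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10}: {value}")
```

Note that the writable PATH directory is not reported as a candidate: it is searched after System32, where the real DLL lives, so it only becomes useful when the requested DLL does not exist anywhere earlier in the order (the "missing DLL" variant of the same attack).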

Escalating Privileges: Resetting Passwords Using Command Prompt

  • Once the attacker has administrative privileges, he/she can reset the password of any other account (not only non-administrative ones) from the command prompt.
  • Open the command prompt, type net user and press Enter to list all user accounts on the target system.
  • Type net user useraccountname * and press Enter, where useraccountname is an account from the list.
  • Type the new password at the prompt (and again to confirm) to reset that account's password.

Executing Applications:

  • At this stage the attacker executes malicious applications on the compromised host; this is called "owning" the system.
  • The attacker runs programs remotely on the victim's machine to gather information that leads to further exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor to maintain easy access, and so on.

Executing Applications: Executing Application Tools

  • RemoteExec:
    • RemoteExec remotely installs applications, executes programs and scripts, and updates files and folders on Windows systems throughout the network.
    • It lets the attacker modify the registry, change local admin passwords, disable local accounts, and copy, update or delete files and folders.
  • PDQ Deploy:
    • PDQ Deploy is a software deployment tool that lets admins silently install almost any application or patch; the same capability serves an attacker who has admin credentials.
  • DameWare Remote Support:
    • DameWare Remote Support lets you manage servers, notebooks and laptops remotely.
    • It allows the attacker to remotely manage and administer Windows computers.

Key logger

  • Keystroke loggers are programs or hardware devices that record each keystroke as the user types on a keyboard, either logging them to a file or transmitting them to a remote location.
  • Legitimate uses of keyloggers include monitoring employees' computer activity in office and industrial settings, and parental monitoring of children's activity at home.
  • A keylogger lets the attacker gather confidential information about the victim such as email IDs, passwords, banking details, chat room activity, IRC and instant messages.
  • Hardware keyloggers are placed inline between the keyboard and the computer (for example a small device on the keyboard cable or USB port), so they capture keystrokes before the operating system ever sees them; software keyloggers hook the keyboard input path between the driver and the applications.

Spywares

# Spytech SpyAgent:

  • Spytech SpyAgent allows you to monitor everything users do on your computer.

# Power Spy 2014:

  • Power Spy secretly monitors and records all activities on your computer.
  •  It records all Facebook use, keystrokes, emails, web sites visited, chats, and IMs in Windows Live Messenger, Skype, Yahoo Messenger, Tencent QQ, Google Talk, AOL Instant Messenger (AIM), and others.

# USB Spywares

# Audio Spywares

# Video Spywares

Hiding Files: Root Kits

  • Rootkits are programs that hide their own presence and the attacker's malicious activity, giving the attacker full access to the server or host now and in the future.
  • Rootkits replace certain operating system calls and utilities with modified versions that undermine the security of the target system and cause malicious functions to be executed.
  • A typical rootkit bundles backdoor programs, DDoS tools, packet sniffers, log-wiping utilities and similar components.

Attacker places a rootkit by

  • Scanning for vulnerable computers and servers on the web.
  • Wrapping it in a special package like games.
  •  Installing it on the public computers or corporate computers through social engineering
  • Launching zero day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)

Objectives of Root Kits

  • To root the host system and gain remote backdoor access.
  •  To mask attacker tracks and presence of malicious applications or processes.
  •  To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access.
  •  To store other malicious programs on the system and act as a server resource for bot updates.

Types of Root Kits

  • Hypervisor Level Rootkit: Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.
  •  Hardware/Firmware Rootkit: Hides in hardware devices or platform firmware which is not inspected for code integrity.
  •  Kernel Level Rootkit: Adds malicious code or replaces original OS kernel and device driver codes.
  • Boot Loader Level Rootkit: Replaces the original boot loader with one controlled by a remote attacker.
  • Application Level Rootkit: Replaces regular application binaries with Trojanized copies, or modifies the behavior of existing applications by injecting malicious code.

Root Kits Examples

 # Avatar

  • The Avatar rootkit runs in the background and gives remote attackers access to the infected PC.
  • Its infection technique is limited by the code-signing policy for kernel-mode modules, so it works only on x86 (32-bit) systems.

# Necurs

  • Necurs contains backdoor functionality, allowing remote access and control of the infected computer.
  • It enables further compromise by providing the functionality to:
    • Download additional malware
    •  Stop security applications from functioning

# ZeroAccess

  • ZeroAccess is a kernel-mode rootkit which uses advanced techniques to hide its presence.
  •  It is capable of functioning on both 32 and 64-bit flavors of Windows from a single installer and acts as a sophisticated delivery platform for other malware.

Covering Tracks

  • Once intruders have gained administrator access on a system, they try to cover their tracks to avoid detection.
  • The attacker uses the following techniques to cover tracks on the target system:
    • Disable auditing
      • Intruders disable auditing immediately after gaining administrator privileges, so that nothing they do afterwards is recorded.
      • At the end of their stay they turn auditing back on with auditpol.exe, so the policy looks untouched; the change itself still generates an audit-policy-changed event if logs are collected elsewhere.
      • Example: https://docs.microsoft.com/en-us/windowsserver/administration/windows-commands/auditpol-clear
    • Clearing logs
      • Windows: Start > Control Panel > System and Security > Administrative Tools > Event Viewer. Clear the logs (or delete the entries) covering the period of the compromise. Note that clearing the Security log itself writes event ID 1102, so the clearing is visible to anyone collecting logs off-host.
      • Linux: Go to the /var/log directory and open the plain-text log (for example /var/log/messages or /var/log/auth.log) in a text editor. Delete the entries logged during the compromise.
    • Manipulating logs
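Detection logic for the track-covering steps described above, as an added example that is not part of the original page. It runs over a constructed stream of Windows Security events rendered as JSON lines: the event IDs 4719 (audit policy changed), 1102 (Security log cleared) and 4688 (process creation with command line) are real, while the host name, user, timestamps and command lines are invented for the example. Besides flagging individual events, it pairs the "disable auditing" command with the later "enable auditing" command to recover the window in which the local logs cannot be trusted.

```python
"""Detection logic for the track-covering techniques above, run over a
constructed stream of Windows Security events rendered as JSON lines
(added example, not the page's code). Event IDs 4719, 1102 and 4688 are
real Windows event IDs; host, user, times and commands are invented."""
import json
import re

SAMPLE_EVENTS = """
{"ts": "2024-05-01T10:02:11Z", "id": 4624, "host": "ws01", "user": "jsmith", "msg": "An account was successfully logged on"}
{"ts": "2024-05-01T10:03:40Z", "id": 4688, "host": "ws01", "user": "jsmith", "cmd": "auditpol.exe /set /category:* /success:disable /failure:disable"}
{"ts": "2024-05-01T10:03:41Z", "id": 4719, "host": "ws01", "user": "jsmith", "msg": "System audit policy was changed"}
{"ts": "2024-05-01T10:03:42Z", "id": 4688, "host": "ws01", "user": "jsmith", "cmd": "auditpol.exe /clear /y"}
{"ts": "2024-05-01T11:30:05Z", "id": 4688, "host": "ws01", "user": "jsmith", "cmd": "wevtutil.exe cl Security"}
{"ts": "2024-05-01T11:30:06Z", "id": 1102, "host": "ws01", "user": "jsmith", "msg": "The audit log was cleared"}
{"ts": "2024-05-01T11:31:00Z", "id": 4688, "host": "ws01", "user": "jsmith", "cmd": "auditpol.exe /set /category:* /success:enable /failure:enable"}
"""

# Event IDs that by themselves indicate tampering with the audit trail.
EVENT_ID_ALERTS = {
    1102: "Security event log cleared",
    104: "System or Application event log cleared",
    4719: "system audit policy changed",
}

# Command lines (from 4688 or Sysmon event 1) typical of disabling auditing.
DISABLE_PATTERNS = [
    (re.compile(r"\bauditpol(\.exe)?\b.*\s/clear\b", re.I), "audit policy cleared with auditpol"),
    (re.compile(r"\bauditpol(\.exe)?\b.*\bdisable\b", re.I), "auditing disabled with auditpol"),
]
# Command lines typical of wiping logs that were already written.
WIPE_PATTERNS = [
    (re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), "event log cleared with wevtutil"),
    (re.compile(r"\bClear-EventLog\b", re.I), "event log cleared with PowerShell"),
]
ENABLE_PATTERN = re.compile(r"\bauditpol(\.exe)?\b.*\benable\b", re.I)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (timestamp, event_id, reason) for every suspicious event."""
    alerts = []
    for e in events:
        if e["id"] in EVENT_ID_ALERTS:
            alerts.append((e["ts"], e["id"], EVENT_ID_ALERTS[e["id"]]))
        cmd = e.get("cmd", "")
        for pat, reason in DISABLE_PATTERNS + WIPE_PATTERNS:
            if pat.search(cmd):
                alerts.append((e["ts"], e["id"], reason))
    return alerts


def blind_windows(events):
    """Intruders disable auditing on arrival and re-enable it before leaving.
    Pair each disabling command with the next re-enabling one to recover the
    interval during which the local audit trail cannot be trusted."""
    windows, start = [], None
    for e in events:
        cmd = e.get("cmd", "")
        if start is None and any(p.search(cmd) for p, _ in DISABLE_PATTERNS):
            start = e["ts"]
        elif start is not None and ENABLE_PATTERN.search(cmd):
            windows.append((start, e["ts"]))
            start = None
    if start is not None:
        windows.append((start, None))      # never re-enabled: still blind
    return windows


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for alert in detect(evts):
        print("ALERT", *alert)
    print("blind windows:", blind_windows(evts))
```

The detection only works if these events leave the host: forward the Security log to a collector (Windows Event Forwarding or a syslog/SIEM agent) so that the 1102 and 4719 events, and the 4688 command lines, are already off-box by the time the intruder clears the local log.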

Penetration Testing

  • Password Cracking
  •  Privilege Escalation
  • Executing Applications
  • Hiding Files
  • Covering Tracks
About Author

ICT Byte