Cyber security and ethical hacking 9
1. Cyber Security and Ethical Hacking
By Mehedi Hasan
Lecture 9:
Password Cracking Attacks Part 2
2. Windows Hacking
The SAM File
Windows login Passwords
FACT 1: It is public knowledge that windows stores the login
passwords in the SAM (Security Accounts Manager) file.
Fact 2: The location of the SAM file is also publicly known:
C:\windows\system32\config
C:\windows\repair
In the windows registry the SAM file data is found under:
HKEY_LOCAL_MACHINE\SAM
Fact 3: The SAM file is locked as windows boots and cannot be accessed,
moved or copied. This property of the SAM file was supposed to give
protection to windows login passwords.
3. Windows Hacking
The SAM File
Windows login Passwords
The typical structure of the SAM file is like the following:
Username: UserID: LM_Hash: NTLM_hash
For example:
Mehedi Hasan
423nfkdfkjio34lkerirelkfnm.z,dmworulkadj.,sdJDSAHREIRs
(Note: UserID 500 is for admin, 501 is for guest and 1000+ for
standard users)
(Note: LM Hash has been disabled from windows vista / windows 7
onwards. Instead of the LM Hash, a blank will be displayed.)
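The layout above is easiest to reason about from an auditing angle: given a dump in the Username:UserID:LM_Hash:NTLM_hash form, which accounts still have the weak LM hash stored, and which RIDs are built-in versus user-created? The following is an added example written for this lecture, not code from the lecture or from any of the tools it lists. It assumes one record per line in exactly that colon-separated layout (a trailing `:::` as produced by pwdump-style tools is tolerated), treats a blank LM field or the well-known LM hash of the empty password as "no LM hash stored", and uses placeholder hex strings as constructed sample data.

```python
import re
from dataclasses import dataclass

# LM hash of the empty password: dumps show this value (or a blank field)
# when no LM hash is stored for the account.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in the Username:UserID:LM_Hash:NTLM_hash layout from
# the slide. The hex strings are placeholders, not hashes of real passwords
# (the Guest NT hash is the well-known hash of the empty password).
SAMPLE_DUMP = """\
Administrator:500::0123456789abcdef0123456789abcdef
Guest:501::31d6cfe0d16ae931b73c59d7e0c089c0
mehedi:1000::fedcba9876543210fedcba9876543210
legacy:1001:aabbccddeeff00112233445566778899:fedcba9876543210fedcba9876543210
svc_old:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff
"""


@dataclass
class SamRecord:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def account_type(self) -> str:
        # Per the slide: RID 500 is the built-in administrator, 501 the guest,
        # 1000 and above are standard (user-created) accounts.
        if self.rid == 500:
            return "administrator"
        if self.rid == 501:
            return "guest"
        if self.rid >= 1000:
            return "standard"
        return "built-in"

    @property
    def has_lm_hash(self) -> bool:
        # An LM hash is really stored only if the field is non-blank and is
        # not the empty-password value that tools print as a placeholder.
        return self.lm_hash != "" and self.lm_hash.lower() != EMPTY_LM_HASH


# user:rid:lm(optional 32 hex):nt(32 hex), with an optional pwdump-style tail.
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32})?:([0-9a-fA-F]{32})(?::.*)?$")


def parse_dump(text: str) -> list:
    """Parse a dump into SamRecord objects; rejects lines not in the expected layout."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in Username:UserID:LM_Hash:NTLM_hash form")
        user, rid, lm, nt = m.groups()
        records.append(SamRecord(user, int(rid), lm or "", nt))
    return records


def accounts_with_lm_hash(records) -> list:
    """Usernames whose LM hash is actually stored (candidates for NoLMHash + password change)."""
    return [r.username for r in records if r.has_lm_hash]


def lm_hash_audit(text: str) -> dict:
    """Summarise a dump: how many accounts, which keep an LM hash, which are standard users."""
    records = parse_dump(text)
    return {
        "total": len(records),
        "lm_present": accounts_with_lm_hash(records),
        "standard_accounts": [r.username for r in records if r.account_type == "standard"],
    }


if __name__ == "__main__":
    for r in parse_dump(SAMPLE_DUMP):
        print(f"{r.username:<14} RID={r.rid:<5} {r.account_type:<14} LM hash stored: {r.has_lm_hash}")
    print(lm_hash_audit(SAMPLE_DUMP))
```

Only the `legacy` account is reported as carrying an LM hash: the `svc_old` field holds the empty-password placeholder, which is what you see once LM storage is disabled but the dump tool still prints the column.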
4. Windows Hacking
NTLM and Kerberos
How windows stores passwords
NTLM and NTLMv2 are security protocols that were introduced by
Microsoft to securely store user passwords. NTLM is much more
secure than LM. NTLM uses MD4 or MD5 instead of DES. The
password chosen by the user is passed through the MD5 algorithm 3
times to get the hash value. Unfortunately, the biggest weakness of
NTLMv2 is that it does not use a salt, which makes the hashes susceptible to
rainbow table attacks.
Whenever you create a windows account, windows generates both
the LM hash and the NT hash of the password, which are then stored
in the SAM file, which leaves the password open to theft.
For backward compatibility, windows supports both the LM hash and
the NTLM hash.
5. Windows Hacking
NTLM and Kerberos
How to Disable LM Hash
Storage of the LM hash can be prevented using the following
techniques:
• Open the windows registry, navigate to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and
add a new key called NoLMHash.
• Disable LM Hash by going to Security Options.
• Use a password longer than 15 characters; then no LM hash will be
created.
• LM hash is disabled by default from windows vista / windows 7
onwards.
6. Windows Hacking
NTLM and Kerberos
http://www.foofus.net/~fizzgig/fgdump/
Dumps Password hashes from the SAM file. Requires Admin Access
8. Windows Hacking
Fgdump on some other user
fgdump.exe -h 127.0.0.1 -u Admin_UserName
(Note: You will be asked to enter the admin password)
9. Windows Hacking
Fgdump on some other system
fgdump.exe -h 198.168.10.0 -u Admin_UserName
(Note: You will be asked to enter the admin password)
10. Windows Hacking
Online Attack : samdump
Comes with BackTrack and allows you to dump SAM hashes.
http://www.backtrack-linux.org
11. Windows Hacking
Online Attack : Cain and Abel
Dumps password hashes from the SAM file. Requires admin access.
http://www.oxid.it
12. Windows Hacking
Cain and Abel
Brute force attack against dumped password hashes. Can also perform
rainbow table attacks.
http://www.oxid.it
13. Windows Hacking
John The Ripper
Can crack the windows password if a SAM file dump is available. Only
dictionary based attacks though. Supports LM and NTLM and also cracks
UNIX passwords.
14. Windows Hacking
Offline Attack : Ophcrack
Uses rainbow tables to crack the passwords; comes with free rainbow
tables. Can dump hashes as well.
(Works offline and online)
15. Windows Hacking
Offline NT Password and Registry Editor, or ntpasswd
(Offline)
Resets the password of a valid account. Works in offline mode. Works
with SYSKEY.
http://pogostick.net/~pnh/ntpasswd
16. Windows Hacking
PC Login Now (Offline)
Resets/deletes the password of a valid account. Works with
SYSKEY enabled.
http://www.pcloginnow.com
17. Windows Hacking
Kon Boot (Offline)
Runs as a bootable CD, modifies the windows kernel during boot, hence allowing
you to log in without a password. Does not change anything in the SAM file.
Hence when you restart all is normal again. Works with SYSKEY.
http://www.kryptoslogic.com
18. Windows Hacking
Trinity Rescue Kit
Free Linux distribution, bootable from CD or pen drive, can reset
passwords. Use the winpass tool in Trinity Rescue Kit.
http://www.trinityhome.org
19. Windows Hacking
NTPWEdit
The SAM file is locked as soon as windows boots. You can boot from a bootable
CD or pen drive of windows PE and run the NTPWEdit tool to edit the
windows login password. You can also attach the victim hard drive to
another computer and run NTPWEdit on that computer.
http://cdslow.webhost.ru/en/ntpwedit/
20. Windows Hacking
Windows PE
Windows PE (Windows Pre-Installation Environment or WinPE) is a
minimal version of windows that can be booted from CD, pen drive or
external HDD. It was originally designed to allow manufacturers to boot
a computer without any OS installed on it, so that they can then
preinstall windows on systems during the manufacturing stage.
However, it is nowadays also used for troubleshooting windows in
offline mode and even hacking into windows from offline mode.
Windows PE is a part of the windows Automated Installation Kit (AIK) for
windows 7, which can be downloaded from
http://www.microsoft.com/en-us/download/details.aspx?id=5753
21. Windows Hacking
Windows RE
Windows RE (Windows Recovery Environment or WinRE) is based on
WinPE and is a recovery tool that allows you to diagnose and repair
your computer in case windows fails to boot.
It is possible to create a bootable windows recovery or WinRE disk, or in
some cases it can also be accessed by pressing the F8 key during
boot up.
Microsoft has provided detailed instructions on how to create a bootable
disk of WinRE and WinPE.
http://www.microsoft.com/en-us/library/cc749103(v=ws.10).aspx
22. Windows Hacking
Proactive Password Auditor
Requires admin rights. Dumps hashes from memory or the registry and
tests strength with brute force, dictionary & rainbow attacks. Can also
crack password dump files generated by other tools. Can also crack
passwords whether you boot into windows or another OS.
http://www.elcomsoft.com/pspr.html
23. Windows Hacking
Proactive System Recovery
Cracks passwords for accounts through offline techniques.
http://www.elcomsoft.com/pspr.html
26. Windows Hacking
SYSKEY
Improve Windows Security
SYSKEY is a tool that was introduced by Microsoft to improve the
security of windows systems. Once enabled, it would encrypt the SAM
file using a 128-bit RC4 Encryption key.
27. Windows Hacking
SYSKEY
Improve Windows Security
Option 1: Require the user to enter a startup SYSKEY password, at least
12 characters long.
Option 2: Let the system generate a password, which can be stored on a pen
drive. The user must attach the pen drive, otherwise they won't be allowed to log in.
You need to assign drive A: to your pen drive using the windows Disk
Management tool.
Option 3: Let the system generate a password, but store it locally on the
system, so the user doesn't need to do anything.
28. Windows Hacking
SYSKEY
Improve Windows Security
Advantages:
• A criminal can't start windows without somehow gaining access to the
encryption key on the pen drive or without entering the startup password,
even if offline hacking tools have been used.
• Even if a criminal has cracked, changed or reset the windows login
password using offline techniques, they will still not be able to log in
since they will be asked for the SYSKEY password.
• Encrypts the SAM file, making it harder for brute force attacks to
work.
However, it has been shown that even SYSKEY is vulnerable. For a very
good tutorial about how to crack the SYSKEY password using Ubuntu,
BKHive and Samdump2, visit http://epyxforensics.com/node/34
31. Windows Hacking
Windows Security
How to Protect Windows?
Things To Do:
• Disable booting from external drives by changing the BIOS settings. However,
this doesn't protect against a criminal physically opening the CPU and connecting
the hard drive to some other system and then performing the attack, or
cracking the BIOS password or resetting the BIOS settings.
• Enable SYSKEY.
• Encrypt the hard drive.
BitLocker Drive Encryption is a security feature in windows (Vista
onwards) that protects your data, passwords and files against offline
attacks. It can be enabled from Control Panel > System and Security >
BitLocker Drive Encryption.
32. Windows Hacking
Privilege Escalation
Sticky Keys Attack
Sticky keys is a special feature that is built into windows for the benefit
of people with physical disabilities. It allows physically disabled people
to use function keys like SHIFT, CTRL, ALT or the WINDOWS key by pressing
them after pressing the other key, instead of pressing both keys
simultaneously.
It is possible to activate sticky keys by pressing the SHIFT key 5 times at
the windows logon screen. When you activate sticky keys, the
following EXE file normally gets executed:
C:\windows\system32\sethc.exe
If you were to replace the above sethc.exe file with cmd.exe and
then press the SHIFT key 5 times at the windows logon screen, a command
prompt would start instead.
33. Windows Hacking
Privilege Escalation
Sticky Keys Attack
Create a bootable USB drive of windows PE (miniature bootable version
of windows) or start windows RE (by booting the windows setup DVD and
then selecting repair).
Once windows PE or windows RE boots, access the command line
prompt.
Type the command to replace the sticky keys file with the command prompt:
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
Restart the system. When you see the login prompt, press SHIFT 5 times to
enable sticky keys. Immediately, a command line prompt will start.
Type the following command to change the password of any of the
existing users:
net user username NewPassword
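The tell-tale sign of the swap described above is that sethc.exe on disk is byte-for-byte cmd.exe. The following added example (written for this lecture; not code from the lecture or from Microsoft) shows the two checks a defender can script: compare the SHA-256 of sethc.exe with that of cmd.exe, and compare it with a baseline hash recorded while the system was known-good. The file contents below are constructed stand-ins so the check runs anywhere; `load_from_disk` is a hypothetical helper for reading the real files on a Windows host.

```python
import hashlib

SETHC = r"C:\windows\system32\sethc.exe"
CMD = r"C:\windows\system32\cmd.exe"

# Constructed stand-in file contents (real PE files are not needed to show the check).
CLEAN_SYSTEM = {
    SETHC: b"MZ...sticky-keys-binary(constructed)",
    CMD: b"MZ...command-prompt-binary(constructed)",
}
TAMPERED_SYSTEM = {
    SETHC: b"MZ...command-prompt-binary(constructed)",  # cmd.exe copied over sethc.exe
    CMD: b"MZ...command-prompt-binary(constructed)",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sethc_replaced(files: dict) -> bool:
    """True when sethc.exe has exactly the same content as cmd.exe (the swap on this slide)."""
    return sha256(files[SETHC]) == sha256(files[CMD])


def sethc_matches_baseline(files: dict, baseline_sha256: str) -> bool:
    """Stronger check: compare sethc.exe with a hash recorded when the system was known-good.
    Catches replacement by any binary, not only cmd.exe."""
    return sha256(files[SETHC]) == baseline_sha256


def load_from_disk(paths) -> dict:
    """Hypothetical helper for a live Windows host: read the real files into the same dict shape."""
    return {p: open(p, "rb").read() for p in paths}


if __name__ == "__main__":
    baseline = sha256(CLEAN_SYSTEM[SETHC])  # recorded at build time, stored off-host
    for name, fs in (("clean", CLEAN_SYSTEM), ("tampered", TAMPERED_SYSTEM)):
        print(f"{name:<9} sethc==cmd: {sethc_replaced(fs)!s:<5} baseline ok: {sethc_matches_baseline(fs, baseline)}")
```

The baseline comparison is the one worth automating: the equality test with cmd.exe only catches this exact swap, whereas a stored known-good hash flags any change to the accessibility binary, and the same idea extends to full-disk encryption (the BitLocker point above), which stops an offline boot from writing to system32 in the first place.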
34. Windows Hacking
Privilege Escalation
Hidden Admin account attack
It is possible to create a new hidden admin account on a windows
machine by following the procedure below:
Step 1: Boot into windows PE or windows RE, go to the command
line prompt and type the command:
net user dhaka dhaka123 /add
(dhaka is the user name and dhaka123 is the password)
35. Windows Hacking
Privilege Escalation
Hidden Admin account attack
Step 2: Go to the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
If the subkeys SpecialAccounts and UserList do not exist, then you need
to create them.
Step 3: Select the UserList subkey in the left column, right click
anywhere in the right pane and select New > DWORD value. The name of
the DWORD value should be the username of the hidden account you
wish to create (in this case dhaka). Set its value data to 0. This makes the
account hidden and it will not even appear in the login screen when
windows boots.
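Because the hiding is done entirely through that one registry key, an audit only has to enumerate the DWORD values under SpecialAccounts\UserList and report every name set to 0 that is not on an approved list. The following added example (written for this lecture; not code from the lecture) parses a `reg export` style text of that key. The excerpt is a constructed sample, and the account names in it are placeholders.

```python
import re

# Constructed excerpt of a `reg export` of the key named in Step 2
# (sample data, not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"dhaka"=dword:00000000
"kiosk"=dword:00000001
"svc_backup"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Other]
"unrelated"=dword:00000000
"""

USERLIST_SUFFIX = r"\Winlogon\SpecialAccounts\UserList"
# One value line in .reg syntax: "name"=dword:XXXXXXXX
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_userlist(reg_text: str) -> dict:
    """Return {account name: dword value} for the values stored under the UserList key."""
    values = {}
    in_userlist = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new key header: we are inside UserList only while its header is the latest one.
            in_userlist = line[1:-1].endswith(USERLIST_SUFFIX)
            continue
        if not in_userlist:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def hidden_accounts(reg_text: str, approved=()) -> list:
    """Accounts whose value is 0 (hidden from the logon screen) and that are not on the approved list."""
    approved = set(approved)
    return sorted(name for name, value in parse_userlist(reg_text).items()
                  if value == 0 and name not in approved)


if __name__ == "__main__":
    print("UserList values:", parse_userlist(SAMPLE_REG))
    print("hidden, unapproved:", hidden_accounts(SAMPLE_REG, approved=["svc_backup"]))
```

On a real host, export the key with `reg export` and read the resulting file with `encoding="utf-16"` (reg.exe writes UTF-16 by default) before passing the text in; a hidden account that is also a member of Administrators is the combination worth alerting on.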
36. Windows Hacking
Windows Password Recovery 7.0
Can crack passwords which use the windows biometric framework and
fingerprint readers.
http://www.passcape.com
39. Windows Hacking
SHA1 & SHA2 Encoding
SHA stands for Secure Hash Algorithm and was developed by the US
government. It is more secure than the MD5 hash. SHA2 is the most secure
version of SHA as of now.
SHA is commonly used in various security protocols like SSL, IPsec, SSH
and PGP.
45. Cracking Network Passwords
THC Hydra
It is a parallelized login cracker for various protocols:
FTP, HTTP, POP, SQL, Oracle, Telnet, etc.
http://thc.org/thc-hydra/
47. Cracking Network Passwords
Distributed network attack
It is a technique that cracks the password by using the unused &
underutilized processing power of all the computers on the network.
Elcomsoft distributed password recovery tools:
http://elcomsoft.com/
48. Cracking Network Passwords
Distributed network attack
The server has to be installed on a central server and the client needs to be
installed on the other computers on the network.
The server splits the password cracking process into smaller jobs and
distributes them to all the clients across the network.
The client runs in the background, does not disturb regular applications
and only uses unutilized processing power of the systems.
- Such a distributed attack reduces the amount of time it takes to crack
the password.
- Elcomsoft provides support for more than 2500 clients running at the
same time.
49. Metasploit
Brute force attacks using Metasploit.
use auxiliary/scanner/pop3/pop3_login
use auxiliary/scanner/http/http_login
set RHOSTS www.nexiobd.com
run
52. Captcha
Captcha (almost like the word capture) is short for Completely
Automated Public Turing test to tell Computers and Humans Apart.
Captcha is commonly used by websites to distinguish between humans
and automated computer scripts or bots.
Such text can usually be read only by humans and not by
computers or automated scripts.
Captcha is commonly used to fight spam and brute force password cracking
and to restrict the rate of use of a service.
Google & CMU have come out with a system called reCaptcha & Mail
hide to fight spammers & criminals.
53. reCaptcha
reCaptcha is a project that was started at Carnegie Mellon University
and was later bought by Google. It is a free CAPTCHA service that
helps to digitize books, newspapers and radio shows.
To digitize reading material, pages are scanned and then converted into
text using optical character recognition (OCR), which is not 100%
accurate.
To improve the digitization, reCaptcha takes all those words that cannot
be read by computers and sends them as captcha text for humans to
type.
You might argue: if a computer can't read the word being used as
captcha, then how does this system verify whether the user has entered
the correct word or not?
54. reCaptcha
Hence, reCaptcha sends each word that cannot be read by a computer
along with another word whose value is already known, and asks users
to read both words.
If a user correctly enters the word whose value is already known, then
the system assumes that the user also entered the unknown word
correctly. This unknown word is then sent to several other people as
well, and with time the system gets correct values for all unknown
words.
According to its official website (www.recaptcha.net), this system has
allowed them to achieve 99.5% accuracy at the word level, and more
than 200 million captchas are solved every day by people around the
world.
It is possible to install reCaptcha on your website for free by visiting the
website and following the instructions.
62. Meet in the Middle Attack
Usually, to convert some unencrypted plain text into its encrypted value,
some function is executed on it:
Encrypted value = Plaintext * Some Function
Encrypted value = Plaintext * Some Key
We have already seen how easy it is to break this using various attacks.
In order to improve security, an obvious choice would be to use two
independent, different functions:
Encrypted value = Second Key * (Plaintext * First Key)
If we were to use brute force, then to crack the above type of
encryption 2^(2n) attempts would have to be made, as opposed to 2^n
attempts if only 1 key encryption was being used. So it seems that a 2
key encryption algorithm is more secure.
63. Meet in the Middle Attack
In the meet in the middle attack, such a 2 key encryption algorithm is
attacked from both sides using brute force.
The attacker tries to encrypt the plaintext using different keys to get an
intermediate encrypted value (one that has been passed through only
one of the keys).
Simultaneously, the attacker also tries to decrypt the encrypted value using
different keys to get an intermediate value (one that has been
passed through only one of the keys).
For whichever case the intermediate values match, it is highly likely
that the key used to encrypt the plaintext and the key used to decrypt
the encrypted value are the two keys of the 2 key encryption algorithm
being used. Voila.
Such an attack works against any successive 2 key encryption algorithm
like Double DES, Twofish, AES etc.
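The cost argument on the two slides above (2^(2n) for a naive search versus roughly 2 * 2^n for meeting in the middle, at the price of a table with 2^n entries) is easiest to believe when both searches are run side by side on a cipher small enough to exhaust. The following added example, written for this lecture and not taken from it, defines a toy 16-bit block cipher with an 8-bit key (XOR with the key, a fixed byte substitution, then a rotation; the substitution step is what stops two successive keys from collapsing into one equivalent key) and recovers both keys of its double encryption with each method, counting the work. The key values and plaintexts are constructed for the demonstration.

```python
import random
from itertools import product

KEY_BITS = 8                  # n: each key has 2^n = 256 possibilities
KEY_SPACE = 1 << KEY_BITS
MASK16 = 0xFFFF

# Fixed pseudo-random byte substitution (seeded so the example is repeatable).
_rng = random.Random(2024)
SBOX = list(range(256))
_rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def _rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def _rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK16


def _rep(key):
    return key | (key << 8)          # repeat the 8-bit key across both bytes


def toy_encrypt(block, key):
    """Plaintext * Key: XOR with the key, substitute each byte, rotate left by 3."""
    x = block ^ _rep(key)
    x = (SBOX[x >> 8] << 8) | SBOX[x & 0xFF]
    return _rotl16(x, 3)


def toy_decrypt(block, key):
    x = _rotr16(block, 3)
    x = (INV_SBOX[x >> 8] << 8) | INV_SBOX[x & 0xFF]
    return x ^ _rep(key)


def double_encrypt(block, k1, k2):
    """Encrypted value = Second Key * (Plaintext * First Key), as on the slide."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def brute_force_double(pairs):
    """Naive search over both keys together: up to 2^(2n) candidate pairs."""
    tried = 0
    for k1, k2 in product(range(KEY_SPACE), repeat=2):
        tried += 1
        if all(double_encrypt(p, k1, k2) == c for p, c in pairs):
            return (k1, k2), tried
    return None, tried


def meet_in_the_middle(pairs):
    """Table of E_k1(P) for every k1, then D_k2(C) for every k2: at most 2 * 2^n operations."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(KEY_SPACE):                       # forward half: 2^n encryptions
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    work = KEY_SPACE
    for k2 in range(KEY_SPACE):                       # backward half: up to 2^n decryptions
        work += 1
        for k1 in table.get(toy_decrypt(c0, k2), []):
            # A match on one block can be a coincidence; confirm on the remaining pairs.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                return (k1, k2), work
    return None, work


def demo(k1=0x3C, k2=0xA5):
    """Constructed known plaintext/ciphertext pairs under secret keys k1, k2; returns both results."""
    plaintexts = [0x1234, 0xBEEF, 0x0042]
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return brute_force_double(pairs), meet_in_the_middle(pairs)


if __name__ == "__main__":
    (bf_keys, bf_work), (mitm_keys, mitm_work) = demo()
    print("brute force    :", bf_keys, "after", bf_work, "key pairs (worst case", KEY_SPACE ** 2, ")")
    print("meet in middle :", mitm_keys, "after", mitm_work, "operations (bound 2 * 2^n =", 2 * KEY_SPACE, ")")
```

With n = 8 the naive search needs up to 65536 trials while the meet-in-the-middle search never exceeds 512; the same ratio is why double DES with two 56-bit keys offers about 2^57 work rather than 2^112, and why the practical answer was triple DES.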
64. Http Referrer Spoofing
Bypassing Authentication
The header of every HTTP request has something known as the referrer
that represents where the user has come from, i.e. the previous
webpage from which the user has come to the current page.
User => login page => members only page
How are HTTP request referrers used for authentication?
Step 2: If somebody directly types the URL of members.asp into their
browser, then they can technically directly access the members only page
without knowing the username and password! To prevent this, the
members only page will check the HTTP referrer and verify whether the user
has come from the login page or not!
65. Http Referrer Spoofing
Bypassing Authentication
HTTP referrer spoofing is the technique of changing the HTTP referrer
information and pretending to come from some other page, so that the
website gets fooled into giving you access to members only pages!
There are various add-ons for Mozilla Firefox that allow you to
change the HTTP request referrer header to anything of your choice!
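The root cause is that the Referer header is chosen by the client, so a check on it proves nothing about whether a login ever happened. The following added example (written for this lecture; not code from the lecture) puts the referrer-only check from the slides next to a server-side alternative: after a successful login the server issues a session token it has signed with its own secret, and the members page verifies that signature and ignores Referer entirely. The request dictionaries, hostname and cookie layout are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Server-side key, generated at startup and never sent to clients.
SECRET = secrets.token_bytes(32)


def referer_only_check(headers: dict) -> bool:
    """The scheme on the slide: trust that the client-supplied Referer names the login page."""
    return headers.get("Referer", "").endswith("/login.asp")


def issue_session(username: str) -> str:
    """Called only after the username/password check succeeded; returns a signed token."""
    tag = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


def session_check(headers: dict) -> bool:
    """Server-side alternative: accept the request only with a token the server itself signed."""
    cookie = headers.get("Cookie", "")
    if not cookie.startswith("session="):
        return False
    user, _, tag = cookie[len("session="):].partition(":")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)   # constant-time comparison


# Constructed requests for members.asp.
LEGIT = {                       # user really logged in; browser sends the issued token
    "Referer": "http://example.test/login.asp",
    "Cookie": "session=" + issue_session("mehedi"),
}
SPOOFED = {                     # Referer set with a browser add-on, no login ever happened
    "Referer": "http://example.test/login.asp",
}
FORGED_COOKIE = {               # attacker guesses the layout but cannot produce the signature
    "Cookie": "session=mehedi:" + "0" * 64,
}


if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("spoofed referer", SPOOFED), ("forged cookie", FORGED_COOKIE)):
        print(f"{name:<16} referer check: {referer_only_check(req)!s:<5} session check: {session_check(req)}")
```

The spoofed request passes the referrer check and fails the session check; the forged cookie fails because the HMAC tag depends on a secret the client never sees. In a real application the token should also carry an expiry and be bound to a server-side session store, but the principle is the one that matters here: authorise on something the server issued, not on a header the browser is free to rewrite.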