Gaining Access

  • In this phase you need to grab authentication credentials of some sort to gain access to the device

  • Authentication and Password Methods

    • Something you are

    • Something you know

    • Something you have

What are the four main types of password attacks?

  • Non-electronic

    • Social Engineering

    • Shoulder surfing

    • Dumpster diving

  • Active online

    • carried out by directly communicating with the victim's machine

    • take much longer than passive attacks and tend to be much easier to detect

    • Includes:

      • Dictionary and brute-force attacks

      • Hash injections - When you steal a hash and inject it into a local session hoping to access something

      • Phishing

        • A social engineering attack whereby the attacker crafts an email with bogus links

      • Trojans

      • Spyware

      • Keyloggers

        • Keylogging

          • is the process of using a hardware device or software application to capture the keystrokes a user types

          • Software key loggers are easier to spot with antivirus and other scanning options

          • Hardware loggers are almost impossible to detect according to ECC

      • Password guessing

      • LLMNR/NBT-NS (Link-Local Multicast Name Resolution and NetBIOS Name Service)

        • Purpose was to keep name resolution as local as possible and provide a backup for when DNS fails

        • LLMNR is based on the DNS format and allows hosts on the same subnet/local link to perform name resolution for other hosts

        • NBT-NS identifies systems on a local network by their NetBIOS name

        • LLMNR uses UDP 5355 and NBT-NS uses UDP 137

        • LLMNR uses link-scope multicast IP address (224.0.0.252 for IPv4 and FF02:0:0:0:0:0:1:3 for IPv6)

        • Attacker answers a victim's broadcast/multicast name query with a spoofed response, poisoning the victim's name resolution so that traffic meant for that name now goes to the attacker's system

        • If the request requires identification and authentication, the user name and NTLMv2 hash may be sent to the attacker's system

        • Tools that pull off this attack

          • NBNSpoof

          • Pupy

          • Metasploit

          • Responder

        • Mitigations

          • Disable LLMNR and NetBIOS (in local computer security settings or via Group Policy)
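
The poisoning described above can be caught from the defender's side by asking the link for a name that cannot exist and treating any positive LLMNR answer as a spoofed response. The Python below is an added example, not part of these notes or of any tool listed: it encodes the DNS-format LLMNR query, parses a response and flags a poisoner. The canary name, transaction ID and the sample reply are constructed for the demonstration, and sending the query over UDP to 224.0.0.252:5355 is left to the caller.

```python
import struct

def encode_name(name):
    # DNS-style wire name: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".") if lab) + b"\x00"

def build_query(name, txid):
    # LLMNR reuses the 12-byte DNS header (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) + one A/IN question
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def skip_name(pkt, pos):
    # An answer name is either a full label sequence or a 2-byte compression pointer (0xC0xx)
    if pkt[pos] & 0xC0 == 0xC0:
        return pos + 2
    while pkt[pos] != 0:
        pos += pkt[pos] + 1
    return pos + 1

def parse_response(pkt):
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos] != 0:                           # read back the question name
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += n + 1
    pos += 1 + 4                                   # zero terminator, QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        pos = skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:              # A record carries a 4-byte IPv4 address
            answers.append(".".join(str(b) for b in pkt[pos:pos + 4]))
        pos += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels), "answers": answers}

def is_poisoned(canary, txid, pkt):
    # A positive answer for a name that does not exist on the link can only come from a spoofer
    r = parse_response(pkt)
    return r["is_response"] and r["txid"] == txid and r["qname"].lower() == canary.lower() and bool(r["answers"])

# Constructed sample: the reply a poisoner would send to our canary query (not captured traffic)
CANARY, TXID = "canary-host-7f3a", 0x1234
SAMPLE_REPLY = (struct.pack("!HHHHHH", TXID, 0x8000, 1, 1, 0, 0) + encode_name(CANARY) + struct.pack("!HH", 1, 1)
                + encode_name(CANARY) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([192, 168, 1, 55]))

if __name__ == "__main__":
    print("poisoned:", is_poisoned(CANARY, TXID, SAMPLE_REPLY))
```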

  • Passive online

    • Basically amounts to sniffing a wire in the hopes of either intercepting a password in clear text or attempting a replay attack or a man-in-the-middle (MITM) attack

    • If it is hashed you can compare it to a dictionary list or try a password cracker

    • MITM attack

      • Attacker tries to re-send the client's authentication request to the server on the client's behalf

      • Routing all traffic through the attacker's machine

    • Replay attack

      • The entire authentication process is captured and replayed at a later time - the client is not even a part of the session

    • Tools to pull off attack

      • Cain and Abel

        • Windows based sniffer/password cracker

      • Ettercap

        • Helps against pesky SSL encryption

        • Can be set up as an SSL proxy that simply parks between your target and any SSL site the victim is trying to visit

      • ScoopLM

        • Built-in password cracker

        • Looks for Windows authentication traffic on the wire

      • KerbCrack

        • Built-in sniffer and password cracker

        • Looks for port 88 Kerberos traffic

      • SSLsniff

        • Acts as a man in the middle for all SSL connections on a LAN

        • Generates certificates on the fly for the domains being accessed

        • New certs are constructed in a cert chain that is signed by any certificate that you provide

  • Offline

    • Hacker steals a copy of the password file and works the cracking efforts on a separate system

    • May require some form of physical access to the machine

    • Dictionary attack

      • Easiest and fastest attack available

      • Uses a list of passwords in a text file that is hashed using the same algorithm that was used to hash the original password

      • The hashes are compared; if a match is found, the password is cracked

    • Hybrid attack

      • Cracking tool is smart enough to take words from a list and substitute numbers and symbols for alpha characters

      • Can also append numbers and symbols to the end of dictionary file passwords

    • Brute-force attack

      • Every conceivable combination of letters, numbers, and special characters is compared against the hash to determine a match

    • Rainbow table

      • Huge compilation of hashes of every password imaginable

      • Attacker simply needs to compare a stolen hash to a table

    • Tools

      • Cain

      • pwdump7

      • fgdump

      • KerbCrack

      • Legion

      • LC5

      • John the Ripper

      • OpenSezMe

      • CIRT

      • "defaultpassword" sites

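The dictionary, hybrid and brute-force methods above, put side by side as an added example (not from these notes or from any tool listed): each candidate is hashed with the same algorithm as the stored hash and compared, dictionary first, then hybrid mangling of the same word list, then a bounded brute force. Unsalted SHA-256, the word list, the substitution table and the stored hashes are all assumptions constructed for the demonstration; the rainbow-table case is not covered.

```python
import hashlib
import itertools
import string
def h(password, algo="sha256"):
    # Hash the candidate with the same (unsalted) algorithm as the stored hash, as the notes describe
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}     # letters -> numbers/symbols
SUFFIXES = ["", "1", "123", "!", "2024", "1!"]                   # appended to dictionary words

def hybrid_candidates(word):
    # Hybrid rules: case variants, symbol/number substitutions, appended numbers and symbols
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    bases |= {"".join(LEET.get(c, c) for c in b) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix

def dictionary_attack(target, wordlist, algo="sha256"):
    return next((w for w in wordlist if h(w, algo) == target), None)

def hybrid_attack(target, wordlist, algo="sha256"):
    return next((c for w in wordlist for c in hybrid_candidates(w) if h(c, algo) == target), None)

def brute_force(target, max_len, alphabet=string.ascii_lowercase + string.digits, algo="sha256"):
    # Exhaustive search over every combination up to max_len; cost grows as len(alphabet) ** max_len
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            candidate = "".join(combo)
            if h(candidate, algo) == target:
                return candidate
    return None

def audit(target, wordlist, max_brute_len=4, algo="sha256"):
    # Cheapest method first, in the order the notes give them: dictionary, hybrid, brute force
    for method, run in (("dictionary", lambda: dictionary_attack(target, wordlist, algo)),
                        ("hybrid", lambda: hybrid_attack(target, wordlist, algo)),
                        ("brute-force", lambda: brute_force(target, max_brute_len, algo=algo))):
        found = run()
        if found is not None:
            return method, found
    return None, None

# Constructed sample: a tiny word list and four stored hashes made up for this demonstration
WORDLIST = ["password", "summer", "welcome", "dragon"]
STORED = {"alice": h("summer"), "bob": h("Dragon1!"), "carol": h("p@$$w0rd"), "dave": h("zq7")}
if __name__ == "__main__":
    for user, digest in STORED.items():
        print(user, audit(digest, WORDLIST))
```

A salted or slow hash (bcrypt, scrypt, Argon2) defeats the precomputed and shared-work shortcuts here, which is why the comparison above only works on unsalted hashes such as those the listed dump tools produce.
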
Windows password recovery (or reset tools)

  • CHNTPW (Linux utility)

  • Stellar Phoenix

  • Windows Password Recovery Ultimate

  • ISeePassword

  • Windows Password Recovery Tool

  • Passware Kit

  • PCUnlocker

"net" commands

REM Shows all systems in the domain name provided
net view /domain:domainname

REM Provides a list of open shares on the system named
net view \\systemname

REM Sets up a null session (empty password, empty user name)
net use \\target\ipc$ "" /u:""

REM List of connected shared resources
net use

REM Mount the folder fileshare on the remote machine somename as drive Z:
net use Z: \\somename\fileshare

REM Make the mount persistent after reboot
net use Z: \\somename\fileshare /persistent:yes
