Gaining Access

In this phase you need to grab authentication credentials of some sort to gain access to the device
Authentication and Password Methods
- Something you are
- Something you know
- Something you have

What are the four main types of password attacks?

Non-electronic
- Social Engineering
- Shoulder surfing
- Dumpster diving
Active online
- carried out by directly communicating with the victim's machine
- take much longer than passive attacks and tend to be much easier to detect
- Includes:
  - Dictionary and brute-force attacks
  - Hash injections - When you steal a hash and inject it into a local session hoping to access something
  - Phishing
    A social engineering attack whereby the attacker crafts and email with bogus links
  - Trojans
  - Spyware
  - Keyloggers
    Keylogging
    is the process of using a hardware device or software application to capture the keystrokes a user types
    Software key loggers are easier to spot with antivirus and other scanning options
    Hardware loggers are almost impossible to detect according to ECC
  - Password guessing
  - LLMNR/NBT-NS (Link-Local Multicast Name Resolution and NetBIOS Name Service)
    Purpose was to keep name resolution as local as possible and provide a backup for when DNS fails
    LLMNR is based on the DNS format and allows hosts on the same subnet/local link to perform name resolution for other hosts
    NBT-NS identifies systems on a local network by their NetBIOS name
    LLMNR uses UDP 5355 and NBT-NS uses UDP 137
    LLMNR uses link-scope multicast IP address (224.0.0.252 for IPv4 and FF02:0:0:0:0:0:1:3 for IPv6)
    Attacker sends a response to a broadcast that poisons the receiving system's service and now sends all traffic to the attacker's system
    If the request requires identification and authentication, the user name and NTLMv2 has my be sent to the attacker's system
    Tools that pull off this attack
    NBNSpoof
    Pupy
    Metasploit
    Responder
    Mitigations
    Disable LLMNR and NetBIOS (in local computer security settings or via Group Policy)
Passive online
- Basically amounts to sniffing a wire in the hopes of either intercepting a password in clear text or attempting a replay attack of a man in the middle (MITM) attack
- If it is hashed you can compare it to a dictionary list or try a password cracker
- MITM attack
  - Attacker tries to re-send authentication request to the server for the client
  - Routing all traffic through the attacker's machine
- Replay attack
  - The entire authentication process is captured and replayed at a later time - the client is not even a part of the session
- Tools to pull off attack
  - Cain and Abel
    Windows based sniffer/password cracker
  - Ettercap
    Helps against pesky SSL encryption
    Can be setup as an SSL proxy and simply park between your target and any SSL site the victim is trying to visit
  - ScoopLM
    Built-in password cracker
    Looks for Windows authentication traffic on the wire
  - KerbCrack
    Built-in sniffer and password cracker
    Looks for port 88 Kerberos traffic
  - SSLsniff
    Acts as a man in the middle for all SSL connections on a LAN
    Dynamically generates certificates for the domains being accessed on the fly
    New certs are constructed in a cert chain that is signed by any certificate that you provide.
Offline
- Hacker steals a copy of the password file and works the cracking efforts on a separate system
- May require some form of physical access to the machine
- Dictionary attack
  - Easiest and fastest attack available
  - Uses a list of passwords in a text file that is hashed using the same algorithm that was used to hash the original password
  - The hashes are compared, if a match is found then the password is cracked
- Hybrid attack
  - Cracking tool is smart enough to take words from a list and substitute numbers and symbols for alpha characters
  - Can also append numbers and symbols to the end of dictionary file passwords
- Brute-force attack
  - Every conceivable combination of letters, numbers, and special characters is compared against the hash to determine a match
- Rainbow table
  - huge compilation of hashes of every password imaginable
  - attacker simply needs to compare a stolen hash to a table
- Tools
  - Cain
  - pwdump7
  - fgdump
  - KerbCrack
  - Legion
  - LC5
  - John the Ripper
  - OpenSezMe
  - CIRT
  - "defaultpassword" sites

Windows password recovery (or reset tools)

CHNTPW (Linux utility)
Stellar Phoenix
Windows Password Recovery Ultimate
ISeePassword
Windows Password Recovery Tool
Passware Kit
PCUnlocker

"net" commands

# Shows all systems in the domain name provided
net view /domain:domainname 

# Provides a list of open shares on the system named 
net view \\systemname 

# Sets up a null session 
net use \\target\ipc$ "" /u: "

# List of connected shared resources 
net use 

# Mount the folder fileshare on the remote machine *somename* 
net use Z://*somename*/*fileshare* 

# Make the mount persistent after reboot 
net use Z://*somename*/*fileshare* /persistent:yes

PreviousFoundational NextSession Hijacking

Last updated 1 year ago

# Shows all systems in the domain name provided net view /domain:domainname # Provides a list of open shares on the system named net view \\systemname # Sets up a null session net use \\target\ipc$ "" /u: " # List of connected shared resources net use # Mount the folder fileshare on the remote machine *somename* net use Z://*somename*/*fileshare* # Make the mount persistent after reboot net use Z://*somename*/*fileshare* /persistent:yes