System Hacking Techniques Explained

The document outlines the fundamentals of system hacking, detailing the goals of gaining access, escalating privileges, maintaining access, and clearing tracks. It discusses common techniques and tools for password cracking, privilege escalation, and maintaining access, along with ethical considerations in ethical hacking. Additionally, it explains authentication methods like NTLM and Kerberos, and emphasizes the importance of strong passwords and security practices.

Uploaded by Uswa Asif

🔐 System Hacking Fundamentals

System hacking is a crucial phase in ethical hacking where attackers (or ethical hackers) try to gain
access to systems, escalate privileges, hide their presence, and maintain access.

✅ 1. Goals of System Hacking

The key objectives are:

• Gaining Access: Getting unauthorized entry into a system.
• Escalating Privileges: Moving from a low-level user to an administrator/root.
• Maintaining Access: Setting up methods to return later (backdoors).
• Clearing Tracks: Hiding evidence of the intrusion.

🛠 2. Common Techniques & Tools

🔑 A. Password Cracking

Used to recover plaintext passwords from hashes or encrypted formats.

Techniques:

• Brute Force – Trying every combination.
• Dictionary Attack – Using wordlists of common passwords.
• Hybrid Attack – Combining dictionary words with mutations.
• Rainbow Tables – Precomputed hash lookups.
• Keylogging – Capturing keystrokes using malware.

Tools:

• John the Ripper
• Hashcat
• Hydra
• Medusa

📶 B. Privilege Escalation

Once access is gained, attackers try to increase control (e.g., from local user to root/admin).

Techniques:

• Exploiting misconfigurations or vulnerable software.
• Using kernel-level exploits.
• DLL Hijacking (in Windows).
• SUID bit exploitation (in Linux).

Tools:

• PowerUp (Windows)
• LinPEAS / WinPEAS (privilege escalation checkers)

🔁 C. Maintaining Access

After entering a system, hackers want to stay inside for future access.

Methods:

• Backdoors
• Rootkits
• Creating rogue users
• Scheduled tasks / services

Tools:

• Netcat
• Metasploit backdoors
• Remote Access Trojans (RATs)

🧹 D. Clearing Tracks

Hiding activity to avoid detection.

Actions:

• Deleting logs
• Timestomping (changing file timestamps)
• Disabling auditing

Tools:

• Metasploit’s clearev
• Timestomp
• Manual log clearing with wevtutil (Windows)


💡 3. Key Concepts in CEHv13 System Hacking

• SAM Database: Windows stores user password hashes in the Security Accounts Manager.
• LSASS Process: Targeted to extract credentials from memory.
• Pass-the-Hash: Reusing stolen password hashes to authenticate without cracking them.
• Token Impersonation: Using another user’s access token for privilege escalation.

📚 4. Ethical Consideration

System hacking in CEH is always done in controlled environments with legal permission. Its goal is to
simulate real-world threats to improve defenses.

👨🏫 System Authentication Basics

📘 1. SAM Database (Security Accounts Manager)

🔐 What is it?
Think of the SAM database as a locked notebook inside every Windows computer. It stores usernames
and scrambled passwords of people who use that computer.

🧠 Example:
Let’s say you're logging in as "Ali123". When you type your password, Windows checks the SAM
notebook to see if what you typed matches the stored version.

🗝 Important Note:
The passwords inside SAM are not saved as plain text like "123456". They are saved in a scrambled,
one-way form (called a hash), so others can’t easily read them.

🔁 2. NTLM Authentication (Old Way)

🧠 What is NTLM?
NTLM (NT LAN Manager) is an older method Windows used to check whether someone’s login details are correct.

📦 How it works (Simplified):

1. You try to log in.
2. The server sends your computer a challenge (a random value).
3. Your computer scrambles the challenge using your password (its hash) and sends the result to the server.
4. The server does the same calculation with the hash stored in its SAM notebook and compares the two.
5. If they match = ✅ you're in!

🧠 Example:
Imagine a club where you show your secret handshake to the bouncer. If the handshake is correct,
you're allowed in.

⚠️ Why is NTLM outdated?

Because hackers figured out ways to capture the scrambled password (the hash) and reuse it to log in
without ever knowing the real password (called pass-the-hash attacks).

🛡️ 3. Kerberos Authentication (Modern & Secure Way)

🐶 What is Kerberos?
Kerberos is a secure login system that uses special digital "tickets" to prove who you are — like showing
a movie ticket to enter the cinema.

🎫 How it works (Simplified):

1. You log in with your username and password.

2. The system gives you a ticket saying “This person is legit”.

3. You show this ticket every time you need access to something (like email, shared files).

4. No need to enter your password again and again.

🧠 Example:
Imagine your college gives you an ID card. You don’t have to show your ID again and again — just swipe
it, and you’re allowed in classrooms, labs, etc.

🔐 Why is Kerberos better?

• It doesn't keep sending your password.
• It uses timestamps and encryption to stop hackers from reusing your info.
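To make the timestamp and replay points concrete, here is an added, simplified Kerberos-style ticket model (example code written for this page, not Kerberos itself or any project's code): the KDC seals a ticket with a service key the client never sees, the client proves freshness with a timestamped authenticator, and the service rejects expired tickets, stale authenticators and replays. Names (SERVICE_KEY, MAX_SKEW, the JSON ticket layout) are assumptions; real Kerberos encrypts rather than MACs, but the checks are the same.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds; Kerberos tolerates about five minutes of clock drift
SERVICE_KEY = b"constructed-service-key"  # constructed; shared by KDC and service only

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def issue_ticket(principal, now, lifetime=3600):
    """KDC side: return a sealed ticket plus the session key handed to the client."""
    body = json.dumps({"p": principal, "exp": now + lifetime}, sort_keys=True).encode()
    tag = _mac(SERVICE_KEY, body)         # seals the ticket; the client cannot forge it
    session_key = _mac(SERVICE_KEY, tag)  # derived so the service can recompute it
    return (body, tag), session_key

def make_authenticator(session_key, principal, now):
    """Client side: prove possession of the session key, freshly, for this one request."""
    msg = f"{principal}|{int(now)}".encode()
    return msg, _mac(session_key, msg)

class Service:
    """Service side: checks ticket, freshness and replay before granting access."""
    def __init__(self):
        self.replay_cache = set()  # (principal, timestamp) pairs already accepted

    def verify(self, ticket, authenticator, now):
        body, tag = ticket
        if not hmac.compare_digest(_mac(SERVICE_KEY, body), tag):
            return "bad ticket"           # forged or tampered ticket
        claims = json.loads(body)
        if now > claims["exp"]:
            return "expired ticket"
        session_key = _mac(SERVICE_KEY, tag)
        msg, auth_tag = authenticator
        if not hmac.compare_digest(_mac(session_key, msg), auth_tag):
            return "bad authenticator"    # sender does not hold the session key
        principal, ts = msg.decode().rsplit("|", 1)
        ts = int(ts)
        if principal != claims["p"]:
            return "principal mismatch"   # ticket presented by someone else
        if abs(now - ts) > MAX_SKEW:
            return "stale authenticator"  # an old capture, outside the skew window
        if (principal, ts) in self.replay_cache:
            return "replay"               # the same authenticator presented twice
        self.replay_cache.add((principal, ts))
        return "ok"
```

Contrast with the NTLM flow above: there the response depends only on the hash and the challenge, so a stolen hash is enough forever; here a captured authenticator is useless after five minutes and never twice.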

Slide 1: Password Cracking Techniques

• What is Password Cracking? It’s like guessing someone’s PIN by trying different combinations.
• Popular Methods:
  o Dictionary Attack: Tries words from a list (like common passwords).
  o Brute Force: Tries every possible combination (a bit like trying every key on a keyring).
  o Hybrid Attack: Combines both methods.
  o Rainbow Table: Uses precomputed tables of hashes to look up a password from its hash.
  o Rule-Based: Tries variations (e.g., ‘p@ssw0rd’ for ‘password’).

Slide 2: Password Cracking Tools (Kali Linux)

• Think of these tools as very smart robots trying thousands of passwords quickly.
• Tools:
  o John the Ripper: Cracks password files.
  o Hydra: Tries passwords over the network against login services (e.g., email, web login portals).
  o Hashcat: Uses graphics cards to crack faster.
  o Medusa: Also great for testing many passwords quickly.
• Use: Ethical hackers use these tools to check if a company’s passwords are weak.

Slide 3: Privilege Escalation Methods

• What is it? If getting into the system is like entering a building, privilege escalation is like finding the master key that opens every room.
• How attackers do it:
  o Find software bugs
  o Use files or programs with weak protections
  o Trick the system into thinking they are an admin

Slide 4: Exploiting Weak Passwords

• Many people use simple passwords like ‘123456’ or ‘admin’.
• These can be cracked in seconds using wordlists (files with millions of common passwords).
• Lesson: Use strong passwords with a mix of letters, numbers, and symbols.
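The rule-based variations in Slide 1 and the weak-password lesson in Slide 4 can be turned into a screening check: an added example (not code from the page or any product) that undoes the common leet substitutions and trailing digits a rule-based cracker would try, then rejects anything that lands on a wordlist entry. The blocklist and the LEET_MAP table are constructed assumptions; a real deployment would load a breach-derived wordlist.

```python
import re

# Constructed sample blocklist; a real deployment loads a breach-derived wordlist instead.
COMMON_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein", "welcome"}

# Undo the substitutions a rule-based cracker would apply ('p@ssw0rd' -> 'password').
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(password):
    """Lower-case, drop a trailing run of digits/symbols ('2024!'), then undo leet-speak."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)

def check_password(password, min_length=12):
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = sum(re.search(p, password) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes (lower/upper/digit/symbol)")
    # A wordlist hit after normalisation means a dictionary or rule-based run finds it fast.
    hits = [c for c in (password.lower(), normalize(password)) if c in COMMON_PASSWORDS]
    if hits:
        reasons.append(f"matches common password '{hits[0]}' after undoing substitutions")
    if password.isdigit() or re.fullmatch(r"(.)\1*", password):
        reasons.append("digits only or a single repeated character")
    return reasons
```

Note that "P@ssw0rd123!" satisfies the usual length and character-class rules yet is rejected, which is exactly why a mix of symbols alone is not enough.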

Slide 5: Brute Force and Dictionary Attacks

• Brute Force: Like trying every key until one works. Very slow, but works eventually.
• Dictionary Attack: Faster, but only works if the password is common or guessable.
• Analogy: Imagine trying to open a lock by guessing words instead of random letters.
• Tools: Hydra, Medusa, Ncrack

Slide 6: Cracking Windows Passwords

• Where are passwords kept in Windows? In a locked box called the SAM file.
• Tools to open the box:
  o Mimikatz: Extracts credentials from memory.
  o pwdump, fgdump: Read the password hashes.
• Crack Tools: Hashcat, John the Ripper

Slide 7: Cracking Linux Passwords

• Linux stores password hashes in a file called /etc/shadow.
• You need to “combine” it with another file to crack it (like combining ingredients before cooking).
• Tools:
  o John the Ripper
  o Hashcat
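The "combining" step in Slide 7 is a join of /etc/shadow with /etc/passwd on the username (John's unshadow tool does this). The added example below (written for this page, not John's code) performs that join and then audits the result the way a defender would: empty password fields, legacy hash formats and extra UID 0 accounts. The sample file contents are constructed, with placeholder hash bodies.

```python
# Constructed sample files; hash bodies are placeholders, not real hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ali123:x:1000:1000:Ali:/home/ali123:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
ali123:$y$j9T$saltsalt$PLACEHOLDERHASH:19500:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:15000:0:99999:7:::
toor::19000:0:99999:7:::
"""
WEAK_PREFIXES = ("$1$",)  # md5crypt; a 13-char hash with no '$' prefix is legacy DES

def parse_colon_file(text):
    """Parse passwd/shadow-style text into {username: fields}, skipping blank lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def unshadow(passwd_text, shadow_text):
    """Join both files on username (what John's unshadow does) into one record each."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    records = {}
    for name, p in passwd.items():
        s = shadow.get(name)
        records[name] = {"uid": int(p[2]), "shell": p[6],
                         "hash": s[1] if s else None}  # None: no shadow entry at all
    return records

def audit(records):
    """Return (username, finding) pairs that a defender should act on."""
    findings = []
    for name, r in records.items():
        h = r["hash"]
        if h is None:
            findings.append((name, "no shadow entry"))
        elif h == "":
            findings.append((name, "empty password field: login without a password"))
        elif h.startswith(WEAK_PREFIXES) or (len(h) == 13 and "$" not in h):
            findings.append((name, f"legacy hash format {h[:3]!r}: cheap to crack offline"))
        if r["uid"] == 0 and name != "root":
            findings.append((name, "extra UID 0 account (root-equivalent)"))
    return findings
```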

Slide 8: Privilege Escalation on Windows

• Techniques:
  o DLL Hijacking: Tricks a program into loading a fake DLL in place of the real one.
  o Token Impersonation: Acts as another user.
  o UAC Bypass: Avoids permission pop-ups.
• Tools:
  o PowerUp, Sherlock, Windows Exploit Suggester

Slide 9: Privilege Escalation on Linux

• How attackers become ‘root’ (the boss):
  o Use buggy programs
  o Find permissions mistakes
  o Use known kernel exploits (e.g., Dirty Cow)
• Tools:
  o LinPEAS, Linux Exploit Suggester, GTFOBins
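The "permissions mistakes" of Slide 9 and the SUID bit exploitation listed earlier are what a defender audits for before an attacker's checker (LinPEAS) finds them. This added example (not LinPEAS code or anything from the page) walks a subtree like `find / -perm -4000` and flags SUID binaries that are not in a baseline or that are writable by others; the EXPECTED_SUID baseline is a constructed assumption.

```python
import os
import stat

# Constructed baseline; a real one comes from a known-good build of the same image.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

def classify_suid(path, mode, owner_uid, baseline=EXPECTED_SUID):
    """Findings for one file from its st_mode and owner uid; pure so it is easy to test."""
    findings = []
    if not (mode & stat.S_ISUID):
        return findings                    # not SUID: nothing to review
    if path not in baseline:
        findings.append(f"SUID binary not in baseline (runs as uid {owner_uid})")
    if mode & stat.S_IWOTH:
        findings.append("SUID binary is world-writable: anyone can replace its code")
    elif mode & stat.S_IWGRP:
        findings.append("SUID binary is group-writable")
    return findings

def scan_suid(root, baseline=EXPECTED_SUID):
    """Walk a subtree (like 'find / -perm -4000') and report SUID files to review."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            for finding in classify_suid(path, st.st_mode, st.st_uid, baseline):
                report.append((path, finding))
    return report
```

Run `scan_suid("/")` as root on a host and diff the output against the same host's last run to catch a newly planted SUID helper.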

Slide 10: Rootkits and Trojans

• Rootkits: Like invisibility cloaks for hackers; they hide the attacker’s tools inside the system.
• Trojans: Seem harmless (like a game or file) but carry a hidden payload.
• Detection Tools: chkrootkit, rkhunter

Slide 11: Hiding Files and Processes

• Techniques Used by Attackers:
  o Rename files with a leading dot (e.g., .secretfile) so they are hidden from normal directory listings
  o Hide running programs from task managers
• Why? To stay invisible to users and security software

Slide 12: Covering Tracks and Removing Evidence

• Goal: Make it look like nothing happened.
• How?
  o Delete logs (like browser history, but for the system)
  o Clear command history
  o Change file timestamps
• Tools: Timestomp, Auditpol, history -c
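Every track-clearing action in Slide 12 and section D leaves its own trace: Windows writes Event ID 1102 (Security) or 104 (System) when a log is cleared, and wevtutil, auditpol, history -c and Timestomp all show up as command lines in process telemetry. The added detector below (example code for this page, not from any product) runs those rules over a constructed key=value log sample; the log format and field names are assumptions.

```python
import re
import shlex

# Constructed sample events in a simple key=value format (not real telemetry).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=WS01 source=Security event_id=4624 user=ali123 msg="An account was successfully logged on"
2024-05-01T10:05:12Z host=WS01 source=Security event_id=1102 user=ali123 msg="The audit log was cleared"
2024-05-01T10:06:00Z host=WS01 source=Sysmon event_id=1 user=ali123 cmdline="wevtutil cl System"
2024-05-01T10:06:30Z host=WS01 source=Sysmon event_id=1 user=ali123 cmdline="auditpol /clear /y"
2024-05-01T10:07:00Z host=SRV02 source=auditd event_id=0 user=ali123 cmdline="history -c"
2024-05-01T10:08:00Z host=WS01 source=Sysmon event_id=1 user=svc cmdline="notepad.exe notes.txt"
"""

# Windows logs a dedicated event when a log is wiped; that record survives the wipe.
CLEARED_EVENTS = {("Security", "1102"): "Security audit log cleared (Event ID 1102)",
                  ("System", "104"): "System event log cleared (Event ID 104)"}

# Command lines matching the track-clearing tools named in the slides.
SUSPICIOUS_CMDS = [
    (re.compile(r"\bwevtutil(\.exe)?\b.*\bcl\b", re.I), "wevtutil cl: event log cleared"),
    (re.compile(r"\bauditpol(\.exe)?\b.*/clear", re.I), "auditpol /clear: audit policy wiped"),
    (re.compile(r"\bhistory\s+-c\b"), "history -c: shell history cleared"),
    (re.compile(r"\btimestomp\b", re.I), "timestomp: file timestamps altered"),
]

def parse_line(line):
    """Split 'ts key=value key="quoted value"' into a dict; shlex handles the quotes."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
    fields["ts"] = ts
    return fields

def detect(log_text):
    """Return (ts, host, user, reason) for every event that looks like track clearing."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = CLEARED_EVENTS.get((ev.get("source"), ev.get("event_id")))
        if reason is None:
            reason = next((label for pattern, label in SUSPICIOUS_CMDS
                           if pattern.search(ev.get("cmdline", ""))), None)
        if reason is not None:
            findings.append((ev["ts"], ev.get("host"), ev.get("user"), reason))
    return findings
```

Forwarding logs to a central collector before they can be cleared is what makes these rules useful: the 1102 event and the wevtutil command line are still on the collector after the local log is gone.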
