System Hacking
Contents:
• Explain the different techniques to gain access to a system,
• Apply privilege escalation techniques,
• Explain different techniques to gain and maintain remote access to a system,
• Describe different types of rootkits
Microsoft Authentication: How Are Password Hashes Stored in the Windows SAM?
Windows stores user passwords in the SAM database, or in the Active Directory database on
domain-joined systems. Passwords are never stored in clear text: they are hashed, and the
resulting hash values are stored in the SAM
pwdump7
pwdump7 extracts LM and NTLM password hashes of local user accounts from the
Security Account Manager (SAM) database
Tools to Extract the Password Hashes:
Mimikatz https://github.com
DSInternals https://github.com
Hashcat https://hashcat.net
PyCrack https://github.com
Microsoft Authentication: NTLM
Authentication Process
• Windows supports two NTLM-family authentication protocols: the NTLM authentication
protocol and the older LM authentication protocol
• These protocols store the user’s password in the SAM database using different
hashing methods
Microsoft Authentication: Kerberos Authentication
Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger
authentication for client/server applications than NTLM.
Password Cracking
• Attackers use password cracking techniques to gain unauthorized access to
vulnerable systems
Active Online Attacks: Dictionary, Brute-Force, and Rule-based Attack
Dictionary Attack: A dictionary file is loaded into the cracking application that runs
against user accounts.
Brute-Force Attack: The program tries every combination of characters until the
password is broken.
Rule-based Attack: This attack is used when the attacker gets some information
about the password:
Step 1: Obtain the rockyou.txt wordlist located in the usr/share/wordlists directory
Step 2: Create a customized dictionary of passwords by modifying the configuration
of john.conf file
Step 3: Run the following command to generate a customized dictionary of
passwords:
Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack
A hash injection/PtH attack allows an attacker to inject a compromised hash into a
local session and use that hash to authenticate to network resources
The attacker finds and extracts a logged-on domain admin account hash
The attacker uses the extracted hash to log on to the domain controller
Active Online Attacks: LLMNR/NBT-NS Poisoning
• LLMNR and NBT-NS are the two main elements of Windows operating systems that are used
to perform name resolution for hosts present on the same link
• The attacker cracks the NTLMv2 hash obtained from the victim’s authentication process
• The extracted credentials are used to log on to the host system in the network
Active Online Attacks: Pass the Ticket Attack
• Pass the Ticket is a technique used for authenticating a user to a system that is using
Kerberos without providing the user’s password
• To perform this attack, the attacker dumps Kerberos tickets of legitimate accounts
using credential dumping tools
• The attacker then launches a pass the ticket attack either by stealing the ST/TGT from
an end-user machine, or by stealing the ST/TGT from a compromised Authorization
Server
• The attacker uses the retrieved ticket to gain unauthorized access to the target
network services
• Tools such as Mimikatz, Rubeus, and Windows Credentials Editor are used by
attackers to launch such attacks.
Mimikatz allows attackers to pass Kerberos TGT to other computers and sign in using the
victim’s ticket
It also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets
from memory
Perform SSH BruteForce Attack using ShellGPT
“Use Hydra to perform SSH bruteforce on IP address=10.10.1.9 using username.txt
and password.txt files available at location /home/attacker/Wordlist”.
Password-Cracking Tools
L0phtCrack is a password auditing and recovery application
THC-Hydra is a powerful password-cracking tool designed for performing brute
force attacks against various protocols and services.
Password Salting
Password salting is a technique in which a random string of characters (the salt) is added to the
password before its hash is calculated
Advantage: Salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks
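The salting mechanism described above, shown as an added example that is not from the original slides: each user gets a random salt, the hash is computed over salt plus password, and verification recomputes it with the stored salt. The hash function is a toy FNV-1a (assumed here only to keep the example self-contained); a real system uses a slow password KDF such as bcrypt, scrypt or Argon2.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy 64-bit FNV-1a hash, standing in for a real password KDF. */
static uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hash salt || password. The salt is random per user and is stored
   next to the digest; it is not secret, it only makes each digest unique. */
uint64_t salted_hash(const char *salt, const char *password) {
    uint8_t buf[256];
    size_t slen = strlen(salt), plen = strlen(password);
    if (slen + plen > sizeof buf) {
        return 0;   /* input too long for this demo buffer */
    }
    memcpy(buf, salt, slen);
    memcpy(buf + slen, password, plen);
    return fnv1a64(buf, slen + plen);
}

/* Verification: recompute with the stored salt and compare digests. */
int verify_password(const char *salt, uint64_t stored, const char *attempt) {
    return salted_hash(salt, attempt) == stored;
}

int main(void) {
    /* Constructed sample: two users with the same password, different salts. */
    uint64_t alice = salted_hash("Qz8v", "Password1");
    uint64_t bob = salted_hash("m3Tp", "Password1");
    printf("alice %016llx\nbob   %016llx\n",
           (unsigned long long)alice, (unsigned long long)bob);
    printf("verify alice: %d\n", verify_password("Qz8v", alice, "Password1"));
    return 0;
}
```

Because the two digests differ even though the passwords match, a table of pre-computed digests of "Password1" matches neither stored value.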
How to Defend against Password Cracking
Vulnerability Exploitation
Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a
remote system. The steps involved are as follows:
Exploit Sites
• Exploit sites such as Exploit-DB, VulDB, etc. are invaluable resources during the
vulnerability exploitation phase of hacking
• Attackers can use these sites to discover vulnerabilities and download exploits to
perform remote exploitation on the target system.
How do attackers use exploit sites?
• Identification: An attacker identifies a vulnerable service or application on a target
system
• Search: They search Exploit-DB for known exploits related to the identified
vulnerability
• Download: They download the exploit code along with any necessary instructions or
dependencies
• Modification: If needed, they modify the exploit to suit the specific environment
• Execution: The attacker executes the exploit against the target system
Metasploit Framework
The Metasploit Framework is an exploit development platform that
supports fully automated exploitation of web servers, by abusing
known vulnerabilities and leveraging weak passwords via Telnet, SSH,
HTTP, and SNMP
AI-Powered Vulnerability Exploitation Tools
Buffer Overflow
• A buffer is an area of adjacent memory locations allocated to a program or application to
handle its runtime data
• Buffer overflow or overrun is a common vulnerability in applications or programs that
accept more data than the allocated buffer can hold
• This vulnerability allows the application to exceed the buffer while writing data to the
buffer and overwrite neighboring memory locations
• Attackers exploit buffer overflow vulnerability to inject malicious code into the buffer to
damage files, modify program data, access critical information, escalate privileges, gain
shell access, etc.
Types of Buffer Overflow: Stack-Based Buffer Overflow
• A stack is used for static memory allocation and stores the variables in “Last-in First-out” (LIFO)
order
• There are two stack operations: PUSH stores the data onto the stack and POP removes data from
the stack
• If an application is vulnerable to stack-based buffer overflow, attackers overwrite the function’s
saved return address, taking control of the EIP register and redirecting execution to malicious code
that gives them shell access to the target system.
Simple Buffer Overflow in C
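The classic C pattern behind a stack-based overflow, as an added example that is not from the original slides: an unbounded strcpy() into a fixed-size stack buffer next to a hardened version that checks the length first. The buffer size and inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed: small fixed-size stack buffer */

/* Vulnerable pattern: strcpy() copies until the terminating NUL and never
   consults the destination size. Input of BUF_SIZE bytes or more writes past
   buf into neighbouring stack memory, including the saved return address. */
int copy_unsafe(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);
    return (int)strlen(buf);
}

/* Hardened form: measure the input against the buffer first and refuse
   anything that does not fit together with its NUL terminator, then copy
   exactly that many bytes. */
int copy_safe(const char *input) {
    char buf[BUF_SIZE];
    size_t len = 0;
    while (len < BUF_SIZE && input[len] != '\0') {
        len++;
    }
    if (len == BUF_SIZE) {
        return -1;   /* too long for buf: reject instead of overflowing */
    }
    memcpy(buf, input, len + 1);
    return (int)len;
}

int main(void) {
    const char *short_input = "hello";                           /* constructed */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */

    printf("copy_unsafe(short) = %d\n", copy_unsafe(short_input));
    printf("copy_safe(short)   = %d\n", copy_safe(short_input));
    printf("copy_safe(long)    = %d\n", copy_safe(long_input));
    /* copy_unsafe(long_input) is deliberately not called: it would corrupt
       the stack frame, which is exactly the fault copy_safe() prevents. */
    return 0;
}
```

Compiling with -fstack-protector and running the unsafe path under a debugger such as OllyDbg or gdb shows the canary or saved return address being overwritten; the safe path returns -1 and leaves the frame intact.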
Buffer Overflow Detection Tools
OllyDbg dynamically traces stack frames and program execution, and it logs
arguments of known functions
Defending against Buffer Overflows
Thank you