15 CEH System Hacking
System Hacking
Goals
• Understand techniques to gain system access
• Understand password cracking
• Understand privilege escalation
• Understand how to create and maintain remote access to a system
• Describe different types of rootkits
• Describe steganography
• Describe how to hide evidence of compromise
Module 15.0 System Hacking
• 15.1 System Hacking Methodology
• 15.2 Windows System Vulnerabilities and Exploits
• 15.3 Linux System Vulnerabilities and Exploits
• 15.4 Password Cracking Methods
• 15.5 Network Service Password Cracking
• 15.6 Windows Password Cracking
• 15.7 Linux Password Cracking
• 15.8 Password Cracking Tools
• 15.9 Other Methods for Obtaining Passwords
• 15.10 Keylogging
• 15.11 Spyware
• 15.12 Rootkits
• 15.13 Hiding Files
• 15.14 Steganography
• 15.15 Privilege Escalation
• 15.16 Creating and Maintaining Remote Access
• 15.17 Hiding Evidence
• 15.18 System Hacking Penetration Testing
15.1 System Hacking Methodology
System Hacking Goals
• Gain access
  • OS vulnerabilities
  • Service and application vulnerabilities
  • Social engineering
• Escalate privilege
  • Kernel flaws
  • Social engineering
• Execute applications
  • Plant RATs
  • Run payloads
• Hide files
  • Leave malicious files on the system
• Cover tracks
  • Clear logs and history
15.2 Windows System Vulnerabilities and Exploits
Common Windows Operating System Exploit Categories
Category                  Description
Remote code execution     Any condition that allows attackers to execute arbitrary code
Buffer or heap overflow   A programming error that allows attackers to overwrite allocated memory addresses with malicious code
Denial of service         Any condition that allows attackers to use resources so that legitimate requests can't be served

• Use-After-Free
• Buffer overflow
• Heap overflow
• Integer overflow
• Memory leak DoS
15.3 Linux System Vulnerabilities and Exploits
Linux Operating System Vulnerabilities
• Linux distributions are versions of the open source Linux operating system kernel packaged with other components such as installation programs, management tools, and other software
• Similar categories of vulnerabilities as in Windows:
  • DoS
  • Information disclosure
  • Buffer or heap overflow
  • Privilege escalation
  • Remote code execution
  • Memory corruption
  • Security feature bypass
  • Directory traversal
Feature: ret2libc
  Description:
  • Returns into an existing function in the C library
  • Eliminates the need for the attacker to inject their own shell code to take control of a target
  • Allows arbitrary code execution and escalation of privilege
  Exploit:
  • https://www.exploit-db.com/docs/english/28553-linux-classic-return-to-libc-&-return-to-libc-chaining-tutorial.pdf

Feature: Insecure sudo
  Description:
  • Similar to the Windows RunAs command
  • Under certain conditions, this vulnerability allows attackers to bypass protections and execute commands that would normally require a password, resulting in privilege escalation
  Exploit:
  • Exploit-db.com contains 24 sudo-related exploits

Feature: Sticky bits
  Description:
  • Permission bits set on directories
  • Only the owner can delete or rename files in the directory
  • Useful in the shared directories /var/tmp and /tmp
  • Sticky bit exploits can be disruptive and cause DoS
  Exploit:
  • https://www.exploit-db.com/exploits/16216/
  • https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit/
  • https://gist.github.com/anonymous/10165224
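The sticky-bit and setuid features in the table above are exactly what a defender audits for: setuid/setgid programs and world-writable directories that lack the sticky bit. The following is an added example, not course material; the function names and the constructed temporary tree in demo() are my own.

```python
import os
import stat
import tempfile

# Constructed audit for the Linux permission features in the table above:
# setuid/setgid programs and world-writable directories without the sticky bit.
# Added example, not part of the course material.

def classify_mode(path, mode):
    """Return findings for one entry given its st_mode (pure function, easy to test)."""
    findings = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append(("setuid", path))
        if mode & stat.S_ISGID:
            findings.append(("setgid", path))
    elif stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            # Anyone can delete or rename other users' files here (no sticky bit)
            findings.append(("world-writable-no-sticky", path))
    return findings

def audit_tree(root):
    """Walk root without following symlinks and collect findings for dirs and files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                mode = os.lstat(p).st_mode
            except OSError:
                continue
            findings.extend(classify_mode(p, mode))
    return findings

def demo():
    """Build a small constructed tree in a temp dir and return the finding kinds."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)       # world-writable, sticky bit missing: flagged
    tmp_like = os.path.join(root, "tmp")
    os.mkdir(tmp_like)
    os.chmod(tmp_like, 0o1777)    # like /tmp: world-writable but sticky: fine
    helper = os.path.join(root, "helper")
    open(helper, "w").close()
    os.chmod(helper, 0o4755)      # setuid bit set: flagged
    return sorted(kind for kind, _ in audit_tree(root))
```

Run audit_tree("/") as root on a real host to compare the setuid list against the distribution's expected baseline.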
Network Authentication Brute Forcing Tools
• Hydra
• Medusa
• Ncrack
• NetBIOS Auditing Tool
• AET2 Brutus
• Aircrack-ng

• John the Ripper
• Rainbow Crack
• Cain & Abel
• L0phtCrack
• Ophcrack
• Hashcat
• Metasploit modules
15.6 Windows Password Cracking
• Windows passwords authenticate users, services, and computers

notepad sample.txt:secret.txt

Method/Vulnerability              Description
Local User Access Control bypass  • Bypass local Windows UAC; use process injection to leverage a trusted publisher certificate
Weak process permissions          • Find processes with weak controls and attempt to inject malicious code into those processes
Shared folders                    • Search for sensitive information in shared folders
DLL hijacking                     • Elevate privileges by exploiting weak folder permissions, unquoted service paths, or applications that run from network shares
                                  • Replace legitimate DLLs with malicious ones
Privilege Escalation Methods (cont'd)
Method/Vulnerability                   Description
Task Scheduler 2.0                     • Task Scheduler 2.0 does not properly determine the security context of its scheduled tasks, allowing an attacker to escalate privilege
                                       • Affects Windows Vista SP1/SP2, Windows Server 2008 Gold, SP2/R2, Windows 7
                                       • CVE-2010-3338, MS10-092
Missing patches and misconfigurations  • Search for missing patches or common misconfigurations that can lead to privilege escalation
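The unquoted-service-path and network-share weaknesses behind DLL hijacking in the table above can be checked mechanically from each service's ImagePath value. This is an added example, not course material: the function names and the sample services are constructed, and the parsing rule (executable ends at the first ".exe") is an assumption.

```python
import re

# Constructed checker for the "unquoted service path" and "runs from a network share"
# weaknesses in the table above. Added example, not course material: it parses
# ImagePath-style strings, flags risky forms, and produces the quoted form to set instead.
_QUALIFIED = re.compile(r"^([A-Za-z]:\\|%[^%]+%\\|\\\\|\\SystemRoot\\)", re.IGNORECASE)

def split_image_path(image_path):
    """Split an ImagePath value into (executable, arguments)."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value.strip('"'), ""
        return value[1:end], value[end + 1:].strip()
    # Unquoted: the service control manager has to guess; we take up to the first .exe
    m = re.search(r"\.exe", value, re.IGNORECASE)
    if m:
        return value[:m.end()], value[m.end():].strip()
    return value, ""

def assess_image_path(image_path):
    """Return the executable, the list of problems found, and a corrected value."""
    exe, args = split_image_path(image_path)
    problems = []
    if " " in exe and not image_path.strip().startswith('"'):
        problems.append("unquoted path with spaces")
    if exe.startswith("\\\\"):
        problems.append("runs from a network share")
    elif not _QUALIFIED.match(exe):
        problems.append("not fully qualified")
    fixed = f'"{exe}"' + (f" {args}" if args else "")
    return {"executable": exe, "problems": problems, "fixed": fixed}

def audit_services(entries):
    """entries: iterable of (service_name, image_path). Returns only offenders."""
    out = []
    for name, path in entries:
        problems = assess_image_path(path)["problems"]
        if problems:
            out.append((name, problems))
    return out

SAMPLE_SERVICES = [  # constructed values, not from a real host
    ("GoodSvc", r'"C:\Program Files\Vendor\svc.exe" -run'),
    ("BadSvc", r"C:\Program Files\Vendor Tools\agent.exe -k"),
    ("RelSvc", r"agent.exe"),
    ("NetSvc", r"\\fileserver\apps\agent.exe"),
]
```

On a real host, feed it the ImagePath values exported from HKLM\SYSTEM\CurrentControlSet\Services and apply the "fixed" value to every offender.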
Non-Windows Privilege Escalation Techniques
• Alter the macOS and OS X boot daemon launchd
• Edit macOS and OS X plists that are linked to startup executables to run malicious code
• Change setuid and setgid on files in Linux/Unix to run with the owner's privileges
• Use a web shell (web-based script) to inject malicious code on a web server to maintain persistent access and escalate privilege
Privilege Escalation Tools
• Dameware Remote Support
• ManageEngine Desktop Central
• Metasploit
• Searchsploit DB
• PDQ Deploy
• PSExec
• TheFatRat
Privilege Escalation Countermeasures
• Restrict interactive login privileges
• Encrypt sensitive data
• Assign least privilege to users and applications
• Assign standard accounts to services when possible
• Vulnerability scan, fuzz, and stress test applications
• Patch and update the kernel, web server, and other services regularly
• Change UAC settings to “Always Notify”
• Use fully qualified, quoted paths in all Windows applications
• Ensure executables are placed in write-protected directories
• In macOS, make plist files read-only
• Disallow system utilities or software from scheduling tasks
• Disable the default local administrator account
15.16 Creating and Maintaining Remote Access

Remote Access Trojans and Backdoors
• A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer
• RATs are usually downloaded invisibly with a user-requested program, such as a game, or sent as an email attachment
• They are difficult to detect if designed to look like normal administrative remote access tools
• They allow the attacker to connect later at any time
  • The victim has a "listener" that opens a port for the attacker to connect to
  • Or, the victim can make a reverse connection back to the attacker
    • Good for getting past a firewall
    • The attacker must set up a listener
RAT and Backdoor Tools
• Metasploit
• Sakula
• KjW0rm
• Havex
• Agent.BTZ
• Dark Comet
• AlienSpy
• SubSeven
• NetBus
• FatRat
• ProRat
15.17 Hiding Evidence

Clearing Online Tracks
• Use private browsing
• Delete browsing history
• Disable stored history
• Delete private data
• Clear cookies on exit
• Clear data in password manager
• Delete saved sessions
• Delete user JavaScript
• Clear cache on exit
• Delete downloads
• Disable password manager
• Clear toolbar data
• Turn off AutoComplete
• Use multiple user accounts
• Remove Most Recently Used (MRU)
• Turn off most used apps and recently opened items
Covering BASH Shell Tracks
• Disable history
  • export HISTSIZE=0
• Clear history
  • history -c    # clears the current shell's in-memory history list
  • history -w    # writes the (now empty) list to the history file, overwriting stored history
• Clear user's complete history
  • cat /dev/null > ~/.bash_history && history -c && exit
• Shred history
  • Shred the history file, then delete it, then clear evidence of this command
  • shred ~/.bash_history
  • shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit
• Use hidden files
  • Name a malicious file ". log" with a space between . and log, then hide it in /dev or /tmp
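Each trick above leaves an artifact a responder can look for: a disguised dotfile name, an rc file that switches history off, or a history file that is empty or points at /dev/null. The following detection logic is an added example, not course material; the function names, the regular expressions and the constructed rc fragment and directory listing are my own assumptions.

```python
import os
import re
import stat

# Constructed detection logic for the history-hiding tricks listed above.
# Added example, not course material.
DISGUISED_NAME = re.compile(r"^\.\s+\S")   # a dot, whitespace, then text: looks like "." in ls
HISTORY_OFF = [
    r"(export\s+)?HIST(FILE)?SIZE=0+$",     # HISTSIZE=0 / HISTFILESIZE=0
    r"(export\s+)?HISTFILE=(/dev/null)?$",   # HISTFILE= or HISTFILE=/dev/null
    r"unset\s+HISTFILE$",
    r"set\s+\+o\s+history$",
]

def disguised_hidden_files(names):
    """Return directory entries whose names mimic '.' or are pure whitespace."""
    return [n for n in names if DISGUISED_NAME.match(n) or n.strip() in ("", ".")]

def history_config_indicators(rc_text):
    """Return the lines of a shell rc file that switch history off."""
    hits = []
    for raw in rc_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if any(re.match(p, line) for p in HISTORY_OFF):
            hits.append(line)
    return hits

def history_file_indicator(size, link_target=None):
    """Classify a history file from its size and symlink target (None if not a link)."""
    if link_target == "/dev/null":
        return "history file linked to /dev/null"
    if size == 0:
        return "history file empty (cleared or shredded)"
    return None

def inspect_history_file(path):
    """Apply history_file_indicator to a real path without following the link."""
    st = os.lstat(path)
    target = os.readlink(path) if stat.S_ISLNK(st.st_mode) else None
    return history_file_indicator(st.st_size, target)

SAMPLE_RC = """\
# constructed ~/.bashrc fragment
export PATH=$PATH:/usr/local/bin
export HISTSIZE=0
HISTFILE=/dev/null
HISTSIZE=1000
"""
SAMPLE_LISTING = [".bashrc", ". log", ".profile", "notes.txt", " "]   # constructed /tmp listing
```

Pair these checks with auditd or process accounting, since a user who disables history can still not hide the exec records the kernel emits.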
Covering Network Tracks
• Use reverse HTTP shells
  • Victim starts an HTTP session to the attacker
  • This looks normal
• Use reverse ICMP tunnels
  • Victim pings out past the firewall with the payload in the ICMP data
• Use DNS tunneling
  • Hide data inside DNS queries/replies
• Use TCP covert channels:
  • IP ID field
  • TCP acknowledgement number
  • TCP initial sequence number
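DNS tunneling, from the list above, is the channel most visible in resolver logs: the encoded data shows up as long, high-entropy labels and a flood of unique subdomains under one parent domain. The detector below is an added example, not course material; the thresholds, the two-label parent-domain approximation and the constructed query log are my own assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed detector for the DNS tunneling technique above. Added example,
# not course material; thresholds (30-char labels, 3.5 bits/char, 20 unique
# names) are assumptions to tune against your own resolver logs.

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = [s.count(ch) for ch in set(s)]
    return -sum(c / n * math.log2(c / n) for c in counts)

def parent_domain(qname, levels=2):
    """Registered domain approximated as the last two labels (assumption; no PSL used)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def looks_encoded(qname):
    """True if one query name looks like encoded data (long or high-entropy labels)."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])                  # everything below the parent domain
    longest = max((len(label) for label in labels), default=0)
    return longest >= 30 or shannon_entropy(sub) >= 3.5

def tunnel_suspects(queries, min_unique=20):
    """queries: iterable of (client_ip, qname). Returns (client, parent) pairs that look tunneled."""
    names = defaultdict(set)
    encoded = defaultdict(int)
    for client, qname in queries:
        key = (client, parent_domain(qname))
        names[key].add(qname)
        encoded[key] += looks_encoded(qname)
    return sorted(k for k, n in names.items()
                  if len(n) >= min_unique and encoded[k] >= len(n) / 2)

def constructed_queries():
    """Constructed resolver log: normal browsing plus a tunnel that splits a hash into labels."""
    benign = [("10.0.0.5", q) for q in ("www.example.com", "mail.example.com", "cdn.example.net")] * 10
    tunneled = []
    for i in range(30):
        h = hashlib.sha256(str(i).encode()).hexdigest()        # 64 hex chars of "payload"
        tunneled.append(("10.0.0.9", f"{h[:32]}.{h[32:]}.t.tunnel-example.test"))
    return benign + tunneled
```

Legitimate CDN and anti-spam lookups also use long labels, so treat a hit as a lead to confirm against query volume and TXT/NULL record types rather than a verdict.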
Disabling Auditing
auditpol /get /category:*
auditpol \\<target IP> /disable
Logs To Clear
• Windows
  • Event Viewer logs
    • System
    • Application
    • Security
• Linux
  • /var/log/messages
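Clearing the Event Viewer logs or disabling auditing, as described above, is itself logged: Windows writes event 1102 to the Security log when it is cleared, event 104 to the System log when the System or Application log is cleared, and event 4719 when the audit policy changes. The detector below is an added example, not course material; the CSV layout, the sample records and the five-minute correlation window are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed detection over Windows event records for the log-clearing and
# audit-disabling actions covered above. Added example, not course material.
# Event IDs used: 1102 (Security log cleared), 104 (System or Application log
# cleared, written to the System channel), 4719 (system audit policy changed).
INDICATORS = {
    (1102, "Security"): "security log cleared",
    (104, "System"): "event log cleared",
    (4719, "Security"): "audit policy changed",
}

SAMPLE_EVENTS = """\
time,channel,event_id,user,message
2024-05-01T10:00:00,System,7036,SYSTEM,The Print Spooler service entered the running state.
2024-05-01T10:01:12,Security,4624,alice,An account was successfully logged on.
2024-05-01T10:02:30,Security,4719,alice,System audit policy was changed.
2024-05-01T10:02:45,Security,1102,alice,The audit log was cleared.
2024-05-01T10:02:50,System,104,alice,The System log file was cleared.
2024-05-01T10:05:00,Security,4634,alice,An account was logged off.
"""   # constructed export in CSV form, not from a real host

def parse_events(text):
    """Parse a CSV export into dicts with an integer event_id."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows

def anti_forensics_alerts(events):
    """Return (time, user, indicator) for every record matching INDICATORS."""
    return [(e["time"], e["user"], INDICATORS[(e["event_id"], e["channel"])])
            for e in events if (e["event_id"], e["channel"]) in INDICATORS]

def severity_by_user(alerts, window_seconds=300):
    """'high' when a user triggers two or more different indicators inside the window."""
    per_user = {}
    for t, user, what in alerts:
        per_user.setdefault(user, []).append((datetime.fromisoformat(t), what))
    result = {}
    for user, items in per_user.items():
        items.sort()
        span = (items[-1][0] - items[0][0]).total_seconds()
        kinds = {what for _, what in items}
        result[user] = "high" if len(kinds) >= 2 and span <= window_seconds else "medium"
    return result
```

Forwarding these channels to a collector before they can be cleared is the control that makes this detection reliable; a local-only log is gone once event 1102 fires.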
Covering Track Tools
• Clear_Event_Viewer_Logs.bat
• Free Internet Window Washer
• Metasploit clearev
• DBAN
• Privacy Eraser
• Wipe
• BleachBit
• ClearProg
• Clear My History
15.18 System Hacking Penetration Testing

Steps to Performing System Hacking in Penetration Testing
1. Identify password-protected systems and services
2. Attempt buffer overflows and other remote exploits
3. Crack passwords using dictionary, brute force, rainbow tables, hash dumping, and pass-the-hash
4. Install Trojans/spyware/keyloggers
5. If you obtain low-level access, attempt privilege escalation
   • End user assistance through social engineering
   • Exploit app or kernel weaknesses
6. Hide files as applicable
7. Cover tracks
System Hacking Review
• There are many tools you can use to hack a system
• When hacking system services, prefer buffer overflows that allow remote System privilege execution
• Ultimately seek to escalate privilege and maintain control through payload execution or a RAT
• If you exhaust your password cracking dictionary, try brute forcing, MITM, or social engineering to get the password
• Use NTFS Streams or steganography to hide files and data
• Don't forget to cover your tracks!
Lab 15: System Hacking