Lecture 4: System hacking


Security vulnerabilities and penetration testing
Dr Phillip James
Recap and today

Last week we considered enumeration, a form of targeted information gathering.
Hence, so far, we have only obtained information (albeit a lot, and all very important).

Today we step from disclosure to integrity.

System hacking

The idea

Targeted information retrieval. We have gained information on open ports (and likely services).
But now it is crunch time: how do we gain access?

Get password:
  § Brute force/dictionary/rainbow
  § Eavesdropping
Escalate privileges:
  § Vulnerabilities
  § Horizontal/Vertical
Execute apps:
  § Key loggers
  § Backdoors
  § Trojans/spyware
Hiding:
  § Root kits
  § Clear tracks/log files

Approaches we will explore

• Obtaining and cracking passwords.
• Accessing networks.
• Access via vulnerabilities (more to follow).
• Once in: Rootkits.

Passwords

‘password’

Gaining passwords

This is where we rely on vulnerabilities.

Type             Examples
Passive online   wire sniffing/MiTM/replay
Active online    phishing/trojans/spyware/SQL injection
Non-technical    shoulder surfing/social engineering/physical access
Offline          brute force/dictionary/rainbow
Windows SAM

Since Windows 2000, users' passwords have been stored using a database file known as the SAM (Security Account Manager):

  %SystemRoot%/system32/config/SAM

Passwords are hashed using LM/NTLM.
The file is encrypted with AES, with the key stored in a similar location.

Sounds pretty secure!

Accessing the files

However:
• Decrypted, and can be dumped from memory.
• c:\Windows\Repair\ may have copies.
• Possible to extract the files using a Linux live CD or mimikatz.

Then we can start to try to attack the passwords.


Linux shadows

Linux stores passwords in /etc/shadow (requires root) and user information in /etc/passwd. Each line of /etc/shadow holds the following colon-separated fields:

1. Username: your login name.
2. Password: your encrypted password in the format $id$salt$hashed. The $id is the algorithm used (e.g. blowfish).
3. Last password change: days since Jan 1, 1970 that the password was last changed.
4. Minimum: the minimum number of days required between password changes.
5. Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password).
6. Warn: the number of days before the password is to expire that the user is warned.
7. Inactive: the number of days after the password expires that the account is disabled.
8. Expire: days since Jan 1, 1970 when the account will expire.
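A parser for the field layout above, added here as an example and not part of the lecture material: it splits each line, decodes the $id$ prefix into the hash scheme, and lists unlocked accounts an administrator should review (md5crypt hashes, no password, or a Maximum field that never expires). The sample lines and the HASHPLACEHOLDER bodies are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
# $id$ values as defined by crypt(5); the "$2x$" ids are the Blowfish-based bcrypt scheme
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

@dataclass
class ShadowEntry:
    user: str
    algorithm: Optional[str]    # None when field 2 holds no hash at all
    salt: Optional[str]         # only recovered for the $1$/$5$/$6$ layouts
    last_change: Optional[int]  # field 3: days since 1970-01-01
    max_days: Optional[int]     # field 5: None when the field is empty
    locked: bool                # "!" or "*" in field 2 disables password login

def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) < 8: raise ValueError("expected at least 8 colon-separated fields")
    user, pw = f[0], f[1]
    locked = pw.startswith(("!", "*"))
    algorithm = salt = None
    if pw.startswith("$") and pw.count("$") >= 3:
        hid, rest = pw[1:].split("$", 1)
        algorithm = HASH_IDS.get(hid, "unknown(" + hid + ")")
        if hid in ("1", "5", "6"):      # $id$salt$hash layout, salt stored in plaintext
            salt = rest.split("$", 1)[0]
    to_int = lambda s: int(s) if s.strip() else None
    return ShadowEntry(user, algorithm, salt, to_int(f[2]), to_int(f[4]), locked)

def accounts_to_review(shadow_text: str) -> List[str]:
    """Unlocked accounts with an empty password, an md5crypt hash, or no expiry."""
    out = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e.locked:
            continue
        never_expires = e.max_days is None or e.max_days >= 99999
        if e.algorithm in (None, "md5crypt") or never_expires:
            out.append(e.user)
    return out

# Constructed sample; the hash bodies are placeholders, not real hashes.
SAMPLE = """root:$6$saltsalt$HASHPLACEHOLDER:19000:0:99999:7:::
alice:$1$ab12$HASHPLACEHOLDER:19000:0:90:7:::
bob:$5$xyz987$HASHPLACEHOLDER:19000:1:90:7:::
daemon:*:18000:0:99999:7:::
"""
print("review:", accounts_to_review(SAMPLE))  # -> ['root', 'alice']
```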
Cracking passwords

Hashcat: the fastest and most advanced password "recovery" tool. Supports GPU-based cracking.
https://hashcat.net/hashcat/

John the Ripper: popular CPU hash cracker.
https://github.com/magnumripper/JohnTheRipper

Brute-force candidates: a, aa, aaa, aaaa

Feasible? Yes! Modern GPUs can hash billions of times per second -- an 8-character alphanumeric password in less than 4 minutes.
A note on salt

Salt is usually stored in plaintext.
The reason we use salts is to stop precomputation attacks, such as rainbow tables. There’s also pepper – a value stored in source code.

These attacks involve creating a database of hashes and their plaintexts, so that hashes can be searched for and immediately reversed into plaintext.

However, salts do not really help if we are targeting one password via brute force.
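The two claims above, shown in code as an added example (not from the lecture): a table precomputed over a wordlist reverses an unsalted hash instantly but is useless once a random per-user salt is mixed in, while a single-target brute-force search simply prepends the known salt and pays no extra cost; a pepper kept outside the database blocks even that offline check. Plain SHA-256 is used for clarity, and WORDS, PEPPER and the salts are constructed.

```python
import hashlib, itertools, os, string

WORDS = ["letmein", "password", "qwerty", "hunter2"]   # constructed mini wordlist
PEPPER = "k3pt-in-app-config"   # constructed pepper: lives in code/config, not in the DB

def precompute(words):
    """Attacker's table, built once before any breach: hash -> plaintext."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def store_unsalted(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

def store_salted(pw, salt=None):
    """Random per-user salt, stored in plaintext next to the hash (as in /etc/shadow)."""
    salt = salt or os.urandom(8).hex()
    return salt, hashlib.sha256((salt + pw).encode()).hexdigest()

def store_peppered(pw, salt=None):
    """Salt in the DB plus a pepper that a database-only leak does not reveal."""
    salt = salt or os.urandom(8).hex()
    return salt, hashlib.sha256((salt + pw + PEPPER).encode()).hexdigest()

def table_lookup(table, digest):
    """O(1): all the hashing was done in advance, which is the whole point."""
    return table.get(digest)

def brute_force_one(salt, digest, alphabet=string.ascii_lowercase, max_len=4):
    """Single-target search: the salt is known, so it is simply prepended to
    every candidate and adds no work. Toy sizes only (at most 26^4 candidates)."""
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            pw = "".join(cand)
            if hashlib.sha256((salt + pw).encode()).hexdigest() == digest:
                return pw
    return None

table = precompute(WORDS)
print(table_lookup(table, store_unsalted("qwerty")))             # hit: 'qwerty'
print(table_lookup(table, store_salted("qwerty")[1]))            # None: table is useless
print(brute_force_one("a1b2", store_salted("abc", "a1b2")[1]))   # 'abc' found regardless
```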
Demo: john

  tail -n 1 /etc/shadow > <filename>

Grab a word list!

  ./john --wordlist=<wordlist> <filename>


Gaining network access

Where are we?

From our scanning and enumeration phase we have:
• IP addresses.
• Vendor/product information for access points.
• Information on default (perhaps random) network keys.
• Possibly MAC addresses.

What would we like? Access to a wireless network would be a good start.
Aircrack-ng

Aircrack-ng is a complete suite of tools to assess WiFi network security:
• Monitoring: packet capture and export of data to text files for further processing by third-party tools.
• Attacking: replay attacks, de-authentication, fake access points and others via packet injection.
• Testing: checking WiFi cards and driver capabilities (capture and injection).
• Cracking: WEP and WPA PSK (WPA 1 and 2).

Basically we attack the handshake.
Attacking WPA/WPA2

Idea: never disclose the PSK; instead compute the PTK.
Full details see: https://en.wikipedia.org/wiki/IEEE_802.11i-2004

The steps

1. AP sends ANonce to client (random integer).
2. Client uses ANonce and PMK (master key based on PSK) to generate PTK (pairwise transient key). Sends SNonce and MIC (message integrity code).
3. AP sends MIC and GTK (group temporal key, for broadcast traffic) to client.
4. Client sends back ACK.

Notice:
• MIC verification is how the AP checks the validity of the PTK (and, consequently, the password).
• The chance of a candidate password producing a PTK that is valid (relevant part) is really low: 2^-128.

The crack

Overall, 4-way password "cracking" works like this:
1. The 4-way handshake is parsed to get AP and STA addresses, AP and STA nonces, and the MIC.
2. A candidate password is used to compute the PMK;
3. The PTK is computed from the PMK, AP and STA addresses and nonces;
4. The PTK is used (with other parts) to compute the MIC.
5. The computed MIC is compared to the MIC obtained at step 1. If they match then the candidate password is reported as correct.
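The derivation behind "The steps" and "The crack", as an added example that is not part of the lecture: both sides turn the PSK into the PMK with PBKDF2, expand it into the PTK from the MACs and nonces, and the AP accepts message 2 only if the MIC it recomputes with its own KCK matches, so the PSK itself never crosses the air. The MAC addresses, SSID and the EAPOL frame bytes are constructed stand-ins; the functions use only the standard library.

```python
import hashlib, hmac, os

def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    These 4096 rounds are the only per-candidate cost an offline guess pays."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PRF-384 (CCMP): HMAC-SHA1 over label || 0x00 || data || counter, where
    data is the min/max ordering of the two MACs and then of the two nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range((length + 19) // 20):
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:length]

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key-descriptor v2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def run_handshake(psk_client: str, psk_ap: str, ssid: str,
                  ap_mac: bytes, sta_mac: bytes, frame2: bytes) -> bool:
    """Messages 1 and 2 of the 4-way handshake; True if the AP accepts the MIC."""
    anonce = os.urandom(32)                          # msg 1: AP -> STA carries ANonce
    snonce = os.urandom(32)
    # STA side: PMK from its PSK, PTK from PMK + MACs + nonces, MIC with KCK = PTK[:16]
    ptk_sta = ptk_from_pmk(pmk_from_psk(psk_client, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(ptk_sta[:16], frame2)           # msg 2: STA -> AP carries SNonce + MIC
    # AP side: it never saw the PSK, only SNonce and the MIC; it recomputes and compares
    ptk_ap = ptk_from_pmk(pmk_from_psk(psk_ap, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(mic, eapol_mic(ptk_ap[:16], frame2))

# Constructed values: locally administered MACs and a stand-in for the EAPOL frame bytes
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
FRAME2 = b"\x01\x03\x00\x75\x02" + b"\x00" * 112    # placeholder frame, MIC field zeroed
print(run_handshake("correct horse", "correct horse", "lab-ssid", AP_MAC, STA_MAC, FRAME2))  # True
print(run_handshake("wrong guess", "correct horse", "lab-ssid", AP_MAC, STA_MAC, FRAME2))    # False
```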
Demo

Based on OSX; things will be slightly different on Linux (use airmon instead of airport).

  sudo airport -s
  (scan for routers/BSSIDs/channels)

  sudo airport en0 sniff <channel>
  (sniff data from the selected channel number)

  aircrack-ng -w <dictionary> -b <bssid> <cap_file>
  (crack!)
Access via vulnerabilities

OWASP top 10

Over the coming weeks we will explore these in depth.


Rootkits

Root kit, what?

Once we have gained access, it would be great to keep it!

Rootkits intercept and change standard operating system processes, in order to enable access.

Example: if you list all programs that are running, the rootkit might stealthily remove some programs from the listing.

Used by malware to avoid detection.


Example setup

Software makes a system API call. The Win API manages it, but on an infected PC the call is intercepted by the rootkit before the result is returned.

Clean PC:     Software makes API call -> Win API -> Files: Normal.exe, x.exe
Infected PC:  Software makes API call -> Win API -> Rootkit -> Files: Normal.exe (x.exe hidden)
Types

(Apologies for the wall of text.)

User-mode
User-mode rootkits are given administrative privileges on the computer they run on. They are able to modify any files and resources and will start whenever the computer boots.

Kernel-mode
Rootkits running in kernel mode run at the same level as the operating system. Kernel-level rootkits disguise themselves by intercepting system calls and returning the expected information, concealing their presence.

User/kernel hybrid
Hybrid rootkits attempt to combine the above. This style of rootkit is one of the most common in existence currently.

Firmware level
Hidden in firmware. Able to reinstall themselves on booting. Certain hard disk rootkits have been found that are capable of reinstalling themselves after a complete system formatting and installation.
A very famous example

Sony made headlines in late 2005! Its DRM software would hide under the operating system level and would secretly send data back to Sony concerning activity on the user's computer.

It left large security holes in the Windows operating system: hackers could easily create patches for the Sony rootkit that would allow them to gain control of the user's system.

The incident resulted in lawsuits against Sony and resulted in them having to pull CDs which contained the rootkit off the shelves.
Detecting them

Alternative medium
Shut down the computer and check its storage: the rootkit cannot actively hide.

Behavioural-based
Looking for rootkit-like behaviour, for example differences in the timing and frequency of API calls. (complex!)

Signature-based
Signature-based detection methods can be effective against well-published rootkits (but rootkits may kill your AV).

Integrity checking
Code signing uses public-key infrastructure to check if a file has been modified since being digitally signed by its publisher. (on every call?)

Removal: tools/Windows advice: format!


Summary

(Noun: a brief statement or account of the main points of something.)

Explore system hacking:
• Password cracking
• Gaining network access
• Rootkits

Lab: Passwords and rootkits.

Next week: Common vulnerabilities.
