CEH Module3 – Scanning Networks

Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network

  • To discover live hosts, IP address, and open ports of live hosts
  • To discover operating systems and system architecture
  • To discover services running on hosts
  • To discover vulnerabilities in live hosts

Types of Scanning

  • Port scanning – lists open ports, listening services and the OS
  • Network scanning – lists active hosts and IP addresses
  • Vulnerability scanning – checks whether a system is exploitable by scanning for vulnerabilities

TCP Communication Flags

TCP Communication

Scanning Tools

  • NMAP – active hosts, open ports, types of packet filters/firewalls, OS and versions
  • Hping3 – active hosts, packet crafting tool
  • Metasploit – provides infrastructure, content and tools to perform pen tests and extensive security auditing
  • NetScanTools Pro – lists IPv4/6 addresses, hostnames, domain names and URLs
  • Others: sx, Unicornscan, PRTG Network Monitor, OmniPeek Network Protocol Analyzer
  • Mobile – IP Scanner, Fing, Network Scanner
  • Ping sweep – Angry IP Scanner – active hosts and open ports
    Others: SolarWinds Engineer's Toolset, NetScanTools Pro, Colasoft Ping Tool, Visual Ping Tester, OpUtils

Network Host Discovery Techniques

  • ARP Ping – nmap -sn -PR <Target IP>
  • UDP Ping – nmap -sn -PU <Target IP>
  • ICMP Ping
    – ICMP ECHO Ping – nmap -sn -PE <Target IP>
    – ICMP ECHO Sweep – nmap -sn -PE <IP range>
    – ICMP Timestamp Ping – nmap -sn -PP <Target IP>
    – ICMP Address Mask Ping – nmap -sn -PM <Target IP>
  • TCP Ping
    – TCP SYN Ping – nmap -sn -PS <Target IP>
    – TCP ACK Ping – nmap -sn -PA <Target IP>
  • IP Protocol Ping – nmap -sn -PO <Target IP>

Port Discovery

Know the common ports:

  Service                       Port
  DNS Zone Transfer             TCP/UDP 53
  MS RPC Endpoint Mapper        TCP/UDP 135
  NetBIOS Name Service          UDP 137
  NetBIOS Session Service       TCP 139
  SMB over TCP                  TCP 445
  NFS                           TCP 2049
  LDAP                          TCP/UDP 389
  SNMP                          UDP 161
  SMTP                          TCP 25
  SNMP Trap                     TCP/UDP 162
  IKE (Internet Key Exchange)   UDP 500
  SSH                           TCP 22

Port Scanning Techniques

  • TCP Connect/Full Open (SYN) – nmap -sT -v <Target IP>
  • Stealth TCP Half-Open (SYN) – nmap -sS -v <Target IP>
  • Inverse TCP Flag scans – nmap -sF, -sN or -sX, with -v <Target IP>
    – Xmas (FIN+URG+PSH) – nmap -sX -v <Target IP>
    – FIN (FIN) – nmap -sF -v <Target IP>
    – NULL (no flags) – nmap -sN -v <Target IP>
    – Maimon (FIN/ACK) – nmap -sM -v <Target IP>
  • ACK Flag Probe (ACK) – nmap -sA -v <Target IP>
    – TTL-based (ACK) – nmap -sA -v --ttl 100 <Target IP>
    – Window-based ACK flag probe (ACK) – nmap -sW -v <Target IP>
  • IDLE/IPID header (SYN) – nmap -Pn -p- -sI <zombie host IP> <Target IP>
  • UDP (UDP packet) – nmap -sU -v <Target IP>
  • SCTP INIT (INIT) – nmap -sY -v <Target IP>
  • SCTP COOKIE ECHO – nmap -sZ -v <Target IP>
  • SSDP – the Simple Service Discovery Protocol works with UPnP to detect plug-and-play devices; such devices may be exposed to buffer overflow or DoS attacks – use Metasploit
  • List scan (lists IPs/names without pinging, does reverse DNS) – nmap -sL -v <Target IP>
  • IPv6 – nmap -6 <Target IP>
  • Service version discovery – nmap -sV <Target IP>

Countermeasures

  • Use a firewall/IDS to detect and block probes
  • Run a port scanning tool to check that the firewall detects port scanning activity
  • Ensure routing and filtering cannot be bypassed
  • Keep routers and IDS/firewalls on the latest releases
  • Use a custom rule set and block unwanted ports
  • Filter all ICMP messages at the firewall/router
  • Perform TCP and UDP scanning in addition to ICMP to check network configurations and available ports
  • Configure anti-scanning and anti-spoofing rules

OS Discovery (Banner Grabbing/OS Fingerprinting)

Active Banner Grabbing

  • Send specially crafted packets; the remote server responds according to its TCP/IP stack implementation
  • The response is used to determine the OS

Passive Banner Grabbing

  • Banner grabbing from error messages
  • Sniffing the network traffic
  • Banner grabbing from page extensions; passive OS fingerprinting from the TTL and TCP window size of captured packets

nmap -O <Target IP>
nmap -sC <Target IP>, or nmap --script smb-os-discovery <Target IP>

Countermeasures

  • Disable or change the banner
  • Hide file extensions from web pages

IDS/Firewall Evasion Techniques

  • Packet Fragmentation – splitting the packet (including the TCP header) into several smaller packets – nmap -sS -T4 -f -v <Target IP>
  • Source Routing – sending the packet with a specified route to the destination in order to evade the firewall/IDS
  • Source Port Manipulation – replacing the actual source port number with a commonly allowed port number – nmap -g 80 <Target IP>
  • IP Address Decoy – generating or manually specifying decoy IP addresses so that it appears the decoys and the real host are all scanning the network – nmap -D RND:10 <Target IP>, nmap -D <decoy IPs> <Target IP>
  • IP Address Spoofing – changing the source IP address so the traffic appears to come from someone else; when the victim replies, the reply goes to the spoofed address – hping3 xxx.com -a <spoofed address>
  • MAC Address Spoofing – spoofing the MAC address with that of a legitimate user on the network – nmap -sT -Pn --spoof-mac 0 <Target IP>
  • Creating Custom Packets – create and send custom packets to scan a target behind an IDS/firewall – Colasoft Packet Builder, NetScanTools Pro
  • Randomizing Host Order – scan the hosts in the network in random order – nmap --randomize-hosts <Target IP>
  • Sending Bad Checksums – send packets with bad/bogus TCP/UDP checksums – nmap --badsum <Target IP>
  • Proxy Servers – hide the actual source of the scan; proxy chaining:
    – the user requests a resource from the destination
    – the proxy client connects to a proxy server and passes the request to it
    – the proxy server strips the user information and passes the request to the next proxy server
    – this repeats until the unencrypted request is finally passed to the web server
    Proxy tools – Proxy Switcher, CyberGhost VPN
  • Anonymizers – remove all identifying information from the user's computer, make activity untraceable, give access to restricted content and bypass IDS/firewalls
    – Networked anonymizers – transfer information through a network of computers before passing it to a website
    – Single-point anonymizers – transfer information through a single website before passing it on to the target website
    Anonymizer tools – Whonix, Psiphon, TunnelBear, Invisible Internet Project, Orbot
  • Censorship Circumvention Tools – Alkasir (identifies censored links) and Tails (portable OS)

IP spoofing Detection Techniques

Direct TTL Probes
– Send a packet to the host from which the suspected spoofed packet claims to come, triggering a reply, and compare the reply's TTL with that of the suspected packet; if they differ, the packet is spoofed
– Works if the attacker is in a different subnet

IP Identification Number
– Send a probe to the host from which the suspected spoofed traffic claims to come, triggering a reply, and compare the IP ID; if the values are not close, the traffic is spoofed
– Works if the attacker is in the same subnet

TCP Flow Control Method
– Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets, so they cannot respond to a change to a smaller congestion window size. When received traffic continues after the window size is exhausted, the packets are most likely spoofed

Countermeasure

  • Encrypt all the network traffic
  • Use multiple firewalls
  • Do not rely on IP-based authentication
  • Use a random initial sequence number
  • Ingress filtering – configure the router/firewall to filter incoming packets that appear to come from an internal IP address
  • Egress filtering – filter all outgoing packets with an invalid local IP address as source

Scanning Detection and Prevention Tools

ExtraHop, Splunk, scanlogd, Vectra Cognito Detect, QRadar XDR, Cynet 360
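The detection side of the scanning techniques listed above, as an added example (not from the CEH notes or any of the tools named): a small detector that slides a time window over firewall-style connection log lines and flags one source hitting many ports on one host (port scan) or many hosts (ping sweep). The log line format, the constructed sample lines and the thresholds are assumptions.

```python
"""Port-scan and ping-sweep detection over firewall-style connection logs.
Added example (not from the CEH notes or any listed tool); the log line format,
the constructed sample lines and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> SRC=<ip> DST=<ip> PROTO=<TCP|UDP|ICMP> [DPT=<port>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP|ICMP)(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=5):
    """Slide a time window over the events of each source address.

    A source hitting >= port_threshold distinct ports on one destination inside the
    window is reported as ("portscan", src, dst); a source touching >= host_threshold
    distinct destinations is reported as ("sweep", src, "*"). The value stored for
    each alert is the largest count seen in any window."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts = {}
    for i, start in enumerate(events):
        ports = defaultdict(set)   # dst -> distinct ports hit by start["src"]
        hosts = set()
        for ev in events[i:]:
            if ev["ts"] - start["ts"] > window:
                break
            if ev["src"] != start["src"]:
                continue
            hosts.add(ev["dst"])
            if ev["dpt"] is not None:
                ports[ev["dst"]].add(ev["dpt"])
        for dst, hit in ports.items():
            if len(hit) >= port_threshold:
                key = ("portscan", start["src"], dst)
                alerts[key] = max(alerts.get(key, 0), len(hit))
        if len(hosts) >= host_threshold:
            key = ("sweep", start["src"], "*")
            alerts[key] = max(alerts.get(key, 0), len(hosts))
    return alerts


def build_sample_log():
    """Constructed sample: one port scanner, one ICMP sweeper, one normal client."""
    lines = []
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    for i, port in enumerate(scan_ports):
        lines.append(f"2024-05-01T10:00:{i:02d} SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={port}")
    for i in range(1, 7):
        lines.append(f"2024-05-01T10:01:{i:02d} SRC=203.0.113.9 DST=192.0.2.{i} PROTO=ICMP")
    for i in range(3):
        lines.append(f"2024-05-01T10:02:{i * 20:02d} SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443")
    return lines


def run_sample():
    """Run the detector over the constructed log and return the alert dict."""
    return detect_scans(build_sample_log())


if __name__ == "__main__":
    for key, count in sorted(run_sample().items()):
        print(key, count)
```

A slow scan spread over more than the window (the -T0/-T1 timing the notes' nmap flags allow) would not trip these thresholds, which is why production detectors also keep longer-lived per-source counters.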

CEH Module6 – System Hacking Part2 – Maintaining Access and Clearing Logs

Maintaining Access

After gaining access and escalating privileges on the target system, attackers try to maintain their access for further exploitation of the target system, or to make the compromised system a launchpad from which to attack other systems in the network. Attackers remotely execute malicious applications such as keyloggers, spyware and other malicious programs to maintain their access to the target system and steal critical information such as usernames and passwords. They hide their malicious programs or files using rootkits, steganography, NTFS data streams, etc. to maintain their access to the target system.

Executing Applications

– Attackers use malicious applications to own the system
– They execute malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, and install backdoors to maintain easy access

Backdoors – programs designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, and gain unauthorized access to system resources
Crackers – programs designed for cracking code or passwords
Keyloggers – record each keystroke made on the computer keyboard
Spyware – spy software that may take screenshots and send them to a location specified by the hacker

Remote Code Execution Techniques – Backdoor

Exploitation for client execution
– Insecure coding practices in software can make it vulnerable to various attacks
– Targets vulnerabilities in software and exploits them with the objective of arbitrary code execution to maintain access
– Web browser based exploitation
– Office application based exploitation
– Third-party application based exploitation
Service execution
– System services that run in the background of the OS
– Run binary files or commands that communicate with Windows system services such as the Service Control Manager
Windows Management Instrumentation (WMI)
– A feature that provides a platform for accessing Windows system resources locally and remotely
– Attackers exploit WMI features to interact with the remote target system, use it to gather information on system resources, and execute code for maintaining access
Windows Remote Management (WinRM)
– Windows-based protocol that allows a user to run an executable file and modify system services and the registry on a remote system
– Attackers use WinRM to execute payloads on a remote system

Tools for executing Applications

Dameware Remote Support – Remote control and systems management tool that simplifies remote Windows administration.
Other tools
– Ninja
– Pupy
– PDQ Deploy
– ManageEngine Desktop Central
– PsExec

Keylogger

– Programs that monitor keystrokes as the user types on a keyboard and log them to a file or transmit them to a remote location
– Used to gather confidential information
– Physical keyloggers are placed between the keyboard hardware and the OS

Types of Keystroke Loggers

Hardware Keyloggers

PC/BIOS embedded – BIOS-level firmware that is responsible for managing the keystrokes that are typed
Keylogger keyboard – attached to the keyboard cable connector, captures keystrokes
External keylogger – PS/2 / USB keylogger, no software/OS dependency
  – Acoustic/CAM keylogger – uses electromagnetic/sound waves
  – Bluetooth keylogger – the target is accessed once; the captured data is then collected using Bluetooth
  – Wi-Fi keylogger – same as USB, connects via Wi-Fi, can be accessed remotely

Hardware : Keygrabber USB, KeyCarbon, Keyboard logger, KeyGhost, KeyKatcher

Software Keyloggers

Application keylogger – can record everything happening within the network
Kernel/rootkit/device driver keylogger – kernel level, difficult to detect, acts as a device driver
Hypervisor-based keylogger – works within a malware hypervisor operating on the OS
Form-grabbing-based keylogger – records web form data and submits it over the internet, bypassing HTTPS encryption
– records web browsing on the "submit event" function
JavaScript-based keylogger – attackers inject malicious JavaScript tags into the web page to listen for key events
– MITM or cross-site scripting is used to inject the script
Memory-injection-based keylogger – modifies the memory tables associated with the web browser and system functions to log keystrokes

Windows: Spyrix Keylogger, REFOG Personal Monitor, All In One Keylogger, Elite Keylogger, StaffCop Standard, Spytector
macOS: Refog Mac Keylogger, Spyrix Keylogger for Mac, Elite Keylogger for Mac, Aobo Mac OS X Keylogger, Perfect Keylogger for Mac, KidLogger for Mac

Remote Keylogger Attack Using Metasploit
– Attackers use Metasploit to launch persistent keylogging
– Run ps -> getpid -> migrate <PID of svchost.exe>
– Use keyscan_start to initiate the keylogging process
– Use keyscan_dump to sniff the keystrokes of the user on the machine
– Use keyscan_stop to stop sniffing

Automate by using the lockout_keylogger exploit

Spyware

– Stealthily records user interaction with the computer and the internet
– Like a trojan horse, usually bundled as a hidden component of freeware programs
– Gathers information about the victim and the organization

Spyware Propagation – ways it gets installed without the user's consent

– Drive-by download
– Piggybacked software installation
– Masquerading as anti-spyware
– Browser add-ons
– Web browser vulnerability exploits
– Cookies

Spyware Tools: Spytech SpyAgent, Power Spy

Type of Spyware

Desktop spyware – live recordings of the remote desktop, internet activities, software usage and timings, activity logs, user's keystrokes
Email spyware – monitors, records and forwards all incoming and outgoing email
Internet spyware – monitors all web pages accessed by the users, able to block websites
Child monitoring spyware – tracks and monitors children's activities on the computer, online and offline; able to restrict the web
Screen-capturing spyware – monitors activities by taking snapshots, capturing keystrokes, mouse activity, visited URLs, etc.
USB spyware – copies spyware from a USB device to a computer without any request or notification; monitors and captures everything
Audio spyware – sound surveillance program
Video spyware – video surveillance program
Print spyware – monitors printer usage, number of pages printed, date/time, content, etc.
Telephone/cellphone spyware – monitors the phone and its activities
GPS spyware – device or software using GPS to determine the location of a vehicle, person, or attached/installed asset

Defense against Keyloggers

– Use pop-up blockers and avoid opening junk mail
– Use keystroke interference software that inserts randomized characters into every keystroke
– Install anti-spyware/antivirus programs
– Scan files before installing them; use the registry editor or Process Explorer to check for keystroke loggers
– Install professional firewall software and anti-keylogging software
– Use the Windows on-screen keyboard for passwords and confidential information
– Recognize phishing emails and delete them
– Install a host-based IDS
– Regularly update and patch system software
– Use an automatic form-filling password manager or virtual keyboard
– Do not click on unsolicited/dubious emails
– Frequently scan and monitor the changes in the system or network
– Restrict physical access to sensitive computer systems
– Check the keyboard interface to ensure no extra component is plugged into the keyboard cable connector
– Use encryption between the keyboard and the driver
– Use an anti-keylogger that detects the presence of hardware keyloggers
– Use an on-screen keyboard
– Check monitor cables for hardware keyloggers
– Set up video surveillance around the computer desk
– Disable USB ports or set up advanced BIOS authentication to enable the BIOS

Anti-keyloggers: Zemana AntiLogger, GuardedID, KeyScrambler, Oxynger KeyShield, Ghostpress, SpyShelter Silent Anti-Logger

Defense against Spyware

– Avoid using any computer systems you do not have control over
– Use anti-spyware
– Set browser security settings to medium or high
– Perform web surfing safely
– Be wary of suspicious emails and websites
– Avoid running in administrative mode
– Use a firewall to enhance the security level
– Keep OS patching up to date
– Update the firewall with outbound protection
– Avoid free music files, screensavers or emoticons from the internet
– Check Task Manager and MS Configuration Manager reports
– Beware of pop-up windows or web pages; never click anywhere on these windows
– Update virus definition files
– Read disclosures, license agreements and privacy statements before installing any application

Anti-Spyware : SUPERAnti Spyware, Kaspersky Total Security, SecureAnywhere Internet Security, Adaware Antivirus, MacScan, Norton Antivirus

Rootkits

  • Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time and in the future
  • Rootkits replace certain operating system calls and utilities with their own modified versions of those routines which, in turn, undermine the security of the target system, causing malicious functions to be executed

Attacker places a rootkit by
– scanning for vulnerable devices
– wrapping it in a special package
– installing it on a public machine through social engineering
– zero-day attack

Objectives
– root the host system and gain a remote backdoor
– mask the attacker's tracks
– gather sensitive data and network traffic from the system
– store other malicious programs

Hypervisor level rootkit – acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a VM
Hardware/firmware rootkit – hides in hardware devices or platform firmware that are not inspected for code integrity
Kernel level rootkit – adds malicious code to, or replaces, the original OS kernel and device driver code
Boot loader level rootkit – replaces the original boot loader with one controlled by a remote attacker
Application level/user mode rootkit – replaces regular application binaries with a fake trojan or modifies the behavior of existing applications by injecting malicious code
Library level rootkit – replaces the original system calls with fake ones to hide information about the attacker

How a Rootkit works

System hooking is the process of changing or replacing the original function pointer with a pointer provided by the rootkit in stealth mode. Inline function hooking is a technique in which a rootkit changes some of the bytes of a function inside the core system DLLs, replacing an instruction so that any process call hits the rootkit first.

Direct kernel object manipulation (DKOM) rootkits can locate and manipulate the "system" process in the kernel memory structures and patch it. They can also hide processes and ports, change privileges, and mislead the Windows Event Viewer without any problem by manipulating the list of active processes of the OS.

Tools

  • PurpleFox – distributed via a fake malicious Telegram installer; comes in both 32-bit and 64-bit Windows versions; the trojan can be used for hiding within the system and maintaining persistence
  • MoonBounce – concealed within the UEFI firmware in the SPI flash and scheduled to execute at a specific time; injects a malicious driver into the Windows kernel during the boot process
  • Demodex rootkit – can survive OS reinstallation; conceals malware fingerprints such as files, registry keys and network traffic
  • Others: Moriya, iLOBleed, Netfilter, Skidmap

Detecting Rootkits

  • Integrity-based detection – compares a snapshot of the file system, boot records or memory with a known trusted baseline
  • Signature-based detection – compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints
  • Heuristic/behavior-based detection – deviations from the system's normal activity indicate the presence of a rootkit
  • Runtime execution path profiling – compares the runtime execution paths of all system processes before and after rootkit infection
  • Cross view-based detection – enumerates key elements in the computer system such as system files, processes and registry keys, and compares them with a data set generated by an algorithm that does not rely on the common APIs; discrepancies between the two data sets indicate the presence of a rootkit
  • Alternative trusted medium – the infected system is shut down and then booted from alternative trusted media to find traces of the rootkit
  • Analyzing memory dumps – the RAM of the suspected system is dumped and analyzed to detect the rootkit in the system

Steps for detecting rootkits

Step 1 – Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results
Step 2 – Boot from a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive and save the results
Step 3 – Run the latest version of WinMerge on the two sets of results to detect file-hiding ghostware
There will be some false positives. This also does not detect stealth software that hides in the BIOS, video card, EEPROM, bad sectors or alternate data streams.
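The comparison WinMerge performs in step 3, done programmatically as an added example (not code from the notes or from WinMerge): the two "dir /s /b" listings are normalised so the live view (C:) and the offline boot (same disk seen as D:) compare equal, and paths the offline boot sees but the live OS does not are reported as rootkit candidates. The listings are constructed, and the drive-letter handling and the volatile-path ignore list (which trims the false positives the notes mention) are assumptions.

```python
"""Cross-view comparison of the two 'dir /s /b' listings from the rootkit detection
steps: one taken inside the live (possibly infected) OS, one taken after booting clean
media. Added example, not from the notes; the listings are constructed, and the
drive-letter normalisation and volatile-path ignore list are assumptions."""
from pathlib import PureWindowsPath

# Paths that legitimately differ between a live boot and an offline boot of the
# same disk (assumed ignore list; extend it for the environment being checked).
VOLATILE_PREFIXES = (
    "\\pagefile.sys", "\\hiberfil.sys", "\\swapfile.sys",
    "\\$recycle.bin\\", "\\windows\\temp\\", "\\windows\\prefetch\\",
)


def normalise(listing):
    """Lower-case each path and drop the drive letter, so C:\\Windows (live view)
    and D:\\Windows (the same disk mounted from the clean boot) compare equal."""
    paths = set()
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        p = PureWindowsPath(line)
        rel = "\\" + "\\".join(p.parts[1:]) if p.drive else line
        paths.add(rel.lower())
    return paths


def is_volatile(path):
    """True for paths on the ignore list (already normalised, lower-case)."""
    return any(path.startswith(prefix) for prefix in VOLATILE_PREFIXES)


def cross_view(live_listing, offline_listing):
    """Return paths the offline boot sees but the live OS hides (rootkit candidates)
    and paths only the live OS reports (normally volatile files)."""
    live, offline = normalise(live_listing), normalise(offline_listing)
    return {
        "hidden_from_live_os": sorted(p for p in offline - live if not is_volatile(p)),
        "only_in_live_view": sorted(p for p in live - offline if not is_volatile(p)),
    }


# Constructed listings: the live view is missing two files and shows the pagefile;
# the offline view (disk mounted as D:) shows the hidden files and hiberfil instead.
LIVE_LISTING = r"""
C:\pagefile.sys
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\kernel32.dll
C:\Windows\Temp\setup.log
C:\ProgramData\svc\config.ini
"""

OFFLINE_LISTING = r"""
D:\hiberfil.sys
D:\Windows\System32\drivers\ntfs.sys
D:\Windows\System32\drivers\rk.sys
D:\Windows\System32\kernel32.dll
D:\ProgramData\svc\config.ini
D:\ProgramData\svc\loader.dll
"""


def run_sample():
    """Compare the two constructed listings and return the report dict."""
    return cross_view(LIVE_LISTING, OFFLINE_LISTING)


if __name__ == "__main__":
    for label, paths in run_sample().items():
        print(label, paths)
```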

Defense against Rootkits

– Reinstall the OS/applications from a trusted source
– Update and patch the OS, applications and firmware
– Maintain well-documented automated installation procedures
– Regularly verify the integrity of system files using cryptographically strong digital fingerprint technology
– Perform kernel dump analysis to determine the presence of rootkits
– Update antivirus and anti-spyware
– Harden the workstation or server
– Avoid logging in with administrative privileges
– Educate staff to avoid downloading any files from untrusted sources
– Apply the principle of least privilege
– Install network- and host-based firewalls
– Use antivirus software with rootkit protection
– Ensure the availability of trusted restoration media
– Avoid installing unnecessary applications; disable features/services if not used

Tools

GMER – detects and removes rootkits by scanning processes, threads, modules, services, etc.
Others: Stinger, Avast One, TDSSKiller, Malwarebytes Anti-Rootkit, Rootkit Buster

NTFS Data Streams

NTFS is a file system that stores files with the help of two data streams, called NTFS data streams, along with the file attributes. The first data stream stores the security descriptor for the file to be stored, such as permissions; the second stores the data within the file. Alternate data streams (ADS) are another type of named data stream that can be present in each file.

An ADS refers to any type of data attached to a file, but not in the file, on an NTFS system. The ADS is not contained in the master file table but attached to it through the file table.

How to create NTFS streams

Step 1 – Launch c:\>notepad myfile.txt:lion.txt
         Click "Yes" to create the new file, enter some data and save the file
Step 2 – Launch c:\>notepad myfile.txt:tiger.txt
         Click "Yes" to create the new file, enter some data and save the file
Step 3 – View the size of myfile.txt (it should be zero)
Step 4 – To view or modify the stream data hidden in steps 1 and 2, use the following commands respectively: notepad myfile.txt:lion.txt, notepad myfile.txt:tiger.txt

NTFS streams Manipulation

Step 1 – To move the contents of Trojan.exe into a stream of Readme.txt:
c:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exe
(the type command hides the file in an alternate data stream)
Step 2 – To create a link to the Trojan.exe stream inside the Readme.txt file:
c:\>mklink backdoor.exe Readme.txt:Trojan.exe
Step 3 – To execute the Trojan.exe inside the Readme.txt stream:
c:\>backdoor

Defense against NTFS Streams

– To delete NTFS streams, move the suspected files to a FAT partition
– Use a file integrity checker
– Use Stream Detector or GMER to detect streams
– Enable real-time antivirus scanning against execution of malicious streams in the system
– Keep antivirus software up to date

Countermeasure for NTFS streams

  • LADS – searches for streams and reports the presence of ADS
  • Move the file to a FAT partition and move it back. FAT does not support ADS, so this effectively removes the ADS from files.
  • Stream Armor – discovers hidden ADS and cleans them completely
  • Others : Stream Detector, GMER, ADS Manager, ADS Scanner, Streams

Steganography

  • Technique of hiding a secret message within an ordinary message and extracting it at the destination.
  • Utilizing a graphic image as a cover

Classification of Steganography

  • Technical Steganography – uses physical or chemical methods to hide the existence of a message
    – Invisible ink – colorless liquid that can later be made visible
    – Microdots – text or an image considerably condensed in size, fitting up to one page in a single dot, to avoid detection by unintended recipients
    – Computer-based methods – make changes to digital carriers to embed information foreign to the native carriers. Carriers can be text, binary files, disks and storage devices, or network protocols
    — Substitution techniques – encode the secret information by substituting insignificant bits of the cover with the secret message
    — Transform domain techniques – hide the information in significant parts of the cover image, so that it survives operations such as cropping and compression
    — Spread spectrum techniques – the sender increases the band spread by means of a code (independent of the data), and the receiver uses synchronized reception with the code to recover the information from the spread-spectrum data
    — Statistical techniques – utilize "1-bit" steganography schemes by modifying the cover in such a way that, when a 1 is transmitted, some of its statistical characteristics change significantly; otherwise the cover is left unchanged, so the receiver can distinguish modified from unmodified covers
    — Distortion techniques – apply a sequence of modifications to the cover to obtain a stego-object; the sequence of modifications represents the transformation of a specific message, and decoding requires knowledge of the original cover
    — Cover generation techniques – digital objects are developed specifically to cover secret communication; encoding the information ensures the creation of a cover for the secret communication
  • Linguistic Steganography
    – Semagrams – hide information with the help of signs or symbols
    — Visual semagrams – hide information in a drawing, painting, letter, music or a symbol
    — Text semagrams – hide a text message by converting or transforming the appearance of the carrier text, such as by changing the font size or style, or adding extra spaces as whitespace in a document
    – Open codes – hide the secret message in a legitimate carrier message specially designed in a pattern on a document that is unclear to the average reader. The carrier message is known as the overt communication, the secret message as the covert communication
    — Jargon codes – language that can be understood only by a particular group
    — Covered ciphers – hide the message in a carrier medium visible to everyone; the message can be extracted by any person with knowledge of the method used to hide it
    — Null ciphers – hide the message within a large amount of useless data; the original data are mixed with the unused data in an order that no one can understand other than those who know the order
    — Grille ciphers – encrypt plaintext by writing it onto a sheet of paper through a pierced (stenciled) sheet

Types of Steganography based on Cover Medium

  • Image steganography
    – Least significant bit insertion
    – Masking and filtering
    – Algorithms and transformation
    – OpenStego – data hiding, watermarking
    – StegOnline, Coagula, QuickStego, SSuite Picsel, CryptaPix
  • Document steganography
    – StegoStick – hides a file in any other file, image, audio or video
    – SNOW, StegJ, Data Stash, Texto
  • Folder steganography
    – hiding secret information in folders
    – GiliSoft File Lock Pro
    – Folder Lock, Hide Folder 5, Invisible Secrets, QuickCrypto
  • Video steganography
    – OmniHide Pro – hides any file within an image, video or music file
  • Audio steganography
    – Echo data hiding – by adding an echo into the audio
    – Spread spectrum methods
    — Direct-Sequence Spread Spectrum (DSSS) – frequency modulation technique that spreads a low-bandwidth signal over a broad frequency range to enable sharing of a single channel between multiple users; transposes the secret messages into radio wave frequencies
    — Frequency Hopping Spread Spectrum (FHSS) – alters the audio file's frequency spectrum so that it hops rapidly between frequencies; used in secured commercial and military communications
    – LSB coding – inserts a secret binary message in the least significant bit of each sampling point of the audio signal
    – Tone insertion – embeds data in the audio signal by inserting low-power tones
    – Phase encoding – the initial audio segment is substituted by a reference phase that represents the data
    – DeepSound
    – BitCrypt, StegoStick, MP3Stego, QuickCrypto, Spectrology
  • Whitespace steganography
    – SNOW – for whitespace steganography
  • Web steganography
    – hides web objects behind other objects and uploads them to a web server
  • Spam/email steganography
    – sending secret messages by embedding them and hiding the embedded data in spam emails
    – Spam Mimic – encodes secret messages into innocent-looking emails
  • DVD-ROM steganography
    – the user embeds the content in audio and graphical data
  • Natural text steganography
    – process of converting sensitive information into user-definable free speech such as a play
  • Hidden OS steganography
    – hiding one OS in another
  • C++ source-code steganography
    – users hide a set of tools in the files

For mobile phones – Stegais, SPY PIX, PixelKnot, NoClue, Photo Hidden Data

Steganalysis

Reverse process of steganography – the art of discovering and rendering covert messages hidden using steganography
– detects hidden messages embedded in image, text, audio and video carrier media

Challenges of Steganalysis

  • suspect information stream may or may not have encoded hidden data
  • efficient and accurate detection of hidden content within digital images is difficult
  • the message could be encrypted before being inserted into a file or signal
  • some of the suspect signals or files may have irrelevant data or noise encoded into them

Steganalysis Methods/Attacks on Steganography

Stego-only – only the stego-object is available for analysis
Known-stego – the attacker has access to the stego algorithm, the cover medium and the stego-object
Known-message – the attacker has access to the hidden message and the stego-object
Known-cover – compares the stego-object and the cover medium to identify the hidden message
Chosen-message – generates stego-objects from a known message using tools in order to identify the algorithm
Chosen-stego – the attacker has access to the stego-object and the stego algorithm
Chi-square – probability analysis to test whether the stego-object and the original data are the same or not
Distinguishing statistical – analyzes the embedding algorithm; used to detect distinguishing statistical changes along with the length of the embedded data
Blind classifier – a blind detector is fed with original unmodified data to learn the resemblance of the original data from multiple perspectives
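The chi-square attack above applied to the least significant bit insertion listed under image steganography, as an added example (not code from the notes or from any steganography tool): LSB embedding of random-looking data equalises the counts of each value pair (2k, 2k+1), so the pairs-of-values chi-square statistic collapses for a stego-object and stays large for a natural cover. The cover is a constructed byte array standing in for one 8-bit image channel, and the detection threshold is an assumption.

```python
"""Chi-square (pairs-of-values) steganalysis of LSB insertion, as an added example
for the 'LSB insertion' and 'Chi-Square' items in the notes (not code from the notes
or any listed tool). The cover is a constructed byte array standing in for an 8-bit
image channel; the detection threshold is an assumption."""
import random


def lsb_embed(cover, bits):
    """Least significant bit insertion: overwrite the LSB of consecutive samples
    with message bits. This is the embedding the test below is meant to detect."""
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return bytes(out)


def pov_chi_square(samples):
    """Pairs-of-values statistic (Westfeld and Pfitzmann). Each pair (2k, 2k+1)
    differs only in its LSB, so LSB embedding of random-looking data drives the two
    counts towards equality; a natural cover keeps them unequal. Returns
    (chi-square, degrees of freedom), one degree per pair that has samples."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        expected = (n_even + n_odd) / 2
        if expected > 0:
            chi2 += (n_even - expected) ** 2 / expected
            dof += 1
    return chi2, dof


def lsb_embedded(samples, ratio_threshold=2.0):
    """Flag LSB embedding when chi-square per degree of freedom is small, i.e. the
    pair counts are too balanced to be a natural cover (threshold assumed)."""
    chi2, dof = pov_chi_square(samples)
    return dof > 0 and chi2 / dof < ratio_threshold


def make_cover(n=20000, seed=1):
    """Constructed cover with the pair imbalance of real sensor data: values are
    drawn around mid-grey, and odd values are made three times rarer than even."""
    rng = random.Random(seed)
    cover = bytearray()
    for _ in range(n):
        base = int(min(max(rng.gauss(128, 40), 0), 255)) & 0xFE
        cover.append(base | (1 if rng.random() < 0.25 else 0))
    return bytes(cover)


def random_bits(n, seed=7):
    """Constructed secret message: n random bits (an encrypted payload looks like this)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def run_sample():
    """Return (chi-square per degree of freedom, verdict) for the clean cover and
    for the same cover after a full-length LSB embedding."""
    cover = make_cover()
    stego = lsb_embed(cover, random_bits(len(cover)))
    result = {}
    for name, data in (("cover", cover), ("stego", stego)):
        chi2, dof = pov_chi_square(data)
        result[name] = (chi2 / dof, lsb_embedded(data))
    return result


if __name__ == "__main__":
    for name, (ratio, flagged) in run_sample().items():
        print(f"{name}: chi2/dof = {ratio:.2f}, lsb_embedded = {flagged}")
```

The same statistic run over successive prefixes of the samples also estimates the length of the embedded data, which is the "distinguishing statistical" idea in the list above.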

Detecting Steganography

Text file
– alterations are made to character positions to hide the data
– alterations are detected by looking for text patterns or disturbances and unusual amounts of blank space
Image file
– hidden data in an image can be detected by determining changes in size, file format or last-modified timestamp pointing to the existence of hidden data
– the statistical analysis method is used for image scanning
Audio file
– use steganalysis methods for detecting LSB modifications
– inaudible frequencies
– odd distortions and patterns
Video file
– detection of secret data in video files combines the methods used for image and audio files

Steganography Detection Tools

zsteg – detects data hidden with steganography in PNG and BMP files
Others: StegoVeritas, Stegextract, StegoHunt MP, Steganography Studio, Virtual Steganographic Laboratory

Maintaining Persistence by Abusing Boot or Logon AutoStart execution

Attackers abuse system boot or logon autostart programs to escalate privileges and maintain persistence by applying custom configuration settings on the compromised machine

  • Registry run keys
    – enumerating assigned permissions using winPEAS
  • Startup files
    – abusing the startup folder using icacls
    – using accesschk.exe to identify permissions

Domain Dominance Through Different Paths

Domain dominance is the process of taking control over critical assets such as domain controllers on the target systems and gaining access to other network resources.

Domain Dominance Techniques

  • Remote code execution – Attackers attempt to execute malicious code on the target domain controller through the CLI to launch a domain dominance attack
    — WMIC, PsExec.exe
  • Abusing Data Protection API – The Windows domain controllers contain a master key to decrypt DPAPI-protected files, so attackers will want to obtain the master key
    — Mimikatz
  • Malicious replication – enables attackers to create an exact copy of user data, such as the krbtgt account, using admin credentials
  • Skeleton key attack – a skeleton key is a form of malware that attackers use to inject false credentials into domain controllers to create a backdoor password. It is a memory-resident virus that enables an attacker to obtain a master password to validate themselves as a legitimate user in the domain
  • Golden ticket attack – A golden ticket attack is a post-exploitation technique implemented by attackers to gain complete control over the entire Active Directory (AD). Attackers forge Ticket Granting Tickets (TGTs) by compromising the Key Distribution Service account (KRBTGT) to access various AD resources
  • Silver ticket attack – A silver ticket attack is a post-exploitation technique implemented by an attacker to steal legitimate users’ credentials and create a fake Kerberos Ticket Granting Service (TGS) ticket
    To initiate this attack, the attacker must have access to the credentials gathered from a local service account or the system’s SAM database
  • The attacker creates a forged Kerberos TGS ticket using the mimikatz tool to establish a connection with the target service

CEH Module6 – System Hacking Part1 – Gaining Access and Escalating Privileges

  • Gaining Access
  • Escalating Privileges
  • Maintaining Access
  • Clearing Logs

The first step involves the use of various techniques by attackers to gain access to the target
system. These techniques include cracking passwords, exploiting buffer overflows, and
exploiting identified vulnerabilities.

Gain Access

Microsoft Authentication

Security Accounts Manager Database (SAM) – AD database
– Passwords are hashed and stored in SAM
NTLM Authentication
– NTLM and LM authentication protocol
– Protocols store the password in the SAM database using different hash methods
Kerberos Authentication
– MS upgraded default authentication protocol to Kerberos

Password Cracking

Process of recovering passwords from data in transit or stored.

Non-Electronic Attacks

Attacker does not need technical knowledge
– Shoulder Surfing
— looking at screens or keyboard

– Social Engineering
— convincing people to reveal password

– Dumpster Diving
— checking user’s bins, printer’s trash

Active online Attacks

Directly communicating with the victim machine
– Dictionary, Brute force, rule based attack
— dictionary file loaded to run against user accounts
— Brute force every combination of characters
— Rules-based having some information about the password

– Mask attack
— recover password from hashes – hashcat

– Hash injection / Pass-the-hash attack
— Compromise a server (domain controller) using a local/remote exploit
— Extract logged-on domain admin account hash
— inject a compromised hash into a local session (victim)

– LLMNR/NBT-NS poisoning
— Windows OS for name resolution
— attacker cracks hash obtained from the victim’s authentication process
— extracted credentials are used to log on to the host system in the network

– Trojan/spyware/keyloggers
— runs in the background, collects usernames and passwords

– Password Guessing
— Find a valid user
— Create list of possible passwords
— Rank passwords from high to low probability
— Key in each password, until the correct password is discovered

– Default password
— password supplied by manufacturer

– Password Spraying
— target multiple user accounts and crack passwords using a small set of commonly used passwords.

Internal Monologue Attack
– attackers use SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user

Cracking Kerberos Password
AS-REP Roasting (Cracking TGT)
— request a TGT from the KDC in the form of an AS-REQ packet
Kerberoasting (Cracking TGS)
— request a TGS for the SPN of the target service account
Pass the ticket Attack – Mimikatz, Rubeus, Windows CredentialsEditor
— Authenticating a user to a system with a stolen Kerberos ticket instead of the user's password
— dumps Kerberos tickets of legitimate accounts using credential dumping tools.
— attack by stealing the ST/TGT from an end user or a compromised authorization server
— Mimikatz allows attackers to pass a Kerberos TGT to other computers and sign in using the victim's ticket
— extract plain-text passwords, hashes, PIN codes and Kerberos tickets from memory

Other Active Online Attacks
– Combinator Attack
– Combine the entries of one dictionary with those of a second dictionary to generate a new wordlist
– Fingerprint Attack – break down the passphrase into fingerprints comprising single and multi-character combinations.
– PRINCE attack (PRobability INfinite Chained Elements) – advanced version of the Combinator attack; uses a single input dictionary to build chains of combined words instead of taking input from two dictionaries.
– Toggle-Case attack – combination of upper and lower case version of a word present in the input dictionary
– Markov Chain attack – split each password entry into 2-3 char long syllables, using these char element, a new alphabet is developed, which is then matched with the existing password database
– GPU-based attack – exploit the OpenGL API on GPUs to set up a spy on the victim device that infers user activities and passwords entered on a browser

Passive Online Attacks

Wire Sniffing
– Runs packet sniffing tools on LANs to access and record network data
– captured data may include sensitive information such as password and emails
– sniffed credentials are used to gain unauthorized access

Man-in-the-middle
– acquires access to the communication channels between the victim and the server
– can be broken by invalidating the traffic
Replay attack
– packets and authentication tokens captured by the sniffer, where after information is extracted, tokens are placed back on the network to gain access.

Offline Attacks

Rainbow table attack – rtgen
– precomputed table that contains wordlist like dictionary files, brute force lists and their hash values

Distributed Network Attack
– DNA – used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network

Password recovery tools

Elcomsoft distributed password recovery
Password recovery toolkit
hashcat
Windows password recovery tool

pwdump7 – extracts LM and NTLM password hashes of local user accounts from the SAM database.
other tools – mimikatz, powershell empire, ntdsxtract

Password cracking tools

Password cracking using domain password audit tool (DPAT)
– python script that generates password use statistics from password hashes dumped from a domain controller and password crack file such as hashcat.pot
– generates a html report which can be used to analyze usernames, passwords and other statistics

L0phtCrack
– audit password and recover applications
ophcrack
– Windows password cracker based on rainbow tables.

Password cracking tools
– RainbowCrack – cracks hashes with rainbow tables, using a time-memory tradeoff algorithm
– john the ripper, hashcat, THC-hydra, Medusa, secure-shell bruteforcer

Password Salting

Technique where a random string of characters (the salt) is added to the password before calculating its hash.
– makes it more difficult to reverse hashes and defeats precomputed hash attacks
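The precomputed table of the offline attacks above and the salting defence here can be shown side by side. The Python below is an added example (not code from the notes or from any of the tools they list): it builds a hash-to-plaintext table from a constructed mini wordlist, shows that an unsalted hash from a dump is a direct lookup, and then stores the same password twice with fresh random salts. The notes describe the salt as a prefix or suffix before hashing; this example uses the standard-library PBKDF2-HMAC-SHA256 construction, in which the salt is an input to an iterated hash, which is the form a practitioner should actually deploy. The wordlist and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist; a real precomputed table would cover millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "Summer2024", "dragon"]
ITERATIONS = 100_000


def unsalted_hash(password):
    """Legacy-style storage: the hash depends on nothing but the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words):
    """Hash -> plaintext lookup built once and reused against every dump.

    This is the idea behind rainbow tables (which additionally compress the
    table with reduction chains); a plain dictionary is enough to show why
    unsalted hashes are cheap to reverse.
    """
    return {unsalted_hash(w): w for w in words}


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash: a fresh random salt per password, fed to
    PBKDF2-HMAC-SHA256. Returns (salt, derived_key); both are stored."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify(password, salt, stored_key, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_key)


def demo():
    table = build_precomputed_table(WORDLIST)
    leaked = unsalted_hash("letmein")          # unsalted hash from a dump
    salt_a, key_a = salted_hash("letmein")     # same password for two users
    salt_b, key_b = salted_hash("letmein")
    return {
        "unsalted_cracked": table.get(leaked),             # instant hit
        "salted_values_differ": key_a != key_b,            # salts differ
        "salted_in_table": table.get(key_a.hex()) is not None,
        "verify_right": verify("letmein", salt_a, key_a),
        "verify_wrong": verify("letmein1", salt_a, key_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because every stored value depends on a 16-byte random salt, an attacker would need one table per salt, which is exactly the precomputation advantage the salt removes; the iteration count then slows each remaining guess.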

Defence against Password Cracking

information security audit to monitor and track password attacks
disallow use of same password during password change
disallow password sharing
disallow use of passwords that can be found in a dictionary
do not use clear text and protocols with weak encryption
password change policy 30 days
do not store passwords in unsecured locations
do not use default passwords
make passwords hard to guess: 8-12 alphanumeric characters, upper and lower case, numbers and symbols
ensure applications neither store passwords in memory nor write them to disk in clear text
add a random string (salt) as a prefix or suffix before hashing
enable SYSKEY with a strong password to encrypt and protect the SAM database
monitor server logs for brute force
lockout account subjected to too many incorrect guesses
disallow use of passwords such as DOB, spouse, pet names
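Two of the defences above, monitoring server logs for brute force and locking out accounts after too many incorrect guesses, are easy to get wrong: a per-account counter catches brute force but misses password spraying (described under active online attacks), where one source tries one guess against many accounts. The Python below is an added example, not code from the notes or from any tool they name, that runs both checks over constructed, syslog-like authentication lines. The log format, thresholds and window are assumptions; tune them to the real source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5        # failures for one account within WINDOW -> lock it out
SPRAY_MIN_ACCOUNTS = 8    # distinct accounts failing from one source within WINDOW

# Constructed sample log lines (not from any real system): one account hammered
# from one host, then one host trying a single guess against many accounts.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T09:00:{s:02d} auth: user=alice src=10.0.0.5 result=FAIL"
     for s in (1, 5, 9, 13, 17, 21)]
    + [f"2024-05-01T09:10:{s:02d} auth: user={u} src=203.0.113.9 result=FAIL"
       for s, u in enumerate(["bob", "carol", "dan", "erin", "frank",
                              "grace", "heidi", "ivan", "judy"])]
    + ["2024-05-01T09:20:00 auth: user=dave src=10.0.0.7 result=SUCCESS"]
)


def parse_line(line):
    """Parse '<iso timestamp> auth: key=value ...' into a dict."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {"ts": datetime.fromisoformat(ts_text), "user": fields["user"],
            "src": fields["src"], "result": fields["result"]}


def analyze(lines, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
            spray_min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return accounts that should be locked out and sources that look like
    password spraying, from log lines given in time order."""
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(dict)     # src  -> {user: time of last failure}
    lockouts, sprays = set(), set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "FAIL":
            continue
        ts = ev["ts"]
        # Brute force: many failures against one account inside the window.
        recent = fails_by_user[ev["user"]]
        recent.append(ts)
        while ts - recent[0] > window:        # drop failures outside the window
            recent.popleft()
        if len(recent) >= fail_threshold:
            lockouts.add(ev["user"])
        # Spraying: one source, few failures each, across many accounts.
        by_user = fails_by_src[ev["src"]]
        by_user[ev["user"]] = ts
        active = sum(1 for t in by_user.values() if ts - t <= window)
        if active >= spray_min_accounts:
            sprays.add(ev["src"])
    return {"lockout": sorted(lockouts), "spray": sorted(sprays)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

The spraying source never trips the per-account threshold (each account fails once), so a lockout policy alone would not notice it; the per-source distinct-account count is what flags it, and that is the alert to wire into the monitoring the notes call for.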

Defense against LLMNR/NBT-NS Poisoning

Disabling LLMNR – turn off multicast name resolution
Disabling NBT-NS – disable NetBIOS over TCP/IP

Tools to Detect LLMNR/NBT-NS Poisoning
Vindicate – LLMNR/NBNS/mDNS spoofing detection toolkit to detect name service spoofing
Respounder – helps security professionals detect rogue hosts running on public Wi-Fi networks
got-responded – check for LLMNR/NBTNS spoofing
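The detection tools listed above share one trick: send an LLMNR query for a hostname that cannot exist, and treat anyone who answers it as a poisoner, because a legitimate host only answers for its own name. The Python below is an added example of that canary check, not code from the notes or from Vindicate, Respounder or got-responded. It encodes and decodes the DNS-style LLMNR message format, builds a canary query, and flags responders; the "observed" datagrams, including the poisoned reply, are constructed inline rather than captured from a network, and the helper names are my own.

```python
import secrets
import socket
import struct

LLMNR_PORT = 5355  # LLMNR runs over UDP 5355 (multicast 224.0.0.252)


def encode_name(name):
    """DNS-style wire encoding: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset, depth=0):
    """Decode a DNS-style name at offset, following compression pointers.
    Returns (name, offset just past the name)."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            target = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, target, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid):
    """LLMNR query: 12-byte DNS header plus one A/IN question."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


def parse_message(data):
    """Parse header, question names and A-record answers of an LLMNR datagram."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        offset += 4                                    # qtype, qclass
        questions.append(name)
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_poisoned_response(query, answer_ip):
    """Constructed for the test: the unconditional reply a poisoner returns to any
    query it sees (echoes the question, points the name at its own address)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + rr


def make_canary_name():
    """A hostname that exists nowhere; no legitimate host should answer for it."""
    return "probe-" + secrets.token_hex(6)


def find_rogue_responders(canary_names, observed):
    """observed: list of (sender_ip, raw_datagram) seen on UDP 5355.
    Any response to a canary name can only come from a poisoner."""
    canaries = {n.lower() for n in canary_names}
    rogue = {}
    for sender, raw in observed:
        msg = parse_message(raw)
        if not msg["is_response"]:
            continue
        if any(q.lower() in canaries for q in msg["questions"]):
            rogue.setdefault(sender, set()).update(ip for _, ip in msg["answers"])
    return rogue
```

In a live check the canary query would be sent to the multicast group and replies collected from the socket for a second or two; everything from parsing onward is the same, and the sender address of a hit is the host to investigate.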

Vulnerability Exploitation

identify the vulnerability
determine the risk associated with the vulnerability
determine the capability of the vulnerability
develop the exploit
select the method for delivering – local or remote
generate and deliver the payload
gain remote access

Exploit sites

exploit-db.com
vuldb.com
vulners.com
MITRE CVE

Buffer Overflow

A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data.
– A buffer overflow occurs when the application writes past the end of the buffer and overwrites neighboring memory locations
– Attackers exploit this vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, etc.

Types of Buffer Overflow: Stack-Based Buffer Overflow

Stacks store variables in last-in, first-out order. When a function is called, the memory required for storing its variables is allocated on the stack, and when the function returns, the memory is automatically deallocated.
PUSH, which stores data onto the stack, and POP, which removes data from the stack.

If an application or program is vulnerable to buffer overflow attack, then attackers take control of the EIP register to replace the return address of the function with malicious code that allows them to gain shell access to the target system.

Types of Buffer Overflow: Heap-Based Buffer Overflow

A heap is used for dynamic memory allocation. Heap memory is dynamically allocated at run time during the execution of the program, and it stores the program data. Accessing heap memory is slower than accessing stack memory. The allocation and deallocation of heap memory is not performed automatically.

Heap-based overflow occurs when a block of memory is allocated to a heap and data is written without any bound checking. This vulnerability leads to overwriting links to dynamic memory allocation (dynamic object pointers), heap headers, heap-based data, virtual function tables, etc. Attackers exploit heap-based buffer overflow to take control of the program’s execution.

Windows Buffer Overflow Exploitation

Steps involved in exploiting a Windows-based buffer overflow vulnerability:

1. Perform spiking
2. Perform fuzzing
3. Identify the offset
4. Overwrite the EIP register
5. Identify bad characters
6. Identify the right module
7. Generate shellcode
8. Gain root access

Spiking
– send crafted TCP or UDP packets to the vulnerable server in order to make it crash
– help attacker identify the buffer overflow vulnerabilities in the target applications

Fuzzing
– send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register
– helps identify number of bytes required to crash the target server
– this information helps in determining location of EIP register, which further helps in injecting the malicious shellcode

identifying the offset
– attackers use the Metasploit framework pattern_create and pattern_offset Ruby tools to identify the offset, i.e. the exact position at which the EIP register is being overwritten

overwrite the EIP register
– overwriting the EIP register allows attackers to identify whether the EIP register can be controlled and can be overwritten with malicious shellcode

Identify bad characters
– before injecting the shellcode into the EIP register, attackers identify bad characters that may cause issues in the shellcode
– use Immunity Debugger to look for bytes that are missing or altered in memory; \x00 is always a bad character

Identify the right module
– identify the right module of the vulnerable server that lacks memory protection
– use script mona.py to identify these modules

Generate shellcode and gain shell access
– msfvenom command to generate the shellcode and inject it into the EIP register to gain shell access to the target

Return-Oriented Programming (ROP) Attack

exploitation technique used by attackers to execute arbitrary malicious code in the presence of security protections such as code signing and executable space protection.

Return-oriented programming is an exploitation technique
hijacks the target program's control flow by gaining access to the call stack and executes arbitrary machine instructions by reusing short instruction sequences from available libraries, known as gadgets
gadgets are collections of instructions that end with the x86 RET instruction
the attacker selects a chain of existing gadgets to create a new program and executes it with malicious intentions
ROP attacks are very effective as they utilize available and legitimate code libraries and are not detected by security protections such as code signing and executable space protection

Exploit Chaining

– Vulnerability chaining – combines various exploits or vulnerabilities to infiltrate and compromise the target from its root level
– during exploit chaining, an attacker first initiates the reconnaissance operation and then starts enumerating various digital footprints and underlying vulnerabilities one after another within the software or hardware

Active Directory Enumeration

Attackers perform Active Directory (AD) enumeration to extract sensitive information such as users, groups, domains, and other resources from the target AD environment.

Before performing enumeration using PowerView, attackers disable the security monitoring option using the following command:
Set-MpPreference -DisableRealtimeMonitoring $true

Domain Mapping and Exploitation with Bloodhound
Attackers attempt to identify a complex attack path in the target organization’s AD environment using tools such as Bloodhound and Docusnap

Bloodhound uses graph theory to reveal the hidden and often unintended relationships within an AD environment

Identifying Insecurities Using GhostPack Seatbelt
GhostPack Seatbelt is used to perform various security checks and collect information from a host system in both defensive and offensive ways

– Attackers use Seatbelt to collect host information including PowerShell security settings, Kerberos tickets, and items present in the Recycle Bin

Buffer Overflow Detection Tools

OllyDbg dynamically traces stack frames and program execution, and it logs arguments of known functions
Veracode
Flawfinder
Kiuwan
Splint
BOVSTT

Defense against Buffer Overflows

Develop programs by following secure coding practices
Always protect the return pointer of the stack
Use address space layout randomization (ASLR)
Never allow the execution of code outside the code space
Minimize code that requires root privileges
Regularly patch applications and the OS
Perform code review at the source level using static/dynamic code analyzers
Perform code inspection
Allow the compiler to add bounds checks to all buffers
Employ data execution prevention (DEP) to mark memory regions as non-executable
Implement automatic bounds checking
Implement code pointer integrity checking to detect whether a code pointer has been corrupted

Escalating Privileges

Horizontal privilege escalation – an unauthorized user tries to access resources that belong to an authorized user who has similar access permissions. Example: online banking user A accessing user B’s bank account
Vertical privilege escalation – gaining access to the resources of a user with higher privileges, such as an administrator

Privilege Escalation Using DLL Hijacking

Most Windows applications do not use a fully qualified path when loading an external DLL library; instead they search the directory from which they have been loaded.
– Attackers can place a malicious DLL in the application directory, and it will be executed in place of the real DLL
– attackers use tools such as Robber and PowerSploit to detect hijackable DLLs and perform DLL hijacking

Privilege Escalation by Exploiting Vulnerabilities

– Attackers exploit software vulnerabilities by taking advantage of programming flaws, services, OS software or kernel to execute malicious code.
– exploit to gain higher privileges than those existing or to bypass security mechanisms
– exploits based on the OS and software applications can be searched on ExploitDB and VulDB

Privilege Escalation Using Dylib Hijacking

In macOS, when an application loads an external dylib, the loader searches for the dylib in multiple directories
– attackers can inject a malicious dylib into one of the primary directories, it will be executed in place of the original dylib.
Dylib Hijack Scanner helps attackers to detect dylibs that are vulnerable to hijacking attacks

Defense: Dependency Walker – detects many common application problems such as missing modules, import/export mismatches and circular dependency errors

Dylib hijack scanners – scan for applications that are susceptible to dylib hijacking or have been hijacked.

Privilege Escalation Using Spectre and Meltdown Vulnerabilities

Spectre and Meltdown are vulnerabilities found in the design of modern processor chips from AMD, ARM and Intel.
– Performance and CPU optimizations in processors such as branch prediction, out of order execution , caching lead to these vulnerabilities
– attackers can gain unauthorized access and steal critical system information such as credentials and secret keys stored in the application’s memory to escalate privileges

Spectre – read adjacent memory locations of a process to access information
– read the kernel memory or perform web based attack using javascript

Meltdown – escalate privileges by forcing an unprivileged process to read other adjacent memory location such as kernel memory and physical memory
– leads to revealing critical system information such as credential, private keys

Defense:

Regularly patch and update OS and firmware
Enable continuous monitoring of critical applications and services running on the systems and network
Regularly patch vulnerable software such as browsers
Install and update ad-blockers and anti-malware to block injection of malware through websites
Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access
block services and application that allow unprivileged users to execute code
never install unauthorized software or access untrusted websites from systems storing sensitive information
Use Data Loss Prevention (DLP) solutions to prevent leakage of critical information from runtime memory
Frequently check with the manufacturer for BIOS updates

Tool for defense:
InSpectre – examines and discloses any windows system’s hardware and software vulnerabilities to meltdown and spectre attacks
Spectre and Meltdown checker – shell script to tell if system is vulnerable to meltdown and spectre

Privilege Escalation Using Named Pipe Impersonation

In windows OS, named pipes provide legitimate communication between running processes.
– often used for gaining higher access privileges
Metasploit to perform named pipe impersonation – getsystem to gain administrative-level privileges and extract password hashes of the admin accounts.

Privilege Escalation by Exploiting Misconfigured Services

Unquoted service Paths
– In Windows, when starting a service, the system looks up the location of the executable file to launch the service
– If the executable path contains spaces and is not enclosed in quotation marks, the path is ambiguous and Windows may resolve it to a different file
– attackers can exploit services with unquoted paths running under SYSTEM privileges to elevate their privileges
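An audit for this misconfiguration only needs the service's path and account. The Python below is an added example, not code from the notes or from any tool they name: it lists, for an unquoted path with spaces, the locations Windows would try before the intended binary (the CreateProcess search order documented by Microsoft), flags the affected services, and produces the corrected, quoted path. The sample rows are constructed to look like the Name, PathName and StartName fields of `Get-CimInstance Win32_Service` output; none of the services are real.

```python
import re

# Constructed rows shaped like Win32_Service output (Name, PathName, StartName).
SAMPLE_SERVICES = [
    {"Name": "Schedule", "PathName": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "StartName": "LocalSystem"},
    {"Name": "UpdaterSvc", "PathName": r'"C:\Program Files\Vendor App\updater.exe" /svc',
     "StartName": "NT AUTHORITY\\LocalService"},
    {"Name": "VendorSvc", "PathName": r"C:\Program Files\Vendor App\svc.exe -k net",
     "StartName": "LocalSystem"},
]

_EXE = re.compile(r"(.+?\.exe)(.*)", re.IGNORECASE | re.DOTALL)


def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath, cutting at '.exe'."""
    m = _EXE.match(image_path)
    return (m.group(1), m.group(2)) if m else (image_path, "")


def candidate_paths(image_path):
    """Locations CreateProcess tries, in order, before reaching the intended
    binary when the ImagePath is unquoted and contains spaces. Returns []
    when the path is quoted or the executable part has no space."""
    if image_path.lstrip().startswith('"'):
        return []
    exe, _ = split_image_path(image_path)
    parts = exe.split(" ")
    # 'C:\Program Files\Vendor App\svc.exe' -> 'C:\Program.exe', 'C:\Program Files\Vendor.exe'
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quote_image_path(image_path):
    """The fix: wrap the executable path in quotes and keep the arguments."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"{args}'


def audit_services(services):
    """One finding per service whose unquoted path is ambiguous, with the account
    it runs as (a SYSTEM service is the worst case) and the corrected value."""
    findings = []
    for svc in services:
        ambiguous = candidate_paths(svc["PathName"])
        if ambiguous:
            findings.append({"service": svc["Name"], "account": svc["StartName"],
                             "ambiguous_paths": ambiguous,
                             "fixed_path": quote_image_path(svc["PathName"])})
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"{f['service']} ({f['account']}): {f['ambiguous_paths']} -> {f['fixed_path']}")
```

The finding is only exploitable if a low-privileged user can write to one of the listed parent directories, so a complete audit pairs this check with the directory ACLs; the remediation, quoting the path in the service's ImagePath value, removes the ambiguity either way.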

Service Object Permissions
– misconfigured service permission may allow attacker to modify or reconfigure the attributes associated with the service
– attackers can even add new users to the local administrator group and then hijack the new account to elevate their privileges

Unattended Installs
– configuration settings used during the installation process are stored in Unattend.xml file
– stored in application directories or system32 or system32\sysprep
– attackers can use Unattend.xml to escalate privilege

Pivoting and Relaying to Hack External Machines

– Bypass the firewall to pivot via the compromised system to access other vulnerable systems in the network


Pivoting
1. Discover live hosts in the network
2. Setup routing rules
3. Scan ports of live systems
4. Exploit vulnerable services

Relaying
1. Setup port forwarding rules
2. Access the system resources

Privilege Escalation Using Misconfigured NFS

– a misconfigured NFS paves the way for attackers to gain root-level access through a regular user account
– It uses port 2049 to provide communication between a client and server through the Remote Procedure Call (RPC).
– attackers can sniff sensitive data and files passing through the intranet and launch further attacks
use showmount -e to check if there’s any share available for mounting

Privilege Escalation Using Windows Sticky Keys

– In Windows, Sticky Keys is an accessibility feature that is launched by pressing the Shift key five times in rapid succession
– after gaining access to the remote system, attackers escalate privileges by simply altering the file associated with the Sticky Keys feature; pressing the Shift key five times once the system has booted then launches that file
– replacing the file sethc.exe with cmd.exe

Privilege Escalation by Bypassing User Account Control (UAC)

– When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security features such as UAC to gain system-level access
– Regardless of the configured UAC protection level, attackers can abuse a few Windows applications to escalate privileges without triggering a UAC notification.

Techniques to Bypass UAC Using Metasploit
– Bypassing UAC protection – process injection
msf > use exploit/windows/local/bypassuac
It generates another session or shell without a UAC flag. After gaining shell access, attackers execute the getsystem and getuid commands to obtain the privileges of the SYSTEM authority and confirm the current user.

– Bypassing UAC protection via Memory Injection
msf> use exploit/windows/local/bypassuac_injection
Employs reflective DLL mechanisms to inject only DLL payload binaries. Using this command, attackers can obtain AUTHORITY\SYSTEM privileges.

– Bypassing UAC protection through FodHelper Registry key
msf> use exploit/windows/local/bypassuac_fodhelper
Hijacks a special key from the HKCU registry hive to bypass the UAC and attaches it to a fodhelper.exe. The custom commands can be invoked when the fodhelper.exe file is executed.

– Bypassing UAC protection through Eventvwr Registry key
msf> use exploit/windows/local/bypassuac_eventvwr
Hijacks a special key from the HKCU registry, and custom commands can be executed with the launch of Event Viewer. it will be wiped once the malicious commands or payloads are invoked.

– Bypassing UAC protection through COM handler Hijack
msf> use exploit/windows/local/bypassuac_comhijack
allows attackers to build COM handler registry entries within the current user hive to bypass UAC protection. These registry entries can be referenced to the execution of some high-level processes, which results in the loading of attacker-controlled DLLs. These DLLs can be injected with a malicious payload that allows attackers to establish elevated sessions.

Privilege Escalation by Abusing Boot or Logon Initialization Scripts

– Attackers can take advantage of boot or logon initialization scripts for escalating privileges or maintaining persistence on a target system
– Boot or logon initialization scripts also allow attackers to perform administrative tasks, using which they can run other programs on the system.

Logon Script (Windows) – Attackers create persistence and escalate privileges on a system by embedding the path to their script in the following registry key: HKCU\environment\UserInitMprLogonScript
Logon Script (Mac) – known as login hooks; execute automatically during system login and can be used to run a malicious payload
Network Logon Scripts – allocated using AD or GPO; gain administrator or local credentials based on the access configuration
RC Scripts – embedding a malicious binary, shell or path in RC scripts such as rc.common or rc.local within UNIX-based systems
Startup Items – malicious files or folders within the /library/StartupItems directory to maintain persistence; StartupItems are executed at bootup with root-level privilege

Privilege Escalation by Modifying Domain Policy

Domain policy comprises the configuration settings that may be implemented between the domains in the forest domain environment
– attackers modify the domain settings by changing the group policy and trust relationship between domains
– can also implant a fake domain controller to maintain a foothold and escalate privileges

Group Policy Modification
– Modify the scheduledTasks.xml file to create a malicious schedule task/job using scripts such as New-GPOImmediateTask:
<GPO_PATH>\Machine\Preference\ScheduledTasks\ScheduleTasks.xml

Domain Trust Modification
– Use the domain_trusts utility to collect information about trusted domains and modify the settings of existing domain trusts:
C:\windows\system32>nltest /domain_trusts

Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack – Mimikatz

In a DCSync attack, an attacker initially compromises and obtains privileged account access with domain replication rights and activates replication protocols to create a virtual domain controller similar to the original AD.

DCSync allows an attacker to send requests to the DC, retrieve administrator NTLM password hashes, and perform further attacks such as golden ticket, account manipulation and living-off-the-land attacks.

mimikatz includes a DCSync command that utilizes MS-DRSR to replicate the behavior of a legitimate DC.

Defense : Examine permissions assigned to users and administrators, and keep track of accounts that request domain replication rights.
– conduct security awareness training on system configuration, system patch management, and threat detection and response
– deploy network surveillance tool and decide which IP need to be included in the replication list.

Other Privilege Escalation Techniques

Access token Manipulation

Windows uses access tokens to determine the security context of a process.
Obtain access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities while avoiding detection

Parent PID Spoofing

PPID can be set to the process that is derived from the SYSTEM through system processes such as svchost.exe or consent.exe
Defense : Verify PPID fields where information is stored to detect irregularities
– identify the legit parent process using the event header PID specified by ETW
– analyse windows API calls such as CreateProcess for malicious PIDs
– Monitor system API calls exclusively assigning PPIDs to new processes

Application Shimming

Windows Application Compatibility Framework called Shim is used to provide compatibility between older and newer version of windows.
Shims such as RedirectEXE, InjectDLL and GetProcAddress can be used to escalate privileges, install backdoors and disable windows defender.

Filesystem Permission Weakness

if the filesystem permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file.

Path Interception

Applications include many weaknesses and misconfigurations such as unquoted paths, PATH environment variable misconfiguration and search order hijacking, which lead to path interception

Abusing Accessibility Features

Running malicious code within windows accessibility features
Replacing the features with cmd.exe or replacing binaries in the registry

SID-History Injection

The Windows Security Identifier (SID) is a unique value assigned to each user and group account by the DC
Attacker can inject the SID value of an administrator into the compromised user account’s history

COM Hijacking

The COM hijacking process involves tampering with object references or replacing them with malicious content in the Windows registry

Scheduled Task in Windows

Windows Task Scheduler, can be used to schedule programs to be executed at a specific date and time.
Malicious program can be schedule to run at startup

Scheduled Task in Linux

Linux utilizes cron or crond for automating task scheduling
scripts executed by cron located at /etc/crontab

Launch Daemon

Launchd is used in macOS boot up. Daemons have plists that are linked to executables that run at startup. plist can be altered with running malicious code

SetUID and SetGID

In Linux and MacOS, if an application uses setuid or setgid, then the application will execute with the privileges of the owning user or group. Exploit the applications with setuid or setgid flags to execute malicious code.

Web Shell

Web-based script that allows access to a webserver
attackers create web shells to inject malicious scripts on a webserver.

Abusing Sudo Rights

Sudo is a UNIX and Linux system utility that permits users to run commands as the superuser.
Attackers can overwrite the sudo configuration file /etc/sudoers with their own malicious file

Defense – strong password policy for sudo users
– turn off password caching by setting time-stamp to 0
– separate sudo-level admin accounts from administrator regular account to prevent theft
– update user permissions and accounts at regular intervals
– test sudo users with access to programs containing parameters for arbitrary code execution

Kernel Exploits

Exploit kernel vulnerabilities to execute arbitrary commands or code

Privilege Escalation Tools

BeRoot – check common misconfigurations to find a way to escalate privilege
linpostexp – obtains detailed information on the kernel which can be used to escalate privilege
PowerSploit
FullPower
PEASS-ng
Windows Exploit Suggester

Defense against Privilege Escalation

Restrict interactive login privileges
Change the UAC settings to Always Notify
Run users and applications with the lowest privileges
Restrict users from writing files to the search paths for applications
Implement multi-factor authentication and authorization
Continuously monitor file-system permissions using auditing tools
Run services as unprivileged accounts
Reduce the privileges of users and groups
Implement a privilege separation methodology to limit the scope of programming errors and bugs
Use whitelisting tools to identify and block malicious software
Use encryption techniques to protect sensitive data
Use fully qualified paths in all Windows applications
Reduce the amount of code that runs with a particular privilege
Ensure that executables are placed in write-protected directories
Perform debugging using bounds checkers and stress tests
In macOS, make plist files read-only
Thoroughly test the system for application coding errors and bugs
Block unwanted system utilities that may be used to schedule tasks
Regularly patch and update the kernel
Regularly patch and update the web server