Learn Ethical Hacking Tools Free Hacking Tricks How To Hack Hacking Passwords & Email Hacking

Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

Most networks use the broadcast technology; which means that every message emanating from any computer on the network can be captured by every other computer on the network. Normally, the message is not taken by other computers as the intended recipient's mac address does not match their mac address. Therefore, all the computers except the recipient of the message will notice that the message is not meant for them, and ignore it. However, if a system has a sniffer program running on it, it can scan all the messages which traverse the network looking for passwords and other sensitive information. For instance, if a user logs into a computer across the network, and the attacker's system is running a sniffer program, the attacker can sniff out the login information such as user name and its corresponding password. This will make it easy for the attacker to login to the target system as an authentic user and compromise it further. This technique is called password sniffing.

This is a serious threat to users — such as remote users - who login to computers from remote sites. Therefore, the password security of a remote user is as good as the network he/she uses to access the remote computer.

• LC4 is a password auditing and recovery package distributed by @stake software. SMB packet capture listens to the local network segment and captures individual login sessions.

• With LOphtcrack password cracking engine anyone can sniff the ire for extended periods is most guaranteed to obtain Administrator status in matter of days.

Windows operating systems based on the LAN Manager networking protocols use an authentication system that consists of transmitting a hashed twenty four byte password across the network from client to server in a challenge/response format. The hashed password from the client is compared with the hash of the same password in the server's database. A match results in authentication. However, the problem lay in the weak hash algorithm and the conversion of the hash into uppercase (thereby eliminating case sensitivity). The algorithm divided the password into seven-character segments and hashed then individually. This allowed the attacker to restrict the password cracking to seven letters and also easier. The weakness of the password hash, coupled with the transmission of the hash across the network in the challenge/response format, made LM-based systems highly susceptible to password interception and brute-force attack by LOphtcrack.

In Windows NT however, case sensitivity was included to strengthen the password, but coupling LM authentication with the NTLM authentication scheme to facilitate backward compatibility with LAN Manager-based systems, resulted in both hashes being sent across the network for authentication and being stored in the password databases. This resulted in LOphtcrack capturing and cracking the much simpler LM password and then applying the results of that broken hash to the NTLM hash to determine any differences.

• KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a bruteforce attack or a dictionary attack.

KerbCrack demonstrates the possibility of obtaining user passwords by simply listening to the initial Kerberos logon exchange. Let us explore how this can also be vulnerable to brute force attacks.

In general, encryption protocols such as Kerberos can be circumvented under the following four scenarios:

• The attacker is able to steal the encrypted key — by any means possible.

• The attacker finds a flaw in the implementation of the protocol - attributable to the vendor.

• The attacker finds a flaw in the protocol itself — which is highly unlikely.

• The attacker tries all possible keys in a brute-force approach. This is a possibility.

• Block access to TCP and UDP ports 135–139.

• Disable bindings to Wins client on any adapter.

• Use complex passwords

• Log failed logon attempts in Event viewer - Security log full event 529 or 539 - Logon/Logoff

• Logging is of no use if no one ever analyzes the logs

• VisualLast from www.foundstone.com formats the event logs visually

VisualLast is considered as the advanced version of NTLast with a number of additional and sophisticated features. The program is designed to allow network administrators to view and report individual users log on and log off times and these events can be searched by time frames. This is an invaluable feature to security analysts looking for intrusion details.

• Assuming that NetBIOS TCP139 port is open, the most effective method of breaking into NT/2000 is password guessing.

• Attempting to connect to an enumerated share (IPC$, or C$) and trying username/password.

• Default Admin$, C$, %Systemdrive% shares are good starting point.

One common security lapse seen is to leave in the built-in Administrator account with a null password. Password guessing appeals to the attacker because complicated passwords are difficult to remember and hence users tend to choose easiest password possible. It is often seen that users choose something that is easy to remember like birthday, pet's name, kid's name etc. Examples of these common user/password combinations can be downloaded all over the Internet.

One can categorize password guessing attacks by the amount of interaction they require with an authentication system. They are considered to be on-line attacks when the perpetrator must make use of an authentication system to check each guess of a password. On the other hand, offline attacks sees an attacker obtaining information (e.g. password hash) that will allow him to check password guesses on his own, without any further access to the system. On-line attacks are generally considered slower than off-line ones.

• A simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as LophtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is.

• The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and number combination in its automated exploration.

• A hybrid approach is one which combines features of both the methods mentioned above. It usually starts with a dictionary and then tries combinations such as two words together or a word and numbers.

Legion polls wide range of IP addresses to check for availability of shared folders. The application broadcasts a NetBIOS request across the LAN to find all computers that have NetBIOS services. The application then searches each polled computer for available shares, and displays the results. Once these shares are known, there is little to do on the administrator's part to detect or deter brute force password guessing. The commercial version of Legion has an option to brute force crack any shares that were identified as shared, but password protected. The vulnerable system can have its drive mapped to the attacker's system and he can use this point of access for further nefarious activities such as installing Trojans, stealing information and even corrupting the system - thereby resulting in a denial of service. The most obvious countermeasure is to make sure that File and Print Sharing is disabled. If this is required, it must be password protected and allowed only to specific IP addresses because DNS names can be spoofed. The system must also restrict null sessions.

NTInfoScan is a security scanner for NT 4.0 is a vulnerability scanner that produces an HTML based report of security issues found on the target system and further information.

NTInfoScan (now Cerberus internet scanner) is a vulnerability scanner designed by David Litchfield specifically to address the security concerns of Windows NT 4.0 operating system. It still works with Windows 2000 and The HTML based report highlights the security issues found on the target system along with further information. It tests a number of services such as ftp, telnet, web service, for security problems. Added to this NTInfoScan will check NetBIOS for share security and User account security.

• Userinfo is a little function that retrieves all available information about any known user from any NT/Win2k system that you can hit 139 on.

• Specifically calling the NetUserGetInfo API call at Level 3, Userinfo returns standard info like

  • SID and Primary group

  • logon restrictions and smart card requirements

  • special group information

  • pw expiration information and pw age

• This application works as a null user, even if the RA set to 1 to specifically deny anonymous enumeration.

  
  

  Hacking Tool: GetAcct
  

  GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines. Input the IP address or NetBIOS name of a target computer in the "Remote Computer" column. Input the number of 1000 or more in the "End of RID" column. The RID is user's relative identifier by which the Security Account Manager gives it when the user is created. Therefore, it is input as 1100, if there are 100 users.

  GetAcct shows the information that leaks by opening an anonymous login and showing the following information:

  • An enumeration of user IDs,

  • account names and full names

  • Password age

  • User groups the user is a member of

  • Account type

  • Whether the account is disabled or locked

  • Password policies

  • Last logon time, Number of logons

  • Bad password count

  • Quotas

    
    

    ---

    Amarjit Singh

• Anyone with a NetBIO S connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the Null user.

• The above syntax connects to the hidden Inter Process Communication 'share' (I PC $) at IP address 192.34.34.2 with the built- in anonymous user (/u:"") with ("") null password.

• The attacker now has a channel overwhich to attempt various techniques.

• The CIFS/SMB and NetBIOS standards in Windows 2000 include API s that return rich information about a machine via TCP port 139 - even to unauthenticated users.

  C: \>net use \\192.168.104.81 \IPC$ "" /u: ""

  The enumeration of machines and resources in a domain also makes it easier for an attacker to break in. If he is able to anonymously obtain the names of all of the machines in a domain, and then list the resource shares on those machines, it is only a matter of time before he finds a share which is open to "Everyone". Other possibilities include password cracking for a username that was enumerated, planting a backdoor for later access, dumping sensitive information etc.

  Let us see how a null session is established and how a remote computer can be enumerated from the command line prompt of a windows machine. In the example shown below, we can see that establishing a null session on the target host reveals that the system root can be easily compromised as the default setting of 'Everyone' may not have been changed, and the shares are visible to all.

In a NULL session, the TCP/IP connection to port 139 is made first with the following: net use \\127.0.0.1.i\ipc$ "" /user:"". This is followed by using the session layer protocols SMB and NetBIOS to access the hidden remote IPC share IPC$. The IPC$ is a special hidden share which allows communication between two processes on the same system (Inter Process Communication). The IPC$ share is an interface to the 'server' process on the machine. It is also associated with a pipe so it can be accessed remotely. This technique was programmatically written into an old exploit called the Red Button attack. This was addressed and fixed by Microsoft in Service Pack 3 for NT 4.0.

Once the attacker has a list of the remote shares, he could then attempt to map to a remote share. An example of the command structure for the attack is shown in the screenshot above. This attack will only work if the share is not password protected or shared out to the 'everyone' group.

Access to the hard drive is a serious security breach. Even if the attacker does not map a drive, he can gather sensitive information such user accounts, password policy and similar data that he can exploit later to continue his attack on the system. This may not be apparent to the victim initially, and the attacker can take the advantage of the time lapse for more information gathering and planting malicious code such as a virus or a Trojan. The open file share attack generally makes Trojan planting extremely easy to do. For instance, an intruder might try to place a key logger batch into the start-up folder to collect further information and perhaps log on later as an authenticated users.

Now, let us take a look at a typical LANMAN sessions on Windows 2000

• Here, the client sends a pre-authenticated (hash of user password) request along with a time stamp to the key distribution center (KDC) that resides on the domain controller (DC) of the concerned domain, requesting for a ticket granting ticket (TGT).

• The KDC extracts the hash of the user identity from its database and decrypts the request with it, noting the time stamp as well for recentness of request. A valid user account results in successful decryption.

• The KDC sends back a TGT, that contains among other information the session key (encrypted with users password) and the security identifiers (SID) identifying the user and the group among other things.

• The client uses the ticket to access the required resources.

  A null session is an insecure (unauthenticated) connection with no proof of identity. No user and password credentials are supplied in the establishment of the session. No session key is exchanged when establishing a null session, and hence it is impossible for the system to send encrypted or even signed messages on behalf of the user under a null session.

  When the LSA is asked to create a token for a remote client communicating via a null session, it produces a token with a user SID of S-1-5-7 (the null logon session), and a user name of anonymous logon. We have seen earlier that Everyone is included in all tokens, and the null session is classified as a network logon. This gives the null user access to file system shares and named pipes.

  Other areas where null sessions are considered useful is when the LMHOSTS.SAM file uses the "#INCLUDE " tag. The share point that contains the included file must be setup as a null session share. Additionally where a service, running under the local "SYSTEM" account, needs access to some network resource, a null session may be established to access these resources.

  An interesting part is that Null sessions can also be established at the API level with languages such as C++. Null sessions can be used to establish connections to 'null session pipes', if it is allowed by the server. A 'pipe' is a facility that allows a process on one system to communicate with a process on another system, while a inter process communication share allows communication between two processes on the same system.

  Null sessions can also be used to establish connections to shares, including such system shares as \\servername\IPC$. The IPC$ is a special hidden share. It may be noted that the IPC$ share is an interface to the 'server' process on the machine, also associated with a pipe so it can be accessed remotely. Null sessions make the enumeration of users, machines, and resources easier for administrative purposes especially across domains. This is the lure for the attacker who intends to use a null session to connect to the machine.

  During port scanning, the attacker takes note of any response from TCP port 139 and 445. Why would these ports interest an attacker? The answer lies in the SMB protocol.

  The SMB (Server Message Block) protocol is known for its use in file sharing on Windows NT / 2000 series among other things. Attackers can potentially intercept and modify unsigned SMB packets then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data.

  SMB is the resource sharing protocol supported by many Microsoft operating systems; it is the basis of network basic input/output system (NetBIOS) and many other protocols. SMB signing authenticates both the user and the server hosting the data. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), making it a bulky protocol with a large header as well as consuming greater time. In Windows NT, it used the ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, SMB was allowed to directly run over TCP/IP, without the extra layer of NBT. Therefore, port 445 started being used for this purpose.

  Each SMB session consumes server resources. Establishing numerous null sessions will slow or possibly crash the server even in Windows 2003. An attacker could repeatedly establish SMB sessions until the server stops responding. SMB services will become slow or unresponsive.

  ---

  Amarjit Singh