EC Council CEH 312-50 – System Hacking Part 1
July 10, 2023

1. Introduction to System Hacking

In the system hacking section we'll discuss keystroke loggers, password-guessing tools and password cracking, the SAM database and some of its insecurities, and the various tools that are available to us. We'll discuss rainbow tables and password sniffing, the Windows authentication protocols and what makes them a little different, and the LAN Manager weaknesses. We'll discuss tools like Cain & Abel and L0phtCrack that let us crack passwords, and we'll discuss privilege escalation.

Then we'll look at countermeasures like monitoring the Event Viewer logs and multifactor authentication, and at covering our tracks: disabling auditing, clearing the event log, and hiding files in NTFS alternate data streams. Then we'll move into steganography, what it is and which steganography tools we can use, and shredding local evidence. Finally, the big one we'll finish up with is the rootkit as a hacking tool, along with rootkit countermeasures.

2. Types of Password Attacks, Keystroke Loggers

Now in this section we're going to talk about the different types of password attacks; this is in our system hacking section. As my graphic shows, we have three types of password attacks, and I'm going to break this down in just a moment into social attacks and digital attacks, and then break it down further into online attacks and offline attacks. So let's get started with social attacks. Social attacks are done through social engineering: somebody coercing you into giving up your password when you really didn't want to.

A really easy way of doing that is to simply sit behind someone and watch them type, known as shoulder surfing. Another way of getting them to give up their password is to act like a technical assistant who has come down to speed up their computer. And I can tell you one thing, guys: if you tell an end user you're going to speed up their computer and ask, could I get your chair for just a few moments, they will move out of that chair just as quick as you please, because everyone has problems with slow computers, or what they perceive to be slow computers. That is the concept of social engineering.

We talked earlier, in one of the social engineering sections, about the most powerful tool being a clipboard, or even better an iPad: you walk in with your iPad or clipboard as though you're doing an audit and ask them to move out of their chair, and generally they'll just go ahead and do it. Then we also have another term we talked about before, dumpster diving; a lot of times people throw away pertinent pieces of information. So these are what we refer to as social attacks. Now, in the digital attacks we have things like keystroke loggers, password guessing and password cracking, and I'll tell you in a couple of slides that there's really no such thing as password cracking, only password guessing. Then we have dictionary and brute-force attacks, and finally the mother of all attacks, rainbow tables. I want to further break down the digital attacks into what I refer to as online attacks and offline attacks. Ultimately what we want is the password hashes: if we get the password hashes, we can crack those passwords offline by guessing what they might be and comparing. We talked a little about this in the cryptography section, where we said there is no such thing as cracking passwords.

There's only guessing them. In this slide we're going to talk about keystroke loggers, which break down into hardware-based and software-based keystroke loggers. Let's start with the software-based keystroke logger. Basically, it monitors whatever you type on the keyboard and puts that into a file, perhaps even sending it to you: web pages you go to, blog posts you write, anything like that can be captured by a keystroke logger. Now, naturally, most software-based keystroke loggers are going to be identified by the antivirus software you have installed.

But let's say you're a parent and you want to make sure your kids aren't talking to somebody on social media you wouldn't approve of. You could install one of these keystroke loggers and have the system your child uses send you a log of wherever they went and whatever they said online. That's something every parent is going to have to decide for themselves. Software-based keystroke loggers can easily be identified by antivirus, but you can add an exclusion telling your antivirus not to scan it, or that it is okay, and unless your child is very computer-savvy, they won't know you've done this. Hardware-based keystroke loggers, on the other hand, are pretty much undetectable.

That means I can put in a hardware-based keystroke logger like the one you see here in the video. It looks very much like a small extension on the keyboard cable where you plug it in, and there is a USB version as well. Regardless of the form factor, these are very difficult to detect: the inline one for an older computer is virtually impossible to detect, and the USB one presents itself to the operating system as a HID (human interface device), so to the operating system it is just the keyboard. I always use the example when I'm teaching a class of some of the hardware-based keystroke loggers that are very, very difficult to detect.

Some of them actually come built into a keyboard. So take for example the CEO's secretary, the one who really does the work in the organization, and you want to grab whatever passwords or other information she may be keying in. You could bring her a new keyboard. Let's say her name is Jane: "Jane, I'm sorry, we're having trouble with this keyboard, there's been a recall on it. Let me give you this other keyboard, and as soon as yours comes back we'll trade you back. Is that okay?" And you've just set the stage for a perfect hardware-based keystroke logger insertion attack. When you collect the substitute keyboard to return hers, it's very easy to get all the captured keystrokes right out of it.

3. Password Guessing Online

Okay, gang, let's review a couple of things we should already know. Hashing is a one-way process: there is no cryptographic function that turns the hash back into the plaintext password. To obtain the password, you must run plaintext through the same hashing function and see whether the hash produced matches the one you're attempting to break. Making an educated guess at the password may reduce the number of tries you need to crack that hash, whereas brute force generates hashes for all possible combinations until the correct one is found, and that can obviously take some time.

Precomputation produces a lookup table, a dictionary of hashes with the corresponding plaintext password for each. Let me see if I can illustrate this. I've just popped over to Notepad and I'm going to put in what the password might be along with a makeshift hash. I know these hashes are not correct; I'm just putting them in as an easy way of explaining this. So this one is 324A; the next ones are for B, C, D and so on down to Z, which might be 124E. Then we start with AA and whatever its hash would happen to be. So I'm going to flesh out my table and precompute the hash of everything I could possibly have typed on the keyboard.

Now, if you'll take a look, here is the password hash for A, and of course we know it's a lot longer in real life. This is the one for B, for C, for D. Let's say I typed out everything I could have typed on my keyboard within seven ASCII characters. You'll see why I'm talking about seven ASCII characters in just a few moments: the older versions of Windows store the password two ways, as an LM hash and as an NT hash. The LM hash, as you'll find out in the next slide or so, is really only seven characters at a time, because the password is padded to 14 characters, chopped into two seven-character halves, and each half is hashed separately, so we're only ever cracking seven characters.

So what I would do with this table I'm building is sort it by the password-hash field. Then I'd take whatever password hash I've obtained and match it up, just like matching up a word in a dictionary; it would be really easy and quick to find: oh, here's your password right here. Here's the problem with the rainbow table, or precomputation as some folks like to call it: we have to have generated, electronically or manually, every password it is ever going to match. So if you have a large keyspace, the table grows very quickly. In my case I was only doing one for seven characters.

It was able to find it because the LM passwords, the LAN Manager passwords, are effectively only seven characters long. NT passwords can be up to 127 characters, mixed case. To compare table sizes, the LM table is about 40 GB just for seven characters; can you imagine what it would be for 127 characters, mixed case? You'd have to be Seagate or Maxtor yourself to hold the stinking thing. So it becomes impractical to generate complete rainbow tables for that keyspace, and so we'll often take the popular passwords and create a rainbow table for those.

The benefit of a rainbow table is that once it has been produced, it can be stored and used instantly in the future. Many security analysts keep external hard drives of rainbow tables for just this purpose. I also have one that I use in class, and I tell people, type in the strongest password you can possibly think of, one that he'll never get. And I end up cracking a good portion of their passwords. If they happened to use a password longer than the 14 characters my rainbow table covers, then they could usually defeat it, and these things will fall into place in the next slide. So let's do just one last review, and then we'll jump into cracking our passwords.

So if I type in the password password123, and I happen to type it in uppercase, I'm going to save this file and close it. If I drag it over here, you can see the password hash ends in 6386. What I was saying earlier is that there's no way I can cryptographically break this hash and turn it back into that password. But I could guess that the password is password123, run it through the MD5 hash, and if it comes up with this hash, hey, you guessed the right password, come on in. So the thing I want you to understand is that we always go through the hashing algorithm when we put in a new password, and it is the hash that gets stored in the SAM database, which lives in the Windows registry.

There are a couple of other things we're going to do to it as well that I'll talk about in the next slide. But the part I want you to understand is that I can't take this hash and somehow crack it back into the password. In reality we're guessing passwords, running each guess through the hash, and if the result is the same as the hash we're looking for, hey, you guessed the right password, come on in. This is very important to understand. Another important thing to understand, just real quickly, is that the hash is always a fixed length.

So when you see movies like Swordfish or The Net with Sandra Bullock, where it comes back and says, oh, I've got the first character, I've got the second character: that's Hollywood, that is not the way it works. You must have all of it or you get none of it. So if I had to guess and I put in just password12 as an example, save this one and get out of it: remember, my password hash ended in 6386. If I drag this in now, you'll notice every single digit changed. So there is no such thing as grabbing the first character, then the second character, and that type of thing. That's Hollywood, not real life.
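The guess-hash-compare loop, the precomputed lookup table and the "every digit changes" effect the lecture illustrates in Notepad, as an added runnable example (not part of the original course material). It uses MD5 the way the lecture does, a constructed keyspace of uppercase letters up to three characters, and a plain dictionary in place of a real rainbow table (a real table stores hash chains rather than every hash/plaintext pair, to fit on disk); the function names and sample passwords are the example's own.

```python
import hashlib
import itertools
import string

# Keyspaces used below (constructed for illustration; a real table covers far more).
UPPER = string.ascii_uppercase
UPPER_DIGITS = string.ascii_uppercase + string.digits


def md5_hex(plaintext: str) -> str:
    """Run a candidate through the same one-way function the stored hash used.
    The lecture uses MD5 for illustration; Windows itself uses LM/NT hashes."""
    return hashlib.md5(plaintext.encode("ascii")).hexdigest()


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet of that size."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def candidates(alphabet: str, max_len: int):
    """Yield every string over `alphabet` of length 1..max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def brute_force(target_hex: str, alphabet: str, max_len: int):
    """Guess, hash, compare until a digest matches. Returns (plaintext, hashes computed).
    Every attempt pays for a hash computation and nothing is reused between targets."""
    target = target_hex.lower()
    tries = 0
    for cand in candidates(alphabet, max_len):
        tries += 1
        if md5_hex(cand) == target:
            return cand, tries
    return None, tries


def build_lookup_table(alphabet: str, max_len: int) -> dict:
    """Precompute digest -> plaintext for the whole keyspace once.
    This is the sorted 'dictionary of hashes' the lecture describes: pay the
    hashing cost up front, then look up any hash from that keyspace instantly."""
    return {md5_hex(cand): cand for cand in candidates(alphabet, max_len)}


def lookup(table: dict, target_hex: str):
    """One dictionary probe instead of re-hashing the keyspace; None if outside it."""
    return table.get(target_hex.lower())


def hex_digit_changes(digest_a: str, digest_b: str) -> int:
    """Count hex digits that differ between two digests. Dropping one character
    from the plaintext changes most of them: there is no 'first character matched'."""
    return sum(1 for x, y in zip(digest_a, digest_b) if x != y)


if __name__ == "__main__":
    target = md5_hex("CAT")
    print("brute force :", brute_force(target, UPPER, 3))
    table = build_lookup_table(UPPER, 3)
    print("table size  :", len(table), "entries for", keyspace_size(26, 3), "candidates")
    print("table lookup:", lookup(table, target))
    h1, h2 = md5_hex("PASSWORD123"), md5_hex("PASSWORD12")
    print("PASSWORD123 :", h1)
    print("PASSWORD12  :", h2)
    print("hex digits changed by dropping one character:", hex_digit_changes(h1, h2), "of 32")
```

The brute force finds CAT on its 2,074th hash (26 one-character and 676 two-character guesses first); the table answers the same question with one lookup, and keyspace_size shows why that table stops being practical as the alphabet and length grow.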

4. Cracking Windows Passwords – A

Okay, folks, let's get into the real meat and potatoes of what you really want to do. In this section we want to crack the passwords from a Windows machine, and I'm going to show you exactly how we do that. As we talked about in the last video, password cracking in the offline case means obtaining the password hashes and then attacking them offline, so we need some way of actually pulling those hashes out. Both the SAM database and the Active Directory database stored a user's password in two formats, the LM hash and the NT hash, all the way up through Windows Server 2003. From Windows Server 2008 on the server side and Vista and Windows 7 on the workstation side,

by default they store only the NT hash, which is computed over the whole password, up to 127 characters (books vary between 126 and 127; the field itself is 256 long, but Windows won't let you enter more than that). So we have to obtain that hash. Back to what we were discussing before: the LAN Manager hash has a maximum length of 14 characters, and those 14 characters are forced to uppercase. So when I was cracking them with my rainbow table, what I was really doing was cracking seven characters at a time, because before the LAN Manager hash is created, the 14-character string is split in two and each seven-character half is encrypted separately (each half serves as a DES key that encrypts a fixed constant).

So we have seven characters hashed, then another seven characters hashed to create the second half. The LAN Manager hash is much easier to crack, so an attacker would much prefer to extract the hashes from an older machine that still stores it. Now, you may be asking yourself: why did they do that? That seems ridiculous. Well, back when they created Windows NT, around 1993 or 1994, computers weren't all that powerful, so hashing a long, complex string of characters would take longer, and logging in would take longer too.

So they figured most people don't use a password longer than seven characters, and decided to break it into two and store two password hashes of seven characters each. When the NT hash came out it had a maximum length of 127 characters, mixed case; when Windows NT hashed your password at logon, it used the entire password, up to 127 characters, mixed case. Whereas LAN Manager, which was used for things like Windows for Workgroups and possibly Windows 95, used a maximum of 14 characters forced to uppercase. So NT is where the real security started to get stronger.

5. Cracking Windows Passwords – B

So, as promised, here is the lab to crack passwords. I'm actually going to crack the first set of passwords on a very old Windows 2000 machine, and before you start flinging mud at me, let me explain why. I normally would crack them on a Windows 7 or later machine, which I'm going to do in the next video, but I need to show you the split in the LAN Manager hash; everything else is exactly the same. So I'm simply going to go under my lab folders, where I have a little utility called LC5 Setup, and run it: this little tool is L0phtCrack version 5. I click Finish, come over here, click Start, and under Programs we should have an LC5 tool.

When it comes up the first time it asks whether I want to run the trial or register. I have a registered copy, so I'll click Register; it gives me a number right here, I grab that number, paste my key in and press OK. All right. The first thing I'm going to do is cancel this wizard and do it manually so I can explain each piece as we go along. I'll start a new session and make sure I've chosen to view the password hashes so I can explain what we were talking about.

For now, remember, the only reason we're in Windows 2000 is so I can explain that, because it is on your test. All right? So the first thing I'm going to do is pull in some users. If I click Import from the local machine here, you'll see it imports a few users, but they're really just the default users that came with the machine. So I'm going to add some others, and I'm going to do it from the command line. I'll type net user, call this one user1, put in a one-character password on this first one, and then push the up arrow; that's the key to why I wanted to do it from the command line.

Change that to user2 and put in a two-character password, up arrow, user3 with a three-character password, user4 with a word from the dictionary like chair, and for user5 through user10 I'll put in something random that I feel is complex. We're going to pause for just a second while I put all the rest of those in. Okay, I've finished putting in all of those passwords, so I'm going to start a new session again, say I don't want to save this one, go into Session and do an import one more time from the local machine, and you can see I've got user1 through user10 in here. Now I want to show you a couple of things so you'll be able to see what I was talking about.

I want you to notice these password hashes. Take a look at one that has an empty password: its LM hash is AAD3B435B51404EE, and then the same value repeats, AAD3B435B51404EE again. That's how the system knows it has no password, because that value is the hash of nothing but the padding characters they put in. Now notice that a number of my user accounts also end with AAD3B435B51404EE in the second half. That is how you can tell the password is seven characters or fewer: it hasn't flipped the switch, if you will, to fill in both halves, so only the first half is a real password hash and the second half is just that padding.

So all your password-cracking tools will typically come back and say this one is seven characters or fewer, because the first half, covering the first seven characters, is not AAD3B435B51404EE but the second half is. Now look at user8: its LM hash does not have AAD3B435B51404EE in the second half, so on that one we have to crack both halves. I also want you to notice what I was talking about before: we have the LM hash and we have the NTLM hash, or more precisely the NT hash, as most books call it these days. That one hashes the entire string of characters.
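An added example, not from the course or from L0phtCrack, that does in code what the lecture reads off the LC5 screen: it computes the NT hash (MD4 over the UTF-16LE password, unsalted, full length, case preserved) with a pure-Python MD4, classifies the two halves of an LM hash by the AAD3B435B51404EE padding value, and runs a small dictionary guess against the NT hash. The pwdump-style lines and the word list are constructed; the LM halves marked PLACEHOLDER are not real LM output (producing those takes DES over the fixed constant), while the empty-password values and every NT hash in the sample are genuine.

```python
import struct

# Values every practitioner recognises in a SAM dump (real, not constructed):
LM_EMPTY_HALF = "AAD3B435B51404EE"             # LM half for seven padding bytes (DES of "KGS!@#$%" under an all-zero key)
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"   # MD4 of the empty UTF-16LE string


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new("md4") is often unavailable under
    OpenSSL 3, so the primitive is spelled out here."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # Update one register, then rotate roles so the next step works on the next one.
                a = _rotl((a + func(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt, no split, case preserved."""
    return md4(password.encode("utf-16-le")).hex().upper()


def classify_lm(lm_hex: str) -> str:
    """Read the two 8-byte halves of an LM hash the way the lecture does on screen."""
    lm = lm_hex.upper()
    first, second = lm[:16], lm[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "empty password (or LM hash not stored)"
    if second == LM_EMPTY_HALF:
        return "7 characters or fewer: only the first half needs cracking"
    return "8 to 14 characters: both halves need cracking"


def parse_pwdump(line: str) -> dict:
    """Parse one pwdump-style line of the form user:RID:LMHASH:NTHASH:::"""
    user, rid, lm, nt, *_ = line.strip().split(":")
    return {"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper(),
            "lm_note": classify_lm(lm)}


def dictionary_attack(nt_hex: str, wordlist):
    """Guess, hash, compare: the only way to 'crack' an NT hash. None if no word matches."""
    target = nt_hex.upper()
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


# Constructed sample dump. Guest carries the real empty-password values; the LM
# halves built from PLACEHOLDER_HALF are not real LM output; the NT hashes are real.
PLACEHOLDER_HALF = "0123456789ABCDEF"
SAMPLE_PWDUMP = [
    f"Guest:501:{LM_EMPTY_HALF}{LM_EMPTY_HALF}:{NT_EMPTY}:::",
    f"user4:1004:{PLACEHOLDER_HALF}{LM_EMPTY_HALF}:{nt_hash('chair')}:::",
    f"user8:1008:{PLACEHOLDER_HALF}{PLACEHOLDER_HALF[::-1]}:{nt_hash('Sw0rdfish!1')}:::",
]
WORDLIST = ["", "password", "letmein", "chair", "table"]  # constructed word list

if __name__ == "__main__":
    for line in SAMPLE_PWDUMP:
        rec = parse_pwdump(line)
        print(f"{rec['user']:6} LM: {rec['lm_note']}")
        print(f"       NT: {rec['nt']} guessed as: {dictionary_attack(rec['nt'], WORDLIST)!r}")
```

The NT hash of "password" comes out as 8846F7EAEE8FB117AD06BDD830B7586C and the empty password as 31D6CFE0D16AE931B73C59D7E0C089C0, the two values you will see quoted in every SAM-dump walkthrough; user4 is reported as a one-half LM crack and falls to the word list, user8 needs both halves and survives it.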

Okay? Next I'm going to show you a number of different ways to grab those password hashes, so let's take a moment and walk through this. First I'll go down to my WINNT folder; that's what it was called on Windows 2000, and it's Windows on everything else. I'll navigate down to it, tell it to show files, and if I look in WINNT\System32 and find the config directory, you'll see all the very sensitive files. The file we store our password hashes in is called the SAM file, the Security Account Manager file. Now I want you to notice what happens when I try to copy it.

Oh: can't copy with the system running. That's not going to work. Now notice the SAM file, and also a couple of other files, SysEvent.Evt and SecEvent.Evt, and notice the SYSTEM file as well. Microsoft, in their infinite wisdom, decided that if you renamed the SAM database file to something other than SAM, say sam.old, renamed SecEvent.Evt to secevent.evt.old, and restarted the system, something interesting happens. Of course, in order to do this we have to boot the machine under some other operating system, like BartPE or possibly Linux, to get at these files. It won't let me rename them here, naturally, because they're in use; it just gives me an error message.

So I would have to boot the system under another operating system. When it comes back up, Windows, in its infinite wisdom, decided that if it didn't find a SAM database file, it would create a brand new one, and here's the kicker: with a blank Administrator password. So if I renamed the SAM file to sam.old and SecEvent.Evt, the security event log, to secevent.evt.old, I'd be able to go in and do whatever I want with a blank Administrator password and no security log of it. Once I'm done, I restart again under BartPE or Linux, rename those files back, and delete the two that Windows created. No one will ever be the wiser. The lecture demonstrates this on Windows 2000; don't assume later versions behave the same way.
